Keeping information systems secure is a big challenge for many businesses, especially as the threats continue to grow.
In CyberEdge’s latest Cyberthreat Defense Report, close to 90 per cent of Canadian IT security pros surveyed reported their companies had suffered at least one successful cyberattack in 2021. That was up from 78 per cent just two years earlier.
So how can you keep your organization from becoming another unfortunate statistic? What can you do to prevent a security breach in your workplace?
This post will help you understand the nature of security breaches: what they are, how they happen, and what steps you can take to prevent them. Keep reading to learn more about common threats as well as IT security best practices for employees.
WHAT IS A SECURITY BREACH?
A security breach is an event that results in an unauthorized entity gaining access to protected networks, devices, or data. Basically, it’s when someone (or something, such as a virus) defeats cybersecurity measures and infiltrates a computer system.
It’s not technically the same thing as a data breach, though you’ll often see the terms used interchangeably. A security breach is when an intruder gets inside the system; a data breach is when that intruder actually steals, releases, or manipulates sensitive information.
As you’re probably aware, a security breach can be enormously disruptive, expensive, and damaging to a company’s reputation.
HOW DOES A BREACH OCCUR?
Sometimes a security breach is the result of an intentional act. For example, a profit-seeking hacker (or even a disgruntled employee) could steal credit card information from a corporate database and sell it to a third party.
A breach can also happen through carelessness or negligence. For instance, a staff member’s phone containing confidential customer data accidentally gets left in the back of a cab. Or a worker clicks on a link in an innocent-looking email and ends up with a virus that spreads throughout the organization.
A single click is all it takes to compromise an entire network
WHAT KIND OF ATTACKS CAN OCCUR?
According to the Cyberthreat Defense Report, these are some of the most common threats IT security professionals face:
Short for “malicious software,” malware is a catch-all term for any file or program that was created to intentionally cause havoc on a computer system or device. Malware is designed to sneak into a system without the user’s knowledge and interfere with normal operations.
Different types of malware include:
- Viruses—Viruses are malicious code attached to files or documents that replicate and spread from host to host once the infected files or documents are activated.
- Worms—Worms are stand-alone programs that can self-replicate without any triggering action from the user.
- Trojans—Disguised as legitimate software, Trojans activate upon download and allow the attackers to access sensitive data, spy on user activity, or install additional malware.
Phishing is when an attacker poses as a trusted entity to trick users into clicking a link, downloading an attachment, or providing sensitive data like passwords or banking details. Phishing usually involves email, but it can also be done via texts, phone calls, instant messaging, and other communication channels.
Ransomware hijacks a computer system by locking out users or encrypting files until a ransom is paid. The Cyberthreat Defense Report notes that the percentage of companies falling victim to a ransomware attack grew from 55 per cent in 2018 to a record-high 71 per cent in 2021.
WAYS TO PREVENT A SECURITY BREACH IN THE WORKPLACE
Fortunately, there are some concrete steps you can take to avoid security issues in the workplace and protect your organization. The following are a few key IT security tips for the workplace.
1. Provide Employees With Necessary Equipment
It’s much harder to enforce security measures when employees use their own personal devices. So if you have staff members who work remotely some or all of the time, it’s best to issue them a company-owned laptop or phone.
That way, you can control who can log into the devices, what software gets installed, and what ends up on the corporate network.
Providing company devices also makes it easier to maintain security when employees leave the organization—you can simply reclaim the machine and all its data.
2. Adopt a Secure Password Policy
Don’t let staff members fall into the trap of choosing passwords that are easy to guess or using the same password for every account.
Instead, encourage employees to use complex passwords that include a mix of uppercase and lowercase letters, numbers, and symbols. Require all users to change their passwords regularly, like once a month or once every 90 days.
For added security, use a password manager. This will allow users to generate strong, unique passwords for different accounts and store them safely (i.e., not written on a sticky note or logged on a spreadsheet).
Passwords shouldn’t be easy to guess or written down where others can see
3. Use the Right Tools
Be sure to enable firewalls and install antivirus and anti-malware software. Always use the most recent version of software and install updates and patches as soon as they’re released. Set updates to run automatically if possible.
Consider implementing multi-factor authentication (MFA) for anyone logging in to sensitive accounts or apps. MFA requires users to complete an extra step to verify their identity, such as entering a temporary code sent to their phone.
You may also benefit from setting up a virtual private network (VPN). A VPN creates a secure and encrypted connection between a user device and your company’s network. VPNs are particularly important if you have remote employees who rely on home networks or public wi-fi.
4. Restrict Access
To limit potential vulnerabilities, each staff member should only be able to access the specific data they need to do their jobs. Allowing blanket access to the wider system is a major security risk.
So create different user roles with different permissions. Use multi-factor authorization as mentioned above. And be sure to disable an employee’s permissions immediately when they leave the company.
5. Use Extra Protection for Portable Devices
Portable devices present an additional risk, as they can easily be lost or stolen.
Things like laptops, phones, tablets, external hard drives, and USB flash drives should be encrypted. This ensures that the data on them will be unreadable to anyone who doesn’t have the right decryption key or password. Unauthorized users can still copy encrypted files, but they won’t be able to view them.
6. Train All Employees
Make your staff aware of cybersecurity risks and teach them how to identify potential threats.
For example, everyone should exercise caution before clicking on any links or attachments in an email. Encourage employees to hover over a link to see where it really goes; if it’s not the expected destination, the email is probably not legit.
Derek Lewis has more than 20 years of experience in both cybersecurity and education. He says staff training is critical as attackers use more sophisticated techniques.
“Hackers use tools like social media to gather information, gain the end user’s trust, and get access to company systems. Hackers are really good at doing this. End users need training on how to spot suspicious behaviour, phishing scams, etc.”
WANT TO LEARN MORE ABOUT BEST PRACTICES IN IT SECURITY?
Have a look at the online cybersecurity program at Herzing College. It delivers cutting-edge training in IT security technologies and tactics—and it only takes 12 months to complete.
Click below for complete program details.