4 simple rules for protecting your organisation from data breaches

In the wake of data breaches at Deloitte and Equifax, both caused by basic security failures, it’s clear that people need a reminder of the essential things they should be doing to stay secure.

Here are four simple rules that all employees should follow.

1. Create strong passwords

The received wisdom about passwords is that they should have at least eight characters and mix letters, numbers and special characters. However, doing this runs the risk of creating ridiculously complicated phrases that are hard to remember and, ironically, comparatively easy for computers to crack.

These passwords tend to originate with a base word that’s then jazzed up with character substitutions, a tactic that password-cracking technology takes into account. But there’s another problem: even though How Secure Is My Password (HSIMP) claims that the phrase “Tr0ub4dor&3” would take a computer 400 years to crack – which seems secure enough – you’d do well to not have to write that phrase down somewhere, immediately compromising its integrity.

A simpler and more secure technique is to create a mnemonic or cipher, such as taking the first character and punctuation from each word of a sentence. So ‘The 50-year-old man caught the 15:50 train’ becomes ‘T50-y-omct15:50t’, which HSIMP claims would take 41 trillion years to crack.

Alternatively, you might find that length alone is an effective method for security. Each character you add to a password creates one more element that a hacker needs to correctly guess. A password such as ‘PurpleMonkeyDishwasher’ avoids predictable patterns by using a series of unrelated words and, according to HSIMP, would take 45 quintillion years to crack.

2. Don’t reuse or share your passwords

No matter how secure your password is, if you write it down or share it, you invite ways for people to gain access to your account.

Using the same password for multiple accounts compounds that risk. Once hackers have your login credentials for one site, they’ll inevitably try it on other accounts – so a data breach at your email provider could soon turn into a breach of your online bank account or your company’s systems.

Password managers such as LastPass and 1Password help you generate and keep track of unique passwords.

3. Watch out for phishing attacks

Broadly speaking, phishing is any attempt to pose as a trustworthy source in order to get people to hand over personal information.

These attacks are usually delivered by email and are characterised by poor grammar and claims that you need to address something that’s gone wrong. For example, such messages might claim that your account has been hacked, you need to confirm a card payment or your bank account has been frozen.

If you fall for one of these schemes, you’ll inadvertently hand over login details, personal information or payment card information to criminals. If it happens at your workplace, you’ll expose your entire organisation to a potentially massive cyber attack or data breach.

Although technology can help filter out phishing emails, Mimecast’s third quarterly Email Security Risk Assessment claims that 24% of all malicious emails pass through spam filters. So, as well as technological defences, organisations need to invest in staff awareness training.

4. Apply patches

Companies create patches for a reason – namely, to fix bugs and vulnerabilities in their software that would otherwise allow criminals to conduct an attack. Once a patch has been announced, the vulnerability is made public. Every day that passes without applying that patch is a day that you leave yourself open to an attack.

Patches are common, with security company Bromium reporting that, on average, organisations have to issue an emergency patch five times a month. In order to make sure no application is overlooked, organisations should have a patch management policy in place.

Boost awareness in your organisation

Don’t make your organisation’s security awareness programme a tick-box exercise. Engage them with a variety of learning methods with our Security Awareness Programme.

This programme helps you generate tangible and lasting improvements to your organisation’s security awareness. It combines a learning needs assessment to identify the areas that your organisation should focus on with a series of tools and services to address the problems that arise. These tools and services include hands-on support from a specialist consultant, pocket guides and e-learning courses.

Find out more about our Security Awareness Programme >>