The IT sector is commonly a target in cybercrime attacks.
Whether the aim is stealing code or sensitive data, or using an IT company as a stepping stone in a supply chain attack, the IT sector needs to be aware of this and take action to build its own cyber resilience.
And although tech companies are improving, and indeed leading the way in some areas of cyber security, sometimes the basics can be overlooked.
1. Enable 2FA. Many people still reuse passwords or use passwords that are weak. Password123! has a mixture of upper and lower case letters, numbers and symbols, but it can be found on a criminal’s word list. Having 2FA should mean that even if a criminal got hold of usernames and passwords, they wouldn’t be able to log on. Admin accounts in particular need 2FA/MFA.
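The point above, that a password can satisfy every composition rule and still be on a word list, is easy to see in code. The following is an added example written for this page, not code from the Eastern Cyber Resilience Centre; the word list is a constructed stand-in for the much larger breached-password lists criminals actually use.

```python
import re

# Constructed denylist standing in for the "criminal's word list" mentioned in
# the text. Real breach lists run to hundreds of millions of entries; these few
# entries are illustrative only.
BREACHED_PASSWORDS = {
    "password", "password1", "password123", "password123!",
    "qwerty", "letmein", "welcome", "welcome1", "admin123",
}

# Trailing digits/symbols people bolt on to satisfy complexity rules.
_TRAILING_JUNK = re.compile(r"[^a-z]+$")


def meets_complexity(password: str) -> bool:
    """The classic composition rule: at least 8 characters, with upper case,
    lower case, a digit and a symbol all present."""
    return (
        len(password) >= 8
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[a-z]", password) is not None
        and re.search(r"[0-9]", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None
    )


def on_word_list(password: str, word_list=BREACHED_PASSWORDS) -> bool:
    """True if the password itself, or its base once the trailing digits and
    symbols are stripped, appears on the list (case-insensitive)."""
    lowered = password.lower()
    base = _TRAILING_JUNK.sub("", lowered)
    return lowered in word_list or base in word_list


def evaluate_password(password: str) -> dict:
    """Run both checks. A password is only accepted if it passes the
    complexity rule AND is absent from the word list."""
    complexity = meets_complexity(password)
    listed = on_word_list(password)
    return {
        "meets_complexity": complexity,
        "on_word_list": listed,
        "accepted": complexity and not listed,
    }


if __name__ == "__main__":
    for pw in ("Password123!", "password", "Tr0ub4dor&3xample"):
        print(f"{pw!r}: {evaluate_password(pw)}")
```

Running it shows Password123! passing the complexity rule and failing the word-list check, which is exactly why a second factor matters: the password policy alone does not tell you whether a password is guessable.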
2. Segment customer data. This way if someone does gain access to one customer, they won’t immediately get access to everything.
3. Access control. Make sure that only people who need access to key systems have it. Does everyone in the company need access to your code repository? Do your admin accounts only carry out admin activities? Consider the insider threat. When someone leaves the company, do you remove their access before or after they leave the building?
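The two questions above (does this person's role need the system, and has a leaver's access actually been removed) are the core of a periodic access review, and a small script can answer them from an export of HR records and system user lists. This is an added example written for this page, not the Centre's own tooling; the staff records, the systems and the team-to-system mapping are all constructed.

```python
from datetime import date

# Constructed HR records: team membership and, for leavers, the leaving date.
STAFF = {
    "alice": {"team": "engineering", "left": None},
    "bob":   {"team": "sales",       "left": None},
    "carol": {"team": "engineering", "left": date(2024, 3, 1)},
}

# Constructed mapping of which teams legitimately need each system.
REQUIRED_BY = {
    "code-repo":  {"engineering"},
    "crm":        {"sales"},
    "prod-admin": {"engineering"},
}

# Constructed user lists exported from each system: (system, username, is_admin).
ACCOUNTS = [
    ("code-repo",  "alice", False),
    ("code-repo",  "bob",   False),   # sales person with repo access
    ("code-repo",  "carol", False),   # leaver whose access was never removed
    ("crm",        "bob",   False),
    ("prod-admin", "alice", True),
]


def review_access(staff, required_by, accounts, today):
    """Return (system, user, reason) for every account that should be
    questioned: orphaned accounts, leavers still active, and accounts held
    by people whose team has no need of the system."""
    findings = []
    for system, user, is_admin in accounts:
        person = staff.get(user)
        if person is None:
            findings.append((system, user, "no matching staff record"))
        elif person["left"] is not None and person["left"] <= today:
            findings.append((system, user, "leaver still has access"))
        elif person["team"] not in required_by.get(system, set()):
            findings.append((system, user, "team does not need this system"))
    return findings


if __name__ == "__main__":
    for finding in review_access(STAFF, REQUIRED_BY, ACCOUNTS, date(2024, 4, 1)):
        print(finding)
```

Feeding it real exports on a schedule turns the "before or after they leave the building" question into a check that is answered automatically rather than remembered occasionally.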
4. Train your staff. It doesn’t really matter if you have the best protection you can buy if your staff are clicking on those phishing emails or letting anyone with a clipboard and a lanyard into your server room. Metacompliance found that 91% of cyber-attacks started with phishing, so if you are not preparing your staff to deal with this attack vector you are potentially leaving your business vulnerable.
5. Patch. Yes, patching can be problematic; yes, it is annoying; but yes, it does stop criminals from being able to exploit known security weaknesses. And if you develop your own software, are you actively looking for your own weaknesses? Why not set up a vulnerability disclosure programme and get the good guys working for you, rather than waiting for a bad one to find the needle in the haystack?
Further guidance & support
The Eastern Cyber Resilience Centre provides Staff Awareness Training, but did you know your local police Protect officer might be able to do this too? We train and mentor local university students, so when we say affordable, it really is. Find out more here.
Our students also complete vulnerability assessments; perhaps you could use us mid-development?
The Eastern Cyber Resilience Centre is a not-for-profit membership organisation, run by policing, with the intention of increasing cyber resilience of SMEs within the East of England.
We also provide free guidance on our website, and we would always encourage you to sign up for our free core membership. Core members receive regular updates which include the latest guidance, news and security updates. Our core membership has been tailored for businesses and charities of all sizes based across the seven counties of the East of England.
Policing led – business focused.