By Toni Sless and Dr Jessica Barker
With the launch of The Risk Avengers, we thought it a timely reminder of our top tips to improve your organisation’s security combating fraud and cyber crime. Whether you’re big or small, fraud awareness, prevention and cyber in security is a real issue that we all need to address. Security shouldn’t be about locking down all information or getting in the way of people working, but it should be proportionate, holistic and tailored to the needs, context and risk appetite of your organisation.
With that in mind, here are our Top Tips:
1. Undertake a third party audit of your information security. Expert, external eyes will help you work out what you’re doing right as well as where – and how – to improve.
2. Get your policies and processes in order. Policies should be clear, concise, accessible and appropriate to the business. They also, very importantly and often overlooked, need to be well-communicated and enforced. Processes should be simple but understandable by all stakeholders so that in the event of an incident (be it fraud, a critical threat or a cyber attack) everybody knows who is handling what and communicating to whom.
3. Everyone in your organisation should have training – whether this is in-depth specialist training or general awareness-raising will vary depending on the organisation and people’s roles. Your training need analysis matrix will assist with this.
4. Consider your culture and if you find there’s a tendency to scaremonger, scapegoat or rule by fear, it’s time for cultural change.
5. Review your governance. Who owns information risk and fraud prevention and how is this disseminated throughout the rest of the organisation? If you don’t already have them, consider approaching some keen staff members to see if they would act as ‘cyber and/or fraud awareness ambassadors’.
6. If you’re launching a new product, refreshing an existing one or implementing changes in the business, make sure you engage with your fraud and information security teams so that they can stress test them and make them robust against attack. If you don't have this in-house, consider seeking external expertise.
7. Focus on passwords. Often the quickest and easiest way for an attacker to compromise your network, which is not surprising considering ‘123456’ and ‘password’ were the two most common passwords of last year.
8. Put two-factor authentication in place wherever you can, and make sure people understand it and use it. This is linked to number 7, in that two-factor means you are no longer relying on passwords alone. Despite the simplicity and effectiveness of 2FA, unfortunately most people are unaware of it and not engaging with it.
9. Look at your physical and personnel security. Like many of these tips, a good information security audit should cover this as there is much more to information security than digital. Social engineering (or ‘people hacking’) takes advantage of poor physical security and organisations who fail to empower their staff to challenge strangers in the office or stop someone from following them through card access doors.
10. Keep up-to-date with threats. One of the most common, and successful, attacks right now is CEO Fraud, which often involves spoofed emails. Use team meetings to make staff aware of threats and try to make these discussions as engaging and interactive as possible.
11. Ensure your system is well-configured. Patches and updates should be timely, vulnerability scans should be regular, firewalls should be in place and penetration testing should be carried out and the recommendations implemented.
Bonus tip: it’s now widely accepted that, when it comes to information breaches, it’s not a case of ‘if’ but ‘when’. As such, your incident response plan (developed under 2 – get your policies in order) should be tested before a breach, so that the first time you put it into practice isn’t when you need it the most. In the event of an incident, ensure you conduct a lessons learned exercise, implement resolves within a timely manner and ensure you’re stakeholders are informed.
There is no such thing as 100% security, but you can and should mitigate risk where possible – the tips above will help you do just that.
If you want more assistance or information, please contact us. Dr Jessica Barker, Toni Sless and Sharon Conheady – collaboratively, The Risk Avengers.