No matter what industry they’re in, businesses are vulnerable to cyberattacks. These can be mild, such as slowing down a few company computers, or devastating, such as compromising financial data and destroying the organization’s reputation. When it comes to malware, it’s crucial to be proactive, rather than reactive. If measures are already in place when a cyberattack targets a company, the chances of an adverse outcome are much smaller.
The question is, what steps can a company take to put these measures in place? There are several essential aspects of keeping a businesses’ data safe, such as employee training or using anti-malware programs on company computers. It’s also recommended to use outsourced IT services to protect against malware, since they’ll be able to identify weak points that could be targeted by hackers. To prevent or reduce the effects of a malware attack, these are the top strategies that every business should have in place.
Create and maintain encrypted backups of all data
The goal of some malware is to disrupt businesses by wiping out all their data, which is why it’s standard practice to maintain backups. However, it isn’t enough to have a single backup of all data stored somewhere on the cloud (although this could technically be enough to satisfy compliance requirements). The United States Computer Emergency Readiness Team recommends using the 3-2-1 data backup rule, which will cover pretty much any malware scenario.
- Three copies should be kept of important files – the primary version, plus two backups.
- Two different types of media should be used to store data and files. This prevents both backups from being wiped out in a single incident.
- One data copy should be stored off-site. This could even mean storing a backup in another geographical location, so at least one copy would stay intact in the event of a natural disaster.
Only download tools, software, or files from official sources
A common tactic is to get desktop or mobile users to download viruses, bugs, or other malware to their devices. The malware is then free to operate, and can cause all kinds of damage simply because the user didn’t confirm where the download was coming from. Employees should know to watch out for this tactic; it may appear with a prompt from the device they’re using, such as the message “Do you want to allow this app from an unknown publisher to make changes to your device?” If the publisher isn’t known or trusted, the answer should always be no.
Implement access controls and identity management
No matter how big or small the company, some of its data will be sensitive; this should only be accessed by certain people. Even if all of the organization’s employees are trustworthy, granting universal access to sensitive data is a risk that simply shouldn’t be taken. Human error is a fairly common factor in successful malware attacks, and the more people are accessing this data, the more likely it is that someone will make a mistake that leaves the data vulnerable.
Instead, identity and access management (IAM) should be used to control authorization and authentication. Systems that contain sensitive data should have permissions set for each user, with only a few people given administrative access.
Use authentication methods besides passwords
Passwords may be the default way to keep devices and information safe, but they have some crucial weaknesses that other authentication methods don’t. For example, many people have very weak passwords (such as “password” or “12345”) because they want something that’s easy to remember. Even if a company requires employees to change their passwords every month for security, they could just come up with variations on previous passwords.
A better approach is to use alternative authentication methods. These include:
- Client authentication certificates
- ID cards or other physical pieces of hardware
- One-time links, codes, or PINs
Use multi-factor authentication
There are several ways to secure information with more than just a password, but what’s even more secure is to use two or more of these authentication methods. Even if a hacker could crack one of them, it’s extremely unlikely that they could get past both. This could be a combination of a password (something that you know), plus a voiceprint, retinal scan, or other biometric (something that you are), or a physical security token or authentication app (something that you have).
Educate employees on scam tactics and cyber threats
Investing in IT staffing and cybersecurity is key, but none of that will be of much use unless regular employees are also educated on how to follow recommended cybersecurity practices. A chain is only as strong as its weakest link, and cybercriminals know that – which is why they go after employees, not IT staff.
Employees should be trained on cybersecurity as part of the onboarding process, and be provided with periodic refresher courses as well. This training should include:
- Reporting processes if something happens (for instance, who they should contact if they suspect a problem)
- How to respond to suspicious situations and messages
- Common tactics used by cybercriminals (email attachments, malicious URLs, email spoofing, social engineering, etc.)
- Common types of online threats and cyberattacks (malicious websites, phishing emails, etc.)
- Overall best practices for cybersecurity
- The organization’s policies on cybersecurity practices
Install anti-malware software
This is essentially the first line of defense against malware, since it automatically blocks the majority of malicious websites, ads, pop-ups, and so on. It should be used to protect not only browsers and devices, but also every network and server used by the organization.
Keep software, plugins, and IT systems updated
It’s typical for software manufacturers to regularly release updates or patches, which are designed to fix vulnerabilities as they’re identified. Unfortunately, many companies don’t take advantage of these updates, meaning they continue using software with known weak spots that leave them open to cyberattacks. Hackers can tell when an organization is using an older version of software, which makes it that much easier for them to target someone. The solution is to regularly update software, plugins, and IT systems whenever possible.