Cyber Resilient Best Practices

  • 14 April 2020
  • 2 replies
Cyber Resilient Best Practices
Userlevel 2
  • Sr. Engineering Data Analyst
  • 0 replies

Those of us who are able to work remotely in response to the COVID-19 outbreak are now taking more of our IT security into our own hands. But beyond staying aware of the latest coronavirus-inspired scams, what we can do to look after our own online security in these uncertain times?

What follows is our time-tested list of cybersecurity best practices that, in a perfect world, we’d all adhere to all the time. Nothing flashy, nothing dramatic. Just a list of habits cybersecurity experts agree could help make us all a little more cyber resilient.


Use antivirus software

While it sounds like a given from a company that makes it, antivirus software—we prefer the all-encompassing term anti-malware software, since viruses are only one strain of malicious software and you’re likely to be targeted by others—is an essential step in securing your devices. All your devices.

While most anti-malware software was once list-based, meaning it relied on a semi-static list of known threats living on your devices and fed by continuous updates, the industry gold standard is shifting to cloud-based.

This eliminates the need to continuously update and store bulky lists on your devices, which can lead to performance issues and allow new, sometimes as-yet-identified, threats to slip by. Cloud-based anti-malware software that can monitor unknown applications and decide on threat status based on their actions (with the ability to roll those actions back) is even better.


Regularly patch system software

This should be a no-brainer. But just like periodically changing your home’s air filter, it’s easily lost in the shuffle of everyday life.

Patching is essential since cyber criminals are always on the hunt for known exploits that could help them profitably infect unsuspecting users. Once patches are issued in response to exploits discovered by (sometimes ethical) hackers, it’s a simpler proposition to work backwards to the original security gap being addressed.

This applies to all software installed on your system, but it’s especially important for operating systems. They must be kept up to date, with upgrades if necessary. Windows 7, for which service has been discontinued by Microsoft, saw a 125% increase in malware targeting it over the course of 2019, as reported in the 2020 Webroot Threat Report.


Use strong passwords. And keep them to yourself

Our latest study on the password habits of 2020’s Most (and least) Secure States, we found that 34% of Americans are still sharing passwords! Americans who shared passwords for streaming services like Netflix were twice as likely to experience identity theft as those who didn’t.

Without going into too much math here (though it can be found here for those interested), long passwords are simply more effective than short ones against brute-force attacks, even when special characters are used. Passphrases are even better.

Essentially, it’s important to understand that “Keyb04rd$” is significantly weaker than “everyone loves a good passphrase”. 


Limit your sharing of data

As data breaches continue to occur, we as internet users, must understand the tradeoffs and risks that accompany its many benefits. Users should limit where they share their information online and with whom. This, along with the other cybersecurity best practices we've discussed, make things safer not only for individuals but also for the internet as a whole.

If we stop offering up our data so freely, then we leave a less enticing bounty for cybercriminals to pursue. Being better stewards of our own data could also reduce the need for more legislation and privacy penalties, making the internet a more enjoyable place to spend our time.


When all else fails, back up

Another essential best practice for protecting data while working from home is reliable backup. When all else fails, data backup is the only surefire way to bounce back. True cyber resilience requires having a plan when all else fails.

Backup solutions can also protect you from unforeseen events around the house. Ever dropped your laptop? Ever spilt coffee on the keyboard? What about a hard drive failing? It’s essential to think about the physical risks around the home as well as the security risks.
There are four main ingredients to a resilient backup solution:

  • Backups need to be automatic. It's no good relying on memory. Backups needs to happen regularly, especially when you're not thinking about them.
  • Backups need to be off-site. Local backups are not secure. You’re tempting fate by keeping originals and copies like eggs in the same basket.
  • Backups need to be immutable. Once a backup happens, there should be no way anyone or anything can get into it, modify it, or delete it.
  • Lastly, backups should allow for recovery from any point in time. In the event of any kind data corruption, accidental deletion, unintentional overwrite or hardware failure, it’s important to be able to roll files back to when the data was good.

Stay safe out there, everyone, and start with these tips.

2 replies

Userlevel 3
Badge +4

Thanks, @bbutler . I’ve really been thinking about  your final bullet, limiting data sharing, lately and really asking myself what I need to sign up for / download before giving away information. 

Userlevel 3

Reading through the list of best practices, there is 1 that comes to mind which is missing.  Inevitably companies will invest time and effort to utilise training packages to educate their workforce of the need to be vigilant when it comes to online websites and emails which appear in inboxes.

Whilst much emphasis is placed on completing mandatory training on the perils of malware, how many companies and enterprises take this 1 step further and actively select random groups of employees to receive a simulated malware-loaded email which reinforces training?

2 years ago an employer implemented this approach in response to a malware attack and gullible employees who fell for the trap were greeted with the news that they needed to undertake additional remediatory training  which had to be completed within a set period of time.  As a result, many personnel became more aware of what to look for.

My present employer utilises a similar approach to reinforcing training with similar simulations and examples which appear to be legitimate.  For instance, how many employees would innocently click on a web link in email which refers to an imminent payrise and more holiday time off work?  I recently received such an email, looked carefully at the sender’s details and hovered over a web link only to find that it looked suspicious.  In the email was a button to report suspicious email messages and upon hitting that button, I was instantaneously congratulated on detecting malware which was part of a simulation exercise.  This reminded me of my previous employer’s practice and suddenly I felt comforted that my employer is thinking outside of the box to test employee skills on an ongoing basis.

As the presentation of malware evolves over time, there is a need for ongoing yet practical exercises to ensure that workforces are equipped and knowledgeable on how to react in an appropriate manner.