Six essential tips for enhancing your cyber security

By Luke Fardell, Cyber Security Specialist

Tuesday, June 10, 2025

If I told you that, as of right now, any key could open your front door, you would rush home and change the lock immediately. Faced with the very real possibility that quite literally anyone could access your home, you would take swift, preventative action.

You’d be right to do so. Not everyone would take advantage—I still like to think that the majority of people are good—but the chance of at least one malicious person waltzing into your home and taking whatever they like is still too great to ignore.

So why do we not take the same approach when it comes to cybersecurity? Many times, I have explained to IT teams that a freely available exploit is available for a product or appliance they utilise that would let anyone using it into their network. Rather than rushing home to change the lock, it gets brushed aside and put on the back burner, often until it’s too late.

Perhaps it’s because the threat feels less personal. Perhaps it feels less tangible and emotive. But, for a company of any size, in any sector and in any region around the world, the threat of a cyber breach could well destroy their business. I have first-hand experience of this, witnessing many business owners’ life work and reputation crumble due to a cyber incident. On one distinct occasion, we were informed that the owner of the business had sought out support from experts due to the stress. Not something I would want to experience again.  

Not only that, but with supply chains increasingly integrated, a breach in one part of the chain also provides access for the threat actors to the rest of it in a domino effect. If the first breach is the hacker walking through the open front door, the subsequent ones are them finding passageways and tunnels into neighbouring houses.

Much like the proverbial lock, cybersecurity measures protect a business’ digital ‘home’ and all the sensitive and business critical data that comes with it. While it can seem confusing to the uninitiated, understanding the entirety of the digital ecosystem in which a business operates is vital for understanding the risk exposure and the overall potential impact of a cyber event.

To that end, here are our essential tips for keeping the ‘house’ safe:

1. Know what you use

A business should know exactly what hardware and software it uses, what protocols are in place should an attack occur, the extent of its supply chain and what critical infrastructure it depends on. This will allow the business to take swift action should it become clear that a hacker has developed malicious code giving them access to that technology. This is most important for anything externally accessible or for software that provides access to any part of your network or data. Think remote access tools, virtual networking software, software deployment systems, data management portals and customer relationship software or databases.

2. Monitor and secure your network

Deploy tools that allow for real-time alerting, prevention and detection of potential security events. Think of this as reinforcing and strengthening the door frame and installing a peephole to check who you’re letting in. Understand the capabilities that the equipment provides and enable the appropriate security settings for your network. Keep this equipment at the top of your risk register and prioritise any updates that are needed for it.

3. Educate and engage with employees

Employees should be a significant line of defence against a cyber-attack, not the weakest link in the chain. Ensure the business provides thorough training for spotting the signs of different cyber-attacks, and that staff know exactly what to do in the event one takes hold. Create fool-proof guidelines for sensitive work such as approving money transfers, migrating data, installing software, uninstalling existing software and enrolling new devices.

From my experience, the ‘human in the loop’ methodology is often the one measure that prevents something bad happening. I have seen someone second-guessing something odd, making a phone call to double-check a payment transfer, and preventing a massive incident. Everyone—including the C-suite—sticking to the agreed rules can prevent social engineering attacks.

4. Conduct regular security audits and penetration tests

Don’t wait to be told there’s an issue. Malicious actors, whether acting alone or as part of a sponsored group, are always working to find new hacking methods. Conducting regular audits means being able to spot any part of the cyber defence that has been tampered with. There are many great tools out there to make this easy, and many of them are free.  

5. Update, update, update

Ensure all systems and company assets are updated with the latest fixes. Make sure you get your updates from the correct sources to prevent fake ones being deployed. If you have the tools, automate alerting for critical security updates so you don’t miss anything. Testing updates before full deployment is also advised.

6. Have an incident response plan

Make sure the business is prepared through well documented plans that are tested regularly should a breach happen. Have the right partners in place, including the right insurance policy and claims team, the right legal support and best-in-class ransom negotiators so that if the worst does happen, you can limit the damage and stop hackers in their tracks. At TMK, we run simulated attacks with our clients to trial the initial steps to take in the event of a cyber incident. This can save so much time and running around at 03:00 in the morning. The most valuable part of this test is knowing what everyone’s role is in the decision-making process: no one can do everything, so breaking it down to small decisions and delegations is key.

In the digital age, businesses cannot afford to be reactive to cyber-attacks, not least because of increasing regulatory scrutiny of whether consumer data remains safe. Being proactive is imperative, and consulting with a cyber expert is like talking to a good locksmith: it helps businesses put the best possible locks in place and change them the second a potential threat emerges.
