TALLINN – The Estonian Information System Authority (RIA) has published four recommendations for managers of businesses for the prevention of cyber attacks, as the number of such attacks in Estonia keeps growing and cyber criminals are harassing local businesses on a daily basis.
In addition, cyber criminals are ever more cunning, which requires growing amounts of attention from business operators to protect their employees, assets and reputation, Joosep Sander Juhanson, information security expert at RIA, said in a press release.
Recommendation number one: pay attention to your own and your colleagues' cyber hygiene.
It is a widespread notion that ensuring cyber security is a duty of the IT department or the service provider, Juhanson said, describing such an attitude as dangerous, as it distracts from responsibility. He pointed out that the whole company and its employees may suffer as a result of the negligent attitude of a single person.
"The cyber security of a business depends on each individual employee. On whether they carefully check the sender's name and address in each e-mail, apply multi-step authentication in e-mail accounts, take care of updating their passwords and the software on their computers," Juhanson said, adding that companies that pay attention to the personal cyber hygiene of their employees significantly reduce the likelihood of suffering financial or reputational damage as a result of a cyber attack.
Recommendation number two: know what hardware and software your company is using.
Juhanson observed that the day-to-day work of a business is mostly done using computers. Businesses use a wide variety of software in their work, starting with customer management software and sales and business software, and ending with accounting software. Therefore, users frequently get notifications that updates are available. Unfortunately, the update is often not installed.
"The attitude is widespread that the update will always be there and there's no need to hurry. People don't understand that through postponing the update they are providing cyber criminals with the opportunity and the time to plan an evil act," Juhanson said, recommending that businesses appoint people whose duty is to make sure that necessary software updates are performed.
Also, businesses should have a precise overview of the programs and computers that are used by their team in their work.
Recommendation number three: know which employees have access to data.
In the information society, data is more valuable for a business than ever before. Cyber criminals know this too and are constantly seeking security gaps in the information systems of businesses, keen to quickly cash in on any information they might garner.
"It must be clearly known in a company who has access to various data -- be it customer data, financial data or other types of data," Juhanson said. He added that each company should have specific rules in place on how data is handled and preserved, and on what should be done in the event of a data leak.
"Having clear procedural rules in place helps prevent cyber attacks and find a solution to the problem faster if an attack occurs," he said.
It definitely must be made sure that people who have changed employer are barred from accessing data, Juhanson added.
Recommendation number four: educate your team on the most common cyber attacks.
The cyber security of a business starts from prevention. Juhanson said that the main cyber incidents causing financial damage to Estonian companies -- executive-mimicking fraud schemes, invoice scams and ransomware attacks -- are generally identifiable to a person versed in cyber security best practices.
"While there of course are also very professional criminals who are excellently capable of hiding their actions, a big proportion of cyber attacks can be avoided," Juhanson said, pointing out that with an incompetent response a cyber attack may halt the business of a whole enterprise.
"Being able to recognize the most common cyber attacks may save a business from incurring expenses amounting to tens of thousands of euros due to cyber criminals," the expert said, advising readers to check out information on cyber threats available on the Estonian-language website Itvaatlik at www.itvaatlik.ee.
Cyber incidents can be reported in Estonia to the e-mail address email@example.com or by filling in a questionnaire at www.raport.cert.ee