The moment hackers make off with privacy-sensitive data from your organisation, the consequences are your responsibility – including the legal ones. Yet cybersecurity within companies is still not as self-evident as a decent lock on the front door, even though the topic deserves just as much attention.
‘Who is going to notice us; why would we be of interest to hackers?’ The idea that there are always bigger fish swimming in the sea elsewhere often breeds complacency among smaller companies. But make no mistake: even the smallest file containing personal data is worth breaking into for hackers. And companies that roll out the red carpet for malicious actors by putting cybersecurity at the bottom of the priority list are just as much at risk as those big fish sitting on a goldmine of data.
Good security policy is all about awareness
Edward van Egmond is Senior Manager IT Audit at Noordbeek and helps companies detect vulnerabilities in their online security. Among other things, he performs PCI and 3DS audits on online payment transactions and is a ‘registered IT auditor’ for assurance assignments. In practice, he regularly sees the effects of good cybersecurity policy, but also what the consequences can be when such policy is partly or wholly lacking. “How often I come across someone who got a new modem and kept the username and password on ‘admin-admin’,” Van Egmond says. “Good cybersecurity policy is all about awareness, both at corporate and individual level.”
Security awareness is the start of prevention
So prevention starts with awareness, Van Egmond continues. “For example, it is hugely important to provide regular awareness training for employees. Not the standard open-door routine once a year, but innovative material repeated regularly in a stimulating way. For instance, agree that cybersecurity will be discussed once every four weeks during a work meeting. You can rotate the people who give a short presentation on a sub-topic during such a meeting, so they can bring up their own hobbyhorse. By keeping the topic topical, you make sure it does not fade into the background. Risks really do lurk in the small details: most people use the same e-mail address and password on lots of sites. As a result, the consequences quickly become significant. If they enter their details on untrustworthy websites, hackers on such a website can ‘steal’ the password with a simple script. This allows them to gain access to many other websites.”
Good information policy often lacking
Decent cybersecurity hinges on good information policy, Van Egmond argues. Information policy is an organisation’s vision of strong security, in order to reduce the risks of unauthorised access, among other things. Yet in practice, he still often sees that this is precisely what is lacking. “I often see webshops that have been hacked do a quick website security scan afterwards, such as PCI. It then turns out that they have assessed and resolved the vulnerabilities found as they see fit, but not translated them into information policy. They then think they are fine, only to find out later that the security is not up to scratch after all. Correct information policy is therefore very important. If employees do not know which procedures they have to follow, how do you create awareness?”
Set good policies and act on them
So the motto is: draw up good policies and act on them. Awareness training can then ensure that the policy actually lives within the organisation, and that employees remain aware of its importance. But as a company, how do you know whether the policy is still adequate, and whether the measures taken are still sufficient? “Preventive website security scans are very helpful for that,” Van Egmond believes.
Keeping an extra eye on things with preventive scans
By periodically scanning your website, web applications and web servers for security weaknesses and vulnerabilities, you ensure that an extra eye is kept on things. This is especially valuable once you think you have your security in order: a weekly scan tests whether that is actually still the case. With every technical change and/or update, the weekly check verifies whether everything is still in order or whether adjustments are necessary.
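The “extra eye” described above boils down to a repeatable check plus a comparison with the previous run, so that a change introduced by an update stands out. The script below is an added example and is not code from the article or from Noordbeek: it checks a web server’s HTTP response headers against an assumed baseline of security headers and reports which findings are new compared with last week’s run. The header names are real HTTP headers, the baseline of expected values is an assumption, and the two header sets are constructed sample data standing in for what an HTTP client would return before and after a server update.

```python
"""Added example, not from the original article: a minimal weekly check of
HTTP security response headers with a comparison against the previous run.
Everything below the functions is constructed sample data."""

from typing import Callable, Dict, List

# Assumed baseline: header -> predicate that says whether its value is acceptable.
EXPECTED: Dict[str, Callable[[str], bool]] = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "content-security-policy": lambda v: len(v.strip()) > 0,
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
}

# Headers that may leak software versions; a value containing a digit is flagged.
DISCLOSING = ("server", "x-powered-by")


def normalise(headers: Dict[str, str]) -> Dict[str, str]:
    """HTTP header names are case-insensitive, so compare them in lower case."""
    return {name.lower(): value for name, value in headers.items()}


def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return a sorted list of findings ('missing:', 'weak:' or 'disclosure:')."""
    found = normalise(headers)
    findings: List[str] = []
    for name, acceptable in EXPECTED.items():
        if name not in found:
            findings.append(f"missing:{name}")
        elif not acceptable(found[name]):
            findings.append(f"weak:{name}")
    for name in DISCLOSING:
        if name in found and any(ch.isdigit() for ch in found[name]):
            findings.append(f"disclosure:{name}")
    return sorted(findings)


def regressions(previous: List[str], current: List[str]) -> List[str]:
    """Findings present this run that were absent last run: the regressions."""
    return sorted(set(current) - set(previous))


# Constructed sample: headers as they looked before an update of the web server.
LAST_WEEK = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
}

# Constructed sample: after the update, HSTS is gone, the framing policy was
# loosened and the server banner now advertises a version number.
THIS_WEEK = {
    "Server": "nginx/1.24.0",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "ALLOWALL",
}


def weekly_report(previous_headers: Dict[str, str],
                  current_headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Run the check on both snapshots and isolate what changed for the worse."""
    before = check_headers(previous_headers)
    after = check_headers(current_headers)
    return {"before": before, "after": after, "regressions": regressions(before, after)}


if __name__ == "__main__":
    report = weekly_report(LAST_WEEK, THIS_WEEK)
    for key, items in report.items():
        print(f"{key}: {items}")
```

In a real weekly run the header dictionaries would come from an HTTP request against each site and the previous run’s findings would be stored alongside the date, so that the regressions list is what lands on the desk of whoever owns the information policy.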
Preventive scans are nothing more and nothing less than a maintenance action for your cybersecurity policy. That is your responsibility, not that of the website builder. Think of it as an MOT inspection: for that too, you are responsible, not the manufacturer of the car. A scan is a small effort with a big effect.
Want to experience how a security scan works? Click here for a free Freemium scan and check your website on a few basic security aspects.