In the past year, 58% of large businesses have experienced cybercrime, with the average incident costing around £5,000. Despite these alarming figures, many organisations are still not prioritising cybersecurity as they should.

Given that 95% of security breaches result from human error, Indusface, an application security SaaS company, has provided expert guidance on enhancing cyber-hygiene to prevent breaches, particularly in the context of remote work and the increasing use of AI.

Cyber-hygiene refers to the practices and measures taken to maintain the health of an organisation’s digital environment. Poor cyber-hygiene can lead to significant consequences, including data loss, security breaches, and outdated software vulnerabilities. These issues not only expose businesses to cyber threats but also hinder operational efficiency and compromise the security of sensitive information.

Steps to Improve Cyber-Hygiene in the Workplace

To counter these risks, businesses are advised to follow a comprehensive cyber-hygiene checklist:

  • Document Existing Processes: Companies should thoroughly document all existing hardware, software, and applications used within their network. This includes devices such as computers, mobile phones, printers, and software like Dropbox and Google Drive.
  • Scrutinise for Vulnerabilities: Regular audits should be conducted to identify and address vulnerabilities. This includes updating software, wiping unused equipment, and ensuring that passwords are regularly changed. Unnecessary programs should be uninstalled to reduce potential attack vectors.
  • Establish Cyber-Hygiene Policies: A centralised standard operating procedure (SOP) for cyber-hygiene should be created. This should include guidelines for regular software updates, password changes, and data backups. Employees must be prohibited from downloading unauthorised software, and new installations should be documented meticulously.
  • Focus on Internet-Facing Assets: Public-facing assets are particularly vulnerable to attacks. Businesses must regularly assess and mitigate risks associated with these assets through vulnerability assessments and a solid mitigation plan.

Enhancing Application Security to Prevent Cybercrime

Customer data is among the most valuable assets any organisation holds. Protecting this data, especially personally identifiable information (PII), is crucial to avoiding compliance issues and costly fines. Applications, including websites, mobile apps, and APIs, are common targets for cyber-attacks. However, employees can also be exploited as entry points for these attacks.

Here are some key strategies for bolstering application security:

  • Understand Your External Attack Surface: Large organisations often struggle to maintain a comprehensive inventory of all external-facing assets. The first step in protecting these assets is to identify and document all public-facing websites, applications, and IP addresses.
  • Scan for Vulnerabilities: Remote code execution is responsible for over 50% of cybersecurity incidents, far surpassing phishing attacks. Businesses should regularly scan their critical applications for vulnerabilities such as cross-site scripting and HTML injections. Compliance guidelines typically require annual manual penetration testing by certified experts.
  • Patch Vulnerabilities Promptly: Delays in patching vulnerabilities, even critical ones, are common due to a lack of expertise or concerns about disrupting business operations. To mitigate risks, businesses can use virtual patches on Web Application and API Protection (WAAP) or Web Application Firewalls (WAF) while preparing to deploy permanent patches.
  • Perform Regular Log Analysis: Analysing access logs, request logs, and response logs is vital for detecting anomalies that may indicate an attack. Artificial intelligence can assist in identifying these anomalies and refining security policies.

Individual Accountability and Employee Training

Given the increasing number of data breaches, individual accountability among employees is critical. In 2023, over 352 million individuals were affected by data compromises, underscoring the importance of comprehensive employee training. Workers should understand what constitutes sensitive data, how to protect it, and the personal and professional consequences of failing to adhere to security policies.

Understanding the frequency and impact of cyber-attacks can also enhance employee engagement with security measures, making them more vigilant in protecting the organisation’s data.

Encryption software is a crucial tool for safeguarding sensitive data, particularly in the context of remote work. Encrypting files ensures that even if data is stolen, it cannot be accessed without the encryption key. Businesses should establish clear policies on when and how to encrypt data, and conduct routine checks to ensure compliance.

Virtual Private Networks (VPNs) are another essential defence against cyber threats, especially for remote workers accessing company data from potentially insecure networks. VPNs protect data transmitted over the internet, reducing the risk of interception and data breaches.

Addressing AI and Remote Work Risks

AI systems, while offering efficiency benefits, also introduce new risks. AI can store sensitive business information, making it a target for cyber-attacks. Therefore, it is crucial to implement robust security policies that protect AI systems from exploitation.

Remote working further complicates the cybersecurity landscape. As Venky Sundar, Founder and President – Americas, Indusface, explains, “Remote working means people are working in less secure environments and their devices are more exposed to data breaches both digitally and physically.”

Organisations must adapt their security strategies to account for the decentralised nature of remote work. Security policies should assume that breaches are inevitable and focus on limiting the damage by ensuring that critical IT infrastructure remains inaccessible even if an employee’s device is compromised. A holistic approach to both application security and endpoint security is essential for protecting sensitive business data in the age of remote work and AI.