Security Made in Luxembourg has announced a number of measures that will help with protecting and securing our computers and digital devices as many of us return from a relaxing summer holiday.

It is time to go back to work, and so activities will return to their hectic pace. So everyone is on deck and ready to go full speed ahead? Before sailing towards success, the initiative recommends checking the state-of-the-art boat, the on-board equipment and the lifeboats.

As is the case in sailing, the most common mistakes made with information systems can be counted on one hand. There are precisely five errors that can be made:

1. Thinking we are not a target
2. Thinking that security is only an IT problem
3. Relying solely on anti-virus solutions
4. Neglecting devices (PCs, tablets, smartphones...)
5. Neglecting to inform our employees about the matter

1. The first mistake is to underestimate the risk, whether it be because we think we are already protected or that criminals are not interested in our business. This way of thinking is wrong for two reasons:

a) You probably underestimate the actual value of the information stored. Even if it seems to be of little value, it is important to think carefully about the impact which a data breach could have, for example on the business' reputation and its clients.

b) Perhaps criminals are not specifically targeting you, but they use robots which try to gain access to every computer connected to the Internet, yours included. They may already have achieved this and used your servers as "zombies" in order to conduct other attacks.

Being realistic, even if you do not know it, you have probably already been the target of such attacks. Consulting your website's logs will confirm this. In order to better assess the risk, call on the Malware Information Sharing Platform (MISP) of the Computer Incident Response Center Luxembourg (CIRCL).

2. The second mistake consists of believing that information security is an IT problem. In fact, this is not the case, as it is principally a human and organisational issue. Many attacks are carried out or prepared through direct or even telephone contact.

Secretaries or employees could, in good faith, pass on critical information to criminals who have mastered the art of "social engineering". This also relates to the fifth common mistake: neglecting to provide employees with cybersecurity training. Each employee has a specific role to play in protecting the company's shared information. In order to armour your employees’ defenses, consult the training programmes offered by Cyberworld Awareness and Security Enhancement Services (CASES).

3. In regard to antivirus software, whilst the initiative still recommends installing it, it is completely inadequate when it comes to tackling new emerging types of threats. For example, antivirus software does not always detect ransomware. "We cannot emphasise enough the fact that regular, functional backups are the only real protection against this type of malware."

4. Finally, devices should be protected against theft and loss as well as against insecure private use. If employees are allowed to use their own equipment in the business, then this should be supervised and regulated in a way that will not jeopardise the company's information systems. For more information, consult the BYOD archives at https://securitymadein.lu/tags/byod/