Top Tips: 5 Security Tips to Prevent Cyber Attacks

Troy Hunt is a Pluralsight author and security expert, Software Architecture Lead for a Fortune 50 healthcare company, Microsoft MVP for Developer Security and ASPInsider, who's been building software for browsers since the very early days of the web. He blogs regularly about web security at and is the author of the OWASP Top 10 for .NET developers series and the free eBook of the same name. He's also a frequent conference speaker and the creator of the Automated Security Analyser for ASP.NET Websites (ASafaWeb) at

Troy shares his top tips for preventing cyber attacks.

Following the recent spate of high-profile hacks at major companies such as Target and eBay, as well as the widespread panic inflicted by the Heartbleed Bug, many are wondering how to best secure against future attacks.

A security breach damages not only a company's reputation but also consumer confidence and, ultimately, its revenue. Often the vulnerabilities that lead to these attacks are already well known within the technology industry; it is a lack of process and awareness that allows them to be exploited. It is of the utmost importance that companies understand what pre-emptive measures to take before an incident occurs, because a breach can cost billions of dollars and can even cause a company to fold.

Below are five tips to help top executives prevent cyber attacks and mitigate harm in the event a breach does occur.

1. Do not rely on security audits alone
Standards such as PCI DSS (the Payment Card Industry Data Security Standard) encourage compliance with a defined set of rules, but compliance is assessed infrequently, the assessments are rarely exhaustive, and a compliant state can be undone by simple oversights in process between one assessment and the next. A successful audit often leaves a company feeling "secure", but it is a snapshot of a checklist, not a foolproof measure of the company's actual security.

2. Let the IT department’s security culture play an important role
Security management is an ongoing process, and an organization's culture and approach to security are a good indicator of how likely it is to be successfully attacked. The following questions can help ensure IT maintains a culture of security:

  • Do software developers and IT professionals working on building systems undergo any formal security training?
  • Are there dedicated security professionals involved in assessing the IT landscape?
  • Are there regular penetration tests? Is there someone accountable—such as a Chief Information Security Officer—who is shepherding these processes?

3. Make sure security is not simply implied
Following a security breach, many organizations respond that they believed the system was "secure"; however, because the implementation of these systems is entrusted to partners or staff, "security" is often only vaguely defined and is easily misinterpreted. Expectations should be explicit and spelled out as part of the system requirements so that gaps between what was assumed and what was built cannot be exploited. Wherever possible, the security standards a system must meet should be stated as requirements of the system, as should the processes that assess those standards and ensure compliance with them.

4. Understand security is a balance, not an absolute state
A common fallacy with security is that a system is either “secure” or “insecure”, but any system will eventually fall to a determined attacker. As organizations focus on understanding the balance between what data is being protected, who it is being protected from and the overall impact a breach will have, organizations can be sure their system is not just “secure”, but “secure enough”. In addition, vulnerabilities and risks will evolve over time, and security controls need to adapt accordingly.

5. Communicate early and clearly in the event of an incident
Even when all reasonable measures are taken, security incidents still occur. When a system is compromised, customers are often left wondering about the impact, and the resulting speculation adversely affects a company's reputation. Communicating with customers early is essential; failing to do so promptly, clearly and concisely after a breach can be detrimental to a brand. To avoid confusion, organizations should develop an incident response plan in advance that answers the inevitable questions about who takes responsibility for a breach, how it affects customers and how to minimize the potential damage to the organization.

Attacks against IT systems are inevitable, but a company’s preparedness can determine how successful breaches are and how much impact they ultimately have on the business. CEOs can start with these five tips to ensure the IT department understands the value of security — not just the cost — to keep its data, businesses and reputation safe.



IDG Connect