10 practical tips for more IT security

IT security service provider F5 Networks has developed 10 practical tips for companies from global analyses of current cyber threats. They can use them to improve their IT security approach.

The IT of many companies is still insufficiently prepared for attacks. 10 practical tips can help. (Image: Fotolia.com)

There are still many myths about security. But companies should only make decisions based on hard facts. For example, 72 percent of attacks today target user identities and applications. Yet only 10 percent of the IT security budget is spent on protecting them. The threat posed by internal employees also continues to be underestimated. According to Fortune, one in five employees would sell their personal company passwords, nearly half of them for less than $1,000.

Only a few companies are sufficiently prepared

Over 4 million records are compromised daily. More than 2 billion compromised accounts are available for purchase online. Last year, Google discovered between 9 and 49 million malware sites and 22 to 54 million phishing sites each week. "Given these numbers, the real question today is not if a company is under attack, but when," said Andreas Riepen, vice president DACH at F5. "However, only a few companies are really adequately prepared for the worst-case scenario. Last year alone, for example, over 26.5 million websites were hacked. But comprehensive protection through an integrated security architecture is not witchcraft. And even a few simple tips can go a long way in practice."

10 practical tips increase security

  1. Understand the motives, goals, and tactics of hackers: Most hackers are cybercriminals who are only after one thing: Money. And although they have a reputation for constantly coming up with the most ingenious plans, many of their methods are actually quite simple. In the end, they always choose the path of least resistance and look for easy targets.
  2. Match your budget to your threat landscape - and plan for cyber insurance, too: Be sure to plan for cyber insurance in your budget. A small amount for consumer confidence is unlikely to ruin your business, but the data breach and associated costs caused by a hacker attack may.
  3. Train all employees - from administration to the board of directors: When it comes to security, everyone matters, and that's why it's important to make everyone aware. Educate your users vigorously so they can recognize and defend against targeted phishing attacks. Make them aware of the importance of proper password management (and the danger unprotected passwords can pose), and provide them with tools like Password Safes.
  4. Control access properly: Limit the number of user identities. Multi-factor authentication (MFA) for access to your network and its applications can mitigate the risk of identity attacks. Don't use insecure or predetermined username/password combinations. Bare password hashes offer virtually no protection at all. Remember that access is a privilege.
  5. Manage your vulnerabilities: Use a scanning solution for each network, system, and software type. Prioritize and automate vulnerability management for web applications. Patch all devices - desktops, laptops, servers, etc. - monthly, especially if you use Windows.
  6. Always provide the necessary visibility, especially for your critical data, because you can't protect what you can't see: Intrusion detection/prevention systems (IDS/IPS), security information and event management (SIEM), data loss prevention (DLP), and other systems must be properly built, implemented, and managed on an ongoing basis.
  7. Hire a hacker and/or set up a bug bounty program: If a successful attack on a particular application could cause significant damage to your business, it's worth hiring a technician to hack it.
  8. Leverage experts, especially in the areas of compliance and incident response: Security-as-a-Service is a great option for effectively managing high-risk controls that require a fast 24×7 response from skilled technicians.
  9. Pursue a DDoS strategy: By now, virtually anyone can build IoT botnets without much effort, which can be used to launch attacks on the order of a few terabytes per second. If you don't already have a plan to combat DDoS attacks, you should develop one quickly.
  10. Communicate the likelihood and impact of an attack: Inform your board, audit committee, and senior management about potential attacks and their consequences. Under no circumstances should you surprise them at some point with a completely unexpected security breach.
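Tip 4 warns that a bare password hash offers almost no protection, but does not say what to store instead. The following example, added here and not part of F5's material, shows the defender's answer: a per-user random salt, a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 from Python's standard library), a self-describing storage record, and a constant-time comparison on verification. It also includes a small audit check that flags stored values that look like an unsalted MD5/SHA-1/SHA-256 digest. The iteration count and record format are constructed choices for this illustration; the example also goes slightly beyond the tip by handling malformed records.

```python
import hashlib
import hmac
import os

# Constructed parameters for this example; production deployments tune the
# iteration count to their hardware and keep the record format stable.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 210_000
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a storable record "algorithm$iterations$salt_hex$key_hex".

    A fresh random salt per password means two users with the same password
    get different records, so a precomputed table of bare digests is useless.
    """
    salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )
    return f"{ALGORITHM}${iterations}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key from the stored salt and compare in constant time.

    Malformed or foreign records verify as False rather than raising, so a
    corrupted credential store cannot crash the login path.
    """
    try:
        algorithm, iterations, salt_hex, key_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(key_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if algorithm != ALGORITHM or rounds <= 0 or not salt or not expected:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, rounds, dklen=len(expected)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


def looks_like_bare_digest(record: str) -> bool:
    """Audit helper: True if a stored value is just a hex MD5/SHA-1/SHA-256 digest.

    Such records carry no salt and no work factor, which is the situation the
    tip warns about; they should be migrated to a salted, slow KDF.
    """
    value = record.strip().lower()
    hex_digits = set("0123456789abcdef")
    return len(value) in (32, 40, 64) and set(value) <= hex_digits


def audit_credential_store(records: dict) -> list:
    """Return the user names whose stored credential is an unsalted digest."""
    return sorted(user for user, rec in records.items() if looks_like_bare_digest(rec))


if __name__ == "__main__":
    # Constructed sample store: one legacy bare SHA-256 entry, one proper record.
    store = {
        "legacy_user": hashlib.sha256(b"Winter2024!").hexdigest(),
        "alice": hash_password("correct horse battery staple"),
    }
    print("needs migration:", audit_credential_store(store))
    print("alice login ok:", verify_password("correct horse battery staple", store["alice"]))
    print("alice wrong pw:", verify_password("wrong password", store["alice"]))
```

Running the module prints the legacy entry as needing migration, a successful verification for the correct password, and a failed one for a wrong guess; the stored record for the same password differs on every call because of the fresh salt.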

If 10 practical tips are not enough, you can find more information in a whitepaper from F5 Networks. This whitepaper, with detailed information on the current data and the threat situation, can be downloaded at https://interact.f5.com/ThreatLandscapeReportDE.html

