This is probably one of the most unpopular topics for those who don’t know much about it. We all know it’s a risk to us either personally or professionally, but unless you are interested in the subject or acquainted with some of the terminology, it’s a tough topic to tackle.
The government recently published a paper with guidance for SMEs. (LINK) Although this is a good resource to refer to, many organisations will find some of the areas covered quite technical, so it isn't fully accessible to them.
With that in mind we wanted to write a short guide highlighting some of the key areas a business should address to improve its cyber security. It is meant as a guide rather than a definitive list of "Do's and Don'ts", but if the areas covered are addressed your business will be more secure. Many in the industry will argue there is a difference between cyber security and network security; the net result, however, is that without taking some basic steps to harden access to your data you are more exposed to criminal activity through the electronic systems you use.
We would always recommend you engage a company to assess your business. However, there are a number of things you can (and should) do yourself which will give you an idea of how your business currently measures up.
1. Awareness and Training
Cyber security isn't just a problem for your IT team or IT service provider, although they will certainly help build awareness. Most threats are aimed at ordinary users. A fake website, an email pretending to be from someone you know or trust, or a text message are the most common starting points. Once an attacker has gained access through a single user, the compromise can soon spiral through to the whole company.
Training everyone in your organisation to look for the common signs is, in our opinion, one of the most important steps in protection. This protects not only your business data and processes but also your teams working outside the office, which is another route of attack.
There are several ways to deliver this training that are both measurable and repeatable, helping you coach your people and track awareness. An easy way is to use an online learning platform. You can support this with periodic testing, such as simulated phishing email campaigns, to see whether any specific areas need further training. Your IT provider will be able to guide you on this.
Once you've established what a threat looks like, you can turn to what these threats might be targeting: your information and, ultimately, your money. With this in mind, review and raise awareness of where your data is and how you access it. This needs to be done systematically for each system you use, from logging on to your laptop, to remote access to your office, to cloud-based information.
2. Username, Passwords and Access
Passwords haven't been the name of your pet for a very long time, thankfully. However, people still use things such as "12345", "Password", "Qwerty", "abc1234", sports teams, birthdays and variations on the theme. An attacker armed with a list of common passwords will guess these within seconds. Longer, harder-to-guess passwords and a second authentication factor are now commonplace and should be used to deliver extra security. We are all used to the idea of adding a code from an app or an email to gain access to the platforms and services we use. If you aren't doing this for your business or personal systems then you need to ask your IT team or service provider how to get MFA (Multi-Factor Authentication) in place. It's often free and just needs a little time to set up and subsequently manage.
Password policies controlling complexity (minimum length, character types), lockouts following repeated incorrect login attempts and, arguably, forced changes are an important step: if a username gets into the wrong hands, gaining entry becomes much more difficult. Not sharing passwords with anyone and not using the same password for multiple systems are also well-known rules. A password manager helps here: it removes the need to reuse passwords and the temptation to write them down. Note that a minimum length and a check against lists of common or previously breached passwords do more than character-type rules alone, because attackers try "Password1!" just as readily as "password".
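To make the password-policy point concrete, here is an added example in Python (not part of the original guide, and not any particular product's rules) that checks candidate passwords against a minimum length, a short constructed denylist of the weak patterns mentioned above, keyboard and alphabet sequences, and embedded years. It shows that a character-type rule alone would pass "P@ssw0rd2023" while a denylist check with normalisation rejects it. The denylist, the substitution table and the test passwords are all constructed for illustration; a real deployment would load a large breached-password list instead.

```python
"""Password policy check for a small business (added example, not from the original guide).

Simple complexity rules pass "P@ssw0rd2023" (12 chars, mixed case, digit,
symbol) even though it is the word "password" dressed up with substitutions
and a year. Normalising the candidate before checking it against a denylist
catches this.
"""
import re

MIN_LENGTH = 12

# Constructed denylist of the weak patterns the guide mentions (plus a few
# football clubs standing in for "sports teams"). Illustrative only.
DENYLIST = {
    "password", "qwerty", "12345", "123456", "abc123", "abc1234",
    "letmein", "welcome", "admin", "liverpool", "arsenal", "chelsea",
}

# Keyboard rows and the alphabet; any 4-character run from these (forwards
# or backwards) counts as a sequence.
SEQUENCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
             "abcdefghijklmnopqrstuvwxyz"]

# Common letter-for-symbol substitutions undone before the denylist check (assumed table).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalise(pw: str) -> set[str]:
    """Return the candidate forms of a password that are compared to the denylist."""
    low = pw.lower()
    # Drop leading/trailing digits and symbols so "Password1!" becomes "password".
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)
    return {low, stripped, stripped.translate(LEET), low.translate(LEET)}


def has_sequence(pw: str, run: int = 4) -> bool:
    """True if the password contains `run` adjacent keyboard-row or alphabet characters."""
    low = pw.lower()
    for seq in SEQUENCES:
        for i in range(len(seq) - run + 1):
            chunk = seq[i:i + run]
            if chunk in low or chunk[::-1] in low:
                return True
    return False


def check_password(pw: str) -> list[str]:
    """Return the policy rules the password breaks; an empty list means it is acceptable."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    hit = DENYLIST & normalise(pw)
    if hit:
        failures.append(f"built on a common password: {sorted(hit)[0]}")
    if has_sequence(pw):
        failures.append("contains a keyboard or alphabet sequence")
    if re.search(r"(19|20)\d\d", pw):
        failures.append("contains a year")
    return failures


if __name__ == "__main__":
    # Constructed candidates: the guide's examples, a "complex" dressed-up word, and a passphrase.
    for candidate in ["12345", "Qwerty", "abc1234", "P@ssw0rd2023",
                      "Liverpool1!", "correct horse battery staple"]:
        problems = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not problems else '; '.join(problems)}")
```

Run it and only the passphrase comes back clean; "P@ssw0rd2023" fails despite meeting every character-type rule, which is why length plus a denylist is the better policy to ask your IT provider for.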
3. Updates
Ensure you implement system and application updates: not just your operating system and antivirus products but all of the apps you use. Your IT provider can help with this and should already manage it for you in line with the business's needs. If you aren't sure, ask them.
4. Backups
Again, this is not just a topic for IT teams and your service provider to discuss. All IT teams will look to provide backups to give the business the best resilience against any potential loss. Off-site copies, cloud backups and designs that include an air-gapped (offline) copy are commonplace. If you aren't aware of the backup strategy and it falls into your remit, ask those who manage it.
As a user you have a part to play too. Making sure your data is saved in the correct location, so that it is actually covered by the backup strategy, is important. If you are unsure, ask your IT provider for clarification.
5. Secure your Data
Think about what you store, where you store it and who has access to it. Protect your most important data first, allowing only those who need access to it to have it. Be aware of the legal guidance and controls that apply. There are a great many options to help control data in today's cloud environment, and also to retain control once that data leaves your environment, which can be useful when you are sharing with third parties. Think about your devices and physical access too. If someone is able to walk into your office and access the systems, or pick up a laptop and walk away with it, what is at risk? Local disk encryption for laptops is a basic step that helps.
6. Access Control
In general terms you need to make sure that only those who need access to your systems and data platforms have it, and that you repeat these checks regularly. Make sure you have solid starter and leaver processes, and that you are reviewing changes to security permissions across your data and the points of entry to your environment. This is an important measure, and once it is in place the next step, Audit and Review, is easier.
7. Audit and review
Once all the good work above, items 1 to 6, is done, there needs to be an easy process to check that it is still fit for purpose and that all relevant controls are working, so that you can see and review changes.
Most companies will have a change process in place. If you have your own IT team or IT service provider they should be working to a framework such as ITIL v4* to ensure a review process and the relevant documentation are in place, with changes logged, authorised and controlled.
What you are looking to do with Audit and Review is to look at the changes made to the environment since the last review, to ensure the security principles still apply and that the risk those changes might pose to your environment is acceptable.
(* The ITIL (Information Technology Infrastructure Library) is a framework designed to standardise the selection, planning, delivery, maintenance, and overall lifecycle of IT (information technology) services within a business).
Go over each of the steps above and review them. Log the process of these reviews so that they are repeatable. For each step, record all feedback and incidents, then review and update the policy and processes going forward.
i. Is everyone up to date with the awareness training? Have they all completed it?
ii. Are all the measures imposed around access control in place and functioning correctly?
iii. Is software up to date? Not just the computers but other devices such as routers and firewalls, and the software and security applications running on them? With the mobile workforce most organisations now have following Covid, you may need to consider personal devices too.
iv. Are the backups running reliably? Are there changes you want to make to the current policy and plan? Are you satisfied that all important data is backed up?
v. What changes have been made to the data, locations and access rights?
vi. What other changes, new devices, equipment and software have been added? Have these additions been brought under the above points so that they are monitored?
vii. Finally, you also need to review the review process itself. Ask yourself the same questions here: are there changes you want to make to the current policy and plan? Have you had any feedback to review? Most of these additions and changes you will already capture as tickets into the service desk or POs to suppliers; however, you need to find an easy way to collate and review them.
viii. There is obviously repetition across the steps; however, it is important to review and adapt. The world of technology changes constantly and you will need to adopt new technologies and tools to enable your business to grow and remain safe.
8. Cyber Insurance
We've left this as the last point on purpose. Some say it is the last line of defence; others argue it is not even that and should not be included! It is clearly important from a risk management point of view. When the worst happens these policies can support you and those affected and potentially mitigate some losses. However, most insurers will expect the steps suggested above to be followed before cover is offered.
These measures are meant to highlight some of the key risks a business may face and a number of measures you can take to mitigate them. We would always recommend you discuss this with your IT services provider. They will work with you to develop policies, measures and solutions specific to your organisation.
REMEMBER THIS IS NOT A ONE-OFF EXERCISE. REGULAR CHECKS AND MONITORING ARE ESSENTIAL