Businesses are much more aware of the dangers of cyber attack. Attackers are doing it for profit, and are organised. The damage to a business can be huge, in terms of loss of crucial data, reputational damage and even GDPR fines. Sadly, there is no single silver bullet to make your business secure from attack, however here are 12 steps that you can take to protect your business.
Keep reading to access a free infographic on what you need to secure your business
1 - Security Assessment
Many companies only have the vaguest awareness of the level of cyber threat and the degree of their exposure to it. Get an assessment done that provides you with a written report of the vulnerabilities, the level of risk, and the options and costs of addressing those vulnerabilities. Budgets are not unlimited, but with a security assessment, management can have visibility of the risks, prioritise the most severe, and have an agreed acceptance of the less severe risks. You can’t manage risks that you don’t know about.
2 - Spam and malicious Email
Most attacks originate in email. Filter your emails for known spam/malware before they even reach your network. You should consider banning users from accessing their private email on company PCs/laptops. It is normal for corporate email to be filtered for malware, but personal email accounts such as Gmail are not. If a user triggers malware contained in a personal email on a company PC, the malware will still infect the company network.
3 - Passwords and Policy
Define and apply security policies on your network. Enforce rules about password length, complexity, and frequency of changing. Deny or limit USB file storage access, and set screen timeouts. One area of vulnerability is the accounts of users who are no longer with the company being left in place. Make sure you have a defined leavers procedure that includes clearing down inactive accounts.
4 - Security Awareness
Train your users to spot malicious emails and phishing attacks. As well as improving your security, the provision of this training provides a big tick in the box when it comes to demonstrating GDPR compliance.
One handy tip for Office 365 is to upload a picture of your company logo or office building as the background of the Office 365 login page for your users. That way, if an attacker manages to get a user to a fake Office 365 login screen, it will look like the standard login page and won’t have your company logo or picture behind it. This will make users pause before entering their credentials, as it won’t look right.
5 - Advanced Endpoint Security
We all know about anti-virus software, and how important it is to keep it up to date. The latest endpoint security goes beyond simple anti-virus, to protect against file-less and script based threats. That said, the biggest thing is to have a regime in place so that all PCs/laptops are covered, and they continually get the security updates.
6 - Multi-Factor Authentication
We are very used to providing a username and password in order to log in to all sorts of sites and applications. The problem is that if we are tricked into providing these credentials, an attacker can use them from any PC, anywhere in the world.
A simple form of multi-factor authentication is provided by a free app on a mobile phone which continually generates a one-time 6 digit code that expires after 60 seconds. As well as your username and password, you will be required to enter the 6 digit code. Even if an attacker gets you to provide it in a phishing attack, it will be of no use to them once it expires after 60 seconds.
This should be used wherever possible. It is a simple, inexpensive and effective way to ensure that even if your password gets stolen, your data will remain safe.
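The one-time code described above is a TOTP (RFC 6238): an HMAC over the current time step, truncated to 6 digits. The following is an added example, not code from the original post; it uses the RFC's 30-second step (the post's "60 seconds" corresponds to the server accepting the neighbouring step as well), and the secret values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6   # code length, as in the post

# Constructed demo secret (base32) shared between server and phone app at enrolment; not a real key.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret_b32: str, now: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of whole steps since the epoch."""
    return hotp(secret_b32, now // step)


def verify(secret_b32: str, code: str, now: int, step: int = STEP, window: int = 1) -> bool:
    """Server-side check. Accepts the current step plus/minus `window` steps to absorb clock
    drift, and compares in constant time so timing does not leak which digits matched."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret_b32, now // step + drift), code):
            return True
    return False


def replayed_code_still_valid(secret_b32: str, stolen_at: int, replayed_at: int) -> bool:
    """Models the phishing case from the post: a code captured at `stolen_at` is tried by the
    attacker at `replayed_at`. Outside the acceptance window it is rejected."""
    stolen_code = totp(secret_b32, stolen_at)
    return verify(secret_b32, stolen_code, replayed_at)


if __name__ == "__main__":
    t = int(time.time())
    print("current code:", totp(DEMO_SECRET_B32, t))
    print("replay 2 minutes later accepted?", replayed_code_still_valid(DEMO_SECRET_B32, t, t + 120))
```

Note that the window is deliberately short: a code captured by a phishing page and used two minutes later is refused, which is the property the post relies on.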
7 - Computer Updates
Keep Microsoft, Adobe and Java software updated with the latest security patches. All software vendors discover bugs and vulnerabilities in their software, and they are constantly releasing updates to fix them. Many attacks take advantage of known vulnerabilities in widely used software. A regime of regular patching will minimise your exposure.
8 - Dark Web Research
One of the problems with using the same password for different sites is that if one site is compromised, the attacker will sell the password data on the dark web. For example, an online provider of mobile games suffered a data breach and the attackers accessed thousands of usernames and passwords. If a user signed up to the game using their company email address as a username, together with a password (possibly the same one they use for work), then the attacker now has that combination of credentials.
Attackers will sell lists of names and passwords obtained from such data breaches on the dark web. A dark web report can show whether password data for your network is for sale, and prompt users to stop using that password.
Visit Have I Been Pwned to check if you have an email account that has been breached.
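Have I Been Pwned also offers a Pwned Passwords "range" API (documented at https://haveibeenpwned.com/API/v3#PwnedPasswords) that lets you refuse a password that has already appeared in a breach without ever sending the password itself: only the first five hex characters of its SHA-1 hash are sent, and the returned list of hash suffixes is compared locally. This is an added example, not code from the original post; the sample response is constructed and the network fetch is left as an injectable function so the check runs offline.

```python
import hashlib
from typing import Callable

# Constructed stand-in for the body returned by GET https://api.pwnedpasswords.com/range/<prefix>.
# Each line is "<35 hex chars after the prefix>:<times seen in breaches>". A real response for
# one prefix contains hundreds of lines, which is what hides the queried password among them.
SAMPLE_RANGE_RESPONSE = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",       # constructed
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",  # suffix of SHA-1("password"); count constructed
    "2A7C2D9F4A0A4E2B9B6E1F3B4C5D6E7F8A9:7",        # constructed
])


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix that is sent
    and the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response and return how many times our suffix was seen (0 if absent)."""
    for line in range_body.splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity check: send only the hash prefix, match the suffix locally."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch_range(prefix))


def offline_fetch(prefix: str) -> str:
    """Constructed replacement for the HTTP call, so the example runs without network access."""
    return SAMPLE_RANGE_RESPONSE


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        seen = breach_count(candidate, offline_fetch)
        verdict = f"seen {seen} times in breaches, reject" if seen else "not in the sample set"
        print(f"{candidate!r}: {verdict}")
```

In production, replace `offline_fetch` with an HTTPS GET to the range URL and run the check when a user sets or changes a password, rejecting anything with a non-zero count.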
9 - Password Management
We all use so many passwords both at work and in our personal lives, that it is hard to keep track of them all. There are problems if you re-use passwords for different sites. Consider using one of the password management applications to make it easy to have unique and strong passwords for every application.
10 - Firewall
In security terms your firewall is your front door. At the very least, the firewall should be kept updated so that it can scan for the latest malware incidents. The current generation of firewalls can do so much more than before, but in order to do it they need active management. Make sure that ports that don’t need to be open are closed. Turn on Intrusion Detection and Intrusion Prevention features. If your IT team don’t know what these are, then call Concise.
11 - Encryption
Wherever possible, the goal is to encrypt files at rest and in motion (think email), especially on mobile devices. Hard drive encryption is now an option included in Windows 10 Professional. Be aware that the encryption only protects the data when the PC/laptop is shut down, as opposed to being put to “sleep”. The use of SSL VPN technology ensures that data being sent over the internet is encrypted. This is particularly important if you use publicly provided wi-fi such as in hotels and cafes.
12 - Backup
Your backup is your last line of defence against ransomware attacks. Backup locally, and backup to the cloud. Be aware of how often the backups run, how long the data is stored (retention policy) and how long it would take you to restore the data. Most importantly, test your backups. Make sure that they are working and covering all your data.
Our next generation cyber security service, Concise Protect, aligns your IT policies and procedures with government compliance requirements.
- A security audit is essential to understand how secure your systems and data are. This will tell you where there is room for improvement.
- Help your people make better decisions about protecting your data by providing awareness training to spot suspicious emails.
- Backup and recovery are an essential part of protecting and securing your data. Make sure you know what to do when disaster strikes.
- Follow the rest of the 12 ways in the infographic below, which summarises them for you.
- Consider getting certified with Cyber Essentials Certification from IASME. This government-backed scheme shows customers and the outside world that you have a sound level of IT security set up in your business. We are a Certification Body of the scheme. Talk to us today about getting certified.
- Want someone to deal with it for you? Consider Concise Protect which brings all 12 ways together, constantly monitors and aligns to government compliance through GDPR and Cyber Essentials Certification.
Mark Howard is Technical Solutions Consultant at Concise Technologies and has been with the company for 10 years.