Cybersecurity is a hugely complicated area, and there is no end of products and salespeople trying to push you to buy something. Where do you start?
Here are 10 key steps:
1. Perimeter security. The perimeter includes both the physical security of your office and the boundary of your systems. Every network makes contact with the outside world, and those points of contact should be firewalled. Knowledgeable and trusted experts who understand the complexities of system and firewall management need to configure this equipment and keep it up to date. In practice this means minimising the number of open ports and exposed services, and using the encrypted versions of the email and web protocols (HTTPS for the web, and IMAP or SMTP over TLS for email) rather than their unencrypted originals.
2. Least-privilege policy. Access to systems should follow a least-privilege policy. For example, when a person is given access to a system, the default should be that they have no rights to anything. Privileges are then granted according to what that person needs to do in the system, building up to include only the data and processes they require, and they should be reviewed whenever someone changes role or leaves. If your systems don’t follow least privilege, you are significantly exposed to cyberattack, to fraud and to errors.
3. Stay up to date. All computers should run up-to-date operating systems that are properly patched, and use up-to-date anti-virus and anti-malware software. However, traditional anti-virus only works well when it already knows what it is up against. Newer protection systems coming on the market look for programs behaving suspiciously and automatically shut the program down before it has had time to cause mayhem. These systems provide protection against new attacks (often called “zero-day” attacks, because no patch or signature exists for them yet) because they spot the bad behaviour of an application rather than recognising the malware itself.
4. Encryption. To protect your data, it should be encrypted by default and only accessible to those with approved rights to look at it. Where you hold customer data, particularly user accounts and passwords, ask your IT team whether the passwords are “hashed and salted” using a slow, purpose-built password-hashing function (such as bcrypt, scrypt, Argon2 or PBKDF2). Done properly, this makes the passwords very difficult to recover even if your systems are breached. It is unforgivable nowadays to be holding customer data unencrypted (known as “clear text” or “plain text”).
5. People issues. Security systems can be bypassed by canny criminals because they know where the weak link in the security chain is: your employees. Criminals have become highly adept at social engineering, manipulating people in your organisation to their own ends. For instance, an email to your financial controller posing as you, the CEO, telling them to pay a supplier and providing new bank account details is not unusual; many people fall for this and a lot of money can be lost very quickly. Sound financial processes (for example, confirming any payment or change of bank details by phone on a number you already hold, never one given in the email) together with regular training and awareness for your staff are the main defence against this kind of attack.
6. Backups. Your data and systems should be backed up regularly, with copies stored off-site, preferably with no connection to your live systems (known as an “air gap”) so that ransomware cannot reach them. Ensure the backups keep multiple versions of the same document, in case corruption or malicious encryption took place at some point in the past, and test restoring from them periodically; a backup that has never been restored is not one you can rely on. Having a decent backup can be the difference between having a business post-disaster and not.
7. Bespoke software. Bespoke software and web applications must be built by experts, using modern tools and techniques. Good developers build secure software, bad ones don’t, and you won’t necessarily know which you have. Ask whether they are designing against the OWASP Top 10 (the most common web application weaknesses, such as injection and broken access control), and consider getting an independent penetration test, which can be done for well under £5k.
8. Attitudes. Create a “security culture” where taking this seriously is encouraged. Ensure you and the Board demonstrate good practice: if you write your passwords on post-its, you should fully expect your staff to do the same, and one day you will probably be hacked as a result.
9. Crisis Planning. Establish in advance how you will handle a crisis. Who is in charge if you are hit by ransomware and decisions need to be taken on the spot? GDPR requires you to notify the ICO of a personal data breach that is likely to put individuals at risk within 72 hours of becoming aware of it. Decide now who is responsible for making this happen; failure to do so can result in a fine.
10. Certification. Get certified; this will give focus and purpose to your efforts to improve security. A good place to start is Cyber Essentials Plus. This is a UK government-backed certification that demonstrates to you, your company and your customers that you take security seriously, that you are working to ensure their data is held securely and that your systems are well managed. We know of clients that have won new customers simply because having Cyber Essentials Plus made them stand out from the competition.
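Step 7 asks whether developers design against the OWASP Top 10. As an added illustration (not code from this briefing or from Freeman Clarke), the following Python example shows the single most familiar entry on that list, SQL injection, in a vulnerable form beside its fixed form. The in-memory SQLite database, the rows in it and the attacker’s input are all constructed for the example. Note that the vulnerable version behaves perfectly for ordinary input, which is why a developer may never notice the flaw and why an independent penetration test is worth paying for.

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows (not real customer data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (email, role) VALUES (?, ?)",
        [
            ("alice@example.com", "admin"),
            ("bob@example.com", "staff"),
            ("carol@example.com", "staff"),
        ],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, email: str) -> List[Tuple[str, str]]:
    """Deliberately vulnerable: the user-supplied value is spliced into the SQL
    text, so a crafted input can change the query's logic (OWASP 'Injection')."""
    query = f"SELECT email, role FROM users WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, email: str) -> List[Tuple[str, str]]:
    """Hardened form: a parameterised query. The value travels separately from
    the SQL text, so it is always treated as data and never as SQL."""
    return conn.execute(
        "SELECT email, role FROM users WHERE email = ?", (email,)
    ).fetchall()


# A constructed attacker input. Inside the vulnerable query it becomes
#   ... WHERE email = 'x' OR '1'='1'
# which is true for every row, so the whole table is returned.
MALICIOUS_EMAIL = "x' OR '1'='1"


def demo() -> dict:
    """Run both versions against the sample data and report how many rows leak."""
    conn = make_db()
    return {
        "vulnerable_rows_leaked": len(find_user_vulnerable(conn, MALICIOUS_EMAIL)),
        "safe_rows_for_attacker": len(find_user_safe(conn, MALICIOUS_EMAIL)),
        "safe_rows_for_real_user": len(find_user_safe(conn, "alice@example.com")),
    }


if __name__ == "__main__":
    print(demo())
```

The only difference between the two functions is whether the value is glued into the query string or passed as a parameter. The same principle applies to every database and every web framework, and “do you use parameterised queries everywhere?” is a fair question to put to whoever builds your software.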
We have also created a more detailed CEO’s Briefing document on IT Risks, Compliance and Security, which you can download.
Freeman Clarke is the UK’s largest and most experienced team of part-time (we call it “fractional”) IT directors, CIOs and CTOs. We work exclusively with SME and mid-market organisations and we frequently help our clients use IT to beat their competition. Contact Us and we’ll be in touch for an informal conversation.