Panic! … if you’re not doing these 7 things for cyber-security
For many organisations, cyber security is a business area that often gets overlooked or skimmed through – particularly for smaller businesses and start-ups. However, much like an insurance policy, there are measures which can be taken early to prevent issues becoming critical later. Addressing potential cyber security threats early doesn’t have to be a costly exercise – and it is certainly worthwhile if a security breach could have financial implications.
This list is based on the government’s outline of the basic steps your business urgently needs to take, in order to stay secure and mitigate the most common risk factors when it comes to cyber security.
1. Have a risk management policy
As a bare minimum, your business needs to outline a risk management policy. In an ideal world, this document should be built out into a complete information assurance (IA) structure – but the policy lays the foundation of how your organisation approaches the various cyber risks it may face. The policy must be supported by your leadership team and communicated across the business to ensure that employees, contractors and suppliers are aware of your organisation’s risk management boundaries.
2. Secure baseline builds and networks
Your business should introduce corporate policies and processes to develop secure baseline builds, and manage the configuration as well as the use of your ICT systems. By removing or disabling unnecessary functionality from your systems, and keeping them patched against known vulnerabilities, you will maintain a decent first line of defence. Failing to do this, however, will expose your business to threats and vulnerabilities, and increase risk to the confidentiality, integrity and availability of systems and information.
When configuring perimeter and internal network segments, you should always follow recognised network design principles and ensure all network devices are configured to the secure baseline build. You should then filter all traffic at the network perimeter, ensuring that only traffic required to support your business is allowed. You should also monitor traffic for unusual or malicious incoming and outgoing activity that could indicate an attack – or an attempted attack.
3. Maintain the right user privileges
All users of your ICT systems should only be provided with the user privileges that they genuinely need in order to do their job. By controlling the number of privileged accounts for roles such as system or database administrators, and ensuring they are not used for high-risk or day-to-day user activities, you can reduce the risk of inappropriate activity. You should also monitor general user activity – especially when it comes to accessing sensitive information, managing new user accounts, changing user passwords and deleting accounts or audit logs.
4. Educate and enable
You should produce user-appropriate security policies that describe the acceptable and secure use of your organisation’s ICT systems. You should then refer to these policies in any employment terms and conditions. All users should also receive regular training on the cyber risks they may face as employees and individuals. Any security related roles such as system administrators or incident managers will require specialist training.
5. Manage incidents
You need to establish an incident response and disaster recovery plan that addresses the full range of security incidents that can occur within the business. This process should be regularly tested and updated as required. Any online crimes you may witness should always be reported to the relevant law enforcement agency to help the UK establish a clear view of threats to the nation, working towards delivering an appropriate response.
6. Prevent and monitor
You should produce policies that directly address the business processes vulnerable to malware. By scanning for malware across your organisation and protecting all host and client machines with antivirus solutions, you will be able to scan all information supplied to or from your organisation for malicious content.
You should also establish a monitoring strategy for staying informed, while developing supporting policies that take into account previous security incidents and attacks. Continuously monitoring all ICT systems using Network and Host Intrusion Detection Systems (NIDS/HIDS) and Prevention Systems (NIPS/HIDS), you will be able to identify unusual activity or trends that could indicate attacks and the compromise of data.
7. Manage endpoints and mobile devices
Assess the risks to all types of mobile working, including remote working where the device connects to the corporate network infrastructure, and develop appropriate security policies. Train your mobile users on how to use their mobile devices securely across all locations and apply the secure baseline build to all types of devices in the business. It’s important to consider protecting both data at rest using encryption (if the device supports it) and data in transit using an appropriately configured Virtual Private Network (VPN).
We often guide clients through the quagmire of cyber security and help them understand their risk exposure as well as how to manage staff training and enablement. If you want to discuss some of your security requirements and how to address them when selecting software and development options, we’re more than happy to help.