Why should I care about Cyber Security?
If you pick up a newspaper or browse the Internet for even a minute then you can’t help but see stories of high profile cyber-attacks affecting large organisations such as Talk Talk, Sony and the NHS.
However, small businesses are equally, if not more, vulnerable. It's a sobering thought that nearly half of all businesses reported a cyber breach or attack in the past 12 months, and the majority of those affected were small businesses.
On top of this, if you hold and/or process personal data, the introduction of GDPR next May places a further onus on your organisation to have adequate security in place.
To put it simply, there has rarely been more of an imperative to make sure your cyber security is fit for purpose and reviewed regularly. It's certainly not enough to have the odd penetration test and a password policy. A penetration test is a snapshot of one moment: its findings start to go stale as soon as your systems change or new vulnerabilities are published. And a password policy, however strict, does nothing to stop someone capturing a password simply by looking over an employee's shoulder as they log in from a café. A far more holistic approach is necessary these days, so let's take a look at some good areas to consider first.
Where do I start?
Our recommendation is that the government's Cyber Essentials scheme is an excellent starting place for organisations that don't currently have any formal cyber security controls in place. The scheme is designed to cover five basic technical controls that address the most common ways organisations are attacked, and it is a subset of more comprehensive standards such as ISO 27001.
In a nutshell Cyber Essentials recommends the following:
1. Boundary firewalls and internet gateways – ensure you have firewalls in place between your network and the Internet, that they are running current firmware, that the default administrative passwords have been replaced with strong ones that are changed regularly, and that the management interface cannot be reached from the Internet.
2. Secure configuration – all computer systems and software should be configured as securely as possible: remove or disable accounts, services and software you don't need, change any default passwords, and run the latest versions and patches. Mobile devices should have a password or passcode enabled.
3. Access control – it's critical that access is controlled, and this should include a formal process for granting appropriate access only to people who require it for their role. There should also be a process for revoking access when people leave the organisation or change role. Administrative (privileged) access should be restricted to the minimal set of individuals who need it, and those individuals should use a separate, non-privileged account for everyday work such as email and web browsing. If you use a lot of mobile devices, then you should also consider ways to remotely erase or block access to data if they are lost or stolen.
4. Malware protection – computers, especially those exposed to the Internet, should have up-to-date malware protection software. This should be configured to scan files automatically on access and to run a full scan at least daily. Website blacklisting (for example through a web or DNS filter) should be used to prevent access to known malicious websites.
5. Patch management – software running on computers and network devices should be kept up to date, with security patches applied promptly (Cyber Essentials expects critical and high-severity patches to be installed within 14 days of release) and software that is no longer supported by its vendor removed.
And of course, most importantly, don't forget to back up your data. Ideally keep copies in more than one location, and make sure at least one copy is not permanently connected to your device or network; otherwise whatever compromises your machines, ransomware included, can reach your backups too.
Bear in mind also that regularly testing that you can actually restore from your backups is part of the process. You'd be surprised how rarely this is done, with the result that backups often turn out to be useless at the very moment they are needed.
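One practical way to make that restore test routine is to script it. The shell script below is an added example, not code from the original article or from the Cyber Essentials scheme: it backs a directory up to a tarball, restores the tarball into a scratch directory, and compares a SHA-256 checksum of every file with the live copy. It also shows the check failing when the backup no longer matches the live data, which is exactly the case you want to be told about rather than discover after an incident. The directory names and file contents are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article: a minimal "can I actually
# restore?" check. It backs a directory up to a tarball, restores the tarball
# into a scratch directory and compares a checksum of every file with the
# original. The directory layout and file contents are constructed for the
# demonstration; point backup_dir/verify_restore at real paths to use it.
set -eu

# Constructed sample "live" data standing in for a small business file share.
make_sample_data() {
    dir=$1
    mkdir -p "$dir/invoices" "$dir/hr"
    printf 'invoice 1001: 250.00 GBP\n' > "$dir/invoices/1001.txt"
    printf 'invoice 1002: 99.50 GBP\n'  > "$dir/invoices/1002.txt"
    printf 'leaver checklist v3\n'      > "$dir/hr/leavers.txt"
}

# Back up SRC ($1) into ARCHIVE ($2) as a gzip-compressed tarball.
backup_dir() {
    tar -C "$1" -czf "$2" .
}

# SHA-256 of one file, falling back to shasum where sha256sum is absent.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# Checksum every regular file under DIR ($1), sorted by relative path, so
# that two directory trees can be compared line by line.
checksum_tree() {
    (cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        hash_file "$f"
    done)
}

# Restore ARCHIVE into a fresh scratch directory and compare it with SRC.
# Returns 0 when every file is present and identical, 1 otherwise.
verify_restore() {
    src=$1; archive=$2
    scratch=$(mktemp -d)
    tar -C "$scratch" -xzf "$archive"
    expected=$(checksum_tree "$src")
    actual=$(checksum_tree "$scratch")
    rm -rf "$scratch"
    if [ "$expected" = "$actual" ]; then
        echo "restore test PASSED: all files verified"
        return 0
    fi
    echo "restore test FAILED: restored data does not match the live copy" >&2
    return 1
}

# Demonstration: a fresh backup verifies; a backup that no longer matches the
# live data (here a file added after the backup was taken) is reported as a
# failure rather than silently trusted. Returns 0 if both behave as expected.
run_demo() {
    work=$(mktemp -d)
    make_sample_data "$work/live"
    backup_dir "$work/live" "$work/backup.tgz"
    fresh_ok=1
    verify_restore "$work/live" "$work/backup.tgz" || fresh_ok=0
    printf 'invoice 1003: 10.00 GBP\n' > "$work/live/invoices/1003.txt"
    stale_detected=0
    verify_restore "$work/live" "$work/backup.tgz" 2>/dev/null || stale_detected=1
    rm -rf "$work"
    [ "$fresh_ok" -eq 1 ] && [ "$stale_detected" -eq 1 ]
}

run_demo
```

Run it from cron against a real backup archive and have it alert on a non-zero exit; a restore test that nobody looks at is no better than no test at all. For large data sets you would restore a sample of files rather than the whole archive, but the principle is the same: compare what comes out of the backup with what you think is in it.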
Where can I find out more?
A really good starting place for further reading is this government website, which explains cyber security for small businesses: https://www.cyberaware.gov.uk/cyberessentials/
The website includes a questionnaire that can help you determine how secure your business is and where you need to improve. So why not take time to go through this and if you need any further help or guidance, especially with respect to software security, Verasseti can help. Just pick up the phone for a no obligation chat.