In the article below our Founding Partner, Irwin Mitchell, outlines straightforward ways to manage cyber-risk effectively. Initially, every business should have a cybersecurity strategy and someone who owns it. That strategy should identify your current cybersecurity status and gaps, what you want to achieve, and by when.
You can’t do everything and you will have a limited budget, but a good place to start is to pick an industry cybersecurity standard. Many good cybersecurity frameworks are available online and many are free (including Cyber Essentials). A pragmatic one for SMEs is the NCSC’s 10 Steps to Cyber Security.
For many SMEs, the key take-home message is simple: ask a professional for some help.
The top security risks, and the key controls that mitigate them, are explained below.
1. Cloud Services are the primary target for criminals
The risk is that online services can be hacked into from anywhere in the world with just a username and a password.
As more ‘cloud’ services are used, particularly Office 365, they have become the primary target for criminals because they can be accessed with nothing more than a (stolen or guessed) username and password.
Use two-factor authentication for all remote access, including email and other key online services such as Office 365.
Educate colleagues on the use of strong passwords and not reusing passwords.
Sign up to haveibeenpwned.com for free to be notified automatically if any of your accounts appear in a breach. If your email address has been involved in a third-party breach, change the password on every online service that used the same email-password combination as the breached account.
2. Ransomware
Malware (malicious software) that locks up your files and demands a payment to release them. Typically, ransomware is delivered to victims via phishing emails or compromised websites.
Remove ‘local admin rights’ from normal user accounts (this mitigates 85% of the malware risk).
Use antivirus on all your computers and ensure it is kept up to date automatically.
Ensure your laptops and desktops are automatically kept up to date with security patches.
Block malicious emails using a Secure Email Gateway (email filtering).
Disable ‘macros’ in Microsoft Office products, especially in Outlook email.
Maintain regular backups of critical data and systems.
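As an added example (not code from the article or its author), the script below performs a read-only audit of a single Windows 10/11 endpoint against four of the controls above: local admin rights, antivirus status, patch currency and Office macro policy. It assumes Microsoft Defender as the antivirus, Office 2016/2019/365 (registry version key 16.0) and an elevated PowerShell 5.1 session; the 7-day signature-age and 45-day patch-age thresholds are assumptions chosen for illustration, not figures from the article.

```powershell
# Added example: audit one endpoint against the ransomware controls.
# Read-only: nothing is changed, findings are printed for an administrator to act on.
$findings = @()

# Control: remove local admin rights from normal user accounts.
# List every *user* in the local Administrators group other than the built-in account.
$admins = Get-LocalGroupMember -Group 'Administrators'
foreach ($m in $admins) {
    if ($m.ObjectClass -eq 'User' -and $m.Name -notmatch '\\Administrator$') {
        $findings += "Local admin right held by user account: $($m.Name)"
    }
}

# Control: antivirus on every computer, kept up to date automatically (Defender shown).
$mp = Get-MpComputerStatus
if (-not $mp.RealTimeProtectionEnabled) {
    $findings += 'Defender real-time protection is turned off'
}
if ($mp.AntivirusSignatureAge -gt 7) {   # 7 days is an assumed threshold
    $findings += "Antivirus signatures are $($mp.AntivirusSignatureAge) days old"
}

# Control: laptops and desktops automatically patched.
# Date of the most recently installed update; 45 days is an assumed threshold.
$lastPatch = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1 -ExpandProperty InstalledOn
if (-not $lastPatch -or $lastPatch -lt (Get-Date).AddDays(-45)) {
    $findings += "No update installed in the last 45 days (last seen: $lastPatch)"
}

# Control: disable macros in Office. VBAWarnings policy value 4 means
# "Disable all macros without notification". Outlook stores its macro setting
# under a different value name and is not checked here.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $val = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
    if ($val -ne 4) {
        $findings += "$app macros are not disabled by policy (VBAWarnings = $val)"
    }
}

if ($findings.Count -eq 0) {
    'No findings: this endpoint meets the checked controls'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Run it on a representative machine before and after applying the controls; a clean run still leaves the Secure Email Gateway and backup controls to be verified by other means, since neither is visible from the endpoint registry.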
3. Phishing is the most common type of cyber-attack
The digital equivalent of a confidence trick, used to plant malware, steal your online service passwords or other confidential information, or trick you into financial fraud.
According to the FBI, phishing remains the most common type of cyber-attack and results in the largest financial losses (for example fake CEO bank transfer emails).
Conduct all-colleague security awareness training on cybersecurity at least annually, with a particular focus on phishing awareness.
Conduct regular phishing testing to keep up a good level of awareness.
Clearly mark emails from external senders as such (for example with a banner reading “THIS IS NOT FROM US”).
Put financial controls in place to ensure checks are made for large payments by bank transfer.
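As an added example (not code from the article or its author), this is one way to implement the external-sender marking described above in Exchange Online: a transport rule that prepends a subject tag and an HTML banner to every message arriving from outside the organisation. It assumes the ExchangeOnlineManagement module, an account holding an Exchange administrator role, and a tenant where Outlook's native external tag is available; the rule name and banner wording are assumptions.

```powershell
# Added example: tag inbound mail from outside the organisation.
Connect-ExchangeOnline

$ruleName = 'Tag external senders'   # assumed name
$banner = '<p style="background:#fff8c4; padding:6px; border:1px solid #c00000">' +
          '<b>THIS IS NOT FROM US</b> - this email came from outside the organisation. ' +
          'Do not act on payment or password requests without verifying them by phone.</p>'

# Create the rule only if it does not already exist, so the script is safe to re-run.
if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName `
        -FromScope NotInOrganization `
        -SentToScope InOrganization `
        -PrependSubject '[EXTERNAL] ' `
        -ApplyHtmlDisclaimerLocation Prepend `
        -ApplyHtmlDisclaimerText $banner `
        -ApplyHtmlDisclaimerFallbackAction Wrap `
        -Comments 'Marks mail from outside the tenant so colleagues can spot phishing'
}

# Also switch on Outlook's built-in "External" tag, which is shown by the
# client itself rather than injected into the message body.
Set-ExternalInOutlook -Enabled $true

# Confirm the rule is enabled and review its scope.
Get-TransportRule -Identity $ruleName | Format-List Name, State, FromScope, PrependSubject

Disconnect-ExchangeOnline -Confirm:$false
```

The subject tag survives forwarding and is visible on mobile clients that may not render the HTML banner, which is why both are applied; the fallback action of Wrap ensures messages that cannot be modified (for example encrypted ones) are still delivered inside a wrapper message carrying the banner rather than being dropped.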
4. Vulnerability scanning
A common reconnaissance method used by criminals to find weaknesses in your internet-facing systems (for example your remote access solutions).
This can be used for good too, for your own threat intelligence to proactively find weaknesses to fix.
Activate the intrusion prevention systems (IPS) feature on your network boundary firewalls.
Use a ‘vulnerability scanning’ service to scan your public internet-facing network regularly to proactively find weaknesses for fixing (or join the NCSC’s Cyber Security Information Sharing Partnership (CiSP) and have your network monitored for free).
Put a system patching process in place to ensure that software and systems are kept up to date.
5. Is your supply chain at risk?
The risk arises when a third party your business uses fails to secure your sensitive data adequately, or when a software provider you rely on is insecure or is compromised and used to spread malware to your business.
Implement a process to conduct security and privacy risk assessments for any new technology suppliers or suppliers who store or process your sensitive data. (Consider a Remote Vulnerability Assessment).
Educate colleagues that they must follow approval processes to use new suppliers and new technologies to ensure they are secure and compliant.
6. Home physical security
IT assets, paper documents, voice and video calls at home may not have the same levels of physical security and privacy as when in the office.
Educate your colleagues on how to work safely and securely at home with guidance on:
Locking away or securing physical assets when not in use.
Shredding business documents, or securing them until they can be securely disposed of back in the office.
Being conscious of sensitive conversations being overheard.
Being conscious of what’s in the background on video calls.
Heightened awareness of phishing and other scams.
Only using authorised IT devices, online services and apps for business purposes.
Only downloading mobile apps from the official app stores.
Additional guidance on how organisations can protect themselves in cyberspace can be found through the NCSC.
The EU/UK trade deal: how does this affect digital trade and data?
The Government has also recently announced that the Treaty agreed with the EU will allow personal data to continue to flow freely from the EU (and EEA) to the UK until adequacy decisions have been adopted, for a period of no more than six months. If this is likely to affect your business, please see the full ICO statement.