Doing the basics need not cost the earth

Not all of us are lucky enough to have 100 full-time staff working on information security, let alone a budget to match! But that’s no reason to stick your head in the sand and assume no one will be interested in hacking you. There are many things you can do, often free or low cost, that could provide an incremental level of protection over where you are today.

WORDS: BY PAUL SIMMONDS

1. Patch everything and patch fast

The bad guys out there are lazy; why bother crafting a specific attack when you can simply walk in using a known exploit that has been around for years? The fact is that the time to patch 50% of systems in a typical company is around nine months, so simply don’t be one of them.

• Switch on automated patching for every system you can, especially Windows systems.

• For all your key systems, understand the patch cycle for your software vendors (most have a monthly patch cycle), and put those dates into a diary to review and action.

2. Understand what assets you have within your business

The old saying “if you can’t measure it, you can’t manage it” is truer today than ever, in a world where we use more outsourced and cloud services (Gmail, Office 365 etc.) than before. There are free services that allow you to gain a global insight into your assets, such as Qualys Asset View (https://www.qualys.com/apps/global-assetview/). (Full disclosure: I am on the Qualys advisory board.)

3. Regularly check your systems for patch level and misconfiguration

There are many tools available that automatically scan your systems, check for their patch level and look for misconfiguration. You should be demanding from your IT Manager (or CIO) a full report from such an automated tool, on a regular basis. Experience says that the first time you run such a tool/report, two-thirds of your systems will have a vulnerability or misconfiguration that allows exploitation by a trivial attack.
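Steps 1 and 3 both come down to two questions you can ask any Windows machine: is automatic patching actually switched on, and when did the last patch land? The script below is an added example, not part of the article; it reads the standard Windows Update policy values and the installed-hotfix list. The 45-day threshold is a constructed figure, and a device managed by Intune or WSUS may have its settings elsewhere, so treat a "no policy" result as a prompt to check, not as proof of a problem.

```powershell
# Added example (not from the article): report whether Windows automatic
# updates are enforced by policy and how long ago the newest hotfix landed.
# Assumptions: a Windows machine; the policy keys below are the standard
# WindowsUpdate\AU policy values. Reads only, so no elevation is required.

$maxAgeDays = 45   # constructed threshold: older than this and the box is behind the monthly cycle

$auKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue

if ($null -eq $au) {
    Write-Output "No Windows Update policy set; the device uses default update behaviour (or is managed elsewhere)."
} elseif ($au.NoAutoUpdate -eq 1) {
    Write-Warning "Automatic updates are DISABLED by policy (NoAutoUpdate=1)."
} else {
    # AUOptions: 2 = notify before download, 3 = auto download then notify to install,
    # 4 = auto download and schedule the install
    Write-Output ("Automatic updates enabled by policy, AUOptions={0}" -f $au.AUOptions)
    if ($au.AUOptions -ne 4) {
        Write-Warning "Updates are not set to install automatically (AUOptions should be 4)."
    }
}

# Newest installed hotfix; Get-HotFix reads the Win32_QuickFixEngineering class
$latest = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1

if ($null -eq $latest) {
    Write-Warning "No hotfix install dates recorded; check the update history manually."
} else {
    $age = (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
    Write-Output ("Newest hotfix {0} installed {1} days ago ({2})" -f `
        $latest.HotFixID, $age, $latest.InstalledOn.ToShortDateString())
    if ($age -gt $maxAgeDays) {
        Write-Warning "Last patch is older than $maxAgeDays days; this machine has missed at least one patch cycle."
    }
}
```

Run it on a handful of machines and the "days since last hotfix" figure gives you the simplest possible version of the regular report the article asks for; a scanner adds depth, but this catches the machines that have silently fallen off the patch cycle.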

4. Ensure all your systems, especially user devices, are running without Admin privileges

If you are using a standard “out of the box” Windows PC, there is a good chance it is running with full administrator privileges. Simply create a separate “admin” account and change the user’s account to having only “user” privileges. While you are at it, produce a simple help-sheet so people can also do this on their home PCs.
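The two-account change described above, as an added example rather than the article's own instructions: it creates an admin-only local account, confirms that account really is in Administrators before touching anything, and only then demotes the everyday account to a standard user. The account names are constructed, and the script assumes an elevated PowerShell prompt with the built-in LocalAccounts cmdlets available.

```powershell
# Added example (not from the article): give a Windows PC a separate local
# admin account and demote the everyday account to a standard user.
# Assumptions: run from an elevated PowerShell prompt on the PC itself;
# $DailyUser is the account people log in with and $AdminUser is the new
# admin-only account (both constructed names).

$DailyUser = 'alice'        # constructed example name
$AdminUser = 'alice-admin'  # constructed example name

# 1. Create the admin-only account, prompting for the password rather than
#    embedding it in the script.
if (-not (Get-LocalUser -Name $AdminUser -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString -Prompt "Password for $AdminUser"
    New-LocalUser -Name $AdminUser -Password $pw `
        -Description 'Local admin; use only for installs and settings changes' | Out-Null
}
Add-LocalGroupMember -Group 'Administrators' -Member $AdminUser -ErrorAction SilentlyContinue

# 2. Safety check: never remove the last working administrator, or the PC
#    is locked out of its own settings.
$admins = Get-LocalGroupMember -Group 'Administrators'
if (-not ($admins | Where-Object { $_.Name -like "*\$AdminUser" })) {
    throw "Could not add $AdminUser to Administrators; leaving $DailyUser unchanged."
}

# 3. Demote the everyday account to a standard user.
if ($admins | Where-Object { $_.Name -like "*\$DailyUser" }) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $DailyUser
}
Add-LocalGroupMember -Group 'Users' -Member $DailyUser -ErrorAction SilentlyContinue

# 4. Show the result so the change can be checked against the help-sheet.
'Administrators', 'Users' | ForEach-Object {
    $members = Get-LocalGroupMember -Group $_ | Select-Object -ExpandProperty Name
    "{0}: {1}" -f $_, ($members -join ', ')
}
```

Day to day, people keep logging in as the standard account; when an install or settings change genuinely needs elevation, the UAC prompt asks for the admin account's credentials, which is exactly the friction that stops a clicked attachment from installing whatever it likes.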

5. Understand where your data is – and back it up

Data is the life-blood of any organisation, whatever the size. But do you have a robust strategy for backing it up, as well as a tested recovery strategy? You need to consider how the data is protected not only from loss (say, hard disk failure) but also from corruption (say, a ransomware attack which encrypts your data). Could you transition back to data that was two days old, or even from a week ago?
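The article's two questions, whether an older copy exists and whether it can actually be read back, can be checked rather than assumed. This added example (not from the article) assumes a constructed layout of dated backup folders named yyyy-MM-dd under a backup root, and spot-checks a random sample of live files against the newest copy by SHA-256 hash. A file that has legitimately changed since the backup will also show as differing, so read the warnings as a prompt to investigate.

```powershell
# Added example (not from the article): confirm that backup copies exist far
# enough back to survive a ransomware infection noticed late, and that the
# newest copy can be read back and matches the live data.
# Assumptions (constructed): backups are folders named yyyy-MM-dd under
# $BackupRoot; $SourceRoot is the live data folder.

$BackupRoot = 'D:\Backups\shared'   # constructed path
$SourceRoot = 'C:\Data\shared'      # constructed path
$WantedAges = 2, 7                  # recovery points in days, as the article asks
$SampleSize = 20                    # constructed: files to spot-check

$snapshots = Get-ChildItem -Path $BackupRoot -Directory |
    Where-Object { $_.Name -match '^\d{4}-\d{2}-\d{2}$' } |
    ForEach-Object {
        [pscustomobject]@{
            Path = $_.FullName
            Date = [datetime]::ParseExact($_.Name, 'yyyy-MM-dd', $null)
        }
    } |
    Sort-Object Date -Descending

if (-not $snapshots) { throw "No dated backup folders found under $BackupRoot" }

# 1. Is there a copy at least N days old for each recovery point we care about?
#    If every copy is newer than the infection, every copy contains encrypted files.
foreach ($days in $WantedAges) {
    $cutoff = (Get-Date).Date.AddDays(-$days)
    $match  = $snapshots | Where-Object { $_.Date -le $cutoff } | Select-Object -First 1
    if ($match) {
        "OK: copy dated $($match.Date.ToShortDateString()) covers the $days-day recovery point"
    } else {
        Write-Warning "No backup at least $days days old; a late-noticed ransomware infection would be in every copy"
    }
}

# 2. Spot-check the newest copy against the live data: a backup that cannot be
#    read back, or whose files differ from source, is not a backup.
$newest = $snapshots[0].Path
$sample = Get-ChildItem -Path $SourceRoot -Recurse -File | Get-Random -Count $SampleSize
$bad = 0
foreach ($f in $sample) {
    $rel  = $f.FullName.Substring($SourceRoot.Length).TrimStart('\')
    $copy = Join-Path $newest $rel
    if (-not (Test-Path $copy)) {
        Write-Warning "Missing in backup: $rel"; $bad++; continue
    }
    $liveHash   = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    $backupHash = (Get-FileHash -Path $copy -Algorithm SHA256).Hash
    if ($liveHash -ne $backupHash) {
        Write-Warning "Content differs (changed since backup, or corrupted): $rel"; $bad++
    }
}
"Spot-check of $($sample.Count) files in $newest finished with $bad problem(s)"
```

A check like this is no substitute for a full restore rehearsal, but running it weekly turns "we have backups" into a number someone is accountable for.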

6. Invest in email security

Most threats will probably come into your business from people clicking on links or downloading attachments in email. Best-in-class email security will not only protect you from spam, but also eliminate rogue attachments and links.

7. Also look at your strategy for web security

Access to the web is probably essential for large parts of your business, so a good strategy for how you let your people have the access they need while remaining protected is essential. But, as we found during the pandemic, this should not mean that everyone working remotely has to connect to the company network only to go straight back out to the Internet. There are lots of “cloud-based” solutions available that allow people to work from wherever they are, yet still remain protected.

8. Look at Cyber-Essentials

When you’ve done the basics, the UK Government’s Cyber Essentials programme is a good place to start: https://www.ncsc.gov.uk/cyberessentials/overview. There is a great resource on their website called “Cyber Aware” for small businesses, and “10 Steps to Cyber Security” for larger SMEs, as well as loads of other (free) resources and downloads. There is also “Cyber Essentials Plus” and the opportunity to get certified; though

9. Your staff are the front line of protection

Human-targeted attacks, whether through email, phone, social media or the web, are on the rise, and their quality is increasing to the point that even professionals find it hard to determine whether a message is real or fake. A good, simple awareness campaign on what to look out for will augment the technology that is cleaning your email and web traffic, and need not cost too much. There is some great free guidance on running such a campaign; a good place to start is https://www.cpni.gov.uk/, where you can search for “Embedding Security Behaviours: using the 5Es”.

10. Rinse and repeat

Good information security is about embedding it into your culture. This means not only leading from the top in your expectations, but also having processes and procedures that are institutionalised.

Paul Simmonds is the CEO of the Global Identity Foundation. He was formerly global Chief Information Security Officer (CISO) of AstraZeneca, and prior to that the global CISO of ICI and global CISO with Motorola Cellular Infrastructure.

14 SME magazine www.smeweb.com
