10 Critical Steps to Cyber Security for Business

All information obtained, processed or generated by your organisation is valuable. This value is not only apparent to you but also to a range of other entities such as organised crime, malicious individuals and even your competitors. You would be surprised at what information other people find valuable.

It therefore follows that if information is valuable to anyone, it is at risk. Cyber security breaches bring about large financial losses, not to mention the fines imposed by the Information Commissioner's Office, which can be substantial.

It is important to note that people make mistakes, equipment fails and cyber threats keep evolving, meaning no security can be 100% effective. There will always be an element of risk due to the unknown. However, the impact on your business depends on the opportunities you give attackers in the form of vulnerabilities within your systems and measures. While you cannot control the motivations or capabilities of attackers, you can make their task harder by reducing your vulnerabilities.

The 10 steps to cyber security are foundational guidance for businesses looking to protect themselves in cyberspace. The framework is currently used by the majority of FTSE 350 companies with commendable effectiveness. Your business can also use the following 10 steps to cyber security to gain accreditation through the Cyber Essentials scheme.

If you have any challenge understanding or implementing any of the steps below, you can always consult a trusted IT or Managed Service Provider.

Step 1:

Information Risk Management Regime

Businesses must first understand the risks they face before implementing any security measures. Therefore, assess all risks facing your business's information assets by embedding an appropriate risk management regime. This allows you to secure support from the board, senior managers and an empowered information assurance structure. Ensure that all contractors, employees and suppliers are aware of the regime as well as all relevant risk boundaries.

Step 2:

Secure Configuration

Introduce corporate processes and policies to develop secure baseline builds and to manage the use and configuration of your ICT systems. Disable or completely remove unnecessary functionality from your ICT systems and keep them patched against known vulnerabilities. Failure to do this will expose your business to vulnerabilities and threats while increasing the risk to the integrity, availability and confidentiality of your information and systems.

Step 3:

Network Security

The connections between your network and untrusted networks such as the internet contain vulnerabilities that could be exploited. Although it is not possible to eradicate all vulnerabilities, ensure that you are aware of them. Implement architectural changes to remove as many risks as you can. You should also implement technical measures and policies to reduce the likelihood of these vulnerabilities being exploited.

Step 4:

Managing User Privileges

All individuals with access to your ICT systems should only be provided with the user privileges they need to accomplish their tasks. The number of privileged accounts for roles such as database or system administrators should be under strict control, while also ensuring that these accounts are not used for day-to-day or high-risk user activities. Monitor user activity, particularly all privileged actions such as changing user passwords, creating new user accounts, and deleting user accounts or audit logs, as well as all access to sensitive information.
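As an added illustration of the monitoring this step calls for (example code, not part of the original guidance), the following Python script scans Linux-style auth.log lines for the privileged actions named above: account creation and deletion, password changes and deletion of audit logs. The log lines, host name and user names are constructed for the example, and the attribution of daemon events (useradd, passwd, userdel) to the most recent sudo session on the same host within a short window is an assumed heuristic, not a guarantee.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample auth.log lines (fictional host and users) for this example.
SAMPLE_AUTH_LOG = """\
Mar  3 09:12:01 fileserver sshd[2311]: Accepted publickey for alice from 10.0.5.21 port 50122 ssh2
Mar  3 09:14:27 fileserver sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd -m backup-svc
Mar  3 09:14:27 fileserver useradd[2402]: new user: name=backup-svc, UID=1007, GID=1007, home=/home/backup-svc, shell=/bin/bash
Mar  3 09:15:02 fileserver passwd[2410]: pam_unix(passwd:chauthtok): password changed for backup-svc
Mar  3 11:40:55 fileserver sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/apt-get update
Mar  3 23:58:13 fileserver sudo:    alice : TTY=pts/2 ; PWD=/var/log ; USER=root ; COMMAND=/usr/bin/rm -f /var/log/audit/audit.log
Mar  3 23:58:40 fileserver userdel[2590]: delete user 'backup-svc'
"""

HEADER_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
SUDO_RE = re.compile(r"sudo:\s+(?P<actor>\S+) : .*COMMAND=(?P<command>.+)$")

# (action, severity, pattern): the privileged actions the guidance says to watch.
PRIVILEGED_PATTERNS = [
    ("account_created", "medium",
     re.compile(r"useradd\[\d+\]: new user: name=(?P<target>[^,]+)")),
    ("account_deleted", "medium",
     re.compile(r"userdel\[\d+\]: delete user '(?P<target>[^']+)'")),
    ("password_changed", "medium",
     re.compile(r"password changed for (?P<target>\S+)")),
    ("audit_log_tampering", "high",
     re.compile(r"COMMAND=(?:\S*/)?(?:rm|shred|truncate)\b.*?(?P<target>/var/log/audit\S*)")),
]


@dataclass
class Event:
    ts: str
    host: str
    actor: str
    action: str
    target: str
    severity: str
    raw: str


def _parse_ts(ts: str) -> datetime:
    # Syslog timestamps carry no year; only time deltas are used here, so any year will do.
    return datetime.strptime(" ".join(ts.split()), "%b %d %H:%M:%S")


def detect_privileged_actions(log_text: str, window_seconds: int = 60) -> List[Event]:
    """Return one Event per privileged action found in the log text."""
    events: List[Event] = []
    last_sudo: Dict[str, Tuple[datetime, str]] = {}  # host -> (time, user) of the last sudo line
    for line in log_text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue
        ts, host, rest = _parse_ts(m.group("ts")), m.group("host"), m.group("rest")
        actor: Optional[str] = None
        sudo = SUDO_RE.match(rest)
        if sudo:
            actor = sudo.group("actor")
            last_sudo[host] = (ts, actor)
        elif host in last_sudo and (ts - last_sudo[host][0]).total_seconds() <= window_seconds:
            # Daemon lines (useradd, passwd, userdel) name no actor; attribute them to the
            # most recent sudo session on the same host (assumed heuristic, verify on review).
            actor = last_sudo[host][1]
        for action, severity, pattern in PRIVILEGED_PATTERNS:
            pm = pattern.search(rest)
            if pm:
                events.append(Event(m.group("ts"), host, actor or "unknown", action,
                                    pm.groupdict().get("target") or "", severity, line))
    return events


def actions_by_actor(events: List[Event]) -> Dict[str, int]:
    """Count privileged actions per attributed actor, for a quick review summary."""
    counts: Dict[str, int] = {}
    for e in events:
        counts[e.actor] = counts.get(e.actor, 0) + 1
    return counts


def high_severity(events: List[Event]) -> List[Event]:
    return [e for e in events if e.severity == "high"]


if __name__ == "__main__":
    found = detect_privileged_actions(SAMPLE_AUTH_LOG)
    for e in found:
        print(f"{e.ts} {e.host} [{e.severity}] {e.action} by {e.actor} -> {e.target}")
    print("per actor:", actions_by_actor(found))
```

The point of the per-actor summary is the one the guidance makes: a single session that creates an account, sets its password, deletes the audit log and then removes the account is exactly the sequence a reviewer wants surfaced rather than buried among routine sudo entries.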

Step 5:

User Education and Awareness

Employees play a critical role in the security practices of your organisation. As such, it is important to teach them their responsibilities and show them what they can do to prevent data breaches. Develop user security policies that describe secure and acceptable use of the ICT systems in your organisation. These policies should be formally acknowledged in employment terms and conditions. All users should receive regular training on the cyber risks they face in their roles. Specialist training is required for security-related roles such as forensic investigators, incident management team members and system administrators.

Step 6:

Incident Management

Develop an incident response capability that can address all possible incidents that could occur. Regularly test all incident management plans including the business continuity and disaster recovery plans. Specialist training is needed for your incident response team in various technical and non-technical areas. You should also report online crimes to the relevant authorities to enable the UK to develop a clearer view of the various threats facing it and subsequently deliver an appropriate response.

Step 7:

Malware Prevention

Develop practical policies that directly address the business processes that are vulnerable to malware. These processes include web browsing, email, personally owned devices and removable media. Scan for malware throughout your organisation and protect all client and host machines with antivirus solutions that actively scan for malware. Additionally, all information entering or leaving your business should be scanned for malicious content.

Step 8:

Monitoring

Develop a monitoring strategy as well as supporting policies. In doing this, take into account previous security attacks and incidents as well as your business's incident management policies. Regularly monitor inbound and outbound network traffic to isolate unusual trends or activity that could indicate a compromise or an attack on data. Additionally, monitor all ICT systems using Network and Host Intrusion Detection Systems (NIDS/HIDS) as well as Intrusion Prevention Systems (NIPS/HIPS).
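To make the "unusual trends" in outbound traffic concrete, here is an added example (not from the original guidance) in Python that compares each internal host's outbound volume for a day against a per-host baseline built from earlier days, flagging hosts that exceed the baseline by a chosen margin or that have no baseline at all. The flow summaries and addresses are constructed for the example, and the sigma and ratio thresholds are assumed starting points to be tuned on real traffic.

```python
import statistics
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Flow(NamedTuple):
    day: str        # calendar day of the flow
    src: str        # internal source address
    dst: str        # external destination address
    dst_port: int
    bytes_out: int  # bytes sent from src to dst


# Constructed per-connection flow summaries (fictional addresses and volumes).
BASELINE_FLOWS = [
    Flow("2024-03-01", "10.0.5.21", "203.0.113.10", 443, 600_000),
    Flow("2024-03-01", "10.0.5.21", "203.0.113.11", 443, 400_000),
    Flow("2024-03-02", "10.0.5.21", "203.0.113.10", 443, 1_200_000),
    Flow("2024-03-03", "10.0.5.21", "203.0.113.12", 443, 1_100_000),
    Flow("2024-03-01", "10.0.5.22", "203.0.113.10", 443, 500_000),
    Flow("2024-03-02", "10.0.5.22", "203.0.113.10", 443, 600_000),
    Flow("2024-03-03", "10.0.5.22", "203.0.113.13", 443, 400_000),
]
TODAY_FLOWS = [
    Flow("2024-03-04", "10.0.5.21", "203.0.113.10", 443, 1_150_000),
    Flow("2024-03-04", "10.0.5.22", "203.0.113.10", 443, 450_000),
    Flow("2024-03-04", "10.0.5.22", "198.51.100.77", 8443, 9_050_000),
    Flow("2024-03-04", "10.0.5.99", "203.0.113.10", 443, 300_000),
]


def daily_outbound(flows: List[Flow]) -> Dict[str, Dict[str, int]]:
    """Sum outbound bytes per source host per day."""
    totals: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        totals[f.src][f.day] += f.bytes_out
    return totals


def find_outbound_anomalies(baseline: List[Flow], today: List[Flow],
                            sigma: float = 3.0, min_ratio: float = 2.0) -> List[dict]:
    """Flag hosts whose outbound volume today exceeds their own historical baseline.

    A host is flagged when today's total is above mean + sigma * stdev of its daily
    totals AND above min_ratio * mean (the ratio guards against a near-zero stdev
    turning every small fluctuation into an alert). Hosts with fewer than two
    baseline days are reported separately as "no baseline".
    """
    base = daily_outbound(baseline)
    findings: List[dict] = []
    for host, per_day in daily_outbound(today).items():
        observed = sum(per_day.values())
        history = list(base.get(host, {}).values())
        if len(history) < 2:
            findings.append({"host": host, "reason": "no baseline",
                             "observed": observed, "threshold": None})
            continue
        mean, sd = statistics.mean(history), statistics.pstdev(history)
        threshold = max(mean + sigma * sd, min_ratio * mean)
        if observed > threshold:
            findings.append({"host": host, "reason": "volume above baseline",
                             "observed": observed, "threshold": round(threshold)})
    return findings


def largest_destinations(flows: List[Flow], host: str) -> List[Tuple[str, int, int]]:
    """For triage: where did a flagged host's traffic go? (dst, port, bytes), largest first."""
    per_dst: Dict[Tuple[str, int], int] = defaultdict(int)
    for f in flows:
        if f.src == host:
            per_dst[(f.dst, f.dst_port)] += f.bytes_out
    return sorted(((d, p, b) for (d, p), b in per_dst.items()), key=lambda t: -t[2])


if __name__ == "__main__":
    for finding in find_outbound_anomalies(BASELINE_FLOWS, TODAY_FLOWS):
        print(finding)
        if finding["reason"] == "volume above baseline":
            print("  top destinations:", largest_destinations(TODAY_FLOWS, finding["host"])[:3])
```

In the constructed data the second host sends roughly nineteen times its usual daily volume to a previously unseen address and port, which is the kind of trend the guidance wants isolated; the third host is reported only because it has no history yet, which is a prompt to build one rather than an alert in itself.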

Step 9:

Removable Media Controls

Establish removable media policies that control the use of all removable media devices for the export or import of information. If the use of removable media is unavoidable, impose controls on the types of media that can be used, the systems and users that can use them, and the types of information that can be moved. Use a standalone media scanner to scan all media for malware before any data is imported into your systems.

Step 10:

Home and Mobile Working

Assess all the risks associated with all types of mobile working and establish appropriate security policies to mitigate them. These risks include those associated with working remotely on devices connected to the corporate network infrastructure. Educate mobile users on the secure use of mobile devices in the various locations they work from. Apply the secure baseline build to all types of mobile devices used by anyone with access to your ICT infrastructure. Where the devices permit, use encryption to protect data at rest and a properly configured Virtual Private Network (VPN) to protect data in transit.

The 10 steps to cyber security are designed to protect businesses against the majority of cyber attacks aimed at ICT systems. Most of the measures listed above are baseline remedies requiring only a low level of technical ability. Though effective, businesses should also strive to institute additional measures as the cyberspace landscape and its associated threats change.

If you do not have in-house expertise, we recommend enlisting the expertise of a trusted IT or Managed Service Provider such as Adept. Our cyber security services are based on the understanding that only good practices can keep computer and information assets safe. We deploy various systems, including BYOD and endpoint policies as well as cloud security, to make good practice easy and intuitive for all individuals connected to your systems. Behind the scenes, these efforts are backed by behavioural analytics and industrial-grade encryption for maximum effectiveness.

Contact our experts today to learn more about how we can reinforce your cyber security measures or take a look at the other IT business services and solutions that we offer. It is our pleasure to serve you.

Written by Sami Malik

Marketing Campaigns Manager