Cyber-crime is indiscriminate. Whether you are a large multinational, a national enterprise or a small local start-up, your organisation is a target for cyber-criminals.
The latest Cyber Security Breaches Survey found that 42% of small businesses had experienced a cyber security breach or attack in the previous 12 months. SMEs are attractive targets precisely because they tend to have less staff training and fewer security controls than larger organisations.
Furthermore, the General Data Protection Regulation (GDPR) holds every organisation accountable for the personal data it processes, irrespective of size. With business leaders calling on government and industry to unite against cyber-crime, cyber security is firmly in the spotlight.
Now is the time to improve your cyber security. Here are our top 12 steps to help your business stay cyber safe:
An IT consultancy is a good place to start. An IT consultant will review your existing security controls and assess whether they can protect your systems and data from a cyber-attack, and will review your backup and recovery arrangements to measure how well they would stand up to a real disaster.
In addition, an IT consultant will look at the budget within your IT department. Their role is to assess your existing processes, procedures and infrastructure as part of a business needs analysis, and then to recommend improvements that align with your overall business objectives.
A significant part of an IT consultant's remit is to assess the risk attached to your business's data and to make recommendations proportionate to that risk. Their value lies in honest, expert advice given with your security in mind.
Once the consultation has identified where your cyber security needs improvement, you can develop a detailed IT strategy with your consultant's help. Drawing on their experience helps you avoid common pitfalls and adopt proven practices.
Your strategy must have a clear, top-down cyber security objective. Your IT consultant can help you define it by assessing:
- how the objective strengthens your cyber security;
- how your business intends to achieve it;
- the key business benefits; and
- the tools required to carry it out.
Your business may already have an IT strategy, but does it focus enough on defending against cyber-attacks?
Research and Acquire an MSSP
Consider working with a Managed Security Service Provider (MSSP) to help put your strategy into practice and to assist with the day-to-day running of your IT systems.
With a well-documented IT skills shortage in the UK, hiring your own team of experts can be costly and resource-intensive. A good MSSP already has an experienced team and selects its technicians with care. By outsourcing security, risk and compliance to an MSSP, you can focus on your key business goals, knowing that your cyber security is in capable hands. Bear in mind that accountability under the GDPR stays with you as the data controller: an MSSP can run your controls, but it cannot take on your legal responsibility for the data.
Unsure of where to start? Speak to various MSSPs and measure them against the following criteria:
Backup and Business Continuity & Disaster Recovery (BCDR)
The next step is to bolster your business with an efficient business continuity plan. With cyber threats evolving at an astonishing rate, a tested backup is an insurance policy that pays out against every kind of incident, but only if the backup copies are kept beyond an attacker's reach (offline or immutable) and restores are rehearsed. Ransomware operators routinely look for reachable backups and encrypt or delete them before they trigger.
Whether it's a ransomware attack denying access to your IT systems, a hardware failure or an office fire, as little as an hour of downtime can cost your business thousands of pounds.
With a modern backup solution in place, you can roll your systems back to a known-clean point, and some solutions can virtualise your servers in the cloud while the originals are rebuilt. Most enterprise-grade solutions are highly customisable: how often you back up sets your recovery point objective (how much work you can afford to lose), and how you restore sets your recovery time objective (how long you can afford to be down). Agree both figures with the business before an incident, not during one.
Backup and BCDR should therefore be a priority. Being able to carry on as usual saves your business money and establishes your reputation in your supply chain as a trusted data protection partner.
Reviewing your email security is the next key step, because email is both your most critical communication channel and the most common route by which attacks arrive.
Email security protects against phishing, email-borne ransomware and impersonation fraud by scanning incoming content, attachments and URLs, and by checking that the sender is who they claim to be (SPF, DKIM and DMARC). A good solution also scales with your business, extending the safety net as your head count grows.
If your existing solution does not offer these protections, it is worth considering a new one. Your MSSP can advise on this.
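To make the checks above concrete, here is an added example (it is not code from this article or from any email security product) showing a triage pass of the kind a gateway runs over an inbound message: sender authentication results, display-name impersonation, look-alike link hosts and disguised executable attachments. The two messages, the domains and the names are constructed for illustration; INTERNAL_DOMAIN and EXEC_NAMES are assumptions standing in for your own values.

```python
"""Added example, not code from the original article or any product: a
triage pass showing the kinds of checks an email security gateway makes on an
inbound message. Messages, domains and names are constructed for illustration."""
import email
import re
from email import policy

INTERNAL_DOMAIN = "example-corp.com"            # assumed: the domain you protect
EXEC_NAMES = {"jane smith"}                     # assumed: people attackers like to impersonate
DANGEROUS_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".iso", ".lnk", ".bat"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed phishing sample: failed SPF/DMARC, look-alike sender domain,
# look-alike link host and an executable disguised as a PDF.
SAMPLE_EML = """\
From: "Jane Smith (CEO)" <jane.smith@examp1e-corp.com>
To: finance@example-corp.com
Subject: Urgent payment
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=examp1e-corp.com; dkim=none; dmarc=fail header.from=examp1e-corp.com
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please pay the attached invoice today: http://example-corp.com.login-verify.net/pay
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

# Constructed benign sample for comparison.
CLEAN_EML = """\
From: Bob Jones <bob.jones@example-corp.com>
To: finance@example-corp.com
Subject: Q3 figures
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com; dkim=pass header.d=example-corp.com; dmarc=pass header.from=example-corp.com
Content-Type: text/plain

Figures are on the intranet: https://intranet.example-corp.com/q3
"""


def triage(raw: str) -> list[str]:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Sender authentication results stamped by the receiving mail server.
    auth = str(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() in ("fail", "softfail", "permerror"):
            findings.append(f"{mech} {m.group(1)}")

    # 2. Display-name impersonation: a protected name on a non-internal address.
    from_hdr = msg["From"]
    for a in (from_hdr.addresses if from_hdr is not None else ()):
        bare = re.sub(r"\(.*?\)", "", a.display_name).strip().lower()
        if bare in EXEC_NAMES and a.domain.lower() != INTERNAL_DOMAIN:
            findings.append(f"display-name impersonation: {a.display_name!r} from {a.domain}")

    # 3. Links whose host contains our domain but is really somebody else's.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for url in URL_RE.findall(text):
        host = re.sub(r"^https?://", "", url).split("/")[0].lower()
        if INTERNAL_DOMAIN in host and host != INTERNAL_DOMAIN and not host.endswith("." + INTERNAL_DOMAIN):
            findings.append(f"lookalike URL host: {host}")

    # 4. Attachments with executable (or double) extensions.
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        ext = "." + fname.rsplit(".", 1)[-1] if "." in fname else ""
        if ext in DANGEROUS_EXT:
            findings.append(f"dangerous attachment: {fname}")
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_EML), ("clean", CLEAN_EML)):
        print(label, triage(sample) or "no findings")
```

The phishing sample trips all four checks while the benign one passes cleanly. A commercial gateway goes much further (sandboxing attachments, rewriting links so they are checked at click time, reputation feeds), but the point for a buyer is that each of these signals should be visible in the product's reports, so you can see why a message was quarantined.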
Endpoint (or antivirus) security is one of the most important aspects of cyber security, protecting your PCs, laptops, mobiles and other business devices.
Windows devices ship with built-in antivirus that is adequate for personal use, but business equipment needs a business-grade endpoint solution that is centrally managed and reports back, so that one infected laptop is noticed and dealt with rather than silently ignored.
When reviewing your endpoint security, consider what your existing antivirus actually covers. Does it protect against browser, file, hyperlink, advert and app-based attacks? If not, discuss the available options with your MSSP.
Endpoint security is developing constantly in response to emerging threats, so make sure your business takes advantage of these developments. Standing still is the one thing you cannot afford to do.
The next step is to assess your network security. With critical business operations dependent on IT infrastructure, your network perimeter needs to be properly defended.
The true value of your MSSP shows when it comes to implementing a next-generation firewall. Firewalls are essential, but a poorly configured firewall can be the difference between a network breach and ongoing security: a firewall enforces only the policy it is given, so the rule set should default to deny, be kept to the minimum the business needs, and be reviewed regularly.
Properly implemented, a next-generation firewall can offer:
- blocking of unwanted or malicious traffic before it reaches your network;
- real-time alerts on attempted attacks;
- an extra layer of protection for your critical services;
- granular control over what is allowed in and out; and
- mitigation of attempts to take your servers offline.
Dark Web Monitoring
Information is a commodity on the dark web. If a service your employees use suffers a breach, their details, often including passwords, are frequently offered for sale there. The danger is that anyone who buys those credentials can try them against your business network, and because people reuse passwords across services, such attempts often succeed.
Once your organisation's credentials are in circulation, the risk of a data breach increases severely, leaving your business open to exploitation.
The role of a dark web monitoring service is to wade into the dark web so that you don't have to. By monitoring hacker forums, chatrooms and closed communities, it identifies your compromised data and gives your business the chance to act before a serious breach occurs.
If you know that your organisation's data is being bought and sold on the dark web, you can mitigate the damage: force a password reset on the affected accounts and look for unusual logins. If you don't know, you cannot. The cheapest preparation is to require multi-factor authentication and ban password reuse before any of this happens, so that a leaked password on its own is not enough to get in.
Use your MSSP’s Resources and Experience
Your MSSP is full of experts, so use their knowledge. They should be able to provide in-depth analytics and insight into how your cyber security solutions are performing, giving you a fuller understanding of how to protect your organisation.
Fostering a positive relationship between your IT department and your MSSP is a good way to share cyber security intelligence and to ensure that everyone is working with a common purpose in mind.
Information Security Policy
Once you've implemented the necessary software and hardware safeguards, it's time to develop a coherent information security (InfoSec) policy.
The purpose of an InfoSec policy is to establish a common baseline of information security practice and culture across your organisation. It is essential that the InfoSec policy is treated as the equal of your other HR policies.
Examples of areas you may choose to focus on within your InfoSec policy include:
- Acceptable Use – Ensures that staff use company property for business purposes only, reducing the risk of browsing websites that could harm your company.
- Bring-Your-Own-Device (BYOD) – If you permit the use of personal devices, including mobile phones, a BYOD policy is essential. It ensures that personal devices meet your company's minimum standard of security before they carry business data.
- Password Construction – A password policy defines what counts as a strong password. Current UK guidance from the NCSC favours length over forced complexity, screens new passwords against a deny list of common and previously breached passwords, bans reuse across services and avoids routine forced expiry. Pair the policy with multi-factor authentication wherever it is available.
- Clean Desk/Screen – Encourages staff to lock their devices whenever they leave them. An unlocked device, whether in public or in the office, is open to misuse; the same applies to confidential paperwork left on a desk.
These are just a handful of the policies you should consider in order to establish cyber security good practice among your colleagues and staff. Your MSSP can help you form a comprehensive policy.
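The password policy point above, and the earlier point about leaked credentials turning up on the dark web, come together in one technical control: checking a new password against a deny list and a breached-password corpus. The following is an added example, not code from this article or from any vendor, showing that check in the k-anonymity style used by range-lookup services, where only the first five hex characters of the password's SHA-1 hash leave the device. The length threshold, the deny list and the range data are constructed assumptions (the only real value is that the SHA-1 of "password" begins 5BAA6).

```python
"""Added example (not the page's or any vendor's code): a password-policy check
in the style the NCSC recommends, length and a deny list rather than complexity
rules, plus a breached-password lookup using the k-anonymity range model.
Thresholds, the deny list and the range data below are constructed."""
import hashlib

MIN_LENGTH = 12                       # assumed threshold; set it from your own policy
DENY_LIST = {"password", "welcome1", "letmein", "qwerty123", "changeme"}   # constructed; real lists are large

# Constructed stand-in for a k-anonymity range service: the caller sends only
# the first 5 hex chars of SHA-1(password) and receives every suffix that
# shares that prefix, so the full hash never leaves the device. The counts and
# the neighbouring suffixes are constructed; the middle suffix is the real
# remainder of SHA-1("password").
RANGE_RESPONSES = {
    "5BAA6": "1D2E4C2E1B0B4E0B3A4F5C6D7E8F9A0B1C2:12\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
             "1F0A9B8C7D6E5F4A3B2C1D0E9F8A7B6C5D4:3\r\n",
}


def sha1_split(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, lookup=RANGE_RESPONSES.get) -> int:
    """How many times the password appears in the breach corpus (0 if never).

    `lookup` maps a 5-char prefix to the raw "SUFFIX:COUNT" lines; swap in an
    HTTPS call to a real range API for production use."""
    prefix, suffix = sha1_split(password)
    for line in (lookup(prefix) or "").splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def check_password(password: str, context_words=()) -> list[str]:
    """Return policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    if lowered in DENY_LIST:
        problems.append("on the deny list")
    for word in context_words:                   # e.g. company name, username
        if word.lower() in lowered:
            problems.append(f"contains guessable context {word!r}")
    n = breach_count(password)
    if n:
        problems.append(f"seen {n} times in known breaches")
    return problems


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple", "ExampleCorp-winter-2024"):
        print(repr(pw), check_password(pw, context_words=("ExampleCorp",)) or "ok")
```

Note what the check does not do: it imposes no upper-case, digit or symbol rules, and it says nothing about expiry. A long passphrase that is not on any list passes; "password" fails three ways at once. Whether the lookup is this constructed table or a live service, the password itself is never sent anywhere.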
Security Awareness Training
With your InfoSec policy in place, you can pass this information on through security awareness training for your staff. Without it, you leave your business exposed to common cyber-crime techniques such as phishing and social engineering.
How you approach the training matters just as much. Training days and long tick-box assessments can alienate staff and switch them off from the message. Working with the cyber security experts within your MSSP, look at the available options for rolling out training, such as short regular sessions and simulated phishing exercises whose results are used to teach rather than to punish.
Ultimately, if you provide your colleagues with new skills and foster an inclusive cyber security culture, your business will see reduced downtime and therefore save money in the long-term.
So, you’ve equipped your business with the means to defend itself against the latest cyber-crime threats. Why not go one small step further and get certified for your efforts?
Cyber Essentials, a UK Government-backed certification scheme run by the National Cyber Security Centre, assesses your business against five technical controls: firewalls, secure configuration, user access control, malware protection and security update (patch) management. Meeting these criteria earns recognition for your commitment to cyber security and demonstrates to your customers and supply chain that their data is protected; Cyber Essentials Plus adds an independent hands-on audit of the same controls.
It also signals to cyber criminals that your business is a harder target than most.