Gone are the days when organisations can deny the need to improve their security due to being "too small" or "of little interest" to malicious actors. All organisations hold data that is valuable to them, and the services they provide, and therefore can be held to ransom should that data be exfiltrated.
Furthermore, due to the continuing rise in cyber crime, it is no longer a "what if" scenario, it's a "when". Data breaches can be devastating, costing organisations millions and damaging their reputation. The IBM Cost of a Data Breach report estimated the global average cost of a data breach to be approaching a staggering $4.5m.
Protecting your information doesn't have to be overwhelming, with a significant proportion of cyber attacks being seemingly avoidable, should security hygiene have been in place. Here are some essential cyber security practices that every organisation, big or small, should implement.
1. Prioritise Updates
Outdated operating systems and software have vulnerabilities that can be exploit. Make sure all devices and systems have the latest updates installed as soon as they become available. Enable automatic updates, whenever possible, to ensure continuous protection.
Where enabling automatic updates is not feasible, due to testing requirements, then ensure you have a streamline process in place to deploy critical and high risk updates are patched no later than 14 days after release.
2. Implement Strong Authentication
Passwords alone, offer little protection, they may be guessed, replayed, or leaked - especially where passwords are reused. Complex passwords, however, often lead to poor hygiene around their use and storage. The NCSC recommend the use of three random words. Consider educating your staff to use this approach. Do not regularly expire password, unless suspected to have been compromised.
Multi-factor authentication (MFA) adds an extra layer of security, requiring a second verification (like a push notification to your phone) after a password is entered, this can reduce the risk of a password being compromised or guessed.
3. Authorisation
Alongside strong authentication techniques, see section 2 above, ensure the principle of least privilege is also followed. This means, that users are only provided with the access necessary to perform their jobs.
This helps manage risks associated with the compromise of that account, and also insider risk, as staff do not have sprawling access, and any misuse of their accounts will be limited to smaller portions of your data.
Make sure privileged users have separate accounts for the day-to-day tasks of reading emails or browsing sites, again to reduce the impact of a compromise of their accounts.
4. Backups
Backing up your data regularly, daily or in real-time in some cases, ensures that in the event of a cyber attack, or system failure, data and operations can be restored effectively.
Explore cloud-based backup solutions or designate an offsite location for data storage, ensure backups are air-gapped, and require strong authentication methods to gain access. Separate the control of the back up solution, from the data it holds.
Regularly test your backups to ensure they're working properly. You do not want to discover an issue with your backups at the point you need them.
5. Staff Education
Employees are often the first line of defence, due to the increasing use of phishing to gain access to company networks and data. Your staff should be trained on how to identify suspicious emails, and other cyber threats.
Phishing emails are designed to trick people into clicking malicious links or downloading malware through attachments. Train your team to be wary of generic greetings, misspelled URLs, and urgency tactics used in these emails.
Regularly update them on best practices and your organisation's security processes, such as how to report a security incident.
6. Secure Your Data Everywhere
Firewalls and Intrusion Detection/Prevention Systems (ID/PS), where deployed and managed correctly, provide an effective line of defence. However, this only considers those elements of your estate that you host or control in another hosting environment.
Consider your Theoretical Perimeter, which will include cloud providers and third-parties. Understand and validate the security controls in those environments, and implement compensatory controls where required.
8. Encryption
Encryption effectively makes your data unreadable to anyone that does not have the key. This is especially important for sensitive information like customer data or financial records.
However, that data will need to be decrypted at some point to make it useful to your organisation. Ensure where this happens is well protected, and the keys are managed independently to the location the data is stored encrypted.
9. Be Prepared to Respond
Define, document and communicate an incident response plan that outlines the steps to take during and after a cyber attack. This plan should include steps for identifying, containing and eradicating the breach, notifying relevant authorities, and restoring affected systems.
Include a lessons learnt step, to ensure the process remains effective.
10. Regular Assessments
Regularly assess your organisation's cyber security posture to identify and address vulnerabilities. This proactive approach helps you stay ahead of evolving threats and minimise your residual risk.
Consider an industry standard, such as Cyber Essentials (UK) or ISO 27001 (International) to certify your business against. This demonstrates your commitment to security, whilst giving you a framework to implement.
Closing Remarks: Security Hygiene
Remember, cyber security is an ongoing process. By implementing these practices and fostering a security-conscious culture, you can significantly reduce your organisation's risk of cyber attacks.
Comments