The Essential Cyber Hygiene for your business
We hear about the Travelex, British Airways, Maersk and Equifax data breaches. Then some of us huddle together to figure out a plan to avoid such breaches in our own business. We think we need to get penetration testing done on our network, sign up for dark web monitoring, threat intelligence, etc. Not to mention that some of us just think 'it won't happen to us'. Over 90% of these incidents can be prevented by following basic cyber hygiene in your business. If you haven't already implemented these in your business, I highly recommend you do. Here are the hygiene standards.
This is the very first thing we need to do. We need to know what we are protecting, and hence we need to know what we have on our estate: an inventory of all the hardware, software and data/information. It will also help you separate high-priority from low-priority elements so that you can start focusing on the right things. There are a number of free and paid tools that can help with this process.
If there is one low-hanging fruit (quick win) in security, it is this. You can do it straight away with very few resources. Harden the authentication methods for your systems. Implement two-factor authentication. Most businesses are on Office 365 for their email now, and it's easier than ever to implement two-factor authentication on your email. After all, 95% of successful cyber attacks start with an email. We need to protect it.
Also, if you have multiple logins for various applications, look into Single Sign-On. It makes life easier for users and helps eliminate the risk of weak passwords. I recommend having Single Sign-On with two-factor authentication enabled. Most applications now support both SSO and two-factor authentication.
Change the default passwords on your firewalls. Close unnecessary ports. Restrict remote admin access to specific IP addresses. Keep the firmware up to date.
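A quick way to check the last three points against an exported ruleset is a small review script. The one below is an added example, not code from the original post; the ruleset, the management-port list, the needed-services list and the office range (203.0.113.0/24, a documentation range) are all constructed assumptions that you would replace with your own firewall's export and address space.

```python
import ipaddress

# Constructed sample ruleset (not a real firewall export). Each rule allows
# inbound TCP from a source network to a destination port on the perimeter.
SAMPLE_RULES = [
    {"name": "web",        "src": "0.0.0.0/0",      "port": 443},
    {"name": "mail",       "src": "0.0.0.0/0",      "port": 25},
    {"name": "rdp-any",    "src": "0.0.0.0/0",      "port": 3389},
    {"name": "ssh-office", "src": "203.0.113.0/24", "port": 22},
    {"name": "old-ftp",    "src": "0.0.0.0/0",      "port": 21},
]

# Ports used for remote administration (assumed list; adjust to your estate).
ADMIN_PORTS = {22, 3389, 8443}
# Services the business actually needs exposed (assumed).
NEEDED_PORTS = {443, 25}
# Networks from which remote administration is permitted (assumed office range).
ADMIN_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]


def source_is_restricted(src: str) -> bool:
    """True if the rule's source network lies entirely inside an allowed admin range."""
    net = ipaddress.ip_network(src, strict=False)
    return any(net.subnet_of(allowed) for allowed in ADMIN_SOURCES)


def review_rules(rules):
    """Return (rule name, finding) pairs for rules that break either check:
    an admin port reachable from outside the admin ranges, or a port that is
    neither an admin port nor on the needed-services list (close it)."""
    findings = []
    for rule in rules:
        port, src = rule["port"], rule["src"]
        if port in ADMIN_PORTS and not source_is_restricted(src):
            findings.append((rule["name"], f"remote admin port {port} reachable from {src}"))
        elif port not in ADMIN_PORTS and port not in NEEDED_PORTS:
            findings.append((rule["name"], f"port {port} is not on the needed-services list"))
    return findings


if __name__ == "__main__":
    for name, finding in review_rules(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

Run against the sample, it flags the RDP rule open to the world and the forgotten FTP rule, while the SSH rule limited to the office range passes. The same two checks are worth repeating after every firmware update, since some updates re-enable default services.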
I am amazed when I hear that printers, routers, firewalls, etc. still have their default login details. Change them, and change them now. Remove unnecessary applications and features from your network; having them only costs you time and money, as you need to maintain them. If you are deploying new PCs or infrastructure, that is the best time to harden and standardise your security controls. Also, have proper onboarding and offboarding procedures for employees. Remove or disable the accounts of people who have left the company.
Don't use free antivirus software. It is free for a reason. Get robust software that can block known and unknown threats. Keep it up to date. Have regular scanning enabled.
As I said above, 95% of successful cyber attacks start with an email. Stop spam and phishing emails before they hit your users' inboxes. Implement an email spam-filtering solution. This won't cost you much and yet improves your security posture a lot. There are some really good solutions out there, including Office 365 Advanced Threat Protection, Mimecast, EveryCloud, etc.
User Education & Awareness Training
Make sure your employees know what good security practice is: having strong passwords, not clicking links in emails, verifying changed bank details, double-checking funds transfer requests, not posting sensitive business information on social media, not writing down passwords and leaving them under the keyboard, etc. Provide adequate training to your users. The training can be online or offline, whatever suits your business needs.
There are no silver bullets in cybersecurity, but this is as close as you can get. Patch your systems. I am not just talking about Microsoft patches but also third-party applications: Java, Adobe, Chrome, VLC, etc. You get the gist. Having a centrally managed patch solution will help you a lot. I would also recommend having a vulnerability management solution or regular vulnerability assessments done on the network. You will know where your loopholes are and what to fix first.
Backup, backup and backup. Did I say backup? This will save your bacon. Back up your systems regularly, keep the backups offsite (don't leave them in your car boot), and test them regularly. A backup that is not tested is not a backup. If you are backing up on the same network, it's a good idea to segregate the backups onto a separate network.
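"A backup that is not tested is not a backup" can be partly automated: record a hash of every file when the backup is taken, then re-hash the copy and compare before you rely on it, and treat a backup older than your agreed interval as a failure too. The script below is an added example (not the author's code or any backup product's): it builds a small constructed backup set in a temporary directory, writes a manifest, then damages the copy to show what the verification reports. The manifest format and the file contents are assumptions for the demo.

```python
import hashlib
import json
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path, taken_at: float) -> Path:
    """Record the hash of every file in the backup set and when it was taken."""
    files = {
        str(p.relative_to(backup_dir)): sha256_file(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file() and p.name != "manifest.json"
    }
    manifest = backup_dir / "manifest.json"
    manifest.write_text(json.dumps({"taken_at": taken_at, "files": files}))
    return manifest


def verify_backup(backup_dir: Path, max_age_days: int, now: float) -> dict:
    """Re-hash every file named in the manifest; report missing, corrupt and stale."""
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    missing, corrupt = [], []
    for rel, expected in manifest["files"].items():
        p = backup_dir / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != expected:
            corrupt.append(rel)
    stale = (now - manifest["taken_at"]) > max_age_days * 86400
    return {"ok": not (missing or corrupt or stale),
            "missing": missing, "corrupt": corrupt, "stale": stale}


def demo() -> tuple:
    """Build a constructed backup set, verify it clean, then damage it and verify again."""
    root = Path(tempfile.mkdtemp())
    (root / "accounts.csv").write_bytes(b"id,balance\n1,100\n")
    (root / "contracts").mkdir()
    (root / "contracts" / "acme.txt").write_bytes(b"signed 2020")
    (root / "notes.txt").write_bytes(b"lunch order")
    taken = time.time() - 2 * 86400          # pretend the backup ran two days ago
    write_manifest(root, taken)
    clean = verify_backup(root, max_age_days=7, now=time.time())
    # Simulate silent corruption of one file and loss of another in the copy.
    (root / "accounts.csv").write_bytes(b"id,balance\n1,999\n")
    (root / "notes.txt").unlink()
    damaged = verify_backup(root, max_age_days=7, now=time.time())
    # Same copy judged against a one-day policy: too old to count as a backup.
    old = verify_backup(root, max_age_days=1, now=time.time())
    return clean, damaged, old


if __name__ == "__main__":
    for label, result in zip(("clean", "damaged", "one-day policy"), demo()):
        print(label, result)
```

Hash comparison only proves the copy matches what was written; a full restore test, where you actually bring a system up from the backup, is still needed for the DR exercise in the next point.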
Do you have a DR site? Depending on the budget, you might have a cold, warm or hot site for your DR. When did you last test it?
Who has access to what? Apply the principle of least privilege: give users only the privileges on the network they need to perform their job. If you are not sure where to start, do a quick permissions audit. Use administrative privileges only for admin tasks and not for regular activities like web browsing, checking email, etc. Restrict admin access to authorised personnel only.
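A "quick permissions audit" and the offboarding check from the earlier point can be the same script: take an export of your accounts and the HR leaver list, and flag leavers whose accounts are still enabled, admin accounts that also carry a mailbox (a sign the admin identity is used for day-to-day email and browsing), and enabled accounts nobody has used in months. The code below is an added example, not the author's; the account records, the HR leaver list, the field names and the admin group name are constructed assumptions rather than a real directory schema.

```python
from datetime import date, timedelta

# Constructed directory export (hypothetical fields, not a real AD or Office 365 schema).
ACCOUNTS = [
    {"user": "alice",   "enabled": True,  "groups": ["Staff"],                  "mailbox": True,  "last_login": date(2020, 3, 9)},
    {"user": "bob",     "enabled": True,  "groups": ["Staff", "Domain Admins"], "mailbox": True,  "last_login": date(2020, 3, 10)},
    {"user": "bob-adm", "enabled": True,  "groups": ["Domain Admins"],          "mailbox": False, "last_login": date(2020, 3, 10)},
    {"user": "carol",   "enabled": True,  "groups": ["Staff"],                  "mailbox": True,  "last_login": date(2019, 11, 2)},
    {"user": "dave",    "enabled": True,  "groups": ["Staff"],                  "mailbox": True,  "last_login": date(2020, 3, 1)},
    {"user": "erin",    "enabled": False, "groups": ["Staff"],                  "mailbox": True,  "last_login": date(2019, 12, 20)},
]
# Constructed HR leaver list: erin was offboarded properly, dave was not.
LEAVERS = {"dave", "erin"}
# Groups that confer admin rights (assumed; add your own privileged groups/roles).
ADMIN_GROUPS = {"Domain Admins"}
TODAY = date(2020, 3, 11)


def audit(accounts, leavers, today, dormant_days=90):
    """Return three lists of usernames that need attention."""
    findings = {"leaver_enabled": [], "admin_with_mailbox": [], "dormant": []}
    for a in accounts:
        if not a["enabled"]:
            continue  # a disabled account cannot log in; offboarding worked
        is_admin = bool(set(a["groups"]) & ADMIN_GROUPS)
        if a["user"] in leavers:
            findings["leaver_enabled"].append(a["user"])
        if is_admin and a["mailbox"]:
            # Admin rights plus a mailbox: the account is likely used for daily
            # work. The fix is a separate, mailbox-less admin account (bob-adm).
            findings["admin_with_mailbox"].append(a["user"])
        if today - a["last_login"] > timedelta(days=dormant_days):
            findings["dormant"].append(a["user"])
    return findings


if __name__ == "__main__":
    for category, users in audit(ACCOUNTS, LEAVERS, TODAY).items():
        print(f"{category}: {users}")
```

In the sample, dave's account is still enabled after leaving, bob's everyday account sits in the admin group while his separate bob-adm account is the right pattern, and carol has not logged in for over four months. Export the same fields from your directory and run this monthly; the "dormant" list is also a cheap proxy for the software and accounts nobody needs.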
Monitor the activity on your network. Some companies use a Security Information and Event Management (SIEM) platform to collect logs from across the network and stay on top of network activity. If an incident happens, they can trace it back through the SIEM. It may not be suitable for every business, as it does come with a cost. There are other cost-effective solutions available, and you only need to look around to see what fits your business.
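Whatever you use to collect logs, the value comes from rules that turn lines into alerts. Two of the most common login rules, written out below as an added example (not the author's code or any SIEM product's rule language), are: a string of failed logins from one source followed by a success for the same user, and one source failing against many different users (a password spray). The log lines are constructed in a simplified sshd/syslog style and the addresses are documentation ranges; the format, thresholds and window are assumptions you would tune to your own logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines (not real captured data), simplified sshd/syslog style.
SAMPLE_LOG = """\
2020-03-11T08:00:01 auth: Failed password for alice from 198.51.100.7
2020-03-11T08:00:03 auth: Failed password for alice from 198.51.100.7
2020-03-11T08:00:05 auth: Failed password for alice from 198.51.100.7
2020-03-11T08:00:06 auth: Failed password for alice from 198.51.100.7
2020-03-11T08:00:08 auth: Failed password for alice from 198.51.100.7
2020-03-11T08:00:10 auth: Accepted password for alice from 198.51.100.7
2020-03-11T08:15:00 auth: Failed password for bob from 203.0.113.5
2020-03-11T08:16:00 auth: Accepted password for bob from 203.0.113.5
2020-03-11T09:00:00 auth: Failed password for carol from 192.0.2.9
2020-03-11T09:00:01 auth: Failed password for dave from 192.0.2.9
2020-03-11T09:00:02 auth: Failed password for erin from 192.0.2.9
2020-03-11T09:00:03 auth: Failed password for frank from 192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse(log_text):
    """Turn matching lines into event dicts; lines in other formats are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]),
                           "ok": m["result"] == "Accepted",
                           "user": m["user"], "src": m["src"]})
    return events


def detect(events, threshold=4, window=timedelta(minutes=5)):
    """Rule 1 (brute_force_success): >= threshold failures for a user from one
    source inside the window, then a success for that user from that source.
    Rule 2 (password_spray): one source failing against threshold distinct
    users inside the window (fires once, when the count is first reached)."""
    alerts = []
    recent = defaultdict(list)  # src -> [(ts, user), ...] failures still in the window
    for e in sorted(events, key=lambda x: x["ts"]):
        fails = [f for f in recent[e["src"]] if e["ts"] - f[0] <= window]
        if e["ok"]:
            n = sum(1 for _, u in fails if u == e["user"])
            if n >= threshold:
                alerts.append(("brute_force_success", e["src"], e["user"], n))
        else:
            fails.append((e["ts"], e["user"]))
            if len({u for _, u in fails}) == threshold:
                alerts.append(("password_spray", e["src"], None, threshold))
        recent[e["src"]] = fails
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

On the sample, alice's login after five failures and the four-user spray from 192.0.2.9 each raise one alert, while bob's single typo does not. Having these two rules, and knowing who receives the alert, is most of what "trace the incident back" means in practice; the rest is keeping the logs long enough.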
Also, monitor your controls on a regular basis and make improvements.
Large companies usually have an Incident Response Plan. What about the rest of us? Prepare your plan. What happens when an incident occurs, who investigates it, what's the course of action, where are your backups, who pulls the trigger on the Disaster Recovery plan, who speaks to the media, how do you ensure business continuity, etc. Regardless of the size of the business, you will need to have a plan.
Lastly, cyber insurance. Consider taking out a policy. There is no such thing as 100% secure in cybersecurity. We are only trying our best to mitigate the risk as much as possible. Incidents do happen. When they do, our backups might save us, the plan might save us, and when everything else fails, your insurance will cover some of the costs.
I hope that helps. No business is an exception to cyber risk. Prevention is 100 times better than cure. Be proactive. If you have the skills in-house to do all of the above, that's brilliant; if not, hire an expert. We are here to help. Thank you.