What should your business be doing to decrease cyber security risks?

Make cybersecurity (part of) someone’s job 

Cybersecurity is far too important to be fitted in as, when and if somebody has the time. Ensure that cybersecurity is properly managed by making it (part of) somebody’s job. This doesn’t necessarily mean that you need to hire in-house IT staff. In fact, there is often a lot to be said for using a managed cybersecurity service (especially for SMEs). 

There should, however, still be somebody on staff who owns cybersecurity as part of their job. That person will have the responsibility for determining what resources are required and sourcing them. They will also be the main point of contact for any vendors you use. 

Keep track of your assets 

You can only protect what you have if you know that you have it. This applies to both physical and digital assets. Ideally, one person should have responsibility for the purchase of any devices that will be linked to your network. 

If this is not practical, then there needs to be one person responsible for overseeing the purchase of any devices that will be linked to your network. There also needs to be a robust process for reporting purchases to them. 

Similar comments apply to software. Never let employees install their own software. Firstly, it could be malicious. Secondly, you need to ensure that all software is used with the appropriate licence. Be aware that software that is free to use for personal activities may not be free to use for businesses. 

Your data should already be managed per the requirements of GDPR. If it isn’t then you need to address this urgently. 

Stay on top of your maintenance schedule 

One of the big advantages of using managed service providers is that it ensures that regular maintenance is carried out according to schedule. In particular, it ensures that updates are applied promptly. This is a hugely important part of cybersecurity. 

It’s also worth noting that the importance of updates extends beyond regular desktops and laptops. It certainly includes tablets and smartphones (both iOS and Android). It may include other devices, particularly smart ones. For example, many smart devices have firmware that needs to be updated periodically. 

Assume that your perimeter is going to be breached 

No matter how strongly you defend your perimeter, there is always the risk that somebody will find a way to breach it. If they do, then you want to limit the potential for damage. The way to do this is to encrypt your data as standard and ensure that it is regularly backed up. 

Encryption basically means scrambling data to render it unusable without a decryption key. All personally identifiable data should be encrypted by default. This includes data from your employees. It’s highly advisable to encrypt any data you would not wish to be made public. You might even choose to encrypt all data to ensure that nothing slips through the net. 

Backing up data protects you if attackers delete or corrupt data. You simply restore it from a copy. The standard rule of data backups is known as the 3-2-1 rule. You need three copies of your data, on two different media with one copy being kept off-site. If you’re in the cloud, that means you can have two copies of your data in one cloud. One must be either in another cloud or offline. 

Another important rule is that you need to be sure that you actually can restore from your backups. Test this regularly so that you quickly find out about any issues. You don’t want to learn about them the hard way by finding out you can’t restore after an attack. 

Secure all your internet connections 

Fewer and fewer companies are requiring all employees to be on-site all of the time. Most support some level of remote/hybrid work. Many also have some element of mobile work, even if you don’t necessarily think of it that way. For example, staff quickly checking email on the way to work is still remote work. 

The easiest way to ensure that staff use safe connections when they’re outside the workplace is to implement a VPN. A VPN is a virtual private network. It’s also known as a tunnel. VPNs create private links between network users to keep everyone safe.  

As an extra precaution, you can equip mobile staff with portable routers (MiFi’s) and/or mobile data connections. They can use these instead of public WiFi. 

Use a “trust but verify” approach with your staff 

In modern cybersecurity, often your biggest potential risk is your staff. Protecting against this risk starts at the recruitment stage with appropriate vetting. Once a person is in a post, they should be given the minimal level of systems access needed to do their job. The lower their level of access, the less damage can be done if that access is compromised for any reason. 

You should do as much as possible to protect your staff from social engineering attacks. These are essentially digital confidence tricks. Many of them are totally unsophisticated and hence can easily be detected by automatic filtering. Some, however, are very sophisticated. These can often only be detected (in time) by staff vigilance. 

The better you can protect your staff from the unsophisticated attacks, the more time they will have to defend themselves (and hence you) from the sophisticated ones. All staff should be given training on how to keep safe online. 

Any staff that regularly use phones should also be given training on how to keep themselves safe from phone-based social-engineering attacks. This is particularly important for senior staff as they are especially attractive targets for social engineering. 

Businesses that have VoIP do have something of an advantage when it comes to protecting staff on the phones. VoIP systems generally have extensive call-management features that can help to deter and block cyberattackers.