What are the cyber-security basics for businesses?
Last updated on August 19th, 2019
Many businesses still hold the outdated and mistaken belief that the cyber-security basics they had a few years ago (a firewall, antivirus and maybe some intrusion detection software) are the same security basics they can be using today.
The IT security measures of a few years ago are no longer anywhere near sufficient to protect against the new breed of attacker. Cyber-crime is no longer a hobby for misguided computer enthusiasts, it’s now a criminal industry which produces over £1 trillion in revenue for cyber-criminals. Money can be gained by using social engineering to persuade employees to transfer money to a fake bank account, ransomware to encrypt a company’s files and hold them for ransom, network penetration to enable mass data theft and crypto-jacking to harvest crypto-currencies by stealing your machine’s processing power.
Fortunately, there are ways to prevent this.
What are the cyber-security basics?
You really shouldn’t be looking to achieve the bare minimum but it’s at least a start toward securing your business from attacks and potential regulatory fines. To achieve the cyber-security basics you will need:
If you don’t have every single one of these protections and systems in place on every applicable device in your business, you are at incredibly high risk. Your number one priority must be to get all of these systems in place right now because if you don’t, you’re easy pickings for a cyber-criminal and as a result are open to immense fines or lawsuits for failing to protect the information you store.
I’ve already met the security basics, what’s next?
If you do have these systems in place, you’ve made a good start. But if this is all you have, then for proper security there are still a few more steps. The absolute worst thing you can do at this point is thinking that settling for the minimum is good enough because you believe the information you have isn’t of interest to criminals. If you make this mistake then you’re in for a painful surprise further down the line.
The next step beyond the basics is to become Cyber Essential certified.
If you don’t know what Cyber Essentials is, it’s a government-run accreditation that acts as a way to understand where your security succeeds and where it needs improvement. It’s similar to a cyber-security audit and allows you to see what your next steps in improving security will be.
Cyber Essentials still covers fairly basic security concepts such as having the ability to remotely wipe devices, application whitelisting, daily virus scans and the disabling of OS utilities. All of which are simple things that you should already have in place. But it’s well worth going through the accreditation process if you haven’t already as it can improve your company’s image as well as open you up to working with more cyber-conscious clients.
What to do after getting Cyber Essentials certification?
After getting the basic accreditation, you can work towards achieving Cyber Essentials Plus. This is (to no-one’s surprise) a similar experience to getting the normal Cyber Essentials accreditation. The difference is that it deals with security at a higher level and demands more rigorous policies and practices to be in place.
If you have any questions about either of the Cyber Essentials accreditations, you can read our FAQ on the subject.
What else is there besides Cyber Essentials?
Cyber Essentials covers a broad range of topics regarding security and so will likely cover most of your security needs. But we also have a brief list of some security systems and techniques which are worth looking into.
- ISO 27001 accreditation
- ISO 27001 is an internationally recognised certification you can get which proves your cyber-security is at a high level. It is no easy undertaking and should not be taken lightly. However, once you achieve the certification, it can be used as a compelling point for people to choose your business over competitors.
- Staff security training
- Employees are often considered to be the weakest link in the cyber-security chain. But with regular training, they can become one of the strongest as they are able to spot and prevent threats.
- Warm and hot standby
- Because of the rising cost of an outage, getting systems back online quickly is vital to prevent minute by minute money from burning. The rise of virtualisation and the cloud has made disaster recovery and business continuity a much simpler and cost-effective venture than before. So it’s worth considering.
- Multiple connections
- With connectivity being so critical to a firm, it’s essential to have backup network and Internet connections to prevent a failed connection from leaving the firm isolated from clients and the wider world. Multiple firewalls and/or routers are also recommended.
- Securing the LAN
- The LAN has previously been left relatively unprotected but it’s now imperative that you secure the internal network to restrict access from undesirable third-parties. You also need to secure any wireless or virtual networks to stop a single breach from creating an open door across the entire firm.
- Device control / mobile device management
- Bring Your Own Device (BYOD) is a popular policy, but it’s also dangerous without the correct measures in place. Procedures need to be set up for when a device is lost or stolen or when an employee leaves the company. Don’t adopt BYOD for the sake of it, do it for an important reason. And if employees do need personal devices, look into Choose Your Own Device (CYOD) as a more secure alternative.
- Data leak protection
- In order to implement an effective data leak protection policy, you need to really understand what data you have and the risks you face. Because only then can you begin to implement controls. These will vary from sector to sector but should include things like portable encryption, endpoint protection, email content control and intelligent firewalls.
Every business and security landscape is different. But this advice can be used to kick start your journey towards a secure environment. Just remember that if you think it won’t be you who is targeted or that basic security is enough security then you might as well hand your data over to the criminals. There’s only one way to stay secure and that’s to ensure your defences beat the attacks that are out there and are coming your way.