What are the cyber-security basics for businesses?
Last updated on April 15th, 2020
Many businesses still hold the outdated and mistaken belief that the cyber-security basics they had a few years ago (a firewall, antivirus and maybe some intrusion detection software) are the same security basics they can be using today.
The IT security measures of a few years ago are no longer anywhere near sufficient to protect against the new breed of attacker. Cyber-crime is no longer a hobby for misguided computer enthusiasts; it’s now a criminal industry which produces over £1 trillion in revenue for cyber-criminals. Money can be gained by using social engineering to persuade employees to transfer money to a fake bank account, ransomware to encrypt a company’s files and hold them for ransom, network penetration to enable mass data theft, and crypto-jacking to harvest crypto-currencies by stealing your machine’s processing power.
Fortunately, there are ways to prevent this.
What are the cyber-security basics?
You really shouldn’t be looking to achieve the bare minimum, but it’s at least a start toward securing your business from attacks and potential regulatory fines. To achieve the cyber-security basics you will need:
- A unified threat management system
  - This is a combination of security appliances and acts as your gateway to the internet.
- A SPAM filter
  - This stops potentially malicious files from entering your network via email.
- Antivirus / anti-malware software
  - These are applications which protect your servers, laptops and other devices from malware.
- A patch management system
  - This manages the installation of software updates to close security holes.
- 2-Factor authentication
  - This gives you a second level of authentication, preventing unauthorised sign-ins.
- Device encryption
  - This makes any data stored on the machine useless to criminals and keeps your data secret.
- A regular data backup
  - This should keep a copy of your business data at a secure off-site location in case the original is lost.
- Content filtering
  - This prevents access to dangerous or illegal websites which reduces the risk of infection.
- A disaster recovery plan
  - This sets out how you will recover from an unplanned event such as fire or cyber-attack.
If you don’t have every single one of these protections and systems in place on every applicable device in your business, you are at incredibly high risk. Your number one priority must be to get all of these systems in place right now, because if you don’t, you’re easy pickings for a cyber-criminal and, as a result, are open to immense fines or lawsuits for failing to protect the information you store.
I’ve already met the security basics, what’s next?
If you do have these systems in place, you’ve made a good start. But if this is all you have, then for proper security there are still a few more steps. The absolute worst thing you can do at this point is to think that settling for the minimum is good enough because you believe the information you have isn’t of interest to criminals. If you make this mistake, you’re in for a painful surprise further down the line.
The next step beyond the basics is to become Cyber Essentials certified.
If you don’t know what Cyber Essentials is, it’s a government-run accreditation that acts as a way to understand where your security succeeds and where it needs improvement. It’s similar to a cyber-security audit and allows you to see what your next steps in improving security will be.
Cyber Essentials still covers fairly basic security concepts such as having the ability to remotely wipe devices, application whitelisting, daily virus scans and the disabling of OS utilities, all of which are simple things that you should already have in place. But it’s well worth going through the accreditation process if you haven’t already, as it can improve your company’s image as well as open you up to working with more cyber-conscious clients.
What to do after getting Cyber Essentials certification?
After getting the basic accreditation, you can work towards achieving Cyber Essentials Plus. This is (to no-one’s surprise) a similar experience to getting the normal Cyber Essentials accreditation. The difference is that it deals with security at a higher level and demands more rigorous policies and practices to be in place.
If you have any questions about either of the Cyber Essentials accreditations, you can read our FAQ on the subject.
What else is there besides Cyber Essentials?
Cyber Essentials covers a broad range of topics regarding security and so will likely cover most of your security needs. But we also have a brief list of some security systems and techniques which are worth looking into.
- ISO 27001 accreditation
  - ISO 27001 is an internationally recognised certification you can get which proves your cyber-security is at a high level. It is no easy undertaking and should not be taken lightly. However, once you achieve the certification, it can be used as a compelling point for people to choose your business over competitors.
- Staff security training
  - Employees are often considered to be the weakest link in the cyber-security chain. But with regular training, they can become one of the strongest, as they are able to spot and prevent threats.
- Warm and hot standby
  - Because of the rising cost of an outage, getting systems back online quickly is vital to stop money burning minute by minute. The rise of virtualisation and the cloud has made disaster recovery and business continuity a much simpler and more cost-effective venture than before. So it’s worth considering.
- Multiple connections
  - With connectivity being so critical to a firm, it’s essential to have backup network and Internet connections to prevent a failed connection from leaving the firm isolated from clients and the wider world. Multiple firewalls and/or routers are also recommended.
- Securing the LAN
  - The LAN has previously been left relatively unprotected, but it’s now imperative that you secure the internal network to restrict access from undesirable third parties. You also need to secure any wireless or virtual networks to stop a single breach from creating an open door across the entire firm.
- Device control / mobile device management
  - Bring Your Own Device (BYOD) is a popular policy, but it’s also dangerous without the correct measures in place. Procedures need to be set up for when a device is lost or stolen or when an employee leaves the company. Don’t adopt BYOD for the sake of it; do it for an important reason. And if employees do need personal devices, look into Choose Your Own Device (CYOD) as a more secure alternative.
- Data leak protection
  - In order to implement an effective data leak protection policy, you need to really understand what data you have and the risks you face, because only then can you begin to implement controls. These will vary from sector to sector but should include things like portable encryption, endpoint protection, email content control and intelligent firewalls.
Every business and security landscape is different. But this advice can be used to kick-start your journey towards a secure environment. Just remember that if you think it won’t be you who is targeted, or that basic security is enough security, then you might as well hand your data over to the criminals. There’s only one way to stay secure, and that’s to ensure your defences beat the attacks that are out there and are coming your way.