9 Essential cyber-security measures every business must take
July 20th, 2015
Many businesses still hold the mistaken belief that the cyber-security basics they implemented a few years ago (a firewall, antivirus and maybe some intrusion detection software) are the same security basics they can rely on today.
The IT security measures of a few years ago are no longer anywhere near sufficient to protect against the new breed of attacker. Cyber-crime is no longer a hobby for misguided computer enthusiasts; it’s now a criminal industry that produces over £1 trillion in revenue for cyber-criminals. Money can be gained by using social engineering to persuade employees to transfer money to a fake bank account, ransomware to encrypt a company’s files and hold them for ransom, network penetration to enable mass data theft and crypto-jacking to harvest crypto-currencies by stealing your machine’s processing power.
Fortunately, there are ways to prevent this.
What are the essential cyber-security measures every business needs?
You really shouldn’t be looking to achieve the bare minimum but it’s at least a start toward securing your business from attacks and potential regulatory fines. To achieve the cyber-security basics you will need:
This is a combination of security appliances and acts as your gateway to the internet.
This stops potentially malicious files from entering your network via email.
These are applications which protect your servers, laptops and other devices from malware.
This manages the installation of software updates to close security holes.
This gives you a second level of authentication, preventing unauthorised sign-ins.
This makes any data stored on the machine useless to criminals and keeps your data secret.
This should keep a copy of your business data at a secure off-site location in case the original is lost.
This prevents access to dangerous or illegal websites which reduces the risk of infection.
This sets out how you will recover from an unplanned event such as a fire or cyber-attack.
If you don’t have every single one of these protections and systems in place on every applicable device in your business, you are at incredibly high risk. Your number one priority must be to get all of these systems in place right now because if you don’t, you’re easy pickings for a cyber-criminal and as a result are open to immense fines or lawsuits for failing to protect the information you store.
I’ve already met the security basics, what’s next?
If you do have these systems in place, you’ve made a good start. But if this is all you have, then for proper security there are still a few more steps. The absolute worst thing you can do at this point is to think that settling for the minimum is good enough because you believe the information you have isn’t of interest to criminals. If you make this mistake then you’re in for a painful surprise further down the line.
The next step beyond the basics is to become Cyber Essentials certified.
Cyber Essentials is a government-backed accreditation that acts as a way to understand where your security succeeds and where it needs improvement. It’s similar to a cyber-security audit and allows you to see what your next steps in improving security will be.
Cyber Essentials still covers fairly basic security concepts such as having the ability to remotely wipe devices, application whitelisting, daily virus scans and the disabling of OS utilities, all of which are simple things that you should already have in place. But it’s well worth going through the accreditation process if you haven’t already, as it can improve your company’s image as well as open you up to working with more cyber-conscious clients.
What to do after getting Cyber Essentials certification?
After getting the basic accreditation, you can work towards achieving Cyber Essentials Plus. The process is similar to achieving the basic Cyber Essentials accreditation. The difference is that it deals with security at a higher level and demands more rigorous policies and practices to be in place.
If you have any questions about either of the Cyber Essentials accreditations, you can read our FAQ on the subject.
How else can you secure your business?
Cyber Essentials covers a broad range of topics regarding security and so will likely cover most of your basic security needs. But we also have a brief list of some security systems and techniques which are worth looking into.
ISO 27001 accreditation
ISO 27001 is an internationally recognised certification you can get which proves your cyber-security is at a high level. It is no easy undertaking and should not be taken lightly. However, once you achieve the certification, it can be used as a compelling point for people to choose your business over competitors.
Staff security training
Employees are often considered to be the weakest link in the cyber-security chain. But with regular training, they can become one of the strongest as they are able to spot and prevent threats.
Warm and hot standby
Because of the rising cost of an outage, getting systems back online quickly is vital to stop money burning minute by minute. The rise of virtualisation and the cloud has made disaster recovery and business continuity a much simpler and more cost-effective venture than before. So it’s worth considering.
With connectivity being so critical to a firm, it’s essential to have backup network and Internet connections to prevent a failed connection from leaving the firm isolated from clients and the wider world. Multiple firewalls and/or routers are also recommended.
Securing the LAN
The LAN has previously been left relatively unprotected but it’s now imperative that you secure the internal network to restrict access from undesirable third parties. You also need to secure any wireless or virtual networks to stop a single breach from creating an open door across the entire firm.
Mobile Device Management (MDM)
Bring Your Own Device (BYOD) is a popular policy, but it’s also dangerous without the correct measures in place. Procedures need to be set up for when a device is lost or stolen or when an employee leaves the company. Don’t adopt BYOD for the sake of it; do it for an important reason. And if employees do need personal devices, look into Choose Your Own Device (CYOD) as a more secure alternative.
Data leak protection
In order to implement an effective data leak protection policy, you need to really understand what data you have and the risks you face, because only then can you begin to implement controls. These will vary from sector to sector but should include things like portable encryption, endpoint protection, email content control and intelligent firewalls.
Every business and security landscape is different. But this advice can be used to kick start your journey towards a secure environment. Just remember that if you think it won’t be you who is targeted or that basic security is enough security then you might as well hand your data over to the criminals. There’s only one way to stay secure and that’s to ensure your defences beat the attacks that are out there and are coming your way.