9 Essential cyber-security measures every business must take
July 20th, 2015
Many businesses still hold the mistaken belief that the cyber-security basics they implemented a few years ago (a firewall, antivirus and maybe some intrusion detection software) are still sufficient today.
The IT security measures of a few years ago are no longer anywhere near sufficient to protect against the new breed of attacker. Cyber-crime is no longer a hobby for misguided computer enthusiasts; it is now a criminal industry that produces over £1 trillion in revenue for cyber-criminals. Money can be gained by using social engineering to persuade employees to transfer money to a fake bank account, ransomware to encrypt a company’s files and hold them for ransom, network penetration to enable mass data theft, and crypto-jacking to harvest crypto-currencies by stealing your machines’ processing power.
Fortunately, there are ways to prevent this.
What are the essential cyber-security measures every business needs?
You really shouldn’t be looking to achieve the bare minimum but it’s at least a start toward securing your business from attacks and potential regulatory fines. To achieve the cyber-security basics you will need:
1. This is a combination of security appliances and acts as your gateway to the internet.
2. This stops potentially malicious files from entering your network via email.
3. These are applications which protect your servers, laptops and other devices from malware.
4. This manages the installation of software updates to close security holes.
5. This gives you a second level of authentication, preventing unauthorised sign-ins.
6. This makes any data stored on the machine useless to criminals and keeps your data secret.
7. This should keep a copy of your business data at a secure off-site location in case the original is lost.
8. This prevents access to dangerous or illegal websites, which reduces the risk of infection.
9. This sets out how you will recover from an unplanned event such as a fire or cyber-attack.
If you don’t have every single one of these protections and systems in place on every applicable device in your business, you are at incredibly high risk. Your number one priority must be to get all of these systems in place right now because if you don’t, you’re easy pickings for a cyber-criminal and as a result are open to immense fines or lawsuits for failing to protect the information you store.
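The point above is that each baseline control has to be present on every device it applies to. The following is an added example (not from the original post or any real tool) of a coverage report over a constructed device inventory; the field names, the per-device-kind applicability rules and the patch and backup age thresholds are all assumptions.

```python
"""Baseline control coverage report over a constructed inventory.
Field names, thresholds and applicability rules are assumptions for this example."""
from datetime import date

TODAY = date(2015, 7, 20)      # assumed "as of" date for the check
MAX_PATCH_AGE_DAYS = 30        # assumed: patches older than this count as missing
MAX_BACKUP_AGE_DAYS = 1        # assumed: a backup must be at most one day old

# Which baseline controls apply to which kind of device (assumption: laptops leave
# the building, so they need disk encryption; servers hold the data, so they need backup).
APPLICABLE = {
    "laptop": {"antivirus", "patching", "mfa", "disk_encryption"},
    "server": {"antivirus", "patching", "mfa", "backup"},
}


def missing_controls(device: dict) -> set:
    """Return the set of applicable baseline controls this device fails."""
    last_backup = device.get("last_backup")
    checks = {
        "antivirus": device.get("antivirus_installed", False),
        "patching": (TODAY - device["last_patched"]).days <= MAX_PATCH_AGE_DAYS,
        "mfa": device.get("mfa_enforced", False),
        "disk_encryption": device.get("disk_encrypted", False),
        "backup": last_backup is not None
                  and (TODAY - last_backup).days <= MAX_BACKUP_AGE_DAYS,
    }
    return {c for c in APPLICABLE[device["kind"]] if not checks[c]}


def coverage_report(inventory: list) -> dict:
    """Map device name -> sorted list of missing controls; devices with no gaps are omitted."""
    report = {}
    for dev in inventory:
        gaps = missing_controls(dev)
        if gaps:
            report[dev["name"]] = sorted(gaps)
    return report


# Constructed sample inventory: one laptop and two servers with deliberate gaps.
SAMPLE_INVENTORY = [
    {"name": "lt-01", "kind": "laptop", "antivirus_installed": True,
     "last_patched": date(2015, 7, 1), "mfa_enforced": True, "disk_encrypted": False},
    {"name": "srv-01", "kind": "server", "antivirus_installed": True,
     "last_patched": date(2015, 5, 1), "mfa_enforced": True, "last_backup": date(2015, 7, 19)},
    {"name": "srv-02", "kind": "server", "antivirus_installed": True,
     "last_patched": date(2015, 7, 15), "mfa_enforced": False, "last_backup": None},
]

if __name__ == "__main__":
    for name, gaps in coverage_report(SAMPLE_INVENTORY).items():
        print(f"{name}: missing {', '.join(gaps)}")
```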
I’ve already met the security basics, what’s next?
If you do have these systems in place, you’ve made a good start. But if this is all you have, then for proper security there are still a few more steps. The absolute worst thing you can do at this point is to assume that settling for the minimum is good enough because you believe the information you hold isn’t of interest to criminals. If you make this mistake then you’re in for a painful surprise further down the line.
The next step beyond the basics is to become Cyber Essentials certified.
Cyber Essentials is a government-backed accreditation that acts as a way to understand where your security succeeds and where it needs improvement. It’s similar to a cyber-security audit and allows you to see what your next steps in improving security will be.
Cyber Essentials still covers fairly basic security concepts such as having the ability to remotely wipe devices, application whitelisting, daily virus scans and the disabling of OS utilities. All of which are simple things that you should already have in place. But it’s well worth going through the accreditation process if you haven’t already as it can improve your company’s image as well as open you up to working with more cyber-conscious clients.
What to do after getting Cyber Essentials certification?
After getting the basic accreditation, you can work towards achieving Cyber Essentials Plus. The process is similar to achieving the basic Cyber Essentials accreditation. The difference is that it deals with security at a higher level and demands more rigorous policies and practices to be in place.
If you have any questions about either of the Cyber Essentials accreditations, you can read our FAQ on the subject.
How else can you secure your business?
Cyber Essentials covers a broad range of topics regarding security and so will likely cover most of your basic security needs. But we also have a brief list of some security systems and techniques which are worth looking into.
ISO 27001 accreditation
ISO 27001 is an internationally recognised certification you can get which proves your cyber-security is at a high level. It is no easy undertaking and should not be taken lightly. However, once you achieve the certification, it can be used as a compelling point for people to choose your business over competitors.
Staff security training
Employees are often considered to be the weakest link in the cyber-security chain. But with regular training, they can become one of the strongest as they are able to spot and prevent threats.
Warm and hot standby
Because of the rising cost of an outage, getting systems back online quickly is vital to stop money burning minute by minute. The rise of virtualisation and the cloud has made disaster recovery and business continuity a much simpler and more cost-effective venture than before, so it’s worth considering.
With connectivity being so critical to a firm, it’s essential to have backup network and Internet connections to prevent a failed connection from leaving the firm isolated from clients and the wider world. Multiple firewalls and/or routers are also recommended.
Securing the LAN
The LAN has previously been left relatively unprotected but it’s now imperative that you secure the internal network to restrict access from undesirable third parties. You also need to secure any wireless or virtual networks to stop a single breach from creating an open door across the entire firm.
Mobile Device Management (MDM)
Bring Your Own Device (BYOD) is a popular policy, but it’s also dangerous without the correct measures in place. Procedures need to be set up for when a device is lost or stolen or when an employee leaves the company. Don’t adopt BYOD for the sake of it, do it for an important reason. And if employees do need personal devices, look into Choose Your Own Device (CYOD) as a more secure alternative.
Data leak protection
In order to implement an effective data leak protection policy, you need to really understand what data you have and the risks you face, because only then can you begin to implement controls. These will vary from sector to sector but should include things like portable encryption, endpoint protection, email content control and intelligent firewalls.
Every business and security landscape is different. But this advice can be used to kick start your journey towards a secure environment. Just remember that if you think it won’t be you who is targeted or that basic security is enough security then you might as well hand your data over to the criminals. There’s only one way to stay secure and that’s to ensure your defences beat the attacks that are out there and are coming your way.