9 Essential cyber-security measures every business must take

July 20th, 2015

IT security - What are the cyber-security basics for businesses?

Many businesses still hold the mistaken belief that the cyber-security basics they implemented a few years ago (a firewall, antivirus and maybe some intrusion detection software) are still the security basics they can rely on today.

They’re wrong.

The IT security measures of a few years ago are no longer anywhere near sufficient to protect against the new breed of attacker. Cyber-crime is no longer a hobby for misguided computer enthusiasts; it’s now a criminal industry that produces over £1 trillion in revenue for cyber-criminals. Money can be gained by using social engineering to persuade employees to transfer money to a fake bank account, ransomware to encrypt a company’s files and hold them for ransom, network penetration to enable mass data theft, and crypto-jacking to harvest crypto-currencies by stealing your machine’s processing power.

Fortunately, there are ways to prevent this.

What are the essential cyber-security measures every business needs?

You really shouldn’t be looking to achieve only the bare minimum, but it’s at least a start toward securing your business from attacks and potential regulatory fines. To achieve the cyber-security basics you will need:

1. A Unified Threat Management (UTM) system

This is a combination of security appliances and acts as your gateway to the internet.

2. A spam filter

This stops potentially malicious files from entering your network via email.

3. Antivirus/anti-malware software

These are applications which protect your servers, laptops and other devices from malware.

4. A patch management system

This manages the installation of software updates to close security holes.

5. 2-Factor authentication

This gives you a second level of authentication, preventing unauthorised sign-ins.

6. Device encryption

This makes any data stored on the machine useless to criminals and keeps your data secret.

7. A regular data backup

This should keep a copy of your business data at a secure off-site location in case the original is lost.

8. Content filtering

This prevents access to dangerous or illegal websites which reduces the risk of infection.

9. A disaster recovery plan

This sets out how you will recover from an unplanned event such as a fire or cyber-attack.

If you don’t have every single one of these protections and systems in place on every applicable device in your business, you are at incredibly high risk. Your number one priority must be to get all of these systems in place right now because if you don’t, you’re easy pickings for a cyber-criminal and as a result are open to immense fines or lawsuits for failing to protect the information you store.

I’ve already met the security basics, what’s next?

If you do have these systems in place, you’ve made a good start. But if this is all you have, then for proper security there are still a few more steps. The absolute worst thing you can do at this point is to think that settling for the minimum is good enough because you believe the information you have isn’t of interest to criminals. If you make this mistake, you’re in for a painful surprise further down the line.

The next step beyond the basics is to become Cyber Essentials certified.

Cyber Essentials is a government-backed accreditation that acts as a way to understand where your security succeeds and where it needs improvement. It’s similar to a cyber-security audit and allows you to see what your next steps in improving security will be.

Cyber Essentials still covers fairly basic security concepts such as having the ability to remotely wipe devices, application whitelisting, daily virus scans and the disabling of OS utilities, all of which are simple things that you should already have in place. But it’s well worth going through the accreditation process if you haven’t already, as it can improve your company’s image as well as open you up to working with more cyber-conscious clients.

What to do after getting Cyber Essentials certification?

After getting the basic accreditation, you can work towards achieving Cyber Essentials Plus. This is a similar experience to achieving the basic Cyber Essentials accreditation. The difference is that it deals with security at a higher level and demands more rigorous policies and practices to be in place.

If you have any questions about either of the Cyber Essentials accreditations, you can read our FAQ on the subject.

How else can you secure your business?

Cyber Essentials covers a broad range of topics regarding security and so will likely cover most of your basic security needs. But we also have a brief list of some security systems and techniques which are worth looking into.

ISO 27001 accreditation

ISO 27001 is an internationally recognised certification you can get which proves your cyber-security is at a high level. It is no easy undertaking and should not be taken lightly. However, once you achieve the certification, it can be used as a compelling point for people to choose your business over competitors.

Staff security training

Employees are often considered to be the weakest link in the cyber-security chain. But with regular training, they can become one of the strongest as they are able to spot and prevent threats.

Warm and hot standby

Because of the rising cost of an outage, getting systems back online quickly is vital to stop money burning minute by minute. The rise of virtualisation and the cloud has made disaster recovery and business continuity a much simpler and more cost-effective venture than before. So it’s worth considering.

Multiple connections

With connectivity being so critical to a firm, it’s essential to have backup network and Internet connections to prevent a failed connection from leaving the firm isolated from clients and the wider world. Multiple firewalls and/or routers are also recommended.

Securing the LAN

The LAN has previously been left relatively unprotected but it’s now imperative that you secure the internal network to restrict access from undesirable third parties. You also need to secure any wireless or virtual networks to stop a single breach from creating an open door across the entire firm.

Mobile Device Management (MDM)

Bring Your Own Device (BYOD) is a popular policy, but it’s also dangerous without the correct measures in place. Procedures need to be set up for when a device is lost or stolen or when an employee leaves the company. Don’t adopt BYOD for the sake of it; do it for an important reason. And if employees do need personal devices, look into Choose Your Own Device (CYOD) as a more secure alternative.

Data leak protection

In order to implement an effective data leak protection policy, you need to really understand what data you have and the risks you face, because only then can you begin to implement controls. These will vary from sector to sector but should include things like portable encryption, endpoint protection, email content control and intelligent firewalls.

Conclusion

Every business and security landscape is different. But this advice can be used to kick-start your journey towards a secure environment. Just remember that if you think it won’t be you who is targeted, or that basic security is enough security, then you might as well hand your data over to the criminals. There’s only one way to stay secure and that’s to ensure your defences beat the attacks that are out there and are coming your way.