
Digital Safety - How to Make Cyber Security Work for Your Business

A cyber-attack can devastate any business overnight. Most businesses are affected from a reputational, financial and/or regulatory perspective, and some never manage to recover.

Cyber criminals can target vulnerable business IT systems, or the people who use them, to compromise internal systems. Evidence from recorded incidents confirms that, on average, systems are compromised for >200 days before the intrusion is detected.

According to Verizon (2021 Data Breach Investigation Report), the most likely ways a cybercriminal will gain access to business systems are:

• Social Engineering (85% of cyber breaches involved humans)
• Basic Web or Exposed Systems vulnerability attacks (61% of breaches involved credentials)

The current trend shows that cyber criminals will adopt well-known tactics to gain access to business systems. Once in, they will attempt to escalate their privileges, map the network and copy core business data. They will operate carefully and slowly, in order to avoid detection. Once they have siphoned enough data, they may expose themselves by encrypting your business systems and demanding a ransom payment to get them back. This is known as Ransomware.

Looking at cyber defences

Previously, the defence to Ransomware was to ignore the attackers' demands, remediate any vulnerabilities and restore all business systems from backups (hopefully offline). However, it is extremely common that businesses do not have adequate (and tested) system backups, which means this is often not possible.

Cybercrime tactics have also evolved to defeat good backup processes: the attackers take a copy of your data first, then threaten you with "pay up to get the data back, or we release it to the internet".

It becomes a real concern where they have:
• Copied sensitive intellectual property, which you may not want exposed to competitors or the market.
• Copied sensitive business data, which may reveal your commercial position or cause embarrassment if released in the wild.
• Copied Personal Data, which may expose you to a breach of Data Protection Regulation.
• Encrypted file storage, preventing your business from operating.

In the last two-to-three years, organised crime syndicates have built their brand and reputation on making sure they give the business the encryption keys to retrieve their data if they pay up. However, be warned: there have been a number of reported incidents where the encryption keys have been returned, but the vulnerable systems have not been remediated, and the cyber criminals strike again!

8 top tips to help protect your business

Whilst larger organisations may have the resources to recruit and fund Cyber Security Programmes, we find that Small to Medium Enterprises (SMEs) are often left confused, or unsure of what actions are appropriate to take.

We have written these basic principles to help anyone in this position:

Educate your employees – you have already seen that humans are the most likely cause of cyber incidents. Train them in processes and basic cyber hygiene, and support them when it goes wrong. The UK National Cyber Security Centre (NCSC) has produced some great cyber awareness and guidance materials. Check them out! I strongly recommend you look at the Password Guidance and build Phishing Simulation Training into your future security programme.

Consider Cyber Essentials – the UK Government produced a set of basic principles which any business with a digital presence should adopt. This certification is a requirement for any organisation wishing to do business with the Public Sector. The scheme is called Cyber Essentials, or Cyber Essentials Plus (CE+) for higher-risk engagements. The scheme covers basic principles that, when adopted, will mitigate more than 80% of threats from the internet. It costs ~£300 to achieve (~£2000 for CE+), and will make sure you focus on common threats and best practices.

Control your Access – ensure that you limit admin accounts, and that personnel only get access to what they need to perform their job. If possible, assign permissions based on a user's role (RBAC). Make sure you also revoke access when it is no longer needed. A few other basic considerations:
• Do not use generic accounts, such as ‘user1’. You want to know who did what and when.
• Separate your normal user account (for business email etc), from any administrator / privileged accounts.
• Do not use generic passwords, and make sure passwords are not shared amongst the team (refer to the NCSC Password Guidance).
• Use a password manager, where possible.
• Educate your users…

Enable Multi-Factor Authentication (MFA) – MFA is one of the best ways to secure your accounts, especially when connecting over the internet. If the solution allows it, turn it on.
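As an added example (not from the original post), here is a small Python audit that applies the access-control and MFA principles above to a constructed directory export: it flags generic account names, privileged roles sitting on a day-to-day user account, accounts without MFA, and accounts unused for more than 90 days. The CSV columns, the role names and the 90-day threshold are assumptions; adapt them to whatever your identity provider exports.

```python
import csv
import io
from datetime import date

# Constructed sample export of an identity directory (hypothetical data, not from any real tenant).
SAMPLE_EXPORT = """\
username,display_name,roles,mfa_enabled,last_sign_in
user1,Shared Front Desk,user,no,2024-05-01
adam,Adam,user;global_admin,yes,2024-05-02
adam-admin,Adam (admin),global_admin,yes,2024-05-02
jane,Jane,user,no,2024-05-03
old-contractor,Contractor,user,yes,2023-09-15
"""

GENERIC_NAMES = {"user", "admin", "test", "guest", "temp", "shared"}  # assumed list
PRIVILEGED_ROLES = {"global_admin", "domain_admin", "owner"}          # assumed role names
STALE_DAYS = 90                                                         # assumed threshold


def is_generic(username: str) -> bool:
    # 'user1', 'admin2', 'test' etc. hide who actually did what and when.
    stem = username.lower().rstrip("0123456789")
    return stem in GENERIC_NAMES


def audit_accounts(export_csv: str, today: date) -> list[tuple[str, str]]:
    """Return (username, finding) pairs for accounts that break the principles above."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        name = row["username"]
        roles = set(row["roles"].split(";"))
        privileged = bool(roles & PRIVILEGED_ROLES)
        if is_generic(name):
            findings.append((name, "generic account name: actions cannot be attributed to a person"))
        if privileged and "user" in roles:
            findings.append((name, "privileged role on a day-to-day user account: use a separate admin account"))
        if row["mfa_enabled"].strip().lower() != "yes":
            severity = "HIGH" if privileged else "MEDIUM"
            findings.append((name, f"{severity}: MFA not enabled"))
        if (today - date.fromisoformat(row["last_sign_in"])).days > STALE_DAYS:
            findings.append((name, f"no sign-in for >{STALE_DAYS} days: revoke or disable"))
    return findings


def audit_sample() -> list[tuple[str, str]]:
    # Fixed 'today' so the constructed data gives repeatable results.
    return audit_accounts(SAMPLE_EXPORT, date(2024, 5, 10))


if __name__ == "__main__":
    for user, finding in audit_sample():
        print(f"{user}: {finding}")
```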

Backup your essential data – even cloud services (Software as a Service) can be compromised, although you reduce the risk with RBAC and MFA. How devastating would it be to your business if your M365 was compromised and your data lost? Make sure you take separate offline backups, and test them to make sure they can be recovered if the worst happened.

Cloud First – there is so much opportunity with cloud services, in particular the ability to scale up and down when required. Take advantage of Platform as a Service or Software as a Service, as the responsibility for securing the IT systems is then shared with, or fully owned by, the vendor.

Patch, Patch, Patch – patching systems is fundamental. Make sure you know what you have, and monitor for updates (including emergency or out-of-band updates). Consider this across your infrastructure, platforms, applications, laptops, desktops and mobile devices.

Deploy Anti-Virus – most laptop and mobile vendors include built-in anti-virus solutions, such as Windows Defender. Make sure you have it enabled, and monitor endpoints to ensure they are receiving updates. We typically see gaps in anti-virus coverage across server estates (cloud or on-premise), so make sure these are considered too. Prevent users (where possible) from downloading executable files or plugging removable media into company assets.

For Extra Help – feel free to reach out to our team with any questions or for additional support. I also recommend looking at the sources below, which you may find useful for establishing your security baselines:

An influencer, with experience in operating across an enterprise information technology and software organisations, at Chief Information Security Officer level. Adam has a proven history of building and running diverse, high-performance teams, with a track record of exceeding objectives and targets.
