10 steps for better cyber security
The best way to handle a serious data breach is to prevent it from happening in the first place. While no security system is 100% effective, a substantial number of major breaches were very preventable.
We give you 10 tips on how to avoid a cyber attack on your business with some key points for consideration:
1. Ensure you understand what is important, applicable and relevant to your organisation
If you work in a regulated industry, ensure you comply with any applicable policies. Has your organisation considered the impact of the General Data Protection Regulation?
- Make sure you know where your data is and who has access to it;
- Review any measures you have in place to Prevent, Detect, and React to any breach.
2. Seek expert advice
It can be difficult to understand the jargon around Cyber Security and the areas that are applicable to your organisation.
- Consider outsourcing your IT. If it is already outsourced, then ensure that your supplier provides proactive monitoring and keeps you updated on the latest threats
- Make sure you subscribe to any security newsletters or updates from your security vendors (Firewalls, Antivirus vendors etc)
3. Identify your “crown jewels”
Each of your assets will have a different value and require different levels of protection. You should, therefore, identify your “crown jewels” and apply elevated security measures to them. For example:
- Your customer databases
- HR records and Payroll
4. Keep your software up to date
Outdated applications and operating systems are vulnerable to security breaches. Maintain software support agreements to provide access to the latest updates.
5. Ensure you have a robust password policy
A good password will have at least eight characters and contain a mixture of uppercase and lowercase letters, numbers and special characters. Each additional character greatly improves the strength of the password.
- Avoid common passwords such as “12345678”, “Password”, “qwerty” etc.
- For assets that require additional protection, consider the use of two-factor authentication
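As an added illustration (not part of the original article), the checker below enforces the policy stated above: a minimum of eight characters, all four character classes, and rejection of the well-known weak passwords the article lists. It also gives a rough brute-force strength estimate in bits, which shows why every extra character counts: with all four classes in use, each additional character adds about 6.6 bits, roughly doubling the attacker's work 6.6 times over. The common-password list is a constructed sample; a real deployment would use a full breached-password list.

```python
import math
import re
from typing import List

# Constructed sample of common passwords (the article names the first three).
# Assumption: a real policy would load a much larger breached-password list.
COMMON_PASSWORDS = {"12345678", "password", "qwerty", "letmein", "iloveyou"}

MIN_LENGTH = 8

# Character-class patterns used both for the policy check and the strength estimate.
LOWER = re.compile(r"[a-z]")
UPPER = re.compile(r"[A-Z]")
DIGIT = re.compile(r"[0-9]")
SPECIAL = re.compile(r"[^A-Za-z0-9]")


def check_password_policy(password: str) -> List[str]:
    """Return the policy rules the password fails; an empty list means it complies."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not LOWER.search(password):
        failures.append("no lowercase letter")
    if not UPPER.search(password):
        failures.append("no uppercase letter")
    if not DIGIT.search(password):
        failures.append("no digit")
    if not SPECIAL.search(password):
        failures.append("no special character")
    # Compare case-insensitively so "Password" is caught as well as "password".
    if password.lower() in COMMON_PASSWORDS:
        failures.append("appears in the common-password list")
    return failures


def alphabet_size(password: str) -> int:
    """Size of the character set an attacker must assume, given the classes actually used."""
    size = 0
    if LOWER.search(password):
        size += 26
    if UPPER.search(password):
        size += 26
    if DIGIT.search(password):
        size += 10
    if SPECIAL.search(password):
        size += 33  # printable ASCII punctuation and space
    return size


def estimate_entropy_bits(password: str) -> float:
    """Rough brute-force strength: log2(alphabet_size ** length).

    This is an upper bound for a random password of that shape; dictionary words
    and predictable substitutions are much weaker than the figure suggests.
    """
    size = alphabet_size(password)
    if size == 0 or not password:
        return 0.0
    return len(password) * math.log2(size)


if __name__ == "__main__":
    for candidate in ["Password", "12345678", "Tr0ub4d0r&3", "Tr0ub4d0r&3x"]:
        problems = check_password_policy(candidate)
        verdict = "OK" if not problems else "; ".join(problems)
        print(f"{candidate!r}: {estimate_entropy_bits(candidate):.1f} bits, {verdict}")
```

Running the block prints one line per sample password; the last two show that adding a single character to a compliant password raises the estimate by about 6.6 bits.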
6. Educate your staff on phishing techniques
Phishing is the most commonly used method for initiating a data breach. Hackers attempt to obtain sensitive information such as usernames and passwords by masking their identity in an email, which may appear to originate from a trustworthy organisation.
- Most phishing emails will contain links to websites that may look legitimate but are fake and will ask you to enter sensitive information
- Some phishing emails may include attached documents which you should NEVER open
7. We have never had a security issue so why should we be concerned now?
- Cyber security is evolving all the time, as are the threats (and the fines from the Information Commissioner's Office). It must be continually monitored and reviewed
- You may think that your data has no value, but what about your confidential employee data and payroll information? Would your organisation survive if all your digital data was lost?
8. Backup your data
A data breach in a large organisation usually results in customer databases or intellectual property being stolen. In smaller organisations, however, the cyber criminals are usually not interested in your data itself; they are looking for financial reward, typically by locking you out of your data and demanding a ransom to restore access. They are under no obligation to provide you with the key to unlock your data, so paying a ransom will only make the situation more painful.
The only sure-fire way of restoring your data is from a recent backup. Backups should be taken at regular intervals, typically once a day, and in any case no less often than the amount of data you can afford to lose.
9. We might be infected, is it too late?
If you have been infected by a virus or malware, it may be too late to recover the data from the local hard disk (unless you have a backup). Your priority should therefore be to limit the damage and prevent the infection from spreading to other workstations. The first things you should do are:
- Turn your computer off by the power button
- Disconnect any cables that are plugged into it
- Ignore any ransom demands. It is unlikely they will unlock your data anyway
- Call your IT helpdesk or support company for assistance
10. Above all, be prepared
No organisation wants to experience a cyber security incident, but the reality is that most do at some point and, without preparation, it could put your entire organisation at risk.
It is good practice to conduct a risk assessment and identify areas of your business that could be susceptible to a cyber security incident. Larger organisations, or those that provide services to government or regulated businesses, may be required to comply with a recognised Information Security Management System (ISMS) such as ISO/IEC 27001:2013.
Cyber Essentials Certification
Carpenter Box has received a Certificate of Assurance from Cyber Essentials, which confirms our compliance with the requirements of the Cyber Essentials Scheme. You can find out more information about what this means for our clients here.
For further information or advice, visit the National Cyber Security Centre website.