A question we get asked a lot by customers, contacts, friends and new business clients is how to protect your business from a cyber attack. The answer is complex and there is no quick fix or definitive list that works for every company alike.
Every business has a unique makeup and design of its IT, which means there is no single answer to the question of cyber security protection. However, there are still common foundations that are specific, intrinsic and absolutely required to be put in place by every business. They provide a solid starting point, act as the first line of defence in the event of a cyber security attack and minimise the fallout.
So here we are, our top 6 cyber security recommendations to protect your business.
Managed security & support
It’s so important to have all of your devices patched, managed and up-to-date with the latest security fixes from Microsoft, Apple and third-party applications, together with the latest definition updates for your anti-virus software. Running daily virus scans is essential to remove viruses, malicious files, ransomware and malware, and so is having up-to-date definitions for your web content filtering and firewall.
Ensuring you have local IT support in London and Hertfordshire to manage all of your devices and cyber security for you is essential to give you that 360-degree circle of support and protection from proven IT experts rather than a DIY attitude.
Backups in place
Backups, backups, backups: having at least 30 days’ worth of recovery capability is a must. I cannot stress this enough. Should you be faced with a business continuity crisis as a result of ransomware and have to implement a disaster recovery plan, you need to be 100% certain that you can recover your files and systems.
With USB backup drives now extremely easy to compromise, your backup files might also be affected. So ensuring you have a two-step backup solution in place, by which I mean secure encrypted local backups together with an additional layer of cloud online backup, is essential.
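The two requirements above (30 days of recovery capability, and a second tier so a compromised local copy is not the only copy) can be checked rather than assumed. The following is an added example, not code from the original post or from any backup product: it runs over a constructed job history of local and cloud snapshots, lists the days on which each tier has no good restore point, confirms that at least one tier covers every day in the window, and reports how far back each tier reaches. The tier names, the 30-day window and the sample dates are assumptions made for the illustration.

```python
from datetime import date, timedelta

LOCAL, CLOUD = "local", "cloud"
RETENTION_DAYS = 30   # the post's minimum: 30 days of recovery capability

def build_sample():
    """Constructed job history: (snapshot date, tier, succeeded). Not real data."""
    today = date(2024, 3, 31)
    rows = []
    for back in range(35):
        d = today - timedelta(days=back)
        # Simulated gap: the local job did not run on two days.
        if d not in (date(2024, 3, 10), date(2024, 3, 11)):
            rows.append((d, LOCAL, True))
        # Cloud job ran every day, but one upload failed.
        rows.append((d, CLOUD, d != date(2024, 3, 25)))
    return today, rows

SAMPLE_TODAY, SAMPLE_SNAPSHOTS = build_sample()

def successful_days(snapshots, tier):
    """Set of dates with at least one successful snapshot for the given tier."""
    return {d for d, t, ok in snapshots if t == tier and ok}

def missing_days(snapshots, tier, today, days=RETENTION_DAYS):
    """Dates inside the retention window with no good snapshot for `tier`, oldest first."""
    have = successful_days(snapshots, tier)
    window = (today - timedelta(days=i) for i in range(days))
    return sorted(d for d in window if d not in have)

def window_fully_covered(snapshots, today, days=RETENTION_DAYS):
    """True if every day in the window has a good restore point in at least one tier.
    A gap in one tier is acceptable only if the other tier covers that day."""
    local_gaps = set(missing_days(snapshots, LOCAL, today, days))
    cloud_gaps = set(missing_days(snapshots, CLOUD, today, days))
    return not (local_gaps & cloud_gaps)

def oldest_restore_point_age(snapshots, tier, today):
    """Age in days of the oldest good snapshot for a tier; None if there are none."""
    have = successful_days(snapshots, tier)
    return (today - min(have)).days if have else None

def report(snapshots, today, days=RETENTION_DAYS):
    return {
        "local_missing": [d.isoformat() for d in missing_days(snapshots, LOCAL, today, days)],
        "cloud_missing": [d.isoformat() for d in missing_days(snapshots, CLOUD, today, days)],
        "every_day_recoverable": window_fully_covered(snapshots, today, days),
        "local_retention_days": oldest_restore_point_age(snapshots, LOCAL, today),
        "cloud_retention_days": oldest_restore_point_age(snapshots, CLOUD, today),
    }

if __name__ == "__main__":
    for key, value in report(SAMPLE_SNAPSHOTS, SAMPLE_TODAY).items():
        print(f"{key}: {value}")
```

In the sample the local tier misses two days and the cloud tier misses one, but the gaps do not overlap, so every day is still recoverable; remove the cloud copy for one of the local gap days and `window_fully_covered` turns false, which is exactly the situation a single-tier USB backup leaves you in.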
Permissions on local and cloud platforms
This is a really important security stage to implement, but it is often overlooked. Ensuring that you have the correct users set up with the correct permissions and administrator privileges, and locking down your folder structure to match, is a huge weapon in the defence of your critical data and company information. Deleting old users, or disabling their access and permissions, is good IT management that ultimately helps protect your systems from unauthorised access and attack.
So too is ensuring your backup drive is hardware encrypted, is networked rather than locally attached by USB to your server, and has no share exposed to it. Use a separate administrator account (not the same as your local or domain administrator) to manage and access the backup drive and its network location. This is again vital to ensure the validity of your backups should you need to use them in an IT disaster.
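The two account-hygiene rules in this section (remove or disable users who have left, and keep the backup administrator separate from the domain administrator) lend themselves to a periodic audit. Below is an added example, not the post's own code and not tied to any particular directory product: it runs over a constructed user export and flags enabled accounts that have not logged on within a policy window, disabled accounts that still carry administrator group membership, and any account that holds both domain administrator and backup rights. The group names, the 90-day idle threshold and the sample users are assumptions for the illustration.

```python
from datetime import date

MAX_IDLE_DAYS = 90                 # assumed policy: enabled accounts unused this long are stale
DOMAIN_ADMIN = "Domain Admins"
BACKUP_GROUP = "Backup Operators"  # assumed name of the group granted rights on the backup share

# Constructed directory export for illustration; a real audit would pull this
# from Active Directory or the cloud platform's user list.
SAMPLE_TODAY = date(2024, 3, 31)
SAMPLE_USERS = [
    {"name": "alice",      "enabled": True,  "last_logon": date(2024, 3, 29), "groups": {"Staff"}},
    {"name": "bob",        "enabled": True,  "last_logon": date(2023, 11, 2), "groups": {"Staff"}},
    {"name": "carol",      "enabled": False, "last_logon": date(2023, 6, 1),  "groups": {"Staff"}},
    {"name": "dave",       "enabled": False, "last_logon": date(2023, 9, 14), "groups": {"Staff", DOMAIN_ADMIN}},
    {"name": "domadmin",   "enabled": True,  "last_logon": date(2024, 3, 30), "groups": {DOMAIN_ADMIN, BACKUP_GROUP}},
    {"name": "svc-backup", "enabled": True,  "last_logon": date(2024, 3, 31), "groups": {BACKUP_GROUP}},
]

def idle_days(user, today):
    """Days since the account last logged on."""
    return (today - user["last_logon"]).days

def audit_user(user, today, max_idle=MAX_IDLE_DAYS):
    """Return a list of findings for one account (empty list means clean)."""
    findings = []
    if user["enabled"] and idle_days(user, today) > max_idle:
        findings.append(f"enabled but unused for {idle_days(user, today)} days: disable or delete")
    if not user["enabled"] and DOMAIN_ADMIN in user["groups"]:
        findings.append("disabled account still holds administrator group membership: remove it")
    if DOMAIN_ADMIN in user["groups"] and BACKUP_GROUP in user["groups"]:
        findings.append("domain administrator also has backup rights: use a dedicated backup account")
    return findings

def audit(users, today, max_idle=MAX_IDLE_DAYS):
    """Map account name -> findings, for every account with at least one finding."""
    result = {}
    for user in users:
        findings = audit_user(user, today, max_idle)
        if findings:
            result[user["name"]] = findings
    return result

def backup_admin_is_separate(users):
    """The post's rule: whoever manages the backup share must not be a domain admin."""
    return all(DOMAIN_ADMIN not in u["groups"] for u in users if BACKUP_GROUP in u["groups"])

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_USERS, SAMPLE_TODAY).items():
        print(name, "->", "; ".join(findings))
    print("backup admin separate:", backup_admin_is_separate(SAMPLE_USERS))
```

Note that a disabled account is not flagged as stale, since disabling is the remediation the post recommends; it is only flagged if it still holds privileged group membership, which would matter the moment someone re-enables it.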
Two-Factor Authentication (2FA)
Already rolled out across millions of small, medium and enterprise businesses and IT vendors, two-factor authentication is a brilliant and crucial cyber security foundation to protect your data and network from uninvited access and hack attempts. Very simple to set up and in many cases free, two-factor authentication will ensure that the only people able to access your critical services are those who have been given permission.
The majority of good and reliable cloud platforms for productivity and security also have 2FA implemented, for example Office 365. We will see 2FA in a much wider capacity over the coming years, especially within our homes as a result of IoT devices, but security experts predict that having two-factor authentication set up on all of your critical infrastructure, devices and cloud services will be one of the biggest and most vital technologies in the defence against cyber attacks and cyber fraud. And we totally agree.
Cyber security training
Training, and more specifically training all of your staff, is another tool in the shed to combat cyber attacks. You would be very surprised how many of your staff do click on those “HMRC”, “Royal Mail Delivery”, “Your Password Needs To Be Changed” or “Bank Transfer Approval” emails with a link, and before they or you know it your systems have been compromised, data has been lost or, worse, company finances have been defrauded.
Cyber criminals are finding new and complex ways to compromise networks, ransom sensitive data and steal financial assets. It’s more crucial than ever to understand how your business is exposed to cyber security threats, to get the right training for your first line of defence (your staff) so they are aware of and recognise these phishing attempts, and then to know how to deal with them. The rule of thumb is: if the email seems too good to be true, doesn’t feel right or is asking for sensitive information, do not click on any link or reply to the email; delete it immediately.
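The rule of thumb above is what staff are trained to apply by eye; the same signals can also be checked mechanically before a message reaches the inbox. The following is an added example, not code from the original post or from any mail filter: it scores two constructed messages (using reserved `.example` domains, so no real sender is named) on whether the reply-to domain differs from the sender, whether a link's visible text points at a different organisation from its real destination, whether a link is plain HTTP, and whether the wording pressures the reader or asks for sensitive details. The field names, the keyword lists and the two-signal threshold are assumptions made for the illustration.

```python
from urllib.parse import urlparse

# Phrases the post warns about: urgency, credential resets, payment approvals.
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "account suspended")
SENSITIVE_TERMS = ("password", "bank details", "card number", "transfer approval")

# Constructed messages using reserved .example domains; not real senders or campaigns.
SAMPLE_MESSAGES = [
    {   # Shaped like the "HMRC refund" lure the post describes.
        "from_addr": "no-reply@hmrc-refunds.example",
        "reply_to": "claims@refund-desk.example",
        "subject": "Your tax refund - action required immediately",
        "body": "Confirm your bank details to receive your refund.",
        "links": [("https://www.gov.uk/tax-refund", "http://hmrc-refunds.example/claim")],
    },
    {   # Ordinary internal notice: every detail is consistent.
        "from_addr": "payroll@acme.example",
        "reply_to": None,
        "subject": "March payslips available",
        "body": "Your payslip is now in the portal.",
        "links": [("https://portal.acme.example/payslips", "https://portal.acme.example/payslips")],
    },
]

def registered_domain(host):
    """Last two labels of a hostname. Crude (no public-suffix list) but fine for the samples."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def host_of(url):
    return urlparse(url).hostname or ""

def mail_domain(addr):
    return registered_domain(addr.rsplit("@", 1)[-1])

def assess(msg):
    """Return the list of reasons the message looks like phishing (empty if none)."""
    reasons = []
    if msg.get("reply_to") and mail_domain(msg["reply_to"]) != mail_domain(msg["from_addr"]):
        reasons.append("reply-to domain differs from sender domain")
    for text, href in msg["links"]:
        href_host = host_of(href)
        # Visible URL and real destination belong to different organisations.
        if text.startswith("http") and registered_domain(host_of(text)) != registered_domain(href_host):
            reasons.append(f"link text shows {host_of(text)} but goes to {href_host}")
        if urlparse(href).scheme == "http":
            reasons.append(f"unencrypted link to {href_host}")
    blob = f"{msg['subject']} {msg['body']}".lower()
    if any(term in blob for term in URGENCY_TERMS):
        reasons.append("pressure to act immediately")
    if any(term in blob for term in SENSITIVE_TERMS):
        reasons.append("asks for sensitive information")
    return reasons

def is_suspicious(msg, threshold=2):
    """Two or more independent signals is the (assumed) bar for flagging a message."""
    return len(assess(msg)) >= threshold

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["subject"], "->", assess(msg) or "no findings")
```

The point of returning the reasons rather than a bare verdict is that the same list can be shown to the recipient, which turns every flagged message into a small piece of the awareness training the section calls for.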
Cyber Essentials certification
With the GDPR in force and cyber attacks sharply on the rise, it’s crucial to implement a cyber security foundation for your business IT. Created and backed by HM Government, GCHQ and the ISF, Cyber Essentials is a baseline of technical controls for organisations to put in place to mitigate the risks of cyber threats. In fact, many of the above recommendations are in line with Cyber Essentials and GDPR.
Once certified, Cyber Essentials will help keep UK businesses in line with cyber security compliance requirements, ensuring they continually and annually meet internal and public GDPR guidelines and technical cyber assurance measures.
The Cyber Essentials scheme enables organisations to gain one of two levels of certification. Cyber Essentials (Level 1) requires an organisation to make all of the necessary technical cyber security and internal process changes first and then complete a self-assessment questionnaire. Once completed, the responses are reviewed by an external certification body. Cyber Essentials Plus (Level 2) requires Cyber Essentials to be completed first; the organisation’s systems are then tested externally by a certification body.