Cyber Security

It provides a solid security baseline – so why are businesses ignoring Cyber Essentials?

By Neville Armstrong, Service Strategist, Fordway

We’re all looking for the best ways to improve our cyber security to keep the hackers and bad guys out.

So, you’d expect that businesses would be falling over themselves to act on free advice from the UK’s National Cyber Security Centre (NCSC). After all, the NCSC is part of GCHQ, whose role is to keep the country secure against cyber attacks, so they should know what they’re talking about.

However, that is not the case. The NCSC has developed a straightforward security tool designed to help all businesses improve security, but although it has been available for almost five years, fewer than ten per cent of UK businesses have implemented it. We’re talking about Cyber Essentials, a Government-backed scheme to help organisations protect themselves against the most common cyber threats. It gives them a solid security baseline which will mitigate the majority of these threats and demonstrates to their customers that they take cyber security seriously.

The reasoning behind Cyber Essentials was that many organisations would not have the time or resources to develop a comprehensive security system themselves. It is designed in three stages: free basic security information and checklists; Cyber Essentials certification, which is self-certified; and Cyber Essentials Plus certification, where verification is carried out by an independent assessor, who tests that the security controls implemented actually work by simulating basic hacking and phishing attacks.

Having become certified ourselves to the advanced level, Cyber Essentials Plus, we believe that the scheme gives every organisation a solid security baseline which will mitigate the majority of cyber attacks and minimise the damage if something does go wrong, e.g. someone accidentally opens a malicious attachment.

It also covers mobile device protection and basic security policies, and will assist with GDPR compliance by demonstrating that the organisation has clearly defined security processes in place, so it can be used as a bridge to a more comprehensive standard such as ISO 27001.

Any business which works with the public sector should be aware that Cyber Essentials is increasingly an essential requirement for pitching for public sector contracts, so they should be implementing it as a matter of priority.

Five basic controls

Cyber Essentials recommends five basic security controls which every organisation should put in place. We’ve added our own tips to their advice, based on our experience.

  1. Ensure that firewalls are implemented, either for a device’s internet connection or for your organisation’s network as a whole.
  2. Configure equipment securely, including setting effective passwords and, where appropriate, using two-factor authentication. We recommend also educating users about good password practice, as surveys show that many people still use incredibly basic passwords such as 123456 and password. For two-factor authentication, we find that solutions that allow use of a hardware or software token and/or a mobile application with a one-time password are preferable, as those that call or send a text message to a mobile phone are easier for someone with malicious intent to circumvent.
  3. Control who has access to your organisation’s data and services. This includes limiting the number of people who have administrator access, something which we find is given out far too easily.
  4. Implement malware protection, such as antivirus software (e.g. Windows Defender, macOS XProtect), whitelisting and sandboxing. If a member of staff accidentally brings in a virus from their home computer, it can quickly be quarantined by local antivirus software.
  5. Keep devices and systems up to date with patching – something which we find many organisations let slip down their ‘to-do’ list. It can then quickly become too onerous to tackle! One option is to automate patching, using tools such as SCCM, which many organisations will have within their existing software licences. For those with limited time or expertise, patching can be provided via a third-party managed service and is even available through the cloud (patching as a service).

Educating users

Going through the certification process also reminds users of their own security responsibilities. No security policy will be successful unless employees adhere to it, so organisations need to develop a security-conscious culture in which everyone follows clearly defined policies and procedures. Education is key: users are much more likely to comply if they understand the risks rather than seeing security as a set of annoying rules which prevent them working as they wish. Security policies should be enforceable, realistic, acceptable to users and should not violate personal privacy laws. There should be no ambiguity and everyone should be clear on exactly what is and is not allowed, as well as the penalties for policy violations.

One effective policy which we recommend is to have Security Champions in every department. This ensures that security is embedded in day-to-day activities, while sharing knowledge and best practice and providing a channel for feedback to the IT team. Fordway’s Security Team also runs security awareness courses across the company to advise our users on how to recognise and manage the latest threats.

Be prepared for the worst

Even the best cyber security cannot be 100 per cent effective. Every organisation should have an appropriate level of security monitoring, so it knows if it has been breached and to what extent. As a minimum, this means monitoring and analysing internet traffic flowing out of the organisation to help identify any potential compromises on internal systems.

Finally, every organisation should adopt the mentality that one day it will be breached and, as a minimum, ensure it has a cyber security incident response procedure in place, a backup of all business-critical systems and a disaster recovery plan.

For further information visit