Reports on cyber-attacks and company breaches are at large at the moment but what are the minimum steps you can take to make sure your business is secure?
Reports on cyber-attacks and company breaches are at large at the moment but what are the minimum steps you can take to make sure your business is secure? Courtesy of the Government and GCHQ here are 9 steps which outline exactly what you can do…
1. Network Security
“Protect your networks against external and internal attack. Manage the network perimeter. Filter out unauthorised access and malicious content. Monitor and test security controls.”
Connecting to untrusted networks can expose your organisation to cyber-attacks. To reduce this risk traffic can be filtered to only allow the traffic needed to support your business through your network. Also, traffic should be monitored for unusual or malicious incoming and outgoing activity that could indicate an attack or attempted attack.
2. Malware protection
“Produce relevant policy and establish anti-malware defences that are applicable and relevant to all business areas. Scan for malware across the organisation.”
The government advises policies should be produced that directly address email, web browsing, removable media and personally owned devices.
To reiterate part of step 1, your business should protect itself from malware by monitoring all traffic for malicious activity. Anti-virus solutions can do this to some extent by actively scanning for malware but this should be used alongside a Next Generation Firewall – see our previous blog for more information about the reasons for this:
“Establish a monitoring strategy and produce supporting policies. Continuously monitor all ICT systems and networks. Analyse logs for unusual activity that could indicate an attack.”
Monitoring strategies can be established by taking into account any previous security incidents and attacks.
4. User education and awareness
“Produce user security policies covering acceptable and secure use of the organisation’s systems. Establish a staff training programme. Maintain user awareness of the cyber risks.”
Everyone in a business is responsible to protect it. Staff training and awareness should take place but this cannot be done wholeheartedly until you as a business realise the cyber-threats that are out there and take appropriate actions to secure your business. Don’t let one click on a malicious link be the result of all your hard work. More information about staff training can be found in our recent blog: https://equilibrium-security.co.uk/one-click-away-from-business-success-or-failure/
All users should receive regular training on the cyber risks they face as employees and individuals. Security related roles (such as system administrators, incident management team members and forensic investigators) will require specialist training and this should be undertaken on a regular basis.
5. Home and Mobile Working
“Develop a mobile working policy and train staff to adhere to it. Apply the secure baseline build to all devices. Protect data both in transit and at rest.”
BYOD (bring your own device) further leads to the susceptibility of cyber-attacks within the realms of your business. The rise of personal smartphones, iPads, tablets and laptops being equipped with the latest technology needed for business purposes have been welcomed at work. However, it is important to realise that just as you wouldn’t let a stranger into your home, you should be mindful of the gadgets your employees are bringing into work. Devices owned by employees create potential risks of the loss or leakage of confidential data and, as customer data is downloaded to these devices there is a danger that viruses could be uploaded.
Again, to mitigate these risks staff should be trained and encryption should be used. All types of mobile working should be assessed for risks including remote working where the device connects to the corporate network infrastructure.
6. Secure Configuration
“Apply security patches and ensure that the secure configuration of all ICT systems is maintained. Create a system inventory and define a baseline build for all ICT devices.”
7. Removable Media Controls
“Produce a policy to control all access to removable media. Limit media types and use. Scan all media for malware before importing on to the corporate system.
Where the use of removable media is unavoidable the types of media that can be used together with the users, systems and types of information that can be transferred should be limited. Additionally, all media should be scanned for malware before any data is imported into your business’s system.
8. Managing User Privileges
“Establish account management processes and limit the number of privileged accounts. Limit user privileges and monitor user activity. Control access to activity and audit logs.”
All users of your ICT systems should only be provided with the user privileges that they need to do their job. Control the number of privileged accounts for roles such as system or database administrators, and ensure this type of account is not used for high risk or day-to-day user activities. Monitor user activity, particularly all access to sensitive information and privileged account actions (such as creating new user accounts, changes to user passwords and deletion of accounts and audit logs).
9. Incident Management
“Establish an incident response and disaster recover capability. Produce and test incident management plans. Provide specialist training to the incident management team. Report criminal incidents to law enforcement.”
Establish an incident response and disaster recovery capability that addresses the full range of incidents that can occur. All incident management plans (including disaster recovery and business continuity) should be regularly tested. Report online crimes to the relevant law enforcement agency to help the UK build a clear view of the national threat and deliver an appropriate response.
Here at Equilibrium Security we are dedicated to providing businesses with security best matched to their needs. To discuss any of these steps further or if you need more advice then don’t be shy to contact us.