How do I reduce the risk of cyberattacks against my business?
In the article below, our Founding Partner, Irwin Mitchell, answers the question: how do I reduce the risk of cyberattacks?
All businesses should have a cybersecurity strategy and someone to own it. This should focus on identifying your current cybersecurity status and gaps, what you want to achieve and by when.
You can’t do everything, and you’ll have a limited budget, but a great way to start is to pick an industry cybersecurity standard. Many good cybersecurity frameworks can be found on the internet, and many are free (including Cyber Essentials). A pragmatic one for SMEs is the NCSC’s 10 Steps to Cybersecurity.
For many SMEs, the key take-home message is simple: ask a professional for some help.
How do I reduce the risk of cyberattacks?
1. Cloud Services are the primary target for criminals
The risk is that online services can be hacked into from anywhere in the world with just a username and a password.
As more ‘cloud’ services are used, particularly Office 365, these have become the primary target for criminals because they are easy to exploit with just a (stolen or guessed) username and password.
Use two-factor authentication for all remote access, including email and other key online services such as Office 365.
Educate colleagues on the use of strong passwords and not reusing passwords.
Sign up to haveibeenpwned.com for free to be notified automatically if any of your accounts appear in a data breach. If your email account has been involved in a third-party breach, change the password on all online services that used the same email and password combination as the breached account.
2. Ransomware
Ransomware is malicious software that locks up your files and demands payment to release them. Typically, ransomware is delivered to victims via phishing emails or compromised websites.
Remove ‘local admin rights’ from normal user accounts (this mitigates 85% of the malware risk).
Use antivirus on all your computers and ensure it is updated automatically.
Ensure your laptops and desktops are automatically updated with security patches.
Block malicious emails using a Secure Email Gateway (email filtering).
Disable ‘macros’ in Microsoft Office products, especially in Outlook email.
Maintain regular backups of critical data and systems.
3. Phishing is the most common type of cyber-attack
Phishing is the digital equivalent of a confidence trick: it is used to plant malware, steal your online service passwords or other confidential information, or trick you into financial fraud.
According to the FBI, phishing remains the most common type of cyber-attack, resulting in the largest financial losses (for example, fake CEO bank transfer emails).
Conduct all-colleague security awareness training at least annually, focusing on phishing awareness.
Conduct regular phishing testing to keep up a good level of awareness.
Clearly mark an email as from an external sender (“THIS IS NOT FROM US”).
Put financial controls in place to ensure checks are made for large payments by bank transfer.
Test your staff with a Simulated Phishing Exercise.
4. Vulnerability scanning
Vulnerability scanning is a common reconnaissance method used by criminals to find weaknesses in your internet-facing systems (for example, your remote access solutions).
It can also be used defensively, as your own threat intelligence, to proactively find weaknesses and fix them before an attacker does.
Activate the intrusion prevention system (IPS) feature on your network boundary firewalls.
Use a ‘vulnerability scanning’ service to scan your public internet-facing network regularly to proactively find weaknesses for fixing (or join the NCSC’s Cyber Security Information Sharing Partnership (CiSP) and have your network monitored for free).
Talk to the Cyber Resilience Centre about their Network Vulnerability Assessment.
Put a system patching process in place to ensure that software and systems are kept up to date.
5. Is your supply chain at risk?
Supply chain risk arises when a third party your business uses fails to secure your sensitive data adequately, or when a software provider you use is insecure or is compromised and used to spread malware to your business.
Educate colleagues that they must follow approval processes to use new suppliers and new technologies to ensure they are secure and compliant in the supply chain.
6. Home physical security
IT assets, paper documents, and voice/video calls at home may not have the same physical security and privacy levels as in the office.
Educate your colleagues on how to work safely and securely at home with guidance on:
Locking away or securing physical assets when not in use.
Shredding business documents or securing them until they can be securely disposed of back in the office.
Being conscious of sensitive conversations being overheard.
Being conscious of what’s in the background on video calls.
Heightened awareness of phishing and other scams.
Only using authorised IT devices, online services and apps for business purposes.
Only downloading mobile apps from the official app stores.
Additional guidance on how organisations can protect themselves in cyberspace can be found through the NCSC.
The EU/UK trade deal, how does this affect digital trade and data?
The Government has also recently announced that the Treaty agreed with the EU will allow personal data to flow freely from the EU (and EEA) to the UK until adequacy decisions have been adopted, for no more than six months. If this is likely to affect your business.