Cyber attacks are becoming more and more commonplace in the world of SMEs.
Attackers are often aware of the fact that they are likely to have a lower level of security than large enterprises, whilst holding almost identical data. In the evolving world of cyber-security, the bare minimum is no longer enough.
Nutbourne – a managed services provider – has been certified under the Cyber Essentials initiative. This is a government-backed scheme that encourages SMEs to take on the same security practices found at enterprise level.
Patrick Burgess, technical director at Nutbourne, has offered his professional insight on the various ways you can tighten your network security and ensure the safety of all your company’s data. No matter the size of your business, skimping on your network’s security is a mistake you can’t afford to make.
Whilst you may be well-versed in the intricacies of your security system, your staff may not be. A lack of understanding in the ways your company protects its data can swiftly create problems.
Educating your staff is one of the simplest and most effective ways to prevent security breaches. Making them aware of how breaches occur, how phishing attacks take place and how ransomware manifests are all very effective measures in ensuring your network is secure.
It is important and considerably easy to give your staff clear guidelines, make sure they understand the company policy and make them aware of what the best practices look like. This is critical for employers who offer flexible working, or companies whose executives work remotely.
With the current climate in mind, it is worth reminding your teams of their responsibilities. We are already seeing a huge rise in the number of phishing attempts, and similar attacks, with a large percentage of the UK’s workforce working from home. Making staff aware of these dangers, and encouraging them to be vigilant will help to reduce the risk of security breaches.
Understanding your systems
It is impossible to ensure the security of your data if you don’t have a full understanding of what systems you have and where your data is stored. If you don’t know where the data is or what people are using to access it, you have lost before you even start.
Within SMEs, employees are often allowed to install program’s to remove the burden of IT support staff – a role that is not usually full-time – but here an issue arises. If people are given the ability to install whatever they like, then they will. Alongside this, it is common for employees to take advantage of Cloud systems, such as Dropbox and OneDrive, whilst under the impression they are being efficient by utilising these systems. On the contrary, they may be compromising the business’ data without realising it by storing it in unknown locations.
There are lots of systems which can help you run a scan on your network to understand what people are using. From this information you can start to work out what policies and systems you need to put in place to protect your data.
Having a clear guiding policy set in place will protect against chaos and provide you with a framework that governs your IT security strategy. It will also indicate the behaviours you expect from employees and the practices that you expect them to follow.
It’s important to remember that cyber security is all about protecting your information. With this in mind, focus first on your information, rather than the technology you’ll use to protect it. This will give you a solid base to start from.
You need a framework that keeps your information confidential, protects its integrity and manages its availability. This model, known as the CIA triad, is robust and lends itself to iterative and constant improvement. In practice, you should encrypt your information to make it secure, grant access only to those that need it, and maintain its integrity by checking that it hasn’t been corrupted in any way.
Audit and test
It is important to make sure that once a process is put in place, it is continually reviewed. You should meet quarterly to look at your systems and your known risks register, as well as the information hold. Check that it is all up to date, accurate and secure. Is everything that’s still on their correct? Are the risks still being mitigated?
This is as much about creating a process through which you can educate your staff as it is about assessing how robust your IT security is. The more you educate your staff, the better. Employees are likely to think twice about starting new, unsecure spreadsheets and creating unnecessary information points if they understand how this can create a breach risk.
Keep it simple
All that’s required within the realms of IT security is a consistent approach fuelled by common sense: clear and simple frameworks, guiding policies and regular evaluation. In applying this approach, and making sure to update your software regularly, you will find that 99.9% of all risks will be mitigated.
A complete overhaul of your IT security is rarely required. Focus instead on a tune up. A 1% improvement each week is better than aiming for a 50% improvement over night because you’ve had a security breach.
By committing to the basic principles – ‘secure, enforce, monitor and improve’ – you will foster systems, processes and procedures that readily identify, mitigate risk, and move your IT security away from the ‘break-fix’ model.