What We Do Who We Are Solutions   Commercial Solutions   Technical Solutions   Technology Support Blogs

BLOGS 28 March 2016 - Cyber Security for SMEs - You should be doing more The government is urging companies of all sizes to increase their resilience to cyber-attack in order to safeguard their businesses and demonstrate their security credentials to customers and partners. Pick up any newspaper and you will find yet another big company has suffered financial loss or a damaged reputation through cyber attack. December 2014: Sony/ November 2015: Talk Talk/ January 2016: Linconshire County Council. But there is a plethora of advice out there to help you. Reasons for SMEs to do nothing: "We have anti-virus" "We are too small" "It is too hard" "It is too expensive" "We do not know where to start" "We wil cross that bridge later" A sensible discussion! One approach is to try to scare you to death Or try to drown you in techno babble Or push "silver bullet" products Need to avoid these routes and keep it practical and grounded THREATS Cybercrime, e-crime, computer crime - it's all crime Cybercrime: computer as tool or computer as target Same old crimes are committed in new ways: destruction, sabotage, theft, fraud and extortion Jargon terms: botnet/ddos, malware/exploits, spear phishing Meaningful terms: sledgehammer, lock pick, con trick Cyber threat actors: nation state, state proxy, organised criminal, hacker, hacktivist, competitor, journalist, researcher, partner, employee Internet malware: exploit kits - breaking and entering Internet malpeople: phishing or spear phishing - deception Why should SMEs get cyber secure: (a) Theft, compromise or destruction of critical assets (b) Useful target practice for criminals (c) Stepping stone to bigger targets (d) Free processing power ("botnet") (e) Supply chain contracts: PCI-DSS, ISO27001, Data Protection Act, Freedom of Information Act, Official Secrets Act, etc. "My key issue? Individuals and SMEs who have no mature risk management capability let alone cyber security" - Jamie Saunders, Director of National Cybercrime Unit, 30 October 2014 Simple risk management: assets, threats and vulnerabilities, e.g. Threat = hackers, Vulnerability = weak passwords, Asset = customer data, credit card data, intellectual property RESPONSE Cyber Essentials/Cyber Essentials Plus Basic cyber security hygiene Reduce vulnerability to basic cyber attack Demonstrate security credentials to customers, investors, insurers, regulators 1. Boundary firewalls and Internet gateways Aim: protect information, applications and computers against unauthorised access and leakage Install firewalls and gateways Configure and maintain rules Change default passwords to strong No remote administrator access 2. Secure configuration Aim: configure computers and network devices to reduce inherent vulnerabilities and provide minimum required service Remove unnecessary user accounts Change default passwords to strong Remove unnecessary software Disable "auto run" feature Set up personal firewalls on PCs 3. Access control Aim: ensure only authorised people have special access privileges and others have minimum required access Formalise account creation Strong user passwords Restrict special access privileges No admin access to email or Internet Regular admin password change Remove old and dormant accounts 4. Malware protection Aim: ensure malware protection software is installed and kept up-to-date Install malware protection software on all devices Keep malware protection software up-to-date Configure to scan files and websites when accessed Configure to scan all files daily Configure to avoid blacklisted websites 5. Patch management Aim: ensure all software is kept up-to-date and has the latest security patches installed Use fully licensed and supported software Apply software updates and security patches when they become available Remove out-of-date (unsupported) software Also Think passphrase rather than password - keep them LONG Consider getting a password manager (e.g. LastPass) enhanced with two-factor authentication (e.g. Yubikey) Treat wifi/wireless as inherently insecure "The Cloud" = someone else's (fallible) computer Encrypt sensitive information - especially on "the Cloud" Employ segregation to divide up data, process, machines, etc Backup data regularly - and backup your backup - and not just on "the Cloud" Have an incident response/business continuity/crisis management plan ready and regularly tested/updated Be super-cautious publishing anything on Facebook, Twitter, LinkedIn, etc - even seemingly innocuous information Internet-enabled devices (kettles, toys, etc) are inherently insecure and can leak confidential data or act as insecure backdoors MORE Steps along the cyber security journey Do nothing Cyber Essentials: Self-certification independently verified Cyber Essential plus: External testing and certification 10 Steps to Cyber Security ISO27001 information security standard Even more secure CHECK and CREST information security accreditation standards Vulnerability scanning: technology assessments Penetration testing: "ethical hacking" service CBEST and STAR: intelligence-led penetration testing Useful links Small businesses: what you need to know about cyber security: https://www.gov.uk/government/publications/cyber-security-what-small-businesses-need-to-know Cyber Street: https://www.cyberstreetwise.com 10 Steps to Cyber Security: https://www.gov.uk/government/publications/10-steps-to-cyber-security-advice-sheets Factsheet on cyber insurance: http://nsureinsurance.co.uk/factsheets/cyber-insurance Free online training course (general public) "Introduction to cyber security" - a good overview for everyone https://www.futurelearn.com/courses/introduction-to-cyber-security Free online training course (SMEs) "Responsible for information" - a good overview for SME employees http://www.nationalarchives.gov.uk/sme/ ActionFraud Unified reporting facility: http://www.actionfraud.police.uk So, stay safe and at the very least just do these FOUR things: Unique long passwords for each application Two-factor authentication wherever possible Regular software patching for each application Don't open emails, attachements etc, if you don't know who they are from BLOG ARCHIVE    Blog: Improve The Digital Employee Experience In Hybrid Working    Blog: How Managers And Small Business Owners Can Make Hybrid Work A Success    Blog: Hybrid Working - Tips for Employers    Blog: Managing Remote Workers Today    Blog: Employee Benifits of Working Remotely Or Flexibly    Blog: Managing Remote Workers Today    Blog: Bring Hybrid Working To The Workplace Without Hassle And Create A Productive Business    Blog: Create a Security Culture Within Your Small Business - Septembert 2021    Blog: Improve Cost-Efficiency And Productivity With A Tailored CRM Using Microsoft 365 - August 2021    Blog: Use Technology To Promote Well Being At Work - June 2021    Blog: Choose Ai In The Workplace For A Meteoric Boost In Company Productivity - May 2021    Blog: Cloud Computing - Make it easy to work from anywhere - April 2021    Blog: Should Micro Businesses Worry About Cyber Security - March 2021    Blog: Flexible Working - The Future of Work - January 2021    Blog: Parental Controls - December 2020    Blog: Video Conferencing Etiquette - November 2020    Blog: Flexible Working - October 2020    Blog: Dont Be Alone - May 2020    Blog: Is your IT behaving itself? - May 2019    Blog: Lets do it - The Integrated Business - May 2018    Blog: Technology-What can we do to help ourselves - December 2017    Blog: Let's Simplify Technology - November 2017    Blog: Marketing and the SME - March 2017    Blog: Stay Safe - January 2017    Blog: The Year - December 2016    Blog: Marketing - September 2016    Blog: Digital Marketing - August 2016    Blog: Integrated Technology - June 2016    Blog: Cyber Security - March 2016    Blog: Introduction - March 2016

© Copyright 2018-25, Absolute Solutions	All rights reserved