This can be quite simple, though it does depend on the size of your business and the complexity of your network. Below are some ideas and methodologies to help protect your business; this is not a complete or exhaustive list, rather some ideas to aid your information security. If you have any questions, please feel free to reach out and we will be more than happy to assist.
Protecting your business
There are two main factors in protecting your business.
- Technical controls
- People and policy
The technical controls are the barriers in place so that hackers can’t gain access to your network and information. Cyber Essentials lays out the technical controls framework set by the National Cyber Security Centre (NCSC). These cover the 5 main topics listed below, each of which is described in turn.
- Firewalls
- Secure configuration
- User access control
- Malware protection
- Patch management
It is required that you have a boundary firewall. Most ISP routers are also firewalls, and this is fine for the job so long as the router is supported by the vendor with updates. Having a software firewall on all of your endpoints is also a very good idea as another layer of protection. All default passwords must be changed: even though they may look complex (a string of numbers and letters), they were generated using an algorithm, and anyone who found out that algorithm would know the default passwords for every unit of that hardware.
Making your network configuration secure requires several elements. Only have the necessary accounts on the devices. Remove or disable any unused software. Change any default passwords, and also change any passwords that are believed to be compromised. Make sure all passwords are complex in construction. Disable the “auto-run” and “auto-play” functions on all devices. If you have home workers who need to access data on your network, use a Virtual Private Network (VPN) to achieve this.
This may seem trivial, but it is very important: in the event that a hacker gains access to your system, the less access they have the better. Only supply users with user accounts (not admin accounts), and admin users should have a user account for everyday activities (such as email and internet access) and a separate admin account for admin activities such as changing settings. Don’t have generic accounts and don’t share passwords. You must delete or disable the accounts of employees who have left the company as soon as possible. Users should only have the privileges they require to do their job. There should be a formal process for issuing admin accounts, and these accounts should be tracked and reviewed regularly. Where possible, two-factor or multi-factor authentication should be enabled.
Malware protection should be installed on all devices; it should perform regular scans and be updated regularly. It is also advised to limit the installation of software and applications to an approved list. It is good practice to “sandbox” applications: first test them on a system that is segregated from the rest of your network, and test them thoroughly before adding them to the approved list.
All software, applications and firmware must be supported by the supplier; if they are not, it is time to upgrade or simply remove them. This is particularly important for operating systems. All software must have the correct licence. Updates should be applied automatically where possible, and all security patches should be installed as soon as possible (within 14 days is recommended).
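As an added example (not code from the original page), the following Python script audits a constructed device inventory against the five controls above, flagging the items the text names: a disabled firewall, an unchanged default password, auto-run left on, generic accounts, unsupported software, and security patches outstanding beyond the 14-day window. The host names, the inventory fields and the 7-day malware-definition threshold are assumptions made for the example.

```python
from datetime import date, timedelta

# 14 days for security patches is the figure given in the text; the 7-day
# window for malware-definition updates is an assumption made for this example.
PATCH_WINDOW = timedelta(days=14)
AV_UPDATE_WINDOW = timedelta(days=7)
REPORT_DATE = date(2024, 6, 3)  # fixed "today" so the results are reproducible

# Constructed sample inventory: hypothetical hosts, not real devices.
INVENTORY = [
    {"host": "office-pc-01", "firewall_on": True, "default_password": False,
     "autorun_disabled": True, "av_installed": True, "av_last_update": date(2024, 6, 1),
     "os_supported": True, "oldest_missing_patch": None, "generic_accounts": []},
    {"host": "reception-pc", "firewall_on": False, "default_password": True,
     "autorun_disabled": False, "av_installed": True, "av_last_update": date(2024, 5, 1),
     "os_supported": False, "oldest_missing_patch": date(2024, 5, 10),
     "generic_accounts": ["reception"]},
]


def check_device(dev, today):
    """Return (control, finding) pairs for one device; an empty list means compliant."""
    findings = []
    if not dev["firewall_on"]:
        findings.append(("firewall", "software firewall disabled"))
    if dev["default_password"]:
        findings.append(("secure configuration", "default password still in use"))
    if not dev["autorun_disabled"]:
        findings.append(("secure configuration", "auto-run/auto-play enabled"))
    for acct in dev["generic_accounts"]:
        findings.append(("access control", f"generic/shared account '{acct}'"))
    if not dev["av_installed"]:
        findings.append(("malware protection", "no malware protection installed"))
    elif today - dev["av_last_update"] > AV_UPDATE_WINDOW:
        findings.append(("malware protection", "malware definitions out of date"))
    if not dev["os_supported"]:
        findings.append(("patch management", "operating system no longer supported"))
    released = dev["oldest_missing_patch"]
    # Only flag a missing patch once it has been available longer than the window.
    if released is not None and today - released > PATCH_WINDOW:
        days = (today - released).days
        findings.append(("patch management", f"security patch outstanding {days} days"))
    return findings


def audit(inventory, today=REPORT_DATE):
    """Map each host name to its list of findings."""
    return {dev["host"]: check_device(dev, today) for dev in inventory}
```

Calling `audit(INVENTORY)` returns an empty list for the compliant host and seven findings for the non-compliant one; in practice the inventory would be populated from your asset register rather than hard-coded.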
People and policy
Here we must talk about the people within your company, how they are trained, and the policies that govern how they go about doing their jobs. IASME Governance provides a framework and a standard to conform to with respect to people and policy. It is important that the policies are readily available to all employees at all times so they can refer to them when they need to. This can be achieved through a SharePoint site, a noticeboard, shared folders or any other method that gives easy access to employees only. Employees should also be given a briefing on how to access this information when they start their employment, and refreshers are always welcome.
Staff training on the policies, policy updates and the security training required by the company should be attended regularly by all employees. All of this should be documented and reviewed.
Several policies and documents should be held to protect the company and its critical information. All policies should be reviewed, and amended where applicable, at regular board meetings.
- Security policy
- Information register
- Asset register
- Risk assessment
- Risk assessment action plan
- Subject access policy
- Data privacy statement
- Backup/restore policy
- Incident response plan
- Business continuity plan
The information security policy is the single most important document. It must reflect your organisation’s view on information security and should:
- Provide clarity on the information security direction for your organisation
- Include information security objectives (SMART objectives)
- Include information on how you should meet your business, contractual, legal or regulatory requirements
- Contain a commitment of continual improvement
An information asset register is a record of the data that is processed by your organisation. In accordance with the General Data Protection Regulation, an information asset register allows you to record accurately:
- What data you process
- How long you keep it
- The legal basis for processing the information
- Who you share the information with
- Where the information is located
An asset register is a comprehensive list of all of your business’s physical assets, recording:
- What is the asset
- The location of each asset
- Procurement details including purchase date and price
- Estimated life expectancy
- Depreciation value
- Insurance and compliance details
- Maintenance history including repairs and downtime
A risk assessment is used to identify any risk to a company’s assets or operational ability, and to estimate and prioritise those risks. The risks arise from the operation and use of information systems, i.e. a computer network. The steps are:
- Identify the hazards
- Decide who might be harmed, and how
- Evaluate the risks and decide on precautions
- Record your findings and implement them
- Review your risk assessment and update if necessary
Risk assessment action plan
A risk assessment action plan should be used to record the actions that need to be taken to reduce and manage the hazards identified by the risk assessments previously carried out. It should include:
- General information and holder/assessor responsibility
- Reference numbers in respect of risk assessment forms
- Descriptions of actions to be taken
- Priority identification
- Responsibility for the actions
- Target dates
- Completion dates
- Verification of completion
- Review timetable
Subject access policy
The right of access, also referred to as subject access, gives individuals the right to obtain a copy of their personal data, as well as other information you may have gathered about them. This helps individuals to understand how and why you are using their data, and to check that you are doing so lawfully.
Data privacy statement
A data privacy statement explains what personal data you collect from visitors through your website and how you collect it. Personal data means any data that can relate to a person personally, such as their name, address, e-mail account(s) and user behaviour. The statement should cover:
- Use of Information (this should explain to your users how and why you use the information that you collect from them)
- Third Party Disclosure
- Information Protection
- Notification of Changes
- Contact Information
A backup policy sets out the importance of information and system backups. It defines the rules for planning, executing and validating backups and includes activities to ensure that critical information is backed up to secure storage media located in a secure off-site location.
- Back up all mission-critical data during the organisation’s off-peak hours; this helps to avoid performance delays during office hours
- Store all backups off-site, not at your business’s primary location, for example in the cloud
- Make sure all backups are encrypted to safeguard the data from falling into the wrong hands
- Only allow a small number of trusted employees access to backups, as a measure to avoid unwanted intrusions
- Ensure your vendor (if you require one) offers 24×7 support; this is often essential in case an incident occurs outside of business hours
- Work with a reputable cloud vendor that has been properly vetted to confirm the security and accessibility of business data
Incident response plan
A cyber incident response plan is a document that tells IT and cybersecurity professionals what to do in the event of a security incident such as a data breach or a leak of sensitive information. An effective cyber incident response plan has 6 phases.
- Lessons learned
Business continuity plan
Business continuity may be defined as the capability of an organisation to continue the delivery of products or services at pre-defined acceptable levels following a disruptive incident, e.g. a cyber attack. A business continuity plan should include:
- A clearly defined team
- A detailed plan
- Effective testing
- Crisis communications
- Employee safety
- Uninterrupted access to business resources
- Continuous IT operations
UK Cyber Security Ltd is here to help
Please check out our Cyber Essentials Checklist
Please check out our Free Cyber Insurance
If you would like to know more, do get in touch, as we are happy to answer any questions. Looking to improve your cybersecurity but not sure where to start? Begin by getting certified in Cyber Essentials, the UK government’s scheme that covers the technical controls that provide the protection you need to help guard against criminal attacks. Or just get in touch via our contact page.