For European Cybersecurity Month, we have been posting daily tips on our LinkedIn and Twitter feeds. This post rounds up the advice from our October blogs into one post for ease of reference. We hope you find the advice useful.
Our first week of tips focused mainly on good cyber hygiene: the everyday habits that help to minimise risk, and what to do if a security incident happens. Our first tip warned against the risk of business email compromise, also known as CEO fraud. Many businesses have been tricked into making payments to criminals who pretend to be legitimate suppliers. We recommend guarding against these scams through staff awareness training and payment processes.
Good cyber hygiene
Secondly, we looked at another aspect of good cyber hygiene. Many organisations are unaware of what hardware and software they own, which makes it difficult to know what to protect. We advise keeping a record of all hardware so that you know what your IT estate looks like; this list is sometimes called an asset register. We also recommend keeping a record of all software to ensure it is properly patched. Patching software protects it against known security vulnerabilities and other bugs.
Next, we turned our attention to protecting your network, which reduces the risk of malicious activity. Our tip explained the importance of managing data inside and outside the network and scanning all incoming emails. The UK National Cyber Security Centre publishes high-quality free information about cybersecurity, and we included a link to its guides for small businesses.
In addition to the above points, running regular, secure backups is one of the most effective ways of protecting important data, and it also helps you recover from incidents like ransomware. Ransomware is malicious software that encrypts victims' data so they can no longer access it, then demands payment to unblock it. Businesses should also test their ability to restore from the backups they make.
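The last sentence above is the step that is most often skipped, so here is an added example (not code from the original post) of what "test your ability to restore" can look like in practice: back up a directory, record a SHA-256 manifest at backup time, restore the archive into a scratch directory and compare every restored file against the manifest. The sample files, paths and the scenario where a file changes after the backup are all constructed for illustration.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large backups don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)).replace("\\", "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src_dir, archive_path):
    """Archive src_dir as a tar.gz and return the manifest recorded at backup time."""
    manifest = build_manifest(src_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(str(src_dir), arcname="data")
    return manifest


def verify_restore(archive_path, expected_manifest):
    """Restore the archive into a scratch directory and compare every file with
    the expected manifest. 'ok' is True only when the restored tree is complete
    and byte-identical to what the manifest describes."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            # Use the safer 'data' extraction filter where this Python provides it.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **kwargs)
        restored = build_manifest(Path(scratch) / "data")
    report = {
        "missing": sorted(set(expected_manifest) - set(restored)),
        "extra": sorted(set(restored) - set(expected_manifest)),
        "mismatched": sorted(p for p in expected_manifest
                             if p in restored and restored[p] != expected_manifest[p]),
    }
    report["ok"] = not (report["missing"] or report["extra"] or report["mismatched"])
    return report


def demo():
    """Constructed scenario: back up two files and verify the restore, then change
    a source file after the backup and show that the stale backup is caught."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "src"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "invoice.txt").write_text("invoice 1001\n")
        (src / "config.ini").write_text("[app]\nmode=prod\n")
        archive = Path(work) / "backup.tar.gz"

        manifest = create_backup(src, archive)
        fresh = verify_restore(archive, manifest)

        # Data changes after the backup was taken: restoring this archive would
        # silently lose the change, which the check against current state reveals.
        (src / "docs" / "invoice.txt").write_text("invoice 1001 (amended)\n")
        stale = verify_restore(archive, build_manifest(src))
    return fresh, stale


if __name__ == "__main__":
    fresh, stale = demo()
    print("restore of fresh backup ok:", fresh["ok"])
    print("stale backup report:", stale)
```

The manifest is the part worth keeping alongside the archive: a restore that completes without errors proves only that the archive unpacks, while the hash comparison proves the restored data is the data you meant to keep. Running the check on a schedule (and against current data, as the second half of the demo does) is what turns "we have backups" into "we can recover".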
Incident response planning
We rounded off the first week of tips by asking a question: what would your business do if it suffered a security incident or breach? A solid incident response plan is essential. The whole business should be involved in the plan, and it should be tested regularly; this helps to minimise business disruption and resume operations faster. In a follow-up post, we linked to a guide from ENISA (Europe's network and information security agency) on good practice incident management.
For our sixth tip, we looked at encryption, which helps to keep information away from prying eyes. By enabling HTTPS on their websites and installing an SSL/TLS certificate on their servers, businesses can ensure that all data transferred between browser and server is encrypted. We linked to free certificates from Let's Encrypt.
Up next, we looked at the role of people in protecting a business. By creating a culture of cybersecurity within the workplace, companies can better protect themselves. This includes educating staff on good behaviour, like picking passwords carefully and spotting potential phishing emails.
Best practice security often relies on frameworks that help businesses and organisations do the right thing. Our eighth tip referred to industry guidelines such as ISO 27001, HIPAA and PCI DSS.
Resilience’s role in good cybersecurity
Good security is about resilience. We linked to the useful 12-step guidance from Ireland’s National Cyber Security Centre which includes tips on developing a response plan.
We advise installing reputable anti-malware software on all computers that a business uses, including servers, PCs, laptops and tablets. Similarly, if employees use home computers for business or to remotely access the company network, we recommend that these devices also run security software.
We also suggest having a trustworthy company conduct regular penetration tests (sometimes abbreviated to 'pen' tests) on a business's infrastructure and systems to uncover potential vulnerabilities. The results of those pen tests highlight gaps or weak points that the business should fix.
Privacy on the move
For our next tips, we looked at security from a privacy perspective when on the move. Some smartphone apps constantly run in the background or use default permissions that gather personal information. We suggested that people review their apps to check whether they are comfortable with the level of data sharing the apps claim to need.
We also warned that using public WiFi networks from a work device could put passwords or other sensitive data at risk. We therefore advise using a virtual private network (VPN) and avoiding payment sites on open networks. Europol has more detail about the risks of connecting to public WiFi.
Mid-month, we posted a reminder to carry out regular backups to protect important data. We also covered the importance of storing these backups off site as an extra precaution.
Next came a tip for technical professionals: monitor for suspicious network activity using systems that detect unusual behaviour and send alerts. The UK NCSC has tips on setting up a basic logging system. We followed up with a post warning about the threat of malicious downloads. Businesses should scan all files downloaded from the Internet for viruses before opening them, ideally at one central point on the network so that every file is checked properly.
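To make the monitoring tip concrete, here is an added example (not from the original post or the NCSC guidance) of the kind of rule a basic logging system can apply once logs are being collected: it parses constructed SSH authentication log lines and raises an alert when one source address produces a burst of failed logins inside a short window, and a second, higher-priority alert if that same source then logs in successfully. The log format, the threshold of five failures and the five-minute window are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed syslog-style format (constructed for this example); real systems vary.
LOG_PATTERN = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)"
)

# Constructed sample log: a burst of failures from 203.0.113.9 that ends in a
# successful login, plus ordinary activity (one typo, then success) from 10.0.0.5.
SAMPLE_LOG = """\
2023-10-02 09:00:01 srv1 sshd[2311]: Accepted password for alice from 10.0.0.5 port 51234 ssh2
2023-10-02 09:00:05 srv1 sshd[2312]: Failed password for root from 203.0.113.9 port 40001 ssh2
2023-10-02 09:00:07 srv1 sshd[2313]: Failed password for admin from 203.0.113.9 port 40002 ssh2
2023-10-02 09:00:09 srv1 sshd[2314]: Failed password for alice from 203.0.113.9 port 40003 ssh2
2023-10-02 09:00:12 srv1 sshd[2315]: Failed password for bob from 203.0.113.9 port 40004 ssh2
2023-10-02 09:00:14 srv1 sshd[2316]: Failed password for bob from 203.0.113.9 port 40005 ssh2
2023-10-02 09:00:20 srv1 sshd[2317]: Accepted password for bob from 203.0.113.9 port 40006 ssh2
2023-10-02 09:30:00 srv1 sshd[2400]: Failed password for alice from 10.0.0.5 port 51300 ssh2
2023-10-02 09:30:10 srv1 sshd[2401]: Accepted password for alice from 10.0.0.5 port 51301 ssh2
"""


def parse_log(text):
    """Turn matching lines into event dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_PATTERN.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "result": m["result"],
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_suspicious_logins(events, threshold=5, window=timedelta(minutes=5)):
    """Return alerts for (a) at least `threshold` failed logins from one IP within
    `window`, and (b) a successful login from an IP already flagged for a burst
    while its failures are still inside the window."""
    events = sorted(events, key=lambda e: e["ts"])
    failures = defaultdict(list)   # ip -> timestamps of recent failed logins
    flagged = set()                # ips already alerted on (one burst alert each)
    alerts = []
    for e in events:
        # Drop failures that have aged out of the sliding window for this ip.
        recent = [t for t in failures[e["ip"]] if e["ts"] - t <= window]
        failures[e["ip"]] = recent
        if e["result"] == "Failed":
            recent.append(e["ts"])
            if len(recent) >= threshold and e["ip"] not in flagged:
                flagged.add(e["ip"])
                alerts.append({"kind": "failed_login_burst", "ip": e["ip"],
                               "count": len(recent), "last_seen": e["ts"]})
        elif recent and e["ip"] in flagged:
            # A success right after a burst is the event most worth a human's attention.
            alerts.append({"kind": "success_after_burst", "ip": e["ip"],
                           "user": e["user"], "at": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_logins(parse_log(SAMPLE_LOG)):
        print(alert)
```

Two design points carry over to real tooling: the window is sliding rather than fixed, so a slow attack spread across clock boundaries is still counted, and the normal user who mistypes once (10.0.0.5 above) never reaches the threshold, which keeps the alert volume low enough that someone actually reads it. In production the same logic would run against centrally collected logs and hand its alerts to whatever system is on call.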
As previously mentioned, good security relies on policies that clearly set out what employees can and can't do, so our tips covered the need for a Bring Your Own Device (BYOD) policy in organisations that allow staff to work on their personal phones. Such a policy helps to educate employees on using their devices appropriately, which minimises security risks instead of leaving the organisation vulnerable.
As European Cybersecurity Month draws to a close, we recapped some of the main tips and advice. We covered the need for an incident response plan. To minimise disruption, we advised knowing any reporting obligations, rehearsing the plan, and involving all necessary staff members.
Echoing our advice on cyber hygiene, our 21st tip recommended classifying all of the data your organisation holds. This step helps in applying the most appropriate security measures to protect it.
Likewise, we looked at how to keep data safe by choosing a different, complex password for every online service you use. A password manager makes this practical, and we also recommend using two-factor authentication.
We brought European Cybersecurity Month to a close with a look to the near future. Internet of Things technology has huge potential for innovation. However, it relies on low-cost sensors that are prone to security weaknesses. This makes it a ripe target for attackers. Companies wanting to tap into the technology’s potential need to know the risks and understand how to make their IoT systems secure.
In conclusion, security is a very broad subject that covers many aspects. However, small steps can make a huge difference in protecting against the many risks and threats outlined above. Let us know if you found the guidance useful. Contact us at [email protected].