10 ways to secure your IT environment
How can you protect your business in cyber space? With data breaches and cyber-attacks occurring on a daily basis, the threat to your business is very real. But there are steps that you can take to give your business a fighting chance of resisting attack.
Cyber-attacks are becoming ever more sophisticated. Investing in cyber security isn’t just a nice-to-have, it’s absolutely vital. With major financial losses, operational disruption and reputational damage at stake, safeguarding your business’ sensitive information is a no-brainer.
But how?
“Make it as difficult as possible for the hackers to get in,” advises David Starsmeare, vCIO at Mirus.
That may sound a simplified answer to a complicated issue, but it’s the fundamental approach to take. Keep your business as resilient as possible to cyber threats to reduce your risk of attack.
Below, you’ll find the ten most important steps to take to maximise the security of your business’ IT environment. Consider this the starting point of an information security journey. It won’t eliminate every risk or threat that your business may be exposed to. But it will certainly help to secure the sensitive, critical or personal data that businesses are required by law to protect.
What’s the greatest cyber security risk to businesses?
“Phishing is still, by far, the greatest threat to any business,” warns David Starsmeare.
Phishing is defined as “the practice of tricking Internet users (as through the use of deceptive email messages or websites) into revealing personal or confidential information which can then be used illicitly.”
It can take various forms, the most common of which is via email. The email and its content will look legitimate but will either contain a virus or will entice the user to share confidential or personal information.
Blanket phishing – this tactic casts a wide net. The ‘phish’ is sent out to every active user on an email list.
Whale phishing – also known as ‘spear phishing’, this method is targeted. These scams are aimed at the ‘bigger fish’ like finance team members or senior executives. Their aim is to interact with a business process such as getting funds transferred.
A phishing attack isn’t always immediately obvious. The impacts can be felt later. For example, there could be a business email compromise whereby the attacker takes over a user’s mailbox. They lurk in the background to monitor and understand what’s going on. For someone in finance, that may reveal when invoices are sent and received. The attacker can then intercept an invoice and change the bank details on it to siphon off that payment. Phishing emails can also carry a link to malware that leads to ransomware. That will affect everything that the compromised user has access to.
Recent research by the cybersecurity firm KnowBe4 reveals that the healthcare and pharmaceutical sectors are the most targeted, followed by energy/utilities. In order to entice users to engage with the phishing link or attachment, attacks often employ “urgency and emotional manipulation”. Frequently, they’ll use HR-related subject lines that prey on people’s fears. Claiming IT issues, or Microsoft Teams messages purporting to be from a senior manager, are other common phishing techniques.
10 expert steps to cyber security
As an expert in this field, David advocates the National Cyber Security Centre’s advice for organisations. Their suggested ten steps will maximise your business’ security and reduce your vulnerability to attack. By implementing these security measures, you’ll not only reduce the likelihood of a cyber-attack, but you’ll also minimise the impact of an incident if it does occur.
Here, you’ll find the National Cyber Security Centre’s advice coupled with expert suggestions from David Starsmeare.
1. Risk management
Secure your data and systems.
David’s advice: Make data the priority. That includes personally identifiable information, but also intellectual property and business critical information and systems.
Ensure anyone with admin access is secured at the highest level. For others, determine a base level of security and implement it.
Check where the data’s stored and who looks after it. Evaluate any third-party services associated with that data (including any service providers from Microsoft to Mirus IT).
2. Engagement and training
Collaboratively build security that works for people in your organisation.
David’s advice: Have information security training as part of your induction process or a one-off training session for all staff if you’re bringing in something new. Get all staff trained up to a base level. Don’t roll out the same, boring online course every six months as people don’t take it in. Engage users with some clever training that nudges them to take in the key points.
At Mirus, we recommend KnowBe4, who are market leaders in this field. They produce Netflix-style training solutions in a 6-10 minute video format which are very effective.
3. Asset management
Know what data and systems you have and what business need they support.
David’s advice: What’s being used to access your data? Obtain all of this information, including laptops, tablets, mobile phones, personal phones and laptops, or even a public computer in a cafe. You need to know about all of this so that you can get a handle on what’s being used to access your data.
4. Architecture and configuration
Design, build, maintain and manage systems securely.
David’s advice: By default, most products are not secure. They’re all inherently flawed in some way. However, there are best practices and guides to follow so that you configure each platform to be more secure.
5. Vulnerability management
Keep your systems protected throughout their lifecycle.
David’s advice: Make sure your operating systems are patched. Application updates usually address security flaws, not just improve functionality. Make sure software, hardware, network equipment and firewalls are all up to date.
It’s also important to ensure your third-party suppliers are updating their applications that you’re consuming.
6. Identity and access management
Control who and what can access your systems and data.
David’s advice: Conduct a thorough audit of the identity platform. Look at all accounts to determine when they were last used. In hybrid environments, there are password auditing tools to identify current account passwords that have been breached. They can also check for any compromised information relating to the account or email address.
Importantly, teach people how to create a password. Most people’s perception of what constitutes a secure password is wrong. For example, people still use memorable information about their life that you can obtain by doing some open-source intelligence scans. Provide best practice guidance on password security.
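The account audit described above, as an added example that is not Mirus IT’s or the NCSC’s own tooling: it reports enabled Active Directory users that have not signed in for a set period and stages them for disabling. It assumes an on-premises or hybrid AD domain, the RSAT ActiveDirectory module, and a 90-day inactivity threshold and `svc-*` service-account prefix, both of which are assumptions to adjust to your own policy.

```powershell
# Added example (not from Mirus or the NCSC): list enabled AD user accounts that
# have not been used for a set period, export the evidence, then stage a disable.
# Assumes the RSAT ActiveDirectory module and an account that can read the domain.
Import-Module ActiveDirectory

$InactiveDays = 90                                  # assumption: adjust to policy
$Cutoff       = (Get-Date).AddDays(-$InactiveDays)

# LastLogonDate is derived from lastLogonTimestamp, which replicates with a delay
# of up to about 14 days, so treat the value as approximate rather than exact.
$Stale = Get-ADUser -Filter 'Enabled -eq $true' `
            -Properties LastLogonDate, PasswordLastSet, whenCreated |
    Where-Object {
        # Accounts that have never logged on but are older than the cutoff count too.
        ($null -eq $_.LastLogonDate -and $_.whenCreated -lt $Cutoff) -or
        ($null -ne $_.LastLogonDate -and $_.LastLogonDate -lt $Cutoff)
    } |
    Select-Object SamAccountName, DistinguishedName, LastLogonDate, PasswordLastSet, whenCreated

# Write the findings out for review before anything is changed.
$Stale | Sort-Object LastLogonDate |
    Export-Csv -Path ".\stale-accounts-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

"{0} enabled account(s) inactive for more than {1} days" -f @($Stale).Count, $InactiveDays

# Disable rather than delete, and only after review. -WhatIf previews the change;
# remove it to apply. Service accounts (assumed 'svc-*' prefix) are left for manual handling.
$Stale | Where-Object { $_.SamAccountName -notlike 'svc-*' } |
    ForEach-Object { Disable-ADAccount -Identity $_.DistinguishedName -WhatIf }
```

Privileged accounts should be reviewed by hand rather than bulk-disabled, and the exported CSV gives you the record of what was found and when.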
7. Data security
Protect data where it is vulnerable.
David’s advice: When you identify any vulnerabilities in your business systems, it’s important to act on them.
Once you know where your data is, it needs to be protected whether that’s in transit, at rest, in back-ups or at the end of its useful purpose. You can use technical controls (such as encryption) for protection. Also, make sure that back-ups are completed, and permissions structures restrict access only to users who require it and no more.
It’s vital to understand your legal responsibilities and any regulations that apply to this data. This includes all types of data that you hold as some require additional consideration.
8. Logging and monitoring
Design your systems to be able to detect and investigate incidents.
David’s advice: Security incidents occur with alarming regularity. Only logging and monitoring can provide the relevant forensic detail on the impact.
Managed detection and response (MDR) is the next level of auditing. It will automatically flag risks and provide responses around the clock.
9. Incident management
Plan your response to cyber incidents in advance.
David’s advice: Work out your plan of action in the case of a cyber-attack. Put the processes and procedures in place so that you can follow them when it happens.
If you’ve had a full breach with ransomware, you need to engage with specialists. If you’ve got cyber insurance, it may specify that you need to go to certain businesses.
Test how your business would react to an incident. This will test your business continuity plans and your disaster recovery. Think of it like a fire drill for cyber-attacks!
10. Supply chain security
Collaborate with your suppliers and partners.
David’s advice: It’s not just about your internal systems; you need to ensure the security of third parties that you work with.
Set up a supplier evaluation process to determine whether their products and processes are secure. Put in specific security controls to enforce that. Ensure they sign NDAs. Ask detailed questions to understand the measures they have in place to optimise security.
Optimise your cyber security with Mirus IT’s help
How many of these ten steps have you implemented in your business? Do you have the plans, processes and security measures in place to protect your business from cyber-attack?
Our experts at Mirus IT can support you with this. There’s no ‘one size fits all’ solution. We’ll make recommendations and apply solutions that are appropriate to your business.
We have a wealth of experience and knowledge that enables us to assess the risks to your business and devise the best approach for you.
Whether you want advice or cyber security services, we have the knowledge and expertise you need. Contact our approachable team and make your IT systems more secure.