Source: GCHQ, BIS & CPNI (Executive Companion, 10 Steps to Cyber Security) 2012
Did you know? Yahoo, Google, eBay and AOL, some of the world's largest organisations, have all fallen victim to cyber-attacks and 'lost' their customer details. The Institute of Risk Management states that:
Cyber Risk means any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems.
Don't worry, though: just by implementing some good habits you can avoid becoming a victim.
- Protect data that leaves your organisation with your staff. Most organisations, large or small, have staff who work from home or out in the field, so it is important to train them well and protect them from cyber-risk. Apply a security baseline to all IT and mobile devices so that data is protected with passwords, and create a specific policy in your handbook for mobile workers to adhere to. Complement this with staff training and refreshers to keep standards high.
- Train your staff. Not just mobile workers but office-based staff need training to help protect your IT network. Even the largest organisations can suffer from viruses or malware, as these are being written and used by cyber criminals just as fast as antivirus software is updated. Ensure that even the most junior member of staff is aware of a virus threat; after all, they are most likely the ones who would naively open a suspect email attachment.
- Create a back-up plan. Inevitably there will be a breach at some time within your organisation, so make sure you have a manager or team in charge of handling it as quickly as possible. Get them specialist training to produce a disaster recovery plan, and make sure it includes reporting the incident to the Police.
- Develop a robust Information Risk Management Regime. Ensure that cyber-risk is part of your overall risk management system and produce supporting risk management policies.
- Control & manage access to confidential data. The fewer people who have access to data, the lower the risk of it being unintentionally disclosed. Create a hierarchical password structure that limits user privileges, and build in second-user authorisation practices to maintain this. Try to keep ADMIN-level users to a bare minimum.
- Control usage and scan USB, card and other flash drives or mobile media. Produce a policy to control your staff's usage of mobile media storage and limit its types and use. Scan all media for malware before importing it onto the corporate system.
- Keep on monitoring your security measures. Create a schedule to analyse your IT systems and networks for unusual activity that could indicate an attack. Make this someone's role, and implement a monitoring strategy and policies for when they are on leave so that the schedule can be maintained by another member of staff.
- Keep Secure Configurations. Build into your schedule the continuous application of security patches, making sure all your existing PCs and devices are updated as well as newly introduced hardware. Use an asset log to help with this procedure.
- Keep scanning for Malware. Establish anti-malware defences that are relevant to all your business functions and keep scanning for malware across the organisation.
- Maintain high standards of Network Security. Use firewalls and specialist hardware to keep your network's perimeter robust to filter out unauthorised access and malicious content. Monitor and test these security controls regularly.
Get Started Today...
These 10 steps will help prevent attacks but of course cannot ensure protection against all attackers. You will need to tailor them to suit your organisation and the environment it operates in. In terms of both hardware and staff, it is vital to identify threats, manage risks, create anti-cyber-crime policies, and uphold and update them regularly.
Having even the most basic system security in place can prevent a large number of cyber-attacks, but this won't stop them all. The technology to protect against cyber risks also needs to be managed: it is important to recognise what the company's most valuable assets are, such as confidential information and intellectual property. Identify any risks to the company's information assets, such as the people who have access to the information and the type of people who might want to target that information from the outside. Always plan for the worst-case scenario, so that if a cyber-attack occurs the company can recover quickly and effectively, assess how and why the attack occurred, and prevent it happening in the future.
Insurance is always important in the event of a cyber-attack and can help cover the costs, but it can't protect you from a damaged reputation. Having the technology in place to protect you from a cyber-attack in the first place is very important, but cyber risks aren't just a concern for the IT department: organisational and human factors are just as important, and educating staff in the correct procedures and potential risks can be highly effective in preventing an internal breach of security.
Article Posted: 18/09/2019 10:51:43