Seven top information security tips
How to be vigilant against cyber attacks
The UK’s Information Commissioner’s Office (ICO) has recently issued reprimands to two companies who failed to have appropriate technical and organisational measures in place to protect personal data. Both cases provide helpful insight and serve as a reminder to others to be vigilant.
One case involved a ransomware attack on a company which provides accountancy, tax and employment solutions. In the other case an unauthorised third party gained access to and exfiltrated personal data from a recruitment company’s systems twice within a 12-month time frame.
I’m not going to get into the hot debate about whether the ICO should issued reprimands or fines. What I would say is no company wants to have to go through the painstaking and embarrassing ordeal of an ICO investigation, fine or no fine. Needless to say, the regulator took into account some mitigating factors.
Key findings
I’ve summarised and combined the key findings from both cases, just to give a broad picture of the areas where failures were identified. These are failings by either company, not by both.
- Lack of multi-factor authentication
- No clear Bring Your Own Device Policy
- Inadequate ‘account lockout policy’
- Personal data held longer than necessary
- Significant delay in notifying those affected by the breach
- Lack of awareness in relation to patch management and associated risks
- Unsupported software
- Insufficient system logging, resulting in limited analysis of the attack
For many small and medium sized businesses, it’s not always obvious how to address cyber security threats. There are some core security arrangements which can really help to address the most obvious threats.
We’d highly recommend looking at Cyber Essentials or Cyber Essentials Plus accreditation. These are information assurance schemes operated by the National Cyber Security Centre (NCSC). They provide a framework for organisations to carry out a review of their security arrangements, and to make sure basic controls are introduced to protect networks/systems.
7 information security tips
1. Control who has access to your data and services
- Role-based access – give people access to only the specific data they need based on their job role.
- Separate administrative accounts from accounts which are also using email or browsing the web, to minimise the damage caused by an attack.
2. Choose the most secure settings for your devices and software
- Check your device settings, make sure they’re providing a higher level of security.
- Always password protect your devices and change any default passwords.
- Wherever it’s available, always use Multi-Factor Authentication on your accounts.
3. Protect yourself from viruses and other malware
- Make sure antivirus software is in place and updated regularly.
- Create a list of applications which are allowed to be installed on a device.
- Only use software from official sources and control who can install software. In other words stop staff downloading dodgy apps!
4. Keep your devices and software up to date
- Make sure all software is up-to-date with the most recent version – known as patching.
- If software becomes obsolete or is no longer supported, upgrade to a more modern version.
5. Logging and monitoring
- Make sure you have suitable logs and monitors in place to detect and investigate any information security incidents.
6. Control use of USB / memory drives
- Block access to external storage/upload devices – as the NSCS warns us it only takes one person to plug an infected memory stick containing malware to devastate the whole organisation.
- Only allow approved drives and cards to be used.
7. Back up your data
- Make sure you make backups of your important data very regularly and make sure backups can be restored very quickly, e.g. in the event of a malware attack. This will help your business get back on its feet quickly in the event of a critical data incident.
These are just a few key security steps to take and the above is by no means an exhaustive list. The NCSC has published a wide range of resources to help understand Cyber Essentials and become accredited: Cyber Essentials Overview. NCSC has also published helpful guidance on matters such as passwords, bring your own device and multi-factor authentication.
Any company whose suffered a cyber attack will know all too well how damaging they can be on so many different levels. We’d just stress you can’t prioritise enough doing all you can to reduce this risk to your business.