Sam Vesey 21st August 2019 Advice 5 Minute

As with most things in life, one size doesn't fit all when it comes to Cyber Security strategy. It's often difficult to know where to start with this topic, mainly due to the mountain of information available and the fact that different advice is relevant in each individual case. Our tips here are just quick snippets that every business should, at the very least, consider, but they in no way substitute for tailored professional advice.

If you're looking to go into more detail with your Cyber Security strategy, we suggest you take a look at the Cyber Essentials Standard as a good fundamental reference point for your organisation's security policy. If you'd like help putting together a strategy, why not get in touch!

Tip 1 - Back up your data

Our first point is one we honestly can't state enough. The rise of cyber crime has had an impact on many SMEs, with the NCSC even suggesting 1 in 2 businesses have been impacted! The best way you can ensure your business will keep running in the event of a disaster is to operate a good backup and disaster recovery strategy. Besides, even without the threat of cyber crime, it's not a perfect world and accidents happen. Not all data loss is due to malicious intent, after all!

If there's one piece of advice to take away from this point for SMEs, it's to utilise the cloud. We advise the use of OneDrive for workstations: the application automatically replicates your files to the Microsoft Cloud. If you were to lose access to your machine, an exact replica can be found in your personal SharePoint site online, even with document revision history!

Your first step to creating a robust data backup strategy is to identify what data your business can't afford to lose. Think about what your weekly routine looks like and where you'd fall down if you couldn't complete it.

Once you've identified all the business-critical data, it's time to think about where you're going to copy it and how frequently. Good questions to ask are how often you change the documents and what time frame of work you could afford to lose. USB drives offer a good low-cost solution, but if you'd like to automate the routine we suggest the use of a network attached storage device (NAS) or, as mentioned earlier, the cloud.

You can use many technologies or methods to copy the data from one location to another (backing up). What we suggest always varies by use case, but as a starting point look at Windows Backup, Time Machine, Altaro, Veeam and many others.

Tip 2 - Avoid phishing attacks

Phishing is a type of attack that comes under the category of Social Engineering - an attempt to glean confidential information from end users directly, bypassing traditional technical controls. You can invest significant resources in technical controls, but the path of least resistance for a malicious actor will always be through users.

IT Security awareness training is of paramount importance in covering this point. Educate your users to recognise the telltale signs of illegitimate emails, to exercise diligence as to where they enter credentials and, most importantly, to report any communication they feel is malicious.

There are many good educational resources available to help you with this. Our commercial suggestion is KnowBe4, but if you want to digest the information yourself, check out the NCSC site for good advice.

Tip 3 - Keep your mobile devices safe

It's likely your smartphone has access to confidential information - your company email account, photos and perhaps even documents. Whilst it doesn't seem it, that represents a huge risk to the business should it be lost, stolen or otherwise compromised.

The first layer of protection every device should implement is authentication in the form of a PIN or biometric. Most devices now have a lockout policy to reduce the risk of brute forcing, even against short codes.

All smart devices now have the capability to be tracked remotely once lost or stolen. If you can't get the device back, the second best option is to make sure your data is removed from it. Take a look at Apple's find my phone feature or, for a vendor-neutral solution, the Exchange Online offering (included in most Office 365 licenses). Make sure you look at this before you need it! Scrambling around trying to access your FindMyPhone portal isn't ideal, especially seeing as you'll be panicking about your lost device too!

Tip 4 - Use passwords to protect your data

This one seems obvious, but it's commonplace for workstations to have the login functionality removed for easier, quicker access to resources - think wallboards, workshop terminals or role-shared accounts.

You should never use shared credentials. If 10 people know the password to a single account, how do you know who deleted or edited the file maliciously? Passwords should be used to protect access to all confidential resources. If you need help remembering them, a good starting place is a password manager like LastPass, OnePass or KeePass (recurring theme in the name!).

The biggest factor in creating secure passwords is character length. Think of joining three or four random words, or creating one from memorable song lyrics. For more advice on this topic, see our password advice post.

Tip 5 - Protect against malware

Use and activate an anti-virus! The applications come in many different flavours and there will be one that fits the bill for you. Our recommendations are normally BitDefender or ESET but we concede there is no one size that fits all.

Your anti-virus is designed to protect against known signatures of files or programs that have been seen to cause damage elsewhere, whether that be an exact file or even just the methods used to exploit your machine. Either way, it isn't the Golden Bullet but does go some way to protecting you against known threats.
