Cyber Security for “The Quasi IT Director” ®

Hardly a week goes by without news of another cyber-attack, or the release of confidential information into the public domain.

As a non-technical Board Director who is responsible for IT, “The Quasi IT Director” ®, it is your responsibility to ensure that your company’s IT remains secure to stop hackers getting in, but also to ensure that data doesn’t leak out!

Since the introduction of the General Data Protection Regulation (GDPR), businesses that fail to secure personal data can face heavy fines (up to €20 million or 4% of global annual turnover, whichever is higher), so we have set out some of the areas you should review when considering your IT security policy.

Understand the landscape and identify what is applicable and relevant to your business:

  • Accreditation standards,
  • Sanctions,
  • Regulation – industry related,
  • GDPR (General Data Protection Regulation) – applies to everyone.

What can I do?

  • Identify where your data is and who has access to it,
  • Review your data policies and processes and ensure your employees are aware of them,
  • Review the tools in place to: Prevent, Detect, and React.

Threat intelligence will help your business understand the risks by providing insight on:

  • The mechanisms attackers use,
  • How to detect a breach,
  • What the implications are,
  • What you can do to protect your assets.

How can I get it?

  • Sign up to security newsletters,
  • Outsource your security to a third-party organisation or Threat Intelligence service,
  • Speak to your IT support organisation.

Don’t be Complacent, the Risks are Increasing:

  • Security is not something that you address and then move on. It must be continually monitored and reviewed,
  • The HM Government Cyber Security Breaches Survey 2018 reported that, among micro and small businesses:
    • 42% had identified a cyber security breach in the past 12 months.
    • Only 19% have undertaken all 10 steps of the Government’s 10 Steps to Cyber Security guidance.
    • Only 26% had any formal security policies.
    • Only 19% had any cyber security training.

Apply Security That is Appropriate for the Assets you Wish to Protect:

  • Define your baseline security that applies to everything in your organisation.
  • Identify the assets that require additional protection and apply it to them, for example:
    • Customer databases,
    • Intellectual property,
    • Sensitive information, etc.

Keep your Hardware and Software Up-to-Date:

  • Ensure you use current, supported versions of your applications. Unsupported versions no longer receive security fixes, so any vulnerability found in them stays exploitable for as long as they remain in use.
  • Keep operating systems current and patched; staying on a supported operating system may also require periodic hardware refreshes.

Ensure you Have a Robust Password Policy:

  • A password should have a minimum of eight characters and contain a mixture of upper and lowercase letters, numbers and special characters. Each extra character multiplies the number of possible passwords by the size of the character set, so adding length strengthens a password far more than swapping in one more symbol.
  • Using current hacking techniques, the time taken to crack a password is demonstrated in the table below:
  • Avoid using the same password for multiple accounts.
  • Avoid common passwords, block any that are known to have appeared in a breach, and ensure that old passwords cannot be reused. Note that current NCSC guidance advises against forcing routine expiry, because it pushes users towards predictable variations; instead, require a change promptly whenever compromise is suspected.
  • Consider using passphrases, for example three or more unrelated random words, or a password built from the first letter of each word of a sentence you can remember.
  • Use a password manager so that every account can have a unique, long password that nobody has to remember or write down; protect the manager itself with a strong master password and multi-factor authentication where available.

A guide to how strong your password is can be found here, although no such estimator should be considered foolproof: it measures resistance to brute force, not to dictionary or pattern-based guessing, which is how most real passwords are cracked.
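To make the length argument concrete, here is an added estimator (our example, not the article's own table or the linked guide) that computes the brute-force key space for a given character set and length and converts it to a time-to-exhaust at an assumed guess rate. The rates `OFFLINE_RATE` and `ONLINE_RATE`, the `COMMON_PASSWORDS` set and the sample passwords are all constructed assumptions for illustration; the Diceware list size is the standard 7776 words.

```python
"""Key-space and crack-time estimates for passwords and passphrases.

Added example, not the article's own table. The guess rates below are
illustrative assumptions, not measurements of any particular attacker.
"""
import math
import string

OFFLINE_RATE = 1e10    # assumption: guesses/second against a fast, unsalted hash on a GPU rig
ONLINE_RATE = 100.0    # assumption: guesses/second against a rate-limited login form
DICEWARE_WORDS = 7776  # size of a standard Diceware word list (6**5)

# Constructed stand-in for a breached-password list; a real check uses a
# corpus such as the NCSC / Have I Been Pwned list, not a handful of strings.
COMMON_PASSWORDS = {"password", "password1", "password1!", "qwerty123", "letmein", "welcome1"}


def alphabet_size(password: str) -> int:
    """Size of the smallest standard character set that contains every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    if any(c.isspace() for c in password):
        size += 1
    return size


def keyspace(alphabet: int, length: int) -> int:
    """Number of candidates an exhaustive search must try: alphabet ** length."""
    return alphabet ** length


def entropy_bits(alphabet: int, length: int) -> float:
    """log2 of the key space: how many bits of guessing work a brute-force attacker faces."""
    return length * math.log2(alphabet)


def passphrase_bits(n_words: int, dictionary_size: int = DICEWARE_WORDS) -> float:
    """Entropy of n words chosen uniformly at random from a known word list."""
    return n_words * math.log2(dictionary_size)


def time_to_exhaust(space: int, rate: float) -> float:
    """Worst-case seconds to try every candidate; the expected time is half this."""
    return space / rate


def human_time(seconds: float) -> str:
    for name, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.2f} seconds"


def estimate(password: str) -> dict:
    """Brute-force upper bound for one password; common passwords count as already cracked."""
    if not password or password.lower() in COMMON_PASSWORDS:
        return {"length": len(password), "alphabet": 0, "bits": 0.0,
                "offline_seconds": 0.0, "online_seconds": 0.0,
                "note": "on a common-password list, cracked immediately"}
    a, n = alphabet_size(password), len(password)
    space = keyspace(a, n)
    return {"length": n, "alphabet": a, "bits": entropy_bits(a, n),
            "offline_seconds": time_to_exhaust(space, OFFLINE_RATE),
            "online_seconds": time_to_exhaust(space, ONLINE_RATE), "note": ""}


def crack_table(lengths=(6, 8, 10, 12, 14), alphabets=(26, 62, 95)) -> list:
    """Rows of (length, alphabet, bits, offline time) showing that length dominates."""
    return [(n, a, round(entropy_bits(a, n), 1),
             human_time(time_to_exhaust(keyspace(a, n), OFFLINE_RATE)))
            for n in lengths for a in alphabets]


if __name__ == "__main__":
    print(f"{'len':>4} {'set':>4} {'bits':>6}  offline time at {OFFLINE_RATE:.0e} guesses/s")
    for n, a, bits, t in crack_table():
        print(f"{n:>4} {a:>4} {bits:>6}  {t}")
    for pw in ("Password1!", "Xk7#pQ2m", "Xk7#pQ2m!vB4"):  # constructed samples
        e = estimate(pw)
        print(f"{pw!r}: {e['bits']:.1f} bits, {human_time(e['offline_seconds'])} {e['note']}")
    print("4 random Diceware words:", round(passphrase_bits(4), 1), "bits")
```

Two things the table makes visible: going from 8 to 12 characters over the full printable set moves the exhaustive-search time at the assumed offline rate from days to over a million years, and four random dictionary words (about 52 bits) already beat an eight-character mixed password. The figures are upper bounds for uniformly random passwords only; anything a person chooses by pattern is attacked with dictionaries and rules and falls far sooner, which is why the common-password check runs first.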

Be Aware of Phishing:

  • Phishing is the attempt to obtain sensitive information such as usernames, passwords and credit card details (and, indirectly, money), usually for malicious reasons, by masquerading as a trustworthy entity in an email.
  • Email addresses and personal details are often harvested from social media sites, chain emails or stolen databases.
  • The email will contain links to websites that look legitimate but are in fact fake, and which ask you to enter sensitive information. Check where a link actually points before clicking it, or type the organisation's address yourself.
  • The email may also carry attached documents. Do not open attachments you were not expecting; if in doubt, confirm with the sender through a separate channel such as a phone call, not by replying to the email.
  • Be aware of spoofed sender addresses that use domain names very similar to yours (a swapped or substituted letter, an extra word, or a different top-level domain), and check the actual address rather than just the display name.
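The last two points can be checked mechanically. The following is an added example (not from the article or any product it mentions) that examines the From and Reply-To headers of a message and flags a sender domain that merely resembles your own, a display name that carries your domain while the real address is elsewhere, and a Reply-To pointing at a different domain. `OWN_DOMAIN`, the `CONFUSABLES` table, the edit-distance threshold and the sample messages are all constructed assumptions to be adjusted for your organisation.

```python
"""Flag email senders that impersonate your own domain (added example).

Assumptions: OWN_DOMAIN is a placeholder, and the confusable-character
table, thresholds and sample messages below are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

OWN_DOMAIN = "example.co.uk"  # assumption: substitute your organisation's domain

# Ordered substitutions so that both a genuine and a lookalike domain collapse
# to the same string: "rn" folds to "m" before single characters, and 1 / l / I
# all converge on one letter. Applied identically to both sides of a comparison.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"), ("cl", "d"),
    ("0", "o"), ("1", "l"), ("|", "l"), ("l", "i"),
    ("5", "s"), ("3", "e"), ("@", "a"),
]


def normalise(domain: str) -> str:
    d = domain.lower().rstrip(".")
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance: insertions, deletions and substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(domain: str, own: str = OWN_DOMAIN) -> str:
    """One of: exact, subdomain, lookalike, external."""
    d, own = domain.lower().rstrip("."), own.lower()
    if d == own:
        return "exact"
    if d.endswith("." + own):
        return "subdomain"
    own_label, d_label = own.split(".")[0], d.split(".")[0]
    if normalise(d) == normalise(own):
        return "lookalike"  # examp1e.co.uk, exarnple.co.uk
    if normalise(d_label) == normalise(own_label):
        return "lookalike"  # example.com, example.net (top-level domain swap)
    # Threshold of 2 suits a 7-letter label; tighten it for short names to avoid false alarms.
    if own_label in d_label or levenshtein(own_label, d_label) <= 2:
        return "lookalike"  # example-invoices.com, exmaple.co.uk
    return "external"


def analyse(raw_message: str, own: str = OWN_DOMAIN) -> dict:
    """Return the sender domain, its classification and the reasons it looks suspicious."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2]
    kind = classify_sender_domain(from_domain, own)
    reasons = []
    if kind == "lookalike":
        reasons.append(f"sender domain {from_domain!r} resembles {own!r}")
    own_label = own.split(".")[0]
    name = display_name.lower()
    if kind in ("lookalike", "external") and (own in name or own_label in name):
        reasons.append(f"display name {display_name!r} claims {own!r} but the address is {from_addr!r}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to:
        reply_domain = reply_to.rpartition("@")[2]
        if reply_domain != from_domain:
            reasons.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")
    return {"from_domain": from_domain, "kind": kind,
            "verdict": "suspicious" if reasons else "ok", "reasons": reasons}


# Constructed sample headers, not real mail.
SAMPLES = {
    "genuine": "From: Finance Team <finance@example.co.uk>\nSubject: Q3 invoices\n\nSee attached.\n",
    "lookalike": ("From: Finance Team <finance@examp1e.co.uk>\nReply-To: payments@examp1e.co.uk\n"
                  "Subject: Urgent: updated bank details\n\nPlease update our account details.\n"),
    "display_name": ('From: "finance@example.co.uk" <user8841@free-mail.example>\n'
                     "Subject: Urgent payment\n\nPay this today.\n"),
    "reply_to": ("From: Finance Team <finance@example.co.uk>\nReply-To: finance@mail-relay.example\n"
                 "Subject: Invoice query\n\nReply with your card details.\n"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        result = analyse(raw)
        print(f"{label:13} {result['kind']:10} {result['verdict']:10} {'; '.join(result['reasons'])}")
```

These heuristics complement rather than replace SPF, DKIM and DMARC: those protocols stop an attacker sending as your exact domain, but a registered lookalike such as `examp1e.co.uk` passes them perfectly well for its own domain, which is why a resemblance check on the sender domain and display name is still worth running at the mail gateway or in a mail filter.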
Viruses, Malware and Ransomware:

  • Computer viruses are not new; they have been around for many years. Sometimes they are merely annoying, for example adware that places unwanted adverts on your screen or hijacks your search results so that you are directed to certain web retailers.
  • Malware more generally is also not new, but it has become a lucrative money-making opportunity for cyber criminals.
  • Ransomware is malware that infects computers and network storage devices. It is often difficult to detect and may remain dormant, sometimes for many weeks, before encrypting your data in the background. Once it has finished it displays a message demanding a ransom before you can access your data again.

How can I prevent this from happening to my organisation?

  • Make regular backups of all important data and keep several weeks of copies before they are overwritten. Keep at least one copy offline or otherwise disconnected from the network, so that ransomware cannot encrypt the backups as well, and test periodically that you can actually restore from them.
  • Use a reputable antivirus (AV) solution. Free AV products and those bundled with the operating system will stop many well-known threats, but they typically lack the central management, reporting and support that a paid business product provides.
  • Avoid day-to-day use of accounts with admin privileges, to limit what malware can do if it runs.
  • All staff (including senior management) should attend regular IT security awareness training to understand the risks.

What should we do if we get infected?

  • Isolate the machine: disconnect any network cables, Wi-Fi and external storage devices as quickly as you can, so that the infection cannot spread to shared drives or other computers.
  • Turn the computer off. Don't try to shut it down normally; hold the power button in for a few seconds and, if that doesn't work, pull the power lead from the computer or wall socket. Leave it disconnected so that no further damage is done if it is inadvertently switched back on.
  • Don't pay any ransom demands. There is no guarantee that you will get your data back.
  • Call your IT helpdesk or support organisation for assistance, and keep the affected machine untouched for them to examine.

Cyber Security requires more than just a common-sense approach and our Technology Advisory Services Team has vast experience in helping organisations ensure their IT systems and services are resilient, reliable, scalable and secure, whilst also keeping a watchful eye on cost.

If you would like to find out how we could help your business or if you have any queries relating to this or any other IT matter, please contact Hannah Farmborough or call on 0207 429 4147 to be put in contact with a member of our team.  

This article originally appeared on the blog of our member firm, MHA MacIntyre Hudson.