Cyber Security 12 Practical Steps

We have put together a list of practical steps that you can take to safeguard your business based on our experience of what has worked for us and our clients. These steps may be viewed in any order and may be used in isolation to provide incremental improvements or may be incorporated into a broad cyber security program. Throughout the guidance we use the terms “business” and “organisation” interchangeably. Any advice is equally applicable to businesses and organisations that aren’t primarily regarded as business institutions.

1. Antimalware

It almost goes without saying: ensure every computer has at least a reputable antivirus (AV) product installed and kept current. The limitation of much standalone AV software is that there is no central reporting of what it detects. You are relying on each individual to notice when the AV on their computer flags malware and then to judge whether the event is significant enough to report.

Endpoint Detection and Response (EDR) products go a step further, although they are generally more expensive than standard AV. Every endpoint reports to a single management console, so the relevant staff have visibility of malware events across the whole organisation. EDR also records endpoint activity (processes, network connections, file changes) and lets a responder investigate and contain an infected computer, for example by isolating it from the network, rather than simply deleting a file and hoping for the best.

2. Updates, updates, updates!

It cannot be stressed enough how important it is to keep applications and computer operating systems up to date. Attackers are constantly discovering vulnerabilities in software that they can exploit to compromise IT systems.

As soon as vendors become aware of a vulnerability, they release a patch or update to eliminate it. Typically, around 500 new security vulnerabilities are published each week. Attackers will seek to exploit these vulnerabilities before a patch is made available, or in the gap before organisations install it. In 2021, for example, an estimated 250 thousand Microsoft Exchange email servers were compromised through the “ProxyLogon” vulnerabilities, many of them in the days after patches were released but before they had been applied.

In addition to updating computer operating systems, aim to install updates for web browsers and other applications, such as Adobe Reader, within 14 days of their release. (The UK Cyber Essentials scheme requires this 14-day window for updates that fix vulnerabilities rated critical or high.)

It isn’t just computers that are prone to software vulnerabilities, though. Many devices such as firewalls, switches, routers and even printers run firmware that needs updating for the same reason, and these are easily forgotten because nobody logs on to them day to day.

Manually visiting each computer to install updates is time-consuming and impractical beyond a handful of machines. In a Windows Server environment, Windows Server Update Services (WSUS) can approve and push updates to computers connected to the network. Mobile Device Management (MDM) solutions deploy updates to computers and other devices wherever they are located, which matters for laptops that rarely connect to the office network. In addition, there are a number of patch management products that centrally manage deployment, including for third-party applications that WSUS does not cover.

Whatever method you choose, a patch management plan should form part of your cyber security policy. It should say how you will learn about new updates, who approves them, and how you confirm that they were actually installed; an update that was pushed but failed silently on half the estate is the case that catches people out.
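The following is an added example (it is not code from the original article) showing the kind of check that confirms updates were actually installed within the 14-day window. It runs over a constructed inventory of hosts and a constructed list of vendor fixes; the product names, version numbers and dates are invented for illustration. The point it makes that the text does not: version strings must be compared numerically, because as plain strings “1.2.9” sorts after “1.2.10”, and a pre-release build does not count as patched. Real vendor version schemes vary, so in production prefer the platform’s own comparison (for example `packaging.version` for Python packages or `dpkg --compare-versions` on Debian).

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

PATCH_SLA_DAYS = 14  # updates are to be installed within 14 days of release


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_version: str  # first version that contains the fix
    released: date      # date the vendor published that version


@dataclass(frozen=True)
class Installed:
    host: str
    product: str
    version: str


def version_key(version: str) -> tuple:
    """Comparable key for dotted versions with an optional '-tag' suffix.

    Numeric comparison matters: as strings, '1.2.9' sorts after '1.2.10'.
    Trailing zeros are dropped so '1.2' == '1.2.0', and a pre-release tag
    ('-rc1', '-beta') ranks below the untagged release it precedes.
    """
    base, _, tag = version.partition("-")
    numbers = [int(p) if p.isdigit() else 0 for p in base.split(".")]
    while numbers and numbers[-1] == 0:
        numbers.pop()
    return (tuple(numbers), 0 if tag else 1, tag)


def is_patched(installed: str, fixed: str) -> bool:
    return version_key(installed) >= version_key(fixed)


def check_inventory(inventory: list[Installed], advisories: list[Advisory],
                    today: date) -> dict[tuple[str, str], tuple[str, int]]:
    """Map (host, product) to ('patched', 0), ('due', days left) or ('overdue', days late)."""
    by_product = {a.product: a for a in advisories}
    results: dict[tuple[str, str], tuple[str, int]] = {}
    for pkg in inventory:
        adv = by_product.get(pkg.product)
        if adv is None:
            continue  # nothing outstanding for this product
        if is_patched(pkg.version, adv.fixed_version):
            results[(pkg.host, pkg.product)] = ("patched", 0)
            continue
        age = (today - adv.released).days
        if age > PATCH_SLA_DAYS:
            results[(pkg.host, pkg.product)] = ("overdue", age - PATCH_SLA_DAYS)
        else:
            results[(pkg.host, pkg.product)] = ("due", PATCH_SLA_DAYS - age)
    return results


# Constructed sample data; the products, versions and dates are not real advisories.
ADVISORIES = [
    Advisory("pdf-reader", "3.4.10", date(2024, 3, 1)),
    Advisory("web-browser", "120.0.2", date(2024, 3, 10)),
]
INVENTORY = [
    Installed("ws-01", "pdf-reader", "3.4.9"),          # older than the fix, 19 days on
    Installed("ws-02", "pdf-reader", "3.4.10"),         # patched
    Installed("ws-03", "web-browser", "120.0.1"),       # unpatched, still inside the window
    Installed("ws-04", "web-browser", "120.0.2-beta"),  # pre-release build, not the fixed release
]
TODAY = date(2024, 3, 20)

if __name__ == "__main__":
    for (host, product), (state, days) in sorted(check_inventory(INVENTORY, ADVISORIES, TODAY).items()):
        print(f"{host:6} {product:12} {state:8} {days:>3} days")
```

In practice the inventory would come from your patch management tool or an agent query rather than a hard-coded list; the comparison and SLA logic stay the same.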

3. User awareness

It is often said that people are an organisation’s greatest asset. Unfortunately, humans are also… human. People make mistakes, and they can also be tricked into giving attackers access to your business systems.

Implement user awareness training to improve your employees’ ability to spot and report potential cyber attacks, phishing in particular. Run it at least annually, ideally every six months, and make reporting easy and blame-free; an employee who admits to clicking a link within minutes gives you a far better chance of containing the incident than one who keeps quiet. You can purchase commercial user awareness training. The UK National Cyber Security Centre (NCSC) also offers free training materials.

In addition to user awareness training, ensure employees are familiar and compliant with the organisation’s cyber security policies. You should monitor this on an ongoing basis.

4. Password management

Passwords are the proverbial keys to the kingdom. Unfortunately, they are also a perennial weakness in cyber security. A typical person may have in excess of 100 passwords to try to remember. Because of this, people develop bad habits:

• They may use simple passwords that are easy to remember (and easy to crack).
• They may reuse the same password for multiple sites, so that if the password is compromised on one site, every other site where it is used is compromised too. Attackers test leaked credentials against other services automatically (“credential stuffing”).
• They may save their passwords in spreadsheets or notebooks. We have seen labels with usernames and passwords stuck on computers on many occasions.

Password managers (sometimes known as password vaults) enable individuals and teams to generate and store strong, unique passwords for multiple sites. These can then be used without the user having to remember them, or even see them, each time they access a site. A manager that autofills only on the site a password was saved for also gives some protection against phishing, because it will not offer the credentials on a look-alike domain. The manager itself must be protected by a strong master password and multi-factor authentication, since it now holds everything.
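As an added example (not code from the original article), the block below shows the two things a password manager does that the bad habits above fail at: generating passwords from a cryptographically secure random source, and making reuse visible. The vault contents and the small common-password list are constructed for illustration; a real check would use a full breach corpus.

```python
from __future__ import annotations

import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 printable characters


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw each character uniformly from a CSPRNG, as a password manager's
    generator does. The random module is not suitable for this: it is seeded
    predictably and its output can be reconstructed from a few samples."""
    if length < 12 or len(set(alphabet)) < 2:
        raise ValueError("length must be at least 12 and the alphabet non-trivial")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing work for a uniformly generated password: log2(alphabet_size ** length).
    20 characters from 94 symbols is about 131 bits, far beyond brute force."""
    return length * math.log2(alphabet_size)


def find_reused(vault: dict[str, str]) -> list[list[str]]:
    """Group sites that share a password; vault maps site -> password.
    Any group returned is a set of accounts that fall together if one leaks."""
    sites_by_password: dict[str, list[str]] = {}
    for site, password in vault.items():
        sites_by_password.setdefault(password, []).append(site)
    return sorted(sorted(sites) for sites in sites_by_password.values() if len(sites) > 1)


# Tiny constructed denylist standing in for a breach corpus.
COMMON_PASSWORDS = {"password", "password1", "welcome1", "qwerty123", "letmein"}


def is_weak(password: str, denylist: set[str] = COMMON_PASSWORDS, min_length: int = 12) -> bool:
    """Too short, or a known common password (case-insensitive)."""
    return len(password) < min_length or password.lower() in denylist


# Constructed sample vault: three sites share one password, one does not.
SAMPLE_VAULT = {
    "webmail.example": "Summer2024!",
    "bank.example": "Summer2024!",
    "crm.example": "Summer2024!",
    "payroll.example": "Vq7$kL2pX9#mR4wZ!bN8",
}

if __name__ == "__main__":
    new = generate_password(20)
    print(new, f"{entropy_bits(len(new), len(ALPHABET)):.1f} bits")
    print("reused across:", find_reused(SAMPLE_VAULT))
    print("weak:", [site for site, pw in SAMPLE_VAULT.items() if is_weak(pw)])
```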

5. Multi-factor authentication

Security can be strengthened considerably by implementing multi-factor authentication (MFA) wherever possible. Two-factor authentication (2FA) is the common case of exactly two factors.

Authentication factors are commonly considered to be:

• Something you know, such as a password or PIN.
• Something you have, such as a chip-and-PIN card, a smartphone running an authenticator app, or a hardware security key.
• Something you are, which is a unique physical characteristic, such as a fingerprint or retina pattern.

When a login requires two or more of these different factors, you have MFA. Two passwords, or a password plus a memorable question, are still a single factor.

Most cloud vendors offer the ability to set up and use MFA. Where possible, enable it, starting with administrator accounts, email and remote access, because those are what attackers go for first. Not all second factors are equal: codes sent by SMS can be intercepted, and one-time codes typed into a web page can be phished in real time by a look-alike site. Prefer an authenticator app over SMS and, where the service supports them, a hardware security key or passkey, which is bound to the genuine site and cannot be replayed elsewhere.
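The “something you have” factor that most cloud vendors support is a time-based one-time password (TOTP) generated by an authenticator app from a shared secret. The block below is an added example, not code from the original article, implementing the standard algorithm (RFC 4226 HOTP and RFC 6238 TOTP) so you can see where the codes come from, how a server tolerates clock drift, and what an enrolment `otpauth://` URI looks like. The reference secret `12345678901234567890` is the test secret from RFC 6238; the account name and issuer in the demo are made up.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, dynamic truncation,
    then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step). The phone and the
    server compute the same value because they share the secret and the clock."""
    return hotp(secret, int(at // step), digits, algorithm)


def verify_totp(secret: bytes, code: str, at: float, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept the current step plus `window` steps either side to tolerate clock
    drift. Uses a constant-time compare. A real server must additionally record
    the last counter it accepted and refuse it again, or a sniffed code can be
    replayed within the window."""
    counter = int(at // step)
    candidates = range(counter - window, counter + window + 1)
    return any(hmac.compare_digest(hotp(secret, c, digits), code) for c in candidates)


def new_secret(nbytes: int = 20) -> bytes:
    """160-bit random secret, the size RFC 4226 recommends for HMAC-SHA1."""
    return secrets.token_bytes(nbytes)


def provisioning_uri(secret: bytes, account: str, issuer: str,
                     digits: int = 6, step: int = 30) -> str:
    """The otpauth:// URI that authenticator apps read from the enrolment QR code.
    Treat it like the secret itself: it is the secret, base32-encoded."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits={digits}&period={step}")


RFC6238_SECRET = b"12345678901234567890"  # reference test secret from RFC 6238 (SHA-1 vectors)

if __name__ == "__main__":
    print("RFC 6238 vector, T=59, 8 digits:", totp(RFC6238_SECRET, 59, digits=8))  # 94287082
    s = new_secret()
    print(provisioning_uri(s, "alice@example.com", "Example Ltd"))  # made-up account/issuer
    now = time.time()
    code = totp(s, now)
    print("current code", code, "verifies:", verify_totp(s, code, now))
```

The same shared-secret property is also TOTP’s weakness: anyone who can get the user to type the current code into a fake login page within the 30-second window can use it, which is why the text above prefers a hardware key or passkey for accounts that matter most.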

6. Implement least privilege

Give people only the access they need to do their jobs. If people have more access than they need, human error or a disgruntled employee can have a far greater impact on the business, and so can an attacker who compromises that person’s account or computer. Identify your information resources, decide who should and should not have access to each one, and implement appropriate access controls. Review access whenever someone changes role or leaves; privileges tend to accumulate over time and are rarely taken away unless somebody checks.

7. Use non-admin accounts or User Account Control

When users log onto their computers with local admin rights, any malware that runs under their account has the same elevated permissions. Admin rights make it easier for ransomware to disable security tools, encrypt data beyond the user’s own files and spread through the network. Without admin privileges, malware can still run and damage anything the user can write to, including network shares, but it cannot make system-wide changes: install drivers or services for persistence, tamper with the antivirus, or dump credentials from memory, which is what it needs in order to propagate fully.

Some people argue that restricting admin rights reduces operational efficiency and productivity, because users must ask IT for routine tasks such as installing software or adding printers. Windows’ built-in User Account Control (UAC) can reduce the risk for users who keep admin rights, if it is configured correctly: the account runs with standard-user permissions until an elevation prompt is explicitly approved on the secure desktop. Bear in mind, though, that Microsoft does not regard UAC as a security boundary. It protects against mistakes and unsophisticated malware, not against a determined attacker who already has code running as that user. The stronger control remains a separate standard-user account for day-to-day work, with a distinct admin account used only for administration.
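The following is an added example, not code from the original article, of the check an administrator would run to see whether UAC is actually “configured correctly” on a machine and who holds local admin rights. It reads the UAC policy values under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System` and parses the output of `net localgroup Administrators` when run on Windows; the assessment logic works on plain data, so it is also exercised here against constructed values. The registry value meanings are Microsoft’s documented ones (for `ConsentPromptBehaviorAdmin`: 0 elevates silently, 1 and 2 prompt on the secure desktop, 5 is the default that only prompts for non-Windows binaries); the “hardened” target of 2 for administrators and 0 for standard users follows the common CIS benchmark recommendation. The `net` output parser assumes an English-language Windows; the allowed-admin list and sample output are made up.

```python
from __future__ import annotations

import subprocess

try:
    import winreg  # Windows only; the assessment functions below do not need it
except ImportError:  # pragma: no cover - non-Windows
    winreg = None

UAC_POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
# Windows defaults that apply when a value is absent from the key.
UAC_DEFAULTS = {
    "EnableLUA": 1,                  # 1 = UAC on
    "ConsentPromptBehaviorAdmin": 5, # 0 silent, 1 creds, 2 consent (both on secure desktop), 5 default
    "ConsentPromptBehaviorUser": 3,  # 0 deny automatically, 1 creds on secure desktop, 3 creds
    "PromptOnSecureDesktop": 1,      # 1 = prompts on the dimmed secure desktop
}


def read_uac_settings() -> dict[str, int]:
    """Read the UAC policy values from the live registry (Windows only)."""
    if winreg is None:
        raise RuntimeError("registry access requires Windows")
    settings: dict[str, int] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, UAC_POLICY_KEY) as key:
        for name in UAC_DEFAULTS:
            try:
                settings[name] = int(winreg.QueryValueEx(key, name)[0])
            except FileNotFoundError:
                pass  # value not set: Windows uses its default
    return settings


def assess_uac(settings: dict[str, int]) -> list[str]:
    """Findings for anything weaker than: UAC on, admins prompted for consent on the
    secure desktop, standard users' elevation requests denied outright."""
    s = {**UAC_DEFAULTS, **settings}
    findings: list[str] = []
    if s["EnableLUA"] != 1:
        findings.append("EnableLUA=0: UAC is switched off entirely")
    admin = s["ConsentPromptBehaviorAdmin"]
    if admin == 0:
        findings.append("ConsentPromptBehaviorAdmin=0: admins elevate silently, so malware running as them elevates too")
    elif admin in (3, 4, 5):
        findings.append(f"ConsentPromptBehaviorAdmin={admin}: set 2 (consent on secure desktop) or 1 (credentials)")
    if s["PromptOnSecureDesktop"] != 1:
        findings.append("PromptOnSecureDesktop=0: elevation prompts are not isolated from other software")
    if s["ConsentPromptBehaviorUser"] != 0:
        findings.append(f"ConsentPromptBehaviorUser={s['ConsentPromptBehaviorUser']}: standard users are offered a credential prompt; 0 denies instead")
    return findings


def parse_net_localgroup(output: str) -> list[str]:
    """Members listed by `net localgroup Administrators`: the non-blank lines between
    the dashed rule and the completion message (English-language Windows assumed)."""
    members: list[str] = []
    in_members = False
    for line in output.splitlines():
        if line.startswith("---"):
            in_members = True
            continue
        if line.startswith("The command completed"):
            break
        if in_members and line.strip():
            members.append(line.strip())
    return members


def local_admins() -> list[str]:
    out = subprocess.run(["net", "localgroup", "Administrators"],
                         capture_output=True, text=True, check=True).stdout
    return parse_net_localgroup(out)


def unexpected_admins(members: list[str], allowed: set[str]) -> list[str]:
    """Anyone in the group who is not on the approved list (case-insensitive)."""
    allowed_lower = {a.lower() for a in allowed}
    return sorted(m for m in members if m.lower() not in allowed_lower)


# Constructed sample data standing in for a real machine.
SAMPLE_NET_OUTPUT = """Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
jsmith
The command completed successfully.
"""
ALLOWED_ADMINS = {"Administrator", "CORP\\Domain Admins"}
SAMPLE_SETTINGS = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 0}  # silent elevation

if __name__ == "__main__":
    settings = read_uac_settings() if winreg else SAMPLE_SETTINGS
    members = local_admins() if winreg else parse_net_localgroup(SAMPLE_NET_OUTPUT)
    for f in assess_uac(settings):
        print("UAC:", f)
    for m in unexpected_admins(members, ALLOWED_ADMINS):
        print("Unexpected local admin:", m)
```

Run this across the estate from your management tooling rather than by hand; a user who was quietly added to the local Administrators group “just for this install” is exactly the condition the text above is warning about.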

8. Implement a 3-2-1 backup strategy

The basic concept of the 3-2-1 backup strategy is that three copies are kept of the data to be protected: the copies are stored on two different types of storage media, and one copy is held off site.

If you only have one external backup device, such as a USB disk, and it is lost, stolen, damaged or fails over time, you may find yourself with no means of recovery. This is why you should alternate backups over two or more devices.

If you keep all backup media on the premises you could lose access to them in an event such as fire, flood or theft. This is why it is recommended to keep one copy off site. Putting one of the backup devices in a fireproof safe won’t do you much good if the building is structurally unsound and you can’t gain access to it.

Backing up your data to the cloud provides a second type of storage media and, at the same time, your off-site copy. This kind of backup used to be relatively expensive, but costs have come down, with some solutions now being very cost effective. Whichever off-site option you use, make sure that copy cannot be altered or deleted from a compromised computer: ransomware routinely looks for and destroys any backup it can reach, so the copy that is kept offline or in immutable storage is the one you will actually recover from.

Carry out periodic checks to make sure backups are working: restore a small sample of files to a scratch location and compare them with the originals, and at least once a year rehearse a full restore so you know how long it really takes. Set up daily email alerts to notify you whether the backup completed successfully, and treat a missing alert as a failure rather than as good news.

9. Back up your cloud resources

Many businesses and organisations now incorporate the cloud into their operations in one form or another. Microsoft 365 is one common example of this.

It is easy to assume that the cloud service provider backs up your data and can recover it for you after an incident. This is a common misconception. Cloud providers operate under a shared responsibility model: they commit to service levels for the availability of the platform, but your data (email, files, configuration) and its recovery from accidental deletion, a malicious insider or ransomware remain your responsibility. Built-in retention features such as recycle bins and version history are not a backup: they have limited retention periods and can be emptied by anyone who has taken over the account. A number of commercial solutions are available for backing up data that is stored in the cloud.

10. Have a recovery plan in place

A widely quoted figure, though one whose provenance is disputed, is that up to 60% of SMEs that suffer a serious cyber attack cease trading within six months. Whatever the true number, a serious incident with no plan for recovering from it is an existential risk for a small business.

If you are unfortunate enough to find yourself at the stage where your systems have been compromised, it’s too late to start thinking about how you are going to recover and resume normal business operations.

Your cyber security strategy should be incorporated into your business continuity planning. Identify the key elements of your business and the key people, processes and systems that make them possible. Think about the risks to these key elements: cyber attacks, human error, fire, flood, etc. Have contingency and disaster recovery plans in place. Decide who the members of the response team will be and how you will contact them. Ensure that responders have access to the information and resources they need to restore operations as quickly as possible, and keep a copy of the plan, contact details and key passwords somewhere that does not depend on the systems you are trying to recover; a plan stored only on the file server that ransomware has just encrypted is no plan at all.

11. Implement clear cyber security policies

An effective cyber security policy should provide clear purpose and objectives. It should cover risk assessment, access controls, password management, employee training, acceptable use, incident response plans, disaster recovery and more. The policy should provide necessary information and guidance to stakeholders and provide evidence to support governance and compliance. Importantly, any documentation should be kept up to date.

12. Stakeholder buy-in

Don’t overlook the importance of stakeholder buy-in at all levels within the organisation. The starting point for success is when business owners, senior management and leaders are fully invested in the importance of cyber security to the continued operation of the business and are able to communicate this effectively throughout the organisation. As with any endeavour, stakeholder buy-in and ongoing commitment are crucial to achieving your objectives.

Don’t fall into the trap of satisfying a tick-list. It is easy to treat the implementation of a cyber security programme as a series of boxes to tick and to believe that once the boxes are ticked, you can forget about them.

Once you have decided on a course of action and committed the resources to put cyber security policies in place and act on them, you need regular reviews to ensure that they remain effective. It is all too easy to treat cyber security as a one-off event and then assume everything is fine. As with any other area of the business, it is important to hold periodic reviews to confirm you are achieving the desired results.