Cyber security for SMEs
- Published: Friday, 26 May 2017 13:18
In September 2012, UK Government department of Business Innovation and Skills (BIS) and the Cabinet Office and CESG (the information security department of GCHQ) published guidance on 10 steps to cyber security. The steps can substantially reduce the risks by helping to prevent or deter the majority of types of attacks.
The full article: https://www.ncsc.gov.uk/guidance/10-steps-cyber-security
The UK government introduced a Cyber Essentials and Cyber Essentials plus standard in order to provide a good-practice certification that companies can use to show other companies that they are achieving the required standards.
The Cyber Essentials covers 5 key step areas:
- Secure Configuration
- Boundary firewalls and internet gateways
- Access control and administrative privilege management
- Patch management
- Malware protection
Depending upon the assessment board you select, you may also have an external vulnerability scan.
For Cyber Essentials plus, both an external and internal vulnerability scans are required.
1. Protect your Network - network security
- Locate the device which connects your company to the Internet - this is generally the router provided by your Internet Service Provider (ISP) and check that it has a firewall built in to provide a layer of protection. Regularly check/install if there are firmware/software updates.
- If you are using mobile devices ensure they have firewalls enabled.
- Quite often your operating system will have a built in firewall as well as a basic antivirus software, ensure these are enabled and up to date.
2. User Education
- When a member of staff joins your company, ensure they know your company policy in regards to computer usage.
- Remind staff regularly about good security practices, such as changing passwords. If your policy changes ensure everyone has understood the changes.
- Make sure they know not to click on website/email links unless they know the source or not to open attachments if they are not expecting them.
3. Manage User Access
- Implement Usernames and passwords to control log on. Good passwords contain upper and lower case characters, numbers and symbols, minimum number of characters is 8 but as the speed of processors improve, use of bio-security and two-factor authentication will improve protection.
- Don't write down passwords or have shared users.
- Only give users enough permissions for their roles. Keep data separated
4. Secure configuration
- Document your IT assets including hardware, software and key IT staff
- Install current software and patches or firmware immediately they are issued. Ensure your software is fully licensed.
- check for technical weakness regularly (vulnerability or pen testing). Regularly can mean annually, or after a change of hardware or software.
5. Removable media
- If you transfer critical data via DVD, USB or Flash drive, only permit business issued devices are used or devices controlled by the business.
- Keep a log of the data and who has it and any software installed.
- All removable media should be encrypted or password protected and scanned for malware upon use.
6. Home and Mobile working
- Mobile devices should be approved and maintained so that the software such as anti-malware and operating systems update automatically on a daily basis.
- Users should authenticate to access the PC and over VPN.
- Devices should be encrypted when possible.
- Devices should be remotely tracked and wiped.
- Staff should inform management if the device is lost or stolen immediately so they can be wiped.
7. Malware Protection
- Use anti-malware or security package from mainstream suppliers and use across the whole business.
- Ensure that regular scans are completed daily and updates are enforced.
- Follow manufacturers best practice for software features
8. Information Risk Management
- Decide who is responsible for management of the risk and how much you wish to take.
- Identify your most valuable information in the company and if appropriate mark as "confidential" or similar
- Create a Security Policy describing what you want to do to manage the risk and include any steps. Distribute the policy to all staff.
- Allocate security responsibility clearly to ensure staff understand.
- Monitoring can detect potential hardware faults and unusual activity on your network or internet connection. Some anti-malware or anti-virus suites will include some monitoring or notification service.
- If your business has a large network, use a network management tool to detect unusual activity. This could include monitoring traffic or IP usage.
- Ensure that your staff report unusual activity and that you have sufficient plans and expertise to react quickly.
10. Incident Management
- Any attacks should be flagged by the firewall or security packages.
- Log anything that interferes with the business as an incident
- Decide what to do and who does it in the event of an incident.
- Get expertise to deal with your incidents. This may include having an IT support agreement with an outsourced company even if you have in-house expertise, or having the a warranty details for the manufacturers support team.
This article highlights a number of key areas for SMEs would need to address before they can attain the Cyber Essentials certification.
Should your company need assistance with any part of this process please contact us.