Familiarising yourself with, and taking, even the most basic security steps can go a long way to protecting yourself or your organisation from a cyber attack. The National Cyber Security Centre's (NCSC) small business guide provides easy-to-follow guidance on the measures you can take to improve your cyber security. It applies equally to households and to small businesses.
Watch these short videos from the NCSC and apply these tips to help secure your home or organisation.
All businesses, regardless of size, should take regular backups of their important data, and should make sure those backups are recent and can actually be restored (a backup you have never tried to restore is an assumption, not a backup). By doing this, you ensure your business can still function after flood, fire, physical damage, theft or a ransomware infection.
Steps to be taken:
- Identify what data needs to be backed up
- Keep your backup separate from your computer (offline, or otherwise not writable from it, so that malware on the computer cannot encrypt or delete the backup too)
- Consider the cloud
- Make backing up part of your everyday business
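The four steps above form one procedure, and the part most often skipped is proving the backup restores. The following is an added example, not code from the NCSC guide: it backs up a small constructed "accounts" folder to a compressed archive with a SHA-256 manifest, restores it into a scratch directory and checks every file's hash, and shows that a file the backup never captured is reported rather than silently lost. The folder contents, file names and paths are all made up for the demonstration.

```python
"""Added example (not from the NCSC guide): back up a folder, record a
SHA-256 manifest, then prove the backup can be restored by unpacking it
and checking every file's hash. All paths and sample files are
constructed for the demonstration."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, '/'-separated) to its hash."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(source: Path, archive: Path) -> dict:
    """Write source into a .tar.gz and a JSON manifest beside it."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(source), arcname=".")
    archive.with_suffix(".manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_restore(archive: Path, manifest: dict) -> list:
    """Restore into a scratch directory and return a list of problems.

    An empty list means every file came back with the expected hash."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # The 'data' filter refuses archive entries that would escape
                # dest (path traversal); available on Python 3.12+ and backports.
                tar.extractall(dest, filter="data")
            except TypeError:  # older Python without the filter argument
                tar.extractall(dest)
        restored = build_manifest(dest)
        for name, digest in manifest.items():
            if name not in restored:
                problems.append(f"missing after restore: {name}")
            elif restored[name] != digest:
                problems.append(f"corrupted: {name}")
        for name in restored:
            if name not in manifest:
                problems.append(f"unexpected file: {name}")
    return problems


def make_sample(work: Path) -> Path:
    """Create a small constructed 'accounts' folder to back up."""
    source = work / "accounts"
    (source / "2024").mkdir(parents=True)
    (source / "customers.csv").write_text("id,name\n1,Example Ltd\n")
    (source / "2024" / "invoices.txt").write_text("INV-001 paid\n")
    return source


def demo() -> tuple:
    """Back up the sample folder, verify a clean restore, then show that a
    file the backup never captured is reported instead of silently lost."""
    with tempfile.TemporaryDirectory() as work:
        source = make_sample(Path(work))
        archive = Path(work) / "backup" / "accounts.tar.gz"
        archive.parent.mkdir()
        manifest = create_backup(source, archive)
        clean = verify_restore(archive, manifest)
        # Pretend the spreadsheet should have been included but was not.
        expected = dict(manifest, **{"2024/ledger.xlsx": "0" * 64})
        incomplete = verify_restore(archive, expected)
        return clean, incomplete


if __name__ == "__main__":
    ok, bad = demo()
    print("clean restore problems:", ok)
    print("incomplete backup problems:", bad)
```

The restore test is the point: run it against a copy of the real archive on a schedule, not just once when the backup job is set up, because an archive that decompresses is not the same as one whose files match what you expected to keep.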
Malicious software (also known as 'malware') is software or web content that can harm your organisation; the 2017 WannaCry ransomware outbreak is a well-known example. The oldest and most familiar form of malware is the virus, a self-copying program that infects legitimate software.
Steps to be taken:
- Install (and turn on) anti-virus software
- Do not download dodgy apps: install software only from official app stores or the vendor's own site
- Keep all your IT equipment up to date (patching)
- Control how USB and memory cards can be used
- Switch on your firewall
Mobile devices are now as powerful as traditional computers, and because they often leave the safety of the office (and home), they need even more protection than 'desktop' equipment.
Steps to be taken:
- Switch on password protection
- Make sure lost or stolen devices can be tracked, locked or wiped
- Keep your device up to date
- Keep your apps up to date
- Don’t connect to unknown wi-fi hotspots
Your laptops, computers, tablets and smartphones will contain a lot of your own business-critical data, the personal information of your customers, and also details of the online accounts that you access. It is essential that this data is available to you, but not available to unauthorised users. Passwords - when implemented correctly - are a free, easy and effective way to prevent unauthorised users accessing your devices.
Steps to be taken:
- Make sure you switch on password protection
- Use two-factor authentication for important accounts
- Avoid using predictable passwords
- Change all default passwords
Phishing emails are getting harder to spot, and some will still get past even the most observant users. Whatever your business, however big or small it is, you will receive phishing attacks at some point.
Steps to be taken:
- Configure accounts to reduce the impact of successful attacks
- Think about how you operate
- Check for the obvious signs of phishing
- Report all attacks
- Check your digital footprint
The ways that we patch our IT may change over time, but patching - in general - has always been good for security. Patching closes vulnerabilities before attackers can exploit them. It is the single most important thing you can do to secure your technology: apply updates promptly, and turn on automatic updates wherever the product offers them.
Many attacks are the result of stolen credentials or compromised data. Attackers use cleverly designed social engineering, or exploit data breaches, and the stolen credentials are then offered for sale or use on the dark web.
You can use the Have I Been Pwned? service to check whether your email address has appeared in a known data breach. If it has, act on it: change the password for that account, and for any other account where you reused it, and turn on 2FA.
Our advice is to protect your credentials through the use of two factor (2FA) or multi-factor authentication (MFA) where possible.
Two-factor authentication (2FA)
is a security process in which the user provides two different ways to verify who they are, to better protect both the user's credentials and the resources the user can access.
Multi-factor authentication (MFA)
is the general form: the user is granted access only after successfully presenting two or more pieces of evidence (factors) to an authentication mechanism, drawn from different categories: knowledge (something only the user knows, such as a password), possession (something only the user has, such as a phone or hardware token), and inherence (something the user is, such as a fingerprint). The factors must come from different categories; two codes sent to the same phone are not two factors.
Cyber threats and mitigations
The following common cyber threats are explained and the protections listed.
- Email compromise
- Vulnerability scanning
- Supply Chain attacks
- Internet of Things (IoT)
Email compromise protection
Email compromise, or Business Email Compromise (BEC) for organisations, is where an attacker takes over (or convincingly spoofs) an email account and impersonates you to your contacts and associates, using that trust to extract money or data, or to persuade someone to click a link or open an attachment that delivers malware.
This can take the form of the following types of BEC attack:
- Bogus Invoice fraud
- CEO fraud
- Account Compromise
- Solicitor Compromise
- Data and IPR Theft
Understand these most common methods of attack and make sure they are communicated around your household or organisation, so that everyone knows what to look out for. If a request is at all uncertain, always verify it through a trusted channel, e.g. a telephone number you already hold for the person, never one supplied in the email itself.
Combining this with two-factor or multi-factor authentication, and with well-known processes (agreed with staff, friends and family, or your bank) for verifying any change to a payment request or to payment details, will reduce the probability of falling victim to this type of attack.
Phishing emails range from extremely easy to spot to almost impossible. Attackers use increasingly sophisticated techniques to fool you into parting with sensitive information.
There is no ‘catch-all’ method for stopping phishing, you must remain vigilant at all times and treat all emails and websites with caution when online.
The threats posed by today’s advanced phishing techniques can be significantly reduced by understanding what to look out for and vigilance.
This video highlights some steps to be aware of to identify a Phishing attempt.
The following layered approach from NCSC is advised.
- Make it difficult for attackers to reach your users
- Help users identify and report suspected phishing emails
- Protect yourself from the effects of undetected emails
- Respond quickly to incidents
See the NCSC's new Phishing Guidance
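The "check for the obvious signs of phishing" step earlier and the "help users identify and report suspected phishing emails" layer above both come down to a handful of checks that can be written out. The following is an added example, not code from the NCSC guidance: a small checker run over a constructed sample message that flags a look-alike sender domain, a display name that claims a brand the address does not have, a Reply-To that diverts replies elsewhere, a link whose visible text differs from its real destination, a trusted name buried inside an unrelated domain, a plain-http link, and pressure language. The trusted-domain list, the sample messages and the confusable-character table are all assumptions made for the demonstration; a real mail filter would add the receiving server's SPF, DKIM and DMARC results to these checks.

```python
"""Added example (not from the NCSC guidance): flag the obvious signs of
phishing in a raw email. The trusted-domain list and both sample messages
are constructed for the demonstration."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"examplebank.com"}  # assumed: senders you expect mail from
URGENCY = ("urgent", "immediately", "suspended", "within 24 hours", "verify now")
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}\S*", re.I)


def skeleton(domain: str) -> str:
    """Collapse common look-alike characters so examp1ebank == examplebank."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def domain_findings(domain: str, where: str) -> list:
    """Compare one domain against the trusted list; empty list means trusted."""
    d = domain.lower()
    if d in TRUSTED_DOMAINS or any(d.endswith("." + t) for t in TRUSTED_DOMAINS):
        return []
    for t in TRUSTED_DOMAINS:
        if skeleton(d) == skeleton(t):
            return [f"{where}: look-alike of {t}: {domain}"]
        if t in d:  # e.g. examplebank.com.verify-login.net
            return [f"{where}: trusted name embedded in unrelated domain: {domain}"]
    return [f"{where}: untrusted domain {domain}"]


def check_message(raw: str) -> list:
    """Return a list of human-readable phishing indicators found in `raw`."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg["From"] or ""))
    from_domain = addr.rpartition("@")[2]
    findings += domain_findings(from_domain, "From")
    # Display name borrows a trusted brand the sending domain does not have.
    claims_brand = any(t.split(".")[0] in name.lower() for t in TRUSTED_DOMAINS)
    if claims_brand and domain_findings(from_domain, "From"):
        findings.append(f"display name '{name}' does not match sender domain {from_domain}")
    # Reply-To quietly redirects the conversation to another mailbox.
    reply_domain = parseaddr(str(msg["Reply-To"] or ""))[1].rpartition("@")[2]
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To goes to {reply_domain}, not the sender's {from_domain}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    # Links: real destination vs. what the reader sees.
    for href, label in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', text, re.I | re.S):
        host = urlparse(href).hostname or ""
        findings += domain_findings(host, "link")
        shown = re.sub(r"<[^>]+>", "", label).strip()
        if LOOKS_LIKE_URL.fullmatch(shown):
            shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
            if shown_host.lower() != host.lower():
                findings.append(f"link text shows {shown_host} but points to {host}")
        if href.lower().startswith("http://"):
            findings.append(f"link is plain http: {href}")
    # Pressure language in subject or body.
    plain = re.sub(r"<[^>]+>", " ", str(msg["Subject"] or "") + " " + text).lower()
    hits = [w for w in URGENCY if w in plain]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real mail).
SAMPLE = """\
From: "ExampleBank Security" <alerts@examp1ebank.com>
Reply-To: recovery@mail-desk-support.net
To: owner@smallbiz.example
Subject: URGENT: your account will be suspended
Content-Type: text/html; charset="utf-8"

<p>Dear customer, verify now or lose access within 24 hours.</p>
<p><a href="http://examplebank.com.verify-login.net/x">https://examplebank.com/login</a></p>
"""

CLEAN = """\
From: "ExampleBank" <alerts@examplebank.com>
To: owner@smallbiz.example
Subject: Your statement is ready
Content-Type: text/html; charset="utf-8"

<p>Your statement is available at <a href="https://examplebank.com/statements">examplebank.com</a>.</p>
"""

if __name__ == "__main__":
    for line in check_message(SAMPLE):
        print("-", line)
    print("clean message findings:", check_message(CLEAN))
```

None of these indicators is proof on its own, and a well-crafted message can avoid all of them, which is why the layered approach also protects against the emails that get through and makes reporting easy.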
Vulnerability scanning is mainly aimed at organisations: make sure you and your IT support have a process in place to test your systems for known vulnerabilities and to remediate what is found.
This process is often referred to as vulnerability scanning and penetration testing. Cyber Essentials Plus certification includes an independent vulnerability scan and test of your systems, giving additional assurance that they are secure.
Supply Chain Attacks
As your organisation grows and starts to work with more customers, suppliers and partners, you become a link in one or more complex supply chains. Being a desirable, trustworthy supplier or customer now extends far beyond delivering good products or services, providing great customer care and paying on time.
Today’s way of conducting business means that you must observe good practice (and in many cases, compliance) when it comes to cyber and information security because vulnerabilities put not only your own organisation at risk … but also that of the others up and down the supply chain.
- Customer / client, supplier and partner data is held increasingly on disparate, distributed databases, so one vulnerability could compromise the integrity of the entire chain.
- Data could also be shared between more links in the chain, for example via email or single point of access online portals.
- Every new organisation that joins the supply chain increases the risk of a security breach.
- Financial safety, employee safety, intellectual property, data compliance and reputation are all at stake, for every organisation in the chain.
Achieving acceptable standards in the supply chain
An organisation's supply chain is the set of suppliers and services it needs in order to deliver its business. It is essential that every organisation in the supply chain has secure systems and practices, can demonstrate this to the others in the chain, and in turn has confidence in the others in the chain.
You should also establish at the earliest possible point in your entry into the supply chain, the existence, nature and level of security required (if any), and agree or negotiate according to your own requirements and standards, and those of your partners in the chain. Large partners are more likely to have rigid stipulations, but these may vary according to the size and nature of your organisation and its role in the chain.
It may be that one of the levels of the IASME or Cyber Essentials certification is acceptable.
Internet of Things (IoT)
Smart devices offer more access points than ever before: wireless lights, thermostats, home security sensors, intelligent streetlights, smart meters and many more. These millions of sensors and devices present a great opportunity for attackers and a great exposure for all of us, because many of them ship without proper security measures to protect them, and in turn you and your organisation.
Without proper security in place, every piece of data we generate, intentionally or passively, could be open to misuse: identity theft, financial fraud, and potentially even harm to our health. Implementing security will remain critical to controlling how that data is used.
Many of these devices are very beneficial to us and our organisations, but it is essential that we also understand the risks and threats associated with their use and deployment in our homes and organisations.
The UK government is working with suppliers to implement its Code of Practice for Consumer IoT Security, which will help ensure that products sold in the UK are designed with security in mind.
Whether you are an individual or a multinational organisation, people use technology, and everyone needs to understand which actions and behaviours make us more cyber secure.
- Cyber awareness and training
- Password protection – basic authentication
- Two or multi-factor authentication
- Be phishing and scam aware
- Routines for better cyber health
- Use of pen drives (USB sticks)
- Get assurances – get a trusted IT party to provide advice and support.
- Basic IT training & awareness - Know how to recover your systems and data
Process and policy for businesses
- No USB devices – lock down access to these where possible
- Passwords – unique, unpredictable passwords, with two-factor authentication wherever it is offered
- Training and awareness
- Access controls and secure configuration
- Patching policy
- Reduce/remove legacy systems
- Incident and recovery processes