Managing Director Steve Vowles recently provided a column for the Guernsey Press as part of a dedicated cyber security supplement. Steve’s column on Cracking the Cyber Security jargon code, exploring the various terms used and how to protect a business.
Can be read below:
Key cyber security threats facing SMEs and larger businesses – and how to protect yourself.
A simple definition of Cyber Security is the practice of defending computers, servers, mobile devices, electronic systems, networks and data from malicious attacks.
The term incorporates many contexts and disciplines: –
· Networks Security
Perimeter Next Generation firewall with Threat prevention covering all or some of :-Intrusion Prevention, in-line Anti-Virus, Bot detection, Anti-Spam, Content filtering and identity awareness.
Mobile Threat Protection, there is a multitude of malware that can infect a mobile device (Apple and Android). Many companies allow work email to be accessed via personal phones; this is a rich source of information for hackers.
· Application Security
Ensure that Operating Systems and Applications have the latest security patches. Applications that are accessible from the Internet or are Cloud based should be tested for vulnerabilities regularly and Penetration testing should be a key part of any new implementations.
· Information Security
Ensure any data that is stored locally or in cloud storage is encrypted both at rest and in transit and that access is limited to only authorised users. Have adequate password policies and refresh periods (this traverses all of the contexts here)
· Operational Security
This spans across all other disciplines and defines the method and permissions to access networks, data and applications. For example, using two factor authentication.
· Disaster recovery and backups
The advent and growth of ransomware has highlighted the necessity to ensure your data is backed up regularly, and that there are procedures and infrastructure accessible for business recovery in the event of catastrophic hardware failure or data loss.
· Endpoint Protection
Most businesses have mobile workers who utilise laptops and portable devices such as tablets and even mobiles to access company data. These devices are often used outside of the office and connected to public wifi networks, thus the perimeter firewall would not be in-line to provide protections for these devices.
Endpoint protection needs to be considered, this can range from standard desktop Anti-Virus to cloud based protection, forced VPN tunnels to ensure that the device continues to benefit from the corporate firewalls and full threat emulation services.
· Education of End users
Probably the most important of all – 90% of incidents and breaches incorporate an element of Phishing (inciting users to click on embedded links).
There should be a company security policy which incorporates compulsory security training and awareness, repeated at least twice yearly. There are also services that will carry out non-invasive phishing assessments on your behalf to measure the effectiveness of the training.
What is often overlooked by Small Businesses is that all of these contexts relate to them as well.
Primarily the difference between SME and large enterprise is the attack surface area, i.e. a large enterprise may have many offices, wide area networks cloud environments and ‘Software as a Service’ applications as well as many more devices and applications at large.
Whilst this sounds like a large task, there are many systems and services are now available targeted at the SME marketplace. In a nutshell, SME’s need to develop a Security Culture, by creating a comprehensive security policy, investing in appropriate technology at all levels, train staff and monitor the effectiveness of the steps developed above.