In the article below, our Founding Partner, Irwin Mitchell, outlines straightforward ways to manage cyber-risk effectively. First, every business should have a cybersecurity strategy and someone who owns it. The strategy should identify your current cybersecurity status and gaps, what you want to achieve, and by when.
You can't do everything and you'll have a limited budget, but a good way to start is to pick an industry cybersecurity standard. Many good cybersecurity frameworks are available online and many are free to use (including Cyber Essentials). A pragmatic one for SMEs is the NCSC's 10 Steps to Cyber Security.
1. Cloud Services are the primary target for criminals
The risk is that online services can be accessed from anywhere in the world with nothing more than a username and a password. As more 'cloud' services are adopted, Office 365 in particular, they have become the primary target for criminals because an account can be taken over with just a stolen or guessed password.
Use two-factor authentication for all remote access, including email and other key online services such as Office 365.
Educate colleagues on choosing strong passwords and on never reusing a password across services.
Sign up to haveibeenpwned.com (free) to be notified automatically when an account using your email address appears in a breach. If your email address turns up in a third-party breach, change the password on every online service where you used the same email-and-password combination, not just the breached site.
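The same site also offers a Pwned Passwords lookup that you can build into a password-change form so a colleague cannot pick a password already seen in a breach. The example below is added here and is not code from the article or from haveibeenpwned.com; it shows the k-anonymity protocol the service uses: only the first five hex characters of the password's SHA-1 hash leave the machine, and the remaining 35 are matched locally against the returned range. The range response embedded in the code is a constructed stand-in with made-up counts, used so the example runs offline; `fetch_range_live` calls the real endpoint and is an assumption about how you would wire it in.

```python
import hashlib
import urllib.request

# Constructed stand-in for the range endpoint, keyed by 5-character prefix.
# Real responses hold hundreds of lines; these counts are made up.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "011053FD0102E94D6AE2F8B83D76FAF94F6:1",
    ]),
}


def sha1_hex(password):
    """Upper-case hex SHA-1, the form the Pwned Passwords range API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range(hexdigest):
    """First 5 hex chars are sent to the service; the other 35 never leave the host."""
    return hexdigest[:5], hexdigest[5:]


def parse_range_response(text):
    """Turn 'SUFFIX:COUNT' lines into a dict. Padding entries (count 0) are kept harmlessly."""
    table = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        table[suffix.strip().upper()] = int(count.strip())
    return table


def fetch_range_live(prefix):
    """Fetch a range from the real service (assumed wiring; not used by the offline test).
    Add-Padding asks the service to pad responses so their size does not leak the prefix."""
    req = urllib.request.Request(
        "https://api.pwnedpasswords.com/range/" + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def fetch_range_sample(prefix):
    """Offline fetcher backed by the constructed sample above."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


def pwned_count(password, fetch=fetch_range_sample):
    """Return how many times the password has been seen in breaches (0 = not found)."""
    prefix, suffix = split_for_range(sha1_hex(password))
    table = parse_range_response(fetch(prefix))
    return table.get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", pwned_count(candidate))
```

To check against the live service, call `pwned_count(candidate, fetch=fetch_range_live)`; a non-zero result should reject the password outright. Note that the check is on the password, not the email address, so it complements rather than replaces the breach notifications above.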
2. Ransomware locks up your files
Ransomware is malware (malicious software) that encrypts your files and demands a payment to release them. It is typically delivered to victims via phishing emails or compromised websites.
Remove 'local admin rights' from normal user accounts (this alone mitigates around 85% of the malware risk, because most malware runs with the privileges of the user who opened it and needs admin rights to install itself or disable defences).
Use antivirus on all your computers and ensure it is kept up to date automatically.
Ensure your laptops and desktops are automatically kept up to date with security patches.
Block malicious emails using a Secure Email Gateway (email filtering).
Disable 'macros' in Microsoft Office products, especially for documents that arrive as email attachments in Outlook; a macro in a Word or Excel attachment is the classic ransomware delivery mechanism.
Maintain regular back-ups of critical data & systems.
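One check a Secure Email Gateway performs on the way to blocking macro-bearing attachments is illustrated below. This is an added example, not code from the article or from any gateway product. It opens an Office Open XML attachment (.docx, .xlsm and friends are zip packages) and looks for a VBA project part and macro-enabled content type regardless of the filename extension the sender chose, and holds legacy OLE2 documents (.doc/.xls), which cannot be inspected without a dedicated parser, for review. The sample attachments are constructed in memory and contain no real macro code; the content types and the `vbaProject.bin` part name are the real ones Office uses.

```python
import io
import zipfile

# Magic bytes of the two Office container formats.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt (OLE2)
ZIP_MAGIC = b"PK\x03\x04"                           # OOXML package (.docx/.xlsm/...)

# Main-part content types that mark a package as macro-enabled.
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
)
PLAIN_WORD_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def build_ooxml(with_vba):
    """Build a minimal Word package in memory (constructed test data, not a real document)."""
    main_ct = MACRO_CONTENT_TYPES[0] if with_vba else PLAIN_WORD_CT
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Override PartName="/word/document.xml" ContentType="%s"/>' % main_ct
    )
    if with_vba:
        content_types += '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
    content_types += "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes, not a VBA stream
    return buf.getvalue()


def classify_attachment(filename, data):
    """Return 'block', 'review' or 'allow' for one attachment.

    The decision is made on the bytes, not the filename: a renamed .docm still
    carries its VBA project inside the zip.
    """
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = set(z.namelist())
                ct_xml = ""
                if "[Content_Types].xml" in names:
                    ct_xml = z.read("[Content_Types].xml").decode("utf-8", "replace")
        except zipfile.BadZipFile:
            return "review"                       # corrupt or deliberately malformed package
        has_vba_part = any(n.lower().endswith("vbaproject.bin") for n in names)
        has_macro_ct = "vbaProject" in ct_xml or any(t in ct_xml for t in MACRO_CONTENT_TYPES)
        return "block" if (has_vba_part or has_macro_ct) else "allow"
    if data.startswith(OLE_MAGIC):
        return "review"                           # legacy format: needs an OLE parser to check for macros
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in {"docm", "xlsm", "pptm", "dotm", "xlam"}:
        return "block"                            # claims to be macro-enabled but is not a valid package
    return "allow"


if __name__ == "__main__":
    print("invoice.docm ->", classify_attachment("invoice.docm", build_ooxml(True)))
    print("invoice.docx (renamed) ->", classify_attachment("invoice.docx", build_ooxml(True)))
    print("report.docx ->", classify_attachment("report.docx", build_ooxml(False)))
```

A gateway rule built on this would quarantine anything classified `block`, route `review` items to a sandbox or to oletools-style inspection, and still strip or sandbox `allow` items that contain external links or embedded objects, since macros are only one of the tricks phishing attachments use.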
3. Phishing is the most common type of cyber-attack
Phishing is the digital equivalent of the confidence trick: it is used to plant malware, to steal your online service passwords or other confidential information, or to trick you into financial fraud.
According to the FBI, phishing remains the most common type of cyber-attack and leads to the largest financial losses (for example, fake CEO emails requesting an urgent bank transfer).
Conduct all-colleague security awareness training on cybersecurity at least annually, with a particular focus on phishing awareness.
Conduct regular phishing testing to keep up a good level of awareness.
Clearly mark emails from external senders, for example with a banner reading "THIS IS NOT FROM US", so that a message impersonating a colleague stands out.
Put financial controls in place so that large payments by bank transfer are checked and approved by a second person, and any payment instruction received by email is verified by phone on a known number before it is acted on.
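The external-sender marking and the fake-CEO pattern above can be turned into a simple mail-flow check. The example below is added here and is not code from the article or from any mail product. It parses an incoming message, tags the subject and prepends a banner when the sender domain is not one of ours, and flags two signs of a payment-fraud email: a display name that matches a known colleague but comes from another address, and a Reply-To that points away from the From domain. The internal domain, the staff list and the two sample messages are constructed assumptions, not from the article.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for the example: our domain and the colleagues most often impersonated.
INTERNAL_DOMAINS = {"example.com"}
KNOWN_STAFF = {
    "jane doe": "jane.doe@example.com",   # hypothetical senior partner
}
EXTERNAL_TAG = "[EXTERNAL]"
BANNER = ("THIS IS NOT FROM US. This email came from outside the organisation. "
          "Verify any payment instruction by phone before acting on it.")

# Constructed sample messages.
SAMPLE_BEC = """From: "Jane Doe" <jane.doe@exampl3-mail.net>
Reply-To: jd.private@webmail.example
To: accounts@example.com
Subject: Urgent wire transfer

Please pay the attached invoice today. I am in meetings all day, do not call.
"""

SAMPLE_INTERNAL = """From: "Bob Smith" <bob.smith@example.com>
To: accounts@example.com
Subject: Lunch on Friday

Shall we book the usual place?
"""


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def is_external(addr):
    """True when the envelope-visible From address is not on one of our domains."""
    return _domain(addr) not in INTERNAL_DOMAINS


def impersonates_staff(display_name, addr):
    """Display name matches a known colleague but the address is not theirs."""
    key = " ".join(display_name.lower().split())
    expected = KNOWN_STAFF.get(key)
    return expected is not None and expected != addr.lower()


def reply_to_mismatch(msg):
    """Reply-To goes to a different domain than From: replies are being diverted."""
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    return bool(reply_addr) and _domain(reply_addr) != _domain(from_addr)


def assess(raw):
    """Return tagging decisions and fraud indicators for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    external = is_external(addr)
    result = {
        "external": external,
        "impersonation": impersonates_staff(name, addr),
        "reply_to_mismatch": reply_to_mismatch(msg),
        "subject": msg.get("Subject", ""),
        "body": msg.get_payload(),
    }
    if external:
        result["subject"] = EXTERNAL_TAG + " " + result["subject"]
        result["body"] = BANNER + "\n\n" + result["body"]
    # Impersonation of a colleague is quarantined outright; an external sender
    # diverting replies is held for review rather than merely tagged.
    result["quarantine"] = result["impersonation"] or (external and result["reply_to_mismatch"])
    return result


if __name__ == "__main__":
    for raw in (SAMPLE_BEC, SAMPLE_INTERNAL):
        r = assess(raw)
        print(r["subject"], "| quarantine:", r["quarantine"])
```

The display-name match is deliberately loose (case and whitespace are normalised) because attackers copy the name exactly as it appears in the address book; extend `KNOWN_STAFF` with anyone who can authorise payments. The banner is a warning, not a control: the payment checks in the list above still have to exist for the day the banner is ignored.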