By Pete Bowers, COO at NormCyber
As companies mature and grow, the range of cyber attack vectors they face is expected to grow with them, which prompts many to consider large-scale technological solutions. While it’s true that a sophisticated technology stack can be effective against a myriad of threats, a large upfront investment or vendor lock-in is not the only way to go. What’s more, on top of any technical measures there must be organisation-wide processes and practices in place that uphold good cyber hygiene and compliance.
In fact, when we scratch beneath the surface, many businesses, including SMEs, have a number of ‘cybersecurity blind spots’ which can render even the best solutions money can buy powerless in the face of a serious attack. The good news is that enhancing defences in these key areas needn’t be costly or difficult. Let’s look at them one by one.
What’s the password?
It’s tempting to take the easier path when it comes to passwords and opt for something familiar that doesn’t take long to type, but do so at your own peril. Hackers are increasingly familiar with the keystrokes and logic people gravitate towards when composing passwords.
Until recently, the general advice was to use a combination of upper- and lower-case letters, numbers and symbols to throw hackers off the scent. Cyber criminals are always honing their skills, however, and, depending on the password’s length, can crack such passwords almost instantly.
Now, the National Cyber Security Centre (NCSC) advises using three random words, with upper- and lower-case letters in a random assortment, to make a strong passphrase that would take cybercriminals years to crack. The longer a password takes to crack, the less likely the cybercriminal is to persist; they will move on to lower-hanging fruit instead.
Having the MFA factor
Multi-factor authentication (MFA) is the next best, and in today’s climate an essential, line of defence against cybercriminals. Often a free feature from most software providers, MFA requires a unique six-digit passcode alongside the password to gain access to an account. So, if a cybercriminal cracks your password or stumbles upon it on the dark web, they still won’t be able to access the account without the multi-factor authentication code.
Many well-known cyber incidents could have been prevented by implementing multi-factor authentication. The reason most SMEs cite for not enabling this feature is a fear that it will slow down day-to-day operations. Ultimately though, businesses must weigh this against the potential disruption, loss of data and revenue, and services grinding to a complete halt that ensue in the aftermath of even the most primitive of cyberattacks.
Patching vulnerabilities is easy
When the topic of ‘patching vulnerabilities’ is raised within businesses, many people tend to lose interest, as it might seem like an overly technical job, or an inconvenience to ask technical support to perform on their behalf. In reality, the core updates for most laptop PCs can often be deployed simply by clicking the ‘Update and restart’ button in Windows when it appears.
When we’re busy, it is easy to ignore update alerts, but updates are issued for a reason: to enhance the features of installed software and to fix its weaknesses. Your provider might have identified a weak spot in the operating system and acted to fix it, but it now falls to you and your organisation to allow the patching to go ahead as planned. Every deferred update could put the business one step closer to a damaging attack, so it pays not to leave updates pending for long.
Antivirus – small cost, huge payoff
Like their real-life counterparts, computer viruses have a basic function: to enter a system, propagate and do as much damage as possible while they can. Anti-virus is one of the only measures on this list to come with a price tag, but it is important to have it in place to detect any malware that may be inadvertently installed on a machine, isolate it and prevent it from infecting other machines on the network.
Ensure anti-virus is installed on all machines within the business and keep it up to date. The anti-virus software itself will also require updates, and these should be allowed to run as soon as possible for it to remain effective.
Keep admin rights tight
While you wouldn’t think to restrict administrative rights on a personal laptop – it is your laptop, so you can install and delete anything you want – the same shouldn’t be said of work devices. If a cybercriminal were to gain access to a user’s laptop, you don’t want them to have full administrative access. If they do, they’ll be able to move across the entire network and you’ll find yourself in a very sticky situation: files could be wiped or exfiltrated easily. Worse still, malware could be installed in the event of a breach, compromising not just a single device but every device on your network.
If, on the other hand, the user’s laptop is restricted to only the access it needs, an attacker won’t be able to inflict widespread damage. By keeping admin rights tight from the start, the attack surface available to hackers is drastically reduced.
Going one step further – when to outsource the cybersecurity management burden
A common thread among these five aspects is people. Secure organisations have vigilant staff who know how to spot malicious emails and understand the responsibility that lies with them to report a suspected incident. They also have well-staffed teams that can oversee and advise on all aspects of an effective cybersecurity and data protection programme: people, process and technology. When this task gets too complicated and starts spilling into the laps of people whose roles don’t carry the appropriate knowledge, it’s worth investing in the expertise of others.
Rather than navigate the maze of cybersecurity products, compliance procedures and evolving business needs alone, more and more SMEs choose to outsource this management burden to managed service providers, staffed by technical and legal experts who are guaranteed to have advised other businesses in similar situations. Acting as the extended cybersecurity arm of the organisation, they can also train and test staff in the latest cyber hygiene practices and alert organisations immediately to new or emerging threats spotted in their dedicated Security Operations Centres.
Whether your organisation just needs help with the basics covered in this article, or something more sophisticated, the key point is this: ensuring good cybersecurity doesn’t ever need to be too much of a headache!