One business suffered a data breach in which the attacker gained full control of the company’s email accounts after a successful phishing email, then tried to get multiple fake invoices paid. It was only caught when the person in accounts wanted to check they were paying with the correct card. The IT support company that assisted with this suggested the breached company change their email passwords, enable multi-factor authentication on all email accounts, let the staff know what had happened and inform the ICO. To be fair, all of this is technically correct, but it is just the tip of the breach response iceberg.
I asked if the breached account used the same username and password combination anywhere else; shock, shock, they did, but the IT support company never asked this. I asked if their customers and suppliers had been notified, since the attacker had gained full access to all emails and contacts; again it was a no. The final question I asked was: apart from what their IT support did, were there any other updates or suggestions to policies, procedures, solutions or training by IT support? A long silence, followed by a slightly worried no.
IT support is NOT information security!!
If you are unable to afford a dedicated internal resource, I would suggest utilising the skills and expertise of a security professional in the role of virtual CISO / CIO / ISO. This service could be as little as annual meetings with senior managers, alongside quarterly reviews and phone assistance when required. Having this resource means a company should be able to maintain an up-to-date and understood incident response plan, improve its level of security with regard to both systems and personnel, and have a trusted expert it can call upon with confidence.
For small businesses this is the most efficient and cost-effective way to increase security maturity.
If you want to discuss this in more detail get in touch.
Lee Gilbank is one of the founders of Yorcybersec. When he’s not working with his clients, he geeks out on jigsaw puzzles, cycling, and playing video games with his children.