Network segmentation – Let’s start with getting your corporate network properly set up, by placing systems with different levels of risk into their own networks, separated from each other by firewalls or other filtering devices. For example, web servers facing the Internet to provide services to your customers are also the systems most exposed to attack, so you don’t want the company database housing sensitive data sitting in the same network segment; if a web server is compromised, the attacker should still have to get through a firewall that only allows the specific ports the application actually needs. Similarly, place your users into their own network segment so that a rogue employee (or malware on a staff laptop) can’t get direct access to core systems unless they are authorised to do so.
Anti-malware software – We have had anti-virus installed on our machines for years, but is it keeping pace with modern attacks? Signature-based scanning only catches known, commodity malware. For anti-malware software to be effective today it needs to look at behaviour as well, what a process is doing rather than what it looks like, so that it also covers phishing payloads and attempts by insiders to compromise an endpoint. Obviously, it needs to be kept up to date, it needs to actually be running on every machine (check this, don’t assume it), and it needs to be deployed on mobile devices where they present a risk.
Patching – The bad guys find a hole in the software that runs your systems, and unless you patch it quickly, you could be hacked. Patching is easy to automate on non-business-critical systems and is one of the most essential elements of maintaining a secure and robust network and organisation. This becomes harder with business-critical systems and you may require a test environment to ensure nothing is going to come crashing down when a patch is applied, but if you are at this size or stage your IT/InfoSec team or partner should know how to handle this. Critical fixes are released all the time, and I hate to think how many organisations are missing them through bad practices.
Multi-factor authentication (MFA) – A simple username/password combination only provides a certain amount of protection, and if people reuse the same password across different accounts, or store their passwords insecurely, then abuse of those credentials becomes more likely. MFA adds a second method of verifying that a logon is genuine: these days usually a one-time code generated by an authenticator app on the user’s phone, or a push notification to it (codes sent by SMS are better than nothing, but they can be intercepted, so prefer an app where you can). In most cases businesses can do this for free using services provided by Microsoft, Google or Authy. Do it! It may just save you some embarrassment and money.
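As an added example (not code from the original post or from Yorcybersec), here is what is actually going on inside those authenticator-app codes: the HOTP/TOTP algorithms from RFC 4226 and RFC 6238, plus the server-side check a service has to do. It assumes the per-user secret has already been provisioned (the QR-code step); the secret and expected codes used below are the public test vectors from those RFCs, not real credentials.

```python
"""Added example, not code from the original post: RFC 4226 HOTP / RFC 6238 TOTP,
the algorithm behind authenticator-app codes, plus server-side verification.
Assumes the per-user secret has already been provisioned (e.g. via a QR code)."""
import hashlib
import hmac
import struct
from typing import Optional

# Shared secret from the RFC 4226/6238 test vectors (ASCII "12345678901234567890").
# A real deployment generates a random secret per user and stores it encrypted.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP where the counter is the number of `step`-second periods since the epoch."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_counter: Optional[int] = None, window: int = 1,
                step: int = 30, digits: int = 6) -> Optional[int]:
    """Server-side check. Returns the matched time-step counter on success, else None.

    - Accepts the current step plus `window` steps either side, because phone
      clocks drift; window=1 at a 30 s step tolerates roughly +/-30 s of skew.
    - Rejects any counter <= last_counter so a phished or shoulder-surfed code
      cannot be replayed within its validity period; the caller must persist
      the returned counter per user.
    - Uses hmac.compare_digest so response timing does not leak how many
      leading digits matched.
    """
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    now = unix_time // step
    for counter in range(now - window, now + window + 1):
        if counter < 0 or (last_counter is not None and counter <= last_counter):
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


if __name__ == "__main__":
    import time
    t = int(time.time())
    code = totp(RFC_TEST_SECRET, t)
    print("current code:", code)
    print("accepted at counter:", verify_totp(RFC_TEST_SECRET, code, t))
    print("replay rejected:", verify_totp(RFC_TEST_SECRET, code, t, last_counter=t // 30))
```

The drift window and the replay check pull in opposite directions: a wider window is friendlier to users with badly-set clocks but gives an attacker who captures a code longer to use it, which is exactly why recording the last accepted counter matters.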
Secure standard build – How do you know your systems are built in a secure manner, every time they are deployed? A template secure build process should be part of the standard method of setting up systems before they are allowed onto your business network. It makes patching easier, deployment easier and management of devices easier, because every machine starts from the same known state. There are documented hardening standards available online that can be used to create your baseline configuration, and deployment tools can push this to new devices automatically, including things such as malware protection, host firewall settings and the approved applications. Check the baseline periodically too; a build only stays secure if nobody quietly changes it afterwards.
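As an added example (not code from the original post or from Yorcybersec), this is the kind of check a build-verification step runs against a freshly deployed server: read the OpenSSH server config and compare it with a hardening baseline. The baseline values are illustrative, modelled on common hardening guides such as the CIS Benchmarks rather than any standard the post quotes, and the sample config is constructed to exercise the parsing rules that trip people up.

```python
"""Added example, not code from the original post: checking an OpenSSH server
config against a hardening baseline, the way a build-verification step would.
The baseline values are illustrative (modelled on common hardening guides such
as the CIS Benchmarks), not a standard quoted by the page."""

# OpenSSH defaults that apply when a directive is absent. A baseline check has
# to know these, otherwise a missing directive silently looks "fine".
SSHD_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": "6",
}

# Illustrative baseline: directive -> set of acceptable values (lower-case).
BASELINE = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "x11forwarding": {"no"},
    "maxauthtries": {"1", "2", "3", "4"},
}


def parse_sshd_config(text: str) -> dict:
    """Return the effective global settings using sshd's own rules:
    directive names are case-insensitive, lines starting with '#' are comments,
    the FIRST occurrence of a directive wins, and everything after a `Match`
    line is conditional, so it is not part of the global baseline and parsing
    stops there."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def audit_sshd(config_text: str, baseline=BASELINE, defaults=SSHD_DEFAULTS):
    """Return a list of (directive, actual_value, acceptable_values) for every
    deviation from the baseline, applying sshd defaults for absent directives."""
    effective = parse_sshd_config(config_text)
    findings = []
    for key, allowed in baseline.items():
        actual = effective.get(key, defaults.get(key, "<unset>"))
        if actual not in allowed:
            findings.append((key, actual, sorted(allowed)))
    return findings


# Constructed sample config (not from a real host) exercising the edge cases:
# a later duplicate that sshd ignores, a commented-out directive that therefore
# falls back to the default, and a Match block that must not be counted.
SAMPLE_CONFIG = """\
# /etc/ssh/sshd_config on a freshly built server
Port 22
PermitRootLogin yes
# the next line is a later duplicate: sshd ignores it, so must we
permitrootlogin no
# commented out, so the default (yes) applies:
#PasswordAuthentication no
X11Forwarding yes
MaxAuthTries 10

Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for key, actual, allowed in audit_sshd(SAMPLE_CONFIG):
        print(f"FAIL {key}: is {actual!r}, expected one of {allowed}")
```

Running it on the sample reports four deviations (root login, password authentication, X11 forwarding and MaxAuthTries) and correctly passes PermitEmptyPasswords, whose default is already safe. The same shape of check works for any text-based config; the point is that the check encodes the software's real parsing rules, not just a grep for the string you hope to find.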
Security awareness training – With the mainstream news constantly full of stories of companies being breached (and fined!), investing in training for all staff is key to embedding secure behaviours into daily life. There are some awesome companies out there that offer solutions ranging from fully hosted and managed, to simply providing the material for staff to read through in their own time. They are cost effective, easy to manage, easy to audit and provide a method of staff improvement and education.
Backup, backup, backup! – It is amazing how many organisations I speak to are not doing this, not even for their business-critical systems and data. Again, it can usually be done at no extra cost using current services, e.g. Office 365 or Google Docs, but if you need a more comprehensive backup solution there are plenty of options available at a suitable subscription cost. Keep at least one copy somewhere an attacker on your network can’t reach or encrypt, and test a restore now and then; a backup you have never restored from is a hope, not a backup. Just imagine if you lost all company data via either a breach or a fire: how would you handle it?
Incident response plan – If s*** hits the fan do you know who to turn to? Do you know what to do? This fits in with my other post, “IT Support is NOT Information Security”; give it a read. You need to be confident that the person or people who will be helping know what they are doing. I also recommend that companies run through these plans on a regular basis, for example as a tabletop exercise walking through a realistic scenario, to catch any problems before a real incident occurs.
Auditing and logging – These tell you what is happening on the network and on your systems. Are all assets accounted for and in a working, compliant state? Are there signs of malicious activity? If you have been breached, or believe you have, can you investigate? Without logs from before the incident there is nothing to investigate, so get collection in place now, centralise it somewhere an attacker can’t simply delete it, and keep enough history. This may require some investment, but the NCSC just released a free solution called Logging Made Easy (LME) which is worth looking at for SMEs; just don’t expect the world, but it’s a good start.
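As an added example (not code from the original post or from Yorcybersec) of what “signs of malicious activity” can look like once you actually have logs, here is a minimal detection run over the kind of failed and successful logon events (IDs 4625 and 4624) that Windows writes to its Security log. The events are constructed for the example, with the field names simplified; the thresholds are assumptions you would tune to your own environment.

```python
"""Added example, not code from the original post: a minimal detection run over
Windows Security log logon events (4625 = failed logon, 4624 = successful logon).
It flags brute force, password spraying, and the case that matters most: a
success from a source that was just failing repeatedly."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real log data). Fields are simplified from the
# Windows Security log: timestamp, EventID, TargetUserName, IpAddress.
SAMPLE_EVENTS = [
    # 10.0.0.5 hammers one account, then gets in
    {"ts": "2024-03-01T09:00:00", "event_id": 4625, "user": "jsmith", "ip": "10.0.0.5"},
    {"ts": "2024-03-01T09:00:05", "event_id": 4625, "user": "jsmith", "ip": "10.0.0.5"},
    {"ts": "2024-03-01T09:00:10", "event_id": 4625, "user": "jsmith", "ip": "10.0.0.5"},
    {"ts": "2024-03-01T09:00:15", "event_id": 4625, "user": "jsmith", "ip": "10.0.0.5"},
    {"ts": "2024-03-01T09:00:20", "event_id": 4625, "user": "jsmith", "ip": "10.0.0.5"},
    {"ts": "2024-03-01T09:00:25", "event_id": 4625, "user": "jsmith", "ip": "10.0.0.5"},
    {"ts": "2024-03-01T09:00:50", "event_id": 4624, "user": "jsmith", "ip": "10.0.0.5"},
    # 10.0.0.9 tries one password against many accounts (a spray)
    {"ts": "2024-03-01T09:00:02", "event_id": 4625, "user": "alice", "ip": "10.0.0.9"},
    {"ts": "2024-03-01T09:00:12", "event_id": 4625, "user": "bob", "ip": "10.0.0.9"},
    {"ts": "2024-03-01T09:00:22", "event_id": 4625, "user": "carol", "ip": "10.0.0.9"},
    {"ts": "2024-03-01T09:00:32", "event_id": 4625, "user": "dave", "ip": "10.0.0.9"},
    {"ts": "2024-03-01T09:00:42", "event_id": 4625, "user": "erin", "ip": "10.0.0.9"},
    # 192.168.1.20: a user mistyping twice, minutes apart; must not alert
    {"ts": "2024-03-01T09:01:00", "event_id": 4625, "user": "mary", "ip": "192.168.1.20"},
    {"ts": "2024-03-01T09:03:00", "event_id": 4625, "user": "mary", "ip": "192.168.1.20"},
    {"ts": "2024-03-01T09:03:10", "event_id": 4624, "user": "mary", "ip": "192.168.1.20"},
]


def detect_logon_abuse(events, threshold=5, window_seconds=60, spray_users=3):
    """Sliding window per source IP. Returns a list of alert dicts.

    brute-force:            >= threshold failures from one IP within the window
    password-spray:         the same, but against >= spray_users distinct accounts
    success-after-failures: a 4624 from an IP that has already tripped an alert
    Each (ip, kind) pair fires once, so a long attack does not produce 500 alerts.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # ip -> deque of (timestamp, user), oldest first
    fired = set()
    alerts = []

    def raise_alert(ip, kind, ts, users):
        if (ip, kind) not in fired:
            fired.add((ip, kind))
            alerts.append({"ip": ip, "kind": kind, "at": ts.isoformat(), "users": sorted(users)})

    for ev in sorted(events, key=lambda e: e["ts"]):  # logs rarely arrive in order
        ts = datetime.fromisoformat(ev["ts"])
        ip = ev["ip"]
        if ev["event_id"] == 4625:
            q = recent[ip]
            q.append((ts, ev["user"]))
            while q and ts - q[0][0] > window:  # drop failures outside the window
                q.popleft()
            if len(q) >= threshold:
                users = {u for _, u in q}
                kind = "password-spray" if len(users) >= spray_users else "brute-force"
                raise_alert(ip, kind, ts, users)
        elif ev["event_id"] == 4624:
            if any(fired_ip == ip for fired_ip, _ in fired):
                raise_alert(ip, "success-after-failures", ts, {ev["user"]})
    return alerts


if __name__ == "__main__":
    for a in detect_logon_abuse(SAMPLE_EVENTS):
        print(f"{a['at']} {a['kind']:<22} {a['ip']:<14} {', '.join(a['users'])}")
```

On the sample this produces three alerts: a brute-force from 10.0.0.5, a password-spray from 10.0.0.9, and the one you would phone someone about, a successful logon from 10.0.0.5 thirty seconds after it stopped failing. Mary’s two typos are correctly ignored. A collector such as LME gets the events into one place; logic like this is what turns them into something a small team can act on.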
Policies and procedures – There is no point in having a policy and procedure for every single thing under the sun, and they won’t be effective if they are not practical and suited to the culture and practices of the organisation. Think about what is relevant to your business and what will help the company run efficiently, securely and realistically. Don’t just push policies out to staff without consultation, and make sure to check that everyone has understood the policies and why they are in place. Rolling these into the staff training systems mentioned above is recommended.
Correct access controls – Why does a weekend staff member or a receptionist need access to company, customer or supplier financial and payment details? Why does someone in the sales team need to view staff members’ salaries? Too often I see all staff set up with the same level of access, which means everyone can reach everything, and it is difficult to undo later. Setting up different access profiles for different roles, with each role getting only what the job needs, controls this, helps to reduce the likelihood (and the impact) of an insider attack, and in theory makes investigating what has happened if there is a breach more efficient. Review the profiles whenever people change role or leave; access that is never removed is how the receptionist ends up with finance rights.
Most of the above can be done on minimal budgets, and it is possible to ‘kill two birds with one stone’ across different steps, so no excuses really. Additionally, they are for the most part essential to maintaining compliance, whether that is with PCI DSS, ISO 27001, GDPR, NIST or Cyber Essentials. I am sure I have missed some; feel free to let me know and I will update as appropriate.
If you want to discuss any points above in more detail get in touch.
Lee Gilbank is one of the founders of Yorcybersec. When he’s not working with his clients, he geeks out on jigsaw puzzles, cycling, and playing video games with his children.