Ultimate Guide to IT Security

Ensure your security procedures are up to scratch with our ultimate guide to IT security, including software, hardware, policy and education.

Technology is a key contributor to business productivity, efficiency and competitive advantage. Most businesses are highly dependent on their technology and expect accessible and reliable IT systems.

However, this accessibility and reliability is not a given and can be severely compromised by a cyber-attack. Unfortunately, businesses now operate in a landscape of growing cyber-crime. Hackers are constantly attempting to access business and personal data. In fact, since the start of the pandemic, cyber-crime has increased by a staggering 600%. The threat to businesses is very real. Unfortunately, many are ill-equipped to deal with the potential repercussions of downtime, data loss and even reputational damage. It is well recognised that IT security is the biggest challenge for all businesses, regardless of size. Businesses need to develop and implement a robust cyber security plan. As cyber-attacks continuously evolve, this plan needs to take a holistic and multi-layered approach to ensure maximum protection. So how can you ensure your IT security is up to scratch? This ultimate guide to IT security is a great place to start.  

What is IT Security?

IT security refers to a set of cybersecurity strategies to protect your computer systems, networks and data from unauthorized access. It ensures the integrity and confidentiality of sensitive information within an organization by blocking access from sophisticated hackers. As hackers get smarter, the need to protect your digital assets and network devices becomes more pressing. While providing IT security can be expensive, a significant breach is far more costly. These costs include loss of revenue from downtime, damage to your reputation and customer loyalty, recovery costs, data loss and even potential fines. Developing a multi-layered IT security strategy increases your protection from a potential cyber-attack and the associated costs.  

What types of businesses are affected by cyber-crime?

Cyber-crime is an area which affects all businesses, regardless of size. There is a common misconception that small businesses are a less attractive target to cyber criminals. In fact, the reverse is often true. Small businesses generally have smaller budgets and fewer resources allocated to cyber security. This makes them an easier target to infiltrate. Some 66% of small businesses experienced a cyber-attack in the last 12 months.

What cyber security threats exist?

Threats to IT security come in many different forms. The most common source of threat however is via email. In fact, 91% of all cyber-attacks start through email. This includes email impersonation tactics, like spear-phishing and whaling, as well as malware, ransomware and viruses. We provide a brief explanation of each below:

  • Viruses: Code sent via an email attachment which, if activated, can destroy files on your computer. It can also potentially resend the attachment to everyone in your address book. Fortunately, these are a diminishing threat for businesses thanks to anti-virus software. They do however still target home computers.
  • Malware: Short for malicious software, this generic term relates to software designed to cause damage to your computer or steal information. It includes viruses, spyware and ransomware.
  • Ransomware: A type of malware that prevents users from using their systems, or limits their use, until a ransom is paid. More modern crypto-ransomware, such as Cryptolocker, encrypts files on infected systems. It subsequently forces users to make an online ransom payment to obtain a decryption key.
  • Spear-phishing: A type of phishing whereby an email falsely claims to be from a legitimate enterprise to obtain sensitive information. Spear phishing is more targeted and often refers to targets by their names and positions, using sophisticated social engineering tactics. Recipients are convinced to download malicious attachments or click on links to malware-laden or credential stealing websites.
  • Whaling: Another type of impersonation attack which is particularly threatening. Cyber-criminals use social media, such as LinkedIn, to gather information and disguise themselves as the CEO, CFO or other senior executive. They target lower-level members of the organisation, often a controller or someone in HR, and convince them to start a bank or data transfer. Key to the success of this scam is making the target react to the perceived power of the impersonated executive.

Cyber threats are becoming increasingly sophisticated and difficult to detect. This means it is more important than ever to have robust IT security practices in place.

What measures can I put in place to protect my business from a cyber-attack?

It is impossible to completely prevent a cyber-attack, however there are measures you can put in place to significantly increase your protection. As in most situations, prevention is better than cure when it comes to IT security. We advocate a holistic and multi-faceted approach to securing your IT systems. This should include your policy, software, hardware and education. We detail our recommendations below.  

1. Establish an IT Security Policy

Every organisation should have an IT security policy, which sets out the critical assets of the organisation and what happens if there is a breach of IT security. The policy should consider where the threats lie and how to minimise risk. Having a documented IT security policy helps to clarify your security practices, educate your team and ensure compliance. Policies should address password privacy and management, regular patch updates and restricted administrator access. In addition, they should provide guidance on internet and email usage.  

2. Secure your endpoints

An endpoint is any hardware device that can be connected to a network and which communicates back and forth with this network. Examples of endpoints include computers, laptops, smartphones, tablets and servers. The list is vast and includes non-traditional items, such as digital cameras, smart watches and health trackers. It also includes Internet of Things devices, such as doorbells, and generally any device that can be connected to the internet. With the rise in home working, endpoint protection has grown in importance. According to a recent report by IDC, 70% of successful breaches originate at an endpoint. In addition to reviewing all your endpoints and ensuring you change default passwords, we recommend the following:

  • Protect your devices with sophisticated antivirus / antimalware software

While many phones and computers come with some form of free antivirus software, it is not usually powerful enough to fully protect those devices. We recommend securing endpoints with advanced anti-virus software. This helps protect against malware when using the internet, email or transferring files. Whilst there are numerous products available, we recommend Trend Micro. This software offers heightened levels of protection, without affecting user performance or speed.  

  • Use business devices where possible

Where possible, we recommend that businesses encourage their staff to use company devices when working from home. This is because it is easier to manage company devices and ensure they are secure. If a personal device becomes infected, your IT team is unlikely to know and the infection could subsequently spread to your entire network. If staff do use personal devices, you should request that they install anti-virus software on them. We recommend that you have clear best practice guidelines for staff and ideally keep work and personal data separate through some form of sandboxing. For more tips, read Why you should think twice before implementing BYOD.

  • Ensure you have email security

As mentioned previously, 91% of attacks start through email via phishing or spear-phishing. Attacks are becoming increasingly sophisticated and difficult to detect. If your business currently uses Outlook and Microsoft 365, there are several features included for free, which can help increase your email security. These include stopping auto-forwarding for email, message encryption and anti-phishing protection. For more information, read our Top tips to improve your Microsoft 365 security. In addition, there are software solutions, such as Mimecast Email Security Services, that offer a superior level of protection against advanced email threats. Mimecast provides a Cloud-based offering that sits at the gateway to your systems. It provides always-on protection, ensuring threats are removed before they even reach your network.  
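The auto-forwarding control mentioned above is worth checking from the admin side, because a compromised mailbox is often quietly configured to forward mail outside the organisation. The following is an added example, not code from the original article or from Microsoft; it assumes the ExchangeOnlineManagement PowerShell module is installed, that the account used has Exchange Administrator rights, and the tenant name shown is a placeholder.

```powershell
# Added example: audit existing forwarding in Exchange Online, then block
# automatic forwarding to external domains tenant-wide.
# Assumes the ExchangeOnlineManagement module; the tenant name is a placeholder.
Connect-ExchangeOnline -UserPrincipalName admin@EXAMPLE-TENANT.onmicrosoft.com

# 1. Mailbox-level forwarding (set by an admin or through Outlook settings).
$mailboxForwards = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress } |
    Select-Object UserPrincipalName, ForwardingAddress,
                  ForwardingSmtpAddress, DeliverToMailboxAndForward

# 2. Inbox rules that forward or redirect mail. Rules like these appearing
#    without a business reason are a common indicator of account compromise.
$ruleForwards = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}

# Review the results before changing anything: forwarding the business relies on
# should be documented and handled by policy, not silently removed.
$mailboxForwards | Format-Table -AutoSize
$ruleForwards    | Format-Table -AutoSize

# 3. Block automatic external forwarding. The outbound spam filter policy is the
#    current control; the older remote-domain flag is set as well for consistency.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 4. Confirm the settings took effect.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
Get-RemoteDomain -Identity Default | Select-Object DomainName, AutoForwardEnabled

Disconnect-ExchangeOnline -Confirm:$false
```

Re-run the two audit queries on a schedule: the tenant-wide setting stops mail leaving, but a new forwarding rule appearing on a mailbox is still the signal that an account needs investigating.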

  • Review your firewall

Your router is the gateway, and thus gatekeeper, to your network. It is often the primary target for attack. Firewalls inspect all data passing in and out of your network, helping to identify and block unwanted traffic. Depending on your budget and requirements, the specification of firewalls varies significantly. We are happy to discuss and recommend options.  

  • Use multi-factor authentication

Basic authentication, which requires only a username and password, is increasingly recognised as too weak for today's threat landscape. Attackers can easily target accounts by applying guessable passwords across an organisation. Multi-factor authentication (MFA), or two-factor authentication, is a process of confirming your identity more than once before granting access to an account or service. It may ask users to enter a code sent to their phone or a memorable answer, as well as the password. Implementing MFA helps protect against stolen or compromised passwords by adding an extra barrier of entry for anyone attempting to access your account.

  • Update patches and software

Microsoft and other software vendors regularly issue patches to secure vulnerabilities, fix bugs and improve features. Deploying these patch updates quickly fixes vulnerabilities which may otherwise be exploited by cyber-criminals. Patching is arguably one of the most important aspects of your IT security strategy. The longer you wait to install these patch updates, the greater the risk of targeted malware attacks. This is because cybercriminals exploit the identified vulnerabilities to breach your data. Whilst software update notifications may seem like a nuisance, they are a key preventative measure for your network security.

3. Consider penetration testing

Penetration testing is one of the best ways to ensure organisations, and their data, are safe from intruders. Companies can patch holes and secure their networks by taking a proactive approach. Penetration testing is the systematic process of looking for vulnerabilities in your applications and networks. In essence, it is a simulated cyber-attack whereby an expert mimics the techniques used by hackers to identify security weaknesses that criminals could exploit. The information gleaned from these tests can be used to make strategic decisions and prioritise remediation efforts. The aim is to find and fix any vulnerabilities before criminals do. It is therefore an important part of a business' overall IT security strategy.

4. Educate employees on best practice

Raising awareness of IT security among employees will help them react appropriately when exposed to a threat. In fact, employee education is one of the most effective ways to enhance your company's overall IT security strategy. It is important to establish a strong culture of cyber security awareness and to train staff to identify phishing attacks. Human error is the number one cause of breaches and phishing continues to be the leading method of attack. The actions and precautions employees take are an essential part of ensuring the security of your network. Whether it is not clicking on a phishing link or using a stronger password, employees can do a lot to help. Many employees are not aware of these risks, so training them on essential security practices is paramount.

Firstly, start by creating a best practice guide to work alongside your updated security system. Secondly, train employees on how to spot and handle phishing attacks and other forms of social engineering. Employees should be warned to be suspicious of emails from people they don’t know, particularly if asked to click on a link or open a file. Even emails sent from people they know, but asking for unusual things, should be suspect. Advise employees to double check by phone call when in doubt. We also recommend using phishing simulations to help staff identify vulnerabilities and raise awareness. These are designed to test and educate employees to avoid them falling for a phishing scam and becoming the weak link in your systems.  

5. Review your backup procedures

We strongly recommend establishing a robust and secure backup system that is separate from your network. Regular backups provide more recovery points and ensure your data remains up to date. As a minimum, we recommend daily backups. This will protect your data from cyber-attack, data loss, or any other kind of damage. If your data is backed up and easily retrievable, it cannot be held to ransom! We also recommend that you encourage your remote workers to back up data frequently so that a lost device doesn't mean lost data. Cloud storage services such as OneDrive help ensure data is up to date and accessible from anywhere, while also being secure. Finally, we recommend automating your backup process to reduce the risk of data loss from a missed backup, and regularly testing your backups to ensure your data can be successfully retrieved.

6. Proactively monitor and manage your systems

Adopting a more proactive approach to your IT management can improve the performance, reliability and security of your systems. We strongly recommend engaging with an IT company who offers Managed IT Support Services to give you this peace of mind. By using a single management console, you will have greater visibility of your network. This includes seeing if an endpoint is running out-of-date software or requires patching for vulnerabilities. By proactively monitoring and managing your systems, you can detect and resolve issues before they impact your business. Mobile device management (MDM) software can also help your team manage mobile devices that access company data and scan them regularly for any issues.

7. Become Cyber Essentials certified

We recommend becoming Cyber Essentials certified. This is a government led scheme which identifies 5 key control measures to protect your business against the most common cyber threats. According to the UK government, it could prevent around 80% of cyber-attacks. It can also help demonstrate your security commitment to customers and suppliers, as well as helping to meet your GDPR compliance requirements. Certification starts from as little as £300+VAT.  

What should my business do in the event of an IT security breach?

If your organisation suffers an IT security breach you should commence your incident response plan, begin gathering evidence, inform the Information Commissioner and inform your customers.  

What is cyber insurance and how can it help?

Cyber insurance is a type of business insurance that protects from the financial losses associated with a cyber-attack. This includes damage or loss of information from your IT systems and networks. It helps to minimise the financial and business damage of a hacking attempt, covering costs related to data recovery, business disruption and system damage. Increasingly, businesses are turning to cyber insurance to provide additional protection by helping them recover in the event of a cyber-attack. For more information, read What is cyber insurance and why is it important.  

Final Thoughts

The cost of an IT security breach can be devastating, not only in terms of compromising your systems, but also potential data loss and damage to your reputation. With increased regulation and more sophisticated cyber threats, protecting your systems has never been more important. Putting steps in place to strengthen your cyber security and protect your business now can avoid future downtime, reputational damage, data loss or fines. For more information on any of the above or for help improving your IT security, please get in touch.  
