1. Establish a Risk Management Regime
Just as appropriate financial controls are overseen by your accountant and auditors, and regulatory compliance within your sector may be managed by a dedicated Compliance Officer, cyber security demands proper oversight.
Regardless of the size of your organisation, an appropriate steering group must be established, sponsored by the Chief Executive and the Board, and inclusive of senior managers across various disciplines. In short, cyber security is not merely an I.T. function.
The steering group must advise the Board in order that the ‘risk appetite’ may be fully understood. As Deloitte explain, ‘finding the optimal level of risk exposure for the business in pursuit of strategic goals and objectives is becoming more difficult than ever before. To achieve this, businesses need to adopt some structure in determining how much risk they should be, and already are, taking’. Organisations will have different risk appetites depending on their sector, culture and objectives.
With your tolerance of risk now understood, the steering group must draft appropriate policies and procedures to mitigate the risks, i.e. reduce them to acceptable levels. Since all cyber security risks can never be fully prevented, this approach ensures that appropriate resources are devoted to the highest priority threats.
The goal is not to spend money to fix problems, but to improve processes. Perhaps certain IT investments are demanded, but rarely is that the correct starting point.
2. Network Security
Protecting the internal network from attack spans innumerable facets of security. Examples range from ensuring your website is configured with a Secure Sockets Layer (SSL) certificate and password-protecting your guest Wi-Fi network, to configuring your printers so they are not ‘visible’ to the internet and thus accessible to all and sundry.
Protecting the network from the outside demands the correct implementation of firewalls and routers, and screening incoming communications to filter malicious content at source. An example is the blocking of specific email content before it reaches the users.
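As an added illustration of the email screening described above (example code written for this article, not part of the original post or any product it mentions): a Python function that quarantines a message whose attachment either carries a blocked file extension or, whatever it is named, begins with the Windows executable header. The gateway hook that hands over the raw message bytes is assumed; the sample messages are constructed inline with the standard library.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment types the gateway never delivers, and the DOS/PE header that starts Windows executables.
BLOCKED_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd", ".docm", ".xlsm"}
PE_MAGIC = b"MZ"

def classify_message(raw_bytes):
    """Return (verdict, reasons): verdict is 'deliver' or 'quarantine'."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in BLOCKED_EXT:
            reasons.append(f"blocked attachment type: {name}")
        # A benign-looking filename does not help if the bytes are a Windows executable.
        elif data.startswith(PE_MAGIC):
            reasons.append(f"executable content behind {name or 'unnamed part'}")
    return ("quarantine" if reasons else "deliver"), reasons

def build_sample(attachment_name, payload, ctype=("application", "octet-stream")):
    """Construct a test email with one attachment (sample input, not a captured message)."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(payload, maintype=ctype[0], subtype=ctype[1], filename=attachment_name)
    return msg.as_bytes()
```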
3. User Education & Awareness
Cyber security training forms the very bedrock of your security. If your staff have not been trained on how to recognise a phishing attempt, then how can they be faulted for divulging critical data? Phishing is often more sophisticated than a mere email: often the attack starts with a telephone call from someone pretending to be a legitimate supplier. Criminal techniques are evolving, and refresher training is essential.
4. Malware Prevention
The author audited an international software corporation in 2018 and discovered that of the 61 computer workstations within one subsidiary, 32 were operating without any protection against malware or viruses. The reason was simple enough: the refurbishment program was behind schedule and the users disabled these applications to improve workstation performance.
Apart from the failure to require administrative rights to control the protections, the company had failed to properly risk-assess, measure and log these major security lapses.
5. Removable Media Controls
In October 2012, the Greater Manchester Police was served with a £150,000 monetary penalty after the theft from an officer’s home of a memory stick containing details of more than 1,000 people with links to serious crime investigations compiled over an 11-year period. The memory stick had no password protection.
In May 2017, they were fined the same amount again after video interviews with victims of violent and sexual crimes got lost in the post. The force sent three unencrypted DVDs containing the sensitive footage to the serious crime analysis department of the National Crime Agency but they were never received. The DVDs, which showed named victims talking openly, have never been found.
In June 2018, the data of more than 1,000 pupils at Rochester Grammar School were exposed when an unencrypted memory stick was lost. The stick held information on every pupil, including the names, years, school house, date of birth, email address and special educational needs of the pupils as well as target and attainment grades, and whether they speak English.
The use of portable media devices, whether USB memory sticks, CDs, DVDs or similar, poses an existential threat to the security of an organisation. Where they are required for specific roles or functions, there must be an absolute and enforced policy governing what data may be transferred, how encryption is enforced, and how strict accountability is delivered.
The risk posed by these devices extends beyond data breaches, since they remain a significant threat vector for the introduction of malicious software which ranges from viruses to keyboard loggers.
Invariably, such devices should be prohibited in favour of more modern technologies for effecting data transfers.
6. Secure Configuration
Only software which is supported by the manufacturer should be deployed. For example, obsolete software such as Windows XP and Windows Server 2003 receives no updates, patches or other support and yet remains in use across the UK; a data breach which results might reasonably be declared to be through negligence.
An inventory of all applications in use is demanded, along with appropriate controls to prevent users from installing software at their convenience. The IT team should have the resources to ‘sandbox’ new applications in order that the impact of new software may be tested thoroughly prior to a roll-out.
There must be a ‘secure build’ of workstations and servers, such that the configuration is deployed without excessive manual set-up.
7. Management of User Privileges
A guiding principle of user administration is to limit the number of accounts with privileges beyond those which are absolutely necessary. Think of this as similar to the HR filing cabinet: perhaps only the Director and the manager hold the key, not every director.
Where IT staff hold administrative accounts, they should only use such accounts for the performance of administrative tasks. When drafting emails or writing reports etc., they should be logged in with a limited user account.
8. Incident Management
There are countless scenarios which may be regarded as actionable incidents and very often these may result in an obligation to report to specific authorities. Examples include:
- Loss of a smart phone enabled with email or systems access;
- Loss of a laptop or tablet computer, or removable media;
- Loss of paper files which contain organisational data;
- Viruses or malware detected on any infrastructure;
- Indications of unusual data transfers, including by staff;
- Loss of access to a system which contains personal data;
- Disasters, which disable all or some of the organisation’s critical infrastructure.
An incident involving the personal data of an E.U. resident may need to be reported to the Information Commissioner’s Office (ICO), and perhaps to the individual. Managing such an event is not something to learn on the fly: a Privacy Impact Assessment (PIA) may demand a Data Protection Impact Assessment (DPIA). From there, there are formalised approaches to effect the notification.
Consider also that under the GDPR, the failure to properly notify the ICO when required (and within the 72-hour timeframe), or to conduct a DPIA properly, may attract fines of up to €10m or 2% of turnover, whichever is the higher.
There’s much to consider. In the event of ransomware, the Metropolitan Police Action Fraud team should be notified, and depending upon your industry perhaps regulatory bodies as well, for example law firms notifying the Solicitors Regulation Authority (SRA). Are you required to advise your insurers too?
Above all, evidential incidents must be logged. Such registers of activity form your evidential trail in the event of further harm arising from the event.
9. Monitoring
Just because you don’t see any sign of a breach, it doesn’t mean your organisation is not totally exposed. Monitoring utilities are of paramount importance, as are audit logs to document what has been happening. The creation and preservation of an evidence log and audit trail is critical.
Such logs demand review. These might range from simple Microsoft Active Directory functions to sophisticated systems which report immediately if a user views or prints a document with a specific classification.
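The following is an added example, not from the original article, of the kind of log review that the Malware Prevention, Removable Media Controls and Monitoring sections call for: a Python script that reads a constructed JSON-lines audit export and raises an alert when real-time malware protection is switched off on a workstation, when a removable device is attached, or when a user views or prints a document carrying a restricted classification. The event schema is an assumption; the Windows event numbers used (Defender Operational 5001, Security 6416) are real.

```python
import json

# Constructed sample audit export (JSON lines), not real telemetry. The event schema is
# assumed; the event IDs follow Windows: Defender/Operational 5001 = real-time protection
# disabled, Security 6416 = a new external (e.g. USB) device was recognised by the system.
SAMPLE_EVENTS = """
{"ts": "2018-06-04T08:02:11Z", "host": "WS-017", "user": "jsmith", "source": "Microsoft-Windows-Windows Defender/Operational", "event_id": 5001}
{"ts": "2018-06-04T09:14:02Z", "host": "FS-01", "user": "abrown", "source": "DocumentAudit", "action": "print", "document": "board-minutes.docx", "classification": "Restricted"}
{"ts": "2018-06-04T09:20:55Z", "host": "FS-01", "user": "abrown", "source": "DocumentAudit", "action": "view", "document": "lunch-menu.pdf", "classification": "Public"}
{"ts": "2018-06-04T10:31:19Z", "host": "WS-022", "user": "ckhan", "source": "Microsoft-Windows-Windows Defender/Operational", "event_id": 5001}
{"ts": "2018-06-04T11:47:03Z", "host": "WS-022", "user": "ckhan", "source": "Security", "event_id": 6416}
"""

DEFENDER_RT_DISABLED = 5001
EXTERNAL_DEVICE_RECOGNISED = 6416
ALERT_CLASSIFICATIONS = {"Restricted", "Confidential"}

def parse_events(text):
    """Parse a JSON-lines export into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def review(events):
    """Apply the review rules; return one alert dict (kind, ts, host, user) per matching event."""
    alerts = []
    for ev in events:
        src, eid = ev.get("source", ""), ev.get("event_id")
        kind = None
        if src.endswith("Windows Defender/Operational") and eid == DEFENDER_RT_DISABLED:
            kind = "protection_disabled"      # the lapse the 2018 audit found on 32 workstations
        elif src == "Security" and eid == EXTERNAL_DEVICE_RECOGNISED:
            kind = "removable_media"          # policy says these should not appear at all
        elif src == "DocumentAudit" and ev.get("classification") in ALERT_CLASSIFICATIONS:
            kind = "classified_" + ev["action"]  # report immediately, not at month end
        if kind:
            alerts.append({"kind": kind, "ts": ev["ts"], "host": ev["host"], "user": ev["user"]})
    return alerts

def unprotected_hosts(alerts):
    """Hosts on which malware protection was switched off: the figure for the risk register."""
    return sorted({a["host"] for a in alerts if a["kind"] == "protection_disabled"})

if __name__ == "__main__":
    found = review(parse_events(SAMPLE_EVENTS))
    for a in found:
        print(f"{a['ts']}  {a['host']:<7} {a['user']:<7} {a['kind']}")
    print("hosts without protection:", unprotected_hosts(found))
```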
10. Home and Mobile Working
It’s common for smaller organisations to permit staff to use their own smartphones and tablets, a so-called Bring Your Own Device (BYOD) approach. Remember that while this might reduce costs and be appealing to staff, your security is only as strong as its weakest link: is the device secure?
A BYOD approach demands a specific policy, with training and safeguards too. How can you ensure the erasure of that device when the employee leaves the organisation? Equally, have you ensured the necessary password security and device erasure should it be lost or stolen?
⏱ 5 Second Summary
A guide to the 10 areas for any organisation to address in its efforts to improve cyber security, from establishing a risk management regime to managing mobile working, training, incident management and more.
Director of Consulting Services
Humperdinck has a 30-year career spanning Document Management Systems (DMS), data protection, Artificial Intelligence, Data Protection and Robotic Process Automation. With many articles published in print internationally, he believes the advances in office technology are such that we're entering the 4th Industrial Revolution. Now Director of Marketing and Consulting Services at Advanced UK, he's as active with clients as he is in endeavouring to write original blog articles.