Good security does not have to be an enterprise roll-out of ISO 27001 or considerable investment in security products, and there are good measures any company can take, even those struggling with a limited budget. With the advent of Cyber Essentials, there is no excuse for a business not to adhere to good practice, and follow the five baseline controls it recommends:
- Secure the perimeter – Ensure physical, network, application and logical perimeter controls are in place that define and secure your boundary.
- Secure configuration – Ensure systems are configured in the most secure way for the needs of the organisation.
- Access control – Ensure only those who should have access to systems have access, and at the appropriate level.
- Malware protection – Ensure that virus and malware protection is installed and is up to date.
- Patch management – Ensure the latest supported version of applications is used and all the necessary patches supplied by the supplier have been applied.
Most data breaches can be traced back to the lack of one or more of the above controls.
Most companies should be able to meet the above with ease, and with limited spend. We all have firewalls (even on our PCs), we all know what services we should or should not be using, we all know who should have access to sensitive data, we all know malware is a continued risk, and we are all aware that systems need patching on a regular basis.
Companies tend to struggle with these controls when their growth, and the systems they use, have not been well thought out. For example, company directors might have put data in the cloud, allowed employees to use their own devices, or engaged a third-party support company with unfettered access to systems, without thinking about what might happen should things go wrong.
User accounts might have been left active following employee termination, anti-malware might have been deployed on systems that already had malware on them, and unauthorised software may have been installed on PCs, meaning the company is not entirely sure what it should be patching.
I would recommend that companies start out with an informal audit to assess:
- Where is my data (company machines, the cloud, employee devices, mobiles)?
- Who has access to it (employees, ex-employees, third parties)?
- Is my data kept within a secure perimeter (think about cloud, employee devices, third parties too)?
- Are my devices secure and have they been configured properly?
- Does my anti-malware solution protect, detect and remove malware?
- What software is running on the devices where I keep my data, or devices that have access to my data?
I do not mean just pay lip service to these points. Assess them properly, and do not leave things out. If there are any unknowns, put them in scope rather than setting them aside.
The one thing good security does take is time and resources. It is not about defining a security budget and spending it all on firewalls; it is about ingraining security into the organisation and taking a data-centric approach to securing data.
In this day and age, unfortunately, many companies sit on the wrong side of the law when it comes to security: they are often found negligent for not implementing basic security controls, and therefore liable in the event of a security breach, which can have devastating consequences.
Companies seem to be good at filing tax returns, insuring their property against fire and theft, and investing in good legal advice, but when it comes to cyber security, where the probability of a data breach far outweighs the risk of your office burning down, levels of internal investment are alarmingly poor.
It is not a matter of if your company will experience a data breach, it is a matter of when. Even taking a day out of the company to consider the above would be immensely valuable, and if you are unsure, hire in an expert, just as you would with your company accounts or legal issues.