Typically, after business closure periods such as the Christmas holidays and bank holiday weekends, we power up our devices without giving their health a second thought. It’s very common that cybercriminals will use times like these to strike, going unnoticed until you return to the office or until your systems are restarted.
This poses a serious threat to your business as you can defend against something you don’t know exists. To help you tackle the threat before it wreaks havoc in your systems and on your devices, we have created a Cyber Fitness Plan for 2022! This has been designed to help you kick-start your business’s new year in a safe and secure manner.
The plan is composed of 12 mini workouts for your business to help take the first steps to tackle any threats that may have arisen during the festive break. You can download the mini workout plan as a PDF, here.
The 12 cyber workouts are:
Workout One: Password Management
Ensure your passwords are complex, random, and secure! 64% of individuals reuse passwords over multiple accounts, and in 2021, compromised credentials accounted for 20% of all data breaches!
Power up your security by switching your passwords to passphrases, a series of random words with no relation to one another.
Introduce a password manager to store your credentials in a secure location - this helps prevent password fatigue.
Enable multi-factor authentication to your company accounts and devices - adds an additional layer of security in the login process.
Workout Two: Software Updates Keep your software solutions up to date! During the winter break, your company devices may be in need of a software update - enabling updates ensure your technologies have the latest security defences and resolves any bug issues.
Keep track of which versions of software are installed on your devices so that you can promptly target security updates.
Install software updates as soon as they become available in order to fix exploitable bugs in your devices.
Enable automatic updates for OSs, applications, and firmware, if possible.
Workout Three: Update Your Response Plan When did you last test your incident response plan? Ensuring you have a solid and up to date response plan can minimise the fallout in the event of an attack or breach. Hopefully you won’t ever need to officially use it, yet it is absolutely fundamental to implement!
If you don’t have a response plan in place, look to implement one throughout your organisation covering data backups, the communications process, and steps to recovery.
Once you have your response plan implemented, look to test this every 6-12 months - this includes looking at how long your backups take to restore your data, what communication methods you use, and who has ownership of each action.
Workout Four: Cyber Health Check
2023 is the year to take control of your cyber health! Whether your business is starting out on its cyber security journey, or you would like some peace of mind knowing that your internal capacities are operating as they should be, a cyber security health check is the optimal way to help get you going.
A cyber health check will help you gain valuable insight into your organisation’s current risk level.
Identify the gaps in your security so you can implement the appropriate security defences that your business needs.
Remain compliant with regulations such as the UK GDPR 2021.
Workout Five: Security Awareness Training
Strengthen your human firewall this 2023! One of the most effective ways you can strengthen your workforce is through regular awareness training. In fact, businesses can see a 70% reduction in socially engineered cyber threats when effective cyber awareness training is implemented.
Power up your human firewall with targeted training that equips your staff with the latest guidance to remain cyber secure.
Ensure training is regularly implemented to help keep your workforce ahead of the curve with the latest security defences.
Take your training one step further by implementing phishing simulations to keep your people vigilant and robust.
Workout Six: Vulnerability Assessment - A Network Vulnerability Assessment tests your IT system configuration using the same techniques used by hackers to ensure your company is not wide open to a cyber attack.
We can scan and review your internal networks and systems looking for weaknesses such as poorly maintained or designed systems, insecure Wi-Fi networks, insecure access controls, or opportunities to access and steal sensitive data.
If you've never had a Vulnerability Assessment, make a note to get tested in 2023. Our focus with a Network Vulnerability Assessment is to identify weaknesses that might compromise your network. With a plain language report, we can share with you our results alongside simple instructions on how any vulnerabilities might be fixed.
Workout Seven: Backups – Always back up your data, as restoring your files from a backup is the quickest way to regain access to your data. Remember it’s vital to keep one copy of your data separate to the original home of the data.
Workout Eight: Phishing Simulation – Phishing scams are becoming harder to spot, poor grammar and spelling and low-quality versions of recognisable logos are common signs of Phishing attacks. Other things to look out for include checking the sender's email address to see if it looks legitimate or whether a company logo has been manipulated to look legitimate.
Workout Nine: Board Level Training - New regulations (such as GDPR) as well as high-profile media coverage on the impact of cyber incidents have raised the expectations of partners, shareholders, customers, and the wider public. Quite simply, organisations - and board members especially - have to get to grips with cyber security. If you are not regularly talking about cyber security at your board meetings, it’s critical that you start. The National Cyber Security Centre have produced a Board Toolkit to help encourage essential discussions about cyber security to take place between the Board and their technical experts.
Workout Ten: Cyber Security Policies - Every business will follow a First Aid or Fire Alarm procedure, so why is cyber security any different? There are several policies that businesses need to adopt, they include a Bring Your Own Device Policy, Social Media policies and Risk Management/Incident Response policies. Take a look at our Cyber Incident Response Plan that will help you to identify the gaps within your business https://www.secrc.co.uk/post/cyber-incident-response-plan.
Workout Eleven: Supply Chain – Cybercriminals target supply chains as a means of reaching the broadest possible audience with their malware. Identifying and compromising one strategically important element is an efficient use of resources and may result in a significant number of infections.
It’s often perceived that small businesses are not big enough to be hit by a supply chain attack, however, it is not about how many people work for you or how many office locations you have. A supply chain attack can be carried out through the systems that you use.
To help you secure your supply chain, you should ensure that your suppliers regularly conduct security audits or have security certifications and put this within your contract with them.
Workout Twelve: Cyber Essentials Certification - Cyber Essentials is an effective, Government backed scheme that will help you to protect your organisation, whatever its size, against a whole range of the most common cyber-attacks.
Recently, the National Cyber Security Centre announced they are running a funded Cyber Essentials programme which will help small and micro businesses to implement baseline security controls and prevent the most common types of cyber-attacks.
Qualifying organisations will receive around 20 hours of remote support with a Cyber Essentials Assessor. To qualify for this scheme, an organisation must either be:
Ø a micro or small business (1 to 49 employees) that offers legal-aid services
Ø a micro or small charity that processes personal data, as defined under GDPR
Fight back against cybercriminals with The Cyber Resilience Centre for the South East
The Cyber Resilience Centre for the South East works with businesses, small or large to help reduce cyber-related risks and vulnerabilities and enabling companies to follow cyber best practices to avoid these incidents.
To help you to guard your business against cyber-attacks in the way you would protect your premises against fire and flood, the SECRC offers a free membership package. Membership is hassle-free and, doesn’t commit you to anything that you’ll later be charged for. There are options to upgrade your membership to utilise our cyber services, but these upgrades are not compulsory – the crux of the offer is free.
Businesses can find out more information about the centre at https://www.secrc.co.uk/. To keep updated with all the latest SECRC developments follow @SouthEastCRC on Twitter or on LinkedIn.
Comments