Staff digital behavior
Most successful attacks rely on human error at some point, which is why staff training, coupled with good governance, is so important.
- Passwords: are you disciplined? Do staff use strong, unique passwords, and do they know how dangerous it is to reuse work email addresses and passwords for non-work accounts? Do you actually know whether the rules you have defined are followed?
- Transfer of information: do you really know how data is transferred and stored? Can company information be found easily in personal Google Drive, Dropbox or WeTransfer accounts?
- Speed and trust: how quickly do staff trust and tap links on their mobile phones? Could your staff fall for the increasingly sophisticated tricks criminals use?
At worst, using cloud services in this uncontrolled way means losing control of the data and having no visibility of the risk.
Supply chain weaknesses
The third parties that provide services to your organization are often one of the weakest links in your cybersecurity. Most commentators predict an increase in supply chain attacks this year. The National Cyber Security Centre (NCSC) has published a good explanation of the risks involved.
Cybersecurity action plan 2022
Cybersecurity Vulnerability Assessment
You need to start by identifying your biggest risks and vulnerabilities, so they can be addressed.
The list of common vulnerabilities above is a good starting point for this process. Consider how well each of these areas has been set up, and whether you have evidence that cybersecurity was properly considered in each. Be sure to check where your valuable information is kept and how your checkout process works, as these are common targets.
You may have heard cybersecurity buzzwords such as penetration testing, vulnerability assessment and network security scanning; all of these help you assess your exposure to attack. A good place to start would be to use our assessment tool here.
Define how the company will reduce risk; for example, state clearly what personal use of a work device is acceptable.
We recommend that you focus your policy on the key areas: digital use and behaviour, password and access management, and storage and transfer of information. Then make sure all staff know the rules and what is expected of them.
You should have a defined policy for software patching, backup testing and virus protection that sets out the actions and who is responsible for them. It is also important to find a way to measure compliance.
This may seem expensive, but it is absolutely necessary and an expectation of your regulators and the Information Commissioner’s Office (ICO).
Vulnerability closure, robust controls and alerts
Once you have completed the steps above, close the vulnerabilities you identified, implement the technical policies, and put the right system controls in place to protect you. It is essential to have a qualified person advise you on how to configure your software and hardware securely.
What this involves depends on how your business operates, but here are three examples of what we look for in our assessments.
- Antivirus software: is it on every device? Is it kept up to date? Can it be switched off locally? Has it been configured too leniently, and does anyone review critical alerts centrally?
- Windows patches: are Windows patches deployed to laptops, PCs and servers on time? How long can a laptop go without a critical patch being applied?
- Email account login failures: if you use Office 365, someone needs to be alerted to suspicious login attempts (for example, a burst of failed logins against one account, or one address trying many accounts), and you need controls in place to restrict access to your systems.
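The login-failure check above says someone must be alerted to suspicious sign-in attempts, but not what "suspicious" looks like in the log. The following Python script is an added example, not code from the original article or from any Microsoft tool: it runs two simple detections (a burst of failures against one account, with or without a later success, and one address failing against many accounts, the classic password spray) over a handful of constructed Office 365 sign-in records. The field names (createdDateTime, userPrincipalName, ipAddress, status.errorCode) and error code 50126 (invalid username or password) follow the Microsoft Entra ID sign-in log export; the thresholds, the ten-minute window, the addresses and the account names are assumptions made for illustration.

```python
"""Flag suspicious Office 365 sign-in activity from exported sign-in log records.

Added example. Record shape follows the Microsoft Entra ID sign-in log export;
the sample records, thresholds and window below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INVALID_CREDENTIALS = 50126        # AADSTS50126: invalid username or password; 0 is success
FAILURE_THRESHOLD = 5              # failures for one account inside WINDOW (assumed)
SPRAY_USER_THRESHOLD = 3           # distinct accounts failing from one IP inside WINDOW (assumed)
WINDOW = timedelta(minutes=10)     # sliding window length (assumed)


def parse_time(ts):
    """Parse the UTC timestamp format used by the sign-in log export."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def _events_in_window(times, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_suspicious_signins(entries, failure_threshold=FAILURE_THRESHOLD,
                              spray_threshold=SPRAY_USER_THRESHOLD, window=WINDOW):
    """Return {'brute_force': {user: details}, 'password_spray': {ip: [users]}}.

    Only invalid-credential failures are counted; other failure codes (locked
    account, disabled account, MFA denied) are ignored in this example.
    """
    failures_by_user = defaultdict(list)     # user -> [time]
    failures_by_ip = defaultdict(list)       # ip -> [(time, user)]
    successes_by_user = defaultdict(list)    # user -> [time]
    for e in entries:
        t = parse_time(e["createdDateTime"])
        user = e["userPrincipalName"].lower()
        code = e["status"]["errorCode"]
        if code == 0:
            successes_by_user[user].append(t)
        elif code == INVALID_CREDENTIALS:
            failures_by_user[user].append(t)
            failures_by_ip[e["ipAddress"]].append((t, user))

    alerts = {"brute_force": {}, "password_spray": {}}

    # Detection 1: many failures against one account within the window. A success
    # shortly after the last failure is the case to treat as a likely compromise.
    for user, times in failures_by_user.items():
        burst = _events_in_window(times, window)
        if burst >= failure_threshold:
            last_fail = max(times)
            success_after = any(last_fail < s <= last_fail + window
                                for s in successes_by_user[user])
            alerts["brute_force"][user] = {"failures_in_window": burst,
                                           "success_after_failures": success_after}

    # Detection 2: one address failing against many distinct accounts within the
    # window. Each account sees only one or two failures, so per-user lockout
    # thresholds never fire; the signal is only visible when grouped by source IP.
    for ip, events in failures_by_ip.items():
        events = sorted(events)
        in_window = defaultdict(int)       # user -> failures currently inside the window
        start, best_users = 0, set()
        for end, (t_end, u_end) in enumerate(events):
            in_window[u_end] += 1
            while t_end - events[start][0] > window:
                u = events[start][1]
                in_window[u] -= 1
                if in_window[u] == 0:
                    del in_window[u]
                start += 1
            if len(in_window) > len(best_users):
                best_users = set(in_window)
        if len(best_users) >= spray_threshold:
            alerts["password_spray"][ip] = sorted(best_users)
    return alerts


def _entry(ts, user, ip, code):
    return {"createdDateTime": ts, "userPrincipalName": user,
            "ipAddress": ip, "status": {"errorCode": code}}


# Constructed sample log (not real tenant data); addresses are documentation ranges.
SAMPLE_LOG = (
    # alice: six bad passwords in five minutes, then a success from the same address
    [_entry(f"2022-03-01T08:0{i}:00Z", "alice@example.com", "203.0.113.7", INVALID_CREDENTIALS)
     for i in range(6)]
    + [_entry("2022-03-01T08:06:30Z", "alice@example.com", "203.0.113.7", 0)]
    # bob: one typo, then logs in; normal behaviour
    + [_entry("2022-03-01T09:00:00Z", "bob@example.com", "192.0.2.10", INVALID_CREDENTIALS),
       _entry("2022-03-01T09:00:40Z", "bob@example.com", "192.0.2.10", 0)]
    # one address trying a password against four different accounts: password spray
    + [_entry(f"2022-03-01T10:0{i}:00Z", f"{u}@example.com", "198.51.100.20", INVALID_CREDENTIALS)
       for i, u in enumerate(["carol", "dave", "erin", "frank"])]
    # gus: five failures spread over two hours, never five inside one ten-minute window
    + [_entry(f"2022-03-01T{11 + i // 2}:{'00' if i % 2 == 0 else '30'}:00Z",
              "gus@example.com", "192.0.2.55", INVALID_CREDENTIALS) for i in range(5)]
)

if __name__ == "__main__":
    for kind, hits in detect_suspicious_signins(SAMPLE_LOG).items():
        print(kind, hits)
```

In practice the records would come from the sign-in log export in the Entra admin centre (or the equivalent Microsoft Graph query) and the result would be routed to whoever owns the alert. The point of the check is that a burst of failures followed by a success, or one address cycling through many accounts, is looked at by a person rather than left in a log nobody reads; note that gus, with five failures spread across the day, is deliberately not flagged, which is why the window matters.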
Ensure that regular training keeps staff alert to risks. It’s time to invest in good cybersecurity training, and we believe that performing attack simulations frequently will improve your cybersecurity culture.
Incident response planning
Yes, sometimes the worst happens. In most cases I’ve been involved in, quick, pre-planned emergency response measures can significantly reduce the impact on your business.
That’s a subject for another article, but start by getting the key people together in a room and discussing how you would deal with a ransomware attack. Write your plan, communicate it and put it into practice.