Why is Cyber Security Important?

According to ThoughtLab’s “Cybersecurity Solutions for a Riskier World,” the average number of cyberattacks and data breaches in 2021 increased by 15.1% from the previous year, and a further rise in attacks is expected between 2022 and 2023 as attackers become more sophisticated.

Poor IT maintenance, a lack of staff education and unknown assets are likely to play a big part in these attacks.

The UK Government’s Cyber Security Breaches Survey for 2021/2022 found that 39% of UK businesses had suffered some form of attack. In the main, these were phishing attacks, but 1 in 5 identified a more sophisticated attack such as DoS, ransomware or malware.

If company data is lost, whether through ransomware encryption or a compromised account, it can be costly to retrieve, and the company needs to have the right processes in place to recover the data quickly.

If a company suffers a data breach and client or confidential information is stolen, that information could then be used to extort money or further information from the businesses affected.

Any data loss where third parties’ data and information may have been compromised must be reported, and this can have a big impact on a company’s reputation, leading to lost contracts and sales.

It is estimated that 34% of UK businesses who suffer a serious cyber attack are forced to close – some permanently.

Educating Yourself and Your Staff

82% of data breaches analysed in 2021 involved some form of human involvement. Making sure that both you and your staff can recognise a potential attack, and can take steps to improve data security and mitigate potential cyber threats, is really important and a big step towards securing your business.

There are several things you can do to help educate staff members and to keep Cyber Security at the forefront of everything they do.

This can include:

  • Display posters and signs in different areas of the building to raise interest and awareness.
  • Run short webinar sessions to educate staff on different areas of IT security and allow them to ask questions.
  • Run cyber smart tests.
  • Restrict the use of personal devices, e.g. provide a guest Wi-Fi network that is not connected to the main company network.
  • Educate users on the harm cyber attacks can do to a company and its reputation, and on why they are a key factor in preventing them.
  • Make all employees aware of procedures and policies.

What is Cyber Essentials & Why Get Accredited?

Cyber Essentials is a self-assessment that makes sure you have key controls in place to protect your systems and data. Although it is a self-assessment, there is still a lot of work involved in completing the questionnaire and in ensuring that the relevant policies and systems are actually in place and operational.

Cyber Essentials Plus builds on the initial CE certification: a hands-on verification by an independent certification body confirms that everything is in place and working correctly.

Obtaining CE and CE+ shows your clients and colleagues that your company takes cyber security and their data seriously, and that you have measures in place to protect your business against the more common forms of attack.

Many Government and large corporate organisations will also insist on CE+ being in place before you can tender for contracts.

How do I get Compliant?

There may not be too much you need to alter to get accredited, as long as best practices were followed when your systems were set up and there are steps in place to monitor regularly for changes.

The main challenges will probably be around passwords, user accounts and securing cloud services, which now fall under the remit of CE and CE Plus.

As a guide (and this is not an exhaustive list!):

  • Password policies must be in place and enforced to ensure complexity requirements are met.
  • You must differentiate between user and admin accounts. Admin accounts should not be used for day-to-day work.
  • All default equipment passwords must be changed and must meet your password policy requirements.
  • Any cloud services must have multi-factor authentication in place.
  • All systems must run current, in-support software and operating systems, and you must update regularly – within 14 days of a new release being issued.
  • There should be no outside access to your network or to devices such as routers other than via a secure VPN or with MFA.
  • Data must only be accessible to those who require access to carry out their work.
  • Ensure features such as auto-run are disabled, so that software cannot be installed without the user’s knowledge or permission.
  • Anti-virus software must be installed on all machines and kept up to date.
  • Mobile Device Management should be implemented for laptops, tablets and phones that access company data.
  • You should check all your systems regularly to confirm they are still compliant. This covers PCs, laptops, servers, mobile phones – anything that can be used to access company data.
  • You need to document how you manage the above, as well as procedures for when staff join and leave and for when devices are stolen or lost.
  • The above applies to ALL devices that access company data, whether they belong to the company or are staff-owned.
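As an added illustration (not from the post or from ACS Technologies) of how the checks above can be applied across an asset register, the script below audits a constructed device inventory and cloud service list against the 14-day patch window, MFA, default passwords, admin account use, anti-virus and auto-run controls; all device names, dates and field names are assumptions.

```python
"""Cyber Essentials style control audit over a constructed asset register."""
from datetime import date, timedelta

PATCH_WINDOW_DAYS = 14  # CE: updates must be applied within 14 days of release

# Constructed sample inventory: hypothetical devices, not real data.
# A value of None means the control does not apply (e.g. anti-virus on a router).
DEVICES = [
    {"name": "LAPTOP-01", "os_in_support": True, "patch_released": date(2023, 3, 1),
     "patched_on": date(2023, 3, 9), "antivirus_current": True, "autorun_disabled": True,
     "admin_used_daily": False, "default_password_changed": True},
    {"name": "ROUTER-01", "os_in_support": True, "patch_released": date(2023, 2, 1),
     "patched_on": None, "antivirus_current": None, "autorun_disabled": None,
     "admin_used_daily": False, "default_password_changed": False},
    {"name": "PC-07", "os_in_support": False, "patch_released": date(2023, 3, 1),
     "patched_on": date(2023, 3, 2), "antivirus_current": False, "autorun_disabled": False,
     "admin_used_daily": True, "default_password_changed": True},
]
CLOUD_SERVICES = [{"name": "email", "mfa": True}, {"name": "crm", "mfa": False}]


def device_findings(dev, today):
    """Return the list of CE control failures for one device (empty if compliant)."""
    findings = []
    if not dev["os_in_support"]:
        findings.append("unsupported OS/software")
    deadline = dev["patch_released"] + timedelta(days=PATCH_WINDOW_DAYS)
    applied = dev["patched_on"]
    # Fail if the patch was never applied and the deadline has passed, or applied late.
    if (applied is None and today > deadline) or (applied is not None and applied > deadline):
        findings.append("patch overdue or applied outside 14-day window")
    if dev["antivirus_current"] is False:
        findings.append("anti-virus missing or out of date")
    if dev["autorun_disabled"] is False:
        findings.append("auto-run enabled")
    if dev["admin_used_daily"]:
        findings.append("admin account used for day-to-day work")
    if not dev["default_password_changed"]:
        findings.append("default password unchanged")
    return findings


def audit(devices, cloud_services, today):
    """Map each non-compliant asset to its findings; an empty dict means fully compliant."""
    report = {d["name"]: device_findings(d, today) for d in devices}
    for svc in cloud_services:
        if not svc["mfa"]:
            report[svc["name"]] = ["cloud service without MFA"]
    return {name: f for name, f in report.items() if f}


if __name__ == "__main__":
    for asset, issues in audit(DEVICES, CLOUD_SERVICES, date(2023, 3, 20)).items():
        print(asset, "->", "; ".join(issues))
```

Running it against the constructed register flags the router, the out-of-support PC and the CRM service, while the fully compliant laptop does not appear in the report.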

Blog author Ruth Wildman is the owner of ACS Technologies – IT services for smaller businesses – and is a TCD Trusted Provider.