Why cyber security matters
Why cyber security should be important to you
When we think about protecting our business, security is one of our first thoughts. We often make physical security a priority, including it in day-one training for new hires, and perhaps employing people or security firms to directly control our properties. But what about cyber security? Beyond having complex passwords, what do we need to do as a company to protect our cyber-properties? What are we even trying to protect?
These difficult questions can cause us to ignore the issue of cyber security, or leave it for another day. However, ignoring a major area of risk is never the right solution! Let me take you through some of the reasons why you need to be thinking about cyber security for your business in 2022.
What are we protecting?
To keep our physical property safe, we make an inventory of items, and cover these with appropriate insurance for their value. Without this asset register of what you want to protect, and how much it is worth, you wouldn’t be able to purchase the insurance to protect it. In the same way, you need to know what your assets are in the cyber world that you want to protect, and their value, in order to determine how best to protect them.
For example, you may have employee or customer data stored on your company computers, or in company cloud locations. This information is known as Personally Identifiable Information, or PII. It may seem like common sense that names, telephone numbers and email addresses are all included in this definition, as they are things you would want a company to keep confidential on your behalf, but what about the PII for your technology and devices? An IP address is a logical address used to identify a network device - such as a computer or phone - and is another example of PII which needs to be protected (exactly what counts as PII depends on the data-protection law that applies to you, so check the definition your regulator uses). You may also have sensitive data related to your work - such as trade secrets - stored in electronic files.
Once you have compiled a list of your logical (non-physical) assets, it is much easier to understand how to protect them. You decide the value each asset has, which corresponds to the risk associated with losing it, or losing control of it - for example through a ransomware attack, or hackers stealing your data and sharing it online. Cyber security controls are the response we use to manage this risk.
How can we protect it?
There are three main types of control used in cyber security to provide protection: Administrative controls, Physical controls, and Technical controls. All three types should be used together to protect your business effectively, following what is known as Defence in Depth: layered controls mean that if one control is compromised and fails, another should still be in place to provide protection.
Physical controls are the area of security we are most familiar with, from both our personal and professional lives; they are used to manage our PROPERTY. Having locked doors to the building, and keycodes or door fobs for staff, can prevent theft, because people who are not supposed to be there can't get in. Alarms, security guards and CCTV all help to reinforce your physical security. Over the past few years, staff have more commonly been working from home, often using company laptops and accessing company data either remotely or stored on those devices. Because we cannot control the physical security of our employees' home offices in the way we can secure our own buildings, the areas of security we can still control in these situations become a lot more important.
You can also control people's ability to access a system through the use of Multi-Factor Authentication (MFA). This combines two or more of the following types of identification: something you KNOW, something you HAVE and something you ARE. Examples are passwords (something you know), one-time passcodes (OTPs, sent to or generated on a device you have) and biometrics (e.g. fingerprints or face ID, something you are). Requiring MFA reduces the likelihood that a hacker could access your systems by guessing a password alone. According to Microsoft, using MFA reduces the risk of compromise by as much as 99.9% over using passwords alone.
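To make the two-factor idea concrete, here is an added example (not code from the original article or from any product it mentions) of how a login check combines "something you know" with "something you have". The password factor is a salted PBKDF2 hash; the possession factor is a time-based one-time password (TOTP, RFC 6238) of the kind an authenticator app generates. The user record, salt and password are constructed for the demo; the TOTP seed is the RFC 6238 reference secret so the output can be checked against the published test vectors. The function names are my own.

```python
import hashlib
import hmac
import struct
import time
from typing import Tuple

# Constructed demo values: the salt and password are for illustration only.
# The TOTP seed is the RFC 6238 reference secret (ASCII "12345678901234567890").
_SALT = b"demo-salt-not-for-production"
_ITERATIONS = 200_000
DEMO_USER = {
    "name": "alice",
    # "something you KNOW": never store the password itself, only a salted slow hash
    "password_hash": hashlib.pbkdf2_hmac(
        "sha256", b"correct horse battery staple", _SALT, _ITERATIONS
    ),
    # "something you HAVE": seed shared with the user's authenticator app at enrolment
    "totp_seed": b"12345678901234567890",
}
STEP_SECONDS = 30


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226).

    HMAC-SHA1 over the 8-byte big-endian counter, then 'dynamic truncation':
    the low nibble of the last byte selects a 4-byte window, the top bit is
    masked off, and the result is reduced to the requested number of digits.
    """
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, for_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(seed, for_time // step, digits)


def check_password(user: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(candidate, user["password_hash"])


def check_totp(user: dict, otp: str, now: int, window: int = 1) -> bool:
    """Accept the current 30-second step plus `window` steps either side (clock skew)."""
    for delta in range(-window, window + 1):
        expected = totp(user["totp_seed"], now + delta * STEP_SECONDS)
        if hmac.compare_digest(expected, otp):
            return True
    return False


def verify_login(user: dict, password: str, otp: str, now: int) -> Tuple[bool, str]:
    """Both factors must pass. Both are always evaluated, and the failure
    message is the same either way, so a caller cannot learn which factor was wrong."""
    pw_ok = check_password(user, password)
    otp_ok = check_totp(user, otp, now)
    if pw_ok and otp_ok:
        return True, "ok"
    return False, "authentication failed"


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_USER["totp_seed"], now)  # what the user's app would show right now
    print(verify_login(DEMO_USER, "correct horse battery staple", code, now))
    print(verify_login(DEMO_USER, "correct horse battery staple", "000000", now))
```

Two design points worth noticing: a stolen password alone fails `verify_login` because the OTP is derived from a seed the attacker does not hold, and a single generic failure message plus constant-time comparisons keep the check from confirming to an outsider that the password half was correct.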
Administrative controls are used to manage PEOPLE and their behaviour, usually through documentation such as policies and procedures, and through regular staff training. Clear, easy-to-follow company policies for all staff let you guide their behaviour to help keep your data safe. A good example is an Acceptable Use Policy (AUP), which explains to people what they should and should not do when using internet services. Asking staff to agree to it helps keep your computers safe, by making sure that company computers which hold sensitive data only visit trusted websites, reducing the risk of compromise that can leave you exposed to malware or hacking attempts. These policies should be easily available to all staff, and regular training on the safe use of internet and computer systems should be provided to keep this control effective. You may personally know not to open an attachment in an email from an unfamiliar address, because you are aware that this is a technique used to introduce malware onto computer systems. That does not mean all of your colleagues have the same level of knowledge and understanding. Written security policies are therefore needed so that all staff respond the same way in these situations and provide the best protection.
Technical controls manage the ACCESS people have to your technical data, such as electronic files, software and cloud services. You want staff to be able to access everything they need to do their jobs, but you don't want anyone from the outside (i.e. hackers or competitors) to be able to get in. Just as you would put up a locked fence to reduce the risk of burglars gaining entry to your property, you can put up technical fences - such as a firewall - to reduce the risk of hackers gaining entry to your systems. If your business is back in the office, you can keep all your machines and any file-sharing drives safely behind your company firewall, which prevents unknown devices from reaching your work files. It is also important to have sufficient endpoint security on each PC, such as antivirus software, to regularly check that your devices have not become infected with malware. Encrypting data, and password-protecting encrypted files, also strengthens your cyber security. Whatever controls you have in place should be reviewed regularly; how often will depend on the value you have determined your logical assets to have.
By thinking about the cyber security of your workplace, you can ensure that your important files and trade secrets are only viewed by those who should have access, and not by malicious actors. Competent cyber security policies, procedures and controls will reduce your risk of a malware or ransomware attack, an increasingly common and expensive problem to recover from. You will also build confidence among your staff and customers that you care about the protection of their data, and grow your business in a safe and protected manner.
We help companies like yours to make sense of Cyber Security and to introduce the right level of protection for your business and budget.
Arrange a free initial consultation to discover how we can help.