“Trouble’s Coming”, the #1 Hit Song by… Cyber-Crime?
Do you ever find yourself humming a song and thinking about the lyrics in certain situations, and then find it impossible to get that tune out of your head? My song is “Trouble’s Coming” by Royal Blood. This sound could easily have been created by a band called, Cyber-Crime. Allow me to explain why.
The lyrics begin to play in my head when I start to delve into a business’s IT processes and procedures, often finding that these have been handed down from one generation to the next as people come and go within the business, and each new individual has applied their personal views on what security of data is. The end result is often a business trying to accommodate investments or ideas that may be inadequate or irrelevant. The common question is then, “How do we fix this and appropriately protect the business from cyber threats?”
The person asking the question is usually expecting me to tell them about some easy-to-install tool or piece of kit. However, my immediate answer is always, “When did you last conduct a risk assessment of your information systems?” This is often met with a blank look, and once again in pops that song.
It might seem too simple to start with an assessment. After all, you’ve heard the stories about all the tools that you should have in place to protect your business from the array of threats, such as malware, ransomware, and Tupperware (I’m kidding with that last one). But those threats work when they exploit vulnerabilities. You can’t put up the right defences (tools) without first understanding your vulnerabilities.
To get you started, here’s a simple formula for assessing your cyber security vulnerabilities: (P + M) x CIA = Prepared & Protected.
As a business, you should know which information assets are higher-risk than others. For example, an HR laptop that contains highly personal and sensitive data and often leaves the site is a greater risk than a desktop computer in marketing that goes nowhere. Likewise, your CRM database, which is accessed every second of the working day, carries more risk than HR’s staff timesheets.
Action: identify and prioritise your high-risk assets.
Risks are measured against confidentiality, integrity, and availability. These are often called the CIA principles. When applying the CIA principles, consider the severity of the impact on the business and the likelihood of the risk occurring. This will help you to identify the greatest risks and apply technical and procedural measures to counter them. In some cases, you may just need to accept the risk, but at least you’re aware of it now.
Action: think of a situation or scenario that would feature Trouble’s Coming as the background music and apply the CIA principles to it. For example, remote working that your business isn’t prepared for.
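The two actions above (prioritise assets, then rate each scenario by impact and likelihood against C, I and A) can be kept in a small risk register. The following is an added example written for this post, not the author’s own tool; the 1-to-3 rating scale, the “treat or accept” threshold and the sample assets are assumptions chosen to match the scenarios the post describes.

```python
from dataclasses import dataclass

# Rating scale assumed for this example (not from the post): 1 = low, 2 = medium, 3 = high.
SCALE = (1, 2, 3)

# Controls grouped by the CIA property they mainly protect, as listed later in the post.
CONTROLS = {
    "confidentiality": ["access controls", "awareness training",
                        "strong passwords and 2FA", "firewall, anti-malware and vulnerability scans"],
    "integrity": ["least privilege access rights", "encryption in transit and at rest",
                  "remote backups"],
    "availability": ["patch management", "capacity planning",
                     "tested disaster recovery plan"],
}


@dataclass(frozen=True)
class Asset:
    name: str
    scenario: str          # the "Trouble's Coming" situation being assessed
    confidentiality: int   # impact on the business if this property is lost
    integrity: int
    availability: int
    likelihood: int        # how likely the scenario is to occur

    def __post_init__(self):
        for value in (self.confidentiality, self.integrity, self.availability, self.likelihood):
            if value not in SCALE:
                raise ValueError(f"{self.name}: ratings must be one of {SCALE}")


def impact(asset):
    """Worst-case impact across C, I and A: losing any one property hurts the business."""
    return max(asset.confidentiality, asset.integrity, asset.availability)


def driver(asset):
    """The CIA property carrying the highest impact (confidentiality wins ties)."""
    dims = {"confidentiality": asset.confidentiality,
            "integrity": asset.integrity,
            "availability": asset.availability}
    return max(dims, key=dims.get)


def risk_score(asset):
    """Impact x likelihood, giving a score from 1 to 9."""
    return impact(asset) * asset.likelihood


def decide(asset, accept_below=4):
    """Treat risks at or above the threshold; consciously accept the rest."""
    return "accept" if risk_score(asset) < accept_below else "treat"


def assess(assets, accept_below=4):
    """Return the register sorted highest risk first, with the controls to consider."""
    rows = []
    for asset in sorted(assets, key=risk_score, reverse=True):
        decision = decide(asset, accept_below)
        rows.append({
            "asset": asset.name,
            "scenario": asset.scenario,
            "score": risk_score(asset),
            "driver": driver(asset),
            "decision": decision,
            "controls": CONTROLS[driver(asset)] if decision == "treat" else [],
        })
    return rows


# Constructed sample register based on the assets the post mentions.
SAMPLE_REGISTER = [
    Asset("HR laptop", "left on a train while remote working", 3, 2, 2, 3),
    Asset("CRM database", "corrupted or unavailable during the working day", 2, 3, 3, 2),
    Asset("HR timesheets", "altered by a staff member", 2, 2, 1, 1),
    Asset("Marketing desktop", "stolen from a locked office", 1, 1, 1, 1),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(f"{row['score']}  {row['decision']:6}  {row['asset']:18} ({row['driver']}) "
              f"{', '.join(row['controls']) or 'accepted risk'}")
```

The threshold is deliberately a parameter: the post’s point is that accepting a risk is a legitimate outcome, but only once it has been scored and written down, so the register records the “accept” decisions alongside the ones you treat.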
The CIA Principles
All businesses have a duty to ensure that sensitive information is not disclosed to the wrong people. There are some easy-to-implement ways to ensure maximum confidentiality:
Access controls ensuring the correct people have restricted access to information and systems;
Employee awareness training in handling categories of information, including disclosure and transfer. Awareness of suspect emails, activities, or behaviour, and when to report a suspected security breach.
Effective password policy: strong passwords and 2FA where available.
Continual awareness and refresher updates on best practice principles: your staff are your biggest asset and, unfortunately, your greatest liability, so you need to tell them the do’s and don’ts. These may include not leaving the screen unlocked, acceptable mobile device use, not installing unlicensed or compromised software, and not letting the kids play on, and install what they like on, work laptops.
Install and maintain effective firewalls, anti-malware, and conduct frequent vulnerability scans to ensure non-compromised systems.
Maintain accurate, consistent, and quality data protection protocols:
Ensuring that only trained people have access to the data.
Employ “least privilege” access rights, ensuring only the right people have access.
Encryption of data in-transit and at-rest to prevent unauthorised interception and alteration.
Employ remote backups for the restoration of data in the event of a disaster.
Ensuring the right framework is available to protect information:
Patch management of systems and software.
Ensure you have enough system capacity to prevent bottlenecks.
Effective and frequently-tested disaster recovery plan.
The goal is to avoid “Trouble’s Coming” becoming the background music to your own cyber security nightmare. Invest in an awareness of the risks and the options available to you to minimise them now, and you’ll be able to forget that song even exists.
Are you worried that trouble’s coming for your business? Find out how well you score against the CIA Principles by claiming your FREE cyber security audit.