Is your cybersecurity approach helping you win business?

Cybersecurity – it’s one of those subjects that is everywhere these days, and everyone has a view on what ‘good’ looks like.

You might feel that ‘common sense’ is enough for any young business, or that you’re unlikely to be a target because you’re not a big brand. Unfortunately, the reality is different: as many as 42% of small businesses have suffered some form of cyber-attack or data breach in the past.

Security is about more than warding off evil empires: in the majority of breaches, the culprit is closer to home, with employees – intentionally or unintentionally – the most common cause. And if your business works on behalf of others, or has access to client data? The fallout could be catastrophic, with ramifications ranging from loss of reputation and GDPR fines through to being completely unable to conduct day-to-day business.

The big challenge for many SMEs is that they simply don’t have anyone with either the time or the technical knowledge to look after their security on an ongoing basis: security probably wasn’t even a consideration when the business was formed and has never found its way up the priority list. But as the cyber security landscape changes – both in the kinds of threats out there and in the new challenges presented by remote and hybrid working – there is a real need for all businesses to ensure they are protected.

As more and more businesses carry out increased due diligence on their suppliers, not having the right security measures in place is not just an issue for business continuity; it also becomes a very real commercial factor: a lack of visible, appropriate standards can now have a direct impact on your ability to win those hard-fought pitches and tenders.

So where do you start? How do you ensure a good level of security for your business without breaking the bank? And how can you ensure your customers (and prospects) are reassured that you have taken the appropriate steps to protect their business?

Here at Cubit Towers, we like to make IT as simple as possible. It makes our life much easier if the people we work with understand what we’re doing and, most importantly, why. So, to hopefully bring some clarity, we wanted to distil what we think the key areas of focus should be for most small and medium-sized organisations:

1: Controlling access to your data

Did you know that most data and security breaches around the world start with poor access control? Often that comes down to an overly simple password, one that’s shared across multiple logins (if you’re using the same password at work as you do for your Netflix account, just stop it, please), or an employee falling foul of a phishing or social engineering scam.

There are many simple ways of tightening things up at this point. Multi-factor authentication is now finally becoming commonplace, despite the technology having been available to businesses for 30 years, while more complex access management solutions enable business owners to manage employee access to specific devices, tools or data at an individual or group level. Oh, and it’s not always about software fixes – having a good lock on your server room is always a good start!

2: Restricting remote access to networks and devices

Of course, managing access to your network – and managing what destinations traffic from within your network can reach – is a big part of cyber security. To be effective, your firewall needs to be configured to block unauthorised inbound traffic and connections.

Most internal IT administrators will also block certain file types in their firewall solution by blocking the URLs that serve them. For example, any URL ending in ‘.exe’ can be blocked automatically, preventing the download and installation of potentially malicious files.

Many web browsers can also be set to ask the user before downloading a file. Enabling this gives the user full control over which files they download and where they are stored.

While network storage is ideal for small companies, it must also be regularly administered: one malicious file stored on a shared network drive opens the possibility of other devices on the same network being infected. Make sure network storage drives are mapped to drives that exist on virtual machines, so that administrators can easily revert to previous backups. If local storage is being used instead, ensure all drives are encrypted.

Of course, remote working brings additional challenges. It’s important that any networked devices are subject to regular password changes and that any remote admin functionality is restricted to known IP addresses, while the use of VPNs (Virtual Private Networks) or host-based firewalls provides an additional level of protection for remote devices and users.

3: Protecting yourself from malware

One of the trends we’ve seen with the rise of remote working is the increase in “grey” applications and devices used by employees in the course of their work. This can have serious implications for the security of your data and systems if those applications have come from unknown sources.

Good practice here means implementing restrictions on users’ machines to prevent any unrecognised apps from being installed, blacklisting known sources of questionable applications, and sandboxing any new installs in a safe environment before release.
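One way to enforce "only recognised apps get installed" is to allowlist installers by their SHA-256 digest rather than by file name, since a name is trivially changed while a digest changes with any alteration to the file. The following is an added example, not code from the original post or from Cubit; the approved installers, their bytes and the allowlist are all constructed for the illustration, and the function names are ours.

```python
"""Hash-based application allowlisting check (added example, not from the post).

A policy of "prevent unrecognised apps from being installed" can be enforced by
comparing the SHA-256 digest of an installer against a list of approved digests.
File names are not trusted because they are trivially changed. The approved
installers and the sample bytes below are constructed for the example, not real
software.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of the installer contents."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for vetted installer files (an IT team would hash the
# real files after testing them in a sandbox).
APPROVED_INSTALLERS = {
    "accounting-setup.msi": b"MZ\x90\x00constructed-approved-accounting-installer",
    "design-tool-setup.exe": b"MZ\x90\x00constructed-approved-design-tool-installer",
}


def build_allowlist(installers: dict) -> set:
    """The allowlist stores digests only; names are kept just for reporting."""
    return {sha256_hex(data) for data in installers.values()}


ALLOWLIST = build_allowlist(APPROVED_INSTALLERS)


def evaluate_install(filename: str, data: bytes, allowlist: set = ALLOWLIST) -> tuple:
    """Return ("allow" | "block", reason) for a proposed install.

    Default-deny: anything whose digest is not on the list is blocked, including
    a tampered copy of an approved installer that still carries the approved name.
    """
    digest = sha256_hex(data)
    if digest in allowlist:
        return "allow", f"{filename}: digest {digest[:16]}... is on the allowlist"
    return "block", f"{filename}: digest {digest[:16]}... is not on the allowlist"


if __name__ == "__main__":
    good = APPROVED_INSTALLERS["accounting-setup.msi"]
    tampered = good[:4] + b"X" + good[5:]  # one byte changed, same file name
    for name, data in [
        ("accounting-setup.msi", good),
        ("accounting-setup.msi", tampered),
        ("free-photo-editor.exe", b"MZ\x90\x00constructed-unknown-download"),
    ]:
        decision, reason = evaluate_install(name, data)
        print(decision.upper(), "-", reason)
```

The point the demo makes is the default-deny posture: the tampered copy is blocked even though its name matches an approved package, and an unknown download is blocked without anyone having to recognise it as bad first. Keeping the allowlist current then becomes part of the change process for approving new software.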

Anti-virus solutions such as Windows Defender can also be adopted to protect users against malware. Best practice is to use a solution that can be managed and maintained centrally by IT administrators, so that regular scans can be scheduled and coordinated automatically in the background while users get on with their day-to-day tasks. It is also important that the solution is actively updated by its developers: anti-virus applications without up-to-date databases may fail to flag files that are in fact malicious.

4: Ensuring “security by default”

Crazy as it may sound, many default configurations for software and hardware are insecure: admin logins for devices such as routers are still set to a common, predefined password, and many businesses never change them. You can even google the make and model of many off-the-shelf devices and find the default logins.

Frighteningly, there are businesses around the world with weak access controls on their web servers and applications – potentially opening the door to all their data for even the most amateur hacker. The simple act of checking and changing the passwords and admin logins for all networked devices (and enforcing periodic changes thereafter) can make a significant difference to your business’s security.

5: Keeping up to date with updates

Software and firmware updates can be a burden – they inevitably seem to schedule themselves for the time you least want to do them, and so get pushed to one side to do ‘later’. Annoying as they might be, they are critical to the ongoing security of your business.

Remember the WannaCry ransomware that took down and held to ransom parts of the NHS, Boeing, and numerous car manufacturing plants in 2017? A large part of the devastation was due to affected businesses running out-of-support, unpatched versions of Windows. Staying on top of patches and updates really should be a habit as ingrained as locking the office door at night.

Making it all happen

One of the most popular approaches to ticking both the “security” and the “perception” boxes is Cyber Essentials – a set of baseline security measures recommended by the UK Government’s National Cyber Security Centre (NCSC).

The good news is, for a small to medium-sized business operating in a vertical such as marketing or HR, security needn’t be a major expense, and bringing the business up to the standard required for Cyber Essentials certification can be relatively straightforward. The right choice of IT partner should be able to guide you through what you need to do, and what protective measures make most sense for your organisation. And that’s where we come in.

At Cubit, we treat our clients’ security as we do our own – with diligence, passion (believe it or not, we love this stuff!) and transparency. And we do this for small and medium businesses in PR, Marketing, and the creative sectors, all over London.

Whether you are specifically interested in acquiring Cyber Essentials accreditation, or simply want to be able to sleep easily at night knowing that your business is protected, we’d love to work with you too.