PAQ IT

Technology, People and Policy – Creating a 360° Cyber Security Strategy

Today, businesses operate in the digital realm to a greater degree than ever before. Offering extended global reach and the potential to explore new, innovative ways of working, plus greater flexibility and cost efficiency, digitisation helps businesses of all sizes stay relevant and competitive in an age when consumers expect digital literacy from the businesses they interact with. This trend in digital migration is illustrated by a report from IBISWorld, which found that 28% of business activity is being conducted online in 2023, compared with just 9% in 2002.

By now you may be thinking: what does digital adoption have to do with cyber security?  

Digitisation, rather predictably, has resulted in a corresponding rise in the number of internet-connected devices used by businesses. It’s seen a vast increase in the amount of digital data businesses hold on their customers and partners. And it’s given rise to an unprecedented number of digital transactions, with retail e-commerce sales alone accounting for an estimated $5.7 trillion in digital transactions in 2022. All of these factors present new opportunities for criminal activity, and the bad actors have been keen to capitalise, with recent years witnessing a sharp rise in both the volume and sophistication of cyber-attacks, globally and in Ireland. 

The challenge for your business is to mitigate these online threats as much as you feasibly can, but this is often easier said than done. Modern IT systems can be cumbersome, unwieldy things, crammed with applications, networks, desktop computers, servers, cloud deployments, mobile devices and user identities: all of which must fall within the scope of robust and consistent security protections in order to remain secure. 

So how do you go about implementing the cyber security protections your business needs? You should develop a comprehensive cyber security strategy that harnesses people, policy and technical measures to provide multi-layered protection across all your digital vulnerabilities. This might sound like an ambitious prospect, but with a methodical and fastidious approach, you’ll be able to create a formidable set of cyber security controls that defend your business against the vast majority of online threats.

In this article we’ll shed a little light on the key components every cyber security strategy should contain, and we’ll outline some of the consequences that could befall your business if you fail to bring your cyber security measures to the required standard. Let’s begin…

Technical Defences 

The tenacity and sophistication of modern cyber threats means that no cyber security strategy can consist of policy and procedure alone. You need wide-ranging protections that prevent your employees accessing nefarious corners of the web, keep malware out of your devices, shield your communications from prying eyes and safeguard your user identities. Here are some things to consider: 

User Identity and Access Controls 

If your business uses web-based applications, cloud systems, remote devices or any other system or arrangement that makes it possible for staff to access resources out-of-office, then you need to be able to manage user identities and access rights centrally, and have robust measures in place to authenticate those attempting to access your systems and data. An identity and access management service is key to achieving this, with solutions like Microsoft’s Azure Active Directory making it possible to govern access and identities across devices and applications from a central command portal. Whichever solution you use, make sure you’re able to do the following:

  • Enforce Multi-factor authentication. Ensure you’re able to apply an extra layer of authentication to your login requests, such as a pin, fingerprint, face scan, or code sent to a user-registered device – in addition to the standard username/password combination.  
  • Manage Applications. Your system should allow you to control access, assign and withdraw privileges and manage configurations at application level. 
  • Manage Devices. In the case of company-issued devices, it’s vital to be able to enforce security settings, prevent risky behaviours and even lock the device down, to prevent data misuse or theft. Using a solution with mobile device management capabilities will enable your IT team to securely govern portable devices. 
  • Apply Conditional Access Controls.  Conditional access controls allow you to stipulate additional access criteria to further mitigate account takeover risks. For example, permitting access only from specific devices or at certain locations helps to fully determine the legitimacy of login attempts. 
  • Monitor and Review Activity.  Your identity and access management system should allow your IT team to monitor sign-in events in real-time, and review user access trends and sign-in events using time-stamped activity logs. Recording access activity in this way ensures that suspicious activity and breach events can be fully investigated. 
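
To make the last two points concrete, here is an added example (not taken from any vendor's product or API) that reviews time-stamped sign-in records against a simple conditional access policy. The policy values, field names and log lines are all constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical conditional access policy (all names and values are assumptions).
POLICY = {
    "allowed_countries": {"IE", "GB"},
    "managed_devices": {"LAP-0012", "LAP-0047"},
    "fail_threshold": 3,                    # failures that make a later success suspicious
    "fail_window": timedelta(minutes=10),
}

# Constructed sign-in records in JSON Lines form; not output from a real system.
SAMPLE_LOG = """\
{"time":"2023-03-06T08:59:10","user":"aoife","device":"LAP-0012","country":"IE","mfa":true,"result":"success"}
{"time":"2023-03-06T09:01:00","user":"declan","device":"unknown","country":"IE","mfa":false,"result":"failure"}
{"time":"2023-03-06T09:02:30","user":"declan","device":"unknown","country":"IE","mfa":false,"result":"failure"}
{"time":"2023-03-06T09:03:45","user":"declan","device":"unknown","country":"IE","mfa":false,"result":"failure"}
{"time":"2023-03-06T09:05:00","user":"declan","device":"unknown","country":"IE","mfa":false,"result":"success"}
{"time":"2023-03-06T11:20:00","user":"niamh","device":"LAP-0047","country":"BR","mfa":true,"result":"success"}
"""


def review_signins(log_text, policy=POLICY):
    """Return (time, user, reasons) for each successful sign-in worth investigating."""
    alerts = []
    recent_failures = defaultdict(list)     # user -> timestamps of failed attempts
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        when = datetime.fromisoformat(ev["time"])
        user = ev["user"]
        if ev["result"] != "success":
            recent_failures[user].append(when)
            continue

        reasons = []
        if not ev["mfa"]:
            reasons.append("no-mfa")
        if ev["device"] not in policy["managed_devices"]:
            reasons.append("unmanaged-device")
        if ev["country"] not in policy["allowed_countries"]:
            reasons.append("unexpected-location")
        # A success straight after a run of failures can indicate password guessing.
        window_start = when - policy["fail_window"]
        fails = [t for t in recent_failures[user] if t >= window_start]
        if len(fails) >= policy["fail_threshold"]:
            reasons.append("success-after-failures")
        recent_failures[user].clear()

        if reasons:
            alerts.append((ev["time"], user, reasons))
    return alerts


if __name__ == "__main__":
    for when, user, reasons in review_signins(SAMPLE_LOG):
        print(when, user, ", ".join(reasons))
```
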

 

Network Security 

Network security refers to devices and systems that monitor data traffic transiting between a trusted network (an internal network) and an untrusted network (the internet). The aim of these systems is to defend the integrity, confidentiality and availability of data in the trusted environment by enforcing user-defined, rule-based controls as well as privacy safeguards like encryption. Network cyber security measures can take a variety of forms. Ensure that at least one of the following is safeguarding your business’s network:

Firewalls 

Firewalls are network cyber security devices designed to block traffic deemed ‘high risk’ according to a predefined set of user-configured rules. Firewalls are synonymous with messages like ‘The network administrator prohibits access to this site,’ whereby websites are blocked on the basis of being inappropriate for the workplace or associated with heightened cyber security risks. 

In addition to programmable prohibitions, modern firewalls use a catalogue of known attack signatures to block traffic that signals imminent danger. Many also now incorporate artificial intelligence, allowing them to detect anomalous traffic patterns and user behaviours that bear the hallmarks of malicious activity. Firewalls can also act as an access control mechanism, ensuring only authorised users operating from trusted IP addresses can gain access to the network. 

Firewalls can either be network-based or host-based, and come in software, hardware or virtualised forms. This makes it possible (as well as advisable) to provision firewall protections around all your data, no matter where it resides.  

Virtual Private Networks (VPNs) 

Virtual private networks create a secure connection between computer networks or between a network and individual devices. Encryption is a common feature of VPNs, which sees data transiting between connected devices scrambled into an indecipherable format with only the intended recipient holding the ‘key’ to restore readability.  

The encryption provided by VPNs offers substantial protection against various types of cyber-attacks, including ‘man-in-the-middle’ attacks, which see hackers intercept data transmission across poorly protected wireless networks.  

Remote access VPNs can be particularly useful for remote or hybrid workforces, providing fully-encrypted access to network-hosted files, services and applications as though the employee was in the office. 

Secure Email Gateways (SEG) 

A secure email gateway is a network cyber security device that functions a bit like a firewall specifically for corporate email services. Situated between the public internet and a business’s email server, a secure email gateway inspects inbound email for signs of malicious intent.

Malware, spam and phishing attempts all feature on the SEG’s hit list, with detection capabilities that leverage known-threat signatures and AI algorithms to identify and intercept inbound viruses, nuisance communications and emails that bear the hallmarks of social engineering scams.  

Antivirus Solutions 

Antivirus solutions refer to cyber security products designed to detect and remove malicious code (malware) from computers, laptops and other network-connected user devices. Malware is surprisingly easy to come by, often found concealed within email attachments, lurking on spoofed websites that imitate legitimate brands or lying dormant on USB devices waiting for an opportunity to infect a network.  

Most antivirus products use a signature-based detection mechanism whereby programmes are scanned and compared against a library of known threats. This detection method requires antivirus software to be updated on a regular basis so that newly discovered malware signatures can be added to the threat library. 

Installing antivirus capabilities across all network-connected devices (including mobile phones, tablets and other small portable devices) is highly recommended. These systems should be configured to scan incoming files automatically, in addition to the continuous scanning of files already present on the system.   

Extended Detection and Response (XDR) 

Positioned on the vanguard of cyber security technology, extended detection and response amalgamates multiple threat mitigation technologies into a single unified platform that offers holistic protection across devices, apps, identities, networks and clouds.

Extended detection and response platforms combine elements of the solutions we’ve already discussed, including endpoint detection and response capabilities, network security and user behaviour analytics and more, to create a system that defends on multiple fronts at once. XDR systems complement traditional signature-based detection capabilities with advanced machine learning algorithms that can spot anomalous behaviour, configurations and network traffic, resulting in more effective and anticipatory threat protection. These advanced systems also have the ability to spot correlations across unrelated network components: something most segregated cyber security tools simply cannot do.

Representing the next generation of organisational cyber security, extended detection and response could prove a wise investment if you’re keen to protect your business using the best tools available. 

Patch Management  

As software and operating systems age, their developers become aware of vulnerabilities in the underlying code. In response, software fixes known as ‘patches’ are released, which users are usually required to proactively apply themselves, in order to shore up the vulnerability each patch was created to fix.

As soon as a patch is released, software users are under pressure to apply it fast. This is because the predatory cybercriminal community is constantly looking for new vulnerabilities to exploit, with the announcement of a patch effectively acting as a ‘call to arms.’ Failure to apply a patch in a timely manner could see your business fall victim to a ‘zero-day attack’ (or zero-day exploit) where an attacker essentially gets to a vulnerability before you’ve had a chance to reinforce it.

Don’t let niggling vulnerabilities in your software open the door to a data breach. Ensure your software and operating systems feature the latest security updates and apply patches as soon as you practicably can upon release. Ensure patches are downloaded from legitimate sources and discontinue the use of unsupported programmes and operating systems. Liaise with your IT support team if you’re unsure that all the above is being undertaken.

Policy 

In addition to a range of technical measures to mitigate cyber security risks, businesses are encouraged to adopt a range of organisational measures which should seek to underpin the entire cyber security strategy. In fact, this is a key stipulation of GDPR, as contained in its ‘security principle,’ which states that personal data must be:

“processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”

‘Organisational measures’ refer to security measures applied at the level of individual users, consisting of policy, procedure and practices that aim to maintain the privacy and integrity of data. When creating a cyber security strategy, the first of these – policy – plays a leading role, as information security policies help codify standards and practices, ensuring that staff at all levels of an organisation understand their roles and responsibilities within the cyber security context.  

Information security policies – What information should they contain? 

An information security policy document should set out instructions, guidance and best practices for maintaining data security either specific to one domain of your digital activities or your IT infrastructure as a whole. We’d recommend creating a series of documents, each pertaining to a data processing activity, environment or business department to achieve greater clarity for your staff. 

So how should you go about creating one? Here is a brief guide to what each policy should contain: 

Define the policy’s purpose 

Start by stating the objectives of the policy clearly and precisely. If the policy relates to email security, the purpose might say: 

“This policy establishes an instructional code of practice for staff and associates of {insert company name} relating to the secure use of the company’s email service.” 

Set out the policy’s objectives and scope. 

Elaborate on the policy’s purpose by explaining exactly what it seeks to achieve. Use the 3 principles of information security as a basis for this step: confidentiality, integrity and availability. 

The ‘scope’ refers to the people, hardware, software, business departments, activities and processes that the policy makes provisions for. Be thorough here and leave no room for doubt.

Outline Roles and Responsibilities 

List what you might call the plan’s ‘actors’ – those responsible for implementing it – and connect these individuals and teams with their respective duties. For convenience, it might be helpful to divide your team into groups such as: executive management, IT department personnel and employees.

Draw attention to security controls that should be used 

Clearly outline the technical controls and measures that staff are required to implement and create guidelines for their use where this is appropriate. Examples of these might include multi-factor authentication, encryption, incident reporting procedures and physical security measures.

Create Best Practice Guidance 

Include best practice guidance that staff are expected to adhere to. For example, if you’re creating a password policy, specify the minimum length that a password should be and instruct staff to change account passwords a few times each year. If the policy pertains to company-issued devices, require that staff use lockable drawers for devices when unattended, and enforce the use of lock screens to further enhance cyber security. 

What should my information security policies apply to?  

Information security policies should be created for any data handling activity or environment where the actions of end users are instrumental in achieving your cyber security objectives. There are no right or wrong answers here, but here are a few topics that policies often centre around:

  • Acceptable Use. An ‘acceptable use’ policy often acts as the fulcrum for an organisation’s information security policies, setting out clear instructional guidance to staff on secure interaction with company data, devices, information systems and other resources.
  • Secure Data Handling. This policy should clearly define how different types of information should be classified, as well as any heightened protections afforded to specific data categories. This is particularly important in the age of GDPR, with ‘special category data’ requiring more stringent cyber security controls.
  • Access Control and User Management. This policy should contain instructions on user account management, the application of authentication controls and the extension and withdrawal of user privileges and access rights. For optimum security, this policy should implement the principle of least privilege, which sees access rights and privileges extended to users on the basis of ‘strict need,’ to minimise risks associated with compromised accounts.
  • Business Continuity and Disaster Recovery.  An extensive policy document should be created to clearly express your business’s intended plan of action following a disruptive incident or disaster. This document should clearly define the plan’s stakeholders as well as any backup systems and redundancy infrastructure to be used to restore critical business functions.  

People 

Your people are your business’s greatest asset, but without the right training they could represent a huge cyber security liability. According to research by cyber security firm Tessian, 85% of all data breaches are attributable to employee errors. This figure illustrates the importance of situating cyber security awareness training at the heart of your cyber security strategy, and educating staff on secure data handling, good password practice, and how to spot and counter one of the most prolific and damaging cyber threats: phishing scams.

Phishing scams are widely recognised as the most widespread cyber threat facing businesses and individuals today. So, what are they? ‘Phishing’ refers to a number of methods that deploy deception and manipulation to compel victims to comply with an order or set of instructions: a concept commonly referred to as ‘social engineering.’ These instructions might contain requests for login credentials, demands for payments to be made to the scammer, or requests for other forms of compromising information such as company secrets or data that could be used to steal someone’s identity. Scammers typically attempt to extract this information from victims by assuming the identity of a trusted person or entity, either within or outside the target organisation. Examples might include banks, utility providers, partner organisations or senior management personnel. 

How can you protect your business from phishing scams? The most effective way is to partner with an IT support provider or security training provider that can offer tailored cyber security awareness training. Often such training will consist of convenient online learning modules that can be moulded to fit around a busy schedule, as well as test exercises or phishing simulations to help evaluate learning outcomes and determine levels of employee security vigilance. Cost-effective and convenient, cyber security awareness training is possibly the best single investment organisations can make to improve their cyber security posture.

What steps can I take to protect my business from Phishing today? 

Here are a few tips to reduce the risk cyber imposters pose to your business: 

  • Learn how to read email headers.  If an email from a seemingly legitimate source seems odd somehow, you can inspect the email header to determine where it came from. Email sender information can be easily spoofed by criminals, so knowing how to read the header will help you separate legitimate correspondence from the con artists. 
  • Don’t open links or attachments from suspicious sources. Never click an email link unless you’re able to fully verify the sender. Generally, try to avoid opening or sending email attachments at all. Use cloud storage instead to distribute files among staff and clients where possible, as this is far more secure. 
  • Don’t hit ‘reply.’ If you receive an email from someone familiar but something doesn’t feel right, you should write a response using the ‘new email’ button rather than hitting ‘reply.’ This ensures your response is sent to the legitimate recipient whose address is stored in your contact list. 
  • Contact banks and other institutions through verified channels. If you receive an urgent message that appears to be from your bank or a similar trusted institution, get in touch with them via channels you KNOW to be legitimate. Don’t reply to the email, click on links contained within it, open attachments or call phone numbers given. 
  • Don’t be alarmed or persuaded by emotive language. Phishing scammers often leverage fear, alarm or excitement to prompt a quick response from victims. Keep a level head when encountering alarming or troubling news and contact institutions through trusted channels as we’ve discussed. Don’t fall for free giveaways, one-time offers or prizes: if it sounds too good to be true it probably is.  
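
The first and third tips above (reading email headers, and not hitting ‘reply’) can be illustrated with a short script. This is an added example, not part of the original article: it parses a constructed message and reports the header signals a reader would check by eye. All addresses and domains are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed headers for illustration only; every domain here is a placeholder.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=examplebank.com
Received: from unknown (203.0.113.7) by mx.example.com; Mon, 06 Mar 2023 09:14:02 +0000
From: "Example Bank Support" <support@examplebank.com>
Reply-To: accounts@examplebank-secure.example.org
To: finance@example.com
Subject: Urgent: verify your account
Date: Mon, 06 Mar 2023 09:13:58 +0000

Body omitted.
"""


def domain_of(header_value):
    """Lower-cased domain of the address in a header, or '' if there is none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers.

    Only trust this header when your own receiving mail server added it;
    a sender can insert a forged copy further down the message.
    """
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I):
            verdicts.setdefault(mech.lower(), verdict.lower())
    return verdicts


def review_headers(raw_message):
    """Return a list of warning codes; an empty list means nothing stood out."""
    msg = message_from_string(raw_message)
    findings = []
    from_dom = domain_of(msg.get("From"))

    # Replies go to Reply-To, not From: a different domain diverts your answer.
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-domain-mismatch")

    # Return-Path is the envelope sender. Legitimate bulk mail can differ here,
    # so weigh this signal alongside the authentication verdicts below.
    return_dom = domain_of(msg.get("Return-Path"))
    if return_dom and return_dom != from_dom:
        findings.append("return-path-domain-mismatch")

    verdicts = auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        verdict = verdicts.get(mech, "missing")
        if verdict != "pass":
            findings.append(f"{mech}={verdict}")
    return findings


if __name__ == "__main__":
    for finding in review_headers(SAMPLE):
        print(finding)
```

Domains are compared exactly, so a legitimate subdomain will also be reported; treat each finding as a prompt to verify the sender through a trusted channel.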

Conclusion 

Cyber security is a journey! To keep your organisation secure, you need to build a comprehensive set of defences that encompass people, policy and technical measures, and be willing to review and evolve your posture on an ongoing basis to stay ahead of emerging threats. Do all of the above and stay vigilant, and you’ll be well on your way to defending your livelihood from the vast majority of online threats. 

Of course, achieving 360° cyber security protection is not easy, and it’s a task that many businesses struggle with on their own without the proper support. Thankfully, help is at hand! 

Introducing Security 360 from PAQ IT 

We’ve developed our Security 360 solution to give our customers a complete arsenal of cyber security defences, designed to address every vulnerability present in modern businesses. Our customers tell us that they want resilient cyber security measures designed to counter persistent and sophisticated modern threats, as well as data protection controls that allow them to demonstrate compliance with confidence. Security 360 provides all of this and more, combining cutting-edge technical controls with user-friendly security training to create a comprehensive security framework that unites people, policy and technology. 

Get in touch today to find out how managed security from PAQ IT can make your business more secure, resilient and productive. 
