What is your IT security strategy?

As a business, the last thing you should have to worry about is your IT security strategy, and if you have the right IT team behind you, it shouldn’t be a concern. But what if you don’t have that confidence in your team, or you haven’t taken the first steps to securing your network? What do businesses need to do to protect their clients and any intellectual property?

Well, let’s see if we can shed some light on the approach. Here is a list of some of the most common attack vectors and a few quick wins that you can implement as an action plan to help manage those vulnerabilities and protect your business.

Spoofing

The use of electronic communication to disguise oneself. The attacker’s objective is to trick their target into providing sensitive information.

Phishing

A fraudulent attempt to obtain sensitive information or data, such as usernames, passwords, and credit card details. This is typically carried out by email, instant messaging, and text messaging. Users are often encouraged to enter personal information at a fake website which matches the look and feel of a legitimate site.

Man-in-the-middle attack

This is an attack where the perpetrator secretly eavesdrops, relays and possibly alters digital communications between two parties.

Viruses

The infection of a device, using an application that performs malicious instructions, to carry out localized attacks or to spread across multiple devices. The virus is usually downloaded from the internet or introduced via rogue USB devices, and can even be pushed over remote connections using Bluetooth or networks, depending on the level of access the virus has at the point of infection. There are many ways to be infected by a virus.

Ransomware

Usually deployed as a secondary payload to malware or a virus. Ransomware encrypts your data and then holds the encryption key for ransom until you pay to have it decrypted by the attacker. Not even offsite backups are safe from ransomware, so make sure your IT provider has secured them. Common attack vectors used to remotely encrypt server data include the use of RDP (remote desktop) and UNC network shares. Scary stuff, right?

Data theft

Each mobile device, be that a company phone or laptop, that is taken outside of a controlled and secure company network is a risk to the business. All it takes is one stolen laptop that is not properly secured. Best case is access to the data on the laptop. Worst case is access to the entire company network. Furthermore, with the wide adoption of BYOD (bring your own device), businesses face the difficulty and complexity of adhering to compliance within the scope of an IT security strategy and policy, all while not restricting the free use of said devices in a personal capacity.

Quick wins

  • Start working towards the goal of achieving CSE (AKA Cyber Security Essentials) certification. This will include processes focused on centralised account and password management, password policies and a few other security measures built on best practice.
  • Use threat protection at the perimeter of your network. You cannot protect every single device, as you may have a client’s laptop on the network which could unintentionally act like a Trojan horse, but you can protect the traffic on your network, which should prevent this.
  • Make sure you have a good antivirus solution. Do not go with the cheapest option. You need a solution that has consistently delivered over time and is a market leader in the industry. Review market trends and use the ‘Gartner Magic Quadrant’ as a reliable reference point.
  • Invest in real-time ransomware scanning as part of your antivirus solution. There is no point having a great antivirus if you are still at risk of having your data encrypted and held to ransom.
  • Both Google and Office 365 have advanced threat protection that helps businesses to manage the risk of being phished. It is a small cost on top of your subscription, but it is worth every penny.
  • Consider MDM management tools that can segment company data on a personal device and allow you to enterprise wipe devices. This only deletes company applications and data whilst leaving personal data intact.
  • Deploy SSO (single sign on) to leverage the same username and password across all services and devices. Locking your account or changing the password means this change is applied across everything you log in to.
  • Make use of MFA (multi-factor authentication), which is a secondary layer of authentication on your phone. This means an attacker will not be able to get access to your device even if they do somehow know your password.
  • Encrypt company devices. Encryption means your data cannot be accessed if your device is lost or stolen.
  • Most importantly, educate your staff on best practice when dealing with potential phishing emails and what to look out for when browsing sites where they may be required to use personal information.

Failing to act

Having a client experience phishing attacks from within your own business creates a negative perception. If that is the way a business treats its own data, then what does that say about the attitude to a client’s intellectual property? It costs exponentially more to fix a problem or security breach retroactively than to take a proactive and strategic approach to your security, and in some cases the damage is irreparable. As the saying goes, prevention is better than the cure. Think about the cost of decrypting your backups due to ransomware because you did not apply the correct measures to address the vulnerability before it happened.

Honestly, it is not worth the risk when you truly understand the impact.

Final Thoughts

Obviously, there is more to it, but the ‘quick wins’ in this article should help to prepare most businesses for the next level of their IT security strategy. Once you have achieved the fundamentals, start focusing on building an IT security policy that you can use as a framework to adhere to and revise as the business grows in the future.

Don’t be the person that thinks it is not going to happen to them. It inevitably will, and when it does happen, you will wish you had acted sooner. And most importantly, never be ashamed to ask for advice. Your preferred IT provider is a phone call away. So reach out and ask for help with your IT security strategy!