With new cyber threats constantly emerging, we’re often asked for advice on how to stay one step ahead of hackers and cyber criminals. A good first step is to review your organisation’s cyber security against the five key controls set out in the National Cyber Security Centre’s Cyber Essentials scheme (see our recent blog). It’s also vital to ensure that everyone in your organisation is prepared in case the worst happens.
Implementing a standard such as Cyber Essentials reminds everyone, from the most junior member of staff to the MD and the board, of their security responsibilities. No security policy will be successful unless all your employees adhere to it, so you need to develop a culture in which everyone follows clearly defined policies and procedures. Going through certification to an external standard is a timely check and reminder of what everyone needs to do.
We recommend a mixture of carrot and stick. Users need to understand why security is important and what the consequences of getting it wrong are: they’re much more likely to comply if they understand the risks than if they see security simply as a set of annoying rules which prevent them from working as they wish. Your security policies should be enforceable, realistic and acceptable to users, and of course should not violate personal privacy laws. There should be no ambiguity: everyone should be clear on exactly what is and is not allowed, as well as the penalties for policy violations.
However, make sure that people aren’t afraid to report problems. Anyone can make a mistake, and it’s vital that they feel able to ask for help if they’ve clicked on a rogue attachment, rather than burying their head in the sand and hoping for the best. Educating people about the different types of threat also helps them avoid falling for attacks such as phishing and social engineering.
One effective policy we’ve implemented as part of our user education is to have Security Champions in every department. This ensures security is embedded in day-to-day activities and reminds everyone of their security responsibilities, while sharing knowledge and best practice and providing a channel for feedback to the IT team. It can surface previously hidden knowledge and help prioritise security activities based on facts gathered from staff across the organisation, supporting a holistic approach to security. Our security team also runs security awareness courses across the company to advise our users on the latest threats and how to recognise and manage them.
Finally, prepare for the worst and adopt the mentality that one day you will be breached. This means having a cyber security incident response procedure in place, a backup of all business-critical systems and data (including data on mobile devices) and a disaster recovery plan. You should test a restore of the backup and ensure it is kept in a location that will not itself be encrypted should the system or service it protects be hit by a ransomware attack.