Overlay
Technology

Security fundamentals: eight basics you need to get right

Tim Rawlins, Director and Senior Adviser at NCC Group, looks at the must-dos for any business seeking to become cyber secure.

“Getting the basics of cyber security right has never been so important,” says Neil Bellamy, our Head of Technology, Media, Telecoms (TMT) & Services. “Not only does the risk of certain attacks threaten a business’s intellectual property, it may also damage, reputation, operations, and, ultimately, finances. It’s critical that leaders get on top of the cyber-security challenge.” 

Here are some security fundamentals that small businesses need to know to stay safe:

1. Secure your remote access now with MFA

Complex passwords (like the three random words suggested by the UK’s National Cyber Security Centre (NCSC) are essential for all employees, contractors and suppliers with access to your network and systems. But, this is not enough. You really must use an additional measure to help keep unwanted individuals out of your email and systems. Multi-factor authentication (MFA) – such as Google Authenticator or Signify from NCC Group on a mobile – gives the user an additional number to log in with. A physical smart card or key that generates a code are other examples of MFA.

Remember to add MFA to your virtual private network login process so that you have to put in the additional number before you get inside your systems; it’s too late if the criminals come in on that trusted link by stealing a username and password or just guessing a likely combination of the two. 

Privileged users (like the IT admin team) and employees with access to sensitive data (your HR and Finance Director for example) need additional measures in place, such as a separate account to do their internal work from their email and internet access. They may even use a separate laptop for their sensitive work only. And the systems they log into should have that MFA turned on of course. Role-based access control, where not everyone has access to everything, is a great way to segment and protect information, especially on cloud services

2. Teach your employees about phishing

Phishing emails can be hard to spot. Eventually, almost everyone will fall for a well-crafted email sent to an individual user based on information that criminals have found on their social media sites, your business website, or a previous data theft. Unfortunately, personal information is bought and sold by the criminals to create files on people.

Reminding your employees about phishing threats, and encouraging them to be extra vigilant, are some practical steps that may help. Some email services have the capability to report phishing directly from an inbox and can create a note of caution at the top of an email that has been sent from an external address. 

Look at your systems and check when they were last updated. Invest in new ones if your legacy systems can’t run the latest updates

Tim Rawlins, Director and Senior Adviser, NCC Group

Don’t punish people for clicking on a link; fear is not the key in this situation. It is far better to reward people for doing the right thing – spotting and reporting a potential phishing email should be celebrated and commended. You might ask your IT team to help stop the impact of someone accidentally clicking on a bad link or website; there are several programs that can help.

3. Back up your data offline

Everyone knows to back up data. but you need to make a copy that is stored where the criminals can’t access and delete it. Consider creating multiple backups, with at least one copy taken and stored safely on a backup drive that is disconnected from your network. This seems to be a step backwards from the always on, hot backups that we have become used to, but we see criminals searching for connected backup solutions and encrypting or wiping the data before running ransomware. You may just need that clean, remote safe backup to get you up and running again. 

4. Patch, patch, patch or turn on automatic updates

Systems that run old software are an attractive target for criminals. And when new problems or vulnerabilities are identified, like the recent Log4j issue, manufacturers and software suppliers rush to issue updates or patches to help protect you. So, look at your systems and check when they were last updated. Invest in new ones if your legacy systems can’t run the latest updates.

5. It takes more than anti-virus to protect you

Anti-virus programs you may have used on your computers for years are struggling to keep up with criminals who have mutated their attacks. Thankfully, endpoint detection and response (EDR) is a new type of tool that watches what is happening on your computer. If it spots a criminal at work it reports it, stops them, and, depending on your settings, can disconnect that computer from the network. 

6. Protect your cloud applications

Most companies now rely to some extent on cloud-based software. Investing in mobile applications, such as Office 365, with multiple security layers and robust user and access permissions, can limit some of the risks but you are still responsible for protecting your data.

Keeping files and data in the cloud can help ensure security, without restricting access for those working remotely using their own hardware. However, there are a number of vulnerabilities within these services so it is essential to regularly assess your cloud configuration and ensure the security of your environment and critical assets. 

Cloud-based applications and software, particularly from the new ‘Techs’ (FinTech, InsureTech, MedTech, RegTech etc), can still be vulnerable to the supplier going bust, critical people leaving or failing to get the next round of investments. To protect yourself you should ask them to put their software into ‘escrow’. This means it is held by a trusted third party and, should something happen to the software supplier, you can get access to the source code and data that your business needs. 

7. Continuously scan for vulnerabilities

Network changes, additional web applications and increased online traffic all increase your risk, so more businesses are considering continuous vulnerability scanning. These scans will help you identify problems before the criminals exploit them by highlighting your security weaknesses and allowing you to take action.

8. Keep compliant and improve your security

The UK’s Cyber Essentials (CE) certification is a great baseline security level to achieve. You will increasingly need to demonstrate to clients that you have thought about cyber security and implemented appropriate controls. Certifications such as CE and Cyber Essentials Plus (CE+) can be earned without having to set foot in an office through a series of remote assessments and vulnerability scans. What’s more, you’ll get the satisfaction that you’re doing the right thing to protect yourself and your clients.

For more information on cyber security services, visit NCC Group.

This article was written in collaboration with NCC Group Software Resilience, the world's largest Software Escrow provider. Visit their insight blog for actionable resources and helpful information. 

This material is published by NatWest Group plc (“NatWest Group”), for information purposes only and should not be regarded as providing any specific advice. Recipients should make their own independent evaluation of this information and no action should be taken, solely relying on it. This material should not be reproduced or disclosed without our consent. It is not intended for distribution in any jurisdiction in which this would be prohibited. Whilst this information is believed to be reliable, it has not been independently verified by NatWest Group and NatWest Group makes no representation or warranty (express or implied) of any kind, as regards the accuracy or completeness of this information, nor does it accept any responsibility or liability for any loss or damage arising in any way from any use made of or reliance placed on, this information. Unless otherwise stated, any views, forecasts, or estimates are solely those of the NatWest Group Economics Department, as of this date and are subject to change without notice.

scroll to top