3 Key Ways to Defend Your Business From Cyber Threats in 2023
Recent years have seen a rise in both the prevalence and the potency of cyber attacks, globally and here in the UK. In March 2022 the Department for Digital, Culture, Media & Sport published its annual Cyber Security Breaches Survey, and the findings made for concerning reading. For the preceding 12-month period it found that:
- 39% of UK businesses identified a cyber attack
- 31% of those reporting attacks say they occurred more than once a week.
- 21% of businesses report being negatively impacted by a cyber attack.
- £4,200 was the estimated average cost to businesses that suffered a successful attack, rising to £19,400 when only medium and large businesses are considered.
The consequences of cyber attacks can be wide-reaching, ranging from the immediate revenue loss to long term reputational damage and even legal repercussions.
Both your business and your IT provider have shared responsibility in ensuring your data and systems are comprehensively defended against cyber threats, but what are the critical actions you, as a business leader, should take? Here are 3 key ways to defend your business from cyber threats in 2023.
1) Engender a cyber security culture in your organisation
Your people may be your greatest asset, but if they aren’t up to speed with the latest online threats they could make your business vulnerable to attacks.
Phishing
Among all the breach attempts reported in the 2022 Cyber Security Breaches Survey, phishing was the most commonly encountered, with 83% of attacked organisations experiencing such an attack.
‘Phishing’ refers to a range of attacks that use deceptive or coercive techniques to persuade users to voluntarily surrender sensitive information, grant access to accounts or perform certain actions – often the transfer of funds to the attacker. Phishing attacks depend on the end user complying, which makes staff training a vital line of defence.
Educate your end users on the techniques phishing scammers use, including BEC (business email compromise), in which the attacker impersonates someone the intended victim trusts, such as a senior manager or a regular supplier, as well as smishing and vishing, which apply the same techniques over text messaging and phone calls. Urge your staff to be cautious whenever a sender or caller uses urgent or emotive language, and establish protocols for verifying identity whenever sensitive information is sought or a fund transfer is requested. Encourage users to cross-check the sender’s email domain against the one they expect, to check whether a ‘Reply-To’ address points somewhere else entirely, and to avoid using the ‘reply’ button when an inbound email appears suspicious in any way; instead, contact the purported sender through a channel you already know to be genuine.
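The two checks users are asked to make by eye, whether the Reply-To domain matches the From domain and whether the sender domain is a lookalike of a trusted one, can also be automated at the mail gateway or in a triage tool. The following is an added example written for this article, not code from the original page or from any particular product; the trusted-domain list and the two sample messages are constructed for illustration, and the edit-distance threshold of 2 is an assumption.

```python
"""Flag common phishing indicators in an inbound e-mail's headers.

Added example (not from the original article). It checks that the Reply-To
domain matches the From domain, and that the sender domain is not a lookalike
(one or two character edits away) of a domain the business trusts. The trusted
domains and the sample messages below are constructed for this example.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed: domains this (hypothetical) business treats as legitimate.
TRUSTED_DOMAINS = {"example-finance.co.uk", "example.com"}
LOOKALIKE_MAX_EDITS = 2   # assumed threshold for "looks like" a trusted domain


def _domain(addr_header) -> str:
    """Return the lower-cased domain part of an address header, or ''."""
    _, addr = parseaddr(str(addr_header or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def phishing_indicators(raw_message: bytes) -> list:
    """Return human-readable warnings for one RFC 5322 message (empty if none)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    from_dom = _domain(msg.get("From", ""))
    reply_dom = _domain(msg.get("Reply-To", ""))
    warnings = []

    # 1. Replies would go somewhere other than the apparent sender.
    if reply_dom and reply_dom != from_dom:
        warnings.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")

    # 2. Sender domain is a near-miss of a trusted domain but is not that domain
    #    (a swapped letter, a digit for a letter, an extra hyphen).
    if from_dom and from_dom not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if _edit_distance(from_dom, trusted) <= LOOKALIKE_MAX_EDITS:
                warnings.append(f"From domain {from_dom!r} looks like trusted domain {trusted!r}")
    return warnings


# Constructed sample: a BEC-style request from a lookalike domain ('1' for 'l')
# whose Reply-To points at an unrelated webmail account.
SUSPICIOUS = b"""From: "Jane Smith (CEO)" <jane.smith@examp1e-finance.co.uk>
Reply-To: jane.smith.ceo@webmail.example
To: accounts@example-finance.co.uk
Subject: Urgent payment needed today

Please process the attached invoice before 3pm. I'm in meetings, reply here.
"""

# Constructed sample: an ordinary internal message.
LEGITIMATE = b"""From: Jane Smith <jane.smith@example-finance.co.uk>
To: accounts@example-finance.co.uk
Subject: Q3 budget

Attached.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, phishing_indicators(raw) or "no indicators")
```

Run as a script it prints two warnings for the first message and none for the second. In practice this sits alongside, not instead of, SPF/DKIM/DMARC checks: a lookalike domain can pass all three because the attacker controls it, which is exactly why the domain comparison against your own trusted list is still worth doing.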
Create security policy documents
Comprehensive policy documents are a great way to help your team understand where their individual responsibilities lie in terms of protecting the integrity of organisational data.
If your team use personal devices for work purposes (to any degree) establish a BYOD policy, which should contain guidance for acceptable use, a list of permitted apps and instructions for securely connecting to corporate resources.
Separate information security policies should be written up, each applicable to a distinct field of information security. Include policies relating to password management, remote access, the use of portable media and the sharing of information with external parties.
Consider Cyber Security Awareness training
Regular security awareness training and ‘refresher’ exercises are a great way to keep cyber security knowledge fresh in the minds of your team.
Consider running regular workshops throughout the year designed to refocus the minds of your team on the most pressing cyber threats and test their knowledge of security best practice. Third-party training providers can be a simple, cost effective way to grant access to educational resources, with flexible online material and test portals that allow staff to fit learning around work commitments.
2) Implement rigorous access and authentication controls
Access and authentication controls are about ensuring only authorised individuals are able to access your sensitive data. This means applying access privileges so that employees are only able to access resources relevant to their job roles, and taking steps to further verify the identities of individuals logging in to your accounts.
Account takeovers occur when attackers obtain a valid username and password combination, often through phishing or with password-guessing and password-cracking tools. Depending on the nature of the compromised account such attacks can be devastating, and they sometimes go undetected for many hours because the login itself appears legitimate.
Limit privileged access
Accounts featuring the broadest permissions (often known as ‘admin’ accounts) are prime targets for cyber criminals, as they permit widespread data access and the ability for hackers to reconfigure security settings in their favour.
To limit the risk associated with these accounts, grant such privileges to as few users as possible, and better still, hold them in separate accounts dedicated to administrative tasks. These accounts should not be used for non-essential activity such as web browsing or email, which reduces the number of entry points available to an attacker who targets them.
Establish protocols for decommissioning accounts
When an employee leaves your organisation it’s important to withdraw access to resources swiftly and to ensure no corporate data remains on employee-controlled devices. Put a written protocol in place for such scenarios and make sure employees know they may be asked to hand devices to your IT team so that sensitive information can be removed. Access management services such as ‘Azure Active Directory’ make it easy to withdraw access to corporate resources remotely from a single interface.
Implement multi-factor authentication (MFA)
Multi-factor authentication requires users to provide two or more independent factors (something they know, something they have, or something they are) to gain access to a device or account. A strong password that’s easy to remember but hard to guess remains an essential first line of defence, but given the password-cracking tools available to attackers, additional factors are recommended wherever they are available. Factors used alongside a password include:
- Biometric data – Fingerprint or facial recognition scans.
- One-time passwords – Short codes generated for each sign-in request, either by an authenticator app on the user’s registered smartphone or sent to the user by text message or email. App-generated codes are preferable, since text messages and email can themselves be intercepted or phished.
- Location-based data – Some systems can be configured to permit access only when the IP address and location of the requesting device match expectations. Strictly this is a risk signal used to decide whether to allow a login rather than a factor in its own right, so it should supplement, not replace, the factors above.
3) Manage your risk profile and maintain your digital assets
With the growth of remote working in recent years, modern digital estates are more unwieldy than ever, with many employees using numerous devices (including portable devices) to access company resources. With software and data spread across so many devices, cyber security governance can be a challenge, but by taking a few simple measures you can reduce the attack surface available to attackers and shore up the integrity of your remaining systems.
Perform device security audits
Start by creating a comprehensive list of the devices your team use to access company resources. Then audit each device, ensuring it is securely configured.
Start by listing apps and functionality required for work purposes, and use this to remove or deactivate software and internet-connected features you don’t need.
Then, ensure any default passwords are changed in favour of more secure replacements, and remove dormant user accounts altogether. Activate multi-factor authentication at device-level, and implement device lockout policies which lock login portals upon a certain number of failed sign-in attempts.
Lastly, disable ‘autorun’ to prevent programmes stored on removable media from executing automatically when the media is connected. Such devices may carry malware, and ‘autorun’ would run it on your computer without any action by the user.
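The lockout policy described above, and the account-takeover pattern described in the access-control section (a password-guessing run followed by a login that looks legitimate), can both be checked from authentication logs. The following is an added example written for this article, not code from the original page or from any product: it replays constructed log lines through a sliding-window lockout rule and raises an alert when a login succeeds after a burst of failures. The log format, the five-failure threshold, the 15-minute window and the three-failure ‘burst’ level are all assumptions made for the example.

```python
"""Failed-login lockout and account-takeover detection over sample auth logs.

Added example (not from the original article). analyse() replays log lines in
order, applies the lockout rule (lock after MAX_FAILURES within WINDOW) and
flags two takeover indicators: a successful login after the lockout threshold
was reached, and a success following BURST_FAILURES or more recent failures.
The log format and all thresholds are assumptions for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                  # assumed lockout threshold
BURST_FAILURES = 3                # assumed "suspicious burst" level, below lockout
WINDOW = timedelta(minutes=15)    # assumed sliding window for counting failures

# Constructed sample log, one event per line:
# "<ISO timestamp> <user> <SUCCESS|FAILURE> <source ip>"
SAMPLE_LOG = """\
2023-05-02T08:00:01 alice FAILURE 198.51.100.7
2023-05-02T08:00:03 alice FAILURE 198.51.100.7
2023-05-02T08:00:05 alice FAILURE 198.51.100.7
2023-05-02T08:00:06 alice FAILURE 198.51.100.7
2023-05-02T08:00:08 alice FAILURE 198.51.100.7
2023-05-02T08:00:09 alice SUCCESS 198.51.100.7
2023-05-02T08:05:00 bob FAILURE 203.0.113.9
2023-05-02T08:10:00 carol FAILURE 192.0.2.44
2023-05-02T08:10:02 carol FAILURE 192.0.2.44
2023-05-02T08:10:04 carol FAILURE 192.0.2.44
2023-05-02T08:10:07 carol SUCCESS 192.0.2.44
2023-05-02T08:30:00 bob FAILURE 203.0.113.9
2023-05-02T09:00:00 bob SUCCESS 203.0.113.9
"""


def analyse(log_text: str, max_failures: int = MAX_FAILURES,
            burst_failures: int = BURST_FAILURES, window: timedelta = WINDOW):
    """Return (locked, alerts) after replaying the log in order.

    locked maps user -> time the lockout threshold was reached.
    alerts is a list of (time, user, message) tuples.
    """
    recent_failures = defaultdict(deque)   # user -> failure timestamps in window
    locked = {}
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_text, user, outcome, src_ip = line.split()
        ts = datetime.fromisoformat(ts_text)
        failures = recent_failures[user]
        # Forget failures that have aged out of the sliding window.
        while failures and ts - failures[0] > window:
            failures.popleft()

        if user in locked:
            # Once locked, no login should succeed. If one does, either the
            # lockout is not enforced or the attacker has another route in.
            if outcome == "SUCCESS":
                alerts.append((ts, user, f"success from {src_ip} after lockout threshold reached"))
            continue

        if outcome == "FAILURE":
            failures.append(ts)
            if len(failures) >= max_failures:
                locked[user] = ts
                alerts.append((ts, user, f"{len(failures)} failures in window from {src_ip}; lock account"))
        elif outcome == "SUCCESS":
            # Legitimate users mistype once or twice; a success right after a
            # burst of failures is what a guessing attack looks like when it works.
            if len(failures) >= burst_failures:
                alerts.append((ts, user, f"success after {len(failures)} recent failures from {src_ip}"))
            failures.clear()
    return locked, alerts


if __name__ == "__main__":
    locked, alerts = analyse(SAMPLE_LOG)
    print("would lock:", sorted(locked))
    for ts, user, message in alerts:
        print(ts.isoformat(), user, message)
```

In the constructed log, alice is locked on the fifth failure and her following success is flagged, carol’s three failures stay below the lockout threshold but her success is still flagged as a burst, and bob’s two failures fall outside the window and produce nothing. The point of the second rule is the one made in the access-control section: the successful login is the event that looks legitimate on its own, so it has to be judged against what came just before it.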
Keep on top of software maintenance
As software ages, its developers become aware of latent security vulnerabilities. Vendors release ‘patches’ to address these flaws, but in most instances the responsibility for applying them lies with the end user. If you outsource your IT support, your IT provider should have a handle on device maintenance and should be ensuring your devices receive the latest updates soon after they are made available.
For any devices that fall outside your IT provider’s or IT team’s remit, you must ensure the most recent software updates and security patches are applied yourself. Personal, non-work devices need to be equally well maintained, as they can carry malware onto your business’s network when they connect to it.
Lastly, it’s vital to promptly discontinue the use of software programmes that no longer benefit from manufacturer support. Without the provision of patches to correct security deficiencies, these programmes could pose a substantial data security risk, and should be retired as swiftly as possible.
Ensuring you get the most from the tools at your disposal
Our team of experts will take the time to get to know you, your team, the way you do business, and your goals and vision for the future. We will work together with you to learn what complements the way you do business and will ensure that you are constantly up to date with the latest technology that benefits you, whilst also ensuring you stay compliant with regulations at all times. We will help you with your digital transformation and educate your team on how to use the new tools at their disposal to their full potential. With our help you can introduce up-to-date tools, remain compliant, and be confident that your team are doing everything they can to aid in both. Don’t hesitate to get in contact with us and see how we can help you.