(If you’re not addressing the basics first)
The instant reaction to a cyber attack for most small businesses is shock and panic. It doesn’t matter how many times they’ve been told the attitude to cyber attacks remains ‘it’ll never happen to me’. Until it does.
Once the dust settles, the next reaction is normally to throw money at the problem. Suddenly the business is buying every shiny solution that promises ‘total security’ and hoping they’ll prevent anything bad ever happening again.
We have news for you. Your expensive cyber security solutions are worthless!
OK, lets qualify that a bit. Your expensive cyber security solutions are worthless, unless you’ve got the basics in place.
We love a car analogy here at Your IT, and here’s another. If your brakes fail and you narrowly avoid hitting a tree do you a) get the brakes fixed or b) wrap the entire car in bubble wrap? If you answered b) please stop reading this blog isn’t for you!
What Do We Mean By The Basics
What we are talking about here is your infrastructure, your software and your policies and procedures.
Old machines running old version of software, especially old operating systems, are a huge security risk. If you’re running any Windows 7 machines in your business then you need to get them replaced as quickly as possible.
And think about physical security. Access control, e.g. who can get in your building and access your IT is hugely important. You can have a fantastic set of tools, but if a disgruntled employee can walk up to your server and copy information onto a USB stick it becomes a bit pointless!
Is your software, including your antivirus, patched and up-to-date? Even if you’re running the Windows 10, if it’s not patched it’s not secure. It’s the same with all of your business software. If you’re accounting software, management software, CRM, Project Management tools etc. are not cloud based you need to be sure you are running the latest version. You need a process for patching and updating, and a way to check it’s being done.
Get Your Policies In Place
Perhaps the most important, and most overlooked, area of cyber security is policies and procedures. Your IT Partner or Managed Service Provider (MSP) can only have a very limited impact here. This is very much about how you run your business. Password policies are a great place to start. You should set a minimum complexity requirement, and stipulate how often passwords should be changed. Your IT company can help impose the policy, but you need to think about yourself.
Other policies would normally include Acceptable Use, Bring Your Own Device, Social Media, Access Control and Data Protection. Again you could work with your IT provider, and they can help you implement those policies. For example blocking access to certain websites, password protecting or limiting access to folders on the network etc. However it is the business that needs to decided who gets access to what, and inform the IT company if this changes.
Then there are the less obvious policies. Those that are not ‘IT’ as such. The biggest one being a Payments Policy. The vast majority of cyber attacks come down to an individual making a mistake. And the most costly tend to be paying someone who has tricked the individual into believing they are a legitimate payee. To guard against this you might insist a second person checks any non-standard outgoing payments.
Once the policies and procedures are in place then make sure people are trained on them. Then audit that they are being followed. It might be worth adding some general cyber security training too, to help them spot potential threats.
OK. So Your Expensive Cyber Security Solutions Are NOT Worthless
But you’ve got to get the basics right first. You make yourself so much more vulnerable to attack if you’ve got old software, poor physical security and weak passwords.
Once you’ve got the basics you can then add layers of security that reduce your risk. The more phishing emails you prevent, the less likely you are to click on one. If you’ve got multi-factor authentication AND a strong password you’re much less likely to get hit with a brute force attack.
And when it comes to prioritising tools remember to think about those that help you detect, respond and recover as well as those that protect. Nothing gives you 100% protection from cyber attack, there are too many factors involved. It’s sensible to put in place protection but reducing the effect of any attack that does get through can be the difference between a business blip and a business disaster.
How Can We Help
We offer all businesses a free Cyber Security Assessment. We’ll help you identify whether you have the basics in place and then offer expert advice on how to strengthen your security. All with no obligation to buy anything, ever.
The report will be yours to take away and implement yourselves. Or you can use it to hit your current IT Provider over the head!!
Book a Cyber Security Assessment with our Cyber Security Expert Angus Unwin-Rose today: