Originally published on 01 Feb 2019
Updated on 15 Nov 2021
When carrying out cyber review work for organisations and their supply chains in the past, we consistently found many “common” cyber threats that could be easily fixed with an understanding of cyber security basics. Over the last couple of years, we have carried out many more of these reviews, brought to market new products, helped dozens of new customers and expanded our team by 30%.
In this time, GDPR has become a part of UK law under the Data Protection Act 2018, allowing users to halt unauthorised access to their sensitive information and shield a whole network of personal data online. Off the back of this, we have also seen the FCA issue their first cyber security-related fine.
However, within this period of fast-paced digital progress, what improvements have we seen to the fundamental systems, tools and security measures used to protect organisations from these cyber attacks? Not many, if any. The same cyber threats that were most common before introducing GDPR and the added protection to sensitive information are still posing high-risk threats to the cyber security, information security and internal networks of many organisations.
With these cyber attacks and the risks of network security breaches now higher than ever, this is the time for all organisations to assess their current cyber security systems. You can start to tackle this by learning the cyber security fundamentals, putting these tools to use, then improving them over time. Let’s start with the basics.
Do You Understand Your Cyber Risks?
When we carry out our detailed cyber reviews for customers and their supply chains, we still see a fair number of risky, basic cyber security measures being used. In fact, most organisations we visit are completely unaware of the levels of risk their sensitive data is regularly exposed to online, let alone exactly what these risks are. This is largely because they either haven’t run into one of these attacks yet or because the risks they are being exposed to aren’t communicated to top-level management appropriately — meaning essential cyber security systems aren’t being implemented.
We’ve learnt that 80% of the cyber risks businesses are exposed to could be reduced by implementing basic cyber security protection tools. Throughout this article, we’ll break down some of the critical risks that all cyber networks and organisations face and provide some simple strategies for reducing these threats to acceptable levels. After all, great information security risk management is all about reducing risk to a level that top management in your organisation can accept. Ultimately, it is the company that will suffer from an exposed cyber network. And therefore, it is the company that needs to make decisions about accepting those cyber security risks.
So, we’ve started to dive into the basics of what a cyber attack might look like, but to avoid the hackers, ransomware and extensive malware out there, you need to learn exactly how to tighten your cyber security, protect your sensitive data and avoid a data breach. Here are five easy security fixes to protect your company from cyber attacks.
Cyber Security Basics: Fix 1 — Install Internet Facing Firewalls
Over the years, we have met with more than one organisation with no internet-facing firewalls whatsoever, surprising as that may seem. As one of the fundamentals of digital protective measures, all businesses should be utilising these protective resources. Having an appropriate firewall device is at the top of the list on the Cyber Essentials scheme — and for a good reason. It is your key line of cyber security against phishing, malware and other network security threats.
Let’s say that your organisation has no firewall. Now let’s say your entire customer database of 500 thousand people is stolen by hackers or malware, resulting in an ICO investigation as per GDPR guidelines. Their investigation discovers that your business lacks the most basic of technical controls. The likely result? A very big fine, massively negative press and reputational damage, most certainly leading to a loss of customers. Avoid this by utilising the basics throughout your internet networks and devices.
Cyber Security Basics: Fix 2 — Avoid Free Antivirus Software
The commercial focus of an organisation is high on any agenda, and part of any good commercial cyber approach is being aware of your risks and managing them appropriately. We have seen many organisations relying on free antivirus programs to protect them from cyber threats just because they reduce company costs. The perception in many business leaders’ minds is that the free version is the same as the paid-for versions. As it happens, it is not.
One organisation we visited had installed a free system from a commercial vendor a few years back. They didn’t realise that the free version didn’t carry out “on-access” scanning (scanning files and executables as they open), regular scheduled scans or automated updates — these were all features in the premium or paid-for options. In effect, they didn’t have antivirus software and were at risk of phishing, cyber attacks and loss of sensitive information.
Be aware: a “good” antivirus solution will get regular automated updates, scan all files and executables when they are opened, carry out regular scheduled scans and scan websites as they are accessed for malicious downloads, scripts and other issues. If your free version doesn’t provide all of this, consider upgrading your devices and networks with the appropriate resources.
Cyber Security Basics: Fix 3 — Lock down Admin Account Use
The purpose of a domain admin account is to access and carry out high-level administration activities. By default, this user has access to everything on your network. This makes it very easy for different employees to access resources on the network, like scheduled tasks, backups and other software that needs to run (web servers, for example).
The potential risk here is that if you were to run your web server with domain admin privileges and it was in some way compromised, your entire network could be exposed to an attacker. This would allow them unauthorised access to a whole system of devices, tools and sensitive data.
Despite this risk, about 70% of the organisations we visit still run all their services through a central domain admin. We found that, within these organisations, the IT employees “share” a password and use that single account for all administration activity, which isn’t a great idea as it leaves businesses at a much higher risk of cyber attacks and data breaches.
When building your cyber security, the best practice is to have individually named accounts for all users with individual logins for all services, set to just the personal permissions they require and nothing else. That way, if that device or network does find itself under attack, the potential access that an attacker has will be much more limited.
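As an added example (not part of the original article), this Python script audits an inventory of services and scheduled tasks against the practice described above. It flags anything running as a domain admin and any account shared between workloads. The CSV columns, hosts and account names are constructed and hypothetical; substitute an export from your own inventory tooling.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: inventory export (hypothetical columns) of run-as accounts.
INVENTORY_CSV = """host,kind,name,run_as
WEB01,service,W3SVC-AppPool,CORP\\Administrator
WEB01,service,Spooler,LocalSystem
FS01,task,NightlyBackup,administrator@corp.example
APP01,service,ReportQueue,CORP\\svc-reports
APP02,service,ReportWorker,corp\\svc-reports
DB01,service,SqlAgent,CORP\\svc-sql
"""
# Constructed sample: members of the domain admin group.
DOMAIN_ADMINS = {"Administrator", "j.smith-adm"}

# Machine-local built-in identities are not domain accounts; skipped here.
BUILTIN = {"localsystem", "localservice", "networkservice", "system",
           "local service", "network service"}


def normalise(account):
    # Reduce DOMAIN\user and user@domain forms to a lower-case user name,
    # so the same account written two ways is matched as one.
    acct = account.strip().lower()
    if "\\" in acct:
        acct = acct.split("\\", 1)[1]
    if "@" in acct:
        acct = acct.split("@", 1)[0]
    return acct


def audit(inventory_csv, domain_admins):
    admins = {normalise(a) for a in domain_admins}
    findings = []
    used_on = defaultdict(set)
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        user = normalise(row["run_as"])
        if user in BUILTIN:
            continue
        workload = f'{row["host"]}/{row["name"]}'
        used_on[user].add(workload)
        if user in admins:
            # A compromise of this workload exposes the whole domain.
            findings.append(("DOMAIN_ADMIN", user, workload))
    for user, workloads in sorted(used_on.items()):
        # One account per service: reuse widens what a single compromise reaches.
        if len(workloads) > 1 and user not in admins:
            findings.append(("SHARED_ACCOUNT", user, ", ".join(sorted(workloads))))
    return findings


if __name__ == "__main__":
    for finding in audit(INVENTORY_CSV, DOMAIN_ADMINS):
        print(*finding, sep=" | ")
```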
Cyber Security Basics: Fix 4 — Train Your Users
Although it is number four on this list, training your users in the basics of data safety is one of the best cyber security methods available for avoiding an attack. It is the first thing that all organisations should do and a topic we cover in depth in our Practical Cyber workshops.
Why is staff training vital to avoid cyber threats? Most critical attacks on organisations are known for directly hacking user devices, as attackers consider them the “weak link”. They do this by using social engineering tactics to carefully hide ransomware, so the simple act of opening a compromised attachment can have a devastating effect if the ensuing ransomware encrypts everything, including all the data on your network.
Training your users to recognise social engineering attacks, including phishing emails, is some of the best cyber-security money you can spend. Plus, providing your users with valuable tools to safeguard their own personal data speaks volumes to the world about the ethical values of your company.
Cyber Security Basics: Fix 5 — Update Your Software and Operating Systems
New vulnerabilities and opportunities to attack are discovered within systems daily, allowing potential attackers to use these to break into computer systems. Updating software with security patches secures these vulnerabilities and makes it more difficult for criminals to gain unauthorised access to your cyber data and systems.
Be aware: it’s not just your operating system that needs updating — any unpatched software presents a risk, especially if there are known “exploits” available. An exploit is a method of taking advantage of a vulnerability, often crafted into executable code that attackers use to compromise a vulnerable system.
Protect Your Organisation from Cyber Attacks with Optimising IT
Since any of the previous cyber threats could breach the integrity of a range of systems and computers, any connected organisation is potentially at risk. Using these simple but effective cyber security basics can help all organisations avoid the repercussions of system breaches. Get fixing!
With the pragmatic approach and range of services we offer at Optimising IT, we can always highlight and reduce your cyber risks. Our services are crafted to suit your individual business needs. Contact us or call us on 0330 403 0011 to see how we can help.