The recent ransomware attack on Amey rattled nerves in the construction industry. Amey’s response to the breach was seemingly responsible, but when all is said and done, it was largely a case of shutting the stable door after the horse had bolted. So how can you avoid the same thing happening to you?
Fix obvious points of exposure fast
Before you think about your long-term approach to cyber security, act now to address immediate points of exposure that could leave you vulnerable to attack. Here are five basic cyber defences you should make sure are implemented straight away.
Note: The way in which you address the points below may alter depending on the technologies you use (such as Cloud services), however the principles remain the same!
- Software updates: Is software on all devices (including servers, laptops, desktops, smart devices) up to date? Manufacturers and software companies are in a race to stay ahead of hackers who are constantly looking for ‘hidden back doors’ in their products. Keeping firmware, operating systems and applications up to date will help ensure you’re keeping those hidden back doors firmly shut.
- Passwords: Are staff required to change passwords regularly (at least every six months), and are passwords set to a minimum length, comprising different types of character? Is password sharing prohibited? Are staff encouraged to use different passwords for different applications? You’ll be surprised at the number of people who use the same login credentials for all their devices and applications. If a staff member uses the same password for their local gym membership as they do for their work systems, a hacker who has access to the gym’s database will be well on the way to accessing your systems. Scarily, lists of hacked emails, usernames and passwords are freely available for sale on the ‘dark web’.
- Anti-virus and anti-malware software: Are all devices protected by up-to-date antivirus and/or anti-malware features? In addition to regular automatic scanning of system activity, are these features configured to perform a ‘deep scan’ (including all boot records) at least weekly? Security vendors constantly update their products to protect against the latest threats. Delaying updating anti-virus signatures by even a few days could lead to unnecessary exposure.
- Firewalls: Is your business network protected by well-configured firewalls? In basic terms a firewall will monitor network traffic and block certain types of (often malicious) connection between the outside world and your network. If not configured properly, it’s possible that malicious traffic will get through.
- Staff awareness: Are all staff warned of the potential dangers of unsolicited emails and clicking on suspicious links? Cyber-attacks often rely on users clicking on a link that triggers the download of malicious software; or they invite the user to unwittingly share information (such as login credentials). Consequently, staff education is in itself a basic cyber defence.
Plan and execute your longer-term cyber security strategy
Once you have assurance that you’re applying basic cyber security disciplines, step back and plan your longer-term cyber security strategy. For most organisations, this will likely require expert input to map out a pragmatic approach that fits the risk profile of the business. Experience tells us that there are some key features to get right.
Be guided by the risk: Many organisations make the mistake of trying to boil the ocean when it comes to cyber security. This can prove costly and ineffective. Identify the information that’s valuable to you and protect it accordingly. For critical information, apply additional levels of protection (such as dual-factor authentication or encryption). Deliver risk reports to management that help them make decisions based on the most important risks.
Recruit the Board: Your cyber security strategy won’t succeed unless it has the backing of the Board. Do they understand the true extent of the cyber threat? Are they equipped to make decisions about cyber risk? Have they approved enough budget? Have they appointed a senior individual to take ownership of cyber security?
Apply structure: Your cyber security capability won’t be effective if it’s applied piecemeal. A good security governance approach features clear policies and standards at the top, supported by ‘how to’ guidance describing how the business should comply on a daily basis. This also provides a common structure against which you can measure compliance over time.
Don’t forget about your suppliers: Cyber criminals will often target an organisation’s supply chain as an ‘easy way in’. Work closely with Procurement and Legal to ensure that suppliers apply a minimum level of security that reflects the nature of the relationship.
What happens if you suffer a cyber breach?
Even the most cyber-mature organisations get hit. If that happens, it’s all about keeping the business running whilst minimising damage. Here are some basic measures that will help you know you’ve been hit, and then recover.
System monitoring: Will you know if your systems have been breached? Ideally, you’ll want to find out before a client or external authority notifies you. Strange symptoms might give you a clue that something’s up (users locked out, random popups, unexpected software installation being but a few). But remember it’s possible to be breached and know nothing about it for an extended period. The purpose of spyware is to lurk unnoticed to gather valuable information (such as login credentials) over time. While security software will often notify you if something is wrong, you should have a good helpdesk that can act on anomalous activity reported by users. For critical systems you might wish to explore more specialist software or monitoring services.
Up-to-date Backups: Is important data backed up automatically to a separate environment on a regular basis, and have backups been tested? Recovering your systems quickly in the event of them being rendered unavailable is critical. If you have recent backups that haven’t been compromised by the breach, you’re far more likely to be able to recover swiftly. In the case of ransomware, the hacker will usually encrypt sensitive data and then demand a ransom in return for decrypting it. Up-to-date, unaffected backups will go a long way in helping you to recover.
Business Continuity Plans: Is there a plan in place that details how the business should respond if an incident occurs? Many large companies will have sophisticated plans in place, but even a basic set of recovery actions (along with a contact list of numbers for senior managers) will help everyone stay level-headed and enable the business to respond. Don’t forget to include liaison with relevant authorities (such as the Information Commissioner’s Office and Police) who will need to be informed in the event of a data breach.
While cyber security can be daunting for some, no business can afford to ignore basic cyber protection measures. Building on these to implement a risk-based approach to cyber security – that becomes ‘business as usual’ over time – will pay dividends in the longer term.
If you would like to arrange a one-to-one phone call with CRMG to discuss your current cyber security arrangements and cyber security strategy, please contact us at info@crmg-consult.com.
About the author
Simon Rycroft
Co-Founder & Director, CRMG
simon.rycroft@crmg-consult.com
