TRAINING, AUDITS/REVIEWS, CYBER INSURANCE, PROCESSES AND PROCEDURES

So far, the papers in Cyber Security Month have looked mainly at the more technical sides of understanding the causes and prevention of potential cyber-attacks. This paper looks in more detail at how you can embed cyber-attack awareness into your workplace. It examines the ways you can mitigate the possibility of an attack occurring and breaks these down into processes and procedures, relying on people as the first line of defence against potential attacks.

The measures you can take to help create a best practice environment fall into the following areas:

  • Managing People
  • Managing Systems
  • Managing the working environment at the Office and at Home
  • Managing Communications
  • Utilising expertise and your Cyber Review Processes
  • Cyber Insurance
  • Other Best Practice approaches

Consistent application across these areas will directly help reduce the impact of cyber threats.

Managing People

Ensure that only the appropriate permissions are given to each member of staff, that permissions are reviewed regularly, and that a strict process controlling joiners, leavers and changes of role is in place. Ensure there is a regular, minuted Cyber Security meeting.

Invest in ongoing training to ensure that everyone understands their responsibilities in respect of cyber security, including:

  • Communication encryption
  • Updating software, firmware, etc.
  • Recognition of a threat/breach and what to do when one occurs
  • Physical security

Appoint someone to oversee and own the staff cyber security responsibilities, including training.

Raising General Awareness – The key to a successful Cyber Security policy is ensuring that everyone in your organisation is briefed on the risks and is aware of their responsibilities. Cyber attackers often use phishing techniques to obtain employees’ credentials and infect an organisation’s systems with malware, or to acquire employees’ financial information. Examples include:

  • Phishing and its variations, such as smishing and business email compromise (BEC), were the most common types of cyber-attack in 2021.
  • Smishing, or SMS phishing, is when a malicious link is sent to mobile devices through text messages or SMS. In this way, attackers try to gather valuable confidential information.

Managing Systems

It is important to assess what IT support you have in place. Are they accredited, and do they provide you with a regular status update on all potential areas of cyber security breach?

Automatic backups and security updates will help keep operating systems up to date with the most current patches. Where no automated capability exists, ensure that the appropriate staff are trained to carry out the required updates.

An annual audit of all your software is recommended to ensure ongoing readiness against threats.

A Virtual Private Network (VPN) can help counter attacks. A VPN creates another layer of security for your computers, laptops, mobile devices, etc. by effectively changing the address the device presents to the network and strengthening your encryption capability.

Managing the working environment at the Office and at Home

It is hard to check that all protocols are followed at home. Ensure that the standards expected of employees in the office apply equally at home. Physical security is as important at home, and when out and about away from the office or home, as it is in the workplace. Education and prevention are the keys to minimising your cyber risk from home workers.

The use of VPNs – Most home workers use the internet connection available at home to access their workspace. Ensure that there is sufficient robustness around the use of VPNs at the appropriate points in your network security.

Managing Communications

Many of the breaches that occur start with members of staff in an organisation and often occur unwittingly. It is important to ensure that the point(s) at which communication with the outside of your organisation begins are as secure as they can be. This means employing best practices around email in particular.

Email Best Practice

Ensure that your business has encryption software available to allow the author of the email to send the email securely at the point of origin.

There are a number of systems widely available for this purpose. Remember that GDPR principles warn against sending personal data, including sensitive personal data, in a non-secure way.

The use of secure email encryption should be standard practice for all employees.

  • Train employees on email security best practices.
  • Create strong passwords.
  • Don’t reuse passwords across accounts.
  • Consider not changing passwords regularly.
  • Use multifactor authentication (MFA).
  • Take phishing seriously.
  • Be wary of email attachments.
  • Don’t click email links.
  • Don’t use business email for personal use and vice versa.
  • Avoid public Wi-Fi.
  • Use email security protocols and tools.

Employee negligence and a loose authentication framework have led to a substantial number of breaches. Best practice, along with the adoption of strong email encryption, will help reduce these.

It is important to speak to your IT support to ensure that they have an appropriate email set-up established for your business. Many cyber security publications warn against the use of consumer email services for business use, so the use of @yahoo, @google, @hotmail, etc. should be considered vulnerable. These email providers have themselves now created business versions of their services to improve security.

Peer to Peer communication

One of the benefits of the advice industry's improved use of technology is the increasing use of portal technology. Portals allow the secure communication of information between users of the same system; effectively, they allow peer-to-peer communication to take place. This is a very secure method of communication, as it requires at least a username and password for a user to gain access.

Utilising expertise and your Cyber Review Processes

As previously mentioned, look into a professional IT support company that can help you manage your IT needs against the ISO standards. The support company should be able to give you a report on their approach and on how they continue to protect themselves and your business against threats.

Cyber Insurance

With all the inherent risks that cyber-attacks continue to pose, Cyber Insurance has become an increasingly attractive option for firms. More Cyber Insurance providers are now available, although adoption is still relatively low. There are a number of factors to consider, and these are highlighted further by the National Cyber Security Centre at www.ncsc.gov.uk/guidance/cyber-insurance-guidance.

Seek professional IT help if needed and ensure you review your processes and procedures regularly, whilst Cyber Security Insurance can provide peace of mind should anything untoward happen and materially impact your business and your clients.

Our Cyber Security Month is Supported By Our Sponsors

Beyond Encryption is the industry standard for secure digital communications, working with major household brands such as Aegon, HSBC, Royal London, Origo, Paragon Customer Communication and Westcoast Cloud.

We’ve built the world’s most secure encrypted communications network, protecting and connecting advisers, providers and platforms throughout financial services and other aligning industries with our secure email solution, Mailock.

Mailock is our versatile software platform, enabling organisations to send customer communication securely via email. Mailock protects sensitive data through end-to-end encryption and multi-factor authentication capabilities, helping our customers to remain compliant, reduce costs, and improve operational efficiencies – not to mention achieving a positive environmental impact through the reduction of print, pack, and post.

With nearly 100,000 customers across 1.8k companies, we give organisations the freedom to exchange information confidently, cost-effectively, and with full compliance, supporting businesses on their digital transformation journey.

Westcoast Cloud is a pure-play cloud distribution partner, enabling over 750 partners to make the most of public cloud services and the associated security that is needed to support their use.

From email security and anti-phishing software for Microsoft 365 to advanced tools and security for Microsoft Azure, we educate and train partners to be able to provide best-in-class Microsoft security solutions to over 34,000 end user customers.

Alongside these tools we partner with best-in-breed solutions such as Beyond Encryption. This ensures that markets needing that extra layer of security, such as financial services and legal organisations, can stop potential attackers and disrupters accessing customer information without their knowledge. With Beyond Encryption's advanced toolset, customers can control, manage and maintain the security layers around their emails to ensure that the right information is reaching the right people all the time.