Here are the basic precautions essential to minimizing the possibility of Ransomware or other cyber attack.
If it isn't clear from recent media reports, it should be; it's only a matter of time before the cyber-criminals come after your business. You must protect yourself and do so now. While comprehensive cybersecurity is expensive. But that’s no excuse for not doing the simple things that will protect you most of the time.
Think of it this way: just because you can’t afford 24-hour manned patrol of your premises doesn’t mean you should go home at night leaving all the doors unlocked and the windows wide open.
Here are ten activities, recommended by the UK National Cyber Security Centre, that we’ve analysed as part of our ISO 27001 course research to demonstrate how cybersecurity impacts all business processes. We've added some columns to help evaluate those activities.
And if you haven't got the capability in-house, hire an IT Expert for just one day to do it for you. The table below can then be used as instruction and check on the work done.
Table of Contents
- 10 Precautions to Protect Your Business Against Most Cyber Security Threats
- Analysis of the 10 Precautions Against Cyber Security Threats
- Cyber Security for SMEs
- Cyber Security vs Information Security
- Cyber Security Standards
- ISMS Definition
- Cyber Security Training Courses
10 Precautions to Protect Your Business Against Most Cyber Security Threats
|
# |
PRECAUTION |
P-D-C-A Cycle |
Activity type |
Focus on |
|||||
|
Plan |
Do |
Check |
Act |
Proactive |
Reactive |
Infra* |
People |
||
|
1 |
CREATE A CYBER SECURITY PROJECT TEAM Involve functional heads from across the organization. Analyse ICT systems and requirements. Develop Policies. Develop Project Plan. Implement & Control Plan. Establish a cyber incident management team - what do we do if we are attacked? - have we a recovery plan? |
P |
|
|
|
X |
|
|
X |
|
2 |
MANAGE USER PRIVILEGE Establish account management processes and limit the number of privileged accounts. Limit user privileges (access only to files and folders needed for work) and monitor user activity. Control access to activity and audit logs. |
P |
D |
C |
A |
X |
|
|
X |
|
3 |
SECURE YOUR NETWORK Protect your networks against external and internal attacks. Manage the network perimeter. Filter out unauthorised access and malicious content. Monitor and test security controls. |
P |
|
C |
|
X |
X |
X |
|
|
4 |
CONTROL REMOVABLE MEDIA Produce policy to control all access to removable media (e.g. flash drives). Limit media types and use. Scan all media for malware before importing it into the corporate system. Better still, stop using removable media and electronically block all USB ports. |
P |
D |
|
|
X |
|
|
X |
|
5 |
IMPLEMENT HOME & MOBILE WORKING POLICIES Develop a Mobile Working policy and train staff to adhere to it. Apply the secure baseline ** build to all devices. |
P |
D |
|
|
X |
|
|
X |
|
6 |
SET UP REAL-TIME MALWARE PREVENTION Produce relevant policy and establish anti-malware defences that are applicable and relevant to all business areas. Scan for malware across the organization. And that should be every device being scanned continuously. |
P |
D |
C |
|
X |
|
X |
|
|
7 |
CONDUCT CYBER SECURITY TRAINING Develop user security policies covering acceptable and secure use of ICT systems. Establish a training programme including induction training. Maintain awareness through ongoing refresher training or events. And Anti-Phishing must be included as phishing is arguably your greatest vulnerability. |
P |
D |
|
|
X |
|
|
X |
|
8 |
SECURE CONFIGURATION Apply security patches promptly and maintain secure configuration of all ICT systems. Create a system inventory (information assets) and define a baseline build** for all ICT devices. |
|
D |
|
|
X |
|
X |
|
|
9 |
CONDUCT REGULAR MONITORING Establish a monitoring strategy and develop supporting policies. Continuously monitor all ICT systems and networks. Analyse logs for unusual activities that could indicate an attack. |
P |
|
C |
A |
|
X |
X |
|
|
10 |
PROVIDE INCIDENT MANAGEMENT TRAINING Establish an incident response and disaster recovery capability. Produce and test incident management plans. Provide specialist training to the incident management team. Report criminal incidents to law enforcement. |
|
|
C |
A |
|
X |
|
A |
* - Infrastructure (hardware and software)
**- Security baselines: Every organization faces security threats. However, the types of security threats that are of most concern to one organization can be completely different from another organization.
For example, an e-commerce company may focus on protecting its Internet-facing web apps, while a hospital may focus on protecting confidential patient information. The one thing that all organizations have in common is the need to keep their apps and devices secure. These devices must be compliant with the security standards (or security baselines) defined by the organization.
Analysis of the 10 Precautions Against Cyber Security Threats
There are three points we’d like you to notice about the table:
- We’ve characterised the activities using the P-D-C-A Cycle (Plan-Do-Check-Act) and you’ll notice how much effort must be devoted to planning and the development of policies and strategies suited to the nature of the business.
- Considering the business from a cybersecurity point of view will be a significant learning experience for many of the Cyber Project team. Some training of the team may be needed especially regarding incident management.
- The majority of activities are proactive rather than reactive and there may well be a resource deficiency relating to activities such as white hat testing of ICT systems. External resources may be required from time-to-time to test systems and maintain effectiveness. Pen (for Penetration) Testing is expensive (£20.000 would be typical) partial tests on critical infrastructure costs a lot less.
Notice too how the focus is predominantly on people. Those of a technical bent often seek solutions to problems in technology (where they’re comfortable) rather than in people (where they’re less comfortable). But experience shows that the weakest link in cybersecurity is people. Training and awareness must be a major component of any effective plan to achieve and maintain cybersecurity.
Cyber Security for SMEs
Always remember, it’s not all about you! With the interlinking of information management systems nowadays SMEs are often targeted as a weak link through which to breach the security of their customers, who may be large multinationals (and so the real target).
Cyber Security vs Information Security
Cybersecurity is NOT the same as Information Technology Security. Physical security measures and the protection of hard copy data also offer vulnerabilities. See Annex A of ISO 27001 for a listing of 100+ such vulnerabilities and examples of typical controls use to reduce risk.
Cyber Security Standards
Consider certification to ISO 27001, the information security management system. Customers and potential may well respond very positively to your holding such certification. ISO 27001:2013 is the internationally-recognised Standard for an Information Security Management System (ISMS).
ISMS Definition
An ISMS provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving the protection of information assets to achieve business objectives based upon a risk assessment and the organization’s risk acceptance levels (that is, the level of risk you are prepared to accept).
It is designed to effectively treat and manage risks. Analysing requirements for the protection of information assets and applying appropriate controls to ensure the protection of these information assets, as required, contributes to the successful implementation of an ISMS.
Cyber Security Training Courses
Check out the links above to learn more about ISO 27001 courses we offer, including ISO 27001 Lead Implementer Training for those wishing to implement an information security management system.
Note: First posted on Apr 19; updated and revised on Jun 21.
Related Articles
- Integrating Cyber Security in Medical Device Management
- ISO 27005:2018 Information Security Risk Management
- Navigating the fifty-six ISO 27000 Series of Standards
deGRANDSON Global is an ISO Certified Educational Organization
In
October 2021 we secured certification to three education-related ISO Standards. We now have a university-grade management system in place conforming to the requirements of …
We have chosen ISO 21001 certification because, unlike IRCA and Exemplar badges (which in our opinion are commercially compromised), it is based on independent third-party assessment. It is a ‘university grade’ standard in use globally by schools, colleges, and universities to demonstrate their competence.