The Basic Cyber Security Check List
Businesses in the UK face more cyber security threats than ever before! Supercharged by the pandemic, the threat level has reached new highs, and with daily attacks, it is paramount that businesses protect themselves, their information and their data to preserve business continuity.
Is your business protected?
Have a look here to make sure that you have covered the basics to keep your business safe.
The cyber security landscape is changing by the day, and cyber criminals are targeting small and large organisations alike. While it is impossible to stay fully secure, there are many policies and strategies you can implement in your business to make sure you stay as safe as possible. This list states all the basic cyber security tools any business should have in place, so let’s get started!
1. Patch Management
Patch management refers to the installation of updates to core operating systems and common software.
But what exactly does patch management do?
Basically, it makes sure that you don’t have any updates waiting around putting your security at risk.
Core operating systems include, but are not limited to, Microsoft Windows, Windows Server and Apple macOS (OSX). Common software includes things like Acrobat Reader, Google Chrome and Microsoft Office. When we are talking about security, we focus on the timely manner in which security patches are rolled out. It is recommended that security patches are rolled out within 14 days of release! A good patch management solution will ensure that patches are rolled out automatically within this time frame, and if there are errors, these are proactively resolved by the managed service provider.
Are you currently doing this manually, when and if remembered?
Unpatched software is one of the biggest cyber security risks, but luckily it is one that a patch management solution will take away from you.
2. Support OS
Every device has an operating system, or OS for short. Once a device’s operating system is considered end of life by the vendor, security updates are no longer released. This means that devices that have reached ‘end of life’ are a big security risk to your organisation. Therefore, you must ensure that these devices are upgraded, updated or decommissioned before they become end of life.
3. Next Generation Antivirus
Antivirus is essential for all Windows endpoints, and every business should have a business-grade, centrally managed antivirus solution installed.
There is some debate as to whether Apple OSX, iOS (iPhones) and Android require antivirus, and this decision will ultimately depend on your business strategy, operations and attitude towards security.
Antivirus software has undergone heavy development over the last 36 months, to allow it to cope with modern threats.
The result of this?
A new type of antivirus has emerged, which has been coined ‘next-generation’. Over time this will eventually become the standard.
Traditional antivirus works by comparing programs and processes to a signature file that is updated every day. If a program or process matches one that is in the antivirus solution’s signature file, then the item is blocked from running.
How is next-generation antivirus different?
Next-generation antivirus goes a few steps further. A program or process is compared to the signature file and a cloud database containing real-time data from around the world. Not only that, but most next-generation antivirus solutions include application whitelisting. This applies a principle of “guilty until proven innocent”. If a program or process is not recognised and not included in the signature file, it will be blocked.
This provides a high level of protection which is recommended in today’s environment.
Firmware is the name given to the software that is stored on a hardware device. Every piece of technology has firmware. Firmware can be updated to improve performance, reliability and security. Therefore, firmware on key equipment must be kept up to date. Key equipment includes but is not limited to routers, firewalls, servers, client computers, wireless access points, printers and even IoT devices.
Typically, firmware updates cannot be automated and will require an IT administrator to apply them safely.
5. Remote Access
During the last year, most of us have been working from home at some point.
As a result, remote access is now an essential part of a business’s IT agility solution.
Traditional VPNs (Virtual Private Networks) were used to facilitate remote access, but modern solutions, such as Microsoft 365, do not require a VPN to be initiated. Whatever your remote access method is, you must ensure that a VPN uses L2TP or SSL, and that direct connections use SSL.
For any questions about remote access, your managed service provider will be able to provide you with information for the best solution for your business needs.
6. Network Publishing
Network publishing (also described as port forwarding or IP routing) refers to the access of an on-premise service via the internet. If you have an on-premise server and this is accessed remotely, then you have network publishing in place.
There are many other examples of network publishing, such as remote access to firewalls, routers, switches and client computers. You should always ensure that your managed service provider reviews your network publishing regularly, and that only the necessary services are published. Where possible, access should be restricted by user, location or IP address.
7. Password Policing
Password policies should be enforced by your systems and should always follow your written company policies.
Many users don’t realise the importance of having safe passwords. Too often we find that short passwords including birthdays or children’s names are still a favourite! But did you know that a password of 8 or fewer characters can be hacked in less than a minute?
Users should be trained to understand what constitutes a secure password and what does not.
There is some debate over the specifics of a complex password, but some guidelines are – 8 characters minimum, contains numbers, special characters and no complete dictionary words or names.
We know how difficult it can be to remember these long passwords! Read our guide on how to create a strong password which is easy to remember here!
Finally, we do not recommend regularly forced password resets (password expiry), but the reasons behind this are outside the scope of this checklist.
Many devices and operating systems come installed with an easily guessable username such as admin or administrator.
As convenient as it might be, these are simply just too insecure to use.
A policy should be in place to change these usernames before the device is implemented. Furthermore, usernames for individuals should never be in a first name format. A good policy is to have a First name, Surname or email address format. For shared accounts such as sales, scanner or hotdesk, a company name prefix is recommended, such as CompanynameSales.
9. User Purge
You should regularly review the users who have access to your systems and disable accounts that no longer require access. This is important when too many employees within the business have access to accounts they do not need, and especially when past employees are not removed from accounts after they have left their position in your business.
10. SPF/Reverse DNS/DMARC/DKIM
These technologies help ensure that your email domain is not spoofed.
But what does spoofed mean?
Without these technologies in place, it is easy for a threat actor to send an email from your company’s email domain name.
Yes, you read that right! Cyber criminals can use this as a way into your email account and ‘act’ on your behalf to send emails both internally and externally. When criminals send internal emails this way, they often use it to send, for example, invoices to the finance department, causing financial loss to the business.
You can imagine how ‘easy’ it can be to trick a team member this way, so you should always check with your managed service provider, to make sure that these technologies are in place for all your domain names.
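To show what "in place" means for two of these records, the following added example (not part of the original checklist) grades SPF and DMARC TXT records. The domain names and records are constructed, the function names are illustrative, and DKIM and reverse DNS are left out because checking them needs the sender's selector and IP address.

```python
# Added example: judge SPF and DMARC posture from DNS TXT answers.
# All records below are constructed; no DNS lookup is performed.

def spf_findings(txt_records):
    """Weaknesses in the SPF policy among a domain's TXT records."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["SPF: no record published"]
    if len(spf) > 1:
        return ["SPF: more than one record, which receivers treat as an error"]
    terms = [t.lower() for t in spf[0].split()[1:]]
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        if any(t.startswith("redirect=") for t in terms):
            return []  # policy is delegated to another domain; not followed here
        return ["SPF: no 'all' mechanism, unlisted senders get a neutral result"]
    first = all_terms[0]
    qualifier = first[0] if first[0] in "+-~?" else "+"  # bare 'all' means '+all'
    if qualifier == "-":
        return []
    label = {"+": "pass", "?": "neutral", "~": "softfail"}[qualifier]
    return [f"SPF: 'all' gives {label}, so unlisted senders are not rejected"]

def dmarc_findings(txt_records):
    """Weaknesses in the DMARC policy from the _dmarc.<domain> TXT records."""
    dmarc = [r for r in txt_records
             if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if not dmarc:
        return ["DMARC: no record published"]
    tags = {}
    for part in dmarc[0].split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    policy = tags.get("p", "missing")
    if policy not in ("quarantine", "reject"):
        return [f"DMARC: p={policy}, failing mail is reported at most, not blocked"]
    if tags.get("pct", "100") != "100":
        return [f"DMARC: pct={tags['pct']}, policy applies to only part of the mail"]
    return []

def audit_mail_domain(domain_txt, dmarc_txt):
    return spf_findings(domain_txt) + dmarc_findings(dmarc_txt)

if __name__ == "__main__":
    # Constructed TXT answers for example.co.uk and _dmarc.example.co.uk.
    weak = audit_mail_domain(["v=spf1 include:_spf.example.net ~all"],
                             ["v=DMARC1; p=none; rua=mailto:dmarc@example.co.uk"])
    print("\n".join(weak))
```

An empty result means the domain publishes a hard-fail SPF policy and an enforcing DMARC policy; anything else is a point to raise with the managed service provider.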
11. Email Forwards
How do the cyber criminals get all this information?
When a threat actor gains access to a mailbox, they often put a rule in place to BCC themselves into all incoming and outgoing email communication. These rules are discreet and not often noticed by the managed service provider or end-user.
By reading your emails, they quickly find out what tone of voice to use when acting on your behalf. But these rules also allow the threat actor to run a password reset against the account or wait for an opportunity to make money or infect the system.
To overcome this, you should ask your managed service provider to disable the ability for end-users to set their own automatic forwards and have this functionality restricted to IT administrators.
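Alongside disabling user-set forwards, existing rules can be reviewed for copies leaving the organisation. The sketch below is an added example, not part of the original checklist: the rule export, its field names and the domains are constructed and hypothetical, not any mail product's real schema.

```python
# Added example: flag mailbox rules that send copies outside the organisation.
from email.utils import getaddresses

INTERNAL_DOMAINS = {"example.co.uk"}  # assumption: the organisation's own mail domains

# Constructed sample export; field names are hypothetical.
RULES = [
    {"mailbox": "finance@example.co.uk", "name": "Archive", "enabled": True,
     "forward_to": ["Archive <archive@example.co.uk>"], "redirect_to": []},
    {"mailbox": "finance@example.co.uk", "name": "..", "enabled": True,
     "forward_to": [], "redirect_to": ["copy@mailbox.example.net"]},
    {"mailbox": "sales@example.co.uk", "name": "sync", "enabled": False,
     "forward_to": ["IT <it@example.co.uk.mail.example.net>"], "redirect_to": []},
]

def is_internal(address, internal_domains):
    """True when the address belongs to an internal domain or one of its subdomains."""
    domain = address.rpartition("@")[2].lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in internal_domains)

def external_forwards(rules, internal_domains):
    """Return (mailbox, rule name, address, enabled) for each external rule target."""
    hits = []
    for rule in rules:
        targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
        # getaddresses() strips display names such as "Archive <...>".
        for _display, address in getaddresses(targets):
            if address and not is_internal(address, internal_domains):
                hits.append((rule["mailbox"], rule["name"],
                             address.lower(), rule.get("enabled", True)))
    return hits

if __name__ == "__main__":
    for mailbox, name, address, enabled in external_forwards(RULES, INTERNAL_DOMAINS):
        state = "enabled" if enabled else "disabled"
        print(f"{mailbox}: rule {name!r} ({state}) sends mail to {address}")
```

Disabled rules are reported too, since a switched-off external forward still shows that someone created one, and the third sample shows why the domain is compared from the right: an address that merely starts with the company domain is not internal.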
12. Review File Access
You should regularly review the permissions on any location that stores files. This could be network shares on a server or document libraries and team sites within Microsoft 365.
When connecting to a wireless network, different security technologies are running in the background. Therefore, you should ask your managed service provider to ensure that your wireless access points use WPA2 technology for full security.
14. Removable Data Storage and AutoRun
Data exfiltration refers to data leaving the business IT estate, when it was not supposed to. Where your business’ operations allow it, always ensure that removable data storage, and autorun of removable storage, is blocked.
15. Screen Locking
After a period of inactivity, your computer should display the password screen (lock screen) asking for a password to continue operating. It is recommended that screens lock after a maximum of 10 minutes of inactivity. This helps prevent unauthorised physical access to your devices. Depending on where you work from, the inactivity time should be even shorter, e.g. if you are working in public or shared work environments.
16. Physical Security
Servers and all kinds of communications devices should be physically secured. If you follow the principles in this document, you will be digitally secured to a good standard. For this reason, threat actors are attempting to physically access devices on a network. You cannot completely prevent physical access to user devices, but servers and core network equipment are best stored in a locked comms room.
17. MFA (Multi-Factor Authentication)
One-factor authentication is something that a person knows, such as a password.
Two-factor authentication is something that the person knows and something they have with them, such as a smartphone.
Three-factor authentication is something that they know, something they have on them, and something that is part of them, such as a fingerprint or retina scan.
Multifactor authentication refers to technologies that do not just require a password. A secure business uses 2FA or MFA at a minimum.
Microsoft 365 makes MFA easy and transparent to the end user. By implementing MFA your business gets a significant increase in its security, so check with your managed service provider to make sure MFA is implemented on all your devices.
18. Endpoint Encryption
The term encryption is used broadly, and means different things depending on the hardware, software and process that it applies to.
Broadly speaking, encryption scrambles data so that only the intended recipient can read it.
When we refer to endpoint encryption, we describe the process by which data on a hard drive cannot be accessed, without a password or decryption key. Without encryption applied it is very easy to physically remove the hard drive from any device (computer, server, smart phone or tablet) and without knowing the password, access the data.
Most smartphones and tablets are encrypted by default, but Windows and Apple clients and servers are not. Therefore, you must ensure that Windows clients/servers are protected with Microsoft BitLocker, and Apple OSX devices are protected with FileVault.
19. Perimeter Firewall
A firewall monitors traffic entering and leaving a device or network. Most modern devices such as Windows 10, OSX or routers have a basic firewall built-in. However, it is recommended that your business networks have a hardware firewall at their perimeter.
Do you have on-premise servers?
Then it is essential.
But having a hardware firewall is not enough. Security services must be activated on the device. Different firewall vendors refer to security services with different names, but broadly speaking, active security services allow the firewall to be updated each day for new security threats. Despite what a managed service provider tells you, a firewall without security services enabled is only acting as a router. When a firewall is working, it’s the last thing on your mind. However, most firewalls have a lifespan of about three to five years! Your current product may lag or it might be reaching the end of its support life. In some cases, your license renewal is coming up or you need to support more remote staff. Of course, an end-of-life firewall with no regular updates will be more vulnerable to new attacks.
20. Web Filtering
Web filtering is a technology that controls which websites end users can access.
Are you considering the Cyber Essentials certification for your business?
Web filtering is now a requirement for passing Cyber Essentials.
There are two broad types of web filter.
The first type of filter will block suspect sites, such as illegal, unethical and inappropriate ones. Most antivirus software will stop these types of sites.
The second is a filter that will block a legitimate website, if it has been compromised. These filters are often called a Web DNS filter, and a monthly subscription is required.
Most businesses do not adopt a DNS filter due to cost, but we suspect that it will become as standard as running AV, over the next few years.
21. End-User Security Training
The final defence in your security arsenal is a properly trained end user.
Did you know that the majority of leaks happen because of an end user?
This makes your team your biggest defence against cyber crime, and they should be duly trained in this. Using online bite-sized videos and personalised content, your team can be well-trained in a cost-effective manner.
Technically, backups are not a security feature. However, they are a critical part of your IT estate and provide business owners peace of mind from all manner of threats, security and otherwise. Ensure that your backup is checked daily, restores are tested at least weekly, and data is stored in an offsite location. Finally, it is also important to understand the security in place to protect your data in the offsite location, which a managed service provider can advise you on.
Will these steps make my business secure?
By following these 22 steps, your business will have a good basis for operating safely.
That being said, cyber threats are growing by the day, and as soon as new security tools come out, cyber criminals find new ways to break into a company. Day after day, we find that the ‘easy’ way in is the most used, so implementing your cyber security policy on the back of this article will put you a good while ahead and allow you to continue your business with peace of mind!