
Tips to Ensure Your Cyber Security is Protecting Your Online Business

You may (or may not) be bringing your staff physically back into the workplace. You will, however, almost certainly be using an internal network.

By RoundWorks IT. Published 3 years ago. 5 min read.
Photo by Tyler Franta on Unsplash

You may (or may not) be bringing your staff physically back into the workplace. You will, however, almost certainly be using an internal network and/or the internet to some extent. In fact, it’s increasingly likely that your business will depend on them. With that in mind, it’s vital that you maintain robust cybersecurity. Here are some tips to help.

Luke Watts of RoundWorks IT shares his expertise on how to ensure cyber security is protecting your online business.

Make sure your connections are safe

Even if you’re very much an “on-site” business, you’re probably going to find yourself supporting multiple internet connections. For example, your office may use a combination of wired and WiFi connections. Some employees may work from home part of the time. Some employees might travel part of the time.

All of these connections need to be secured. The security of your own internal networks depends partly on your physical infrastructure and partly on its settings. If you aren’t confident in managing these yourself, get a reputable managed IT services provider to help you. Do not rely on an employee who “knows about IT” (unless they genuinely have relevant qualifications/experience).

You cannot directly control the security of external internet connections. You can, however, minimize the extent to which your employees use them by providing mobile data connections for employees on the go. All employees using external connections should access the company network via a virtual private network (VPN). This very much includes employees working from home.

Deploy appropriate security software wherever it’s needed

As a minimum, all businesses should be running a firewall and anti-malware-scanning software. A firewall is basically a shield between your internal network (and its attached devices) and the internet. Anti-malware-scanning software is often called antivirus software. This is, however, misleading. It’s been many years since viruses were the only threat in cyberspace.

If you’re running your own website, then it needs its own protection. You should therefore be looking at a Web Application Firewall (WAF) and anti-malware-scanning software. As the name suggests, WAFs essentially perform the same functions as regular firewalls. The technicalities of them, however, are a bit different.

Protect all your devices with VPNs and anti-malware-scanning software. This includes phones and tablets as well as laptops and desktops.

Implement robust access controls

Firstly, only grant people access to anything when there is a clear business justification for doing so. This does not have to mean a strict need, although it generally should. A meaningful want may be sufficient. Either way, there should be a clear reason for granting a person any kind of access to anything.

Access privileges should be reviewed any time circumstances change, even if the access-holder remains within the company. For example, access rights relevant to one role may not be relevant to another. Access privileges should also be reviewed periodically regardless of changes.

In particular, look for users who have been added without appropriate documentation or users who are not using their accounts. The former may be a sign that you have been hacked. It is certainly a sign of a security breach you need to investigate. The latter may be dormant accounts that should be deactivated for security reasons.
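The review described above can be run as a routine check rather than an occasional manual pass. The script below is an added example, not the article's or RoundWorks IT's own tooling: it takes a small constructed account export and flags the three conditions the text names, accounts created without an approval record, accounts that have gone unused, and accounts still holding rights their current role does not justify (the role-change case). The field names, the role baselines and the 90-day dormancy threshold are all assumptions made for this example.

```python
"""Periodic access review over a constructed user inventory (added example)."""
from datetime import datetime, timedelta

# Constructed sample export, roughly the shape a directory or HR system gives you.
# Field names are assumptions for this example.
SAMPLE_ACCOUNTS = [
    {"user": "alice", "role": "finance", "created": "2023-06-12",
     "last_login": "2024-05-30", "ticket": "ACC-101", "rights": {"ledger", "crm"}},
    {"user": "bob", "role": "sales", "created": "2023-08-02",
     "last_login": "2024-01-15", "ticket": "ACC-117", "rights": {"crm"}},
    {"user": "svc-report", "role": "admin", "created": "2024-05-20",
     "last_login": "2024-05-29", "ticket": None,
     "rights": {"ledger", "crm", "cms", "servers"}},
    {"user": "carol", "role": "marketing", "created": "2023-11-01",
     "last_login": None, "ticket": "ACC-088", "rights": {"cms"}},
]

# Assumed per-role baseline: the rights each role needs and nothing more.
ROLE_BASELINE = {
    "finance": {"ledger"},
    "sales": {"crm"},
    "marketing": {"cms"},
    "admin": {"ledger", "crm", "cms", "servers"},
}


def _parse(day):
    """Parse an ISO date string, or return None for a missing value."""
    return datetime.strptime(day, "%Y-%m-%d") if day else None


def review_accounts(accounts, today, dormant_after_days=90, baseline=ROLE_BASELINE):
    """Return a list of (user, finding, detail) tuples for a review run on
    `today` (ISO date string). Finding kinds: 'undocumented', 'dormant', 'excess'."""
    cutoff = _parse(today) - timedelta(days=dormant_after_days)
    findings = []
    for acct in accounts:
        user = acct["user"]

        # 1. No approval record: establish who created it and why before anything else.
        if not acct.get("ticket"):
            findings.append((user, "undocumented",
                             "no approval ticket on record; investigate how it was created"))

        # 2. Unused account: never logged in since creation, or not within the window.
        last = _parse(acct.get("last_login"))
        if last is None and _parse(acct["created"]) <= cutoff:
            findings.append((user, "dormant", "never used since creation; deactivate"))
        elif last is not None and last <= cutoff:
            findings.append((user, "dormant",
                             f"no login since {acct['last_login']}; deactivate"))

        # 3. Rights beyond the current role, e.g. left over from a previous job.
        excess = acct["rights"] - baseline.get(acct["role"], set())
        if excess:
            findings.append((user, "excess",
                             f"rights not justified by role {acct['role']}: {sorted(excess)}"))
    return findings


if __name__ == "__main__":
    for user, kind, detail in review_accounts(SAMPLE_ACCOUNTS, "2024-06-01"):
        print(f"{user:12} {kind:12} {detail}")
```

Run against the sample on 2024-06-01 it reports one undocumented account, two dormant ones and one account with a leftover right; the undocumented finding is the one to investigate first, since the article treats it as a breach until shown otherwise.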

All accesses should be secured with appropriate controls. As a minimum, they should require strong and unique passwords. Ideally, two-factor authentication (or even multi-factor authentication) should be implemented as much as possible. Two-factor authentication combines something you know (your password) with something you have, usually a one-time access code.

Managing passwords

Strong and unique passwords are still very much the bedrock of access controls. It is, however, extremely difficult for employees to remember strong and unique passwords for all the applications they use. It may therefore be advisable to invest in a password manager. Like most security tools, they are neither infallible nor invulnerable. These days, however, they are often the most pragmatic option.

Whatever else you do, always change any weak, default passwords you come across. You are unlikely to find many of these on commercial products. You are, however, still very likely to come across them on open-source software. They are a security breach waiting to happen, so change them immediately.

Keep your systems updated

If you are doing everything in the public (or a managed) cloud, your cloud vendor will take care of all updates for you. That said, you will still need to update the devices you use to access the cloud. If you’re running any of your own infrastructure, including software/apps, then you’ll need to make sure that they are promptly updated.

For example, if you’re running networked and/or “smart” devices, they may need their firmware updated. Mobile devices, laptops and desktops will all need their operating systems updated. Any locally installed software/apps will generally need periodic updates.

The reason these updates need to be installed promptly is that they often fix recently discovered security vulnerabilities. These vulnerabilities will usually have become public knowledge (possibly because of the update). As such, they may be exploited by cyberattackers in what are known as “zero-day attacks”.

Assume you’re going to experience a security breach

Even with all the best precautions in the world, there is always the possibility that you will experience a security breach. You, therefore, need a plan in place to deal with it. This plan starts by knowing what assets you need to protect. In the context of cybersecurity, that means you need to know what data you have and where it is.

All sensitive data should always be stored encrypted. This is now a non-negotiable. It means that even if cyberattackers get access to your data, it is useless to them. That protects your data subjects (and keeps you out of trouble with the ICO). All important data must be appropriately backed up and/or archived.

In simple terms, backups are “warm” (fast-access) storage. Archives are “cold” (slow-access) storage. Any important data should be backed up/archived twice. One backup/archive is usually kept locally and the other offsite. If you’re in the cloud, that translates as keeping one backup/archive in your regular cloud and the other somewhere else. This could be another cloud or somewhere offline.

There is a lot of strategy to taking effective backups. This is outside the scope of this article. Again, however, a managed IT services company will be able to help. Whatever you do, make sure you can restore from your backup.
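The last point, proving that you can actually restore, is the one most often skipped. The following is an added example, not the article's or RoundWorks IT's own tooling: a small restore drill that backs up a directory of constructed sample files, restores the archive into a scratch location, and compares every file's SHA-256 digest with the original. It also checks that a damaged copy (here, an archive truncated to simulate a corrupted offsite copy) is reported as unusable rather than silently passing. Everything runs inside a temporary directory; the file names and contents are made up for the example.

```python
"""Backup restore drill on constructed sample files (added example)."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def file_digests(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(src_dir, archive_path):
    """Write a compressed tar archive of src_dir (the 'warm' copy)."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(src_dir, arcname=".")


def restore_backup(archive_path, dest_dir):
    """Extract the archive into dest_dir; a damaged archive raises."""
    # Use the safer extraction filter where the Python version provides it.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive_path, "r:gz") as tar:
        tar.extractall(dest_dir, **extract_opts)


def verify_restore(src_dir, archive_path):
    """Restore into a scratch directory and compare digests with the source.
    Returns True only if every file comes back byte-for-byte identical."""
    try:
        with tempfile.TemporaryDirectory() as scratch:
            restore_backup(archive_path, scratch)
            return file_digests(scratch) == file_digests(src_dir)
    except (tarfile.TarError, OSError, EOFError):
        return False


def run_drill():
    """Return (healthy_ok, damaged_ok): a good archive must verify,
    a truncated one must not."""
    with tempfile.TemporaryDirectory() as work:
        # Constructed sample data standing in for real business files.
        src = Path(work) / "data"
        (src / "ledger").mkdir(parents=True)
        (src / "ledger" / "2024.csv").write_text("id,amount\n1,100\n2,250\n")
        (src / "customers.txt").write_text("constructed sample record\n")

        archive = Path(work) / "backup.tar.gz"
        make_backup(src, archive)
        healthy_ok = verify_restore(src, archive)

        # Simulate a corrupted offsite copy: keep only the first half of the archive.
        damaged = Path(work) / "backup-offsite.tar.gz"
        damaged.write_bytes(archive.read_bytes()[: archive.stat().st_size // 2])
        damaged_ok = verify_restore(src, damaged)
        return healthy_ok, damaged_ok


if __name__ == "__main__":
    healthy, damaged = run_drill()
    print(f"healthy archive restores: {healthy}; damaged archive restores: {damaged}")
```

The point of the drill is the comparison step: an archive that exists is not evidence of a backup, only a restore that reproduces the original data is. Running the same verification against both the local and the offsite copy on a schedule turns the article's advice into something measurable.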

About the Creator

RoundWorks IT

RoundWorks IT are specialists in Managed IT Support, including, backup and disaster recovery, cyber security and more for businesses across East Midlands.
