Cyber Security for SMEs
Protecting the devices your teams use (laptops, smartphones and tablets) and the systems they have access to, wherever and whenever they may be working, should always be a top priority.
Data protection is becoming increasingly important to organisations, with huge fines, reputational damage and even business loss being associated with data breaches. Your Cyber Security plan should be focused around data protection, such as how you secure and prevent unauthorised access to critical data.
Email Security for Microsoft 365
Using Barracuda Sentinel technology, threats are detected that traditional email security solutions would miss.
We will guide you through Cyber Essentials and Cyber Essentials Plus, helping you to achieve the accreditation.
Extend your on-premise protection with WatchGuard Total Security; suspicious behavior will be flagged with immediate action taken.
End User Education
Your team are your best defence against cyber crime; education is key to protecting your organisation’s systems.
Endpoint Security and Compliance
Your devices are protected and monitored 24/7 with malicious activity detected before malware is deployed.
Advice and Guidance around Cyber Security for SMEs
The following solutions will go some way to helping protect your organisation against a cyber attack or data loss. Although no preventative measure is guaranteed, by adding multiple layers of security you will vastly reduce the risk of becoming the victim of a cyber attack.
Passwords and Two Factor Authentication (2FA)
Securing access to systems with a username and password has been commonplace for decades now. Known as single-factor authentication, the requirement of a username/password combination to allow access to a system is of course essential for information security within every organisation.
Every organisation should have a password policy in place to enforce specific requirements for length, complexity, and history, but you should also publish guidance for users on password best practice.
- How to avoid choosing obvious passwords – such as those based on easily discoverable information, like the name of a favourite pet.
- Avoiding the use of common passwords
- Not to use the same password anywhere else, at work or at home
- Where and how they may record passwords to store and retrieve them securely
- Using password management software
A business may have several different applications or platforms, each with their own authentication systems, meaning employees must remember multiple usernames and passwords. Alongside this, everyone now has multiple personal accounts for various services. Even with the appropriate guidance, it is well known that people will generally reuse passwords across multiple accounts, both business and personal, which of course creates a security concern. In addition, there have been widespread data breaches putting millions of username/password combinations up for sale on the dark web, which of course makes passwords much less secure and puts business systems at risk of attack.
With the shift to cloud computing over recent years, many organisations now host their IT infrastructure within the cloud, making their systems very accessible. This accessibility brings additional security concerns as these cloud-based systems are prone to brute force attacks. The systems themselves are not necessarily insecure, but the use of weak passwords by their users has vastly increased successful brute force attempts and therefore data breaches.
To combat this, an additional layer of authentication security is required in the form of two factor or multi-factor authentication. Instead of trying to enforce better password hygiene practices amongst employees, adding an additional layer of authentication security combined with their password provides a much stronger authentication system. This second form of authentication is generally in the form of something you have and may be a physical smart card or a USB security key, but more often, a code which has a shelf life of around 30 seconds. These codes can be delivered via physical tokens, or more commonly now, via a mobile app. Some apps even provide “push” technology where you simply click an Allow or Deny button from your phone.
Nowadays you will struggle to find a business or personal cloud platform that does not offer 2FA or MFA as part of its authentication platform. This is generally included at no extra cost, as the cloud platform provider wants to ensure their environments are considered safe and secure, and some will enforce that 2FA is enabled.
Email is a core component of everyday working life within organisations and is a great way to communicate with anyone from around the globe. Email, however, is one of the main sources for a hacker to successfully compromise a network. Email attachments that contain malware and links that send you to a malware infected website are all common ways that a hacker will gain entry. Hackers are also developing more and more sophisticated phishing techniques to socially engineer their way into a network.
There are of course ways in which you can secure your email environment to reduce the likelihood of your network being compromised.
Email Security Solutions
For many years, businesses have implemented anti-spam technology to help protect email users against receiving large amounts of unwanted or spam email. These were an essential component to filter out all the rubbish you didn’t want to see and would generally use lists, keyword search and heuristic search to filter out the spam. There would then generally be anti-virus engines built into these solutions to protect against virus infections to the email environment.
Many businesses these days will use a completely hosted email solution such as Microsoft 365 or Google G Suite. As a standard, these all have built in traditional spam filtering as part of that service, giving you the minimum email security any business should have in place. There are then additional subscription services that can be purchased to further extend this.
Modern email security solutions utilise three main weapons in the fight against cyber crime:
- Utilising AI to learn how people communicate within your organisation and therefore reducing spear phishing attacks
- Scanning the content of attachments to ensure no malware is present
- Checking links within emails to ensure they’re legitimate and are not redirecting to malicious websites
All users should be provided with Cyber Security awareness training to help them understand how email-based threats operate and how they can be avoided. Phishing techniques have become very adept at using AI to mimic how people communicate with their colleagues.
Training employees on how to identify and handle suspicious email, including how to report this content to the relevant IT teams within your organisation should be a top priority. There are now many platforms that provide this type of service, generally delivered via video training in bite size chunks so that employees can easily understand and re-visit if required. Any training should not be a one-off and should be undertaken on a regular basis to ensure everyone always has it in their mind.
In addition, phishing simulation tools can be used to create test content that an organisation can send to all employees to see how they respond once they’ve had their training and identify any individuals that may need some additional training.
To protect an organisation’s email domain reputation, there are several measures that should be put into place. These are fairly simple measures that give a recipient mail server the controls and validation it needs to know that email received is genuine, which helps protect email senders and recipients from spam, spoofing, and phishing, alongside protecting the reputation of your email domain:
- SPF (Sender Policy Framework). This is a DNS record added for each email domain used and defines a list of authorised email servers for the domain, so that receiving email servers can check the source of incoming email against the SPF list.
- DKIM (DomainKeys Identified Mail). DKIM will sign emails to prove they came from your organisation. It authenticates that email is genuine via a digital signature and makes it easier to identify spoofed emails. The sending email server signs the email with a private key and the receiving mail server uses the public key to verify the signature.
Protecting endpoints with an anti-virus solution has been a basic requirement for decades. Traditional anti-virus clients are signature based – they monitor for known virus types and behaviours, with these signatures being regularly updated on a central database to ensure protection against new and emerging threats.
In modern times, there are many more sophisticated threats that can cause huge disruption, system downtime and data loss. A lot of these may use legitimate processes or actions in a malicious way. For example, crypto-locker uses the legitimate action of encryption, but in a malicious way, to lock you out of your data.
New technology has emerged in recent times to extend traditional anti-virus. Known as an EDR (Endpoint Detection and Response), this will look at behaviours and activity on endpoints and record these to a central repository for additional analysis and investigation. The EDR will stop suspicious processes from executing or stop legitimate processes running if the EDR detects they are being used maliciously.
This additional layer of protection will become the norm in the not so distant future and there are already many security software companies with EDR offerings.
The Cyber Essentials scheme is a framework devised by the UK Government to adopt good practice on information security. It contains a set of security standards which organisations can be assessed and certified against.
The scheme focuses on the following five essential mitigation strategies:
- Boundary Firewalls and Internet Gateways
- Secure Configuration
- Access Control
- Malware Protection
- Patch Management
Completing this accreditation will demonstrate to all of your clients and partners that your data is adequately protected and that you take cyber security seriously.