Industry issue:

Cyber security for the “Reluctant IT Director”

29 October 2018

Hardly a week goes by without news of another cyber attack, or the release of confidential information into the public domain. As a non-technical Board Director who is responsible for IT, “The Reluctant IT Director”®, it is your responsibility to ensure that your company's IT remains secure: not only to stop hackers getting in, but also to ensure that data doesn’t leak out!

With the General Data Protection Regulation (GDPR) just around the corner and the heavy fines that could be imposed on businesses that fail to secure their data, we have set out some of the areas that you should review when considering your IT security policy.

Understand the landscape and identify what is applicable and relevant to your business:

  • Sanctions
  • Accreditation standards
  • Regulation - GDPR (General Data Protection Regulation) applies to everyone

What can I do?

  • Identify where your data is and who has access
  • Review your data policies and processes and ensure your employees are aware of them
  • Review the tools in place to:
    • Prevent
    • Detect, and
    • React

Don’t be complacent, the risks are increasing:

  • Security is not something that you address and then move on. It has to be continually monitored and reviewed
  • In the recent HM Government Cyber Security Breaches Survey 2017, it was reported that:
    • 68% of large organisations,
    • 66% of medium organisations; and
    • 45% of small organisations
    …had identified a cyber security breach in the past 12 months.

Threat intelligence will help your business understand the risks by providing insight on:

  • The mechanisms used
  • How to detect a breach
  • What are the implications
  • What can you do to protect your assets

How can I get it?

  • Sign up to security newsletters
  • Outsource your security to a third party organisation or Threat Intelligence service
  • Speak to your IT support organisation

Apply security that is appropriate for the assets you wish to protect:

  • Define your baseline security that applies to everything in your organisation
  • Identify the assets that require additional protection, for example:
    • Customer databases
    • Intellectual Property
    • Sensitive information, etc.

…and apply appropriate protection to them.

Keep your Hardware and Software up-to-date:

  • Ensure you use current versions of supported applications. Older applications are prone to security vulnerabilities and should be avoided.
  • Keep operating systems current and patched. This may also require periodic hardware updates.

Ensure you have a robust Password Policy:

  • A password should have a minimum of eight characters and contain a mixture of upper- and lower-case letters, numbers and special characters.
  • Avoid using the same password for multiple accounts.
  • Avoid common passwords and ensure that they expire periodically and cannot be reused.
  • Use the first letter from each word of a sentence or consider the use of a password manager to help you remember them, but don’t write them down!
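As an added example, not from the article, here is a small Python check that enforces the policy above as written. The minimum length and character mix come from the bullets; the history depth of five, the 90-day expiry period and the common-password list are assumptions made for the example.

```python
import hashlib
import hmac
import os
import re
from datetime import date, timedelta

# Minimum length and character mix are the policy's own; the history depth,
# expiry period and common-password list are assumptions for this example.
MIN_LENGTH = 8
HISTORY_DEPTH = 5
MAX_AGE = timedelta(days=90)
COMMON_PASSWORDS = {"password", "password1", "qwerty123", "letmein", "welcome1"}  # constructed

def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 hash, so the reuse history never stores passwords in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def check_policy(password: str, history: list) -> list:
    """Return every rule the candidate password breaks (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("needs both upper and lower case")
    if not re.search(r"\d", password):
        problems.append("needs a number")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("needs a special character")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    # Reuse check against the salted hashes of the last HISTORY_DEPTH passwords.
    if any(hmac.compare_digest(_digest(password, salt), digest)
           for salt, digest in history[-HISTORY_DEPTH:]):
        problems.append("reused a previous password")
    return problems

def record_password(password: str, history: list) -> None:
    """Store a fresh salt and hash so the password cannot be chosen again."""
    salt = os.urandom(16)
    history.append((salt, _digest(password, salt)))

def is_expired(last_changed: str, today: str) -> bool:
    """True once the password (dates as ISO strings) is older than MAX_AGE."""
    return date.fromisoformat(today) - date.fromisoformat(last_changed) > MAX_AGE
```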

Be aware of Phishing:

  • Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons, by disguising itself as a trustworthy entity in an email.
  • Email addresses and personal details are often captured through social media sites, chain emails or stolen databases.
  • The email will contain links to websites that may look legitimate but are in fact fake and will ask you to enter sensitive information.
  • The email may also include attached documents which you should NEVER open.
  • Be aware of spoofed email addresses that contain domain names very similar to yours.
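The last bullet is the one a mail filter or helpdesk can actually test for. As an added example, not from the article, the following Python compares the sender domain of each From: header against the organisation's own domain (example-company.co.uk is an assumed placeholder) and flags digit-for-letter swaps, rn-for-m style substitutions, the same name under a different suffix, and our domain appearing only in the display name; the headers are constructed samples.

```python
import unicodedata
from email.utils import parseaddr

OUR_DOMAIN = "example-company.co.uk"  # assumption: the organisation's own domain

# Substitutions commonly used to build lookalike domains (constructed list).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Constructed sample From: headers, as a mail filter or helpdesk would see them.
SAMPLE_HEADERS = [
    "Finance <accounts@example-company.co.uk>",
    "CEO <ceo@examp1e-company.co.uk>",  # digit 1 for letter l
    "CEO <ceo@example-cornpany.co.uk>",  # rn for m
    "IT Support <it@example-company.com>",  # same name, different suffix
    '"ceo@example-company.co.uk" <ceo@mail-freebox.test>',  # our domain only in the display name
    "Supplier <orders@acme-widgets.test>",
]

def skeleton(label: str) -> str:
    """Reduce a domain label to a skeleton so visually similar spellings compare equal."""
    text = unicodedata.normalize("NFKD", label.strip().lower())
    text = "".join(c for c in text if not unicodedata.combining(c))  # drop accents
    for bad, good in CONFUSABLES:
        text = text.replace(bad, good)
    return text

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one dynamic-programming row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header: str) -> str:
    """Return 'internal', 'lookalike' or 'external' for an RFC 5322 From: value."""
    display_name, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    if domain == OUR_DOMAIN:
        return "internal"
    # Compare registrable names only: same name under another suffix, a one-character
    # change or a confusable substitution all count as lookalikes.
    ours, theirs = skeleton(OUR_DOMAIN.split(".")[0]), skeleton(domain.split(".")[0])
    if edit_distance(theirs, ours) <= 1:
        return "lookalike"
    if OUR_DOMAIN in display_name.lower():  # our domain in the name, mail sent from elsewhere
        return "lookalike"
    return "external"
```

Run `classify_sender` over `SAMPLE_HEADERS` to see the verdicts; anything labelled "lookalike" is worth a phone call to the apparent sender before acting on it.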

Viruses, Malware and Ransomware:

  • Computer viruses are not new; they have been around for many years. Sometimes they are just annoying, for example adware that places unwanted adverts on your screen, or hijacking of your search results so that you are directed to certain web retailers.
  • Viruses in the form of malware are also not new; however, they are now becoming a lucrative money-making opportunity for cyber criminals.
  • Ransomware is a malware virus that infects computers and network storage devices. It is often difficult to detect and can remain dormant, sometimes for many weeks, while in the background it encrypts your data. Once it has finished it will display a message on your computer screen requesting that you pay a ransom before you can access your data again.

How can I prevent this from happening to my organisation?

  • Ensure you make regular backups of all important data and keep them safe for a number of weeks before they are overwritten.
  • Ensure you use a reputable antivirus (AV) solution. Free AV solutions, and those bundled with the operating system, will prevent some well-known viruses but are traditionally not as good as those for which you pay a subscription, and will not be updated as regularly.
  • The use of user accounts with admin privileges should be avoided to limit the impact of a virus outbreak.
  • Staff should attend regular IT security awareness training to understand the risks.

What should we do if we get infected?

  • Turn your computer off. Don’t try to shut it down normally; you may need to hold the power button in for a few seconds. If this doesn’t work, pull the power from the computer or wall socket.
  • Disconnect any network cables and/or external storage devices. This will help limit the damage if the computer is inadvertently switched back on again.
  • Don’t pay any ransom demands. There is no guarantee that you will get your data back anyway.
  • Call your IT helpdesk or support organisation for assistance.

Cyber Security requires more than just a common sense approach and the BDO Technology Advisory Services Team has vast experience in helping companies become and remain secure.