How do I know I have covered all bases with my IT security?

Security awareness training must be the cornerstone of any organisation’s IT strategy…

Having to deal with IT security and the layers of protection that can be placed between your intellectual property/data and the rest of the world can be an overwhelming prospect.

But you have a trusted IT partner (ITGUYS) who can manage this for you. What is important is that, whilst we are clearly here to support and guide you, simply abdicating security to any provider (instead of delegating it) does not absolve you of the responsibility for protection.

To put it another way, even with every bell and whistle implemented, you do not have 100% immunity. IT security breaches are not purely anonymous “bots” and programs finding holes and then causing havoc. Frequently, a human is involved. Whether by using stolen login credentials to, for example, get into your Office 365 network (on average, a breached Office 365 network will have been broken into 3 to 6 months BEFORE anything bad happens) or by way of social engineering, the bad guy still needs to process and exploit what he/she has obtained.

I recently read an outstanding book on this called Whaling for Beginners.

This book describes the roller coaster ride that a fictitious company went through after being breached. The moral of the story is clear. Without cognisance, without taking responsibility, no amount of cyber security will really protect you from being hacked.

There is no one right answer to IT security. The level of protection that a business chooses should be an exercise in risk analysis. I will give you a simple example. A 5-user company that makes stationery for its three clients will have very different security concerns from a 28-user creative agency that interacts with dozens of clients. The latter will have far more information assets that, if lost or leaked, could cause untold damage to its clients as well as itself. As a result, that company would be prepared to implement greater levels of protection to stop malicious access to its network. (It may, for example, reduce that risk by purchasing an industry-standard firewall that would cost 4 figures.)

Covering the bases will not break the bank:

In the Venn diagram of preventative steps a business could take, there are five key areas that are a good idea whatever your business size. And some of them are free! The approach may vary depending on your size and industry, but there really is no reason not to implement all of them.

Step one: The “human” firewall. Your company’s workforce must take responsibility for their online/work activities. What we are talking about here is security awareness training, so your team understands its responsibilities, especially knowing what to do when unsure. (Hint – if you are unsure, get advice before proceeding; don’t click anyway and hope for the best!)

Step two: Bona fide malware protection. Paid-for, reputable malware protection should be seen as essential. Older-school “detect and respond” products should be considered the bare minimum. More advanced products, collectively labelled “Endpoint Detection and Response” (EDR), add visibility into a cyber attack: they can show what is happening at the point of detection and what happened afterwards. The latter is really not much more expensive than the former.

Step three: MFA. MFA stands for multi-factor authentication, and it is a no-brainer free add-on. Most banks have some flavour of this: typically a code sent to your phone which you need to enter before the bank transaction can be processed. Many of the main tech companies offer this functionality (e.g. Microsoft, Google and Apple). Having this protection in place on every possible work-related account makes it that much harder for a bad guy to infiltrate your system.

Step four: Unique and, ideally, randomised complex passwords. If you use the same password for all your accounts and the bad guy guesses it, they have access to everything! Even a password “theme” with some different numbers at the end (as an example) is inherently weak. Password management software takes all this pain away. Running on your phone, on your computer and as a browser extension, it stores your passwords securely in a vault which can be “unlocked” and can even fill in your credentials and log in on your behalf. It does the remembering, not you, which saves you time and improves your productivity.
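To make the “theme” point concrete, here is an added example (not ITGUYS’ code or any product’s) with two hypothetical helpers: a policy check that flags a new password as a trivial variant of an old one, and a manager-style generator whose output has no theme to guess. The alphabet and the leetspeak map are assumptions chosen for illustration.

```python
import math
import re
import secrets
import string

# Assumed alphabet a password manager might draw from: 94 printable ASCII characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Assumed map of common character substitutions people use to "vary" a theme.
_DELEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})


def normalise(password: str) -> str:
    """Reduce a password to its core word: drop leading/trailing digits and
    punctuation, lower-case it, then undo simple leetspeak substitutions."""
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password)
    return core.lower().translate(_DELEET)


def is_theme_variant(old: str, new: str) -> bool:
    """True when `new` is the same core word as `old` with different decoration,
    e.g. Summer2023! -> Summer2024!  An empty core (all digits) cannot be judged,
    so only an exact repeat is flagged in that case."""
    if old == new:
        return True
    a, b = normalise(old), normalise(new)
    return bool(a) and a == b


def generate_password(length: int = 20) -> str:
    """Manager-style password: uniformly random characters from a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Guessing-resistance of a uniformly random password of this length."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    # Constructed sample: a user "rotating" a themed password.
    print(is_theme_variant("Summer2023!", "Summer2024!"))   # True: same theme
    print(is_theme_variant("Pa$$w0rd1", "Password2"))       # True: leetspeak hides nothing
    new = generate_password()
    print(new, round(entropy_bits(len(new)), 1), "bits")    # ~131 bits for 20 chars
```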

Step five: Whatever device you are using for work should be fully updated with all security releases. Unfortunately, the bad guys out there are constantly trying to find gaps or “exploits” in our devices (be it an iPhone or a Windows laptop) which could bypass your malware protection and the other layers of security you have in place. This is why, when a security update is released for your Mac or Windows device, it should be applied. The consequence of not doing this could be catastrophic. (This is how ransomware can spread.)

ITGUYS goes to great lengths to protect our clients with technology – which is what we are paid to do. But this only paints part of the picture. The weakest part of any organisation’s IT security is the workforce that operates and uses its technology. Security awareness training, together with staff understanding their responsibilities when working with company assets, must be the cornerstone of any organisation’s IT strategy.