Fundamentals of Security

 

This article is about the Fundamentals of Security for SME’s.  Small Business Owners often downplay or ignore  threats to their business with a common belief they would not be targeted and too small.  In 2023 38% of Small Business suffered a Cyber Attack of some kind. Cyber Guidance for SME

We don’t want to scare you into action.  But most of the steps to help protection your business are simple, some of them free and mostly inexpensive.  Below are a few common steps you can take to protection your business from threats.  This isn’t exhaustive, you don’t necessarily need all of the steps, but if you take some you will be going in the right direction.

So what are these Fundamentals of Security?

 

So before we dip into the specifics lets talk about a couple of overriding principles worth bearing in mind.

1. Security is created through a number of layered solutions.  It’s not just about (for example) having Antivirus (AV). AV is important but it needs to be thought of as a component and one of a number of solutions
2. Policy based application of the tools you use to.  There is no point having AV if you are going to allow users to disable or uninstall it.  A policy based solution will ensure these changes cannot take place OR that you are at the very least notified to take action.

Access Control

Passwords, Single Sign On (SSO), Password Managers & Multi-Factor Authentication (MFA) and Bio-metrics.

As a simple place to start you should always have 2 of these as a minimum.  Password + MFA or Bio metrics + MFA are good examples.  Depending on your environment, the applications you use, how they are accessed, by whom and from where might lend weight to some of the other options.  At Cirrus we use ALL of these for different systems, different reasons and situations.   We mandate strong passwords + MFA, these are selections we insist our team subscribe to.  In addition to this we use SSO in all situations where an application allows us.

SSO for Starters & Leavers

The attached article from Gartner Advantages vs Disadvantages talks about client experience in deploying SSO.  Like everything else on the topic, SSO is not a silver bullet but a useful and practical approach to Access and Security.  SSO also simplifies administration for starters & leavers as you will have less to setup and less to remove.  The fact users have to remember, manage and set fewer passwords also improves the experience and removes the more hard to ignore prompts for passwords.

Password Managers

In situations where passwords are less avoidable, password managers provide a great way to store and generate SECURE passwords.  Password Managers coupled with MFA provide really robust access and decrease the need to have regular password changes.  If the password for a system is secure and the password it self is 20 Characters, has upper and lower case letters, contains numbers and special characters breaching the password itself requires a very different act

Disk Encryption

If you are running Windows 10 or 11 in your business environment Disk Encryption is built and FREE to use.  Depending on settings it may need to be enabled but it’s a no-brainier of a step to take.  If you are running MacOS, all versions support Encryption too.  Disk Encryption protects in the event of the equipment being stolen

Patch Management

Most high profile data breaches of the last few years;  BA, NHS & Talk Talk are largely attributed to exploiting a vulnerability that had been previously addressed but not deployed to devices .  Patching applications, Operating Systems & Hardware all need to form part your defense strategy.  A policy based solution can ensure updates happen outside of core working hours and  do not interrupt productivity.

AntiVirus

An Antivirus solution should certainly be part of your strategy.  The subject of Antivirus is a commonly understood aspect of security so we won’t dig too deep into the merits of this.   Having a solution that is policy based, that does not allow users to disable it and , importantly, report/ alert when malicious content has been detected should be a must and be something you look for.  All vendors have this management capability

Mail Scanning

Mail is a huge part of any business and as a result e-mail is the number one vehicle for transmitting threats and attempting to exploit your organisation. ViPRE Security Report highlights the volume and scale of this issue with criminals evolving fast in terms of the volume of messages but also the types of threats.  Mail threats often appear genuine or familiar.  Increasingly they contains links to external sites, attach documents or ask you to call a number.

 

Considerations

Our Fundamentals of Security are not the only aspects for consideration.  Backing  up your data is also important as are network policies and having a robust firewall.  Clients also look toward Cyber Essentials certifications or full Information Security as part of their strategies to bolster security but also raise awareness with employees.  All of these are valid and as as a minimum should be discussed

Conclusion

It’s a big topic.  We understand.  But broken into a number of workable action items everyone can take some basic steps to protect their business from on-line threats.  Cyber criminals are not targeting your SME, they are targeting everyone’s SME.

For more information contact us :

hello@thinkcirrus.co.uk

T: 03303 130966

#cybersecurity
#manageditservices

#cheshirebusiness