Five things Cyber Security tools don’t do, and what you can do about it

As you may have noticed by now, we feel there needs to be a bigger conversation when it comes to securing your company’s information. Cyber tools, when properly deployed, help protect against certain technical risks, but they do not address the other areas where risk commonly arises: the day-to-day operations of a business. These areas are just as important to address as cyber security.

We have prepared the list below which we hope you find helpful:

What Cyber tools will not do, and what to do about it:

  1. Determine if your suppliers are creating additional risks.
     What to do: Develop a method for assessing suppliers, both new and existing. If you don’t get the answers you like, put pressure on them, or it may be time to change suppliers.
  2. Provide company-specific guidance on what staff can and cannot do with company-owned assets such as email, phones and laptops.
     What to do: Have everyone sign an acceptable use policy which clearly states acceptable and unacceptable use of company assets, responsibilities in protecting information, the consequences of failing to do so, and who to contact if they have questions.
  3. Teach your staff about the risks that they can help control.
     What to do: Identify staff awareness training resources. A mixture of generic e-learning and company-specific quizzes, a couple of times per year, will help ensure continuity of awareness.
  4. Help your business recover from a disaster.
     What to do: If you have a plan, review it and update it as required. If you don’t have a plan, you really should create one!
  5. Prepare your business to respond to an incident, such as ransomware.
     What to do: If you have an incident response procedure, review it and update it as needed. If you don’t have one, start making one.


If you would like to learn more about a comprehensive information security program and discuss if your business should be looking beyond cyber security, feel free to reach out to us through one of the following methods:

Is your IT provider giving you the whole picture of information security?

If you outsource your IT support, do you know their overall approach to protecting your business’s information?

Most IT support businesses will deploy and manage a number of cyber security tools to address the most common risks they think a business might experience. Because we, in the IT service provider industry, consider ourselves as experts in technology, the solutions our industry provides are typically focused on technology. We acquire cyber tools from a third party, install or deploy them, then manage them to make sure they continue to work as expected, stopping risks before they become an issue.

But this approach, while effective to a degree, fails to address the other two pillars of a comprehensive security program: people and processes. The risks in these two areas are just as important to an information security program. Some might even argue that they matter more, because they exist every day and are more visible in the organisation. Some examples are:

  • People:
    • Hiring
    • Staff awareness
    • Training
  • Process:
    • Risks in management systems
    • Governance of information security
    • IT practices (vendor selection, access controls, security testing).

What is the difference between cyber security and information security?

There is a lot in the press these days about cyber security, and for good reason. Hacks and ransomware attacks occur on a daily basis. But by limiting the conversations to IT, some of the largest risks never get attention.

For starters, cyber security only addresses the security of IT: things like viruses, spam and access controls. There are huge numbers of cyber tools, with more being created every day, which is why you hear so much about it. Don’t get me wrong, these can be important tools when used as part of a larger information security program, but there are some risks that cyber tools simply cannot address.

This is where information security comes into play. An information security program is about addressing ALL risks to ALL information, not just the technical. The objective is to protect the confidentiality, integrity and availability (a.k.a. the CIA triad) of information.

Following are some common areas typically excluded from the purview of cyber security:

  • Physical environment where your information may exist:
    • Access to office space
    • Visible information on desks
    • Information taken home or in transit
  • Hiring practices
  • Vendor assessments
  • Business continuity plans
  • Incident response procedures

Each of these areas presents real risks and, if not addressed, poses risks at least as great as those dealt with by cyber security tools.

Nine tips for an Incident Response Procedure

Many companies have a Business Continuity Plan, but what about an Incident Response Procedure? What happens if your business is hacked, attacked by ransomware or someone loses a phone? A well thought-out and publicised plan will clarify what to do when an incident occurs, lessen its impact, and help prevent future incidents.

  1. Create an Incident Response Team (IRT). The size of the team will depend on the size of your organisation but it should at least be made up of a senior member of management, your technical lead, and someone who deals with information security, if that role exists in your business.
  2. Determine which law enforcement or regulatory bodies might need to be informed, such as the police or the ICO (the UK Information Commissioner’s Office), depending on the incident. Note that under UK GDPR a notifiable personal data breach must be reported to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it, so the procedure needs a clock as well as a contact name.
  3. Determine the process for reporting an incident. What form should be completed? Who should it be sent to or who should be emailed?
  4. Identify the type of breach. Common ones are:
    • Breach of physical security/unauthorised access to the building or office space
    • Loss or theft of property
    • Lost or incorrect data
    • Breach of information security
  5. Determine what information needs to be collected such as location, date and details of the incident and what actions have already been taken.
  6. In the event of an incident, collect and secure any relevant evidence. Preserve logs and affected devices as they are: do not wipe, reimage or tidy up a machine before it has been examined or imaged, and record who handled each item and when, so the evidence still stands up if the incident ends with the police, the ICO or an insurer.
  7. Discuss and document what measures can be put in place to avoid the incident re-occurring.
  8. Train staff on different types of incidents, what to do if they are involved in an incident (or observe one) and the location where the Incident Response Procedure can be found. It is a good idea to keep a soft copy in a location that can be accessed when outside the office, as well as a hard copy in the office.
  9. Review the plan at least annually or if there is a significant change to the business. Update any information if necessary, then re-print/re-publish.

Top ten considerations for a good Business Continuity Plan

A Business Continuity Plan can significantly decrease the impact of a disruption or disaster to a business. If you already have one, great, check it off against our list here and be sure to review your plan at least annually, or if there is a significant change to your business. If you do not have one, hopefully this list will give you a good template to start from.

  1. Have a plan. First and foremost you need one before a disaster strikes. It should cover the risks of disruption to:
    • Your supply chain – What if a key supplier is no longer available or has their own business continuity issue?
    • Key technologies – What are the key technologies you use? What happens if they are not available?
    • Staff – public transport strikes, bad weather. Do they know how to work from outside the office?
    • Access to office – Can the business still operate if your office space is not available?
  2. Create a recovery team with contact information. These should be people who know the business processes and systems.
  3. Clearly document the responsibilities of each member of the recovery team.
  4. A copy of the BCP should be held by team members in a secure location (both printed and digital), so it is still reachable when the office or its systems are not.
  5. Rehearse the plan. Schedule time for team members to review and agree the steps and their responsibilities. Let staff work from home occasionally to adjust to home working.
  6. Create a list of contact names and numbers for key clients and suppliers.
  7. Establish a secondary location for staff to work from, if necessary.
  8. Make sure ALL your data is being backed up offsite, and test that you can actually restore from it. A backup that has never been restored is an assumption, not a control.
  9. Train employees on the plan. They should know things like what to do, where to go, and how updates will be communicated.
  10. Review the plan at least annually or if there is a significant change to the business. Update any information if necessary, then re-print/re-publish.

The CIA of Information Security

Confidentiality, Integrity and Availability – A Deep Dive…

Information is becoming an increasingly valuable commodity, and for a business it presents not only value but a responsibility too. You may have all the necessary guards in place to protect your digital data, however not all information is digital. Trade secrets, good old printed paper and removable media such as USB keys all present their own challenges to implementing thorough protection throughout a business.

The impact of a threat varies, and a breach can be grounds for dismissal, but lost revenue may not be the only result. Legal action, compensation, ongoing loss of reputation, and even a lot of expensive PR to get a business back on track may all follow.

With Norwegian firm Norsk Hydro announcing in a BBC interview that they spent £45 million restoring their business after a ransomware attack took out tens of thousands of computers across the company’s 170 sites, the case for investing in information security is clear, whatever your industry.

All information security decisions can be boiled down to three key properties: confidentiality, integrity and availability.

Information Confidentiality

This helps secure a business’s most valuable information; trade secrets, customer data, analytics, etc. from prying eyes in order to protect a business’s future success.

Keeping vital information secret is important because once a secret has been outed, it becomes very hard to close Pandora’s Box. Even if the leak is found and deleted, the nature of the internet means that there is a very high likelihood that any leaks will be copied and distributed so quickly and frequently, that the information will never be fully removed.

Simply put, the easiest way to provide information confidentiality is to ensure that only the people who should have access to a given piece of data have it, and no more access than they need (the principle of least privilege). This simple sentence can take a lot of complicated principles to enact.

Grouping information into classes by the severity of a leak, and planning accordingly, for instance using permissions to decide who has what level of access, helps mitigate the risks attached. However, permissions are only as secure as the person holding them, so provide specific training for those with access on information security best practice. This could include password design, social engineering (phishing) prevention, or implementing measures such as biometrics, air-gapped computers (connected to no network at all, not merely kept off the internet), or keeping hard copies locked away so there is no chance of digital access.
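One way to make the "only the right people have access" rule checkable rather than aspirational is to tie file permissions to the classification of the data. The following is an added example in Python, not code from the original article: it assumes a hypothetical layout where files live under one directory per classification, a hypothetical policy stating the widest permission mode each class may carry, and an audit that reports (and optionally strips) anything looser. The policy, directory names and sample files are constructed for the demonstration.

```python
import os
import stat
import tempfile

# Hypothetical policy: the most permissive mode each classification may carry.
# Any bit beyond these grants access to someone who should not have it.
POLICY = {
    "confidential": 0o600,  # owner only
    "internal": 0o640,      # owner and group
    "public": 0o644,        # world-readable, but never world-writable
}


def excess_bits(actual_mode: int, allowed_mode: int) -> int:
    """Permission bits present on the file that the policy does not allow."""
    return (actual_mode & 0o777) & ~allowed_mode


def audit(root: str, policy=POLICY) -> list:
    """Walk root/<classification>/... and report files whose mode exceeds the policy.

    Each finding is (relative_path, classification, actual_mode, excess_bits).
    A file under a directory with no policy entry is reported as "unclassified",
    because nobody has decided who may read it yet.
    """
    findings = []
    for classification in sorted(os.listdir(root)):
        class_dir = os.path.join(root, classification)
        if not os.path.isdir(class_dir):
            continue
        allowed = policy.get(classification)
        for dirpath, _, filenames in os.walk(class_dir):
            for name in sorted(filenames):
                path = os.path.join(dirpath, name)
                mode = stat.S_IMODE(os.lstat(path).st_mode)
                rel = os.path.relpath(path, root)
                if allowed is None:
                    findings.append((rel, classification, mode, "unclassified"))
                    continue
                extra = excess_bits(mode, allowed)
                if extra:
                    findings.append((rel, classification, mode, extra))
    return findings


def remediate(root: str, policy=POLICY) -> int:
    """Strip the excess bits from every flagged file; returns how many files were changed."""
    changed = 0
    for rel, _classification, mode, extra in audit(root, policy):
        if extra == "unclassified":
            continue  # needs a human decision about classification, not an automatic chmod
        os.chmod(os.path.join(root, rel), mode & ~extra)
        changed += 1
    return changed


def demo() -> dict:
    """Build a constructed sample tree with deliberate mistakes and run the audit over it."""
    root = tempfile.mkdtemp(prefix="classified-")
    samples = {
        ("confidential", "payroll.xlsx"): 0o644,       # wrong: readable by everyone
        ("confidential", "board-minutes.docx"): 0o600,  # correct
        ("internal", "price-list.csv"): 0o666,         # wrong: world-writable
        ("public", "brochure.pdf"): 0o644,             # correct
        ("scratch", "notes.txt"): 0o600,               # no classification assigned
    }
    for (classification, name), mode in samples.items():
        class_dir = os.path.join(root, classification)
        os.makedirs(class_dir, exist_ok=True)
        path = os.path.join(class_dir, name)
        with open(path, "w") as fh:
            fh.write("sample content\n")
        os.chmod(path, mode)
    before = audit(root)       # two over-permissive files plus one unclassified
    fixed = remediate(root)    # tightens the two policy violations
    after = audit(root)        # only the unclassified file remains
    return {"before": before, "fixed": fixed, "after": after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The audit reports the excess bits rather than the whole mode so that the fix is exactly the minimum change; the unclassified file is deliberately left alone, because a tool cannot know whether it should be confidential or public, only a person can. The same shape of check applies to shared drives, SharePoint libraries or cloud buckets: a list of classifications, the widest access each may have, and a periodic comparison of reality against it.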

If files must be accessed digitally, which is the case for most, encryption is widely used to stop anyone intercepting the data as it travels from A to B, and to protect it at rest on laptops and removable media. Its real cost is not in data size (modern ciphers add only a small fixed overhead per message or file) but in key management: a properly generated key for a modern standard such as AES-256 cannot be brute-forced with any foreseeable computing power, so in practice encrypted data is lost through mishandled keys, weak passwords or an endpoint that is already compromised, not by breaking the cipher.

Information Integrity

This refers to ensuring the authenticity of information; that information is not altered and is from the assumed source. There are two specific sub-categories: System and data integrity.

Data integrity means taking steps to ensure your data can’t be altered by a third party. One simple example of data integrity risk mitigation that you are probably using without realising is that every time Microsoft Office asks whether you want to ‘Enable Editing’ in a document, it has opened the file in Protected View, a read-only mode. Its main purpose is to stop active content such as macros in files from the internet running until you decide to trust them, but it also prevents unintended alterations to the document.

This can be a hard thing to keep on track of, especially when working with suppliers and partners. With the constant toing-and-froing of files between associates, an accidental edit could mean a change to a spreadsheet or document that changes a price or date of delivery that could have significant consequences to both parties.

Human error would usually fall under data integrity, as the slip of a finger can cause mistypes or the deletion of important data, and while you can put every measure in place remember, “Pobody’s nerfect.”

At times an employee may not be at fault, but the way they interact with their system may be the root cause. Preventing this could include regular maintenance, using file permissions (so only approved employees can change the data) or using hashes to verify the integrity of the information. A cryptographic hash such as SHA-256 gives a short, fixed-length digest of a document; changing even a single byte produces a completely different digest, and it is computationally infeasible to craft a second document with the same one (do not rely on MD5 or SHA-1 for this, as collisions are practical for both). Compare the digest of a received copy with the one recorded for the original and, if they match, the two documents are identical. Bear in mind that a bare hash only catches accidents: an attacker who can alter the document can usually alter a hash stored beside it, so where deliberate tampering is the concern the hash needs to be keyed (an HMAC) or digitally signed, or kept somewhere the attacker cannot reach.
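The paragraph above describes both uses of a hash: catching an accidental edit to a file exchanged with a partner, and the need for a key when the other party, or an intruder, could rewrite the hash list too. The following is an added example in Python (not code from the original article) that covers both: it hashes every file in a folder with SHA-256, seals the list with an HMAC under a shared key, and then shows a one-character price change being caught, followed by a forged hash list being rejected because the forger lacks the key. The folder, the documents, the price change and the key are all constructed for the demonstration; in a real deployment the key would come from a key store agreed with the partner out of band. The same verification can be run against a restored backup copy to prove that what came back matches what was backed up.

```python
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path: str, chunk_size: int = 1 << 16) -> str:
    """Hex SHA-256 of a file, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str, key: bytes) -> dict:
    """Hash every file under root and seal the list with an HMAC under key.

    A plain list of hashes only catches accidents: whoever can rewrite the files can
    rewrite the list. The HMAC binds the list to a key only the two parties hold.
    """
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            files[os.path.relpath(path, root)] = sha256_file(path)
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_manifest(root: str, manifest: dict, key: bytes) -> dict:
    """Check the seal first, then every listed file; report exactly what differs."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    sealed = hmac.compare_digest(expected, manifest["hmac"])  # constant-time comparison
    present = set()
    for dirpath, _, names in os.walk(root):
        for name in names:
            present.add(os.path.relpath(os.path.join(dirpath, name), root))
    listed = set(manifest["files"])
    modified = sorted(
        p for p in listed & present
        if sha256_file(os.path.join(root, p)) != manifest["files"][p]
    )
    missing = sorted(listed - present)
    unexpected = sorted(present - listed)
    return {
        "sealed": sealed,
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
        # An unsealed manifest proves nothing, however clean the hashes look.
        "ok": sealed and not (modified or missing or unexpected),
    }


def demo() -> dict:
    """Constructed walk-through: clean exchange, accidental edit, then a forged hash list."""
    key = b"shared-secret-agreed-out-of-band"  # hypothetical; from a key store in practice
    root = tempfile.mkdtemp(prefix="exchange-")
    docs = {
        "quote.csv": "item,price\nwidget,100.00\n",
        "delivery.txt": "delivery: 2024-06-01\n",
    }
    for name, text in docs.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(text)
    manifest = build_manifest(root, key)
    clean = verify_manifest(root, manifest, key)

    # One extra character turns 100.00 into 1000.00: the digest no longer matches.
    with open(os.path.join(root, "quote.csv"), "w") as fh:
        fh.write("item,price\nwidget,1000.00\n")
    tampered = verify_manifest(root, manifest, key)

    # An attacker who can edit the file rewrites its hash too, but cannot re-seal
    # the list without the key, so the manifest fails the HMAC check instead.
    forged_files = dict(manifest["files"], **{"quote.csv": sha256_file(os.path.join(root, "quote.csv"))})
    forged = {"files": forged_files, "hmac": manifest["hmac"]}
    forged_result = verify_manifest(root, forged, key)
    return {"clean": clean, "tampered": tampered, "forged": forged_result}


if __name__ == "__main__":
    for stage, result in demo().items():
        print(stage, result)
```

Two design points matter here. The seal is checked with `hmac.compare_digest` rather than `==` so that a verifier exposed to an attacker does not leak how many leading characters matched. And the result distinguishes an unsealed manifest from a modified file: in the forged case every hash matches, so a verifier that only compared hashes would report success; only the failed HMAC reveals that the list itself has been replaced.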

Maintaining systems and keeping them patched so that neither employees nor hackers can manipulate the data is vital to protecting the integrity of your information. The WannaCry attack that hit the NHS in May 2017 spread through an SMB vulnerability for which Microsoft had released a patch (MS17-010) two months earlier; systems with that update applied were not infected by the worm.

Information Availability

Our third tenet deals with the availability of your information: whether your staff can get at the data when they need it. Threats range from ‘Acts of God’ like flooding or forest fires, through other disasters, down to failed or stolen hard drives.

Disaster Recovery Plans, or DRPs, are essential for the continual success of a business that suffers outages from hackers, the environment and anything in between.

Building redundancy into your systems stops small-scale failures, like a dead server, from becoming outages. That redundancy usually takes the form of some kind of backup or duplicate, but depending on the size and scope of the business it can require very different systems.

The established solution for SOHO businesses is keeping a copy of all data on an external drive stored somewhere secure, so that if a computer fails the data on it can be replaced quickly. A single drive that stays plugged in next to the computer is not enough: ransomware and theft take it along with the original, so keep at least one copy disconnected and off the premises (the common ‘3-2-1’ rule is three copies, on two kinds of media, one of them offsite), and periodically restore a file from it to prove it works.

For larger offices, RAID is a common solution, mirroring your data or spreading it with parity across several drives so that the array survives the loss of one or more disks, depending on the configuration. RAID is not a backup, though: a deleted, corrupted or ransomware-encrypted file is faithfully replicated to every disk in the array, so it must be paired with separate backups.

Larger businesses still tend to opt for failover cluster solutions with geographically separated servers, so that the business can switch sites in case of scheduled downtime, an extended power cut, or an attack such as a DDoS that takes one site offline.

These would in no way replace any cyber security tools like firewalls or DDoS prevention services, as they all work in tandem to create a secure network that limits the chance of unwanted access, while ensuring all data is still available if the main repository is corrupted.

We use the Information Security Risk Assessment as the basis of all information security planning. This document should be updated regularly and include all of your information assets, both digital and physical, and from there you can start planning how to mitigate the risks associated with each asset. You can download a free Information Security Risk Assessment Pack here.

Just because a particular threat is mentioned under one of the headings above, does not mean it wouldn’t be applicable to the others. Cyber security tools are just as vital to protecting integrity as well as the availability and confidentiality of the information, and your information security tools will be the same. Rather than wasting time deciding which of the three principles a particular risk should be allocated to, focus on what can be done to most prevent the risk in question.

If you’d like more info on how to assess your own security – try here – or contact us to find out more about how On Line Computing can help guide you through securing your business.