Tony Proctor, principal lecturer and consultant specialising in information security at the University of Wolverhampton discusses some key measures businesses should consider to tighten their security. Most of us consider ourselves aware of physical risks but have less vigilance when using technology. It’s important to educate people to be more security conscious with technology. The old adage: “if it looks too good to be true it probably is too good to be true” certainly applies to the internet. One common “cyber-security” misconception is the expectation that systems are secure, but they are only as secure as the person that made them. Just like physical security, no defensive system, anti-virus, or firewall can guarantee complete immunity to problems – although without them a system is much more open to attack. Fortunately, there are things that a business can do to make problems much less likely to occur.
Make sure that all staff understand the need to be cautious with emails. To not automatically supply information; to question whether they really should click on links; to understand what phishing is and to check who they are sending emails to before clicking ‘send’. This needs to be an on-going process as the threats continue to change.
Make sure all your protection is up-to-date. Suppliers aware of a problem will issue an update (patch) to address it – but it’s up to you to make sure you use it. Ensuring defensive software is installed and working and programs are updated can prevent hackers finding weaknesses and gaining access to your systems.
Keep in mind that hackers will go where the consumer goes. Although there are currently many more malware programs (eg. viruses) for PCs, we can expect to see more issues with Apple and Android devices as their markets continue to increase. Many of us do not have antivirus etc. for our smartphones and yet we use them to do the same things as we use our laptops for – so install these products where available.
Ensure your office computers are protected from theft – is the main server locked away securely in offices that themselves are adequately secured and alarmed? Think about what would happen if someone hacked into the system and destroyed all the data, or if the business suffered a fire or flood. It can be fairly straight-forward to replace a PC, but consider the information held within it. Ensure you have effective backups of the right information – taken regularly, stored correctly, and tested routinely.
Does anyone access systems remotely or copy data onto USB sticks or laptops? If this is necessary, make sure data is transferred correctly – especially if it’s sensitive. It is relatively easy to protect data on the move by using encryption. This means that additional programs scramble the data and that it can only be unlocked with a key (typically a PIN or password).
It is important to know what personal devices staff are using, particularly if they are connecting to the business network with them. If they are using their own devices these need to be properly secured and protected. Equally, if supplied with take-home equipment check it’s being used securely and appropriately.
Computers, photocopiers and printers all store data – even once everything has been “deleted”. Find a reputable company to dispose of any equipment to ensure the data within it is destroyed correctly. By increasing vigilance and implementing these measures you can help reduce the risks to your business of breaches in cyber-security and safeguard your assets. One of the latest developments to specifically improve cyber-security of small and medium-sized enterprises (SMEs) is a new information security standard known as Information Assurance for SMEs (IASME). Tony, having recently qualified as one of the first four assessors for this standard believes that it will help businesses who may not be confident about addressing security issues on their own. It involves a straightforward process that seeks to reward existing good practice as well as identifying areas for improvement.
Tony Proctor is a member of the Information Assurance Advisory Council, which develops security policy recommendations to government and corporate leaders. He is responsible for the development of cyber-security Warning, Advice and Reporting Points (WARPs) in the West Midlands and beyond. WARPS are information sharing networks that aim to improve organisations’ information security by alerting specific problems and cyber security issues; confidentially sharing information advice; and reporting any cyber-security incidents. For information on how to secure your data and systems, gain maximum benefits from technology by using it safely, and WARP, email: email@example.com