The Cyber Security Maze for startups and SMEs – Part II

In part I, we talked about some of the common challenges smaller businesses face from a cyber security perspective.

As promised (but a little later than planned), let’s now turn our attention to what can be done to minimise the impact these have, and improve the overall level of security.

Of course, as is well known, there is no silver bullet (is there ever?).

But you may be familiar with the fairly well-known mantra of people, process and technology. Addressing each of these through relatively simple steps can provide a solid cyber security foundation.

Here are a few points worth considering.

Staff training and awareness regarding cyber security.

This is a simple step but can often prove very beneficial. Given that a large proportion of attacks rely on a user doing something (opening an attachment, clicking on a link, and so on), it makes perfect sense to educate employees about the dangers involved. There are plenty of SAT (Security Awareness Training) options, from free content through to dedicated vendors and their platforms.

Training can easily be integrated into a normal office or work routine.

However, it is important to keep the content interesting and relevant. Consistency is also key: a one-off webinar or a single automated phishing simulation probably won’t deliver the intended outcome.

Once the basics are in place, it’s a good idea to go beyond education alone and run simulations (phishing tests, for example). Not only will these keep users vigilant, but they’ll help to measure the effectiveness of the training and identify areas that need improvement. Use the results to tune the training rather than to single out individuals; staff who fear being blamed stop reporting suspicious emails, which is the behaviour you most want.

Conducting a simple risk assessment. 

A detailed risk assessment takes time and effort, and although there are good frameworks and guides available, it can still seem a little daunting.

But there’s no reason a simpler approach can’t be taken. Instead of a rigid and narrowly focused scope, consider a general and wide-ranging analysis.

The objective is to understand the assets you have as an organisation (essentially the makeup of your environment: laptops, servers, the website, cloud and SaaS accounts, and the data held on them, whether running on your premises or through a hosting provider such as Amazon Web Services), the likelihood of these being attacked (via the most common types of threat applicable to those assets) and the severity of the consequences should an attack succeed.

Scoring each risk, typically as likelihood multiplied by impact on a simple 1 to 5 scale, makes it possible to see which threats present the biggest problem and hence which mitigations should be prioritised. The scores are subjective, so agree the scale once and apply it consistently; the ranking matters more than the absolute numbers.
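To make the scoring concrete, here is a small risk register written as an added example for this article; it is not part of the original post and the scales, the thresholds for the high/medium/low buckets, the risk appetite value and the sample assets are all assumptions. It computes likelihood × impact for each asset/threat pair, ranks the results and splits them into those above the agreed appetite (to be mitigated) and those that can simply be accepted.

```python
from dataclasses import dataclass

# Coarse 1-5 scales. The wording is an assumption; agree it once and apply it consistently.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Risk:
    asset: str        # what could be hit: laptop fleet, customer database, website, ...
    threat: str       # the most common threat for that asset
    likelihood: str   # a key of LIKELIHOOD
    impact: str       # a key of IMPACT

    @property
    def score(self) -> int:
        """Risk score = likelihood x impact, in the range 1..25."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def rating(score: int) -> str:
    """Bucket a score into a rating. The thresholds are an assumption; pick your own and keep them fixed."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def prioritise(risks, appetite: int = 8):
    """Return (risk, rating, decision) tuples, highest score first.

    `appetite` is the highest score the business is willing to live with
    without further action; anything above it goes on the mitigation list.
    """
    ordered = sorted(risks, key=lambda r: r.score, reverse=True)
    return [
        (r, rating(r.score), "mitigate" if r.score > appetite else "accept")
        for r in ordered
    ]


# Constructed sample register for a small business; not real data.
SAMPLE_REGISTER = [
    Risk("staff laptops", "phishing leading to malware", "likely", "major"),
    Risk("customer database (hosted)", "credential theft / unauthorised access", "possible", "severe"),
    Risk("public website", "defacement or takedown", "possible", "moderate"),
    Risk("office printer", "misuse of stored scans", "unlikely", "minor"),
]

if __name__ == "__main__":
    for risk, level, decision in prioritise(SAMPLE_REGISTER):
        print(f"{risk.score:>2} {level:<6} {decision:<8} {risk.asset}: {risk.threat}")
```

Running it lists the laptops (16) and the hosted database (15) as high and to be mitigated, the website (9) as medium, and the printer (4) as low and accepted. Raising the appetite to 12 moves the website into the accepted column, which is exactly the kind of conversation the scores are meant to prompt.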

An assessment helps to answer questions like:

What is our risk profile?  In other words, what level of risk are we facing, and what is our appetite or comfort level to this risk?
What data are we handling, where does it reside and which data is particularly sensitive (e.g. personally identifiable information or PII, contracts, invoices, intellectual property)?
Who has final responsibility for securing that data? This is especially pertinent if a third party hosts and/or provides IT systems and services to you: under the usual shared-responsibility arrangement the provider secures the underlying infrastructure, but your data, your user accounts and their configuration remain your responsibility.

It’s also worth branching out (again, brevity is fine) and thinking a little about related issues.

For example, many organisations fall victim to supply chain attacks, either as a stepping stone to someone else or as the final target themselves. So, do our suppliers take security seriously, and what access do they have to our systems and data?

Regulations.

Many industries now have regulations that cover the securing of data and systems.

For example, PCI DSS (the Payment Card Industry Data Security Standard) is a well-established set of security requirements that organisations storing, processing or transmitting payment card data are expected to meet; it protects cardholder data specifically, rather than personal information in general.

The growing ramifications of security breaches have led to greater urgency and adoption of regulations designed to safeguard data.

As a result, it makes a lot of sense to do a little digging and find out whether the industry you operate in has any such policies.

If so, are any of them mandatory?  In which case, meeting those obligations is a clear priority.

Not being compliant risks penalties and fines, especially if data or systems are breached and it becomes clear that adequate measures were not in place.

If there are no mandatory regulations (or they are only recommended), it is still good practice to adopt those requirements, though of course existing priorities will dictate when they are added to your roadmap.

Data management.

Consider implementing simple security hygiene by following Cyber Essentials (or Cyber Essentials Plus, which adds an independent technical audit of the same controls) or similar.

Cyber Essentials is a UK government-backed scheme covering five basic control areas: firewalls, secure configuration, user access control, malware protection and security update (patch) management. It constitutes a good, if basic, first step, especially if the risk profile is low and/or the industry you operate in doesn’t mandate stringent security controls.

Website.

It’s surprising how often this is overlooked, but ‘everyone’ has a website. So how secure is it?

And are there other public-facing resources (remote access, email, file sharing, admin consoles) that need to be properly secured?
Again, the fact that for smaller businesses the site is likely to be hosted by a third party (GoDaddy, for example) doesn’t remove the need to ensure it is secure. The hosting provider looks after its own platform and may provide some security controls, but it isn’t responsible for your site’s content, plugins, accounts or configuration.

And even if your website is fairly static and doesn’t collect user data (no personal information requested, no payments processed), there is still the danger of the site being defaced, taken down or otherwise rendered unusable. What impact would that have on the brand, and hence the business?
For dynamic sites, especially where users supply credentials or financial transactions occur, it’s that much more important to ensure the site is stable and secure: a compromised site exposes your customers’ data as well as your own.
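One cheap first check on “how secure is it?” is whether the site sends the basic browser security headers. The script below is an added example written for this article, not code from the original post: it takes a set of HTTP response headers and reports the usual gaps (no HSTS or a short max-age, no Content-Security-Policy, no nosniff, no clickjacking protection, no Referrer-Policy, a Server header that leaks a version). The one-year HSTS threshold and the two constructed header sets are assumptions; run it with a URL argument to check a real site.

```python
import re
import sys
from urllib.request import Request, urlopen

ONE_YEAR = 31536000  # seconds; a common minimum for a meaningful HSTS max-age (assumption)


def check_security_headers(headers: dict) -> list:
    """Return a list of findings for a set of HTTP response headers.

    `headers` maps header name -> value; lookup is case-insensitive.
    An empty list means none of these basic checks fired. Passing them says
    nothing about the application, the plugins or the hosting account itself.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security (browsers may still connect over plain HTTP)")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("Strict-Transport-Security max-age below one year")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy (no browser-side limit on injected scripts)")
    elif "'unsafe-inline'" in csp:
        findings.append("Content-Security-Policy allows 'unsafe-inline', which weakens its XSS protection")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    if "x-frame-options" not in h and (csp is None or "frame-ancestors" not in csp):
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")

    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")

    server = h.get("server", "")
    if re.search(r"\d+\.\d+", server):
        findings.append(f"Server header reveals a version: {server!r}")

    return findings


def fetch_headers(url: str) -> dict:
    """Fetch response headers for `url` with a HEAD request (follows redirects).
    Some hosts reject HEAD; if so, change method to GET. Only used when run directly."""
    req = Request(url, method="HEAD", headers={"User-Agent": "header-check/1.0"})
    with urlopen(req, timeout=10) as resp:
        return dict(resp.getheaders())


# Constructed sample headers, not captured from any real site.
WEAK_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300",
}
HARDENED_HEADERS = {
    "Server": "Apache",
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    hdrs = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else WEAK_HEADERS
    for finding in check_security_headers(hdrs) or ["no findings"]:
        print("-", finding)
```

Against the constructed weak set it reports six findings; against the hardened set it reports none. Treat a clean result as a floor, not a verdict: it tells you the server is configured thoughtfully, not that the site or the hosting account is safe.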

Application development.

Cyber criminals are constantly looking for weaknesses in applications.

If you’ve developed (or are developing) an application – very common for tech startups, amongst others – what is the plan for testing its security?
Was it developed in house or by a third party? And does the development team have the experience and tooling to conduct thorough security testing?

Though the pressure is on to complete and ship the product, asking questions earlier in the development cycle can really help prevent potential security issues from cropping up further down the line.

Technology.

Ensure you have basic security technology in place: a mix of anti-malware, firewalls, and so on.
Patch software regularly (operating systems, browsers and applications alike) and turn on automatic updates wherever possible. It’s always a good idea to limit user privileges on machines: no need for everyone to be an admin user, and day-to-day work should be done from a standard account, including the owner’s.
And it’s helpful to know what software is installed: consider restricting the software that can be installed on work machines, or on those devices being used to access work resources.

Enlisting the help of security professionals.

A security assessment, such as a vulnerability assessment and penetration testing activity (VAPT), is a great way to bridge the gap between assumption and reality.

It can provide excellent insights, helping you understand how vulnerable you are to cyber attacks and how effective your existing defences are.

And, where the risk profile is higher, engage outside resources so you can benefit from proactive round-the-clock security, such as a managed Security Operations Centre.
Keep in mind this doesn’t (and shouldn’t) have to follow a cookie cutter approach – the right provider can develop a tailored service, to meet your specific requirements, without the associated designer label price tag.

To conclude, simple steps taken in the right direction can provide a meaningful base from which to build.