If you think IT security is solely the responsibility of your IT team, think again.
Cyber security is everyone’s responsibility, from the boardroom downwards. That’s the view from the National Cyber Security Centre, which has published new guidance to help business leaders understand cyber threats, so they can better direct their organisation’s response to them.
Despite the ever-increasing threat from cyber criminals, a 2017 survey of the UK’s biggest companies revealed that 68 percent of boards had received no training in dealing with a cyber attack, and that 10 percent of FTSE 350 companies operated without a cyber incident response plan.
Those are worrying statistics, and NCSC’s board toolkit takes the shape of five questions designed as part of its plan to reshape the way that senior management regards cyber security, and bring the issue to the boardroom table.
Q1: How do we defend our organisation against phishing attacks?
Phishing is usually done via email, and involves sending persuasive, realistic looking messages that encourage users to click on a rogue link. The best place to start tackling phishing is at its source, by monitoring incoming emails and filtering out any obvious phishing attempts. Attackers can make emails look as if they came from a reputable source. Educating staff and giving them a channel to report suspicious messages is key. If something looks not quite right, it should be flagged up immediately.
Q2. How does our organisation control the use of privileged IT accounts?
Staff should be given just enough privileges and rights to do their job properly, without having access to data or systems they do not need to see. The accounts of administrators and those with more extensive rights should be tightly controlled, particularly when people leave the organisation, and it is useful to involve your HR team in creating, modifying and deleting accounts. With access to your security settings and sensitive data a hacker can do far more damage through an administrator account than a standard user account.
Q3. How do we ensure that our software and devices are up to date?
Suppliers and vendors issue regular patches to fix any bugs and vulnerabilities. It’s easy to overlook patch management but exploitation of bugs and vulnerability is the biggest risk after phishing and we see too many organisations breached by a ‘known’ bug that could have been easily patched. Replace devices or software approaching end of life, before they become unsupported or obsolete. Your network should be designed so that the impact of any hardware or software being compromised is contained. Consider the use of cloud or managed services, so that a third party takes the strain of hosting and maintaining an increasingly complex technology infrastructure, while your IT team focus on critical ‘business as usual’ tasks.
Q4. How do we make sure our partners and suppliers protect the information we share with them?
Sharing information with third parties opens your systems up to risk. You need confidence in their cyber security as well as your own, particularly if you allow direct network connectivity. Work on the principle that at some point your partners or suppliers will be compromised, and make sure you have the right technical controls in place when that happens.
Q5. What authentication methods are used to control access to systems and data?
Weak passwords are an easy way for hackers to break into your systems. Your password policy should be robust, with a requirement for passwords to be regularly changed, and be supported by other controls such as a restricted number of login attempts. Two-factor authentication provides extra protection, and means even if a cyber criminal knows a password, they will be unable to access the account.
These questions are designed to spark discussions between the board and the IT team. Only when senior management fully understand the issues, will attitudes to cyber security change at boardroom level.
Cyber crime is constantly evolving and the best way to protect your business is to work with an expert IT security partner. Come along to one of our regular security events and hear from security professionals and ethical hackers about the topical issues, and how to avoid being the next victim.