How Strong Is My Password?

Here’s how you can create a strong password

In the digital era, the strength of your password can be the thin line between security and vulnerability. At CYAN Solutions, we understand the importance of robust passwords and are here to guide you through creating one that’s both strong and memorable.

What is a strong password?

A strong password need not be a complex maze of characters. In fact, a lengthier password often trumps complexity. We recommend crafting a password that’s a mix of familiarity and unpredictability. Think about using phrases or combinations of words that are significant to you but would be obscure to others.

Our Top Suggestions for Crafting a Strong Password:

  • Combine your favourite book, food, and colour. For example, “GatsbySushiBlue.”
  • Use a line from a song or a movie quote that resonates with you.
  • Pick a motivational quote that inspires you.
  • Blend the names of TV shows, apps, or brands you love.
  • Mix different animal breeds, cities, or counties.
  • Create a string of three completely random words.

Enhance these combinations by inserting numbers or symbols between the words, adding an extra layer of security.

Assessing Password Security

A password might be weak if it is:

  • A single, common word.
  • An easily guessable name or date of birth.
  • Simple numeric sequences or phone numbers.
  • Basic word-number combinations.
  • Only lowercase letters or using the bare minimum length required.

Avoid using easily deduced details like your name, business name, or simplistic words on their own.

Remember, passwords such as “Password” and “123456” are alarmingly common and vulnerable.

So, to make your password more secure, avoid using your name, anyone else’s name, your house number, phone number, business name or simple words on their own.

Using strong passwords isn’t the only step you can take to keep your information safe. There are other cyber threats that you can protect yourself against. See how you can avoid falling victim to a phishing attack, and find out what other simple steps you can take to protect yourself.

Industry News Roundup August 2020

We aim to keep on top of all the latest IT developments here at Cyan, and like to make sure our customers are kept in the loop as well.  Each month we round up the most relevant and newsworthy information from around the internet, and deliver it straight to you in simple terms that doesn’t skimp on details. This time, we’re talking cyber security as Microsoft Office allows phishing simulations and there’s an eye-opening look at cyber-attacks during the pandemic.

Microsoft Research shows Uptake in Digital Cyber Security

The Covid-19 crisis and lockdown period plunged businesses across the globe into chaos, forcing companies to quickly look more closely at their cyber security measures. New data from tech giant Microsoft recently released showed that the pandemic caused a huge 58% of businesses surveyed to increase their security budgets, while an even bigger 82% expressed an interest in hiring security staff in the future.

The report also released details on the most popular security measures adopted during the pandemic. 20% of businesses had invested in multi-factor authentication (MFA), while endpoint device protections came in second at 17%.

Check out the full report on the Microsoft blog.

Microsoft Office Enables Phishing Simulations

Phishing emails are the kind of nightmare you want to stop before they’ve even started. Which is why we’ve welcomed the news this month that Microsoft has added an attack simulator to their Office 365 package.

Users who have signed up for the Office 365 Advanced Threat Protection (ATP) Plan 2 will soon be able to run imaginary scenarios on spear phishing, password spray, and brute force attack to test their employee’s responses. Phishing emails remain one of the main forms of cyber attack, and are often easy to miss, which is why Security Awareness Training is a security-must.

For more information, head over to the Microsoft website.

SMEs at Increased Risk of Cyber Attacks

Small businesses already have it tough enough, but a report from global recruiter Robert Walters has uncovered some worrying statistics regarding SMEs and cyber crime.

The report, carried out in collaboration with data provider Vacancysoft, showed that there are around 65,000 cyber security attacks on SMEs every day, and at least 4,500 of those end up being successful. Data breaches can cost companies vast amounts of money, data showed, with each attack having the potential to cause £2.48m worth of damage.

To read the full report, head over to the Robert Walters website.

Keep devices protected while remote-working

With businesses actioning their continuity plans, and many now working remotely, we’d like to share our guide to help you protect your business from cyber-attacks.

1. Always make sure your device’s operating system (e.g. Windows or iOS / Android) is kept up to date with the latest security patches. You can automate this process in your device settings to make it easy.

2. Antivirus software must be installed on laptops and PCs, and where possible, mobile devices. Keep this software up to date to make sure it’s protecting you against the latest threats.

3. Stop attackers guessing your passwords by combining multiple random words, or by using a sentence, to create a ‘passphrase’. Don’t write it down, don’t share it with anyone, and make sure you change it if you think it has been compromised.

4. Don’t click on links in emails or on websites unless you are certain that they are legitimate. Be skeptical of emails sent from people you don’t know, or where the content doesn’t match their normal character. Especially if they are encouraging urgent or immediate action.

5. Avoid storing or processing company information on laptops and PCs, instead use the web version of applications such as Microsoft Outlook, Word, PowerPoint etc.

6. Enable the inbuilt firewall on the device to protect against incoming attacks. Learn more at: https://support.microsoft.com/en-us/help/4028544/windows-10-turn-microsoft-defender-firewall-on-or-off

Have You Considered These Risks to Your Business?

The dangers of cyber risks and threats to a business aren’t at the top of the agenda for many small and medium sized companies, but they should be. In recent years, the increase in high-profile data breaches has increased dramatically, and affected millions of people globally.

And because of the increasing commonality of these threats, society is becoming somewhat desensitised to the alarming numbers of risks that affect thousands of large-scale corporations that hold masses of personal information.

It’s often reported that big businesses are hit all the time. For example, Facebook, Tesco Bank, Talk Talk, Travelex and Three Mobile are recent prime examples. It can be forgiven to think that start-ups and small businesses are less of a target, but the reality is that no business, big or small, is 100% safe in the current climate. In fact, International Data Corporation (IDC) recently revealed that approximately 71% of data breaches are now targeted at small businesses.

What is a Risk and what is a Threat?

Before you strategically plan how to prevent your business from being affected by cyber-attacks, it’s essential to understand the difference between a risk and a threat.

Risks are business issues with technical aspects that impact, and is impacted by, all areas of the organisation. The risk element is the potential for uncontrolled loss of something of value, so in the case of data, this would include sensitive information or programs, for example.

A threat can be both unintentional and intentional, targeted or non-targeted attack. A threat can come from a variety of sources, including foreign nations engaged in espionage and information warfare, criminals, hackers, scammers and even disgruntled employees and contractors working within an organisation.

In a nutshell, a risk means the potential for loss, damage or destruction of an asset due to a threat exploiting a vulnerability. While on the other hand, a threat is what we’re trying to protect against. This can be in the form of vulnerability, weaknesses or gaps in a security program that can be exploited by threats to gain unauthorised access to an asset.

In most cases, small and medium sized businesses will deploy several technical defences such as Firewalls and Anti-virus software to protect their organisation from such threats. While these technical defences help protect the business, additional steps do need to be taken.

These additional steps are often forgotten about or not considered as they aren’t seen as technologically positioned, but they are a critical starting point for reducing the overall risk to the organisation. These additional steps include:

Leadership

In all organisations, information security needs to be driven from the top down. Most information security initiatives will fail without the support and sponsorship from the Board. The information security strategy needs to align with the business strategy and objectives to ensure the business is doing all it can to prevent serious attacks.

Behaviours and Culture

Information security isn’t just about technology, people also play a critical role. Everyone in the organisations plays an active role in information security and should be tooled with the knowledge on what to do and what not to when faced with a cyber risk or threat.

Asset Management

The organisation should maintain an up to date asset register of hardware and software in use within the business. Each asset should be assigned an owner and a level of criticality. As the saying goes, “you can’t protect what you don’t know you have”.

How can I mitigate these Risks and Threats?

Leadership

Leaders of any organisation, big or small, must have support from the Board or whoever is the ultimate decision-maker and change-enforcer of the business. First and foremost, it can be beneficial to become Cyber Essentials accredited. Cyber Essentials helps guard you against the most common cyber threats and demonstrate your commitment to cybersecurity.

A business must align the information security strategy with the business strategy and objectives, ensuring that this is communicated with all employees. To get started and equip you with the tools, the National Cyber Security Centre (NCSC) offers a comprehensive toolkit designed to encourage essential cybersecurity discussions between the Board and their technical experts. They also provide a free service called ‘Exercise in a Box’ which can help determine how resilient a business is to a cyber-attack.

Behaviours and Culture

The practical implementation of a measurable security awareness program can be incredibly beneficial in mitigating cyber risks and threats within a business. A security awareness program should include security news on the latest threats, information posters and regular employee training to enable your employees to detect threats within the business. What’s pivotal to employee security awareness is that they everyone within the business, no matter job role, should be trained on who to report any security threats and suspicious behaviour to.

Asset Management

Asset management is vitally important. Every piece of hardware and software that’s used within your business must be accounted for. If not already in place, the first thing to do is to create an asset register of all hardware and software within the business. Use the register to prioritise the implementation of security controls, starting with the most critical assets first.

How can CYAN help your business?

When it comes to the cyber safety of your business, it’s our number one priority. When you choose Cyan, we follow steps to ensure your business is safe against the ever-growing cyber risks and threats. Here’s how:

  • We start by understanding your business
  • We assess the security maturity of your people, processes and technology
  • We identify risks and provide recommendations
  • We can create and implement a security strategy to reduce risk within your organisation
  • We can provide and manage the latest technology to secure your company assets
  • We can provide the platform and expertise to deliver a security-aware business

For more information on how we can help secure your assets and data, get in touch.

Cyan Approved to Join NCSC Cyber Information Security Partnership (CiSP)

Cyber threats are at an all-time high, and as cybercriminals become increasingly sophisticated and threats continue to rise, organisations across the globe are becoming more and more susceptible to very serious potential cyber-attacks.

In recent years, a multitude of new and evolving cybersecurity threats have put businesses in varying industries on high alert. Increasingly complex cyber attacks involving malware, phishing, machine learning, artificial intelligence and cryptocurrency have placed the data and assets of many businesses at risk.

New Membership with CiSP

Because the safety of your information is at the forefront of everything we do, we are delighted to announce that we have been approved to join the National Cyber Security Centre (NCSC) Cyber Security Information Partnership (CiSP).

A cyber threat does not become a managed organisational risk until it is fully understood, and at Cyan, you can be guaranteed that we understand the significance of cyber risks and how to prevent them from creating a catastrophic outcome. Good situational awareness is key to managing cyber risks, and as an approved member of CiSP, we will have the full backing and regulated support to be able to ensure cyber threats to the businesses we support are significantly reduced.

In order for Cyan to have become a recognised member of CiSP, we have gone through a process of being vetted, and sponsored, which has led to us being successfully approved. Our sponsors is the highly regarded and skilled UK South East Regional Organised Crime Unit.

What Are the Benefits of CiSP To Your Business?

In recent years, there have been a number of notable attacks on both large and small-scale organisations, with some high-profile cases taking the limelight. A particular spate of cyber-attacks had detrimental effects on the political frontier, and more importantly, the government.

This particular incident was the 2017 attack on Managed IT Service Providers (MSP’s) that was conducted through popular platforms such as Gmail and Twitter (to name but a few) on which sensitive and confidential information was leaked. Following on from this targeted attack, the NCSC, which is part of the Government Communications Headquarters (GCHQ), recommended the following crucial advice to organisations who outsource their IT:

“Organisations who outsource IT infrastructure are recommended to have an open dialogue with their provider and to understand what model they use to manage your services. If their model is unsatisfactory, the organisation should demand that they change it immediately.”

The NCSC recommends that MSP’s who are unwilling to work closely with customers, or are reluctant to share information, should be treated with extreme caution. They also advise that having an independent audit of your MSP is critical for security management – “an organisation that neglects such monitoring is unlikely to ever be able to effectively manage the risk.”

This reinforces the importance of being a member of CiSP. We will get early warnings of cyber threats, such as the above, meaning we can manage and prevent an entire host of potential cyber threats from actually happening to the businesses we work with.

How Will Cyan Help My Business Benefit from CiSP?

As briefly touched upon above, there is a massive benefit to you in that Cyan will always be alerted of potential cyber threats, meaning that we can act fast and take preventative measures. Some other key benefits as detailed by CiSP are:

  1. Engagement with industry and government counterparts in a secure environment
  2. Early warning of cyber threats
  3. Ability to learn from experiences, mistakes, successes of other users and seek advice
  4. An improved ability to protect your company network
  5. Access to free network monitoring reports tailored to your organisations’ requirements

From the above list provided by CiSP, point 4 refers to Cert-UK Network Reporting Service (CNR). To be described in a nutshell, CNR is a free but intellectual service that can scan for any signs of potential network abuse events (such as cyber threats or potential attacks) and vulnerable network services. These searches are conducted on an organisation’s Internet-facing services so that all possible threats can be picked up and dealt with effectively. As we’re now a member of CiSP, we are able to offer this excellent and comprehensive network protection service to all of our valued existing and future clients.

Here to Serve You

By providing enterprise-class IT solutions and exceptional support to businesses, our professional team of IT specialists, consultants and advisors are passionate about cybercrime and ensuring that your business doesn’t face what many others have to.

We work closely in partnership with businesses like yours to deliver tailored technology solutions, provide expert advice, and above all, offer comprehensive IT support. The fact that we are now members of CiSP adds another string to our bow and will help us to serve your business with the utmost professionalism and industry understanding. To find out more about the services we offer or if you’d like to know more about our new membership with CiSP and what this means for your business, please get in touch.

What Is Cyber Insurance and Does My Business Need It?

Cyber-attacks are not a new phenomenon, but they are, unfortunately, on the rise. A cyber-attack on your business can be utterly detrimental, leaving computers and computer networks exposed, disabled, and even destroyed.

Due to the rise in cyber-attacks, cyber insurance (also referred to as cyber risk or cyber liability insurance) has become a hot topic in recent years, and it makes sense as it’s always better to prevent a cyber disaster than deal with the consequences. Cyber insurance pretty much does what it says on the tin; it’s a type of insurance for businesses that’s put in place for digital threats. With so many cyber threats affecting businesses, no wonder it has become a highly popular service for SMEs and businesses, large and small around the globe.

Should My Business Have Cyber Insurance?

In a nutshell, yes. Your business more than likely should have cyber insurance in place. However, it’s important to understand what it does and doesn’t cover.

What are the Benefits of Cyber Insurance?

As technology continues to become increasingly important for a business to operate successfully, the value and need of a robust cyber-insurance policy will continue to rise. No matter the size of your business, its location or industry, the technological nature of the modern-day world exposes vulnerable businesses to cyber-threats every single day.

A cyber-attack will not only threaten your finances and disrupt your operations, but it can also tarnish the reputation of your business. In order to protect your business from the devastating effects of a cyber-attack, it’s essential that you protect yourself with a strong cyber-insurance policy that covers all grounds.

10 of the most significant benefits of taking out cyber insurance are, but not limited to:

  1. Forensic support – When you have cyber insurance in place, forensic support provides your business with near-immediate around the clock support from cyber specialists following a data breach or hack. They will be able to confirm the impact of the breach and establish solutions.
  2. Consultancy fees – Your insurer may reimburse any costs of a consultant that has helped manage a response or solution to the incident.
  3. Interruption of business – If your business experiences an IT failure or cyber-attack that disrupts the operations of the business, your insurer may cover your loss of income during the interruption. In addition, increased costs to your business operations in the aftermath of a cyber-attack may also be covered.
  4. Privacy breach costs – A breach costs clause is a single clause that provides cover for security breach costs, such as notifying customers or recovering files.
  5. Privacy liability clause – A privacy liability clause provides cover for privacy infringement claims plus any legal costs in the event of a cyber breach. This is critical for all businesses that handle or store personal information in line with GDPR.
  6. Cyber extortion – A policy may cover your business if it’s infected by ransomware or other malicious software that attempts to seize control of or withhold access to operational or personal data until a ransom or fee is paid.
  7. Digital asset replacement expenses – In the event that your business’ digital assets are corrupted, lost, or altered in any way by a cyber-criminal, your policy may cover the costs incurred.
  8. Reputational damage – Your policy may recover lost profits directly attributable to cyber-attacks. Particularly those that have been detrimental to the reputation of the business and/or any of its employees.
  9. Management liability – Your policy may cover costs associated with defending senior management from cyber-attack fallout.
  10. Restoring data – After a massive security breach, your insurer can help to cover costs for restoring vital business data.

While there are many benefits to having cyber insurance in place, it’s equally important to understand what’s not included. For instance, if you’re using outdated or unsupported software or systems, many cyber insurance policies will not cover you.

Examples of this are using end of life operating systems such as Windows 7 or end of life equipment such as a Firewall that is no longer receiving firmware or security updates. However, when you do choose to take out cyber insurance, speak with the insurer about the terms and conditions and what potential breaches could affect your policy.

How Much Should I Expect to Pay for Cyber Insurance?

First and foremost, when it comes to buying the right cyber insurance for your business, what’s important to understand is what your business’ assets are worth. An example of an asset could be a laptop, workstation, server or database, and, more importantly, the information or data that it contains.

In most cases, a robust cyber insurance policy will cost in the region of £1000 per year. It’s also important to invest in training employees to recognise and react at the first signs of cyber compromise. Often, cyber insurance can create a false sense of security, so splitting your budget between a robust cyber security policy and trained and knowledgeable staff can strike the perfect balance.

Something to remember is that once you’ve taken out an insurance policy, you shouldn’t just leave it and get on with things. Your cyber insurance policy should be reviewed regularly and updated based on the continually evolving needs and current cyber-threat dangers directly related to your business. Above all, invest your budget wisely with a certain per cent in preventive controls with the leftover percentage invested in insurance.

What Level of Cover Do I Need?

The insurance policy requirements of every single business will differ based on a number of factors. But a good starting point would be to speak with different insurers to see what they can offer you. Things to consider include, but are not limited to:

  • The amount of sensitive information stored
  • Where sensitive or confidential information is stored
  • What measures would need to be taken if your business experienced a data breach
  • What the costs would be to replace the damaged software/hardware
  • Does your business have trained employees to mitigate the damage?
  • Does your business require the assistance of external security specialists?
  • Does your business have PR staff to deal with crisis management if a data breach occurred?

Answering the above questions and gathering as much information about your business as possible will help you get an idea of how much insurance coverage your business may require.

How to Pick the Right Insurance Provider?

It’s essential to shop around and speak to different providers, understanding what each can offer your business in times of crises. Word of mouth is the strongest form of marketing, so it may also be beneficial to speak with other industry professionals for recommendations.

At Cyan, we’ve got a great track record of helping small and medium-size businesses put the right cyber security measures in place. We can work with you to develop a strong cyber security policy document that will act as a protective umbrella for your business. We can also help audit and review any policy that you may already have in place to ensure that it is fit for purpose. Contact our expert team today to find out more.

What Is Ransomware and How Should I Protect My Business?

With more and more business transactions taking place online, it’s vital that you have the correct and preventative measures in place to protect your business from cyber-attacks. One form of cyber-attack that has been on the rise in recent year is ransomware. But what exactly is it?

Ransomware is malware that demands some form of payment from an individual or business in order to recover control of their computer or data. Most commonly, when it comes to personal attacks, the attacker will encrypt personal files on the victim’s computer in a way that means they cannot be opened unless the victim has access to the decryption key. Thus, access to the decryption key is what the attacker wants the victim to pay for. In other cases, such as in a business setting, the attacker may threaten to publicise or leak sensitive information that could be detrimental to business.

A Spike in Ransomware

Based on data from a report by California-based cybersecurity firm, SonicWall, findings revealed that in the first 6 months of 2019, ransomware was on the up. Here are some key findings:

  • Ransomware volume was up 15% globally
  • Encrypted threats spiked 76%
  • IoT malware attacks were up 55%
  • Malware attacks across non-standard ports dipped 13%
  • With bitcoin value spiking, crypto-jacking volumes were up 9%

What’s more worrying is that the firm reported; “The UK has been the biggest target for ransomware attacks for the first half of 2019 with the number rising 195%, as compared to the 59% reduction in attacks of the same kind in 2018, it has been claimed.”

They went on to say that “Almost half of all infected businesses in the UK now opt for paying the ransom.” This is the main reason that ransomware has spiked. In addition, with more businesses taking out cyber insurance, there is a higher chance that a business will just fall back on their cyber insurance policy and let their insurance provider pay-out, making ransomware a lucrative business for attackers.

High-Profile Attack

In recent cases of ransomware, Travelex is among one of the more high-profile cases. On New Year’s Eve 2019, hackers launched their attack on the Travelex network. As a result, the company took action by taking down its websites across 30 countries to, in their words, contain “the virus and protect data”. The way in which Travelex handled this attack really highlights the importance and need for a good business continuity plan (BCP) should the worst happen.

But despite ransomware being a lucrative venture for hackers, it’s not just large companies like Travelex that are being hit. In relation to this, Simon Bond, CEO of Cyan, says; “Unfortunately, it has become more common for cyber criminals to develop and use sophisticated tools to target the vulnerabilities of smaller businesses.”

“These vulnerabilities are caused due a range of system issues such as technical glitches, unpatched software, or by hardware that hasn’t been configured properly. However, the most common of the vulnerabilities tend to involve employees who use weak or compromised passwords, or inadvertently click on something that opens the business up to an array of issues.”

Glyn Cheesman, IT Security Manager at Cyan, believes many cyber criminals know that SME leaders may not truly understand the impact and importance of cyber security. He goes on to say, “We live in an age where cyberattacks continue to evolve, and of course there is a threat to businesses of all sizes, but it’s particularly more challenging for small to mid-size businesses. It’s therefore critical for companies to understand the risks and work on developing strong risk-mitigation strategies to lessen the devastating impact of cyber threats and attacks.”

How Do I Protect My Business?

The best thing you can do to protect your business and colleagues is to cyber insure your business. Insuring against cybercrime and data risks means you’re protected against new and existing threats, but with cyber insurance, your business will you will also receive help with the practicalities of getting experts to restore systems, recreate data and deal with any demands being made where data is stolen.

Additionally, you can carry out some good business practice to prevent cyber-attacks, which include but are not limited to:

  • Ensuring access control is in place. Restricting user access can limit the extent of the encryption to just the data owned by the affected user. Often, employees can have access to data that’s not relevant to their role. Therefore, it’s crucial to re-evaluate the permissions placed on shared network drives regularly in order to prevent the spreading of ransomware. System administrators with high levels of access should always strive to avoid using their admin accounts for email and web browsing.
  • Backing up your data. Organisations should ensure that they have thoroughly tested backup solutions in place whether controlled in house or externally. But remember that backed up files should not be accessible by machines that are at risk of encountering ransomware. Remember that backups should not be the only protection you have in place against ransomware; the implementation of adequate security practices will mean not getting ransomware in the first place.

To Pay or Not to Pay: What to Do If You Are Held to Ransom?

The general advice is not to pay if you or your business are held to ransom. However, it is likely that in some cases, insurers will pay out on your behalf depending on the specific circumstances. The reason businesses are advised not to pay out is because there is no guarantee that the attacker will provide the decryption key and/or not sell or publish any company sensitive information.

Almost half of all infected businesses in the UK now opt for paying the ransom, but if you do find yourself in that situation, immediately report the incident to your IT helpdesk. In addition, report the attack to the authorities and your cyber insurance policy provider.

Top Tips to Protect Your Business Against Ransomware

It may not happen, but it’s always better to have preventative measures in place should your business encounter ransomware. There are a few ways to do this, including:

  • Implement an incident response plan to help identify, respond and recover from an attack. This will include the steps you plan to take should your business encounter an attack.
  • Ensuring there are strong technical and administrative controls in place with security control frameworks.
    • A secure and robust Internet connection
    • Secure/password-protected devices and software
    • Robust access control measures in place
    • Updated virus protection software
    • Keep your devices and software up to date

For further advice and to discuss implementing robust and secure security measures, get in touch.

The End of Life for Windows 7

Windows 7 end of life

On 14th January 2020, Microsoft will officially ‘end the life’ of support for Windows 7 and Windows Server 2008 (including 2008 R2); a change that will pose a significant challenge for many businesses throughout the UK.

Not only does 2020 mark the beginning of a new decade, but it also commemorates the end of an era for Windows 7 and Server 2008. Not so long ago, these trusted operating systems were one of Microsoft’s most popular, so much so, that many businesses still use them on a daily basis.

But what exactly does end of life mean for small and medium-sized enterprises (SMEs)? Well, if you continue to use these operating systems after support has ended, your systems will still work, but will become considerably more vulnerable to security risks and viruses. As SMEs represent 99% of all businesses in the UK, there’s potential for a significant number of companies to be effected.

Assessing the Risks

In a nutshell, this rather significant operating system end of life means no more bug-fixes, security patches or new functionality. In addition, Microsoft customer service will no longer be available to provide technical support and related services will also be discontinued over time.

This considerable change, therefore, may cause concern for existing users as the risk of running systems beyond 14th January means that computers and data can become vulnerable to exploitation, hackers and bugs, to name but a few.

Vulnerabilities can be very dangerous as attackers can more easily comprise unpatched systems. Once compromised, the attacker can gain control of the system to steal information and potentially launch further attacks on other IT systems within an organisation’s network.

When an operating system becomes end of life, the vendor will no longer release security updates or patches to remediate any discovered vulnerabilities. This leaves systems at serious risk of being compromised.

Is Your Company at Risk?

It’s vital to assess the risks to business before deciding what action needs to be taken – and, in this case, both the likelihood and impact need to be determined. To achieve this it’s essential to consider the following:

  • Does the system contain business-critical and/or confidential data?
  • Does the system contain any sensitive data such as personally identifiable information?
  • Does the system support a business-critical process?
  • Will running an end of life operating system be in non-compliance of:
    • GDPR
    • PCI
    • Supply chain agreements
    • Insurance policies
  • What would the cost be to the business if the system was compromised?
  • Would the reputation of the business be damaged if the system was compromised?
  • Is the system exposed to the internet, if so, can this be limited or removed completely?
  • Has the user(s) of the system received adequate security awareness training?
  • Do we have the capabilities, including the skills and knowledge to manage the risk?

Once the likelihood and impact have been determined, it’s then about calculating the risk. If the risk is low, it should then be recorded in a risk register and treated to reduce the likelihood of it occurring.

Managing the Risks

At CYAN, we believe that the best option and one that should always be considered before anything else is to terminate all risks by upgrading operating systems to a supported operating system before the end of life date. Which in this case, is 14th January.

However, in some cases, it may be necessary to run a system with an operating system beyond its end of life date. This could be due to several reasons, from budget constraints to a dependency on a legacy application that requires a specific version of an operating system version in order to work. If this is the case, the risk should be assessed and treated to reduce the likelihood of the system being compromised.

But it’s important to note that this should only be a short-term measure while measures are put in place to upgrade to an updated operating system. We know that business survival during a huge change such as this requires having a strong IT security strategy in place.

Effectively Treating Risks

At CYAN, we balance our intricate knowledge of IT with a personal approach to understanding the businesses and people that use it every day. And so, to reduce the likelihood of the risk occurring when Windows 7 or Server 2008 reach end of life, multiple techniques and controls can be applied to treat the risk. There are a number of ways in which this can be done:

Reducing the Attack Surface

Removing all unnecessary applications from the system and only allowing signed and trusted applications to run can effectively reduce the risk. Additionally, isolating the system to a tightly controlled security zone and limiting exposure to the internet can also help to decrease the attack surface.

Applying Patches

First of all, it’s important to know what patches are in the IT realm. A patch is a set of changes to a computer program or its supporting data designed to update, fix, or improve it. So, by applying the final update and security patch from Microsoft, as well as continually keeping all required applications up to date, can significantly treat risks.

Implementing Strong Technical Controls

Use a comprehensive endpoint security solution to protect against malware and unauthorised access and harden the system by disabling unrequired services and system features. Not sure where to start? Speak to us for expert help and advice.

Control Access

You can also prevent access by removing unused accounts and restricting access on a need to know basis. Using strong passwords and multi-factor authentication can also be highly effectively when it comes to watertight access control.

Backup and Event Logging

Regularly performing backups as well as enabling event logging to a safe, secure and restricted location is vital to contain, eradicate and recover from a security breach.

Security User Awareness Training

Within a business, it’s vital to practice safe clicking and carry out regular security awareness training and measure its effectiveness with all members of the team. This is of the utmost importance when it comes to the end of life of operating systems such as Windows 7.

The Next Steps…

While end of life operating systems will continue to work after their end date and additional techniques and controls can be applied to reduce the likelihood of the system being compromised, it’s best practice to terminate the risk by upgrading the system to a supported operating system before the end of life date.

This means the end of regular security updates which puts any system running Microsoft Windows 7 or Server 2008 beyond 14th January 2020 at serious risk. Businesses that use these systems and that have failed to update to newer systems are at risk of severe and very dangerous security breaches.

Skill and Knowledge for The Steps Ahead

It’s worth noting that to manage the risks involved in such a drastic change will require skilled resources and additional time and effort, which isn’t always something that can be carried out within a small or medium sized business. And much like any massive business change, the cost of managing the risk should be weighed up against terminating the risk by upgrading the system to the next available operating system. You might just find that it’s more cost-effective, and ultimately, will be far safer for the business to simply upgrade the operating system.

At CYAN, we have seen security threats from outdated operating systems, unpatched vulnerabilities, and various other security breaches. The longer your company waits to update systems, the bigger the risk becomes of a potentially costly and nasty attack. Please don’t wait any longer, get in touch to find out more about how we can help you with a safe and speedy upgrade.

Wherever your organisation goes after Windows 7, upgrading should be done in a measured and controlled way, and certainly not rushed at the last moment without careful consideration of the impact to business.

What is Cyber Essentials and Why is it Great For Your Business?

The vast majority of cyber attacks can be classified into a few different types that businesses can protect themselves against.

Understanding what your cyber security risks are and how to mitigate them is not just something you should be worried about because of the potential damage to your systems. You have a legal duty of care to protect data pertaining to the customers you provide products or services for.

Small and medium-size businesses on strict budgets are just as much at risk as larger organisations when it comes to cyber crime. Initiatives such as Cyber Essentials are integral in ensuring that these companies are able to put in place real solutions that help reduce the risk of a security breach.

What is Cyber Essentials?

Cyber Essentials is a UK government-backed initiative that has been in place since 2014. The scheme outlines the basic steps your business can take to mitigate up to 80% of the risks that it might face from external and internal malicious influences.

It’s a recognised scheme that has been designed specifically with small and medium-size businesses in mind and is a relatively low-cost IT security framework that any company can employ.

The Benefits of Cyber Essentials

It’s not just businesses that are concerned about cyber security. Consumers are worried too and they are more likely to choose a business that can demonstrate it’s taken precautions to protect data rather than one which hasn’t. Cyber Essentials certification gives you an easy way to show what your business is doing to keep your customers’ data safe.

If you are a B2B organisation, in particular, one seeking to bid for government projects, Cyber Essentials certification is the evidence that proves you are serious about mitigating cyber security risks in your company.

5 Ways to Improve Your Cyber Security through Cyber Essentials

The five main ways to improve your cyber security means having these important controls in place:

1. Secure your Internet connection

You should protect your Internet connection with a firewall to create a secure buffer between your company network and devices and external networks and the Internet. This allows you to have more control over remote access to internal systems and data, as well as outbound access to the Internet.

Most businesses will have a boundary firewall on their router and a personal firewall on devices, but few understand how they work or how to configure them to better protect data and software. The Cyber Essentials scheme is designed to give businesses more control and greater knowledge in this area.

2. Secure your devices and software

Most new devices will come bundled with pre-installed software applications, have auto-run features enabled, or even have a manufacturer default password. All of which give hackers an opportunity to exploit common settings.

By removing any unnecessary software applications, disabling unused features and changing default passwords to something secure you will make the device far more secure. Where applicable, using two-factor authentication will increase security further.

3. Control access to your data and services

Another important part of security is understanding what data and sensitive information relates to your business and who has access to it. To minimise the damage if a user account were to be misused or stolen, staff should only be given permissions to access the data they need to do their job. This goes for senior managers and directors too, as giving full access rights to this type of account will make them a prime target and will cause the most damage if they are breached.

4. Protect from viruses and other malware

Malware can come in many forms and you need to make sure that your computers and devices are protected by suitable anti-virus software.

Infection can come from Internet worms and viruses, hacked websites, ransomware, botnets and spyware and each of these present their own challenges. Modern day malware attacks are designed to deceive computer users and bypass common methods of protection. Often, a multi-layered approach to securing your systems is more effective. Cyber Essentials will help you to choose the appropriate protection for your business.

5. Keep your devices and software up to date

It’s surprising the number of businesses that don’t download updates and patches for operating systems when they are available. This often happens when older systems are being used in the company.

These software updates are vital in combating cyber-attacks and businesses need to ensure that systems download and install at the earliest opportunity. The easiest way to do this in most cases is to initiate automatic downloads.

If a manufacturer no longer supports hardware or software, new updates are not available. In this case you should consider replacing the hardware.

What Should You Do Next?

Once you have taken the time to investigate your security needs and have put these five basic controls in place, you will put your organisation on the path to better cyber security. Cyber Essentials Certification should be your next target, but you can work towards that goal at a pace which suits you.

Improving your online security by obtaining Cyber Essentials certification won’t guarantee you will never be the victim of an attack but it should help mitigate about 80% of the risks at a relatively low cost to your business.

Cyan Solutions can guide you through the process and work with you to deliver a more secure future for your company or organisation. Contact our expert team today to find out more.

The Cyber Security Basics You Should be Covering Now

Achieving full protection when it comes to cyber security risks can seem daunting for even the smallest of businesses. Even if you can’t access the huge budgets that big corporations have at their disposal, there are some basic solutions you can put in place to protect your business.

5 Cyber Security Basics You Can Implement Relatively Cheaply

Even if you are a small or medium-size business with a very limited budget, there are a number of solutions which need to be implemented with relative immediacy.

1. Understand What Assets Are At Risk

We use a wide range of devices to access software and the internet nowadays. You might use a desktop in the office, a laptop at a local café or a smartphone or tablet while on the move. Software and data is no longer placed on a protected server within the organisation but can be accessed from anywhere in the world via the cloud.

Our assets when it comes to cyber security are more wide-ranging and, in some cases, can seem quite nebulous, than ever before. They are all, however, vital to daily operations and need to be protected. It’s important to know what you use and how it might affect your online security.

That means carrying out a regular inventory:

  • What hardware such as desktops, laptops and smartphones do you have?
  • If you use remote workers to support your business, how are you connecting to them and protecting data?
  • What remote or local servers are you using?
  • What cloud services are you and your staff employing?
  • What virtual machines are you using? What software?

This inventory gives you the basis for understanding your cyber security risks and needs. For example, you may allow BYOD in your business which can present specific challenges when you incorporate your software and data sharing onto someone’s private device.

2. Fill in the Gaps

Once you do an inventory, the likelihood is that you will spot areas where your security isn’t covering your business as you might like. This can happen for a variety of different reasons:

  • You may not have implemented a cyber security solution in the first place.
  • There might have been a solution, but it was turned off by someone using the software.
  • You might already have been the victim of a malware attack that turned the security measure off.

Once you know where the problems lie, you have the chance to put things right and repair your system so that it works more effectively.

The more assets that you use in your business, the more complicated it can be to address all the issues, especially if you are short of time. That may mean outsourcing your IT to a third party who can ensure the gaps are plugged, allowing you and your teams to focus on the business. The key here is that plugging the gaps in your security should be a priority.

3. Auditing Permissions

Who has access to the vital parts of your business? Most companies will limit permissions depending on what job someone does and their position within the organisational structure. These are often not monitored closely enough which means that the potential for a cyber security breach increases. For instance, if someone gives another person their password to access important information, it is putting your business at risk.

It’s also important to check things like user passwords and how these are managed:

  • Are they robust and are they changed at regular intervals?
  • Do some people have access to more areas in your business than they really need?
  • Are there old accounts still operational even though staff have left the business?

Checking permissions on a regular basis is important and will ensure that everyone has the right access and security is kept intact.

4. Developing a Cyber Security Policy and Implementing It

It’s important also to have a cyber security policy for your business, even if you are an SME. The purpose of this is to provide the framework on which all your company security works.

It should include clear guidelines on how employees should behave online, how they use your data and software, who is responsible for ensuring compliance, and what you need to do in the event of a breach.

Even if you do have a cyber security policy in place, it’s vital to ensure that this is being implemented properly. That means having a regular audit to check processes are being adhered to and any changes that need to be made are actually being made and recorded.

For example:

  • You may have run a training session to make staff aware of your cyber security policy and what is expected of them. But have you onboarded new employees properly? Do you need to provide a refresher session?
  • Is the person who is responsible for implementing certain parts of your cyber security policy doing it properly? Do they need further training, or do you need to change personnel?
  • Are there things that need to be added to your cyber security policy following changes in the operation of your business?

5. Embrace Automation

Finally, it’s important as much as possible that you don’t leave your cyber security at the mercy of human error. That includes making sure you have automatic updates and patch downloads for devices rather than waiting for employees to do it themselves. Automation not only reduces human error it can save time and money as well.

When you undertake your audit, do it with a mind of looking for areas where you can include automation.

Cyber security is most certainly a big challenge to businesses, particularly SMEs. These small steps should help tighten up and streamline your current posture and keep you safer online.

If you’d like to find out how a fully managed, tailored IT support service can benefit your business, contact the team at Cyan Solutions today.