How to Create a Cyber Security Policy for Your Business

Whether you are a new start-up, an existing small or medium size business or a large corporation, dealing with cyber security risks is vital in the modern commercial environment.

According to the Government’s Cyber Security Breaches Survey 2019:

  • Nearly a third of businesses have identified cyber security breaches or attacks in the last 12 months.
  • This resulted in a negative outcome, such as a loss of data or assets, in 30% of cases.
  • Only 33% of companies have a cyber security policy in place.

This last statistic is astounding when you consider the threat from cyber criminals that we face at the moment. While a cyber security policy can’t fully guarantee you won’t become a victim of cybercrime, it greatly improves your chances of avoiding a breach and gives you the tools to respond if one does occur.

What is a Cyber Security Policy?

All businesses have certain assets, including data and software, that they need to protect. A cyber security policy is a formal document that can be used by a whole range of stakeholders to understand their responsibilities and what measures are in place to protect the technology and assets of the business.

Most importantly, it is not a document that is set in stone. It needs to be reviewed regularly and updated to respond to current and future cyber security threats.

Who Should Be Involved in Creating Your Cyber Security Policy?

A cyber security policy is not simply put together by your IT service provider. It involves input from a wide range of individuals. That includes management and leaders within your organisation, HR departments that may need to enforce dissemination of the policy to employees, and even a legal team who may need to input on the wording of the document.

Main Elements of a Cyber Security Policy

The core part of your cyber security policy should outline the risks that your business faces and why the measures you are taking are important. It should also outline who is accountable for implementing the policy and the processes that need to be followed in respect of a breach, including following current GDPR guidelines.

Obviously, the complexity of the cyber security policy will depend on the size of the business and the number of different departments that may be affected.

From the perspective of employees, providing guidelines on the daily use of technology within the business is also important. It should include guidance on:

  • Password control: including how to store passwords, how to create robust passwords and how often these must be updated.
  • Email protocol: including how to spot potential phishing emails, not opening links or attachments from dubious sources, deleting suspicious communications and methods for blocking spam, scam or junk emails.
  • Dealing with sensitive data: including how data such as customer details are stored, how they are used and who has access to them, as well as measures for deleting data that is no longer needed or legally required.
  • Using removable devices: including the safe use of USB/flash sticks and preventing malware attacks by scanning before opening removable devices.
  • Using technology and hardware: including using BYOD and accessing hardware such as laptops outside of the business environment.
  • Social media and accessing the internet: including protocols for what is appropriate information about the business to share on social media and guidelines on which sites are allowed to be accessed during work hours.
  • Managing cyber security breaches: including who takes the lead and has responsibility, who needs to be informed, and what action must be taken.

The last point is an important one for all businesses nowadays, especially in light of the introduction of the General Data Protection Regulation in 2018. Businesses that don’t have the appropriate measures in place and fail to follow the current guidelines not only face damaging their own reputation they can be liable for huge fines or prosecution.

Auditing Your Cyber Security Policy

As we said at the beginning, your cyber security policy should be a live document that is regularly updated. There should be regular times where the policy is reviewed and assessed in line with current business goals and cyber security threats. This should include:

  • How the current cyber security policy is working in the real world.
  • The exposure of your business to both internal and external threats.

Using Your Cyber Security Policy Properly

It happens in a number of businesses that the cyber security policy is developed and covers all the bases required. Unfortunately, it is not disseminated properly to those who need to know. If you have a policy that is stuck on the equivalent of a shelf gathering dust, it’s not going to be much use.

Included in the policy and implemented by your business in the real world is how this information is going to be conveyed to relevant stakeholders, including employees. That can involve, for example, training new and existing staff to spot phishing emails, regularly updating the current security threats facing the business and ensuring that robust passwords are used for accessing data and software.

How Cyan Solutions Can Help

There’s no doubt that cyber security is a serious concern for businesses across the UK, whatever their size. It’s also a huge challenge to get all the pieces in place that deliver the protection individual businesses are looking for.

Creating a cyber security policy is a vital process in setting up the infrastructure to keep your business safe online. You cannot entirely trust, for example, that all your employees will follow the right protocols all the time. But you at least need to have a formal document that outlines and reinforces what their responsibilities are.

At Cyan Solutions, we’ve got a great track record of helping small and medium-size businesses put the right cyber security measures in place. We can work with you to develop a strong cyber security policy document that will act as a protective umbrella for your business. We can also help audit and review any policy that you may already have in place to ensure that it is fit for purpose. Contact our expert team today to find out more.

3 Reasons Businesses Are Still Getting Their Cyber Security Wrong

Cyber security is one of the biggest challenges faced in the business world today. How do you protect your online services, including the sensitive data of your customers, effectively while still being able to function productively?

The list of recent high profile cyber security breaches highlights how difficult a challenge this really is. The 2018 attack affecting 500 million customers of Marriott Hotels and the more recent 2019 breach of Facebook user records that exposed 540 million accounts are just two examples.

Data breaches and cyber security attacks are not solely a problem for large corporations and big business. Small and medium-size commercial enterprises are just as vulnerable. The truth is, businesses are still failing to implement the strong security measures that are needed in the 21st century.

Here, we identify three major issues that business cyber security faces today. These are areas where many are failing to implement the right policies and procedures or having difficulty keeping up with the latest technological advances through lack of time and lack of budget.

1. Prioritising Cyber Security Risk Management Across the Business

Many companies we speak to say they have difficulty managing cyber security risks across their whole enterprise. There’s no doubt that the security landscape has become increasingly complicated over the past decade, so this isn’t a surprise.

Where having a solid virus and firewall protection in place was the basic requirement in years gone by, businesses now face a whole host of different threats. This highlights the importance of not only having a full cyber security policy in place that is adaptable to future threats and changes but ensuring it is communicated properly across the business.

One important issue is the huge increase in companies that operate a “bring-your-own-device” (BYOD) policy where existing hardware is boosted by employees using their own smartphones, tablets and laptops. While these add a certain level of convenience, they also increase security concerns and challenges.

Simple processes such as updating and patching software when necessary can become a hit and miss affair with many businesses when there is not a concerted attempt to prioritise cyber security risk management.

Certain parts of the business may be protected adequately but others can still be vulnerable. In addition to this, many businesses, particularly small to medium-size enterprises, may be entirely unaware that they are vulnerable through lack of knowledge.

2. The Need for Prioritising at Management Level

We also find that executive-level managers and leaders are often most focused on creating growth and moving their business forward. An issue like cyber security does not bring in money and it can be an expensive undertaking simply to keep up with the basic requirements.

Without the input and engagement of C-suite business executives, it can’t be expected that the rest of the workforce take their responsibility seriously. When you consider that 2018 was the biggest so far for data breaches, this represents a real dereliction of duty for leadership teams and priorities are not being aligned to address the real threat of cybercrime.

3. Shortfalls in Business Cyber Security Budgets

The final, significant issue that stops businesses developing the correct IT security posture is budget. In some cases, this can be because there simply isn’t the money to develop adequate systems and processes. In others, it comes down to managers and executives prioritising budgets for other ‘more important’ projects, usually focussed on growth and business development.

This latter point is also undoubtedly influenced by a lack of understanding of the role that cyber security plays in the business environment. With this being an increasingly complicated landscape, it is difficult to keep up with the current developments without having the appropriate IT staff on board at executive level who can provide clear and meaningful advice.

For small and medium-sized businesses, employing someone directly to provide IT services is often prohibitive and can drain a significant part of the cyber security budget before any measures are even put in place.

Improving Your Business Cyber Security

The challenges facing companies of all sizes cannot be underestimated. The first step in making sure that your organisation is on top of its cyber security measures is to stop treating this issue as a purely technical problem. Businesses also trust their IT professional to ‘do the right thing’ far too often and don’t delve too deeply into the different aspects of cyber security and what it means to their operation.

In most cases:

  • Businesses want to hand over responsibility to someone else or an external third party without putting in the hard yards to understand the issues and find solutions in a more collaborative way.
  • A business can also fall into a false sense of security – nothing has happened so far, the cyber security must be working well.
  • A business may have certain areas covered but not be aware, through lack of knowledge or even lack of interest, that there are vulnerabilities elsewhere that are just as threatening.

Cyber security takes place in a broad ecosystem where each individual component has the potential to impact on its neighbour. It’s important to work with a partner that understands the current challenges in cyber security and is focused on getting to know your business and working with executives to deliver an adaptable solution that protects the entire ecosystem rather than a few small parts.

A business cyber security breach could expose your client data, stop your systems working and cause untold damage not just to your ability to function but your reputation in the wider commercial world.

At Cyan Solutions, we provide a full cyber security management and support service that protects your business, adapting to current and future threats and ensuring you receive a tailored solution that meets your needs. Contact us today to find out more.

Cyber Security Risks You Need to Focus on in 2020

When you run a business nowadays it can seem you are continually battling the potential of malware threats and cyber attacks. It’s no longer enough to have standard virus software on your desktop – anyone with a digital presence needs to have a much more strategic approach to their company security.

That’s even more important now as, according to recent reports, the biggest challenges are yet to come. With cyberattacks becoming increasingly sophisticated, business of all sizes need to make sure they have the measures in place that protect them and strategies to facilitate recovery in the event of a breach.

Here we take a closer look at what you need to be thinking about when it comes to cyber security risks as we head into the next decade.

Ransomware remains a potent threat to businesses

Ransomware is a type of malware that stops your computer from working and issues a demand for money in order to free it up again. It’s normally delivered via a link in an email the user unwittingly clicks on and which then initiates the download of the malware.

According to the statistics, around 40% of businesses have been subject to some form of ransomware attack with more than 58% of these paying up to avoid damage to their operation and reputation. Only 4% of businesses that were asked in a recent survey were confident of dealing with a ransomware attack if it happened.

Our tip: Educate and train your staff about ransomware and how to recognise it, keep software up to date, and have a backup system or recovery process in place in the event of an attack.

Phishing set to become even more sophisticated

Phishing remains the easiest way for criminal actors to get access to our data. These are emails that purport to be from genuine sources that you may recognise, but attempt to coerce you into giving away vital information – such as your login credentials. While they are the most popular way of gaining access to privileged information, they can also be used to deliver ransomware, or hack systems.

Our tip: Always check who is really sending you an email before you click on any link. When in doubt, do not click.

Third-party IT that puts your business at risk

The biggest problem with today’s digital environment is that we’re all so well connected online. While this is great for better communication and productivity, it also presents problems when it comes to cyber security risks. Vendors may have information concerning your company and your customers or clients that can be at risk if they don’t have the right security measures in place. If they get attacked there could be a knock-on effect for your business.

Our tip: Be careful who you do business with and what information you share with vendors and third party suppliers. You need a process in place for handling liability and protecting sensitive data and ensuring that partners have a high level of cyber security in place.

The cyber security risks of cloud

There’s no doubt that using cloud-based services has added to the productivity and success of many businesses around the world. There are plenty of strengths here – you don’t have to worry about how to work remotely, your systems get updated without you having to do anything and you can tailor your IT provision to your needs.

But there are also cyber security risks that you need to understand here. Choose the wrong partner and you can find your company data at risk and your business subject to reputational damage.

Our tip: Make sure you partner with a reputable cloud service provider who has a good track record and protects your business while still being responsive to your needs.

The Hidden Threat of the Internet of Things

Almost everything with a digital footprint is beginning to get connected to everything else. Most of us own at least one smart device, whether that’s a mobile phone, smart TV or voice command box such as Alexa. Our heating can be connected up to our smartphone, we can even monitor home appliances while we’re on holiday, change the lighting remotely in the office or perform a host of other tasks.

The trouble is that the Internet of Things is designed for convenience rather than security. Many businesses that produce systems with an internet connection have found underlying flaws that may mean they are vulnerable to cyberattack.

Our tip: This is one to keep a close eye on, especially if you use a lot of smart technology in your office. Understand what you have and how it connects together and make sure you use strong passwords for the devices you own.

Expect to spend more on cyber security

While some business owners may baulk at the thought of paying more if you’re not properly protected it can have devastating consequences for if you are the victim of a cyber attack. It pays to make sure you have the right strategy in place and work with an IT service provider that delivers on your cyber security requirements.

According to research by the Department for Digital, Culture, Media and Sport:

  • The average cost to a UK business of a data breach is £4,180 (not including reputational damage).
  • Nearly 50% of businesses have identified a breach in the last year.
  • Only 31% of businesses have done a cyber security risk assessment in the last year.

Businesses need to be more focused on what cyber security measures they have in place. Yes, that may well lead to a bigger spend. This is especially true as attacks become increasingly sophisticated. But it’s worth it in the long run.

Our tip: Work closely with your IT service provider to ensure that you have the right measures in place but also formulate a cyber security budget and ensure this is invested in protecting your critical assets.

Data compliance means having a robust security strategy in place

Finally, with the introduction of the General Data Protection Regulation (GDPR), even more onus has been put on businesses to include operational measures that keep the personal data of their customers safe. While a breach will damage your reputation, it also puts you at risk of a substantial fine if you are on the wrong side of the current rules.

According to recent reports, many companies are still not compliant and are putting themselves at risk.

Our tip: Get together with your IT service provider to make sure that your company meets the current regulations and has the processes and strategic support in place to deal with a data breach or cyber attack.

If you are looking for an IT partner who can deliver on all your needs, contact the team at Cyan today.

Cyber Security Services

Cyan’s entire cyber security ecosystem, including full management and support, is delivered as a subscription – so you only pay for what you need.

Cyber security breaches disrupt business and can cause considerable financial and reputational damage. If you suffer a cyber-attack, you not only stand to lose business, you may also face regulatory fines and litigation. All this on top of the costs of remediation.

Most cyber-attacks are automated and indiscriminate. Rather than targeting specific organisations, cyber criminals prefer to exploit the low hanging fruit and attack known vulnerabilities or points of weakness. Your business is always under threat, even though you may not even be aware. On average, each UK business with an internet connection will experience over 500 attempts a day to breach their corporate firewalls. Yet only half of these firms have applied even the most basic cyber security controls.

The most effective way to protect your business and minimise the risk of a cyber-attack is to reduce the surface area that is open to exploitation and educate staff how to recognise and act on threats. This cannot be achieved with a single product or service. In fact, the most effective cyber security strategies comprise of multiple products and services, each intended to address specific threats.

In partnership with some of the world’s leading and best-in-class cyber security vendors, our team of experts will help you plan and implement a cyber security strategy that’s tailored to your needs. Our approach to IT security ensures that all areas of your business are carefully considered – this is essential as threat protection cannot be one-size-fits-all. Gaps quickly appear if, for example, you have remote workers, or if you use cloud services.

Cyan offers the following Cyber Security Services:

Managed Anti-Virus/Malware

To successfully protect against known viruses and emerging malware and ransomware threats, you need an antivirus solution that not only uses traditional signature-based protection, but that also uses sophisticated heuristic checks and behavioural scanning to protect against previously unknown threats.

Our expert security team will help prevent the unexpected with full, real-time proactive monitoring of your systems to provide continuous data and hardware protection from viruses, malware and ransomware. We’ll ensure everything is kept up-to-date and we’ll even handle security alerts as they happen.

Managed Firewall

As the first line of defence for your network, firewalls are a critical layer of threat protection that should form the foundations of your security, compliance and risk posture. To be effective, firewalls require continuous monitoring and management to ensure your network stays online and malicious attacks are prevented at the gateway.

Our team of certified SonicWall experts install and configure next-generation firewalls for maximum security and provide ongoing administration, monitoring and response to security events. We take care of everything and make sure your network is protected against known vulnerabilities and exploits that could be used to attack your business.

Managed Web and Email Threat Intelligence

The vast majority of cyber threats attempt to exploit the weakest link – your end users – and what often looks like an innocent email containing a harmless web link can quickly turn into a data breach or full-blown ransomware attack. All it takes is one click of a mouse. This type of attack will often evade traditional anti-virus protection by coercing end-users into giving away credentials or browsing to infected websites.

Our advanced protection for web and email is designed to shield your end-users from both known and emerging cyber security threats. This is a 100% cloud-delivered service designed to protect users from zero-day malware, ransomware, spam, botnets and phishing. Instantly block access to malicious websites, quickly identify and remove inbound and outbound email threats. Sandboxing provides real-time analysis of suspicious files and links in email traffic before they reach your teams. We can also enforce web usage policies and monitor web usage across your organisation.

Managed Security Information and Event Management (SIEM)

Cyber-attacks increasingly use mutation to reduce the chances of being successfully detected. In fact, the global average time it takes for companies to identify a data breach is as a staggering 6 months.

The Cyan Managed SIEM service is a 24/7 proactive monitoring and threat detection/response platform designed to give instant visibility into unexpected security events. We monitor your entire IT estate for anomalies and suspicious network activities and can respond instantly to remediate, block, or terminate harmful threats or hackers.

This is a powerful tool that significantly reduces your exposure to the risk of a cyber breach. Real-time processing and correlation gives us a complete picture of what’s new or changed. From failed login attempts to a system-wide configuration change, a new mailbox added to Microsoft Office 365 to company files being moved to removable media (eg a USB drive) – we can analyse, categorise and respond to these events instantly.

Managed Password Security

Establishing an effective password policy is critically important. Attackers are commonly looking for easy ways to access data using valid, trusted credentials – and weak passwords are an easy attack vector. Cracking simple and even moderately complex passwords is no longer a difficult task and powerful password hacking tools are now freely available to download. On top of this, leaked credentials from data breaches yielding billions of user accounts and passwords are giving cybercriminals the upper hand. Implementing secure a password policy is absolutely essential, however, relying on your staff to remember strong or complex passwords can be a burden on productivity.

The Cyan Managed Password Security service removes this burden while ensuring that company-wide secure password policies can be set and implemented effectively. Your staff are automatically guided through the process to ensure all password security recommendations are met. If at any time they forget their password, or need to change it, they have access to a secure 24/7 service that will walk them through the process. The dictionary feature adds further protection by blocking the use of weak passwords, or passwords that have made it on to breached lists.

Managed Multi-Factor Authentication (MFA)

Managing IT risk is complex, especially with the dynamic nature of today’s business world. Users have the flexibility to work from anywhere on any device and often connect to company data and email from outside the network perimeter. Establishing strong password policies is vital but securing access to privileged information needs more than just good password management. If a hacker breaches security using stolen login credentials they will gain access to a company network undetected. They could even pose as an employee and send email, or worse, manipulate payment transactions.

Adding a second factor or layer to your authentication workflow is the most effective way to minimise this risk. MFA asks the user to verify their identity by requesting an additional step be taken during the login process. This could be a PIN code, a push notification to a mobile app, or even a phone call.

Penetration Testing

Sustained and continued adoption of new and emerging technologies has made it difficult to discover and remove all of an organisations’ vulnerabilities and successfully defend against cyber-attacks. Missing a simple software application update, or not applying firmware upgrades to key network infrastructure can leave your business and assets worryingly exposed. Without appropriate testing, there is no way of ensuring that other cyber defences provide adequate protection against cyber-attack.

Vulnerability Scanning for PCI DSS Compliance ​

66% of customers say they would be unlikely to do business with an organisation that experienced a breach where their financial and sensitive information was stolen (source: Verizon 2017 Payment Security Report). Firewalls must leave certain ports open for the operation of web, mail, FTP and other Internet-based services, leaving you vulnerable to exploitation.

The PCI-DSS standard is the result of collaboration between some of the major credit card brands and was developed to encourage and enhance cardholder data security, and to facilitate the broad adoption of consistent data security measures involved in payment card processing. To comply with PCI DSS, merchants and service providers must conduct and pass a quarterly vulnerability test (meaning one scan every 90 days, or 4 scans per year). This service provides the PCI scan certification necessary to demonstrate quarterly compliance.

Cyber Security Essentials

Any organisation with an Internet presence is at risk from automated cyber-attacks, but not all organisations have equal resources to deal with them. Cyber Essentials offers a sound foundation of cybersecurity hygiene measures that any business can implement and build upon. In fact, implementing these measures could significantly reduce your exposure to vulnerabilities.

The Cyber Essentials scheme provides five security controls, which, according to the government, could prevent around 80% of cyber-attacks. There are two levels of certification – Cyber Essentials or Cyber Essentials Plus. Each will enhance your business’s reputation by proving to customers that you take the security of their information seriously and are taking the necessary steps to reduce cyber risks. Working in partnership with a CREST-accredited certification body our team of experts will manage the entire certification process for you and oversee all assessments and vulnerability scans to ensure that the security controls you implement are effective.

Staff Awareness Training

For most businesses, employees are still the weakest security link, leaving companies exposed to risk. Over 90% of cyber-attacks start with a phishing email, and recent studies suggest that the fastest growing security threat to business is no longer malware but impersonation email attacks. To protect against this overwhelming threat, you need to develop an effective education programme to raise awareness among staff.

Cyan offer a range of user awareness courses that will demonstrate to staff why their organisation is a target for cyber criminals and how attackers will seek to target them. The short courses are delivered via an online E-learning portal and staff can study from their desk and around their existing workload. The courses use non-technical terminology, making it easier for staff to understand. Attendees will learn practical and simple tips to better protect themselves at work covering areas such as social engineering, password security and e-mail attacks. By giving staff an awareness of the cyber threat they face, it means they are more likely to detect and respond to suspicious activity, resulting in actual incidents being dealt with quicker and reducing the risk of potential damage.

IT Security Strategy: What You Need to Know

Most businesses are critically dependent on the internet. Survival means having a strong IT security strategy in place. The hacking of telecommunications giant Talk Talk in 2015 reminds us that it’s not just smaller businesses that are at risk either.

The Government has taken steps to build a national cybersecurity strategy and this acknowledges that threats can come from many different sources: foreign governments or state sponsored actors, terrorists, hackers, hacktivists concerned about a particular issue, and even insiders, people who work for a company and who have a grievance of some sort.

Protecting your business has never been more important or more challenging. Having the right tools and processes in place is key if you want to stay safe.

How to Develop an IT Security Strategy

The digital landscape has become increasingly complicated over the last couple of decades. Businesses will not only operate online through portals and third-party sites but use tools such as social media to market their services and products. On top of that, they will have key IT requirements within their office environment that need solutions. Many will use remote working and promote collaboration and better communication through cloud-based services.

All this means that there is no clearly defined, one-size-fits-all IT security strategy for modern businesses.

1. Understand What You Have

The first major step to developing the appropriate IT security strategy is defining what you are trying to protect in the first place. Yes, you may have lots of customer and employee data but what about documents relating to your business such as your plan for the future or a new product you are intending to bring onto the market?

To make sense of everything, you need to understand what each asset is and clearly define its value to your business.

2. IT Security Risk Assessment

The next part of the process is to look at the current state of your IT security in relation to these assets and whether it fulfils its purpose. A risk assessment looks at a range of different aspects of your business, including the software you have in place, who has access to data, what they do with it when they are using it, and what protocols other than digital that you have in place to ensure security.

3. Elements of Strong Cybersecurity

The Government has produced a useful infographic (download here) relating to IT security which includes 10 steps all businesses and organisations should be taking:

  1. You need to implement a risk management regime that allows you to regularly review your cybersecurity processes.
  2. You must protect your network from attacks using anti-virus software and other technological solutions.
  3. You need a process in place to educate users and build awareness through activities such as staff training and the production of easy to follow practices (such as having a definitive password policy for your business).
  4. You need to establish anti-malware practices and defences to protect your business like having the appropriate software and educating staff on threats such as phishing emails.
  5. You need to limit or control the use of removable media such as flash sticks which can hold malware.
  6. You need to update your systems when a new patch or update is available and ensure they are configured properly across your whole business.
  7. You should carefully manage user privileges particularly for parts of your network that have access to sensitive data.
  8. Your business should have a process in place for handling any breach incidents or disaster recovery and be able to test these plans. If you lose data for whatever reason, being able to get up and running again may be vital to the survival of your business.
  9. Your business also needs to have in place a system or protocol for monitoring your IT and cybersecurity, producing reports and understanding if you are at risk of attack.
  10. You need to develop a policy for home and mobile working especially if you advocate using BYOD. Your company needs to create a secure baseline for all devices and build this into its cybersecurity activity.

While many businesses will be able to implement some of these measures, it can be challenging to get them all in place. That’s why it’s important to work with an IT and cybersecurity specialist to make sure all the bases are covered.

At Cyan Solutions, we have the teams in place who will be able to help you develop a robust IT security strategy that will safeguard your business now and in the future. Contact us today to find out more.

Essential Recommendations for Business IT Security

One of the key factors that effects almost every business with a digital profile is IT security. It’s a constant challenge to get right whether you are a small start-up or a large corporation.

Unfortunately, there are organised criminal gangs in this world who are fixed on trying to do us harm. It’s something that has been with us since the birth of the internet.

The biggest question we get asked at Cyan Solutions, is what best practice can be employed to ensure better business IT security.

Here’s a list of things you can do right now to help protect your business:

1. Don’t Assume It Won’t Happen to You

This is something we find with many SMEs. They think they’re too small for hackers to worry about. It’s simply not true.

Most attacks come through automated delivery such as Phishing email. The hackers and malware developers are looking for someone, anyone whose system they can get into. Whether you are just a one-person outfit or have many staff, treat cybersecurity with the same level of seriousness as you do other aspects of your business.

According to a recent report by Verizon, 71% of cyberattacks happen to smaller companies with less than 100 staff on the payroll. That is in part because there are more of them but the clear message is to be aware and have robust cybersecurity policies in place.

2. Use a Firewall

The first line of defence against cyberattacks is an effective business-grade firewall. Think of this as a barrier that repels common attacks and prevents malicious threats getting to your network. Companies often neglect to invest in this area as they don’t understand the importance of good perimeter security. They assume a generic router does the same job, it doesn’t. You need to improve network security measures if you want to remain safe online.

And, it’s not just external firewalls that are important – if you have sections of your network that contain sensitive data, for example, you may want to protect these with additional cybersecurity measures.

3. The Challenge of BYOD

Bring Your Own Device (BYOD) has largely been accepted in the business world over the last decade after some initial reticence by employers. It can often be easier for an employee to use their own smartphone or tablet or even laptop to do their work.

The trouble is that these are not generally as secure as the hardware and software that you have for your business. Staff can download the wrong apps or visit the wrong sites that open them (and your business) to potential cyberattack.

This is something that is unlikely to change in the future. BYOD offers too many benefits. The challenge is to make sure that mobile devices are updated with the right security and that staff understand their obligations.

4. Having Comprehensive Cybersecurity Policies

This brings us to the strategy for your cybersecurity protection. All businesses, whatever their size, need to have a robust set of policies that staff can adhere to. Many smaller companies do this in an ad-hoc manner which can mean their business IT security is missing vital core components. Ensure that you document your policies and make them readily available to all members of staff – including senior managers and executive teams.

5. Password Protection

It might seem like a simple thing to include in a best practice list but passwords are a real issue for businesses. Enforcing a robust policy in this area is important and could well protect your business from cyberattack. Passwords should ideally include upper- and lower-case letters, symbols and numbers. For more sensitive areas of your business, you also want to consider multi-factor identification.

It might seem like a simple thing to include in a best practice list but passwords are a real issue for businesses. Enforcing a robust policy in this area is important and could well protect your business from cyberattack.

Passwords – when implemented correctly – are an easy and effective way to prevent unauthorised access to systems. Always change the default password that comes with a new device.
If two-factor authentication is available, make sure it is enabled and use it. A common and effective example of this involves a code sent to your smartphone which you must enter in addition to your password.

6. Educating Staff

One failing, particularly for smaller businesses, is not educating their staff on the right IT security protocols. There’s plenty of evidence to suggest that, even if a company has a password policy in place, in the majority of cases it is not enforced.

You have to bring your staff into the loop and make sure they are well educated with regards to cybersecurity risks. For example, User Awareness Training is a great way to educate staff to the dangers of email threats, such as Phishing attacks, which are not always easy to identify.

7. Regularly Update Your Devices and Software

It’s quite worrying the number of small and midsize businesses that do not make the effort to patch their systems, devices and software. Manufacturers release regular updates which not only add new features, but also fix security vulnerabilities that have been discovered. Applying these updates (a process known as patching) is one of the most important things you can do to improve security.

8. The Right Level of Protection

Finally, the fight against cyberattacks is a never-ending battle and you should have the appropriate virus and anti-malware software in place which is regularly updated. One big mistake businesses make is to assume that standard anti-virus software alone is adequate protection for their needs. How security should be tailored to better protect your organisation is something you need to discuss with your IT provider. Understanding what threats are targeting and putting additional layers of security in place to protect against them is an essential part to any cybersecurity strategy.

At Cyan Solutions, we deliver cutting edge IT services and support. If you want access to the best cybersecurity expertise for your business, tailored to your needs, contact our team today.

How Often Should You Audit Your Business Cybersecurity?

For many businesses, cybersecurity tends to sit in the background. It’s something we often seem to have a lot of confidence in without really fully understanding it. The only time we pay attention and question its suitability is when something goes wrong.

As it is one of the more important parts of running a modern company or organisation, it pays to step back and have a review of your cybersecurity processes, software and hardware on a regular basis.

According to Forbes recently, cyberattacks are only like to get smarter over the next few years and we all need to be on guard to prevent breaches.

Why You Need Regular Cyber Security Audits

The first thing to note is that you can’t say whether your business cybersecurity is performing as expected unless you carry out an audit. Most IT services will advise that this needs to be done on a regular basis, either monthly, quarterly or even just twice a year as a bear minimum.

A lot will depend on the size of your organisation or business, of course, and how many different departments you have. It’s much easier to keep track of a company that has ten employees than one which has thousands. Another factor is the amount of confidential data you handle and the sector you operate in.

What is a Cybersecurity Audit?

A regular audit is something that can be carried out fairly easily and, in some cases, remotely. It’s a service that many outsourced IT support companies provide nowadays. If there has been an incident or issue with your IT infrastructure, however, it pays to have a more in-depth audit that considers a wider range of parameters.

This kind of audit tends to use more advanced technology and will not only look at the software installed but the practices that you employ in your business.

You may have had a security breach or data loss, for example. It’s important to discover how this occurred and what processes you need to put in place to improve security. Or you may have updated or put in a new system, in which case, you’ll want to ensure your cybersecurity is working well with it.

There can be plenty of other reasons to carry out a more intensive audit. For example, if the compliance laws change for your business (as happened for many companies with the new GDPR). Perhaps you’ve merged with another business and want to ensure IT services across the board are uniform.

Outsourcing Your Business Cybersecurity Audit

It’s important to work with a partner that is able to deliver the kind of audit you are looking for. There are off-the-shelf auditing packages available but these may not be entirely suitable, especially if your company has specific cybersecurity needs.

Outsourcing your business cybersecurity audit to a third party is the most popular route and has a number of advantages, not least that you have access to the appropriate level of expertise. It’s not easy to find suitable companies that have a track record of delivering security testing within a range of organisations.

You should be looking for one that has a deep knowledge of operating platforms and understands how your business security fits into these and other IT deliverables. The other thing you will want is an IT audit service that will give you clear reports which you can then act on. Good communication is key.

While you may be able to undertake at least some of this internally, for a deeper audit most companies will lack the appropriately qualified staff. Even using the latest auditing software, it can be difficult to decipher the results and come up with appropriate recommendations if you do not have expertise in this area.

A competent audit team will be able to:

  • Interpret the data from your audit and understand how to action any changes to your systems.
  • Prioritise which are the most important factors and what steps you need to follow to improve your business cybersecurity.
  • Understand if information is missing and what other software and scans need to be applied to provide a full picture of your current cybersecurity.
  • Set benchmarks so that you have a baseline for future audits and a clear understanding of what you need to achieve.

At Cyan Solutions, we work with a wide range of businesses across different sectors. We understand that each company has its own set of requirements when it comes to fulfilling strong cybersecurity. Our team works closely with all stakeholders to ensure that we deliver a robust audit that keeps your business safe.

Contact us today to find out more.

Managing Cybersecurity Solutions for SMEs

Small and medium size businesses have particular challenges when it comes to cybersecurity solutions. Size doesn’t always equate to vulnerability but the fact that SMEs have lower budgets can be a major issue when it comes to protection.

Making the right choices when managing your cybersecurity needs, therefore, is important and the most recent statistic back this up.

In a 2018 survey by Ipsos Mori, two out of five small businesses identified a cybersecurity breach in the previous year. In 17% of these cases, the breach prevented the company from operating properly for at least a day. The more troubling statistic, however, is that only 58% of small businesses are likely to have sought out information or advice about cybersecurity.

Cybersecurity and GDPR

One major change your small business needs to understand is the General Data Protection Regulation. This was brought in last year and basically means that any business that holds data (which means the majority of companies or organisations) has a duty of care to protect it. That includes having the appropriate cybersecurity solutions in place, including what to do if there is a breach.

The problem is that hackers and malware developers generally unleash their nefarious activities indiscriminately and smaller, less protected businesses are a target. It’s not unusual for a hacker to specifically target a certain corporation or larger organisation but it’s rarer than the millions of attack attempts that take place on small and medium size businesses as a whole around the world.

How to Manage Your Cybersecurity Solutions

A data breach or cyberattack can happen to any business and the consequences is not just loss of customer information but damage to reputation. It can take a long time to recover. That’s why your business needs to have certain building blocks in place to help combat any potential online attack.

Here are the vital components that you need to have for your business to mitigate the risk of cyber-attack.

  • Patch management: While they might be slightly annoying on older devices, patches are there to make sure your operating system is up to date and properly protected. You’d be amazed at the number of businesses that turn automatic updating off and leave their systems open to hacking and virus attacks.
  • Regular back-ups: Another mistake that SMEs make is not backing up their data regularly. This is relatively easy to do nowadays and there’s really no excuse for not doing it. If your system crashes or your data is stolen or infected with malware, back-up allows you to recover everything and get back up and running.
  • Data encryption: This should be standard for any business, whatever it’s size. It ensures that any information in transit is kept protected, particularly when it comes to financial data.
  • Firewalls, anti-malware and anti-phishing tools: The tools that we use for our home computers are not necessarily the same that we should be using for a business that has a lot of data. Working with your IT supplier is vital to ensure that you have the appropriate software to suit your industry.
  • Mobile device management: With so many of us using our own smartphones and tablets nowadays, your business needs to understand the risks that this involves. You should have a clear, set policy for staff who use BYOD and regularly make checks to ensure this is being complied with.
  • Two factor authentication: This is where an additional authentication such as an SMS text is used above and beyond the standard password to ensure the identity of the individual looking to gain access to your data. It’s now the industry standard when it comes to logging in to accounts.
  • Secure collaboration tools: Many SMEs make use of a range of collaborative tools including Office 365, Google Docs, Dropbox and the like. Mitigating the risks of using these tools is vital in maintaining the security of your company.
  • Incident response: How you respond to an incident such as a data breach is almost as important as having the processes in place to prevent it happening. Especially since the introduction of GDPR, small businesses have a duty of a care and obligation to have the appropriate steps in place.

How to Review Your Cybersecurity Solutions

It can be pretty easy to pay less attention than you should to your IT and cybersecurity. As a small business, you probably have a lot more to worry about. Failure to spot issues or make sure your security is up to date can, however, have catastrophic consequences.

If you would like to review your current cybersecurity practices, contact the team at Cyan Solutions today to see how we can help.

Top 5 Ways To Avoid Phishing Emails

Five top ways to prevent phishing attacks

Cyber attacks are on the increase, and it is vital to protect yourself and your business against the rising security threats. For most companies, the employees are the weakest security link, leaving the company open to potential attacks and breaches. Over 90% of cyber attacks start with a phishing email, and recent studies suggest that the fastest growing security threat to businesses is no longer malware but impersonation email attacks.

The reason employees are often the weakest link in your security is due to human error, and cyber attackers have learnt it is easier to trick someone into revealing secure information such as logins and passwords, rather than trying to exploit a secure system. The number of impersonation email attacks sent has increased by 50% quarter-over-quarter compared with malware and harmful files being sent rising by 15%. This means your business is seven times more likely to be subject to an impersonation email attack than a malware attack.

The figures are staggering, and even still there are thousands of companies out there who are not doing everything they can to protect themselves against phishing emails. The most common type of phishing emails is spear phishing; a highly targeted scam email that is sent to a business or individual. If the cybercriminal does enough research into an individual or business, spear phishing can be very effective, and research has shown that 97% of individuals can be tricked by a spear phishing email attack. Here are some of the top 5 ways to avoid phishing emails and protect your business.

Invest In Your Systems

One of the best ways to protect your business from phishing emails is to prevent them from getting through to your employees in the first place. There are many technological approaches to avoid phishing attacks, such as powerful filters and protection systems. Implementing a smart security system can help to identify phishing emails and block them from being received by your employees.

This is a great place to start when it comes to avoiding phishing emails, but even the best technology can’t detect every single phishing email. There will always be some that slip through the filters, so it is vital to have other precautions in place as well.

Educate Your Employees

As personnel are often the biggest downfall for a company’s security, it is essential that they are provided with appropriate training and knowledge to protect themselves against phishing emails. While many phishing emails are poorly written and easy to detect, there are often highly sophisticated attacks that are much more difficult to spot.

To properly protect your business against phishing emails you should develop an effective security education programme to raise awareness among staff of the growing cyber threats.

Go Phishing

One very effective method to identify the weak links in your security and determine where further training is required is to send phishing emails to your employees. Craft an email based on the kind of ones that your employees do receive and then measure for these main four metrics: clicking on the link, opening attachments, reporting the email and response time.

After the ‘attack’, discuss the results of the tests with your employees; it is usually best to keep results anonymous or break them down by department or team to avoid employees feeling like they are being individually called out. Your goal with this exercise should be to raise awareness and educate your employees, not to embarrass them.

Develop A Strict Protocol

Ensure you have a strict and well thought out protocol in place for phishing attacks. Encourage all employees to report all attacks or potential attacks immediately so that they can be dealt with effectively and quickly.

Make it clear that every employee can ask for help if they think they might have been a victim of a phishing email attack and be sure never to punish staff if they do get caught out; it will only discourage your employees from reporting the attacks in future. Once an attack has been reported, take steps to scan the affected devices for malware and change all passwords as soon as possible.

Review Your Digital Footprint

Cybercriminals will use information that is publicly available about your business and employees to make phishing emails more convincing. This information can be found on your website and social media accounts and is known as your digital footprint. Carefully consider what information is necessary for your website visitors and what could be used by potential attackers.

It is also vital to offer support and training to your employees on how to best manage their digital footprint; you should not expect them to remove themselves from the internet entirely but help them understand what information isn’t necessary to share.

Increase your phishing protection with Cyan Solutions

At Cyan Solutions we can develop robust IT security to reduce the risk and prevent cyber attacks. If you would like friendly advice on how to increase your IT security, talk to our experts now.

Key Technology Trends Impacting the Energy Sector

The energy sector has been evolving rapidly in recent years thanks to new and upcoming technologies. 2018 is looking to be a milestone year for the energy industry, with the introduction of many new technology trends that are set to be revolutionary in the sector.

The rise of digital has affected many businesses over the years, and the electricity industry is no exception. With everything from artificial intelligence through to increased technological demands in the home, there are a number of technology trends set to impact the energy sector over the coming months and years.

Growing Cybercrime Threat

Cyber-attacks are increasing in every industry across the globe, and the energy sector is no different. Earlier this year the United States Department of Energy announced it was planning on setting up its own Office of Cybersecurity, Energy Security and Emergency Response to tackle the upcoming security challenges. There is also evidence that hackers have been targeting the energy and nuclear facilities for the last couple of years.

Cybersecurity concerns are one of the most pressing issues within the energy sector, and as companies introduce more complex technology systems, the risk and potential for an attack are increased. Many utilities are upgrading systems to provide a higher level of grid intelligence and better communication with customers devices, opening themselves up to more potential security threats.

The Rise in Artificial Intelligence

Artificial Intelligence (AI) has evolved rapidly in recent years and provided the energy sector with a variety of new capabilities such as machine learning, cognitive analytics, deep learning and robotics process automation. These advances in technology have led to powerful systems that can automate increasingly complex workloads and develop cognitive agents that can simulate human thinking and engagement.

AI can be used in the energy sector to streamline, automate and eliminate processes within customer interactions, taking customer experience to the next level. As well as customer service benefits, AI can also be an excellent tool for customer engagement by giving companies the ability to compute a customer’s smart metre data to develop invaluable insights into their consumption habits.

Blockchain

Blockchain has been on the cards for quite some time and is slowly growing in popularity across a variety of industries. While it is currently limited within the energy sector, the potential of this technology should definitely not be ruled out, in fact, it may end up being invaluable in the industry in coming years.

Blockchain offers a permanent and transparent solution that is entirely digital making it really easy to work with. Within the energy sector, blockchain could potentially be used for easily recording transactions and contacts in a transparent and searchable form. The energy sector involves a considerable amount of customer paperwork and blockchain could provide some significant operational benefits such as easily locating records, detecting fraud and clarifying bill disputes.

3D Printing and Smart Materials

In recent years there have been significant steps forward in 3D printing, particularly with print metals becoming significantly cheaper. This will likely be used widely in the energy sector for the creation and maintaining of equipment and systems.

An increased use of smart materials would also have a significant impact on the energy market, and the use of materials that can self-heal could potentially change the industry altogether.

Digital Transformation in Homes

It is no surprise that there is an increased demand for energy in homes across the world. With technology coming on in leaps and bounds in recent years, the amount of electricity being consumed today is very different from that of a few years ago. The introduction of smart technologies such as smart lightbulbs and smart metres has transformed the way consumers use their energy within their homes, and this is only set to become more complex and readily available in the coming years.

The uptake of smart energy products by consumers has been relatively minimal so far, and according to recent research, 72% of people are unlikely to introduce any form of smart home technology in the next five years. However, the individuals who already make use of smart devices have noticed a significant impact on the day to day running of their homes. Many believe the uptake has been slow as consumers are still sceptical of smart energy products, but the market is expected to accelerate rapidly once the popularity of the technology increases.

The energy sector is set for a rapid transformation for the rest of 2018 and the following years, and those within the industry should be preparing themselves or the upcoming changes and opportunities that these technology trends are sure to bring. Not embracing these new technologies will leave your business at risk of being left behind the curve. At Cyan we have experience of providing transformational technology infrastructures for growing businesses the energy sector. Talk to us today to see how we can help your business.