Have You Considered These Risks to Your Business?

The dangers of cyber risks and threats to a business aren’t at the top of the agenda for many small and medium sized companies, but they should be. In recent years, the increase in high-profile data breaches has increased dramatically, and affected millions of people globally.

And because of the increasing commonality of these threats, society is becoming somewhat desensitised to the alarming numbers of risks that affect thousands of large-scale corporations that hold masses of personal information.

It’s often reported that big businesses are hit all the time. For example, Facebook, Tesco Bank, Talk Talk, Travelex and Three Mobile are recent prime examples. It can be forgiven to think that start-ups and small businesses are less of a target, but the reality is that no business, big or small, is 100% safe in the current climate. In fact, International Data Corporation (IDC) recently revealed that approximately 71% of data breaches are now targeted at small businesses.

What is a Risk and what is a Threat?

Before you strategically plan how to prevent your business from being affected by cyber-attacks, it’s essential to understand the difference between a risk and a threat.

Risks are business issues with technical aspects that impact, and is impacted by, all areas of the organisation. The risk element is the potential for uncontrolled loss of something of value, so in the case of data, this would include sensitive information or programs, for example.

A threat can be both unintentional and intentional, targeted or non-targeted attack. A threat can come from a variety of sources, including foreign nations engaged in espionage and information warfare, criminals, hackers, scammers and even disgruntled employees and contractors working within an organisation.

In a nutshell, a risk means the potential for loss, damage or destruction of an asset due to a threat exploiting a vulnerability. While on the other hand, a threat is what we’re trying to protect against. This can be in the form of vulnerability, weaknesses or gaps in a security program that can be exploited by threats to gain unauthorised access to an asset.

In most cases, small and medium sized businesses will deploy several technical defences such as Firewalls and Anti-virus software to protect their organisation from such threats. While these technical defences help protect the business, additional steps do need to be taken.

These additional steps are often forgotten about or not considered as they aren’t seen as technologically positioned, but they are a critical starting point for reducing the overall risk to the organisation. These additional steps include:

Leadership

In all organisations, information security needs to be driven from the top down. Most information security initiatives will fail without the support and sponsorship from the Board. The information security strategy needs to align with the business strategy and objectives to ensure the business is doing all it can to prevent serious attacks.

Behaviours and Culture

Information security isn’t just about technology, people also play a critical role. Everyone in the organisations plays an active role in information security and should be tooled with the knowledge on what to do and what not to when faced with a cyber risk or threat.

Asset Management

The organisation should maintain an up to date asset register of hardware and software in use within the business. Each asset should be assigned an owner and a level of criticality. As the saying goes, “you can’t protect what you don’t know you have”.

How can I mitigate these Risks and Threats?

Leadership

Leaders of any organisation, big or small, must have support from the Board or whoever is the ultimate decision-maker and change-enforcer of the business. First and foremost, it can be beneficial to become Cyber Essentials accredited. Cyber Essentials helps guard you against the most common cyber threats and demonstrate your commitment to cybersecurity.

A business must align the information security strategy with the business strategy and objectives, ensuring that this is communicated with all employees. To get started and equip you with the tools, the National Cyber Security Centre (NCSC) offers a comprehensive toolkit designed to encourage essential cybersecurity discussions between the Board and their technical experts. They also provide a free service called ‘Exercise in a Box’ which can help determine how resilient a business is to a cyber-attack.

Behaviours and Culture

The practical implementation of a measurable security awareness program can be incredibly beneficial in mitigating cyber risks and threats within a business. A security awareness program should include security news on the latest threats, information posters and regular employee training to enable your employees to detect threats within the business. What’s pivotal to employee security awareness is that they everyone within the business, no matter job role, should be trained on who to report any security threats and suspicious behaviour to.

Asset Management

Asset management is vitally important. Every piece of hardware and software that’s used within your business must be accounted for. If not already in place, the first thing to do is to create an asset register of all hardware and software within the business. Use the register to prioritise the implementation of security controls, starting with the most critical assets first.

How can CYAN help your business?

When it comes to the cyber safety of your business, it’s our number one priority. When you choose Cyan, we follow steps to ensure your business is safe against the ever-growing cyber risks and threats. Here’s how:

  • We start by understanding your business
  • We assess the security maturity of your people, processes and technology
  • We identify risks and provide recommendations
  • We can create and implement a security strategy to reduce risk within your organisation
  • We can provide and manage the latest technology to secure your company assets
  • We can provide the platform and expertise to deliver a security-aware business

For more information on how we can help secure your assets and data, get in touch.

Cyan Approved to Join NCSC Cyber Information Security Partnership (CiSP)

Cyber threats are at an all-time high, and as cybercriminals become increasingly sophisticated and threats continue to rise, organisations across the globe are becoming more and more susceptible to very serious potential cyber-attacks.

In recent years, a multitude of new and evolving cybersecurity threats have put businesses in varying industries on high alert. Increasingly complex cyber attacks involving malware, phishing, machine learning, artificial intelligence and cryptocurrency have placed the data and assets of many businesses at risk.

New Membership with CiSP

Because the safety of your information is at the forefront of everything we do, we are delighted to announce that we have been approved to join the National Cyber Security Centre (NCSC) Cyber Security Information Partnership (CiSP).

A cyber threat does not become a managed organisational risk until it is fully understood, and at Cyan, you can be guaranteed that we understand the significance of cyber risks and how to prevent them from creating a catastrophic outcome. Good situational awareness is key to managing cyber risks, and as an approved member of CiSP, we will have the full backing and regulated support to be able to ensure cyber threats to the businesses we support are significantly reduced.

In order for Cyan to have become a recognised member of CiSP, we have gone through a process of being vetted, and sponsored, which has led to us being successfully approved. Our sponsors is the highly regarded and skilled UK South East Regional Organised Crime Unit.

What Are the Benefits of CiSP To Your Business?

In recent years, there have been a number of notable attacks on both large and small-scale organisations, with some high-profile cases taking the limelight. A particular spate of cyber-attacks had detrimental effects on the political frontier, and more importantly, the government.

This particular incident was the 2017 attack on Managed IT Service Providers (MSP’s) that was conducted through popular platforms such as Gmail and Twitter (to name but a few) on which sensitive and confidential information was leaked. Following on from this targeted attack, the NCSC, which is part of the Government Communications Headquarters (GCHQ), recommended the following crucial advice to organisations who outsource their IT:

“Organisations who outsource IT infrastructure are recommended to have an open dialogue with their provider and to understand what model they use to manage your services. If their model is unsatisfactory, the organisation should demand that they change it immediately.”

The NCSC recommends that MSP’s who are unwilling to work closely with customers, or are reluctant to share information, should be treated with extreme caution. They also advise that having an independent audit of your MSP is critical for security management – “an organisation that neglects such monitoring is unlikely to ever be able to effectively manage the risk.”

This reinforces the importance of being a member of CiSP. We will get early warnings of cyber threats, such as the above, meaning we can manage and prevent an entire host of potential cyber threats from actually happening to the businesses we work with.

How Will Cyan Help My Business Benefit from CiSP?

As briefly touched upon above, there is a massive benefit to you in that Cyan will always be alerted of potential cyber threats, meaning that we can act fast and take preventative measures. Some other key benefits as detailed by CiSP are:

  1. Engagement with industry and government counterparts in a secure environment
  2. Early warning of cyber threats
  3. Ability to learn from experiences, mistakes, successes of other users and seek advice
  4. An improved ability to protect your company network
  5. Access to free network monitoring reports tailored to your organisations’ requirements

From the above list provided by CiSP, point 4 refers to Cert-UK Network Reporting Service (CNR). To be described in a nutshell, CNR is a free but intellectual service that can scan for any signs of potential network abuse events (such as cyber threats or potential attacks) and vulnerable network services. These searches are conducted on an organisation’s Internet-facing services so that all possible threats can be picked up and dealt with effectively. As we’re now a member of CiSP, we are able to offer this excellent and comprehensive network protection service to all of our valued existing and future clients.

Here to Serve You

By providing enterprise-class IT solutions and exceptional support to businesses, our professional team of IT specialists, consultants and advisors are passionate about cybercrime and ensuring that your business doesn’t face what many others have to.

We work closely in partnership with businesses like yours to deliver tailored technology solutions, provide expert advice, and above all, offer comprehensive IT support. The fact that we are now members of CiSP adds another string to our bow and will help us to serve your business with the utmost professionalism and industry understanding. To find out more about the services we offer or if you’d like to know more about our new membership with CiSP and what this means for your business, please get in touch.

What Is Cyber Insurance and Does My Business Need It?

Cyber-attacks are not a new phenomenon, but they are, unfortunately, on the rise. A cyber-attack on your business can be utterly detrimental, leaving computers and computer networks exposed, disabled, and even destroyed.

Due to the rise in cyber-attacks, cyber insurance (also referred to as cyber risk or cyber liability insurance) has become a hot topic in recent years, and it makes sense as it’s always better to prevent a cyber disaster than deal with the consequences. Cyber insurance pretty much does what it says on the tin; it’s a type of insurance for businesses that’s put in place for digital threats. With so many cyber threats affecting businesses, no wonder it has become a highly popular service for SMEs and businesses, large and small around the globe.

Should My Business Have Cyber Insurance?

In a nutshell, yes. Your business more than likely should have cyber insurance in place. However, it’s important to understand what it does and doesn’t cover.

What are the Benefits of Cyber Insurance?

As technology continues to become increasingly important for a business to operate successfully, the value and need of a robust cyber-insurance policy will continue to rise. No matter the size of your business, its location or industry, the technological nature of the modern-day world exposes vulnerable businesses to cyber-threats every single day.

A cyber-attack will not only threaten your finances and disrupt your operations, but it can also tarnish the reputation of your business. In order to protect your business from the devastating effects of a cyber-attack, it’s essential that you protect yourself with a strong cyber-insurance policy that covers all grounds.

10 of the most significant benefits of taking out cyber insurance are, but not limited to:

  1. Forensic support – When you have cyber insurance in place, forensic support provides your business with near-immediate around the clock support from cyber specialists following a data breach or hack. They will be able to confirm the impact of the breach and establish solutions.
  2. Consultancy fees – Your insurer may reimburse any costs of a consultant that has helped manage a response or solution to the incident.
  3. Interruption of business – If your business experiences an IT failure or cyber-attack that disrupts the operations of the business, your insurer may cover your loss of income during the interruption. In addition, increased costs to your business operations in the aftermath of a cyber-attack may also be covered.
  4. Privacy breach costs – A breach costs clause is a single clause that provides cover for security breach costs, such as notifying customers or recovering files.
  5. Privacy liability clause – A privacy liability clause provides cover for privacy infringement claims plus any legal costs in the event of a cyber breach. This is critical for all businesses that handle or store personal information in line with GDPR.
  6. Cyber extortion – A policy may cover your business if it’s infected by ransomware or other malicious software that attempts to seize control of or withhold access to operational or personal data until a ransom or fee is paid.
  7. Digital asset replacement expenses – In the event that your business’ digital assets are corrupted, lost, or altered in any way by a cyber-criminal, your policy may cover the costs incurred.
  8. Reputational damage – Your policy may recover lost profits directly attributable to cyber-attacks. Particularly those that have been detrimental to the reputation of the business and/or any of its employees.
  9. Management liability – Your policy may cover costs associated with defending senior management from cyber-attack fallout.
  10. Restoring data – After a massive security breach, your insurer can help to cover costs for restoring vital business data.

While there are many benefits to having cyber insurance in place, it’s equally important to understand what’s not included. For instance, if you’re using outdated or unsupported software or systems, many cyber insurance policies will not cover you.

Examples of this are using end of life operating systems such as Windows 7 or end of life equipment such as a Firewall that is no longer receiving firmware or security updates. However, when you do choose to take out cyber insurance, speak with the insurer about the terms and conditions and what potential breaches could affect your policy.

How Much Should I Expect to Pay for Cyber Insurance?

First and foremost, when it comes to buying the right cyber insurance for your business, what’s important to understand is what your business’ assets are worth. An example of an asset could be a laptop, workstation, server or database, and, more importantly, the information or data that it contains.

In most cases, a robust cyber insurance policy will cost in the region of £1000 per year. It’s also important to invest in training employees to recognise and react at the first signs of cyber compromise. Often, cyber insurance can create a false sense of security, so splitting your budget between a robust cyber security policy and trained and knowledgeable staff can strike the perfect balance.

Something to remember is that once you’ve taken out an insurance policy, you shouldn’t just leave it and get on with things. Your cyber insurance policy should be reviewed regularly and updated based on the continually evolving needs and current cyber-threat dangers directly related to your business. Above all, invest your budget wisely with a certain per cent in preventive controls with the leftover percentage invested in insurance.

What Level of Cover Do I Need?

The insurance policy requirements of every single business will differ based on a number of factors. But a good starting point would be to speak with different insurers to see what they can offer you. Things to consider include, but are not limited to:

  • The amount of sensitive information stored
  • Where sensitive or confidential information is stored
  • What measures would need to be taken if your business experienced a data breach
  • What the costs would be to replace the damaged software/hardware
  • Does your business have trained employees to mitigate the damage?
  • Does your business require the assistance of external security specialists?
  • Does your business have PR staff to deal with crisis management if a data breach occurred?

Answering the above questions and gathering as much information about your business as possible will help you get an idea of how much insurance coverage your business may require.

How to Pick the Right Insurance Provider?

It’s essential to shop around and speak to different providers, understanding what each can offer your business in times of crises. Word of mouth is the strongest form of marketing, so it may also be beneficial to speak with other industry professionals for recommendations.

At Cyan, we’ve got a great track record of helping small and medium-size businesses put the right cyber security measures in place. We can work with you to develop a strong cyber security policy document that will act as a protective umbrella for your business. We can also help audit and review any policy that you may already have in place to ensure that it is fit for purpose. Contact our expert team today to find out more.

What Is Ransomware and How Should I Protect My Business?

With more and more business transactions taking place online, it’s vital that you have the correct and preventative measures in place to protect your business from cyber-attacks. One form of cyber-attack that has been on the rise in recent year is ransomware. But what exactly is it?

Ransomware is malware that demands some form of payment from an individual or business in order to recover control of their computer or data. Most commonly, when it comes to personal attacks, the attacker will encrypt personal files on the victim’s computer in a way that means they cannot be opened unless the victim has access to the decryption key. Thus, access to the decryption key is what the attacker wants the victim to pay for. In other cases, such as in a business setting, the attacker may threaten to publicise or leak sensitive information that could be detrimental to business.

A Spike in Ransomware

Based on data from a report by California-based cybersecurity firm, SonicWall, findings revealed that in the first 6 months of 2019, ransomware was on the up. Here are some key findings:

  • Ransomware volume was up 15% globally
  • Encrypted threats spiked 76%
  • IoT malware attacks were up 55%
  • Malware attacks across non-standard ports dipped 13%
  • With bitcoin value spiking, crypto-jacking volumes were up 9%

What’s more worrying is that the firm reported; “The UK has been the biggest target for ransomware attacks for the first half of 2019 with the number rising 195%, as compared to the 59% reduction in attacks of the same kind in 2018, it has been claimed.”

They went on to say that “Almost half of all infected businesses in the UK now opt for paying the ransom.” This is the main reason that ransomware has spiked. In addition, with more businesses taking out cyber insurance, there is a higher chance that a business will just fall back on their cyber insurance policy and let their insurance provider pay-out, making ransomware a lucrative business for attackers.

High-Profile Attack

In recent cases of ransomware, Travelex is among one of the more high-profile cases. On New Year’s Eve 2019, hackers launched their attack on the Travelex network. As a result, the company took action by taking down its websites across 30 countries to, in their words, contain “the virus and protect data”. The way in which Travelex handled this attack really highlights the importance and need for a good business continuity plan (BCP) should the worst happen.

But despite ransomware being a lucrative venture for hackers, it’s not just large companies like Travelex that are being hit. In relation to this, Simon Bond, CEO of Cyan, says; “Unfortunately, it has become more common for cyber criminals to develop and use sophisticated tools to target the vulnerabilities of smaller businesses.”

“These vulnerabilities are caused due a range of system issues such as technical glitches, unpatched software, or by hardware that hasn’t been configured properly. However, the most common of the vulnerabilities tend to involve employees who use weak or compromised passwords, or inadvertently click on something that opens the business up to an array of issues.”

Glyn Cheesman, IT Security Manager at Cyan, believes many cyber criminals know that SME leaders may not truly understand the impact and importance of cyber security. He goes on to say, “We live in an age where cyberattacks continue to evolve, and of course there is a threat to businesses of all sizes, but it’s particularly more challenging for small to mid-size businesses. It’s therefore critical for companies to understand the risks and work on developing strong risk-mitigation strategies to lessen the devastating impact of cyber threats and attacks.”

How Do I Protect My Business?

The best thing you can do to protect your business and colleagues is to cyber insure your business. Insuring against cybercrime and data risks means you’re protected against new and existing threats, but with cyber insurance, your business will you will also receive help with the practicalities of getting experts to restore systems, recreate data and deal with any demands being made where data is stolen.

Additionally, you can carry out some good business practice to prevent cyber-attacks, which include but are not limited to:

  • Ensuring access control is in place. Restricting user access can limit the extent of the encryption to just the data owned by the affected user. Often, employees can have access to data that’s not relevant to their role. Therefore, it’s crucial to re-evaluate the permissions placed on shared network drives regularly in order to prevent the spreading of ransomware. System administrators with high levels of access should always strive to avoid using their admin accounts for email and web browsing.
  • Backing up your data. Organisations should ensure that they have thoroughly tested backup solutions in place whether controlled in house or externally. But remember that backed up files should not be accessible by machines that are at risk of encountering ransomware. Remember that backups should not be the only protection you have in place against ransomware; the implementation of adequate security practices will mean not getting ransomware in the first place.

To Pay or Not to Pay: What to Do If You Are Held to Ransom?

The general advice is not to pay if you or your business are held to ransom. However, it is likely that in some cases, insurers will pay out on your behalf depending on the specific circumstances. The reason businesses are advised not to pay out is because there is no guarantee that the attacker will provide the decryption key and/or not sell or publish any company sensitive information.

Almost half of all infected businesses in the UK now opt for paying the ransom, but if you do find yourself in that situation, immediately report the incident to your IT helpdesk. In addition, report the attack to the authorities and your cyber insurance policy provider.

Top Tips to Protect Your Business Against Ransomware

It may not happen, but it’s always better to have preventative measures in place should your business encounter ransomware. There are a few ways to do this, including:

  • Implement an incident response plan to help identify, respond and recover from an attack. This will include the steps you plan to take should your business encounter an attack.
  • Ensuring there are strong technical and administrative controls in place with security control frameworks.
    • A secure and robust Internet connection
    • Secure/password-protected devices and software
    • Robust access control measures in place
    • Updated virus protection software
    • Keep your devices and software up to date

For further advice and to discuss implementing robust and secure security measures, get in touch.

What is Cyber Essentials and Why is it Great For Your Business?

The vast majority of cyber attacks can be classified into a few different types that businesses can protect themselves against.

Understanding what your cyber security risks are and how to mitigate them is not just something you should be worried about because of the potential damage to your systems. You have a legal duty of care to protect data pertaining to the customers you provide products or services for.

Small and medium-size businesses on strict budgets are just as much at risk as larger organisations when it comes to cyber crime. Initiatives such as Cyber Essentials are integral in ensuring that these companies are able to put in place real solutions that help reduce the risk of a security breach.

What is Cyber Essentials?

Cyber Essentials is a UK government-backed initiative that has been in place since 2014. The scheme outlines the basic steps your business can take to mitigate up to 80% of the risks that it might face from external and internal malicious influences.

It’s a recognised scheme that has been designed specifically with small and medium-size businesses in mind and is a relatively low-cost IT security framework that any company can employ.

The Benefits of Cyber Essentials

It’s not just businesses that are concerned about cyber security. Consumers are worried too and they are more likely to choose a business that can demonstrate it’s taken precautions to protect data rather than one which hasn’t. Cyber Essentials certification gives you an easy way to show what your business is doing to keep your customers’ data safe.

If you are a B2B organisation, in particular, one seeking to bid for government projects, Cyber Essentials certification is the evidence that proves you are serious about mitigating cyber security risks in your company.

5 Ways to Improve Your Cyber Security through Cyber Essentials

The five main ways to improve your cyber security means having these important controls in place:

1. Secure your Internet connection

You should protect your Internet connection with a firewall to create a secure buffer between your company network and devices and external networks and the Internet. This allows you to have more control over remote access to internal systems and data, as well as outbound access to the Internet.

Most businesses will have a boundary firewall on their router and a personal firewall on devices, but few understand how they work or how to configure them to better protect data and software. The Cyber Essentials scheme is designed to give businesses more control and greater knowledge in this area.

2. Secure your devices and software

Most new devices will come bundled with pre-installed software applications, have auto-run features enabled, or even have a manufacturer default password. All of which give hackers an opportunity to exploit common settings.

By removing any unnecessary software applications, disabling unused features and changing default passwords to something secure you will make the device far more secure. Where applicable, using two-factor authentication will increase security further.

3. Control access to your data and services

Another important part of security is understanding what data and sensitive information relates to your business and who has access to it. To minimise the damage if a user account were to be misused or stolen, staff should only be given permissions to access the data they need to do their job. This goes for senior managers and directors too, as giving full access rights to this type of account will make them a prime target and will cause the most damage if they are breached.

4. Protect from viruses and other malware

Malware can come in many forms and you need to make sure that your computers and devices are protected by suitable anti-virus software.

Infection can come from Internet worms and viruses, hacked websites, ransomware, botnets and spyware and each of these present their own challenges. Modern day malware attacks are designed to deceive computer users and bypass common methods of protection. Often, a multi-layered approach to securing your systems is more effective. Cyber Essentials will help you to choose the appropriate protection for your business.

5. Keep your devices and software up to date

It’s surprising the number of businesses that don’t download updates and patches for operating systems when they are available. This often happens when older systems are being used in the company.

These software updates are vital in combating cyber-attacks and businesses need to ensure that systems download and install at the earliest opportunity. The easiest way to do this in most cases is to initiate automatic downloads.

If a manufacturer no longer supports hardware or software, new updates are not available. In this case you should consider replacing the hardware.

What Should You Do Next?

Once you have taken the time to investigate your security needs and have put these five basic controls in place, you will put your organisation on the path to better cyber security. Cyber Essentials Certification should be your next target, but you can work towards that goal at a pace which suits you.

Improving your online security by obtaining Cyber Essentials certification won’t guarantee you will never be the victim of an attack but it should help mitigate about 80% of the risks at a relatively low cost to your business.

Cyan Solutions can guide you through the process and work with you to deliver a more secure future for your company or organisation. Contact our expert team today to find out more.

The Cyber Security Basics You Should be Covering Now

Achieving full protection when it comes to cyber security risks can seem daunting for even the smallest of businesses. Even if you can’t access the huge budgets that big corporations have at their disposal, there are some basic solutions you can put in place to protect your business.

5 Cyber Security Basics You Can Implement Relatively Cheaply

Even if you are a small or medium-size business with a very limited budget, there are a number of solutions which need to be implemented with relative immediacy.

1. Understand What Assets Are At Risk

We use a wide range of devices to access software and the internet nowadays. You might use a desktop in the office, a laptop at a local café or a smartphone or tablet while on the move. Software and data is no longer placed on a protected server within the organisation but can be accessed from anywhere in the world via the cloud.

Our assets when it comes to cyber security are more wide-ranging and, in some cases, can seem quite nebulous, than ever before. They are all, however, vital to daily operations and need to be protected. It’s important to know what you use and how it might affect your online security.

That means carrying out a regular inventory:

  • What hardware such as desktops, laptops and smartphones do you have?
  • If you use remote workers to support your business, how are you connecting to them and protecting data?
  • What remote or local servers are you using?
  • What cloud services are you and your staff employing?
  • What virtual machines are you using? What software?

This inventory gives you the basis for understanding your cyber security risks and needs. For example, you may allow BYOD in your business which can present specific challenges when you incorporate your software and data sharing onto someone’s private device.

2. Fill in the Gaps

Once you do an inventory, the likelihood is that you will spot areas where your security isn’t covering your business as you might like. This can happen for a variety of different reasons:

  • You may not have implemented a cyber security solution in the first place.
  • There might have been a solution, but it was turned off by someone using the software.
  • You might already have been the victim of a malware attack that turned the security measure off.

Once you know where the problems lie, you have the chance to put things right and repair your system so that it works more effectively.

The more assets that you use in your business, the more complicated it can be to address all the issues, especially if you are short of time. That may mean outsourcing your IT to a third party who can ensure the gaps are plugged, allowing you and your teams to focus on the business. The key here is that plugging the gaps in your security should be a priority.

3. Auditing Permissions

Who has access to the vital parts of your business? Most companies will limit permissions depending on what job someone does and their position within the organisational structure. These are often not monitored closely enough which means that the potential for a cyber security breach increases. For instance, if someone gives another person their password to access important information, it is putting your business at risk.

It’s also important to check things like user passwords and how these are managed:

  • Are they robust and are they changed at regular intervals?
  • Do some people have access to more areas in your business than they really need?
  • Are there old accounts still operational even though staff have left the business?

Checking permissions on a regular basis is important and will ensure that everyone has the right access and security is kept intact.

4. Developing a Cyber Security Policy and Implementing It

It’s important also to have a cyber security policy for your business, even if you are an SME. The purpose of this is to provide the framework on which all your company security works.

It should include clear guidelines on how employees should behave online, how they use your data and software, who is responsible for ensuring compliance, and what you need to do in the event of a breach.

Even if you do have a cyber security policy in place, it’s vital to ensure that this is being implemented properly. That means having a regular audit to check processes are being adhered to and any changes that need to be made are actually being made and recorded.

For example:

  • You may have run a training session to make staff aware of your cyber security policy and what is expected of them. But have you onboarded new employees properly? Do you need to provide a refresher session?
  • Is the person who is responsible for implementing certain parts of your cyber security policy doing it properly? Do they need further training, or do you need to change personnel?
  • Are there things that need to be added to your cyber security policy following changes in the operation of your business?

5. Embrace Automation

Finally, it’s important as much as possible that you don’t leave your cyber security at the mercy of human error. That includes making sure you have automatic updates and patch downloads for devices rather than waiting for employees to do it themselves. Automation not only reduces human error it can save time and money as well.

When you undertake your audit, do it with a mind of looking for areas where you can include automation.

Cyber security is most certainly a big challenge to businesses, particularly SMEs. These small steps should help tighten up and streamline your current posture and keep you safer online.

If you’d like to find out how a fully managed, tailored IT support service can benefit your business, contact the team at Cyan Solutions today.

How to Create a Cyber Security Policy for Your Business

Whether you are a new start-up, an existing small or medium size business or a large corporation, dealing with cyber security risks is vital in the modern commercial environment.

According to the Government’s Cyber Security Breaches Survey 2019:

  • Nearly a third of businesses have identified cyber security breaches or attacks in the last 12 months.
  • This resulted in a negative outcome, such as a loss of data or assets, in 30% of cases.
  • Only 33% of companies have a cyber security policy in place.

This last statistic is astounding when you consider the threat from cyber criminals that we face at the moment. While a cyber security policy can’t fully guarantee you won’t become a victim of cybercrime, it greatly improves your chances of avoiding a breach and gives you the tools to respond if one does occur.

What is a Cyber Security Policy?

All businesses have certain assets, including data and software, that they need to protect. A cyber security policy is a formal document that can be used by a whole range of stakeholders to understand their responsibilities and what measures are in place to protect the technology and assets of the business.

Most importantly, it is not a document that is set in stone. It needs to be reviewed regularly and updated to respond to current and future cyber security threats.

Who Should Be Involved in Creating Your Cyber Security Policy?

A cyber security policy is not simply put together by your IT service provider. It involves input from a wide range of individuals. That includes management and leaders within your organisation, HR departments that may need to enforce dissemination of the policy to employees, and even a legal team who may need to input on the wording of the document.

Main Elements of a Cyber Security Policy

The core part of your cyber security policy should outline the risks that your business faces and why the measures you are taking are important. It should also outline who is accountable for implementing the policy and the processes that need to be followed in respect of a breach, including following current GDPR guidelines.

Obviously, the complexity of the cyber security policy will depend on the size of the business and the number of different departments that may be affected.

From the perspective of employees, providing guidelines on the daily use of technology within the business is also important. It should include guidance on:

  • Password control: including how to store passwords, how to create robust passwords and how often these must be updated.
  • Email protocol: including how to spot potential phishing emails, not opening links or attachments from dubious sources, deleting suspicious communications and methods for blocking spam, scam or junk emails.
  • Dealing with sensitive data: including how data such as customer details are stored, how they are used and who has access to them, as well as measures for deleting data that is no longer needed or legally required.
  • Using removable devices: including the safe use of USB/flash sticks and preventing malware attacks by scanning before opening removable devices.
  • Using technology and hardware: including using BYOD and accessing hardware such as laptops outside of the business environment.
  • Social media and accessing the internet: including protocols for what is appropriate information about the business to share on social media and guidelines on which sites are allowed to be accessed during work hours.
  • Managing cyber security breaches: including who takes the lead and has responsibility, who needs to be informed, and what action must be taken.

The last point is an important one for all businesses nowadays, especially in light of the introduction of the General Data Protection Regulation in 2018. Businesses that don’t have the appropriate measures in place and fail to follow the current guidelines not only face damaging their own reputation they can be liable for huge fines or prosecution.

Auditing Your Cyber Security Policy

As we said at the beginning, your cyber security policy should be a live document that is regularly updated. There should be regular times where the policy is reviewed and assessed in line with current business goals and cyber security threats. This should include:

  • How the current cyber security policy is working in the real world.
  • The exposure of your business to both internal and external threats.

Using Your Cyber Security Policy Properly

It happens in a number of businesses that the cyber security policy is developed and covers all the bases required. Unfortunately, it is not disseminated properly to those who need to know. If you have a policy that is stuck on the equivalent of a shelf gathering dust, it’s not going to be much use.

Included in the policy and implemented by your business in the real world is how this information is going to be conveyed to relevant stakeholders, including employees. That can involve, for example, training new and existing staff to spot phishing emails, regularly updating the current security threats facing the business and ensuring that robust passwords are used for accessing data and software.

How Cyan Solutions Can Help

There’s no doubt that cyber security is a serious concern for businesses across the UK, whatever their size. It’s also a huge challenge to get all the pieces in place that deliver the protection individual businesses are looking for.

Creating a cyber security policy is a vital process in setting up the infrastructure to keep your business safe online. You cannot entirely trust, for example, that all your employees will follow the right protocols all the time. But you at least need to have a formal document that outlines and reinforces what their responsibilities are.

At Cyan Solutions, we’ve got a great track record of helping small and medium-size businesses put the right cyber security measures in place. We can work with you to develop a strong cyber security policy document that will act as a protective umbrella for your business. We can also help audit and review any policy that you may already have in place to ensure that it is fit for purpose. Contact our expert team today to find out more.

Cyber Security Risks You Need to Focus on in 2020

When you run a business nowadays it can seem you are continually battling the potential of malware threats and cyber attacks. It’s no longer enough to have standard virus software on your desktop – anyone with a digital presence needs to have a much more strategic approach to their company security.

That’s even more important now as, according to recent reports, the biggest challenges are yet to come. With cyberattacks becoming increasingly sophisticated, business of all sizes need to make sure they have the measures in place that protect them and strategies to facilitate recovery in the event of a breach.

Here we take a closer look at what you need to be thinking about when it comes to cyber security risks as we head into the next decade.

Ransomware remains a potent threat to businesses

Ransomware is a type of malware that stops your computer from working and issues a demand for money in order to free it up again. It’s normally delivered via a link in an email the user unwittingly clicks on and which then initiates the download of the malware.

According to the statistics, around 40% of businesses have been subject to some form of ransomware attack with more than 58% of these paying up to avoid damage to their operation and reputation. Only 4% of businesses that were asked in a recent survey were confident of dealing with a ransomware attack if it happened.

Our tip: Educate and train your staff about ransomware and how to recognise it, keep software up to date, and have a backup system or recovery process in place in the event of an attack.

Phishing set to become even more sophisticated

Phishing remains the easiest way for criminal actors to get access to our data. These are emails that purport to be from genuine sources that you may recognise, but attempt to coerce you into giving away vital information – such as your login credentials. While they are the most popular way of gaining access to privileged information, they can also be used to deliver ransomware, or hack systems.

Our tip: Always check who is really sending you an email before you click on any link. When in doubt, do not click.

Third-party IT that puts your business at risk

The biggest problem with today’s digital environment is that we’re all so well connected online. While this is great for better communication and productivity, it also presents problems when it comes to cyber security risks. Vendors may have information concerning your company and your customers or clients that can be at risk if they don’t have the right security measures in place. If they get attacked there could be a knock-on effect for your business.

Our tip: Be careful who you do business with and what information you share with vendors and third party suppliers. You need a process in place for handling liability and protecting sensitive data and ensuring that partners have a high level of cyber security in place.

The cyber security risks of cloud

There’s no doubt that using cloud-based services has added to the productivity and success of many businesses around the world. There are plenty of strengths here – you don’t have to worry about how to work remotely, your systems get updated without you having to do anything and you can tailor your IT provision to your needs.

But there are also cyber security risks that you need to understand here. Choose the wrong partner and you can find your company data at risk and your business subject to reputational damage.

Our tip: Make sure you partner with a reputable cloud service provider who has a good track record and protects your business while still being responsive to your needs.

The Hidden Threat of the Internet of Things

Almost everything with a digital footprint is beginning to get connected to everything else. Most of us own at least one smart device, whether that’s a mobile phone, smart TV or voice command box such as Alexa. Our heating can be connected up to our smartphone, we can even monitor home appliances while we’re on holiday, change the lighting remotely in the office or perform a host of other tasks.

The trouble is that the Internet of Things is designed for convenience rather than security. Many businesses that produce systems with an internet connection have found underlying flaws that may mean they are vulnerable to cyberattack.

Our tip: This is one to keep a close eye on, especially if you use a lot of smart technology in your office. Understand what you have and how it connects together and make sure you use strong passwords for the devices you own.

Expect to spend more on cyber security

While some business owners may baulk at the thought of paying more if you’re not properly protected it can have devastating consequences for if you are the victim of a cyber attack. It pays to make sure you have the right strategy in place and work with an IT service provider that delivers on your cyber security requirements.

According to research by the Department for Digital, Culture, Media and Sport:

  • The average cost to a UK business of a data breach is £4,180 (not including reputational damage).
  • Nearly 50% of businesses have identified a breach in the last year.
  • Only 31% of businesses have done a cyber security risk assessment in the last year.

Businesses need to be more focused on what cyber security measures they have in place. Yes, that may well lead to a bigger spend. This is especially true as attacks become increasingly sophisticated. But it’s worth it in the long run.

Our tip: Work closely with your IT service provider to ensure that you have the right measures in place but also formulate a cyber security budget and ensure this is invested in protecting your critical assets.

Data compliance means having a robust security strategy in place

Finally, with the introduction of the General Data Protection Regulation (GDPR), even more onus has been put on businesses to include operational measures that keep the personal data of their customers safe. While a breach will damage your reputation, it also puts you at risk of a substantial fine if you are on the wrong side of the current rules.

According to recent reports, many companies are still not compliant and are putting themselves at risk.

Our tip: Get together with your IT service provider to make sure that your company meets the current regulations and has the processes and strategic support in place to deal with a data breach or cyber attack.

If you are looking for an IT partner who can deliver on all your needs, contact the team at Cyan today.

IT Security Strategy: What You Need to Know

Most businesses are critically dependent on the internet. Survival means having a strong IT security strategy in place. The hacking of telecommunications giant Talk Talk in 2015 reminds us that it’s not just smaller businesses that are at risk either.

The Government has taken steps to build a national cybersecurity strategy and this acknowledges that threats can come from many different sources: foreign governments or state sponsored actors, terrorists, hackers, hacktivists concerned about a particular issue, and even insiders, people who work for a company and who have a grievance of some sort.

Protecting your business has never been more important or more challenging. Having the right tools and processes in place is key if you want to stay safe.

How to Develop an IT Security Strategy

The digital landscape has become increasingly complicated over the last couple of decades. Businesses will not only operate online through portals and third-party sites but use tools such as social media to market their services and products. On top of that, they will have key IT requirements within their office environment that need solutions. Many will use remote working and promote collaboration and better communication through cloud-based services.

All this means that there is no clearly defined, one-size-fits-all IT security strategy for modern businesses.

1. Understand What You Have

The first major step to developing the appropriate IT security strategy is defining what you are trying to protect in the first place. Yes, you may have lots of customer and employee data but what about documents relating to your business such as your plan for the future or a new product you are intending to bring onto the market?

To make sense of everything, you need to understand what each asset is and clearly define its value to your business.

2. IT Security Risk Assessment

The next part of the process is to look at the current state of your IT security in relation to these assets and whether it fulfils its purpose. A risk assessment looks at a range of different aspects of your business, including the software you have in place, who has access to data, what they do with it when they are using it, and what protocols other than digital that you have in place to ensure security.

3. Elements of Strong Cybersecurity

The Government has produced a useful infographic (download here) relating to IT security which includes 10 steps all businesses and organisations should be taking:

  1. You need to implement a risk management regime that allows you to regularly review your cybersecurity processes.
  2. You must protect your network from attacks using anti-virus software and other technological solutions.
  3. You need a process in place to educate users and build awareness through activities such as staff training and the production of easy to follow practices (such as having a definitive password policy for your business).
  4. You need to establish anti-malware practices and defences to protect your business like having the appropriate software and educating staff on threats such as phishing emails.
  5. You need to limit or control the use of removable media such as flash sticks which can hold malware.
  6. You need to update your systems when a new patch or update is available and ensure they are configured properly across your whole business.
  7. You should carefully manage user privileges particularly for parts of your network that have access to sensitive data.
  8. Your business should have a process in place for handling any breach incidents or disaster recovery and be able to test these plans. If you lose data for whatever reason, being able to get up and running again may be vital to the survival of your business.
  9. Your business also needs to have in place a system or protocol for monitoring your IT and cybersecurity, producing reports and understanding if you are at risk of attack.
  10. You need to develop a policy for home and mobile working especially if you advocate using BYOD. Your company needs to create a secure baseline for all devices and build this into its cybersecurity activity.

While many businesses will be able to implement some of these measures, it can be challenging to get them all in place. That’s why it’s important to work with an IT and cybersecurity specialist to make sure all the bases are covered.

At Cyan Solutions, we have the teams in place who will be able to help you develop a robust IT security strategy that will safeguard your business now and in the future. Contact us today to find out more.

Essential Recommendations for Business IT Security

One of the key factors that effects almost every business with a digital profile is IT security. It’s a constant challenge to get right whether you are a small start-up or a large corporation.

Unfortunately, there are organised criminal gangs in this world who are fixed on trying to do us harm. It’s something that has been with us since the birth of the internet.

The biggest question we get asked at Cyan Solutions, is what best practice can be employed to ensure better business IT security.

Here’s a list of things you can do right now to help protect your business:

1. Don’t Assume It Won’t Happen to You

This is something we find with many SMEs. They think they’re too small for hackers to worry about. It’s simply not true.

Most attacks come through automated delivery such as Phishing email. The hackers and malware developers are looking for someone, anyone whose system they can get into. Whether you are just a one-person outfit or have many staff, treat cybersecurity with the same level of seriousness as you do other aspects of your business.

According to a recent report by Verizon, 71% of cyberattacks happen to smaller companies with less than 100 staff on the payroll. That is in part because there are more of them but the clear message is to be aware and have robust cybersecurity policies in place.

2. Use a Firewall

The first line of defence against cyberattacks is an effective business-grade firewall. Think of this as a barrier that repels common attacks and prevents malicious threats getting to your network. Companies often neglect to invest in this area as they don’t understand the importance of good perimeter security. They assume a generic router does the same job, it doesn’t. You need to improve network security measures if you want to remain safe online.

And, it’s not just external firewalls that are important – if you have sections of your network that contain sensitive data, for example, you may want to protect these with additional cybersecurity measures.

3. The Challenge of BYOD

Bring Your Own Device (BYOD) has largely been accepted in the business world over the last decade after some initial reticence by employers. It can often be easier for an employee to use their own smartphone or tablet or even laptop to do their work.

The trouble is that these are not generally as secure as the hardware and software that you have for your business. Staff can download the wrong apps or visit the wrong sites that open them (and your business) to potential cyberattack.

This is something that is unlikely to change in the future. BYOD offers too many benefits. The challenge is to make sure that mobile devices are updated with the right security and that staff understand their obligations.

4. Having Comprehensive Cybersecurity Policies

This brings us to the strategy for your cybersecurity protection. All businesses, whatever their size, need to have a robust set of policies that staff can adhere to. Many smaller companies do this in an ad-hoc manner which can mean their business IT security is missing vital core components. Ensure that you document your policies and make them readily available to all members of staff – including senior managers and executive teams.

5. Password Protection

It might seem like a simple thing to include in a best practice list but passwords are a real issue for businesses. Enforcing a robust policy in this area is important and could well protect your business from cyberattack. Passwords should ideally include upper- and lower-case letters, symbols and numbers. For more sensitive areas of your business, you also want to consider multi-factor identification.

It might seem like a simple thing to include in a best practice list but passwords are a real issue for businesses. Enforcing a robust policy in this area is important and could well protect your business from cyberattack.

Passwords – when implemented correctly – are an easy and effective way to prevent unauthorised access to systems. Always change the default password that comes with a new device.
If two-factor authentication is available, make sure it is enabled and use it. A common and effective example of this involves a code sent to your smartphone which you must enter in addition to your password.

6. Educating Staff

One failing, particularly for smaller businesses, is not educating their staff on the right IT security protocols. There’s plenty of evidence to suggest that, even if a company has a password policy in place, in the majority of cases it is not enforced.

You have to bring your staff into the loop and make sure they are well educated with regards to cybersecurity risks. For example, User Awareness Training is a great way to educate staff to the dangers of email threats, such as Phishing attacks, which are not always easy to identify.

7. Regularly Update Your Devices and Software

It’s quite worrying the number of small and midsize businesses that do not make the effort to patch their systems, devices and software. Manufacturers release regular updates which not only add new features, but also fix security vulnerabilities that have been discovered. Applying these updates (a process known as patching) is one of the most important things you can do to improve security.

8. The Right Level of Protection

Finally, the fight against cyberattacks is a never-ending battle and you should have the appropriate virus and anti-malware software in place which is regularly updated. One big mistake businesses make is to assume that standard anti-virus software alone is adequate protection for their needs. How security should be tailored to better protect your organisation is something you need to discuss with your IT provider. Understanding what threats are targeting and putting additional layers of security in place to protect against them is an essential part to any cybersecurity strategy.

At Cyan Solutions, we deliver cutting edge IT services and support. If you want access to the best cybersecurity expertise for your business, tailored to your needs, contact our team today.