10 steps to Cyber Security - Guidance for SMEs
In September 2012, BIS (UK government Department for Business Innovation and Skills), in conjunction with Cabinet Office and CESG (the Information Security arm of GCHQ) published guidance on 10 steps to cyber security. These 10 steps, if implemented as a set, can substantially reduce the cyber risk by helping to prevent or deter the majority of types of attacks. We recommend that you download the 10 steps information here.
IASME has had feedback that the official 10 steps guidance can be complex for some owners of small companies without access to IT teams and here we hope to give some practical advice to help understand and implement the guidance. Please note that this advice is not intended to replace the advice from government.
All your information has a value, not just to you but to a range of other organisations, such as organised crime or your competitors. You might be surprised what other people would find valuable. If it’s valuable to anyone, it’s at risk.
Incidents can bring about huge financial burdens to a business, with direct financial loss estimated at £2,500-£4,000 and £13,000-£22,000 for small and large businesses respectively. Information Commissioner's Office (ICO) fines can also be expensive.
No security can be 100% effective. People make mistakes, equipment fails and the threats keep changing. However the threats are real for small and large business alike, and are not going away.
If a company can implement the recommendations in these steps then it should be ready to achieve IASME accreditation and prove that it is cyber secure.
10 (well, 11) Steps
We have included some simple, extra ideas reflecting use of personal devices (BYOD), Cloud services, Social media etc. which are becoming more common in small businesses.
1. Protect your Network (Network Security)
- Find out whether the device which connects the organisation to the Internet – most commonly a router supplied by the Internet Service Provider (ISP) – has a firewall built in, as many do. If not, install a proprietary firewall (for example from mainstream suppliers like Symantec, Sophos, Kaspersky etc., where it is often included in a suite of software) on your PC or laptop. Follow the instructions to keep it properly configured and updated.
- Take note of any warning messages and follow the guidance offered.
- Consult an expert if you think your network has been compromised - you might know this had happened if you noticed unusual activity - such as unusually high activity or no activity.
2. Teach Good Practice (User Education and Awareness)
- Make knowledge of your Security Policy part of your induction process for new staff and make compliance with the Policy part of staff contracts.
- Remind staff regularly about good security practices, especially when the risk or the policy changes. Make sure they know not to click on links in emails from unknown sources.
- If you use social media for business purposes, you should ensure that all staff know that no sensitive material, intellectual property (IP) or similar material should be disclosed and that users behave responsibly while using social media for business or personal use, bearing in mind that they directly or indirectly represent the business.
3. Manage IT Access (Managing User Privileges)
- Employ usernames and good passwords to control log-in. Good passwords contain upper and lower case characters, numbers and symbols.
- Don’t write passwords down or share them between users. Limit admin privileges to those who need them.
- Ensure staff only have access to the folders they need to see. Keep sensitive data separate.
4. Keep Your Own IT Up-To-Date (Secure Configuration)
- Document your IT assets so you know what you’ve got. IT assets will include hardware, software and even key IT staff.
- Install current software and operating system patches, firmware updates etc. as soon as they are issued. You usually get the option to do this automatically when you install the software, or you should find it in the configuration menu. Ensure all software is licenced.
- Check for technical weaknesses regularly (e.g. vulnerability or pen testing). Regularly would mean when you update the risk assessment, perhaps annually or after major change of hardware or software.
5. Removable Media (Removable Media Controls)
If you transfer data using CD, DVD, USB, SD or any type of flash memory drive:
- Only permit business issued and controlled devices in your business systems
- Issue, retrieve and track the devices - know where they all are, who has them and, ideally, what software is on each.
- Ensure they are encrypted (some removable media devices already have encryption software on them) and scanned for malware on each use. Many commercial anti-malware packages (anti-virus) have the ability to scan removable media.
6. Mobile Working (Home and Mobile Working)
Use of mobile devices for business purposes (privately or business owned) should require Board-level approval. Such devices must, at a minimum:
- have anti-malware software installed and updated daily (this can be set to happen automatically),
- have a PIN, password or other authentication installed,
- be encrypted wherever possible and
- be capable of being remotely tracked and wiped.
All of the above can usually be done at little or no cost without technical expertise. Many of the mobile devices, particularly the newer models, can do this and you can set it up through the options or set-up screens.
- Staff should inform the Board-level risk owner (see above) immediately if the device is lost or stolen, and the device must be remotely wiped.
7. Use Anti-malware Defences (Malware Protection)
- Use a proprietary anti-malware or security package (one you can buy from a mainstream supplier like Symantec, Sophos, Kaspersky etc.). Use this across the whole business.
- Use all the facilities of the anti-malware package even if you have to modify your business practices a little. Ensure ‘sweeping’ is done automatically.
- Update the protection as often as possible. Providers usually offer automatic free updates – ensure updates occur at least daily.
8. Understand Your Risk (Information Risk Management Regime)
- Decide who on your Board (or senior manager in your company if you have no board) is responsible for managing the risk. Work out how much risk you face and how much risk you want to take. The IASME self-assessment questionnaire can help you do this. If you would like to be sent this questionnaire free of charge then please contact us.
- Identify your most valuable information in the company and mark documents containing this data clearly as "confidential" or similar.
- Create a Security Policy describing what you want to do to manage the risk and include all the steps here. Distribute the policy to your staff. Review the Policy regularly to ensure it meets your needs.
- Allocate security responsibilities clearly to other staff and ensure staff understand the importance.
9. Monitoring (Monitoring)
- Monitoring can detect potential hardware faults and unusual activity on your network or internet-connected devices. Modern laptops often come with the former installed and some anti-malware packages also have the latter.
- If your business has a large network you should use network management tools to detect unusual activity. This includes monitoring traffic flow, IP usage etc.
- Ensure that your staff report unusual activity to a central point and that you have sufficient plans and expertise on hand to react quickly.
10. Incident Management and Business Continuity (Incident Management)
- Spotting an incident - an attack should be flagged by the firewall or security package. Anything which interferes with the business is an incident.
- Decide what to do (and who does it) if you have an incident such as a malware attack, loss or corruption of data, laptop theft etc. and document it with the approval of the Board.
- Get in-house or outsourced expertise ready to deal with your incidents. Just knowing of a company with the relevant skills so you can call them quickly is important.
- Document any incident and decide what caused it, how much it cost to fix and whether there is anything you could do better in future.
- You should ensure that you know what to do (and document the actions to be taken) on the catastrophic failure of anything critical to your business such as information, applications, systems or network. Don’t wait for an incident to try out the plan.
11. Using the Cloud
- Where you use data storage, applications or other services which are provided by another business (e.g. a ‘cloud provider’) you should choose one whose security has been independently audited (e.g. certified to ISO 27001 or IASME). You can find this out by looking for details of accreditation on their website or by contacting them and asking. Do make sure to ask about the scope of the certification, as some companies will accredit only a small aspect of their business and it may then appear that the whole business is accredited.
- The use of the cloud should be treated like any other out-sourced provision and (ideally) be subject to service level agreements. You can contact them and ask for a Service Level Agreement.
- Do ensure that you know where and how your data is stored on the cloud and who is liable / responsible for that data. A particular issue is the country where the data is stored, which has legal repercussions, as anything stored outside of Europe requires different procedures. The cloud company may be based in the UK but have data stored anywhere, and could even sub-contract storage to a third party. Even though the content of a website can be seen worldwide, it is the location of the storage that determines the legal requirements.