As an IT partner working in the Alternative Investment space, one of the most common questions we get asked is: “What cyber security does my business need?”
The vast array of technology on the market makes it difficult to decide budget priorities, especially as the cyber security space is evolving all the time to keep up with increasingly frequent and sophisticated cyber attacks.
This business cyber security guide is a starting point to protect against both external and internal security threats. While it is applicable to any kind of business, these tips are particularly important for businesses in the financial sector, considering they routinely deal with highly sensitive customer data which is particularly attractive to cyber criminals.
1. Do the basics well
Make sure you are on top of Asset Management and Patch Management. You can’t protect your assets properly if you don’t know what you are trying to protect, and your efforts are equally wasted if you don’t keep assets up to date with all security fixes.
Start your assessment with a physical inventory of hardware, such as laptops and mobile phones. Then, take an inventory of information assets, starting with your most important and sensitive (those a hacker would target first). Read our blog on the fundamentals of cyber security for more tips about Asset Management.
2. Multi Factor Authentication (MFA)
Everywhere, all of the time, across as many systems as possible. The process of requiring users to provide two or more steps of verification is your first line of defence against cyber criminals. Your goal should be to integrate every IT service within your organisation into the same Identity solution, protected by MFA.
3. End User Education and Testing
If MFA is your first line of defence, then your staff are the last line of defence. The cyber security training you have provided so that your team know what they need to look out for and how they can best protect your business is invaluable. Test your team to recognise common traps, such as phishing, and ensure that they fully understand your incident reporting procedure.
4. Robust Email and Endpoint Security
As a minimum, you should invest in fit for purpose Email and Endpoint security solution to protect your business. Email is still the most popular payload mechanism for attacks against your business. Implementing a sophisticated Email Security solution with URL re-writing and impersonation protection as an example, will massively help reduce the number of successful attacks that reach your teams mailbox.
Another area to invest is a robust Endpoint security solution. We now recommend that clients use a Managed Detection and Response (MDR) service that includes a Next-Generation Endpoint Security agent backed by a 24/7 Security Operations Centre to ensure that threats are found and quarantined as quickly as possible.
5. Backups and Disaster Recovery
Have separate, air-gapped backups of all business critical data, so that, in case of a breach, you are able to recover it. Ensure that your Disaster Recovery Plan is kept up to date and fit for purpose. Does it meet the needs of your organisation? For example, if there was a problem, could you restore your systems quickly enough to minimise the impact on day-to-day business?
6. Cyber Incident Response Plan
It’s not enough to have a plan. You need to test it. Consider how often you scroll through the news and see a story about a data breach at a major company – if it could happen to them, why wouldn’t it happen to you? Business leaders need to adopt a mindset of ‘when’ rather than ‘if’ and work with their MSP to build a robust response plan. Include plans for internal and external communication, including key stakeholders and regulators.
In addition, we recently launched the Tribeca Trust Centre so that our clients can have absolute confidence we are maintaining the highest certified standard in Information Security, including compliance with strict annual audits.