There is no doubt now that cyber security is an extremely important topic for all businesses. Cyber-attacks cost time, money and reputation, and they are becoming more and more common, with the number of attacks continually rising.
It isn't just large companies being attacked, though; companies of all sizes are targeted, and SMBs are at least as vulnerable as enterprises, often more so, because their security controls tend to be weaker. The most common attacks are socially engineered attacks, phishing emails, CEO fraud emails, identity theft, malware and exploitation of unpatched software.
Change in technology consumption
The way in which people access their IT has changed, driven by the adoption and rise of cloud computing, which will continue to become the norm. Thanks to cloud computing, people can access their apps and data from anywhere and on any device. This brings many benefits to organisations and their staff, but it also brings new security concerns.
The Old Model vs the New Model
Traditional IT security followed a 'perimeter security model' (aka 'castle and moat'), where you built a wall of protection around your IT and systems. This is no longer effective: as networks, apps and users are no longer contained, it is no longer possible to build a perimeter around them. Combine this with 'shadow IT', where users store their work data outside the knowledge of their IT department (Dropbox etc.), and you simply don't know where to build the wall. To overcome this, a newer cybersecurity approach has evolved: zero trust networking.
You still need to protect your network and have the right defences in place, but you now need to assume that you cannot build a wall around everything and that attackers will therefore get through. Efforts need to focus on ensuring that once someone is in, they can do as little as possible. This follows the motto "never trust, always verify", and the verification happens on every access request rather than once at the network edge. The four areas to verify are:
- User – who is trying to access something
- Location – where are they accessing this from
- Device – what device are they using
- Apps – what are they trying to access
This ensures that anyone trying to access your data is verified as a trusted person, in a trusted location, using a trusted device, with permission to access the app or data in question. The difficulty is striking the balance between tight security and a simple user experience. If users have trouble accessing their data they become frustrated, but not challenging these factors leaves your organisation at risk.
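To make the four checks concrete, here is an added example (not code from the original article, and not Microsoft's conditional access engine) of a small policy evaluator written for this page. It takes the user, location, device and app signals for a single request and returns allow, require MFA (step-up) or block, with a reason list. The networks, groups and app names are constructed for illustration; the decision logic shows how the signals combine: an untrusted location or unmanaged device does not on its own block a low-sensitivity app but does force a second factor, a high-sensitivity app always requires MFA and never accepts a non-compliant device, and anything the policy does not explicitly cover is denied.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network


class Decision(Enum):
    ALLOW = "allow"
    REQUIRE_MFA = "require_mfa"  # step-up: admit only after a second factor
    BLOCK = "block"


@dataclass(frozen=True)
class AccessRequest:
    """One access attempt, described by the four signals the policy verifies."""
    user: str
    groups: frozenset          # directory group memberships of the user
    mfa_completed: bool        # has this session already passed a second factor?
    source_ip: str             # location: where the request comes from
    device_compliant: bool     # device: has it passed the compliance check?
    app: str                   # app: which application or data set is requested


# Constructed policy data (hypothetical, for illustration only).
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]
APP_POLICIES = {
    "finance-erp": {"allowed_groups": {"finance"}, "sensitivity": "high"},
    "intranet": {"allowed_groups": {"staff", "finance"}, "sensitivity": "low"},
}


def from_trusted_location(source_ip: str) -> bool:
    """True only if the address parses and falls inside a trusted network."""
    try:
        addr = ip_address(source_ip)
    except ValueError:
        return False  # an unparseable address is treated as untrusted
    return any(addr in net for net in TRUSTED_NETWORKS)


def evaluate(req: AccessRequest) -> tuple[Decision, list[str]]:
    """Verify every signal on every request; the default outcome is deny."""
    reasons: list[str] = []
    policy = APP_POLICIES.get(req.app)
    if policy is None:
        return Decision.BLOCK, ["app has no policy: default deny"]
    high = policy["sensitivity"] == "high"

    # 1. User: must hold a role that is permitted for this app.
    if not (req.groups & policy["allowed_groups"]):
        return Decision.BLOCK, ["user is not in an allowed group"]

    # 2. Device: a non-compliant device never reaches high-sensitivity data.
    if not req.device_compliant:
        if high:
            return Decision.BLOCK, ["non-compliant device on high-sensitivity app"]
        reasons.append("non-compliant device")

    # 3. Location: outside the trusted networks counts against the request.
    if not from_trusted_location(req.source_ip):
        reasons.append("untrusted location")

    # 4. App: high-sensitivity apps always demand a second factor.
    if high:
        reasons.append("high-sensitivity app")

    # Any accumulated reason requires MFA. Because this runs per request, a
    # session allowed from the office is re-challenged from a cafe.
    if reasons and not req.mfa_completed:
        return Decision.REQUIRE_MFA, reasons
    return Decision.ALLOW, reasons or ["all signals trusted"]


if __name__ == "__main__":
    alice_office = AccessRequest("alice", frozenset({"staff"}), False,
                                 "10.1.2.3", True, "intranet")
    alice_cafe = AccessRequest("alice", frozenset({"staff"}), False,
                               "198.51.100.7", True, "intranet")
    bob_erp = AccessRequest("bob", frozenset({"finance"}), False,
                            "10.1.2.9", True, "finance-erp")
    for r in (alice_office, alice_cafe, bob_erp):
        decision, why = evaluate(r)
        print(f"{r.user:>6} -> {r.app:<12} {decision.value:<12} {', '.join(why)}")
```

The point of the example is the shape of the decision, not the particular thresholds: every request is evaluated from scratch against all four signals, a weaker signal raises the bar (MFA) rather than silently passing, and the absence of a matching policy blocks rather than allows. Real conditional access tooling adds risk scoring and session controls on top of the same structure.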
How to do this?
We recommend beginning with an IT security assessment to establish your current position, then creating a risk and remediation plan that sets out the steps to improve your security. You may need additional security tools; we often recommend Microsoft 365. Most organisations already run Office 365, and Microsoft 365 combines Office 365, Windows 10 and Enterprise Mobility + Security. Together these solutions provide a range of applications covering:
- Identity-driven security – protect your users and identity with tools such as multi-factor authentication, single sign-on and conditional access policies
- Threat protection – monitor threats with advanced detection and analytics, which Microsoft says draws on the data it collects across its services (it cites 450 billion authentications and 400 billion emails every month)
- Information protection – this keeps your data safe; rather than building a wall around all your data, data becomes self-protecting with classifications, rules and policies in place
- Security management – manage and monitor your security through holistic dashboards
Using Microsoft 365 gives you the tools to set policies and procedures, then lets your trusted users access their data securely and simply, with a good user experience. Meanwhile, threat detection continues to run, so if a threat does get through, its access to your data is limited and it can be stopped quickly through automated remediation.
Finally, you will need to ensure ongoing management of your security. This can be done in-house if you have the right resources and skills, or you can work with a cybersecurity partner for ongoing support.
Cybersecurity maturity roadmap
Each organisation already has a certain level of cybersecurity in place, varying from basic through to robust. Once the necessary tools, processes and support are in place, we recommend getting your organisation certified. Not only does this confirm that you have the right measures in place, it also shows publicly that you take cybersecurity seriously, giving peace of mind to clients, suppliers, partners and others.
We would suggest the following three-tier certification:
- Cyber Essentials - Shows that the basics are in place and you are guarded against the most common attacks. It is fairly quick to achieve and is based on a self-assessment.
- Cyber Essentials Plus - Goes a step further; you must hold the basic Cyber Essentials certification first. It covers the same core areas, but an external assessor then tests that the controls in place are actually effective. It takes a little longer to achieve because of that external audit.
- ISO 27001 - Shows that you have sophisticated and robust information security measures in place and are well protected and prepared. As a consequence it is time-consuming and a large commitment, involving substantial groundwork and then a thorough external audit.
Cyber security remains a top concern for businesses, but you need to make sure the effort being put in is going to be effective, especially against newer attack methods. A great step is moving away from the perimeter model towards zero trust networking, and we recommend Microsoft 365 to give you the tools to enforce your security measures.