spector, Author at Spector

Top 4 Business Technology Trends for 2022


Over the last few decades, technology has been a driving force in business transformation and doesn’t show any signs of slowing down. The fact that direct digital transformation investments are projected to total €7 trillion between 2020 and 2023 demonstrates this. If you want your firm to succeed, you must have the appropriate technologies to help you keep up with the changing business world. Learning what the current business technology trends are is the first step.

In the present scenario, your technology must enable you to overcome three recent pandemic-induced issues:

Supply chain disruptions

In 2021, supply chain interruptions cost businesses throughout the world an average of $184 million. As production sites and borders were strongly impacted by Covid 19, the world has seen ongoing shortages.

The great resignation

In 2021, tens of millions resigned from their jobs in Europe and the United States, setting a new record. This global phenomenon has been called “the great resignation”. Its effect is being widely noticed and studied in the business world.

A rise in ransomware attacks

Ransomware affected 68.5% of businesses surveyed in 2021, according to research from Statista. As companies rushed to remote work, cybercriminals exploited vulnerabilities and caused considerable damage. Learn more about Ransomware.

As Covid 19 continues to impact organisations worldwide, this article discusses more trends likely to take place during the year. Businesses must keep up with the demands of the evolving technology landscape if they wish to achieve their goals and remain competitive despite the changes brought about by the pandemic.

Track the latest business technology trends to know if you are moving in the right direction. Having a managed service provider (MSP) on your side allows your business to stay up to date without doing the heavy lifting.

Top 4 business technology trend predictions for 2022

Third-party risks will increase

In 2022, third parties will be involved in 60% of security incidents. This means that firms that fail to invest in the risk management trifecta of people, processes and technology may face cyberattacks.

Proactive businesses will include risk assessment, supply chain mapping, real-time risk intelligence and business continuity management in their IT stack.

We have a selection of articles discussing third-party risks, available in the links below:

One-third of companies will fail at implementing “work from anywhere”

To successfully and securely empower remote workers, organisations need to deliver: 

  • A precisely designed digital workplace that allows for seamless working from anywhere
  • A leadership team capable of leading a virtual team
  • An organisation with high levels of digital literacy across all departments
  • A thorough mastery of work-from-anywhere concepts

However, a third of companies still lag in these areas. Leaders have not been trained effectively, and organisational culture is suffering. Despite being the most prevalent business technology trend for the past couple of years, companies haven’t mastered this challenge.

If you think there’s still room for improvement in your business, check our articles and guides on Remote Working below.

Should you want an individualised solution, get in touch and learn more about our Remote Working Services.

Migrating Cloud

Cloud-native takes centre stage in enterprise cloud

The Cloud has been involved in emerging business technology trends for over a decade now, and its potential still hasn’t been fully explored. Cloud customers will change their business strategy to be completely cloud-native rather than using the cloud for only a portion of their portfolio.

Also, cloud-native adoption is predicted to reach 50% of enterprise organisations by 2022, spanning all major technology domains such as big data, artificial intelligence and the Internet of Things.

Migrating to the cloud is not as straightforward as it may seem, and it requires careful planning and consideration. There are many solutions and setups available that may be adequate for your business, involving a private, public or hybrid cloud.

We have a Guide on Cloud Migration available for free, and our team would be happy to understand your needs and discuss solutions. Get in touch!

Tech execs leap from digital to human-centred technology transformations

In 2022, technology executives will concentrate on fixing long-term problems. The best ones will embrace a customer-centric approach to technology, allowing their organisation to meet future customer and employee needs with adaptability, innovation and resilience.

This business technology trend was identified by a Forrester report, and it allows companies to quickly reconfigure business structures and capabilities. It’s the realisation that business technology must be designed for the end users – people who will be able to maximise its value.

Our Guide on Technology Transformation is a couple of years old but still provides practical guidelines to apply changes in your business. Download it for free and get in touch if you want to talk to our specialists.

Apply these Tech Trends and Collaborate for success

Get your technology infrastructure ready for a successful year! With the help of a technology partner, you’ll have a much easier journey getting there.

Keeping up with the rapid pace of technology and learning how to leverage it to your business’ success can be time-consuming. Not all business technology trends will be applicable to your reality and industry. A trusted partner will not only lend you their know-how of what’s best in tech but will also implement these tools for you securely.

Spector can handle your IT, cybersecurity and compliance needs. If you’re choosing between providers, click here to download our Checklist that contains a list of questions to ask any MSP before working with them. This should help you filter between providers and make the right decision.

Get in touch with us or click here and set up a free consultation. Our expertise and skillsets may be what your company needs to help remote workers thrive.


Sources:

  1. Statista (worldwide-digital-transformation-market-size)
  2. Statista (cost-supply-chain-disruption-country)
  3. Job Openings and Labor Turnover Survey, 2021
  4. What is the Great Resignation?
  5. Statista (businesses-ransomware-attack-rate)
  6. Predictions 2022, Forrester

Refreshing Your Business Technology Infrastructure in 2022


After the ups and downs of the last couple of years, the business world enters 2022 with renewed optimism. Business executives are contemplating strategies to start the year with a strong quarter by adapting to the new normal. Do you have the best technology infrastructure to help you kick off the new year with a bang? If not, it’s time to consider a technology refresh.

Every company wants to grow, but if you treat your technological infrastructure as an afterthought, you may be severely limiting your company’s potential. Your team’s productivity, efficiency, flexibility and security are directly impacted by your business technology.

An up-to-date and high-quality IT infrastructure is an asset that enables you to do business without falling prey to cyber threats and helps you achieve your goals. Your IT infrastructure is a critical component of your business – and its importance is often underestimated in SMEs.

How about beginning the year with the right foot? A technology refresh enables a company to analyse the current state of its IT infrastructure and weigh the merits of trying something better. For a company’s long-term success, it’s best to review the present IT infrastructure — hardware, software and other technology solutions — and determine what additional solutions are available that would better suit its needs.

Reasons Worth Considering Before Refreshing Your IT Infrastructure

The following are the top four reasons to refresh your technology infrastructure:

Increased Security

The threat landscape is constantly evolving. We know this because of the projected increase in the cybersecurity market size from around 217 billion in 2021 to about 240 billion in 2022. If you want to keep cybercriminals out of your business, you must understand where your technology and security measures fall short, leaving you vulnerable.

Some of the threats that small and midsized business IT infrastructure must defend against are:

Assurance That You’re Meeting Compliance Requirements

Regardless of your industry, you’re probably subject to compliance regulations that your company must follow. If you use outdated technology that no longer receives software patches and is no longer supported, you may jeopardise your compliance status. Finding these gaps in your infrastructure as early as possible allows you to close them, thereby avoiding reputational damage and getting into hot water with regulators.

Read: How a ‘Compliance First’ Mindset Limits Liabilities for SMEs

Never take compliance lightly since failure to comply can result in:

  • Hefty penalties
  • Uninvited audits
  • Criminal charges
  • Denial of insurance claims
  • Forced closure or even imprisonment

Reliable Backup

Having a backup solution is a must if your business has any reliance on technology. It’s a critical component of a resilient organisation. If you already have a backup solution, you should test and verify it regularly to ensure that it is still functional. A backup is only good if you can restore from it, and if it stops working when your organisation needs it the most, you’ll be in a tough spot.

In addition, some cyberattacks specifically target backups. As a result, it is critical to regularly review and refresh your backup solution.

Learn more about our Backup and Disaster Recovery services and best practices with our dedicated articles.

Stay Competitive Using Artificial Intelligence (AI) and Other Emerging Technologies

According to Gartner, 33% of technology and service provider organisations intend to invest $1 million or more in AI over the next two years. AI and other emerging technologies are rapidly altering the landscape of every industry. If you want to stay ahead of your competitors, you must use the most up-to-date technology that is appropriate for your industry and goals. This could explain why around 60% of SMEs have invested in emerging technologies.

Collaborate for Success

A timely technology refresh could act as an energy boost for your company, enabling it to be more resilient. Begin your IT infrastructure refresh journey with a specialised partner. Knowing that the process is in expert hands gives you peace of mind and allows you to focus on building your business. Get in touch with us today.

Thank you for reading! If you have found value in this content, please share it with others who may feel the same way. Follow us on Social Media for more exclusive content.


Sources:

  1. Statista
  2. Adobe Digital Trends Report

How to Build a Security-First Culture That Empowers Your Hybrid Workforce


Tools are only as good as their users. This should be your guiding philosophy as the world shifts to a hybrid work model to deal with the complexities posed by the COVID-19 pandemic. While it’s great to define and implement essential security controls and tools, if it isn’t backed up by workforce buy-in and participation, you could be in for a bumpy ride.

Related Article: Securing your Hybrid Work Environment

A Ponemon survey of IT security leaders revealed that 62% of remote employees do not follow security protocols closely. And that’s only half of it. Think of all the logistical and monitoring challenges posed by hybrid working environments. You may have some employees working remotely, some from your office and a few others at a co-working space. If you have rotational shifts, you will have employees working throughout the day. To put it bluntly, building a security-first culture in this new era is a massive undertaking.

You will need to devise a comprehensive cybersecurity strategy that involves and empowers your hybrid workforce. Here are the critical components of this strategy:

Perimeter-Less Technology

In a hybrid work model, you will have employees spread over multiple locations, working together online. Some may use less secure home internet connections for work, while others may use personal devices to get the job done. That’s why it is critical to upgrade your security systems, tools and controls to make sure they match the demands of a hybrid environment.

This means going truly perimeter-less and investing in cloud-based SaaS applications, secure VPNs, identity and access management tools, patch management applications, unified endpoint management systems, and backup and recovery solutions. 

Make sure the application you choose supports Zero Trust architecture. Zero Trust is a security concept that dictates that every attempt to access company networks and systems must be verified first, whether within your network perimeter or outside it.

Documented Policies and Procedures

If your security policies and procedures are not clearly documented, you will struggle to enforce them. Your staff may not know what steps are involved or the purpose of the whole process. There will be no buy-in from their side. For instance, if you don’t have an Acceptable Use Policy for your VPN in writing, your employees may end up using it for non-work purposes.

Recommended Read: How to Ensure Compliance when Working Remotely

Identify critical IT policies and procedures like change management, remote access, incident response, etc. Then, have all of them documented and shared with the concerned teams and your staff members. Remember to keep the files up to date and in an easily accessible, central location. This will make it easier to enforce policies. Employees will know what is expected of them and why. Finally, make sure policies are reviewed periodically and make changes if needed.

Security Awareness Training Programs

Aim to make your employees the first line of defence against cyberattacks. Although this approach has been around for years, it is even more relevant in a hybrid work environment. The risk factor is higher, so you must take it seriously—no more gimmicks to meet compliance requirements.

Deploy engaging training programs to help reduce human errors, develop good security habits and create awareness about the current threat landscape. Create training videos and a knowledge base covering security best practices and SOPs.

Read – Your biggest cyber security risk: Your employees

Along with that, you should set up interactive training programs that help employees learn how to defend against phishing, ransomware, brute-force password attacks and social engineering. After training, reinforce what they learned by conducting routine tests and simulations.

Communication and Support Channels

You can handle threats more effectively when communication and support channels are clearly defined and easily accessible. Every staff member will know how to raise an alarm, whom to contact and what to do after reporting it. More importantly, it will help you detect threats early, thereby minimising their impact.

Additionally, you should clearly define what tools can be used for communication and collaboration. For instance, employees should be discouraged from using personal apps like WhatsApp and Facebook for official communication and file transfer. Not only does it put company data in danger, but it might also hurt your chances of achieving compliance.

Friction-Free Systems and Strategies

When it comes to devising new security strategies or evaluating new systems, ensure that you give due importance to user experience and efficiency. For instance, if your company’s antivirus solution slows down employee workstations, they may resort to disabling it to get work done, which is a recipe for disaster.

Although security is critical, it shouldn’t come at the cost of efficiency and user experience. Following security measures and policies shouldn’t feel like extra work, otherwise employees could grow weary and abandon security best practices altogether. Ensure your security systems and strategies dovetail nicely with their workflow.

Next Steps

The truth is, building a security-first culture is challenging. The hybrid work model has only made it more complicated by adding dozens of new layers and steps to the process. You will undoubtedly need skilled staff, 24/7 support and specialised tools if you want to implement a security-first culture within a hybrid work environment. 

If you are thinking about going down this path, we can help ensure proper and effective implementation and ongoing management of necessary IT, cybersecurity and data security controls.

Our specialists will be happy to help and understand your situation to provide a tailored solution. Get in touch today!

The Beginner’s Guide to Cyber Liability Insurance for Business


The COVID-19 pandemic has impacted everyone in one way or another. If one category most benefited from the pandemic, it’s cybercriminals. That’s why cybercrime has shot up by almost 300% since the start of the pandemic, and that’s why you must adopt necessary measures to protect your business from malicious cyber players. One of these measures is to have Cyber Liability Insurance.

Related Article: How to Become a Resilient Organisation

Cyber Liability Insurance covers the financial loss that results from cyber events such as data breaches. However, cyber liability is not typically included within general liability insurance and must be purchased separately. Also, each company offering a policy has different coverage options available and exclusions included.

Why Invest in Cyber Liability Insurance?

Experts estimate that the damage inflicted by cybercrimes will add up to about $6 trillion globally in 2021. That’s higher than the GDP of the world’s third-largest economy, Japan, which sits at $5.38 trillion.

These statistics stress why SMBs, in particular, must have cyber liability insurance:

  • Over 40% of cyberattacks target small businesses.
  • Over 60% of SMBs have experienced a cyberattack in the past 12 months.
  • Over 45% of SMBs say that their processes are ineffective at mitigating attacks.

Cyber liability insurance could be the difference between your business sinking or staying afloat after a security incident. Without cyber liability insurance, the various expenses you might have to bear after an incident could financially harm your business in the short term or, in the worst case, result in permanent closure.

Over 60% of businesses that suffer a severe cyberattack close their doors within two years. As a business owner, you don’t have to panic. The point we’re trying to make with this article is that being prepared is better than pretending the problem doesn’t exist. So if you’re still not confident about your business resilience, don’t wait until after a hack to do something!

Read: Organisational Resilience Starts with Cyber Resilience – Here’s Why

Here are a few expenses that a business would have to manage following a severe data breach incident:

  • Cost of downtime
  • Cost of investigation
  • Cost of recovering data
  • Cost of legal procedures
  • Cost of notifying stakeholders about the incident
  • Cost of restoring the personal identities of those affected

Good cyber liability insurance would usually cover these expenses. But always remember that before you commit to a policy, you must get clarity from your insurer about what they do and do not cover.


Does your business need it? 

Any venture with cyber exposure must consider having cyber liability insurance. However, cyber liability insurance should be your top priority if your business handles or stores sensitive information online, such as electronically protected health information (ePHI) or personally identifiable information (PII).

Make sure your cyber liability insurance has the following essential coverages:

First-party coverage: 

  • Network security and privacy liability: Covers breach response costs like forensic investigations, public relations, credit monitoring, legal fees and fines/penalties.
  • Business interruption losses and extra expenses: Covers lost revenue and added costs to continue business.
  • Digital data recovery and cyber extortion expenses: Covers losses such as ransom paid due to ransomware.

Third-party coverage: 

  • Cyber liability: Covers claims of lawsuit expenses resulting from breaches in client systems or networks.
  • Media liability: Covers claims of libel, copyright/trademark infringement, etc., resulting from media use.

Cybercrime coverage: 

  • Covers losses from digital theft of money or securities and social engineering fraud

Who Are the Top Cyber Liability Insurance Carriers?

Finding the right cyber liability insurance provider is not easy. While most general insurance providers offer general liability coverage, they don’t always provide comprehensive cyber liability coverage. Choosing an insurance provider rated ‘A’ or higher by the most reputable insurance rating agency is always ideal. 

The following insurance carriers are worth considering:

  • Hiscox
  • Chubb 
  • AIG 
  • Travelers
  • AXA XL 
  • AmTrust Financial 
  • Co-Operators

But remember, just committing to a policy is not enough. You will also have to track/measure compliance with the agreement to make sure your contract is always valid and will, therefore, pay out in the event of an issue.

Recommended: What to Include in Your Incident Response Plan

Suppose your business is not following the recommended procedures for cyber security or doesn’t have the correct efforts in place. In that case, you’re facing the risk of cybercrime and not having the desired coverage. Be sure not to fall in that limbo!

Having the right partner by your side simplifies this process.

Whether you are looking to find a cyber liability insurance policy that is right for your business or trying to find and measure your policy’s compliance with cyber liability insurance contracts, we are here to help.

Contact us now to assist you in developing your cyber security strategy, including finding the right cyber liability insurance policy!


Protecting the Meat Processing Industry from Cybercrime


Recently some of the most significant players in the meat processing industry have suffered from cyber-attacks and exposed how unprepared the sector is to handle cybercrime. World-leading companies like JBS and Euro Farm Foods were hit by Ransomware and had to bring their operations to a halt immediately.

Cybercrime is at an all-time high and doesn’t show signs of slowing down anytime soon. Nevertheless, it usually takes some shocking incident for most people and businesses to begin taking action and protecting their valuable digital assets. 

If you are part of the meat processing industry or any field related to manufacturing and are looking to know what it takes to protect yourself, you came to the right place. In this article, we’ll be sharing a free Webinar we did on this exact topic soon after the hacks took place. In this chat, our CEO Mark Hurley spoke to our partners from Threat Locker and Westcoast Cloud to explain the critical points below:

  • Why is the meat processing industry being targeted?
  • How can you protect your business?
  • What is Zero Trust Security, and how does it help?
  • Is moving to the Cloud the answer?

Why is the Meat Processing Industry a Target for Cybercriminals?

Let’s begin with the most common question. This industry is becoming a target for many reasons. Criminals are looking for businesses that don’t traditionally invest much in security, as they are easier targets and pose virtually no risk or resistance.

Not only that, but almost every single industry in today’s economic landscape is increasingly being targeted by cybercriminals. This happens because everybody is becoming more reliant on technology, and businesses have a lot to lose if they lose access to their systems. Criminals are also becoming better and utilising more sophisticated tools, sending automated messages to thousands of people while investigating potential targets to hack.

Like any other industry with low cyber maturity, this industry is an untapped gold mine for criminals. It will continue to be until the core notions are implemented throughout the sector and people and businesses are better equipped to handle cyber threats.

Watch the Full Webinar

We hope this Webinar can provide value for your business and ultimately leads to better protection and security. The discussion held at the Webinar is valid for companies in most manufacturing lines, so feel free to share if you know anyone who could benefit from it. 

Please don’t hesitate to get in touch if you are looking for specialised guidance – our team will be happy to help.


Thanks for watching. Visit our blog and social media for more exclusive content.


Securing your Hybrid Work Environment


The COVID-19 pandemic caused an unprecedented shift in the way people work. Although most companies initially relied on a fully remote work model, the vaccine rollout has led to the popularisation of hybrid work environments. This, in turn, has raised the question: how can businesses secure their hybrid work environment and ensure both on-site and remote staff can avoid cyber threats?

This question is relevant because hybrid work has never existed at this scale, and most businesses were not structured to function like this. A hybrid work environment has elements of both the traditional on-site work model and the remote work model. Employees can choose to work from home, at the office or a combination of both.

Recommended Read: Lessons in Lockdown – Our Guide to Smarter Remote Working

If you are planning to bring all your workforce back to the offices when you have the chance, consider some of the advantages hybrid environments have, such as:

Employee happiness

Hybrid environments help boost employee morale since there is an opportunity for collaboration with colleagues at the office and while working remotely.

Better productivity

The flexibility provided by the hybrid work model helps employees focus on their work when they are at their most productive. In a survey by Microsoft, 82% of business leaders reported good productivity when flexible work schedules were adopted.

Reduced costs

Companies no longer need to provide office spaces for their entire workforce at once, and employees need not commute daily to their offices. It helps reduce costs significantly.

Better protection against the pandemic

Although vaccination is encouraged worldwide, the World Health Organization has suggested that everyone follow measures like social distancing for an extended period of time. Keeping this in mind, a hybrid environment certainly ticks all the boxes.

Related Article: Securing Company Data with a Remote Workforce.

On the flip side, hybrid work environments do have their share of disadvantages as well. Of these, heightened cyber risks need immediate focus.

The Problem and the Solution toward Securing Hybrid Work

Flexible work locations expose businesses to cyberattacks and associated pitfalls like data loss, because many endpoints operate outside the secure corporate perimeter. That is why 88% of businesses believe it is vital to secure remote work tools and protect customer or employee data in the distributed work environment. This puts the responsibility on companies to protect their digital assets through regular software updates, proper password management, robust data backups and business continuity solutions, continual employee training, etc.

Hence, asset management is imperative for the diagnostics and mitigation of vulnerabilities and threats. Keeping a tab of all software and hardware your business possesses can be an ideal first step towards successfully managing digital assets. It should not just be a one-dimensional process of noting down the model number, serial number, location, etc. Asset management for security and data breach protection related to hybrid environments needs an in-depth set of inventories. For this, there should be a clear picture of the operating system, the patch levels, the configurations and even the state of known vulnerabilities.

This will provide you with accurate information and an overall view of your technology assets, which is why it should be the first step in securing your environment. Clarity is vital at this stage, and it will guide you through the following steps.

Asset management provides a firm foundation for risk assessment of your business’ hybrid work environment. A risk assessment helps you identify:

  • Internal and external vulnerabilities in your organisation.
  • Threats to the business’ data, systems, software, cloud and networks.
  • Consequences/impact if the threats exploit vulnerabilities.
  • Possibility of harm that may eventually unfold.

We have a dedicated article explaining what you need to know to begin Building an Asset and Risk Register to Tackle Technology Risk, with a sample risk register available for download as well. Click the link to dive in!
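The inventory and risk register described above, as an added example that is not Spector's own register or the downloadable sample: each asset records OS, patch level, location and known vulnerabilities, and risks are scored as likelihood times impact so the urgent pain points sort to the top. The asset names, patch-level labels and scores are constructed sample data, and the scoring rules are an assumption of this example.

```python
"""Minimal asset inventory and risk register for a hybrid work environment."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Asset:
    name: str
    location: str            # "office", "home" or "cloud"
    os: str
    patch_level: str         # YYYY-MM of the last applied update roll-up (constructed label)
    criticality: int         # 1 (low) .. 5 (business-critical); used as the impact score
    known_vulns: List[str] = field(default_factory=list)


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int          # 1 (rare) .. 5 (almost certain)
    impact: int              # 1 (negligible) .. 5 (severe)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def rating(self) -> str:
        # Assumed thresholds for a 5x5 matrix; tune to your own appetite.
        if self.score >= 15:
            return "High"
        if self.score >= 8:
            return "Medium"
        return "Low"


def stale_assets(assets: List[Asset], baseline: str) -> List[Asset]:
    """Assets behind the patch baseline or carrying a known vulnerability."""
    return [a for a in assets if a.patch_level < baseline or a.known_vulns]


def build_register(assets: List[Asset], baseline: str) -> List[Risk]:
    """Derive risks from the inventory and sort them by score, highest first."""
    risks: List[Risk] = []
    for a in assets:
        # Endpoints outside the office perimeter are easier to reach, so likelihood rises.
        exposure = 1 if a.location == "office" else 2
        if a.patch_level < baseline:
            risks.append(Risk(a.name, "Malware exploiting unpatched software",
                              f"patch level {a.patch_level} behind baseline {baseline}",
                              likelihood=2 + exposure, impact=a.criticality))
        for vuln in a.known_vulns:
            risks.append(Risk(a.name, "Exploitation of a known vulnerability", vuln,
                              likelihood=3 + exposure, impact=a.criticality))
        if a.location == "home":
            risks.append(Risk(a.name, "Data loss or theft from a remote endpoint",
                              "home network and backup state not managed by the business",
                              likelihood=3, impact=a.criticality))
    return sorted(risks, key=lambda r: r.score, reverse=True)


# Constructed sample inventory for a small hybrid team.
BASELINE = "2022-01"
SAMPLE_ASSETS = [
    Asset("FIN-LAPTOP-01", "home", "Windows 10", "2021-09", 5,
          ["unsupported VPN client version"]),
    Asset("HQ-FILESERVER", "office", "Windows Server 2019", "2022-01", 5),
    Asset("SALES-LAPTOP-07", "office", "Windows 11", "2021-12", 3),
    Asset("CRM-SAAS", "cloud", "vendor-managed", "2022-01", 4),
]


if __name__ == "__main__":
    for r in build_register(SAMPLE_ASSETS, BASELINE):
        print(f"{r.rating:6} {r.score:2}  {r.asset:16} {r.threat}: {r.vulnerability}")
```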

Remember, regular risk assessment offers the following benefits to your business:

Identifying your risk profile and defining priorities: 

Detecting threats and sorting risks based on their potential for harm help you focus your efforts on urgent pain points.

Protecting your digital assets: 

A risk assessment helps you determine ways to protect your critical assets and vital data in the distributed work environment. 

Read: Importance of Secure Cloud Backup Solution for Remote Workers

Reduce security spending: 

Regular risk assessments help you reduce security spending because you know where to allocate funds to ramp up security. You may also find you have more than one tool doing the same thing, thus avoiding redundancy.

Actionable analytics:

Having access to information provides insights into the future and helps you take adequate actions to improve your business’ security.

Keeps you compliant: 

When you handle your business assets and data securely through regular assessments, you can save your business from a regulatory violation. Learn more about How to Ensure Compliance when Working Remotely.

This is just the beginning to secure hybrid work environments

As mentioned above, risk assessment and asset management can help you address, reduce or avoid security challenges. After knowing your risks and defining priorities, you’ll need to pursue the appropriate solutions to address each of them. You can get started with the asset and risk register by yourself. Read our dedicated article on it if you’re looking for more guidance.

However, doing everything by yourself, with no experience, may be confusing. Learning which solutions are best suited for your business could also be tricky, as there is a wide variety of tech solutions available today. If you think you could use some help about where to start, simply get in touch.

By collaborating with a specialised partner in technology, risk assessment and asset management, you can prevent vulnerabilities from escalating into full-blown disasters. Our knowledge comprises all you will need to both identify, plan and implement a tailored solution to protect your business and help your team avoid cyber threats. Schedule a discovery call today!

Sources:

  1. Building resilience & maintaining innovation in a hybrid world, Microsoft
  2. Accelerating Digital Agility, Cisco

What to Include in Your Incident Response Plan

Photo by Kristine Wook on Unsplash

Reading Time: 3 Minutes
A security incident can topple an organisation’s reputation and revenue in a short amount of time. As billionaire Warren Buffett once said, “it takes 20 years to build a reputation and five minutes to ruin it.” Keeping that in mind, it’s essential to have an incident response plan in place before a security breach occurs.

An incident response plan is a set of instructions intended to facilitate an organisation in detecting, responding to and recovering from network security incidents such as cybercrime, data loss and service disruptions. Having a plan in place contributes to the development of cybersecurity as well as overall organisational resilience.

Recommended Read: How can Cyber Resilience Help SMEs in Ireland

Since most small and medium-sized businesses (SMBs) have limited resources and funds, incident response is usually given less attention. However, failing to respond swiftly and effectively when a cyberattack occurs can cost far more than putting an incident response plan in place.

Essential Elements of an Incident Response Plan

Every incident response plan should include the following five key elements to successfully address the wide range of security issues that an organisation can face:

Incident Identification and Rapid Response

It’s critical to evaluate the threat quickly and decide whether to activate the incident response plan. This requires two prerequisites:

  • An authorised person who can declare an incident and initiate the plan
  • A meeting point, online or offline, for the incident response team, ideally one that doesn’t depend on the systems that may be compromised

The sooner the incident is detected and addressed, the less severe the impact.

Resources

In a cyber event, an incident response team will usually have emergency kits on hand, including the following resources to navigate the event:

  • Tools to isolate affected machines from the network (rather than powering them off) so that volatile evidence is preserved for forensic analysis
  • Controls to lock attackers out of the IT environment, such as credential resets, session revocation and firewall rules
  • Standby machines and verified backups to keep operations running

Knowing what resources you will need and having them ready in these circumstances could be critical for recovery.

Roles and Responsibilities

An incident could occur in the middle of the night or at the worst possible moment, such as the busiest week of the year for your business. That’s why it’s critical to define the roles and responsibilities of your incident response team members in advance: they could be called in at any time. You must also have a reserve team in case any of the primary contacts are unavailable.

In a cyber incident, time is critical, and everyone must know what to do. Make accountability explicit both within your team and with external providers and partners.

Detection and Analysis

This is, without a doubt, one of the most crucial elements of an incident response plan. It covers documenting everything, from how an incident is detected and reported to how it is analysed and contained. The aim is to create a playbook with procedures for detecting and analysing a wide range of incidents, including which logs and telemetry to check and how to classify severity.

Containment, Eradication and Recovery

  • Containment specifies the methods for limiting the incident’s scope. A ransomware attack, for example, must be contained very differently from an insider threat.
  • Eradication covers the techniques for removing the threat from all affected systems, including the initial access path, so that the attacker cannot simply return.
  • Because incidents cannot always be prevented, recovery concentrates on reducing harm and resuming operations as quickly as possible: restoring from known-good backups, verifying the restored systems and monitoring for re-infection. Learn more about Disaster Recovery.

Considerations for an Incident Response Plan

An incident response plan must address any concerns that arise from an evolving threat landscape. Before you start crafting your plan, there are several considerations to be made, including:

  • Building an incident response plan should not be a one-off exercise. It should be reviewed regularly to ensure that it considers the most recent technical and environmental changes that may influence your organisation.
  • Your incident response plan and the team working on it must be supported and guided by top management.
  • It’s critical to document the contact information of key personnel for emergency communication.
  • Every person in the incident response team must maintain accountability.
  • Deploy the appropriate tools and procedures to improve the effectiveness of the incident response.
  • Your security, backup and compliance postures must all be given the same attention.

Related Article: Becoming a Resilient Organisation

We live in an era where only resilient organisations can navigate through all the complexities created by technological advancements and other unexpected external influences. That’s why having an incident response plan is essential.

Trying to develop and deploy an incident response plan on your own might be tricky, and this is not a situation where you can afford to make mistakes. Partnering with a specialist can take the load off your shoulders and give you the advantage of having an expert by your side. Contact us today to schedule a discovery call, where our team will understand more about your challenges and guide you through our process.

Thank you for reading! If you have found value in this content, please share it with others who may feel the same way. Follow us on Social Media for more exclusive content.

A Resilient Organisation Starts with Cyber Resilience —Here’s Why

Photo by Nastuh Abootalebi on Unsplash

Reading Time: 3 Minutes

Global events, such as recessions and pandemics, create enormous social and economic challenges that impact organisations and their management. From employee and customer satisfaction to financial difficulties, supply chain disruption and skyrocketing cyberattacks, top-level management oversees a wide range of concerns.

As business owners aim to address multiple challenges that may threaten their organisations’ success, resilience is a trending buzzword. Organisational resilience is an organisation’s ability to foresee, plan for, respond to and adapt to gradual change and unexpected disruptions to survive and thrive.

Recommended Read: Becoming a Resilient Organisation

During the COVID-19 pandemic, organisations that already practised methods to cultivate resilience, such as remote/hybrid work and digital transformation, showed that they could recover quickly from setbacks and gain an advantage over competitors.

If you want to prioritise resiliency within your own business, one of the first steps you should take is building cyber resilience. Cyber resilience refers to an organisation’s ability to consistently deliver the desired outcome in the face of adverse cyber events.

Cyber Resilience Powers Transformation

According to Forrester, cyber resilience is more than just a security imperative. It’s the foundation of a strong business and brand. This is one of the reasons why over 65% of organisations are investing in improving their cyber resiliency posture. Companies across the globe have begun to realise that it’s time to look inward and identify and close security gaps to build a more resilient future.

While establishing cyber resilience, consider the following:

  1. You must deploy tools to detect, evaluate and handle network and information system risks, including those that affect your supply chain.
  2. It’s critical to identify irregularities and potential cybersecurity issues through continuous network and information system monitoring before they become severe threats.
  3. Implementing an incident response strategy is crucial to ensure operational continuity where you can bounce back quickly even if you are the victim of a cyberattack.
  4. Always ensure that your cyber resilience strategy is overseen by top management and integrated into day-to-day operations.

Companies that invested in cyber resilience expected the following results:

  • Increased secure collaboration within the organisation
  • Better preparedness, response and remediation skills in the event of a security incident
  • Improved integration of people, processes and technology

How to Improve Your Cyber Resilience

Employee training

Providing continual security awareness training to your employees enables them to identify threats and vulnerabilities. It enhances employees’ defensive abilities and prepares them to effectively deal with a crisis. Learn more about the importance of cyber security training.

Stay current with technological advances and the threat landscape

It’s crucial to keep up with the latest technology developments and threats. If you have no understanding of what you’re up against, you can’t protect your business.

Harden your security systems

Regularly audit your digital and physical systems to identify vulnerabilities. Apply hardened baseline configurations to critical systems, remove unneeded services and accounts, and keep patches current to prevent unauthorised access.

Adopt advanced technologies

Legacy technologies may be ineffective in dealing with today’s challenges. As a result, having the most up-to-date and effective technologies and tools to secure your organisation is critical.

Partner with an MSP

Resiliency is no longer a choice but a necessity. However, it requires a significant amount of time, effort and expertise. It’s always best to collaborate with an expert partner like us who can handle resiliency and technology matters for you. Learn what a cybersecurity company can do for your business.

If you’re ready to take the first step towards building cyber resiliency in your organisation but aren’t sure where to start, contact us to schedule a no-commitment call. Our team will understand your needs and suggest a tailored solution to bring your organisational resilience to the next level.

Thanks for reading. Feel free to visit our blog and social media for more exclusive content.

How to Become a Resilient Organisation


Reading Time: 3 Minutes
The last year and a half have taught us that the world can experience a tremendous change in a short time. Whether it’s rapid technological advancements, political transitions, cyberattacks, stalling economies or even a global pandemic, only resilient organisations can weather these storms.

That’s why the concept of organisational resilience is now more relevant than ever before. Organisational resilience is all about how well a company anticipates, plans for and responds to gradual change and unexpected disruptions in its business environment so that it can continue to operate and thrive.

Related Read: How Can Cyber Resilience Protect SMEs in Ireland?

Organisations and individuals that discovered meaningful ways to practise resilience in the face of change, from remote and hybrid working to digital acceleration, proved to have an enormous strategic advantage. Cultivate a resilient culture so that you aren’t caught off guard when disruptions occur.

Remember, if your people, processes and technologies aren’t resilient, your business will have a tough time recovering from setbacks such as downtime-induced financial loss as well as dissatisfied employees.

What Does a Resilient Organisation Look Like?

Organisations that recover quickly from setbacks typically do the following:

Create an environment for innovation

An organisation’s employees are among its most valuable assets. You can encourage innovation among your employees by creating a work culture that supports creative thinking and effective communication. This will empower them to contribute their knowledge, abilities and suggestions.

An innovative work culture ensures that everyone in the company works towards improving business practices, productivity and overall resilience. An innovative organisation can quickly come up with multiple strategies to deal with a crisis.

Adapt to meet changing customer needs

Consumer demands and behaviour are influenced by global events. With that in mind, if a customer-focused company wants to survive and prepare for the future, it must understand and adapt to changes.

Asking these three questions will provide organisations with perspective:

  • What are our customers’ behaviours?
  • Why do our customers behave that way?
  • What do we need to alter to cater to a new set of demands and behaviours?

Overcome reputational and organisational setbacks

Almost every firm will face reputational or organisational setbacks at some point during its life span. Some businesses may crumble as a result of their inability to prepare for and recover from change and challenges. However, the resilient ones will do everything in their power to identify the source of the setback, rectify the damage caused and make communication with stakeholders transparent.

Read: How Backup and Disaster Recovery Protects SMEs

Rise to the challenge

While it’s impossible to control what challenges your business encounters, you can certainly control how you deal with them. A resilient organisation will be better equipped to stand firm in the face of severe adversity and will have the means to recover as quickly as possible.

Tactics of Resilient Organisations 

Prioritise the following tactics to nurture a resilient organisation:

Proactive cybersecurity planning 

Being proactive about cybersecurity means your business isn’t just waiting for an attack but has tools and procedures in place to withstand threats even when you become a target. Implementing standards and guidelines such as ISO27001 or the NIST (National Institute of Standards and Technology) Cyber Security Framework is often an excellent choice, depending on your industry and location.

More on these guidelines: Our Detailed Guide on NIST and an article comparing both: NIST or ISO27001 – why choose one?

Protection of intellectual property (IP) 

This is more of a legal and operational task and includes having the right employee, contractor and partnership agreements in place to prevent critical organisational IP from being disclosed.

Implementation of uptime safeguards

This requires being able to restore service via automatic failover or backup and recovery. Learn how much downtime costs your business.

Contingency plan mapping 

Build a business continuity and disaster recovery plan that lays out contingency plans for events like downtime, evacuations, and so on to be prepared for tricky situations.

Read: What is Business Continuity, and why does it matter?

First Step to Organisational Resilience: Understand your Path

Organisational resilience doesn’t happen by accident; it requires a structured and well-thought plan made for your business. To build this plan, you need to understand which areas are lacking and thriving so that priorities may be addressed and remaining gaps can be closed.

Trying to build a resilient organisation on your own is a massive challenge and will consume a great deal of time and resources. Partnering with an expert like us takes the worry and heavy load off your shoulders. Contact us today to schedule a consultation, and we’ll guide you through every step of the process.

Thanks for reading. Feel free to visit our blog and social media for more exclusive content.

The Role of Compliance in Cybersecurity 

Photo by Christin Hume on Unsplash

Reading Time: 3 Minutes
The overall technology landscape is evolving at a breakneck pace. While these changes are meant to improve the quality of life, the unfortunate flip side is an increase in cyber threats. This is why global cybersecurity spending increased from nearly $40 billion in 2019 to $54 billion in 2021. Unfortunately, due to a lack of spending on personnel or technology, SMBs are most frequently targeted by threat actors.

Recommended Read: How a ‘Compliance First’ Mindset Limits Liabilities for SMEs 

Many businesses fall victim to cybercrime because compliance and security are not a high priority for them. For your organisation to run smoothly, both compliance and security are critical. While compliance ensures that your organisation stays within the bounds of industry or government laws/regulations, security ensures that your organisation’s integrity and vital data are safeguarded. 

Know These Benefits 

The following are the reasons why adhering to industry compliance regulations is so important from a cybersecurity perspective:

Encourages trust 

Customers usually put their trust in an organisation while sharing their personal information, but unfortunately, personally identifiable information (PII) gets exposed in around 80% of security breaches. Following regulatory standards demonstrates that the organisation cares about its customers and wants to protect sensitive data. 

Improves security posture 

Regulatory compliance helps improve an organisation’s overall security posture by establishing a consistent baseline of minimum security requirements. 

Reduces loss 

Data breaches are less likely to take place when security is improved. This lowers the cost of data loss, which can skyrocket when you factor in lost revenue, restoration costs, legal penalties and compensation. 

Increases control 

Improved security leads to increased control over the IT infrastructure. This can help prevent data loss/corruption and reduce the amount of time spent fighting cyberattacks. 

Industries and Regulations 

While each industry has its own set of cybersecurity issues, some overlap. Phishing, for example, is a threat that almost all industries face. To combat these challenges, each sector has its own set of compliance and regulatory standards with specific provisions for security and privacy.  

Some regulations apply to multiple industries as well. Note that compliance regulations change from one country to the next and sometimes even within the same country. Let’s take a look at some of the industries and their associated rules:

Healthcare 

In the healthcare industry, shared data is highly sensitive. Cybercriminals who steal protected health information (PHI) usually fetch a high price for it on the dark web. Therefore, there are regulations in place, like the ones mentioned below, to ensure the secure handling of data: 

  • The Health Insurance Portability and Accountability Act (HIPAA) prohibits the disclosure of PHI without the patient’s consent. 
  • In the European Union, the General Data Protection Regulation (GDPR), together with the national laws that implement it, such as Ireland’s Data Protection Act 2018 (DPA), regulates the handling of health-related data as a special category of personal data.

Is your business ready for HIPAA and PCI-DSS? Find out in this article.  

Finance 

Finance is often the most regulated sector because a big chunk of data revolves around payments and financial transfers. Some of the most popular regulations in this industry are listed below. 

  • The Payment Card Industry Data Security Standard (PCI-DSS) is an information security standard aimed at reducing payment card fraud. It is a contractual standard rather than a law, and it applies to any organisation that stores, processes or transmits cardholder data, so its scope goes well beyond the financial industry.
  • In Japan, the Act on the Protection of Personal Information (APPI) regulates the commercial use of personal data, including financial data.
  • The EU’s revised Payment Services Directive (PSD2) governs payment services, including strong customer authentication and third-party access to account data.

Defence 

There are strict regulations in the defence sector since a breach could result in the disclosure of national secrets. 

  • The Cybersecurity Maturity Model Certification (CMMC) governs the Defense Industrial Base (DIB) in the United States. 
  • In Australia, the Defence Industry Security Program (DISP) helps organisations understand and meet their security obligations when working on defence projects, contracts and tenders.

Data Protection Standards – ISO27001 

Having compliance standards or frameworks to direct your efforts tends to be an effective strategy. One of the most respected and requested standards globally is ISO27001, and for good reasons. If your business follows the controls required by the standard and the right policies, tools and procedures are in place, you’re bound to be in a much better place in terms of security.

Read: ISO27001 vs NIST CSF – Why Choose One? 

As is the case with the regulations mentioned above, a business that seeks to adhere to compliance best practices will generally improve its security as a requirement. Hence, compliance and security walk side by side and compose the GRC (Governance, Risk & Compliance) discipline.

Reaching your Compliance Goals 

Upgrading your business’s compliance and security posture is no longer optional but a necessary undertaking. You can save a tremendous amount of time and effort by finding the right partner to guide you along the way.

No goal is too far. Our expertise will break down what seems to be a daunting task into achievable steps, and you’ll soon be in a much better place. Contact us to schedule a Gap Analysis or read our brochure to learn all advantages of our Compliance and Cyber Security Programme.

Sources: 

  1. Statista 
  2. IBM Cost of a Data Breach Report 2020

What You Should Know if Your Business Is Targeted by Ransomware

Photo by freestocks on Unsplash

Reading Time: 4 Minutes

It may not be news to you that ransomware is on the rise, but the numbers may leave you shocked. In 2020 alone, there were close to 300 million ransomware attacks worldwide. The cost of ransom payments demanded by hackers is also increasing in tandem with the increase in attacks. According to a recent projection, the global annual loss from ransomware attacks will touch $20 billion by the end of 2021.

Offerings like ransomware-as-a-service have made it easier for criminals with little technical knowledge to become threat actors. These attackers are less predictable and seem to lack any code of ethics: some groups in the past kept lists of organisations they wouldn’t attack, such as cancer treatment facilities, but that’s often not the case anymore, as the recent attacks on the HSE and NHS show (click the link below for details on those cases).

Read: Ransomware – The Cybercrime that has struck the HSE

A ransomware attack can affect any organisation, regardless of size or industry. However, SMBs are the most vulnerable since cybercriminals count on these businesses to lack the resources to battle cybercrime or the IT teams to evaluate cybersecurity measures regularly. Even though SMBs continue to be disproportionately affected by these nefarious attacks, reporting and notifications rarely make the news unless a huge corporation experiences a breach.

With ransomware expected to hit businesses every 11 seconds, always remember that it isn’t a question of IF but instead WHEN your business will come under attack. Keep in mind that with the right security solutions and measures in place, your business won’t have to experience a devastating breach. But first, there are a few things you should know if you experience a ransomware attack.

1- Before Reacting to a Ransomware Attack, Remember:

The FBI advises against paying a ransom because spending money does not guarantee the hackers will share the keys to decrypt your data. Most respected security organisations worldwide also advise against it.

It doesn’t make any sense to place your trust in cybercriminals who have already demonstrated that they aren’t afraid to break the law and take advantage of you for financial gain. However, many businesses find themselves in this situation because they don’t have sufficient security, backup or compliance measures and are desperate to get their data back.

Want to dig deeper? Check our Complete Guide on Ransomware and How to Avoid it

Keep in mind that another reason the FBI advises against giving in to ransomware demands is that you are encouraging criminals to conduct further attacks. If nobody ever paid the ransom, there wouldn’t be as many ransomware attacks. Criminals would have to find new ways to make money and would disregard ransomware as a viable venture.


2- If you fall victim to a ransomware attack and have no option other than paying, “ransomware negotiators” are available for hire.

In ransomware negotiations, the most crucial moment occurs long before the victim and the attackers discuss the ransom. By the time both sides start talking, the attackers have already gained considerable control over the organisation’s network by encrypting sensitive business data and other digital assets, and often by exfiltrating copies of it. The more data they hold, the greater their negotiating power.

So, even before you begin negotiations, you need to know how much data has been compromised and what negotiating methods have been employed in the past by the criminals. Professional ransomware negotiators can help at this stage. Although a ransomware negotiation rarely results in a ransom demand being totally withdrawn, it can significantly bring down the asking price.

3- Victims of ransomware should expect the following:

  • The data will not be erased in a trustworthy manner. It will be sold, mishandled or stored for future extortion attempts.
  • Multiple parties will have handled the exfiltrated data. Even if the attacker deletes a large portion of it once the ransom is paid, others who had access may have kept copies to make payment demands later.
  • The data may be leaked, intentionally or inadvertently, before the victim can even respond to the extortion attempt.
  • Even if the threat actor explicitly promises to provide a working decryption key after payment, they may not keep their word.

Make Your Move Before It’s Too Late

You’re probably wondering what steps you can take right now to combat the menace of ransomware targeting vulnerable systems. Our best recommendations are layered security and a robust backup strategy.

Related Read: Backup Strategies to Prevent Data Loss

Since no security technology or measure is flawless or guaranteed, layered security assumes that attackers will infiltrate different layers of an organisation’s defences or have already done so. This approach aims to provide multiple security measures so that if an attack gets past one security tool, there are others in place to help identify and stop the attack before your data is stolen.

If the idea of protecting your business is overwhelming, don’t worry. You don’t have to do it alone. Collaborate with an experienced partner like us to do the heavy lifting for you. Our cybersecurity expertise and knowledge will help you pave the way to a more secure future. To get started, contact us and talk to one of our specialists.

Our team will be happy to understand your concerns and propose a tailored solution to address your business challenges. Don’t spend another minute worrying about cyber threats and find true peace of mind by knowing we got your back!

Sources:

  1. Statista
  2. Cybersecurity Ventures

Cybersecurity: What Every Business Owner Should Know

Photo by Medienstürmer on Unsplash

Reading Time: 3 Minutes
While organisations and workers have certainly benefitted from the advancement of technology, it has also introduced an unprecedented number of cybersecurity risks. Ransomware attacks, for example, hit businesses every 11 seconds in 2021. Therefore, if you want your business to grow and succeed, you must understand the realities of cybersecurity.

Recommended Read: What can a Cyber Security Company do for my Business?

The Reality of the Current Threat Landscape

Did you know that the cost of cybercrime downtime is typically higher than a ransom?

Almost every organisation will encounter cybercrime at some point. It’s not a question of IF, but rather WHEN it will happen. While that reality can be alarming, there’s no need to panic. There are proactive steps you can take to protect your business and achieve peace of mind. But first, let’s discuss what you need to be aware of.

Here are some of the most severe and prevalent cyberthreats facing business owners right now:

Ransomware:

Ransomware is malicious software that threatens to reveal sensitive data or prevent access to your files/systems until you pay a ransom payment within a set timeframe. Failure to pay on time can result in data leaks or irreversible data loss. Learn more about Ransomware in our complete guide.

Phishing/Business Email Compromise (BEC):

Phishing is a cybercrime involving a hacker impersonating a legitimate person or organisation, mainly through emails or other methods such as SMS. Malicious actors employ phishing to send links or attachments that can be used to extract login credentials or install malware. Learn how to avoid phishing and deal with suspicious emails.

Similarly, business email compromise (BEC) is a scam in which cybercriminals use compromised email accounts to trick victims into sending money or revealing sensitive information.

Insider Threats:

An insider threat arises from within a company. It could come from a current or former employee, vendor or other business partner who has access to critical corporate data and computer systems. Insider threats are hard to detect because they emerge from within and are not always intentional. Read: Protecting your Business from Human Threat.

Denial-of-Service/Distributed Denial-of-Service (DoS and DDoS):

These attacks are widespread and easy to carry out. When a DoS or DDoS attack occurs, hackers flood the targeted system with repeated data requests, forcing it to slow down, crash or shut down. It’s just as if millions of people tried to access your website or app at the same time.


If you are still unsure whether you should be concerned about these sophisticated threats or not, the following statistics may help you make up your mind:

  • It takes an average of 280 days to identify and contain a breach.
  • Malicious attacks with financial motivations were responsible for 52% of breaches.
  • Personal Identifiable Information (PII) is compromised in 80% of data breaches.

Implement These Measures to Secure Your Business

Now that you know what types of cyber threats to look out for let’s take a look at some measures you can put in place to protect your business against cybercrimes.

Strict Password Policies/Management Tools

Strict password policies and a proper password management solution improve your organisation’s overall password hygiene, and they are in many ways the first line of protection against cybercriminals. Current guidance (NIST SP 800-63B) favours length over forced complexity, screening new passwords against lists of known-breached passwords, rejecting context-specific words such as the username or company name, and no routine expiry; a password manager lets every account have a long, unique credential without anyone memorising it.
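To make the policy concrete, here is an added example (not code from the original article) of a password check that follows the NIST SP 800-63B approach described above: length limits, screening against a breached-password list, and rejection of context-specific words, with no composition rules or forced rotation. The deny-list is a small constructed stand-in; the names `check_password`, `normalise` and `BREACHED_PASSWORDS` are my own.

```python
import unicodedata
from typing import Iterable, List

# Constructed stand-in for a breached-password corpus. Assumption: a real
# deployment would screen against a large list such as Have I Been Pwned.
BREACHED_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome1", "spring2022!",
}

MIN_LENGTH = 8   # NIST SP 800-63B minimum for user-chosen passwords
MAX_LENGTH = 64  # allow long passphrases while bounding hashing cost


def normalise(password: str) -> str:
    """Unicode NFKC normalisation so visually identical inputs compare equal."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, username: str = "",
                   context_words: Iterable[str] = ()) -> List[str]:
    """Return the reasons a candidate password is rejected (empty list = accepted).

    Rules follow NIST SP 800-63B: length limits, screening against known-breached
    passwords, and rejection of context-specific words such as the username or
    the company name. Deliberately no composition rules and no forced expiry.
    """
    pw = normalise(password)
    lowered = pw.lower()
    reasons: List[str] = []

    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if lowered in BREACHED_PASSWORDS:
        reasons.append("appears in breached-password list")
    if len(username) >= 3 and username.lower() in lowered:
        reasons.append("contains the username")
    for word in context_words:
        if len(word) >= 3 and word.lower() in lowered:
            reasons.append(f"contains context-specific word '{word}'")
    if len(set(lowered)) == 1:
        reasons.append("single repeated character")
    return reasons


if __name__ == "__main__":
    for candidate in ("Spring2022!", "correct horse battery staple", "short1"):
        verdict = check_password(candidate, username="alice", context_words=("Spector",))
        print(f"{candidate!r}: {'accepted' if not verdict else ', '.join(verdict)}")
```

Note what the check does not do: it never demands a digit or a symbol, because "Spring2022!" satisfies every classic complexity rule and is still rejected here for being a known-breached password, while a long passphrase passes.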

Strong Identity Controls – Multifactor Authentication (MFA) 

To combat the current threat landscape, you need identity controls that go beyond a username and password. Use multifactor authentication (MFA), ideally with an authenticator app generating time-based one-time passwords (TOTP), push approval or a hardware security key. Avoid relying on security questions, which are just a second thing the user knows rather than a true second factor, and treat SMS codes as the weakest acceptable option, since they can be intercepted or SIM-swapped.

Regular Risk Assessment 

This process aids in the detection, estimation and prioritisation of risks to an organisation’s people, assets and operations. Learn why you need a Risk Assessment.

Virtual Private Network (VPN)

To protect remote workers, set up a corporate VPN so that traffic between their devices and company resources is encrypted, and require MFA for VPN logins so that a stolen password alone is not enough. Make sure your employees test it from their respective locations to avoid any hassles.

Business Continuity Strategy 

When disaster hits, a solid business continuity strategy ensures that mission-critical operations continue uninterrupted and that IT systems, software and applications remain accessible and recoverable. Learn more about Business Continuity.

Continual Security Awareness Training 

Continuous security training empowers your employees to recognise complex cyberthreats and take appropriate action, resulting in a transformative security culture within your organisation. Most cyber security incidents could be avoided with due training.

If you’re ready to strengthen your cybersecurity posture but aren’t sure where to start, don’t worry. We can help your company build a digital fortress of protection solutions. Contact us today to schedule a Discovery Call – a consultation free of charge and commitment. Our team will be happy to understand your concerns and discuss a personalised solution for your business to handle the immediate issues and future-proof your technology.

Sources:

  1. Cybersecurity Ventures
  2. IBM Cost of Data Breach Report

The Top Supply Chain Vulnerability: People

Supply Chain Employee Risk
Photo by Jeriden Villegas on Unsplash

Reading Time: 4 Minutes
The supply chains of this digital era are long and complex, and any disruptions caused by security threats will have a massive impact on the entire organisation. While supply chains are prone to different types of external risks, such as supply disruption, high demand, financial instability, etc., businesses can usually plan against them and ensure continuity. What most companies often overlook are the internal threats arising from malicious or negligent employees within a company.

The risk of someone infiltrating your systems through an external vendor is at an all-time high right now. Since you are not in direct control of the employees who work for your vendors, you might find it more challenging to mitigate the people risks in your supply chain. However, this does not mean that supply chain risks cannot be mitigated at all. With proper security awareness training extended to your vendors and the building of a resilient defence against various threats, supply chain risks can be reduced to a great extent.

Related Article: Biggest Cyber Security Risk – Your Employees

The most significant vulnerability in a supply chain is the human element, so let’s discuss the different measures you can incorporate to overcome this risk.

Why Hackers Target Supply Chains

Cybersecurity risks targeting the supply chain of an organisation have grown exponentially worse over the years. As the pandemic lockdown took effect, supply chain cybersecurity risks increased by about 80% during the second quarter of 2020, with remote working scenarios making things worse for suppliers. However, there are some specific reasons why hackers target the supply chains of large organisations.

With most large organisations now taking adequate precautions against various cyberthreats, gaining access through the front door isn’t as easy as it used to be for hackers. On the other hand, the supply chain offers cybercriminals a creative way to infiltrate a large organisation.

Recommended Read: Recommended Best Practices to Secure your Supply Chain

Small vendors often don’t have the budget to invest in extensive cybersecurity measures. Moreover, these companies are also likely to have legacy hardware and software products that can be exploited in an attack. As a result, these vendors tend to act as a conduit for cybercriminals to inflict a bigger attack on a large organisation.

People Risks Originating From Supply Chains

The employees working in these supply chains often offer the path of least resistance to attackers. Although organisations have well-defined processes to vet and evaluate their suppliers and third-party vendors, it isn’t easy to measure the risks originating from the people who work for these companies. Moreover, organisations don’t have a centralised view of the third-party members accessing their applications and critical data. 

An employee opening an email containing a malicious link and clicking on it can inject a botnet into the IT environment or download a ransomware program. These types of phishing emails can also be used to steal an employee’s login credentials or conduct social engineering attacks. Once these attackers gain a foothold in the IT environment of the vendor, they can use it as a backdoor entry to a larger organisation and infiltrate their IT networks. 

Learn how to avoid Phishing and Suspicious emails.

In addition to potential phishing scams, other activities like using unsecured Wi-Fi networks or personal devices for work in the supply chain can also create significant security issues. Opportunistic cybercriminals look forward to exploiting any possible loophole in an organisation’s security. When these threats carry on from your vendor’s network to yours, it has the potential to disrupt your operations and damage your reputation.

Mitigating Internal Risks in the Supply Chain

Most organisations already have formal programs to assess and manage third-party risks. However, these programs are not always adequate to deal with employee risks. For instance, companies have questionnaires for their vendors regarding their security requirements. A survey by Riskrecon has estimated that only 14% of companies believe the questionnaire responses regarding security from their third-party vendors.  

In this scenario, additional measures are required to deal with the human risks that third parties pose. Follow these measures to mitigate your risks:

  • Limit access to critical information: Many third-party users require access from your end to perform their tasks. However, this access must be limited to their job roles. You also need to have a full list of individuals accessing your information and the type of information they are accessing. 
  • Extend security awareness training to vendors: The cybersecurity awareness training you have for your internal employees should also extend to members of your third-party vendors. There should be strict guidelines on security measures that should be followed by everyone accessing your data. 
  • Create a backup strategy: One of the best ways of mitigating data security risks is by backing up your critical data. You need to be prepared for the worst possible scenarios and have a disaster recovery strategy to get your operations up and running immediately after an unexpected attack. Learn how to create an effective backup and disaster recovery strategy.
  • Audit your vendors regularly: Choosing your third-party vendors is not a one-and-done process. Regular audit of your vendors and business partners will expose new vulnerabilities in their systems.
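The first and last items above (role-limited access, a full list of who touches what, and recurring audits) can be turned into a repeatable review. This is an added example, not Spector’s or any vendor’s tooling: the role-to-data mapping, account records and dates are all constructed for illustration.

```python
"""Third-party access review: added example, not code from the original article.

Given a constructed inventory of vendor accounts and a hypothetical mapping of
job roles to the data classes they may access, report grants that exceed the
role, roles nobody defined, and accounts that have not been used in the review
window. The inventory function produces the "full list of individuals accessing
your information" that the article asks for.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical role -> permitted data classes (an assumption for this example).
ROLE_ALLOWED: Dict[str, Set[str]] = {
    "logistics-coordinator": {"shipment-schedules", "warehouse-inventory"},
    "invoice-clerk": {"supplier-invoices"},
    "support-engineer": {"ticketing-system"},
}


@dataclass
class VendorAccount:
    user: str
    vendor: str
    role: str
    granted: Set[str]          # data classes the account can actually reach
    last_login: Optional[date]  # None means the account has never logged in


def review_access(accounts: List[VendorAccount], today: date,
                  stale_after_days: int = 90) -> List[Tuple[str, str, str]]:
    """Return (user, vendor, finding) tuples for every deviation from least privilege."""
    findings: List[Tuple[str, str, str]] = []
    stale_cutoff = today - timedelta(days=stale_after_days)
    for acct in accounts:
        allowed = ROLE_ALLOWED.get(acct.role)
        if allowed is None:
            # No defined role means no grant is justified: report every grant.
            findings.append((acct.user, acct.vendor, f"unknown role {acct.role!r}"))
            allowed = set()
        for data_class in sorted(acct.granted - allowed):
            findings.append((acct.user, acct.vendor, f"excess grant: {data_class}"))
        if acct.last_login is None or acct.last_login < stale_cutoff:
            findings.append((acct.user, acct.vendor,
                             f"stale account: no login in the last {stale_after_days} days"))
    return findings


def access_inventory(accounts: List[VendorAccount]) -> Dict[str, Dict[str, List[str]]]:
    """Per-vendor view: which user can reach which data classes."""
    inventory: Dict[str, Dict[str, List[str]]] = {}
    for acct in accounts:
        inventory.setdefault(acct.vendor, {})[acct.user] = sorted(acct.granted)
    return inventory


# Constructed sample data (not real vendors or people).
REVIEW_DATE = date(2022, 3, 1)
SAMPLE_ACCOUNTS = [
    VendorAccount("a.byrne", "HaulCo", "logistics-coordinator",
                  {"shipment-schedules", "warehouse-inventory"}, date(2022, 2, 20)),
    VendorAccount("m.ryan", "InvoicePro", "invoice-clerk",
                  {"supplier-invoices", "customer-pii-export"}, date(2022, 1, 15)),
    VendorAccount("svc.helpdesk", "DeskWorks", "support-engineer",
                  {"ticketing-system"}, None),
    VendorAccount("temp.contractor", "HaulCo", "contractor",
                  {"shipment-schedules"}, date(2021, 10, 1)),
]

if __name__ == "__main__":
    for vendor, users in access_inventory(SAMPLE_ACCOUNTS).items():
        print(vendor, users)
    for user, vendor, finding in review_access(SAMPLE_ACCOUNTS, REVIEW_DATE):
        print(f"{vendor}/{user}: {finding}")
```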

Secure Your Critical Data 

With supply chain risks at an all-time high, you need a trusted partner by your side to protect your data from all kinds of human threats emerging from the supply chain.

Our expertise in data security and storage can help you overcome supply chain obstacles and secure your data from all kinds of threats. Give us a call now!


Monitor, Test, Restore – Making Sure Your Backups Are Ready! 


Reading Time: 4 Minutes
Backups play a critical role in any data protection strategy. If you are counting on your backups for disaster recovery and business continuity, unexpected backup failure can prove to be disastrous for your business. Especially when backups are scheduled automatically, you risk falling victim to media failure, software issues, cyberattacks or even a simple human error. A study estimated that three-fifths of backups are incomplete, and nearly half of all data restoration efforts result in failure. 

Related Article: Backup Strategies to Prevent Data Loss

Fortunately, backup failure can be avoided to a great extent through consistent monitoring and frequent testing. This, in turn, will ensure proper restoration of your data when disaster strikes. To ensure complete restoration of your data, you need to have a comprehensive plan for monitoring and testing your backups. In this article, we’ll explore the step-by-step process involved in monitoring your backups, testing them and ensuring full restoration during an unexpected disaster. 

Backup Status Monitoring

Most businesses that rely on data for their everyday operations have a consistent schedule to back up their generated data. Depending on the importance of the data stored, this schedule may vary from once every few hours to once a week or even longer in some cases. However, if your backup fails at some point, you might lose everything generated since the last successful backup. By identifying these weaknesses early, you can mitigate your overall losses and fix the issues.

This is why backup status monitoring is vital. Failing to monitor your backups might result in a snowball effect that could continue unabated until it gets detected.

How to prevent this

You must make backup monitoring part of your backup strategy. Although monitoring is an essential activity, most businesses cannot afford to perform it on an everyday basis. The frequency of monitoring can be based on your recoverability objectives. For instance, if you are dealing with critical data essential to your business, you could set up monitoring every week. This will help you identify any problems instantly and allow you to fix them without affecting your backup goals. 

Backup monitoring for remote workers

When employees work remotely, implementing a backup system for all their devices can be a bit challenging. However, this does not mean that you have to compromise on the safety of your data. The Cloud also needs to be part of your backup strategy. More specifically, a 3-2-1 approach is recommended, where you have at least three copies of your data – two on different platforms and one at an offsite location (Cloud). With a centralised remote monitoring and management tool, you can get total visibility into your backup tasks and remotely monitor and validate them. 

Read: The Importance of Secure Cloud Backup for Remote Workers


Spot Checking for Accuracy and Quality 

This is a relatively simple approach used in backup testing. Once you have backed up everything in your environment, you can go to the backup drive or Cloud to ensure that the files or folders are available there. If you cannot access any of the files, you might have a problem with your backups. In such cases, you need to check your backup configuration and drives to ensure everything is functioning correctly. You should perform these checks across multiple areas of your environment to ensure everything is running smoothly.

Full Restore Testing 

This method is more advanced than spot-checking, and it tests your ability to recover from complete data loss after a disaster. To perform this, you need to prioritise critical files essential to your immediate recovery and test them successfully. 

Prioritising files and folders for testing

When prioritising data for testing, you need to begin with data, applications or systems that have a low Recovery Time Objective (RTO), which refers to the maximum allowable time or duration within which a business process must be restored. These files and systems are the ones your business can’t go long without and are typically associated with the core activities. So if you can recover this data quickly, you can resume operations and avoid downtime.

How much does downtime cost your business? Learn with our Downtime Calculator

Determine the testing approach

There are various aspects to consider when testing your backups. For instance, you can create individual scenarios of virtual machines and test their ability to recover a system. You could also consider a disaster recovery approach in testing that simulates the entire environment and performs various scenario-based recovery tests. 

Here, the ultimate goal of testing is to verify the integrity of the backups you have created. You need to choose a suitable testing approach for your business that better reflects your IT environment.

Frequency of testing

How often should you test the integrity of your backups? That’s another big question you need to ask once you have decided to proceed with the testing process. For this, you need to consider various factors like workload, applications, systems, etc., in your environment and develop a testing schedule that works for you.

In addition, you need to consider your Recovery Point Objective (RPO), which is the maximum duration your business can survive after a disaster. Always make sure that the frequency of testing is well within your RPO if you wish to conform to the parameters of business continuity. For instance, if your RPO is 24 hours, you need to test your backups at least once a day to ensure a good copy of data is available to recover from a loss.

A Backup Solution That You Can Count On

The last thing you want during a disaster recovery process is to find out that your backups have been failing for a long time. By monitoring and testing your backups regularly, you can overcome this issue and rely on your backups at the time of need.

Most importantly, you need to invest in the right backup solution that ensures full recoverability of your valuable data. Reach out to us today and count on us to build a backup solution that is tailor-made for your business.


Data Protection Regulations: The ‘New Normal’ For All Businesses

Data Protection Regulations
Photo by Alexander Kovacs on Unsplash

Reading Time: 3 Minutes
In today’s global information economy, your business data is the golden goose chased by cybercriminals. Given how this data has an endless life, who can ensure that it isn’t exploited for unsavoury gains? Well, governments worldwide have stepped up to the plate. 

The implementation of the General Data Protection Regulation (GDPR) in 2018 by the European Union (EU) opened the floodgates for this global wave of change. Such was the impact of GDPR holding businesses accountable for data protection and privacy that today, 132 out of 194 countries have put in place legislation to ensure the security of data and privacy, as per the United Nations Conference on Trade and Development (UNCTAD). 

Related Article: GRC Fines, Penalties and Violations – Oh My!

Wondering how this is related to compliance and your organisation? Any business in the world, including yours, must comply with at least one data protection and privacy regulation. Whether you are a local or a global company, you must understand that ignoring this international consensus can leave your business’ future in the lurch. 

Give us a few minutes, and we’ll help you understand the difference between data protection and privacy, the prevalent global awakening and how it’s time for you to be smart about compliance. Let’s hit the ground running! 

Data Protection Versus Privacy: Related But Not The Same 

While data protection is about securing data from unauthorised access, data privacy is related to how authorised access is defined – who can access the data and the ways in which they can manage it. Your business must understand this distinction and the fact that the existence of one doesn’t eliminate the need for the other. 

Dig deeper with our article: Data Protection vs Data Privacy – A Closer Look

While you might deploy the right technology to build a robust data protection posture, it still might not ensure the privacy of personal data in compliance with regulatory standards. Even authorised individuals who can access the data could exploit it. Simply put, you must deploy the right technology and the right policies to ensure every bit of data you store and process remains secure and private. It’s time to quit stalling and start moving forward with proper security and privacy standards.

A Global Awakening

UNCTAD data also showcases how 66% of countries already hold legislation on data protection and privacy, while 10% have drafted one, and the remaining countries are likely to follow suit. Do not ignore this global consensus assuming that it would not impact your business as you would not be operating outside your home country. Even if you are not based in Europe or in a country where the legislation is active, it’s not going to be long before your state’s or country’s government decides to take the plunge themselves. 

Here’s just a glimpse of where regulation is in place or will be eventually implemented:  

  • Australia: The Privacy Act (1988) 
  • Brazil: General Personal Data Protection Act (LGPD – 2018) 
  • Canada: Personal Information Protection and Electronic Documents Act (PIPEDA) 
  • China: Personal Information Security Specification (2018) 
  • The European Union (EU): General Data Protection Regulation (GDPR) 
  • Japan: Act on the Protection of Personal Information (2007) 
  • Kenya: Data Protection Bill (drafting in progress) 
  • Nigeria: Data Protection Regulation (2019) 
  • Russia: Federal Law Regarding Personal Data (2006) 
  • Singapore: Personal Data Protection Act (2012) 
  • South Africa: Protection of Personal Information Act (2013) 
  • South Korea: Personal Information Protection Act (2011) 
  • Thailand: Personal Data Protection Act 
  • Uganda: The Data Protection and Privacy Bill (2015) 
  • Uruguay: Law on the Protection of Personal Data and Habeas Data (2008) 

Countries currently deliberating a regulation include Argentina, Chile, Ecuador, India, Malaysia, New Zealand, Switzerland, USA (a federal legislation) and more. 

That’s 50 countries already! Could this phenomenon be any more global? 


Be Smart. Start Now! 

Compliance is smart business, even if it is complex and can feel unfair. Therefore, keeping it on the backburner is just an open invitation to trouble. How much do you value the reputation and integrity of your business? Please remember that a failure to demonstrate compliance with just one regulatory standard can take your business straight into a dark phase of uncertainty. You can suffer losses in the form of licence cancellations, hefty fines, damage to reputation, expensive lawsuits and loss of business.

Watch video on our LinkedIn: Top 5 GDPR Fines Issued so Far

Let A Trusted Partner Help You

It takes special skills and tools to look ‘under the skin’ of your network to ensure it is both secure and compliant. It helps having a trusted partner that has managed both cybersecurity and compliance for businesses before. You will sleep better at night knowing your data is protected and precisely in the manner regulations need it to be. 

You are just one step away from assessing your compliance needs and addressing them. Call us today. Let’s talk compliance! Our team will understand your needs and help you get where you want with small, actionable steps. No challenge is too big to tackle, and you can take your business to the next level!

How Can Cyber Resilience Protect SMEs in Ireland?

Resilience
Photo by Dan Stark

Reading Time: 3 Minutes
Small and Medium Businesses (SMBs) usually invest less in cybersecurity, making them easier targets for cybercriminals. Close to 30% of businesses experience a cyberattack at least once per week.

The need for constant vigilance and defence against hackers has led many SMBs to overcomplicate their cybersecurity. Though the percentage of businesses that have adopted formal, business-wide incident response plans has increased from 18% in 2015 to 26% in 2020, the ability to contain an actual attack dropped by 13%. This is because: (1) businesses do not consistently test the threat-readiness of their incident response plans, and (2) many of them use so many security products that the sprawl hampers their ability to identify and respond to a cyberattack.

This is where a cyber resilience strategy can help organisations protect uptime and recover from incidents faster. Some people use the terms cybersecurity and cyber resilience interchangeably, but their meanings are different.

Learn: What can a Cyber Security company do for my business?

While cybersecurity primarily aims at blocking nefarious cybercriminals from attacking your network, cyber resilience is more about planning, defending, responding to and recovering quickly from a cyberattack. Endpoint protection, email security, network security, backup and data recovery, identity and access management and a host of other critical solutions together fuel a comprehensive cyber resilience strategy. 

Arm Your Business with Cyber Resilience

The cyber threat landscape is evolving at lightning speed and traditional security measures can’t keep up with it. Experts predicted that in 2021 a ransomware attack would occur every 11 seconds. The only way forward for businesses, including yours, is to draft a cyber resilience strategy that highlights ways to move forward in the face of a cyberattack. 

Your business is cyber resilient when: 

  • You’ve implemented measures to guard against cyberattacks
  • Proper risk control measures for data protection get deployed
  • Hackers cannot severely disrupt business operation during or after an attack

The major components of a cyber resilience strategy are:

Threat protection

By deploying efficient attack surface management and risk management, you can easily take your business through the path of cyber resilience. Doing so helps you minimise first-party, third-party or fourth-party risks arising from data leaks, data breaches or misconfigurations. Additionally, assessment reports identify key risk areas that require attention. Our process is supported by our Gap Analysis, which will tell you exactly where you are and what’s missing to reach your goal.

Adaptability  

Cybercriminals are shapeshifters who constantly change their devious tactics. Ensure your business can adapt to emerging cyber threats. 

Recoverability  

Your business must have all the necessary infrastructure, including robust data backups, to quickly bounce back after a security incident. Conducting mock drills that let you understand the employee readiness to counter cyberattacks is also essential. Learn why Backup Strategies are vital.

Durability 

Your IT team can improve the business’ durability through constant system enhancements and upgrades. No matter what strategy the criminals use, prevent their actions from overwhelming you through shock and disruption. 


5 Ways Cyber Resilience Protects SMBs

Adopting cyber resilience proves beneficial before, during and after cyberattacks. Five ways cyber resilience protects SMBs:

1- Enhances system security, work culture and internal processes

By implementing a cyber resilience approach within your business, you can easily design and develop strategies tailor-made for your existing IT infrastructure. Additionally, cyber resilience improves security within each internal process, so you can communicate desired behaviour to employees.

2- Maintains business continuity

Cyber resilience ensures that operations are not significantly affected and business gets back to normal after a cyberattack. 

3- Reduces financial loss

The financial damage caused by a breach can be so severe that businesses go bankrupt or even close. Cyber resilience keeps threats in check, reducing the chances of business disruption and limiting financial liabilities. 

4- Meets regulatory and insurance requirements

Cyber resilience helps keep your business out of regulatory radars by satisfactorily following all necessary criteria. Also, complying with regulations can be beneficial to your organisation for cyber insurance claims. 

5- Boosts company reputation

Having cyber resilience by your side gives you better control in the event of a successful cyberattack. It helps you block attacks, bounce back quickly if an incident happens and minimise the chaotic aftereffects of a breach. This improves your business reputation among partners and customers. 

Don’t worry if the concept of cyber resilience is tough to crack. We can guide your business to and through cyber resilience. We can begin with a discovery call to learn about your concerns and requirements and follow with a Gap Analysis to identify precisely the main points that need to be prioritised. Wherever you are in the world, we’ll be more than happy to assist, so talk to us and count on us!

Article curated and used by permission.

Sources:

  1. Infosecurity Magazine
  2. The 2020 Cyber Resilient Organization Study
  3. JD Supra Knowledge Center

Importance of Secure Cloud Backup Solution for Remote Users 


Reading Time: 4 Minutes
A Secure Cloud Backup Solution is no longer a luxury – it’s a must. In today’s world, businesses gather, analyse and process large volumes of digital data on an everyday basis. From identifying typical customer behaviour to creating campaigns that target the right audience, business data plays a critical role in the day-to-day functioning of a company. Considering the critical need for data, businesses cannot afford to lose their data at any cost. However, data loss is quite common owing to various factors such as natural disasters, human errors, security breaches and more. If you expect your business to continue operations even after a catastrophic data loss, cloud-based data backup is the best option for you. 

Recommended Read: Why Security Awareness Training is Essential for Backups

Since threats to business data have skyrocketed in this new remote working age, the need for the cloud to be part of the backup solution has become extremely important for businesses of all sizes. According to Microsoft, 94% of companies report security benefits after moving their data and services to the cloud. This is the main reason why organisations have started embracing cloud technology at a dramatic pace.

This short read will provide you with some decisive insights about the importance of cloud backup, especially in remote working environments, and how you can bolster your cybersecurity with a proper cloud strategy.

Need for Cloud Backup During Remote Work 

It’s one thing to lose your data during a cyberattack or another unexpected event, but losing your integrity and goodwill is an entirely different ballgame. All the years of hard work you invested in building your company will be in jeopardy if you suffer a loss of customer data. When your customers have no reason to trust you, they will take their business elsewhere rather than waiting for you to bounce back. Whether it is an ordinary human error or a deliberate cyberattack, the risk of losing your critical data is significantly higher when your employees are working remotely. 

The 2020 User Risk Report by Proofpoint has estimated that about 45% of employees in the United States believe that public Wi-Fi networks are safe for work. This number is likely to be close to what we see in Ireland. When you don’t control the environment in which your employees operate, the risk is much higher and stands as an indication for you to take suitable data security measures.

Security solutions such as antivirus, firewall, patching, etc., can only get you so far. What if there is a manual oversight or a natural disaster? Human error also plays a significant role in many security breach incidents. In such situations, the survival of your business depends on your ability to bounce back fast with the help of backed up data. This is why you need a business continuity and disaster recovery solution through cloud-based data backups.

Learn more about Business Continuity and Disaster Recovery 

Best Practices for Cloud Backup 

When you use the 3-2-1 backup rule, cloud storage inevitably becomes a part of your backup strategy. As per this rule, you make three copies of your data, store two copies on different media (e.g., hard drive and local storage appliance) and store one copy off-site in the form of cloud backup. You may also expand this rule by storing multiple copies of your data in different cloud locations. 

Apart from the data storage rule, the following best practices could guide you with your backup planning: 

  • Know your recovery objectives: In case of data failure, you need to know how quickly you can recover before your losses become irrecoverable (Recovery Time Objective) and how much data can you afford to lose from your last backup time (Recovery Point Objective). This helps you come up with a solid plan that ensures business continuity and disaster recovery. 
  • Prioritise your data: Businesses store all kinds of data every day. But which data is critical to your business recovery? Your backup plan should prioritise that first and then proceed with other data. A good cloud backup plan should outline different strategies for different kinds of data. 
  • Monitor your backup process: What’s worse than losing your data during a data loss event? Finding out that the backup data you have diligently stored is corrupted. You don’t want to be in such a position, especially after a catastrophic data loss. You need to monitor your backup process to ensure your backup operations are carried out without a glitch.
  • Test your backup and recovery: To ensure everything works as planned when disaster strikes, testing is a must. It is also a great way to identify the issues in your backup process and should be a part of your regular backup plan. Learn more about backup best practices.
  • Backup your SaaS data: Your G Suite and Office 365 data is secure. However, there is a misconception that these don’t need any backups. Although your SaaS vendors are responsible for providing the backup infrastructure, they do not guarantee the safety of your data or take accountability for any financial losses resulting from it. Make sure your backup plan has a strategy for your SaaS data as well.  
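The backup checks described in “Monitor, Test, Restore” above (status monitoring, spot checking, restore testing against your RPO) and the 3-2-1 rule and recovery objectives from this list can be expressed as one readiness report. This is an added example, not Spector’s or any backup vendor’s code; the backup inventory, file contents and timestamps are constructed, and RPO is used as defined in the list above (how much data you can afford to lose since the last backup).

```python
"""Backup readiness checks: added example, not code from the original articles.

Runs three checks over a constructed inventory of backup copies:
  1. 3-2-1 rule: at least three copies, on at least two media types, one offsite.
  2. RPO freshness: each copy's last successful run is within the RPO window.
  3. Spot check: files restored from a copy are hashed and compared with the
     checksum manifest recorded when the copy was written.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class BackupCopy:
    name: str
    media: str                 # e.g. "disk", "nas", "cloud"
    offsite: bool
    last_success: datetime     # timestamp of the last successful backup run
    manifest: Dict[str, str]   # path -> sha256 recorded when this copy was written


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_321(copies: List[BackupCopy]) -> List[str]:
    """Return the ways the copy set falls short of the 3-2-1 rule (empty = compliant)."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies, need 3")
    if len({c.media for c in copies}) < 2:
        problems.append("all copies on the same media type")
    if not any(c.offsite for c in copies):
        problems.append("no offsite copy")
    return problems


def check_rpo(copies: List[BackupCopy], now: datetime, rpo: timedelta) -> List[str]:
    """Flag copies whose last successful run is older than the RPO (monitoring step)."""
    return [f"{c.name}: last success {now - c.last_success} ago exceeds RPO {rpo}"
            for c in copies if now - c.last_success > rpo]


def spot_check(copy: BackupCopy, restored: Dict[str, bytes]) -> List[str]:
    """Compare sample files restored from a copy against its manifest (testing step)."""
    problems = []
    for path, expected in copy.manifest.items():
        if path not in restored:
            problems.append(f"{copy.name}: {path} missing from restore")
        elif sha256_of(restored[path]) != expected:
            problems.append(f"{copy.name}: {path} checksum mismatch")
    return problems


def readiness_report(copies: List[BackupCopy], now: datetime, rpo: timedelta,
                     restored_samples: Dict[str, Dict[str, bytes]]) -> Dict[str, List[str]]:
    """Combine the three checks; an all-empty report means the backups are ready."""
    report = {"3-2-1": check_321(copies), "rpo": check_rpo(copies, now, rpo), "integrity": []}
    for c in copies:
        report["integrity"] += spot_check(c, restored_samples.get(c.name, {}))
    return report


# Constructed sample data: two files, their manifest, and three backup copies.
FILES = {"finance/ledger.csv": b"2022-02-28,invoice,1250.00\n",
         "crm/contacts.csv": b"id,name\n1,Example Customer\n"}
MANIFEST = {path: sha256_of(data) for path, data in FILES.items()}
NOW = datetime(2022, 3, 1, 9, 0)
RPO = timedelta(hours=24)
SAMPLE_COPIES = [
    BackupCopy("disk", "disk", False, NOW - timedelta(hours=2), dict(MANIFEST)),
    BackupCopy("nas", "nas", False, NOW - timedelta(hours=2), dict(MANIFEST)),
    BackupCopy("cloud", "cloud", True, NOW - timedelta(hours=30), dict(MANIFEST)),
]
# What a test restore of each copy returned: disk is intact, the NAS copy of the
# ledger was altered, and the cloud restore is missing the contacts file.
RESTORED_SAMPLES = {
    "disk": dict(FILES),
    "nas": {**FILES, "finance/ledger.csv": b"2022-02-28,invoice,9999.00\n"},
    "cloud": {"finance/ledger.csv": FILES["finance/ledger.csv"]},
}

if __name__ == "__main__":
    for check, problems in readiness_report(SAMPLE_COPIES, NOW, RPO, RESTORED_SAMPLES).items():
        print(check, problems or "ok")
```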


Partnering With a Reliable Cloud Backup Provider 

With the volume of critical data increasing every day, businesses often face challenges protecting this data from unauthorised access. Cloud backup is the best way to ensure that vital data is always available in case of an unexpected disaster.  

Apart from ensuring data security, cloud storage can also make your backup process more efficient and cost-effective. To make the most of your cloud storage benefits, you want to have a trusted partner who you can rely on when things go south. 

This is where we come in. Our years of expertise in data backup and cloud storage can help you protect your business data in an incredibly effective way. Give us a call today and find out how we can help build your cloud backup plan and secure your data so you can access it anytime, from anywhere. 


Potential Risks That Insider Threats Pose to PII 


Reading Time: 5 Minutes
Personally Identifiable Information (PII) refers to any information maintained by an agency that can be used to identify or trace a specific individual. In other words, it includes data points such as social security number, date of birth, mother’s maiden name, biometric data, tax identification number, race, religion, location data and other information that can be used to deanonymise anonymous data.

If your organisation handles Personally Identifiable Information, you must take steps to secure your customer data. Not only is it essential from a compliance standpoint, but with security breaches on the rise, you have to make sure customer PII is not being compromised. Risk-Based Security revealed that by the end of 2020, a total of 36 billion records had been exposed and compromised. Of such data breaches, 60% are caused by insider threats or security threats originating from within an organisation. To make things worse, reports indicate that the number of insider incidents has increased by 47% over the last two years.

Related Article: Protecting your Business-Critical Data from Human Threat

Let’s take a deep dive into the potential risks that insider threats pose to Personally Identifiable Information, especially for healthcare and financial institutions, and how you can protect your organisation against such threats.

Potential Risks

An insider threat is a security risk that originates from within your organisation and is usually someone with authorised access misusing data (intentionally or unintentionally) to harm your company or your customers. The culprit could be any individual who has authorised access to confidential and sensitive company information, right from your present or former employees to consultants, partners or contractors.  

If you don’t secure your employee or customer PII, you leave yourself vulnerable to data breaches. Insider-led data breaches are widespread and can happen in multiple ways – from a negligent employee inadvertently downloading malware to a disgruntled contractor selling customer data on the Dark Web to make money.

Read: Your Biggest Cyber Security Risk: Your Employees

Insider-led data breaches are hard to detect because the threat actors have legitimate access and are probably familiar with your cybersecurity defence tools as well. It is much easier for them to circumvent your defences, access sensitive customer data and expose it. 

As a healthcare or financial institution, if your customers’ personally identifiable data is exposed, it can cause a great deal of trouble to both your company and your customers. Let’s look at some of the potential risks:

Risks to Your Company

Reputational damage

According to a study by Ponemon, 44% of companies believe it takes anywhere from 10 months to over two years to restore a company’s reputation after a breach. This is bound to be worse for healthcare or finance institutions since the data collected is extremely personal and sensitive. Even if you respond promptly and adequately to your customers regarding a data breach, it could still result in a PR disaster and a decline in the customer base. 

Financial loss

The average cost of a data breach in the U.S. is $8.19 million. Some of the consequential costs that companies find themselves paying include compensation to affected customers, fines and penalties for non-compliance with regulations such as GDPR, expenses for forensic investigations and more. On top of that, the valuation of your company could tumble as well. 

Ransomware costs

A malicious insider who gains access to your data systems can steal sensitive customer PII from your network. Once your systems are hacked, the cybercriminal can block access to your data and then threaten to sell the information on the Dark Web if you don’t pay the ransom. Malicious insiders could be current or former employees or an outsider who uses or manipulates an unsuspecting employee to get past your security perimeter. Learn more about Ransomware and its risks.

Operational standstill

Data breaches have the potential to paralyse your business operations. You will have to conduct a detailed investigation to determine what data has been compromised and the cause behind the breach. In case data has been lost, you will have to take steps to recover it. Furthermore, you may be faced with expensive lawsuits and settlements. Unless you have substantial emergency resources, you will have to halt your business operations temporarily.


Risks to Your Customers

Identity theft

Cybercriminals may acquire sensitive customer data and use it to their advantage. For instance, they could use your customers’ credit card numbers, social security numbers, health plan beneficiary numbers or biometric identifiers to impersonate them to commit fraud or gain financial benefits. Learn more about Identity Theft.

Social engineering attacks

Data breaches could uncover your customers’ PII, especially sensitive data, such as name, address, contact details, date of birth and so on, that could end up on the Dark Web. Cybercriminals might use this data to launch social engineering attacks on your customers. The attackers may then psychologically manipulate or trick customers into sharing their confidential details. Learn how to avoid Phishing attacks.

Blackmail campaigns

Data breaches could result in sensitive medical information, such as psychotherapy reports or blood test reports, being leaked online. Cybercriminals could then use this type of information to run blackmail campaigns against your customers.

How to Secure Personally Identifiable Information

With the insider threat landscape constantly evolving, businesses need to step up and secure PII and other sensitive data more effectively. By failing to do so, you could end up putting the future of your customers, employees and company in grave danger. Here are a few tips to help you get started:

  • Use behavioural analytics to set up unique behavioural profiles for all insiders and detect insiders accessing data not associated with their job functions.
  • Implement access and permission controls to review, revise and restrict unnecessary user access privileges, permissions and rights. 
  • Review the PII data you have already collected, where it is stored and who has access to it, and then securely delete what is not necessary for the business to operate. 
  • Set up an acceptable PII usage policy that defines how PII data should be classified, stored, accessed and protected. 
  • Make sure your PII policy is compliant with different privacy and data regulations that apply to your business.  
  • Upgrade your storage holdings to ensure the data lives in a SOC2-protected data centre.
  • Cut down on inadvertent insiders by implementing mandatory cybersecurity and data security training programs. 
  • Make use of software that will help you protect PII, such as third-party risk management solutions, data loss prevention tools, Dark Web monitoring applications and secure documentation solutions, among others.
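The first tip above, behavioural profiling of insiders, as an added example that is not part of the original article: a baseline is learned from constructed access-log lines, and later events are flagged when a user touches a PII category, a record volume or an hour of day outside their own usual pattern. The log format, user names and thresholds are all assumptions for the example.

```python
"""
Added example (not from the original article): a behavioural baseline built
from constructed access-log lines, then used to flag insiders touching PII
categories, volumes or hours outside their own normal pattern.
"""
from collections import defaultdict
from datetime import datetime

# Constructed "normal week" used to learn each user's profile.
# Format per line: ISO timestamp, user, PII category, records touched.
BASELINE_LOG = """\
2022-02-21T09:12:00 alice card_numbers 12
2022-02-22T09:40:00 alice card_numbers 8
2022-02-23T10:05:00 bob medical_records 5
2022-02-24T11:30:00 bob medical_records 3
2022-02-25T13:15:00 carol tax_ids 2
"""

# Constructed events to evaluate against that baseline.
NEW_LOG = """\
2022-03-01T09:30:00 alice card_numbers 10
2022-03-01T18:45:00 bob card_numbers 40
2022-03-01T23:10:00 alice medical_records 250
2022-03-02T14:00:00 carol tax_ids 3
"""


def parse_log(text):
    """Turn the whitespace-separated lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, category, count = line.split()
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "category": category, "count": int(count)})
    return events


def build_profiles(events):
    """Per-user profile: categories seen, largest single pull, active hours."""
    profiles = defaultdict(lambda: {"categories": set(), "max_records": 0,
                                    "hours": set()})
    for ev in events:
        p = profiles[ev["user"]]
        p["categories"].add(ev["category"])
        p["max_records"] = max(p["max_records"], ev["count"])
        p["hours"].add(ev["time"].hour)
    return dict(profiles)


def detect_anomalies(events, profiles, volume_factor=3, hour_slack=1):
    """Return findings for events that deviate from the user's own baseline.

    A deviation is a category the user never touched, a record count more
    than volume_factor times their previous maximum, or activity more than
    hour_slack hours outside the span of their usual working hours.
    """
    findings = []
    for ev in events:
        reasons = []
        p = profiles.get(ev["user"])
        if p is None:
            reasons.append("no baseline profile for this user")
        else:
            if ev["category"] not in p["categories"]:
                reasons.append(f"new category {ev['category']}")
            if ev["count"] > volume_factor * p["max_records"]:
                reasons.append(f"{ev['count']} records, baseline max {p['max_records']}")
            lo, hi = min(p["hours"]) - hour_slack, max(p["hours"]) + hour_slack
            if not lo <= ev["time"].hour <= hi:
                reasons.append(f"activity at {ev['time']:%H:%M} outside usual hours")
        if reasons:
            findings.append({"user": ev["user"], "time": ev["time"].isoformat(),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    profiles = build_profiles(parse_log(BASELINE_LOG))
    for f in detect_anomalies(parse_log(NEW_LOG), profiles):
        print(f["time"], f["user"], "|", "; ".join(f["reasons"]))
```

Findings are review prompts, not verdicts: a nurse pulling card numbers after hours may have a legitimate reason, and the access-control review in the second tip is what removes the ability to do it at all.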

Taking adequate measures to secure personally identifiable information can significantly strengthen your cybersecurity posture against insider threats.

Protecting your customers’ PII is a challenging task, but one that has to be taken seriously. If you’re looking for expert assistance to take this weight from your shoulders, look no further. Get in touch today to speak to one of our specialists and learn how we operate. We’ll be happy to offer a tailored solution to handle your cyber security, compliance and technology development.


Data Privacy Versus Data Security: A Closer Look 

Data Privacy versus data security a closer look
Photo by Leon, on Unsplash

Reading Time: 4 Minutes
The importance of data privacy and data security has grown exponentially as organisations today collect and store more information than ever before. Having a robust data protection strategy is critical to safeguard confidential information and ensure the smooth functioning of your business. But before we move on, let’s take a step back to understand the fundamental concepts of data privacy and data security.    

Recommended Read: Protecting your Business Critical Data from Human Threat

The terms data privacy and data security are often misunderstood and used interchangeably. However, they are two separate concepts! Data privacy focuses on how information is handled, stored and used, while data security is concerned with protecting your organisation’s assets. 

Understanding Data Privacy 

Data privacy deals with the regulations and practices to ensure data is responsibly handled. It includes how information is collected, processed, stored and disseminated. Any organisation that collects and stores data or does business across the globe should comply with several privacy regulations, such as General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), Children’s Online Privacy Protection Act (COPPA) and other privacy laws.  

These regulations aim to protect and enhance consumer and personal privacy. These rules give individuals the right to know what information is collected, why it’s collected and how it’s processed. As data privacy regulations are growing globally and becoming more complex, privacy requirements are also changing. Non-compliance with these laws could cost your business dearly. In 2019, Google was fined $57 million under the European Union’s GDPR law. Click to learn more about penalties, fines and violations regarding compliance. 

Importance of Data Privacy 

Data privacy is an individual’s right to control who has access to personal information and how it should be used. This also protects personal data from being sold or redistributed to third parties. When organisations collect customers’ data, it is their responsibility to protect and preserve their clients’ sensitive information. Not having a privacy policy in place or failure to comply with privacy laws can lead to severe consequences, apart from legal actions and financial loss. 

Understanding Data Security 

Data security is the process of protecting information from unauthorised access, data corruption and data loss. A data security process includes various techniques, data management practices and technologies that act as defence mechanisms to protect data from internal and external threats.  

Read: Protecting your SaaS Data is your Responsibility

Data security is concerned with what an organisation does with the data it collects, where and how that data is stored, and who is allowed to access it. A comprehensive data security strategy will help prevent data breaches, ensure business continuity and keep your company’s data safe from cyberthreats.

Importance of Data Security 

The term “Data is the new oil,” coined by Clive Robert Humby in 2006, stands true in today’s competitive business environment. Data security is critical for the smooth functioning of day-to-day operations and running a business successfully. Failure to protect your organisation’s confidential data can damage your brand’s value, result in regulatory penalties or shut down your business.  

The alarming rate at which cyberattacks are growing has forced organisations of all sizes to consider data security as a top priority. It is estimated that organisational spending on cybersecurity has reached $123 billion in 2020.  

Depending upon the purpose, type of industry or geographical location, your business can implement security compliance frameworks and international standards, such as the National Institute of Standards and Technology (NIST), the International Organisation for Standardisation (ISO) and Payment Card Industry Data Security Standard (PCI DSS). These frameworks provide guidance and best practices for information security to help you assess IT security measures, manage risks, respond to security incidents and improve your information security management system. 


Difference Between Data Privacy and Data Security 

In simple terms, data privacy and data security are two sides of the same coin. They have distinct concepts but are closely related. Achieving data security doesn’t ensure data privacy and vice versa, but both are required to establish a comprehensive data protection strategy. Knowing the difference between these terms will help you strategise better, prevent data breaches and stay legally compliant. 

Let’s distinguish the two concepts with a hypothetical example. 

Assume you own a laptop on which you store personal information. To stop people from accessing those files, you paste a sticker on the cover that reads ‘Do Not Touch’. But to add an extra layer of protection, in case people don’t read or ignore the sticker, you lock the computer with a secure password.

There are two things to note here. First, the ‘Do Not Touch’ sticker tells people to keep away from your laptop, thereby asserting your privacy. Second, the password ensures no one can access your data, thereby protecting your data from unauthorised access.

Find the best advice for creating strong passwords with this article.

How to Achieve Data Privacy and Security While Being Legally Compliant 

Achieving data privacy and data security and complying with several laws have their own set of challenges. Even large organisations struggle to understand and implement the proper security management and compliance measures.  

But that shouldn’t be the same for your business. To learn how you can achieve and maintain compliance for data privacy and security, contact us today.    


Why Security Awareness Training Is Essential for Backups 

Specialist IT Support

Reading Time: 3 Minutes
According to IBM’s 2020 Cost of Data Breach Report, human error causes nearly 25% of data breaches, meaning that a negligent employee can become a tangible threat to your business’ invaluable data. The only way to prevent your employees from compromising your business data is by providing regular security awareness training. Conducting a one-time training program will not suffice amid today’s ever-changing threat landscape.

Related Article: Navigating Backups and Training during unprecedented times

Cybercriminals are waiting to exploit your business’ vulnerabilities, one of which could be your employees. There are multiple ways your negligent employees could jeopardise the security, integrity or accessibility of your business data, including: 

  1. Password reuse: Reusing the same password for multiple accounts is a widespread poor password habit utilised by careless employees. Unaware of the security consequences, the average user uses the same password across an average of five account logins, both personal and business, according to Ponemon research. Learn more about password security here.
  2. Accidental sharing and exposure: A moment of carelessness can lead to an employee sending data to a cybercriminal. This can have severe ramifications and lead to your sensitive business data ending up in the wrong hands. 
  3. Falling for phishing scams: Since the start of the COVID-19 pandemic, phishing attacks have gone up by over 60%. An untrained employee may find it difficult to detect these deceiving scams, leading to the leakage of sensitive business information. Learn how to identify a phishing email here.

You must intentionally develop a security-focused culture within your organisation through comprehensive and continual security training if you wish to avoid or mitigate unplanned downtime or disruptions due to data loss incidents. Employees consistently exposed to security training are more likely to follow cybersecurity best practices, thereby ensuring your business data is not left in the lurch. 

Read: Protecting your Business-Critical Data from Human Threat

Implementing security awareness training is as vital to preventing data loss incidents as having a robust backup strategy. Backups can help you recover mission-critical data quickly in the event of a data loss or corruption incident that impacts your business, and could save your business from losing crucial revenue or clients. In addition to safeguarding critical business data, a robust backup can also ensure that:

  1. You have access to complete copies of your business’ data assets in one place 
  2. You can significantly reduce business downtime following a data loss incident 
  3. The overall confidence in your business increases among customers and partners 

Recommended Read: How Backups and Disaster Recovery Protect SMEs

An effective backup strategy is characterised by multi-layered mediums and failover options, proper policy and procedure development, regular testing, and the implementation of comprehensive and consistent security awareness training.  

Regular Training Limits the Need to Excessively Depend on Backups  

Cybercriminals are experts at exploiting global events to scam people and businesses. The COVID-19 pandemic gave hackers a golden opportunity to exploit the loopholes left unaddressed by companies adopting the remote work model. 

With incidents of phishing and ransomware attacks going through the roof, security awareness training is more relevant now than ever before. By mitigating the human errors and mistakes that often factor into many data loss or corruption incidents, you can dramatically minimise costs and consequences that could impact your business’ success.  

Related Article – Your Biggest Cyber Security Risk: Your Employees 

During the pandemic in 2020, 56% of businesses recovered their data using backups after a ransomware attack. Many of these businesses could have avoided the damages inflicted by these attacks if they effectively trained their employees to spot common warning signs of cyberthreats such as ransomware scams. 

Deploying a data protection strategy that incorporates both backups and security awareness training will help your business counter data loss effectively. 

Incorporate Your Employees Into Your Backup Strategy 

With cyber threats becoming increasingly prevalent and malicious, you must take any measure possible to protect your business and its mission-critical data.  

Building and implementing the right strategy for backups and security awareness training can be easier with the right partner. We can help you implement a comprehensive data protection plan that incorporates employee training and data backup solutions that will enable your business to avoid data loss events that can jeopardise your business’ future. Talk to us now and find true peace of mind with the right solution.

 

Data Sources: 

  • Security Magazine Verizon Data Breach Digest 
  • 2020 Cyberthreat Defense Report 

GRC Fines, Penalties and Violations! Oh My! 

Compliance and Cyber Security Standards and Frameworks

Reading Time: 3 Minutes
Global data protection regulations (new or updated) are being enforced aggressively, resulting in a tsunami of hefty fines and penalties to violators. The majority of these violations result from the failure to conduct regular risk assessments, which form an integral part of the ‘appropriate measures’ a business must take to ensure information security. 

For example, in 2017, credit agency Equifax lost personal and financial information of nearly 150 million consumers due to an unpatched Apache Struts framework in one of its databases. Regulatory authorities found Equifax guilty of “failing to take reasonable steps to secure its network”. The credit agency was mandated to pay a hefty fine, valued at potentially $700 million, which it is still paying to the Federal Trade Commission (FTC), Consumer Financial Protection Bureau (CFPB) and all 50 U.S. states. 

Read: Understanding and Calculating Organisational Risk

If Equifax had implemented an ongoing risk assessment strategy, it could have avoided the subsequent financial fallout and reputational damage. A single risk assessment would have helped Equifax uncover and fix the patch-related vulnerability promptly. 

You must understand that regulatory agencies don’t expect you to cast a magic spell that can protect your network from threats indefinitely. They simply strive to hold you accountable for the steps you need to take to ensure consistent data protection and privacy. For example, the most enforced HIPAA audit requirement out of a total of 180, which has been cited in more than 50% of recent penalties, is an accurate and thorough risk analysis. 

Recommended: Is your Business ready for HIPAA and PCI-DSS?

Disasters Businesses Could Have Avoided

Here are a few instances where businesses were pulled up by the regulatory bodies and slapped with hefty fines for the lack of a risk assessment and management strategy. This will help you understand how risk assessment can go a long way towards building a resilient cybersecurity defence and demonstrating full compliance. 

Marriott International Shelling Out Over €20 Million 

Marriott International, Inc. was fined a whopping €20,450,000 in fines for failing to implement sufficient technical and organisational measures to ensure information security. The basis of the penalty was Article 32 of the General Data Protection Regulation (GDPR), which clearly states the need for “a process that regularly tests, assesses and evaluates the effectiveness of technical and organisational measures to ensure the security of the processing.”

Capital One Fined $80 Million

In 2019, Capital One suffered a breach affecting 100 million people in the U.S. and 6 million in Canada. By exploiting a configuration vulnerability in the company’s web application firewall, an “outside individual” obtained personal information of Capital One’s credit card customers as well as people who had applied for credit cards. The Office of the Comptroller of the Currency fined Capital One $80 million for its “failure to establish effective risk assessment processes” when migrating operations to a public cloud environment.

Premera Blue Cross Coughing Up $6.85 Million

Washington-based health insurance company, Premera Blue Cross, was fined $6.85 million for HIPAA violations for a breach that affected over 10.4 million people. While handing Premera the second-largest HIPAA fine on record, the Office for Civil Rights (OCR) cited “system non-compliance” with HIPAA requirements. The OCR concluded that Premera had failed to conduct a risk analysis, implement risk management, or put audit controls in place.

Related Article: First Step to Compliance – a thorough and accurate risk assessment

It goes without saying that if all three companies paid heed to expert compliance advice and implemented a meticulous risk assessment and management strategy, their balance sheets would have looked significantly different.

Deploy Risk Assessment and Avoid a Financial Setback

Several data regulations have defined the importance of risk assessment in ensuring data privacy and protection. For example, the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA) clearly mandates covered entities and their business associates to conduct a risk assessment.

Learn more with the article Managing your Technology Risk

By merely implementing this cybersecurity best practice – continuous risk assessment – you will be able to significantly reduce the likelihood of a security breach and a compliance audit; both of which can lead to a tremendous loss of revenue. Think about all the financial implications you could avoid. That should convince you.

Seek Expert Help for Implementation

Implementing a comprehensive risk assessment and information security strategy as part of routine operational procedures is no easy feat. You need specialised tools and experienced and dedicated support to ensure you get thorough and accurate risk assessments regularly to achieve and maintain compliance obligations.

Compliance is complicated and stressful, which is why partnering with an IT and Data Security specialist can help you simplify the risk assessment process and take the chaos and confusion out of the equation. Talk to us today to learn about our specialist approach to compliance and how we can help any business – including yours – be compliant without effort.

Backup Strategies to Prevent Data Loss 

Backup Strategy to prevent data loss
Photo by Alvaro Reyes on Unsplash

Reading Time: 5 Minutes
We live in a digital age where data has become one of the most valuable commodities in the world. Businesses collect vast volumes of data every day from their customers, which plays a critical role in their day-to-day operations. If business organisations happen to lose their data under any circumstance, the consequences can be catastrophic.

This is the harsh reality of today’s digital business landscape. Businesses can experience data loss in many ways, ranging from natural disasters to cyberattacks. Should you suffer an unexpected data loss, your competitive advantage lies in how quickly you can get your operations up and running without experiencing significant downtime.

Related Article: Securing Company Data with a Remote Workforce

In this blog, we’ll take a brief look at the various dangers to business data and how you can prevent them with the proper backup strategy. We’ll also look at the different ways of backing up data and the advantages of using a robust business continuity and disaster recovery (BCDR) solution. 

Why Do You Need Data Backup? 

Before we look at the different ways of backing up data, you need to know why your business requires data backup. Businesses commonly encounter the following threats to their data in everyday operations.

Cyberattacks: As technology evolves, cyberattacks continue to evolve as well. The growing threat of ransomware is a testament to that. According to the latest Verizon report, 27% of malware incidents can be attributed to ransomware attacks. While antimalware and antivirus programs can certainly offer protection, businesses need to think about what might happen in case of an unavoidable security breach and eventual data loss when formulating a data security strategy.

Natural disasters: Natural disasters such as floods, fire, earthquakes and the like pose a meaningful threat to the traditional form of data storage and security. Do you have what it takes to bounce back if these disasters catch you off guard and wipe out your company’s data?

Hardware issues: Mishaps originating from hardware issues play a major role in business data loss. With traditional data storage methods, data is stored in a physical location on hard drives and backup appliances. Any hardware issues arising in these devices can pose a severe threat to your valuable data. 

Human errors: Human errors still play a central role in data loss. According to Verizon, as much as 30% of data loss incidents are caused by internal actors. This could be attributed to anything from poor password practices to falling for phishing scams. Human error can be avoided with employee training.

All these factors indicate that data loss can happen to any organisation irrespective of their size or the security precautions taken. You need a solid data backup solution to make sure that your lost data is not entirely unrecoverable. 

How to Back Up Your data

As you understand the importance of data backup, certain questions may inevitably spring to mind – What is the best way to store data? How many copies should you take?

Regarding the best way of storing data, both cloud backup and on-site backup appliances need to be considered, because each has its own advantages and limitations. On-site storage devices are faster and give organisations complete control over their data. However, they are prone to physical mishaps and hardware issues. On the other hand, cloud-based backup is not vulnerable to a disaster at your own site but requires a lot of bandwidth to back up large files.

Navigating Backups and Training during Unprecedented Times

The ideal backup strategy combines both these approaches, with multiple copies stored in different locations. When backing up your data, you need to consider the 3-2-1 rule, which simultaneously answers your questions on the right approach to data backup and the number of copies that need to be made. 

As per this rule, it is prudent to have at least three copies of data – one production copy and two backup copies on two different media (internal hard drive and removable storage media) along with one off-site copy (cloud) for disaster recovery. Newer variations of this rule suggest having at least two copies (3-2-2 rule) on the cloud depending on the importance of your data. Ultimately, the more copies you make, the higher your chances of recovery after a loss. 

Advantages of BCDR Over File-Only Backups

Backups
Photo by benjamin lehman on Unsplash

In crude terms, data backup is simply the process of making copies of your files and storing them. However, the primary purpose of a backup is to get your business up and running in no time following an unexpected disaster. Hence, an effective backup strategy is symbiotic with business continuity as well. Business continuity refers to the ability of your organisation to get back in working order as quickly as possible following an unexpected data loss.

Recommended Read: Why an Impact Analysis is Essential for Business Continuity

When you think about business continuity, you must think in terms of Recovery Time Objective (RTO) and Recovery Point Objective (RPO). RTO refers to the maximum time an application can be down without affecting the business. RPO refers to the maximum amount of data that can be lost without harming the company. 
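The 3-2-1 rule described earlier and the RTO/RPO terms just defined, as one added example that is not part of the original article: a backup plan is checked against the 3-2-1 rule, then two constructed backup schedules are tested for whether the worst-case data loss at the moment of an incident stays within the RPO, and whether detection plus restore time stays within the RTO. The copies, timestamps and durations are all constructed for the example.

```python
"""
Added example (not from the original article): evaluates a backup plan
against the 3-2-1 rule and checks a backup schedule against RPO and RTO.
All copies, timestamps and durations below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str           # storage medium, e.g. "internal_disk", "local_appliance", "cloud"
    offsite: bool        # held outside the primary site
    is_production: bool = False


# Constructed plans. The first follows the 3-2-1 layout in the text: the
# production copy plus two backups on different media, one of them off-site.
GOOD_PLAN = [
    BackupCopy("file server", "internal_disk", offsite=False, is_production=True),
    BackupCopy("nightly image", "local_appliance", offsite=False),
    BackupCopy("cloud replica", "cloud", offsite=True),
]
# Production plus a single external drive kept in the same office.
WEAK_PLAN = [
    BackupCopy("file server", "internal_disk", offsite=False, is_production=True),
    BackupCopy("usb drive", "removable", offsite=False),
]


def check_3_2_1(copies):
    """Return (ok, problems): 3 copies, backups on 2 different media, 1 off-site."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies, need at least 3")
    backup_media = {c.media for c in copies if not c.is_production}
    if len(backup_media) < 2:
        problems.append(f"backups on {len(backup_media)} medium, need 2 different media")
    if not any(c.offsite for c in copies):
        problems.append("no off-site copy for disaster recovery")
    return (not problems, problems)


def rpo_check(backup_times, incident, rpo_hours):
    """Worst-case loss is the time from the last completed backup to the incident."""
    before = [t for t in backup_times if t <= incident]
    if not before:
        return {"loss_hours": None, "meets_rpo": False}
    loss_hours = (incident - max(before)).total_seconds() / 3600
    return {"loss_hours": loss_hours, "meets_rpo": loss_hours <= rpo_hours}


def rto_check(detection_hours, restore_hours, rto_hours):
    """Downtime runs from the incident until the restore finishes, so the
    time taken to notice the loss counts against the RTO as well."""
    downtime = detection_hours + restore_hours
    return {"downtime_hours": downtime, "meets_rto": downtime <= rto_hours}


# Constructed schedules: a nightly job versus one that runs every four hours,
# and an incident (say, ransomware) striking mid-afternoon.
NIGHTLY = [datetime(2022, 3, d, 2, 0) for d in (1, 2, 3)]
FOUR_HOURLY = [datetime(2022, 3, 3, h, 0) for h in (2, 6, 10, 14)]
INCIDENT = datetime(2022, 3, 3, 14, 30)

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("weak", WEAK_PLAN)):
        ok, problems = check_3_2_1(plan)
        print(f"{label} plan 3-2-1: {'ok' if ok else 'fails: ' + '; '.join(problems)}")
    for label, sched in (("nightly", NIGHTLY), ("4-hourly", FOUR_HOURLY)):
        print(label, rpo_check(sched, INCIDENT, rpo_hours=4))
    print(rto_check(detection_hours=1, restore_hours=2, rto_hours=4))
```

With a 4-hour RPO the nightly schedule leaves 12.5 hours of work exposed at 14:30, which is the point behind the "increase frequency" practice later in this article.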

A good Business Continuity & Disaster Recovery solution will provide you with the following benefits: 

  • Significant reduction in RTO and RPO 
  • Ability to predict business restoration following an unexpected disaster 
  • Reduction in downtime and associated revenue losses 
  • Lower interruption to critical business processes 
  • Avoid compromise to business reputation 
  • Ability to customise disaster recovery as per your needs

Best Practices for Data Backup

While incorporating an effective backup strategy, you need to implement the following best practices to limit data loss:

  • Increase frequency: Digitally-run businesses are required to back up their data multiple times a day. Doing it once a day, at the end of business hours, is no longer sufficient, especially with the number of threats gunning for your data. 
  • Use cloud backup: The Cloud has become an indispensable component of data backup in this digital age. Cloud backup comes with a multitude of benefits such as easy recovery, easy scalability, better cost efficiency and more. 
  • Use the power of automation: Automation has become a game-changer regarding various IT tasks, and backup is no exception. When you automate your disaster recovery process, you can bounce back from severe disasters and continue business operations without suffering too much downtime. 
  • Determine your retention span: Retaining all data backup versions forever is not feasible for most small businesses. Due to this, you need to determine the duration for which you will retain your data. This requirement will vary based on your industry, needs and compliance regulations. You need to come up with a solution that ticks all parameters. 

To Sum Up

Backup should be a part of every organisation’s business strategy, irrespective of its size, location or industry. Threats to business data are widespread and are happening at an alarming rate. In this scenario, a solid data backup plan could be the preventative measure that saves your business when disaster strikes. 

Talk to us today so we can help you zero in on an effective backup strategy that’s tailor-made for you. 


How A ‘Compliance First’ Mindset Limits Liabilities for SMBs

Compliance First limit liability SMEs
Photo by Benjamin Child on Unsplash

Reading Time: 3 Minutes
By adopting a Compliance First strategy, when choosing solutions and vendors, you will identify those that do not comply with your requirements, eliminate them from your selection process, and then select from the rest. It also means evaluating your current solutions and vendors and replacing those that cannot support your compliance requirements. 

In simple terms, compliance is anything someone else makes you do. This means laws, regulations, contracts, and even the terms of a cyber insurance policy. Failure to act responsibly can have devastating results: hefty penalties, lawsuits, investigations, and insurance that fails to cover big claims, which can exceed $1 million.

Related Article: How to Ensure Compliance when Working Remotely?

If you think compliance is unimportant for you or only applies to enterprises, think again. No business is immune to compliance regulations, which is, in fact, a good thing. By knowing your business must be compliant, you can avoid fines and penalties, improve operational safety, improve public relations, prevent attrition and above all, ensure that liability insurance claims pay out in the event of an incident. Compliance has a measurable Return on Investment (ROI). 

By making the ‘Compliance First’ approach your first step, you can meet minimum regulatory requirements to protect against fines while also staying in compliance with liability insurance requirements. After this, you can improve your business’ compliance posture further by adopting additional measures. 

A Single Compliance Mistake Can Invalidate Liability Insurance Claims 

Many small and medium-sized businesses prefer to use free or the most affordable solutions possible. If you’re one of them, keep in mind that this is not a safe practice. Without solutions that meet security, encryption and reporting standards outlined by regulations that you must abide by (HIPAA, CMMC, PCI-DSS and GDPR), you could face three fundamental problems:   

  1. Suffering a preventable catastrophic breach 
  2. Risk of non-compliance and subsequent fines  
  3. Risk of violating and nullifying liability insurance policies, leaving you financially exposed 

Using cheap or low-cost non-compliant solutions may be tempting, but it can cause your business to assume all the reputational and financial risk and cost in the event a compliance violation comes to light. Remember that you do not have to use multiple non-compliant solutions to invalidate your insurance; even using just a single non-compliant solution can cause your claim to be denied.

All your insurance claims that cover compliance regulation infractions specific to HIPAA, CMMC, GDPR or PCI-DSS can be invalidated by a single act of negligence. If the vague regulatory guidelines overwhelm you, you are not alone. But it is worth taking the time to learn more about your requirements, so your organization can become adequately protected. 

The Cost of Non-Compliance 

Many businesses think of compliance spending as an unrewarded cost of business rather than considering it as an investment in protecting assets. This leads to less spending on compliant software or even under-staffing of compliance teams. If your business eventually ends up being non-compliant, it can have devastating reputational and financial consequences.  

HIPAA penalties often exceed $1 million. Defence contractors can lose their primary source of revenue by not complying with cybersecurity requirements. 

Recommended read: Is your business ready for HIPAA and PCI-DSS?

If you accept credit cards, PCI-DSS violations can draw penalties ranging from $5,000 to $100,000 per month, imposed by the payment providers (VISA, Discover and others). Penalties depend on the volume of clients and transactions. 

GDPR violations lead to hefty fines worth 2% to 4% or more of company revenue, depending on the severity of the violation.  

Even the information you have about your workforce is protected by state and federal laws. 

Begin With a ‘Compliance First’ Approach for Product Selection 

A ‘compliance first’ approach covers a broad range of critical considerations to keep a business compliant. However, if you do not know where to begin, start with a business tool audit. The internal tools to audit for compliance are:  

  • Voice services like VoIP 
  • Cloud storage and file hosting 
  • Document sharing and transfer services 
  • Productivity tools 
  • Communication tools 
  • Any digital tool, product or service used for business 

Many regulations require data, including voice messages and emails, to be encrypted in transit and at rest. Find out whether the version you use is compliant by reviewing each solution’s product sheet or release notes. If it is still unclear whether the solution provides the type of compliance you’re looking for, contact the technology vendor directly and ask for an independent audit report of their compliance with the requirements you must meet. 

The ‘Compliance first’ approach can help develop a compliance-oriented culture within your business, thus preventing your business from falling into the quicksand of non-compliance. 

We understand that implementing the ‘compliance first’ approach can be a bit challenging. Don’t worry. We can help you seamlessly integrate this approach into your business operations to meet legal and insurance obligations. Get in touch with us today to get started. 

 

Are Your Business Partners and Vendors Potential Security Weak Links?


Reading Time: 3 Minutes

A modern supply chain consists of people, systems and technologies that enable the delivery of goods and services to end-users. However, this dependency on third-party business partners opens doors to many security risks.

A lot can go wrong throughout the supply chain operation, which is why you should pay close attention to risks associated with third-party partners. Since many of them have varying degrees of access to your organisation’s systems and sensitive data, they could potentially be the weak link that jeopardises your entire security strategy.

Related Article: Recommended Best Practices for a Secure Supply Chain 

According to a survey conducted by Opinion Matters for BlueVoyant in June 2020, a whopping 80% of organisations have suffered a third-party related breach.

Supply Chain Challenges and Security Risks

It is common for modern-day companies to outsource core functions to improve efficiency and save costs. Working with multiple vendors that address your unique needs is vital to thrive in a competitive business landscape. However, managing different types of vendors can not only be daunting but can also expose your organisation to several threats. That’s why understanding the challenges and risks that come with third-party vendors or suppliers is critical for the safety and security of your business.

Listed below are some of the challenges and risks that organisations constantly face in a supply chain ecosystem.

Inadequate Visibility and Lack of Direct Control

According to the survey commissioned by BlueVoyant, 77% of respondents said they had limited visibility into the functioning of their third-party vendors. Multiple vendors and lack of resources limit organisations from continuously monitoring the entire vendor ecosystem and maintaining control of the supply chain. Without adequate visibility and control into third-party networks, it can be extremely challenging to identify potential risks or respond to threats appropriately.

Lack of Data Integrity

Today’s organisations are data-driven, and as such, data integrity is crucial for informed decision making, improving operational efficiency and gaining a competitive advantage. Since a supply chain involves a mix of multiple third parties who have access to sensitive information, such as customer details, financial data, trade secrets and more, ensuring the integrity of the sheer volume of data on hand can be a hurdle.

Dig deeper with the article: How to Effectively Manage Supply Chain Risks

One mistake from a third-party business partner could lead to a potential security breach, which could have a devastating impact on both your business and the entire supply chain ecosystem. Having a comprehensive third-party risk management strategy, backed by a robust backup and recovery solution, is vital to better manage and secure your organisation’s data when unexpected disaster strikes.

Poor Security Practices

Over 75% of organisations have been victims of a data breach due to security vulnerabilities in their partners’ networks. While your IT security posture may be solid, bad actors can easily infiltrate your third party’s weak network. It is hard to control the security practices of supply chain partners, which makes it even more difficult to identify potential threats that might be lurking in their unpatched servers or systems. Since a supply chain is deeply interconnected, a weak link can sabotage the entire network.  

Working with a diverse portfolio of supply chain vendors also translates into increasing third-party access to your organisation’s IT infrastructure, applications and data. Therefore, defining roles and controlling user access to sensitive data is critical to mitigating security and compliance risks. Learn more about Access Control.

The Human Factor

While companies rely heavily on technology to improve efficiency and service delivery, human error is one of the leading causes of data breaches. From browsing infected websites to failing to maintain password hygiene, an untrained and unaware workforce can leave security gaps throughout the supply chain and within your own organisation as well. Although these actions may be unintentional, they open doors for cybercriminals who are constantly looking for opportunities to infiltrate your company’s network.

Read: The Biggest Risk for your Organisation – Your Employees

Protect Your Business and Data

When it comes to protecting your business and data, you must not ignore the threats posed by your supply chain. Not only should you secure your IT infrastructure and data, but you should also ensure your third-party systems, data and applications are appropriately backed up and protected.

Contact us today to find out how you can securely protect your company’s assets against growing cyberthreats. Leverage the power of technology and enjoy your well-earned peace of mind.


Article curated and used by permission. 

Data Sources: 

  • Blue Voyant Global Insights: Supply Chain Cyber Risk Report 

Protecting Your Business-Critical Data From Human Threat 

Photo by Austin Distel on Unsplash

Reading Time: 4 Minutes
The technology-driven era we live in has made information sharing and data access very efficient. Still, it has also brought forth a new set of challenges. One of the notable challenges businesses face in this day and age is the rising threat to data security. However, the threat to business data does not always come from external actors. According to a study by CybSafe, human error, whether intentional or unintentional, was the main reason behind 90% of data breaches in 2019. To make matters worse, insider-related cybersecurity incidents have increased 47% in the last two years. 

Recommended Read: How can SMEs Apply Zero Trust Cyber Security Practices?

Therefore, it’s safe to say that the biggest threat to business-critical data comes from human elements inside an organisation. Since data is the lifeline of most businesses in this digital environment, any compromise can jeopardise operations and bring businesses to a complete halt. To avoid this, companies need to be aware of the threats posed by insiders and incorporate the necessary measures to prevent them.

In this blog, we’ll discuss the risks the human factor poses to cybersecurity and how you can overcome them.

Actors and Motivations Behind Insider Threats

There are two main types of actors behind all insider threat incidents: negligent insiders who unwittingly act as pawns to external threats and malicious insiders who become turncloaks for financial gain or revenge. 

Negligent Insiders: These are your regular employees who do their jobs but occasionally fall victim to a scam orchestrated by a cybercriminal. These actors do not have any bad intentions against your company. However, they are also the most dangerous since they account for about 62% of all insider threat incidents.

Negligent insiders contribute to data security breaches by: 

  • Clicking on phishing links sent by untrusted sources 
  • Downloading attachments sent from suspicious sources 
  • Browsing malicious or illegitimate websites using work computers 
  • Using weak passwords for their devices 
  • Sending misdirected emails to unintended recipients 

Train your staff with these tips on How to Avoid Phishing and Creating Stronger Passwords.

Malicious Insiders: These are disgruntled employees who wreak havoc on your data security for financial gain or revenge. While financial gain is the top reason behind most malicious insider actions, it isn’t always the case. Despite being rare in occurrence, these threats often have much more severe consequences since the actors have full access and credentials to compromise your security. For instance, a Chinese national allegedly stole trade secrets from a US-based petroleum firm, with the value of these secrets estimated to be about $1 billion. Losses of this magnitude are usually quite severe for any organisation, irrespective of its size.

Best Ways to Prevent Insider Threats and Protect Data

When a business falls victim to a data security breach, it faces more than just financial repercussions. The organisation’s reputation, competitive advantage, intellectual property, etc., often come under fire following an insider threat incident. Additionally, some compliance regulations impose hefty fines on businesses for allowing such a breach to occur. It is estimated that 60% of companies go out of business within six months of a major data breach incident. That’s why you must take a proactive approach when it comes to combating insider threats. 

Detecting Insider Threats 

Certain factors can help you identify insider threats before you experience a full-blown breach: 

  • Human behaviour: A potential insider with malicious intent against an organisation will exhibit abnormal behaviour. For instance, an employee trying to access privileged information and frequently staying late after office hours could be suspicious behaviour to watch out for. 
  • Digital signs: Before a major breach due to insider threats, you may witness some abnormal digital signs like a substantial amount of data downloaded, high bandwidth consumption, traffic from unknown sources, unauthorised use of personal storage devices, etc. 
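The digital signs listed above can be turned into simple detection logic. The following is an added example, not code from the original article: it runs over constructed endpoint log lines and flags a per-user download spike against that user’s own median daily volume, transfers to destinations outside an assumed allow-list, and removable-storage mounts. The allow-list, spike factor and size floor are assumptions, not values from the article.

```python
"""Flag the 'digital signs' of a possible insider incident from constructed
endpoint log lines. Every log line, host name and threshold here is a
constructed example for illustration."""
import statistics
from collections import defaultdict
from dataclasses import dataclass

# Assumed tuning values (not from the article): a day counts as a spike when it
# exceeds 5x the user's median daily download volume AND at least 500 MB.
KNOWN_HOSTS = {"files.internal.example", "mail.internal.example"}
SPIKE_FACTOR = 5.0
SPIKE_FLOOR_BYTES = 500_000_000

# Constructed sample log: "<date> <user> <event> <bytes> <destination-or-device>"
SAMPLE_LOG = """\
2024-03-01 alice download 120000000 files.internal.example
2024-03-02 alice download 110000000 files.internal.example
2024-03-03 alice download 130000000 files.internal.example
2024-03-04 alice download 95000000 files.internal.example
2024-03-05 alice download 1400000000 files.internal.example
2024-03-05 alice upload 900000000 198.51.100.23
2024-03-05 alice usb_mount 0 sdb1
2024-03-01 bob download 50000000 files.internal.example
2024-03-02 bob download 60000000 files.internal.example
2024-03-03 bob download 55000000 files.internal.example
2024-03-04 bob download 45000000 files.internal.example
2024-03-05 bob download 70000000 files.internal.example
"""


@dataclass(frozen=True)
class Finding:
    date: str
    user: str
    sign: str      # download_spike | unknown_destination | removable_storage
    detail: str


def parse_log(text):
    """Parse the constructed log format into (date, user, event, bytes, dest)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, user, event, nbytes, dest = line.split()
        events.append((date, user, event, int(nbytes), dest))
    return events


def detect_insider_signs(log_text):
    """Return the findings for every user in the log, sorted by date."""
    events = parse_log(log_text)
    findings = []
    daily_downloads = defaultdict(lambda: defaultdict(int))  # user -> date -> bytes

    for date, user, event, nbytes, dest in events:
        if event == "download":
            daily_downloads[user][date] += nbytes
        # Traffic to a destination that is not on the allow-list
        if event in ("download", "upload") and dest not in KNOWN_HOSTS:
            findings.append(Finding(date, user, "unknown_destination",
                                    f"{event} of {nbytes} bytes to {dest}"))
        # Use of a personal storage device on a work machine
        if event == "usb_mount":
            findings.append(Finding(date, user, "removable_storage", f"mounted {dest}"))

    # Compare each day with the median of the user's OTHER days, so that the
    # spike itself does not inflate the baseline it is measured against.
    for user, per_day in daily_downloads.items():
        for date, total in per_day.items():
            others = [v for d, v in per_day.items() if d != date]
            if not others:
                continue
            baseline = statistics.median(others)
            if total >= SPIKE_FLOOR_BYTES and total > SPIKE_FACTOR * baseline:
                findings.append(Finding(date, user, "download_spike",
                                        f"{total} bytes vs median {int(baseline)}"))

    return sorted(findings, key=lambda f: (f.date, f.user, f.sign))


if __name__ == "__main__":
    for f in detect_insider_signs(SAMPLE_LOG):
        print(f"{f.date} {f.user:<6} {f.sign:<20} {f.detail}")
```

In the sample data only alice is flagged, on three signs; bob’s 70 MB day stays under the floor and within his usual range.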

Defence Strategies Against Insider Threats

There are a few strategies that you can implement throughout your organisation to minimise the possibility of insider threats.

  • Insider threat defence plan: Your strategies against insider threats start by creating a defence plan specific to insider threats. You need to define what constitutes abnormal behaviour in your employees and set up alerts for digital signs in your IT environment. Most importantly, you need to limit access to critical data and provide unique credentials for those with access to your data. Learn more about Access Control.
  • Data backup: Backups are essential to protect your data in case of an unavoidable loss. With regular backups for your critical data, your business can get back up and running after a security breach involving an insider. Before you back up your data, you need to classify what data is worth protecting and create a strategy accordingly. Learn more about Backup and Disaster Recovery.
  • Employee training: When properly trained, employees could be your first line of defence against various cyber threats. You need to create an organisational-level best practices policy that outlines clear instructions on BYOD (Bring Your Own Device) policies, passwords, remote working, etc. Learn more about Employee Training.

Reach Out to Us to Protect Your Critical Data

The average cost of insider threats increased by 31% between 2017 and 2019 and is estimated to be around $11.45 million. With this cost expected to rise over the years, having a trusted partner by your side to protect your data from all kinds of human threats can go a long way towards securing your business.

With our years of expertise in data security and storage, we can help you incorporate innovative strategies to protect your data. Give us a call today, and one of our specialists will be happy to discuss your needs and propose solutions tailored to your business. 

Article curated and used by permission.  

Data Sources:  

  • https://www.venafi.com/blog/7-data-breaches-caused-human-error-did-encryption-play-role 
  • Ponemon 2020 Cost of Insider Threats Global Report 
  • https://www.tessian.com/blog/insider-threat-statistics/#:~:text=According%20to%20one%20study%3A,for%2014%25%20of%20all%20incidents. 
  • https://www.justice.gov/opa/pr/chinese-national-charged-committing-theft-trade-secrets 
  • https://cybersecurityventures.com/60-percent-of-small-companies-close-within-6-months-of-being-hacked/


Securing Company Data With a Remote Workforce  


Reading Time: 4 Minutes
In 2018, BlueFace predicted that remote work would start competing with office work by 2025. Little did they know that the pandemic would accelerate this process tenfold. Businesses were thrown into the deep end when they had to suddenly switch to a fully remote workforce. While some adapted to the ‘new normal’ by taking immediate measures to deal with the shift, the vast majority were unprepared to manage such an enormous transformation.

Amid this chaos, a host of challenges emerged, with the biggest being the unprecedented surge in cyberattacks. Cybercriminals caught businesses in a state of panic and exploited their lack of preparation to wreak havoc worldwide. A survey by Barracuda found that 46% of global companies encountered at least one cybersecurity scare since moving to a remote working model during the lockdown.

Recommended Article: 8 Steps to Secure Remote Working in the Pandemic

With today’s decentralised work environments here to stay, it is imperative that you act proactively towards securing your business’ data from unauthorised access, accidental loss and wilful destruction.

Due to the threats emerging as a result of remote work, businesses need to avail themselves of enterprise-class business continuity and disaster recovery solutions. Here’s why.

5 Reasons Why Your Remote Workforce Is a Prime Target for Cybercriminals

Remote work is making businesses uniquely vulnerable to cyberattacks. However, with the additional strain of the pandemic, the stakes have been raised significantly. Here are five reasons that make your remote workforce a darling of cybercriminals. 

  • Unsafe Home Networks: It goes without saying that remote workers logging in from their home networks pose a greater threat than on-site workers using their company’s secure network. Despite being aware of this quite apparent vulnerability, most businesses still tend to invest heavily in on-site security while cutting corners when it comes to securing remote work. 
  • Extended Vulnerabilities: When a significant chunk of work occurs over the internet, it opens up a Pandora’s box of threats targeting web services and applications. The greater the number of hazards, the higher the possibility of at least one threat penetrating the limited barriers securing remote work.
  • Challenges With Remediation: Infected or vulnerable machines need immediate technician attention, which is easy to accomplish in a conventional office environment. However, carrying out remediation efforts on remote endpoints presents a significant challenge, both in terms of access and structure, which are often not ideal. This makes it more likely for security to be compromised.
  • Limited Security: Most cybersecurity solutions don’t do such a good job securing remote endpoints as they do with in-house assets. This leaves the safety of remote devices, especially personal/BYOD devices, in the lurch.
  • Isolated Devices: Devices that have been updated with standard security settings that apply to all IT assets of a business are less vulnerable to security lapses. However, personal devices of employees used for company work do not hold the same security safeguards, making them an easy target.

Now that we have established why your remote workforce needs adequate protection, let’s find out what measures you can take to achieve it.

Securing Your Remote Workforce Promptly 

The longer you take to secure your remote workforce, the more you jeopardise the safety of your business’ mission-critical data.

Here’s a list of measures you must undertake immediately to secure your company data:

Cloud-Based Backup and Recovery: While managing an increasingly remote workforce, you must turn to a robust and reliable cloud backup platform that allows you to efficiently back up endpoint data and recover it whenever needed. 

Business Continuity and Disaster Recovery (BCDR): Formulate a comprehensive BCDR strategy immediately to ensure no incident grinds your business to a halt for a long time. Please remember to recalculate and revise your recovery objectives, given how remote work is now normalized.

Regular Recovery Testing: Implement a strategy to regularly test data recovery to ensure your data recovery solution does not give way when you need it the most. 


Safeguarding SaaS Data: Most businesses do not implement a strategy for securing SaaS data since they assume SaaS platforms secure it anyway. Unfortunately, that isn’t true. Your SaaS data is your responsibility, especially when most of your workforce will rely on SaaS applications while working remotely. While building a policy for it, you must also consider optimizing the storage for each user to ensure no data gets lost in transit. 

Awareness Training: 51% of businesses that responded to the Barracuda survey admitted that their workforce wasn’t proficient enough or adequately trained on cybersecurity risks associated with remote work. You must assess whether this is also the case at your business and immediately develop a strategy to rectify it. The more aware your employees are, the more diligently they will follow backup policies. For more info, read Navigating Backups and Training in Unprecedented Times.

Ongoing Risk Management: Consider it a top priority to assess the potential risks your network and backed-up data are exposed to. Without this, any corrective action would be guesswork. A continuous assessment helps you address your backup needs as soon as they emerge. 

We have several resources concerning Risk Management. If you’re looking for more info on this topic, we recommend starting with the article Managing your Technology Risk.

Undertaking these measures will not only tighten the security of your data but also help your business demonstrate compliance with data protection regulations that apply to your industry.

Tackling remote work-related threats and securing your business data isn’t as taxing as it seems when you have proper assistance and support. Our team will be happy to help. Contact us today to learn more directly from one of our specialists, who will look to understand your challenges and work on a plan tailored to your business. Book your no-commitment, 30-minute Discovery Call to find out what good looks like.

Thanks for reading. Feel free to visit our blog and social media for more exclusive content.

  

Data Sources: 

  • https://www.blueface.com/blog/infographic-2018-bct-report-key-takeaways/ 

How can SMEs Apply Zero Trust Cyber Security Practices

Photo by FLY:D on Unsplash

Reading Time: 3 Minutes

Adopt Zero Trust Security for Your SMB

With the cyber threat landscape getting more complicated with every passing minute, cyber security deserves more attention than ever. Fully trusting applications, interfaces, networks, devices, traffic and users without authentication is no longer an option. Misjudging and misplacing your trust in a malicious entity can lead to severe breaches that can damage your business. Zero Trust Security practices, however, can go a long way towards helping small and medium-sized businesses minimize cyber security risks and prevent data breaches.

Zero Trust was introduced in 2010 by John Kindervag, a former Forrester analyst. The concept has since gained wide acclaim and approval as a trusted framework for cybersecurity. The Zero Trust approach trusts nothing within or outside its perimeter and insists on verifying everything attempting to connect to the company systems before granting access. In simple terms, the National Institute of Standards and Technology (NIST) refers to it as a “never trust, always verify” approach. 

Security Frameworks: NIST or ISO27001? Which one to choose?

Implementing Zero Trust Security within your business can help guard against data breaches, downtime, productivity loss, customer churn and reputation damage. Over 70% of companies planned for the deployment of Zero Trust in 2020, and it is even more critical for SMEs in an era where workforces and networks are becoming heavily distributed.

Three Misconceptions and Facts About Zero Trust Security

First Misconception: Zero Trust Security is only for enterprises. 

The Zero Trust cybersecurity framework is a proven counterthreat strategy. While it’s true that enterprises prioritise the protection of their data and networks by deploying the best solutions and approaches, SMEs must also protect sensitive data and networks.

Smaller companies might not have access to the fanciest solutions but can still take adequate measures to minimize internal and external vulnerabilities. Thus, Zero Trust Security isn’t just for enterprises. It is equally significant for SMEs as well.

Second Misconception: Zero Trust Security is too complex. 

By applying Zero Trust concepts at a scale that makes sense for your business, you will realize it isn’t as complex as you thought. Once you have the right policies, training and tools in place, the process becomes routine.

Third Misconception: The cost of implementing Zero Trust is too high.

Zero Trust adoption is operationally and economically feasible if you focus on your most critical applications and data sets first. To learn about the main aspects you should improve, we recommend performing a Gap Analysis.

Still Not Convinced?

Let’s look at a few statistics that should convince you of the seriousness of today’s cyber threat landscape as well as the need for a Zero Trust approach:

  • Human error causes close to 25% of data breaches – Unfortunately, it is not enough to distrust external networks; you cannot fully trust even a single user within your own network. 
  • Experts predict that ransomware attacks will occur every 11 seconds in 2021 – This gives you no time to be complacent. 
  • Over 40% of employees are expected to work from home post-pandemic – When this happens, many devices, users and resources will interact entirely outside the corporate perimeter. This increases the risk of an incident occurring. 
  • Phishing attacks have increased by over 60% since the pandemic started – To counter such a scenario, cybersecurity policies must be dynamic and adapt to address additional concerns. 

If you’re not equipped with a solid defence against cyberthreats, you may regret it later when a breach happens. Chances are, your current approach to cyber security comes short of stopping cybercriminals from accessing your network. The Zero Trust approach can change all that.

Adopting Zero Trust Security within your business does not mean throwing away your existing security tools and technologies. In fact, according to NIST, Zero Trust Security must incorporate existing security tools and technologies more systematically.

Build an effective Zero Trust model that encompasses governance policies — like giving users only the access needed to complete their tasks — and technologies such as:

  1. Multifactor authentication
  2. Identity and access management
  3. Risk management
  4. Analytics 
  5. Encryption
  6. Orchestration 
  7. Scoring 
  8. File-system permissions

Taking your business down the path of Zero Trust may not be easy, but it’s undoubtedly achievable and well worth it. Don’t worry about where and how to begin. With the right MSP partner by your side, your journey becomes easier and more likely to succeed. Contact us to get started.

Our specialists will be happy to provide advice and answer any doubts about technology and security you might have. Then we can outline priorities and develop a plan to bring you where you want to be.

Thanks for reading. Feel free to visit our blog and social media for more exclusive content.

Source:

  1. Solutionsreview.com 
  2. IBM 2020 Cost of Data Breach Report 
  3. JD SUPRA Knowledge Center 
  4. Gartner Report 
  5. Security Magazine Verizon Data Breach Digest

Compliance Standards: Is your business ready for HIPAA and PCI-DSS?

Photo by Markus Spiske on Unsplash

Reading Time: 3 Minutes
One of the many challenges you probably face as a business owner is dealing with the vague requirements present in HIPAA and PCI-DSS legislation. Due to the unclear regulatory messaging, “assuming” rather than “knowing” can land your organization in hot water with regulators.

Recommended Article – Governance: Understanding Guidelines, frameworks and standards

The Health and Human Services (HHS) Office for Civil Rights receives over 1,000 complaints and notifications of HIPAA violations every year. When it comes to PCI-DSS, close to 70% of businesses are non-compliant. While you might assume it’s okay if your business does not comply with HIPAA or PCI-DSS since many other companies are non-compliant as well, we can assure you it’s not. Keep in mind that being non-compliant puts you and your business at risk of being audited and fined.

Risks of Failing to Meet Minimum Compliance Requirements

Never take compliance lightly because non-compliance can lead to:

  1. Hefty penalties: HIPAA violations can draw fines ranging from $100 to $50,000 per violation, with a maximum fine of $1.5 million per calendar year of non-compliance. PCI-DSS can squeeze your budget too, with penalties ranging from $5,000 to $100,000 per month.
  2. Uninvited audits: Non-compliance can lead to unpleasant inspections and audits that can result in fines. 
  3. Denial of liability insurance claims: You must be extra careful while selecting solutions for your business. Using a single non-compliant solution can cause your insurance provider to deny a liability insurance claim. 
  4. Loss of business reputation: It takes years to build a reputation and just minutes to ruin it. Don’t let your business fall into the pit of non-compliance – it’s all under your control. 
  5. Imprisonment or even forced closure: In cases of severe non-compliance, regulatory bodies can sanction the arrest of top executives or even close the business.

First Step to Compliance: A Thorough and Accurate Risk Assessment.  

Are Your Existing Business Tools Compliant? 

If you are unsure where to start, assessing your business tools — cloud, VoIP, email service, electronic file-sharing service, applications, etc. — is an excellent place to start.

Protecting your SaaS Data is your Responsibility – learn more with our article on the topic

If your main business activities are performed within such tools, the standards those tools meet will directly affect your compliance level. Here are a few ways to check your existing business tools for compliance: 

HIPAA

  • Does the tool use AES 256-bit encryption? HIPAA requires sensitive data, such as electronic Protected Health Information (ePHI), to be encrypted whether it is at rest or in transit. (How does encryption work?)
  • A tool with proper access controls ensures those who genuinely need sensitive data can access it. What’s your tool’s access control policy?
  • Is there automatic log-off in place if no user activity is detected over a specified timeframe? HIPAA requires this in order to safeguard high-risk data. 

PCI-DSS

  • Were the vendor default passwords set during initial setup changed after installation? PCI-DSS stresses the importance of changing them to keep threats at bay.
  • Are inactive user accounts removed or frozen after the warning period? Inactive accounts are easy targets for attacks. 
  • Does your tool store, retrieve or transmit cardholder information? If so, it must have the newly mandated version of the Transport Layer Security (TLS) protocol. 

These lists are not comprehensive and only scratch the surface. Also, none of the points mentioned above ensures the tool is HIPAA or PCI-DSS compliant. Just consider it a starting point.
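The two checklists above can be applied mechanically to a tool’s configuration as a first pass. The following is an added example, not code from the original article or from any vendor: it audits two constructed configuration records, one left on vendor defaults and one hardened, against each checklist point. Where the standards quoted above give no concrete number (idle timeout, inactivity period, minimum TLS version) the value used is an assumption and is marked as such.

```python
"""Audit a business tool's configuration against the HIPAA and PCI-DSS checklist
points above. The configuration records and thresholds are constructed for
illustration only."""
from datetime import date

# Assumed policy values (the checklist itself gives no numbers for these)
MIN_TLS = (1, 2)          # assumed minimum TLS version for cardholder data
MAX_IDLE_MINUTES = 15     # assumed automatic log-off threshold
INACTIVE_DAYS = 90        # assumed warning period before freezing an account
TODAY = date(2024, 3, 31)  # fixed so the example is reproducible


def _tls_tuple(version):
    """'1.2' -> (1, 2) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def check_tool(cfg, today=TODAY):
    """Return a list of (standard, finding) tuples; an empty list means no gaps."""
    findings = []

    if cfg.get("handles_ephi"):
        # HIPAA: AES-256 for ePHI regardless of whether it is at rest or in transit
        for state in ("at_rest", "in_transit"):
            enc = cfg.get("encryption", {}).get(state, {})
            if enc.get("cipher") != "AES" or enc.get("key_bits", 0) < 256:
                findings.append(("HIPAA", f"ePHI {state} is not protected with AES-256"))
        # HIPAA: access limited to those who genuinely need the data
        ac = cfg.get("access_control", {})
        roles = ac.get("roles", {})
        if not ac.get("role_based") or any("*" in perms for perms in roles.values()):
            findings.append(("HIPAA", "no least-privilege access control policy"))
        # HIPAA: automatic log-off after a period of inactivity
        idle = cfg.get("idle_timeout_minutes", 0)
        if idle <= 0 or idle > MAX_IDLE_MINUTES:
            findings.append(("HIPAA", "automatic log-off missing or too lax"))

    for acct in cfg.get("accounts", []):
        # PCI-DSS: vendor default passwords must be changed after installation
        if not acct.get("password_changed", False):
            findings.append(("PCI-DSS", f"account {acct['name']} still uses a default password"))
        # PCI-DSS: inactive accounts must be removed or frozen
        last_login = date.fromisoformat(acct["last_login"])
        if acct.get("enabled") and (today - last_login).days > INACTIVE_DAYS:
            findings.append(("PCI-DSS", f"account {acct['name']} is enabled but inactive"))

    if cfg.get("handles_cardholder_data"):
        # PCI-DSS: cardholder data must travel over the mandated TLS version
        if _tls_tuple(cfg.get("tls_version", "0")) < MIN_TLS:
            findings.append(("PCI-DSS", f"TLS {cfg.get('tls_version')} is below the required minimum"))

    return findings


# Constructed: a file-sharing tool left on vendor defaults
WEAK_TOOL = {
    "handles_ephi": True,
    "handles_cardholder_data": True,
    "encryption": {"at_rest": {"cipher": "AES", "key_bits": 128},
                   "in_transit": {"cipher": "RC4", "key_bits": 128}},
    "access_control": {"role_based": False, "roles": {"everyone": ["*"]}},
    "idle_timeout_minutes": 0,
    "tls_version": "1.0",
    "accounts": [
        {"name": "admin", "password_changed": False, "enabled": True, "last_login": "2023-11-02"},
        {"name": "jdoe", "password_changed": True, "enabled": True, "last_login": "2024-03-28"},
    ],
}

# Constructed: the same tool after remediation
HARDENED_TOOL = {
    "handles_ephi": True,
    "handles_cardholder_data": True,
    "encryption": {"at_rest": {"cipher": "AES", "key_bits": 256},
                   "in_transit": {"cipher": "AES", "key_bits": 256}},
    "access_control": {"role_based": True,
                       "roles": {"clinician": ["phi:read"], "billing": ["card:write"]}},
    "idle_timeout_minutes": 10,
    "tls_version": "1.2",
    "accounts": [
        {"name": "admin", "password_changed": True, "enabled": True, "last_login": "2024-03-30"},
        {"name": "old_intern", "password_changed": True, "enabled": False, "last_login": "2023-06-01"},
    ],
}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_TOOL), ("hardened", HARDENED_TOOL)):
        print(f"{name}: {len(check_tool(cfg))} finding(s)")
        for standard, msg in check_tool(cfg):
            print(f"  [{standard}] {msg}")
```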

If you’re confused about what your next steps should be, don’t worry. We’re here to help.

Use our expertise in compliance matters to conduct a comprehensive assessment of your business’s current state of compliance. We call this the Gap Analysis, and with it, you’ll have a clear understanding of where you are and what is missing to reach your goals.

This analysis also covers the cybersecurity and technology perspective, both crucial for business success in the long run. Talk to us now to learn more.


Sources: 

  1. National Library of Medicine 
  2. Help Net Security Magazine 
  3. Security Boulevard 


How Backup and Disaster Recovery Protects SMEs 

Photo by DocuSign on Unsplash

Reading Time: 3 Minutes
Many SMBs operate with a sense of unrealistic optimism when it comes to data loss and disaster recovery. However, the reality can be quite different and negatively affect your business if you’re not vigilant. As the rate of digitalization increases, so does the risk of data loss. Can your business afford a data-loss incident?

It doesn’t matter if data loss happens because of human error, cyberattack or natural disaster. It can have far-reaching consequences such as:

  1. Severe downtime: For SMBs, per-hour downtime costs vary from $10,000 to $50,000 [1]. 
  2. Damage to reputation: One-third of customers will end their association with a business following a severe data loss.
  3. Regulatory penalties: Failure to protect data can draw penalties worth 2% to 4% or more of company turnover.
  4. Permanent closure: Some businesses are unable to recover from an incident and close permanently.


Prioritising backup and disaster recovery for your business is very important. A comprehensive backup and disaster recovery solution provides secure, uninterrupted backup and quick data recovery — with a cloud-based architecture that ensures the company runs seamlessly in the event of a disaster. 

Key Terms Used in Backup and Disaster Recovery 

The following terms will give you an idea about the type of actions and processes you should aim to implement within your business:

Minimum Business Continuity Objective (MBCO) 

MBCO signifies the minimum level of output needed after severe disruption to achieve business objectives. It is the minimum acceptable level of products or services that must be provided during a disaster. Articulated correctly, the MBCO gives guidance on what should be recovered as a priority and how extensive the recovery should be.


Maximum Tolerable Period of Disruption (MTPD)

MTPD is the duration after which the impact on a business caused by disrupting critical services and products becomes intolerably severe. This has to be well discussed and agreed upon with your service provider to ensure your expectations will be met when a disaster strikes.

Visit our Downtime Calculator on our Resources Page to estimate how much each hour of downtime would cost you. 

Recovery Time Objective (RTO)

RTO is the time it takes before employees can start working after a disruptive event. It’s usually measured in minutes and derives directly from the MTPD. 

Recovery Point Objective (RPO) 

RPO is the amount of work that can be lost and will need to be done again after a data-loss event. It’s usually measured in seconds. The shorter this time is, the better, as it means less data will be lost.
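To make the four terms concrete, the Go program below measures an incident against a backup job log: the data-loss window is the gap between the last successful backup and the incident, which is what the RPO limits, and the downtime is the gap between the incident and restored service, which is what the RTO and the MTPD limit. It is an added example written for this article, not Spector's own material or a product feature; the backup log, incident times and target values are constructed for the example.

```go
package main

import (
	"fmt"
	"time"
)

// Targets holds the recovery objectives agreed in the plan.
type Targets struct {
	RPO  time.Duration // maximum acceptable data-loss window
	RTO  time.Duration // time within which staff must be able to work again
	MTPD time.Duration // disruption beyond this is intolerable; the RTO must be shorter
}

// BackupRun is one entry from a backup job log.
type BackupRun struct {
	Finished time.Time
	Success  bool
}

// Outcome is what the incident actually cost, measured against the targets.
type Outcome struct {
	DataLoss   time.Duration // gap between the last good backup and the incident
	Downtime   time.Duration // gap between the incident and restored service
	NoBackup   bool          // no successful backup existed before the incident
	RPOMet     bool
	RTOMet     bool
	WithinMTPD bool
}

// Evaluate compares an incident against the backup log and the targets.
// A plan whose RTO exceeds its MTPD is rejected, since the RTO derives from the MTPD.
func Evaluate(runs []BackupRun, incident, restored time.Time, t Targets) (Outcome, error) {
	if t.RTO > t.MTPD {
		return Outcome{}, fmt.Errorf("RTO %v exceeds MTPD %v: plan is inconsistent", t.RTO, t.MTPD)
	}
	var lastGood time.Time
	for _, r := range runs {
		// Only backups that completed successfully before the incident can be restored from.
		if r.Success && !r.Finished.After(incident) && r.Finished.After(lastGood) {
			lastGood = r.Finished
		}
	}
	out := Outcome{Downtime: restored.Sub(incident)}
	if lastGood.IsZero() {
		out.NoBackup = true // everything since the start of the system is lost
	} else {
		out.DataLoss = incident.Sub(lastGood)
		out.RPOMet = out.DataLoss <= t.RPO
	}
	out.RTOMet = out.Downtime <= t.RTO
	out.WithinMTPD = out.Downtime <= t.MTPD
	return out, nil
}

func main() {
	day := func(d, h, m int) time.Time { return time.Date(2022, 3, d, h, m, 0, 0, time.UTC) }
	// Constructed backup log: nightly jobs at 02:00, the last of which failed.
	runs := []BackupRun{
		{Finished: day(1, 2, 0), Success: true},
		{Finished: day(2, 2, 0), Success: true},
		{Finished: day(3, 2, 0), Success: false},
	}
	targets := Targets{RPO: 24 * time.Hour, RTO: 4 * time.Hour, MTPD: 8 * time.Hour}
	out, err := Evaluate(runs, day(3, 10, 30), day(3, 14, 30), targets)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("data lost: %v (RPO met: %v)\n", out.DataLoss, out.RPOMet)
	fmt.Printf("downtime: %v (RTO met: %v, within MTPD: %v)\n", out.Downtime, out.RTOMet, out.WithinMTPD)
}
```

In the sample run the failed job on the morning of the incident pushes the data-loss window to 32.5 hours against a 24-hour RPO, which is the kind of silent miss that only a log check reveals; the restore itself lands exactly on the 4-hour RTO and well inside the MTPD.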


Deploy Backup and Disaster Recovery Today

Having an effective backup and disaster recovery solution provides several benefits. Here are the top six: 

1. Stay protected against natural disasters

The first half of 2020 alone had close to 200 reported natural disasters. While it’s impossible to stop a natural disaster, you can ensure your data is protected and take the necessary measures to prevent downtime. 

2. Minimize the impact of a cyberattack

With the rate of cyberattacks going through the roof and SMEs being a constant target of attacks, it is essential to have a robust backup and disaster recovery solution to protect your business.

3. Safeguard sensitive data

If your business handles sensitive data like Personally Identifiable Information (PII), measures should be taken to ensure it never ends up in the wrong hands. Safeguarding all critical data can build your business’s reputation and prevent regulatory penalties.

4. Quick recovery

It doesn’t matter how disaster strikes. What matters is how quickly your business bounces back. A good backup and disaster recovery solution helps you get up and running as soon as possible. 

5. Reduce the impact of human error

From accidental or intentional misdelivery or deletion to corruption of data, employees can pose a security threat to your business. Deploying backup and disaster recovery is, therefore, crucial. You must also train your employees on the difference between acceptable and unacceptable behaviour.

6. Tackle system failure

Unexpected system failure can lead to downtime if you don’t equip your business with backup and disaster recovery.

Remember, it’s your responsibility to protect your business from data loss and its chaotic aftereffects. If you can’t handle this alone, don’t worry. We’re here for you. With our backup and disaster recovery solutions, we can help build a resilient strategy to protect your business against data loss and give you much-needed peace of mind in the event of a disaster.  

Get in touch today and our specialists will be happy to assist in all things technology, GRC and cyber security.


Article curated and used by permission. 

Sources: 

  1. TechRadar 
  2. IDC Report 
  3. GDPR Associates 

Encryption Explained – A Clear and Simple Guide

Photo by Markus Spiske on Unsplash

Reading Time: 6 Minutes
The science of encryption has been the answer to the fundamental human need to conceal and protect sensitive information from prying eyes. Although the technology has undergone a drastic metamorphosis over the ages, the fundamental concept behind encryption has remained unchanged. Encryption involves substituting the original information with codes that can be deciphered only by authorized parties.  

From the first hieroglyphics of Ancient Egypt appearing almost 4000 years ago and the Scytale used by the Spartan military in 700 BC, to Thomas Jefferson’s Jefferson wheel in 1797 or the Enigma machine popularized by the Nazis during the second world war, encryption has taken different forms over the centuries.

However, one of the major breakthroughs that continue to inspire the modern-day science of encryption came in 1961 when MIT’s CTSS (Compatible Time-Sharing System) developed the first-ever username and password methodology of user authentication.


Some of the more recent developments in encryption technology include the introduction of AES (Advanced Encryption Standard) in 1997, the launch of reCAPTCHA in 2007 and the emergence of personal data lockers in 2012, all of which are used widely to this day.

What Distinguishes Encryption from Cryptography

To fully understand encryption, we must first define its parent category: cryptography. Although often confused with each other, encryption and cryptography are inherently different. We have put together the following list to demonstrate what sets the two apart: 

Cryptography is: 

  • The concept of securing sensitive information by converting it into a secure format for the purpose of transmission across insecure networks. 
  • A field of study concerned with creating codes through the application of encryption and decryption techniques. 
  • Finds widespread application in digital currencies, electronic commerce, chip-based card payments and military communications.  

Encryption is:

  • Described as the primary application of cryptography and involves concealing confidential data in a way that renders it unintelligible for unauthorized users. 
  • The process of encoding a piece of information by using an algorithm for encrypting and a secret key for decrypting it. 
  • A critical aspect of modern data security. It is used for securing digital signatures and the data stored on smartphones and other mobile devices. It is widely used for safeguarding confidential electronic data, including emails, folders, drives and files.  

Types of Encryption You Must Know About

There are two main ways in which data encryption is carried out today, namely shared secret encryption (symmetric cryptography) and public key encryption (asymmetric cryptography).  

Shared Secret Encryption

As the name suggests, this form of encryption employs a single secret key that is required to encode the data into unintelligible gibberish. The intended receiver can then use the same secret key (shared by the sender) to decrypt and decipher the data at their end.  

Since it uses a single private key, symmetric encryption is faster than asymmetric cryptography. However, since the secret key needs to be shared between the sender and the receiver, there are relatively high chances of hackers intercepting the key and gaining unauthorised access to the coded information. 

Public Key Encryption

Asymmetric cryptography employs public-key encryption, which uses a pair of related keys: one public and the other private. While the public key is used to encrypt the message, the receiver must use their private key to decrypt it at their end.    

The fact that there is no prior exchange of secret keys for decryption makes public key encryption more secure than shared secret encryption.
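The two types can be shown side by side in code. The Go program below is an added example for this guide, not code from Spector or from any product mentioned, and it uses only Go's standard library. Shared secret encryption is AES-256-GCM with a key both parties already hold. Public key encryption is shown the way it is normally used in practice, which goes slightly beyond the description above: RSA-OAEP protects a freshly generated AES key, and that AES key protects the message, so the sender needs only the receiver's public key and no secret is exchanged beforehand. The message text is a constructed sample.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// randomKey returns n cryptographically random bytes (32 for an AES-256 key).
func randomKey(n int) []byte {
	key := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err) // a failing system RNG is not something to recover from here
	}
	return key
}

// newReceiverKey generates the receiver's RSA key pair; only the public half is shared.
func newReceiverKey() *rsa.PrivateKey {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return priv
}

// encryptShared seals plaintext with a 32-byte shared secret using AES-256-GCM.
// The random nonce is prepended to the output so the receiver can use it.
func encryptShared(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := randomKey(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptShared reverses encryptShared. GCM also authenticates the ciphertext,
// so a modified message or a wrong key is rejected instead of decrypting to garbage.
func decryptShared(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// encryptPublic sends a message to the holder of a public key with no prior shared
// secret: a fresh AES key encrypts the data, and only that key is encrypted with RSA-OAEP.
func encryptPublic(pub *rsa.PublicKey, plaintext []byte) (wrappedKey, sealed []byte, err error) {
	key := randomKey(32)
	wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, nil, err
	}
	sealed, err = encryptShared(key, plaintext)
	return wrappedKey, sealed, err
}

// decryptPublic is the receiver's side: the private key unwraps the AES key,
// which then decrypts the data.
func decryptPublic(priv *rsa.PrivateKey, wrappedKey, sealed []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return decryptShared(key, sealed)
}

func main() {
	msg := []byte("patient record 1234 (constructed sample data)")

	// Shared secret: both parties must already hold the same key.
	shared := randomKey(32)
	sealed, _ := encryptShared(shared, msg)
	back, _ := decryptShared(shared, sealed)
	fmt.Println("symmetric round trip ok:", string(back) == string(msg))

	// Public key: the sender needs only the receiver's public key.
	priv := newReceiverKey()
	wk, sealed2, _ := encryptPublic(&priv.PublicKey, msg)
	back2, _ := decryptPublic(priv, wk, sealed2)
	fmt.Println("asymmetric round trip ok:", string(back2) == string(msg))

	// A modified ciphertext is detected rather than decrypted.
	sealed2[len(sealed2)-1] ^= 0x01
	_, err := decryptPublic(priv, wk, sealed2)
	fmt.Println("tampered message rejected:", err != nil)
}
```

Two points the code makes that the prose does not: GCM is an authenticated mode, so the last step of main shows a tampered message being rejected outright, and because the private key never leaves the receiver, the key-interception risk described for shared secret encryption does not apply to the RSA-wrapped AES key.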

Cyberthreats and Security Risks to Data Protection & Privacy on the Rise

According to the latest report by the Ponemon Institute, the average cost of a data breach is $3.86 million globally. These costs can almost double when broken down by country, industry or business size, jumping to an average of $8.64 million in the United States or $7.13 million for the healthcare industry.

The report points out that 80% of the data breaches included records containing customer PII (personally identifiable information). The study determined that the average cost of each compromised record was $150 and discovered that over 39% of the total cost of a data breach resulted from lost business.


You might be wondering how this impacts you. It means a single data breach could result in a significant hit to your company’s profits and could also leave your brand reputation tarnished or irreparably damaged.    

Intriguingly, the same report also highlights that extensive data encryption can be a critical factor in mitigating the costs of a breach, by as much as $237,176.

Most businesses, like yours, deal with loads of sensitive data every single day. Unless adequately secured, this confidential data can be exposed to the risk of being accessed by unauthorized users. Although no business is entirely immune to security breaches, implementing data encryption is your best bet when it comes to protecting your confidential information and safeguarding your reputation as well. 


Backup Encryption is the Way to Go  

With multi-national enterprises like Target, Yahoo and Equifax undergoing major data breaches in the not-so-distant past, you can never be too sure of the fact that your privacy is not at stake. Keeping that in mind, it is worth noting that along with encrypting their original data, many users now are also opting for encryption of their data backups. Here’s some food for thought for those of you who are still mulling over whether or not you need backup encryption:

Pros of Encrypting Your Backups  

  • Encrypting the backup data stored on a local hard drive can prevent unauthorized access to private information in the event of a theft.
  • Most businesses today have moved to the cloud for storage of backup data. However, data stored in the cloud is not as secure as you might think. Encrypting the backup data you store in the cloud is an excellent strategy for strengthening your cybersecurity stance.
  • Since the cloud service provider controls the backups stored in the cloud, encrypting them protects the data against unauthorised access by the provider itself.
  • Lastly, by encrypting your backups, you can enjoy peace of mind knowing that every last piece of data associated with your business is fully encrypted and secure.


Cons of Encrypting Your Backups

While data encryption is designed primarily to benefit the user and rarely has any drawbacks when properly implemented, one of the risks associated with encrypting your backup data is losing the decryption key. You need to keep your decryption key secure (just like your other passwords) and handy for easy access to your data backups.

Implement Data Encryption Now to Ward Off Cyberattacks

We have compiled a list of our three main reasons why data encryption is imperative for your business:

It is the Last Line of Defense 

Cyberattacks such as phishing and social engineering that thrive on human error or negligence can be efficiently thwarted with the help of encryption. So, even if the attacker is able to reach within your network, it’s impossible to access the encrypted data without a decryption key.

It Protects Your Data on the Go 

With the concept of the workplace becoming more fluid, data stored on portable devices such as tablets, USB flash drives, laptops and smartphones becomes especially vulnerable to cyberattacks as soon as the device leaves the office network. Encrypting this data is the safest way to ensure that even if your device gets stolen, the data will remain unintelligible and unreadable without a decryption key.

It Helps You Stay Compliant 

In a world where you need to stay compliant with laws and regulations to steer clear of hefty penalties, implementing data encryption is a great option to protect your critical data from cyberthreats and abide by the applicable compliance standards. For instance, the European Union’s General Data Protection Regulation (GDPR) recommends encryption as an effective tool against breaches.

Now is the Time to Invest in Encryption Technology

Cybersecurity is one of the most integral aspects of running a business in the modern world, and encryption is one of the most effective strategies that you can deploy to bolster the integrity of your sensitive data against malicious attacks.

Want to know more about how you can leverage encryption to secure your business? Get in touch with us today! Our specialists will be happy to advise in preparing your business with the best systems available in the market.

Want to learn more about Cyber Security? Our blog is full of helpful articles on the topic.

First Step to Compliance: A Thorough and Accurate Risk Assessment

Photo by Long Phan on Unsplash

Reading Time: 3 Minutes
Complying with data privacy and protection regulations wouldn’t give so many business owners sleepless nights if it only meant installing a predefined list of security solutions. Compliance goes way beyond this, and for good reasons. In principle, regulators, local or international, want businesses to:

  • Assess the type of data they store and manage 
  • Gauge the potential risks the data is exposed to 
  • List down the remediation efforts needed to mitigate the risks 
  • Undertake necessary remediation efforts regularly 
  • And most importantly, document every single step of this seemingly arduous process as evidence 

Each of the above steps is mandatory and non-negotiable. A closer look will tell you that installing a list of expensive security solutions comes only after the first three steps in the process have been followed. Skipping past these initial steps and acting merely on presumptuous knowledge is tantamount to leaving your business’ future to sheer chance. It’s anyone’s guess what that would lead to. 

To get started in compliance, it’s crucial to understand and calculate organisational risk (see our article on the topic).

That’s why we’re going to explain to you why a thorough and accurate risk assessment is truly the first step towards achieving compliance. Moreover, when repeated regularly, it can help you demonstrate continuous compliance while keeping cyber threats at bay.

Security Risk Assessments Unearth Crucial Insights 

A thorough and accurate risk assessment can unearth a host of crucial insights from even the deepest and darkest alleys of your IT environment to ultimately empower your decision making. Having actionable insights at your disposal can help you build strategies to reduce risk levels in practical ways instead of shooting in the dark by testing various tools. 

Here are some of the essential details that become more apparent and unambiguous with every risk assessment. 

The baseline of the System
A risk assessment helps you chart out the lifecycle of all data that is collected, stored and managed in your entire network. 

Identification of Threats
A detailed risk assessment identifies the possible threats your business data is exposed to, whether intentional, unintentional, technical, non-technical or structural.  

Identification of Vulnerabilities
With each assessment, you get the latest list of vulnerabilities prevalent in your network concerning patches, policies, procedures, software, equipment and more. 

Current Status of Existing Controls
From the assessment report, you can also understand the existing security and privacy controls protecting your business against vulnerabilities. 

Related: Learn how to create an Asset Register and Risk Register.

Probability of Impact
An accurate assessment report estimates the probability that a threat exploits one of your network’s existing vulnerabilities.  

Strength of Impact
Risk assessment also helps you gauge the possible impact of any threat hitting your business. 

Imagine how easy it would be for you to build and implement a strategy to fix the security loopholes in your business while maintaining a well-documented record of your efforts. 

Why Risk Assessment Is Needed for Compliance 

While assessing whether you did everything in your capacity to ensure full compliance with the regulations, you also need to keep in mind that a regulator seeks evidence of compliance – documented reports. Besides helping you chart a successful path to compliance, a thorough risk assessment adds significant weight to your evidence of compliance. When you present the risk assessment reports along with other documentation, you demonstrate how your business carried out due diligence in upholding principles of data privacy and protection. 

Learn more in our article: Gathering evidence to prove compliance.

Please remember that no regulator expects you to have a fail-safe strategy. What matters is uncompromising intent, informed action and undeterred consistency. If you can demonstrate all this, you will most likely avoid any punitive action, as well as a long list of problems that could surface afterwards. 

Help Is Just a Conversation Away 

Contrary to what is often claimed, there are no shortcuts to compliance or to any of the steps that lead to it. At the outset, achieving compliance might seem gruelling. However, it isn’t as bad as it looks when due process and expert guidance are followed. 

A conversation with us is all you need so we can help you walk through the complexities of risk assessment with diligent and customised guidance. Get in touch today to receive specialised advice.

Looking for more info on risk management? We have many articles addressing this topic in the Compliance section of our blog. Check it out and let us know if it brought more clarity to your business.

Navigating Backups and Training During Unprecedented Times 

Photo by Heidi Fin on Unsplash

Reading Time: 3 Minutes
The surge in cybercrimes against businesses during the COVID-19 pandemic proved how flexible nefarious cyber players are, ready to twist and turn according to a situation to make profits out of a business’ failure. Remember that it could happen to any organisation, including yours, if you do not arm your business with a robust backup solution and periodic security awareness training.

It’s alarming that phishing shot up by 67% since the start of the pandemic. Initially, when this turn of events stunned the world and businesses struggled to adapt to the new normal, hackers pretending to be the World Health Organization (WHO) duped people into clicking on malicious links or sharing sensitive information. Such evil tricks, if not tackled, can easily violate your business network and lead to a terrible disaster, compromising invaluable data. 

8 Steps to secure remote working for the Covid 19 lockdown 

For instance, in November 2020, the Internal Revenue Service (IRS) in the USA issued a warning regarding an SMS-based phishing scam through which hackers cheated citizens in the name of a ‘COVID-19 TREAS FUND’. When someone clicked on the link provided, they were redirected to a website identical to www.irs.gov, and the site collected their data. This scam is just the tip of an iceberg of phishing scams that unfurled in 2020. 

Cyber security awareness is vital. What if one of your employees fell prey to such a scam? A careless mistake like that could result in a successful cyberattack on your business that can have severe repercussions like data loss, downtime, hefty penalties, lawsuits or even permanent closure.  

The sudden appearance of COVID-19 caused a sense of panic among businesses. With the virus spreading like wildfire, the work-from-home model was the only available option to maintain a safe working environment. However, the unprecedented scale of remote work has endangered the security of several businesses, including yours. If you do not fix the gap between the preparedness and efficacy of your backup and security defences, data loss might be the first of many problems you could face.

Why Backups and Security Awareness Training Matter

Backups can be a lifesaver for your business by protecting your valuable business data from being deleted or altered by malicious cybercriminals. Although the pandemic acted as a catalyst for backup adoption, only 41% of businesses back up their data at least once a day. That is not a very healthy practice, and you must make sure proper policy development, regular testing and continual reviews fuel your backup strategy.

Backups are part of a broader Disaster Recovery strategy. Read Does my SME need Disaster Recovery? to learn more.

Besides protecting your sensitive data, backups can help reduce severe downtime, improve your business’ reputation and act as a single access point for your entire database.


Even if you have all your backups in order, a negligent employee can still be a threat to your business data. In 2020, the San Jose Federal Court convicted an employee from a global MNC for carelessly deleting business-sensitive data. Thus, the only way to tackle the factor of human error is through regular security awareness training.

For more details on security training, read: Employees are your biggest cyber security risk

Always bear in mind that backups and security awareness training are equally important when it comes to your business successfully warding off cyberattacks that can result in downtime, data loss and more. Selecting one over the other can dilute your business’ counter-threat strategy. Undoubtedly, by meticulously implementing a robust backup and regular security awareness training, your business can deal with harsh times like the current pandemic as well as cyber threats that exploit such difficult periods. 

Empower Your Business Now 

If there’s one lesson the pandemic has taught businesses, it’s that it’s better to be safe than sorry. The business world is at a critical juncture, and your proactive approach can make or break your business’ future. While a world without cybercriminals would be great, such a utopian world unfortunately does not exist. The only way forward is through the smart implementation of the best strategies to protect your business data, processes, systems and people. And for that, you must empower your business by integrating backups and comprehensive security awareness training.

Remember, you don’t have to take the first step to a safer tomorrow alone. The right partner by your side can make your journey easier and more successful. It all begins with a simple email to us. Get in touch today


Data Sources:

  • Security Magazine Verizon Data Breach Digest 
  • Security Magazine 
  • Help Net Security Magazine 
  • Bloomberglaw.com 

Ransomware Equals a Data Breach

Photo by Charles Deluvio on Unsplash

Reading Time: 3 Minutes
From a data regulator’s perspective, it is the responsibility of your business to keep data safe from cyber threats, inform clients about a breach within a stipulated period and provide necessary documentation as proof of your efforts. Although different regulations have laid down separate mandates for breach notifications, the principle remains intact.  

While there is an overarching belief that data isn’t really “stolen” in a ransomware breach, no organisation hit with ransomware has been able to back this up as fact. That’s why compliance regulations such as HIPAA, GDPR and CCPA, among others, mandate businesses to notify their clients if their data is in jeopardy.

Learn more about Ransomware and how to avoid it in our complete guide. 

Many businesses, however, tend to operate in something of a ‘grey area’ when it comes to notifying their stakeholders about data breaches. In this blog, we’ll tell you why going down this route can backfire and why your business needs to adopt an inclusive approach that combines the best of cybersecurity and compliance.  

The Grey Area of Notifying Customers About a Data Breach

An increasing number of businesses seem to think that not all ransomware attacks need to be reported, since not every attacker who encrypts data also reads or steals it. They assume that only in sophisticated attacks do hackers possess the necessary skills to encrypt, exfiltrate and misuse data. Only in such cases do businesses accept that a breach has occurred and is hence reportable.

However, this assumption is dangerous for two reasons. First, with enhanced ransomware-as-a-service tools readily available in the market, even a hacker with minimal skills can catch you off guard and wreak havoc. Second, regulatory agencies perceive the situation differently.

Having IT security controls in place will minimise your risk. Learn more in this article.

For example, as per HIPAA’s Privacy Rule, the U.S. Department of Health and Human Services has advised companies to assume that ransomed data contains Personal Health Information, even in “low probability” cases. In fact, some state data breach notification regulations mandate businesses to notify customers even in the case of “unauthorised access” without the need to prove that personal data was stolen. 

Why Businesses Choose Silence Over Breach Notification

Accepting a data breach of any kind isn’t easy for any business due to the severe financial and reputational repercussions. But there are other reasons why companies choose to stay quiet.

Inability to Comply With Data Breach Notification Norms

As rudimentary as it may seem, most businesses lack the ability to adhere to breach notification norms set by several regulations worldwide. Even if a company avoids reporting a ransomware attack, failing to notify its customers or clients on time will still invite stringent action from regulators.  

GDPR – the European Union’s data privacy and protection regulation – has set a 72-hour deadline to report the nature of a breach and the approximate number of data subjects affected. From the moment a business’ IT team establishes, with a level of certainty, that a violation has occurred, the clock starts ticking. 

Is your business capable of adhering to such norms?

Secure Remote Working

The ‘Victim Versus Victimizer’ Perception

Let’s assume a business reported a ransomware breach to its stakeholders and the relevant authorities. On one hand, the law enforcement agencies investigating the matter would perceive the business as a victim, even if it paid the ransom, while on the other hand, the regulators might deem the business to be the victimiser of its customers for failing to protect their data. 

If the business is found to be non-compliant with the necessary security mandates after an audit, the regulators will undertake punitive action after assessing a list of factors. Sony Pictures faced a similar scenario in 2014 after a security breach that impacted some of its employees. 

Reputational Damage

A staggering 78% of people stop engaging with a brand online following a data breach. While your business could still recover from the financial damage caused by ransomware-induced downtime, rebuilding its reputation and regaining the trust of your customers is a long, tedious and, more often than not, futile process. This is one of the main reasons why businesses abstain from reporting a ransomware breach. 

In these situations, having a Disaster Recovery strategy in place could be life-saving for a business.

You Need to Cover Both Ends

While there isn’t a 100% fail-safe strategy to avoid cybersecurity attacks such as ransomware, your business can undoubtedly demonstrate its commitment to preventing security breaches or data loss incidents. This is exactly what compliance regulators, as well as your key stakeholders, look for – how proactively your business can mitigate risk and handle the aftermath of a breach while also adhering to applicable regulations. 

Adopting an inclusive approach that involves the best of cybersecurity and compliance is a step in the right direction. Partnering with an experienced MSP that has a track record of protecting businesses from sophisticated cybersecurity threats and non-compliance risks will greatly benefit your business.

Schedule a call with us today and let us help you proactively meet all your cybersecurity and compliance needs. Our specialists will be happy to explain how we do things and develop a strategy tailored to your business.

Ransomware Explained – The Cybercrime that has struck the HSE


By: Mark Hurley
Reading Time: 6 Minutes
Recently, the HSE – the Irish Health Service Executive – and the Department of Health were struck by a Ransomware attack that shocked the country and made news all over. We’re looking to bring more information on how such an attack was made possible and how you could protect your business from one. Keep in mind that small and medium organisations are the main targets for cybercriminals today, mainly because of their lack of awareness and protection.

In today’s article, we’ll be explaining what Ransomware is, how it happens, and a few basic methods to avoid it. If you’re looking for a fully detailed guide including info on the best tools and procedures to protect your business, we have it in this link: What is Ransomware and How to Avoid it – The Complete Guide.

What is Ransomware

A successful ransomware attack can be devastating to a business. Organisations caught unprepared could be left with the choice between paying a ransom demand and entirely writing off the stolen data. 

In our day-to-day cyber security practice, we perform many assessments with new and potential clients. Among this wide variety of professional companies, we find a very different understanding of the threat Ransomware poses to their businesses.

There are the unknowledgeable optimists that believe it will never happen to them. Clearly, this is not a recommended stance.

There are also the informed optimists that believe they have all angles of protection covered. That may or may not be the case. Assumptions can be dangerous. 

Finally, there are the affected pessimists – the ones who have suffered from a Ransomware attack and for whom it may be too late. We receive calls from complete strangers asking how they deal with a Ransomware hit. We always ask the same two questions – do you have a backup, and do you carry Cyber Liability Insurance. The silence at the end of the phone can be deafening. 

Whichever of these groups you belong to, it is vital to become informed and engage with preventative measures. That way, you can plan for the worst outcomes so your business can continue to thrive after such an attack.  

The purpose of this article is to provide that information and to provide some of the measures required to both prepare and recover if your business is impacted by a ransomware attack. 

Ransomware is a multibillion-dollar criminal enterprise run by cybercriminals to disrupt access to your systems, business data and personal information. It is a form of malware that encrypts a victim’s files; the attacker then demands a ransom in exchange for the key needed to restore access.


Once infected, the attackers demand a ransom (generally in Bitcoin) to restore access to your data and critical business systems. Worryingly, this activity is rising sharply. Research suggests that in 2020 a new organisation was hit by a ransomware attack every 14 seconds, and that ransomware incidents increased 50% in Q3 2020 alone.

Adding insult to injury, cybercriminals are leveraging the Covid crisis to target vulnerable remote workers and infect susceptible organisations. Cybersecurity Ventures predicted that ransomware damage would exceed $20 billion by 2021. Ransomware is so effective because it takes many guises; you must be aware of them to protect your data and your entire network effectively.

Case Study: The NHS

The HSE attack was not the first time cybercriminals targeted healthcare organisations. A famous example is the WannaCry attack of May 2017: a self-propagating worm that spread between unpatched Windows machines over SMB, infected over 230,000 computers across 150 countries within a single day, and encrypted the files it found on each device it reached.

WannaCry mainly affected large organisations, with the National Health Service in the UK being one of the highest-profile victims. The attack’s impact in the UK was lower than it could have been: it was stopped quickly (a researcher registered the kill-switch domain the malware checked before running its payload), and it did not hit critical infrastructure such as railways or nuclear power plants. Even so, economic losses were estimated at over 90 million pounds for the UK alone and about 6 billion pounds worldwide.

In August 2019, 22 local government entities in Texas were hit with ransomware in a single coordinated attack. The attackers demanded $2.5 million to restore encrypted files, leading to a federal investigation. Ransomware is especially prevalent in financial and healthcare organisations, with cybercriminals targeting 90% of these businesses last year.

How Does Ransomware Happen?

Ransomware most often begins with malicious software being downloaded by an unwary person, through an infected email attachment or link, onto their computer or smart device. Attackers also get in through stolen credentials and through unpatched, internet-facing systems; both are covered further down.

Once ransomware infects an endpoint, it runs wherever that user has access. Within seconds, the malicious software takes over critical processes on the device and starts searching for files to encrypt, leaving all the data within them inaccessible.

The ransomware then spreads to any other hard drives, network-attached storage and mapped shares it can reach, taking out everything in its path – including backups that are left online and writable.

This entire process happens extremely quickly. Within a few minutes, the device displays a message that looks like this:

Wannacry Ransomware Attack instructions screen
Figure 1: WannaCry Ransomware Attack

This is the message that displayed to users who were infected with the WannaCry ransomware attack. As you can see, it’s a ‘cyber blackmail’ note. Users are informed that they have been locked out of their files and must pay to regain access.  
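The encryption burst described above leaves a distinctive trail in file-activity logs: one process renaming many files to the same new extension within seconds, then reaching out to network shares and backup locations. The following Python is an added example of detection logic for that pattern; it is not code from Spector or from any EDR product. The log format is an assumed, simplified record ("timestamp process action path [-> new path]") and the events are constructed, with names that mirror WannaCry’s publicly reported artefacts (the tasksche.exe process, the .WNCRY extension and the @Please_Read_Me@.txt note).

```python
"""Spot a ransomware encryption burst in a file-activity log.

Added example, not Spector's tooling. The log format is an assumption (a
simplified "timestamp process action path [-> new path]" record) and the
events are constructed; the process name, extension and note file mirror
the publicly reported WannaCry artefacts.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = r"""
2021-05-14T03:10:01 winword.exe write C:\Users\anna\Documents\report.docx
2021-05-14T03:10:02 explorer.exe read C:\Users\anna\Pictures\cat.jpg
2021-05-14T03:10:05 winword.exe rename C:\Users\anna\Documents\~WRD0001.tmp -> C:\Users\anna\Documents\report.docx
2021-05-14T03:11:00 tasksche.exe rename C:\Users\anna\Documents\report.docx -> C:\Users\anna\Documents\report.docx.WNCRY
2021-05-14T03:11:01 tasksche.exe rename C:\Users\anna\Documents\budget.xlsx -> C:\Users\anna\Documents\budget.xlsx.WNCRY
2021-05-14T03:11:01 tasksche.exe rename C:\Users\anna\Pictures\cat.jpg -> C:\Users\anna\Pictures\cat.jpg.WNCRY
2021-05-14T03:11:02 tasksche.exe rename \\fileserver\finance\q1.xlsx -> \\fileserver\finance\q1.xlsx.WNCRY
2021-05-14T03:11:02 tasksche.exe rename D:\Backups\2021-05-13.bak -> D:\Backups\2021-05-13.bak.WNCRY
2021-05-14T03:11:03 tasksche.exe write C:\Users\anna\Desktop\@Please_Read_Me@.txt
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\w+) (.+)$")


def parse_log(text):
    """Turn log lines into event dicts; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, proc, action, rest = m.groups()
        src, _, dst = rest.partition(" -> ")
        events.append({"ts": datetime.fromisoformat(ts), "proc": proc,
                       "action": action, "src": src, "dst": dst or None})
    return events


def file_ext(path):
    """Lower-cased final extension of a Windows or UNC path ('' if none)."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_encryption_bursts(events, window=timedelta(seconds=30), threshold=3):
    """One alert per (process, new extension) that renamed at least `threshold`
    files to that extension inside `window`. A benign single rename (a word
    processor committing a temp file) never reaches the threshold."""
    by_key = defaultdict(list)
    for e in events:
        if e["action"] == "rename" and e["dst"] and file_ext(e["dst"]) != file_ext(e["src"]):
            by_key[(e["proc"], file_ext(e["dst"]))].append(e)

    alerts = []
    for (proc, ext), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        recent = deque()
        for e in evs:
            recent.append(e)
            while e["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            if len(recent) >= threshold:
                paths = [x["dst"] for x in evs]
                alerts.append({
                    "process": proc,
                    "extension": ext,
                    "files": len(evs),
                    "first_seen": evs[0]["ts"].isoformat(),
                    # Spread to shares and backups is what turns an infection into an outage.
                    "network_share": any(p.startswith("\\\\") for p in paths),
                    "backup_path": any("backup" in p.lower() for p in paths),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_encryption_bursts(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run as a script it prints one alert for tasksche.exe: five files renamed to .WNCRY in two seconds, with both a UNC share and a backup folder among them. The threshold and window are tuning knobs; on a file server a low threshold catches an outbreak a few seconds in, which is when isolating the host still limits the spread to shares and backups.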

The people within your organisation are often your most significant security risk. The major issue here is a lack of awareness and staff education about security threats. Many people are unaware of what threats look like and what they should avoid downloading, leaving you open to risk. 

There has been massive growth in Security Awareness Training platforms, which teach users about the risks they face online, at work and at home: what a suspicious email looks like, and the best practices to follow to stop ransomware, such as ensuring their endpoints are kept updated with the latest security software. These platforms typically also provide phishing simulations.

It may not seem obvious, but identity theft lies at the core of many ransomware attacks. Attackers use stolen administrative and other credentials to gain a foothold in your core systems, then escalate their privileges until they hold the keys to run ransomware without barriers. Adding MFA (multi-factor authentication) means a stolen password alone is no longer enough to log in, which blocks most of these paths. MFA comes free with most Microsoft 365 packages, and more in-depth solutions also exist that extend more granular protection to all devices in the organisation.

Continuing to use end-of-life hardware and software increases your risk heavily. Over time, attackers pick apart the vulnerabilities that vendors disclose, and products that are no longer supported never receive the fix. Many organisations still rely heavily on such older computers and software, leaving them exposed, and organisational security policies often overlook hardware and software that is out of date.

This dramatically increases the organisation’s risk of falling victim to an attack. Keep your operating system and third-party applications patched and up to date so that there are fewer vulnerabilities to exploit.

Preventing and Stopping Ransomware

One of the most important ways to stop ransomware is strong endpoint security: a program installed on your endpoint devices (phones, computers, etc.) that blocks malware from infecting them. Be sure that ransomware protection is included when you’re choosing a security package, as many traditional anti-virus products are not equipped to defend against modern ransomware attacks.

As ransomware is commonly delivered through email, email security is key in preventing ransomware. Secure Email Gateway technologies filter email communications with URL defences and attachment sandboxing to identify threats and block them from being delivered to users. This stops ransomware from arriving on endpoint devices, while blocking users from inadvertently installing malicious programs onto their machines.

How to Identify a Suspicious Email? Click here to learn more. 

DNS web filtering solutions stop users from visiting dangerous websites and downloading malicious files, which blocks ransomware that spreads through downloads from the internet, including trojan horse software. DNS filters also block malicious third-party adverts. Isolation technologies go further by running browsing activity on secure servers and displaying only a safe rendering to the user, so threats never reach the endpoint, with little impact on the user experience.

Backups

Once a ransomware attack succeeds and your data is compromised, the best protection for your organisation is to restore your systems quickly and minimise downtime. The most effective way to protect data is to back it up in multiple places, including your main storage, local disks and a cloud-continuity service, and to keep at least one copy offline or immutable so that the ransomware cannot encrypt the backup along with everything else. Test your restores regularly: a backup you have never restored from is an assumption, not a safeguard. With good backups, you can recover the encrypted files and regain functionality of your systems. Cloud data backup and recovery is a crucial tool in remediating ransomware.
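Backups only count if they survive the attack and can actually be restored, and both properties are cheap to check automatically. The following Python is an added example, not Spector’s backup product: it records a SHA-256 manifest of a backup set at backup time, keeps that manifest separate from the backup (the off-line copy), and checks the set against it before a restore, so that files encrypted in place, deleted, or planted by the attacker are found before anything is restored onto clean systems. The sample files and the "encrypted" content are constructed for illustration.

```python
"""Backup integrity manifest: prove a backup is restorable before you need it.

Added example, not Spector's product. At backup time it records a SHA-256
digest of every file; the manifest is stored away from the backup itself.
Before a restore, the backup tree is checked against the manifest so that
files ransomware has encrypted in place, deleted or dropped into the backup
show up before they are restored. Sample files and "ciphertext" are constructed.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 16):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map of relative path -> SHA-256 for every file under `root`."""
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root, manifest):
    """Compare a backup tree with its manifest. Anything outside `ok` means the
    set cannot be trusted as-is and the restore plan has to change."""
    current = build_manifest(root)
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["modified"].append(rel)  # encrypted in place, or corrupted
        else:
            report["ok"].append(rel)
    report["unexpected"] = sorted(set(current) - set(manifest))  # e.g. a ransom note
    return report


def demo():
    """Constructed scenario: a backup is taken, then ransomware reaches the share."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "finance").mkdir(parents=True)
        (backup / "hr").mkdir()
        (backup / "finance" / "q1.xlsx").write_bytes(b"constructed spreadsheet content")
        (backup / "hr" / "policy.pdf").write_bytes(b"constructed policy document")
        (backup / "notes.txt").write_bytes(b"constructed notes")

        # The manifest is serialised and would be kept off-line, away from the backup share.
        manifest_json = json.dumps(build_manifest(backup), indent=2, sort_keys=True)

        # The situation the article warns about: ransomware reaches the backup location.
        (backup / "finance" / "q1.xlsx").write_bytes(os.urandom(64))  # stand-in for ciphertext
        (backup / "notes.txt").unlink()
        (backup / "README_RESTORE.txt").write_bytes(b"your files have been encrypted")

        return verify_backup(backup, json.loads(manifest_json))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run as a script it reports one file modified, one missing, one unexpected and one intact. The manifest is only useful if the attacker cannot rewrite it alongside the backup, which is why it belongs with the off-line or immutable copy rather than on the same share; the same check, run on a schedule against each backup copy, is also the simplest form of restore testing.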

Learn more about Disaster Recovery in this article.

Reducing the risk and damage of ransomware requires a mix of frameworks, policies, training and technology. The best companies perform a detailed gap analysis using a cyber security framework such as the NIST CSF in conjunction with a control set such as the CIS Controls (the CIS 20). This approach leads to better outcomes, and it’s how we commonly proceed with our customers.

Feel free to get in touch if you have doubts or would like to learn more about protecting your business against cyber security threats. Our team of experts will be happy to offer advice and guide you through what an effective strategy looks like for your business.

How to Ensure Compliance When Working Remotely

Compliance Regulations Remote Work
Photo by Siniz Kim on Unsplash

Reading Time: 4 Minutes
The ongoing COVID-19 pandemic has presented businesses worldwide with many unique challenges when it comes to their day-to-day operations. With every company trying its best to survive in this unprecedented climate, remote working has become a critical factor in keeping operations up and running. However, this adaptation has exposed businesses to a whole new level of cybersecurity and compliance threats. 

With cybercriminals preying on vulnerable home networks and work-from-home employees saving files on their local drives, the threat to business data is at an all-time high. According to the Coveware Ransomware Marketplace Research report, the average ransomware payment for Q2 2020 stood at $178,254, a 60% increase on the Q1 2020 average payment.

Despite the increasing magnitude of cyber threats, organisations can still make the most of the great solutions available to them to successfully overcome this menace even when their entire workforce is working remotely. 

Is your business vulnerable? Read our 8 Steps to secure remote working during the covid 19 lockdown

In this blog, we’ll take a look at the most significant compliance and security concerns associated with remote work and how to overcome them.

Challenges to Security and Compliance With Remote Work 

When remote working became ubiquitous across the world, most organisations were forced to adapt to this change without solid policies or processes to maintain standards. Due to this, even some of the top companies are still catching up on their compliance adherence measures while facilitating remote work. 

Businesses of all sizes face the following challenges when working with remote employees:

  • Reduced security: When the lockdown started, employees took their business devices home and used them on their home networks. They also occasionally use their personal devices for office work. This poses a great threat to business data since organisations have very little control over security. 
  • Inability to enforce best practices: When operating within their office environments, companies can ensure their employees follow data security best practices. However, the scenario is vastly different with remote work. There’s every possibility that employees may use shared networks or public Wi-Fi connections to perform their work, adding to security complications. 
  • Inadequate backup: With remote work becoming the norm, the threat to data is significantly higher now. Unfortunately, data backup failure is quite common as well. That’s why organisations need to make sure they have multiple copies of their critical data in case their remote servers are compromised. 
  • Lack of employee awareness: Although most organisations follow best practices regarding employee and customer data, human error is still a major threat to security and compliance. Remote employees need to be provided with proper awareness training on how to handle data and on the best practices to follow. The most secure companies manage to make cyber security awareness second nature.

Best Ways to Ensure Compliance During Remote Work 

Although remote setups make compliance more challenging than usual, organisations can incorporate the following best practices to boost their security and comply with various regulations.  

1. Create a cybersecurity policy

If you don’t have a cybersecurity policy in place already, it’s time to create one. Organisations must develop a cybersecurity policy suitable for remote work. This policy should cover the various steps employees need to follow at personal as well as professional levels. By establishing proper standards and best practices for cybersecurity, organisations can minimise their risk exposure.

Cyber Security
Photo by Maarten Van den Heuvel

2. Incorporate a consistent data storage policy 

Without a standard cloud storage policy, employees are likely to store and handle data the way they see fit, which is certainly not advisable. There should be a shared repository on the cloud to back up files instantly from different sources. In many cases, the rogue copies that employees store on their local drives can pose a major threat to data security and create inconsistencies in storage policies. You need to make sure that data storage policies are strictly followed throughout the organisation. 

3. Increase remote monitoring 

During remote work, endpoint management and cybersecurity policies are impractical to enforce without automation. You need a robust remote monitoring and management solution that manages all your endpoints and helps you adhere to compliance regulations. When you have complete visibility into the entire remote working estate, you can minimise vulnerabilities and security threats.

4. Increase employee awareness through training

Since human error is highly likely in all organisations, proper training should be provided to remote working employees. This training should focus on some of the most common and significant issues such as clicking questionable links, being wary of messages from untrusted sources, having strong passwords, implementing multi-factor authentication, etc. If your organisation falls under specific compliance regulations, you need to provide additional training to data-handling employees regarding the best practices to be followed. 

Your Employees are your biggest Risk. Learn more about this and how to train them in this article.

5. Use the right tools and solutions 

As cybercriminals and their tactics continue to evolve, you need to make sure that you use the right software tools and solutions to combat this threat. In addition to remote monitoring software, you need to use the appropriate antivirus, cloud backup, password manager and more. You also need to make sure that these solutions are properly integrated into a comprehensive platform.  

What Businesses Need 

Ensuring compliance is a critical task by itself. Doing that while implementing remote working policies and procedures can be overwhelming for many organisations. Your business must invest in a security solution that allows it to protect your valuable data and meet compliance regulations even in a remote working setup. 

With the right partner, this task becomes much more manageable. Reach out to us today, so we can help you develop an effective compliance strategy suitable for your needs.

Thanks for reading! For more articles on Compliance and Remote Work, visit our blog. Follow us on Social Media for more exclusive content, and as always, if you have any feedback or questions about this article, please do not hesitate to use the comment box below.

 

Protecting Your SaaS Data Is Your Responsibility

Protecting your SaaS Data is your Responsibility
Photo by Austin Distel on Unsplash

Reading Time: 4 Minutes
Businesses worldwide are investing heavily in software-as-a-service (SaaS) and other cloud computing solutions in search of flexible, reliable and affordable software infrastructure. The International Data Corporation (IDC) anticipated that the cloud software market would reach $151.6 billion by 2020, and that was before the global pandemic triggered a rapid shift to remote work. It is therefore highly probable that this prediction has already been surpassed, with growth only set to strengthen in the ‘new normal.’ Unfortunately, this growth has also made the cloud a favourite target of cybercriminals, which means nothing on the cloud is 100% safe.

Your SaaS data, which is more accessible, and in some cases, more secure within a cloud infrastructure, is not fully protected from loss or corruption. If you, as a business, choose to look away from this glaring reality, you would be acting willfully ignorant. Through this blog, we’ll tell you how your SaaS data is only partially secured by SaaS platforms and give you three reasons why you must back up your SaaS data.  

How Your SaaS Data Is Actually Protected 

While responding to a survey by ESG, 37 per cent of IT executives admitted that they believed SaaS providers fully protected their business data. While this is not entirely false, it isn’t entirely true either. SaaS providers protect your data only concerning accessibility and availability (downtime at their end) and infrastructure-related failures or threats.   

Here’s how leading SaaS providers, like Google and Microsoft, for example, secure your SaaS data. 

G Suite: Google stores multiple replicas of your data in various locations, ensuring the data remains accessible in the event of a hardware failure. Its infrastructure doesn’t offer native backup capabilities; it provides high availability (HA) through replication and erasure coding.

Office 365 (O365): Given that the infrastructure of O365 is not unified, the backup capabilities for each application differ. O365 offers various backup options, but you must remember that even in its service level agreement (SLA), Microsoft only addresses the availability of data, not its recoverability. And yet, 57% of those responding to ESG’s survey relied on O365’s native recovery functionality, while 27% did not have any in-house recovery capabilities. 

Simply put, both G Suite and Office 365 offer, at best, temporary archives of your data. However, archives are not the same as reliable backups that you can recover or restore from. They neither guarantee protection of your data from prevalent threats nor data recovery post a security disaster. 

Three Reasons Why You Need SaaS Backup 

Having understood that your SaaS data is only partially protected, it’s time to look at three reasons why you need to tighten up loose ends and avail SaaS backup immediately. 

Reason 1: Various Data Loss Risks and Security Threats at Your End 

Here are some threats looming over your organization’s data and hardware/software infrastructure that can cause severe damage – enough to grind your business to a temporary or permanent halt:  

  • User error: Whether it’s falling for a phishing scam or mistakenly deleting crucial data, user errors have accounted for 23% of security breaches in 2020. 
  • Illegitimate deletion requests: It’s impossible for a SaaS provider to determine whether a deletion request was done in haste or with malicious intent. It will honour your deletion request no matter what. One illegitimate command and poof! Your data will vanish. 
  • Sync errors: Third-party tools integrated into your IT environment help streamline your business, but a misconfigured or faulty integration that syncs with your SaaS tenant can overwrite or delete records in bulk, and the platform faithfully replicates the change.
  • Insider threats: Malicious insiders have accounted for 30% of data breaches in 2020. One employee with malicious intent is enough to bring the whole house down. 

In their respective SLAs, not even leading SaaS platforms, such as G Suite, Office 365 and Salesforce, guarantee the security of your data from vulnerabilities at your end.

Photo by DocuSign on Unsplash

Reason 2: “Shared Responsibility” 

Contrary to popular belief, SaaS providers are not responsible for protecting your data from loss or for recovering it. Cloud security and data protection is a shared responsibility: cloud service providers (CSPs) are responsible for the security, reliability and availability of their infrastructure and service, while customers are responsible for securing the data they upload and store on the cloud.

Essentially, you are ultimately responsible for protecting your organization’s data from loss, destruction or unauthorized access and ensuring that the data is logistically, operationally and contractually secure and viable.  

Data protection regulations such as GDPR and HIPAA also spell out how accountability is shared between your business (the controller under GDPR, the covered entity under HIPAA) and third-party service providers such as SaaS companies (the processor, or business associate). It’s time for you to do your part. A Gartner prediction, cited in a study by ExtraHop, holds that through 2022 at least 95% of cloud security failures will be the customer’s fault. You wouldn’t want to be counted among those businesses, would you?

Reason 3: SaaS Providers Lack a Robust Backup 

A robust backup should ideally fulfil four basic needs – ease of backing up and accessing data, built-in capability to secure data from unauthorized access, quick recovery of data, and compliance with all significant data regulations. Merely relying on SaaS providers to protect your SaaS data will not fulfil any of these needs. In the absence of a proper and complete backup, you are essentially playing Russian roulette with one of your business’s most valuable and vital assets – its data.

Invest in the Right Backup Solution Today 

If you continue to wait much longer, you will eventually fall victim to a nefarious cybercriminal or even a simple, honest employee mistake that could compromise crucial data your organization runs on.   

By investing in the right backup solution, you can ensure that your organization’s data is protected from a wide range of threats and drastically minimize the risk of a data breach. Talk to us today to help us set you up with an enterprise-class and robust SaaS backup solution that is tailor-made for your business.

Making Cyber Security Awareness Second Nature

Cyber Security Training for staff
Photo by Blackcreek Corporate on Unsplash

Reading Time: 3 Minutes
Your business’ cyber security program must start with your employees and robust security policies rather than entirely depending on your IT team or the latest security solutions. You can significantly reduce the likelihood of a data breach by combining a well-drafted cybersecurity policy with comprehensive security awareness training.

It is your responsibility to implement security training for all your employees so that your organization can withstand cyberattacks and carry out business as usual. Regular training will also help you develop a security-focused culture within your business and make cybersecurity awareness second nature to your employees.

Your Employees are your Biggest Cyber Security Risk. Learn why in our related article.

Cybercriminals can target your employees at any moment to gain access to sensitive business data. However, if your employees receive regular security awareness training, their calculated decision-making and quick response can effectively block deceiving threats.

Security Culture and Its Influence on Employees

Conducting a one-time employee training session for the sake of compliance does not adequately benefit your business’ cybersecurity posture – the key here is consistency. It is regular security awareness training that can truly protect your business from looming cyber threats that are constantly on the rise.

The following statistics shed light on why security awareness training is essential in today’s threat landscape:

  1. Human errors cause 23 per cent of data breaches.
  2. Over 35 per cent of employees do not know about ransomware.
  3. Nearly 25 per cent of employees have clicked on malicious links without confirming their legitimacy.

The aim of developing a security-focused culture is to nurture positive security habits among employees. For example, the simple practice of locking one’s computer screen when leaving the workstation unattended can prevent data from being accessed by unauthorized users.

Once you properly train your employees, they will be more aware of the business’ security policies and realize that their employer’s cybersecurity is their responsibility as well.

Unaware employees are your most significant cyber security risk. However, once trained, they act as your first line of defence.


Tips to Implement Effective Security Awareness Training

Until recently, companies would impart security awareness training as lectures using a slide deck. Businesses conducted these training sessions once a year or once during induction. However, these sessions proved ineffective because of their uninteresting nature and lack of follow-up sessions.

Training your staff will help you avoid both the Invoice Fraud and the CEO/CFO Fraud. Click the links to learn more.

If you intend to develop a security-focused culture, implementing robust security awareness training is crucial. Here are a few tips that can help you effectively implement security training:

  1. Make the training sessions interactive – Your employees will show more interest if you deliver training in high-quality video format since it grabs more attention. Add text content only as a complementary piece to the video. Ensure that the presentation is appealing to your employees so that they do not miss out on essential details. Also, make sure your employees can clear their doubts through face-to-face discussions or virtual conversations with subject matter experts.
  2. Break the training into smaller modules – Since attention spans vary from one employee to another, breaking training into smaller modules helps them retain the information. You can regularly send training modules to your employees to keep them up to speed on the latest security topics. Smaller units have a better chance of retention than lengthy pieces of content.
  3. Facilitate self-paced learning – Give your employees the freedom to learn at their convenience. This, of course, does not mean deadlines should not be set either. Make sure you give your employees sufficient time to complete each training module based on its complexity.
  4. Training must include relevant material – The training material must not contain any outdated information. Given how quickly the cyberthreat landscape is changing, the program must be updated regularly and cover new cyber threats so hackers don’t end up tricking your employees. Please remember that the content should not be overly technical. The training material must be imparted in an easy-to-understand manner, so employees have no trouble applying it in daily work scenarios.
  5. Conduct reviews with quizzes and mock drills – To assess your employees’ preparedness, you must conduct regular tests, including mock drills, that assess alertness based on their response to simulated scams.

Transform Your Weakest Link Into Your Prime Defense

Regular security awareness training can help develop a transformative security culture within your business, thus enabling your employees to detect even sophisticated cyber threats and undertake adequate action.

We understand that implementing robust security awareness training can be a bit challenging. However, you have nothing to worry about. We can help you seamlessly integrate security awareness training into your business operations to make your employees the first line of defence against existing or imminent cyber threats. Get in touch with us today, and let’s get started.

Thank you for reading! For more security and technology advice, visit our Blog.
Follow Spector on our Social Media channels for more exclusive content.

How to Effectively Manage Supply Chain Risks

Securing Supply Chain
Photo by Elevate on Unsplash

Reading Time: 4 Minutes
Digital transformation has made many things easier for businesses, right from inventory management and order processing to managing financials. On the flip side, however, it has also made companies more vulnerable to cyberattacks and data breaches. A breach occurring anywhere in the supply chain could end up seriously disrupting your operations. So, how do you safeguard your business against these threats? 

Deploying a bunch of security solutions within your company is not enough. For starters, it can’t guarantee the prevention of human errors and insider threats, which are major causes of data breaches. Besides that, it doesn’t precisely address the weak links in your supply chain. Global supply chains have grown vast and complex, making it virtually impossible to pinpoint failure points or avoid risks entirely.

The Invoice Fraud commonly hits unprotected suppliers. Learn about it with this article.

In other words, it is time to stop considering cybersecurity and data protection as just a technology problem that exists within your organization. The scope is much, much larger. It is also a people, process and knowledge problem that extends to your entire supply chain. That means your preventive and corrective measures should proactively address risks within your supply chain.

Let’s take a look at some key strategies and controls that can help you effectively manage and avoid supply chain risks effectively.

Make Supply Chain Security a Part of Governance

Addressing supply chain risks on an ad-hoc basis will only create ambiguity and chaos. Instead, you need to make it a part of your security activities and policies. This way, employees will know how to coordinate with third-party organizations and what kind of security activities must be undertaken. 

Supply chain cybersecurity strategy best practices include:

  • Defining who is responsible for holding vendors and suppliers accountable
  • Creating a security checklist for vendor and supplier selection
  • Specifying how to evaluate and monitor suppliers’ cybersecurity practices and how often
  • Setting up a mechanism for measuring performance and progress

Take Compliance Seriously

With cyberattacks and data breaches increasing and impacting more people than ever before, numerous compliance regulations have come to the forefront. For instance, if you are part of the US defence industrial base, you must be Cybersecurity Maturity Model Certification (CMMC) compliant. There are many more, such as GDPR, HIPAA and PCI DSS, each applicable to a particular industry or focus area.

Want to get your business compliance-ready? We recommend our Guide on NIST – you can use it to create a base for several standards.

In most cases, to prove and maintain compliance, companies must undergo several detailed assessments, produce different reports and documentation, implement certain best practices and more. You can avoid weak links in your supply chain by making compliance with these regulations mandatory for your vendors. 

Besides that, you need to ensure your business remains compliant with laws applicable to you as well. Not only does it strengthen your cybersecurity and data protection posture, but these regulations also act as a guide for everyone on your team to follow. Since these regulations are often updated, it ensures the measures you take align with industry standards.


Deploy Comprehensive and Layered Security Systems Internally  

Threat prediction is virtually impossible if you have a large number of third-party vendors. The attack surface is massive, making it almost impossible to guard against. What you need is comprehensive and layered security.

It is a more holistic approach, where each layer of your IT infrastructure is protected by a series of different solutions that make up for each other’s weaknesses. So, even if your firewall fails to block an attack vector, you still have multiple layers of defence protecting your data, including antivirus, access control, intrusion prevention systems and data encryption.

The layered approach to security also calls for regular training and testing of your employees since they are usually your first line of defence. For instance, if your team knows how to identify a phishing email, your data won’t be compromised even if your phishing filter fails.

Do you know how to identify a phishing email? Learn how in this article.

By not relying on any one solution to protect your sensitive data and files, you disrupt the cyber kill chain. This will allow you to prevent, detect and respond to cybersecurity risks more effectively.

Adopt and Enforce International IT and Data Security Standards 

Because modern supply chains are so interconnected, you have to interact and collaborate with your vendors constantly. This means vast amounts of data are exchanged, including sensitive customer information such as medical records, PII and financial data. The data must be stored securely (with continuous monitoring and real-time alerting), and access to it must be regulated.

But how do you guarantee this? By adopting and enforcing international IT and data security standards such as GDPR and HIPAA. These standards ensure companies keep track of the sensitive data they acquire, produce it when challenged, and implement adequate measures to secure the data. Besides that, when selecting a SaaS vendor, you should find out if they are SOC 2 or ISO27001 compliant. This indicates that the vendor is securing information as per industry standards.

ISO 27001 vs NIST – why choose one? Read to find out.

Wrapping Up

With supply chains becoming more interconnected and smarter, now is the time to identify and secure weak links in your supply chain. Collaborate with your partners, find out potential vulnerabilities and compliance violations, and work together to mitigate those risks.

We have another article with more practical tips on securing your supply chain available at this link: Recommended Best Practices for a Secure Supply Chain. With this content, you should be able to bring much more security to your business.

To find out how to deploy layered security and how you can secure your data while staying compliant with regulations, get in touch. We’ll be happy to understand your concerns and provide our recommendations and strategic advice.

Your Biggest Cybersecurity Risk: Your Employees

Unaware Employees - Your biggest cyber security risk
Photo by Alexandre Boucher on Unsplash

Reading Time: 3 Minutes
Cybercriminals work round the clock to detect and exploit vulnerabilities in your business’ network for nefarious gains. The only way to counter these hackers is by deploying a robust cybersecurity posture that’s built using comprehensive security solutions. However, while you’re caught up doing this, there is a possibility you may overlook mitigating the weakest link in your fight against cybercriminals — your employees. 

With remote work gaining traction and decentralized workspaces becoming the new norm, businesses like yours must strengthen their cybersecurity strategies to counter human errors and data breaches perpetrated by malicious insiders. All employees, irrespective of their designation/rank, can expose your business vulnerabilities to cybercriminals.

Untrained employees are putting your business at risk of Invoice Fraud. Learn about it in this article.

Implementing routine security awareness training for employees can help you prevent a vulnerability from escalating into a disaster. As the first line of defence against cyberattacks, your employees must be thoroughly and regularly trained to identify and deflate potential cyber threats.

Why Do Employees Pose a Risk to Businesses?

According to IBM’s Cost of a Data Breach Report 2020, 23 per cent of data breaches in an organization occurred because of human error. An untrained employee can compromise your business’ security in multiple ways. Some of the most common mistakes committed by employees include: 

  1. Falling for phishing scams: With the onset of COVID-19, hackers masquerading as the World Health Organization (WHO) tricked people into clicking on malicious links and sharing sensitive information. Cybercriminals are using improved techniques, like spoofed emails and text messages, to propagate the ongoing scam. Your employees must be well-trained to counter it. To learn and train your people in Identifying Phishing Email, view this article.
  2. Bad password hygiene: A section of your employees might reuse the same password or a set of passwords for multiple accounts (business and personal), which is a dangerous habit that allows cybercriminals to crack your business’ network security. Improve your Password Hygiene by reading this article.
  3. Misdelivery: Even slight carelessness can lead to an employee sending sensitive, business-critical information to a hacker. Such an act can cause lasting damage to your business, which is why you must be prepared to counter it.
  4. Inept patch management: Employees often delay installing a security patch pushed to their device, leaving known vulnerabilities in your business’ IT environment unaddressed.

The bottom line is that with cybercriminals upgrading their arsenal every day and exploring a plethora of options to trap your employees, security awareness training has become more critical than ever before.

Employees - biggest risk at an organisation
Photo by Brooke Cagle on Unsplash

Security Awareness Training: An Essential Investment

A one-time training program will neither help your employees repel cyberthreats nor help your business develop a security culture. To deal with the growing threat landscape, your employees need thorough and regular security awareness training.

CEO/CFO fraud can also be avoided with employee training; learn about it here.

You must never back out of providing continual security awareness training to your employees just because of the time and money you need to invest in it. The return on investment will be visible in the form of better decision-making employees who efficiently respond in the face of adversity, ultimately saving your business from data breaches, damage to reputation and potentially expensive lawsuits. The following statistics highlight why you must deploy regular security awareness training and consider it a necessary investment:

  1. Eighty per cent of organizations experience at least one compromised account threat per month.
  2. Sixty-seven per cent of data breaches result from human error, credential theft or social attack.
  3. Since the start of the COVID-19 pandemic, phishing attacks have gone up by 67 per cent.

Expecting your employees to train themselves on detecting and responding to cyber threats certainly isn’t the best way to deal with an ever-evolving threat landscape. You must take on the responsibility of providing regular training to your employees to ensure you adequately prepare them to identify and ward off potential cyberattacks.

Every employee must realize that even a minor mistake can snowball into a terrible security disaster for the company. They need to understand that your business’ cybersecurity is also their responsibility.

Read: The Human Factor behind Compromised Passwords

You can transform your business’ biggest cybersecurity risk – your employees – into its prime defence against threats by developing a security culture that emphasizes adequate and regular security awareness training. 

Making all this happen will require continued effort and may seem like an uphill climb, but with the right partner by your side, you can easily integrate security awareness training into your business’ cybersecurity strategy.

Here at Spector, aside from different training programmes, we also keep your employees aware by sending fake phishing emails regularly and verifying who is falling for potential baits. This acts as a reminder for people to stay alert.

The first step towards training and empowering your employees starts with an email or a call to us. Feel free to get in touch or schedule your preferred time, and one of our experts will give you a ring to discuss any questions and problems you may have. 

Thanks for reading! Follow us on Social Media for more exclusive content.
 

Recommended Best Practices for a Secure Supply Chain

Supply Chain Security best practices
Photo by Reproductive Health Supplies Coalition on Unsplash

Reading Time: 4 Minutes
Your business’ cybersecurity posture must prioritize detection, evaluation and mitigation of risks posed by your supply chain. It is vital that your security is upgraded regularly to better prepare for any worst-case scenarios.

Having said that, it should come as no surprise that a vulnerable third party who deals with your organization can weaken your supply chain as well. Although controlling a third party’s cybersecurity can be challenging, it must be taken seriously since a security compromise at their end could put your business at risk.

How to Effectively Manage Supply Chain Risks? Find out with this related article.

Always remember that no matter how secure you think you are, dealing with an unsecured vendor can severely damage your business’ reputation and financial position.

Recommended Security Practices

Prevention is always better than cure, especially when you are managing data, systems, software and networks. By proactively adopting best practices, it is certainly possible to enhance your supply chain’s security. For more info on Cyber Security, we have several articles available here. Some of these practices include: 

Security Awareness Training 

You must educate all employees about how even a minor mistake on their part could severely compromise security. Since employees are usually the first line of defence against cyberattacks, it is important that they are given adequate training to identify and avoid any potential threats. 

Drafting and implementing an effective security awareness training program should not be a one-time affair. It should take place at regular intervals to ensure all stakeholders are on the same page. Top-level executives must be trained just as much as juniors and trainees.

Two more articles highlighting the importance of cyber security training: Invoice Fraud and CEO/CFO Fraud.

Data Classification 

Data classification enables you to identify data, segment it according to its worth and assign security to each type of data. The bottom line is that if you do not know your data thoroughly — especially the data that rests in your supply chain — you will struggle immensely at securing it.

Access Control

Enabling an access control gateway lets only verified users access your business data, including users that are part of your supply chain. With robust authentication and authorization protocols in place, you can minimize the chances of sensitive data getting compromised. 

While authentication verifies whether the user is who they claim to be, authorization verifies whether a user has access to a particular type of data. Hence, both hold equal importance when implementing a robust access control strategy.

Monitoring 

Given the invasive and inevitable nature of security threats, a brisk reaction time is fundamental to the effectiveness of your supply chain security. Hence, automated and consistent monitoring is vital for quick detection and response to an attack. 

You must gather and analyse relevant data to recognise suspicious activity or dubious system changes within your organization. For example, it’s not normal for a user to modify hundreds of files within a split second – that’s more like virus behaviour. Knowing this, you can pre-define acceptable behaviour on the monitoring system, and if that baseline is breached, the system will trigger an alert.
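One way to implement the rule described above, as an added example that is not code from the article or from Spector: a per-user sliding-window detector in Python that raises an alert when one account modifies more files within a short window than a pre-defined threshold. The log format, account names, paths and thresholds are assumptions constructed for this example.

```python
"""Burst detector for file-modification events (added example, not from the article).

A human editing documents produces a trickle of MODIFY events; ransomware or a
worm produces hundreds within a second. The detector keeps, per user, the
timestamps of modifications inside a sliding window and alerts once the count
reaches a threshold. Log format, users, paths and thresholds are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def make_sample_log():
    """Constructed log lines: "<ISO timestamp> <user> MODIFY <path>".

    alice edits 20 files one minute apart (normal behaviour); bob "modifies"
    150 files within 0.45 seconds (encryption-like burst); one malformed line.
    """
    base = datetime(2022, 3, 1, 9, 0, 0)
    lines = []
    for i in range(20):
        t = base + timedelta(minutes=i)
        lines.append(f"{t.isoformat(timespec='milliseconds')} alice MODIFY "
                     f"/share/finance/report_{i}.xlsx")
    burst_start = base + timedelta(minutes=30)
    for i in range(150):
        t = burst_start + timedelta(milliseconds=3 * i)
        lines.append(f"{t.isoformat(timespec='milliseconds')} bob MODIFY "
                     f"/share/hr/file_{i}.docx")
    lines.append("garbage line that does not parse")  # monitor must not crash on it
    return lines


def parse_line(line):
    """Split one log line into (timestamp, user, action, path).

    Raises ValueError for malformed lines so the caller can skip them.
    """
    ts, user, action, path = line.split(maxsplit=3)  # path may contain spaces
    return datetime.fromisoformat(ts), user, action, path


def detect_bursts(lines, threshold=100, window=timedelta(seconds=1)):
    """Return alerts as (user, timestamp, count), one per user per burst.

    Lines are expected in time order (as a tailed log would be). An alert is
    raised the first time a user's MODIFY count inside `window` reaches
    `threshold`; the user is re-armed only after the count drops below it, so
    a sustained burst does not flood the operator with repeated alerts.
    """
    recent = defaultdict(deque)  # user -> timestamps inside the current window
    in_burst = set()             # users already alerted for the ongoing burst
    alerts = []
    for line in lines:
        try:
            ts, user, action, _path = parse_line(line)
        except ValueError:
            continue  # malformed line: skip rather than stop monitoring
        if action != "MODIFY":
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:  # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            if user not in in_burst:
                in_burst.add(user)
                alerts.append((user, ts, len(q)))
        else:
            in_burst.discard(user)
    return alerts


if __name__ == "__main__":
    for user, when, count in detect_bursts(make_sample_log()):
        print(f"ALERT {when.isoformat()} user={user} modified {count} files "
              f"within 1 second")
```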

Endpoint Protection 

Endpoint protection ensures that end-user gadgets are protected against nefarious cybercriminals. Any gadget connected to the network could be used to open a backdoor to your files. Cybercriminals are getting more adept at identifying the most vulnerable point within your network. 

In most cases, it turns out to be an end-user device on your network or even devices on your third-party partner’s network. Therefore, securing endpoints is crucial to reinforcing the security of your business and your supply chain.

Patch Management

Security gaps left wide open due to inept patch management can leave your business vulnerable to cyberattacks. Whenever a new patch gets delivered, it is essential you deploy it immediately. Failing to do so could give cybercriminals a clear passage to circumvent your defences. 

Routine Scanning

Routine vulnerability scanning is a coordinated process to test, recognize, examine and reveal potential security threats (internal and external). Automating these scans so they are conducted accurately and regularly without investing a lot of time and effort will work wonders. 

Network Segmentation

Once you dissect your business’ network or segment it into smaller units, you can control the movement of data between segments and secure each part from one another. Moreover, automating the process can help you smartly restrict suspicious entities (both internal and external) from gaining access to vital information or data.

Managed Detection and Response

MDR is an economically feasible service that helps you with in-depth threat detection and response. Threat hunting, which is part of this service, helps you with deep research and analysis of vulnerabilities, thus allowing you to deal strategically with cyber threats.

Adopt These Best Practices Before It’s Too Late 

When it comes to supply chain security, the best practices mentioned above are just the tip of the iceberg of what you should do to avoid security incidents. Enlisting the help of a Managed Services Provider can help you stay ahead of the curve since they have the experience and expertise to shore up your business’ security.

We have another article with more insight and advice to secure your supply chain, available here: How to Effectively Manage Supply Chain Risk?

Most of these processes can be automated and carried out according to the best-known practices by an IT Support Provider. Our suite of cyber security tools is constantly evolving, and our specialists are always on par with the latest threats and methods used by perpetrators. If you’re looking for true peace of mind, talk to us, and we’ll be happy to provide more detail on how we do things.

For more information on Cyber Security, check our dedicated Blog section or our service pages.

Recommended reads on Cyber Security:

What is Identity Theft and how to Avoid it?
Stopping Ransomware – The Complete Guide

8 Steps to Secure Remote Working for the Covid 19 Lockdown

Securing Remote Work for Covid Lockdown
Photo by DocuSign on Unsplash

Reading Time: 5 Minutes
Last month we had our first (and hopefully last) anniversary of the Covid 19 pandemic. For this occasion, we reviewed an article from last year – a practical guide to secure remote working in your business.

When the first lockdown hit, many companies scrambled for remote working solutions. In that rush, some cyber security considerations may have fallen by the wayside. As the third lockdown lingers on, securing your remote workforce is a must, as working from home is the new normal. We have outlined 8 key security steps for secure remote working that apply to all companies, regardless of size.

1. Establish what is covered with your IT Support Provider

Both the requirements and coverage agreements tend to be different when working remotely. Protecting people’s personal devices in their home networks demands more attention than in a controlled environment such as the office. Your IT provider may or may not cover the usage of non-commercial home devices or PCs to access your company’s IT resources remotely. You need to know what is covered and if they are incorporating home working.

It is considerably better to allow them to manage your home workers with their centralised management tools than to do it solo. Ask the question. At this stage, a good IT Support Provider will have managing a remote workforce down to a science.

2. Provide Malware Protection for Your Remote users

While you may have centralised malware protection and monitoring of all the workstations at your physical office, you likely do not have the same level of control for home computers. If possible, we recommend that you ask your IT provider to extend their Malware protection and remote management solutions to your home office users. 

If that is not an option (and it should be), Webroot offers multi-device packages for a reasonable cost, covering both PC and Mac environments. Macs should not be exempt from using endpoint protection software. One in ten Mac users has been attacked by the Shlayer Trojan.

Set a policy that all home employees must use an antivirus tool on the machines that access the firm’s resources. Moreover, have your IT support provider verify this before you install your secure remote access tools.

3. Make sure remote working does not introduce more risk

You may have had to suddenly set up remote access servers, Windows 10 virtual desktops or other remote access solutions. Whatever you chose, make it consistent across your organisation, as it makes it simpler to manage and roll back at a later stage. In particular, do not blindly open remote access ports without thinking of the risks and consequences. 

Remember that ransomware attackers look and scan for open RDP servers, targeting anything responding on port 3389. This means any open doors are considered critical security concerns that could compromise your business. For RDP servers, you need a VPN solution, period.

4. Reinforce Cyber Security Education and Make Staff Aware of Covid-19 Scams

The Irish Times have reported a huge increase in COVID-19 scams that are circulating. Urge your users to not click on unsolicited emails and to use only official websites. The same principles used to identify Phishing emails apply here, and you can find more about them in our article How to Identify a Suspicious Email.

Ensure that the firm has a way of centrally communicating incidents so that you can trace all official communications and notifications to act accordingly. Additionally, a Mailbox filtering tool also helps reduce the number of fraudulent emails your employees will receive every day.


5. Update security and Acceptable usage policies for staff

Make sure your acceptable computer use policies cover staff’s home computer assets. If this wording is not already there, you’ll need to add it quickly to allow employees’ personal devices to be used for remote access. Policies should also cover remote working protocols, and payment processes need to be reviewed to avoid becoming a victim of payment scams.

Click here to learn more about Invoice Fraud and CEO/CFO Fraud to understand the importance of payment protocols.

Some of the biggest cyber frauds could have been avoided if proper payment processes were in place. A simple confirmation phone call before a requested fund transfer is enough to confirm the identity of whoever is getting the money.

6. Review what software remote employees need

There are two considerations here. Your staff may need to access productivity applications that can only be run from inside your network. In this case, a remote connection to a Remote Desktop server or their PC may be best.

For users of Microsoft 365 and cloud-based apps, you may only need to provide the Microsoft 365 applications. For this, you will need to consider your licence requirements. A Microsoft 365 licence allows each licensed user to install the Office suite on PCs, Macs, tablets and smartphones. Those with Volume licences can offer Office for home use purchases to employees. You may need to review your options and licensing alternatives based on what platform and version of Office you are currently licensed for.

Which Microsoft 365 Package is Best for your business?

If you are in doubt, reach out to your IT support provider; they may be able to provide temporary licenses with screen connection software that they already use to remotely manage your network.

7. Implement Multi-Factor Authentication (MFA)

When implementing secure remote working, consider adding MFA to remote access solutions. This adds an extra layer of security for your users and makes it much harder for a cybercriminal to steal someone’s identity. We have a One-Page Guide on Multi-Factor Authentication and Single Sign-On, where we explain how they work and why they’re so important.

Ask your IT support provider about adding MFA solutions such as DUO or Microsoft’s native Multifactor Authentication solution to access your IT infrastructure both in the office and the cloud. 

While your company may need to move quickly to allow your staff to work remotely, you can still ensure that only authorised admins and users are allowed in, mitigating the threat of identity theft.

8. Secure connectivity with a virtual private network (VPN)

A VPN hides your identity and online activity from the network you are browsing on. It can also be used to ensure company files are only accessible to people inside the organisation.

Most Unified Threat Management firewalls (SonicWall, Fortinet, Sophos) include an inbuilt free SSL VPN client that can be deployed to provide secure end-to-end connectivity for your end-users. Ensure that your firewall and VPN solutions are kept up to date, as this reduces the window of exposure to known vulnerabilities.

Prepare for the future of secure remote working

One year and three lockdowns in, remote working isn’t going anywhere, that’s the reality. It is important to define how you work remotely, review improvements and then secure your remote workforce properly. As always, the CIS provide excellent guidance with their CIS Telework and Small Office Network Security Guide. Review that to see if there are any other security issues you should be monitoring.

Next Steps to ensure Secure Remote Working

1. If you’re looking for an IT support provider with experience providing a secure remote working environment, get in touch here, or give us a call on 01 6644190 to talk with one of our experts.

2. Discover more about how MS Teams helps remote workers with both communications and collaboration.

3. Review our Remote Working solutions to ensure optimal protection for your businesses.

When to use Windows Virtual Desktops

Windows Virtual Desktops
Photo by JESHOOTS.COM on Unsplash

Reading Time: 4 Minutes
Since its release in September 2019, Windows Virtual Desktop (WVD) has gained traction across multiple organisations, mainly those looking to provide a better user experience for their employees, have the latest security and feature updates, and reduce costs across their IT environment.

Especially since the first wave of lockdowns in March 2020, Windows Virtual Desktop has become a solution that organisations started looking at for their company’s needs as most of the global workforce had to work from home suddenly. 

When Do You Require a Windows Virtual Desktop?

This is a question that we field regularly with users of Microsoft 365 Business solutions. It all comes down to applications! The desktop applications a customer may want to access may not just be Microsoft Office Suite applications. Commonly there are applications such as Accounting, ERP, Development and bespoke client-based solutions that you cannot deliver to your end-users using traditional Microsoft 365 Business solutions.

In a conventional network, these would reside on servers and desktops in your organisation. If your users use Microsoft applications and services – consider Microsoft Office 365 Business Premium. This will satisfy the end-user requirement and provide the flexibility required to work from any location.

For such requirements, there is Windows Virtual Desktop.

So what is WVD? How can you implement it? Will it work for your organisation? What other services does it need for it to work efficiently? Let’s dive in and answer these questions one by one.

What is Microsoft’s Windows Virtual Desktop?

According to Microsoft, “Windows Virtual Desktop is a desktop and app virtualisation service that runs on the cloud.” The cloud Microsoft is talking about is Azure, and running WVD on Azure gives the following benefits:

  1. A scalable multi-session Windows 10 (full) deployment.
  2. A replacement for cumbersome Remote Desktop Services (RDS) servers and application publishing.
  3. Accessibility from any location with a full Windows 10 user experience.
  4. A greater degree of security and end-user control.
  5. Rapid deployment and scalability, allowing BYOD policies.

Learn more about what it takes to migrate your business to the Azure Cloud with our 101 Guide.

How Does Windows Virtual Desktop Benefit Your Organisation

Productivity

One of the main benefits of Windows Virtual Desktop is that a user can access their desktop from anywhere they have internet access, using their company-issued device, a shared work computer, or their own device. So an employee who finds themselves stuck in a remote location would be able to remotely access their same desktop experience with all its functionality and personalisation.

Cost Reductions of Windows Virtual Desktops

By using WVD, an enterprise can realise cost savings in several ways. First, hosting on Azure significantly reduces the infrastructure needed, mainly servers and the rooms to house them in. Also, with employees working from anywhere, the amount of office space required is less, especially when shared workspaces, like WeWork and Regus, are available.

Lower Support Costs

Labour savings will also be significant since you won’t need as many full-time employees to maintain a vast infrastructure. Part of the labour savings will come from needing fewer help desk support staff, because desktops are created virtually with the latest versions, so there are no issues with installation or outdated versions. Virtual desktops are also simpler to lock down, and endpoint policies that lower the attack surface for hackers are easier to enforce.

Fewer Hardware Costs – Supporting BYOD

For companies that allow employees to bring their own device (BYOD), the budget for new devices can be reduced since employees rely on their own hardware.

Scalability and Security

A company that wants to scale quickly can do so with Windows Virtual Desktop, and the reverse is also true. If your company goes through busy periods and requires additional staff, you only pay for the use of those desktops as and when they are needed. This is particularly useful for arts organisations and production companies where contractors will use their own devices (BYOD).

Since the desktop on WVD will always be up to date, it will have the latest security features Microsoft offers. Traditionally, a larger company would defer security updates or take time to fully roll them out, leaving users vulnerable to attack.


Issues With Moving To Windows Virtual Desktop

Before you can fully move your organisation onto WVD, you need to either migrate your traditional apps to cloud-based alternatives or have all of your apps in a digital format with a proper signature. This requires taking all of your EXEs and MSIs and converting them into MSIXs. Microsoft has provided tooling to do this manually, but Spector can assist with that process.

Mobile Users without Internet Access

It may seem rare, but it does happen. If your users are in an area with no internet or a slow/unstable connection, they will not be able to access their desktop and the apps they need. It is important to profile your user base in advance.

Peripherals

You will also need to address the topic of peripheral technologies that standard desktops have access to. For example:

Printing – this can be resolved by using IP printers.

Scanning – as with printing, scanners can be set to send jobs to email or file locations.

Speakers, microphones, and webcams – this is more challenging. Even with the Windows 10 Enhanced Media pack, we recommend that all MS Teams conferencing and telephony take place outside of a Windows Virtual Desktop. We tend to deploy conferencing and telephony apps on the local desktop or device as the end-user experience is way better.

Hardware license keys and other USB devices – you will need to research this, as it is dependent on the device and licencing.

Conclusion

As working from home and BYOD become the new norm, Windows Virtual Desktop will deliver a consistent and secure working environment for your staff. For more information or a demonstration of Windows Virtual Desktop, please feel free to contact us.

Our team will be happy to demonstrate how everything works and guide you through the usability process in a free Discovery Call. Your business could benefit from this and many other technological advancements while still saving costs.

For more tips and information about Cloud and Remote Working, check our dedicated Blog section with several articles about the topic. We’ve helped thousands of customers move to remote working after the Covid 19 pandemic and would be happy to assist your business.

Thank you for reading! Follow us on Social Media for more exclusive content.
 

Cloud Migration: A Guide to Microsoft Azure and Microsoft 365


Organisations belonging to all verticals and sizes are beginning to reap the rewards of Digital Transformation programmes to challenge the status quo and deliver new ways of doing business. At the core of our practice, we help clients realise these benefits by adopting cloud-based technologies. This guide aims to look at how to leverage the benefits of the Microsoft 365 and Azure platforms.

We will share our experience of migrating on-premise technologies to their cloud-based counterparts. Along the way, we will review the most common approaches to extend and migrate critical components of your IT infrastructure, such as Active Directory, shared files, line-of-business servers, desktops, and applications.

We aim to help you develop a more comprehensive plan and deliver successful cloud migration projects that produce meaningful long-term business outcomes. Use the index below to skip to your preferred section or download our PDF guide to lead your decisions.


What are you Planning to Migrate to the Cloud?

Let us start with the most fundamental of questions. What components of your current or planned IT infrastructure are you planning to migrate to the cloud? It is more and more common for us to work with companies that are 100% living in the cloud. Most of them use the Microsoft 365 Platform for productivity applications, among other solutions for project management, accounting, and collaboration.

Still confused about the Cloud? Learn all the important details with this article.

In the rush to get teams operational during the first wave of Covid 19 lockdowns, many companies grabbed the first and best-known technology available. We are now assisting companies in reengineering this approach to ensure better security by consolidating as many of these functions in as few platforms as possible.

Common Business Technologies

Email and Collaboration – We recommend reviewing and consolidating as many functions under one provider as possible. The Microsoft 365 Business or Enterprise packages are a great place to start and provide Email, Collaboration, Enterprise File Share, Chat, Telephony and more. The goal is to maximise each part of your investment and ask if there are better ways of achieving what you are currently doing today. For more information on the right Microsoft 365 package for your business, see our related blog on MS Business and MS Enterprise.

Files (i.e., company shares) – The main shared files belong in the cloud and can be accommodated through your Microsoft 365 SharePoint functionality. This works fine unless you have specific high-performance file server requirements, for example to house shared accounting solutions (i.e., QuickBooks, Sage) or to support 3D modelling tools such as Revit. For those, you may need to consider a dedicated file server or Azure Files, which will better suit the purpose.

Active Directory – AD should be in the cloud. Managing user identity and access rights is critical as you migrate your technologies to the cloud. We also recommend that Microsoft 365 end users explore the benefits of a cloud-based AD. It provides more granular policy management, which is useful for broader security policy management. AD may exist entirely in the cloud or live in a hybrid model where AD information is synchronised between internal and cloud-based servers.

Databases (i.e., SQL Server) – The cloud is the ideal platform for databases too. Not only are licensing costs typically lower, but the ability to scale out to increase performance and protect critical data (with backups and replication) are imperative considerations. This flexibility is particularly useful when testing Proof of Concept deployments or when your company may need to scale up services for a short time.


Business Specific Applications (i.e., ERP, MRP, CRM) – Business applications tend to come in two flavours. First, we have web-based applications. These move very quickly to a cloud infrastructure as they are essentially cloud-ready by design. Their supporting technologies (database, web interface and file management) are relatively simple to migrate.

For traditional applications that require a client-side installer (an application installed on a desktop), the migration can be more complex. It comes down to how efficiently the application works between the client and the server when they are in separate locations. By design, these applications are meant to be on the same network, reducing latency and providing better performance. If there is a significant end-user performance hit from moving these business applications to the cloud, you may need to rethink the migration process, for example by moving your users to a Windows Virtual Desktop or application publishing solution that is also cloud-based.

Desktops – For organisations that rely solely on cloud-based applications, i.e., Microsoft 365, Xero, Parolla and such, having a virtual Windows desktop in the cloud may not provide much value. However, for organisations with:

  1. Client/server applications,
  2. BYOD programmes,
  3. Compliance requirements,
  4. A requirement to scale users rapidly,

a Windows Virtual Desktop ticks all the boxes and provides the better performance associated with traditional LAN-based speeds and controls.

Site-Specific Hardware (i.e., printers, scanners, warehousing and manufacturing controllers, POS systems) – These elements are attached physically to a location and cannot be migrated. 

Security – This is a vast topic, and to make it simpler, you need to consider where your users, data, applications, etc., live. You need to identify how each of these components integrates and communicates with the others, and then implement security controls and technologies to address the risks. This generally involves multiple layers such as email protection, end-user training, malware and ransomware solutions, identity management solutions and firewalls.

Backups and Disaster Recovery – Cloud is perfect for backup and DR. The cloud provides an ideal target for your backup data/images as storage space is inexpensive, it is physically remote from the original copy, and there is plenty of redundancy built-in. It can also provide a full recovery location for disaster recovery or failover in the case of a disaster. 

We find that a detailed asset and risk register helps focus the mind in planning your cloud migration. It allows you to look at your IT assets today, how they are protected and how they serve the end-user base. It also allows you to paint the future and the benefits a cloud migration will bring, addressing security considerations as you go.

Learn more about how to build your risk register with our detailed article and find the best ways to manage technology risk.

What is clear from our list above is that most IT assets can be migrated to the cloud. That answers the “What can we migrate?” question. In terms of a wider strategy, the next question is one of timing and phasing your migration.


Pure Cloud vs Hybrid Cloud

This question has already been answered for the smaller businesses with no on-premises IT services and infrastructure – you are already 100% cloud-based. For more complex companies with a mix of on-site servers and cloud services such as email and DR, you will need to consider how migration will be performed.

A Question of Timing – Cutover or Phased migration

Should you perform a cutover migration (where users are accessing an on-premises environment one day and are accessing the cloud the next) or migrate your users into groups or phases?

There is no single right answer that accommodates all client requirements. It boils down to their IT components and applications, staff and IT providers’ capabilities and risk. Let us consider an outcome where we will move all components that can be moved to the cloud. 

The “When” question deals with the process of moving the selected IT components to the cloud.

There are two primary ways to perform the migration:

Cutover Migration

A Cutover migration is a one-time event with lots of planning and preparation in advance and then a burst of activity immediately after the go-live. After some time, the activity level subsides as users get used to their new cloud environment and start appreciating the benefits. Cutover migrations are typically best for simple, small settings where it makes sense to do everything at once. It is challenging to do a cutover migration of a large and complex IT environment due to the risk of missing critical components, which means that the risk of user disruption is also high. On the other hand, cutover migrations can be very quick and completed within weeks or even days.


Cutover Scenario

In a cutover scenario, the cloud environment is set up independently as a proof-of-concept replica of the existing on-premises environment. All servers are installed in the cloud and data migrated. All user virtual desktops are prepared with their required profiles, settings and applications. 

A Proof-of-Concept test user group is then selected to log into this newly created environment to confirm that all applications and services are working as expected. Once fully tested and signed off a “go-live” date is scheduled. 

Users are then steered to the new cloud setup as their new working environment. It is wise also to leave the original infrastructure in place for a short time in case any specific settings, files or certs have been missed. Assuming all goes well, the old environment is decommissioned in the coming weeks. This results in the customer having switched from an on-premises system to a cloud-based one in a cutover fashion.

Phased migration 

A phased migration is a journey. It breaks the migration process down into small, manageable steps that are executed in sequence with the opportunity to have users validate the environment in production every step of the way. Phase-in migrations can take a long time to complete. It is not unusual to see these last for months or even years. However, this is a safer approach to migrating large and complex environments. For small, simple environments, phased migrations are typically more work-intensive and disruptive than necessary.

Phased Scenario

In this scenario, the cloud environment is preconfigured with select IT components and one or more workstreams are moved to Azure. Users continue using both the existing on-premises systems and the new cloud-based one simultaneously for an extended period.

The on-premises environment is likely extended to the cloud using a VPN and Hybrid AD. This extends both the network and the user access controls to the cloud-based applications or servers that are being migrated. Over time, additional workloads like file shares, databases, and virtual desktops can be moved one at a time from on-premises to Azure until all the desired IT components have been migrated.

Before an Azure migration, make a list of which IT components will be migrated to the cloud and which will stay local. Consider the migration approach that fits best – Cutover or Phase-In – and discuss it with your IT team and Managed Service Provider. Will you opt to get it done quickly, or will you want to take your time and test everything thoroughly? Be careful not to overcomplicate matters. We have seen simple file share migrations drag on for months! Equally, make sure that your testing is complete and that you are testing accordingly. Planning is critical here.

A Typical Spector Azure Deployment

Each of our Azure Migrations starts with a proof-of-concept stage. One that has no impact on your current environment but can be connected to the live environment for final migration once the POC is complete.


Connecting your POC Into an Existing IT Environment

There are three top-level steps involved in plugging a new Azure deployment into an existing IT environment.

Extend the network – This is typically accomplished by setting up a site-to-site VPN between your core office location(s) and the Azure environment.

Extend Active Directory – Making the same Active Directory Domain Services available in Azure allows you to manage user objects and assign virtual desktops without any changes to the existing environment. Once the AD is extended from the current environment to Azure, it spans both locations and allows seamless movement of servers from one to the other.

Move Server and Desktop workloads – Once network connectivity is established and Active Directory is extended into Azure, servers and data can be moved from the existing environment to Azure. We tend to use Azure Site Recovery (ASR), another VM replication technology, or the Azure Resource Move process.

The result of the three steps above is a Spector managed Azure environment with connectivity to an existing IT environment, AD visibility, and the ability to move VMs from one environment to the other without the need to re-join the domain or reconfigure the operating system.

Once the migration has been performed, you may also consider a reengineering of your cloud solution to better tailor it to its new home or seek alternatives that better suit your digital transformation goals.

Sample Scenarios – Outcomes and Key Steps for Successful Cloud Migrations

In this section, we will look at two cloud migration scenarios of varying complexity and examine the steps in that migration and the outcomes, skill sets, and time scales to achieve them.

Scenario 1

A 25-user accountancy practice using traditional desktop-based applications such as TAS Books, Sage Line 50 Accounts and various payroll applications.

Current Situation

The company is based in two geographic locations with staff performing a range of financial services including accounts production, tax planning, pension planning and payroll services. Staff work between the office, home and audit locations using laptops. Each site has a centralised server. There are two separate domains, as the second site was a result of M&A.

Current Issues

• All applications are traditional desktop or client/server applications that require constant and disruptive updating.
• Adding new staff is laborious and time-consuming.
• Client files are transferred to laptops for offline working.
• With restricted travel, it takes time and effort to gather all the data required.
• Staff find remote working challenging with VPN and password reset issues.
• Operations are only 80% as productive as their pre-Covid 19 levels.
• Staff cannot easily share and work from both locations as their business data is located on different systems.
• Communications are challenging, with most staff reverting to mobile phone usage. Clients complain that they cannot get through to their main point of contact.

Goals

• The ability to communicate and collaborate in real time with both clients and other staff members across both offices.
• Easily gain access to files – both online and offline – from any location on any device.
• Migrate accounting clients to a new centralised cloud-based platform that cuts out all the file transfers.
• Deliver a consistent desktop experience for all users that is quickly scalable and accessible from any location.
• Improve efficiency and focus on a consultative rather than transactional relationship with clients.
• Drive centralised reporting and KPIs.
• Reduce IT headaches and management costs.
• Improve security and compliance and enter a long term improvement programme.

Cloud Migration Plan 

1- Upgrade all users to Microsoft 365 Business Premium.
2- Set up a new Azure AD environment – the old AD was an inherited mess.
3- Extend the network from both locations to Azure using site to site VPN.
4- Migrate file server to SharePoint Online, allowing users to collaborate and share data with each other and clients.
5- Set up Windows Virtual Desktops for users of Client-Server apps.
6- Perform a fresh install of Accounts Production Virtual Server.
7- Migrate data sets from client-server applications to new Azure-based Virtual servers.
8- Set up backup and Site recovery for DR.
9- End-user testing and go live.
10- Setup Microsoft Teams for Chat, Collaboration and Telephony – replacing several legacy systems.
11- Rollout security policies via Intune and Advanced Threat Protection.
12- Set up data retention and compliance policies.
13- Migrate traditional desktop-based accounts packages (Sage, TAS, etc.) to Xero & AccountsIQ, with Parolla for payroll, depending on client requirements. All come with detailed KPI plugins allowing for more consultative practice management.

Outcomes

The primary outcomes come from consistency and efficiency. The consistent end-user experience and modern look and feel make it simpler to train and onboard staff. The client also reports better communications and access to the team with better reporting outcomes.

There has been a 20% increase in efficiency over pre-Covid levels, as there are fewer blockers and less time wasted on communications and technical difficulties.


Scenario 2

A manufacturing and distribution company producing and distributing goods to several European markets. Offices in 3 countries, 130 staff, and a manufacturing and storage warehouse. AD, File & Print, ERP, Web Orders, CRM, TMS and Exchange Server are all server-based, running on an ageing SAN and infrastructure. Traditional PRI-based PBX. Forty reps on the road and fifteen expert engineers, with the balance office-based.

Current Situation

The investment in technology has been slow over the past several years. There has been a strong emphasis on security – so much so that all technology is located on-site. There is now a desire to migrate technologies to a cloud-first strategy where possible. There is a strong desire to allow for greater working agility and flexibility as offices are downsized in favour of smaller hot desk sites with flexible meeting rooms.

Current Issues

• There is no defined IT and cloud-based migration strategy.
• Technology management – support and applications are costly, with multiple 3rd party relationships that are difficult to manage and coordinate together.
• Traditional applications have slowed down the adoption of new agile technologies.
• There is widespread use of shadow IT and security concerns as staff try to work around the technology limitations.
• The traditional UC solution is expensive and needs complete and costly replacement.
• There is a need for a rethink and rewiring of all security technologies.

Goals

• The first goal is to develop a strategy and simplify the IT supporting all business functions.
• Move obvious workloads to the cloud – File, AD, Email, Comms and Collaboration.
• Review core ERP and CRM solutions to see if the cloud migration path is open or seek alternatives.
• Upgrade existing hardware – where necessary.
• Complete a cyber security review using the NIST Cyber Security Framework and enterprise-grade security solutions to protect all company, people, and data assets during the migration process.
• Review and enhance the Disaster Recovery solution.

Migration Plan 

1- Develop Strategic IT Review and Roadmap for:

  1. Applications – End-User
  2. Comms & Collaboration
  3. Applications – Enterprise
  4. Infrastructure
  5. Cyber Security
  6. Business Continuity

2- Establish a Microsoft 365 tenancy with E5 licence – this delivered a consistent application experience for all. In the process, we migrated all telephony, IM, conferencing, and communications to Microsoft Teams, saving 20k in annual charges.
3- Full email migration to the cloud with full security capabilities such as MFA, Legal Hold, Data Retention and Mobile management capabilities.
4- New core infrastructure hardware to include core networking, security, and firewalling (Sophos solution with Synchronised security and 24/7 managed threat response).
5- Sales, Finance and Admin all working through SharePoint for file sharing and management.
6- Engineers and higher end-users using Windows Virtual Desktops with Azure High-Performance File Shares to support Revit and “chatty application” workloads.
7- Migration of core servers for ERP, CRM, AD Devops to Azure-based Virtual Machines.
8- Extension of local networks to Azure using IPSEC VPNs.
9- Longer term partner strategy with ERP solution to private cloud infrastructure.
10- Azure Backup and Site Recovery: a Veeam- and Zerto-based backup and site recovery solution with fully tested failover for business applications.
11- Set up backup and Site recovery for DR. Fully monitored and tested.


Outcomes

This 14-month project has reduced management costs by nearly 80k per annum. Traditional longwinded processes have been replaced with newer, more agile methods allowing staff to focus more on developing new products and go-to-market strategies. Technology is now seen as a real business enabler. Cyber Security protection is now a topic at the board table with a mature and tested platform in place – with clear lines of reporting and responsibility.

Conclusion – Assisting with the move

As you will have noticed, a proper cloud migration process tends to be very complex and has many points where it could go wrong. To ensure your files and operations are secured in the cloud, you should find a trustworthy provider to advise and guide you through each step and who essentially watches all the details for you.

If you already found that provider, use this guide to ensure nothing less than perfect is delivered. If you are still looking, be reassured we will be happy to assist you in this transition. We’ve helped businesses of many verticals and sizes in migrating to the cloud and will be able to take this heavy load from you and deliver a seamless experience to your employees and customers – light as a cloud.

Book a discovery call with one of our experts today and learn how we can transform your business with the power of technology.

Which Microsoft 365 Business Package is Right for You?

Microsoft 365 Business Package
Photo by Tadas Sar on Unsplash

Reading Time: 4 Minutes
In April 2020, Microsoft rebranded their original Office 365 packages under their new Microsoft 365 branding. Even so, many companies are still using older packages and remain unaware of the features and functions available under the latest packages.

What about the Enterprise packages, you may ask? Enterprise packages are designed for companies with over 300 staff with specific security controls such as Legal Hold and in-depth Data Leakage protection that can only be purchased in their E5 licence. If you have more complex data security and compliance requirements, check out our blogs on the subject or feel free to reach out to one of our solutions consultants who can help you decide.

Using Only a Fraction of the Available Features

Most SME companies that we encounter are signed up to Microsoft Business Basic (think email and cloud-based version of their productivity applications) or Microsoft Business Standard (Email and Desktop Version of their productivity applications) packages. Most of them, however, are using only a limited amount of the available capabilities. 

There is a wealth of other functionality under the hood that enables more efficient remote working and security for your users, wherever they work. For our assessment here, we are comparing Microsoft Business Standard Edition to the Microsoft Business Premium Edition – as Standard is the most common package that we see in the market.

What is Microsoft 365 Business Standard?

Microsoft 365 Business Standard is a package for organisations that require Office applications across a maximum of 5 devices, with the addition of business email (50 GB), cloud file storage (1 TB) and online meetings and chat via Microsoft Teams. The current price of the package is €10.50 (per user/month) with a one-month free trial.

What is Microsoft 365 Business Premium?

Microsoft 365 Business Premium includes everything that the Microsoft 365 Business Standard package offers with the additional add-ons of advanced cyber threat protection and device management, improving security for your business environment. The current price of the package is €16.90 (per user/month) with a one-month free trial. 

Functionality Comparison

Microsoft 365 Standard and Premium package comparison

Is Microsoft 365 Business Premium worth it?

Rather than labouring the point, the simple answer is a resounding YES! The main reason is Advanced Threat Protection (ATP) and the additional features allowing you to easily manage devices throughout your organisation, which Business Standard does not include. Let us take a quick look at some of these key features:

Intune

Microsoft Intune is a cloud-based service that allows you to enforce policies for mobile device management (MDM) and mobile application management (MAM). You control how your organisation’s devices are used, including mobile phones, tablets, and laptops. You can also configure specific policies to manage applications. 

For example, you can prevent emails from being sent to people outside your organisation. Intune also allows people in your organisation to use their personal devices for work. Intune helps make sure your organisation data stays protected and can isolate organisation data from private data on personal devices. As with all security-based solutions, we recommend building specific policies first and then setting up the technologies and alerting to support those policies. 

Conditional Access

As the name suggests, Conditional Access allows you to control the devices and apps connected to your email, files and Microsoft 365 apps. Conditional Access provides granular access control to keep your corporate data secure while giving users an experience that allows them to do their best work from any device and location.

There are two types of conditional access with Intune: device-based conditional access and app-based conditional access. You need to configure the related compliance policies to drive conditional access compliance at your organisation. Conditional access is commonly used to do things like allow or block access to email, control access to the network, or integrate with a Mobile Threat Defence solution.

Azure Information Protection

Enables collaboration on your emails, documents, and sensitive data, internally and externally. This is done securely through a combination of encryption, restricted access, and usage rights that provide additional protection.

Defender

Provides Advanced Threat Protection (ATP) by offering a complete, ongoing, and up to date defence. This helps mitigate malware threats from multiple sources such as infected attachments, links, and downloads through your Microsoft 365 apps such as email, SharePoint, and MS Teams.

Learn about Microsoft 365’s Security Concerns and how they could impact your business.

Windows Virtual Desktop (WVD)

This service is an all-inclusive desktop and application virtualisation service. WVD is a Windows 10 desktop that lives on the Azure platform. It provides a complete desktop solution for remote workers and is suitable for users of business-specific desktop-based applications, i.e., accounting solutions, ERP, MRP, CRM, etc. Using WVD also allows for secure remote working for BYOD users.


Our conclusion and Spector’s recommendation

Yes, there is an extra cost of just over €6 per user per month, but the security controls and capabilities contained in Microsoft 365 Business Premium are more than worth it. There is a massive uplift in cybercrime (400% in 2020) seeking out vulnerabilities that these security controls can defend against. This re-emphasises the importance of the features above, as your business will be able to defend against threats, giving you the peace of mind that your information is being safeguarded.

How can we help?

We are a Microsoft Gold Certified Partner, which means we have the highest degree of expertise working with Microsoft technologies.

We can help you plan and migrate to the Microsoft 365 Business Premium Package with a strong focus on policy, security, and productivity. If you have any questions on the Microsoft 365 Packages or would like to know more, please get in touch, and we will be happy to help.

We’ll be letting you know when we begin our Microsoft 365 Lunch and Learn sessions, where we deep dive into the specifics of the Microsoft 365 products such as Microsoft Teams, SharePoint, and Collaboration applications. Tell us in the comments if you’d be interested in joining us!

Follow us on Social Media for more exclusive content, and as always, if you have any feedback or questions about this article, please do not hesitate to use the comment box below.


The Top Microsoft 365 Security Concerns 

Top Microsoft 365 Security Concerns
Photo by Clint Patterson on Unsplash

Reading Time: 3 Minutes
Microsoft does an outstanding job securing its cloud services. However, cloud users must take responsibility for configuring and managing secure access and file sharing to minimise the risk of data leakage. 

Which Microsoft 365 Business Package is right for you? Find out in this article.

Some IT managers and most business owners might not be aware of the specific configurations within Microsoft 365 and could be leaving openings for cybercriminals. In this article, we’ll be talking about some of these potential risks and how they can impact your business. Here are our top 5 security concerns.

Unauthorised or External File Sharing

Microsoft 365 enables users to collaborate with people outside of your organisation in applications like Teams and SharePoint, as well as by sharing files and folders directly. We talked about external sharing in Microsoft 365, and in particular Teams, in detail in other articles. 

Not sure if Teams is the right tool for your business? Read this article to find out.

Files that are shared outside your network are vulnerable by default. With Microsoft 365, a user can share a single file or an entire folder. This grants access to all files currently in that folder and all its subfolders, as well as any new ones created there. For a decent guide on the subject, take a look at this guide by Netwrix.

Privilege Abuse

Users often wind up with more permissions than they need to do their jobs. Excessive rights increase your risk of a data breach. For instance, users can accidentally or deliberately expose or steal more data than they should. Similarly, malicious software or hackers who take over a user’s account can access more data and systems than they normally would. 

Microsoft 365 doesn’t make it easy to restrict permissions based on business unit or country, or for remote or satellite offices. It’s also tricky to granularly grant admins rights to perform only specific functions, like resetting user passwords. 

Global Administrator Account Breaches

Security Breach
Photo by Michael Dziedzic on Unsplash

Hackers and cybercriminals often target administrative accounts in their attacks, because a successful takeover gives them elevated privileges. The centralised administration model in Microsoft 365 allows all administrators to have global credentials, meaning administrators have access to every user’s account and content. If hackers manage to take over a global admin account, they can change critical settings, steal valuable data, and leave backdoors to enter again.

To reduce the risk of these powerful accounts being compromised, you can set up multi-factor authentication (MFA) in the Security and Compliance Center. Keep in mind that global administrator accounts do not have MFA enabled by default. 

Curious about Multi-Factor Authentication? We have a one-page guide explaining how it works.
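A quick way to find the global admin accounts described above that have nothing stronger than a password registered. This is an added example, not code from the original article; it assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account can read directory roles and authentication methods.

```powershell
# Added example (not part of the original article).
# Assumes: Microsoft.Graph PowerShell SDK installed; the caller holds a role that
# can read directory roles and users' authentication methods.
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All', 'UserAuthenticationMethod.Read.All'

function Get-GlobalAdminMfaStatus {
    # Well-known role template id of the Global Administrator directory role.
    $gaTemplateId = '62e90394-69f5-4237-9190-012177145e10'

    # The activated role object is looked up client-side by template id, so the
    # check does not depend on the display name of the role.
    $role = Get-MgDirectoryRole | Where-Object RoleTemplateId -eq $gaTemplateId
    if (-not $role) { throw 'Global Administrator role is not activated in this tenant.' }

    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        # Only direct user members are inspected; groups and service principals
        # that hold the role are skipped and would need their own review.
        if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }

        $methods = Get-MgUserAuthenticationMethod -UserId $member.Id

        # Anything other than the password method counts as a registered second factor
        # (Authenticator app, FIDO2 key, phone, etc.).
        $secondFactors = $methods | Where-Object {
            $_.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.passwordAuthenticationMethod'
        }

        [pscustomobject]@{
            UserPrincipalName = $member.AdditionalProperties['userPrincipalName']
            MfaRegistered     = [bool]$secondFactors
            RegisteredMethods = ($secondFactors | ForEach-Object {
                                    $_.AdditionalProperties['@odata.type'].Split('.')[-1]
                                }) -join ', '
        }
    }
}

# Report: global admins with no second factor registered are the ones to fix first.
Get-GlobalAdminMfaStatus | Sort-Object MfaRegistered | Format-Table -AutoSize
```

Registration is not enforcement: a listed method only helps if a Conditional Access policy or security defaults actually require it at sign-in, and admins assigned through PIM eligibility rather than direct membership do not appear in this list.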

Disabled Audit Logs

Audit recording is not enabled by default in Microsoft 365. An administrator must manually turn auditing on. Similarly, to audit email mailboxes, an administrator must turn on mailbox auditing. These are essential features both for security and compliance and should be present at all times.

Understand that the audit log shows only events that occurred after auditing was enabled. 

Short Log Retention Periods

Microsoft 365 stores audit logs only for a short time, from just 90 days to a maximum of one year. For details on these settings, take a look at this link. Many compliance standards require storing audit logs for far longer than that. For example, HIPAA requires logs to be retained for six years. GDPR does not specify a retention period; however, it requires organisations to be able to investigate breaches, which can take well over a year to surface. By that time, the native audit logs are gone.
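The two previous sections, disabled auditing and short retention, can be checked from one admin session. The script below is an added example, not the article's own material; it assumes the ExchangeOnlineManagement module is installed, that the account holds the Exchange and Compliance administrator roles, and that the tenant's licence permits audit retention policies (the retention step is skipped otherwise).

```powershell
# Added example (not part of the original article).
# Assumes: ExchangeOnlineManagement module installed; the caller can administer
# Exchange Online and Security & Compliance; a licence that supports
# New-UnifiedAuditLogRetentionPolicy if the retention step is wanted.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline      # Exchange Online cmdlets (audit config, mailboxes)
Connect-IPPSSession         # Security & Compliance cmdlets (audit retention policies)

function Test-TenantAuditConfig {
    # 1. Tenant-wide: is unified audit log ingestion switched on at all?
    $auditCfg = Get-AdminAuditLogConfig
    if (-not $auditCfg.UnifiedAuditLogIngestionEnabled) {
        Write-Warning 'Unified audit log ingestion is OFF: no events are being recorded.'
        Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    } else {
        Write-Output 'Unified audit log ingestion: enabled'
    }

    # 2. Mailbox auditing can be disabled for the whole organisation...
    $orgCfg = Get-OrganizationConfig
    if ($orgCfg.AuditDisabled) {
        Write-Warning 'Mailbox auditing is disabled at organisation level.'
        Set-OrganizationConfig -AuditDisabled $false
    }

    # ...or per mailbox. List and re-enable any user mailbox with auditing off.
    $unaudited = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
                 Where-Object { -not $_.AuditEnabled }
    foreach ($mbx in $unaudited) {
        Write-Warning "Mailbox auditing off: $($mbx.UserPrincipalName)"
        Set-Mailbox -Identity $mbx.Identity -AuditEnabled $true
    }
    Write-Output "Mailboxes that had auditing disabled: $(@($unaudited).Count)"

    # 3. Sanity check: the log only contains events from after auditing was enabled,
    #    so confirm something is actually being ingested for the last 90 days.
    $recent = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) `
                                     -EndDate (Get-Date) -ResultSize 1
    if (-not $recent) {
        Write-Warning 'No audit records found in the last 90 days; ingestion may be new or broken.'
    }
}

function Set-CoreAuditRetention {
    # Keeps Exchange, SharePoint and identity records for twelve months instead of
    # the default 90 days. Only effective where the licence allows longer retention;
    # the policy name and description here are constructed for this example.
    $existing = Get-UnifiedAuditLogRetentionPolicy |
                Where-Object Name -eq 'Core audit records - 12 months'
    if ($existing) {
        Write-Output 'Retention policy already present.'
        return
    }
    New-UnifiedAuditLogRetentionPolicy -Name 'Core audit records - 12 months' `
        -Description 'Example policy: retain core audit records for 12 months' `
        -RecordTypes ExchangeAdmin, ExchangeItem, SharePoint, AzureActiveDirectory `
        -RetentionDuration TwelveMonths -Priority 100
}

Test-TenantAuditConfig
Set-CoreAuditRetention
```

Even twelve months falls short of the six years the article cites for HIPAA, so for long-term evidence the records still need to be exported to a SIEM or archive on a schedule.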

Remediating These Risks 

At Spector, we have a full suite of tools that help us remediate these risks and ensure that your Microsoft 365 tenancy is and remains fully secure. As a Microsoft Gold Partner, our team specialises in understanding the whole suite of products available on the market. We’re keen on finding vulnerabilities and solutions and communicating them to our customers and partners.

We can use our expertise to help find vulnerabilities in your business too. Our Gap Analysis covers most business aspects that can be improved, from technology and compliance breaches to business operations and personnel training practices. For more information, please get in touch or book a call with one of our experts.

Thank you for reading! Follow us on Social Media for more exclusive content.

Managing Your Technology Risk

Technology Risk
Photo by Tobias Tullius on Unsplash

Estimated Reading Time: 3 Minutes
Today, no business is 100 per cent secure from cyber threats, and more companies are waking up to this reality now than ever before. It’s no wonder cybersecurity investment in 2020 is pegged to grow by 5.6 per cent to reach nearly $43.1 billion in value. With cyberattacks surging due to widespread remote work and increased online interactions during the pandemic, it seems likely that this trend will only continue to grow further.

Download your Risk Register Sample at the end of this article.

While 58 per cent of IT leaders and practitioners consider improving IT security their topmost priority, nearly 53 per cent of them find cybersecurity and data protection to be among their biggest challenges as well. That’s primarily because cybersecurity is not a one-and-done exercise. Your business might be safe now but could be unsafe the very next minute. Securing your business’ mission-critical data and customers’ data requires undeterred effort sustained over a long period of time. While there are several pieces to this puzzle, the most important one, considering today’s threat landscape, is ongoing risk management.

Through the course of this blog, you will understand what a cybersecurity risk assessment is and why you must undertake and monitor them regularly to keep your business’ cybersecurity posture abreast of ever-evolving cyber threats. By the end of it, we hope you realize that installing cybersecurity solutions alone isn’t enough to counter cyber attacks unless you make ongoing risk management an operational standard for your business.

Understanding Cybersecurity Risk Assessment

In rudimentary terms, a cybersecurity risk assessment refers to the act of understanding, managing, controlling and mitigating cybersecurity risks across your business’ infrastructure.

In its Cybersecurity Framework (CSF), the National Institute of Standards and Technology (NIST) states that the purpose of cybersecurity risk assessments is to “identify, estimate and prioritize risk to organizational operations, assets, individuals, other organizations and the Nation, resulting from the operation and use of information systems.”

The primary purpose of a cybersecurity risk assessment is to help key decision-makers make informed decisions to tackle prevalent and imminent risks. Ideally, an assessment must answer the following questions:

  • What are your business’ key IT assets?
  • What type of data breach would have a significant impact on your business?
  • What are the relevant threats to your company and their sources?
  • What are the internal and external security vulnerabilities?
  • What would be the impact if any of the vulnerabilities were exploited?
  • What is the probability of a vulnerability being exploited?
  • What cyberattacks or security threats could impact your business’ ability to function?

The answers to these questions will help you keep track of security risks and mitigate them before disaster strikes. Now, imagine periodically having the answers to these questions whenever you sit down to make key business decisions. If you’re wondering how it would benefit you, keep reading.
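The questions above map directly onto the columns of a risk register: asset, threat, vulnerability, likelihood and impact, with a score that decides treatment order. The following is an added example, not the article’s own Risk Register Sample: the 1-5 scales, the rating thresholds and every register entry are constructed assumptions to be replaced with your own asset inventory and scale definitions. The `reassess` helper is the "ongoing" part: an entry is re-scored after a control is applied or the environment changes, rather than rewritten.

```python
"""Risk register with likelihood x impact scoring.

Added example (not from the original article). The 1-5 scales, the
rating thresholds and every register entry below are constructed
assumptions; substitute your own asset inventory and scale definitions.
"""
from dataclasses import dataclass, replace

# Constructed ordinal scales answering two of the assessment questions:
# "probability of a vulnerability being exploited" (likelihood) and
# "impact if it were exploited" (impact).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Risk:
    asset: str          # key IT asset the risk applies to
    threat: str         # what could go wrong, and from where
    vulnerability: str  # the weakness that lets the threat in
    likelihood: str     # key into LIKELIHOOD
    impact: str         # key into IMPACT
    control: str = ""   # mitigation in place or planned

    def score(self) -> int:
        """Inherent score on a 1-25 matrix."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def rating(self) -> str:
        """Constructed treatment bands; tune to your own risk appetite."""
        s = self.score()
        if s >= 15:
            return "critical"
        if s >= 8:
            return "high"
        if s >= 4:
            return "medium"
        return "low"


def prioritise(register):
    """Highest score first; ties broken by asset name for a stable report."""
    return sorted(register, key=lambda r: (-r.score(), r.asset))


def build_report(register):
    """Rows of (asset, threat, score, rating) in treatment order."""
    return [(r.asset, r.threat, r.score(), r.rating()) for r in prioritise(register)]


def reassess(risk, likelihood=None, impact=None, control=None):
    """Return an updated copy; the original entry stays as the audit trail."""
    changes = {k: v for k, v in
               {"likelihood": likelihood, "impact": impact, "control": control}.items()
               if v is not None}
    return replace(risk, **changes)


# Constructed sample register (not real findings).
SAMPLE_REGISTER = [
    Risk("File server", "ransomware via phishing", "unpatched SMB service", "likely", "severe"),
    Risk("Payroll laptop", "device theft", "no full-disk encryption", "possible", "major"),
    Risk("Marketing website", "defacement", "outdated CMS plugin", "possible", "minor"),
    Risk("Guest Wi-Fi", "eavesdropping", "open network, no isolation", "unlikely", "negligible"),
]


if __name__ == "__main__":
    for row in build_report(SAMPLE_REGISTER):
        print("%-18s %-24s %2d %s" % row)
    # Re-score the top risk after patching and adding offline backups.
    patched = reassess(SAMPLE_REGISTER[0], likelihood="unlikely",
                       control="patched SMB; offline backups")
    print("residual:", patched.score(), patched.rating())
```

Keeping the original entry and producing a new one on reassessment is deliberate: the register then records how each risk moved between assessments, which is what an auditor or a board report will ask for.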

Why Make Ongoing Risk Management an Operational Standard?

Making ongoing risk management an operational standard is vital, especially in today’s cyberthreat landscape, where no single threat can be underestimated. In one assessment, your business might seem on the right track, but by the next one certain factors will have changed, just as the company itself will have changed. That’s precisely why an ongoing risk management strategy is now an integral part of standard operations for many of your peers.

Here are seven reasons why you can’t keep this critical business decision on the back burner anymore:

Reason 1: Keeping Threats at Bay

Most importantly, an ongoing risk management strategy will help you keep threats, both prevalent and imminent, at a safe distance from your business – especially ones you usually do not monitor regularly.

Reason 2: Prevent Data Loss

Theft or loss of business-critical data can set your business back a long way, leading to the loss of business to competitors. Ongoing risk management can help you remain vigilant of any possible attempts at compromising your business data.

Reason 3: Enhanced Operational Efficiency and Reduced Workforce Frustration

As a business owner or key decision-maker of your organization, you would be amazed how consistently staying on top of potential cybersecurity threats can reduce the risk of unplanned downtime. The assurance that hard work will not vanish into thin air will surely keep your employees’ morale high, thereby reflecting positively on their productivity.

Reason 4: Reduction of Long-Term Costs

Identifying potential vulnerabilities and mitigating them in time can help you prevent or reduce security incidents, which in turn would save your business a significant amount of money and potential reputational damage.

Reason 5: One Assessment Will Set the Right Tone

You must not assume that there should only be one fixed template for all your future cybersecurity risk assessments. However, in order to update them continuously, you need to conduct one in the first place. Hence, the first few assessments will set the right tone for future assessments as part of your ongoing risk management strategy.

Reason 6: Improved Organisational Knowledge

Knowing security vulnerabilities across the business will help you keep a keen eye on important aspects that your business must improve on.

Reason 7: Avoid Regulatory Compliance Issues

By ensuring that you put up a formidable defence against cyberthreats, you will automatically avoid hassles in complying with regulatory standards such as HIPAA, GDPR, PCI DSS, etc.

Continue tackling the Risk – Download your Risk Register Sample

Outsourced It Support
Photo by Blake Wisz on Unsplash

From our years of experience working with customers in highly regulated industries – Financial Services, Healthcare, semi-private organisations – we have found that the best way to handle the challenges of managing technology risk and governance is by leveraging the NIST Cyber Security Framework.

We explain how to do it in detail in our Guide to NIST. Its main focus is for Financial Services companies, but every type of business can leverage the framework to deal with risk.

Download your Risk Register Sample Here.

The Asset and Risk Register are crucial for the development of a Risk management system, but keep in mind that they are only part of that system and not the end result. Now that you are done reading this part, the next one is to Develop your Action Plan to Address Technology Risk.

To continue managing the risk consistently and continually, we have developed our own methodology to assist and guide you through every step. If you are looking for an extra level of detail and a system that will make this process much more comfortable and straightforward, Book a Call with us. We can get you to your desired state of maturity with a tested solution.

Follow us on Social Media for more exclusive content, and as always, if you have any feedback or questions about this article, please do not hesitate to use the comment box below.

 

10 Ways to Improve Online Meetings

Remote Working Video Conference Meeting
Photo by Chris Montgomery on Unsplash

Estimated Reading Time: 3 Minutes
It has been nearly 12 months since the start of the Coronavirus. In this time, we have had to adopt online meetings to collaborate with our teams and communicate with our customers. The “new normal” has been replaced with “the office is dead” and so the unhelpful predictions will continue. There are multiple challenges in successfully transferring communications to online meeting tools such as Microsoft Teams and Zoom.

Want to learn more about Microsoft Teams? Check our articles: Is Teams the Answer to your Remote Working Requirements? or Our Guide to the perfect Microsoft Teams Deployment

There are, however, some tips that we have gained through the use of our EOS (Enterprise Operational System) Traction Meeting disciplines that translate very well to online meetings. It all boils down to preparation and the setting of rules and expectations. Our team have multiple online meetings per week, covering both internal and client communications. We are happy to share our learnings, improvements and best practices with you here.

Here are 10 steps you can take to make your meetings shorter and more productive:

1. Test your technology ahead of time

Make sure you have the bandwidth capacity for online meetings. Nothing kills momentum at the start of a session like a 15-minute delay because people need to download software, can’t get the video to work, etc. Prior to a virtual meeting, all participants should test the technology and make sure they are comfortable with the main features.

2. Use the camera

To make people feel like they’re all at the “same” meeting, use your camera. We are continually amazed by how many people turn off their cameras in a video meeting. In a nutshell, be present or get off the call.

3. Create and stick to a clear agenda and timeline

During the session, use an agenda, set meeting ground rules, take breaks every 45 minutes (if running into hours), and clearly outline next steps (including timing and accountabilities) after each section and at the end of the meeting.

4. Share your screen

Meetings should be discussions. Background information should be provided beforehand using a collaboration tool such as Microsoft SharePoint. If someone needs to present, use screen sharing to guide the conversation, so attendees can literally “be on the same page.” But prioritise conversation to maximize the time people are looking at each other.

Read this article by Harvard Business Review: What it Takes to Run a Great Virtual Meeting?

5. Add a personal touch

In our weekly team meetings (Level 10 Meetings in EOS Traction world), we start with some good personal and business news to share with other team members. It may sound a little over the top, but it works well to strengthen relations and get an inside view of others’ lives. With our client meetings, we always begin with some good news about our company, such as a new client or new exciting technology to share. This always starts meetings on a positive note.

6. One person guides the session

It is vital to have a meeting facilitator that can guide and time the meeting. We commonly limit the core meeting length to 30 minutes with 10 minutes set aside to kick off and summarise the discussion and next actions. The facilitator should also be able to resolve basic questions on the technology being used.

7. Ask questions and engage all people

This is no different from in-person meetings. There are always loud and dominant people in the room: the high “D” in the DISC profile, or the Leading Lion types so well described by Dr Larry Little. Engage the quieter staff members through questions. You may be surprised at the insights they will bring to the meeting.

8. Take Notes and agree on Actions

Make sure to take notes on next actions with clear responsibilities and timelines. In Traction world, we call them To-Dos. To-dos are actions that will be performed within the next week or two weeks. Simple activities with binary outcomes such as done or not done are known to drive excellent accountability. In particular when you measure how many of these To-Dos actually get done!

9. Set the next meeting date before the current meeting ends

We all know that marrying calendars can be a nightmare. In the case of team meetings, set a regular meeting time that is fixed in stone. No other business gets in its way. With less frequent client meetings, we always seek to schedule our next appointment before the current one is over. This saves enormous time and hassle for both parties.

10. Score your meetings out of 10

Ask yourself whether the agenda was met, whether there was clarity around next actions and how engaged people were. We call these Level 10 meetings, as they are marked out of 10. If anyone scores the meeting less than an 8, there needs to be a clear explanation as to why. While simple, this is a remarkably effective way to get honesty on the table and determine how well the meeting was run.

We hope these practical steps are useful to you. Online meetings are here to stay, so we might as well put some effort into making them as productive and pleasant as possible.

Watch out for our handy guide to online meeting technology. If you’re looking for more useful information to better enable your business for Remote Working, make sure to check our article: The Best Tips and Guides for Remote Working. Alternatively, read Our Short Guide on how to safely Implement Remote Working.

Thank you for reading! Follow us on Social Media for more exclusive content.
 

Cyber Security – Do You Know Your Digital Risk?

Security - Are you Digital Safe
Photo by Content Pixie on Unsplash


Estimated Reading Time: 4 Minutes
Rapid technological advancement and rising global connectivity are reshaping the way the world functions. From higher productivity to improved customer satisfaction, technology has played a critical role in the growth of businesses worldwide. The consequential bad news is that technological advancements have also made organisations increasingly vulnerable to digital risks. However, this does not mean that businesses must compromise on growth and improvement for the sake of security.

The security challenges within these digital environments could be better addressed if organisations knew how to identify these risks and incorporate preventative security measures and controls, along with proactive solutions and detailed plans, to overcome their digital vulnerabilities. Let us discuss the different types of digital risks you should be looking out for and how you can use this information to get a positive ROI.

Types of Digital Risks

Digital risks are increasing in the business world due to the rapid adoption of new disruptive technologies. These risks are seen in various industries and are more pervasive than cybersecurity risks. On a broader scale, digital risks can be classified into physical, technical and administrative risks.

The following risks are the most prevalent in today’s digital world and should be treated as top priorities for your business:

  • Cybersecurity risk: Cyberattacks continue to evolve as companies become more technology-driven. Attacks like ransomware, DDoS, etc., can bring a halt to the normalcy of any business.
  • Data privacy risk: As we move forward to a knowledge-based economy, data has become the most valuable commodity in the world. This has resulted in hackers targeting critical business data and misusing it for personal gain.
  • Compliance risk: Businesses need to adhere to various regulations regarding data privacy, cybersecurity, organisational standards of practice, etc. Any violation can attract heavy fines and penalties for a business.
  • Third-party risk: When you outsource certain services to third parties, it might compromise the security of your IT infrastructure. For instance, a software tool you develop with an external vendor may introduce some vulnerabilities to your otherwise intact digital environment.
  • Resiliency risk: This concerns the ability of a business to bounce back and continue operations after an unexpected disaster.
  • Risks due to human errors: In the UK, 90 per cent of cyber data breaches were caused by human errors in 2019. Whether it’s falling for phishing scams or misusing work devices, human errors can be quite costly for organisations if they go unchecked.
  • Automation risks: While automation is reshaping the tech industry for the better, it could also give rise to a range of risks such as compatibility risks, governance risks, etc.
  • Cloud storage risks: The flexibility, ease-of-use and affordability offered by the cloud makes it one of the most popular options for backup and storage. However, the cloud is also prone to various risks such as lack of control over data, data leakage, data privacy, shared servers, etc.

Importance of a Risk Assessment in Managing Digital Risks

Secure Remote Working

The best way to start managing your digital risks is by performing comprehensive security risk assessments regularly. After all, how would you know what your current vulnerabilities or gaps are and where your biggest security challenges lie without an ‘under the skin’ examination? With a risk assessment, you can measure your security posture against various internal and digital threats and determine how equipped you are to deal with these risks. When you perform a security risk assessment you can proactively:

  • Identify vulnerabilities: A risk assessment helps you identify which part of your digital environment is relatively weak against various security threats. You can identify which systems are likely to be targeted by attackers and incorporate measures to strengthen these systems. Without the information presented by your risk assessment report, you don’t stand much chance of improving your digital security posture against various vulnerabilities.
  • Review and bolster security controls: In most cases, security incidents occur due to a lack of controls in the process. For instance, without proper cybersecurity awareness training and best practices training, employees are unlikely to follow security protocols on their own, which could result in losses due to human errors. Based on the risk assessment, you can upgrade your security controls and incorporate preventive measures against various risks.
  • Track and quantify risks: To effectively manage various risks, you need to know the effect of these risks on your business. With a risk assessment, you can quantify these risks by identifying the potential losses posed by various threats. This helps you incorporate necessary risk mitigation strategies to prevent your exposure to various risks.

To begin understanding these risks, there are several steps a business owner or risk manager can take. We have more detail on this topic in the following article: Building your Asset and Risk Register.

The Value of Risk Assessment

IT and security budgets are often difficult to explain to management. Everyone understands the consequences of not investing in correct security measures. However, it isn’t that easy or simple to put an exact ROI figure on security investments. The value of risk assessment is based on how you choose to act with the information you get from these reports.

After understanding these risks, you should have enough knowledge to begin prioritising and addressing them based on the impact and urgency of each risk. This process will result in the creation of an Action Plan, which if properly executed will minimise most organisational risks. Some organisations are able to conduct this process effectively by themselves, while others fail to do so.

In this scenario, the real question is – what is the cost of not making this investment?

Security devices and tools
Photo by Pop & Zebra on Unsplash

Let us consider a major data breach for example. It is always about what you stand to lose in the aftermath of a breach. If your business is dealing with valuable customer data, a data breach can result in unrecoverable financial losses as well as reputational damage. Moreover, this might also result in regulatory non-compliance and attract heavy penalties from various regulators. In such cases, reviving a business after a major disaster can be almost impossible.

Here, the cost of investment in security solutions and cyber insurance is negligible since it concerns the survival of the business. You may not be able to measure the exact ROI of the airbags in your car but that does not mean that your survival is not dependent on them. Similarly, the information and insights gained from routine risk analysis are critical to the operation, resilience posture and long-term success of your business.

A thorough analysis can bring you essential insight and indicate the next steps for your organisation. Should you be looking for professional help to identify and address your digital risks, we recommend starting with the Gap Analysis. This process goes beyond a conventional IT Audit, where your company’s cyber security structure is scanned to identify any potential breaches. The main difference here is that we’ll also look into your policies, processes and people to understand where your business is and where you want it to be.

After identifying the Gap, we’ll begin to close it and improve your business’ cyber security structure. To learn more about this process, download our brochure and feel free to get in touch.


What is Ransomware and How to Avoid it – The Complete Guide

Ransomware How Does it work and how to avoid it - The complete guide

Introduction to this Guide

With this guide we hope to provide you with useful information to protect your business against Ransomware. It is today one of the most dangerous methods of cybercrime for businesses that rely on technology. Luckily, with a robust cyber security strategy it can be avoided and its damage reduced to a minimum.

Our Guide covers all that a business owner or director must know about Ransomware. Click on the links below to skip straight to where you want to go. We hope you enjoy your reading.

Should you also prefer to download the entire guide as a PDF, simply click the button below.


Attitudes to Ransomware

A successful ransomware attack can be devastating to a business. Organisations caught unprepared could be left with the choice between paying a ransom demand and writing off the stolen data entirely.

In our day-to-day cyber security practice, we perform a lot of assessments with new and potential clients. Among this wide variety of professional companies, we find very different levels of understanding of the threat Ransomware poses to their businesses.

There are the unknowledgeable optimists, who believe it will never happen to them. Clearly this is not a recommended stance.

There are also the informed optimists, who believe they have all angles of protection covered. That may or may not be the case. Assumptions can be dangerous.

Finally, there are the affected pessimists, who have suffered a Ransomware attack and for whom it may be too late. We receive calls from complete strangers asking how to deal with a Ransomware hit. We always ask the same two questions: do you have a backup, and do you carry Cyber Liability Insurance? The silence at the end of the phone can be deafening.

Whichever camp you belong to, it is important to become informed, engage with preventative measures and plan for the worst outcomes so your business can continue to thrive after such an attack.

The purpose of this guide is to provide that information and to provide some of the measures required to both prepare and recover if your business is impacted by a ransomware attack.

What is Ransomware and How does it work?  

Ransomware is a multibillion-euro criminal enterprise executed by Cyber Criminals to disrupt access to your systems, business, and personal information. It is a form of malware that encrypts a victim’s files. The attacker then demands a ransom from the victim, promising to restore access to the data upon payment.

Once a system is infected, the attacker demands a ransom (normally in Bitcoin) to liberate access to your data and critical business systems. Worryingly, this activity is on the rise at an exponential rate. Research suggests that in 2020 a new organisation will be hit by a ransomware attack every 14 seconds, and that Ransomware incidence increased 50% in Q3 of 2020 alone. Adding insult to injury, the Cyber Criminals are leveraging the current Covid crisis to target vulnerable remote workers and infect vulnerable organisations.

Once systems are compromised, cryptocurrency, credit card, or untraceable gift cards will be required as a ransom. However, payment doesn’t ensure that you regain access. Even worse, victims who do pay are frequently targeted again. Just one infection can spread ransomware throughout an entire organisation, crippling operations. As a result, the solution is often costly, as you require a complete rebuild of your core infected systems.

Ransoms range from hundreds of euro to the millions Garmin had to pay after their systems were compromised in 2019. Consequently, billions have been extracted by cyber-criminals in recent years. Cybersecurity Ventures predicts that ransomware damage will exceed €20 billion by 2021. It is so effective because it takes many guises. You must be aware of all of them to effectively protect your data and your entire network. 

How Bad Can it Get – The NHS Example

NHS - National Health System (UK) was targeted by WannaCry Ransomware
Photo by Hush Naidoo on Unsplash

A famous example of ransomware is the WannaCry attack of May 2017. This was a piece of malware that infected over 230,000 computers across 150 companies within a single day. It encrypted all files it found on a device, and users then had to pay €300 worth of bitcoin to restore them.

WannaCry mainly affected large organisations, the National Health Service in the UK being one of the highest-profile targets affected. Surprisingly, the attack’s impact was lower than it could have been, because it was stopped quickly and it did not target extremely critical infrastructure, like railways or nuclear power plants. However, economic losses from the attack were still in the millions of pounds.

More recently, 22 cities in Texas were hit with ransomware in September 2019. The attackers demanded €2.5 million to restore encrypted files, leading to a federal investigation. Moreover, ransomware is especially prevalent in financial and healthcare organisations, with cyber-criminals targeting 90% of these businesses last year.

The threat posed by Ransomware has never been greater. Microsoft also revealed in their 2020 Digital Defence Report that the time in which it takes to gain command and control of an organisation’s network has dropped significantly. As a result, now cyber criminals can go from initial entry to ransoming the entire network, in just 45 minutes.   

How Does Ransomware Work? 

Ransomware begins with malicious software being downloaded by an unwary person through an infected email or link onto their computer or smart device. 

One common method of distributing malware is through phishing attacks, where an attacker attaches an infected document or URL to an email, disguising it as legitimate (e.g., a well-crafted but fake Amazon delivery or banking notification). By opening the infected link or attachment, the first phase of the attack is complete: malware is now installed on the device.

How to identify a Phishing email? Find out in this article.

Another popular method of spreading ransomware is using a ‘trojan horse’ virus. This involves posing ransomware as legitimate software online, which then infects the device once installed.

Encrypting Files at Light Speed

Once Ransomware infects an endpoint it will run freely wherever it has access. In seconds, the malicious software will take over critical processes on the device, then search for files to encrypt, making all the data within them inaccessible.

The ransomware will then infect any other hard drives, network-attached devices, etc., taking out everything in its path, including backups.

This entire process happens extremely quickly. In just a few minutes the device will display a message that looks like this: 

Wannacry Ransomware Attack instructions screen
Figure 1: WannaCry Ransomware Attack

This is the message that displayed to users who were infected with the WannaCry ransomware attack. As you can see, it’s a ‘cyber blackmail’ note. Users are informed that they have been locked out of their files, and they must pay to regain access.
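What makes the encryption phase detectable is the behaviour the guide describes: one session rewriting many files very quickly, with the new content looking like random bytes and often a new extension appended. The following is an added, defender-side example that is not part of the original guide and not a product feature: it runs a sliding-window count of such writes per user and host over a small set of constructed file-activity events (the event format, the entropy and burst thresholds and the sample events are all assumptions; in practice the events would come from an EDR agent or file-audit log).

```python
"""Detect ransomware-style bulk encryption from file-activity events.

Added example (not from the original guide). The event format, the
entropy and burst thresholds and all sample events are constructed
assumptions; real telemetry would come from an EDR agent or file-audit
logs. Defender-side logic only: it flags a pattern, it does not block.
"""
import math
from collections import defaultdict, deque
from datetime import datetime, timedelta

HIGH_ENTROPY = 7.0          # bits per byte; plain text sits well below this
BURST_WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 20        # suspicious writes per user/host inside the window


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 for uniformly random or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_suspicious(event) -> bool:
    """A write is suspicious when the file gains a new extension
    (report.docx -> report.docx.locked) or the new content looks encrypted."""
    renamed = (event["new_path"] != event["path"]
               and event["new_path"].startswith(event["path"] + "."))
    return renamed or shannon_entropy(event["sample"]) >= HIGH_ENTROPY


def detect_bursts(events):
    """Sliding-window count of suspicious writes per (host, user).

    Emits one alert the first time BURST_THRESHOLD suspicious writes land
    inside BURST_WINDOW, then resets that window, so a 10,000-file
    encryption run yields a handful of alerts rather than 10,000.
    """
    windows = defaultdict(deque)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not is_suspicious(ev):
            continue
        key = (ev["host"], ev["user"])
        w = windows[key]
        w.append(ev["ts"])
        while w and ev["ts"] - w[0] > BURST_WINDOW:
            w.popleft()
        if len(w) >= BURST_THRESHOLD:
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "start": w[0], "end": ev["ts"], "count": len(w)})
            w.clear()
    return alerts


def _event(ts, host, user, path, new_path, sample):
    return {"ts": ts, "host": host, "user": user, "path": path,
            "new_path": new_path, "sample": sample}


# Constructed sample telemetry: alice edits a few documents over half an
# hour; bob's session rewrites 25 files with random-looking content and
# appends ".locked" within ten seconds.
T0 = datetime(2021, 3, 1, 9, 0, 0)
PLAIN = b"Quarterly report draft. Revenue up 4% on last quarter. " * 4
ENCRYPTED = bytes(range(256))  # stand-in for ciphertext: entropy exactly 8.0

SAMPLE_EVENTS = [
    _event(T0 + timedelta(minutes=6 * i), "ws-01", "alice",
           f"/shares/finance/doc{i}.docx", f"/shares/finance/doc{i}.docx", PLAIN)
    for i in range(5)
] + [
    _event(T0 + timedelta(minutes=40, milliseconds=400 * i), "ws-07", "bob",
           f"/shares/finance/file{i}.xlsx", f"/shares/finance/file{i}.xlsx.locked", ENCRYPTED)
    for i in range(25)
]


if __name__ == "__main__":
    for a in detect_bursts(SAMPLE_EVENTS):
        print(f"ALERT {a['host']} {a['user']}: {a['count']} suspicious writes "
              f"between {a['start'].time()} and {a['end'].time()}")
```

Keying the window on host and user matters: the guide's point that one infected endpoint reaches every share it can write to means the same session shows up on many paths, and that is the signal a per-path rule would miss. Thresholds should be set from a baseline of normal activity, since a legitimate bulk archive or compression job can also produce high-entropy writes.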

Should you pay the Ransom?

Backups are the last port of call during a ransomware attack. Backups are also targeted by the attacker. If your backups are infected, you may have no other choice but to pay the ransom. It is estimated that the Sportswear manufacturer Garmin paid out a multimillion-euro ransom to get their system back online in 2019.

Payments are requested through bitcoin, a cryptocurrency that cannot be traced, followed by a countdown threatening to permanently delete the encrypted files should time run out. For smaller businesses, performing a Disaster Recovery may be viable; however, for larger companies with thousands of core systems, the cost of recovery may simply exceed the ransom.

The Origins of Ransomware

As mentioned, Ransomware is the most prevalent form of cyber-crime as of 2020. However, it has been with us for over a decade. First sightings of this attack date back to around 2005, although the conditions for it to be devastatingly effective were only met with the rise of Bitcoin.

In the 2000s, ransomware was not very sophisticated. The early methods used by attackers to encrypt or block data were easy to remediate. Services that allowed untraceable payments were lacking also. As a result, few victims ended up willing to pay the ransom due to these blockers.


The more successful enterprise for cyber-criminals was in supplying phony anti-virus and computer cleaning software (scareware). By operating under a thin veil of legitimacy, cyber criminals were able to avoid detection. As the internet became a larger part of society around 2008, legislation caught up to this method of attack, which significantly increased the risk and cost of operation.

The risk gap between scareware and ransomware was closing, while ransomware remained a less costly venture. In the early 2010s, ransomware scams became more prevalent, utilising different avenues of payment such as prepaid cash cards or gift vouchers. Then something happened that would significantly change the trajectory of ransomware as a cyber-crime: the rise of cryptocurrency.

Cryptocurrency – The Enabler of Ransomware

Bitcoin, the most known Cryptocurrency, acts as an enabler to cyber crime
Photo by André François McKenzie on Unsplash

In 2012, the Bitcoin Foundation was formed and Bitcoin Central was recognised as a European Bank. Cyber-criminals were waiting for this exact form of currency since 2005; a simple, untraceable, method of extracting ransoms from their victims. The risk gap between scareware and ransomware began growing again, however this time, ransomware was the less risky, and less costly option for cyber-criminals.

Then came Crypto Locker in 2013, a revolutionary new form of ransomware combining Bitcoin integration with much more advanced methods of data encryption. Victims of this attack were unable to decrypt their files without a special decryption key unless they paid out roughly €300 worth of bitcoin. The Gameover Zeus banking trojan became a delivery method for Crypto Locker until it was shut down in an operation led by the FBI. Within months, researchers discovered numerous Crypto Locker clones across the globe from criminals looking to hitch a ride on the new wave of modern ransomware.

Eventually, cyber-criminals realised that, profits being what they were from attacking individuals, they could aim bigger: targeting businesses, which possess more sensitive and valuable data and would pay accordingly. This was the advent of ‘Big Game Hunting’, where cyber-criminals specifically target larger organisations through their users. This is the state of ransomware today: the biggest cyber-security risk, and one that is only growing.

Why is Ransomware so effective?

Ransomware causes massive damage to business, impacting companies financially and their productivity.

Most apparent is the loss of files and data, which represents years’ worth of work and intellectual property, or customer data that is critical to the smooth running of their organisation. Loss of productivity comes as machines will be unusable. According to Kaspersky it takes even smaller organisations a minimum of a week to recover their data in most cases.

Once a victim of a successful ransomware attack, downtime is only the beginning of the problem. The loss of data and productivity can have tremendous impact on a business financially. After that, professionals need to be hired to remediate the damage caused and put protections in place to stop such an attack from happening again. Many businesses do not survive.

Ransomware Exploits your Greatest Weakness – People

People utilising computers are the weakest point in your organisation
Photo by Hannah Wei on Unsplash

Attackers’ most successful vector of attack is email phishing, which can bypass traditional security technologies. Email is a weak point in many businesses’ security infrastructure. Hackers exploit this by using phishing emails to trick users into opening malicious files and attachments.

Another approach is to use trojan horse viruses, where hackers also target human error by causing users to inadvertently download malicious files. These files can remain dormant in your systems for a long time before they become active. Once active, they install Command and Control tools, giving the hacker free rein to run ransomware throughout your organisation.

The major issue here is a lack of awareness and staff education about security threats. Many people are unaware of what threats look like and what they should avoid downloading, leaving you open to risk.

This lack of security awareness helps ransomware to spread with great efficiency.

Reasons Why Ransomware is so Successful

Ransomware attacks grew by as much as 715% in 2020, with attackers making off with increasingly high average payouts that have tripled from circa €80k to €239 (source: Sophos 2021 Threat Report). Many businesses do not have the strong defences needed to block and detect these attacks, because such defences can be expensive as well as complicated to deploy and use. It is often hard for IT teams to convince company executives that they need strong security defences until it is too late and systems have already been compromised.

Out of Date Hardware and Software

Organisational security policies often overlook hardware and software that is out of date. This can be down to the legacy systems that the business still depends on.

Over time, attackers discover the security vulnerabilities that larger vendors publicly disclose. Technology companies regularly push out security updates, but many organisations have no way to verify that users are installing them. Many organisations also rely heavily on older computers that are no longer supported, meaning they remain open to known vulnerabilities.

This is one of the main reasons the WannaCry virus was so successful. It targeted many large organisations such as the NHS, which used decades-old machines on operating systems that no longer received regular updates.

The exploit WannaCry used to infect systems was discovered two months before the attack took place and was patched by Microsoft. However, the attack spread rapidly because so many devices were still running old, unpatched software.

As discussed, the rate of growth in ransomware attacks on businesses large and small is out of control. The risk is high, which is why you must be proactive. Ransomware thrives in a climate where businesses are unaware of where their risks lie. In the next section we cover ransomware avoidance and the need for a layered approach to cyber security, so that your business can protect against, detect, and recover from a ransomware attack.

Addressing the Ransomware Risk

Life Buoy - illustrative metaphor for how to save a company from ransomware
Photo by Matthew Waring on Unsplash

Reducing the risk and damage of a ransomware attack requires a mix of frameworks, policies, training, and technology. The best companies perform a detailed GAP analysis using a cyber security framework such as the NIST CSF in conjunction with security controls such as the CIS 20 controls. This approach leads to better outcomes, period. Below we list some of the key components in your ransomware protection arsenal.

Learn more about the NIST CSF in this practical guide.

Here are some tips for the best protections to put in place to stop ransomware attacks: 

Strong, Reputable Malware and Ransomware Protection

One of the most important ways to stop ransomware is to have a strong endpoint security solution, one that blocks malware from infecting your systems when installed on your endpoint devices (phones, computers, etc.). Industry leaders include Sophos, Trend Micro and Bitdefender. Just be sure that ransomware protection is included, as many traditional anti-virus products are not equipped to defend against modern ransomware attacks.

The best solutions will also provide real-time alerting if unusual behaviour is noted on your networks and help lock down that behaviour if it looks suspicious. Better still, many modern providers can also supply real-time alerting and remediation services.

These solutions help protect against malicious downloads, and alert users when they are visiting risky websites. However, they are not guaranteed to be 100% effective as cybercriminals are always trying to create new pieces of malware that can get around the security tools. Still, endpoint security is a crucial step in strong protection against malware. 

Email Security, Inside and Outside the Gateway

As ransomware is commonly delivered through email, email security is key in preventing it. Secure Email Gateway technologies, such as Mimecast and Barracuda, filter email communications with URL defences and attachment sandboxing to identify threats and block them from being delivered to users. This stops ransomware from arriving on endpoint devices and prevents users from inadvertently installing malicious programs onto their machines.

Ransomware is also commonly delivered through phishing. Secure email gateways can block phishing attacks using Advanced Threat Protection (ATP) capabilities. There are also Post-Delivery Protection technologies, which use machine learning and AI algorithms to detect phishing attacks and then display warning banners within emails to alert users that the content may be suspicious. This helps users avoid phishing emails that carry a ransomware attack.

Web Filtering & Isolation Technologies 

DNS web filtering solutions stop users from visiting dangerous websites and downloading malicious files, blocking ransomware that is spread through malware downloaded from the internet, including trojan horse software. DNS filters also block malicious third-party adverts. Additionally, web filters should be configured to aggressively block threats, stopping users from visiting dangerous or unknown domains.

Isolation technologies are a valuable tool to stop ransomware downloads. They keep threats away from users entirely by isolating browsing activity on secure servers and displaying a safe rendering to the user, so any malicious software executes in the secure container rather than on the endpoint. Moreover, isolation does not affect the user experience, delivering high security efficacy and seamless browsing.

Security Awareness Training 

The people within your organisation are often your biggest security risk. There has been huge growth in Security Awareness Training platforms such as KnowBe4, which train users about the risks they face online, at work, and at home. Awareness training teaches users what a suspicious email looks like and the best security practices to follow to stop ransomware, such as ensuring their endpoints are updated with the latest security software.

Security Awareness Training solutions typically also provide phishing simulation technology, meaning admins can create customised simulated phishing emails and send them to employees to test how effectively they detect attacks. Phishing simulation is an ideal way to measure your security efficacy across the organisation. It is also a useful tool to identify users who need more security training to stop the spread of ransomware.

Multifactor Authentication

It may not seem obvious, but identity theft lies at the core of many backdoor ransomware attacks. Hackers use administrative and other accounts to gain a foothold in your core systems. Adding MFA closes off the easy path to elevating privileges and handing the attacker the keys to run ransomware without barriers. MFA comes free with most Microsoft 365 packages, and more in-depth solutions also exist from companies like DUO that extend more granular protection to all devices in the organisation.

Software Patching

Keep your operating system and third-party applications patched and up to date so that attackers have fewer vulnerabilities to exploit.
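The earlier section noted that many organisations have no way to verify that updates are actually being installed. The following PowerShell script is an added example (not code from the Spector post) that reports the most recent Windows update installed on a machine and flags it as stale when the last patch is older than a chosen threshold. The 30-day threshold is an assumption to be aligned with your own patch policy; run it per host or through your RMM tooling.

```powershell
# Added example, not from the original post: verify patch freshness on a Windows host.
# Reports the newest installed Windows update and flags the host when it is older
# than $MaxDaysSincePatch days. The threshold is an assumed value; set it to match
# your patch policy.
param([int]$MaxDaysSincePatch = 30)

function Get-PatchStatus {
    param([int]$MaxDays)

    # Get-HotFix lists installed Windows updates; some entries have no InstalledOn
    # date, so those are skipped before picking the newest one.
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    if (-not $latest) {
        # No dated update record at all: treat as a finding to investigate.
        return [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            LastPatch = $null
            Installed = $null
            DaysSince = $null
            Status    = 'NO-PATCH-RECORD'
        }
    }

    $days = (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        LastPatch = $latest.HotFixID
        Installed = $latest.InstalledOn
        DaysSince = $days
        Status    = if ($days -gt $MaxDays) { 'STALE' } else { 'OK' }
    }
}

# Usage: .\Get-PatchStatus.ps1 -MaxDaysSincePatch 30
Get-PatchStatus -MaxDays $MaxDaysSincePatch | Format-Table -AutoSize
```

Note that Get-HotFix only covers Windows updates, not third-party applications or an operating system that has left support altogether, so treat a STALE or NO-PATCH-RECORD result as a prompt to investigate the host, and pair this check with your application patching and end-of-support inventory.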

Data Backup and Recovery

Addressing Ransomware by having backups of your hard drive
Photo by benjamin lehman on Unsplash

Once a ransomware attack succeeds and your data is compromised, the best protection for your organisation is to restore your data quickly and minimise the downtime. The most effective way to protect data is to ensure that it is backed up in multiple places, including your main storage area, local disks, and a cloud continuity service. In the event of a ransomware attack, having backups means you will be able to mitigate the loss of any encrypted files and regain functionality of systems.

The best cloud data backup and recovery platforms:

  • Allow businesses to recover data in the case of a disaster.
  • Are available anytime.
  • Are easily integrated with existing cloud applications and endpoint devices.
  • Have a secure and stable global cloud infrastructure.

Cloud data backup and recovery is a crucial tool in remediating a ransomware attack.

Learn more about Business Continuity and Disaster Recovery.

Cyber Liability Insurance and Extortion Coverage

If the worst comes to pass, it can be very costly to rebuild your business or to pay off the cyber criminals. If it comes to this, cyber liability insurance can assist.

Cyber extortion is a coverage option under many cyber liability policies. It protects your business against losses caused by ransomware and other types of cyber extortion.

What’s Covered

Many cyber liability policies cover three types of costs:

  1. Ransom Money. This is money you pay to a cybercriminal in response to a threat. Some policies also cover property (other than money) you relinquish to an extortionist.
  2. Extortion-Related Expenses. These are expenses you incur because of the extortion threat. Examples are travel expenses you incur to make a ransom payment and the cost of hiring a security expert to advise you on how to respond to a threat.
  3. Repair Costs. Payment of a ransom does not guarantee your computers and data will be undamaged after their release, or that they will be released at all. Most cyber liability forms cover losses you sustain as a result of damage, disruption, theft, or misuse of your data. Policies cover the cost to restore, replace or reconstruct programs, software, or data.

Most cyber policies require you to secure permission from your insurer before you pay a ransom. If you make a ransom payment and then tell your insurer about it later, the payment may not be covered. The same rule applies to extortion-related expenses. If you want to hire a consultant to help you negotiate with the extortionist, you’ll need to notify your insurer in advance. Otherwise, the consultant’s fee may not be covered.

Most cyber liability policies provide reimbursement for a ransom payment and related expenses. They do not pay these costs upfront.


Cyber Risk Management

Some cyber liability insurers provide risk management services through a web portal such as eRiskHub. Policyholders can use these websites to learn about cyber exposures and how they can protect themselves from losses.

Covered Threats

Cyber extortion insurance covers ransom payments you make and extortion-related expenses you incur in response to a threat. The meaning of the term ‘threat’ is important because it determines what types of acts are covered. The definition varies, but often includes threats to do some or all of the following:

  • Alter, damage or destroy your software, programs, or data
  • Infect your computer system with a virus or other malicious code
  • Release your data or sell it to someone else
  • Make your website or computer system inaccessible by initiating a cyber-attack, such as a denial-of-service attack
  • Transfer funds using your computer system

Ransomware is experiencing a boom as the perfect conditions for its rise to prominence have been met in recent years, and dedicated cyber-criminals are actively working on methods to ensure it is more effective. This game of cat-and-mouse will continue to evolve as the gains are large and the payouts continue.

Preventing Ransomware – Get in Touch

IT Support Dublin

If you feel uncertain or do not have the skills to determine your current cyber security risk, contact us to discuss our Cyber Security GAP analysis service. This will help expose any current issues and build a risk-based roadmap to address any gaps in your approach. We are always here and happy to help any company looking to improve their cyber security maturity profile.

If you are looking for a new IT partner to provide faster response times, enhanced security and better business outcomes – get in touch today.

New Year, New Risks for IT & Data Security

New Year, New Risks for IT and Security

Reading Time: 3 Minutes
The COVID-19 pandemic has changed everything about the world as we know it. Just as we started embracing new practices like sanitizing, social distancing and remote working, the pandemic has also forced us to embrace systemic changes in the ways we deal with cyberthreats.

The FBI has reported an increase in cyberattacks to 4,000 per day in 2020, which is 400 per cent higher than the attacks reported before the onset of the coronavirus.

Since remote working is here to stay, the trend in increasing cyberattacks is expected to continue well into the future. Moreover, business technologies are also transforming, attracting more cybercriminals to target business data. In these circumstances, the best solution is to build your cyber resiliency and protect yourself from unforeseen attacks.

Remote Working and Cybersecurity

Cybersecurity has always been a challenge for businesses with sensitive data. A single unexpected breach could wipe out everything and put your existence in question. With the sudden transition to remote working, this challenge has increased manifold for security teams. From the potential safety of the remote working networks to trivial human errors, there are endless ways in which your IT network could be affected when employees are working remotely.

A study by IBM Security has estimated that about 76 per cent of companies think responding to a potential data breach during remote working is a much more difficult ordeal. Detecting breaches early is another big issue for IT security teams. The same IBM study has estimated that it takes companies roughly 197 days to detect a breach and 69 days to contain it. Is your cybersecurity posture good enough to withstand a potential attack?

Threats You Need to Be Aware of

Cyberthreats come in different shapes and forms. From simple spyware monitoring your network transactions to a full-fledged ransomware attack that holds all your critical data for ransom, there are multiple ways in which your IT network could be affected. Only once you understand the potential risks surrounding your IT infrastructure can you build a resilient cybersecurity strategy that strengthens your IT environment and keeps vulnerabilities at bay.

Let’s look at some of the common cyberthreats that businesses faced in 2020:

Phishing scams: Phishing emails still pose a major threat to the digital landscape of many business organizations across the globe. COVID-19 communications have provided the perfect cover for these emails to lure unsuspecting users. By creating a sense of urgency, these emails might persuade your employees to click on malware links that could steal sensitive data or install malicious viruses inside a computer.

To learn how to avoid Phishing attacks and identify suspicious emails, click here.

Ransomware: Targeted ransomware attacks are increasing every day. It is estimated that a ransomware attack will happen every 11 seconds in 2021. Ransomware attacks hold an organization’s critical data for a ransom, and millions of dollars are paid to hackers every year as corporates do not want to risk losing their sensitive data. However, there is no guarantee that your files will be secure even after you pay the ransom.

Learn More in our Complete Guide on Ransomware.

Cloud Jacking: With the cloud becoming a more sophisticated way of storing data, cloud jacking incidents have become a severe threat. These attacks are mainly executed in two forms – injecting malicious code into third-party cloud libraries or injecting code directly into the cloud platforms. As the 2020 Forcepoint Cybersecurity Predictions point out, a public cloud vendor is responsible for providing the infrastructure, while most of the responsibility for data security rests with the users. So bear in mind that you are mostly responsible for your data security even when it is in the cloud.

Man-in-the-middle attack: Hackers can insert themselves into a two-party transaction when it happens on a public network. Once they get access, they can filter and steal your data. If your remote working employees use public networks to carry out their official tasks, they are vulnerable to these attacks.

Distributed Denial-of-Service attack: This attack happens when attackers flood your systems with traffic that exhausts your bandwidth and resources. As a result, users will not be able to perform their legitimate tasks. The flood is typically generated by a botnet of compromised machines under the attacker’s control.

Protecting Your Business from Cyberthreats

Security readiness is something all organizations must focus on irrespective of their size. It is mandatory to have an action plan that outlines what needs to be done when something goes wrong. Most importantly, it is critical to have a trusted MSP partner who can continuously monitor your IT infrastructure and give you a heads-up on unusual activities.

Investing in cybersecurity solutions is way cheaper than losing your critical data or paying a large ransom. You need to deploy advanced solutions that can keep up with the sophisticated threats of this modern age. Then, there is a list of best practices such as multi-factor authentication, DNS filtering, disk encryption, firewall protection and more.

If all these aspects of cybersecurity sound daunting to you, fret not. Reach out to us today to fully understand the vulnerabilities in your network and how you can safeguard your data with the right tools and techniques.

The Dangers of Rapid Digital Transformation during Covid-19

The Perils of Rapid Digital Transformation

Digital transformation is the process of using digital technologies to create new business processes to meet changing business and market requirements. It is by its nature planned and intentional change. The Covid 19 lockdown has accelerated digital transformation and flipped it on its head. It has been forced upon many companies who have scrambled to get their workforce up and running from home and other remote locations.

Since lockdown our ISO Lead Auditor, Aaron Nolan, has evaluated the security impact of remote working on over 40 companies. He prepared over 120 best practice questions and examined the results under four main headings. What he discovered can be broadly summarised as follows:

Remote working – perhaps not as secure as you thought!

We found that the correct mechanisms are in place for secure remote working. However, we found several security gaps and data leakage concerns in over 50% of companies reviewed. These came about due to the pace of change and a need to get working as quickly as possible. In particular, we noted the use of Shadow IT and unauthorised remote access solutions in several companies. In the majority of cases this requires only small changes to both technology and security policies to close off these security gaps.

Microsoft 365 Security

Let’s be clear here. The Microsoft 365 platform is secure, but it requires work to make it so. Microsoft provides a wealth of tools through its Security and Compliance centre that can assist in tightening security. You just need to understand what options are available to you, define your policies and then deploy them. Our main findings were that there was:

  • A lack of Multifactor Authentication.
  • No use of auditing and security policy management capabilities in Microsoft 365.
  • Rapid adoption of Microsoft Teams with little or no attention to security and retention policies, and potential issues with data leakage of PII or confidential data.
  • A general lack of a plan with defined goals and edges, i.e. a reactionary rather than planned approach to cloud migration.

The mechanisms to secure Microsoft 365 exist within the platform itself, but they need to be turned on and managed properly by professionals.

Business Continuity Planning

We found very good procedures in place for backup, along with well-tested disaster recovery procedures. The missing component, though, was a written Business Continuity Plan (BCP). For the sake of clarity, a BCP is an organisation-wide document outlining an action plan and response to a serious business shock such as Covid 19. We found several companies with either no BCP or one that was years out of date. We even found some alluding to staff who no longer worked in the company. Thankfully the Covid 19 lockdown has sparked interest in addressing this. VCIO magazine has a helpful article on how to establish and build a BCP.

Efficiency

For the majority of businesses that continued to operate through the Covid 19 lockdown, there has been a realisation that remote working actually works. Many staff have traded the daily commute for a better work/life balance. The result has been a noted increase in employee well-being and productivity. This has come as a welcome surprise to many who now view remote working as part of the future of their digital transformation strategies.

There is also a massive shift towards cloud-based platforms such as Microsoft 365, largely driven by an effort to consolidate multiple IT functions under one hood. It is no longer just a case of having email in the cloud. It is about the efficiency of having all of your business data, communications and collaboration tools in one place. The light has been shone on the possibilities of remote working, and it appears that companies are really seeing the benefits of how technology can transform the working lives of their staff.

If you are interested in seeing how technology can help transform the lives of your staff and make your organisation more agile we would love to hear from you.

Feel free to reach out to us either by phone on 353 16644190 or get in touch here. We can arrange a discovery call and perhaps even a short demonstration.

Thinking of a New IT Support Provider

  1. If you’re looking for an IT support provider, get in touch here, or give us a call on 01 6644190 to talk with one of our experts.
  2. Looking to plan your Microsoft Teams deployment? Feel free to read our post here on the subject.
  3. Review our Remote Working solutions to ensure optimal protection for your business during the Covid-19 lockdown.

A guide to the perfect Microsoft Teams deployment

How to Deploy Microsoft Teams Properly

Reading time: 5 Minutes
Written by Mark Hurley

Steps for Preparing Your Organization for A Successful Microsoft Teams Deployment

In our day-to-day practice we serve a customer base with user numbers ranging from 15 to 150 users, across industry types, some with a single office location, others with multiple locations. With the surge in remote working due to the Covid-19 lockdown we have seen a huge increase in demand from clients seeking a better way to communicate and collaborate. Microsoft Teams – Microsoft’s app combining a suite of collaboration and communication tools – satisfies that requirement for a large percentage of our clients.

Since its launch on May 3rd 2017, Microsoft Teams has exploded onto the scene with a current user base of over 44M users worldwide at the time of writing, making it Microsoft’s fastest growing app ever.

Better still, Microsoft Teams provides a single, simple-to-use app that works on almost any device from any location. So what’s not to love?

Despite its simplicity, Microsoft Teams is a complex solution under the hood and as such requires a proper plan to deploy and manage on an ongoing basis. Let’s take a look at Microsoft Teams from a deployment perspective – preparing your organization for the rollout, and some pitfalls to avoid, to ensure it goes as smoothly as possible.

Deploying Microsoft Teams – The Process


The stages outlined above follow a pretty standard approach to a new software or application deployment. There are typically three challenges to a successful Microsoft Teams deployment that need to be addressed through the rollout life cycle. These can be summarised under three main headings:

  • Technical issues – is your technical environment fit for purpose? Does your organisation have the correct licencing, bandwidth capabilities, etc.?
  • User adoption resistance – establishing early communication, training and pilot programmes will assist with adoption.
  • Governance and security considerations – establish policies and make sure your data is secure. Who is keeping an eye on wider governance, and what policies and procedures need to be in place to keep Microsoft Teams secure?

Address Technical Issues

The last thing that you need once you have committed to a new technology such as Microsoft Teams is to have that effort torpedoed by a lack of technical preparation. Users will turn their back on a technology if it is glitchy. Any excuse! You need to consider the technical environment and prepare accordingly. Listed below are some of the key technical considerations for deploying Teams.

1. Check your Bandwidth and technical capacity

The traffic generated by Microsoft Teams will impact the network. Conduct an assessment to ensure that your infrastructure can support Teams and provide a high-quality user experience. Microsoft offers a number of tools to help admins prepare for Teams. Consider also that remote workers may not have the best internet connections and secure home technology setups. These will all need due consideration and planning.

2. Check your licencing

Before deploying Microsoft Teams, you will need to make sure that it’s included in your Microsoft license. It’s also important to evaluate the requirements of dependent services such as Exchange and SharePoint.


Overcoming User Adoption Resistance

Change can be difficult for an organization; when people become used to working with a particular app or tool, they may resist adopting new products. Ultimately, this boils down to their unfamiliarity with the tool, along with a worry that they will lose efficiency. That’s why a change management strategy is essential: you can explain the benefits, offer pre-deployment training, and let users prepare for the eventual switch over.

1. Create and Communicate Your Change Management Strategy

  • Create enthusiasm for Microsoft Teams in advance
  • Select and train a small user core who can act as influencers
  • Outline current business challenges and show how Microsoft Teams can help overcome them
  • Ensure new users have access to ample training and support
  • Allow users to leave feedback directly and act on it accordingly

2. Ask a lot of questions.

A recent Spiceworks survey found that organizations are using an average of 4.4 different collaboration solutions across three different providers in an attempt to meet the high demand for collaboration. In some cases, IT isn’t even aware of all the tools in use. Start by asking end-users what they use for collaboration, what works and what doesn’t, and where there are gaps.

3. Bring stakeholders together.

Assemble a team of individuals from various departments, including both end-users and managers. Be sure that groups who regularly use collaboration tools are represented. Define use cases for Microsoft Teams and determine the best way to facilitate adoption and migration from existing tools.

4. Train Staff on the Functionality

There is a wealth of detailed video and documentary training material available from Microsoft. Have your staff review it and round-table suggestions and ideas as they go through this training.

Determine the functionality you will use first and who will pilot and test that functionality. Teams provides functionality such as:

  • Chat and IM,
  • Calendar and Meetings,
  • Conferencing,
  • Integrated Telephony (requiring an additional licence),
  • Collaboration and
  • File management capabilities.

We found that adoption in Spector accelerated through the migration of our file server into SharePoint and the integration of our phone solution with our partner IPTelecom. This meant that we were able to consolidate all of our files/folders and communications in one simple-to-use app. We have not looked back since!

5. Logically Organize Your Microsoft Teams & Channels

Before implementation, your organization should give thought to how you will configure Teams for maximum effectiveness. Decide how you will set up your various teams and channels. In Microsoft Teams, teams are groups of people brought together for work, projects, or common interests. A channel is a subset of that.

For example you could have a Team called “Internal R&D Projects” and then have multiple channels such as CRM Changeover, Production Efficiency etc. as Channels.

Here are some best practices for organizing your teams:

  • Be clear about your goals in advance.
  • Determine which people or groups will be added to each team.
  • Determine roles and permissions in advance. For example, will you allow users to create their own Teams and Channels?
  • Start with a smaller number of team members and scale upwards.
  • Designate a small number of owners for each team.

Governance and Security

 1. Form a Governance Committee

OK, I can see eyes beginning to roll here. You are only a 20-person organisation and you do not have an in-house governance function. We mention it here for a reason. Teams is not an isolated product. It is part of the wider Microsoft 365 suite of applications, so what you do in Microsoft Teams may have an impact on what happens in email, file management and other apps. You need to make sure that the deployment decisions you are making in Microsoft Teams comply with your policies elsewhere. Our advice is always to lock down technology as much as possible.

2. Secure your Identity

As Teams is part of Microsoft 365, you will use the same authentication process to access Teams as you do for Microsoft 365. It is not only highly recommended but imperative that you employ at least Multifactor Authentication (MFA) and/or certificate-based authentication to verify your user identities. Simple email addresses and passwords do not cut it. Microsoft offers a native MFA solution, and another favourite in our practice is DUO.

3. Device Compliance

With more and more people working from home, you need to make sure that any devices connecting to your Teams comply with your company security policies and have, at a minimum, an up-to-date and centrally managed malware protection solution in place.

4. Setup Your Office 365 Security and Compliance Tools

Teams uses a variety of security and compliance tools and protocols, and offers a number of ways to configure them depending on your organizational needs. Before roll out, take the time to ensure you are familiar with the following tools:

  • Auditing and Reporting – interfaces with the Office 365 Security and Compliance Center to configure the level of audit reporting logs and security alerts
  • Data Retention Policies – Configure and set up data retention policies for channel messages and communication
  • Legal Hold – place a hold on team or group mailbox activity during eDiscovery
  • eDiscovery – a crucial tool to conduct forensic audits and legal reporting, with an option to choose from In-place eDiscovery and Advanced eDiscovery

Manage Permissions and Limit Microsoft Teams Sprawl

Teams and SharePoint site sprawl and redundant sites are among the biggest governance concerns for those in charge of managing IT and IT governance. A lot of IT departments still feel extremely uncomfortable with the thought of users creating Teams on a whim and ending up with hundreds or thousands of unused SharePoint Online sites, Planners and OneNote notebooks on their tenant. As a Managed IT Service provider, we share that concern.

To address site sprawl caused by outdated, inactive Teams, we strongly recommend the use of Microsoft 365 activity-based Groups expiration. This allows admins to set an amount of time (in days) after which every Microsoft 365 group comes up for renewal; active groups are renewed, inactive ones are flagged to their owners. This will certainly help alleviate IT concerns over site sprawl and will reduce outdated content cluttering search.

Our advice is to initially lock down Microsoft Teams like any other technology. Limit the ability of ordinary users to create new Teams, SharePoint sites and so on. Train a small set of administrative users who can assign and enable functionality for your team in line with your wider security policies.
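As an added example (not Spector's own script), the two controls described above applied with the Microsoft Graph PowerShell SDK: an activity-based expiration policy for all Microsoft 365 Groups, and restricting group (and therefore Team and SharePoint site) creation to members of one named security group. The group name “Teams-Creators”, the notification mailbox and the 180-day lifetime are placeholders you would replace with your own; the directory-settings cmdlets come from the Microsoft.Graph.Beta module.

```powershell
# Added example: apply the two sprawl controls from the text with the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph and Microsoft.Graph.Beta modules are installed and the caller holds
# a Groups or Global Administrator role. "Teams-Creators" and it-admin@example.com are placeholders.

Connect-MgGraph -Scopes "Directory.ReadWrite.All", "Group.ReadWrite.All"

# 1. Activity-based expiration: every Microsoft 365 Group comes up for renewal after 180 days.
#    Groups with recent activity renew automatically; owners of inactive groups are emailed, and
#    groups with no owner are reported to the alternate notification address instead.
$lifetimeDays = 180
$notifyMailbox = "it-admin@example.com"   # placeholder
$existing = Get-MgGroupLifecyclePolicy
if ($existing) {
    Update-MgGroupLifecyclePolicy -GroupLifecyclePolicyId $existing.Id `
        -GroupLifetimeInDays $lifetimeDays -ManagedGroupTypes "All" `
        -AlternateNotificationEmails $notifyMailbox
} else {
    New-MgGroupLifecyclePolicy -GroupLifetimeInDays $lifetimeDays -ManagedGroupTypes "All" `
        -AlternateNotificationEmails $notifyMailbox
}

# 2. Lock down creation: only members of the "Teams-Creators" security group may create
#    Microsoft 365 Groups, which is what backs every new Team and its SharePoint site.
$creators = Get-MgGroup -Filter "displayName eq 'Teams-Creators'"
if (-not $creators) { throw "Placeholder group 'Teams-Creators' not found; create it first." }

# Well-known template id of the tenant-wide "Group.Unified" directory setting.
$templateId = "62375ab9-6b52-47ed-826b-58e47e0e304b"
$values = @(
    @{ name = "EnableGroupCreation";         value = "false" }
    @{ name = "GroupCreationAllowedGroupId"; value = $creators.Id }
)
$setting = Get-MgBetaDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }
if ($setting) {
    Update-MgBetaDirectorySetting -DirectorySettingId $setting.Id `
        -BodyParameter @{ templateId = $templateId; values = $values }
} else {
    New-MgBetaDirectorySetting -BodyParameter @{ templateId = $templateId; values = $values }
}

# Verify: creation should now be disabled for everyone except the allowed group.
(Get-MgBetaDirectorySetting | Where-Object { $_.DisplayName -eq "Group.Unified" }).Values |
    Where-Object { $_.Name -in "EnableGroupCreation", "GroupCreationAllowedGroupId" }
```

Group expiration only governs Microsoft 365 Groups; existing Teams created before the policy are still covered, but SharePoint sites that are not group-connected must be reviewed separately.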

In Summary

Launching a new deployment of Microsoft Teams doesn’t have to be a daunting task. One of the key strengths (and also weaknesses) of the platform is its unprecedented amount of configurability and control. Starting with a clear functional plan and a strong focus on governance will give you a head start in enjoying the many benefits that Teams has to offer.

Thinking of a New IT Support Provider

1. If you’re looking for an IT support provider get in touch here, or give us a call on 01 6644190 to talk with one of our experts.

2. Not sure about Microsoft Teams? See our short presentation and blog piece on the subject.

3. Review our Remote Working solutions to ensure optimal protection for your businesses during the Covid-19 lockdown.

Thank you for Reading! Follow us on Social Media for more exclusive content.

8 Simple Steps to Secure Remote Working During Lockdown


We have reviewed this article one year after the first lockdown and created an updated version, available in this link.

The Covid-19 pandemic has created a massive rush to get staff operational from home or remote locations. In that rush, some security considerations may have fallen by the wayside. As we hunker down for the longer term, securing your remote workforce is a must, as working from home will become the new normal for many. We have outlined 8 key security steps for secure remote working that apply to all companies, regardless of size.

1. Establish what is covered with your IT Support Provider

Your IT provider may or may not cover the use of non-commercial home devices or PCs to access your company’s IT resources remotely. You need to know what is covered and whether home working is included. It is considerably better to let them manage your home workers with their centralised management tools than to go it alone. Ask the question. You may find that during Covid-19 they will extend that management for a limited period for a small fee.

2. Provide Malware Protection for Your Remote users

While you may have centralised malware protection and monitoring of all the workstations at your physical office, you likely do not have the same level of control over home computers. If possible, we recommend that you ask your IT provider to extend their malware protection and remote management solutions to your home office users. If that is not an option (and it should be), Webroot offers multi-device packages for a reasonable cost that cover both PC and Mac environments. Macs should not be exempt from endpoint protection software. One in ten Mac users have been attacked by the Shlayer Trojan.

Set a policy that all home employees must use an antivirus tool on the machines that access the firm’s resources. Moreover, have your IT support provider verify this before you install your secure remote access tools.

3. Make sure remote working does not introduce more risk

You may have had to suddenly set up remote access servers, Windows 10 virtual desktops or other remote access solutions. Whatever you choose, keep it consistent, as that makes it simpler to manage and to roll back at a later stage. In particular, do not blindly open remote access ports without thinking about the risks and consequences. Remember that ransomware attackers scan for open RDP servers, targeting anything responding on port 3389. For RDP servers you need a VPN solution, period.

4. Reinforce Cyber Security Education and Make Staff Aware of Covid-19 Scams

The Irish Times has reported a huge increase in circulating COVID-19 scams. Urge your users not to click on unsolicited emails and to use only official websites. Ensure that the firm has a way of communicating incidents centrally, so that all official communications and notifications can be traced.

5. Update security and Acceptable usage policies for staff

Make sure your acceptable computer use policies cover staff’s home computer assets. If this wording is not already there, you’ll need to quickly get up to speed on allowing employees’ personal assets to be used for remote access. Policies should also cover remote working protocols, and payment processes need to be reviewed to avoid becoming the victim of payment scams.

6. Review what software remote employees need

There are two considerations here. Your staff may need to access productivity applications that can only be run from inside your network. In this case a remote connection to a Remote Desktop server or their PC may be best.

For users who just use Office 365 and cloud-based apps, you may only need to provide the Office 365 applications. For this you will need to consider your licence requirements. An Office 365 licence allows you to install the Office suite on up to five PCs or Macs, five tablets and five smartphones. Those with Volume licences can allow Office for home use purchases for their employees. You may need to review your options and licensing alternatives based on which platform and version of Office you are currently licensed for.

If you are in doubt, reach out to your IT support provider; they may be able to provide temporary licenses with screen connection software that they already use to remotely manage your network.

7. Implement Multifactor Authentication (MFA)

When implementing secure remote working, consider adding MFA to your remote access solutions. Ask your IT support provider about adding an MFA solution such as DUO.com or Microsoft’s native Multifactor Authentication for access to your IT infrastructure, both in the office and in the cloud. While your company may need to move quickly to allow staff to work remotely, you can still ensure that only authorised admins and users are allowed in, mitigating the threat of identity theft.

8. Secure connectivity with a virtual private network (VPN)


Most Unified Threat Management firewalls (SonicWall, Fortinet, Sophos) come packaged with an inbuilt, free SSL VPN client that can be deployed to provide secure end-to-end connectivity for your end users. Ensure that your firewall and VPN solutions are up to date, as this reduces the possibility of security vulnerabilities.

Prepare for the future of secure remote working


While this is a stressful time with little certainty about what will happen next, it’s also a great time to prepare your company for the longer haul and for future emergencies. It is important to define how you work remotely, review improvements and then secure your remote workforce properly. As always, the CIS provide great guidance with their CIS Telework and Small Office Network Security Guide. Review it to see if there are any other security issues you should be monitoring.

Thinking of a New IT Support Provider

1. If you’re looking for an IT support provider get in touch here, or give us a call on 01 6644190 to talk with one of our experts.

2. Discover more about how MS Teams helps remote workers with both communications and collaboration.

3. Review our Remote Working solutions to ensure optimal protection for your businesses.


Is Microsoft Teams the Answer to Your Remote Working Needs?

Can Microsoft Teams Help your Company Through These Troubled Times?


The answer is a resounding yes. Microsoft Teams is a fabulous product; however, you will need a plan to get it up and running properly. So if you are interested in providing your staff with a single, simple app that lets them perform all of the following, then Teams is for you.

Verify their availability

No more guessing if your colleagues are available. Real time presence allows you to see if they are available, on a call, in a meeting or whatever.

Chat in real time.

Be able to get quick answers to questions through real time chat.

Make and receive all calls on any device.


Stay in contact with your colleagues, clients, friends and family through a simple to use call management solution that can be used on any device – laptop, mobile, desk phone, tablet – you name it.

Collaborate on files in real time.

Share and work on files at the same time – no version histories or emailing of files for review. All files in one place that can be edited by anyone with access. This is file management simplified.

Store all files centrally and access those files without complex VPNs.

Have access to your files from any location and any device. There is no requirement for complex VPNs and poor performance with trying to upload and download files to traditional file servers over slow connections.

Collaborate, share and communicate with each other with ease.

Join and manage teams that mirror how you work. Working on a project together – no problem. Need to collaborate with your finance team on new budgets – no problem. All communications, files and to-dos are located in one place in one simple-to-use app.

Schedule once off and regular meetings and video conferences.

Stay in contact with clients and staff using video conferencing. Visual contact is more important now than ever before. Seeing your colleagues and clients has a hugely positive impact on relationships.


Stay in touch and feel part of the team during the Covid 19 lockdown.

It goes without saying that teamwork is central to our ability to recover from the economic shockwave that Covid 19 has caused and will continue to cause. Make sure your team stays focused and productive as we navigate our way through these choppy waters.

If this sounds good, then Microsoft Teams may just be for you!


Mitigating your Risk with IT Security Controls

Photo by Bernard Hermant on Unsplash

Reading time: 3 Minutes
Written by Aaron Nolan
Risk mitigation is the process of lessening the effect of incidents through the implementation of security controls. The entire idea behind risk mitigation is putting mechanisms in place to reduce risk to the organisation. In this article, we will be talking about IT Security Controls and their role and characteristics in business.  

Many different types of controls can be implemented to mitigate risk. Risk controls can be physical, technical or administrative and they can act proactively or reactively. After the risk analysis element of the risk management process, many companies struggle to implement the correct or sufficient controls due to their lack of knowledge on IT Security. Choosing the wrong type or an unnecessary control can be a costly decision for the organisation.  

The organisation’s governance structure is responsible for the risk within the company. Many organisations do not have in-house IT knowledge or expertise, and therefore many mature organisations consult an independent third party to assess the mitigating controls available for each risk.   

What you need to Start Mitigating Risk 

At the mitigation point of the risk management process, an organisation should have the scope of their entire business in an Asset Register. The organisation should have completed a threat model against each one of these assets, with the likelihood and impact of their risks analysed, to then document the exposure. If you’re not familiar with these procedures, take the time to read our articles above.   

The organisation should have documented an acceptable level of risk in each area of the business based on its criticality. The exposure to each asset should have then been accepted, avoided, transferred or marked for mitigation. 

To learn more about these different ways to address risk, read:
Developing an Action Plan to Address Technology Risk. 

The list of risks to be mitigated is the outstanding exposure that requires IT Security controls to be implemented. Having an acceptable level of risk and an understanding of the criticality of each business functions allows the organisation to make an informed decision on what security controls to implement. 

Security Controls   

The phrase security control is sometimes used interchangeably with Safeguard or Counter Measure. There are many different types of security controls, and they can be broken down into Proactive and Reactive controls. 

Proactive Controls  

Deterrent and preventive controls are types of proactive controls, as they are in place before an incident occurs. Examples of deterrent controls are banner messages on servers, employee codes of conduct in contracts and high perimeter walls around your premises.

The idea of a deterrent control is, as the name suggests, to deter the threat. Preventive controls are mechanisms like firewall rules, Intrusion Prevention Systems (IPS) and physical locks on secure rooms. The idea of preventive control is to stop the threat from occurring at all.   

Reactive Controls 

Detective, compensative, corrective and recovery controls are all types of reactive controls because, at this stage, the incident has already occurred. Detective controls include anti-malware software, Intrusion Detection Systems (IDS) and CCTV systems. The purpose of detective controls is to alert you when an intrusion has occurred or been detected.

Examples of compensative controls are Insurance (Cyber/Premises) or having an alternative site available (Hot/Cold Site). Compensative controls are used to protect the organisation after a vulnerability has been exploited. 

Corrective and recovery controls are backups, electronic journaling or data archiving. These controls are to bring the business back to its natural state of operation. 

Whichever security controls you choose to implement should be driven from the risk analysis that has been carried out. These security controls should be cost-effective but also appropriate to the level of security required to protect the resources. The organisation must continually manage and monitor security controls to ensure sufficient security governance. 

In Conclusion 

The essential part of risk management is understanding your risk. The organisation’s governance structure should be aware of the threat before and after a control has been implemented. If the company does not have in-house IT knowledge or expertise and cannot make an informed decision on their risk, they should consult an independent 3rd party expert in IT and risk management. 

Once the risks are mitigated, the organisation should be able to accept any residual risk. The risk management process should give the company a baseline to work from, or put it in a position to implement a framework, allowing it to drive security policy from the governance structure down.

Thank you for Reading! Follow us on Social Media for more exclusive content.

Why an Impact Analysis is Essential for Company Continuity

Photo by Julia Joppien on Unsplash

Reading Time: 4 Minutes
Written by Aaron Nolan
A Business Impact Analysis (BIA) is one of the first steps any company should go through before or soon after becoming operational. The analysis is conducted to bring clarity to the financial and operational impact that a disruption could cause.

Moreover, the Business Impact Analysis’ importance goes beyond providing clarity. It serves as an essential activity to build a Business Continuity Plan and in the risk management discipline.

The goal of Business Continuity Planning (BCP) is the ongoing performance of the business in a time of disaster until normal business conditions are back in place. Planning for business continuity is vital to maintain continuous operations of the organisation in the event of an emergency.

A Business Impact Analysis should be implemented by the Management Structure within an organisation. It should include senior management and representatives from all departments of the business. 

Choose your team and required resources.  

The first step in a Business Impact Analysis is choosing the right members within the organisation to represent each team. Each person will view their risk and their department’s risk differently.

Therefore, every team must be represented in the assessment, as risk is objective, and any risk is relevant.

This makes it even more critical that Senior Management is part of the analysis, as it is their task to independently quantify and qualify each risk after the review has taken place. Legal representation is also advised throughout, or at least at the end of, the BCP process to ensure you have covered your organisation’s legal and regulatory requirements.

As Business Continuity Planning is not a once-off event, ongoing resources are required. The duty to continually train staff, purchase new hardware and software, and maintain documentation and processes to keep the plan live will need to be budgeted for each year.

Find your Scope  

Once you have your team in place and have an idea of cost involved in maintaining your Business Continuity Plan, you should then identify your scope. Your scope should cover all assets within your organisation, including hardware, software, information, premises and people.  

The easiest way to identify the scope of your business is to complete an asset register. All the previously mentioned assets should be addressed and recorded on the register. You may not have to go into great detail with people by listing each member of staff, but you should list critical positions of the team and ensure succession planning is addressed.   

Learn how to build your Asset Register in the article
Building your Asset and Risk Register to Manage Technology Risk 

The key priority of every organisation is the protection of its people. Human life should be prioritised over every other asset. An organisation may then choose to prioritise the security of its hardware over its information, but this will depend on which sector the company is in.  

Addressing Risk

Photo by Dave Herring on Unsplash

Once a company has identified its assets the next step is the risk assessment and risk analysis of these assets. Although many times risk assessment and risk analysis are used interchangeably, they are different things. 

Risk Assessment is the identification of all threats to your assets, whereas Risk Analysis estimates the likelihood of those vulnerabilities being exploited. These concepts will prove relevant when you attempt to understand and calculate your risks, so read our article Understanding and Calculating Organisational Risk for more details.

Once you have identified your risk, the organisation should document its acceptance or mitigation control and cost of these risks, which will then be presented for final approval by the CEO, stakeholders and board members.    

There are different approaches to addressing different types of risk. To get more insight and our best suggestions on that, read Developing an Action Plan to Address Technology Risk.

Business Continuity Plan Approval, Implementation and Maintenance 

The final step in Business Continuity Planning is the Plan Approval by the CEO, Stakeholders and board members. It is essential to have buy-in from the top level for BCP to succeed. Once the plan has been approved, and the resources provided, the implementation and maintenance of the program can start.  

A Business Continuity Coordinator and one alternative person should be trained in all parts of the Business Continuity Process. They, in turn, should put a BCP committee together to ensure the process stays live. It is the committee’s job to ensure the training and education of all employees are complete, documentation is up to date, and goals are being met.  

Documentation like a Statement of Importance, Statement of Priorities and the Outline of the Organisational Responsibilities should be deployed from the C-Level to all employees to ensure buy-in from the top down.

Photo by Ashkan Forouzani

Minimising Downtime with your Business Continuity Plan 

Once your Business Continuity Plan is live, the most critical part is ensuring that it stays there. Therefore you should test your plans on a regular basis to ensure you can address potential crisis scenarios effectively. While doing this, it’s crucial to keep your Maximum Tolerable Downtime (MTD) limit in mind.  

The purpose of all of this is to ensure your business stays within its MTD, even in disaster situations. That will keep your operations and employees safe, and your company can resume activities quickly without suffering considerable damage.

To illustrate the extent of financial damage a business could suffer within a few hours of Downtime, we have created a Downtime Calculator. Use it and calculate how much your business would lose for every hour in which operations are disrupted.

If the continual operations of your organisation have stopped, then business processes have stopped, and therefore the organisation is no longer in BCP mode but in Disaster Recovery (DR) mode. Read our article explaining the difference, or visit our Business Continuity page for more information.

Thank you for Reading! Follow us on Social Media for more exclusive content.

Lessons in Lockdown: Our Guide to Smarter Remote Working

Photo by Aleksi Tappura on Unsplash

Estimated Reading Time: 7 Minutes
The Coronavirus – a.k.a. Covid 19 – outbreak is forcing organisations all over the world to send their staff home, putting to test their business continuity planning. This means that businesses that have the structure to enable people to work from home can remain productive amidst the outbreak and other disaster situations.

Is your business prepared for the Coronavirus? Ensuring Business Continuity  

I love to work from home but only under certain circumstances. I only enjoy it when I have a task or project that requires serious focus. Otherwise, I prefer the energy and banter in the office. So how can we help our staff prepare for the lone working environment, handle stress and overcome the isolation effects of the Covid 19 pandemic?  

Take a typical day in the office, the chat, the meetings, the advice taken and received and all banter that goes with it. Try pausing it. For most business owners, this idea feels eerie.

Now put yourself in the shoes of the newer staff, the interns and other team members that look to others for guidance and assurance that they are doing the right thing. It tells you one thing: more input. A lot more input and leadership are going to be required to help those staff and protect them from the stresses and pressures that come from isolated working.  

Managing people remotely is more challenging  

Hopefully, you have clear staff roles defined. If not, thanks to the Coronavirus, you have more work to do. Deciding things like this for the first time during a pandemic outbreak is going to be tough, but it’s critical to helping your staff know that they are doing a good job.  

In our business, we manage the workload of the bulk of our team. They are clear on what they have to do and what good looks like. They need to communicate with each other and escalate work to colleagues where required. Even with this clarity, some staff might tend to feel isolated.   

The Power of Collaboration Tools  

The key for us has been to have regular huddles which are performed using MS Teams Meetings. The specific technology doesn’t really matter, and other alternatives such as Slack, Zoom and GoToMeeting have waived some of their fees and offer free solutions.   

Once you choose the technology that suits your purposes, you will need to help your staff bed it in. We suggest starting slowly where possible. Make sure they all have the equipment, headphones, cameras etc. to make this simpler. Make sure that your team also knows that we are all prone to distractions such as kids or crazy canines that need walking. We need to be understanding and flexible.

Our recommendations from lessons learned in Spector  

We have broken down the main recommendations under three headings: Team Motivation, Meetings and Managerial Advice. Towards the end, we also recommend the best guides and in-depth articles about remote working. By learning and implementing these practices, your organisation will be more resilient and flexible than ever, while remaining productive.

Keeping the Team Motivated

Doing your part in keeping the team motivated is vital, but it’s also crucial that you instruct the crew in practising and developing their own productivity habits while working from home. In a usual scenario, you would have plenty of time to prepare your team, but due to the rush in getting things done during the coronavirus outbreak, people are bound to feel out of place. Be disciplined in your efforts, and you will facilitate the transition for them.

  1. Stimulate communication: have an Instant Messaging platform for your team and ask everyone to be online there during work hours. Let them know that everyone is available to chat, and if they do not understand something, they can raise their hands and ask. Nothing is more isolating than not knowing what is going on.
  2. Keep it light and allow banter: we use a Team Channel specifically for banter and chat. We should call it the “You will not believe what just happened” channel, because that is what it is. People – suppliers, clients, staff – can request strange and wonderful things when they are under pressure. Somewhere to share that can be beneficial.
  3. Keep in touch: check in with each person at the start and end of each working day. Give them a few minutes to tell you where they are at and if there have been any particular challenges that day. Split the work among your senior management to help them develop a new type of rapport with the staff. Most of all, be disciplined.
  4. Check if people are available: don’t feel bad if you don’t get an immediate response. People may appear free but be talking on the phone, concentrating on something else or hassled by something at home. Ask for a confirmation of receipt after sending a message and let them catch up at later meetings, if required.
  5. Discuss difficulties: as mentioned before, the biggest challenge in shifting work environments is the cultural change. People have work habits that are being disrupted, and most of them are probably not used to working from home. Be open to hearing about their difficulties and provide advice.

Sharing some material and tips from experienced remote workers has proven to be an excellent start, and we found two links to help on that: 
Tips for working from home, from experienced remote workers;
Working from home when your kids are out of school – especially useful now that school classes have been paused due to the coronavirus outbreak:    

Photo by Andrea Davis on Unsplash

Meetings  

Another common difficulty shared by businesses is in conducting meetings remotely. Again, this topic is particularly sensitive during the Coronavirus outbreak, as the official recommendation from the health authorities has been to avoid physical contact. There is a large number of companies that rely on meetings to present their services or close new businesses, and they must adapt to survive during the reclusion time.  

  1. Scheduled meetings: set aside defined times to meet. Random meeting times do not work. Period. It also helps to have fixed meeting lengths — ours range from 5-minute huddles and updates to 45-minute leadership meetings. Nothing goes over the established time.
  2. Have an agenda: create and share a firm agenda of a small number of important points that are clearly explained to all participants. Allow people to add their own relevant points before the meeting.
  3. Use your resources: make these meetings eye to eye using video conferencing where possible. It adds a higher level of connection and encourages people to pay more attention. It is also a good idea to have your team mute their microphones – it drowns out background noise. Let them unmute as they need to talk. This is especially helpful with a larger number of people.

For more tips on Virtual Meetings, we recommend this article by Harvard Business Review: What it takes to run a great virtual meeting 

Managerial Advice  

Managing remote teams can be challenging as with any change in the way that you work. For this reason, we have compiled some guides from some of the world’s leading companies in remote working.   

Some of these companies were born remotely or made the transition with time. Between them, one should match your managerial style and bring some refreshing insight that you can apply in your reality. To get started rapidly, we recommend the article Transitioning to remote work in a hurry, made by Zapier. After focusing on these first aspects, you can proceed to reflect in more depth on this critical topic. Click on the blue links below to dig deeper into each guide.   

  • Learning about Business Continuity is an excellent way to prepare for this and other disrupting situations that may come to arise. Our article, Is Your Business Ready for the Coronavirus offers practical insight on that.  
  • Insight from real businesses: in this link, 140 companies answer the most frequent questions about remote work, such as how to manage performance and communications remotely. These companies are very distinct and adopt remote working at different levels, which provides a multilateral view of the topic.

Facilitate your Transition to Work Remotely 

As you may have noticed, enabling your workforce to work remotely is not a simple task – and one surrounded by multiple challenges. Even more so in the current global situation. Many of our customers were forced to adapt quickly due to the Coronavirus outbreak, and this seems to be the case for many businesses around the world.

Most companies still lack the structure to work remotely, such as the devices, configurations, and tools that one would require (VPNs, file sharing, cloud servers). Others may have the basics in place but are not yet able to do it securely – without compromising their critical files and database. 

Most business owners are too busy to learn about the level of detail needed to abide by best practice and ensure optimal performance while working remotely. Hence, we recommend finding a partner to facilitate this transition. 

If you need any advice on how to activate your team to work remotely, feel free to make contact with us. We have assisted numerous customers in this task, and hope to aid others in difficult times.

Thank you for reading! For more exclusive content, follow us on Social Media.
 

Understanding and Calculating Organisational Risk

Photo by Fer Nando on Unsplash

Estimated Reading Time: 5 Minutes
Written by Aaron Nolan
Understanding organisational risk is crucial not only for a risk manager handling GRC (Governance, Risk and Compliance) but also for any business owner or member of the board to future-proof their company and ensure Business Continuity.

In this article, we will be addressing some of the most common doubts and providing the essential information you will need to understand the nature of risk. With this knowledge, you can begin developing tactics to shield your business against it.

What is Risk?

Risk deals with the possibility or likelihood of a situation occurring based on the threats and vulnerabilities of an asset. Both vulnerabilities and threats can be mitigated using security controls, but we must understand the level of exposure first.

  • A threat to your business is any potential source of unwanted harm. An example of a threat might be a thief or a computer virus.
  • A vulnerability, on the other hand, is a weakness or the absence of a safeguard in an asset. An example of a vulnerability is a broken alarm system or an unpatched server.

Once all the threats and vulnerabilities have been identified and scored, you will find your Total Risk. This is the organisation’s exposure level before implementing any mitigation controls. Being aware of all your risks is crucial to conduct a Business Impact Analysis.

Risk Assessment vs Risk Analysis

Many people use these two phrases interchangeably, but they are two separate things. A risk assessment is used to gather the data about the company, like its assets register, asset value and data flow. The risk assessment is used to understand the scope of the business and its potential exposure.

A risk analysis, on the other hand, is used to calculate the probability of a vulnerability being exploited. An organisation should list all probable threats and vulnerabilities against the data gathered during the assessment, in a process called Threat Modelling.

This should be used to produce a Gap Analysis or a Risk Mitigation plan, which will generate a list of risks that can be acted upon based on a cost versus benefit analysis. Therefore, a Risk Analysis must follow a Risk Assessment.

For more details and useful tools to help you build your Asset Register and Risk Register, read: Building your Asset and Risk Register to Manage Tech Risk. There you will find a sample risk register and a webinar with detailed instructions on how to use it.

Calculating your Risk

After your organisation has completed the threat modelling process, there are several ways it can calculate its risk. Depending on the type of risk and the type of potential damage that could be caused, one way may be more suitable than another. In this article, we’ll be exploring Quantitative and Qualitative risk analysis.

How much does downtime cost your organisation? Find out with our Downtime Calculator

Quantitative Risk Analysis

A Quantitative Risk approach adds costs or monetary value to the risk allowing you to easily see a cost-benefit analysis of any mitigation process.

For a Quantitative Risk analysis to work, each asset must have an asset value (AV) attached to it. By carrying out threat modelling, we will calculate the likelihood and consequence of a threat or vulnerability occurring.

By scoring your “likelihood” on a scale from 0 to 5, with 0 being highly unlikely to happen and 5 being certain to happen, this will give you a number to work off. Similarly, this can be done with “consequence”, with 0 being no effect on operations and 5 being a complete stop of operations.

These two numbers added together will give you a total amount which you can compare with your risk table. Example below:

Risk description                  Risk Level   Total score
Totally Acceptable Risk           Low          <= 5
Acceptable Risk                   Medium       6
Transferable / Mitigatable Risk   Medium       7
Must Mitigate Risk                Medium       8
High Priority to Mitigate Risk    High         >= 9

This number will give you your exposure factor (EF). The Asset Value (AV) times the Exposure Factor (EF) can be used to give the organisation the Single Loss Expectancy (SLE) of any threat occurring or vulnerability being exposed.

AV x EF = SLE

An organisation can use the Single Loss Expectancy (SLE) times the Annual Rate of Occurrence (ARO) to get the Annual Loss Expectancy (ALE) of a risk occurring.

SLE x ARO = ALE

By comparing the results for different threats and vulnerabilities, you should be able to understand which risks are more relevant and justify them to the board. By putting the results together into a chart, it becomes easy to visualise and compare risks, as seen below.
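Carrying the scoring, the risk table and the SLE/ALE formulas above through in code, as an added example (not the article’s own tool or spreadsheet). The asset values, scores and ARO figures are constructed, and treating the 0–10 total score divided by 10 as the exposure factor is an assumption the article does not state.

```python
"""Worked quantitative risk analysis following the article's method:
likelihood + consequence score -> risk level table -> EF -> SLE -> ALE."""
from dataclasses import dataclass

# Risk table from the article: upper bound of the total score, description, level.
RISK_TABLE = [
    (5, "Totally Acceptable Risk", "Low"),
    (6, "Acceptable Risk", "Medium"),
    (7, "Transferable / Mitigatable Risk", "Medium"),
    (8, "Must Mitigate Risk", "Medium"),
    (10, "High Priority to Mitigate Risk", "High"),
]


@dataclass(frozen=True)
class Risk:
    name: str
    asset_value: float  # AV: value of the affected asset, in euro
    likelihood: int     # 0 = highly unlikely ... 5 = certain to happen
    consequence: int    # 0 = no effect on operations ... 5 = complete stop
    aro: float          # Annual Rate of Occurrence: expected events per year


def validate_score(score, label):
    """Scores must be whole numbers on the article's 0-5 scale."""
    if isinstance(score, bool) or not isinstance(score, int) or not 0 <= score <= 5:
        raise ValueError(f"{label} must be an integer from 0 to 5, got {score!r}")
    return score


def total_score(likelihood, consequence):
    """Likelihood and consequence are added to give a 0-10 total."""
    return validate_score(likelihood, "likelihood") + validate_score(consequence, "consequence")


def risk_level(score):
    """Look the total score up in the risk table; returns (description, level)."""
    for upper_bound, description, level in RISK_TABLE:
        if score <= upper_bound:
            return description, level
    raise ValueError(f"score {score} is outside the 0-10 range")


def exposure_factor(score):
    """ASSUMPTION (not stated in the article): the 0-10 total score is scaled to a
    0.0-1.0 fraction of the asset value lost, so it can multiply AV directly."""
    return score / 10


def single_loss_expectancy(asset_value, ef):
    """SLE = AV x EF: expected loss from one occurrence."""
    return asset_value * ef


def annual_loss_expectancy(sle, aro):
    """ALE = SLE x ARO: expected loss per year."""
    return sle * aro


def analyse(risk):
    """Run one risk through the whole chain and return the figures for the register."""
    score = total_score(risk.likelihood, risk.consequence)
    description, level = risk_level(score)
    ef = exposure_factor(score)
    sle = round(single_loss_expectancy(risk.asset_value, ef), 2)
    ale = round(annual_loss_expectancy(sle, risk.aro), 2)
    return {"name": risk.name, "score": score, "description": description,
            "level": level, "ef": ef, "sle": sle, "ale": ale}


def rank_risks(risks):
    """Highest ALE first: the order in which to argue for budget at the board."""
    return sorted((analyse(r) for r in risks), key=lambda row: row["ale"], reverse=True)


def control_is_justified(ale, annual_control_cost):
    """Cost versus benefit: a control pays for itself if it costs less per year
    than the annual loss it is expected to prevent."""
    return annual_control_cost < ale


# Constructed sample risks (illustrative values, not taken from the article).
SAMPLE_RISKS = [
    Risk("Ransomware on the file server", asset_value=200_000, likelihood=4, consequence=5, aro=0.5),
    Risk("Laptop stolen from a car", asset_value=2_000, likelihood=3, consequence=1, aro=2.0),
    Risk("Website defacement", asset_value=50_000, likelihood=2, consequence=4, aro=0.25),
]


if __name__ == "__main__":
    print(f"{'Risk':32} {'Score':>5} {'Level':7} {'SLE':>10} {'ALE':>10}")
    for row in rank_risks(SAMPLE_RISKS):
        print(f"{row['name']:32} {row['score']:>5} {row['level']:7} "
              f"{row['sle']:>10,.2f} {row['ale']:>10,.2f}")
```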

Risk Likelihood and Impact Chart

Knowing how to report these topics at a board meeting is also a vital part of the Risk Manager’s role. That could be especially hard if addressing Cyber Security risks. Should you need any help with it, read Preparing for an Audit and Discussing Cyber Security with the Board.

Qualitative Risk Analysis

Not all risk is tangible, therefore putting a cost on every asset may not be viable. In this case, an organisation should use a Qualitative Risk approach to review risk which might affect the reputation of the company.

A qualitative approach is a lot simpler and focuses more on business-critical operations than cost. It’s based on a subjective analysis, which can be done by scoring the risks of your assets as low, medium and high based upon the criticality to the business. This will give you a quicker indication of the required protection methods that need to be in place.

There are many different techniques and tools an organisation can use to calculate its qualitative risks like the Delphi technique, brainstorming or storyboarding.

Some organisations use a mixture of Quantitative and Qualitative risk analysis to cover both tangible and non-tangible assets. This is a very mature approach and safeguards the organisation both financially and reputationally.

Next Steps in Understanding and Addressing Risk

It is vital that the governance structure of an organisation understands the risks to their company to realistically implement controls to mitigate the risk. It is the responsibility of the organisation’s board members, C-level and stakeholders to understand the risks to their company.

The entire organisation must be examined in the Risk Assessment and Analysis process. The assessment must identify all assets and their value to the organisation, as discussed in detail in this article. The Risk Analysis process will evaluate the probability of a threat or vulnerability being exploited.

During the risk analysis process, the organisation’s governance structure should ask itself, “what will it cost us if we do nothing?” The Total Cost of Ownership (TCO) is the total cost of implementing a safeguard, and this must match a Return on Investment (ROI) for the controls. Otherwise, alternative plans for mitigating the risk should be considered.

There are different ways to address or mitigate risks, and we discuss them in more detail in our article Developing an Action Plan to Address Technology Risk. Before deciding to tackle threats directly, the organisation must determine the business impact of these exposures and identify the cost versus benefit of the mitigating controls.

Risk Management is a complex topic, so help yourself with our series of content and tools available in our blog.

If you need specialised help to guide you through this process, Book a Call with us. We have the expertise, the tools and the systems to make the risk management process simple and automatic.

Thank you for reading!
Follow Spector on our Social Media channels for more exclusive content.
 

Business Continuity – and Why it Matters During Covid-19

Photo by Dimitri Karastelev on Unsplash

Estimated Reading Time: 4 Minutes
Written by Aaron Nolan
As the Covid-19 virus epidemic continues to spread across the globe, the number of organisations and institutions forced to close their doors continues to rise daily. The long-term impact of the Coronavirus on businesses and the economy is yet unknown, but your organisation should do everything possible to mitigate the risk and ensure business continuity.

The key priority here is to contain or eradicate the spread of the virus and, in doing so, protect your staff, your most valuable asset. To this end, it may be necessary for your organisation to close the premises and require that employees work from home.

What is Business Continuity – and why does it matter in the Coronavirus outbreak 

The goal of Business Continuity is the ongoing operational uptime of the business in a time of disaster until normal business conditions are back in place. Planning for business continuity is vital to maintain the continuous operation of the organisation in the event of an emergency.   

Moreover, a robust business continuity plan will consist of much more than simply telling people to work from home. There are multiple factors that need to be considered and discussed beforehand. Most businesses are not ready to request that from their staff, as there is no structure in place to allow them to be productive remotely. 

The Covid-19 virus pandemic brings business continuity into sharp focus. Now is a perfect time to build and test the resilience and the Business Continuity Process for your organisation.

Questions that every organisation should be asking themselves now:  

  • What is the risk posed by Coronavirus to my business and employees? 
  • How long can the organisation sustain downtime? 
  • Can my organisation survive 14 days (self-isolation period in case of a Coronavirus infection) of remote working?  
  • What can I do now to limit potential downtime?   

How much would one hour of downtime cost you? Discover with our Downtime Calculator

Mature and risk-averse organisations should already have these contingencies in place to limit downtime and to mitigate potential financial loss. If your company does not yet have controls in place, consider the following as quick preparation wins in the event of an emergency closure.  

Business Impact Analysis

It may be too late for most, but a Business Impact Analysis (BIA) is one of the first steps your company should consider. A Business Impact Analysis is a review of all Business-Critical Operations, assessing the risk to each of them in the event of a worst-case scenario.  

A Business Impact Analysis should be implemented by the Management Structure within an organisation and should include senior management and representatives from all departments of the business. 

The easiest way to assess the risk to your business is to identify critical functions and supporting assets in your organisation. Once a company has identified its business-critical assets, the next step is to ensure their availability and continued ability to run.  

If you haven’t yet identified your critical assets and risks, read:
Building your Asset and Risk Register

Photo by Macau Photo Agency on Unsplash

People 

A Business Continuity Coordinator should be nominated, and all employees should be trained or at least made aware of the Business Continuity Process. It is the responsibility of senior management within the organisation to ensure the training and education of all employees is complete. 

Process 

In the event of your organisation having to close due to an emergency, there should be procedures and guidelines available to all staff to let them know what to do. Documentation such as an Incident Response Plan, Business Continuity Plan and a Continuity of Operations Plan should be available for all staff in the event of the organisation closing.  

Your employees should know where these documents are located whether that be on a local file server or hosted in the cloud. We call this a disaster recovery war chest. 

Technology 

The first thing to consider is, does every employee have access to a laptop or home PC? If so, does each computer comply with the company’s network access policy? And finally, does the device have a VPN set up in order to gain access to business applications and data remotely?  

It is also highly advisable to consider moving critical files to cloud-based storage, such as Egnyte or SharePoint. This will allow access to these files from anywhere, and on any device without the need for complex VPNs.  

Putting Business Continuity into Practice 

Having a robust Business Continuity Plan in place will allow you to be prepared not only for the Coronavirus outbreak but for every major risk factor that could potentially affect your organisation. A Business Continuity Plan should be able to address situations like fire, floods, physical intrusions and the vast number of Cyber Security risks – which, although seemingly less dangerous, could be just as disastrous for a company.

Any such disaster could cause anything from financial damage to a critical failure leading to business closure. Having contingencies in place could make the difference between your business shutting its doors or thriving. 

Now that you are aware of the importance of these procedures, you can prepare your plan and avoid the incoming damage posed by external threats. Should you need assistance and professional advice, feel free to Book a Call with us.

 

Financial Services Guide: Managing Technical Risk With NIST


A Guide for Financial Services and Regulated Firms

Dealing with risk is complex, and that level of complexity tends to escalate when addressing technology risk. Most people, including experienced risk managers, feel intimidated by the amount of technical detail involved. After hearing the concerns of many customers and partners, we decided to put together this guide on how we succeed in the challenge of managing technology risk.

Today you will learn of a framework and a set of tools that will make the task of addressing technology risk feel achievable. By leveraging the NIST framework, you can build a Risk Management system that will allow your business to reach top-level security and compliance. Plus, the best part: it’s easy to understand and verify progress.

We will be explaining what NIST is, how it works, and how you can begin implementing it in your organisation. The benefits are evident for companies in the Financial Services industries or for most businesses that operate in highly regulated spaces. However, the advantages of a robust risk management system and a cyber security framework are universal and will help all types of businesses thrive among today’s threats.

Click on the links below if you want to skip to any particular chapter and follow the links within them to dive further into more detail.

Understanding IT Cyber Security Risk

By now, businesses across the globe know that their IT infrastructure is at risk from attacks or breaches from cyber criminals, no matter how large or small they are, or what they offer.

For financial services organisations, it’s even more important to be aware of the risks and to come up with a plan to prevent and resolve any issues arising from an attack. When you hold a client’s financial information or provide a platform for people to save and move money, you want to ensure that that plan is as robust as possible.

It’s important, however, to understand first that there is no such thing as perfection in cyber security, and risk management is not a race, it’s an ongoing process of improvement.

Knowing that risk is something you’re always going to have to deal with means that you can regard it as an opportunity and allows you to be proactive in your approach to data protection and security. You don’t need to be an expert technician to avoid IT risk – it’s all a matter of asking the right questions.

In order to protect your business and its data (as well as that of clients and suppliers) and to ensure you’re compliant with financial regulations, you need to build a cyber security framework.

Photo by Rikki Chan on Unsplash

NIST is one of a number of frameworks, but it’s simple to understand and can be adjusted and applied to the IT systems of any company, no matter what their size. The business can then develop a cyber security system entirely tailored to their needs.

Still not sure about the usefulness of a framework? Read the following article:
Understanding Guidelines, Frameworks and Standards (from a Governance Standpoint)

NIST starts with a basic assessment of where a company is and where it wants to be. Understanding the difference between the current and desired state should help companies to carry out a gap analysis, to define their target risk profile and produce a risk assessment.

It’s important that careful consideration is given to the threats and vulnerabilities specific to financial organisations.

What is NIST?

The National Institute of Standards and Technology (NIST) has developed a Cyber Security Framework which they define as: “a policy framework of computer security guidance for how private sector organizations can assess and improve their ability to prevent, detect, and respond to cyber attacks.”

Once the assessment process is complete, NIST provides a risk-based action plan and cyber security insights that are appropriate for both board and executive-level review and implementation. The information generated is also easily quantifiable.

The NIST process is made up of three stages, each building upon the other to help a business to assess its current systems and draw up a plan. It includes five functional areas to consider: Identify, Protect, Detect, Respond and Recover. We will dive into more detail on these areas shortly.

NIST Cyber Security Framework five functional areas - Identify, Protect, Detect, Respond, Recover
Original NIST core framework

 

How can NIST Help Financial Services Organisations?

The NIST Framework helps companies to: ‘better understand, manage, and reduce their cybersecurity risks’. Completing the assessment means you can identify your individual priorities when it comes to cyber security and business continuity.

NIST is internationally recognised and designed to be shared with all employees, as well as with suppliers. Rather than making cyber security the responsibility of the IT department alone, the framework helps senior managers to communicate the importance of keeping data safe.

It also helps you to stay GDPR compliant. Since the legislation was introduced in 2018, all companies holding customer data must be proactive about how they safely store and remove that information. Anyone who falls foul of the regulator faces large fines.

Going through the process helps you to assess your current IT systems and allows you to fix any gaps, reducing your chances of data being compromised. It also means that if anything does go wrong, you’re prepared for it and can implement your continuity plan.

For more in-depth information about the NIST CSF, visit the official website or ask us in the comments section at the end of this page.

Applying the Framework

As we mentioned above, the NIST Cyber Security Framework is comprised of three sections. To help you get started, here is a quick explanation of what each of these is and how they fit in.

The Framework Core

The Core is designed to give you tasks to work through to help you reach the cyber security outcomes that you’ve identified as being necessary for your business. Within the Core, you can add references to where readers can find additional information on best practices, procedures and industry requirements.

The Core is written in clear, straightforward language so that it can be easily understood by anyone at any level within the organisation and doesn’t require a knowledge of technical jargon.

To make it easier to assess your needs, the Framework Core is split into five functions, as mentioned above, which are: Identify, Protect, Detect, Respond and Recover. NIST recommends using all five together for a ‘high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk’.

NIST Core Areas

Identify: The first step is to get an overall picture of the business, the resources available to support critical functions and the potential risks to data, assets and systems. Once these risks have been identified, you will then be able to create a strategy for use throughout the business to prioritise and manage them appropriately. Things to consider at this step include governance, the business environment and asset management.

Protect: The next step is to develop safeguards to make sure your company can deliver critical services. NIST suggests giving thought to data security, protective technologies, access control, awareness and training and identity management. Also include an implementation plan for the safeguards.

Detect: This function is designed to help you detect cyber security events in a timely manner and develop processes to do so effectively. It’s recommended that you include continual monitoring of systems and security, as well as how to identify anomalies or other changes.

Respond: NIST says that this function is intended to make sure you have the ability to contain the impact of a cyber security incident, should one happen. Take into account response planning and communication, as well as what to do afterwards, including analysis of the incident, mitigation and possible improvements that you can make to prevent an attack in future.

Recover: At this step, you’re working to map out your recovery plan and the improvements you’ll make for the future, as well as identifying how you’ll communicate this across the organisation. The key priorities here are to be able to get back to normal operations as quickly as possible in the event of a cyber attack and how to restore any services that were affected during the attack. Business resilience is important at this stage.

Within the Framework Core are underlying key Categories and Subcategories (outcomes). There are 23 Categories which are mapped against each of the five Functions outlined above. These include suggestions for cyber security objectives, such as personnel education. Think of them as brief topics you can include to help you reach your business outcomes.

NIST Cyber Security Framework Categories
NIST Categories

Next, there are 108 Subcategories, which NIST describes as: “outcome-driven statements that provide considerations for creating or improving a cybersecurity programme”. These can be amended to suit your own requirements.

NIST Cyber Security Framework Subcategories
NIST Subcategories

NIST Framework Implementation Tiers

The next section of the Framework covers the Implementation Tiers. The four tiers assess how an organisation views cyber security risk and what processes it has in place to manage that risk. The Tiers are used to decide how a business is prepared for and will respond to a cyber breach or attack.

NIST Implementation Tiers Scoring System
NIST Implementation Tiers
  1. Tier 1 – Partial Implementation: At this level, businesses have minimal awareness of the risks they face. Planning and implementation is inconsistent, and they take an ad-hoc and reactive approach to cyber security.
  2. Tier 2 – Risk-Informed: Here, companies are aware of the need for cybersecurity measures and have some idea for what these should be, but aren’t implementing them regularly. While they have plans and resources to protect themselves, they aren’t proactive.
  3. Tier 3 – Repeatable: This tier refers to companies which have implemented the Cybersecurity Framework across the board, apply policies consistently and communicate fully with employees at all levels so they understand the potential risks and the steps to take. The word ‘repeatable’ means that the business is able to respond to more than one crisis that may occur.
  4. Tier 4 – Adaptive: At the final stage, businesses have fully integrated the Cybersecurity Framework into their processes. Not only are they equipped to respond to and deal with threats, they are proactive with detecting them. They can also predict any issues based on the IT systems they have in place and any current trends.

Further below, we will provide a simplified tool to help you evaluate your current practices and understand where your business stands among these Tiers. It’s helpful to know that they don’t necessarily reflect your business maturity (although if you’re at Tier 1, moving up is recommended).

Instead, the Tiers should be seen as a way to help you manage risk, your priorities and how you can improve cyber security and progress to the next level at the right time for your company. They help you move from being reactive to proactive in terms of responding to risk.

As for your target profile, choose a Tier that reflects your desired outcomes and is achievable. You must select the appropriate Tier considering your ideal risk management practices, any legislation and industry regulation requirements (essential for financial services) as well as any obligations you have to others in your supply chain and any constraints that may exist.

NIST Framework Profile

The final stage is the creation of a Profile which is unique to your business. It is based on your objectives and requirements, the level of risk and the priorities you identified at the Core stage. It’s built using the Categories and Subcategories that you’ve chosen as being important to help you build a robust cybersecurity plan.

One advantage of spending some time developing a Profile means that, once you’ve assessed where you are now (Current Profile) you can start looking for ways to improve your cybersecurity and move to where you’d like to be (Target Profile).

Any gaps between Current and Target Profiles mean you can develop a plan to resolve them, based on what’s most important and time-critical to ensure your systems are protected.

Within this, factor in any other business needs, such as staffing and resources, costs, future planning and overall goals and other outside influences (such as changes to legislation or technology). Plan how to communicate the Profile and the goals to internal staff and external suppliers.

Learn where you are – Estimate your current NIST Profile

To get you started, we have developed a simplified self-assessment tool that you can use to evaluate your business and identify your current and target profile. By using this tool, you should be able to have a better practical understanding of how useful NIST can be. Keep in mind that it doesn’t cover all bases normally addressed by the framework, especially since we have shifted it from a levelled approach (1-4) into a “yes or no” approach to keep things simple.

Download the NIST CSF Simplified Self-Assessment Tool

Watch the video below for a detailed explanation about how to estimate your NIST profile and use the tool.

Strategy and Delivery to Implement the NIST CSF

The NIST Cyber Security Framework will then allow you to move on to analysis and planning and delivering your strategy. At this stage, you are working to identify your target (ideal) cyber security system and assess the current situation to see where there are gaps and what your business needs to do to hit the target.

Remember, completing the NIST Cybersecurity Framework is not enough on its own. While it will help you think through your security needs, you need to decide what steps to take next.

Once you’ve clarified your current cyber security position, your Target Profile (see above), identified any gaps and decided how to resolve these, you can move on to putting together your plan.

Don’t forget to include any legal requirements (such as GDPR) and industry regulations you may need to consider. Here are some other things you’ll need to think about:

Complete a Detailed Asset Register

An asset register (sometimes called a fixed asset register) is a record of every fixed asset you have in your business – anything that you use to generate revenue. It includes computers and other devices, vehicles, machinery and equipment, buildings and land.

You can record and track your assets however you wish, but an electronic list in a spreadsheet or similar is ideal because you can share it across teams or department heads who need to be able to access and update it.

It’s also important to review your asset register and keep it current, so allocate a regular time to review it, whether that’s quarterly or six-monthly. The register tracks the value of each fixed asset within the business, whether it is in working order, and its location. You’ll need to work out asset depreciation at the end of each financial year too.

It’s up to you what information you include on your asset register, but at the minimum, note its name or give it a description so you know which item you’re talking about. Include serial numbers or other identifying numbers.

Photo by Green Chameleon on Unsplash

Add when each asset was bought and its original purchase price, the depreciation and current book value. You might want to include its service history or, if it’s a vehicle, whether it has been repaired or when it last had an MOT.

Assign an owner to each asset, and where appropriate, allocate a risk weighting. A risk weighting is essential for banks, as it enables a calculation to determine its capital requirement and to reduce the risk of insolvency. Different classes of assets have different risk weightings applied to them, as some are riskier than others.

Depending on the asset, its risk will be assessed using the most appropriate tool. A calculation should also be done to calculate interest that may be charged, and the rate of return.

For more detail and practical examples of how to build your Asset and Risk Register,
read our article:
Building an Asset and Risk Register to tackle risk

Building a Risk Register

A risk register is a way of plotting the impact of any given risk over its probability. A scatterplot is the usual method of presenting the results, with impact across the X-axis and the likelihood of it happening on the Y-axis. The risks are then all marked on the graph. You can also use specialist software to track the risks.

Risk Likelihood and Impact Chart

The register also includes any other relevant information about each risk, such as its owner, the nature of the risk, and what, if any, mitigation measures are in place, and any contingency plans. It also discusses what impact a risk will have, and how likely (probable) it is that the risk will happen. Similar risks can be grouped together.

To help you visualise and build your risk register, we have acquired a Sample Risk Register and made a video with instructions and practical tips on how to insert and organise your risks onto the spreadsheet. You can access both below:

Download Sample Risk Register

Watch our Web Class below on how to complete your Risk Register

Set an Action Plan to Address Technology Risk

The information you’ve gathered while completing the NIST Cyber Security Framework should clearly show what your next steps are. Decide and agree on the actions the business needs to take across the next 12 to 24 months.

Set milestones for when you’ll change or update your security systems, how and when you’ll move from your Current to your Target Profile, and how you’ll track your progress. Include review dates for each step, and make sure you clearly communicate the plan and how it’s progressing with everyone within the organisation.

Knowing how to address your main risks is also crucial to improving your business profile, and there are different ways to do it depending on your budget and priorities. For example, a risk can be tackled head on, outsourced, insured or even accepted as it stands. Everything depends on how significant the risk’s impact, cost and probability are, and all of these factors should be considered when preparing your Risk Register.

For more information on how to build your action plan and address risk, read:
Developing an Action Plan to Address your Technology Risk

Collecting and Storing Evidence of Compliance

A crucial, yet commonly unappreciated, part of this process is to gather and store evidence of your activities along the way. To be compliant, you must be able to prove that you are compliant. This is where the evidence-gathering process begins, and it should function in parallel with your efforts to tackle risk.

There is a multitude of procedures, policies, systems and tasks that support this effort. We recommend utilising tools and specialised services to make this process automatic and as easy as possible.

The key takeaway from this chapter is that it supports the next stage: the audit process. By maintaining this evidence, you can conclusively demonstrate to an auditor that your business has been compliant with best practices and takes this task seriously.

For more information and details on the tools and methods we recommend, read:
Before the Audit: Gathering Evidence to Prove Compliance

Develop the Risk Management System

Next, you’ll need to develop your risk management system. The system will not only advance your technology infrastructure but will allow your organisation to improve in other key business areas and evolve in maturity. The company will run like a well-oiled engine, with processes and procedures supporting activities.

Below, we explain how the NIST Cyber Security Framework can assist in developing some of these areas.

Governance
Most governance requirements are covered in the ‘Identify’ function, which is stage one of the Framework Core. Other requirements fall under the relevant headings, such as ‘Detect’ and ‘Respond’.

Cyber Security 
Cyber security is tracked across all five of the Core areas, with the main controls included in Protect and Detect. It’s a good idea to take into consideration the CIS 20 controls.

The Centre for Internet Security Critical Security Controls for Effective Cyber Defence is a guide to best practice for computer security. It consists of 20 key actions, known as critical security controls (CSC), which serve as guidelines for organisations to block attacks.

Business Continuity Plan (BCP) 
This is covered across all functions, particularly the Recover function. A BCP is essential for all businesses, but particularly for financial institutions. Having a robust continuity plan in place means you can be prepared in case the worst happens.

It means you can continue with business as usual while data is restored or cyber threats are dealt with. It also enables you to communicate with your customers, staff and suppliers, and ensures that everyone knows what to do to keep the business operating properly.

Outsourcing 
Outsourcing is covered within the Identify function and falls under the category of Supply Chain Risk Management. If you are part of a supply chain, it is essential that your business is not vulnerable to external risks which could compromise not only your systems but those of everyone else in the chain too.

If you decide to purchase new technology, make sure it’s compatible with your existing hardware and software, it can be secured against data breaches and that it’s installed by the in-house IT team or your external support partner.

For more insight on outsourcing, read: Outsourcing Policy – Governance, Risks and Preparations to consider

Photo by Marius George Oprea on Unsplash

ISO Standards
As with other aspects of business, ISO standards apply to cyber security frameworks, although of course these vary depending on industry. ISO 27001 is a general standard for Information Security Management Systems and sets out explicitly how this should be controlled.

ISO 27002 includes the BS 7799 good security management practice standard, which outlines the best practice for cyber security management, and operates as a high-level guide. It’s most helpful to use it as guidance for management looking to achieve ISO 27001 certification.

For financial institutions, having ISO 27001 certification is hugely beneficial. As they hold so much personal and financial information on clients, often across devices and locations, they are particularly at risk from cyber-attacks.

Holding the ISO certification demonstrates to customers that the institution is committed to security, confidentiality and protecting their data, and is proactive in doing so. In the post-GDPR world, this is more important than ever and will help you stand out from the competition.

ISO 27001 and the NIST Cyber Security Framework have many similarities and overarching areas. This is a good thing, as if you are looking to adopt the framework or achieve the certification, you can transition from one to the other without dissipating your efforts. To learn more about which of these models can be more beneficial to your business, read our article ISO 27001 versus NIST: why choose one?

Preparing for an Audit

Financial Services organisations and companies operating within regulated industries are familiar with, and often terrified of, the concept of an audit. Utilising NIST and a risk management system, this process should become much more straightforward and painless.

An audit is a vital process for identifying fundamental weaknesses in your company’s formal procedures or cybersecurity architecture. It is not a name and shame process; audits exist to help you grow. Internal audits could potentially be just as effective, but the added pressure from an external auditor is what usually closes the gap between an organisation’s plans and actions.

However, as relevant as cybersecurity audits are, many companies are not well prepared for them. Learning what you need and how to behave during a review will bring more peace and efficiency to the procedure. The critical lessons are:

Communicate with the auditor: Speak to the auditor before and during the process, so you can both be as clear as possible on what is needed. Know the scope of the inspection and which people, tools and reports will be required, so you can have them available when requested.

Prepare in advance: The more time you spend preparing for this process, the less time the auditor will need to be on site. Study up on the applicable regulatory standards prior to the audit, prepare your files and documents in an easy-to-read format, and be ready to show a register of your assets.

Don’t be afraid: the auditor is not your enemy, and simply changing your perspective towards this person may significantly improve your relationship and the process. Ask the auditor to let you know of any significant issues as they arise, and be sure to ask for advice, as your problems will likely not be exclusive to you and there may be simple solutions available.

For more in-depth insights on being audit-ready, read:
Preparing for an Audit: How to tackle Cyber Security and discuss it with the board

Photo by Hunters Race on Unsplash

Dealing with the Board

Apart from dealing with the auditor, it’s equally important to report progress to the board and make sure that the goals and actions to attain these goals are fully understood and supported by them.

Educating the board about the relevance and role of the tech infrastructure of your business is an excellent place to start. It would be best if you also kept things as simple as possible, as this will likely be only one amongst many items in a list to be discussed by the board members.

One of the main advantages of the NIST framework is that it can demonstrate progress with its uncomplicated ranking system. Any non-technical person or board member should be able to understand it and learn which areas are the most critical.

We talk about the guiding principles for board reports, as well as some of the key questions to help identify and develop cyber security metrics in this article.

Maintaining the Risk Management System

As we said at the beginning, cyber security is not a once-off event; it is an ongoing process which needs to be continually monitored and improved. It’s not something that you can set and forget or leave to the IT department to manage.

Regular reviews of the systems in place using the NIST Framework should be agreed amongst the senior management team. Track examples of best practice and highlight areas for improvement, and make sure you communicate the results with the rest of the organisation.

The system can be maintained and handled in-house, given enough discipline and the use of calendaring tools. In this case, you will retain all of the documentation, evidence gathering and calendaring of reviews (such as backup tests, incident management, etc.) in a centralised document management solution such as SharePoint or Microsoft Teams.

However, depending on the size or complexity of your organisation, we would recommend hiring a specialised solution to facilitate this process. It will need to support the NIST Cyber Security Framework and provide you with the outputs that you need.

There are some excellent Integrated Governance, Risk and Compliance tools out there, all with their own strong points. At the very minimum, it needs to manage the tasks, repeat reviews, document and evidence gathering as well as provide detailed and executive progress reporting.

It makes the whole process, from vendor evaluations to day-to-day task management and compliance control, much simpler.

If you are considering specialist help and tools, you must understand the value they will bring to your business. The outcomes you seek are to be secure against threats, ready for audits, and equipped with a future-proof structure and strategy that fits your business’ unique characteristics. Depending on how much knowledge you have gathered about your technology infrastructure, we are able to suggest an appropriate solution.

Photo by Blake Wisz on Unsplash

How Can We Help – Implementing NIST into your Business

Here at Spector, we have two basic service offerings in this area: the Gap Analysis and the Cyber Security Programme.

We usually recommend that companies begin with the Gap Analysis, as it will give us more knowledge of your setup and a clear direction for your needs. This service consists of a project to analyse and identify the most critical vulnerabilities in your structure. It can be completed in a short period by our team, causing minimal disruption. To learn more about how it works and what is involved, read our Gap Analysis brochure, available on this link.

The Cyber Security Programme, on the other hand, is the step that follows the Gap Analysis, and it addresses the actual mitigation of your risks and the development of your structure on a continuous basis. We will deploy our tools and resolve the most urgent issues, then initiate new projects to reach your business goals. This allows us to close the gap between the desired and current state. If you want to learn more about this stage, we have information available on this link.

Both solutions will help turn this daunting process into an automatic and uncomplicated job. If you have questions, feel free to Book a Call with us. We will be happy to learn about your challenges and figure out the best solution.

Thank you for reading! If you have found value in this content, please share it with others who may feel the same way. Follow us on Social Media for more exclusive content.

Before the Audit: Gathering Evidence to prove Compliance

Photo by Maarten Van den Heuvel

Estimated Reading Time: 4 Minutes

One of the core elements in a mature risk management system is gathering evidence of your ongoing activities. To be compliant, you need to be able to demonstrate compliance, and the best way to do that is to collect and store evidence of your activities and have them ready to be verified during an audit. If you can do this work consistently before the audit, your job when dealing with an auditor will be made considerably easier.

In this article, we will explore some of the core elements involved in this process and some tools and methods to make it more straightforward. There is a multitude of procedures, policies, systems and tasks that support this effort.

These include but are not limited to:

Security policies

At Spector, we consider security policies an essential item for protecting your technology infrastructure – even more than the actual tools that will monitor your structure. They will define how users should behave, and if well implemented, should stop people from putting themselves in danger.

These policies will act as the base that sustains the system, so it’s essential that they are in place and reviewed every two years. We use between 17 and 23 policies with our clients, depending on their requirements. Our system will then gather evidence and save them as screenshots to support the implementation of these policies and controls.

Scheduled tasks with clear accountability

If you have designed an Action Plan to address risk or reach compliance, this plan should have originated a number of tasks and activities that must be performed for your business to attain its goals.

This can include all minuted meetings, preparation for board reports, backup testing, verification of security controls against known norms, etc. Tasks should be put into a calendarised system which creates automated workloads for the responsible parties.

Every task should have an owner, and there should be one body overseeing the entire process: a Risk/Compliance Officer. Evidence should be gathered regularly to ensure controls are still in place. If tasks don’t have a completion date, they usually end up on the back burner and never get done.

Reviews of logs

Log reviews can be done on a timed basis or using automated discovery tools and modern SIEM (Security Information and Event Management) and vulnerability solutions that report issues in real time. Technology can be a huge help here, particularly in producing evidence of real-time activity. Running annual vulnerability tests might tick boxes but is no longer enough to be considered best practice.

Photo by Beatriz Perez Moya on Unsplash

Managing security incidents

It’s futile to pretend that incidents will never happen, as there is too much uncertainty in today’s scenario, along with the human factor to take into consideration. Reporting and demonstrating how you discover, handle and remediate these incidents is crucial to show stakeholders and auditors that you can address them effectively.

Preparing reports after a security episode is usually recommended and will help the organisation understand how the incident happened and how to stop it from happening again.

Change management

Make sure that you document your approach to change management in terms of risk. Imagine the deployment of a new CRM: where will the data live, and how does the solution provide clarity around current data protection legislation? These considerations are evidence of proper planning.

Building a System to Manage Risk and Compliance

We like to think of this system as an organic entity. It grows and changes as the environment changes. There are many ways to handle this process of system building and evidence gathering. We use a risk management platform to assist us with our efforts, but we have clients that successfully manage the system by using calendaring solutions.

Tools to help in Gathering Evidence

There are a wealth of tools that can help in gathering data. These come in different flavours.

Tools that are run at a point in time – Vulnerability assessment and Pen-testing tools such as Qualys, Nessus, Rapidfire Tools. All have their place and discover different levels of details about the potential vulnerabilities in your environment.

Tools that run 24/7 – Now this gets more complicated. This is where current endpoint security and AI protect and detect solutions start to cross over with modern SIEM solutions. SIEM used to harvest log data to be analysed periodically.

Modern SIEM uses AI and inbuilt vulnerability capabilities, as well as integration with key security products, to provide a 360-degree real-time view of incidents. Players such as Netsurion have excellent platforms that extend their solutions and staff right into your organisation at a fraction of the price of staffing your own Security Operations Centre (SOC).

Using the Evidence in your Favour – Preparing for the Audit

The key takeaway from this chapter is that it supports the next stage: the audit process. By maintaining this evidence, you can easily prove to an auditor that your business has been compliant with best practices and takes this task seriously.

We recommend utilising tools and specialised services to make this process automatic and as easy as possible. Our suite of tools enables full visibility for an external or internal auditor while maintaining data protection and governance. It can reduce an auditor’s time significantly on-site, and consequently, the stress of business owners.

Next Steps

The next part will address how to get Audit ready and report your progress to the board using the tools and knowledge you already got. If you want to turn this daunting situation into a stress-free, automatic process, then talk to us and keep reading our compliance and risk management content in our blog.

Thank you for reading.
Follow Spector on our Social Media channels for more exclusive content.

Your Outsourcing Policy: The Risks and Considerations

Photo by John Towner on Unsplash

Estimated Reading Time: 4 Minutes
Written by Aaron Nolan

Outsourcing involves the transferring of responsibility for activities to an Outsourced Service Provider (OSP). Outsourcing has become an increasingly common practice in today’s world, as it brings to businesses the benefits of reducing costs, increasing scalability and allowing for the use of external expertise when required.

However, outsourcing is often not as straightforward as it seems, as there are many risks and factors to be taken into consideration.

An organisation’s board and management structure are uniquely responsible for the risks involved in outsourcing. Should anything happen as a result of outsourcing business-critical functions, the board and its management will be held accountable by their governing body.

Before deciding to outsource part of your organisation’s critical business functions to an OSP, several things should be understood and considered. This article provides a brief overview of the crucial factors, which will hopefully help you make a more informed decision.

Looking for specific information on outsourcing your IT management? We have more details on the article: Does Outsourcing Technology Support Really Work?

Awareness

The Board must be aware of what needs to be outsourced and what can be managed internally. Are there enough resources to keep certain functions in-house? Is it feasible and beneficial for the business? Keeping things in-house has its benefits and allows direct control over activities. However, without awareness, it can be just as faulty as outsourcing without having controls in place.

A cost vs benefit analysis should be carried out before outsourcing a business-critical contract. This should then be followed by a risk assessment of the outsourced function. This reflection exercise will give senior management a much broader view of the risk involved in outsourcing this function. By doing this, it should become easier to understand which functions should be prioritised and how the budget can be assigned.

Once the board and senior management agree that a function is required to be outsourced, they should go about understanding the Maximum Tolerable Downtime (MTD) of this function. Maximum Tolerable Downtime is the maximum length of time a business function can be down without causing irreparable harm to the business.

The organisation should then set about looking for an Outsourced Service Provider who guarantees that their Recovery Time Objective (the time it takes to restore critical functions) is shorter than the organisation’s MTD. In short, the business’ expectation must be met by the outsourcer’s promise for the relationship to work.

Only when both organisations understand and agree on the relevance of these functions can they engage in business. These Service Level Agreements (SLAs) should be written into contracts and reviewed regularly.

Photo by Hal Gatewood on Unsplash

Risk

Before outsourcing a business function, an organisation should go about doing a due care and due diligence process on the function and the providers. A risk assessment should be carried out on a provider before outsourcing any business functions. An organisation may use a tendering process or use the MTD mentioned previously as an indicator of the provider’s ability to meet its required SLA.

Once a service provider has been selected, the organisation should add the Outsourced Service Provider to its internal risk register or a list of third-party providers for regular review, to ensure SLAs are being met.

To learn more about risk, read: Understanding and Calculating Organisational Risk

Business Continuity Management

When an organisation decides to outsource business functions, it is its responsibility to ensure that SLAs are tested regularly. There is no point in having Recovery Time Objectives and Recovery Point Objectives in place if they are not tested at least once a year.

Sometimes backups fail, system patching isn’t always up to date, and changes to infrastructure are not always recorded, resulting in the BCP process taking longer than expected. Therefore, it is vital to test your business continuity plan as regularly as possible.

It is also critical for the organisation to implement an exit strategy with any service providers to ensure a smooth transition to another provider and return of any data held by the service provider. This could easily become an obstacle for business growth if left unchecked.

In Conclusion

With the ever-evolving advancements in technology making businesses more efficient, it has become more and more necessary to outsource functions due to the lack of in-house knowledge.

Outsourcing functions increases the scope of a business, but it also increases exposure, risks and the challenges of compliance. Tasks such as mapping the data flow and having full visibility of suppliers’ activities can become extremely complicated.

Regulatory requirements like GDPR force boards and management to understand and protect their data. It is critical for the organisation’s senior management to be aware of and understand the scope of its business, especially if it chooses to adopt a framework, guideline or standard.

Once the organisation understands its scope, it can then go about addressing the risks of not only its internal functions but also its outsourced functions. These outsourced functions should be tested regularly to ensure SLAs are being met and critical data is being backed up.

If you are looking for yet more detail on the major risks and factors related to outsourcing policies, we recommend reading the following whitepaper from the Central Bank of Ireland: Outsourcing – Findings and Issues for Discussion.

Thank you for reading, and for more compliance and business advice, visit our blog.
Follow Spector on our Social Media channels for more exclusive content.

eBook | Your Tech Transformation Roadmap for 2020 and beyond

Photo by Jakob Owens on Unsplash

Digital Transformation and Technology Transformation are some of the latest buzzwords commonly used by business leaders as the next go-to investment to bring your organisation to the next level. However, this process is often not very straightforward and could easily go wrong.

Major technology initiatives, like the implementation of new enterprise systems such as CRM or ERP, can be intimidating. They are usually expensive, take a long time to complete, carry a high risk of failure and can be very disruptive to the company’s day-to-day operations.

Applications that focus on specific business functions such as scheduling software, while less costly, often come with their own set of challenges such as limited functionality and the need to integrate multiple systems.

Despite these challenges, companies that have invested in digital technologies are reporting increased productivity, lower costs and improved product quality. They are also better positioned to react more rapidly to market changes and have better growth prospects.

Digital Technology in the Centre of the Transformation Process

Understanding how technology applies to a company is fundamental for this process to work. Expectations and investments must be clearly aligned, and every change implemented must be meaningful and effectively adhered to.

If technology is not important for you, it won’t be the thing that changes your business. You can’t expect to witness Digital or Technological Transformation if core value-adding activities of your company aren’t integrated with tech.

To establish your priorities and define these areas, we recommend the creation of a technology roadmap.

A technology roadmap can help you move forward with confidence and purpose while avoiding costly mistakes. It will help you align your IT projects with your strategic priorities, plan for the long term, and define your needs and goals before investing.

Download E-Book: Technology Transformation – Building an IT Roadmap for 2020 and Beyond


The ebook provides insight and guidelines for building a technology roadmap for your organisation. It covers the six steps you should take to prepare your business for what’s coming. If you need any help with this process, don’t hesitate to contact us.

Thank you for reading! If you have any questions or comments, please let us know in the comments below.

ISO27001 vs NIST Cyber Security Framework: Why choose one?

Photo by Marius George Oprea on Unsplash

Estimated Reading Time: 4 Minutes
Written by: Aaron Nolan

Standards and frameworks are implemented by organisations to have business alignment, adopt business best practice and adhere to industry regulations. Moreover, standards and frameworks outline security controls to help protect the confidentiality, integrity and availability of business-critical assets.

The firm’s Information Security Governance structure, which should comprise top-level management, should ensure security controls are managed, monitored and measurable. The easiest way to do this is to implement an existing framework or standard. Two such well-known frameworks are ISO27001 and the NIST Cyber Security Framework (CSF).

ISO 27001 and the NIST CSF framework approach information security and risk management differently, but the control measures for both are similar. The correct choice of framework for an organisation largely depends on their operational maturity, level of inherent risk, resources available and outside-pressure from clients and governing bodies. There is a significant overlap in the two frameworks to allow companies to implement controls which address risks within both. We will explain each in brief below.

ISO 27001

ISO 27001 is a globally recognised standard for information security management systems (ISMS). It sets out the requirements for an organisation’s ISMS, against which the ISMS can be certified. Achieving certification requires independent, audited verification that the ISMS is managed in line with the standard.

ISO 27001 requires the organisation to outline its cybersecurity program in a Master Security Policy, and then prove it is driven by the organisation’s governance structure.

The two critical steps of an ISO 27001 implementation are the risk assessment and risk treatment plan, which are better detailed in our article Building your Asset and Risk Register. These ensure adequate controls are in place for information assets, and that they are based on actual threats and vulnerabilities.

NIST Cybersecurity Framework

The NIST CSF is a risk-based framework developed for critical infrastructure sectors but adopted by organisations across all industry sectors. NIST does not provide a certification process; rather, it provides a well-designed framework to assist an organisation in establishing its Cyber Security maturity posture over the five business-critical functions:

Identify, Protect, Detect, Respond and Recover

Each of the core NIST functions is graded on a scale of 0-4, with higher scores indicating higher levels of Cyber Security maturity. This ability to provide an overall rating for an organisation’s cyber security posture makes it attractive. This way, Senior Management can quickly understand and appreciate positive developments in a risk improvement programme.

Use our Simplified Self Assessment Tool to view how your company performs in relation to the criteria used by the NIST CSF. Our GRC experts have also made a video explaining how to use the tool in more detail, which you can watch below:

With either of these materials, you’ll have a better understanding of how NIST works and of some of the topics you will need to address to obtain a good result and protect your business. Keep in mind that this tool is based on a simplified version of the framework and does not cover the same breadth or depth.

ISO 27001 and NIST – Which to Choose?

As NIST practitioners and ISO 27001 lead auditors, we are commonly asked which approach is most appropriate for each client. The response depends on what you want to achieve as an organisation. If the eventual aim is to achieve and maintain ISO 27001 certification, then starting with ISO 27001 would seem the obvious choice.

There is one caveat to that rule, though, and that is the current level of Cyber Security Maturity and Risk preparation of an organisation.

Where the NIST CSF truly comes into its own is for organisations that are trying to get a structured technology risk management programme off the ground. This is especially true where such efforts have failed previously. Such organisations tend to have lower NIST scores but have the governance drive and desire to build a structured Cyber Security maturity programme.

The NIST CSF will identify your current Cyber Security maturity levels and set out a clear plan to mitigate the risks by order of priority. It also helps rule out costly mistakes when making decisions about technology choices and budget by clearly identifying what is needed to address each risk.


This makes the NIST CSF a good starting point, as organisations may progress through the critical areas needed to reach compliance and focus on the specifics required for each stage. Then, companies can address whatever is missing for standards such as ISO 27001 only when they are better prepared. Furthermore, progress can be better visualised in this framework than for most standards – as they are based on a “yes or no” approach, versus NIST’s 0 to 4 scoring.

Conclusion – Understand where you are

Before deciding on which path to walk, it is always a good idea to take your time to analyse industry standards and your organisation’s priorities and goals. Depending on your particular situation, the ideal choice will change. Think about what will bring you more value in the long run, but don’t panic if you think you have made the wrong choice.

In the case of ISO 27001 and the NIST CSF, you have the advantage that several key areas of improvement overlap between both. Plus, they are both well-designed and established choices to raise the level of your business’ activities.

Getting someone familiar with the process can help, so if you need specific advice for your business, feel free to get in touch. We have guided many companies through these paths and will be happy to assist you if you are stuck. It may seem hard, but it is truly a matter of knowing the route to proceed.

Next Steps:

  • Our article Building your Asset and Risk Register may help you in identifying the risks and points that need to be addressed for your business to reach a higher level of compliance.
  • Once you know what these risks are, our article on Developing an Action Plan will explain alternatives and methods to complete your goals.

Thank you for reading. For more Compliance content, please check our blog.
Follow us on Social Media!

Downtime Calculator – How much does downtime cost your business?

Estimated Reading Time: 2 Minutes
Downtime could be the difference between a business closing and thriving. Yet, it is a fear that tends to vanish from managers’ minds until the very moment it becomes vital trouble. Most businesses, however, face a certain degree of downtime every single day, on not-so-prominent levels.

Every time your staff or systems are delayed due to technical inefficiencies, you are experiencing downtime. Just think of how each employee now and then has to stop working due to freezing computers, random updates, system outages or connection loss.

However, those instances of downtime are commonly seen and often ignored by businesses, categorised mainly as productivity issues. The type of downtime we are addressing in this article is the kind caused by disaster situations. In the worst instances, business operations are forced to stop because of such events, creating a tremendous financial or reputational loss and potentially leading to business closure.

To learn more about organisational risk, read: Understanding and Calculating Organisational Risk

Causes and Effects of Downtime

In this scenario, depending on which type of disaster has occurred, customers may be unable to shop, the staff may be unable to work, and the damage can hardly be contained if there are no robust Business Continuity procedures in place. It is a scary situation for any business owner, and up to 60% of businesses that go through a major disaster will close their doors.

In today’s world, technology failure and cybercrime are the most typical reasons for downtime amongst companies of all sizes. Depending on how reliant your business is on technology, it could suffer more or less from such adversities.

Calculating and Preventing Damage from Downtime

The Downtime Calculator helps you understand the level of disruption that such an IT disaster could cause to your business. It should take just a minute to set up and will give you a rough idea of the cost per hour of downtime, depending on how dependent your operations are on technology.

Nevertheless, some costs can’t be precisely estimated, such as the reputational damage or the loss of valuable data. You can access the Downtime Calculator here.

Fortunately, cases like these can be avoided and prepared for, with a budget that would cost a fraction of what such a disaster could potentially reach. By having a Business Continuity plan, a business will have tools, procedures and partners ready to act in case of a failure.

Start by identifying the main risks that could affect your organisation and define the best ways to proceed in any foreseeable scenario. If you want to learn more about Business Continuity and protection, talk to us, and we can give you details of what a good plan looks like. You can also check our Blog for more articles and resources on this topic.

Thank you for reading, and please share with us any thoughts on the blog and on the calculator. Have a good day!

Information Security: Governance vs Maintenance

Photo by Sylvia Yang on Unsplash

Estimated Reading Time: 3 Minutes
Written by: Aaron Nolan
Although they sound similar, Information Security Governance and Information Security Management operate at completely different levels of the business – one at board level and the other at management level. Throughout this blog, we will explore the differences between these functions and explain how they complement each other within the business’s security strategy.

Information Security Governance

Information Security Governance is a framework or standard set out by the board members, directors or partners of an organisation. This system outlines the security goals of the company, establishing how they will operate. In any mature business, the board members, directors or partners of an organisation are solely accountable for the Security Governance. It should be viewed as a non-negotiable business requirement that comes from the top down.

One of the first things a company should do is outline its Organisational Policy Statement, which is also referred to as the master security policy. This statement describes the strategic functions of the organisation and enacts company policy, and it should come across as an essential part of the business’ long-term strategic plan.

Essentially, an Organisational Policy should protect a company’s finances, reputation and assets, so it must detail how the business and its assets should be governed. This allows the organisation to allocate resources based upon its risk.

A key benefit of having a Governance Framework or standard in place is that it ensures goals are in place which can be measured against current performance. It provides shareholders with oversight and reassures them that risk is being adequately mitigated. Our latest article highlights the characteristics and many benefits of adhering to frameworks, guidelines and standards. Click here to read it and discover which we recommend.

Information Security Governance should not only align the framework against the company’s strategic objectives but also ensure that it complies with local and international regulatory laws. Overall, it is an essential part of a business’ risk management strategy, and it will have a direct impact on the course that the company will take over the long term.

Information Security Management

Information Security Management aligns the organisation’s functions to its strategic objectives. It is the practical enforcement of the policies and practices defined by the Information Security Governance structure. The organisation’s senior management is responsible for implementing these controls and ensuring that they are being adhered to on a daily basis. Therefore, the Security Governance authorises the Security management to make decisions on the company’s behalf.

Information Security Management also covers the management of vulnerabilities and potential threats posed to the organisation. As such, it is the responsibility of senior management to manage risk on behalf of the organisation. This also implies that any risk not detected by C-level management may not be effectively addressed by Information Security Management. They are responsible for managing risk, but not accountable.

Senior management is also expected to oversee project management to ensure that the strategy set out by the Governance structure is worked towards. Senior management would have full utilisation of the allocated budget to develop projects to reach the framework or standards set by the Security Governance.

In Conclusion

Information Security Governance is crucial for any business as it not only allows for budgeting for both capacity and new technologies but it also helps prepare for times of disaster. Negligence in the area of Information Security Governance can result in board members, directors or partners being held responsible for breaches, damage to company reputation or even financial loss.

Information Security Governance helps to outline goals, standards or frameworks for an organisation to achieve. Indeed, without any of these things, an organisation’s procedures can never be defined.

Security Governance is a “buy-in” from the top level of the company, and it is necessary for the Information Security Management to work within a company.

Thank you for reading. For more compliance advice, visit our Blog.
Follow Spector on our Social Media channels for more exclusive content.

Governance: Understanding guidelines, frameworks & standards

Photo by Rikki Chan on Unsplash

Estimated Reading Time: 4 Minutes
Written by: Aaron Nolan
Having a Guideline, Framework or Standard is fundamental for a business to define policy and assess its risk. Many companies are constrained in how they operate by guidelines, frameworks or standards, whether those come from the Central Bank, HIPAA or ISO27001. The level to which these are adopted varies, depending on the company’s view of risk.

Guidelines

A guideline is a recommendation, typically by a governing body, on the operational actions an organisation should take when there is no defined standard or framework in place.

An example of this is the Central Bank of Ireland’s handbook for Credit Unions or Financial Services, which is advisory in nature but not mandatory for institutions to follow. Guidelines assist the organisation in strengthening its legal and regulatory position by offering best practice advice. They provide recommendations on how standards or baselines should be implemented.

The main benefits of guidelines are that they can be adapted to suit the context of the business, allowing flexibility in implementation. They can be adjusted, modified and scoped to work with the company’s needs.

However, one of the main drawbacks of working based on a guideline is that these are subjective and not clearly defined, leaving a lot of grey areas of uncertainty.

Frameworks

A framework is a conceptual structure defined by the governance of an organisation to set out policies within the company. This is a top-down approach with the main stakeholders identified first, along with their needs and their appetite for risk. Those who will manage the policies on a day-to-day basis are determined at a later stage.

An example of a framework would be NIST or COBIT, with clearly defined policies and controls to be implemented. Frameworks do not specifically need to come from one source as organisations can draw from several standards to develop their own structure.

The benefits of having a Framework over a Guideline are that there are clear controls and policies that must be in place in order to adhere to it. Another advantage is that you can draw from several resources to build your own framework.

The main disadvantage of drawing from several frameworks is that it may not make you fully compliant with any specific standard or regulation. Be mindful of which frameworks you use as a reference and whether they are consistent with each other.

Standards

Photo by Victoria Heath on Unsplash

A standard is a mandatory activity, action or rule which is usually verified by a third party and certified. These are typically organisational security standards that specify how hardware and software must be used, in order to satisfy the needs of the standard. Standards are created to support and reinforce policies while providing more detail and direction on the controls.

IASME gold standard or ISO27001 are examples of standards which have precise controls which organisations must adhere to if they wish to be certified. Independent auditors are employed to verify that the required controls are in place so that the organisation can remain certified by the standard.

A crucial advantage of having standards in place is that it provides reassurance to your customers, third parties and authorising bodies that you take the necessary standards seriously. They are beneficial for an organisation’s reputation, and also reassure stakeholders that the standard is being adhered to.

While there aren’t many drawbacks to adopting a standard, they can be costly to implement and maintain. Regular reviews are required to keep the standard live, so resources are required, adding further costs.

The One we Recommend the Most

We have a great deal of experience with compliance across several different verticals, which allows us to work with customers in highly regulated industries, such as healthcare and financial services. Over the years we have discovered which frameworks are easier for the majority of people to understand, apply and follow.

One of these Frameworks is the NIST Cyber Security Framework, the most commonly used in the USA to evaluate a business’ technology infrastructure. It serves as an excellent place to start because it allows companies to identify what their most significant weaknesses and strengths are, which in turn makes it easier to decide where to focus first.

Looking for a comparison between NIST and ISO27001?
Read ISO27001 versus NIST: Why choose one?

The NIST Cyber Security Framework covers a business’s capacity to withstand a wide range of threats. There are five main categories, which are: identify, protect, detect, respond and recover. Each of these can be rated from 0 to 4, depending on a business’s readiness. Overall, these ratings provide an accurate and detailed picture of how a business’s tech infrastructure behaves, which is why we recommend and utilise it with our customers.

We have a guide explaining how to effectively leverage the NIST Framework to bring your security and compliance to the highest level. With it, you can build a risk management system tailored to your organisation. It’s available in this link.

In Conclusion

Depending on the maturity level, risk appetite and resources available, an organisation’s governance structure should be able to select a guideline, framework or standard that works best for the company.

The implementation of a framework such as NIST should be the foundation for any risk-averse company. Having a framework like NIST allows for the budgeting of resources, capacity planning and the costing of technology improvements.

Security Frameworks are vital for the success and progression of a company, whereas standards are “nice to haves”. Once the organisation has implemented a framework and brought it to its highest level, only then should they look at standards in order to improve its reputation or marketing value.

Thank you for reading! For more compliance advice, visit our Blog.
Follow Spector on our Social Media channels for more exclusive content.

How Your Staff Put Your Business at Risk of Invoice Fraud

Estimated Reading Time: 4 Minutes
Invoice Fraud – aka Beneficiary Change Request – is an increasingly common practice in today’s world. The increasing reliance on email communications has made Businesses much more vulnerable to Cyber Criminals and Social Engineering practices. Moreover, this Cyber Security incident easily bypasses your Anti-Virus or Firewall protection – instead, it relies on your staff and on how well-trained they are to recognise the threat.

Another common type of Fraud that has gained popularity over the previous years is the CEO Fraud, and you can read about it and educate your staff here.

What exactly is Invoice Fraud?

In this fraud scenario, a Cyber Criminal will pose as a trusted party and will seek to redirect payments. Typically, they will mimic the identity of a known supplier and communicate directly via email with the person in your company responsible for managing expenses.

There are cases in which the supplier’s email accounts have been compromised, and others in which criminals are using “spoofed” accounts, which appear as if they are coming from a trustworthy address. Learning to identify a suspicious email is one of the best ways to address this topic, and we have an article about it here. Reading this and sharing with your staff is a good start.

The content of this message is the vector of attack. What, on the surface, looks like a legitimate communication regarding financial details may be a case of Invoice Fraud. Often, the criminal will pose as a new account manager working at a partner company and inform your staff that their banking details have changed. Usually they will not even ask for money right away, to make the approach subtler.

Instead, they will patiently wait for the period in which businesses usually pay their invoices, and it could take a long time for everyone involved to realise what has happened.

How does Invoice Fraud happen? – An Example

Emma, a member of the accounts payable team, receives an email from John – a known contact for a supplier. The email notifies Emma of a change in banking details, in a polite and formal tone. Emma replies asking for telephone confirmation, which is required according to company policy.

John responds to say that he is on a business trip but that his colleague, ‘Brian’, is managing confirmations in his absence. Brian then calls Emma, confirms the request to change the banking details and sends an invoice – which Emma pays to the new bank account.

A few days later, Emma receives an email from John requesting payment for this same invoice. Emma immediately rings John and discovers that their bank details have not changed and that no Brian works for the company. It is only then that they discover they have fallen victim to Invoice Fraud and the money is gone.

Please Note: this type of fraud can be, and often is, accompanied by additional telephone communications, which only serve to make it appear much more genuine. Do not underestimate how sophisticated and patient fraudsters have become.

In these situations, it can be hard to pinpoint who is at fault for the money loss. If the email account used to communicate the change of details was compromised, then people may want to hold them accountable for the breach. However, in the end, it always falls to the organisation who is making the payment to have robust confirmation policies and ensure that they are communicating with legitimate company contacts.

How to Avoid Invoice Fraud

As previously mentioned, Anti-Viruses and tools will only do so much to protect you. A Cyber Security company can do a lot for your business, but an email inbox cannot be 100% secured. Indeed, while an inbox should have filters and protection, there always has to be an opening for new, seemingly secure emails – or the whole point of the channel becomes lost.

Therefore the best defence against this threat lies in staff training. Learning to identify a suspicious email is crucial as it will not only help to prevent Invoice Fraud, but it will protect your company against a wide variety of Cyber Attacks.

As employees are educated on this type of fraud, payment policies should also be reinforced. The following points should be standard procedure among transactions:

  1. Validate all change requests you receive beyond the channel they came from. Go to the company’s official website (don’t click on links from a suspicious email) and look for contact information, preferably telephone numbers.
  2. Create your own customer, supplier and payee profiles.
  3. Independently confirm requests with established approved contacts to verify any transfer requests.
  4. Beware of requests for immediate or urgent payments. Watch the language and tone being utilised and verify the sender’s identity.
  5. Keep track of your invoice routine and don’t merely pay something as soon as it comes up. Confirm all details verbally and in writing with the responsible parties.
  6. Send a test transaction, with a small value of money, to the new account and confirm receipt with the legitimate beneficiary.

Armed with this knowledge and by being made fully aware that they are the most common targets, your employees should be able to avoid being tricked by any potential Cyber Attacks. Remember, don’t hesitate in educating your staff – these threats are happening every day.

Here at Spector, we can provide this training to your staff as part of our Cyber Security offering. Education, evaluation and occasional phish tests are conducted to ensure that your staff are being vigilant and able to identify any suspicious communications. This is only part of the service included, and if you are interested in discussing this in greater detail, please feel free to contact us.

We will be able to answer your questions and have a better understanding of your needs. For more details on how we operate, read our Brochure Cyber Security Gap Analysis – it explains how the process begins and the first steps we will take to mitigate your technology risk.

Thank you for reading.

The Risk of CEO & CFO Fraud – How it happens and how to avoid it

CEO desk empty with a computer on top
Photo by Luke Chesser on Unsplash

Estimated Reading Time: 6 Minutes

CEO and CFO Fraud have been continuously hitting the news in the past few years. One of the most well-known cases targeting a large enterprise reached a value of €47 Million being sent to a fraudulent account.

However, since last year, we have seen a fast-growing number of cases among Small and Medium Businesses. Cyber criminals and hackers have found that although these companies offer smaller gains, they are easier to trick and target due to weak Cyber Security and virtually no training.

Globally, these attacks are now costing over €200 Billion per year for SMEs.

This article will bring a detailed overview of this serious issue. If you want to learn more about it, make sure to check our Essential Guide on How to Avoid Identity Theft, available for free, or read our blogs on the subject linked at the end of this post.

Real-Life Examples

Recently we have witnessed a case in which a person was convinced to send €700 in gift cards to a fake CEO. If the criminal has the right email and the right attitude, they may be able to persuade their targets to do the most incredible things.

In some exceptional cases, we have seen Cyber Criminals monitor an email account for weeks or months until an important supplier meeting was due to happen. When the time comes, they will send an email to the CFO saying that the meeting was a success and asking for a money transfer to close the deal. The account details provided are the criminal’s, and they will quickly withdraw the money and disappear.

Businesses have lost millions already due to these practices, which can be avoided with basic Cyber Security training.

How does CEO Fraud Happen?

The main thing all cases of CEO/ CFO Fraud have in common is the channel used for the attack: your email inbox.

Hackers will try to obtain access to the email address of the CEO or an important member of the board with direct access to the Finance department.

They will then try to find a situation in which a money wire seems to make sense. As soon as the moment arises, an email will be sent to the Finance Director requesting a money transfer to a specific account. The authority of the CEO and the language used for these scams are vital in making it seem authentic.

Open web page with email inbox displayed - the main channel of attack
Photo by Austin Distel on Unsplash

How they will gain access to an account – and why an Antivirus can’t protect you

Cyber Criminals have several ways of obtaining access to an account and stealing an Identity, even if they don’t infect your machine with viruses or malware. We will give a brief explanation of the most common ways below:

  • Phishing Attacks: Cyber Criminals will often try to trick their targets into giving away their personal details or clicking on some link or attachment that will give them access to their machines. To learn how to spot one of these suspicious emails, read our article about it here.
  • Insecure Network Connections: Hackers often exploit public networks due to their vulnerable security settings. If you use one of these networks, avoid accessing work files or sharing confidential information. Your company network may also be an open door for Cyber Criminals if your settings are not correctly configured and your firewall is not continuously monitored.
  • Data Leaks: Cyber Criminals often find passwords on data breaches and leaks. If your company does not have a robust password policy, it is very likely that one of your employees or even yourself is using a password that has already been harvested. If that is the case, criminals can access your account straight away.
  • Password Cracking: Another technique often used by Hackers and Cyber Criminals is to go deep into a target’s social media networks to gain more data about them and attempt to crack their passwords or trick their partners using available information online. By going through old social media profiles, they can find old email passwords – which are often used as Recovery Emails and may be accessed by security questions. This form of attack is extremely targeted to a specific individual, and it works surprisingly well against some people.

To learn about all these in detail, read our Article on How Does Identity Theft Happen, which talks not only about CEO Fraud but also about other techniques used for Identity Theft.

In short, if hackers can access a computer or find a password, there is a high probability that they will be able to infiltrate that account.

There are also some cases in which Cyber Criminals may not even be able to access the real email; they can simply create a fake email address using the target’s first and last name and pretend to be him/her in their personal accounts. They will then request a money transfer to an account, claiming it is an urgent matter.

The fact that this form of scam continues to work shows that even if your accounts are secure, you may still be at risk of such frauds. Next, we will discuss the best way to make sure your business will avoid such troubles, and if you want to know whether your accounts are safe in the meantime, read Are you Cybersafe? Assessing your Personal Risk of Identity Theft.

The Best Defence: Training & Education

A solid Cyber Security strategy and tools will be enough to push back most Cyber Criminals, but some of them will persist and potentially trick your staff into falling for the CEO Fraud or the Invoice Fraud.

The most crucial step to avoid this ever happening to you is to educate your staff about this issue and adopt security measures to ensure they are secure and will not make any mistakes.

Man speaking on phone while checking computer - confirming if money-transfer request is not a fraud
Photo by Austin Distel on Unsplash

We recommend training courses or sessions, along with a foundation of policies and tools to facilitate this task. Some of the main topics to be addressed should be:

Email Protection:

Since your email is the primary channel used by Cyber Criminals, it has to be as secure as possible. It’s always a good idea to use an Email filtering tool, but even then you cannot shut your doors entirely as valuable prospects and partners may try to contact you via email.

For that reason, everyone in the business, from interns to board level, must be trained on Email security. The main points are always to verify the sender address, examine the language and tone, and never open suspicious links and attachments. These tips and more are explored in our article Top Tips to Identify a Suspicious Email.

Strong Passwords:

A Strong Password Policy is of crucial importance in defence of your systems. Users must use strong passwords, change them regularly and never use work passwords on other accounts.

We have an article on some of the best password creation techniques and tools to make your life easier and increase business security. It is available here: Your Business Needs Stronger Passwords. Learn How to Create and Manage them.

Elastic Protection:

Cyber Hygiene must be present not only in your work environment but must follow you wherever you go. Mobile devices are following us everywhere and have a critical role in our lives. The same goes for companies adopting BYOD (Bring your Own Device), where employees use their personal devices to work. This trend means people have more ways of inviting malicious users into their work environment, and the company has much less control over these machines.

Businesses must utilise Mobile protection tools, be extra careful with insecure networks, and prepare procedures in case of device loss or theft. Encryption and remote wipe tools must be in place, and some level of education is required. We have an article with more details and relevant tips on BYOD, called: Embrace BYOD, but be smart about it.

Money Transfer Confirmation Policies:

Last but not least, even with all the right tools and procedures in place, there will be occasions in which a Cyber Criminal will be lucky or smart enough to bypass the main defences. When that happens, users must be ready and vigilant to make sure they are dealing with the right people.

One effective way of doing this is always to call or contact people asking for money transfers by other channels, to make sure they are aware and actually requesting that. If a suspicious message arrives via e-mail, try reaching people through their phones – even a text message could do it in most cases – or contacting others who are close to them and informed of their plans.

Stop CEO Fraud before it begins

As you may have noticed, this is a big topic full of nuances and points that can be deepened with further research. The best ways to safeguard your business and your accounts are to educate yourself and your staff, using whichever tools are appropriate to create new layers of security.

Identity Theft is the main reason for Financial Fraud. It is a growing and disturbing issue, that requires immediate attention.

If you want to read a guide about all these topics with more detail in a single place, we have a Free Essential Guide to Avoid Identity Theft. Download it or share it and help us reduce the number of potential targets.

We are here to provide more information or help you build your own robust Cyber Security. Contact us, and we will be happy to assist.

Preparing for your Cyber Security & GRC Audit

Photo by Hunters Race on Unsplash

Estimated Reading Time: 9 Minutes
Welcome to our series of articles on Managing Technology Risk and Governance. In this chapter, we will investigate how to prepare for a Cyber Security audit and prepare comprehensive reports for the board. These are recommendations based on our audit and board reporting experience over 15 years. Being ready for it is key to saving time and effort.

The core fundamentals of a cyber security audit are no different from a traditional audit. The auditor will be looking for anything that is out of place and your business has to prove that it is following best practice and addressing any issues. Audit experience is useful in both scenarios.

Adopting a framework prior to an audit can be extremely beneficial, as it will provide your business with direction and illustrate what are the standards and best practices you should be pursuing. Here at Spector, we recommend leveraging the NIST Cyber Security Framework to succeed in your GRC efforts. To learn more about it, read our Guide to NIST for Financial Services.

What is the purpose of a Cyber Security Audit

A cyber security audit is a vital process for identifying fundamental weaknesses in your company’s tech infrastructure. These assessments help you verify what lives inside your network, what needs to be protected, and how to improve protection. Auditors are looking for proof that you are doing the right thing and improving. It is not a name and shame process; audits exist to help you grow.

However, as relevant as cyber security audits are, many companies are not very well prepared for them. So, how can you prepare for a cyber security audit so that it can be completed quickly and efficiently?

If time is on your side, one of the best ways to succeed at this is to gather and store evidence of your activities as you go. That way you can quickly show an auditor that you have been compliant and that every main risk has a control and an owner – which demonstrates accountability. For more detail, read the article: Before the Audit – Gathering Evidence to prove Compliance.

Closer to the audit date, there are a number of things you can do to prepare besides gathering evidence. Here is a short list of the main tips to help you get ready:

Create a Diagram of Your Network Assets

While part of the goal of any audit is to identify unknown assets on your business network, giving your auditor a network diagram helps them save time and get a head start on their assessment. A network diagram outlines the overall structure of your network – what assets are present, how they are connected, and how they are segmented. Many tools exist today that provide a real-time view of your network assets; these make gathering the data simpler than hand-drawing diagrams that are out of date by the time you finish them. Reconcile the tool's output against your asset register before handing it over: every gap between the two is exactly the kind of finding the auditor will otherwise raise.

Verify with the Auditor Which Stakeholders They Need to Talk to


At some point, the auditor will need to speak to subject matter experts within your organisation to get a complete picture of your cyber security policies and architecture. So, before the audit begins, ask the auditor which of your key stakeholders they will need to talk to during their inspection. Set aside time for those stakeholders to attend, and find out what tools or access the auditor will need during the audit so that read-only accounts or sample exports can be arranged in advance.

Build Your Cyber Security Policies into a Single, Easy-to-Read Book

While your auditor will likely interview your staff to get a feel for their grasp of security, it also helps to give them access to your cyber security policies during the audit. Taking all of the documentation on your business’ cyber security policies and procedures and organising it into a single book can be massively helpful.

Spector provides a book of 20+ cyber security policies as well as other key business documents that we build into a single policy book. We also include evidence in these documents – which will likely be asked for. Some examples include:

  • Password policies
  • User Access Controls
  • Acceptable Usage Policies
  • Backup and DR Policies
  • Incident Management Procedures
  • Data Mapping Processes
  • Cyber security training logs, and many more.

This policy book helps the auditor understand your organisation’s overall cyber security awareness as well as spot potential gaps in your security policies and procedures that need to be addressed.

Study Up on All Applicable regulatory and Compliance Standards Prior to the Audit

Most organisations have one or more compliance or regulatory standards that they strive to meet, such as PCI DSS, GDPR etc. In 2016 the Central Bank of Ireland released the Cross Industry Guidance in respect of Information Technology and Cybersecurity Risks. It is a fantastic resource – albeit a little dated – on what may be expected at audit time.

By educating yourself about your compliance requirements, you can put yourself in a position to work more collaboratively with your cyber security audit & compliance team as well as verify that the suggestions they make are realistic and positive.

Define the Project Scope with the Auditor

One of the most vexing problems companies face is determining the scope of an audit and how to prepare for the review. Without an agreed scope, delays are inevitable, because unforeseen requests will disrupt outcomes, your time and costs. An experienced auditor should be able to anticipate these to some extent and inform you of their requirements in advance.

When discussing project scope for an audit, be sure to ask questions about why the auditor needs certain resources, or if there are any resources they require that you haven’t provided yet. Get details about why specific assessment steps are necessary and what they entail. Be confident!

After the Cyber Security Audit Starts

When the auditor begins making their assessment of your organisation’s cyber security infrastructure, be sure to ask them to bring any significant issues to your attention as soon as possible. No-one needs surprises at the conclusion of the audit. This also gives you a chance to start remediating these issues as soon as you can.

Also, be sure to take any alerts from the auditor seriously and ask for suggestions about how you can fix these issues. Many experienced auditors are familiar with numerous cyber security tools and quick fixes for common problems that you can implement very quickly. However, they may want to complete their full audit before making some recommendations so they can suggest the most comprehensive solution possible.

Dealing with the Board

Photo by Campaign Creators on Unsplash

Concerning the board, our advice is to keep it simple. There are often over 20 items to be discussed at a board meeting. You have a short time window in which to get your point across – and possibly ask for investment.

Educating the board about the relevance and role of the tech infrastructure of your business is a good place to start. We recommend reading the document mentioned above; the Central Bank Guidelines in respect of IT and Cyber Security Risks. The report is easy to read and highlights the main requirements and risks of a regulated firm. After introducing them to the topic effectively, your job will be much more straightforward.

Another strong recommendation for this subject is to consider adopting a framework such as the NIST Cyber Security Framework. It covers 5 key functional areas that are imperative for a robust Cyber Security strategy – Identify, Protect, Detect, Respond, Recover. In short, this framework comprises several relevant practices, ranging from user training to backups and security tools. It is simple enough to be quickly presented to the board while holding all the detail under the surface.

The following insights will also be valuable in transmitting your message in the best way possible.

Guiding principles for board reports

  • Relevant: Relevant to the audience (full board; key committee)
  • Reader-friendly: Use summaries, callouts, graphics, and other visuals, avoid technical jargon
  • Meaningful: Communicate insights, not just information.
  • Highlight changes, trends, patterns over time
  • Concise: Avoid information overload
  • Discussion: Reports should also enable dialogue and debate.
  • Continuous improvement: Review the format and content regularly.

Key questions to help identify and develop cyber security metrics

What metrics do we have that indicate risk to the organisation? Boards need to know that the organisation’s critical assets are being protected.

One advantage of utilising the NIST Cyber Security Framework is that it gives the board an easy-to-understand way to rate where you stand: a Current and Target Profile of which practices are in place, and 4 Implementation Tiers (Partial, Risk Informed, Repeatable, Adaptive) describing how rigorous and well-integrated your risk management practices are. As you address technology risk, your profile should improve in each of the functional areas and move you towards a higher tier, according to your target profile and priorities. One caveat: NIST itself states that the Tiers are not maturity levels, so present a tier as a description of how you manage risk rather than as a grade.


For more information on these tiers and on how NIST works, read:
The Guide to NIST for Financial Services Organisations

Moving on, independently of what framework you are using, these are the main questions you should be considering:

What investments are necessary for cyber security?

Organisations need to understand their current and future cyber security needs before they decide what investments will drive down risk. Useful questions include:

  • What initiatives were not funded in this year’s budget, and why?
  • What trade-offs were made?
  • Do we have the right resources, including staff and systems, and are they being deployed effectively?

How do we measure the effectiveness of our organisation’s cyber security programme and how does it compare to those of other organisations?

Board-level metrics should highlight changes, trends and patterns over time, show relative performance, and indicate impact. External cyber security specialists may be able to provide useful comparisons within industry sectors.

If you are leveraging the NIST Framework, you can easily visualize your progress in all key functional areas. The best way to do it is by keeping track of your initial profile and comparing it to your current and target profile, just as seen on the chart below:

Chart: initial, current and target NIST profiles across the five functional areas

To give you an idea of your current NIST profile, we have developed a simplified Self Assessment Tool that you can use to evaluate your business and identify your current and target profile. By using this tool, you should be able to have a better practical understanding of how useful NIST can be. Keep in mind that it is a simplified version of the framework and it doesn’t cover all bases normally addressed by the full scope.

How many data incidents (e.g. exposed sensitive data) has the organisation experienced in the last reporting period?

Photo by Stephen Dawson on Unsplash

This metric will inform conversations about trends, patterns and root causes. Remember to reinforce the fact that incidents are bound to happen – it’s not a matter of “if”, but “when”. How effectively the organisation reacts to these incidents is the primary point of discussion.

How do we assess the cyber-risk position of our suppliers, vendors, JV partners and customers?

Supply chain relationships typically pose increased risk for organisations given the degree of system interconnectivity and data-sharing that is now part of everyday business operations. Useful questions include:

  • How do we conduct ongoing monitoring of third-party risks?
  • How many external vendors connect to our network or receive sensitive data from us?

What metrics do we use to evaluate cyber security awareness across the organisation?

People are often the most exploited attack surface in an organisation. Data about policy compliance and the roll-out and completion of training programmes will inform conversations about insider risk and about how exposed staff are to phishing and CEO fraud.

Using these Insights to be Audit-Ready

Throughout this content series, we have provided you with the tools and knowledge you will need to perform much better in this stage. This knowledge is based on years of experience operating in many regulated industries and having internal lead-auditing capabilities.

It’s the material we wish we had when we were starting.

The pieces of content you have will aid you in understanding your risks, assessing your vulnerabilities, prioritising them and acting on them. The material can give your business a significant edge in this area, and you should use it as a competitive advantage.

If your objective is to get audit-ready and increase your organisational maturity, you should be in a much better place by now. However, to keep your business ready for the future and secured against evolving risks, the system you build has to keep evolving as well.

Building a Risk Management System – Simplifying the Process

Here at Spector, we have two basic service offerings in this area: the Gap Analysis and the Cyber Security Programme.

We usually recommend that companies begin with the Gap Analysis, as it gives us more knowledge of your setup and a clear direction for your needs. This service is a project to analyse and identify the most critical vulnerabilities in your structure. It can be done in a short period by our team, with minimal disruption. To learn more about how it works and what is involved, read our Gap Analysis brochure, available on this link.

The Cyber Security Programme, on the other hand, is the step that follows the Gap Analysis, and it addresses the actual mitigation of your risks and the development of your structure on a continuous basis. We deploy our tools and resolve the most urgent issues, then initiate new projects to reach your business goals. This allows us to close the gap between the desired and current state. If you want to learn more about this stage, we have information available on this link.

Both solutions help turn this daunting process into a routine and uncomplicated job. If you have questions, feel free to Book a Call with us. We will be happy to learn about your challenges and figure out the best solution.

Thank you for reading! If you have found value in this content, please share it with others who may feel the same way. Follow us on Social Media for more exclusive content.

 

Developing an Action Plan to Address your Technology Risk

Photo by Jakob Owens on Unsplash

Estimated Reading Time: 7 Minutes
In this article, you will learn about the crucial components to consider when creating an Action Plan to address technology risk. In reality, even though technology risk has plenty of complexities and details, the logic behind the action plan should be quite similar to the one guiding a standard risk management plan.

Serious about managing technology risk? Our best recommendation:
Building a system leveraging the NIST framework to manage risk

Technology risk is ever-changing and intricate, and it cannot be ignored. In today’s world, the odds of facing a technological disaster are higher than those of a natural one, and the consequences can be just as severe. Loss of critical business data and equipment, staff unable to operate, customers unable to buy – the more dependent you are on technology, the higher the risks.

That being said, there is no reason to panic. Once you have an idea of your main assets and the risks you could be facing, you can begin to tackle them by order of priority. If you haven’t yet identified them, you can start by reading Building an Asset and Risk Register. There you can find a sample Risk Register and more useful information, so check it out and come back when you’re ready.

Leveraging the Risk Register to define your Prioritised Plan of Action

The key result from establishing a full Risk Register is that your core and most critical risks rise to the top for all to see. Your plan is now to define how to handle these risks.

Firstly, you need to understand your inherent risk – the risk before any controls are applied – and assess the consequences and likelihood of failure. If the inherent risk is high, with damaging effects, you need to treat that risk by applying a control and reducing it to a tolerable level. However, that is not your only option.

Every company can adopt a different method for addressing IT Risk; some are qualitative and others quantitative. In our practice, we use the NIST CSF approach to get most organisations advancing, and an ISO 27001 approach for those that need to maintain a higher level of compliance, such as financial services or healthcare.

Let’s take a look at the options open to you as the Risk manager with some examples that will hopefully allow you to understand how to manage your risks.

Option 1 – Employ controls to mitigate risk

A control gives you the ability to change the inherent risk outcome. For example, you may decide that you cannot afford to lose more than 1 hour of data from your core business system (ERP), because re-keying that data would be an operational nightmare. That one-hour figure is your recovery point objective (RPO).

You can then apply a control such as a more frequent backup of the system – say to 15-minute windows. In this case, the control already existed and just needed to be tightened to address the risk of data loss. The control only counts as effective if you check it: a failed backup job leaves a gap that can silently exceed the RPO, and a backup that has never been restored is an assumption, not a control, so monitor the job history and test restores.
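The check described above, as an added Python example (not Spector's tooling): it reads a backup job history and reports every gap between successful backups that exceeds the RPO. The log lines are constructed for the example and the log format is an assumption; point `parse_log` at your backup software's real job export and adjust the field positions.

```python
"""Check a backup job's history against a recovery point objective (RPO).
Added example, not Spector's tooling; the log lines are constructed and the
log format (ISO-8601 UTC timestamp, job name, action, status) is assumed."""
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed job history for the ERP database snapshots (15-minute schedule).
BACKUP_LOG = """\
2024-03-04T09:00:07Z erp-db snapshot ok
2024-03-04T09:15:03Z erp-db snapshot ok
2024-03-04T09:30:11Z erp-db snapshot failed
2024-03-04T09:45:02Z erp-db snapshot ok
2024-03-04T10:00:09Z erp-db snapshot ok
2024-03-04T10:45:04Z erp-db snapshot ok
"""


def parse_log(text: str) -> List[Tuple[datetime, str]]:
    """Return (timestamp, status) per well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        events.append((ts, parts[3]))
    return events


def rpo_breaches(events, rpo: timedelta, until: datetime,
                 grace: timedelta = timedelta(0)) -> List[Tuple[datetime, datetime, float]]:
    """Gaps between consecutive *successful* backups, and between the last
    success and `until` (normally now), that exceed rpo + grace.
    Only 'ok' runs count: a failed job leaves no restore point, so the gap
    simply spans it. Returns (gap_start, gap_end, gap_minutes)."""
    good = sorted(ts for ts, status in events if status == "ok")
    if not good:
        raise ValueError("no successful backup in history: RPO cannot be met at all")
    breaches = []
    for prev, nxt in zip(good, good[1:] + [until]):
        gap = nxt - prev
        if gap > rpo + grace:
            breaches.append((prev, nxt, gap.total_seconds() / 60))
    return breaches


if __name__ == "__main__":
    now = datetime(2024, 3, 4, 11, 0, 0)  # fixed 'now' so the sample is reproducible
    for start, end, minutes in rpo_breaches(parse_log(BACKUP_LOG), timedelta(minutes=15),
                                            now, grace=timedelta(minutes=2)):
        print(f"RPO breach: no restore point between {start:%H:%M:%S} and {end:%H:%M:%S} "
              f"({minutes:.0f} min)")
```

The `grace` parameter absorbs normal scheduler drift (a 15-minute job finishing at 15 minutes 7 seconds is not a finding); the failed 09:30 run and the missing 10:15 and 10:30 runs are. Feeding the breach count into the risk register as evidence for the backup control is what turns "we back up every 15 minutes" into something an auditor can verify.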

For the sake of comprehensiveness, three types of security controls will assist in mitigating risk:

  • Management controls: The security controls that focus on the management of risk and the management of information system security.
  • Operational controls: The security controls that are primarily implemented and executed by people (as opposed to systems).
  • Technical controls: The security controls that are primarily implemented and executed by the system through the system’s hardware, software, or firmware.

It is the combination of all three types of controls that provides robust security. In our example above we have a Disaster Recovery Plan (management control) that is operated by your internal or external IT resource (operational control), while backup and recovery software and hardware deliver the ability to recover (technical controls).

A common problem with control adoption is that controls often make systems harder to use. When usability suffers, many users will attempt to circumvent security controls; for example, if passwords must be long and complex, users may write them down.

Balancing security, functionality, and usability is often a challenge. The goal should be to strike a proper balance: provide a reasonably secure solution while offering the functionality and usability that users require.

Option 2 – Transfer risk

Risk transfer is a risk management strategy that shifts an identified risk from one party to another. The simplest example, of course, is the purchase of an insurance policy, by which a specified risk of loss is passed from the policyholder to the insurer.

In terms of IT Risk, there are now Cyber liability policies that provide first-party cover as well as a host of additional benefits (legal, HR, PR advice) that allow an organisation to offset operational and reputational risks. Keep in mind that insurance transfers the financial impact only: regulatory and contractual accountability for protecting the data stays with you, and insurers commonly require evidence of baseline controls such as MFA and tested backups before they will write the policy or pay out on it.

Option 3 – Cease risky activity

Photo by Jairph on Unsplash

There is always the option to cease a risky activity altogether. It is not uncommon to accept the status quo of how things have always been done even when those activities expose you to risk.

With the arrival of GDPR, we have advised many clients on how they share information both within and outside of their organisations. It has meant that they now have entirely ceased the sending of personal data through unsecured means. They have sought different ways of moving that data or changed processes to suit the security requirement.

Option 4 – Accept the risk

Risk acceptance means acknowledging the identified risk and taking no further action to reduce it, because you can tolerate the potential consequences. For example, you may decide to accept a risk because the cost of eliminating it is ultimately too high. If you choose to accept a risk, it is good practice to document the reasoning and have the risk owner sign off on it.

An Auditor may not see this the same way that you do so it is essential to be able to stand over your reasoning.

Ownership, Accountability and Frequency

Although Risk Registers are unwieldy, they do provide the beginnings of a system and discipline around the assessment and ownership of your IT risks. This allows you to schedule reviews and put an agenda in place. Auditors are invested in seeking out evidence that you are doing the right thing.

They want the evidence from logs and activities, to how you manage your approach to IT Risk. Moreover, they are looking for accountability – someone has to own the risks.

This evidence-gathering process is a crucial part of the risk management system, and it should happen in parallel with your actions to mitigate risk. Keeping track of your efforts will make your life much more straightforward in an audit and bring precise accountability on what has and hasn’t been done.

More information on this can be found in the article:
Before the Audit – Gathering Evidence to Prove Compliance

Scorecard

A Scorecard is an excellent way of measuring your progress and assessing the main topics that need to be developed in every year or quarter. At Spector, we’ve been using scorecards with customers for many years, and their indications always bring much more clarity to reports and the action plan.

The simplest way to measure your score is to leverage an existing classification and scoring system and evaluate how your business is doing. We recommend utilising the NIST Cyber Security Framework, as it covers the most important areas of technological resilience and risk, with the added benefit of being incredibly easy to understand and present to the board.

As you address your risks and improve your cyber security maturity, you will be able to update your NIST profiles under the 5 key functional areas of Identify, Protect, Detect, Respond and Recover. Each of these areas has a number of categories and subcategories, which you can use to assess your level of cyber resilience. Depending on how rigorous your practices are, your business will fit into one of the 4 Implementation Tiers (Partial, Risk Informed, Repeatable, Adaptive).

NIST Implementation Tiers

As you advance and tackle technical risk, your score should increase in each of the areas and bring you to a new tier, according to what your target profile and priorities are. Make sure to keep this up to date and celebrate your progress.

For more detail in how to leverage the NIST framework to tackle technology risk, read:
The Guide to NIST for Financial Services Organisations

To get you started, we have developed a simplified Self Assessment Tool that you can use to evaluate your business and identify your current and target profile. By using this tool, you should be able to have a better practical understanding of how useful NIST can be. Keep in mind that it doesn’t cover all bases normally addressed by the framework, especially since we have shifted it from a levelled approach (1-4) into a “yes or no” approach to keep things simple.

In the following chart, you can see the starting profile, current working profile – i.e. as it is today or at last review – and target Cyber Security profile, based on the 5 functional areas of the NIST Cyber Security framework. The tool gives a simple view of how you are progressing your Cyber Security maturity levels.

Chart: starting, current and target NIST profiles across the five functional areas
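The profile comparison described here (and in the board-reporting section of the audit article earlier on this page) as an added Python example, not Spector's Self Assessment Tool: it takes the same simplified "yes or no" answers per subcategory, computes a starting, current and target profile per function, ranks the functions by shortfall, and also catches the case the chart alone hides, a control that was in place at the start and has since lapsed. The subcategory IDs are NIST CSF 1.1 identifiers; the answers are constructed for the example.

```python
"""Compare starting, current and target NIST CSF profiles built from a yes/no
self-assessment. Added example, not Spector's Self Assessment Tool. The
subcategory IDs are NIST CSF 1.1 identifiers; the answers are constructed."""
from collections import defaultdict
from typing import Dict, List, Tuple

FUNCTIONS = ["Identify", "Protect", "Detect", "Respond", "Recover"]
FUNCTION_OF = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
               "RS": "Respond", "RC": "Recover"}
START, CURRENT, TARGET = 0, 1, 2

# subcategory -> (start, current, target); True means "in place" / "required".
ASSESSMENT: Dict[str, Tuple[bool, bool, bool]] = {
    "ID.AM-1": (True,  True,  True),   # hardware inventoried
    "ID.AM-2": (False, True,  True),   # software inventoried
    "ID.RA-1": (False, False, True),   # vulnerabilities identified
    "PR.AC-1": (True,  True,  True),   # identities and credentials managed
    "PR.DS-1": (False, False, True),   # data at rest protected
    "PR.IP-4": (True,  True,  True),   # backups taken and tested
    "PR.PT-1": (True,  False, True),   # audit logs kept: lapsed since start
    "DE.AE-1": (False, False, True),   # baseline of normal operations
    "DE.CM-1": (False, True,  True),   # network monitored
    "RS.RP-1": (False, False, True),   # response plan executed
    "RC.RP-1": (False, True,  True),   # recovery plan executed
}


def profile(assessment, stage: int) -> Dict[str, int]:
    """Percentage of each function's subcategories answered 'yes' at `stage`."""
    yes, total = defaultdict(int), defaultdict(int)
    for sub, answers in assessment.items():
        fn = FUNCTION_OF[sub[:2]]
        total[fn] += 1
        yes[fn] += int(answers[stage])
    return {fn: round(100 * yes[fn] / total[fn]) for fn in FUNCTIONS if total[fn]}


def gaps(assessment) -> List[Tuple[str, int, List[str]]]:
    """Per function: shortfall between target and current profile, plus the
    subcategories still open. Largest shortfall first; ties keep NIST order."""
    cur, tgt = profile(assessment, CURRENT), profile(assessment, TARGET)
    missing = defaultdict(list)
    for sub, (_, now, want) in assessment.items():
        if want and not now:
            missing[FUNCTION_OF[sub[:2]]].append(sub)
    rows = [(fn, tgt.get(fn, 0) - cur.get(fn, 0), sorted(missing[fn])) for fn in FUNCTIONS]
    return sorted(rows, key=lambda row: row[1], reverse=True)


def regressions(assessment) -> List[str]:
    """Subcategories in place at the start but not now. A lapsed control is a
    finding to report, not just a gap to close."""
    return sorted(sub for sub, (was, now, _) in assessment.items() if was and not now)


if __name__ == "__main__":
    for name, stage in (("start", START), ("current", CURRENT), ("target", TARGET)):
        print(f"{name:<8}", profile(ASSESSMENT, stage))
    for fn, shortfall, open_subs in gaps(ASSESSMENT):
        print(f"{fn:<9} shortfall {shortfall:>3}%  open: {', '.join(open_subs) or '-'}")
    print("lapsed since start:", regressions(ASSESSMENT))
```

The per-function percentages are what the chart plots; the `gaps` ordering is the prioritised list for the action plan, and `regressions` is the line the board should hear first, because a control that quietly lapsed is exactly what an auditor will find.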

These tools and knowledge should help you define a clear path to begin addressing your risk. Not only that, but you will be able to prioritise actions and understand where your business is improving and where it still needs to improve.

Continue Tackling the Risk – After the Action Plan, prepare for the Audit

The next part of the series that we will discuss is about Evidence Gathering – which, as discussed above, means maintaining data that proves you are being compliant and improving your practices. It is a process that should happen in parallel while you are executing your action plan, and it will make your life much more comfortable during an audit.

For more tips and advice on how to present your progress to an auditor or the board, read: Preparing for an Audit – how to tackle cyber security and discuss it with the board.

As always, talk to us if you need specialised assistance. A reliable IT and Risk Management system will provide your Action Plan with the attention it deserves. At Spector, we specialise in technology risk management and have the tools and experience to make this process look simple.

Thank you for reading! Follow us on Social Media for more exclusive content. If you have found value in this content, please share it with others who may feel the same way. Be sure to leave a comment below if you have any queries or feedback about this topic.

 

Building your Asset and Risk Register to Manage Technology Risk


Reading Time: 7 Minutes
In this article, we will deal with the development of your Asset Register and Risk Register – critical tasks to manage Compliance and regulatory requirements in your organisation. If you need an introduction to risk management, read: Understanding and Calculating Organisational Risk

At the end of this post, you can download a sample Risk Register. Fill it with your business’ risks and details to build your own register.

Technology risk has its unique characteristics and is becoming increasingly common and dangerous to businesses of all sizes. Your business is more likely to fall victim to a cyber attack than fire, for example, and the consequences of such an attack could be just as dreadful. 

Most people who seek our advice don’t consider themselves fit to handle technology risk. Yet, in reality, much of the knowledge applied here is similar to other areas in risk management. We tend to recommend leveraging the NIST Cyber Security Framework to tackle technology risk, as it makes the whole process much more manageable. We have a detailed guide on that, here.

Prefer this content in a video? Watch the Webinar below:

Asset Register

Building an asset register helps clarify what is valuable in your company and who is responsible for it. Moreover, without knowing what you have and who is in charge of protecting these assets, you can never fully understand technology risk in your business.

When building an Asset register, we dip into our ISO 27001 knowledge and use the definition from the 2005 revision of ISO/IEC 27001, which defines an asset as “anything that has value to the organisation.” The 2013 revision dropped the explicit definition, but it remains a useful working one.

Think about that for a moment as it covers a lot of ground. Necessarily so.

Why are assets important for information security management?

There are two reasons why managing assets is essential:

1) We use Assets to perform the risk assessment. Assets are usually the key element of identifying risks, together with threats and vulnerabilities.

2) If the organisation doesn’t know who is responsible for which asset, chaos would ensue – defining asset owners and assigning them the responsibility to protect the confidentiality, integrity and availability of the information is one of the fundamental concepts in IT Risk management.

How to build an asset inventory?

Photo by Samuel Zeller on Unsplash

If this is your first attempt at creating an asset inventory, the simplest way to build it is during the initial risk assessment process because this is when all the assets need to be identified, together with their owners.

The best way to build an asset inventory is to interview the head of each department or outsourced service provider (if appropriate), and list all the assets a department uses.

We use discovery tools that automate the gathering of such information in terms of technical resources that may be less obvious – i.e. virtualisation solutions, switches, routers etc. – as these are often forgotten.

This process is further supported by walking the floor and writing down what you see people actually using and doing. It is always amazing what your staff know about what is stored and used in your business.

You may already have several elements of this asset register to hand, in which case you only need to compile them under the headings as described below.

Building the asset register is usually done by the person who coordinates the Risk Management process, and this person collects all the information (hopefully with plenty of help) and makes sure that the inventory is updated.

What to include in your asset inventory:

In the asset register that we are looking to build today, we suggest the inclusion of assets under the following headings:

  1. Hardware – e.g. laptops, servers, printers, but also mobile phones or USB memory sticks.
  2. Software – not only the purchased software but developed software and freeware.
  3. Information – not only in electronic media (databases, files in PDF, Word, Excel, and other formats) but also in paper and other forms.
  4. Infrastructure – e.g. offices, electricity, air conditioning – because those assets can cause a lack of availability of information.
  5. People are also considered assets because they also have lots of information in their heads, which is very often not available in other forms.
  6. Outsourced services – e.g. IT services, legal services or cleaning services, but also cloud-based services like Microsoft Office 365 and Enterprise File Sharing solutions such as Egnyte. Such services need to be controlled in much the same way as assets, so they are very often included in asset management.

Who should be the asset owner?

The owner is usually a person who operates the asset and who makes sure the information related to this asset is protected.

For instance, an owner of a server can be the system administrator, and the owner of a file can be the person who has created this file. For the employees, the owner is usually the person who is their direct supervisor.

For similar assets used by many people (such as laptops or mobile phones), you can define that an asset owner is the person using the asset.

If you have a single asset used by many people (e.g. an ERP software), then an asset owner can be a member of the board who has the responsibility throughout the whole organisation – in this case of a Critical Business System, this could be the CIO or CFO.

When this part is done, you should be able to move to the next stage.

Risk Register

Photo by Green Chameleon on Unsplash

Building a risk register allows you to both assess and treat the risks to all of your identified assets. Although critical, we are often asked – why is it so important? The answer is quite simple, although not understood by many people: you need to find out which incidents could occur (i.e. assess the risks) and then find the most appropriate ways to avoid such events (i.e. treat the risks).

Add to that that you also have to assess the importance of each risk so that you can focus on the most important ones first. In NIST CSF terms, this is what lets you prioritise your next actions based on identified risk.

While building the risk register seems daunting, it is very commonly unnecessarily mystified. These 4 straightforward steps alongside our sample documentation will shed light on what you have to do, and eventually how to present it to an auditor or the board:

1. Risk assessment methodology

This is the first step on your journey through risk management. You will have to define rules on how you are going to perform the risk management because you want your whole organisation – and your stakeholders – to implement this in the same way. The approach that we will take will be quantitative in our example.

2. Risk assessment implementation

Once you know the rules, you can start finding out which potential problems could happen to you. You need to assemble the list of all your assets, then investigate the threats and vulnerabilities related to each of them.

You should assess the impact and likelihood of each combination of assets/ threats/ vulnerabilities and finally calculate the level of risk. Again, our sample risk table will assist you in building out your risk register.

Our experience tells us that companies are usually aware of only 30-40% of their risks. As a result, you will find this kind of exercise both revealing and rewarding.

3. Risk treatment implementation

Not all risks are created equal – you must focus on the most important ones, so-called ‘high’ or ‘critical’ risks, first.

There are four options you can choose from to mitigate each critical risk:

  1. Apply security controls to minimise the risks.
  2. Transfer the risk to another party – e.g. to an insurance company by buying an insurance policy.
  3. Avoid the risk by stopping an activity that is too risky, or by doing it in a completely different fashion.
  4. Accept the risk – if, for instance, the cost of mitigating that risk would be higher than the damage itself.

This is where you need to get creative – how to decrease the risks with minimum investment. The unfortunate truth is that budgets will always be limited. You need to figure out the best way to mitigate risk at the least cost. We go into more detail about this part in the next article – Developing an Action Plan to Address Technology Risk.

4. Risk Implementation Plan

This is the step where all of your hard work and information gathering starts to pay off. Let’s be frank – all up to now this whole risk management job was purely theoretical, but this is where the rubber meets the road and we get some concrete results.

The primary purpose of the Risk Treatment Plan is this: to define exactly who is going to implement each control, in which timeframe, with which budget.

Once you’ve written this document, it is crucial to get buy-in from either your board or top management as it will take considerable time and effort (and money) to implement all the controls that you have planned here. Moreover, without their commitment, all these efforts will fail.

Once you’re done, you have just completed the hardest part of your overall risk management strategy. Best of luck!
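To make the four steps concrete, here is an added example (not Spector's own sample register or methodology) of a minimal quantitative risk register: step 1 fixes the scales and bands, step 2 scores and ranks each asset/threat/vulnerability entry, and steps 3 and 4 are checked by requiring every high or critical risk to carry one of the four treatment options plus an owner, deadline and budget. The scales, bands and sample entries are constructed for illustration.

```python
from dataclasses import dataclass

# Step 1 (methodology), constructed for this example: 1-5 scales for impact and
# likelihood, risk score = impact x likelihood, fixed bands for the risk level.
SCALE = range(1, 6)
BANDS = [(20, "critical"), (12, "high"), (6, "medium"), (0, "low")]
TREATMENTS = {"mitigate", "transfer", "avoid", "accept"}  # the four options of step 3

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    impact: int                    # 1 = negligible .. 5 = severe
    likelihood: int                # 1 = rare .. 5 = almost certain
    treatment: str = "undecided"   # chosen in step 3
    owner: str = ""                # step 4: who implements the control
    deadline: str = ""             # step 4: by when (ISO date)
    budget: int = 0                # step 4: with which budget

    @property
    def score(self) -> int:
        return self.impact * self.likelihood

    @property
    def level(self) -> str:
        return next(name for floor, name in BANDS if self.score >= floor)

def build_register(risks):
    """Step 2: validate each entry against the methodology and rank by score."""
    for r in risks:
        if r.impact not in SCALE or r.likelihood not in SCALE:
            raise ValueError(f"{r.asset}/{r.threat}: impact and likelihood must be 1-5")
    return sorted(risks, key=lambda r: r.score, reverse=True)

def plan_gaps(register):
    """Steps 3-4: every high or critical risk needs a decided treatment and,
    unless it is accepted, an owner, a deadline and a budget. Returns the gaps."""
    gaps = []
    for r in register:
        if r.level not in ("high", "critical"):
            continue
        if r.treatment not in TREATMENTS:
            gaps.append(f"{r.asset}/{r.threat}: no treatment decided")
        elif r.treatment != "accept" and not (r.owner and r.deadline and r.budget):
            gaps.append(f"{r.asset}/{r.threat}: missing owner, deadline or budget")
    return gaps

# Constructed sample entries for the register.
SAMPLE = [
    Risk("file server", "ransomware", "unpatched SMB service", 5, 4, "mitigate", "IT lead", "2022-06-30", 8000),
    Risk("laptops", "theft", "no full-disk encryption", 4, 3, "mitigate"),
    Risk("website", "defacement", "outdated CMS plugin", 2, 3),
    Risk("office printer", "data leak", "default admin password", 1, 2),
]
```

Running `plan_gaps(build_register(SAMPLE))` reports the laptop risk as the only gap: it is high but has no owner, deadline or budget yet.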

Continue tackling the Risk – Download your Risk Register Sample

Photo by Blake Wisz on Unsplash

From our years of experience working with customers in highly regulated industries – Financial Services, Healthcare, semi-private organisations – we have found that the best way to handle the challenges of managing technology risk and governance is by leveraging the NIST Cyber Security Framework.

We explain how to do it in detail in our Guide to NIST. Its main focus is for Financial Services companies, but every type of business can leverage the framework to deal with risk.

Download your Risk Register Sample Here, and if you have problems using it, watch the webinar near the top of this page.

The Asset and Risk Register are crucial for the development of a Risk management system, but keep in mind that they are only part of that system and not the end result. Now that you are done reading this part, the next one is to Develop your Action Plan to Address Technology Risk.

To continue managing the risk consistently and continually, we have developed our own methodology to assist and guide you through every step. If you are looking for an extra level of detail and a system that will make this process much more comfortable and straightforward, Book a Call with us. We can get you to your desired state of maturity with a tested solution.

Follow us on Social Media for more exclusive content, and as always, if you have any feedback or questions about this article, please do not hesitate to use the comment box below.


How to Avoid the Biggest Cyber Security Risks of 2019

Photo by Serge Kutuzov on Unsplash

Estimated Reading Time: 4 Minutes
We depend upon technology more each passing year. Just a decade ago the idea of controlling your home using your smartphone was speculative at best, and pure Sci-Fi for most people. Fast forward to today, and most members of the public have a personal technology stack with multiple vulnerability points. This post intends to highlight some of these vulnerability points, and explain how they can be mitigated simply.

Smartphone Security

There is a smartphone app for everything it seems these days. From ordering food at your local fast food outlet, to making payments without taking your credit/debit card out of your pocket. We control our homes, our finances and our lives using our phones. Apart from exercising common sense in the way you use your smartphone, there are some proactive steps you can take to protect yourself, and these include:

  • Set a passcode for your phone that must be entered every time you wake it up.
  • If your phone has the capability to use fingerprint or facial recognition to unlock it, use it.
  • Always ensure that the operating system itself, and also all of the apps you use, are updated at all times.
  • Install some antivirus and antimalware software.
  • Regularly review which apps have what permissions on your phone, and remove any permissions that are not required for normal operation.
Photo by Bence Boros on Unsplash

Internet of Things Enabled Devices

The Internet of Things (IoT) is already changing the way that we interact with the world. From turning the lights on and off, to cooking our dinner for us while we are at work. It is also revolutionising automated systems such as manufacturing lines, and completely re-inventing the way we handle real-time monitoring applications such as security systems. If a device can be intelligently connected to the Internet, it can be used to control, monitor and measure its environment.

This comes with a cost though. Every single new IoT device adds another potential point of failure when it comes to security. Aged devices running old software riddled with vulnerabilities will create a rapidly growing number of security problems in the future. If you are embracing the IoT, then make sure every device you use is fully secured and has no known inbuilt vulnerabilities.

Amazon Echo & Google Home

Taking the IoT problem outlined above one step further, we have to talk about intelligent, Internet-connected assistants. Sure, it is great to be able to ask Alexa what time our next meeting is, to play some new music, and to remind us to buy some cooking oil the following day, but what happens when an intruder has access to your assistant? Consider how simple it would be for somebody to gain access to your private information just by asking your Amazon Echo or Google Home smart assistant. Always power these devices off when you are out if you can.

Ransomware, Malware and Viruses

This trinity of malicious software applications is worthy enough to make every list for the last decade or more. As antivirus software becomes smarter, the developers of these applications always seem to stay one step ahead. Your antimalware suite is your first line of defence, but it is often not enough.

Only common sense and the development of safe browsing/downloading habits can keep you 100% safe.

Put simply, if you never do anything that could expose you to malicious code, you can’t get infected.

Photo by Simon Rae on Unsplash

PINless Payment Cards

Using a PINless, contactless debit or credit card is incredibly simple. However, what happens when your card comes close to a piece of hardware that is designed to read it and steal the details? You could be standing next to somebody who has such a device in their pocket and never know that your card details have been stolen in this way, until the money is gone from your account. The good news is, the way to mitigate this problem is very simple. Get yourself an RFID blocking wallet or purse, and keep your cards inside it.

In Conclusion

Although the technology that we need to be concerned about with regards to security is fast changing, for the most part, common sense is still a perfectly capable first line of defence. Unfortunately, as the number of devices we rely on grows, and the connectivity between these devices becomes ever more complex in its implementation, the number of potential vulnerabilities increases. Keep your own cybersecurity in mind at all times, and try to do nothing that could expose you to risk.

If you want to learn more about Cyber Security, feel free to visit our Blog, or read about the Services we offer to protect Small and Medium Businesses. We also invite you to Talk to Us if you have any specific concerns or would like expert advice on this subject.