The next blog in our Cybersecurity Awareness Month series covers 10 tips organisations can take to improve their cyber security without spending huge sums of money. Whilst some of these will be quite basic, the beauty (and challenge) of cyber security is that often having good hygiene will help you just as much as investing thousands in a piece of technology or service.
We’ll explore some of the broader challenges and ways around them in our last blog of the month, which will cover some of the ‘higher-end’ options (spoiler alert, such as how to build an effective security operation). But for now, in no particular order, here are our top 10 things to do and check to instantly improve your security posture:
- Be sure you know what IT assets you have, where
When you say this out loud, it sounds obvious. However, a huge number of organisations, of all sizes, can’t say for sure how many IT assets they have, where they are and what they should be interacting with on an average day. How can you hope to spot something that shouldn’t be happening on your network when you don’t know what should be happening on it?
- Review current policies with a security lens
Cyber security is a company problem. Don’t just assume your cyber security and IT policies will cover all security requirements, go back and review non-cyber policies to ensure they cover security considerations alongside their focus.
- Ensure your organisation is using multi-factor authentication (MFA)
Even the most basic two-step verification (e.g. a phone number to text a code to) can massively improve your organisation’s cyber security. Google found that just having a recovery phone number “can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks”. Of course, MFA, especially text-based, isn’t fool-proof, but it’s certainly better than not having anything in place!
- Try the NCSC’s ‘exercise-in-a-box’ tool
This tool allows organisations to test how resilient they are to cyber-attacks and practice their responses in a safe environment, covering technical, people and process. Don’t leave it until you’re being attacked to test how well you can respond!
- Baseline with Cyber Essentials
Cyber Essentials is a great place for organisations to start to improve their cyber security. Apply for it and find out more with IASME.
- Patch, patch, patch
As we’ve said, basic hygiene is critical to better cyber security and ensuring your devices, systems and network are patched regularly is the bread and butter of hygiene.
- Reduce your admin accounts
Trust us, you almost certainly don’t need as many admin accounts as you have. Following the principle of least privilege (POLP) is a good starting point – reduce admins to the minimum required and reduce rights of admins to the minimum required – consider whether all admins will need the same access rights.
- Reduce your technology footprint
Technology is often touted as critical to improving cyber security and there are some brilliant tools out there. However, be sure to review your tech stack regularly and make sure you actually need (and use!) everything you have. More technology means more things to not be correctly installed or fully patched (and more tools that may have a zero-day exploit that patching can’t fix at this stage) and therefore a larger attack surface for threat actors to exploit. Start with any cloud licences you may have – often these will come with security tools meaning you can not only reduce your risk, but reduce your spend on licences by de-duplicating some of your technology. By doing this simple step you not only reduce your attack surface, but may free up some budget to spend on actually improving your security posture.
- Read the NCSC’s Cyber Assessment Framework (CAF)
The NCSC’s CAF guidance lets you review your security posture holistically and is a good starting point to prioritise future investments in cyber security to plug your biggest gaps.
- Bring employees along with you It’s important to benchmark and improve employee awareness, but consider your culture and employee base before simply jumping into simulated phishing exercise and other such tools. They can be very useful, but just be sure that you bring employees along with you and treat them like adults, making it clear that cyber security is everyone’s responsibility. Creating a no-blame culture encourages employees to raise security risks more readily, without fearing it will impact their standing at work.
In Summary
Remember, whilst some of these seem simple or like they wouldn’t stop a highly sophisticated attack, simple steps are critical whether you’re a start-up or a multi-national with millions of pounds in your cyber budget.
The goal of most organisations should be to improve their cyber security incrementally and continuously and to make them less of an easy target than their neighbour, by reducing the attack surface. After all, attackers are effectively a business with limited resource and most will simply try the simple techniques and move on if they don’t work.
If you have any other tips to add let us know and we’ll collate and share them. Look out for our next blog in the series, covering the diverse world of cyber security careers.
