If you are a Small to Medium Enterprise (SME) working for a bigger organisation as a third party, how do you comply with your security obligations as per the contract, but not spend a fortune on security tools?
This seems like a good place to start for what you need to be doing to keep your business secure. The five technical controls specified in the Cyber Essentials framework are as follows:
- Secure your Internet connection
- Secure your devices and software
- Control access to your data and services
- Protect from viruses and other malware
- Keep your devices and software up to date
But what does that mean for your small business looking to do the right thing, but not spend a fortune?
Secure your Internet Connection
It is not difficult to ensure that your firewall is turned on. Windows comes with Windows Firewall and Mac OS has a firewall as standard too. It doesn’t take long to find a YouTube video on setting up Windows Firewall and Windows Defender or the Mac OS firewall. These firewalls are good enough to block the majority of bad stuff that may attempt to get onto your network. This is just basic stuff that everyone should be doing.
Secure your devices and software
Don’t share devices between home and work. The only exception to this should be your phone. If you have a device that is solely for work, then only you will use it. Access control becomes very straightforward.
You don’t have to contend with that tricky moment where your son has to come to tell you that the machine has been acting funny ever since he installed that latest game that all his friends are playing.
So get the extra laptop/desktop. And don’t let the kids on it. Reserve it strictly for work. No other games or other apps that may distract you from getting anything done. In this way, you will know exactly which applications are on the machine and you are limiting the number of places that bad stuff can get into the machine from.
Encrypt the laptop
Yes, I know it will slow down the machine, BUT it is 2019. The benefits far outweigh the consequences. Lose the machine or have it nicked in Peckham, and you have not lost or exposed the data. You have just lost the asset, and insurance can cover that. Yes, it will be a pain in the butt to create a new machine from your backups, but it is better than the conversation you would have to have with your client otherwise. Having to explain to someone how you managed to lose their data and that it wasn’t encrypted is not a nice conversation to have.
Backups. Lots of them. Constantly.
You are always likely to encounter a recovery event at some point. You might just install a new application that breaks everything. It might be ransomware or some other malware, your laptop might get pinched in Peckham, or your laptop might save your desk from getting wet when you spill the coffee.
And those backups must be encrypted. All drives/removable media without exception should be encrypted.
There is an argument that says if your backup drive fails (i.e. a hardware failure of the drive) then you will lose that data completely because it is encrypted. There is no way to recover the data from that failed encrypted drive. This is a slightly crazy argument. If you have concerns about drive failure, then you should be backing up to multiple drives or multiple clouds.
I have OneDrive, Google Drive, iCloud Drive and Dropbox. Many of my critical files have multiple copies in multiple places. All this requires is an understanding of what you least want to lose, and then having a schedule that copies it to another location every year, six months, quarter, whatever you need. I own a Mac and routinely use Time Machine on at least two hard drives.
Keeping data unencrypted is just a bad idea. Full stop.
Write your passwords down. I’m not kidding. Have a paper folder at home/office that has every key username and password in it. Keep it up to date. Keep it at home/office with the rest of the boring paperwork. Don’t advertise what it is on the cover. In this way you can have unique and complex passwords without having to remember them all. The only way they get lost is if your house/office gets burgled, and no-one will want to steal a paper folder. What happens if your house/office burns down? Ok. Now we are getting paranoid.
Or get a password manager application that generates and stores them for you.
The key here is not to re-use passwords for different websites/applications and not to have obvious ones that can be broken by tools really easily. If your password is a dictionary word with some combination of additional numbers or symbols, or a dictionary word with some letters replaced by numbers/symbols, such as an “a” replaced by an “@” or an “s” replaced by a “$”, it will take a good tool just seconds to break it. A password that is not formed of real words in some form is significantly stronger than one that is.
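As an added illustration of that point (example code written for this edit, not from the original post), here is the kind of check a sign-up form or password manager runs: it undoes the common letter-for-symbol swaps, strips the digits and symbols bolted on at the ends, and looks the result up in a dictionary. The dictionary here is a constructed handful of words standing in for a real wordlist, and the 12-character minimum is an assumption.

```python
import re

# Constructed mini dictionary for the demonstration; a real check would load
# a full wordlist (the system dictionary, for instance) instead.
DICTIONARY = {"password", "summer", "welcome", "dragon", "monkey", "london", "peckham"}

# Letter-for-symbol swaps that add almost nothing against a cracking tool.
SUBSTITUTIONS = {"@": "a", "$": "s", "0": "o", "1": "i", "!": "i",
                 "3": "e", "4": "a", "5": "s", "7": "t", "|": "l"}


def normalise(password):
    """Lowercase and undo the swaps, so 'P@$$w0rd' becomes 'password'."""
    return "".join(SUBSTITUTIONS.get(ch, ch) for ch in password.lower())


def strip_padding(word):
    """Drop the digits/symbols people add at the ends: 'summer2019!' -> 'summer'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", word.lower())


def is_dictionary_based(password, dictionary=DICTIONARY):
    """True if the password is a dictionary word once swaps and padding are undone.

    Both orders are tried: '$ummer' only reduces to 'summer' if swaps come first,
    'summer2019' only if the trailing digits are stripped first.
    """
    candidates = {strip_padding(normalise(password)),
                  normalise(strip_padding(password))}
    return any(candidate in dictionary for candidate in candidates)


def check_password(password, min_length=12, dictionary=DICTIONARY):
    """Return the reasons a password is weak; an empty list means it passed."""
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if is_dictionary_based(password, dictionary):
        problems.append("a dictionary word with predictable substitutions or padding")
    return problems


if __name__ == "__main__":
    for candidate in ("P@$$w0rd!", "Peckham2019", "mY-kettle-is-blue-74"):
        print(candidate, "->", check_password(candidate) or "ok")
```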
Use two factor authentication wherever you can
Google Authenticator, Microsoft Authenticator or similar. It is only slightly more inconvenient. But it may save the company from bankruptcy if you get phished. A successful phishing attack only takes one mistake. One time where you are not on your game. One time when you are not paying full attention. Don’t take the risk. Use Touch ID or Face ID wherever you can. These small things make it much harder for an attacker to pretend to be you.
The smaller the company, the easier it is to control access to your data and services. Make sure only people who need access have access. The easiest way to do this is to store as much of what you do in a cloud, with two factor authentication enabled for everyone. Permissions are then easy to set up, as the cloud becomes your server that everyone gets their data from. And it is safer up there than being looked after by someone who is not an IT expert inside your business.
Make sure you have anti-virus on every laptop/desktop you have. And make sure it scans everything at least weekly and checks anything new coming in, in real time. Make sure it is updating itself whenever it needs to, through auto-updates.
Keep your devices and software up to date
Patch, Patch, Patch. Make sure you are aware when the software you use needs to be updated. Set automatic updates wherever you can.
Do NOT use anything that is no longer supported by the vendor. Always make sure that the software is fully supported and plan your moves to new operating systems and applications accordingly.
This applies to your website too. If you run WordPress, get the Wordfence plug-in. It will tell you when a newer update is available for your other plug-ins or WordPress or your themes. It’s free. WordPress has so many exploits associated with it that it is key that you patch your website as soon as an update is available. Just search for WordPress on Exploit-db.com to see how popular it is with hackers as a target.
Make sure that your client only gives you the data you need to get the job done. Make sure you agree that at the beginning of the contract. If you have sensitive personal data (as per the GDPR definition), make sure you discuss data anonymisation with your client, and keep the minutes of that meeting.
Remove data when you no longer need it. Don’t leave data on your systems that you no longer need. You have obligations to remove it as soon as you no longer need it, so work out what that is and remove data on a regular basis. If you can do all of the above, you are in good shape. And you have not spent more money than you would have done for your home network of devices.