For most of us, the only time we brush up against the government’s Foreign Office is for passports or travel advice for people brave enough to go further off the beaten track than the Costas. However, the FCO (it’s actually the Foreign and Commonwealth Office) has a much wider brief, and, along with, for example, Human Rights, has taken a great interest in cybersecurity – which is without doubt a global issue.
Our government institutions are, after all, heavy users of technology, and at constant risk of attack from unscrupulous hackers. Indeed, many believe that there is a constant cold war and arms race under way in cyberspace.
In late 2011, therefore, the FCO participated in the London Conference on Cyberspace, at which the Foreign Secretary said that “cyberspace must be secure and reliable so that it is trusted for online business”. One of the results of the conference is an exceptionally comprehensive yet readable and well-structured set of advice sheets called “10 Steps to Cyber Security”, which has recently been published.
The 10 Steps are designed to be comprehensive enough for larger businesses to implement: a framework which IT managers can apply to their technology infrastructure irrespective of its size or rate of growth. However, there’s plenty of advice which is also applicable to, and easily used by, small businesses.
You can find all the documentation on the 10 Steps here (and it won’t take weeks of effort or a degree in computer science to read, either):
For smaller companies, however, we have collected some of the key pieces of advice here, in bullet form.
- Your information risk management regime
  - Treat cyber threats like any other business risk (fire, theft etc.). Assess the risk and take reasonable, proportionate countermeasures. Don’t under-protect, but don’t go overboard either.
  - Revisit internet security regularly – it’s not a one-off issue to file in a drawer.
- User Education and Awareness
  - Train staff on acceptable and secure use of your IT systems. Refresh the training regularly.
- Incident Management
  - Prepare for trouble, even if the response will just mean unplugging one machine and switching to a spare. Work out what you need to do to keep working.
  - In particular, prepare for data loss, a crashed website, and anything else that could cripple your business activities.
  - Write a plan – it might take a day to produce, but it will ensure a calm response in a crisis.
- Secure Configuration
  - Always apply security patches and updates, both for the operating system (e.g. Windows) and for individual programs. Updates are well automated these days, so this should be pain-free.
  - Keep a list of the devices on your network, and audit their patch status every quarter.
- Malware Protection
  - Install appropriate anti-virus and other protection as necessary, and keep it up to date.
  - Run full device scans regularly.
- Home and Mobile Working
  - Apply the same baseline of security (e.g. anti-virus software) to all devices used away from the office – even equipment owned by staff.
  - Protect company information when it’s away from the office, for example by encrypting laptops and portable drives so that a lost device doesn’t become a data breach.
- Managing User Privileges
  - Temptation is a strong motivation, even for generally honest employees. Don’t give everyone access to everything by default: give staff only what their job requires, and keep administrator accounts for administration rather than day-to-day use.
- Removable Media Controls
  - Make it mandatory to scan USB dongles and flash drives etc. before they are connected to company systems. Many anti-virus programs will do this automatically.
- Network Security
  - Protect your office against both external (perimeter) attacks and internal ones (staff negligence or theft).
  - Again, test your controls regularly – to do this well, learn to think like a thief!
- Monitoring
  - This is the step least applicable to small businesses, but worth mentioning for completeness of the strategy. If possible, monitor network traffic for unusual activity which could indicate a cyber-attack.
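As an added illustration of the Secure Configuration step (keep a device list, audit patching quarterly), here is a small Python script. It is not part of the 10 Steps documents or the original post; the hostnames, dates and the asset register are all constructed for the example. It reconciles the register against the hostnames seen on the office network (in practice you would export those from your router’s DHCP lease table) and flags three things a quarterly audit should catch: devices not patched within the last 90 days (or never recorded as patched), devices on the network that the register knows nothing about, and registered devices that were not seen at all.

```python
"""Quarterly patch and inventory audit for a small office network.

Added example: hosts, dates and the register below are constructed,
not taken from the 10 Steps guidance or the original article.
"""
from datetime import date, timedelta

# Constructed sample asset register. In practice this is the list of
# devices the business keeps (spreadsheet, ticketing tool, etc.).
INVENTORY = [
    {"host": "reception-pc", "os": "Windows 7", "last_patched": "2012-12-20"},
    {"host": "accounts-pc", "os": "Windows 7", "last_patched": "2012-08-15"},
    {"host": "boss-laptop", "os": "Windows 7", "last_patched": "2012-11-30"},
    {"host": "old-server", "os": "Windows Server 2003", "last_patched": "2012-03-01"},
    {"host": "print-server", "os": "Linux", "last_patched": ""},  # never recorded
]

# Constructed sample: hostnames observed on the network this quarter
# (hypothetically exported from the router's DHCP lease table).
SEEN_ON_NETWORK = {
    "reception-pc", "accounts-pc", "boss-laptop", "print-server", "unknown-android",
}

AUDIT_WINDOW_DAYS = 90  # "audit patching every quarter"


def parse_date(text):
    """Return a date for an ISO 'YYYY-MM-DD' string, or None if blank."""
    return date.fromisoformat(text) if text else None


def stale_devices(inventory, today, max_age_days=AUDIT_WINDOW_DAYS):
    """Hosts not patched within max_age_days of today.

    A blank last_patched field is treated as 'never', which is the
    worst case and so is reported as stale rather than silently skipped.
    """
    cutoff = today - timedelta(days=max_age_days)
    stale = []
    for item in inventory:
        patched = parse_date(item["last_patched"])
        if patched is None or patched < cutoff:
            stale.append(item["host"])
    return sorted(stale)


def unknown_devices(inventory, seen):
    """Hosts on the network that the asset register does not list."""
    known = {item["host"] for item in inventory}
    return sorted(set(seen) - known)


def unseen_devices(inventory, seen):
    """Registered hosts not seen: off-site, switched off, or quietly retired."""
    known = {item["host"] for item in inventory}
    return sorted(known - set(seen))


def audit(inventory, seen, today):
    """Run all three checks and return them as one report dictionary."""
    return {
        "stale": stale_devices(inventory, today),
        "unknown": unknown_devices(inventory, seen),
        "unseen": unseen_devices(inventory, seen),
    }


if __name__ == "__main__":
    report = audit(INVENTORY, SEEN_ON_NETWORK, parse_date("2012-12-31"))
    for check, hosts in report.items():
        print(f"{check}: {', '.join(hosts) or 'none'}")
```

Each of the three lists is a question for a person, not an automatic verdict: a stale machine may be a laptop that has been away, an unknown device may be a visitor’s phone on the guest Wi-Fi, and an unseen server may have been retired without anyone updating the register. The point of running the reconciliation every quarter is that those questions get asked at all.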
Few small businesses have the time or financial resources to implement best-of-breed protection in all these areas. Indeed, large companies that cover all these bases have fat technology departments working on this sort of thing full time. However, the advice is strategically very sound, and if you use this framework to inform your thinking and future security purchases, you will massively reduce your exposure to online risk. Plus, of course, as your business grows (which we obviously hope it will), the framework will remain valid.