IT PROVISION & CONTROLS
IT Service Provision, Physical Security, Controls, Breaches & Common Threats – Ransomware, Phishing, Smishing
This week’s paper looks more closely at some of the practices and controls you should consider adopting to support Cyber Security good practice. This includes the need to be vigilant around physical security and where you decide to obtain your IT support.
Often the physical security element is overlooked when we discuss cyber security issues. In reality, the physical security of your premises and the equipment within it, along with any computer or device operated away from the business premises is a very important part of your cyber security plan, and something we will look at in more detail.
As cyber-attacks become increasingly sophisticated, the importance of having your IT infrastructure created, managed, and supported by a reputable supplier cannot be overstated. They should work in partnership with you to create a cyber security plan covering the hardware they supply and the software they approve for use within your business.
When was the last time you had a dialogue with your IT provider about a cyber security plan? Have you ever asked a third party to carry out a cyber security audit on your IT provider? Ideally, the IT provider should have their own independent audits that they can share with you.
The potential impact of a breach can affect many aspects of the business, from the impact on hardware and software through to loss of reputation and the impact on your bottom line.
Your IT provider should also, in effect, be your IT and cyber security partner. If you believe they may not be, you should think seriously about reviewing their ongoing suitability.
Don’t underestimate the importance of physical security. Unlocked access points such as doors, cabinets and desk drawers can all lead to places where personal data is kept and could then be accessed. Think about the paper that is stored either on business premises or at the home of someone working remotely.
Good practice should include destroying/shredding all paper that you no longer need or no longer need to keep physically, once you have scanned/uploaded it to the appropriate software.
Physical security also includes to whom you grant access to your premises and technology. The robust controls that you employ around these are key.
Ensure that you have the policies and procedures in place to counter threats, both physical and cyber. There are a number of approaches you can use with your IT provider and staff.
- Limiting remote access – Allowing others to have remote access to files may seem convenient, but if precautions are not taken, your network may become compromised. Set access limits for only what an entity/person needs (e.g., contractor) and time limits (e.g., 1 month of access).
- Physical access – Ensure you are able to track who is on the premises at all times. Sign in and sign out any paper-based documentation that may include client personal information, such as client files and/or reports.
- Password protocol – rigidly adhered to across the business; consider employing password-generating software.
- Mobile device/removable media policy – Educate employees on best practices, automate security updates, and establish procedures for whether and how devices may be removed from the company premises.
- Identity and access management (IAM) – Through a framework of policies, procedures, and technology that authenticates and authorises access, IAM solutions work to prevent unauthorised access across your environment. What processes do you have in place to monitor who has access and why?
- Multi-factor or passwordless authentication – Multi-Factor Authentication (MFA) adds a layer of security across your entire environment, and it is especially critical for accessing cloud applications and other resources.
- Upgrades – ensure that everyone across the company upgrades at the same time. Avoid running different versions concurrently. Failure to do so increases the overall vulnerability of the organisation.
- Access controls – Controlling access to applications can greatly reduce security risks. Consider implementing cloud governance to automate and streamline access management and policy enforcement.
- Monitoring and auditing – Auditing ensures that the safeguards in place are functioning properly and being maximised to protect the weakest links in the network. A yearly audit is recommended while monitoring (e.g., malware scanning) should be conducted throughout the year.
- Appoint – someone within the business to own these controls and ensure they are enforced.
At board meetings include cyber security as a standing board item.
What are the common threats you can help avoid with effective controls?
Some common attacks involve ransomware, phishing, and smishing:
Ransomware – Ransomware is a form of malware (software that is specifically designed to disrupt, damage, or gain unauthorised access to a computer system) that encrypts a victim’s files. The attacker then demands a ransom from the victim, promising to restore access to the data upon payment.
Phishing – Phishing is when criminals use scam emails, text messages, or phone calls to trick their victims. The aim is often to make you visit a website, which may download a virus onto your computer, or steal bank details or other personal information.
Smishing – a combination of the words “SMS” and “phishing” – is a scam where fraudsters use mobile phone text messages to trick you into opening a malicious attachment or link.
The best way to combat these is staff training and vigilance and a very clear approach to password protocol.
The regulator continues to raise awareness of the threat posed by cyber-attacks. In addition to seeing evidence of senior managers taking responsibility, they are also looking for good practice in how a business reacts once a breach has occurred.
Every firm should have a written breach policy that is clear and on which all staff are trained. Breaches reported to the FCA went up in 2021 by 52%.
Senior managers are responsible for ensuring that the processes and procedures are adopted by staff. Having a standing item on board/senior management meetings helps remind senior managers of the need for ongoing robust best practice adoption. This will help address FCA expectations.
The FCA expectations can be summarised as follows:
Respond swiftly and promptly; redress what you can; prioritise, and be able to evidence governance; and keep transparent records that clearly show the breaches and the remedial actions taken, including steps to prevent future events.
Staff awareness and training
Train all of your company’s employees on the expected behaviours and controls, and revisit that training regularly. Awareness of the security measures the company has in place to prevent cyber-attacks should always be high.
The most effective way to minimise successful cyber-attacks is to ensure that everyone in your organisation is aware of their responsibilities and adopts a best-practice approach to cyber security threats.
Our Cyber Security Month is Supported By Our Sponsors
Beyond Encryption is the industry standard for secure digital communications, working with major household brands such as Aegon, HSBC, Royal London, Origo, Paragon Customer Communication and Westcoast Cloud.
We’ve built the world’s most secure encrypted communications network, protecting and connecting advisers, providers and platforms throughout financial services and other aligning industries with our secure email solution, Mailock.
Mailock is our versatile software platform, enabling organisations to send customer communication securely via email. Mailock protects sensitive data through end-to-end encryption and multi-factor authentication capabilities, helping our customers to remain compliant, reduce costs, and improve operational efficiencies – not to mention achieving a positive environmental impact through the reduction of print, pack, and post.
With nearly 100,000 customers across 1.8k companies, we give organisations the freedom to exchange information confidently, cost-effectively, and with full compliance, supporting businesses on their digital transformation journey.
Westcoast Cloud are a pure-play cloud distribution partner, enabling over 750 partners to make the most of public cloud services, and the associated security that is needed to support their use.
From email security, anti-phishing software for Microsoft365, to advanced tools and security for Microsoft Azure, we educate and train partners to be able to provide the best-in-class Microsoft security solutions to over 34,000 end user customers.
Alongside these tools we partner with best-in-breed solutions such as Beyond Encryption. This ensures that markets which need that extra layer of security, such as financial services and legal organisations, can stop potential attackers and disrupters accessing your customer information without your knowledge. With Beyond Encryption’s advanced toolset, customers can control, manage, and maintain the security layers around their emails to ensure that the right information is reaching the right people all the time.