Cyber security protection - cloud, emails, hacking etc

andy43

Original Poster:

Wednesday 27th April 2022
I'm guessing Business is a better place to ask than Computers - here goes:

We're a firm of solicitors, using cloud based file storage from Microsoft and Quill (as well as tonnes of paper), Outlook and Microsoft 365 on PCs and laptops with password protected access for each account, and what our IT guy says is the best antivirus package on each PC and laptop. We're Cyber Essentials accredited and pretty clued up on what not to click on email-wise - it's very rare anything comes through that could be a threat.
Laptops only leave premises if essential. No memory sticks used.
There's a constant stream of Law Society articles on hacked and ransom'd practices - we'd ideally like to avoid being on that list.

We've been sent an email from https://cyberspecialops.com/
Cyber said:
Concierge Cyber is a low-cost membership that guarantees members emergency response to a cyberattack or data breach through a team of highly respected third-party service providers, on a pay-as-you-go basis, at pre-negotiated and substantially discounted rates.
Not put it past our IT man yet as the above proposal just seems to be a shoulder to cry on after the event.
I was just wondering - what else could we do to be as proactive as possible in terms of protecting our data from attack?
Change all passwords more regularly? Is there any benefit to getting further audits and hack-testing done or paying for extra protection of some kind?

TIA

sjg

Wednesday 27th April 2022
Microsoft give you quite a few tools out of the box. Reviewing Secure Score ( https://docs.microsoft.com/en-us/microsoft-365/sec... ) is a good starting point and will recommend what you can do to tighten up - for example, enabling 2FA on accounts. Things like that are quite straightforward these days and having people tap approve in an app once in a while isn't asking too much of them.

Generally though it's worth a high-level risk assessment and having a think about what you could do to mitigate or improve and if that would be worth spending on. Think through if you did get hit by ransomware - where can you restore data from? How quickly can you get computers rebuilt (with any apps etc) so people can work again? This should go down to basics - if laptops stay in the office, what if you got burgled? Is the data on them encrypted, and is there anything not stored/backed up elsewhere which you might lose? How quickly could you replace them?

andyb28

Wednesday 27th April 2022
This is something your IT team should be doing for you by default now.

However, the market is quite split between traditional break / fix IT people and the more modern proactive approach in an MSP (Managed Service Provider). My company is an MSP.

We have some customers who are Cyber Essentials, some who are Cyber Essentials + and some who don't do CE at all. We have found that the safest way of looking after our customers is to bring them all up to a certain standard and CE+ is the logical choice. So as such, we try to get all of our clients compliant, even if they don't require it. It offers peace of mind.

Cyber Essentials Plus is very similar to the standard one, except that you have an examiner come to your place of business and check to see if you are doing what you claim you do on standard. They use tools to scan your network; you can buy these tools yourself to check for weaknesses. This is a great starting point to see where your weak points are.

Hope that helps, happy to answer any further questions on this.
Andy

andy43

Original Poster:

Thursday 28th April 2022
Thanks for that, much appreciated.
The 2 factor authentication is a good shout, never even thought of that. I’ll look into the Microsoft secure score review, we should be upgrading to cyber essentials plus if it adds an extra layer of stress testing.
I think we’re currently probably using the break/fix IT solution, although they’ve been proactive with cloud, cyber essentials and so on.

bitchstewie

Thursday 28th April 2022
2FA where you can (and on Office 365 it's a must) is literally the biggest free win you get right now.

I've seen people get phished via 365 where there is no 2FA enabled and within minutes there are emails going out as the victim because the bad guys have their 365 credentials and just login as them and start sending very convincing stuff to people both in and outside the organisation.

Also think about how smart and aware your staff are around clicking links in emails etc. as modern antivirus will only get you so far and won't always protect against someone clicking a link in an email.

bitchstewie

Thursday 28th April 2022
Oh and if your computers are Windows 10 enable Bitlocker too so if your computers get lost or stolen someone can't just switch them on and get at your data.

Cyber Essentials is a bit weird IMO in that they go into detail on some areas that are arguably fairly minor but there are other areas I think most IT teams would consider essential (encryption and backups etc.) that it doesn't even mention.

drmotorsport

Thursday 28th April 2022
Others have already made good points, but make sure you've got defense in depth and layered security. Relying on a desktop AV package is too little too late.

MFA is an easy no brainer.
MS do M365 Defender subscriptions to filter out the bulk of bad things long before they get to the user.
Firewalls on the network edge are still a good thing.
Re laptops, make sure they're all Bitlockered.
Re other mobile devices, consider using Conditional Access to enforce minimum standards/ban use of users' personal devices for work.

Cyberprog

Thursday 28th April 2022
bhstewie said:
Oh and if your computers are Windows 10 enable Bitlocker too so if your computers get lost or stolen someone can't just switch them on and get at your data.

Cyber Essentials is a bit weird IMO in that they go into detail on some areas that are arguably fairly minor but there are other areas I think most IT teams would consider essential (encryption and backups etc.) that it doesn't even mention.
You need to do BitLocker+PIN to have real protection.
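To check the point made above across a fleet, the following is an added example (not code from any poster in this thread) using the built-in Windows BitLocker PowerShell module. It reports, for each operating-system volume, whether the drive is encrypted and whether its key protector is TPM-only (unlocks automatically at boot, which is what the "switch it on and get at your data" concern refers to) or TPM+PIN. The drive letter `C:` and the function name `Get-BitLockerPinReport` are assumptions for illustration; the commands must be run in an elevated session on Windows 10/11 Pro or Enterprise.

```powershell
# Added example, not from the thread: audit BitLocker protector type on OS drives
# and show how to move a TPM-only drive to TPM+PIN. Run as Administrator.
#Requires -RunAsAdministrator

function Get-BitLockerPinReport {
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -eq 'OperatingSystem' } |
        ForEach-Object {
            # KeyProtectorType is 'Tpm', 'TpmPin', 'RecoveryPassword', etc.
            $types = $_.KeyProtector | ForEach-Object { $_.KeyProtectorType }
            [pscustomobject]@{
                Drive            = $_.MountPoint
                Encrypted        = ($_.VolumeStatus -eq 'FullyEncrypted')
                ProtectionOn     = ($_.ProtectionStatus -eq 'On')
                TpmOnly          = ($types -contains 'Tpm')
                TpmAndPin        = ($types -contains 'TpmPin')
                RecoveryPassword = ($types -contains 'RecoveryPassword')
            }
        }
}

# TpmOnly = True with TpmAndPin = False means the disk is encrypted but the TPM
# releases the key automatically at boot; a pre-boot PIN is what the post asks for.
Get-BitLockerPinReport | Format-Table -AutoSize

# Moving the OS drive (assumed C:) to TPM+PIN. Group Policy
# "Require additional authentication at startup" must permit a startup PIN first,
# and the recovery password should be backed up before changing protectors.
# Uncomment to apply:
# Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
# $pin = Read-Host -AsSecureString -Prompt 'Startup PIN'
# Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $pin
# # If a bare TPM protector is still present afterwards, remove it so the PIN is enforced:
# $tpmOnly = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
#     Where-Object { $_.KeyProtectorType -eq 'Tpm' }
# if ($tpmOnly) {
#     Remove-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $tpmOnly.KeyProtectorId
# }
```

The report part is read-only and safe to run on any machine; the protector changes are commented out because they require the Group Policy setting to be in place and a backed-up recovery password, and a mistake there can lock the machine at boot.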

trickywoo

Thursday 28th April 2022
Worth checking your business insurance as most decent packages have IT coverage including ransomware and data recovery.

andy43

Original Poster:

Friday 29th April 2022
All really useful advice thank you.
I'm reading up on all this and getting together a wants/check list to attack our IT guy with - checking we have Windows Defender with our 365 (I think we do) then adding 2FA and Bitlocker seems to be the next step. Interesting Cyber Essentials misses out 2FA as that does seem like a no-brainer in terms of access security.

bitchstewie

Friday 29th April 2022
andy43 said:
All really useful advice thank you.
I'm reading up on all this and getting together a wants/check list to attack our IT guy with - checking we have Windows Defender with our 365 (I think we do) then adding 2FA and Bitlocker seems to be the next step. Interesting Cyber Essentials misses out 2FA as that does seem like a no-brainer in terms of access security.
Cyber Essentials is going there with MFA and it will be a requirement for cloud services next year where the cloud service supports it.

They already ask about it on the latest Cyber Essentials questionnaire.

Seriously just turn 2FA on now - there's literally no downside and you get so much from it.

skeeterm5

Friday 29th April 2022
A few additional thoughts to those already added.

You need a well-defined and rehearsed recovery plan in case the unwanted really does happen. If you suffer a successful attack then the last thing you want is to be running around like headless chickens. This includes how and who you will communicate with, e.g. your clients etc.

Why not make sure that the laptops and PCs can’t store data locally, that way you minimise physical threat through loss of a device?

Consider encryption of your data, both at rest and in motion. Again this protects against physical threat.

Most attackers will seek to compromise passwords as this is often the weakest link, so enforce a stronger password or other identification protocol.

A good data loss prevention tool is really useful so that you can monitor everything that leaves your network. If configured properly it can stop your data leaving your network, either directly or via alerts.

The National Cyber Security Centre has a really good website and they are really helpful for advice and are particularly helpful if you are attacked. https://www.ncsc.gov.uk/

Try some planned phishing type tests, you will be amazed how many people click on things that they shouldn’t.

In my opinion the insurance angle is a waste of time as it is almost impossible to prove that you were not at fault to trigger the policy.

There are a number of credible organisations that will do red team testing for you if you really want to understand your vulnerabilities, but this isn’t cheap.

Finally, Cyber Essentials is pretty basic, even the plus version. A better standard is NIST https://www.nist.gov/cyberframework or similar but not knowing the scale or complexity of your business it is hard to know whether this is overkill. Having said that, simply reading through it will give you a lot of food for thought.

MOMACC

Friday 29th April 2022
I'll happily advise you on what your insurance is protecting you from.

I'd be very surprised if your insurer is not already insisting on 2FA, tokenised not certificate-based, as a condition of their policy.