I was asked to give a 10-15 minute presentation (or talk of sorts) at the Gone Fishing 4 Business network group around practical tips and things people could do in order to improve their own cyber security.
The session itself became very interactive and overran quite a bit, so I won’t go in to the full detail here, but the highlights we discussed were:
This is a UK Government scheme aimed at helping small businesses (1 – 250 employees) practical and simple steps to take to improve their standing in terms of cyber security.
Cyber Essentials is backed by an accreditation which comes in 2 parts, Cyber Essentials & Cyber Essentials Plus. The first is pretty basic and is ultimately a self-assessment questionnaire that an organisation can submit along with a small fee (£300 at time of writing) to become accredited.
The basic 5 points of Cyber Essentials are:
- Updates & Patches
- Least Privilege
- Perimeter Security
- Modern Antivirus
- Strong Passwords
The website (www.cyberessentials.ncsc.gov.uk) goes in to more detail, but that is the essence of Cyber Essentials. From our point of view, these are very simple steps and a great start (note: this is by no means an exhaustive approach to cyber security).
Cyber Essentials Plus takes this further and involves a 3rd party, but (at time of writing) the extra steps involved aren’t as openly discussed.
On the handout I passed around I had printed out a list of the 50 most common passwords. I’ll save you from the eyesore that was a lot of “123456” and “password1” type entries and get to the point: How can you create secure passwords?
You’ll need 2 things. 1st, you’ll need an approach for setting unique passwords, so why not #ThinkRandom?
- 3 Random Words
- Mix upper and lower cases
- Add a number
- Use spaces, hyphens & underscores
That’s a password with 25 characters, capitals, lowercase, numbers and specials (& you’ve probably already memorised it).
Note: Please do not use that example, I’m using it everywhere, so it will probably make it on to the “list of things to try” pretty quickly.
Secondly, you’ll need somewhere to store all of those unique passwords.
We use KeePass ourselves, but there are others (try searching for “Password manager”). KeePass even has a tool in it to create random passwords of a given length, and it will copy & paste them for us! So we can create 50 character passwords that we don’t need to remember.
Sidebar: Why are unique passwords so important?
The issue with using the same password for everything (a.k.a. password reuse), is exactly that: I’m using it everywhere.
My password for the super secure bank I use is pointless if it’s the same as the password I use for the weakly protected volunteer sports league I go to.
This is because attackers won’t waste their effort on highly secure targets, but because it is a lot easier to attack weaker targets and expose information, they will try it. If they attack the sports league and my password is exposed, the attacker will try it everywhere (be that my email or my bank) as they know generally people reuse passwords quite often.
This is why you need a different password for each different service you use (not even just 3 or 4 you cycle through). You can change the pattern of words (like using a different colour) or just let something like KeePass take the hassle for you.
Taking IT Further
Taking Cyber Essentials as the base I’d then recommend all businesses undertake the following as the bare-minimum when it comes to their technology:
- Backups (following the 3-2-1 rule)
So, what’s this “3-2-1 rule”?
A backup can only be thought of (and relied on) as a “backup” if there are 3 different copies of a file, on 2 different types of storage media (e.g. a hard drive, a USB drive, a tape or “the cloud”) with 1 of those copies being off-site. For example this can be:
- Planning for refresh cycles
At the event I asked people to think about their cars, and I asked for hands up of those people still driving the same car after 3 years, then 5 years and finally 7 years. There was only one hand left up at the end.
A computer (be it a desktop or laptop) that is used day in day out needs to be thought of as a tool (much like a car), and tools have a useful life. With that said, different types of IT equipment have different useful life periods, so it’s hard to create a hard and fast rule, but the budget for the business should have refresh cycles planned in to it.
- Engage Experts Early
It’s important to engage experts in their area as early as you can. The early you bring these people up to speed in your world & what is going on, the earlier they can get solutions together and the more time they have to be creative to work around constraints you’re facing. This goes for pretty much any contextual element of a business, not just IT. For example, there’s not a lot an Accountant can help with in terms of tax planning when you’ve already sold your house.
I know this is a long post. If it’s prompted any questions that haven’t been answered, please feel free to get in touch.