IT Security

Cyber Security doesn’t necessarily need to be difficult. In fact, for the most part, good Cyber Security is about protecting and training your staff rather than technical IT security. Up to 98% of Cyber Attacks rely on Social Engineering, which means tricking your staff into giving out access details for their company accounts or other company information. By understanding the best ways to close off this avenue, you reduce your level of risk dramatically. The 3 best ways we've identified to secure your business are:-
 
  • Implementing MFA
  • Staff IT Security Training
  • Phishing Protection
 

Multi-Factor Authentication (MFA)

MFA, also referred to as 2-Factor Authentication (2FA), two-step verification and similar names, is the process of requiring a second step or factor when logging on to company systems or other Cloud services. This could include entering a code from an Authentication App installed on your phone, receiving an e-mail message with a code, or using an item such as a USB security key. This greatly enhances security: even if a password is shared with an attacker, they will still be unable to access the account without the second authentication factor.
 
Implementing MFA is considered the single most impactful change you can make to protect your company from Cyber Attacks. The vast majority of Cloud Services offer MFA as an option; however, most don’t enable it by default. For your critical IT services and data, we recommend you get MFA enabled as soon as you can, and look at implementing it on any other Cloud Services you use.
 

Staff Training 

As we mentioned above, 98% of Cyber Attacks rely on Social Engineering, and it’s clear that the weak link in most cases is the people, not the technology. To help prevent your staff being caught out, we recommend ensuring that they understand they will be targeted at some point, and how to avoid becoming a victim. We highly recommend the Baseline Briefings provided by the Cyber Griffin programme: a pair of hour-long online briefings designed to teach you how to defend yourself against common Cyber Attacks. These are aimed at non-technical people and you should consider mandating your staff to watch them.
 
 
There are also methods of performing fake phishing tests on your staff, to measure their responses to potential Social Engineering attacks. For clients using the Mimecast security system, we have run checks on clients' staff to ensure they’re responding correctly to a set of fake phishing e-mails. This allows us to understand which staff may fall victim to them and provide appropriate additional training where necessary. Other systems are available to do similar tests.
 
 

Phishing Protection

Continuing with the theme of dealing with Social Engineering, our final suggestion is to implement technical protection against phishing e-mails. In most cases these e-mails come from external e-mail addresses pretending to be staff members. Examples include:-
 
  • An e-mail to HR/Accounts asking to change bank account details
  • An e-mail to Accounts asking to urgently pay an invoice
  • An e-mail to a new or junior staff member from a senior staff member asking to buy gift cards
 
To help staff catch these, most e-mail systems let you add a notification to the e-mail making clear that it comes from an external source, rather than from the staff member’s normal e-mail address. To extend this protection further, for some of our clients we partner with Mimecast and use their Impersonation Protection system to flag up and block e-mails coming from outside the business that pretend to be from internal staff.
 
 
These Phishing protection checks and filters can be set up in Microsoft 365, Gmail or an internal Exchange server, or by using a dedicated mail filtering system such as Mimecast to provide an additional layer of security. Putting this in place again reduces the opportunity for someone to trick your staff into giving out company information or login details, or even transferring money to these criminals.
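To show what the two checks above actually do, here is a small, added illustration (not code from Mimecast, Microsoft or this page) of how a mail gateway tags an external sender and catches a message whose display name copies a staff member. The company domain, staff names and sample messages are all constructed for the example.

```python
import email
import re
from email.utils import parseaddr

# Assumed company data, constructed for this example.
INTERNAL_DOMAINS = {"example.co.uk"}
STAFF_NAMES = {"jane smith", "tom jones"}   # names an attacker may copy
EXTERNAL_TAG = "[EXTERNAL]"

def _name_key(display: str) -> str:
    """Reduce a display name to lower-case words so 'Jane  SMITH.' still matches."""
    return " ".join(re.sub(r"[^a-z]+", " ", display.lower()).split())

def classify(raw_message: str) -> dict:
    """Decide what the gateway should do with one inbound message.

    verdict: deliver - internal sender, left untouched
             tag     - external sender, subject prefixed with EXTERNAL_TAG
             block   - external sender whose display name impersonates staff
    """
    msg = email.message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    external = domain not in INTERNAL_DOMAINS

    # Two impersonation patterns: copying a staff member's name, or putting an
    # internal address in the display name while the real address is external.
    name_match = _name_key(display) in STAFF_NAMES
    fake_addr = "@" in display and display.rpartition("@")[2].lower() in INTERNAL_DOMAINS
    impersonation = external and (name_match or fake_addr)

    subject = msg.get("Subject", "")
    if external and not subject.startswith(EXTERNAL_TAG):
        subject = f"{EXTERNAL_TAG} {subject}"

    verdict = "block" if impersonation else "tag" if external else "deliver"
    return {"verdict": verdict, "from": addr, "subject": subject}

# Constructed sample messages (the gift-card scenario from the list above).
GIFT_CARD = "From: Jane Smith <jsmith.ceo@mail.example.com>\nSubject: Quick favour\n\nBuy 5 gift cards.\n"
SUPPLIER = "From: Accounts <billing@supplier.example.net>\nSubject: Invoice 1042\n\nPlease pay.\n"
COLLEAGUE = "From: Tom Jones <tom.jones@example.co.uk>\nSubject: Lunch?\n\nPub at one?\n"

if __name__ == "__main__":
    for sample in (GIFT_CARD, SUPPLIER, COLLEAGUE):
        print(classify(sample))
```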
 

Conclusion

EC2 IT have assisted our clients with the delivery of all of the above methods to boost their Cyber Security and reduce the risk to their businesses. Unfortunately, we have continued to see a rise in attempted Phishing across all of our client base, and this shows no sign of slackening. Having your Cyber Security in a good place, for example by implementing the security controls in the Cyber Essentials Certification, is a must for businesses in this day and age.
 
To find out more about how we can assist in improving your IT Security, please Contact Us.