Five easy wins in cyber security
Simply sign up to the Cyber Security myFT Digest -- delivered directly to your inbox.
For companies that cannot afford a dedicated security team, protecting against cyber attacks can seem daunting — but even simple technologies and processes can improve a business’s defences.
Here, then, are five easy technology wins, recommended by cyber security professionals.
1. Make security solutions standard
“Multi-factor authentication (MFA), regular software patching and backups, antivirus solutions, and security awareness training . . . should be standard in any organisation regardless of their size,” says Lisa Ventura, founder of Cyber Security Unity, a global community that aims to combat the growing cyber threat. She also recommends the following checks:
Firewall configuration Configure network firewalls to block unnecessary incoming and outgoing traffic, allowing only essential communication;
Endpoint protection Install endpoint protection solutions, such as antivirus and anti-malware software, on all devices;
Password management tools Use password management tools to generate strong, unique passwords and store them securely.
Other solutions companies should consider include “intrusion detection and prevention systems” (IDPS), “security information and event management” (SIEM), secure email gateways, and web filtering.
2. Switch to zero trust network access
In this new hybrid working era, companies are increasingly transitioning from “virtual private networks” (VPNs) to “zero trust network access” (ZTNA). ZTNA assumes all connection requests are hostile, enabling companies to create tailored authentication policies for granting secure access.
“Alongside its large security benefits, many companies have also found ZTNA to be a good replacement for their ‘wide area network’ (WAN),” says Marion Stewart, chief executive of managed security service provider Red Helix. “It connects straight to the desired location instead of going through the corporate firewall and slowing down the user experience.”
3. Consult on use of artificial intelligence
Artificial intelligence (AI) can now be used to identify threats quickly and efficiently — and free up your security team.
“The volume of threats facing organisations, and the novelty of attack methods, has grown exponentially in recent years, making it extremely difficult for human security teams to monitor, detect and react to every threat or attempted attack,” warns Hanah-Marie Darley, director of threat research at cyber security group Darktrace. “Today, thousands of organisations entrust AI to interrupt in-progress, sophisticated attacks without trying to rely on humans to take the sledgehammer out and interrupt wider business operations in the incident response process.”
She says AI-powered solutions can be powerful in dealing with novel threats — such as never-before-seen attacks that might slip past traditional security controls.
4. Factor in the humans
Even with these technical solutions, companies can forget the human aspect of securing a business. But it is essential to develop a security mindset in the workforce.
Cate Pye, partner and cyber expert at PA Consulting, says companies need to engage individuals and give them pride in the fact they are looking after people’s data — and make it easier for them to do the right thing, or harder to do the wrong thing. She cites the example of an email system that pops up a vignette of a news story about a cyber attack if an employee tries to click an external link. This forces employees to check before clicking. “It makes you delay, and think slower — you have gone out of ‘automatic’ mode,” says Pye.
Companies must also close loopholes when employees leave. A 2022 survey by security provider Beyond Identity found that nearly one-third of employers suffered a website hack due to ineffective offboarding of staff. “One of the biggest vulnerabilities is an account of an employee that’s left, and it hasn’t been disabled,” says Asam Malik, partner and head of technology and digital consulting at consultancy Mazars.
5. Wins that don’t cost a penny
Some cyber countermeasures can be implemented at no cost at all. These include creating a cyber incident response plan, conducting attack risk assessments on key third party suppliers, and simply changing complex passwords regularly.
Then there are the cyber defences you do not realise you already have. For example, many organisations use Microsoft Office 365 software for their daily tasks but are unaware it has security features, such as password management and MFA, included — they just need to be switched on.
“They’re not expensive,” says Malik. “But, even if they were, they’re never going to be as expensive as a breach to your company.”