What should SMEs do to avoid a cyberattack?
Advice from a security expert, Paul Delahunty, CSO, Stryve
Stryve, a Carlow-based private cloud and cyber security company, has shared its essential tips to help SMEs mitigate the risk of a cyberattack. In the days following a serious ransomware attack on the HSE, many Irish companies are wondering what they should do to reduce their exposure to a security breach.
Stryve, whose clients range from Irish SMEs to European government departments, says ransomware attacks are often firstly a personnel issue (a lack of adequate training) and secondly a technology issue, for example a lack of appropriate security systems and protocols.
Paul Delahunty, Chief Security Officer with Stryve, CISSP (Certified Information Systems Security Professional) and one of the country’s top security experts, offers the following advice.
The company ethos is key
“The people in any organisation are both your strongest line of defence and your weakest underbelly. They are the strongest when properly trained to have a cyber security outlook. From day one, the company must display a cyber security ethos and instil a cyber security mind frame in all employees. This must come from the top down. Data security should not be the responsibility of the tech department. The CEO, CFO, General Manager and Department Heads must buy into a culture of cyber security. Cyber security needs to be a standing item at senior management and board meetings. This is not always the case, and where it isn’t, mistakes happen. Regular training must be seen as routine.”
Backups, Backups, Backups
“Ransomware on a very basic level denies a company access to its data. A key component of your recovery plan is to have secure backups. Data is the modern currency. Its value cannot be underestimated. Companies that have robust and securely backed-up data can restore their data from a set time and date, get their data back up and running and resume business as usual without a total loss of business. If your backups are implemented correctly, you will at the very least get back on your feet quickly. But remember to test it regularly, as a backup system is useless if it isn’t working correctly.”
“It’s not a case of they don’t get their payday. They can get an even better payday by selling it off piecemeal on the dark web. Information about health is so so valuable”, Paul Delahunty, Chief Security Officer at Stryve, tells @thejournal_ie https://t.co/Bs93VAf2k4
— Purcell Masterson PR (@PM_Communicate) May 25, 2021
Put the basic technologies in place
“Not all companies can afford complex technology defences, but they can still do the basics and at a reasonable cost. For example:
- Keep your operating systems and device security patches up to date
- Ensure you have good anti-virus software that scans your devices regularly
- Use a good email filtering service that prevents spam and malware from reaching your employees
- Limit the device administrator privileges given to employees
- Where possible, use Two Factor Authentication to protect access to your most sensitive data and assets
- Consider using a managed Endpoint Protection solution
Cybersecurity is all about managing risk. This does not mean having the most advanced security defences in the world, but rather trying to lessen the window of opportunity for criminals to hack your network and steal your data. Each basic step you take closes that window a little more and increases your protection.”
Penetration testing at regular intervals
“In addition to all of this, your defences need to be continually tested. Vulnerability tests are highly recommended, but these only identify if you are open to known software loopholes and weaknesses. A recommended step further would be to implement regular penetration testing. This type of testing actually tries to take advantage of any vulnerabilities and see how they can be used to get around your defences, in the same way hackers would do.”
Know What’s Important to you and Have a Plan
“Make a list of your assets (an asset is anything that is of importance to your business, for example laptops, customer data, your product’s secret sauce). Identify which ones are the most critical to your business and put a plan in place to protect them. Have a Disaster Recovery plan and solution in place, and regularly test it. If an attack occurs, you need to know what to do, and you need to act quickly. A tested and well-rehearsed Disaster Recovery plan and solution are essential to this.”
“No matter how well trained your staff are, they are human at the end of the day… mistakes will happen. You need the technology in place to counter that. There are many solutions out there and we advise Irish businesses to consider the robustness of their system against security breaches,” concludes Paul Delahunty.