The cyber security threats faced by businesses of all sizes did not let up in 2020. A barrage of bad news throughout the year left no shortage of topics for opportunistic phishers to hack into, with some estimates putting the ill-gotten gains of ransomware attacks at over $1 billion.

We also saw failures in the basics of cyber security lead to high-profile attacks. Weak passwords like ‘solarwinds123’ and ‘MAGA2020’ played their part in hacks of the SolarWinds IT management company and Donald Trump’s Twitter account respectively, both of which made global news at the end of the year. 

From opportunistic phishing to companies missing the basics, we saw it all in 2020. In this post, I’ll cover a number of different steps that you can take to combat the latest trends in cyber crime, which, if implemented, will stand your business in good stead this year.

1. Assess assets and determine objectives

We are at the point where there is no need to convince most people in business management about the threat of cyber crime. Instead, I recommend involving your management team or board in implementing a security management system like those found in ISO 27001 and IASME. 

Defining security objectives based on the value of your assets to hackers will help you to set up these systems, and will give you goals against which the business’s leadership can measure performance. This approach improves transparency in your processes and encourages senior leaders to buy into your security activity.

2. Adopt Cyber Essentials (Plus)

Cyber Essentials is an NCSC certification that helps you to fix the basics of cyber security in your business. It is an ideal step to take towards protecting your business against opportunistic attacks that target obvious weak points in your security. 

I actually recommend going one step further and attaining Cyber Essentials Plus, which adds 3rd party assurance that you have implemented baseline controls effectively.

3. Avoid opportunistic cyber security sales

Recent years have seen a rise of snake oil salespeople in the world of cyber security solutions. There are a number of red flags when considering the effectiveness of a given solution, including:

• ‘Military-grade encryption’ – it’s almost certainly not military-grade and it doesn’t guarantee safety in any case.

• ‘Solve all security issues’ – no solution can solve everything.

• ‘100% secure’ – can the provider prove this?

• Excessive technobabble – has it actually been proven to work?

When assessing the merits of a solution provider, look for reputation, references, 3rd party accreditation and consider a 2nd party audit.

4. Get ahead if you’re part of a secure supply chain

The cyber security demands on sensitive supply chains are greater than those on many other businesses. I expect to see increased compliance requirements as time goes on, with an emphasis on governance-oriented standards like ISO 27001 and IASME. ISO 27001 takes, on average, a year to obtain, so it’s worth planning for it now if you haven’t already done so.

5. Make an incident response plan

Having an incident response plan will prepare you to act quickly should your business fall prey to an attack. Practice the plan regularly and make sure you know who to contact if the incident exceeds your own skills to deal with. You should also check whether or not you have insurance that covers external emergency response costs.

6. Assess information flows

This is a more advanced step that requires a full assessment of how information flows throughout your business and assets, including which systems or services need direct internet access. If a service or system does not need internet access, consider running it in an isolated network segment.

7. Adopt a zero-trust approach

Zero trust is an emerging approach intended to restrict access to services to trusted people from trusted environments and devices. I expect to see more being written about this topic throughout 2021. A good starting place is the principle of ‘know who is accessing your systems,’ which aligns with Cyber Essentials guidance.

Where to begin

If some of these steps are unfamiliar to you, I recommend starting with certifications and standards. As much as it’s important to be aware of advanced threats, basic errors were still costing businesses throughout 2020. Completing Cyber Essentials (or Cyber Essentials Plus) will help you to put your house in order and iron out the basic mistakes that could leave your business vulnerable.

Depending on your industry and resources, following up with standards like ISO 27001 or IASME is the next step towards demonstrating your compliance with cyber security processes. These standards take a while to complete, but the potential reward is an accreditation that shows anyone who’s interested that your business is compliant with industry best practices. If your business operates as part of a sensitive supply chain, we recommend pursuing a standard like one of these even more strongly.