Actionable Advice For Improving Your Organisation’s Resilience To Cyber Attacks – From Workpro’s CTO

Our chief technical officer (Chris Ellis) has featured in an IT Supply Chain article exploring the importance of cybersecurity in our increasingly digitalised world. 

In the article, Chris pointed out that we’d seen a 600% increase in cybercrime since the pandemic – including a slew of successful attacks against major players like Cisco, Samsung and Nato. 

In the month after this article was published, an international ransomware group also made a successful attack on popular file sharing app MOVEit: exploiting a zero day vulnerability to access data belonging to organisations like PwC, Ofcom and the Irish Health Service. 

And CyberEdge’s 2022 Cyberthreat defence report estimates that a staggering 81.4% of UK businesses experience at least one cyber attack per year. And that’s not accounting for successful attacks that go undetected. 

In light of these statistics, it’s fair to say that cyber security has to be a major priority for most businesses operating today. 

As Gallagher’s Tom Draper puts it, failure to maintain an adequate defence “exposes organisations of every size to the risk of financial and reputational damage” that can prove crippling in the long term – necessitating serious investment in preventative measures designed to minimise the likelihood of a successful attack. 

Now, we know this will be beyond obvious if your business is a large, consumer facing organisation that handles a lot of sensitive information about members of the general public. 

Ombudsmen, government departments, financial service providers, insurance brokers and the like will all be moving to establish robust processes in place to avoid a repeat of the MOVEit breach and safeguard the sensitive information they’re charged with protecting.

But smaller orgs also need to be very careful about safeguarding things like the employee personal data stored in their payroll or HR systems, which is why we’ve decided to publish this guide to stepping up your cybersecurity – and protecting your data from unauthorised access. 

Taking Ownership Of Cyber Security 

First things first, it’s important to establish where the responsibility for improving cybersecurity lies.

Most organisations will have a dedicated IT department that will spearhead coordinated efforts to protect sensitive data. But there are still things that other departments can do to reduce the likelihood of a successful attack. 

Some of these precautions involve minor changes to internal policies; things like adopting two factor authentication, using a password management app or implementing a routine for ensuring that software is kept up to date. 

But it’s equally important to ensure that all departments are vetting the security credentials of any vendors who’ll be handling or storing sensitive information. This includes the people who make your payroll and holiday booking software and your HR case management software.

It’s important to remember that when they’re made in conjunction, these changes can make a significant difference to your organisation’s overall resilience to all sorts of harmful cyber attacks. 

Which is to say that there’s tangible value to making individual departments at least partially responsible for their own cybersecurity where possible. Even if your IT or dedicated cybersecurity team still has to take ownership of the whole piece. 

Improving Internal Processes

According to our CTO Chris Ellis, there are a number of relatively simple steps you can take to improve resilience across your organisation, including:

• Installing Anti-Virus Software. These programs are designed to detect and remove viruses and other malicious software from your computers or laptops. Without them, devices can be infected by inadvertent downloads of malware in an attachment linked to a dubious email, or hidden on a USB drive – enabling malicious actors to access sensitive information or launch attacks designed to disable your infrastructure.

• Patching your operating systems and software. Software vendors use patches to enhance performance, fix bugs before they happen and close vulnerabilities before bad actors can exploit them. Make sure that routine updates are applied across all systems and that staff aren’t ignoring patches that require manual installation.
  
  
• Skilling up internal teams. Making sure that all staff, whatever their responsibilities, are aware of the many ways that hackers can worm their way into systems, such as phishing, is key to ensuring resilience. Best practice email and password protocols are vital, as is a good working knowledge of how phishing operations work.
   
• Using a password manager. Assuming that teams use multiple SaaS platforms to run their day to day operations, it is inevitable that there will be numerous different passwords, which are a primary vulnerability. A password manager app on devices stores passwords, so users don’t need to remember them. Once logged into the password manager using a “master” password, it will generate and remember passwords for all online accounts.
  
  
• Using multi factor authentication. This is a layered approach to securing data and applications where a system requires a user to present a combination of two or more credentials to verify a user’s identity for login. This is increasingly commonly used in personal circumstances such as online banking and is very effective at shutting the criminals out.

Vetting Vendor Security Measures

When you partner with vendors that are going to store or process sensitive information for your organisation, it’s important to remember that you are increasing your overall attack surface.

In plain English, this simply means that you’re increasing the number of entry points potential bad actors can use to attack your organisation or obtain privileged data. 

This is fine as long as vendors have sufficiently robust security practices and are actively taking steps to mitigate risk but if vendors fall short on this front, you open your organisation up to unauthorised access, data breaches or data leaks that can damage your reputation and disrupt business operations.

It’s also important to note that engaging or working with vendors that don’t meet basic security or data protection standards can put you in contravention of various industry-specific and general data protection regulations.

Were an attack to happen when you’d neglected to vet a bad vendor, you may open your organisation up to non-compliance fines or more serious legal penalties so it’s always worth taking the time to double-check that all vendors/suppliers meet the minimum standards for cybersecurity. 

To help you do this, we’ve outlined a relatively-simple 8-step process that should allow you to establish a vendor’s security credentials and ensure full compliance with any relevant legislation:

1. Identify your own security requirements. It goes without saying that you can’t vet vendors until you’ve established a set of specific security requirements that are important for your organisation. 

These will often be vertical-specific and often depend on the regulations set by industry bodies or regulators, but they could include factors such as data protection, encryption, access controls, incident response, and compliance with relevant standards or regulations.

2. Request vendor documentation. Vendors who understand the importance of cybersecurity will always have documentation pertaining to their security controls and cyber defences.
   
   Either head to a given vendor’s website or ask the vendor to provide documentation regarding their cybersecurity practices. This will often include things like security policies, incident response plans, data protection measures, employee training programs, and any relevant certifications or audits they have undergone.
   
   
3. Evaluate vendor's security controls.  Assess the vendor's technical and procedural security controls. This may involve reviewing the documentation mentioned above to analyse network architecture, access management processes, encryption methods, vulnerability management practices, and data backup procedures.
   
   Ensure they have appropriate measures in place to protect against common threats, and if you don’t feel qualified to make a judgement call remember that you can always involve your own IT department to help you get a handle on a vendor’s setup.
   
   
4. Assess third-party security. If a vendor relies on any third-party suppliers or subcontractors, you’ll want to inquire about their security practices as well.
   
   Weak security measures at any point in the supply chain can impact your organisation's defence against cyber attacks so it pays to be thorough and exacting when going through this process.
   
   
5. Verify compliance and certifications: Check if the vendor complies with industry standards and regulations relevant to your organisations.
   
   You can also ask whether vendors have relevant certifications like  ISO 27001 accreditation, which tells you a lot about their internal security measures and overall approach to cybersecurity.
   
   
6. Review incident response capabilities. Alongside plans and certifications, it’s also worth enquiring about a given vendor's incident response and recovery capabilities – paying particular attention to the way they detect and respond to security incidents to ensure that they’re across everything.
   
   
7. Assess contractual agreements. You should also take time to carefully review the vendor's contract or service-level agreement (SLA).
   
   Ensure it includes specific provisions related to cybersecurity, data protection, breach notification, and liability in the event of a security incident. Seek legal counsel if necessary.
   
   
8. Perform periodic audits. It’s tempting to double-check a vendor’s credentials once, and then assume that everything will be fine going forward.
   
   But as any expert will tell you, cybersecurity is a rapidly evolving field that is always changing. Periodically assessing a vendor’s security measures helps to ensure they maintain a strong security posture over time.

Generally speaking, good vendors will make any and all of this information readily available to you at any point. We list our own data security credentials on the privacy page of our website and also make detailed information about our data protection policies available to any prospective, past or current customer on request.

If you’d like more information about cybersecurity or enhancing your organisation’s overall resilience to bad actors, the ICO have a helpful document that walks through the basic precautions in more detail – including a breakdown of things like physical countermeasures and advanced vetting procedures.

A version of this story appeared in:

• IT Supply Chain
• Silicon Scotland