New Security Challenges…and How to Fight Them

When the global movers and shakers gathered at the World Economic Forum earlier this year, they got a unpleasant surprise — in the form of its Global Cybersecurity Outlook.

During the press conference, WEF Managing Director Jeremy Jurgens related that “93 percent of cyber leaders and 86% of cyber business leaders believe that a catastrophic cyber event is likely in the next two years.”

Jurgens was in part referring to malefactors like Russia and China making cyberwar on their enemies, whether real or perceived. But the threat is growing as well for businesses, big, small, and medium.

For example, recent ransomware attacks (criminals stealing data and then attempting to “ransom” it) temporarily shut down Canada’s largest bookstore chain and the UK’s Royal Mail.

These organizations have impressive security budgets and all the latest security tools and tech. If they can be victimized, how can a mid-market business keep itself safe?

The answer is more straightforward than you may think: it’s expert leadership in the C-suite.

As a CEO, you can’t be responsible for all the technical details. But you can, and must, be able to ask the right questions of the people responsible for security—and stay on top of them.

Most attacks use simple methods. The reason they’re successful is because companies have forgotten to get the basics right. So we urge you to ask your IT team or suppliers six simple questions:

1. Who is accountable for our security and risk strategy?
2. When was the last time we reviewed and tested our security?
3. Are security systems up to date? How do we know they’re up to date?
4. Do we have assessments or accreditations?
5. Are employees—including the CEO—regularly trained in cybersecurity and social engineering? Have we ever tested that training?
6. If we do end up in trouble, who’s in charge, and what’s the plan?

If your IT team can’t provide satisfying answers to all these questions, and quickly, then it may be time to consider IT leadership in the form of a fractional CIO, CTO, or CISO.

If you have any questions about cybersecurity or IT, feel free to get in touch. Unlike cyber criminals, we’re always up for a no-strings, no-pressure conversation.

For a more detailed guide to mailing down the basics, see our 13 key steps to cyber security comprehensive list of questions for non-technical board leaders.

Also see our Cyber Security Knowledge Center, which includes more plain-English content related to this topic.

17 Critical Cybersecurity Questions to Ask Your IT Team

Suddenly the office is closed, and everyone’s working from home.

The IT team is coping, but you’ve got nagging doubts about cybersecurity. You ask the IT team a few questions, but the answers seem to be in a different language!

17 Critical Cybersecurity Questions to Ask Your IT Team

Most cyberattacks are successful because basic steps haven’t been taken. Ask your IT team these 17 questions and reduce your company's risk of attack!

Download now for FREE!

Well, you should be concerned. Criminals are ramping up their activities because systems are more vulnerable when people work from home.

But there’s no need for panic. Most cyberattacks are successful simply because basic steps haven’t been taken.

Here is a simple checklist to ask the person in charge of IT. The answers should all be YES!

Protect your data

1. Do we know for sure that our backups are working?
2. Does data stored on a home user’s drive get backed up?
3. Does our central data storage have versioning?
4. Do we have a Data Loss Prevention system running?

Protect your remote devices

5. Do we have multi-factor authentication set up for our systems?
6. Will our anti-virus, anti-malware and patching tools automatically update for home users?
7. Has everyone who’s working from home signed a communications and internet usage policy?
8. Have we given cybersecurity training to the team within the last six months?
9. Are our legal policies appropriate for people working remotely and at home?

To continue reading, download the article above.

Visit our Cybersecurity and our Hybrid Working & Post-Pandemic knowledge centers, which have more useful content related to this topic.

How to Avoid a CRM Car Crash

Every CEO knows that customer information is a crucial asset. And how you manage customer relationships is vital. So of course you need to implement systems to help you standardize and manage Customer Relationship Management (CRM). Unfortunately, we’ve see countless CRM projects that fail, or CRM systems that are misused, underused, or never used at all.

So why is CRM a project that fails so often?

CEO's Briefing - How to avoid a CRM car crash

To find out how to swerve away from a CRM car crash download our latest CEO's briefing!

Download now for FREE!

This CEO’s Briefing explains the basics of CRM systems and why companies need them. It also presents the ten rules for avoiding a CRM project car crash.

Let’s start at the beginning…

What Is a CRM System? And Why Do Companies Use Them?

A CRM system aims to support all or part of the customer interaction. Typically the scope can include everything from prospecting, through the sales process, to ongoing support.

These days there are a host of small, low-cost or free options for CRM, such as Really Simple Systems, Zoho, or OnePageCRM. At the other end of the spectrum, most Enterprise Resource Planning (ERP) products, like SAP and Oracle, have their own CRM module.

There are products targeting digital marketing like Hubspot, and products targeting particular industries like Bullhorn. And of course, there are the usual suspects: Microsoft, Salesforce, Sage, and Sugar CRM/Access.

These products and their heavily incentivized salespeople generally promise the following:

• Standardized processes
• Support for complex marketing campaigns
• All data in one secure place
• Improved reporting on different channels, products, markets and individuals
• Eliminated dependence on key personnel
• Increased focus and responsiveness for customer-facing staff
• Integration of systems and processes to avoid errors and redundancies

So all you have to do is choose the best product for your company. It’s all pretty straightforward, right?

So Why Do CRM Implementations So Often Go Wrong?

There are two primary causes of a CRM car crash:

People issues. Systems are built by people and for people, and the most common cause of failure is people.

Complexity. As a project progresses, a clear vision gradually becomes overcomplicated. This leads to cost overruns, unresolved process or data issues, or a system that users find too difficult to operate.

Of course, these two issues aren’t unique to CRM. But in CRM systems they combine to form a toxic mix.

What Are the People Issues?

Sales people are notorious for their thick skin. This is no accident, as we often recruit them for this trait. We often want sales people to be single-minded — in fact, many organizations forgive or even expect some selfishness. It’s part of the traditional sales culture. Observance of rules and process, attention to details and admin are not.

And, from the salesman’s point of view, the benefits of a CRM may be for the rest of the organization or for the management.

Often central administrative staff and management define the system in order that it collects data they want for reporting and analysis, but the burden of collecting this falls on front-line staff who see no benefit themselves.

Many users of the CRM system may be thinking: “There’s no benefit for me in this CRM thing.” They pretend to be onboard, but really they’re not.

And where does the complexity come from?

There are three underlying sources of complexity.

First, the scope of a CRM system may be unclear at the beginning, and as the project progresses it is tempting to expand it. Many CRM products are extremely flexible, so they can be configured to support a huge range of activities — they can manage workflow, provide a framework for task management, create announcements and reminders, and integrate with other systems.

But all these features can get overcomplicated, especially if you need multiple internal experts and suppliers. And none of these add-ons come without a price.

Second, like any systems implementation, the focus needs to be on improving and automating the process in question, rather than continuing the same inefficiencies with new technology. This means confronting difficult questions about how and why things are done a certain way, and dealing with organizational questions that may be creating hurdles to change.

Finally, most organizations have 80/20 rules — in other words, most of the business is comprised of standardized products and processes, but a minority of business is done differently. Perhaps there is a longstanding sideline of bespoke products; perhaps some high-value customers get special service. This twenty percent can bring complexity to the entire system.

To continue reading, download the article above.

Visit our  ERP and Integration Issues Knowledge Center which includes all content related to this topic.

Learning from Travelex

Due to a cyberattack, Travelex, the world’s largest foreign exchange bureau, has been paralyzed for weeks. The reputational and financial impact on the company and its senior leaders will be severe. New laws and regulations, like GDPR and NY Shield, mean that such breaches can no longer be swept under the carpet, and the business losses will be compounded by huge fines.

Travelex is a wake-up call to all businesses. In today’s cyber-risk environment, maintenance of your basic IT infrastructure and services is critical to remaining profitable and even staying alive. You may be concerned that if a giant like Travelex gets hacked, how can a mid-market company protect itself? It’s actually pretty straightforward.

When we engage with clients, we talk about “getting the basics right.” A fundamental part of that is making sure the IT infrastructure and services are fit-for-purpose and up to date. If the basics aren’t right, then there’s no hope of looking at ways to use technology to grow the business and get ahead of the competition.

To provide you with a head-start, here are your first nine priorities:

1. Prioritize systems maintenance. All systems and services, particularly those that are connected to the outside world, must be kept up to date with the latest software patches. The IT team or your Service Provider must review and update systems in a regular, controlled manner.
2. Review your backups. Many malware infections encrypt your data and hold it for ransom. Frequent backups mitigate the chance of you losing everything. A regular complete backup of data stored somewhere with no connection to your systems – what’s called an air-gap – will greatly limit the damage of an attack.
3. Get a penetration test. Get a reputable security company to undertake an external penetration test of your systems and services. Resolve all the concerns raised in the results. Find your vulnerabilities and patch them before hackers find them for you!
4. Get certified. Spend some money, usually less than $12k on earning the Cyber Essentials Plus certification. The process involves making your technology secure, and we’ve seen clients win new business after being certified.
5. Lock down your data. Each individual in your business should only have access to the data they need to do their job. This minimizes the risk of data loss should they leave with it or accidentally click a malware link. Allowing employees wide-ranging access to data is asking for trouble.
6. Invest in protection. Keep the bad guys out with well-configured firewalls, anti-spam email systems, malware detection software, and pro-active Day-0 protection systems.
7. Get some insurance. Cyber insurance covers the losses resulting from a cyberattack. It can also aid with the management of the incident itself, particularly reputational damage and regulatory enforcement. Crime insurance covers the loss of money due to theft, fraud or dishonesty and includes theft of money by hackers. Add cyber insurance and crime insurance to your portfolio as separate policies, not just add-ons to existing business insurance.
8. Train your staff. Your employees are the most vulnerable security point in your business. The more they know what to look for and what to do, the better your chances of avoiding an attack. Training is essential for all new staff, and it needs regular refreshing for the whole business – including you!
9. Plan for the worst. Even with all the above nailed down, you still need to be ready for the worst. Sit down with your top team and discuss potential disasters and plan your way out of them. Who would be in charge? Who is authorised to make major decisions on the spot?

Will Travelex survive this attack? Who knows – the reputational and financial damage may be terminal. But by following these nine steps, you can avoid that fate for your own company.

For more information see our Knowledge Center about Cybersecurity.

Freeman Clarke is the UK’s largest and most experienced team of part-time (we call it “fractional”) IT leaders. We work exclusively with ambitious organizations, and we frequently help our clients use IT to beat their competition. Contact Us and we’ll be in touch for an informal conversation.

How to Stop Worrying About Cyber Security and Compliance: Part II

The second of our two-part report providing busy CEOs with a template for mitigating the stresses and risks of cyber security and compliance. Here is Part I if you missed it.

Previously we discussed why businesses often procrastinate when it comes to cyber security and regulatory compliance. Now it’s time to list how you can mitigate the risks and sleep better at night.

1. Make a Risks-and-Issues Analysis

Every substantial business should maintain a list of risks and issues, with some analysis of the mitigation options. The board should review this document at least annually, and each risk or issue must be owned by an executive with the expertise and time to manage it.

A certain level of risk is of course inevitable. But you need to know what you have, what’s valuable, and what’s vulnerable. Documenting the risks, and having an open discussion about them, will drive sensible decisions about how to mitigate risk and take action when and if the worst happens.

Even better, it avoids sweeping issues under the carpet. Instead, you can confront the real business risks, identify a proportionate response, and ensure you are looking after the things that matter.

Proper backup plans, disaster recovery, and crisis management plans will flow from these discussions.

2. Review Your Cyber Insurance

It’s prudent to consider cyber insurance. But not all cyber insurance is created equal. You need to carefully select an appropriate policy and provider.

The first thing to watch out for is if the provider takes the time to understand your risks and requirements. If they don’t, then they’re simply looking to sell you a policy, and you should walk away.

Next, check the exclusions on the policy. Make sure a member of your executive team understands the coverage — most importantly, if it covers ransomware payments, recovery costs, and loss-of-business. Remember that cyber insurance may not give you back money that’s stolen from you; that generally requires crime insurance.

Also, you should learn how claims work with the insurer. If you have to make a claim, will the insurer specify who runs the recovery program? If so, how quickly can this third party mobilize? If the insurer does not stipulate a third party, don’t wait for an incident to evaluate potential suppliers — identify the best one now.

Ensure that your IT is compliant with the policy. The insurer may impose requirements on your IT, and these requirements may be obscure and complicated. Often the CFO signs the insurance policy without communicating the requirements to the IT team. And the IT team may need to document how they meet the requirements, so that the insurer can audit if necessary. Otherwise your policy may be invalid!

Finally, are your suppliers’ contracts clear about their liability? And are they appropriately insured?

3. Get Behavioral and Awareness Training

The weakest security link in any business is often the people. Some of your staff may struggle to understand the issues or to know what secure behaviors really are. You need to clarify your expectations.

Unfortunately, lots of companies have security protocols that no-one reads. Or perhaps people circumvent the rules with the tacit approval of their managers, who are busy and under pressure to deliver results. For example, if managers are writing passwords on Post-its, or accessing email from insecure home computers, then their subordinates will do the same.

Instead you’ll want to foster a culture of security. For example, is your finance manager empowered to challenge an email that looks like it’s from you calling for an “emergency payment?” How are suppliers’ bank details verified? Is your IT staff empowered to call out poor security practices from senior managers?

We recommend awareness training, which is relatively inexpensive — a few hundred or thousand dollars. A small price to pay compared to the expense of getting hacked!

4. Follow the NIST Cyber security Framework

For most businesses there is a straightforward route to getting basic security right — adhering to the Cyber security Framework from the National Institute of Standards and technology (NIST).

The Framework is a voluntary set of “standards, guidelines, and practices to promote the protection of critical infrastructure.” It’s also the result of a collaboration between industry and government, so it’s designed to be flexible and cost-effective.

As with every aspect of cyber security, though, the Framework is ever-changing; make sure you have someone checking it periodically.

5. Do a Penetration Test

A penetration test is when a third party looks for weaknesses in your website and networks. Most companies can have a full, detailed penetration test for just a few thousand dollars.

This is essential if your website includes custom software or any kind of ecommerce services! Poor technical practices can result in custom software being full of holes. The OWASP top 10 is a list of the standard vulnerabilities that almost all hackers focus on — ensure your penetration test includes checks against this list.

Typically, penetration test findings are divided into high, medium, and low priority. Address all high- and medium-priority issues immediately. Address low-priority issues on a case-by-case basis.

6. Consider Complying with GDPR

The General Data Protection Regulations came into force in Spring 2018 in the European Union (EU). The rules are in force, with high penalties for breach. Being outside of the EU doesn’t necessarily mean the that GDPR is not your problem: the law applies to any company doing business with EU citizens.

The good news is that for the most part, the compliance measures are sensible and worthwhile. And most businesses can organize an expert assessment of their GDPR compliance for a few thousand dollars.

The recommendations can be complicated, and GDPR compliance can be a long process. So you’ll need to plan the work as a series of projects. Someone at the executive needs to have ownership of it, preferably someone both commercial and sensible in their approach.

You should also check local laws. For example, New York State’s Governor Cuomo recently signed the New York Shield Act, which expanded the notification requirements in the event of a security breach. This law applies to any company with employees in New York State, which, given its size, will have national and even international implications.

7. Comply with ISO27001

ISO27001 is a more serious information security and management standard. Some companies have this standard imposed on them by corporate or government customers.

Either way, if your business is complex or has specific security requirements then ISO27001 provides you with a means to foster a culture of security. For example, if you manage sensitive data or valuable intellectual property; if you want to demonstrate your credentials to demanding corporate clients; or if you plan for your business to offer important IT services, then ISO27001 gives you a means to embed security into every aspect of your business operations.

This is another standard that requires external assessment. Although it may only cost a few thousand dollars, implementing the necessary changes can be complicated and invasive. But that’s why companies brag about their ISO27001 accreditation — it’s a demanding standard and it means something.

Remember: Secure Companies Are More Efficient and Reliable

Let’s emphasize that the above steps are sensible. They will make your business more secure, so that you can your customers can sleep soundly. And in the event of a problem — because there are always problems — you will have mitigated the damage, and your business will recover more quickly, and you can avoid criticisms or accusations of negligence.

One final point: well-maintained systems and security practices will make your business far more effective, profitable and reliable.

You may like to visit our Knowledge Center, which includes all content related to this topic.

Risk Management and Security

Pretty much every CEO is concerned about increasing cyber threats, security risks, regulatory issues and compliance problems — and rightfully so. We meet clients whose businesses have been brought to a standstill by online attacks and most CEOs recognize the need to beef up policies and business continuity plans.

Whatever the issue, it can be hard to move forward because the IT guys don’t always speak the same language as a CEO and there’s no end to the money that you could spend on hardware, software and advice and these issues are extremely complex and technical.

Freeman Clarke is unique because one of our people – we call Principals – can join your senior team and get involved in every aspect of your IT. From servers and infrastructure to bespoke software, we will help assess the risks, explain the issues and options in plain business language and agree on a commercially sensible plan. We will understand your business, the demands of your sector, your back-office systems, your processes and data, your client and supplier contracts and your culture.

We understand that different clients have different needs. Many of our clients are traditional companies who simply need to get the basics right. Some of our clients are high-profile organizations or provide critical 24/7 services that they need to be confident they can keep operating to fulfil their contracts and commitments. What they all have in common though, is a need for a commercially viable, technically sensible solution.

If you’re interested in learning more about how we can help you with risk management and cyber security issues, then visit our website – there’s a lot of good information on it! And if you’d like, reach out to us directly — we’d be more than happy to have a conversation with you and talk about how we can help you mitigate those risks.

Visit our Cybersecurity Knowledge Center, which includes more plain-English content related to this topic.

How to Stop Worrying about Cybersecurity and Compliance: Part I

The first in our two-part report that will help busy CEOs mitigate the stress of cyber security and compliance.

It’s not an exaggeration to say that most days we hear from companies who have been hacked. Their reputations are damaged, they’ve lost money, and they’re not sure what to do next.

Freeman Clarke CIOs, CTOs and IT Directors have deep experience in helping clients navigate these dangerous waters. But the uncertainty can begin much earlier: we’ve also seen how even the threat of a cyber attack makes many CEOs of mid-market companies feel exposed and uncertain.

Another stress is the related issue of compliance. Many companies are at risk of huge contractual penalties from their customers in the event of a data breach or the like. And the law is tighter than ever, with big government fines making headlines.

For business in heavily regulated industries, security standards and good practice are part of the corporate culture. But for businesses in other markets, the situation is fuzzier.

These are complex issues. And a CEO’s time is short. It can be tough to find a simple, affordable strategy for security and compliance. It can be even harder to get someone in the boardroom with the necessary technical knowledge, experience, and sensible attitude to lead the approach.

That’s why we’ve prepared this two-part report: to provide busy CEOs with a template for mitigating the stresses and risks of cyber security and compliance.

Why It’s Hard to Get Started

In our experience the underlying issue is a simple lack of expertise. The IT team understands the technical issues; business teams understand the commercial issues. But there may not be someone at the executive level with a firm grasp of all sides of the problem.

Meanwhile, external advisors are typically selling expensive products like AI-based intrusion detection, data loss prevention software, or advanced malware protection. But they’re often more concerned with making a sale than helping your company.

Often the starting points should be relatively inexpensive training sessions that will cultivate a culture of compliance in your staff. At the same time, there are simple steps to reduce threats and to minimize impact in the event of a breach.

The ideas are straightforward, but their execution can be complicated. The executive team needs to accept that secure practices might not be as convenient or simple as the status quo. But keeping your business secure is worth the investment of effort, and, when done well, the positive impact enormously outweighs the negatives.

But, above all, given the real risks and regulatory environment, there is no longer any alternative to taking action!

The Basics of Security and Compliance

You may have heard that there’s no such thing as being truly secure. Well, that’s true — when it comes to cyber security, there is no finish line. But there are a set of basic, practical steps that every business should put in place.

Consultants, product vendors, and the media would have you believe that it’s much more complicated. But based on our years of experience with hundreds of mid-market companies, nearly every single hack or breach were a result of basic errors — mistakes due to carelessness, lack of training or lack of expertise.

Yes, sophisticated attacks do happen. But they’re very rare. And even when sophisticated attacks have occurred, basic measures have allowed our clients to recover quickly with limited damage.

Our follow-up article provides a clear roadmap to help you rest easier when it comes to security and compliance. In the meantime, for more straightforward advice about cyber security, see our article on the 13 Strategic Steps to Cyber-Security for Non-technical Board Members.

And here is Part II of How to Stop Worrying about Cyber security and Compliance.

Visit our Knowledge Center, which includes all content related to this topic.

Freeman Clarke is the UK’s largest and most experienced team of part-time (we call it “fractional”) IT leaders. We work exclusively with ambitious organizations, and we frequently help our clients use IT to beat their competition. Contact Us and we’ll be in touch for an informal conversation.

How to Make It Work When They Work from Home

Many of our clients want to explore opportunities for their employees to work from home. They have two main drivers:

1. Reduce office costs by reducing space requirements and associated expenses
2. Ease recruitment by (a) offering more attractive terms and (b) opening-up options to recruit outside their immediate locality

In addition, many knowledge workers are frustrated by their commute. As they increasingly see others working from home, they begin to expect this as an option from their own employers.

But there are so many questions that arise when companies allow their employees to work from home. Our CEO’s Guide, How to Make It Work When They Work from Home, will help answer many of these questions.

The guide covers the business and IT strategy aspects of working from home. It includes issues of cost reduction, recruitment, teamwork, cultural changes, and collaboration. Specifically, it describes team-working for home workers, technology and connectivity, and use of products such as Teams, Slack, SharePoint, Trello, Basecamp, Wrike or WhatsApp.

This guide covers how to enable business applications for those working from home (including virtual desktop technology, e.g. Citrix) as well as outlining issues of cybersecurity. In addition, it discusses how to change management style for remote workers, including defining jobs, monitoring performance, and encouraging collaboration.

Finally, the CEO’s guide talks about how home-working can improve disaster resilience, which is related to business continuity planning, (BCP), disaster recovery (DR), and risk management.

How to Make It Work When They Work From Home

There are many questions surrounding employees being able to work from home. Our CEO’s Guide, How to Make Home Working Work will help answer many of these questions.

Download now for FREE!

Visit our Hybrid Working & Post-Pandemic Knowledge Center which includes all content related to this topic.

Cyber, Legal, Compliance … How a CEO Can Sleep Soundly

It is not an exaggeration to say that most days we meet companies who have been hacked, their reputations damaged, and money lost. Successful websites can be juicy targets; ransomware can bring a company to a standstill.

Many companies have demanding standards and huge contractual penalties imposed on them by their customers. And the law is tighter than ever, with big fines making headline news.

The threat of cyber makes many CEOs of mid-market companies feel exposed and uncertain. These are complex issues, your time is short, and finding a simple commercial and strategic approach can feel difficult.

But there are simple strategic steps and this document describes the basic projects to make your business secure and compliant.

CEO's Briefing: Cyber, Legal, Compliance … How a CEO Can Sleep Soundly!

The issue for the Board is how do you know whether your technology guys have got the basics right or wrong? Download the document for the simple road map!

Download now for FREE!

Visit our Knowledge Center, which includes all content related to this topic.

13 Key Steps to Cybersecurity for Non-technical Board Members

Cyber attacks can be complicated, but in our experience over many years, most are really simple and exploit basic weaknesses.

In the vast majority of cases, simple steps can make you safe, or minimise disruption in the event of an attack. But, normally, these decisions are taken by technologynicians and the Board are not able to effectively challenge or lead.

Here is a simple list of 13 questions and answers to allow non-technical Board members to stop hoping for good luck!

1. How do we get security risks and issues under control?
   Every substantial business should maintain a list of risks and issues, with some analysis of the options and mitigations. Each risk or issue should be owned by someone around the Board table who has the expertise, time and ability to manage it. This document should be reviewed by the Board at least annually. The list and the open discussion drives sensible, productive decision-making and avoids a culture of sweeping issues under the carpet. This approach prevents overspending in the wrong areas – it’s all about “proportionate response”.
2. What kind of insurance do we need?
   Unfortunately, not all Cyber Insurance is created equal and you need to take care to select an appropriate policy and provider. Check the exclusions on the policy and ensure a member of your Board understands the cover. Cyber Insurance may not give you back money that’s stolen from you – that generally requires Criminal Insurance. Check your IT is compliant with your policy conditions – the devil is always in the detail and your IT team or supplier need to know what they have to do to maintain compliance? Finally are your suppliers’ contracts clear about their liability and are they appropriately insured?
3. How do I get staff to take security seriously?
   Security systems can be bypassed by canny criminals because they know where the weak link is … it’s your people. Create a “security culture”, where taking this stuff seriously is encouraged. Ensure you and the Board demonstrate good practice – for example, if you write your passwords on post-its then you should fully expect your staff to do the same… and one day you will probably be hacked as a result. Many hackers exploit helpful staff who simply hand over money! Sound financial processes, clear controls, good education and ongoing training are all vital to security. Remind people to “think before you click”!
4. How do we keep data secure?
   Access to systems and data should only be given to those who need it. This is known as a least-privilege policy. For example, when a person is given access to a system, the default should ensure that person has no rights to anything. Then privileges should be granted according to what that person needs to do in the system, building up to only include the data and processes they require. If you don’t follow a least-privilege system, then you are really exposed to cyber attack, to fraud and to errors. When users’ roles change their access should be reduced if their job doesn’t require it anymore (and their access removed altogether when they leave!)
5. What are firewalls?
   Start by ensuring your office has sensible physical security. Then make sure the equivalent measures are in place for your systems – these are your firewalls. Knowledgeable and trusted experts who understand the complexities of system and firewall management need to configure this equipment and to keep it up to date. Specifically ask them whether they have minimised points of access (ports) and are using secure ports for email and web access rather than standard ports.
6. Why is it important to keep security up to date?
   This should be so simple, but most hacks exploit the fact that many companies fall behind. All computers should use up to date operating systems which are properly patched; utilise up to date anti-virus and anti-malware systems. However these systems only work well when they know what they’re up against. Newer protection systems coming on the market look for programmes acting suspiciously and will automatically shut down the programme before it has had time to cause mayhem. These systems provide protection against new attacks (often called “Zero Day”) because they spot the bad behaviour of an application rather than recognise the malware itself.
7. What is data encryption?
   To protect your data, it should be encrypted and only accessible to those with the approved rights to look at it. Where you have customer data, particularly user accounts and passwords, ask your IT team whether the data is “hashed and salted” which will make it very secure and difficult to break even if your systems are breached. It is unforgivable nowadays to be holding personal or confidential data unencrypted (known as “clear or plain text”).
8. How should we backup our data?
   Your data and systems should also be well backed up and the backup must be stored off-site, preferably with no connection to your live systems (known as an “airgap”). Ensure the backups include multiple versions of the same document in case corruption or malicious encryption took place at some point in the past. Having a decent data backup can be the difference between having a business post-disaster and not.
9. What is a penetration test?
   A penetration test is an assessment by an expert company of your website and network to find weaknesses. This is essential if your website includes custom software or any kind of ecommerce services. Poor technical practices can result in custom software being full of holes and these are well documented in a standard list known as the OWASP top 10. This list are the standard vulnerabilities that almost all hackers focus on – ensure your penetration test includes checks against the OWASP top 10. Simple!
10. Practical but secure password rules.
    Many hackers don’t have to be clever because users make it easy by choosing “password123” – hackers automate attacks testing thousands of obvious passwords until they get lucky! Users must take passwords seriously, choose long passwords that are hard to guess, use different passwords, and don’t share. Software can be used to store passwords securely, but if people must write down details then these must be locked away. Make sure your systems are configured to enforce good password discipline and lock out users after repeated failure attempts. Sensitive systems should be protected by 2 pieces of information, not just a password (this is called “2 factor” or “multi-factor” authentication).
11. Sensible Cyber Attack crisis plans.
    Establish how you will handle a crisis in advance. Who’s in charge if you are attacked by ransomware and decisions need to be taken on the spot. GDPR makes specific requirements about notifying the ICO if you suffer a security breach – who is responsible for making this happen; failure to do so will result in a fine.
12. Why does security certification matter?
    Certification will give a focus and purpose to your efforts to improve security. A good place to start is Cyber Essentials Plus certification. This will provide you with a government standard accreditation that directly demonstrates to you, your company and your customers that you take security seriously and that you’re working to ensure their data is held securely and your systems are well managed. We know of clients that have won new customers simply because they stood out from the competition by having Cyber Essentials Plus accreditation. If your business is complex or has specific security requirements then ISO27001 provides you with a means to go further and embed a “security culture”.
13. Who should be in charge of Cybersecurity?
    Someone around the Board table who has the time, expertise and right commercial attitude! This person needs to start by getting clear on what you’ve got – who are the users, 3rd parties and suppliers who access your systems. List your equipment, networks, software etc. What are the crown jewels that really matter and ensure these are these properly protected. If you want a high-class CIO, CTO or IT Director on your side and sitting around your Board table … then that’s where we come in!

You can download and read our full CEO’s Briefing about Cyber, Legal, Compliance here. Or, visit our Knowledge Center which includes all content related to this topic.