Irish businesses are facing the growing problem of cybercrime. Cyber attacks can seriously harm an organisation, especially for smaller companies that may lack the expertise and resources to prevent attacks. Implementing essential cyber controls as part of a cyber security checklist can help protect your organisation, reduce downtime, and protect valuable data.
Regardless of the size of the business, cybersecurity has become a critical element of the Irish business landscape. While cyber attacks on large organisations make national headlines, a security breach can threaten the existence of a smaller business that may lack the necessary damage control resources. Recent research found that 95% of Irish small and medium-sized businesses had experienced a cyberattack in 2021, meaning that SMEs should take extra steps to secure their data, networks and IT equipment from unauthorised access.
Adopting the essential cyber controls and implementing security solutions as a small business can help minimise the risks of cyber attacks.
Why put essential cyber controls in place?
The Irish government’s National Cyber Security Strategy is designed to tackle the challenge of cybercrime. It aims to secure information networks, systems and infrastructure to minimise the risk of cyberattacks and seeks to raise the cybercrime awareness among businesses.
By bolstering their cybersecurity, businesses can reduce the threat of compromised data and systems. Recent threats, such as ransomware attacks, can result in companies paying cybercriminals to release scrambled data and inaccessible systems.
Cyber security meshes behaviour and IT solutions. Behaviour includes ensuring staff are actively trained in data security and that there are clear security policies. In contrast, IT solutions include deploying technologies such as firewalls, two-factor authentication (2FA), and network monitoring software to detect and stop attacks.
Our Cyber Essentials certification process audits your organisation to demonstrate to stakeholders and business partners that you take cyber security seriously and have adequate measures to protect data and systems.
Looking to ensure your business meets GDPR requirements? Read our guide to who is responsible for demonstrating GDPR compliance.
Essential cyber controls – security checklist
Here is our cyber security risk assessment checklist of issues SMEs should consider addressing to help improve cyber security.
Keep equipment up to date
Conduct a comprehensive inventory of equipment connected to your network, including any BYOD equipment staff use. This should include desktops, laptops, mobile devices, and routers. Older legacy equipment may no longer be supported with security updates, while other cloud-based devices such as network printers can be attack vectors for hackers.
Ensure that the latest software updates are installed, as this can help minimise the risk of a cyber attack. Ensure that firmware updates are applied to networked IT equipment such as printers, routers, NAS drives and servers. Updates often patch security vulnerabilities, closing security holes that hackers can exploit.
Consider reusing older equipment that is no longer updated into non-network tasks or recycling components.
Employees and training
Implement regular security and data processing awareness training for employees, contractors and others who access business networks. Many cyber attacks are socially engineered, such as spear phishing, where an individual in a business is targeted with convincing emails designed to deploy malware or provide access to a network by cybercriminals. Regularly remind employees of the protocols they must follow and encourage the immediate reporting of any suspicious activity.
Access control
Not every employee in an organisation needs access to all of its data.
Review account permissions, restricting access to the lowest level required for employees to perform their duties. Ensure every employee has a separate account with unique log-in credentials and allow remote access only through a virtual private network (VPN).
Enforce password policies for all employees, ensure each password is different for various accounts/sites, and incorporate multi-factor authentication (MFA) for sensitive accounts or those using remote access. A good example is a password and biometric (fingerprint) or a code sent to an email or phone number. Remember to delete employee accounts when an employee leaves the organisation.
Cyber security defence
Assess your need for cyber security solutions for small businesses, such as:
- Firewalls.
- Anti-virus software.
- Anti-malware software.
- Network monitoring and alert systems.
These systems recognise unauthorised attempts to gain or hack information and can block access or quarantine malware. Systems to monitor networks can alert you of suspicious activity and potential threats. Monitoring can help catch security breaches quickly before too much damage is done.
Ensure malware and security software is updated, ideally daily or hourly.
Bolster email security
Email attacks are one of the most significant security vulnerabilities for smaller businesses. Cybercriminals use phishing scams to deliver malware payloads such as ransomware or fool employees into sharing passwords and access credentials. Email security can be a particular issue for SMEs that use many different and sometimes older email protocols such as SMTP, POP, and MIME servers. Web-based mail can offer more robust security features such as message encryption, malicious email filtering, and detecting hijacked email accounts.
Segment the network
Assess your network topology, and build or restructure networks into manageable subnets with access control between different network layers or subnets. As part of a cyber security checklist, examine and limit access to different subnets, and limit mission-critical data or processes to specific and highly restricted subnets.
Data recovery plan
Ensure your business has a data recovery plan and that it is well-rehearsed to minimise downtime and test protocols.
Protecting data from unauthorised access is paramount, but you should also have a disaster recovery plan in place should your organisation face a data breach or find its data held to ransom by cybercriminals. Ensure that data is backed up regularly. Backups should be encrypted, and more than one backup method used, such as an onsite server and cloud backup, to ensure additional protection.
Supplier security
Many businesses rely on a supply chain for their products or services. If a cyberattack happens to any of your suppliers, your business could also be at risk. Sensitive information, data, customer information or access to essential areas could become available if there are security breaches down the chain.
To minimise the risk of this happening, ensure transparent relationships with your suppliers and encourage robust cyber security with suppliers.
Ask for their cyber security policies and if they’re certified in Cyber Essentials, ISO 27001 Information Security Management Systems, or ISO 27701 Privacy Information Management Systems, for example.
Need to demonstrate your IT security systems are robust and fit for purpose? Our Cyber Essentials with expert support is a great starting point to reduce harm to reputation and enhance data security processes.
