There is no doubt that cyber security is a priority for all businesses. Cyber-attacks cost time, money and reputational damage, and attacks are rising in frequency and complexity.
It isn’t just large companies being attacked though; companies of all sizes are targeted and SMBs are just as vulnerable as enterprises, if not more so, as their security can be weaker. The most common attacks tend to be: socially engineered attacks, phishing emails, CEO fraud emails, identity theft, malware and unpatched software.
This article was originally published 21 Jan 2021 and has been updated for accuracy.
Changes in modern working
The way in which people access their IT has changed. The rise of cloud computing years ago enabled people to access their apps and data from anywhere and on any device. This brought many benefits to organisations and their staff, but it also brought a number of new security challenges. Today, new challenges such as shadow IT and emerging shadow AI will bring further risks that organisations need to protect themselves against. This is where Zero Trust is needed.
The Old Model vs the New Model
Traditional IT security used to follow a ‘perimeter security model’ (aka ‘castle and moat’) where you built a wall of protection around your IT and systems, but this is no longer effective. As networks, apps and users are no longer contained, it is no longer possible to build a perimeter. Combine this with ‘shadow IT’, where users store their work data outside of the knowledge of their IT department (e.g. Dropbox), and you simply don’t know where to build the wall. To overcome this, a ‘newer’ cybersecurity method has evolved: zero trust networking.
You still need to ensure that your network is protected and you have the right defence in place, but you now need to assume that attackers will be able to get through and that a perimeter is no longer effective. Instead, efforts need to be focused on ensuring that when someone is in, they cannot do anything. This is done by following the motto “never trust, always verify”. The four areas to verify are:
User – who is trying to access something
Location – where are they accessing this from
Device – what device are they using
Apps – what are they trying to access
This ensures that anyone trying to access your data is verified as a trusted person, in a trusted location, using a trusted device, with permission to access the app or data in question. The difficulty here is getting the balance between tight security and a simple user experience. If users have issues accessing their data then this will cause frustration, but not challenging these factors leaves your organisation at risk.
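The four checks above combined into one access decision, as an added example that is not Chorus's or Microsoft's code. The users, device IDs, trusted-country list and the "step_up" outcome (prompt for multi-factor authentication instead of blocking outright) are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample policy data (hypothetical names, not from a real tenant).
USERS = {"alice": {"apps": {"payroll", "mail"}}, "bob": {"apps": {"mail"}}}
TRUSTED_COUNTRIES = {"GB"}
MANAGED_DEVICES = {"LAPTOP-001": {"compliant": True},
                   "LAPTOP-002": {"compliant": False}}
SENSITIVE_APPS = {"payroll"}


@dataclass
class AccessRequest:
    user: str
    country: str
    device_id: str
    app: str
    mfa_passed: bool = False


def evaluate(req):
    """Return (decision, reasons); decision is 'allow', 'step_up' or 'deny'."""
    deny, step_up = [], []
    # User and app: unknown identity or missing permission is a hard deny.
    user = USERS.get(req.user)
    if user is None:
        deny.append("unknown user")
    elif req.app not in user["apps"]:
        deny.append("no permission for app")
    # Device: non-compliant is denied; unmanaged is denied only for sensitive apps.
    device = MANAGED_DEVICES.get(req.device_id)
    if device is None:
        if req.app in SENSITIVE_APPS:
            deny.append("unmanaged device for sensitive app")
        else:
            step_up.append("unmanaged device")
    elif not device["compliant"]:
        deny.append("non-compliant device")
    # Location: an untrusted location raises the bar rather than blocking.
    if req.country not in TRUSTED_COUNTRIES:
        step_up.append("untrusted location")
    if deny:
        return "deny", deny
    if step_up and not req.mfa_passed:
        return "step_up", step_up
    return "allow", step_up
```

Every request is evaluated on all four signals each time; risk signals that can be offset by stronger authentication lead to a prompt rather than a block, which is where the security and user-experience balance is set.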
Old Perimeter security model
New Zero Trust Networking security model
How to do this?
We recommend beginning with a Cyber security assessment to assess your current situation and to then create a risk and remediation plan, which outlines steps to improve your security. You may need additional security tools – we often recommend Microsoft 365. Most organisations are already running Microsoft 365 and using the productivity apps, but it also comes with powerful security tools. The Microsoft Defender Suite also brings further advanced security features to Microsoft 365 customers as an add-on.
Microsoft 365 includes features, such as:
Identity-driven security – protect your users and identity with tools such as multi-factor authentication, single sign-on and conditional access policies
Threat protection – monitor threats with advanced detection and analytics (which analyses threats based on all the data Microsoft collects and analyses every month)
Information protection – this keeps your data safe; rather than building a wall around all your data, data becomes self-protecting with classifications, rules and policies in place
Security management – manage and monitor your security through holistic dashboards
Using Microsoft 365 gives you the tools to set policies and procedures and then allows your trusted users to access their data securely and simply with a great user experience. Meanwhile, threat detection software continues to run so if any threats do come through they cannot access your data and can be quickly stopped through automated remediation.
Finally, you will need to then ensure ongoing management of your security to monitor, detect and respond to threats – so that any successful attacks are rapidly contained, isolated and eradicated. This can be done internally, or through a managed security service provider (MSSP) who can monitor and contain threats 24×7.
Cybersecurity maturity roadmap
Each organisation will already have a certain level of cybersecurity standards in place and these can vary from basic through to robust. We recommend that, once the necessary tools, processes and support are in place, you get your organisation certified. Not only does this clarify that you have the right measures in place but it also publicly shows that you are taking your cybersecurity seriously – giving peace of mind to clients, suppliers, partners etc.
We would suggest the following three-tier certification:
Cyber Essentials – This shows that the basics are in place and you are guarded against the most common attacks. This is fairly quick to achieve and involves a self-assessment. We also have an article that outlines how organisations can achieve Cyber Essentials with Microsoft technologies.
Cyber Essentials Plus – The Plus certification goes a step further and you must have the basic Cyber Essentials certification first to go onto the Plus certification. This also ensures the core areas are covered but you are then also externally audited to ensure the tools in place are effective. This takes a little longer to achieve due to the external audit – our Cyber Essentials services can help organisations meet requirements and become certified.
ISO27001 – This certification really shows that you have sophisticated and robust IT security measures in place and are well protected and prepared. As a consequence, this is time-consuming and a large commitment involving legwork and then a thorough external audit.
Benefit from modern cyber protection
Cyber security is a top priority for businesses but you need to make sure the efforts being put in are going to be effective, especially against evolving methods of attack. Today, Zero Trust is the recognised cybersecurity standard that modern organisations should adopt for modern protection. At Chorus, we recommend using your existing Microsoft 365 tooling to implement Zero Trust controls.
At Chorus, we are Microsoft Security experts and members of the Microsoft Intelligent Security Association (MISA), helping organisations of all sizes to implement modern Zero Trust protection and ongoing managed security services. Get in touch to find out more about how we could help.