It has been a while since my last article. So when the National Cyber Security Centre (NCSC) published this leaflet in PDF format, I thought I would share it on my blog, as it may be useful for future developments.
The leaflet contains three key sections, “Policy actions”, “Technical actions” and “Training and awareness actions”, each listing the actions a small business should follow to stay safe online.
As we understand it, a small business should have at least three roles (or departments) responsible for these different matters.
Policy actions should mainly be carried out by the staff responsible for the cyber security policy, and are the following:
- Identify and record essential data for regular backups.
- Create a password policy.
- Decide what access controls your users need, so that they can access only the information and systems required for their job role.
- Decide which staff need access to USB drives.
- Sign up to threat alerts and read local cyber advice, eg. www.actionfraud.police.uk/signup
- Create an inventory of approved USB drives and their issued owners, and review periodically whether the ownership is still necessary.
Technical actions should be carried out by the staff responsible for the setup and configuration of devices, networks and software, and are the following:
- Switch on your firewall.
- Install and turn on anti-virus software.
- Block access to physical ports for staff who do not need them.
- Consider making a password manager available to your staff to secure their passwords. Review the star ratings before choosing one from an app store.
- Ensure data is being backed up to a separate platform, eg. a portable hard drive or the cloud.
- Set automated backup periods relevant to the needs of the business.
- Switch on password protection for all devices. Change the default password on all internet-enabled devices, as per the password policy.
- Install and turn on tracking applications on all devices, eg. Find My iPhone.
- Enable two-factor authentication for all important accounts, eg. email.
- Apply restrictions to prevent users from downloading third-party apps.
- Install the latest software updates on all devices, switch on automatic updates, and check periodically that they are being applied.
- Ensure all applications on devices are up to date and that automatic updates are set to download as soon as they are released. Schedule manual checks for updates as well.
- Set up encryption on all office equipment, using products such as BitLocker (on Windows, using a Trusted Platform Module (TPM) with a PIN) or FileVault (on macOS).
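The leaflet says what to switch on but not how to check that it actually happened, which is where many of these actions quietly fail. The script below is an added example, not part of the NCSC leaflet or of this post: it audits a Windows 10/11 endpoint against the technical actions above (firewall, anti-virus, automatic updates, USB storage, BitLocker with TPM and PIN) and, as a second function, turns on BitLocker with a TPM + PIN protector plus a recovery password. It assumes Microsoft Defender is the anti-virus and uses only the NetSecurity, Defender and BitLocker cmdlets that ship with Windows; the function names and the 7-day signature threshold are my own choices.

```powershell
# Added example (not from the NCSC leaflet or this blog): audit a Windows 10/11 endpoint
# against the "Technical actions" and enable BitLocker with TPM + PIN on the OS drive.
# Assumes Microsoft Defender; function names and thresholds are the author's own.
# Run from an elevated PowerShell prompt.
#Requires -RunAsAdministrator

function Test-SmallBusinessBaseline {
    $r = [ordered]@{}

    # "Switch on your firewall": every profile (Domain, Private, Public) must be enabled.
    $profiles = Get-NetFirewallProfile
    $r['Firewall on for all profiles'] = @($profiles | Where-Object { $_.Enabled -ne 'True' }).Count -eq 0

    # "Install and turn on anti-virus software": Defender running, signatures not stale.
    $mp = Get-MpComputerStatus
    $r['Anti-virus enabled']             = $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled
    $r['AV signatures under 7 days old'] = ((Get-Date) - $mp.AntivirusSignatureLastUpdated).TotalDays -lt 7

    # "Switch on automatic updates": the update service is not disabled and no policy sets NoAutoUpdate=1.
    $au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    $r['Windows Update service not disabled']      = (Get-Service wuauserv).StartType -ne 'Disabled'
    $r['Automatic updates not disabled by policy'] = -not ($au -and $au.NoAutoUpdate -eq 1)

    # "Block access to physical ports": USB mass storage driver set to Start=4 (disabled).
    # Only expected to pass on machines belonging to staff who do not need USB drives.
    $usb = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -ErrorAction SilentlyContinue
    $r['USB mass storage disabled'] = ($usb -and $usb.Start -eq 4)

    # "BitLocker ... TPM with a PIN": OS volume fully encrypted, protection on,
    # a TpmPin protector present, and a recovery password created for escrow.
    $os    = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = @($os.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    $r['OS drive fully encrypted']    = ($os.VolumeStatus -eq 'FullyEncrypted') -and ($os.ProtectionStatus -eq 'On')
    $r['TPM + PIN protector present'] = $types -contains 'TpmPin'
    $r['Recovery password protector'] = $types -contains 'RecoveryPassword'

    return $r
}

function Enable-OsDriveTpmPin {
    param([Parameter(Mandatory)][SecureString]$Pin)

    # Default Windows policy does not permit a startup PIN, so -TpmAndPinProtector fails with
    # "Group Policy settings do not permit the creation of a startup PIN". These registry values
    # are the ones behind the "Require additional authentication at startup" policy.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    New-Item -Path $fve -Force | Out-Null
    Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name UseTPMPIN          -Value 1 -Type DWord   # 1 = allow PIN, 2 = require PIN

    # XTS-AES-256, used space only (fast on a new device), keyed by TPM + PIN.
    Enable-BitLocker -MountPoint $env:SystemDrive -EncryptionMethod XtsAes256 `
        -TpmAndPinProtector -Pin $Pin -UsedSpaceOnly -SkipHardwareTest | Out-Null

    # A forgotten PIN, or a TPM reset after a firmware update, must not lock the business out of
    # its own data: add a recovery password and return it so it can be stored offline, away from
    # the laptop (eg. the locked cupboard mentioned under the training actions).
    $vol = Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector
    return ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').RecoveryPassword
}

# Usage:
#   Test-SmallBusinessBaseline | Format-Table -AutoSize
#   $pin = Read-Host -AsSecureString 'Startup PIN (at least 6 digits)'
#   $recovery = Enable-OsDriveTpmPin -Pin $pin   # write $recovery down and store it securely
```

Run the audit first and keep the output for each machine; the encryption function changes policy and starts encrypting, so run it only on a device you are ready to reboot, and record the returned recovery password before you do.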
Training and awareness actions should be carried out by the staff responsible for implementing staff training and awareness, and are the following:
- Provide secure physical storage, eg. a locked cupboard, for your staff to write down and store passwords.
- Create a Cyber Security training plan that you can use for all staff.
- Include details of your password policy, explaining how to create a non-predictable password.
- Include how to spot the obvious signs of phishing.
- Include details of your reporting process if staff suspect phishing.
- Include details of how your business operates and how staff should deal with a request made via email.
- Include details of Wi-Fi hotspot vulnerabilities and how to use alternative options (eg. VPN or mobile network).
In conclusion, some people think that all these actions should be applied by one person; however, it seems that in normal life at least three people should work in the IT department. In addition, those three people may have more support from other resources, such as colleagues, libraries, forums, etc. Also, so many of the criteria mentioned above are possibly not met. For example, default passwords are not changed and are just left for the next day, which never comes. It would be interesting to find out one day how many products installed in an in-house environment, for instance, are left accessible and vulnerable.
One of the most famous search index platforms, Shodan, created by John Matherly, does a similar thing. As Wikipedia explains: “Shodan collects data mostly on web servers (HTTP/HTTPS – port 80, 8080, 443, 8443), as well as FTP (port 21), SSH (port 22), Telnet (port 23), SNMP (port 161), IMAP (port 993), SIP (port 5060), and Real Time Streaming Protocol (RTSP, port 554). The latter can be used to access webcams and their video stream.” This could be used as a practical method for your company's security team to find this out, even though we are advised that Wikipedia may contain fake information. Therefore, it is up to us to decide whether this is valid or not. Personally, I would do more research, or check for sources/references, and then make the final decision.