Cybersecurity awareness month: 5 infoSec quick wins for SMBs

Why were the authorities unable to catch the hacker? 

...Because he ransomware! 

We know that joke is old, however, we do have something new for you! 

In this interview, we sat down with Kyle Tackley from DataGuard’s UK Tech and Privacy Practice to talk about this year's Cybersecurity Awareness Month with the focus on putting the user at the centre of cybersecurity, which ties into this year's theme, ‘See yourself in Cyber’. 

With this year's theme in mind, he shared with us some actionable quick wins that every SMB should know about when it comes to learning how to recognise one of the weakest links in your security chain (The Human). He also talked about how DataGuard can help SMBs adopt operational-wide Information security and security awareness.  

What is Cybersecurity Awareness Month all about? 

Since 2004, both the National Cybersecurity Alliance (NCA) and the Cybersecurity and Infrastructure Security Agency (CISA) have joined forces to shine the spotlight on cybersecurity and its impact on our personal and professional lives in an ever-changing technology landscape. 18 years on, they continue to educate both the consumer and the workforce on how to make better decisions to stay safe online.  

The CISA encourages us to all engage in this year’s efforts by creating our own cyber awareness campaigns and sharing this messaging with our peers. Hopefully, after reading this blog, you will be able to take some ideas away with you to help educate those in your organisation and professional circles.  

Why should this be important for SMBs? 

Well, there are many reasons why you should care about cybersecurity. Let me share a few statistics from recent studies.  

• According to Gartner, the volume of cyberattacks increased over 100% in Europe, East Asia, and Latin America in October and November 2020. Canada and Germany each saw a 250% increase. These numbers are incredibly high and inevitably cyber attacks are becoming more and more sophisticated and commonplace.   
• Cyber Security Breaches Survey -which is a very influential research study for UK cyber resilience tells us that of the 39% of UK businesses who identified an attack, the most common threat vector was phishing attempts (83%). Of the 39%, around one in five (21%) identified a more sophisticated attack type such as a denial of service, malware, or ransomware attack. 

Keep in mind that these attacks can be very costly for businesses of all sizes. 

These studies beg the question: As an SMB, what can you do to prevent cybersecurity attacks and safeguard your data and critical assets? 

Hint: Give your data privacy and information security practices a check-up. Get your ISO 27001 certification. 

Do you think an information security management system is essential for practising better cybersecurity? 

In short: YES.  

It is important to recognise that an Information Security Management System (ISMS) that is certified to ISO/IEC 27001 will go beyond just demonstrating to customers and prospects that your organisation has the relevant controls in place to protect sensitive information.  

It is actually a great way to achieve an operational and standardised wide approach to information security, complete with external validation from an accredited certification body. What's not to like? 

Several of the ISMS controls that are required to successfully certify to ISO 27001 are centred around asset discovery and inventory (things like end-user devices, software, and all types of IT hardware).  

So, for a start, an ISMS will aid you in understanding your attack surface. Think of an attack surface as an end-to-end view of where an attacker could try to enter and exploit vulnerabilities in your organisations IT environment, such as software, or misconfigured cloud infrastructure. This can cause harm or highly impact the confidentially, integrity and availability of data.  

ISO/IEC 27001: 2022 edition is around the corner. 

We will talk more about the importance and other benefits of maintaining an ISMS later in this blog. But I wanted to quickly take the time to talk about the new ISO/IEC 27001: 2022 edition of the standard, which at the time of writing this will be available for purchase in a matter of weeks. 

With more focus on cloud-first organisations with remote workforces, the 2022 edition of ISO/IEC 27001 brings the standard into the modern way of working, with some entirely new security controls including Information security for use of cloud services and threat intelligence. It is great to see the introduction of these additional controls given that more than 80% of organizations have experienced a cloud-related security incident over the past 12-month period. (Source). 

The release of the 2022 edition will trigger a three-year transition period to give those organisations already certified time to integrate these new themes and control areas. 

What are some quick wins on how SMBs can improve their Information Security Posture and succeed with a more end-user-based approach to cybersecurity? 

1. Roll out engaging cybersecurity awareness programs

Gamified and engaging cyber security awareness training programs will yield better results compared with your typical ‘mandatory’ employee training you ask your new hires to complete as part of their role onboarding.  

Awareness training should speak to the user who is not familiar with lesser-known complexities of information security, and if you can categorise the training by job function, even better.  

This way of thinking encapsulates the 2022 Cybersecurity awareness theme – See yourself In Cyber.  

2. Level up your ongoing cybersecurity awareness with full-scale phishing simulation campaigns

Related to cyber security awareness programs, you should start getting creative with full-scale phishing simulation exercises.  

Did you know that last quarter saw a record-shattering number of observed phishing attacks? (More than 1 million in a single quarter), fuelled in large part by attempts to target users on their mobile devices. 

Phishing attacks are becoming more difficult spot, with hackers adopting more sophisticated ways to exploit uneducated users within your organisation.  

A great way to mitigate the risk of falling victim to a phishing attempt is to keep your users on their toes by conducting ongoing full scale phishing simulation exercises.  

It goes something like this… 

Imagine a scaled and controlled delivery of a phishing email (disguised as a legitimate business-related email) dropping into all your users’ mailboxes.  

Those users who engage with the email -by clicking a link for example (serial clickers!)- will get notified by your phishing simulation solution to say that they have clicked on a suspicious-looking link (remember this is happening in a controlled way).  

The user is then made to complete additional cyber awareness training, with a focus on how to spot, and how to report phishing attempts.  

This usually happens when your users are on the go or distracted while scrolling through their inboxes on their mobile devices in a queue to get some coffee, or while sitting on a train on their way home from the office. 

3. Practice and enable your teams on how to use strong passwords

You probably heard this a hundred times and maybe included more characters or numbers in your passwords. But it might not be good enough, even worse, so far in 2022, ‘123456’ made it to the top spot of the most commonly used passwords list.   

Password managers are the way forward. If you use password managers (which are encrypted databases that use complex passwords) this will help you safeguard all passwords without having to remember them in your head. 

You can generate very complex passwords -which are incredibly hard to memorize. Once you and your teams start using strong passwords, you have a much better chance to protect your organisation from data breaches.   

4. Enable Multi-Factor Authentication (MFA)

Strong passwords alone are not enough and should always with paired with multi factor authentication (MFA). 

To secure your online accounts and the sensitive data they contain, make sure you a have multi-factor authentication solution in place. When you use MFA, you can protect your account more than just using a username and password all while reducing your chance to get hacked.  

5. Adopt an operational wide approach to cybersecurity by implementing an Information Security Management System (ISMS) and getting it certified to ISO/IEC: 27001

ISO 27001 certification brings great benefits. It shows that your company has used the best practice information security methods and of course It helps you gain a competitive edge in the market and lowers the chance of a costly breach. It’s win win! 

Here is what you achieve with ISO/IEC: 27001 

• Mandatory reporting and KPIs on the effectiveness of user security awareness training. Not only does this helps embed a security culture into your organisation, but also how can you really measure results if these important metrics and KPIs are not defined?  
• Enforcement of organisational wide security policies, including the use of strong and safe passwords.  
• A balanced risk-based approach to secure mission-critical information assets, such as your IT hardware and cloud and on-premises IT infrastructure. 

How can DataGuard help SMBs in managing information security successfully? 

Trust is the secret sauce.  

Trust can be a key differentiator for your company and give a competitive edge. 

At DataGuard, we help SMBs to get their businesses ISO/IEC 27001 certified. We do that with our full proof hybrid approach by bringing the best of both worlds: exceptional Information Security expertise and a sophisticated security platform.   

We provide industry-specific advice, support you to set up your information security management system (ISMS), prepare for an external audit, and we work with you on a continual basis to make sure you stay certified. 

Take cybersecurity awareness beyond Cybersecurity Awareness Month and get ISO 27001 certified.