Upload File

cyber security guide

5
SME Business Guidance Series Cyber Security Provided by: Bennett Christmas Insurance Brokers Ltd www.bennettchristmas.com The content of this guide is of general interest only and not intended to apply to specific circumstances. It does not purport to be a comprehensive analysis of all matters relevant to its subject matter. It does not address all potential compliance issues with UK, EU or any other regulations. The content should not, therefore, be regarded as constituting legal advice and not be relied upon as such. It should not be used, adopted or modified without competent legal advice or legal opinion. In relation to any particular problem which they may have, readers are advised to seek specific advice. Further, the law may have changed since first publication and the reader is cautioned accordingly. Design © 2013 Zywave, Inc. All rights reserved. Contains public sector information published by the BIS and licensed under the Open Government Licence v1.0.

Upload: mark-bennett

Post on 28-Jul-2015

145 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Cyber security guide

SME Business Guidance Series

Cyber Security

Provided by:

Bennett Christmas Insurance Brokers Ltdwww.bennettchristmas.com

The content of this guide is of general interest only and not intended to apply to specific circumstances. It does not purport to be a comprehensive analysis of all matters relevant to its subject matter. It does not address all potential compliance issues with UK, EU or any other regulations. The content should not, therefore, be regarded as constituting legal advice and not be relied upon as such. It should not be used, adopted or modified without competent legal advice or legal opinion. In relation to any particular problem which they may have, readers are advised to seek specific advice. Further, the law may have changed since first publication and the reader is cautioned accordingly. Design © 2013 Zywave, Inc. All rights reserved.

Contains public sector information published by the BIS and licensed under the Open Government Licence v1.0.

Page 2: Cyber security guide

2 | Small Business Cyber Security

Many small business owners have taken advantage of online business tools, such as advertising, carrying out financial transactions and communicating with customers and suppliers. However, this increase in usage also brings new and more complex risks into the equation. Every day throughout the United Kingdom, attacks on security and IT systems try to steal private information or disrupt businesses. According to a recent study by the Department for Business, Innovation and Skills, 87 per cent of small business respondents experienced a security breach within the past year.

Understanding Your RisksAs a small business owner, you need to protect your computer-based equipment, data and information from unauthorised access. While it is almost impossible to prevent all risks, the majority of risks can be prevented with basic security practices. It does not have to cost a lot of money, nor do you have to be an IT expert to implement these practices. Even by taking basic measures, you can protect your assets, reputation and customers and help your business thrive.

Common Types of AttacksCyber attacks typically target your business’s information and IT-based services and equipment. Information commonly stolen includes client lists, transactions, databases, financial details, pricing information and personal data. This can occur through theft or unauthorised access of equipment, remote attacks on the IT system or your website, and attacks on information held on third-party systems, such as a cloud-based system.

Sources of the AttacksCyber attacks don’t just come from outside parties (criminals and competitors) trying to steal from or disrupt your business—they can also come from current or former employees. Employees have access to privileged information and can compromise it by accident, through negligence or with malicious intent. Even leaving a laptop unattended for a few minutes can pose a threat.

Consequences of the AttacksOne single attack could seriously damage your business and can cause significant financial losses and costs. Financial losses may occur when financial and bank details are taken, everyday business is disrupted or even when business is lost due to a damaged reputation. A poor reputation can shrink your customer base. There are also significant costs involved with a successful cyber attack. Costs include cleaning up and restoring equipment, IT systems, networks and websites. The Information Commissioner’s Office could fine you for noncompliance with the Data Protection Act. Attacks can also damage other companies you are associated with, such as suppliers or business partners.

Managing Your Risks

Managing your cyber risks can be accomplished in three simple steps: planning, implementation and review. The following pages provide principle assessment questions and a checklist for each step.

Page 3: Cyber security guide

3 | Small Business Cyber Security

Step 1: Planning

1. What information assets are critical to your business? What kind of risks could they be exposed to?

2. What legal and compliance requirements is your business subject to?Assessment Questions

3. How could you continue to do business if you were attacked? How could you manage these risks on an ongoing basis?

Planning ChecklistMake information security part of your normal business risk management procedures.

Consider whether your business could be a target for an attack. Ask your suppliers, major customers or similar businesses if they have been attacked, so you can learn from their experiences.

Know whether you need to comply with personal data protection legislation, such as the Data Protection Act and Payment Card Industry compliance.

Identify financial and information assets critical to your business. Identify essential IT services, such as online payment. Evaluate all IT equipment, including mobile and personal IT devices. Understand the risks to all of these things by considering how they are currently managed and stored, and who has access to them.

Assess the level of password protection required to access equipment and online services by staff, third parties and customers. Determine whether more security is needed.

Ensure all staff is properly trained and understands their role in cyber security.

Decide whether additional investments or expert advice is needed to properly protect your business. If so, seek appropriate advice.

Determine who can provide assistance if you are attacked or if online services are disrupted. Define recovery procedures and plan how to keep your business running in the event of an attack.

Page 4: Cyber security guide

4 | Small Business Cyber Security

Step 2: Implementation

1. Do you have the right security controls in place to protect your information, equipment, IT system and outsourced services?

2. Does your staff know what their responsibilities are? Are they aware of best practices?

Assessment Questions

3. How will you deal with an attack or threat? How will you get your business running again? Who can you turn to for assistance?

Implementation ChecklistPut the proper security controls in place for your business. If third-party IT services are used, check your contracts and service level agreements, and ensure that security controls are in place.

Install malware protection or anti-virus solutions on all systems and keep all software up to date. Restrict access to inappropriate websites. Create a security update policy detailing how and when updates are to be installed.

Protect your networks, including wireless ones, with firewalls, proxies, access lists and other measures.

Identify a standard secure configuration for all IT equipment. Maintain an inventory of all equipment and software. Change any default passwords.

Manage user privileges and restrict access (staff and third-party) to the minimum required. Keep equipment physically secured to prevent unauthorised access.

For home and mobile workers, ensure that sensitive data is encrypted when stored or transmitted online so that data can only be accessed by authorised users.

Restrict the use of removable media such as USB drives, CDs, DVDs and secure digital cards. Protect any data stored on such media to prevent losing data and to prevent malware from being installed.

Monitor use of all equipment and IT systems, collect activity logs and make sure you know how to identify unauthorised or malicious activity.

Page 5: Cyber security guide

5 | Small Business Cyber Security

Step 3: Review

1. Are you reviewing and testing the effectiveness of your control measures?

2. Are you actively monitoring and acting on the information received?Assessment Questions

3. Are you keeping up with the latest cyber risks and threats?

Review ChecklistPeriodically review your security and respond to any changes or problems you identify.

Test, monitor and improve your security controls on a regular basis to manage any changes to your level of risk.

Remove any software or equipment that is no longer needed. This will ensure sensitive information stored on it will be disposed of.

Review and manage changes to user access.

If attacked, ensure that the response includes removing on-going threats (such as malware), understanding the cause of the incident and addressing any gaps in your security that were identified.

Report online fraud and attack to the police via the Action Fraud website at www.actionfraud.police.uk/report_fraud. You may also need to notify customers and suppliers if their data has been compromised or lost.

http://www.actionfraud.police.uk/report_fraud

Regulatory Guide 5.71 - Cyber Security Programs for Nuclear Facilities

It u National Cyber Security Strategy Guide

Cyber Security The Cyber Security - GOV.UK

Cyber security Incident Management Guide 2015

ICC CYBER SECURITY GUIDE FOR BUSINESS · 4 icc cyber security guide for business 1 Examples of external cyber security threats which are increasing are malicious software (such as

IMDA IoT Cyber Security Guide Annex B

CYBER SECURITY DIVISION - dhs.gov · CYBER SECURITY DIVISION: SECURING YOUR CYBER FUTURE • • • CYBER SECURITY DIVISION OVERVIEW The nation’s economic strength and security

Cyber Security Guide

Cyber Security Study Guide - ETH Z

Cyber Security Incident Response Guide...4 Cyber Security Incident Response Guide Few organisations really understand their ‘state of readiness’ to respond to a cyber security

The Ultimate Guide To Cyber Security Certifications

The Four-Step Guide to Understanding Cyber Risk · The Four-Step Guide to Understanding Cyber Risk Identifying Cyber Risks and Addressing the Cyber Security Gap Lifecycle Solutions

CYBER SECURITY AUDIT GUIDE

Cyber security & Importance of Cyber Security

Cyber Security Specialist Information Security • Cyber ... · Cyber Security • Security Analyst • Cyber Security Specialist Information Security • Cyber Operations Manager

NETWORK SECURITY A Buyer’s Guide - Cyber Butler

The Security Director's Practical Guide to Cyber Security

Cyber Security Division Transition to Practice … › sites › default › files › publications › CSD...Cyber Security Division Transition to Practice Technology Guide Fiscal

OpSec Alert: CFO’s Top Secret Guide to Cyber Security

FOR CAMPAIGN TEAMS - Canadian Centre for Cyber Security Security... · With this Cyber Security Guide for Campaign Teams, we’ve outlined practical advice and guidance about cyber

Cyber Security Incident Response Supplier Selection Guide · 2018-08-08 · 4 Cyber Security Incident Response Supplier Selection Guide About this Guide This Cyber Security Incident

CYBER SECURITY INCIDENT MANAGEMENT GUIDE...guide. CYBER SECURITY EVENT A cyber security change that may have an impact on organisational operations (including mission, capabilities,

Cyber security guide for SMEs · Cyber security guide for SMEs • 4 What is cyber security? 01. 02. The cyber security threat landscape in New Zealand and globally has rapidly changed,

Guide to Cyber Security

Improving Cyber-Security Improving Cyber-Security through

Leadership centre Cyber-Risk Practice Guide resources/Cyber-Risk... · Cyber-Risk Practice Guide centre ... and business online security. ... about cyber-risk management should be

GUIDE TO CYBER THREAT MODELLING - Cyber Security Agency

A GUIDE TO STARTING A CAREER IN CYBER SECURITY · 2020. 9. 22. · Often people believe that cyber security is all about technology and hacking.This is somewhat true, but cyber security

Belgian Cyber Security guide - version UK

Cyber Security, Cyber Intelligence & Cyber Investigation

Guide Cyber Security Check

ICC CYBER SECURITY GUIDE FOR BUSINESS - ICC …store.iccwbo.org/content/uploaded/pdf/ICC Cyber security guide for... · The ICC Cyber security guide for business was inspired by the

Cyber Security Incident Response Guide · PDF file4 Cyber Security Incident Response Guide Few organisations really understand their ‘state of readiness’ to respond to a cyber

Cyber Security Career Guide · (resources). In cyber security, the process of strategic planning involves development of strategies to manage information technology related Cyber

Cyber Security Analyst Course Outline Cyber Security