
2BUSY for Cyber Security?

Five free and simple steps to protect your business or charity from cybercrime

and prepare for the GDPR


This guide is suitable for:

Private businesses
Social enterprises
Charities

with:

1 - 50 staff or volunteers

Approximate reading time:

Less than 15 minutes

INCLUDES GDPR


Foreword

Cybersecurity is a journey. This guide is written to help you take those first few steps. It’s advice that might cost you nothing to implement but which could massively reduce your chances of becoming the next victim of cybercrime.

Cybercrime is rampant. You no longer need to be a computer genius to become a professional cyber criminal. The tools, passwords and even online training needed to break into computer networks can all be bought for just a few dollars.

It can be as quick and easy to access your laptop or phone from Moscow as it is from the other side of the room - and breaking into computers is a low-risk activity. The theft or alteration of data or the spread of ransomware can all be carried out with impunity from thousands of miles away, from parts of the world where there is an almost zero chance of being caught let alone prosecuted.

Small UK businesses and charities are rich pickings for the cybercriminal. You might not consider your organisation to be particularly wealthy - but your bank probably has sufficient funds to pay suppliers, salaries and the HMRC. Aside from money, you’ll have databases and spreadsheets listing customers expecting to be invoiced, suppliers waiting to be paid, donors (complete with credit card details) or even lists of vulnerable people you care for.

All of this information can be freely traded on the dark web for cash. Criminals don’t care whether you’re raising money for the local food bank or you’re the local roofing company - their only interest is to get in and take whatever they can. And with the General Data Protection Regulation (GDPR) coming into force - your organisation will now be accountable for keeping all of this data secure.

Stewart Twynham
Cybersecurity Evangelist @ Brandfire Ltd


2BUSY

We wanted to create something which was easy to remember - so that organisations could set themselves some simple yet free to implement cybersecurity priorities.

We needed them to be in tune with upcoming regulations such as the GDPR.

Given that we’re always too busy these days, this led us to the mantra of 2BUSY.

The five priorities we identified were:

2 - Factor Authentication
Backups
Updates
Separation
Your Responsibilities


Use 2-factor authentication

Passwords for almost every e-mail account in the UK have already been stolen. Don’t believe us? Then check out haveibeenpwned.com and see if your e-mail address or favourite password is up for sale on the dark web right now.

Because most people use the same e-mail address and password for different websites, criminals can use the same details to access multiple places. If a criminal ever gets control of your e-mail account or your domain name, they can reset the passwords for other websites, silently copy themselves in on all of your e-mails, and even change the bank account numbers on invoices you send or receive.

Two-factor authentication helps prevent this by carrying out additional checks every time you log in. You may have used something similar when you log on to online banking - you can usually opt to receive a text message, use a smartphone app or a special device. Even armed with a stolen password, without access to this ‘second factor’ - the bad guys won’t be allowed in.

Always follow good password advice

The passwords you set for important accounts such as your e-mail and sites which control your domain name, certificates or security should always be unique.

It is good practice to check that a password has not been previously hacked by visiting: haveibeenpwned.com/passwords

Using three random words is a good way to set a memorable but secure password. You could consider using a password manager for less important websites.
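The haveibeenpwned.com/passwords check above can also be built into your own sign-up or password-change screens, so a breached password is rejected before it is ever set. The following is an added example, not code from this guide or from Brandfire, showing how the check works without ever sending the password itself: only the first five characters of the password’s SHA-1 hash leave your machine, and the matching is done locally against the list of suffixes that comes back. The breach counts and the fake_fetch_range stand-in are constructed so that the example runs offline.

```python
import hashlib
from typing import Callable, Dict, Tuple


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the value the Pwned Passwords service keys on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> Tuple[str, str]:
    """k-anonymity split: only the 5-character prefix is ever sent off the machine."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines a range lookup returns into a dict."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appeared in known breaches; 0 means not found."""
    prefix, suffix = split_for_range_query(password)
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


# Constructed stand-in for the network call so the example runs offline.
# The passwords are well-known weak choices; the counts are made up for this example.
CONSTRUCTED_BREACHED = {"password": 3730471, "letmein": 252000}


def fake_fetch_range(prefix: str) -> str:
    """Return what a range lookup for `prefix` would look like, built from constructed data."""
    lines = []
    for pw, n in CONSTRUCTED_BREACHED.items():
        p, s = split_for_range_query(pw)
        if p == prefix:
            lines.append(f"{s}:{n}")
    # One unrelated, constructed suffix so every answer contains more than the match.
    lines.append("0018A45C4D1DEF81644B54AB7F969B88D65:1")
    return "\r\n".join(lines)


def check(password: str, fetch_range: Callable[[str], str] = fake_fetch_range) -> str:
    """Decision a sign-up form would act on."""
    n = breach_count(password, fetch_range)
    if n:
        return f"REJECT: seen {n} times in breaches - choose another password"
    return "OK: not found in the sample breach data"


if __name__ == "__main__":
    for candidate in ("password", "letmein", "correct horse battery staple"):
        print(f"{candidate!r}: {check(candidate)}")
```

To use the live service, replace fake_fetch_range with an HTTPS GET to https://api.pwnedpasswords.com/range/ followed by the five-character prefix; the response body has the same SUFFIX:COUNT shape that parse_range_response expects. Because the full hash never leaves your machine, the lookup reveals nothing useful about the password even to the service.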

2-factor authentication (2FA) costs nothing and can be used on popular e-mail services and social media.

Under the right circumstances, 2FA can also help protect you against certain phishing attacks, but only if you never disclose the code numbers.

You will never be asked for second-factor codes via a text message or e-mail.


Test your backups and keep them safe

We all know we need to back up our data, but most businesses never get around to checking whether their backups are any good. Without a viable backup, the statistics all tell us you won’t be trading after a major data loss event.

Understand why backups fail

Important files can be stored in odd places that you’re not backing up
Files may not be backed up properly if the application is still running
Backups that span multiple disks or tapes can be overwritten accidentally
Backup media and files are themselves a target for hackers and ransomware
A single error when restoring data can cause the whole recovery to fail
Software may not work correctly after it has been recovered

Test your backups

Your backups should be routinely restored onto a spare computer, securely located away from your office. You get the chance to prepare and test a working machine that’s ready to use in the event of a major disaster.
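A restore test is only meaningful if you can tell whether what came back matches what you had. The following is an added example, not from this guide or from Brandfire, of one way to do that: record a manifest of file hashes from the live data at backup time, keep it somewhere other than the backup media, and compare the restored copy against it. The demo builds a tiny constructed folder, backs it up, deliberately reproduces two of the failure modes listed above (a file that never made it into the backup, and a database copied while it was still being written) and shows the verifier catching both.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def file_sha256(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 for every file under root, taken from the live data at backup time."""
    return {
        p.relative_to(root).as_posix(): file_sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: Dict[str, str], restored_root: Path) -> List[str]:
    """Compare a restored tree against the manifest; an empty list means the restore is good."""
    restored = build_manifest(restored_root)
    problems = []
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"MISSING {rel}")
        elif restored[rel] != digest:
            problems.append(f"CORRUPT {rel}")
    problems.extend(f"EXTRA {rel}" for rel in restored if rel not in manifest)
    return problems


def demo() -> List[str]:
    """Constructed scenario: back up a tiny 'live' folder, damage the backup in two
    realistic ways, restore it to a spare location and report what the check finds."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "accounts").mkdir(parents=True)
        (live / "accounts" / "invoices.csv").write_text("INV-001,120.00\n")
        (live / "customers.db").write_bytes(b"\x00" * 1024)

        manifest = build_manifest(live)  # store this away from the backup media

        backup = Path(tmp) / "backup"
        shutil.copytree(live, backup)
        # Failure 1: a file in an odd place was never included in the backup.
        os.remove(backup / "accounts" / "invoices.csv")
        # Failure 2: the database was copied while the application was still writing it.
        (backup / "customers.db").write_bytes(b"\x00" * 512)

        restored = Path(tmp) / "restored"  # the "spare computer" in the text
        shutil.copytree(backup, restored)
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for line in demo() or ["restore verified: no problems found"]:
        print(line)
```

Keeping the manifest separate from the backup matters because, as the list above notes, backup media are themselves a target: ransomware that can alter the backup could equally alter a manifest stored beside it.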

Consider the cloud

Backing up to the cloud keeps data secure, but you can experience the same issues as conventional backups such as missing data. Cloud-based file storage can offer security, backups and support better workforce mobility and collaboration.

Just 42% of businesses were able to fully restore their network after a system-wide ransomware attack. Even with working backups, a catastrophic data loss can take weeks or even months to fully recover from.

Of those businesses without any viable backups, 43% never re-open and 51% close within 2 years.


Updates - get current, stay current

Most people know to update their operating system - but any piece of software or hardware could act as a backdoor into your business if it isn’t kept up to date. “Critical updates” are the most serious and should be implemented within two weeks - but this shouldn’t get in the way of updating everything else:

If it’s broke, FIX IT! The most successful attacks of 2017 exploited well publicised Microsoft vulnerabilities which had patches available for up to a year earlier.


Good housekeeping

Whilst updating hardware devices - it is always good practice to make sure that they are as secure as possible. Change any default passwords, and make sure any unnecessary features are turned off, whilst any security features are turned on.

Devices which are too old to be supported by their manufacturer should be replaced at the earliest opportunity.

SOFTWARE
Operating systems
Application software
Anti-virus / Anti-malware software
Security / firewall software
Software utilities
Browser plugins
Device drivers and firmware
Website - including plugins

HARDWARE
Smartphones
Tablets
Internet routers
Firewalls
Wifi boxes
Network storage
Network printers
Security cameras


Discover the art of separation

Separation is the single most powerful weapon you have against the cybercriminal - and can cost nothing.

Criminals rely on the fact that entire businesses are run from a single laptop or tablet these days. Whilst it’s handy to be able to pay a supplier or make a change to a user’s account within just a couple of clicks of receiving an e-mail - this makes a mockery of your security if that e-mail was ever malicious.

Separation can apply anywhere. Separating your financial processes allows another set of eyes to check over invoices to reduce the risk of fraud. Requiring administrators to receive e-mails into separate, unprivileged accounts can prevent malware gaining instant control over your network.

Separating visitors from your office network (offering “guest” WiFi so information is only shared via the cloud) prevents anyone walking into your office with an infected laptop or USB device from wreaking havoc.

Keep your home and work life separate - give the kids a cheap laptop or tablet instead of loaning them your work machine - this especially applies to your IT staff and managers who have the greatest system access.

Where possible, keep critical roles within your business separate and encourage staff to question anomalies “out of band” e.g. by picking up the phone or via instant messaging, instead of just hitting “reply”.


Understand your responsibilities

The General Data Protection Regulation - or GDPR - comes into force on May 25th, 2018 and will affect almost every organisation in the UK. If you handle any personal data, then the GDPR will apply to you.

The GDPR is largely an evolution of the current Data Protection Act 1998, but with an increase in scope, and some of it turns good practice into a legal requirement. The GDPR significantly increases the rights of Data Subjects - putting them in the driving seat - and raises the bar for consent.

Some important definitions:

Data Subject – the individual person the data is about

Data Controller – the organisation that ‘determines the purposes’, that decides to gather and use the information on Data Subjects

Data Processor – an organisation that carries out specific tasks on behalf of the Data Controller. There must be a binding contract in place between the Data Controller and the Data Processor.

Personal Data – any information relating to an identified or identifiable natural person (a natural person is an individual rather than a legal entity like a company), which includes contact details and e-mail addresses - even business ones - and “online identifiers” such as Internet Protocol (IP) address.

You will need to understand exactly what data your organisation has, where it came from, how it’s used, who it’s shared with and how long it’s retained for. You will require a legal basis for processing this data.

If relying on consent, this must be freely given, specific and informed - making consent inappropriate for many circumstances. If existing consent is insufficient or is poorly documented, either seek fresh consent, choose an alternative legal basis or stop the processing altogether. If relying on legitimate interest, the processing must also be necessary and balanced against the Data Subject’s rights. Additional conditions apply to sensitive data (e.g. health). If you deal with children, you will need to verify ages or obtain parental consent.

You must communicate exactly how you use Personal Data to Data Subjects which also clearly explains the risks, rules, safeguards and their rights (lawfulness, fairness and transparency).

You need to use the information only for the purposes you state (purpose limitation), limit it to what is strictly necessary (data minimisation) and keep it for no longer than is strictly necessary (storage limitation).

Data must be kept accurate and up to date (accuracy) and you will need to support the new, enhanced rights for Data Subjects including the new timescales and information requirements for Subject Access Requests.

You should protect the Personal Data against unauthorised or unlawful processing and accidental loss, destruction or damage - having processes in place to handle and report any data breaches within 72 hours (integrity and confidentiality).

The above should be documented and records kept so that you can evidence compliance (accountability).

Understand your responsibilities

Under the GDPR, measures should be implemented to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; and the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.

Ensure the confidentiality of personal data
Ensure the integrity of personal data
Restoring availability and access in a timely manner

Use 2-factor authentication
Keep systems up to date
Use Separation
Implement policies and controls
Provide staff awareness training

additionally, you may need to...

Back up your data
Keep systems up to date
Use Separation
Consider the cloud for backups
Provide additional staff training

additionally you may wish to...

Restore backups onto a spare system
Investigate business continuity
Encrypt or pseudonymise your data

additionally you may wish to...

Consider the cloud for file storage
Carry out security testing


Want to know more?

Brandfire Ltd provide training and advice in plain English on complex matters such as cybersecurity and the GDPR, for small businesses, charities and social enterprises.

We bring over two decades of practical, pragmatic experience which can help you secure your organisation, whatever its size, so you can get on with the day job.

© 2017-2018, Brandfire Ltd
All Rights Reserved. Rev. 1e

For more information, please contact us at:

[email protected]

or visit our website:

brnd.fr

Brandfire Ltd
Suite 2/3 - 2nd Floor

48 West George Street Glasgow. G2 1BP
