Top tips on cybersecurity for local businesses – from our expert

Dr Rupak Kharel from the GM Cyber Foundry offers advice on staying secure.

The Coronavirus (COVID-19) pandemic has changed the way in which we all live and work.

Many businesses have gone digital to remain operational during lockdown and are facilitating remote working for their employees, making the need for better cyber security more important than ever.

Since the outbreak, cybercrime has been on the rise.

It was reported that in the month of February alone, there was a spike of 4,300% in COVID-related spam.

Reports also indicated that COVID-related website domains were 50% more likely to be malicious than other domains registered during the same time period.

In response to this, the Greater Manchester Cyber Foundry, which is made up of cyber security experts from four Northern universities including Manchester Metropolitan, is offering free advice to SMEs in Greater Manchester through a new webinar series.

The first webinar starred Dr Rupak Kharel, Reader in Computing at Manchester Metropolitan University, and here are some of his top tips from the episode, for those businesses starting to think about cyber security:

1) Take cyber-security seriously

It is vital that organisations of all sizes take notice of cyber threats – as malicious actors do not exclusively target large organisations.

In fact, the UK Government’s 2020 Cyber Security Breaches Survey found that 43% of micro firms, 62% of small firms, and 68% of medium firms suffered a cyber-attack over a 12-month period – figures which outline just how important cyber security is for all.

This has only been magnified by the current pandemic, with a surge in cyber-attacks since the beginning of the outbreak, including an abundance of phishing attempts and scams on both individuals and businesses alike.

But by taking note of cyber threats and forming strategies to deal with incidents, organisations can earn the trust of their customers and expect to grow as a result.

2) Know your enemy

Security is about risk.

To be able to manage risk, a business needs to know their assets, threats and the malicious actors who pose a danger to them in order to implement reasonable controls – and if something were to happen, strategies for recovery.

To do this they need to have a good understanding of their digital environment. Without knowing this, a business will not be able to identify their risks, let alone protect themselves from these risks.

Knowing the enemy starts with a threat assessment.

By performing a threat modelling assessment, a company will be able to determine the ‘threat actors’ or the entities they are at risk from, as well as their capabilities.

A threat assessment would start with determining sector specific threat actors and eventually working down to application specific threats, unique to that individual business.

This modelling exercise determines the security vulnerabilities and mitigates them before they are exploited.

Both internal and external entities will be looked at, as will their motivations.

By doing this exercise, we can at the very least assess and estimate the enemy’s capability against the security controls that are in place, allowing the company to determine whether or not it accepts the level of risk it is operating at.

A threat assessment may be carried out as regularly as yearly or every other year. However, threat modelling on application systems can be continuous and possibly automated.

People, processes and technology should all work in a uniform manner to do this and the automation of the process should be both practical and cost-effective.

3) Make your business trustworthy

Trust is essential in business and without it, customers and the supply chain may lose faith in a business or stop buying into the services provided.

They won’t want to put themselves or their business at risk – and companies shouldn’t either.

Likewise, stakeholders will be in favour of security management, as they will see the alignment of security within the business and business growth.

The three things companies should be aiming to achieve are: security, privacy and resilience against attacks.

By focusing attention on being secure, with good insight into privacy and data protection, companies will be able to achieve this. It is also the best way to reduce time, costs and resources while still achieving all three goals.

Embracing and incorporating cyber security into the existing products and services will eventually help the business to differentiate from competitors.

It may also allow a company to grasp one of the many opportunities to develop a new product or service to help them grow and diversify.

4) Find the balance between ‘security’ and ‘usability’

Finding the right balance between having a usable system and a secure one can be a challenge.

Prioritising usability over security could leave a system vulnerable to attack and data compromised.

For example, imagine having a good encryption process in place but leaving access control measures weak because a company wants its system administrator to have easy access so they can troubleshoot when things go wrong.

Essentially, good access controls have not been applied around the crown jewel – the data – and it has been left vulnerable, just to make a system more user-friendly.

As a result, an attacker who manages to compromise one of the administrators’ systems will now have access to where the sensitive data is stored. They can escalate their privilege and eventually have access to the data as well.

Here usability was put before security and the implications were serious.

Thinking about usability and security is as important as ever right now. With staff working remotely, businesses will want to ensure everyone can access what they need to easily and have an easy experience working from home during this challenging time.

But, has the urgency to deploy remote working services or increase capacity resulted in security gaps?

5) Be aware of new risks COVID-19 brings

Most industries have been hit with the sudden demands of remote working.

Various cyber security threats, including phishing attempts and scams, have been reported in abundance since the outbreak, making cyber security of significant importance at this time.

Access and usability is one thing we must consider, but it is not the only thing that can make a business vulnerable.

Over the past few years we have seen a drastic change in privacy regulations: a strong indication that governments and other institutional bodies take data privacy seriously, with serious consequences for those who breach these laws.

As a result, we have seen a review and update to data protection laws globally, such as the UK’s 2018 Data Protection Act and General Data Protection Regulation (GDPR) alignment.

Numerous organisations have distributed smart devices to their customer-facing staff to continue working, maintain operational profit and minimise losses throughout lockdown.

But businesses must still consider compliance with data protection rules and consider the risk of their new ways of operating. After all, many have not had adequate time to assess the impact and determine such risks.

Greater Manchester Cyber Foundry Webinar Series

The GM Cyber Foundry includes researchers from Manchester Metropolitan University, the University of Manchester, the University of Salford and Lancaster University.

Their aim is to support Greater Manchester businesses with their digital security needs.
