SaRB for Small and Medium-sized Organisations
Welcome to the 'Security and Risk Blog' for Small and Medium-sized Organisations - otherwise known as SaRB for SMOs or SaRB for Small Organisations.
As the name suggests, this is a blog about security and risk, written to help small organisations learn and explore more about the security risks and threats facing them. Whatever your level of knowledge and experience, we can guide you through to achieving secure outcomes for your organisation.
Introduction - Why a Security and Risk Blog for SMOs?
Why would anyone be interested in cyber security, especially in a small or medium-sized organisation? The reality is that no one is particularly interested in cyber security: no one ever sets up an organisation and then decides that they should now take an interest in cyber security, unless that is the business the organisation is in. But that is not to say that they shouldn't be interested in it.
Myths about Attackers of Small Organisations
Small organisations often mistakenly assume that hackers won’t be interested in a small organisation, because they don’t have the revenues that larger organisations do. They often ask, “Why do I need this costly, time-consuming protection? What’s a hacker or cyber-criminal going to do to my small organisation? What do I have of value that they would spend time attacking my business instead of a larger enterprise?”
This idea is a myth. In fact, small organisations can often be more vulnerable to cyber-security attacks than larger ones. It is important to understand the misconceptions that can leave a small organisation exposed to attack.
Why Cyber Security Advice Sometimes Seems Inconsistent
For Small Organisations and individual users it is often difficult to know what they should be doing, and when they find out and start doing it, they may then find that it is not what they should be doing. We explore some of the reasons behind this, as well as our own frustrations with what happens in practice.
Getting Started with Security in a Small Organisation
Get started with your Organisation's Security Programme! The hardest part of anything is often getting started, whether it is a personal fitness habit or getting started with our organisation's cyber security protection.
Why Should Small Organisations Have Security Policies?
For the majority of small organisations, security policies will make a big difference when something goes wrong. Security policies not only set the intentions for strategic thinking but also define expected behaviour, how to handle certain incidents, and so on. In some respects they may end up being as much for the organisation's other stakeholder groups, including employees, directors, customers, regulators and investors. So it is important not only to have them, but to ensure that they give good coverage for your organisation.
Cyber Essentials Certification - Introduction
In many previous episodes, we’ve mentioned Cyber Essentials Certification as a way of demonstrating a certain level of cyber security controls. But what is it and how does a Small Organisation get it? Can your Small Organisation really get it working on your own or do you need an expert? This is the first of our seven-part series on How to Certify in Cyber Essentials Basics, without paying an expert to do the work for you.
Cyber Essentials Certification - Gateways & Firewalls
An Organisation’s Internet Gateways (mainly routers and firewalls) are usually packaged in with modems as single devices and enable access to the Internet. Firewalls help control the flow of data coming into and out of an Organisation. Together these devices play a big role in the security of a Small Organisation’s network.
Cyber Essentials Certification - Secure Configuration
All your operating systems, apps, software and services you use must be configured correctly to protect you from attacks. Secure Configuration of user and system devices and servers must enable you to protect these assets and know when there has been a compromise.
Cyber Essentials Certification - Software Patching
Patching software has long been an irritant for users and administrators, as it can take hours to complete. Nevertheless, applying patches is very important to protect against attacks and ransomware.
Cyber Essentials Certification - User & Admin Accounts
Attackers often gain access to systems through weak account management practices. Cyber Essentials deals with this by ensuring that organisations have strong practices in place to protect user credentials from being compromised easily.
Cyber Essentials Certification - Malware Protection
When attackers attempt to compromise systems, they often do so by loading some form of malware onto your device. Cyber Essentials deals with this by ensuring that organisations have strong practices in place to protect their devices from being compromised easily.
Cyber Essentials Certification - Submission Process
The final stage of the Cyber Essentials process is to submit your questionnaire responses for assessment. Here we explore some of the things organisations get wrong that may lead to failure in Certification, and what to do about these things.
Safe & Secure Internet Browsing
As web development has matured, so too have the applications and interfaces of websites and the browsers used to view and access them. The fact that we can do so much more on the web now than ever before also brings greater opportunities for criminals. Here we go through some of the things people can do to ensure that they are browsing more safely.
Monitoring Employees in SMOs
Small and medium-sized organisations sometimes have issues which lead them to believe that they should monitor what employees are doing. These concerns may be well founded in many cases, but the fact remains that there is often a legitimate need to monitor what is happening on the network regardless. In this blog we look at the right approach to employee monitoring for SMOs.
Remote Working for Small Organisations
The Covid-19 pandemic in 2020 accelerated the need for all organisations to consider remote or home working in ways that nothing before it had, or could have had. Previously, this might only have been considered by Small Organisations as they grew, and even then under very different conditions from the ones we find ourselves in now.
Getting and Keeping Enterprise Customers with Security
Today's enterprise customers are more attuned to risk and security, and because of that they want to work with suppliers who take security seriously. This is especially so as there have been many high-profile breaches which originated from a third-party supplier. So the best way for Small Organisations to get and keep enterprise customers is to demonstrate that they understand risk and security.
Ensuring Secure Supply Chains for Small Organisations
For small organisations to keep large enterprise customers, they must make sure that their supply chain is secure, consistent and not easily disrupted. To do this successfully they have to invest in processes similar to those used by their enterprise customers. Here we explore some of those considerations for small organisations, so that you are not comparing apples to pears.
Authentication for Small Organisations
Many Small Organisations use a vast range of online and offline services where they are required to log in to prove who they are. That process of validation is called authentication, and all services are restricted until a user has authenticated themselves to the system. Unfortunately, not all forms of authentication are equally secure. In this blog we explore the various methods open to Small Organisations, what they should use, and what to avoid when it comes to authentication.
Website Security for Small Organisations
People read or hear about breaches in the press on a regular basis, and website breaches are one of the largest categories of breaches that take place. These don't just affect large corporates; they affect small organisations as well, especially since small organisations often do not have the expertise to secure their websites. Here we look at what small organisations can do to secure their websites.
Secure Data Deletion
When something is deleted, most people expect that it is no longer accessible to them or anyone else. Unfortunately, this is far from the truth. Deleting data does not mean that it is no longer accessible.
Social Media and Cyber Security in SMOs
Social media has grown over the last fifteen years from something you used occasionally to something that some people rely on for just about everything. Social media sites and apps have added services and functionality that enable users to interact with brands and personalities in ways that were never previously possible.
Topics we cover & How we help
Managing Security Risks
- Identifying threats and risks to organisations
- Identifying assets specific to small and medium-sized organisations
- Tools, services and controls small and medium-sized organisations can use:
  - to protect their assets
  - to detect whether their organisation is in the process of being breached, or has already been breached
  - to respond to a likely breach or compromise
  - to recover from breaches or compromises
- Email security issues for organisations
- Ransomware risks to organisations
- Network security for small organisations
- Risks, and strategic and tactical approaches to security, for organisations of 0 to 10 to 50 employees and beyond.
Free security and risk resources we provide
- Complete Cyber Essentials Asset Register spreadsheet with:
  - Computer details
  - Server details
  - Mobile devices
  - Network devices
  - Printers and scanners
  - Other devices
  - Special bonus: an additional Intellectual Assets tab (not required for Cyber Essentials Certification)
- Template policies
- Checklists
- Action lists.
Your Bloggers
Sarb Sembhi, Chief Technology Officer at Virtually Informed.
Nick Ioannou, Director of Boolean Logic Limited, a blogger, an author and public speaker.