Do you have a good understanding of what you need to do to help protect against cyber-attacks in your IT environment?
Effective protection of an IT environment against cyber-attacks requires knowing what needs to be protected.
Invariably, IT teams in medium-sized businesses do not have the resources to fully document their IT environments. They are also unlikely to have the specialist knowledge or skills to thwart or respond to a cyber-attack.
If your business has not reviewed its cyber defences recently, now is the time to do it, before it is too late.
Some of the steps you may need to take are:
- Review Microsoft 365 security settings. Microsoft 365 has over 150 different security settings. Do you understand the impact each setting has on your business security? An assessment of your M365 security configuration using the Microsoft Secure Score and tested against best practice guidelines would be a simple and prudent start.
- Closely examine how your business controls access to your data. The way your business controls users’ access to data, together with the configuration and maintenance of your key IT systems, is critical to maintaining the security of your data and systems.
An analogy from your daily private life is when you keep your front door locked and when you unlock it, or when you turn your security alarm on and when you turn it off. Those controls help to determine whether or not your house is an easy target for a burglary. According to the New Zealand Government’s Computer Emergency Response Team (CERT NZ), there are 10 top controls for business. Do you know what they are? Are those controls documented and clearly articulated to your team? When was the last time you reviewed those controls?
- Are there any “holes” in your networks that can easily be used by an attacker to get in from the outside? To find out, you can perform a scan of your network from the outside and assess it using a database of known weaknesses.
- Are there any “holes” in your networks that can be easily used by an attacker to get in from the inside? To find out, you can perform a scan of your internal network using a database of known weaknesses.
- Does your team have a basic knowledge of security? Your staff members are the first line of defence of your business against cyber-attacks. They typically have all the keys to your buildings and networks. If a malicious attacker asks them, via a fraudulent email, will they let the “uninvited guest” in? This tactic is commonly used by malicious network attackers. It is called “phishing”. To find out how well your people are prepared, you can generate and launch a “generic phishing campaign” to assess the security awareness of your staff.
If any of the above has not been done recently, you may want to consider engaging a specialist to perform these tasks. If your in-house IT team has not done this already, they are not likely to have any capacity to do a good job of this.
Remember, it is just a question of “when”, not “if”, your firm will be attacked.
Fill out the form below if you wish to talk with our team about our experience reviewing our customers’ IT security settings.