Cyber security controls: an introduction for businesses
This advice is designed for Jersey businesses of a range of sizes. It outlines the critical security controls businesses should put in place to protect themselves.
For more information, you can visit our Information pages. You can also book a free cyber advice session with our team by completing this form.
If you are experiencing a cyber security incident, you can report it to us by:
- completing an incident report form
- emailing incidentreports@jcsc.je
- calling +44 (00) 1534 500 050
Patch all your systems regularly
In cyber security, a ‘patch’ is an immediate solution to an identified problem. You may already patch your operating system (e.g. Microsoft Windows) on a regular basis. However, there are also patches for the other services you use, including:
- databases
- firewalls
- routers
- mobile devices
- CCTV systems
- Internet of Things (IoT) devices
Developers release patches to fix vulnerabilities as they discover them. However, a vulnerability may have existed for some time before the patch is released.
This is why we recommend that you install patches as soon as they’re available and why Cyber Essentials recommends installing a patch within 14 days of release. Remember: the longer you go without patching a vulnerability, the more time attackers have to find ways to exploit that vulnerability.
For standard patches, we recommend you develop a simple, repeatable process for testing and deployment.
Emergency patches are slightly different. These are patches that address a vulnerability that cyber attackers can exploit. You should have an emergency patching process in place so that you can install these patches as soon as you reasonably can.
When a system reaches the end of its life, it will no longer be supported by the developer. This means that even if new vulnerabilities are found, the developer will not release patches for them. If you are using a system that is no longer supported by a developer, your system is at risk. To reduce this risk, you should ensure that you replace systems before they reach the end of their life.
In some cases, you may be required to run obsolete software or hardware. This may be because of how it works with your other systems, or because it is a unique piece of software. In these cases, you can introduce an additional control: you should make sure that the affected software or hardware is not connected to the rest of your network.
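The patching controls described above (the 14-day window for standard patches, a faster track for emergency patches, and isolating anything the vendor no longer supports) can be checked against a simple inventory. The script below is an added example, not JCSC's own tooling; the system names and the "VENDOR-2024-nnn" patch identifiers are constructed placeholders, not real bulletins.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

PATCH_WINDOW_DAYS = 14  # the Cyber Essentials window quoted in the guidance above


@dataclass
class Patch:
    patch_id: str            # hypothetical identifier, e.g. a vendor bulletin number
    released: date
    emergency: bool          # fixes a vulnerability attackers can exploit
    installed: Optional[date] = None


@dataclass
class System:
    name: str
    supported: bool          # does the vendor still release patches for it?
    isolated: bool           # is it kept off the rest of the network?
    patches: list = field(default_factory=list)


def review_patching(systems, today):
    """Return (system name, finding) pairs for anything that breaks the patching controls."""
    findings = []
    for s in systems:
        if not s.supported and not s.isolated:
            findings.append((s.name, "end-of-life: no vendor patches and still connected to the network"))
        for p in s.patches:
            if p.installed is not None:
                continue  # already applied
            age = (today - p.released).days
            if p.emergency:
                # Emergency patches get no grace period: report them as soon as they are outstanding
                findings.append((s.name, f"{p.patch_id}: emergency patch outstanding for {age} days"))
            elif age > PATCH_WINDOW_DAYS:
                overdue = age - PATCH_WINDOW_DAYS
                findings.append((s.name, f"{p.patch_id}: {overdue} days past the {PATCH_WINDOW_DAYS}-day window"))
    return findings


# Constructed inventory (hypothetical systems and patch ids, not real bulletins)
INVENTORY = [
    System("file-server", supported=True, isolated=False, patches=[
        Patch("VENDOR-2024-001", date(2024, 2, 1), emergency=False),    # 29 days old on 1 March
        Patch("VENDOR-2024-002", date(2024, 2, 25), emergency=False),   # 5 days old, still inside the window
        Patch("VENDOR-2024-003", date(2024, 2, 27), emergency=True),    # exploitable, 3 days outstanding
        Patch("VENDOR-2024-004", date(2024, 1, 10), emergency=False, installed=date(2024, 1, 15)),
    ]),
    System("cctv-recorder", supported=False, isolated=True),          # obsolete but segregated
    System("legacy-label-printer", supported=False, isolated=False),  # obsolete and exposed
]


def run_review(today=date(2024, 3, 1)):
    return review_patching(INVENTORY, today)


if __name__ == "__main__":
    for name, finding in run_review():
        print(f"{name}: {finding}")
```

Running it on the constructed inventory reports the overdue standard patch, the outstanding emergency patch, and the obsolete device that has not been isolated; the segregated CCTV recorder is accepted because it has the compensating control the text describes.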
Use 2 Factor Authentication (2FA)
As standard, your systems and user accounts should be protected by passwords, but it is vital that these are good passwords.
Ensuring that all users and systems have good passwords is one of the easiest ways to protect your business. A good password is one that is easy for the user to remember, but hard for a computer to guess. The National Cyber Security Centre (NCSC) suggests using a combination of three random words as the basis for your passwords.
However, even if you’re using strong passwords they can still be compromised.
Using 2-Factor Authentication (2FA, also known as Multi-Factor Authentication, or MFA) will add an extra layer of protection. 2FA asks a user for two types of identification before they can access a system. This might mean pairing a password with a biometric (like a fingerprint) or a code sent to your phone or mobile app.
If it is set up correctly, having 2FA gives you extra protection because even if the malicious actors have access to a staff member’s password, they won’t be able to produce the second type of identification. This will make it harder for them to break into your systems.
You should use 2FA for network, device, and app access, and personal services and accounts.
You can read more about three random words via the NCSC website.
Control privileged access
Your customer-facing and employee-facing systems (like websites and emails) rely on hidden IT infrastructure. These directories, databases, file systems and routers work hard in the background to support your business. Each piece of infrastructure relies on someone to manage, configure and maintain it: this is referred to as having “admin” or “privileged” access.
If an attacker gains admin access to your IT infrastructure they can damage your systems, and your business. To manage this risk, you should keep tight control of who has admin access to your systems. We recommend introducing the following controls:
- set strict limits on who can use the admin account
- enforce the use of multi-factor authentication (MFA) for admin accounts
- record when an account was accessed, why it was accessed and who accessed it
- ensure that IT staff do not use privileged accounts for email and web browsing
Manage your attack surface
Your attack surface is all the possible points where an unauthorised user can access your systems, or remove data. This includes:
- your digital attack surface: the hardware and software that is connected to your network
- your physical attack surface: all laptops and desktop computers, mobile phones, hard drives, and USB drives
The smaller your attack surface, the easier it is to protect.
Many cyber attackers will start by scanning your network to find potential ways they can access it. This could be through things like unpatched systems, accounts that still use their default credentials, or guest accounts that you may have forgotten about.
Most cyber attackers are opportunists. They’ll focus on attacks that are easier to carry out, and which produce high rewards. If an attacker thinks your network looks hard to break into and it’s low reward, they’ll likely choose another target.
Even if a cyber attacker is specifically targeting your network, a smaller attack surface will make it harder for them to get in. You can reduce your attack surface in several ways:
- run network firewalls that sit between your network and the internet
- run application firewalls that sit between your application and the internet
- make sure that your systems are built to a consistent standard, in line with CIS Security Benchmarks
- turn off ports and services you don’t need
- only have your systems face externally if it’s necessary
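One practical way to act on "turn off ports and services you don't need" is to compare what a server is actually listening on with the short list of services it is supposed to expose. The script below is an added example, not JCSC's own code; it assumes a Linux server and parses lines shaped like the output of `ss -tlnp`, and the sample output, processes and ports are constructed for illustration.

```python
import re

# Constructed sample shaped like `ss -tlnp` output on a Linux server (assumption);
# the processes and ports are invented for illustration.
SAMPLE_LISTENERS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=1204,fd=6))
LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=1330,fd=21))
LISTEN 0      128    0.0.0.0:21          0.0.0.0:*         users:(("vsftpd",pid=1501,fd=3))
LISTEN 0      128    [::]:5900           [::]:*            users:(("x11vnc",pid=1602,fd=4))
"""

# What this server is supposed to expose to the network: port -> process
APPROVED_SERVICES = {22: "sshd", 443: "nginx"}

LISTEN_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')
LOOPBACK = {"127.0.0.1", "::1"}


def parse_listeners(text):
    """Return (address, port, process) for each LISTEN line; other lines are ignored."""
    out = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            out.append((m.group(1).strip("[]"), int(m.group(2)), m.group(3)))
    return out


def audit_exposure(listeners, approved):
    """Flag listeners reachable from the network that are not on the approved list."""
    findings = []
    for addr, port, proc in listeners:
        if addr in LOOPBACK:
            continue  # bound to loopback only: not part of the external attack surface
        expected = approved.get(port)
        if expected is None:
            findings.append(f"{proc} on {addr}:{port}: not approved, turn it off or block it at the firewall")
        elif expected != proc:
            findings.append(f"port {port}: approved for {expected} but served by {proc}")
    return findings


def run_audit():
    return audit_exposure(parse_listeners(SAMPLE_LISTENERS), APPROVED_SERVICES)


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

On the constructed sample the database is accepted because it only listens on loopback, while the FTP and VNC services are reported: neither is on the approved list, so they either need a business justification and a firewall rule, or they should be switched off.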
Keep your backups segregated and tested
Every business can put in place cyber security controls to reduce the likelihood of a cyber attack being successful. However, no controls can disrupt every possible future cyber attack, so you should plan (and behave) as if an attack may one day be successful.
This includes preparing for data loss. After a cyber attack, you could lose access to the data you need to run your business, or to the technical data you need to configure your systems and network.
To protect yourself, you should maintain copies of your data (these are known as backups). Your backups should be segregated from your primary network. This could be offline, such as on a dedicated computer, storage array or USB stick. It could also be via an online backup service or a cloud computing platform.
You should schedule regular backups of your data to ensure that you have access to the most recent version of your critical information.
Finally, you should run regular tests to make sure that you can restore data, and use it when needed. If your backups are available but you need to spend three weeks downloading them from the cloud, they will be of limited use after an attack. If you know this before you’re targeted you’ll have time to find a solution.
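A restore test is only meaningful if it checks that the restored files are the files you backed up, not just that the restore finished. The script below is an added example, not JCSC's own tooling: it writes a small constructed data set, backs it up into a compressed archive with a SHA-256 manifest, restores it into a clean directory, verifies every file against the manifest, and then shows that a damaged restored file is caught. The file names and contents are constructed for the demonstration.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir, archive_path):
    """Archive every file under source_dir and write a SHA-256 manifest beside the archive."""
    source_dir = Path(source_dir)
    files = sorted(p for p in source_dir.rglob("*") if p.is_file())
    manifest = {p.relative_to(source_dir).as_posix(): sha256_of(p) for p in files}
    with tarfile.open(archive_path, "w:gz") as tar:
        for p in files:
            tar.add(p, arcname=p.relative_to(source_dir).as_posix())
    manifest_path = Path(f"{archive_path}.manifest.json")
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest_path


def restore_backup(archive_path, restore_dir):
    """Extract the archive into restore_dir, using the safe 'data' filter where Python provides it."""
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive_path, "r:gz") as tar:
        tar.extractall(restore_dir, **kwargs)


def verify_restore(manifest_path, restore_dir):
    """Compare every restored file against the manifest; return (ok, list of problems)."""
    restore_dir = Path(restore_dir)
    manifest = json.loads(Path(manifest_path).read_text())
    problems = []
    for rel, expected in manifest.items():
        p = restore_dir / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(p) != expected:
            problems.append(f"corrupted: {rel}")
    return (not problems, problems)


def run_restore_test():
    """End-to-end drill on constructed sample data: back up, restore, verify, then
    show that a damaged restored file is caught. Returns both verification results."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "data"
        (src / "config").mkdir(parents=True)
        (src / "customers.csv").write_text("id,name\n1,Example Ltd\n")    # constructed
        (src / "config" / "router.cfg").write_text("hostname edge-1\n")  # constructed
        archive = tmp / "backup.tar.gz"
        manifest = make_backup(src, archive)
        restore_dir = tmp / "restore"
        restore_backup(archive, restore_dir)
        clean_result = verify_restore(manifest, restore_dir)
        # Simulate a restore that silently returned bad data for one file
        (restore_dir / "customers.csv").write_text("id,name\n")
        damaged_result = verify_restore(manifest, restore_dir)
    return clean_result, damaged_result


if __name__ == "__main__":
    clean, damaged = run_restore_test()
    print("clean restore:", clean)
    print("damaged restore:", damaged)
```

Keeping the manifest with the backup (and a copy elsewhere) means the restore test can be repeated by anyone, not just the person who took the backup; timing how long the restore takes on a realistically sized copy answers the "three weeks downloading from the cloud" question before an incident rather than during one.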
Manage risk in your value chain
As well as direct attacks on your business, cyber attackers may target an organisation by sending malicious emails from a customer or supplier. We’ve seen this type of attack happen to Jersey businesses. The attacker gained access to the system of a customer or supplier, then used that access to target an organisation.
Your business can’t take responsibility for the security of every client or supplier as well as your own. However, you can take some steps to manage these risks:
- undertake security assurance with your suppliers to make sure that they have appropriate controls in place
- notify your customers of any security issues or concerns
- pass on cyber security advice and alerts to us
Develop effective monitoring and alerting
If something goes wrong, it’s essential that you are the first to know. This will mean that you can understand the issue, act quickly, and (in some cases) limit the impact.
Regular monitoring helps identify any anomalies that could suggest cyber security issues. You can then investigate these issues and introduce new controls, before an attack.
There are several ways to do regular monitoring. Some methods are more suited to smaller businesses:
- If you know which of your systems are critical to your business, you can often contract a security supplier to monitor them. There are several businesses in Jersey that can provide this service.
- You can install cloud-based firewalls and security monitoring services to monitor your website (for example, CloudTrail for Amazon cloud services, or Sentinel for Microsoft Azure).
For larger organisations:
- You can use a Security Information and Event Management (SIEM) tool. SIEM tools collect and analyse data from your applications, devices, servers and users in real-time. This allows your security team to detect attacks and block them. You can read more about SIEM via the Microsoft website.
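Whatever the size of the business, the monitoring service or SIEM is applying rules like the two below to the logs it collects. This is an added example, not JCSC's or any vendor's detection content: it runs two simple rules over constructed login records (a burst of failed logins from one source address, and a successful login for an account shortly after repeated failures on it). The log format and the addresses are invented for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login records (not from any real system): "<timestamp> <result> user=<u> src=<ip>"
SAMPLE_LOG = """\
2024-03-01T09:00:01 FAIL user=alice src=203.0.113.7
2024-03-01T09:00:03 FAIL user=alice src=203.0.113.7
2024-03-01T09:00:05 FAIL user=alice src=203.0.113.7
2024-03-01T09:00:08 FAIL user=admin src=203.0.113.7
2024-03-01T09:00:10 FAIL user=admin src=203.0.113.7
2024-03-01T09:00:40 OK user=alice src=203.0.113.7
2024-03-01T09:15:00 FAIL user=bob src=198.51.100.20
2024-03-01T09:20:00 OK user=bob src=198.51.100.20
2024-03-01T09:30:00 OK user=carol src=192.0.2.44
"""


def parse(line):
    ts, result, user, src = line.split()
    return datetime.fromisoformat(ts), result, user.split("=", 1)[1], src.split("=", 1)[1]


def detect(lines, burst_n=5, burst_window=timedelta(seconds=60),
           fail_before_success=3, success_window=timedelta(minutes=10)):
    """Return (rule, subject, detail) alerts for the two rules, in log order."""
    alerts = []
    fails_by_src = defaultdict(list)    # sliding window of failure times per source address
    fails_by_user = defaultdict(list)   # failure times per account since its last success
    burst_alerted = set()               # alert once per source, not once per extra failure
    for line in lines:
        ts, result, user, src = parse(line)
        if result == "FAIL":
            window = fails_by_src[src]
            window.append(ts)
            while window and ts - window[0] > burst_window:
                window.pop(0)
            if len(window) >= burst_n and src not in burst_alerted:
                burst_alerted.add(src)
                alerts.append(("FAILED_BURST", src,
                               f"{len(window)} failed logins within {int(burst_window.total_seconds())}s"))
            fails_by_user[user].append(ts)
        elif result == "OK":
            recent = [t for t in fails_by_user[user] if ts - t <= success_window]
            if len(recent) >= fail_before_success:
                alerts.append(("SUCCESS_AFTER_FAILURES", user,
                               f"login from {src} after {len(recent)} recent failures"))
            fails_by_user[user].clear()
    return alerts


def run_sample():
    return detect(SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for rule, subject, detail in run_sample():
        print(f"{rule}: {subject}: {detail}")
```

On the sample the single failure for bob before his successful login is ordinary user behaviour and produces nothing; the five failures from one address in ten seconds, and alice's successful login straight after three failures on her account, are the events a person should look at, and the second one is exactly the case where 2FA on the account limits the damage.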
Test your incident management process
Even if you experience a cyber incident, you do still have some control of the situation. Depending on how you manage it, you can reduce the impact of the incident on your business.
Incident management describes how you identify, manage, record and analyse security threats or incidents as they happen. Incident management also describes how you communicate about the incident. This could include communicating with staff, stakeholders, regulators, customers, and the public.
Bad incident management can turn a drama into a crisis, and damage relationships. Good incident management can reduce the impact on your business, and improve your relationships with customers and stakeholders.
The best way to improve the way you manage incidents is to have an incident response plan. The complexity of your incident response plan will depend on the size and scale of your business. It will also vary depending on the number of people involved in your response, and how you manage your IT services. Regardless of the size of your organisation, your incident response plan should include:
- a list of key contacts
- their roles and responsibilities
- a process for making critical decisions
- basic guidance on HR or legal issues
You can find more information about how to design an incident response plan via the UK’s National Cyber Security Centre (NCSC).
Mock Cyber Security Incident Response Exercises
We run regular Mock Cyber Security Incident Response Exercises throughout the year. These sessions take you through a simulated cyber incident in your industry. They give you opportunities to test your response, and learn more about what controls you can put in place.
To find out the dates of the next event, visit our Event page.
Verify your controls
Implementing any one cyber security control will help protect your business. Implementing several controls will give your business additional protection. However, you need to regularly verify that these controls:
- function the way you expect them to
- give you adequate protection against the risks you face
- meet the relevant security requirements for your industry
If you find exceptions to the controls you’ve put in place, you should take action. You should have a clear plan on how you’re going to eliminate these risks, and when you’ll do it. You may also need to report them to any relevant stakeholders.
There are several ways to verify your controls.
You can contract an external organisation to run security testing on your network. There are several cyber security providers in Jersey, and some offer security testing. You can find a list of cyber security suppliers in Jersey on this page.
You can verify your controls against Cyber Essentials (CE) or Cyber Essentials Plus (CE+). Both are certification schemes focused on preventing the most common cyber security attacks. Certification costs from £320, depending on the type of certification and the size of your business. You can find out more about Cyber Essentials and Cyber Essentials Plus via the NCSC website.
Finally, some cloud services (including Office 365) provide tools that compare your IT configuration against common standards and frameworks. This may be suitable for smaller organisations.
Share cyber security incidents with JCSC
Cyber security incidents happen all the time, to organisations of all kinds. No matter how prepared you are, if you experience a cyber security incident you can contact us.
Depending on the type of incident you’re experiencing we can:
- give you more information and advice
- signpost you to more support
- provide direct support
You can find out more about how JCSC can support you during an incident here.
If you report an incident to us, it can help us protect other Island businesses from being targeted by the same attack. It can also help us identify future threats. You can report an incident by:
- completing an incident report form
- emailing incidentreports@jcsc.je
- calling +44 (00) 1534 500 050