Cybersecurity Spring Cleaning

By Chris Holden, independent information security expert
It might still be early in the year, but it certainly isn’t too soon to start planning some Spring cleaning – especially in terms of cybersecurity. Once policies, practices, software and devices are in place it is easy to rest on the proverbial laurels, but as the nature of the threats faced never stands still, nor should your organisation’s defensive stance.
Here are five suggestions for your cybersecurity to-do list this quarter:
1. Patch! It seems painfully obvious, but audit both software and devices to ensure they have up-to-date patches. Firmware updates for network devices and every single security update for all your company’s software are important. Every patch that is missed is a possible opening for an exploit. Bear in mind that patches are for known security issues – so you can be sure that everyone from seasoned cyber criminals through to first-time ‘script kiddies’ knows to look for unpatched security holes. A failure to patch correctly at a small branch office could lead to a breach of the whole company!
2. Review both your disaster recovery and security breach response plans to see if they are robust. If they haven’t been tested recently, test them. In a large organisation, it is easy for staff to change and for key responsibilities not to be reassigned – which can lead to disaster if not fixed. In any organisation, testing also means practice, which pays dividends should you actually need to put a response plan into action. Of course, it is vital to know that a disaster response plan works. It can never be assumed that because a test worked several months ago, it still works now!
3. Review the working practice policies that affect company employees (users), such as Acceptable Use Policies, Data Protection Policies, Non-Disclosure Agreements, etc. Are they clear enough to be easily understood? Are they enforceable? Is it possible for every employee to do their job without breaching them? Does any policy need its content updating or simplifying? One reason this review is often ignored, and policies are not updated, is that it involves collaboration with Human Resources.
4. Make sure your organisation’s cybersecurity stance looks inwards as well as outwards, and that your whole I.T. team and higher management understand this. Threats are often considered to come from outside the network, but once the outer defences have been breached, a payload may have been left undetected on the internal network – and it can still be there even after the security hole exploited to place it has been fixed! It must also be remembered that company employees sometimes have criminal intent, or may be negligent, so the threat can be entirely internal. Ensure your team is looking both ways.
5. Make sure your network users know what they are allowed or meant to do, and what is proscribed, i.e. that they have not just blindly signed policy agreements. Also, make sure they know why they can or cannot do something. A little user education can pay dividends down the line. Not only should new hires get some training along these lines, but everyone should get a regular refresher – especially data handlers.