Jason Lock is an infrastructure architect and consulting IT director who is skilled at analysing risks and opportunities aligned to business growth strategy. He has designed and implemented IT infrastructures for manufacturers, pharmaceutical companies and charities.
Jason doesn’t like the word expert. He considers himself a constant student as cyber security is continually evolving and there is always more to learn.
In this blog he defines terms you need to know, shows how one manufacturer increased their cyber security, and shares ten tips to reduce risk, minimise the impact of an attack, and plan the recovery.
Cyber security isn’t about just preventing cyber-attacks, it’s also about preparing for them.
This means being able to detect an attack and deal with it quickly.
39% of UK businesses identified a cyber-attack in 2021 and over 75% of UK businesses who were hacked paid the ramson to release their data in 2021 which is almost double the global average.
Once criminals have breached a network, they can hold the business to ransom by locking them out of their files and applications. Additionally, they can sell business data on the dark web. It can take months to recover from a cyber-attack with a huge impact on business operations and significant financial costs of recovery with potential ransom payment, data leakage and GDPR fines.
When to run into the server room and disconnect cables
Seriously, don’t do that. You can laugh but that’s what a lot of people’s first instinct is in the event of an attack.
Planning is fundamental to security and for disaster recovery and business continuity. Business teams need to communicate to their IT support what they’ll need if they lose a site or a system, how long they can cope without it and how much data they’ll need restored.
There are lots of factors - network security, firewall security, application security and training are all part of cyber security. This blog doesn’t cover it all. The focus is on how one UK manufacturer strengthened their cyber security. I’ll define terms, break down how we did it and provide ten tips for cyber security in the manufacturing industry.
3 terms you need to know
RPO – Recovery Point Objective. This is the point from which data is restored. If you do backups every day at 6pm and your system fails at 5pm, you’ll get everything back from 6pm yesterday.
RTO – Recovery Time Objective. This is how long it will take to get everything back up and running. You might be able to live without your CRM for a week, and if needs must you can pay people exactly what you paid them last month. What about production data, how quickly do you need that back? What’s the cost to the business if this is unavailable? The RPO and RTO will be different for different systems. The business needs to set their RPO and RTO objectives and it’s the responsibility of IT or their MSP to ensure these are met.
On a side note, where a business has an Managed Service Provider (MSP) looking after their backups, it’s important to highlight that it’s the responsibility of the business to determine the RPO & RTO time frames – not their MSP. It’s also the responsibility of the business to check that backups are being completed successfully and what is being backed up. Backups should also be tested.
MFA – Multi-factor Authentication (also referred to as 2FA). MFA is security technology that requires users to present more than one credential when trying to access a system. An example would be a password and a security token from their registered device.
‘You can’t improve what you don’t measure’
This quote, often attributed to Peter Drucker, is true for cyber security. There are lots of ways for a business to benchmark their security posture and a wide range of applications that can help give you visibility. This means assessing security status across your networks, information, devices and systems based on information security resources i.e. your people, hardware, software and policies plus the capabilities to defend the business and recover from an attack.
One option for businesses on Office 365 and Azure is the Microsoft Secure Scores. This is a security analytics tool that audits an organization’s security posture. You can also link in your firewalls and anti-virus software to get a more holistic view. The higher the score, the better your security. Once you’ve benchmarked your business you can set a target, e.g. >80%.
Cyber security is never one and done. Your IT security needs continuous monitoring and improvement to maintain your target score. Every time you add a new device, you add a risk, and your score reduces for example. Regular communication with the business and updates to the leadership team are critical.
How one UK manufacturer increased cyber security
Fluid started with a security assessment of the entire IT environment. We then compiled a report that detailed the current state as well as recommendations to mitigate risks, with costs and benefits. Together with the relevant stakeholders we then formulated IT security strategy to collectively understand the “what and why”. This led to the creation of the IT security improvement project which detailed the “how and when” with roadmaps, sprints, stage gates, roles and responsibilities documented in detail.
Fluid engaged with the manufacturer’s Managed Service Provider and started the 12-month program of system upgrades, new application deployments, equipment replacement, training and change management.
Several business applications were at end-of-life and were no longer supported by the vendors. This meant no security updates were available to patch vulnerabilities. These applications were upgraded or replaced to mitigate these risks. New wi-fi networks were installed to enhance security.
Fluid created a centralised risk management portal with automated risk notifications and upskilled the internal IT support team on cyber risk management. External penetration testing is done regularly by an independent specialist who attempts to infiltrate the business network.
The team worked with the business to update IT policies and procedures including business continuity, disaster recovery and the cyber incident response plan. Training programs were provided on cyber security and MFA was rolled out across all business users.
Over a 12-month period the Microsoft Secure Score had increased beyond the target. The entire security structure was changed from ‘castle and moat’ to an ‘any device, anywhere’ structure to support remote working.
10 cyber security tips for business
It’s not possible to prevent cybercrime. What you can do is reduce the risk and minimise the impact of an attack as well as plan the recovery if you are hit.
- Strong business ownership is critical to good cyber security. The business needs to define their own business continuity and disaster recovery objectives.
- Have a 3-2-1 backup system in place: 3 copies of your data, on 2 different media types (preferably 1 off-line) and keep 1 copy off-site. Test your backups at least annually.
- Cloud solutions can offer benefits like redundancy, resilience, faster disaster recovery and faster system updates and patching.
- Performance manage your IT suppliers with SLA ticketing, backups, threat management reports and regular reviews.
- Ensure you have IT policies and procedures in place including disaster recovery and cyber incident response policies and that they are updated.
- Introduce multifactor authentications for all applications that support it.
- Deliver cyber security awareness training.
- Personal devices that access business resources can be used to infiltrate your network so protect your environment by disallowing personal device access or implement an MDM (Mobile Device Management) application.
- In addition to the usual desktops, laptops etc., know what software is operating on your network connected machinery, printers etc. and ensure these are also protected.
- Ensure all devices are encrypted where possible.
Get started - score your business on the Fluid Maturity Framework
If you’re unsure whether your cyber security is appropriate for your business then a good place to start is the Fluid Maturity Framework. It sets out what good looks like across eight pillars of IT, including Cyber Security, GDPR, infrastructure, resilience, and disaster recovery.
We use the framework as a starting point with our clients. It sparks our conversations and helps customers figure out what their priorities are and what’s optimal for their business.
We’ve made it available to download so you benchmark your company’s levels of maturity. Then take your score to your leadership team to help make informed decisions about cyber security.