Four critical steps to achieving cyber security

Steve Forbes, Head of Product Management (Cyber) at Nominet, the UK registry for domain names, sets out the four steps that fund operators must take to make a big difference to cyber security.

Sara Benwell POSTED ON 5/4/2021 2:58:11 PM

Unfortunately, there are no silver bullets in cyber security. In many cases, you don’t need to spend a lot of money, but need to take some time to address the right things and a few small steps can make a big difference.

The four steps are:

  • Protecting your devices
  • Protecting your networks and data
  • Protecting your identity
  • Making sure that you are giving good communication and training.

Protecting your devices

In terms of protecting your devices, obviously devices are out in the world, so you need to ensure that these are being updated so that they are not vulnerable.

Make sure that you have some kind of end point protection on them i.e., basic antivirus, anti-malware on them.

You could also install an endpoint detection and response (“EDR”) solution, which gives you much greater effectiveness whilst you have no devices on your networks.

They will detect and respond automatically but you will also get that view from a central cloud platform where you can see what is going on and enact actions on these devices if you see something amiss.

“Restrict the permissions on your end user devices so that they can’t just install any old software”

Make sure that all of your internet connected devices, especially internet facing things are updated and try to use different devices for your work and personal areas.

Try to ensure that where possible, your employees aren’t using their personal devices for work activity, as that is where you see things go awry and infections start to happen.

Restrict the permissions on your end user devices so that they can’t just install any old software. This can be a bit of a pain to end users, but it is a worthwhile pain so that they can’t just install malware on the fly.

Using a VPN or other security measures should be considered for off network devices. If you can’t use a VPN consider things like web gateways or DNS firewalls that allow your users to have some additional protection whilst they are out in the world connected to the internet.

Protecting your networks and data

Protecting your users and data means that if users need access to the crown jewels within your castle walls, don’t allow unmanaged devices on your network or personal devices to use the VPN, as this is a risk.

Control your access to cloud-based networks and data - most cloud-based tools enable you to do this. Restrict access to your crown jewels only to those who really need to be able to access them.

We need to ensure that backups are suitable for remote working but suitable full stop. Ask: Is your backup connected to your network so that if you get a ransomware, is it likely that your backup is also going to be infected with ransomware as well?

You need to ensure that you have some separation so that if you need to restore following some kind of infection, you have the ability to do that quickly and there is less danger of those backups being compromised in addition to your standard software.

“Restrict access to your crown jewels only to those who really need to be able to access them”

Make sure that you patch your network appliances particularly the internet facing ones as they could be the gateway into your networks.

Behind those firewalls may well be servers that haven’t been patched for certain things because they are not internet facing so the risk is considered low.

Obviously, this means that if an attacker gets into your network through these appliances, they can then expose those vulnerabilities of the non-internet facing servers as well.

You also need to ensure that you register the additional risk from home working and create an action plan to mitigate this.

You want to ensure that you are monitoring the activity of your end users to see if there is anything suspicious going on that you need to be worried about.

Protecting your identity

From an identity perspective you need to use multi-factor authentication wherever you can, particularly if you have users going straight out onto the internet connecting to cloud services.

If you have multi-factor authentication, it means that if their credentials are compromised, this additional layer of protection is there to stop anyone from using the credentials and gaining access.

“Ensure that your users have strong passwords”

Encourage end users to use a password manager or roll those password managers out as a corporate policy to make sure that they aren’t using simple passwords and that these passwords are efficient.

You also want to ensure that your users have strong passwords so the same sorts of policies that you would use on a normal active directory network.

Communications and training

It is important that you are giving communication and training. A lot of the phishing and business emails compromises are based on the fact that users are at home and they are isolated.

While we have many communication tools, it may be that we are not communicating to the end users about security issues and things that we are seeing.

Perhaps a user has identified and reported something back, which is information that could be shared and used to ensure that others are aware of it and don’t fall for it.

You want to ensure that you are thinking about cyber security and training, as it is an absolute must for your end users and this kind of training has become a lower priority for everyone at the moment working from home.

You want to just ensure that everyone can work from home and get access to everything they need but you need to ensure that this does stay on the agenda and that you give you end users this training as well.

“A lot of the phishing and business emails compromises are based on the fact that users are at home and they are isolated”

In terms of priorities, in the short-term, patch and secure your internet facing security gateways, your servers and your MFA wherever you can.

Wherever your users can - put MFA on the software, particularly if they are going directly out to the cloud to access cloud resources.

Only use VPNs when there is a reason to do so, reduce the bandwidth that you need and the number of appliances that you need, as well as the exposures.

Secure remote desktop services wherever you are using them. Make sure that there is some kind of firewall in place or additional authentication and make sure that your back up is suitable and that there is a separation between your back up and your standard network.

“Secure remote desktop services wherever you are using them”

In the medium-term you might want to consider web gateway, DNS firewall solutions at your end points and to implement things like conditional access policies on your cloud resources to make sure that only those who get access should get access from devices that have been approved.

If you can protect devices through this configuration through EDR do that wherever you possibly can.

In the long term, you might want to consider transferring those crown jewels into the cloud. Ensure that you have the scalability of access and that you benefit from the tech giants’ technology.

Perhaps start to consider zero trust architecture, which is designed only to allow users on devices that you know are secure.

Steve Forbes, Head of Product Management (Cyber) at Nominet spoke about the cyber trends facing asset managers in our Fund Technology, Data & Operations, Europe 2021. You can download the report and read more on this theme here.


Please Sign In or Register to leave a Comment.