39% of UK businesses identified a cyber-attack in 2021 and over 75% of UK businesses who were hacked paid the ransom to release their data in 2021 which is almost double the global average.
Once criminals have breached a network, they can hold the business to ransom by locking them out of their files and applications. Additionally, they can sell business data on the dark web. It can take months to recover from a cyber-attack with a huge impact on business operations and significant financial costs of recovery with potential ransom payment, data leakage and GDPR fines.
Seriously, don’t do that. You can laugh but that’s what a lot of people’s first instinct is in the event of an attack.
Planning is fundamental to security and for disaster recovery and business continuity. Business teams need to communicate to their IT support what they’ll need if they lose a site or a system, how long they can cope without it and how much data they’ll need restored.
There are lots of factors - network security, firewall security, application security and training are all part of cyber security. This blog doesn’t cover it all. The focus is on how one UK manufacturer strengthened their cyber security. I’ll define terms, break down how we did it and provide ten tips for cyber security in the manufacturing industry.
RPO – Recovery Point Objective. This is the point from which data is restored. If you do backups every day at 6pm and your system fails at 5pm, you’ll get everything back from 6pm yesterday.
RTO – Recovery Time Objective. This is how long it will take to get everything back up and running. You might be able to live without your CRM for a week, and if needs must you can pay people exactly what you paid them last month. What about production data, how quickly do you need that back? What’s the cost to the business if this is unavailable? The RPO and RTO will be different for different systems. The business needs to set their RPO and RTO objectives and it’s the responsibility of IT or their MSP to ensure these are met.
On a side note, where a business has an MSP looking after their backups, it’s important to highlight that it’s the responsibility of the business to determine the RPO & RTO time frames – not their MSP. It’s also the responsibility of the business to check that backups are being completed successfully and what is being backed up. Backups should also be tested.
MFA – Multi-factor Authentication (also referred to as 2FA). MFA is security technology that requires users to present more than one credential when trying to access a system. An example would be a password and a security token from their registered device.
This quote, often attributed to Peter Drucker, is true for cyber security. There are lots of ways for a business to benchmark their security posture and a wide range of applications that can help give you visibility. This means assessing security status across your networks, information, devices and systems based on information security resources i.e. your people, hardware, software and policies plus the capabilities to defend the business and recover from an attack.
One option for businesses on Office 365 and Azure is the Microsoft Secure Scores. This is a security analytics tool that audits an organization’s security posture. You can also link in your firewalls and anti-virus software to get a more holistic view. The higher the score, the better your security. Once you’ve benchmarked your business you can set a target, e.g. >80%.
Cyber security is never one and done. Your IT security needs continuous monitoring and improvement to maintain your target score. Every time you add a new device, you add a risk, and your score reduces for example. Regular communication with the business and updates to the leadership team are critical.
Fluid started with a security assessment of the entire IT environment. We then compiled a report that detailed the current state as well as recommendations to mitigate risks, with costs and benefits. Together with the relevant stakeholders we then formulated IT security strategy to collectively understand the “what and why”. This led to the creation of the IT security improvement project which detailed the “how and when” with roadmaps, sprints, stage gates, roles and responsibilities documented in detail.
Fluid engaged with the manufacturer’s Managed Service Provider and started the 12-month program of system upgrades, new application deployments, equipment replacement, training and change management.
Several business applications were at end-of-life and were no longer supported by the vendors. This meant no security updates were available to patch vulnerabilities. These applications were upgraded or replaced to mitigate these risks. New wi-fi networks were installed to enhance security.
Fluid created a centralised risk management portal with automated risk notifications and upskilled the internal IT support team on cyber risk management. External penetration testing is done regularly by an independent specialist who attempts to infiltrate the business network.
The team worked with the business to update IT policies and procedures including business continuity, disaster recovery and the cyber incident response plan. Training programs were provided on cyber security and MFA was rolled out across all business users.
Over a 12-month period the Microsoft Secure Score had increased beyond the target. The entire security structure was changed from ‘castle and moat’ to an ‘any device, anywhere’ structure to support remote working.
It’s not possible to prevent cybercrime. What you can do is reduce the risk and minimise the impact of an attack as well as plan the recovery if you are hit.
If you’re unsure whether your cyber security is appropriate for your business then a good place to start is the Fluid Maturity Framework. It sets out what good looks like across eight pillars of IT, including Cyber Security, GDPR, infrastructure, resilience, and disaster recovery.
We use the framework as a starting point with our clients. It sparks our conversations and helps customers figure out what their priorities are and what’s optimal for their business.
We’ve made it available to download so you benchmark your company’s levels of maturity. Then take your score to your leadership team to help make informed decisions about cyber security.