Are We Secure?

This is without doubt the question we get asked most by our clients, and it demonstrates that security is uppermost in their minds. Our answer is always yes… although there is no such thing as 100% security (be wary of companies that promise you 100% security). The dark types, as we like to call them, are a clever bunch and constantly develop sophisticated ways to bypass even the most robust security.
What we advocate is a layered approach to security, which simply means employing a number of precautionary measures to tackle the problem. The central idea behind layered security is that the most effective way to protect IT systems from a broad range of attacks is to employ an array of counteracting strategies. Layered security efforts address different kinds of hacking, phishing, denial of service attacks and other cyber attacks, as well as worms, viruses, malware and other more passive or indirect system invasions.
Our mantra at Supreme is Reduce, Remove, Secure. Some of the strategies we employ include:
1. Physical Security – Seems like an obvious one, but it is amazing how many businesses still take this for granted! Physical security is an important layer in any layered approach. Guards, gates, locks and key cards all help keep people away from systems that they shouldn’t touch or alter.
2. Network Security – A key layer. Good network security measures should include firewalls, intrusion detection and prevention systems (IDS/IPS), and general networking equipment such as switches and routers configured with their security features enabled. Establish trust domains for security access and smaller local area networks (LANs) to shape and manage network traffic. Manufacturing companies may consider having a demilitarised zone between the industrial plant floor and the IT and corporate offices, allowing data and services to be shared securely.
3. Computer Hardening – Well-known (and published) software vulnerabilities are the number one way that intruders gain access to automation systems. Examples of computer hardening include the use of:
  • Antivirus software – Best of breed only. The top AV vendors have invested greatly to ensure that they can respond to the latest attacks.
  • Application white-listing
  • Host intrusion-detection systems (HIDS) and other endpoint security solutions
  • Removal of unused applications, protocols and services
  • Closing unnecessary ports
4. Access Controls – An important layer. Access controls give organisations the ability to control, restrict, monitor and protect resource availability, integrity and confidentiality. Measures may include enforced username/password logins, password change frequency and complexity requirements, disabling local admin permissions, etc.
5. The Human Layer – By far the most important precautionary layer because, as we mentioned above, there is no such thing as 100% security, so constant user vigilance is key. The best antivirus software in the world will not prevent a user from clicking on a link within a malicious email.
Absolute security may not be within reach; however, businesses can effectively tackle the risks posed by these threats by following good practices.

To coincide with the Government’s £1.9bn cyber-security initiative, Supreme Systems are offering a Free IT Security Audit for any West Midlands company that registers an interest in November! To discuss your security needs please contact Julian Brettle on 0121 309 0126.

10 things to consider when thinking about Disaster Recovery

1. Have a plan

Many organisations do not have a DR plan, or their plan is outdated. Keep it fresh. New applications are constantly deployed, and storage is growing by 50% per year on average. Be sure your plan keeps pace with business needs.

2. Test the plan

Your DR plan should be tested at least once a year. If you’re really serious about testing, try locking your workers out of the building and saying ‘go’. Yes, this may be extreme, but it will ensure they know what to do if a disaster really strikes…

3. Decide what is important

You should identify which applications are vital and how long it will take to recover them. This will allow you to prioritise your recovery efforts and also help you identify what level of data protection your business requires for each application. It’s important to understand that not all applications have equal recovery requirements.

4. Recovery point?

Decide how much data you can afford to lose in the event of a local (e.g., server/storage) and/or site failure. A couple of hours? Last night? Weekly? Then architect your plan accordingly.

5. Recovery time?

It’s also important to understand how soon your business-critical applications must be back online after a failure before it starts to seriously impact your business. So how long before it starts to hurt… minutes? Hours? Days? This information (as well as point 4 above) will help you choose the right DR solution for your business.

6. Disk-based snapshots to protect against ransomware

Not all disasters are physical. Ransomware is becoming increasingly common (usually costing between £200 and £5,000) and can impact users and systems. Schedule frequent snapshots of your data, enabling granular file, folder and share recovery, to combat these attacks.

7. Keep real-time copies of your data

Data storage redundancy is your friend and can prevent hardware failure from becoming a disaster recovery situation at all.

8. “Deduplication” and “compression” – Tools for efficiency

When replicating storage, look to utilise bandwidth efficiently, as this will directly affect your time to recovery. Deduplication and compression technologies are key to achieving this.

9. Encryption in flight

Take extra security precautions by utilising encryption. Even if you’re using private networks, prying eyes may be watching you.

10. Company image and reputation

Companies don’t expect to declare a disaster. If they do, protecting the company’s image is just as important as getting the information back online. If disaster strikes, be honest with customers about the impact. Brand loyalty is extremely hard to rebuild. Many companies don’t recover from disasters.

Reducing Cyber Risk – User Education and Awareness

Unfortunately, the use of a business’s IT by its users brings with it various risks. As such it is essential for all staff to be aware of their personal security responsibilities and the need to also comply with corporate security policies.

This can be achieved through regular security training and awareness programmes designed to increase the levels of security expertise and knowledge across the organisation as well as developing a security-conscious culture. 

What is the risk?

Organisations that do not produce user security policies or train their users in good security practices will be vulnerable to many of the following risks:

  • Unacceptable use
    Without a clear policy on what is considered to be acceptable, certain actions by users may contravene good security practice and could lead to the compromise of personal or sensitive commercial information, which could result in legal or regulatory sanctions and reputational damage.
  • Removable media and personally owned devices
    Unless it is clearly set out in policy and regularly communicated, staff may consider it acceptable to use their own removable media or connect their personal devices to the corporate infrastructure. This could potentially lead to the import of malware and the compromise of personal or sensitive commercial information.
  • Legal and regulatory sanction
    If users are not aware of any special handling or reporting requirements for particular classes of sensitive information, the organisation may be subject to legal and regulatory sanctions.
  • Incident reporting
    If users do not report incidents promptly, the impact of any incident could be compounded.
  • Security Operating Procedures
    If users are not trained in the secure use of their organisation’s ICT systems or the functions of a security control, they may accidentally misuse the system, potentially compromising a security control and the confidentiality, integrity and availability of the information held on the system.
  • External attack
    Users remain the weakest link in the security chain and they will always be a primary focus for a range of attacks (phishing, social engineering, etc.) because, when compared to a technical attack, there is a greater likelihood of success and the attacks are cheaper to mount. In many instances, a successful attack only requires one user to divulge a logon credential or open an email with malicious content.
  • Insider threat
    A significant change in an employee’s personal situation could make them vulnerable to coercion, and they may release personal or sensitive commercial information to others. Dissatisfied users may try to abuse their system-level privileges or coerce other users to gain access to information or systems to which they are not authorised. Equally, they may attempt to steal or physically deface computer resources.

How can the risk be managed?

  1. Promote an incident reporting culture
    The organisation should enable a security culture that empowers staff to voice their concerns about poor security practices and security incidents to senior managers, without fear of recrimination.
  2. Support the formal assessment of Information Assurance (IA) skills
    Staff in security roles should be encouraged to develop and formally validate their IA skills through enrolment on a recognised certification scheme for IA Professionals. Some security related roles such as system administrators, incident management team members and forensic investigators will require specialist training.
  3. Establish a staff induction process
    New users (including contractors and third party users) should be made aware of their personal responsibility to comply with the corporate security policies as part of the induction process. The terms and conditions for their employment (contracts for contractors and third party users) must be formally acknowledged and retained to support any subsequent disciplinary action. Ideally, the initial user registration process should also be linked to the organisation’s technical access controls.
  4. Produce a user security policy
    The organisation should develop and produce a user security policy (as part of their overarching corporate security policy) that covers acceptable use. Security procedures for all ICT systems should be produced that are appropriate and relevant to all business roles and processes.
  5. Maintain user awareness of the cyber risks faced by the organisation
    Without exception, all users should receive regular refresher training on the cyber risks to the organisation and to them as both employees and individuals.
  6. Monitor the effectiveness of security training
    Establish mechanisms to test the effectiveness and value of the security training provided to all staff. This should be done through formal feedback and potentially by including questions in the staff survey on security training and the organisation’s security culture. Those areas that regularly feature in security reports or achieve the lowest feedback ratings should be targeted for remedial action.
  7. Establish a formal disciplinary process
    All staff should be made aware that any abuse of the organisation’s security policies will result in disciplinary action being taken against them.

Our top tips to better business security

  1. Managing user privileges – Some of you might say, “Why do we need to prevent colleagues from accessing certain areas of the systems or internet?” Well… if an important file gets corrupted or deleted by accident, it can cause a huge dilemma in the office! Managing user privileges stops your colleagues from accessing certain files on a computer, such as the program files that could cause serious damage to the computer they are using, or even a server! This won’t prevent anyone at the office from being able to work; it will only prevent the worst from happening.
  2. Malware Prevention – Malicious software consists of hidden files that latch onto a computer or system and infect it with a virus, Trojan, ransomware, etc. Malicious software has many ways of getting on to your system, and you want to contain viruses before they reach the core of your infrastructure. So how can we stop computers from getting viruses? We recommend that every computer has anti-virus software installed, such as McAfee or our Managed Antivirus services, to prevent your system from being in harm’s way.
  3. Monitoring Systems – If there is a document that is highly valued by the business, and someone were to get a copy of this file, it could potentially put the business at risk. What impact do you think it could have? Money loss, downtime, you name it. It can happen if nothing is being monitored. So, how would one stop this from happening? Monitoring systems allow you to see where files have been transferred and who has transferred them, and can also block users if they are doing something that is against the rules. This will give you the upper hand if you have noticed files being deleted or a security issue that keeps occurring.
  4. Disaster Recovery and backups – Files can always be lost, but it’s how they are recovered and how long it takes that makes the issue important. In some cases, I have seen businesses lose all of their data and have no way of recovering it, which then causes major downtime that leads to loss of money or even closure. We all know that work keeps the food on the table and a roof over your head, and we want to make sure that no one is affected by data loss or any significant issues caused by cyber attacks or downtime.
  5. Educating Colleagues – I know you’ve probably heard this over and over, but educating users on how to use a computer correctly can prevent security threats from happening. From social media sites to websites, these can cause security breaches within businesses. As social media sites grow every year, threats occur more often and can be a large issue if used within a business environment. Attackers have set up accounts where they will obtain either an email address or a social media profile and then send an attachment which contains a virus. Without users knowing the process, the hackers can deploy viruses on computers so that they become vulnerable to a devastating attack.

DISASTER RESPONSE PACK – WHAT YOU SHOULD INCLUDE

This article has been shared from the UK government’s Centre for the Protection of National Infrastructure (CPNI); the website is full of advice on how businesses can better prepare for a disaster. Find out more at http://www.cpni.gov.uk/

Response pack

Article Summary

A response pack should include key documents and items that may be needed by those who will manage the incident room or work with the emergency services. Example contents are set out below; however, these lists are not exhaustive and other items should be added as required.

Documents:

  • Business Continuity Plan and Communications Plans
  • Contact details for nominated response staff, plus a list of all employees with their home and mobile numbers
  • Emergency services contact details
  • Details of any local utility companies, emergency glaziers, salvage organisations, building contractors and local authority contingency planners
  • Building plans, including the location of gas, electricity and water shut-off points and heating and ventilation controls, plus any protected areas where staff will be sheltered
  • A recent stock and equipment inventory
  • Financial and banking information
  • Product lists and specifications

Equipment:

  • Stand-alone laptop computer, compatible with the local network
  • USB memory sticks or flash drives
  • Spare keys/security codes
  • Torch and spare batteries
  • Hazard and cordon tape
  • Small cash resource
  • Card and marker pens for temporary signs, and other stationery (pens, paper, etc.)
  • Mobile telephone with charger and appropriate credit

CLOUD TECHNOLOGY AND TABLET COMPUTING FOR SMALL BUSINESSES

If you are a bit of a history enthusiast then you may be aware that the tablet device is not a recent development in the world of computing. The first patent for the tablet design was in fact issued around 1888, and since then the tablet has been through various trials and tribulations which threatened its sustainability on the consumer market. In 2002 Microsoft decided to implement a version of Windows XP for tablets which was not as successful as they had hoped. Around this time tablet designs were often considered to be clumsy, in the sense of heavy builds and insufficient software capabilities. However, the development of cloud technology allowed manufacturers such as Apple to marry cloud applications and tablet computers, giving birth to the iPad. As you may be aware, vital data is normally stored on cloud servers, allowing easy access from multiple devices and locations. If this is the case, then it would be wise to ensure that the hardware remains effective, with good screen resolution, sufficient processing power and hand-held comfort. If you are one for fancy aesthetics then this value will be reflected in the cost of your investment. Otherwise a mid-range tablet should be priced quite reasonably, packing enough punch to allow efficient online activity without you gaining square eyes and sore wrists.

To conclude, cloud technology enterprises such as Google and Amazon have only increased the appetite for cloud convenience with their respective online services. The popularity of these services has helped to breed a familiar relationship with most tech-competent consumers, who routinely log in and out of cloud-based applications in order to satisfy their social, entertainment and business needs. The only thing left to consider is whether we will see a shift in the value businesses place on merging tablet devices and cloud technology for increased work-based productivity.

TOP 10 WAYS TO MOBILIZE YOUR WORKFORCE

Adopting mobile devices within the workforce is becoming extremely popular as businesses strive to find innovative ways to increase employee productivity. This can mean employees working more flexibly in a highly dynamic business environment or responding to real-time information at the wave of a wand. The devices available to achieve such things depend mainly on individual business needs, while nonetheless remaining accessible to all. With this being said, I have listed 10 ways in which businesses can mobilize their workforce using technology.

1. Tablet PCs – These devices are similar to notebooks, but their wireless capabilities and intuitive touch-screen user interfaces make you feel right at home. For the real business savvy, tablet computers are no stranger to fully functional operating systems such as Windows and, being highly compact, are adaptable to your work-space layout.

2. Laptops and Notebooks – Another great addition to office mobility, offering powerful alternatives to desktop computers with excellent software handling capabilities. Laptops come in a huge variety of sizes, specifications and designs which you can use to your advantage.

3. PDAs – The Personal Digital Assistant, or PDA, could be thought of as the predecessor to the modern-day smartphone. PDAs often pack large screens operated by a stylus and are capable of running limited versions of office software. Additionally, PDAs offer remote access to email, schedules and documents through WIFI or Bluetooth connectivity.

4. 3G Phones – 3G stands for 3rd generation and currently dominates contemporary mobile broadband connectivity. The main benefit of 3G devices is that they are always connected to the internet and offer quick access to web pages.

5. GPRS – The General Packet Radio Service is the predecessor to 3G technologies and also allows mobile phone users to connect to the internet on the move. GPRS devices are an alternative to 3G, as they are normally a more cost-effective way to communicate business initiatives between employees.

6. WIFI – A name given to a group of standards which governs the use of wireless technology, effectively revolutionising how we communicate today. WIFI technology offers users super-quick access to the Internet and is widely available to the public through the development of WIFI hotspots.

7. Extranets – Essentially this is a private network which businesses can operate using a standard Internet browser. The information included on an extranet may include product information, pricing and payment processes. Obviously concerns about network security may be an issue, but extranets combat this with password protection and structured levels of access permission.

8. VPN – Virtual Private Networks offer a secure way to deliver remote access to private networks. Again, security threats are mitigated with high-end encryption, which leaves you free to concentrate on collaborating with your virtual workforce.

9. Bluetooth – Bluetooth wireless technology uses radio waves to allow instant connection with other Bluetooth-compatible devices. The great thing about this way of communicating is that no phone or Internet connection is needed. Therefore activities such as sharing contact information and mobile printing become as easy as can be.

10. Cloud Service Providers – These are companies which manage an online infrastructure where clients have the ability to manage, create and share information through a range of web based applications.

SECURITY IN OFFICE 365

If you did not know, Microsoft Office 365 delivers cloud productivity to businesses of all sizes, and as an external provider of cloud services it is important to consider what security measures are actively in place to help protect customer data. The areas which normally arise with regard to security usually include data protection, privacy and data ownership. Therefore this blog has been written to identify the measures Microsoft has taken to respond to these concerns.

The current challenges in relation to cloud security include an increasing trend in mobile access to information, which has created a haven for cyber-crime. In order to maintain maximum precaution, strategies to research, monitor and prevent emerging threats are needed, which means time and money for any organisation. This is where a service like Office 365 comes in. Microsoft invests a lot of money in its data centers, where the need for secure access is a highly communicated initiative. This also includes anti-spam and anti-virus technology which has been automated to counteract virtual threats.

No stranger to online services, Microsoft have gained considerable experience since the introduction of MSN in 1994. Recognizing that security is an on-going process, measures were taken to protect data from harm, whether from a natural disaster or unauthorized access. This was done through a committed approach to monitoring data infrastructures, applying industry practices and investing in high-end technology in order to keep data safe. This also meant security needed to be built into the software from the start. As Office 365 has been designed for secure access over the Internet, users have the option of creating strong passwords to enforce data protection. Alternatively, users can also apply for a Federated ID, which aims to increase security by actively monitoring on-premise access to the system. And if this is not enough, Office 365 hosts a range of built-in encryption features which cover all necessary daily activities such as emailing, documenting and even voice-mail messages. Considering the above, it seems that Office 365 covers a wide range of security initiatives designed to make the user feel at ease when it comes to handling data. Data security will always remain a major concern for businesses of all sizes, and the need for strong security initiatives by external cloud services should not be ignored. As demonstrated, Microsoft Office 365 is one example of a forward-thinking company that takes into account the vulnerability of cloud business applications in order to provide effective ongoing solutions. And just in case I missed it out, Office 365 wholeheartedly emphasizes user responsibility, and its Trust Center provides highly valuable information on how you can improve the handling of sensitive data.

The Most Destructive Computer Viruses Of All Time

This is our info-graphic on The Most Destructive Computer Viruses Of All Time, which is jam-packed with information to keep you safe from the troubles that lurk on the internet!

CPNI Security

Personnel security – In Hindsight

“This video is intended to be used in staff training to help raise awareness of personnel security in the workplace. It is made up of three chapters, focusing on staff recruitment, ongoing personnel security and staff departures.”

Personnel security – Eyes Wide Open

“This film is for anyone who has a security role within the UK national infrastructure or responsibility for security in crowded places. Through interviews, advice and re-enactments the film seeks to help the viewer recognise suspicious behaviour more readily, clarify the context of such behaviour through questioning and have the confidence to report suspicious incidents.”

Staff security awareness

“A short film aimed at all staff working across the national infrastructure explaining the importance of following security procedures and how everyday measures – all based on best practice advice provided by CPNI – can help reduce vulnerabilities in organisations”

These videos were created by CPNI.