Simple steps to information security


Information overload, that’s what it feels like. FUD (fear, uncertainty and doubt) everywhere we look whether that’s the popular press, specialist industry publications or professional social media – concerns about Cyber Security seem to be at an all-time high.

IT managers are constantly bombarded with messages encouraging them to adopt the latest technology – hardware, software or security services – in order to address ever more esoteric threats. Of course, ensuring that ‘the basics’ are in place often delivers a far better cost benefit than any advanced technology, and that means understanding your business and its corresponding exposure and risk. Establishing a Risk Management regime should now be a board-level priority.

In terms of getting the basics right, the good people at the NCSC (and their former incarnations) have thankfully invested time and effort summarising the essentials, offering their 10 steps to Cyber Security as an easy to digest guide to raise awareness and provide a high-level checklist, which can be extremely useful for small businesses.

Even the fundamental practice of choosing a password has over the years gone from a matter of remembering a pet’s name and date of birth to, in some cases, an enforced combination of upper and lower case characters, punctuation, numbers and so on with an ever increasing minimum character length. No wonder high street stationers are selling Internet password books! Yes, really! Here again, even though enforced minimum complexity and regular resets should continue to be part of good practice, user education is key. Staff awareness of cyber security should also include guidance on password good practice, and examples of how to create passwords (or passphrases) which are increasingly hard for the bad guys to crack. Three random words, in conjunction with numbers or punctuation, present a significantly harder challenge for hackers to overcome. On this basis, encouraging users to think creatively and adopt a passphrase can have a positive effect on security by preventing unauthorised authentication attempts from succeeding.
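To put some numbers behind the ‘three random words’ advice, here is an added example (not part of the original post, and not NCSC code) that generates such a passphrase with a cryptographically secure random source and estimates how much harder it is to guess than a pet name plus a date. The word list is a constructed sixteen-word sample purely so the script runs on its own; the entropy figures assume words are picked uniformly at random from a list of the size passed in (7,776 is the size of a typical diceware-style list), and the ‘pet name plus date of birth’ guess space of roughly 1,000 names by 36,500 dates is an assumed illustrative estimate, not a measured one.

```python
import math
import secrets
import string

# Constructed sample word list (assumption: a real deployment would use a
# published list of several thousand common words). Kept tiny here only so
# the example is self-contained; entropy below is computed from an explicit
# list size rather than from len(SAMPLE_WORDS).
SAMPLE_WORDS = [
    "anchor", "bright", "cactus", "dragon", "ember", "forest", "garden",
    "harbour", "island", "jungle", "kettle", "lantern", "meadow", "nectar",
    "orbit", "pebble",
]


def generate_passphrase(words, n_words=3, separator="-", n_digits=2):
    """Pick n_words uniformly at random using the OS CSPRNG (secrets), join them,
    and append n_digits random digits, e.g. 'orbit-kettle-dragon42'."""
    chosen = [secrets.choice(words) for _ in range(n_words)]
    digits = "".join(secrets.choice(string.digits) for _ in range(n_digits))
    return separator.join(chosen) + digits


def entropy_bits(choices_per_position, positions):
    """Entropy (in bits) of a secret built from `positions` independent,
    uniformly random picks, each from `choices_per_position` options."""
    return positions * math.log2(choices_per_position)


def guesses_to_exhaust(bits):
    """Number of guesses needed to try every possibility for a given entropy."""
    return 2 ** bits


def compare_policies(wordlist_size=7776, n_words=3, n_digits=2):
    """Return estimated entropy in bits for the password styles the post contrasts.
    The pet-name-plus-date figure is an assumed, illustrative guess space."""
    pet_name_guess_space = 1000 * 36500  # ~1,000 common names x ~100 years of dates
    return {
        "pet name + date of birth (assumed guess space)": math.log2(pet_name_guess_space),
        f"{n_words} random words from {wordlist_size}-word list":
            entropy_bits(wordlist_size, n_words),
        f"{n_words} random words + {n_digits} digits":
            entropy_bits(wordlist_size, n_words) + entropy_bits(10, n_digits),
    }


def passphrase_matches_policy(phrase, words, n_words=3, separator="-", n_digits=2):
    """Check that a passphrase has the expected shape: n_words list words joined by
    `separator`, followed by exactly n_digits digits."""
    body, digits = phrase[:-n_digits] if n_digits else phrase, phrase[-n_digits:] if n_digits else ""
    parts = body.split(separator)
    return (
        len(parts) == n_words
        and all(p in words for p in parts)
        and len(digits) == n_digits
        and (digits.isdigit() if n_digits else True)
    )


if __name__ == "__main__":
    print("Example passphrase:", generate_passphrase(SAMPLE_WORDS))
    for label, bits in compare_policies().items():
        print(f"{label}: {bits:.1f} bits (~{guesses_to_exhaust(bits):.2e} guesses)")
```

The comparison deliberately measures uniformly random selection: a passphrase a user invents by stringing together words they associate with each other will not reach these figures, which is why the generation step (or a password manager’s generator) matters as much as the policy.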

Having already made the suggestion to enforce increasingly complex and lengthy passwords on users, IT managers will also face the challenge of encouraging them not to use the same passphrase for each and every account they access during the working day. A unique and complex passphrase for every system being accessed is the ideal, but how many users will resort to work-around tactics simply to relieve the load on their memory? Enough that once a single password has been compromised, there’s a likelihood it’ll provide access to numerous other accounts and systems available to that user. An easy win for the bad guys again.

To help alleviate the seemingly counter-productive exercise of using complex passphrases repeatedly, it’s now becoming increasingly acceptable to use a password storage and entry system or password manager. Modern password managers can detect forms, completing details for the user as well as entering passwords across a variety of websites and systems, even across multiple devices and platforms. Provided therefore that the password manager itself is from a trustworthy vendor and that extremely strong (multi-factor) authentication is employed, then perhaps IT managers should consider trialling and adopting such a technology to mitigate the risk of password compromise across their IT landscape and user base. Somewhat more high tech and secure than a long list of pet names and dates scribbled in a handy-to-lose notebook!