Do you need help & advice with Cybersecurity?
Cyber threats are on the rise, and it’s more important than ever for business leaders to understand the basics of cybersecurity. This guide breaks down some key terms and offers practical advice to help protect your company.
Key Takeaways
- Understand CVE and CVSS scores for vulnerability prioritisation.
- Differentiate between vulnerability scans and penetration tests.
- Prioritise immediate patching of critical updates.
- Develop a simple, accessible incident response plan.
- Assume a cyber attack is a matter of ‘when’, not ‘if’.
Understanding Vulnerability Codes and Scores
When security experts talk about vulnerabilities, they often use codes like CVE and CVSS. A CVE (Common Vulnerabilities and Exposures) is basically a unique identification code for a specific security weakness. Think of it like a serial number for a bug in software.
Each CVE is then given a CVSS score, which is a number from 1 to 10. This score tells you how serious the vulnerability is. If a vulnerability has a CVSS score of nine or ten, it’s considered critical and needs to be fixed right away. Technical teams use these scores to figure out what needs their attention first.
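As an added illustration of the prioritisation described above (example code written for this page, not from the article or any scanner vendor), the following Python reads a constructed scan export, orders findings by CVSS score, and flags the nine-or-ten scores for immediate patching. It goes slightly beyond the text by labelling every finding with the standard CVSS v3.x qualitative bands (None 0.0, Low 0.1 to 3.9, Medium 4.0 to 6.9, High 7.0 to 8.9, Critical 9.0 to 10.0); the CVE identifiers and host names are placeholders.

```python
"""Prioritise vulnerability-scan findings by CVSS score."""
from dataclasses import dataclass
import csv
import io

# Constructed sample export in the shape a scanner might produce.
# CVE ids and hosts are placeholders, not real identifiers.
SAMPLE_SCAN_CSV = """host,cve,cvss
fileserver01,CVE-0000-0001,9.8
fileserver01,CVE-0000-0002,5.3
mail01,CVE-0000-0003,7.5
web01,CVE-0000-0004,10.0
web01,CVE-0000-0005,3.1
"""

@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float

def severity(score: float) -> str:
    """Map a CVSS base score to the standard v3.x qualitative band."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"

def parse_scan(csv_text: str) -> list[Finding]:
    """Parse the scanner's CSV export into Finding records."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [Finding(r["host"], r["cve"], float(r["cvss"])) for r in reader]

def prioritise(findings: list[Finding]) -> list[tuple[Finding, str]]:
    """Highest score first: the top of the list is what needs attention now."""
    ordered = sorted(findings, key=lambda f: f.cvss, reverse=True)
    return [(f, severity(f.cvss)) for f in ordered]

def patch_now(findings: list[Finding]) -> list[Finding]:
    """The rule from the text: a score of nine or ten means fix right away."""
    return [f for f in findings if f.cvss >= 9.0]

if __name__ == "__main__":
    for f, band in prioritise(parse_scan(SAMPLE_SCAN_CSV)):
        print(f"{band:8} {f.cvss:4.1f} {f.cve} on {f.host}")
```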
Vulnerability Scans vs. Penetration Tests
It’s easy to get confused between vulnerability scans and penetration tests, but they’re different. A vulnerability scan is typically done using automated tools. These tools check your systems for known weaknesses, similar to how a human might, but much faster and on a larger scale. It’s a way to get a broad overview of potential issues.
A penetration test, on the other hand, involves bringing in an external organisation. These experts actively try to break into your network, just like a real attacker would. They simulate an attack to find weaknesses that automated tools might miss and see how far they can get. Both are important for understanding your security posture.
The Urgency of Patching
Software companies, like Microsoft, release updates every month. Some of these updates fix critical security flaws. If you don’t install these updates promptly, you’re leaving the door open for attackers. With the help of AI, creating exploits for known vulnerabilities has become much easier and requires less technical skill than before. This means that leaving critical patches unapplied is a big risk.
Risk Management and Incident Planning
It’s wise to assume that, at some point, your business will face a cyber attack, possibly ransomware. This can be incredibly costly. Imagine a large company like Jaguar Land Rover spending millions per hour dealing with a ransomware incident. For a small business, the cost could wipe out a year’s profit, or even more than the annual revenue.
Having a plan is like having a handbrake in your car – you hope you never need it, but it’s vital to have it working just in case. This plan doesn’t need to be complicated. A simple, one-page document can make a huge difference.
Your Simple Incident Response Plan
This plan should be printed, laminated, and kept somewhere easily accessible, like near your computer servers. It needs to include:
- Cyber Insurance Details: Your policy number and the emergency contact number for your insurer. If you don’t have cyber insurance, it’s worth looking into getting some.
- Technical Contact: The mobile number for your IT support or cybersecurity team.
- Management Contact: The number for the person who will be liaising with the board or senior management.
- PR Contact: The number for the person who will handle communications with staff, customers, and the public. This might involve setting up a specific voicemail message for customers.
This A4 sheet should clearly state where your full disaster recovery plan is located and how to contact everyone involved. Updating this plan annually is a good practice. Without such a basic plan, dealing with a major incident, especially if your systems are down, becomes incredibly difficult.
The Changing Threat Landscape
Recent reports highlight an increase in serious cyber attacks. This is partly due to state-sponsored hacking, but also because individuals, including teenagers, are finding it easier to carry out attacks. AI has made it trivial to exploit vulnerabilities, meaning you don’t need to be a programming expert to cause damage. This ease of access is a significant change from just a couple of years ago.
To keep your business running, having a simple, practical plan is key. It allows you to communicate with your team and start the recovery process. While more technical solutions exist, starting with a printed, laminated incident plan is a solid first step. It’s better than having a lengthy, complicated document that no one can access or use when it matters most.