Reach for the hero

Graham Thomson from Irwin Mitchell’s top six must-have security controls

Graham Thomson, CISO and head of data analytics, Irwin Mitchell

When I was first taught about computer security two decades ago, in a darkened classroom deep within the UK’s secretive Defence Intelligence and Security Centre, it was an obscure, relatively unheard-of subject. Fast forward to today’s digitally addicted, internet-reliant world, and not a week goes by when some kind of cybersecurity threat does not play out in the media. Whether it’s nation-state sponsored espionage, cyber warfare, or criminals making billions from cybercrime, the threat is real, and one that affects companies of all sizes, across all sectors.

But for many, cybersecurity remains a mysterious practice. In order to help counter the myths and scare stories, and show there is a logical path to achieve good cybersecurity, I co-authored a chapter in a new publication, The LegalTech Book, together with trainee solicitor Daryna Plysak, who volunteers as a security champion at our firm.

Our chapter, Cybersecurity: myths and the hero’s journey, draws on Greek mythology and examines the herculean tasks faced by businesses when it comes to cybersecurity, the different roads to success, and the challenges faced along the way. Although focused on law firms, the steps are applicable to all types of digitally enabled businesses that want to reduce their cyber risk cost-effectively. And, as businesses grapple with the security issues posed by employees now working from home, compounded by significantly increased cyber risk, there has never been a more important time to tackle the risk.

The journey starts with realising and accepting there is a problem requiring investment. Then, to begin the fight back, you will need someone to create your cybersecurity battle plan and to lead not only the charge but also the ongoing war – it’s not a one-off project. Cybersecurity must be baked into everyday business operations.

There are free and open cybersecurity frameworks, policies, and risk-based controls businesses can adopt and implement to mitigate their cyber risk. Frameworks such as the National Cyber Security Centre (NCSC) 10 steps to cyber security are really important, as they’ll help you to choose the right controls to identify and detect cyber threats, and to respond to and recover from the inevitable attacks.

But culture also has a massive role to play. Rather than a top-down approach, at Irwin Mitchell we work together to tackle cybersecurity and support those who need help. This approach, based on our values as a firm, has undoubtedly proved a success.

I frequently get asked for the top three must-have security controls. I wish it was that simple. I give six:

  1. Use two-factor authentication for all remote access, especially for email.
  2. Remove local admin rights from user accounts (this mitigates 85% of the malware risk).
  3. Use antivirus on your computers, an email-filtering tool, an internet-filtering tool, and activate intrusion prevention systems on your firewalls.
  4. Conduct regular all-staff training and awareness and phishing testing.
  5. Clearly mark incoming email from external senders (“THIS IS NOT FROM US”).
  6. Use a service to scan your internet-facing network (join the NCSC’s Cyber Security Information Sharing Partnership and you get an element of this for free).

There is no such thing as perfect cybersecurity. It is not a destination, but a journey. But the reward of success is a gift to your firm.

This article was taken from Briefing November/December 2020 – Alert to change.
