6 cybersecurity tips for your practice
RIBA has partnered with Mitigo to offer technical and cyber security services for our members. David Fleming, Chief Technology Officer at Mitigo, gives his 6 top cybersecurity tips.
Never in our working lives has it been clearer that you need to allocate budgets and resources to mitigate known risks. Cybercrime is now one of the most significant of those risks, so here are my suggested cybersecurity tips for architectural practices:
1. Invest time to understand your risk from cyberattacks
Cyber attacks are indiscriminate; they hit any vulnerability they can find. I suggest you get the right group of experts together to assess your risks, and then consider the controls you have in place to reduce that risk, e.g. policy, training, software, support, etc. Consider paying for a vulnerability risk assessment that can guide you on where to start.
2. Get your remote connections fit for purpose
From March last year, cyber criminals have had a field day compromising poorly set up remote connections. In the rush to connect remotely, speed was prioritised over security. Please carry out the exercise to make sure your connections are fit for purpose moving forward. This includes logins to cloud platforms, VPN connections to the office and all versions of remote desktop control. You should also pay extra attention if you have allowed staff to use their own computers.
3. Stop assuming that your IT support have this covered
The practices that got hit last year still assumed this. In our experience, IT do not look after this because they are not risk or cyber experts and you are frankly not paying them to shoulder this responsibility. This assumption can be a blocker to firms acting.
4. Change employee habits through training, testing and simulation
All the incidents we investigated last year had an element of human error and picked-up bad habits. This includes link-clicking, alert-ignoring, update-delaying, data-syncing… I could go on. Best practice is to follow up training with simulated attacks on staff, e.g. a pretend email phishing campaign, to strengthen a defensive culture.
5. Write and communicate a mobile phone policy
Do not forget mobile phones. Personal and work mobile use can be necessary for business. However, do you have a policy on it with the necessary controls in place? Cyber criminals increasingly rely on mobile phones as an entry point to company systems. Once you have agreed on what your policies are, you will need to configure your technology to support your approach.
6. Prove to yourself that your back-up actually works
Most back-ups that we check will not survive a ransomware attack because they are poorly configured. Have you ever had this checked? And is it still operating correctly in this remote working world? Staff may have started storing files locally for convenience or even started using third-party storage. Have you still got control of your data footprint?
Obviously, this is not an exhaustive list, but I am hoping it will get you thinking about this subject because it isn’t going away. Indeed, the cyber criminals are more organised than ever, and their attacks are becoming increasingly sophisticated. It is a lucrative business for them, so they invest money and resources into constantly improving their game. I suggest you use this year to do the same.
View the full service offer on our technical security page. For more information contact Mitigo on 0161 88 33 507 or email riba@mitigogroup.com.