Tuesday, 8 November 2022

How do you solve a problem like Suella?

Some serious questions around cyber security have been raised over the last few weeks. What lessons can be learned from the cyber security mismanagement?

Leaving aside the politics of the furore surrounding the UK Home Secretary, some serious questions around cyber security have been raised over the last few weeks. Are there lessons to be learnt here? And, if so, what can we learn about the cyber security mismanagement?

Allegations about the mishandling of sensitive information have impacted more than one political career. In the commercial world, the implications are equally serious – with fines under GDPR reaching up to four percent of global turnover.

Mishandling sensitive data can also have significant reputational damage. Customers and supply chain partners don’t want to work with partner organisations which can’t be trusted to handle their data securely.

#1. Using personal email addresses

Sending information back and forward between work and personal email addresses is a huge red flag when it comes to cyber security. How can businesses prevent such bad practice?

Education should be a key plank of defence in any cyber security strategy. Train your staff to understand that this behaviour is not acceptable.

• The best way to prevent the use of unauthorised email accounts (or unauthorised tech in general) is to make the solution you provide fit for purpose. This way, there’s no incentive to use anything else.

• Give staff secure email access on their mobile devices with Microsoft 365.

#2. The need to work while on the move or away from the office

Although the pandemic required many organisations to move quickly to hybrid or remote working arrangements, many of these organisations still need to do more to enable mobile working – and to make those mobile working arrangements secure.

• Give staff a secure platform to access data securely – so that they don’t need to send documents back and forward via insecure email addresses or platforms. Document sharing via Microsoft Teams is a great way to offer staff access to documents in an agile and mobile way, whilst ensuring that you can secure the documents appropriately.

Microsoft Intune makes it easy to simplify endpoint management by managing any device with a single, unified tool already built into Microsoft 365. Combine this with multifactor authentication and you have the tools to offer secure, mobile email for your staff so they shouldn’t need to share documents between personal email addresses.

#3. Sharing sensitive or personal information with people who shouldn’t see it

Sharing documents with unauthorised contacts is a major risk because, once data has left the organisation via a personal email address, you no longer control how it is shared onward. You need to prevent this from happening in the first place by locking down data at source.

• The Microsoft 365 settings for Teams and SharePoint make it easy to apply document management rules. You can apply different security settings to different Teams or documents to suit your organisational risk appetite and the sensitivity of the documentation.

• These settings range from open access to tight control that goes as far as preventing sharing or email forwarding, and even preventing screen grabs of the documents being taken.

#4. Not making use of the security settings in your existing Microsoft 365 tools

We have to ask: why didn’t the IT team ensure the right controls were in place? It shouldn’t be possible to share highly sensitive documents with people outside the organisation or insecure email addresses. Get the settings right, so that people can’t do the things they aren’t supposed to be doing!

• Work with a trusted IT partner who can talk you through the tools and technologies that are available to you. Often, this might not require spending any additional money; it’s usually about using the existing tools better and tweaking the settings to make your environment more secure. Microsoft 365 is a big product, so it can be daunting at first. That’s why working with a trusted IT partner – at least in the beginning – will deliver an excellent return on investment.

• At a minimum, you should be leveraging Microsoft Intune to build your “zero trust” security architecture with a management solution that centralises endpoint security and identity-based device compliance.

• Plus, as we’ve already discussed, make sure your document management security settings are configured appropriately in Microsoft Teams and SharePoint.
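The “lock it down at source” advice in #3 and #4 comes down to a handful of tenant settings. The script below is an added example (not code from the original post or from Grant McGregor) that first shows the weak posture and then applies the tightened one; it assumes the SharePoint Online Management Shell and ExchangeOnlineManagement modules are installed, that the account used holds the SharePoint and Exchange administrator roles, and that `contoso` and the `BoardPapers` site are placeholders for your own tenant and sensitive Team.

```powershell
# Added example: audit-then-harden the Microsoft 365 sharing controls
# discussed in #3 and #4. Not code from the original post.
# 'contoso' and the BoardPapers site URL are placeholders.
$Tenant = 'contoso'

# --- SharePoint / Teams document sharing --------------------------------
Connect-SPOService -Url "https://$Tenant-admin.sharepoint.com"

# Audit: the weak posture is "Anyone" links by default, with no expiry,
# and guests allowed to re-share what they receive.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    RequireAnonymousLinksExpireInDays, PreventExternalUsersFromResharing

# Harden the tenant default: only guests already in the directory can be
# shared with, new links default to people inside the organisation, and
# external users cannot re-share.
Set-SPOTenant -SharingCapability ExistingExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -PreventExternalUsersFromResharing $true

# For the site behind a sensitive Team, disable external sharing entirely.
# A site can only ever be as open as the tenant setting allows.
$SensitiveSite = "https://$Tenant.sharepoint.com/sites/BoardPapers"  # placeholder
Set-SPOSite -Identity $SensitiveSite -SharingCapability Disabled

# --- Exchange Online: stop mail flowing out to personal addresses --------
Connect-ExchangeOnline

# Audit: with both of these permissive, a user can silently auto-forward
# their mailbox to a personal account.
Get-RemoteDomain -Identity Default | Select-Object AutoForwardEnabled
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode

# Harden: switch automatic forwarding off in the outbound spam policy and
# the default remote domain, and reject rule-based forwards with a clear
# explanation so the user knows why the message did not go.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
New-TransportRule -Name 'Block auto-forward to external recipients' `
    -FromScope InOrganization -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -RejectMessageReasonText 'Automatic forwarding outside the organisation is not permitted.'
```

Run the audit lines first and keep the output; it is the "before" evidence you will want when reviewing the change with your IT partner.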

#5. Your organisational leadership team needs to be included in all cyber security awareness training

One might assume that the UK Home Secretary would be aware of basic cyber security principles, but we all know what they say about assuming…

• It can be tempting to leave the senior leadership team out of the cyber security training you offer to the rest of your staff. Yet we know there are very good reasons why they should be a main focus of your cyber training efforts.

• Your executive team are a key target for spear phishing and other criminal activity – so they need to be more aware of the risks, not less.

• While they might be the biggest target, often the leadership team is amongst those least likely to have cyber security awareness training. We need education all round.

• No matter how busy your leadership team is, it’s important they dedicate time to cyber security awareness training. It can often help to work with one member of the leadership team who can take this message to the rest of the leadership team for you. This way, your C-suite sponsor can make sure their colleagues understand the importance of taking the time to understand the risks and how to mitigate them.

• Automated training emails can be a great way to make the case that this training is required.


What next?

If any of these suggestions have resonated with you, please reach out to our team. We’re always happy to share best practice ideas and offer advice.

Call us on: 0808 164 4142

Or send us a message.
