Best practice for agencies on cybersecurity

How to protect your agency in a dangerous digital world

Jason Pittock, IPA Associate Director of Digital Strategy, and James Husband, IPA IT Manager, have compiled a list of ten questions to evaluate your organisation's cyber security and give advice on the steps you can take to protect yourself better from attacks.

Cyber-attacks are becoming ever more prevalent and it’s no longer just the huge organisations that are being targeted. The IPA has seen recent attacks within the advertising industry.  

Attackers can continuously try to infiltrate your systems, and they only need to get through once to cause financial and reputational damage.

Agency heads are advised to be aware of the business risks around cyber security and the potential impact on the business from operational to reputational. Additionally, it is recommended to empower your agency staff to be aware of the risks and the part they play in protecting the agency.

The IPA is urging all senior leaders to check their agency has the basics in place and to ask the following questions if they are not sure. 

1. Does your organisation use multifactor authentication for business accounts? (One-time pins or mobile authentication) 

These days a username and password aren’t good enough for any system storing confidential information. A second confirmation of identity, usually via a mobile phone message or app, vastly improves security but is often not enabled by default. Check to see if the services you use offer this and turn it on if they do.

2. Do you provide any security training for staff? 

Better cybersecurity isn’t just about more secure systems. Your staff may still unwittingly let attacks through. Online training for staff on how to avoid phishing attacks is widely available, often drip-fed in 10-minute online training sessions. You can also simulate attacks to see where your highest risks are and provide additional training to specific staff.

3. Do you have any backups in place? (Documents, files, emails, Cloud storage) 

Check that files vital to your agency's commercial viability are regularly backed up, and ensure backups exist offsite.

4. Do you follow best practice for passwords?  

Most software and online tools now force strong passwords, but it’s good to check there are no old legacy systems still allowing people to use 123456 as a password! Remind your staff not to reuse passwords, so that if a password is compromised, it will only impact that specific login and not become a more widespread issue.

5. Do you have any security on devices to protect users from viruses and malicious websites? 

You will hopefully already have antivirus software on agency-owned devices, but what about those connecting to your network on their own laptops? Have you put guidance in place for contractors and freelancers using their own devices? 

6. Do you use any email security for your organisation?  

Email is the most common way for cybercriminals to gain access to your systems. Attacks come in several forms, from dangerous attachments containing viruses to phishing emails where the attacker uses social engineering to trick a staff member into giving out sensitive information or changing payment details. Investing in security solutions that filter out dangerous emails is a priority for any agency, but staff training is equally important.

7. Does your organisation adequately secure data?

Personal information needs to be stored and handled under the GDPR guidance rules. Ensure any staff handling such data are aware of the guidance. Consider passwords and encryption when passing data between yourself and partners/clients.

8. Have you considered what information you make public?  

Cybercriminals will use anything you have on your website or social media to create more targeted attacks. Information such as full organisation structure, staff lists or email addresses can be used against you or your clients.

9. Does your organisation need cyber insurance? 

Holding organisations to ransom for the release of their commercially vital files and documents is becoming more frequent. Consider whether you need cyber insurance, which will usually include access to experts who can liaise with cybercriminals on your behalf if needed.

10. Do you know what to do in the event of a successful attack? 

It is crucial for agencies to have an idea of the steps they will need to take should they be unfortunate enough to suffer an attack. Depending on the type and severity of the attack, this may include changing passwords, restoring files and documents from backups, contacting affected suppliers and clients, and contacting the Information Commissioner’s Office.

IPA webinar on cybersecurity precautions

The IPA is looking to run a webinar on cybersecurity precautions aimed at owners of small to medium-sized agencies.

Last updated 12 June 2024