Govern

scrabble letters spelling rules on a wooden table

August 27 2025

Update security protocols regularly.

SJ CyberAware All, Daily Tips, Govern, Protect

Security protocols should evolve with threats. Review and update them at least quarterly or after any incident. This includes password policies, incident response plans, access controls, and data handling procedures. Involve your team in the process to ensure protocols are practical and understood. Outdated rules can create blind spots or false confidence. By keeping protocols fresh, you build a living security culture that adapts, improves, and stays ahead of attackers.

Protocol Updates
Keep Security Protocols Alive and Evolving
Security protocols aren’t static documents, they should evolve as threats, technology, and business needs change. Outdated rules create blind spots and false confidence. By treating protocols as “living documents,” you create a culture of resilience that adapts and improves over time.
Best Practices for Updating Security Protocols:
Review Regularly
Schedule reviews at least quarterly.
Always re-evaluate after incidents, audits, or significant system changes.
Cover All Key Areas
Password & Authentication Policies: Update to reflect MFA adoption and modern standards.
Incident Response Plans: Align with new threats and lessons learned from exercises.
Access Controls: Reassess permissions and remove outdated accounts.
Data Handling Procedures: Ensure compliance with regulations (e.g., GDPR).
Involve Your Team
Gather input from staff who use protocols daily to keep them practical.
Run awareness sessions to explain updates in plain language.
Document & Communicate Clearly
Use simple, accessible formats (one-page guides, checklists).
Store protocols in a central, easy-to-find location.
Test in Real Situations
Run tabletop exercises or simulations to check if protocols actually work.
Adjust based on gaps revealed during testing.
Balance Security and Usability
Avoid overly complex rules that lead to workarounds.
Ensure protocols support productivity while maintaining security.
Stay Ahead of Threats
Monitor advisories from NCSC, CISA, or vendors for evolving risks.
Benchmark protocols against frameworks like NIST or ISO 27001.
Remember: A protocol written once and forgotten quickly becomes a liability. A protocol that evolves, tested, updated, and understood, becomes a shield that grows stronger over time.

August 25 2025

Review security updates frequently.

SJ CyberAware All, Daily Tips, Govern, Protect

Security updates aren’t just patches, they’re shields against known threats. Review updates weekly, especially for operating systems, browsers, plugins, and third-party libraries. Subscribe to vendor advisories and automate where possible, but always test before deploying. Outdated software is a common attack vector, and SMBs can’t afford to leave doors open. Treat updates like brushing your teeth, routine, essential, and non-negotiable.

Why you should
Security Updates: Your First Line of Defence
Security updates aren’t just patches, they’re shields that block attackers from exploiting known weaknesses. Outdated software is one of the most common attack vectors, and SMBs can’t afford to leave doors open. Updates should be routine, essential, and as natural as brushing your teeth.
Top Tips for Staying Updated:
Review Updates Weekly
Prioritize operating systems, browsers, plugins, and third-party libraries.
Don’t forget firmware on routers, firewalls, and IoT devices.
Automate Where Possible
Turn on automatic updates for mainstream software.
Use centralised patch management tools if managing multiple devices.
Subscribe to Vendor Advisories
Sign up for security alerts from Microsoft, Apple, Google, and key suppliers.
Follow trusted sources like NCSC (UK) or CISA (US).
Always Test Before Deploying
In business environments, test patches on a non-critical system first.
Create a rollback plan in case an update causes issues.
Track and Audit
Maintain an inventory of all software and devices in use.
Run quarterly audits to ensure nothing has been missed.
Close the Gaps
Uninstall unused or outdated applications.
Replace end-of-life software (e.g., Windows 7, old Java versions).
Educate Your Team
Remind staff not to click “Remind Me Later” on updates.
Make patching part of their responsibility, not just IT’s job.
Remember: Every missed update is like leaving a window open overnight. Attackers don’t need to break in if you’ve already left the door ajar.

August 24 2025

Maintain good cybersecurity practices.

SJ CyberAware All, Daily Tips, Govern, Protect, Respond

Cybersecurity isn’t a one-time fix, it’s a daily habit. Keep software patched, use strong passwords, enable MFA, and back up data regularly. Train staff to spot phishing and report suspicious activity. Document policies and revisit them often. Good practices aren’t just technical, they’re cultural. When security becomes part of how your team thinks, clicks, and communicates, you build resilience that lasts longer than any tool or firewall.

Good Practices
Cybersecurity: A Daily Habit, Not a One-Time Fix
Cybersecurity isn’t a one-time fix, it’s a daily discipline woven into how your team works. Just like locking the office door every night, digital safety needs to become second nature. By combining technical safeguards with cultural awareness, you can build resilience that lasts longer than any tool or firewall.
Top Tips for Everyday Cybersecurity:
Keep Software Patched
Enable automatic updates where possible.
Regularly check for firmware updates on routers, firewalls, and IoT devices.
Use Strong, Unique Passwords
Adopt a password manager to reduce reuse and weak choices.
Encourage passphrases (e.g., “Purple!Chair_Dragon#42”) over short, complex codes.
Enable Multi-Factor Authentication (MFA)
Prioritize MFA for critical systems: email, banking, cloud storage.
Avoid SMS-only codes, use authenticator apps or hardware tokens where possible.
Back Up Data Regularly
Follow the 3-2-1 rule: 3 copies, 2 formats, 1 off-site.
Test your backups quarterly to ensure you can restore them.
Train Staff Continuously
Run phishing simulations and quick refreshers, not just annual courses.
Encourage a “no blame” culture so employees report suspicious emails without fear.
Document and Revisit Policies
Review access rights, bring-your-own-device (BYOD) rules, and incident procedures.
Update policies at least annually, or after a major change in tools or staff.
Make Security Cultural
Celebrate staff who spot and report threats.
Use posters, team chats, or short videos to keep awareness alive.
Stay Alert to New Threats
Follow trusted sources like the NCSC or CISA for alerts.
Run tabletop exercises to rehearse response to incidents.
Remember: Security isn’t just what you install, it’s what you practice. When your team treats cybersecurity like brushing their teeth, simple, daily, non-negotiable, you create resilience that outlasts the latest attack trend.

August 23 2025

Update Software Libraries Regularly

SJ CyberAware All, Daily Tips, Govern, Protect

Regularly updating software libraries is a critical step in maintaining a secure and stable environment, especially for SMBs relying on third-party tools and frameworks. Outdated libraries often contain known vulnerabilities that attackers can exploit, and patches are frequently released to fix these issues. By staying current, businesses reduce exposure to threats, improve performance, and ensure compatibility with modern systems. Automating updates where possible and scheduling periodic reviews helps embed this habit into everyday operations without adding overhead.

Would you trust a chef who never cleaned their knives?
Keep Software Libraries Up to Date
Why it matters:
Outdated libraries are like unlocked doors, vulnerabilities are often publicly known and actively exploited. Regular updates close those gaps before attackers can walk through.
✅ Practical Steps
Automate where possible:
Use package managers (e.g., npm, pip, Composer) with update scripts or CI/CD pipelines to streamline patching.
Monitor dependencies:
Tools like Dependabot, Snyk, or OWASP Dependency-Check flag outdated or vulnerable libraries in real time.
Test before deploying:
Always run updates in a staging environment first to catch breaking changes or compatibility issues.
Document update cycles:
Build it into your ops rhythm, weekly checks, monthly reviews, or post-release audits.
Don’t ignore transitive dependencies:
Vulnerabilities often hide in nested packages. Use tools that scan the full dependency tree.
Stay informed:
Subscribe to security advisories for your tech stack (e.g., GitHub Security Advisories, CVE feeds).
Culture Tip
Frame updates as digital hygiene, like brushing your teeth. It’s not glamorous, but it’s foundational.

create-a-highly-detailed-high-resolution-image-that-captures-a-small

August 21 2025

Review security policies periodically.

SJ CyberAware All, Daily Tips, Govern, Identify, Protect

Review security policies periodically to ensure they remain relevant, effective, and aligned with current threats, technologies, and business operations. Cyber risks evolve quickly, and outdated policies create gaps that attackers can exploit. Regular reviews also help confirm compliance with legal, regulatory, and industry standards. Involving stakeholders across IT, operations, and management ensures policies reflect real-world practices. Treat reviews as an opportunity to strengthen resilience, update procedures, and reinforce staff awareness, keeping security a living, adaptive framework.

Top Tips
Best Practice Guide
Why it matters:
Security policies are the foundation of your cyber resilience strategy. They guide staff behaviour, set technical standards, and demonstrate compliance. But if they’re outdated, vague, or forgotten, they become a liability instead of protection. Regular reviews keep them sharp, relevant, and effective against evolving threats.
🌟 Top Tips for Reviewing Security Policies
Set a clear review cycle
Aim for at least once a year.
Trigger extra reviews after incidents, regulatory changes, or new technology adoption.
Involve the right people
Don’t leave reviews to IT alone. Include HR (for staff behaviour policies), operations (for workflow impacts), and senior leadership (for risk appetite and compliance).
Benchmark against recognised standards
Use Cyber Essentials, ISO 27001, or NIST CSF as reference points.
This ensures your policies aren’t just “good enough” but aligned with proven frameworks.
Test policies in practice
Run tabletop exercises or simulations to check if policies hold up during incidents.
Example: Test your incident response policy with a ransomware scenario.
Update for the modern threat landscape
Remote work, mobile devices, and cloud services change risk exposure.
Policies must adapt to cover these realities, not just traditional office setups.
Keep it practical and readable
Avoid jargon. Write for everyday staff, not just IT teams.
Clear, simple language encourages compliance and builds a security-aware culture.
Track changes and improvements
Keep a version history of all policies.
This shows regulators, auditors, and clients that your business takes security seriously.
Communicate and train staff
Policies are only effective if employees know about them.
Share updates via training sessions, team meetings, or quick guides.
Link policies to resilience planning
Treat them as living documents that evolve with your business.
Align with continuity and recovery planning to minimise downtime when incidents occur.
Audit compliance regularly
Check if policies are being followed in practice.
Use spot checks, system audits, or staff surveys to identify gaps.
By following these steps, businesses turn their policies from “tick-box documents” into living safeguards that build trust, resilience, and regulatory compliance.

August 18 2025

Encourage feedback on security practices.

SJ CyberAware All, Daily Tips, Govern

Encouraging feedback on security practices helps build a stronger, more resilient culture. Employees often notice risks, inefficiencies, or suspicious activity that leadership may miss. By creating open channels for suggestions, incident reporting, and improvement ideas, organisations empower staff to play an active role in cyber defence. Regularly reviewing feedback, acting on valid concerns, and recognising contributions reinforces trust, accountability, and shared responsibility for protecting business systems and data.

More Information
Best Practices for Encouraging Feedback on Security
Create clear reporting channels
Provide easy ways for staff to share concerns (e.g., email, hotline, anonymous form).
Encourage open communication
Make it clear that reporting issues or suggestions is welcomed, not punished.
Act on feedback quickly
Show employees their input leads to real improvements.
Recognise contributions
Thank or reward staff who highlight risks or suggest better security practices.
Integrate into culture
Build feedback into meetings, training sessions, and regular check-ins.
Allow anonymity
Offer options for confidential reporting to reduce fear of judgment.
Provide feedback loops
Share outcomes and changes so staff know their input matters.
Train managers
Equip leaders to listen, escalate issues appropriately, and encourage dialogue.
Promote a ‘see something, say something’ mindset
Reinforce that everyone has a role in spotting risks.
Regularly review processes
Assess whether your feedback channels are being used and improve them as needed.

August 15 2025

Maintain good cybersecurity hygiene.

SJ CyberAware All, Daily Tips, Govern, Protect

Encrypting email protects sensitive messages by converting them into unreadable code during transmission, ensuring only the intended recipient can access the content. This prevents interception, tampering, and unauthorized access, especially important when sharing confidential data like financial details, login credentials, or client information. Encryption also supports compliance with data protection regulations and reinforces trust between senders and recipients. In short, encrypted email transforms everyday communication into a secure channel, safeguarding both the message and the reputation of the organization behind it.

Best practice
Top Tips & Best Practices for Encrypting Email
Use End-to-End Encryption Tools
Choose email services or plugins that offer end-to-end encryption (like ProtonMail, Tutanota, or Outlook with S/MIME). This ensures only the sender and recipient can read the message.
Enable Encryption by Default
Configure your email client to automatically encrypt outgoing messages when possible. This reduces the risk of forgetting to secure sensitive content.
Verify Recipient Identity
Always double-check the recipient’s email address and public key (if applicable) to avoid sending confidential info to the wrong person.
Encrypt Attachments Separately
Use password-protected PDFs or encrypted ZIP files for sensitive attachments, especially if your email client doesn’t encrypt them by default.
Avoid Public Wi-Fi for Sensitive Emails
Sending encrypted messages over unsecured networks can still expose metadata. Use a VPN or wait until you’re on a trusted connection.
Keep Encryption Keys Secure
Store private keys in a secure location and back them up. Losing your key means losing access to encrypted messages.
Educate Your Team
Train staff on how and when to use email encryption. Awareness is key to consistent, secure communication.
Stay Compliant
Ensure your encryption practices align with regulations like GDPR, PCI-DSS, etc, depending on your industry.
Use Strong Passwords for Encrypted Files
If you’re encrypting attachments manually, use complex, unique passwords and share them securely (not via email!).
Regularly Update Your Tools
Keep your email client and encryption software up to date to patch vulnerabilities and maintain compatibility.

August 9 2025

Use security awareness materials like posters.

SJ CyberAware All, Daily Tips, Govern, Protect

Posters reinforce good habits visually, keeping cybersecurity top-of-mind in shared spaces.
Well-designed posters serve as constant visual reminders of key security behaviours, whether it’s locking screens, spotting phishing emails, or using strong passwords. Placed in kitchens, meeting rooms, corridors, or near printers, they catch the eye and spark quick moments of awareness without needing formal training. When updated regularly with seasonal tips or campaign themes, posters can boost engagement and support a broader culture of cyber awareness across the workplace.

Posters and stuff
Cybersecurity isn’t just policy, it’s culture.
And posters? They’re your silent enforcers. Eye-level, everyday reminders that actually stick.
A bold sign by the printer or kettle can stop a bad click before it happens. Lock your screen. Check that attachment. Watch for shoulder surfers. Quick hits. Big impact.
Make them land:
Use punchy slogans. Grit, humour, or cheek—ditch the corporate fluff.
Rotate monthly to keep them fresh.
Add QR codes to micro-training, incident forms, or your cyber hub.
Real win:
A poster saying “Your password is not ‘password’… is it?” sparked laughter, and an impromptu round of password updates at a local design agency.
That’s culture shift in action.
Pro tip:
Get your team involved. Use insider lingo, team jokes, or bold visuals that feel real. Think zines over stock photos.
If it feels personal, it works.
Bottom line:
When people see it, they remember it.
When they remember it, they act.

July 28 2025

Review cybersecurity policies regularly.

SJ CyberAware All, Daily Tips, Govern, Protect

Regularly reviewing cybersecurity policies is essential for maintaining effective security measures. Periodic reviews help ensure that the policies stay up-to-date with the latest threats and compliance requirements. This practice helps identify gaps or weaknesses in your security protocols, allowing necessary adjustments and improvements. Keeping your cybersecurity policies current better protects your organization from potential risks, ensuring a more secure environment.

The Reasons Why!
🛡️ Why Regular Cybersecurity Policy Reviews Are Non-Negotiable

🔁 Adaptation to Evolving Threat Landscapes
Threat actors constantly shift tactics, yesterday’s defences may be obsolete by tomorrow.
Emerging technologies introduce new vectors (e.g., AI-powered phishing, IoT vulnerabilities).
Reviewing policies keeps you agile rather than reactive.
📜 Regulatory Compliance & Legal Alignment
Legislation and standards (GDPR, NIS2, ISO/IEC 27001) evolve, non-compliance = fines and reputation hits.
Policy reviews ensure controls align with current legal obligations.
🕵️‍♂️ Gap Identification and Risk Reduction
Reviewing exposes outdated protocols, redundant tools, and weak user practices.
It’s your chance to proactively plug holes before a breach exploits them.
🧠 User Awareness and Cultural Reinforcement
A refreshed policy serves as a renewed call to arms, everyone from interns to execs realigns.
It reinforces a cybersecurity mindset across departments, not just IT.
💻 Tech Stack & Infrastructure Changes
New deployments (cloud services, SaaS tools, remote access platforms) demand updated security rules.
Periodic reviews capture these shifts and apply necessary safeguards.
⏱️ Incident Lessons & Post-Mortem Insights
Breach investigations often highlight policy breakdowns, reviews embed those hard-learned lessons.
They turn chaos into clarity, enhancing readiness.
📊 Metrics, Monitoring, and Accountability
A strong policy isn’t just a document, it’s an ecosystem.
Regular reviews set baselines, evaluate KPIs, and clarify who’s responsible for what.

July 23 2025

Limit access to sensitive information.

SJ CyberAware All, Daily Tips, Govern, Protect

Limiting access to sensitive information is crucial for protecting data and ensuring that only authorized individuals can access it. Implement role-based access controls to restrict access based on job responsibilities. Regularly review and update permissions to ensure they align with current roles and needs. This practice helps prevent unauthorized access and minimizes the risk of data breaches.

More Information
Tips & Best Practices for Access Control
1. Implement Role-Based Access Control (RBAC)
Define roles (e.g., HR, Finance, IT) and assign permissions based on job responsibilities.
Ensure access aligns with the “least privilege” principle — only what’s needed to do the job.
2. Create an Access Control Policy
Document how access is granted, reviewed, and revoked.
Specify approval processes and authority levels.
3. Use Groups and Directory Services
Manage access through Active Directory, Azure AD, or Google Workspace groups.
Automate role assignments for new staff based on their department or job title.
4. Regularly Review Permissions
Conduct quarterly access reviews to detect and remove unnecessary privileges.
Promptly revoke access when employees leave or change roles.
5. Monitor Access Logs
Enable audit logging for sensitive systems and files.
Regularly review logs for unusual or unauthorized access attempts.
6. Control Admin Rights
Restrict admin access to essential personnel only.
Use temporary elevated access tools (e.g., Just-In-Time access in Azure).
7. Multi-Factor Authentication (MFA) for Sensitive Data
Enforce MFA for any system containing confidential or regulated data.
Especially important for remote access and admin accounts.
8. Educate Staff
Train employees on the importance of access control.
Help them understand the risks of sharing credentials or accessing restricted data.

Update security protocols regularly.

Keep Security Protocols Alive and Evolving

Review security updates frequently.

Security Updates: Your First Line of Defence

Maintain good cybersecurity practices.

Cybersecurity: A Daily Habit, Not a One-Time Fix

Update Software Libraries Regularly

Keep Software Libraries Up to Date

✅ Practical Steps

Culture Tip

Review security policies periodically.

Best Practice Guide

🌟 Top Tips for Reviewing Security Policies

Encourage feedback on security practices.

Best Practices for Encouraging Feedback on Security

Maintain good cybersecurity hygiene.

Use security awareness materials like posters.

Review cybersecurity policies regularly.

🛡️ Why Regular Cybersecurity Policy Reviews Are Non-Negotiable

🔁 Adaptation to Evolving Threat Landscapes

📜 Regulatory Compliance & Legal Alignment

🕵️‍♂️ Gap Identification and Risk Reduction

🧠 User Awareness and Cultural Reinforcement

💻 Tech Stack & Infrastructure Changes

⏱️ Incident Lessons & Post-Mortem Insights

📊 Metrics, Monitoring, and Accountability

Limit access to sensitive information.

Tips & Best Practices for Access Control

1. Implement Role-Based Access Control (RBAC)

2. Create an Access Control Policy

3. Use Groups and Directory Services

4. Regularly Review Permissions

5. Monitor Access Logs

6. Control Admin Rights

7. Multi-Factor Authentication (MFA) for Sensitive Data

8. Educate Staff