- Security TWENTY
- Women in Security Awards
The unfortunate truth is that cyber attacks and malicious malware are lurking around every corner and these threats continue to grow in scale and severity. Although businesses have no direct control over the growth of cyber crime, there are some simple steps they can take to secure their internal systems and processes and so reduce their exposure to attack, writes David Emm, pictured, Principal Security Researcher at the IT security product company Kaspersky Lab.
Small businesses come in all shapes and sizes, but in today’s world, no organisation, large or small, can afford to ignore online security. Whether you’re a team operating out of an office, or an individual working from home, cybersecurity is an issue that every business should prioritise. Granted, cybercrime generally grabs the headlines when a huge multi-national or government agency is the victim, but the many unreported cases affecting small businesses are arguably the bigger story.
In the second quarter of 2017, Kaspersky Lab solutions detected and repelled over 342 million malicious attacks from online resources in 191 countries. What’s more, the majority of these were directed against individuals and organisations who wouldn’t have regarded themselves as likely targets. The truth is that any business is a potential target, but the good news is that there’s a huge difference between being a target and being a victim. It simply comes down to being prepared – and there are several steps that businesses should take to arm themselves against threats.
Conduct a security audit – The starting point for any cybersecurity strategy is to assess the risks to the business. Identifying your business’s security strengths, weaknesses and opportunities for improvements will provide a good foundation for your future decision-making process on appropriate technology and other measures. Ask yourself the following questions to identify how you need to protect your business:
– What do you have that’s valuable – intellectual property, customer data, money?
– Who might want it?
– How might they try to get it?
– What methods of attack might they use – e-mail, social media, through your network? and
– What might they do with it – sell it, publish it, damage the company reputation?
Once you’ve established what you’re already doing to secure your assets, it will help you identify what else you need to do for adequate protection.
Choose the right anti-malware protection – When it comes to cybersecurity, small businesses are in a unique position. They face many of the same threats as enterprise, while sharing many of the same vulnerabilities as individuals. This unique position deserves its own approach to security. Simply repackaging a consumer product as a small business solution isn’t adequate. For instance, it might offer no protection for servers, but many small businesses either use one or soon will.
Unlike consumers, businesses need a way to protect multiple devices easily. However, simply taking functions away from a solution intended for a large enterprise doesn’t work either. Small businesses don’t have dedicated IT teams or the time to wrestle with complicated software built for specialists. Choosing the right security software will allow you to feel relaxed and comfortable that your business is adequately protected, without the hassle of managing an expensive or overly elaborate security solution.
Keep your software up to date – According to AV-test data, four new pieces of malware are now detected every second, so businesses need to stay ahead. This means applying updates to your operating systems and applications as soon as they become available (switch on automatic updates where this is available). Remember, programs that haven’t been updated are one of the key means that cybercriminals use to hack businesses: this was underlined by the WannaCry epidemic earlier in the year.
Manage your network to minimise threats – By managing your network, you can limit the scope of any potential attacks. This includes:
Not automatically assigning admin rights to all staff – only to those who need access.
Segmenting the network – this will prevent lateral movement of malware if an infection does occur.
Limiting write-access to only those who need it restricts the access of an attacker.
Back up – Plan for the worst-case scenario: infection. It’s vital to back up your files – so that, if your documents are compromised, you can restore your files with minimal disruption. This is true for ransomware attacks. It’s also true for attacks like ExPetr, that are wipers disguised as ransomware and which delete your files rather than holding them to ransom – which means that even if you pay the fee you won’t get your files back.
Enforce a password policy – Ensure your employees use unique, complex passwords that mix symbols, numerals and letters of both cases. Everyday words can be cracked by programs that simply scan through dictionaries until they find the right one. Even if it’s strong, the same password used across multiple accounts increases the risk of a security breach – if it is compromised, attackers can try to reuse it to access other accounts.
Businesses should have a strong password policy in place and ensure that teams aren’t making any classic password errors. Follow the following guidelines:
Make every password at least 15 characters long – the longer the better.
Don’t make them easily guessable. There’s a good chance that personal details, such as your date of birth, place of birth, partner’s name, etc. can be found online – and maybe even on your Facebook wall.
Don’t use real words. They are open to ‘dictionary attacks’, where someone uses a program to quickly try a huge list of possible words until they find one that matches your password.
Combine letters (including uppercase letters), numbers and symbols.
Don’t ‘recycle’ them, e.g. ‘david1’, ‘david2’, ‘david3’, etc.
Use a password manager to help you store and remember your passwords securely.
In addition to this, make use of two-factor authentication to reduce the likelihood of an account being compromised and to limit the damage that can occur if an attacker manages to obtain the password.
Educate your staff about browsing behaviours – From sophisticated targeted attack campaigns to random, speculative malware, the starting point for most attacks is tricking people into doing something that allows attackers to get a foothold. So proactively educating your staff about the impact their online activity can have on the business will help to reduce your exposure to online threats significantly. This includes the type of sites they visit at work, how they transact sensitive business online (using only secure websites, for example) as well as how they respond to attachments and links in unsolicited e-mails. Good habits include manually typing URLs, to avoid being redirected to fake sites, only entering confidential data on secure site (only those starting with ‘https’ and checking that the security certificate of the site is valid).
If they’re also using a mobile device such as a laptop, smartphone or tablet, either a personal or business device, they may become less security-conscious once they’ve left the building. Therefore, it is vital to secure all devices and the data stored on them.
Staff should also be encouraged to avoid using untrusted, public Wi-Fi networks for conducting sensitive business. Increasing general awareness of IT security threats will help employees stay safe in their personal life as well as reducing the risk of an attack on the company.
Banking – From directing you to fake versions of trusted sites to using malware to spy on your activity and capture passwords, cybercriminals have a number of methods for obtaining your financial information. You need to take active measures to stop them.
Stay alert for ‘phishing’ attempts. Phishing is when cyber criminals impersonate a trusted institution, hoping to obtain information – such as passwords and credit card details – which they could use to defraud you. Often phishing scam artists send emails impersonating your bank, a trusted supplier or an official organisation (HMRC, for example), so always take a close look at the URL before inputting your details on any site to make sure it’s a genuine site, and ideally use a secure browser. It’s also best to avoid sharing sensitive in e-mails, using IM or in social networks – they may be seen by eyes they weren’t intended for.
Mobile devices – As working on the move is now part of our everyday life, cybercrime is increasingly directed at mobile devices. In 2016, more than 8,500,000 new malicious mobile apps were detected.
Their portability and size means that mobile devices can be lost or stolen very easily, and if they’re inadequately protected, they provide an easy route for someone to gain access to the business. Remember that on a mobile device, a weak PIN or password becomes a single point of failure, allowing easy access to everything you do on your device.
Even though it’s just as important to protect phones and tablets as it is to protect PCs and Macs, only 32 per cent of small businesses currently recognise the risk mobile devices present.
Encryption is key – If you have sensitive data stored on your computers, it should be encrypted, so that if it’s lost or stolen it won’t be accessible. It’s important to realise that as a business, the information you hold is a highly valuable asset that needs protecting.