Cyber Security is a top concern for any business. Fail to take it seriously and you could easily find yourself facing huge fines for breaching compliance and losing all of your clients because you compromised their sensitive data. Not to mention spending weeks unable to work or trying frantically to repair damage to your IT systems, or having to pay large sums of money to retrieve your data from criminals.
Failing to take cyber security seriously could easily ruin the business you’ve spent years building up.
Here are some habits of businesses who take it seriously:
1. Using strong passwords & an extra method of authentication
Let’s face it – everyone is AWFUL at picking good passwords. Most of us KNOW password strength is key, but convenience prevails in picking the simplest one the system allows.
Now if you think like this, do you perhaps think your employees might act similarly? Don’t make it even easier for cyber criminals by allowing weak passwords!
Ensure your systems only accept sufficiently strong passwords: ones that include upper and lower case characters, at least one number, and at least one special character.
Make sure passwords expire after 30 days. This will greatly reduce the chance of a cyber criminal gaining access to your systems or data by guessing a password. (This happens more often than you think!).
Just make sure no-one thinks it’s a good idea to write their passwords down!
In addition to a strong password, use a second method of authentication for your login.
Check out our post on two-factor authentication here!
This can be used to log on to your PC, your E-mails, online banking and applications across your network.
So how does this work?
You can download an app on your smartphone which is linked to your user account.
You will be asked to link the account with the app, and every time you log in a unique code will be generated. Type this in to access your account!
Beware though, the code expires after 30 seconds! Each code is different and can only be used once.
With two-factor authentication you are still protected should a cyber criminal know your username and password.
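As an added illustration (not part of the original post, and not the code of any particular authenticator app or provider), here is the standard RFC 6238 time-based one-time password algorithm that such apps implement, with a server-side check that enforces the 30-second window and the single-use rule described above. The demo secret is the RFC's published test key, and the tolerance of one step of clock drift is an assumption.

```python
import base64
import hashlib
import hmac
import struct

# Published RFC 6238 test secret (ASCII "12345678901234567890" in base32).
# A real enrolment would carry a randomly generated secret in the QR code.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30   # the 30-second window described in the post
DIGITS = 6          # the 6-digit code the app displays


def totp_code(secret_b32, unix_time, step=STEP_SECONDS, digits=DIGITS):
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(unix_time) // step                # changes every `step` seconds
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte picks 4 bytes
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Server side: accepts a code for the current step (plus one step of clock
    drift either way, an assumed tolerance) and never accepts the same step twice,
    which is what makes each code single-use."""

    def __init__(self, secret_b32, step=STEP_SECONDS):
        self.secret = secret_b32
        self.step = step
        self.last_accepted_step = -1

    def verify(self, submitted, unix_time):
        now_step = int(unix_time) // self.step
        for candidate in (now_step - 1, now_step, now_step + 1):
            if candidate <= self.last_accepted_step:
                continue   # replay: this step, or an earlier one, was already used
            expected = totp_code(self.secret, candidate * self.step, self.step)
            if hmac.compare_digest(expected, submitted):   # constant-time comparison
                self.last_accepted_step = candidate
                return True
        return False
```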
2. Requiring cyber security training
Successful businesses know that constant training keeps you and your staff up to date with the latest threat landscape. This includes security awareness training!
We partner with KnowBe4, which gives a detailed video training guide for you and your employees.
Without this awareness, staff are prime targets for social engineering methods employed by cyber criminals.
Social Engineering = Manipulation + Gathering Information To Impersonate A Higher Authority Figure
What would you do if an urgent E-mail came from your line manager asking you to transfer funds immediately?
Below are some examples to watch out for:
- Stay away from USB sticks lying around!! Cyber criminals are known to leave these in public spaces, near an office entrance or toilets. Some entice you in with encouraging labels: e.g. “Director Bonuses 2017”.
Once that USB stick is plugged in, malware is deployed to the network. This can silently copy, or encrypt data, monitor communications or just wreak havoc.
- A particularly deceptive, and currently very widespread, crime is CEO fraud. Normally targeting someone in finance, cyber criminals send an E-mail appearing to come from the CEO of the company. This will generally contain a payment request and look legitimate.
Often, malware is present on the company systems so criminals can monitor email communications and impersonate the boss, as well as time the attack. A follow up E-mail with a phone call from the “company” or an “intermediary” is not uncommon.
By the time you realise what’s happened, the money is gone.
If security training is not already present in your business, can you afford to take that risk?
3. Employing simulated phishing email tests
Phishing emails are one of the most dangerous threats to your business. Every business will be sent them at some point. They’re not necessarily easy to spot.
They are not always riddled with spelling mistakes, terrible formatting and strange-looking sender addresses. They can often look exactly like the real thing.
The main goal is to get you to click on something. Cyber criminals actually research specific targets online, even going as far as creating a fake social media profile that looks like one of their colleagues so they can befriend them and get them to reveal more information.
Any information they find out about you could be used to write an email that catches your attention, so tighten your social media security!
Once you click the link or download the attachment, anything can happen.
Your email accounts could be monitored, all the files on your network could be encrypted and held to ransom, or cyber criminals could just quietly go through all of your business’ data and use it for their own means.
This is why, along with ongoing cyber security training, employees should be regularly sent simulated phishing emails.
If people click, no harm is done, they’re the butt of jokes from their colleagues, and you can send them for more training. But most importantly, you can assess who is at most risk within the company.
4. Investing in the latest tech to stay secure
It’s a known fact and it makes obvious sense:
Businesses that invest in technology and employ more advanced defences against cyber attacks suffer fewer breaches.
For example – a business that hasn’t upgraded their firewall in a couple of years because they think there’s no need, may be allowing as much as 60% of internet traffic to pass into their network without being scanned.
This is because older firewalls DO NOT have the ability to scan traffic encrypted by SSL.
What is SSL?
It’s the security standard that pretty much ANY major website now uses, and anyone (including cyber criminals) can obtain. SSL encryption means data passing from recipient to sender is encrypted and cannot be read by someone else.
This is great, but what happens when you make an encrypted connection to a website controlled by cyber criminals and your firewall can’t scan what they’re sending to you?
What else is worth investing in?
- For example, a cloud based antivirus that is ALWAYS up to date against the latest known threats. Traditional, cheaper antivirus programmes must be manually updated (usually when it’s too late) in order to recognise new threats.
Fending off cyber threats is all about a multi-layered approach. Antivirus alone won’t fully protect you, neither will your firewall. Hopefully your employee training will prevent some attacks, but when one layer fails – another one may save you.
- One additional layer you can add is DNS monitoring, which sits outside your network.
Providers of these solutions handle huge amounts of internet traffic, and they look at domains, requests and patterns of traffic in order to spot and predict threats.
Protection at this level will effectively block your network from making connections to domains that are suspicious (e.g. by clicking a dodgy link).
5. Proactive technology management
All technology needs to be proactively managed to ensure it continues to operate as it should.
This is no less the case with security technology. It must stay up to date in order to be effective. Firewalls need firmware upgrades, and antivirus needs constant updates to the database of threats it can recognise.
In addition, those updates to Windows, Mac, Java, QuickTime, iTunes – EVERYTHING – that you always skip are essential to keep you protected.
From time to time, cyber criminals figure out vulnerabilities in operating systems on PCs and Servers, and in common applications. The updates that are very often ignored or delayed by users are brought out to address these vulnerabilities.
If left unaddressed, they can be exploited to gain unauthorised access to your systems. This is why if you’re still running Windows XP or Vista, you’re effectively leaving the door open for cyber criminals, as these operating systems no longer receive updates from Microsoft.
It’s vital that you’re proactively reviewing your technology to make sure that everything is up to date. If you are partnered with a company who manages your IT, they should be doing this and providing you with reports on the patch/update status of your PCs and Servers.
Habits to avoid:
Businesses avoiding these traps are less likely to be the victims of a successful cyber attack:
Storing sensitive data on devices
If you’re holding sensitive data on your business desktop, laptop, phone etc. then you’ve got a problem if that device is ever lost or stolen – or when it comes to disposing of the device.
Sure, your login screen should keep unwanted people from accessing the data on the device – but what if that person simply removes the hard drive and connects it to a different device?
There are a couple of ways you can protect yourself. One is to employ hard-drive encryption.
These solutions work by encrypting all of the data on a hard drive, and only authorised user accounts can read the encrypted data. If someone tries to remove the drive and connect it to another computer, they will be using their own, unauthorised, user account and they will not be able to read the contents of the drive.
Using file sync services not designed for business
File sync and share services are incredibly useful for business. However, you should be using one that’s specifically designed for business, with business level security in mind!
Dropbox and Google Drive are designed for consumers and the mass market. Because everyone is using services like these at home, they’ve found their way into the work environment. There are several good reasons why this shouldn’t be allowed:
Your IT partner or department has no control or visibility over what’s syncing. Once you’ve given Dropbox permission to sync with your work PC, whatever you place in it at home will appear there. Unfortunately, if something unwanted gets into the Dropbox folder on your home PC, it will replicate itself in the Dropbox folder at work too!
Dropbox don’t share their audit logs, so if sensitive data is leaked there’s no way of knowing who accessed it. There’s also a lack of “remote wipe” functionality, which means files will remain on the device if it’s lost or stolen! Hopefully you’ve invested in hard-drive encryption!
In addition, there’s no ability to set granular permissions for users. You can’t customise different read and write ability over the same files/folders for different people. If you want your accounts person to be able to VIEW financial data, you can, but you’ll have to live with the risk of them accidentally overwriting the files!
Trusting the unknown!
One policy several businesses have adopted to reduce costs and provide flexibility to employees is BYOD – or “Bring Your Own Device”.
This is a huge security concern, as employees’ devices can easily contain malware, and often do, due to a lack of protection and careless browsing at home. Connecting these to your networks opens them up to a huge risk.
As mentioned earlier, unknown USB devices (even webcams, keyboards, etc.) can contain malware. Plugging them in bypasses all the network protection you have in place – they’re already inside.
You can protect yourself from employees plugging in unknown USB devices by investing in endpoint protection.
Endpoint protection allows an administrator to set a minimum level that all devices must comply with in order to connect to the network. All USB devices, except those that have been pre-approved can be blocked, and devices such as desktops, laptops, phones etc. can be blocked unless they comply with a certain security standard.
Another unknown that people are all too quick to trust is public Wi-Fi.
Unfortunately, people have been stung when they connect to unsecured public Wi-Fi – for example in coffee shops. It is easy for anyone to set up a public Wi-Fi network.
You probably even know how to set up a hotspot from your phone. Cyber criminals use devices to create unsecured wireless access points and name them something you’d connect to. Following this, they collect all the information that people send and receive via the free internet connection.
Login details, work emails, sensitive business files… They can even push notifications to the users such as “java update required” – when clicked, this will install malware on the user’s device.
Allowing everyone to have admin rights
Having admin rights on your work computer means you can do all kinds of great things, like install Spotify or iTunes, install custom fonts, change screensaver timeout, etc.
Employees usually want admin rights because they’ve always had them. They don’t want to have to wait for someone to type in a password when they need to install a new project management tool.
But, employees should not automatically have admin rights on their machines.
Admin rights are a huge threat to business security. Enabling them means that any malware can run unrestricted and do whatever it was designed to do.
Are you concerned about cyber security for your business?
If you are, there is no need to worry. Our dedicated team is here to help run through some solutions through our Managed IT Support. Click here to fill out a contact form.