Cyber Security is a top concern for any business. Fail to take it seriously and you could easily find yourself facing huge fines for breaching compliance, losing all of your customers because you compromised their sensitive data, spending weeks unable to work or trying frantically to repair damage to your IT systems, or having to pay large sums of money to retrieve your data from criminals.
Failing to take cyber security seriously could easily ruin the business you've spent years building up.
Here are some habits of businesses that take it seriously:
1. Everyone Uses Strong Passwords + Another Method of Authentication
Let's face it - everyone is AWFUL at picking good passwords. Most of us KNOW we should create the strongest password possible, but the convenience of picking the simplest one the system will allow usually wins out.
This is likely the mindset of the majority of your employees - so don't make it even easier for cyber criminals by allowing weak passwords. Ensure your systems only accept passwords containing upper and lower case characters, at least one number, and at least one special character. Make sure passwords expire after 30 days. This will greatly reduce the chance of a cyber criminal gaining access to your systems or data by guessing a password (which does happen). Just make sure no-one thinks it's a good idea to write their passwords down!
In addition to a strong password, a second method of authentication should be required for login. This can be used for logging on to your PC, logging in to emails, online banking and applications such as your CRM system.
An example of how this works is an app on your smartphone which is linked to your user account. In addition to user name and password, a unique code, which you generate within the app, must be entered in order to log in. The code expires after 30 seconds, is different every time and each code can only be used once. With two-factor authentication in place, knowing your user name and password is still not enough for a cyber criminal.
2. Everyone Constantly Undergoes Cyber Security Training
Training is usually boring, and everyone hates it. However, the majority of your staff will NOT be up to date or educated on the latest threats. This makes them prime targets for social engineering methods employed by cyber criminals - and they WILL be targeted!
Social engineering means manipulating people into providing access to something restricted. This could be data, funds, accounts, a computer or even your office itself.
A couple of examples:
- Cyber criminals have been known to leave USB sticks lying around in the lobby or toilets in the building of companies they are trying to infiltrate. These are sometimes labelled with something juicy like "Director Bonuses 2017". Once that USB stick is plugged in, it deploys malware to the network which can silently copy or encrypt data, monitor communications or just wreak havoc. One company fell for a variation of this trick: a stranger walked in and asked a member of staff to take his USB stick and print off his CV, claiming he needed it for an interview.
- A particularly deceptive, and currently very widespread, crime is CEO fraud. Cyber criminals attempting this kind of fraud will identify somebody in the accounts or finance department as their target. They'll then send an email appearing to come from the CEO of the company, asking them to pay an invoice or transfer funds for a sensitive business deal. Often, they have managed to get malware on the company systems so they can monitor email communications and see when the boss is out of the office. Sometimes they follow up the email with a phone call from the "company" or an "intermediary" assisting with the transaction. By the time you realise what's happened, the money is gone.
There are many more ways cyber criminals can manipulate employees. The point is, do your employees know about them? If you train them now, on a one-off basis, will they remember or stay vigilant in one year? Can you afford to take that risk?
3. Employing Simulated Phishing Email Tests
Phishing emails are one of the most dangerous threats to your business. Every business will be sent them at some point. They're not necessarily easy to spot. They are not always riddled with spelling mistakes, using terrible formatting and from strange looking addresses. They can often look exactly like the real thing.
They're trying to get you to click something, and they sometimes employ some very clever tricks. Cyber criminals are actually researching specific targets online, even going as far as creating a fake social media profile that looks like one of their colleagues so they can befriend them and get them to reveal more information. Any information they find out about you could be used to write an email that catches your attention, so tighten your social media security!
Once you click the link or download the attachment, anything can happen. Your email accounts could be monitored, all the files on your network could be encrypted and held to ransom, or cyber criminals could just quietly go through all of your business' data and use it for their own means.
This is why, along with ongoing cyber security training, employees should be regularly sent simulated phishing emails. If people click, no harm is done, they're the butt of jokes from their colleagues, and you can send them for more training.
4. Investing in the Latest Tech to Stay Secure
It's a known fact and it makes obvious sense:
Businesses that invest in technology and employ more advanced defences against cyber attacks suffer fewer breaches.
For example - a business that hasn't upgraded their firewall in a couple of years because they think there's no need, may be allowing as much as 60% of internet traffic to pass into their network without being scanned.
This is because older firewalls DO NOT have the ability to scan traffic encrypted by SSL. What's SSL? It's the security standard that pretty much ANY major website now uses, and anyone (including cyber criminals) can obtain. SSL encryption means data passing between sender and recipient is encrypted and cannot be read by someone else. This is great, but what happens when you make an encrypted connection to a website controlled by cyber criminals and your firewall can't scan what they're sending to you?
There are other areas too where higher maturity businesses are investing to stay secure. For example, a cloud based antivirus that is ALWAYS up to date against the latest known threats vs. traditional, cheaper antivirus which must be manually updated (usually when it's too late) in order to recognise new threats. Fending off cyber threats is all about a multi-layered approach. Antivirus alone won't fully protect you, and neither will your firewall. Hopefully your employee training will prevent some attacks, but when one layer fails, another one may save you.
One additional layer you can add is DNS monitoring. This is another layer of security you can add outside your network. Providers of these solutions handle huge amounts of internet traffic, and they look at domains, requests and patterns of traffic in order to spot and predict threats. Protection at this level will effectively block your network from making connections to domains that are suspicious (e.g. by clicking a dodgy link).
5. They Proactively Manage Their Technology
All technology needs to be proactively managed to ensure it continues to operate as it should. This is no less the case with security technology. It must stay up to date in order to be effective. Firewalls need firmware upgrades, and antivirus needs constant updates to the database of threats it can recognise (as mentioned, a cloud based AV can remove this need).
In addition, those updates to Windows, Mac, Java, QuickTime, iTunes - EVERYTHING - that you always skip are essential to keep you protected.
From time to time, cyber criminals figure out vulnerabilities in operating systems on PCs and servers, and in common applications. The updates that are so often ignored or delayed by users are brought out to address these vulnerabilities. If left unaddressed, these vulnerabilities can be exploited to gain unauthorised access to your systems. This is why if you're still running Windows XP or Vista, you're effectively leaving the door open for cyber criminals, as these operating systems no longer receive updates from Microsoft.
It's vital that you're proactively reviewing your technology to make sure that everything is up to date. If you are partnered with a company who manages your IT, they should be doing this and providing you with reports on the patch/update status of your PCs and Servers.
Habits to Avoid:
Businesses avoiding these traps are less likely to be the victims of a successful cyber attack:
1. Storing Sensitive Data on Devices
If you're holding sensitive data on your business desktop, laptop, phone etc. then you've got a problem if that device is ever lost or stolen - or when it comes to disposing of the device. Sure, your login screen should keep unwanted people from accessing the data on the device - but what if that person simply removes the hard drive and connects it to a different device?
There are a couple of ways you can protect yourself. One is to employ hard-drive encryption. These solutions work by encrypting all of the data on a hard drive, and only authorised user accounts can read the encrypted data. If someone tries to remove the drive and connect it to another computer, they will be using their own, unauthorised, user account and they will not be able to read the contents of the drive.
2. Using File Sync Services Not Built Specifically for Business
File sync and share services are incredibly useful for business. However, you should be using one that's specifically designed for business, with business level security in mind!
Dropbox and Google Drive are designed for consumers and the mass market. Because everyone is using services like these at home, they've found their way into the work environment. There are several good reasons why this shouldn't be allowed:
Your IT partner or department has no control or visibility over what's syncing. Once you've given Dropbox permission to sync with your work PC, whatever you place in it at home will appear there. Unfortunately, if something unwanted gets into the Dropbox folder on your home PC, it will replicate itself in the Dropbox folder at work too! Dropbox doesn't share its audit logs, so if sensitive data is leaked there's no way of knowing who accessed it. There's also a lack of "remote wipe" functionality, which means files will remain on the device if it's lost or stolen! Hopefully you've invested in hard-drive encryption!
In addition, there's no ability to set granular permissions for users. You can't customise different read and write ability over the same files/folders for different people. If you want your accounts person to be able to VIEW financial data, you can, but you'll have to live with the risk of them accidentally overwriting the files!
3. Trusting the Unknown!
One policy several businesses have adopted to reduce costs and provide flexibility to employees is BYOD - or "Bring Your Own Device". This is a huge security concern as employees' devices can easily contain malware, and often do, due to a lack of protection and careless browsing at home. Connecting these to your networks exposes them to a huge risk.
As mentioned earlier, unknown USB devices (even webcams, keyboards, etc.) can contain malware. Plugging them in bypasses all the network protection you have in place - they're already inside. You can protect yourself from employees plugging in unknown USB devices by investing in endpoint protection. Endpoint protection allows an administrator to set a minimum level that all devices must comply with in order to connect to the network. All USB devices, except those that have been pre-approved, can be blocked, and devices such as desktops, laptops, phones etc. can be blocked unless they comply with a certain security standard.
Another unknown that people are all too quick to trust is public wi-fi. Unfortunately, people have been stung when they connect to unsecured public wi-fi - for example in coffee shops. It is easy for anyone to set up a public wi-fi network. You probably even know how to set up a hotspot from your phone. Cyber criminals use devices to create unsecured wireless access points, name them something appropriate, and then collect all the information that people send and receive via the free internet connection. Login details, work emails, sensitive business files... They can even push notifications to the users such as "java update required" - when clicked, this will install malware on the user's device.
4. Allowing Everyone to Have Admin Rights
Having admin rights on your work computer means you can do all kinds of great things, like install Spotify or iTunes, install custom fonts, change screensaver timeout, etc. Employees usually want admin rights because they've always had them. They don't want to have to ask to install some software that isn't really related to their job, or they don't want to have to wait for someone to type in a password when they need to install a new project management tool.
Employees should not automatically have admin rights on their machines. Admin rights are a huge threat to business security because having them enabled means that any malware that gets onto the machine can run unrestricted and do whatever it was designed to do.