In a report by the British Chambers of Commerce (BCC) released in April this year it was found that one in five UK businesses have been subject to a cyber-attack in the last year with only 24% of businesses having adequate security in place to guard against hacking, despite the rising danger of attacks and increasing publicity about the threat. There’s nothing to suggest that the situation is any more favourable for businesses in Ireland.
The perception persists that only large corporations are at risk of cyber-attack, likely stemming from the fact that these are the incidents that make headlines. This perception is false. SMEs and MLEs are equally at risk and the fall out for smaller companies can often be far worse with the loss of revenue, damage to the company’s reputation, and the cost of fixing the damage more difficult to absorb for smaller businesses.
The most effective means of keeping your business best protected from cyber-crime is education.
All the cyber security strategies, policies and technologies are worthless if your employees lack cyber security awareness. If your staff do not possess a basic level of cyber security knowledge then any measure or policy implemented will be undermined and it’s impossible for your IT team to monitor every interaction across your network.
One well-targeted spear phishing email, could convince an employee to yield their password and user information leading to catastrophic consequences for your business. Your first step in lessening your susceptibility to cyber-crime must be to educate and train your people. Even a basic level of knowledge and awareness can mean the difference between being hacked or avoiding the risk altogether.
Let’s look at 5 of the most common cyber security threats and what businesses can do to protect themselves and the sensitive data of their customers.
Threat 1: Internal attacks
Very often our search for security threats to our technology infrastructure is focused outwards. It’s important to also focus on the threat from inside your company as very often it’s harder to detect and therefore, eliminate.
Disgruntled employees, especially those with access to sensitive data or admin accounts, are capable of causing damage to your business. Many tech security experts believe that the notorious 2014’s Sony Pictures hack – typically linked to North Korea – was in fact an insider attack.
How to reduce threat from internal cyber attack
- Identify privileged accounts – accounts with the ability to significantly affect or access internal systems – and ensure that these accounts are audited on a continuous basis by several staff members.
- Insure you have a policy to audit and delete user accounts that are no longer in use or connected with employees no longer working in the business.
- Stop the use of shared accounts. Simple. They are a huge security risk and these days there’s no business case for their use.
- Invest in account auditing software. Software packages exist that will give you event-log analysis to detect and stop malicious user activity.
Threat 2: Phishing and spear phishing
Phishing remains one of the most effective methods used by criminals to introduce malware into business networks. Although it seems obvious that we shouldn’t click on something when we’re not sure what it is or where it came from, people still fall victim to phishing every day. The increased resources behind cyber-crime organisations means these phishing attempts are well funded and increasingly more sophisticated.
Spear phishing is a targeted form of phishing where the emails are designed to appear to originate from someone the recipient knows and trusts – like management, a business client or even family or friend.
To target victims, cyber criminals are looking to social media to gain valuable insights into individuals which can then be used to make their phishing emails appear more personal and authentic. Clicking on a malicious phishing attachment can result in a ransomware attack where computers are quickly locked down as it spreads across a network. Until a ransom is paid, businesses are unable to access the computer and the critical files and services that they hold.
How to reduce risk posed by phishing and ransomware
- Organisations must constantly ensure staff are aware of the dangers and know how to spot a phishing email. Businesses must also ensure they have secure backups of their critical data as these backups are a crucial safeguard to recover from the hack.
- Some firms have implemented a policy of not opening any attachment via email. Instead all files attached to incoming emails are uploaded to the cloud and scanned before the user can open them and view them not locally on their machine, but online, with no way of compromising your network.
Threat 3: DDoS attacks
Distributed Denial of Service (DDoS) attacks ambush businesses with massive amounts of web traffic, slowing their websites to a crawl, forcing crucial services offline. These attacks have overwhelmed some of the largest websites in the world, including Reddit, Twitter, and Netflix but are also a major risk for website dependent smaller business.
If your business relies on a website or other online service to function then outages caused by DDoS attacks can lead to loss in revenue and a loss of confidence in your online operation. Most DDoS attacks last between 6-24 hours and whilst businesses can’t stop a website or service being targeted in a DDoS attack, they can alter their online infrastructure to absorb some of the increased traffic, giving them more time to form a response or filter out the spam data.
How to counter a DDoS attack:
- Create a DDoS response plan in the event of an attack. This can involve pointing customers to an alternative or backup website hosted at a different location.
- Use a third-party DDoS mitigation service which detects the attack and filters and diverts the attack’s traffic.
- Ensure you always have an overhead when it comes to available bandwidth.
Threat 4: Malware
Malware is a catch-all term that covers any software that gets installed on a machine to perform unwanted tasks for the benefit of a third-party. Ransomware for example is a type of malware, but others exist, including spyware, adware, trojans and bots.
To prevent malware from taking hold, businesses should invest in a recognised anti-virus package that enables intra-network monitoring. It’s vital that all operating systems, firewalls and firmware are kept up-to-date and this process is audited on a bi-weekly basis to ensure continued compliance.
If software and services are not updated regularly then you’re putting your business at serious risk. Just look at the damage caused by the WannaCry malware. It infected many high-profile businesses around the world, including the UK’s National Health Service, by exploiting an outdated version of Windows.
How to prevent malware attacks
- Ensure that your anti-virus solution can monitor all clients both inside and outside the network and ensure anti-virus definitions are up to date. Never use the freeware anti-virus packages.
- Invest in a software solution that will implement and monitor updates for all operating systems across your network.
Threat 5: BYOD
This is a remarkably common issue and in many ways the most unsophisticated of security breaches. Businesses are becoming vulnerable to data theft by enabling employees to use unsecure mobile devices to share or access company data. As more small businesses make use of bring your own device (BYOD) technology, corporate networks are leaving themselves open to unsecured devices carrying malicious applications which could access the network from within the company.
How to operate BYOD safely
- Ensure you have a water-tight company BYOD company policy that limits mobile devices access to the network and educate your employees on device expectations.
- Use a proxy server.
- Use cloud storage instead of email to share information amongst employees. It’s more secure and far more practical. With the increased capacity and speed of cloud storage there should be no need for USB sticks and their use should be highly restricted.
- Ensure your company uses VPN when connecting to your internal network from outside. If an attacker does capture encrypted VPN traffic they will only see incomprehensible characters going from you to a VPN server – meaning no sensitive data is leaked.