360-Degree Cyber Security

Small businesses are increasingly targeted by cybercriminals. Without security professionals watching their backs, they’re perhaps an easy option. What should you do to keep safe during lockdown given that adversaries are more active than ever?

Security demands that you consider your attack surface and minimise the risks appropriate to your business. What’s more, this is now a legal requirement since the new Data Protection Act (DPA 2018) kicked in, which applies the GDPR to UK law. Thankfully there are a few key ways you can strengthen your security posture and some great tools to make this happen.

Evolving threats emerge all the time with various objectives in mind, be they financial, political or just to cause trouble. The impact on businesses can be financial, operational and/or reputational. Attacks are sometimes carefully set up by real people over a course of months, so it can pay to be at least a little aware of their game.

The following list highlights a few common kinds of threats to be aware of:

Phishing (etc): These are emails (Phishing), texts (Smishing) and phone calls (Vishing) impersonating brands you trust in order to steal your login credentials, card details or other sensitive information.

Malware: Software designed for malicious purposes such as ransomware, spyware, botnets, trojans, viruses and worms, among others. These can be used to cause disruption to your own computer(s) or to help disrupt much bigger systems, such as large-scale attacks on big websites and services.

Social engineering: Attackers learn about your organisation and build trust with your team so that they can con them into taking actions such as paying out.

Targeted attacks: This is where cyber criminals and groups take time to carefully plan and carry out an impactful attack on a desired target (individual, group or organisation). These can be months in the making, but there are plenty of ways to minimise their ability to succeed.

Vulnerabilities: Security flaws are often spotted in software and they’re usually very quickly addressed by software updates (Patches). When new vulnerabilities are found and are a current threat, these are known as “Zero-day vulnerabilities”.

Theft and physical breaches: People gaining access to physical systems or information.

Website and web application attacks: Aimed at taking over or taking down your website or web applications (for example, DDoS or SQL injections).

To keep safe, here are some easy wins to address the above concerns. I’ve put these in order of priority, where the first items are those I’d recommend addressing first in a typical business:

  • Firewall: Use a modern firewall that’s geared up for protecting a business (not just a cheap consumer one). Some also integrate with the protection on your computers to provide synchronised security.

  • Strong Passwords: Many people still use guessable passwords, or the same passwords for multiple sites and systems. Use a password manager.

  • Multi-factor Authentication (MFA), also known as Two-Step Verification (2SV) or Two-Factor Authentication (2FA): Usernames and passwords are frequently compromised, so make sure that’s not all you need. MFA is often achieved simply by receiving a code to your phone in order to log in. This prevents hackers being able to log in with your credentials if they have been acquired (many are available for sale on the dark web).

  • Anti-malware Protection: Use a modern comprehensive solution that protects against various kinds of threats:

    • Zero-day threats: Many of the best products out there are able to receive updates much more frequently to protect against the latest threats. They also watch the way things run on your systems to ensure there’s nothing fishy going on.

    • Traditional signature-based antivirus: This is still important, emphasised by the recent increase in these kinds of attacks.

    • Ransomware protection: Protects against encryption of files by unauthorised means, helping you avoid large pay-outs and disruption.

    • Process / behavioural monitoring: Many modern products apply machine learning algorithms to spot suspicious behaviour, even for processes that are otherwise recognised as being expected. This is an important line of defence against malicious code execution.

  • Encryption: This ensures that people cannot snoop on your Internet traffic or get anything off of your devices. They would need a password or recovery method to decrypt them first.

  • Patch Management: Keep your systems up-to-date with the latest software, especially important security updates that address high-risk vulnerabilities.

  • Backup: Make sure you have a backup that won’t be taken out by the same threats that could take out your live systems. A solid Business Continuity and Disaster Recovery (BCDR) solution is a very good idea too.

  • Cyber Awareness Training: Equip your team to understand what threats are out there and how to protect yourselves. This needs to be concise and easy to grasp so that you can focus on business while staying aware.

  • Detection and Response: This gives you tools to assist with identifying and dealing with threats effectively and efficiently.

  • Incident Response Guidelines: Every business should have a one- or two-page document containing guidelines for what to do if there is a cyber security incident. This gives you a clear action plan when it’s most needed, avoiding or minimising lost time and reputational or financial damage.

  • Policies: Your company policies should be easy to understand, backed up with training to help people understand why they’re important and how to keep to the requirements.

  • Email Protection: Beyond the built-in protection of platforms like Microsoft 365 and Google G Suite, you can add a further layer of advanced protection to minimise the chances of malicious emails reaching your team and catching them out with more advanced scams. This includes protection against Business Email Compromise (BEC) scams where your team or contacts may see emails that look as though they’re sent by you (a threat with more and more victims at this time due to remote working under lockdown).

  • Web Content Filtering: In addition to restricting time spent on non-work sites, filtering services can also block malicious or high-risk sites. This provides further protection when users open sites from Phishing emails, so that they don’t give away their login details or other sensitive information.

  • DNS Protection: This protects against a number of vulnerabilities regardless of where you are working.

If you were to implement all of the above with reputable products, you’d be in a very strong position. If you can only implement some, I would recommend making sure you at least cover the first six as a bare minimum.

Many of these can be covered by a small set of products and services.

If you would like to find out more about any of the above, please get in touch and we will be happy to line up a call. Alternatively, feel free to schedule an appointment at fluidity.it/bookings.

Photo by Rosie Steggles on Unsplash
