We believe cyber crime is going to rise again this year, to levels not seen before, so how can you protect the business?
The state of the Cyber Security problem
Often the analogy of how we keep our houses secure is used to convey tactics of keeping a business secure.
For example, installing an alarm system, locking doors and windows, and keeping lights on when you're not at home all make your home less desirable to a criminal than your neighbour's house, where the alarm doesn't work, windows are left unsecured and the property sits in complete darkness when nobody is home.
This is a dream target for a burglar. Not only can they gain easy entry, they will go unnoticed in the darkness, without an alarm screaming to the entire street that something untoward might be occurring!
Now let's be predictable for a minute and use the same scenario on a business and your Cyber Security. Firstly, the cyber criminals, in this case, don’t even need to risk being caught on the property. They’re probably not even in the same country, yet they can stress-test the company's cyber defences easily without being spotted.
They are relentlessly testing the defences in your email platform, user accounts, firewall, business applications, even home user networks, all in an effort to find a weakness and gain access or exploit vulnerabilities. The businesses that have implemented good controls and have a Cyber Security strategy will not be exposed to the same risk as a business that believes that it will never happen to them.
The reality is, it’s happening 24/7 to the largest and the smallest of businesses across the world. It is imperative that every business has at least the very basic technical and human controls in place.
The reality of Cyber Security for SMEs
Cyber crime has officially become the largest category of crime globally, accounting for over $1 trillion in the last 12 months alone, with fears that it will reach $10 trillion within the next few years. Data breaches, ransomware attacks and malicious links have all become common cyber threats that every business, irrespective of size, has to defend against.
Smaller businesses are generally the ones we speak to that protest that they are not a target, yet they have the most to lose, from reputation to financial loss. Everything that has taken years to build up can be destroyed in a matter of minutes or hours.
Did you know that 61% of cyber attacks are targeted at small and medium-sized businesses?
The truth is that smaller businesses don’t have the same resources to fight cyber attacks that a large multinational business has with dedicated IT Security teams and sizeable budgets.
Thankfully the basics of good Cyber Security are the same for the smallest of businesses as they are for the largest of multinationals. We’ll take a look at some later in this document.
Why are cyber attacks growing so fast?
Technology has become ingrained in everything we do, from being always connected, to our businesses using hosted applications, to online sales, to flexible working arrangements. As we continue to embrace these advancements and their positive impact on business growth, cyber criminals have a broader attack surface and have become more sophisticated in their operations.
The pandemic has changed the way we all work. Hybrid and flexible working has become the norm and we’re unlikely to go back to a regimented 9-5 in the office. While the increased flexibility has benefited both the employee and employer, it has also given cyber criminals more opportunities for cyber attacks.
What’s the weakest link in your Cyber Security defence? Your people! Yes, that's right. You can have all the tools, systems and processes in place; however, if you don’t empower your staff, you risk leaving the door open to a whopping 75% of Cyber Security threats!
So enough with the doom and gloom, I hear you say! “What can I do to minimise the risk to my business?”
Where do you start with cyber security defence?
Simple. Have a plan that addresses the three core areas - People, Processes and Technology - and that aligns to a Cyber Security standard.
Now, I’m a big believer that when you have a leak, you plug the biggest holes first. Unfortunately, though, this is where most IT Security providers go wrong. They run to what’s safe for them and suddenly you're implementing firewall after firewall after filter after filter.
The technology is vital to get right, but if it is not used correctly, it’s useless. You’d be surprised by just how many “firewalls” we come across in businesses that are not even secured, nor have any of the security services that were sold been configured.
The right training for your people.
As we have established, 75% of IT security breaches begin with human error. The worst part is they don’t even know it’s happened, certainly not until the hacker is ready to let them (and the wider world) know.
For example, let’s take an email account compromise. We have all heard about these: an email is sent to a recipient, the user clicks the link in it and is asked to verify their identity with their password. That password now gives the external cyber criminal complete access to their account.
For the next few days or even weeks, the attacker will go undetected researching the email correspondence in an effort to identify where the value is. Maybe it’s in the data, or possibly it’s the correspondence of financial transfers. The next move will be to either extract the data for use elsewhere or to initiate fraudulent emails to those that transfer or receive funds.
Only when efforts to extract monetary gain have been exhausted will the cyber criminal look for new hosts and users to infiltrate, which is often when the end-user and their contacts realise there is something wrong.
Employees fall for these attacks all the time. Don’t believe me? Try it yourself here: https://getgophish.com/
To combat this, the solution is straightforward - continual end-user micro training: exposure to the reality of cyber crime, with practical examples and simulations to educate and inform your employees.
Knowledge is power, and educating your staff is empowering them to become the best cyber defence for your business.
Thankfully, with the range of solutions on offer, it’s not expensive and can be very entertaining.
As the world of cyber crime continues to grow in sophistication, the most important thing to remember is that training is not a one-time shot. It’s important to have a programme of light training throughout the year to keep your defences at their strongest. Oh, and everyone must do it, even the Boss! If that's you, then yes, it’s a must!
Using the right technology.
Technology is the business and the business is technology. This is something that the pandemic has reinforced and accelerated. How good the technology is, and how closely it aligns to business outcomes, directly impacts growth and success.
However, it’s easy for businesses to be dazzled by the benefits of software applications without asking the necessary questions about Cyber Security controls. Often it is assumed that modern applications will have the latest Cyber Security features and controls embedded and, even worse, the client believes it’s the sole responsibility of the software provider to protect sensitive data.
In reality, we regularly discover that both the vendor and client rush to implement the shiny new systems at the expense of proper controls. While this might not be intentional, the vendor may see security as a blocker to the sale, particularly when the client doesn't know the answers to the questions it raises.
It is vital, therefore, that when you’re selecting or reviewing your internal software applications, such as ERP or financial accounting systems, legal practice management systems, membership applications, HR systems etc., you engage with your IT provider or a Cyber Security provider. (Note: if your IT provider simply wants to add on a package or sell an agent, mark this as a red flag.)
Engaging your trusted IT Provider at an early stage will allow for fundamental security requirements to be raised and made part of the solution early on rather than at the end of the process.
Basics like enforced Multi-Factor Authentication (MFA), Single Sign-On (SSO), where the credentials you log in to your computer with also grant access to the software, and least privilege are the foundational Cyber Security controls that help prevent and remediate cyber attacks.
Taking email for example, do you have Multi-Factor Authentication enabled? Is it enforced? Without enforcement, MFA is effectively not implemented: it only takes one account left without MFA for a breach to occur.
The proper technology to manage your IT is also vital to minimise the risk from Cyber Security threats.
- Does your business have the tools to ensure your software is up to date and patched?
- Do you have Anti-Virus software on every workstation centrally managed and reporting?
- Do you have threat hunting continually monitoring every workstation for malicious software or persistent footholds?
- What about ransomware detection?
These are all required and should be provided by your IT partner as standard, along with regular reporting for your oversight.
If you’re being told you have something, you need to be seeing evidence that it’s deployed, working, being monitored and actioned.
The reality is, we adopt technology to help make our lives easier; however, we must ensure that these systems are secure and not left exposed to cyber attacks.
As security experts, we thoroughly assess each company to analyse the individual requirements, identify cyber threats and recommend strategic and tactical controls to minimise the risks associated with cyber attacks.
The right Processes
You can have highly educated staff and the best technology; however, without a structure, guidance or a framework in which to work, there is no coordinated effort and no standards to govern their use.
A 'Policy' is a document that describes what the business needs to do, and a 'Process' describes how that policy is implemented.
We can have technology that enables us to work from home and access our critical applications as though we’re in the office, or technology that allows us to collate all the business intelligence together to provide us real-time information on performance, opportunities and areas that require attention.
Without guidance or policies, each user could potentially access and use the systems and information in a way that best suits them rather than how the business wants the systems to be used.
Imagine a user who works for a business that has no policies. The user may allow their children to use the work laptop for games, study or social media. When using the accounting system they may download sensitive data to the laptop and copy it to a USB storage device to use on another computer.
While common sense might prevent these from occurring, the reality is that without specific guidance and policies, there are no enforceable behavioural controls in place.
The risk is that this user who might be very effective at their job is exposing the business to unnecessary Cyber Security threats including data loss, data breaches, ransomware attacks, phishing attacks and many other forms of cyber attack.
It is therefore vital that every business has the necessary education for its people, technology that is implemented correctly and securely, and the governance in place to standardise and control the use of its systems.
Cyber crime and the potential for a cyber attack on your critical infrastructure is at an all-time high. Ignoring the risk by believing that cyber threats are only relevant to large businesses and governments is a mistake, as we know that 61% of all cyber attacks are targeted at small to medium-sized businesses.
Taking small steps to ensure that the basics are in place is of critical importance. It can be daunting to know where to begin but as we have outlined, at a minimum ensure you have:
- Multi-Factor Authentication enabled and enforced,
- ongoing cyber security training for staff, to enable them to be the best line of defence,
- the right technology and controls in place,
- the tools and systems to protect against and identify potential risks and breaches in your IT ecosystem,
- policies and processes that set and enforce boundaries for the use of technology,
- applied for Cyber Essentials certification.
A trusted IT Support and cyber security partner can assist in all of these areas; just make sure you're asking the right questions. We'd be delighted to help you, so please book a meeting to get the process started.