A Guide to Cyber Security for business
20th September 2018
It’s been over a year since the much publicised WannaCry ransomware cyber-attack that brought chaos to the NHS and it’s global IT network. Following the attack, the National Audit Office’s (NAO) published a report on the incident that stated that the attack was deemed preventable.
Not only was this a brutal warning for businesses about the risks and impact of cyber-crime but it also raised the awareness for and importance of cyber security within an organisation.
The new victims of ransomware
With the number of incidents being reported rising dramatically over the past few years, it is not something business owners can ignore – and it is foolish to believe that it is only large organisations at risk.
In the UK alone SME’s were targeted on average 230,000 times each during 2016, with the average cost of a cyber-attack to this sector coming to nearly £26,000. For some SMEs this could be the difference between being able to continue trade and not - so it is imperative to have Cyber Security procedures in place, regardless of size.
The techniques and sources of the hackers are constantly changing and evolving so it is almost impossible to keep up and keep them out completely. Even cyber security specialists are not immune to the threat – but you can put many levels of protection around your business to mitigate the impact.
Backing up your data
Your data is business-critical and your most valuable asset. Businesses, regardless of size, should be regularly backing up their systems and data in triplicate, making sure that these are recent, are kept securely online, offsite and offline and can be restored.
This will ensure that your business can still function following the impact of flood, fire, physical damage or theft, and minimise the impact of being blackmailed by ransomware attacks.
By making data back-up part of your everyday tasks through an automated solution will protect your business.
Using cloud storage via a third-party specialist is a cost-effective and secure solution for most SMEs as it allows your data to be physically stored away from your business location through regular remote system back-ups and provides a high level of availability as well as security and expertise.
Email spoofing, email fraud, and phishing
It is a known fact that email is not the most secure form of communication and can invite cyber attacks into the heart of your business – and the stats highlight this.
There has been a 65% growth in phishing over the last twelve months, with 76% of all businesses saying that they had been targeted. One report stated that over 1.5m new phishing sites are created each month.
In a typical phishing attack, fake emails are sent to thousands of people, asking for sensitive information such as bank details or with links to fake unsecure websites. Their aims vary from trying to obtain money to gather personal details or log-ons – or from a business’s perspective, gain access into your IT systems and secure data.
Making sure your staff are prepared and observant is key as most businesses, however big or small, will receive phishing attacks at some point. Some key points are:
- Make sure all staff’s account configurations are set to the lowest level of user rights required to perform their jobs – this should reduce the impact of successful attacks
- Check for the obvious signs of phishing such as typos, incorrect grammar, poor quality of logo and graphics, an urgent call to action such as ‘act within 24 hours’ and asking for personal information such as account logon details
- All attacks should be reported and take steps to scan for malware. Passwords must be changed as soon as possible if you suspect a successful attempt has occurred.
- Stay up to date with attackers and their different methods of attack - signing up for the free Action Fraud Alert service will give you direct, verified, accurate information about scams and fraud in your area by email, recorded voice and text message.
When talking about cyber-attacks, the term malware is used a lot, but what exactly is it?
In simple terms it is a software that has been written with the specific purpose of damaging your computers, servers, or network.
It’s functions are numerous. It can:
- slow down or crash your computer
- perform surveillance on your users sending back keystrokes and screenshots back to the source
- threaten to destroy the data on your computer if you don’t pay a ransom
- install a backdoor onto your computer allowing unauthorised users to install programs on your machines and network without your knowledge
- change your computer settings
- turn your computer into a spam-sending “dumb” terminal
- interrupt your network’s connection to the internet
- change or delete your files
Although eradicating malware attacks completely is unrealistic, there are steps you can take within to reduce the impact significantly and protect your business:
- Install antivirus software on all your computers and laptops – and make sure it is on and working
- Prevent staff from downloading non-standard apps that are not from manufacturer-approved stores or from unknown vendors/sources. If devices such as tablets and smart phones are being used for both work and leisure, then a strict data policy should be adhered to
- Your staff accounts should only have enough access required to perform their role with extra permissions only given to those who need it.
- Keep your IT equipment up to date so that all software and firmware is the latest versions from the developers, hardware suppliers and vendors.
- Control and limit the use USB drives and memory cards - when drives and cards are openly shared, it is hard to track what they contain and plugging in just one infected one can paralyse a whole organisation’s network. Most larger corporations now block access to physical ports for most users
- Switch on your firewall – this creates a 'buffer zone' between your own network and external networks such as the Internet.
Keeping your devices safe & protected
Mobile technology is now an essential part of modern business. With more of our data being stored on tablets and smartphones that are regularly use outside the safety of the office, they should have a heightened level of protection.
All devices must be password protected with a complex PIN, password or fingerprint recognition. If emails and data can be accessed from the device, then a secondary level of passwords for the app should be used.
Setting two-factor authentication (known as 2FA) for staff accounts adds a large amount of security. 2FA requires two different methods to 'prove' your identity before you can use a service, generally a password plus one other method.
All devices that allow staff to work remotely should be tracked with the ability to lock or wipe data remotely if lost or stolen. All data should be backed up regularly to the main servers.
According to a report many UK firms do respond immediately after an attack by reviewing existing security systems and redefining the process for reacting to security incidents, but in many cases immediate concern didn’t translate into long-term action.
Due to many factors such as lack of resources, budget constraints and limited knowledge, many businesses struggle with basic systems management tasks such as patching, which are essential in preventing future attacks.
The impact of a cyber attack could be disastrous, so implementing the steps discussed could protect and save your business.
Cyber-crime is a complex and fast-moving world so trying to stay up to date whilst managing your business can be tough. Working with cyber security specialists can help you put the right systems and equipment in place to protect your business.
If you are worried about your Data Security, Cyberattacks or would just like to talk through your options then do call us today – we have solutions to suit all budgets.