Cyber Security and business
Cyber risk is now firmly at the top of the international agenda as high-profile breaches raise fears that hacks and other cyber security failures could endanger the global economy. 2015 saw a number of high-profile cyber-attacks that left both large and small businesses crippled, and the effect of these attacks should not be ignored. The estimated cost of cyber-crime to the global economy was £266 billion annually (2014). Cyber-crime is a growth market: the returns are good and the risk is low, because most of the crimes are routed through nearly untraceable networks of hundreds of machines. The volume of attacks is increasing because of this profitable business model.
So, how do we as business owners minimise the risk to our business and our employees?
In no particular order, the following points are the top risks and essential steps all businesses need to address to reduce the risk of cyber-crime:
Antivirus has been the pillar of cyber security for many years, and many still see it as their bulletproof vest. Unfortunately, there are many techniques which will bypass antivirus entirely, so whilst it is an essential tool, it is only one piece of the puzzle. You must ensure that you have robust antivirus software and that it is installed and kept up to date on all machines within your network.
A correctly configured firewall must be in place to ensure your business only allows the traffic you want in and out of your company network. Poorly configured firewalls are an easy target for attackers. Your perimeter firewalls need to be kept up to date and regularly checked for weaknesses such as open ports or misconfigured VPN accounts. Your internal firewalls, such as those on servers and client PCs, should only allow the traffic they need to, so that if the perimeter is breached it is more difficult for an attacker to look around your internal network and steal valuable data.
All users across your site should have the minimum access they need to do their job. Do all of your users need to be super users or, worse, administrators? This is something I have come across all too often, and once an attacker has a foothold in your network, these excess privileges are what they will rely on. Privilege escalation is a time-consuming exercise for an attacker, and forcing them to do it can give you vital time to plug a hole if they have found a way in. Remember “least privilege” and you are on your way to a more secure network.
Users are increasingly becoming the target for attackers. We have all seen the phishing emails that hit our inboxes on an almost daily basis. Hopefully most of us will not fall victim to them, but millions of users do. Phishing is not just the hacking tool of ‘philanthropic millionaire princes’ anymore. One of the largest malware threats of last year was the infamous Dridex. An email is sent to users, who inadvertently open an attachment (an attachment many antivirus programs do not filter). This attachment then steals data from that machine, such as login credentials for websites, namely banks. It was estimated last year that this malware had taken £20 million (in the UK alone), and that was before January 2016, when it was modified once more, making it harder to detect. It is essential to test your users' awareness of cyber security threats and to run anti-phishing campaigns and awareness training. This not only helps in the office; these are tangible skills employees can take home.
External testing is the last stage and one of the most important. It comes once all of the steps above have been addressed: you get an external party to test your business, your network and your employees. Technical penetration testing and social engineering testing on a regular basis will help to keep you safe. Penetration testers and cyber security experts use the latest techniques used by real hackers. These techniques are used in a safe way to fully test your system in the wild and often find weaknesses that you were not aware of: everything from a firewall port left open, to an accountant who opens any attachment, to an abstract client-side attack, all of which can give an attacker full access to your system.
Cyber security is a real threat to our businesses, but it doesn’t have to cause sleepless nights. If you are concerned about the risk to your business, then please contact me or anybody at SafeHack UK. It doesn’t matter if you run a one-man band or a global corporation: cyber security is our business, and keeping your business safe and operational is our goal.