By now you’ve probably read quite a few ‘end of year wrap-ups’ that took you through the many dramas and scandals 2017 brought into our lives. There were a lot. From keeping up with Kim (Jong-un) to watching Trump transform the way American Presidents president, with a Brexit negotiation here and a Weinstein predator there, 2017 assured its place in history as the year the status quo got sucker-punched in the face. More relevant to us, however, was the almost infinite number of cyber-attacks that took place over the last 12 months. Security, or rather a lack thereof, showed how vulnerable even the mightiest of businesses were to hackers and their tricks.
The salt that made the cyber-attacks of 2017 sting, however, was not that cybercriminals outsmarted our best defence mechanisms, but rather that big businesses, businesses that you and I trust with our most intimate information, utterly failed to implement some of the most basic security measures. In some cases, such as with Equifax, businesses actively ignored simple security recommendations that would have easily prevented 2017 from being the year where malware reigned supreme. Businesses failed us, and in some instances, they willingly betrayed our trust. We might not have all the answers to the riddles 2017 threw at us, but we certainly have something to say when it comes to IT security. That’s why for 2018, we recommend you make security your New Year’s resolution.
You are not special
The first step in your ‘new year, new you’ transformation is to admit to yourself that your business – at least from a hacker’s point of view – isn’t that special. Most business owners are not adequately prepared for a security breach because most go about their business thinking an attack, such as the one that befell the Barts Health NHS Trust, won’t ever happen to them. This line of thinking is incredibly flawed and ultimately shows a lack of care for the well-being of your customers’ information and the information your own business holds (financial records, employee information, etc.). So, stop thinking your business is the exception to the rule and start thinking about a security strategy that helps your business stay out of harm’s way.
Hackers are not special
As our IT managed services director Christo Van Zyl likes to point out, most business owners that come to see us in the aftermath of a security breach do so with the expectation that their hack is somehow different from the rest, that the security issue they faced was something no one could have predicted. Fortunately for everyone else, this isn’t often the case. Most cyberattacks – yes, even the big ones that you read about in the news – are due to hackers exploiting businesses’ sloppiness when it comes to simple security measures. So, the second step in your ‘new year, new you’ journey is to ensure your business has the security fundamentals covered.
A strong foundation
A quick look through the litany of cyberattacks that took place in 2017 shows there are three key threats every business must be prepared to face in order to hold off an embarrassing cyberattack. These are by no means the only types of attacks your business could face; however, they are the most common, and as obvious as it sounds, the reason they are so common is that they keep happening over and over again. If you are going to be attacked, make sure the hackers have to pull off the digital heist of the century, not a routine one-two punch. The common threats to your business to look out for are:
Malware
Malware can come in many forms, and in 2017 data-encrypting ransomware proved to be the weapon of choice for most cyber-criminals. This type of attack is usually delivered to a company via the end-user, i.e. an employee of the company who is tricked by a Trojan programme, for example a link to a website or a PDF to download that initially looks legitimate. Once they click on it, they’ve unintentionally downloaded malicious software that then takes hold of important, and often sensitive, data and holds it to ransom until a fee is paid.
The best way for your business to prevent such an attack is to make sure your staff are aware that these types of attacks exist and for them to learn how to recognise them. Doing refreshers of this type of awareness training is useful, as people often get caught up in the day-to-day running of their jobs and slip back into old habits quickly. For an additional layer of security, running an email security programme such as Mimecast is a great idea. Not only does it add an extra layer of protection to your business, it also acts as a fail-safe by filtering out any suspicious emails and highlighting to your employees any emails that appear to be out of the norm. If you do get hit with ransomware, make sure you've got an ‘always on’ disaster recovery plan in place; that way you can avoid paying the pesky cryptocurrency ransom, as well as keeping your name out of the dark web as an easy target that is willing to pay.
Unpatched software
Other than a complete disregard for cybersecurity management, unpatched software was the main reason behind 2017’s Equifax data breach. A patch is a piece of software that is used to update computer programmes. An attack resulting from unpatched software is so painful because patches are usually made with the specific purpose of fixing known security vulnerabilities. If you’re ever attacked because you didn’t patch a piece of software, know that you were attacked in the most obvious way possible: everybody knew there was a security issue, but you failed to run a patch, so what everybody warned would happen, happened. Think of it as your car breaking down in the middle of the motorway because it didn’t have enough petrol. The flashing light told you the car was running on empty, yet you pressed on anyway. The car didn’t fail you, you failed you.
The best way to avoid an attack via unpatched software is to regularly make sure all your programmes are up-to-date with their patches. Build this into your IT team’s KPIs and keep a regular log of when you most recently updated a programme or application. Conducting a yearly IT Audit is also incredibly useful as it will highlight any vulnerabilities in your IT infrastructure. If you’ve never had one done or it’s been a while, talk to us today.
Phishing
It just keeps reeling us in. All puns aside though, phishing is the type of attack everyone assumes we’ve gotten over, yet time and time again it proves it’s still a major threat to businesses the world over. Most businesses usually have something in place to help them ward off phishing scams, and applications like Office 365 actively filter out emails that are easily identified as spam. However, even to the trained eye, there are exceptionally decent phishing emails that do an impressive job of imitating legitimate emails. Once you’ve gone down the phishing rabbit hole, you’ll most likely be tricked into providing your log-in information. This could be anything from your company log-in credentials to confirming your bank account details.
The best way to avoid a phishing attack is to first have a rigorous anti-spam programme running on your emails. Again, Mimecast is our top choice, but there are others. Secondly, implementing two-factor authentication greatly reduces the risk of a phishing attack being successful. As always, make sure your staff is aware of phishing attacks and what they involve. A good idea is to clearly communicate with staff what type of information you would never ask them for, for example, a simple statement like, “we will never ask you to provide your log in details via email or place them on an external site” immediately makes it clear to your staff that an email requesting them to do such a thing is...phishy.
Just like its predecessor, 2018 is shaping up to be another year full of unpredictability and potential instability. The Brexit negotiations and the introduction of the GDPR in May hold a great deal of uncertainty up their sleeves for businesses, especially those competing in the SME market. Do yourself a favour and get your business’ security strategy in a sound place, so that when the variables that 2018 throws at you hit the fan, you’ve got the time and energy to focus on finding solutions to those problems, rather than spending time worrying about the compromised data you’re now holding due to a silly and easily avoidable cybersecurity incident.
Camilo Lascano Tribin is senior content writer at Advantage. Find out more at www.advantage.co.uk