Cyber attack prevention techniques don’t have to be complex procedures carried out by technological eggheads. There are simple things to consider as a business owner or a decision maker which we discuss in this article which can help prevent your business from falling victim to malicious cyber crimes.
Nearly 50% of UK SMEs experienced a cyber attack in 2017
Long gone are the days of isolated cyber crimes on top enterprise level businesses. In fact, cyber-attacks on small and medium businesses are becoming more prevalent. Hackers are now exploiting the vulnerabilities in less robust security systems and protocols often found in SME’s. This is gathering traction as nearly 50% of UK SMEs faced some form of cyber attack in 2017, outlining the likeliness of it happening to you in the future.
A contributing factor towards such high numbers of cyber-attacks relates to the ease of infiltration. Smaller business owners are often dismissive of the pending cyber security threats towards their businesses. Operating a smaller business may seem relatively safe. Let’s face it, why would you be under the watchful eye of a determined hacker? this naivety ultimately becomes your biggest and most fatal weakness.
More worryingly, these SME’s who had fell victim to cyber crime, 60% permanently ceased business activities within the following 6 months. These concerning statistics are now defining cyber crime as one of the most prominent UK issues to business. Understanding this is the first step and the next is to begin fortifying your cyber attack prevention techniques.
Cyber crimes on the rise.
The recent report by the National Cyber Security Centre (NCSC) concluded there is an increase of cyber-attacks on businesses which show no signs of deceleration within the near future. The most conventional attacks we are likely to see are ransomware, cloud based storage theft and data breaches.
The report by the NCSC was in collaboration with the National Crime Agency (NCA). The director of economic and cybercrime at the NCA, Donald Toon commented:
UK business faces a cyber threat which is growing in scale and complexity. Organisations which don’t take cybersecurity extremely seriously in the next year are risking serious financial and reputational consequences.
GDPR accelerates cyber security challenges.
With the incoming GDPR, data related theft is likely to be prioritised. Data related theft is likely cause significant social and economic damage under new sanctions and sentiment. Ensuring you have a clear understanding on your data storage, processes and protocols is a must. Although, this still does not inhibit a hackers ability to infiltrate your systems nor eliminate the threats to data infractions.
We completely support what GDPR brings to the table and what it asks of data processors. However, it adds incentive for cyber criminals to breach organisational security systems and obtain personal data to later extort the corresponding business.
This trend is already apparent with NTT’s 2018 Global Threat Intelligence Report finding that ransomware has increased by 350% with data collection becoming the long-standing target.
7 essential steps to bolster your cyber attack prevention abilities.
There are a number of simple ways small and medium sized businesses can help defend themselves against falling victim to cyber crimes. This can also be done without breaking the bank or hiring a team of top cyber security professionals. It is often stated that a security breach could and should have been avoided and branded ‘simple, preventable and stupid’.
Here are our 7 steps to strengthen your businesses cyber attack prevention strategy. We have broken it down, explaining in plain English how to combat common cyber security challenges and threats so your businesses continuity remains in check.
1. Two factor authentication.
With the increasing sophistication of cyber crime tactics, setting strong passwords is not sufficient anymore to ensure your organisational safety. Two Factor Authentication (2FA) is one of the most simple yet effective cyber attack prevention measures you can take to protect your digital assets from cyber criminals. This involves adding an extra layer of security to your systems whereby you are required to have more than just a password to gain access.
This is something unique to the individual attempting to login, typically, a mobile device which is on-hand regularly. 2FA users have witnessed a reduction in the number of thefts via the internet and phishing email scams particularly due to hackers requiring more than just a password to infiltrate.
Adding 2FA to your security arsenal isn’t difficult either, nor does it affect the complexity or time of logging in. Simply adding your mobile phone as the second layer of security enables you to deny or approve login request notifications in one tap. Additionally, if you haven’t attempted to login and receive a notification to allow or deny, you are now aware your login details have been compromised but not at the expense of your systems and data.
Considering the practicality, availability and effectiveness of 2FA, it is an easy decision to make for something we regard as the single most effective step to preventing a cyber attack and protecting your business.
2. Phishing awareness: identifying email phishing scams.
The ability to identify phishing email scams could be categorised under internal security training (step 3). Nevertheless, due to it being one of the most common and effective types of security infiltration, it is worth a mention on its own. Cyber criminals are preying on internal business staff with fake emails which mimic authentic branded emails or even internal company emails.
Unsurprisingly, every year these email phishing scams become more sophisticated, making it increasingly difficult to recognise a real from a fake. Usually, these emails encourage the recipient to open an attachment or click on a link.
The scale of attempts have been so vast, HMRC announced there had been 771,227 tax rebate phishing referrals within the last year alone.
Acquiring your basic details plus time spent planning and an understanding of marketing psychology can help create a seriously convincing email to fool even the most cautious of people.
Below are a few tips to help construct an improved level of phishing awareness on email scams to help prevent your business falling victim to cyber crimes.
- Links and Attachments – These are the primary culprits in successful email phishing scams. Clicking on these within the email should be avoided unless you are expecting it from a recognised sender. If you are in any doubt, don’t click it and contact the sender if necessary to confirm its authenticity.
- Email Address Obscurities – Cyber criminals may often use authentic looking emails with deceivingly little differences to the ‘from address’ name in order to trick recipients into trusting them. If trust is gained then the recipient is likely to follow the senders guided instructions into a phishing scam.
- Asking for Payment / Details – Any email which asks for personal details or payment details is likely to be a scam. Reputable companies or internal operations will not ask you for these details over email and should be ignored.
- Known Sender with Suspicious Email – Here is where it can get tricky, exhibiting the dangers of email phishing scams, particularly within a business. Victims of cyber crimes often have further emails sent out across their network in their name attempting to affect other users. A greater level of trust is placed on known senders, therefore prompts a higher success rate of phishing attacks. If an email exhibits suspicious content, language discrepancies or just appears odd/random then ignore it and contact the sender to confirm whether they have truly sent it.
3. Cyber security training for internal staff.
Possessing a knowledgeable and skilled IT team significantly boosts your cyber attack prevention capability as well as recovering from them, should they occur. Though, even relevantly skilled staff are susceptible to underhand tactics through human error. The main threat however, emanates from your less digitally skilled and aware employees.
Ensuring your IT team (if you have one) are trained to current industry standards is essential but it still remains fact that you are only as strong as your weakest link in this regard.
Non-tech savvy users within your organisation are most likely to cause breaches to your network as their perception to these dangers are not as vigilant as others.
Considering this, you should contemplate having your staff enrol on some form of cyber security training. Enrolling staff onto relevant cyber security courses is good practice to enhance their ability and awareness.
Another solution would be to invite consultants in to teach your staff on the current dangers. This is one of the most effective ways to prevent successful cyber-attacks and to keep your organisational systems security in check.
If you feel you do not have the budget currently to provide this, there are free training resources online, albeit not as effectual to help.
4. Internet of Things security.
Internet of Things (IOT) security is quickly becoming a business paradox of functionality versus security. On the one hand, IOT allows greater connectivity, asset management, intelligent automation and a saving on costs and time expenditure. However, it also increases the vulnerability towards a cyber attack as it allows hackers find weak spots in a network, users devices.
Like most cyber-attacks, new and more advanced methods become available throughout time and IOT devices are no exception. To elaborate further, Autosploit, a new tool which uses artificial intelligence (AI) to find vulnerabilities in devices connected to the internet now poses significant threats towards a businesses security.
Organisational connectivity is growing and becoming increasingly integrated and comprehensive each year. This means that one compromised device has the ability to compromise a whole infrastructure, leading to potentially severe consequences.
Casting your mind back to the Mirai attack where leading sites such as Twitter and Paypal were brought down through a congregation of cheap IOT devices. These devices ranged from security cameras to smart TV’s. Ultimately, this represented one of the largest Distributed Denial Of Service (DDOS) attacks in history and a clear warning of what can be utilised to cause substantial and possibly irreparable damage. The ingenuity behind cyber-attacks like these really highlights the hardship of overcoming the seemingly perpetual evolution of cyber security challenges.
So what can you do to help protect against these IOT security threats? here are some tips to get your IOT devices secure:
- Put it to the Test – Testing your infrastructure before and after integrating IOT devices should be a mandatory procedure. This then allows you to understand the health of your IOT security and also reveal potential security flaws which can then be alleviated and fortified.
- Install a Firewall and a Intrusion Detection System – Installing a reliable and effective firewall on your devices should already be standard practice across your IOT devices, if not then this should be implemented sharply. Something you may not be using and should be is an Intrusion Detection System (IDS) which monitors your networks, devices and systems for any suspicious activities. The IDS then sends reports to the relevant dashboard so appropriate action can be taken if necessary. IDS can help mitigate the problems faced by organisations who fail to recognise a security breach in ample time or ones who do not detect them at all.
- Automated Password Management – Having a central control policy can reduce human errors by using an automated password management system. Poor static passwords were a primary cause of the Mirai attacks, so by ameliorating this helps to support the significant reduction in successful cyber-attacks through IOT devices.
- Device Access Management Tools – You should recognise that having a larger number of IOT devices creates a larger number of holes in your security. To prevent your security systems becoming a porous mess, you should be using a device access management tool which can segment and limit certain devices access privileges.
- Conduct Risk Management Protocols – Similar to putting your systems to the test, before this happens you should be identifying how your business would cope if a breach was to occur. This should pertain to the measurement of damage inflicted by a breach and how you would deal with it accordingly. More precisely, you should distinguish potential financial damage under certain scenarios as well as non-financial damage and design a relevant process to deal with it (as well as preventing it).
5. IT security consultant: anti-virus and malware protection.
Whilst technology progresses and security procedures strengthen, cyber criminals advance similarly to bring more sophisticated and diverse methods to test your systems defences. This emphasises the necessity to keep ahead of hackers and should always keep your software, browsers and operating systems updated with the latest security patches installed.
This is generally common knowledge and something you and your business shouldn’t need lecturing on. However, when your business starts approaching 10-20+ users, things start getting a lot more complex. Your digital assets become a lot more attractive to hackers and you have more of them to control and protect.
Internal expertise and IT teams can be a solution but may not be necessary considering your situation. Though, you must strongly consider using an IT security expert of some kind. Typically, an IT security consultant who boasts vast experience within this field and can advise proficiently is an effective option.
6. SSL certificate.
Secure Socket Layer (SSL) is now the standard measure for secure internet browsing as it helps protect sensitive information inputted to a site. It works by encrypting this data so nobody else can access it apart from the intended end destination user which is imperative when sending payment details online for example.
As well as having this security measure it also has a profound affect on your online presence. Search engines will now prioritise sites with an SSL certificate meaning your Search Engine Optimisation (SEO) efforts may be nullified without one.
Browsers now make it easy to identify and differentiate secure websites from insecure ones by displaying a green locked padlock symbol with ‘secure’ written in the top left of your screen. It also acts as a deterrent to web users and leads who may not be willing to consider doing business with you due to the potential risks involved.
7. Cloud security issues: ensuring threats to data are minimised.
The rapid adoption of cloud computing has been staggering and currently valued globally at £133.4 billion and is continuing to grow. In fact, Gartner predicts by 2020 businesses without some form of cloud adoption will be very rare and practically unheard of.
So you probably have some form of cloud integration in your business, or will have within the next few years meaning there’s more ways in which hackers can attack you. The most prominent dangers being threats to data loss, breaches and malware infections.
A lot of what we’ve just spoke about should help fortify your business security in the cloud but there are a few exceptions you should consider. Firstly, the transformation to the cloud and the transportation of data there doesn’t mean you are now backed up (check this). It is a common misconception we see a lot which is only realised once it is too late. Distinguished names in the sector such as Office365 may offer an array of features but do not offer backup points like you may expect.
Secondly, whether you’re considering pushing data to the cloud or already have it there, you should revise what type of data should and should not be there. This should revolve around the sensitivity of the data and the benefits/drawbacks of storing it there. You must be able to display best practices that ensure appropriate protection when storing and accessing information as well as understanding the unique requirements encompassing it.
Role-based controlled access is a good start, limiting specific data to the relevant people within your business and not forgetting to perform regular audits to demonstrate correct practice.
Cyber attack prevention – doing it right.
Preventing cyber-attacks should be your priority concern and something which this article attempts to encompass. Of course, you should not focus on purely preventative techniques otherwise your organisational capability will be severely hampered. After reading this you should be well informed to understand where you are in your cyber security journey and what you need to do next.
Having measures in place in the event of a breach are necessary no matter how strong your IT security is. failure to do so could make a breach 10 times as lethal. Sadly, many cyber-attacks leave a business incapacitated through incidents which could have been avoided. The above steps should help to avoid this and give you a perfect base to tackle all your cyber security challenges.
If you find it difficult to understand what you need to be doing then you should always consult with some form of IT security expert, never leave your businesses security to chance. If you have any questions then feel free to post them below.