When it comes to protecting your customer’s data and your own, getting security right can be something of a headache. Online threats are common and are becoming increasingly sophisticated in that they are capable of evading commercial antivirus solutions. It’s been known for years now that the most effective way to combat threats is to use a ‘layered’ approach that uses several methods to detect and eliminate threats.
As any IT technician will tell you though, such threats often cause a problem because of user intervention, and so this too should be eliminated. By this I am of course not suggesting that you don’t allow your employees to access the network or the internet, but you can reduce the amount of damage that could occur by taking pre-emptive action. A lot of this lies in education and the creation of strong policies which enable managers to dictate how the network is used. Permissions at network level should also be used to ensure that employees are not all given administrative rights and can’t access sensitive data such as customer information unless it’s a part of their job.
53% of Businesses Don’t Perform Daily Backups
All sounds pretty simple right?
Perhaps so. But many businesses fail to implement even the simplest procedures which could reduce risk, such as patch management and regular backups. Given that it’s thought that “60% of companies that lose their data will shut down within 6 months”, a security breach that leads to loss of data could prove fatal to any business, yet so many still fail to back up and protect data. In a survey carried out by GFI, it was found that 53% of those businesses that participated didn’t carry out daily backups. Reasons for this ranged from it not being an efficient use of time, to a lack of resources and efficient technology. Certainly, backup in the past, when it was all done on-premise and to tape, was often a laborious process.
These days though we have the cloud, and businesses can choose a hybrid solution which allows them to store data both on-premise and in the cloud. This is generally quicker, and more secure in that a copy of the company’s data is always available.
Many Businesses Don’t Have Basic Protection
Another study carried out last year by NTT Group found that 45% of network security attacks are due to malware and the majority of these could have been prevented if just the most basic of protection had been put in place. The 2014 Global Threat Intelligence Report collected and studied around three billion attacks that took place in the previous year around the globe.
The research found that more than half of all the software vulnerabilities that were picked up in scans could have been patched more than two years previously and that 77% of the companies studied didn’t have any incident response document in place. So whilst on the one hand we see businesses concerned about the security of newer technologies such as the cloud, on the other we have plenty of businesses that are seriously lacking in even the most basic security on the network. A proportion of the businesses that NTT studied didn’t have any security in place, not even a basic antivirus solution.
So there appears to be something of a disconnect between what businesses think they need and what they actually put in place.
Patch Management is Key
Good security starts with good practice, and when it comes to the software that’s used on the network, it should be a priority to ensure that it’s patched as soon as an update becomes available. For IT departments, it’s not always easy to access workstations and servers during working hours in order to update systems. Managers complain about the cost of downtime, which is of course hugely expensive to any business. However, it’s much more costly if the worst should happen and a breach occurs or malware damages operating systems.
Software vulnerabilities are commonly exploited by cybercriminals, to whom they represent the easiest way in, alongside phishing, which remains an issue in every business. Failure to patch systems is like waving a nice big red flag around on the internet with a sign reading “I’m open – come on in”. It’s not difficult, or expensive, to patch systems, so businesses with their own IT departments need to schedule these and other updates, such as antivirus patterns and engines, regularly. Those that don’t have an IT department should strongly consider using an IT support company that offers managed services – a managed service provider, or MSP.
Managed Service Providers
Managed services providers generally offer (depending on the size of the business):
- Remote monitoring and management – all systems are continuously monitored to pick up errors and intrusion attempts so that the IT technician can act promptly to ensure that no damage is done and pre-empt downtime.
- Patch management – often, patches can be deployed remotely and at a time when staff won’t notice any interference.
- Backup and storage – as discussed earlier, backups are made to the cloud and also on-premise. These are done so often that it’s very unlikely that any data will be lost in the event of a breach or failure.
- Hosted exchange and managed email – again, email is stored in the cloud and is protected by robust security. Archiving is often offered bundled with this particular service too.
- Security – the MSP provides all security software and ensures that it’s constantly updated and fit for purpose.
- IP telephony – hosted PBX is becoming increasingly popular as it offers business-grade telephony without the capital costs and maintenance of a traditional business telephone system.
Depending on the supplier, all of these and more are often available and are a better option than using the traditional IT break-fix model as this is a reactive one. Break-fix has never really aligned with business goals as it’s only when something goes wrong that a technician is called out and this makes things expensive. The business owner is never very happy to see the break-fix technician as he knows that it’s going to cost him money. With managed services however, a monthly fee is paid and this only varies if hardware fails and needs replacing. With managed services, even if a hardware fault occurs, it can often be picked up in error files and some warning given to the business owner.
An MSP is a little like having your own CTO, but without the need to pay a monthly wage, just a fee.
Educating End Users
When it comes to human error, the first step in overcoming this is in educating employees about the threats that your business faces and how their actions could lead to a situation in which the life of the business is threatened. Once they understand the threat, the majority of employees will adjust their behaviour in order to ensure they’re not the one that causes the breach.
Employees should learn about:
- Spear phishing
- Social engineering
- DDoS attacks and botnets
A common spear phishing tactic employed these days is one in which a criminal will first collect information about a worker in an organization they’re planning to target. Most people have all of this information freely available on social networks, so it’s simple to discover. This is then used to craft an email that appears to be from somebody that the target member of staff already knows in a business capacity and they can be very convincing.
- Not to open any attachments that they’re not expecting, no matter who it’s from. Malware doesn’t just come wrapped in zip files anymore either, it can be embedded into a Word document, image or spreadsheet.
- Not to click through on any link in an email unless they’re completely sure of the source.
- To recognise phishing websites and email.
- To be aware of social engineering tactics that are employed on social media such as sensationalist ‘clickbait’ headlines, videos, links that evoke strong emotion such as images of sick children.
- Not to install software at all – leave that to those who are responsible for it.
- To understand how a DDoS attack can take down a website and how malware on their machine could very well be the facilitator (or one of them). DDoS attacks often use a botnet, which is a collection of malware infected machines known as bots or zombies. The host machine owners are rarely aware that they have malware, which often sits quietly in the background performing actions such as logging keystrokes and reporting back to the malware author/botnet controller.
- To have a basic understanding of how malware works – the majority of malware (an amalgamation of ‘malicious’ and ‘software’) is created to steal, either money through banking Trojans and suchlike, or business data and information.
Policies and Your Employees
It used to be the case that the majority of businesses with a network outright banned employees from using social media and any site that wasn’t directly concerned with their job. In recent years this has relaxed a lot and as such, it’s necessary to have sound policies in place which dictate what users can and can’t do on the company network. Many businesses also allow employees to use their own devices to access the company network for various reasons. Some staff use it in their own time for training, others work remotely and others still might work in the field and prefer using their own device. Whatever the case, the business that operates a BYOD (Bring Your Own Device) scheme is one that’s potentially creating problems for itself.
Again, this is something that MSPs can help with: many of them now offer Mobile Device Management (MDM), or you can purchase software solutions of the same name. However, this won’t be enough on its own, so you should also implement policies on apps and downloads and what can be accessed during working hours. The employee may not like the fact that she’s not allowed to download apps from an unofficial store, or to jailbreak her own device, but should be made to understand the implications so that she knows that deviating from the rules could cause serious harm to the business.
The use of social networks has become central to the way that some of us perform our jobs. It’s used widely in marketing and in customer service, reputation management and more. As such an outright ban rarely works for a business so instead, you should train staff to recognise the risks associated with social media and how to avoid them.
The vast majority of the various scams that are carried out on social media can be found within seconds by Googling them. Sites such as Hoax Slayer and Snopes are exceptionally good at providing the latest information on scams, malware and hoaxes, so should be used too. It’s really not that difficult to recognise a scam once you know the tricks that scammers and cybercriminals employ.
It’s shocking to think that 77% of those businesses studied in NTT’s research had already suffered a breach in the previous year and yet still didn’t have an incident response plan in place. These work to ensure that a business can react swiftly if a breach occurs and minimise any damage.
An incident response plan should include:
- A contact list detailing the key personnel to be contacted in the event of a breach, malware attack, DDoS attack, or system and hardware failure.
- Data classification identifying key and sensitive data that must be prioritised in the event of an attack.
- Key tools that can be utilised to minimise damage.
- Details on what constitutes an incident that needs addressing immediately.
And much more … a good incident response plan should make up a part of your overall security; you can find an example template here. If you choose to go with an MSP to support you, then they should also be able to work with you to create one.
As mentioned earlier, good security at network level should be made up of more than one part. It should employ a firewall, antivirus/malware scanners, an incident response plan, file monitoring, correctly applied network permissions, sound policies, an MDM solution if BYOD is employed and education.
Layered defence works on the principle that if an attacker gets through one layer, they haven’t yet reached the network, but only the next layer that they have to get through. Cybercriminals are generally reasonably lazy in that they usually look for the weakest targets to attack. And for the most part, if you’re the owner of a small business, that’s you.
For SMEs that do business with large organisations, this is even more the case, as often, the attacker is looking for the weakest link in the supply chain with the least robust security. So it’s a myth that small businesses don’t get attacked because they’re not worth the bother – hackers are usually looking to make cash, one way or another, and just because your business isn’t generating the same revenue as larger targets, it doesn’t mean that cybercrooks aren’t looking to empty your bank account or perform some other mischief – they are, so get your security tightened up.
Years ago I used to run one of those break-fix IT support companies that stepped in when things went wrong and at times, it seems like little has changed or been learned by businesses when it comes to protecting their data and their business. Let me repeat myself – a data breach can be disastrous to the point of fatal to all businesses, regardless of size.
But it’s simple to put measures in place that will in the long term save you a lot of time and money. Even 15 years ago, when I actively worked in IT, I was saying the same things to clients as I write now – educate yourself and your employees on the dangers of malware, phishing, hacking and other attacks before you come to regret it. For some reason, people refuse to see the bigger picture in that even if your business has a very small network, or even if you don’t protect your home PC, the damage that can be wrought on others due to the botnet you’re helping to power is not negligible – it’s expensive, to large organisations, to your aunt who suffers fraud thanks to a banking Trojan, to SMEs that fail, to banks and insurance companies that pick up the bill, to sites that are taken out by a cybercriminal who’s demanding a fee to reinstate them.
Cybercrime is not a battle the good guys are winning anytime soon, so it’s up to you to protect your business, your customers’ data and in turn, the businesses of others. It’s only really going to be when security becomes a primary concern for us all, consumers and businesses alike, that we’re ever going to make any headway.