When we think of cyber-attacks our minds often flash to larger corporations and massive data leaks for millions of customers, but these are just the ones we see reported in the news. In fact the Verizon 2019 Data Breach Report found that 43% of breaches involved small business victims.
Cyber-attacks are on the rise, and for most SMEs trying to get your head around them and protect your business can be a daunting and difficult task. We have compiled a list of 8 steps to help prevent breaches, including practical advice on what to do should a breach occur.
If you know what you are trying to protect you will have a much easier time securing your weak spots. Doing this first establishes what is actually important to your business continuity and your users, instead of playing security whack-a-mole. While it’s hard to give a definitive guide for all cases, there are some important considerations given below:
• What processes do you currently have in place?
• What are you trying to protect? (e.g. website, customer data, etc.)
• Is access to systems logged and reported? Could you spot an intruder?
• Is all sensitive data encrypted? This includes user data and sensitive documents.
• Are production systems and systems that have access to production data locked down?
• Are administrative accounts restricted, and only used for administrative work and not reading emails?
Once you have your list it’s time to make sure everyone knows about it.
Making sure your staff are educated is paramount to staying safe. It can take only one click on a dodgy link, or the insertion of a USB device loaded with malware, to expose your company data to hackers.
Below are some common rules you can put in place to help:
• Nominate a data security champion who can assist with queries
• Ensure all staff have strong passwords and these are updated regularly
• Don’t use the same password for all your accounts
• Ask staff not to log in from public devices / public Wi-Fi
• Make sure secure data stored on devices is encrypted, password protected and can be wiped if devices are lost or stolen (this includes mobile phones and tablets)
• Try and keep personal activity to home computers (especially if someone is downloading seasons 1-8 of Game of Thrones from a dodgy website)
• If employees are working remotely encourage them to use a VPN (Virtual Private Network)
• Ensure employees have the latest versions of anti-virus software on their devices
• Set up 2-step verification for employees
• Try and only visit secure websites (verified by the padlock) and only download from trusted sites
• Limit access to your admin account and password to those who really need it
• Create a separate guest Wi-Fi for visitors
• Turn off your devices when you go home
• Back-up your data frequently
• If you’re not sure, ask!
As an admin you can block certain websites or require an admin password for downloads. Don’t be afraid to lock down access, as long as you make staff aware of the possible consequences.
This awareness extends to any third parties you may be working with too. Make sure they are aware of your data policy and enforce these rules where possible.
Once you understand your risk it’s important to understand which attack vectors (ways that hackers can gain access to your systems) apply to you. Different businesses have different attack vectors, and these are easy to overlook. Cyber-attacks can be simple hit-and-hope attacks or very complex and targeted; below are some common attack vectors and what you can do about them.
Targeted attacks
In rare instances an attacker may target your business directly. This can be for many reasons from the type of business you are, the type of information you hold, if you have been identified as a weak target or even through a disgruntled employee. Though rarer, it’s still worth taking stock of these things.
New doomsday vulnerability
In most instances a specific organisation isn’t being targeted; it’s just a case of the latest and greatest vulnerability being exploited in an automated way against random targets. Read tip 4 for help with avoiding this type of vulnerability.
Human error
Sometimes breaches are just plain old human error, whether through misconfiguration, visiting a website that contains malware, inserting a USB stick they shouldn’t have into a networked computer, having a weak and easy to guess password like “Password123!”, or following the instructions in an email they shouldn’t have. The human factor is difficult to ignore and the best approach is to raise awareness in your organisation. Yes, mistakes may still happen; after all, we are only human. But the more everyone in the organisation is aware of what to be wary of, the less likely it is that you will fall victim to an attack at the first hurdle.
The hacking community is constantly on the lookout for vulnerabilities, including some of our very own developers, not to exploit them but to make companies aware they have a potential data breach. Once the company is notified it will often put out a ‘patch’ to fix this vulnerability and label it as a software update. It is not always stated that the update fixes a vulnerability, so it’s worth installing even if it looks like a minor update. If your systems or software are out of date you could be leaving yourself vulnerable to attack.
While nobody likes it when their computer asks to be restarted, and production updates need to be planned, it’s better than the alternative. The best way to ensure you are up to date can be to turn on automatic updates.
Also make sure to uninstall software you are no longer using, as it’s easy to lose track of keeping it up to date.
Email phishing is one of the more common types of attack hackers will use to gain access to your company data. Phishing scams are innocent looking emails, often dressed up to look like legitimate emails from companies you may recognise.
Be wary of emails asking for personal data such as date of birth, passwords or even bank details.
Easy ways to spot them are poor grammar, a mismatch of different fonts, strange names, or a link that leads to a website with a different URL from the one shown in the link text.
Also check that the email address matches the person or company claiming to send the email. For instance, you probably shouldn’t trust an email claiming to be from a major bank that was sent from a generic email address, e.g. yourbank_payments@gmail.com.
Quite simply, if you don’t recognise a sender then don’t open the attachment or click the link/download. You can hover over the link, or even right click and copy the link then paste it into a Word document, to inspect it further before visiting the website.
An old saying springs to mind here: ‘It’s better to be safe than sorry.’
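As an added example (not code from the original post), the following Python script applies two of the checks above to a constructed e-mail: a sender whose display name claims an organisation but whose address sits on a free webmail domain (the list of such domains is an assumption), and a link whose visible text names a different host from the one its href actually points to.

```python
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Free webmail providers a bank or supplier would not send from (assumed list).
FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def phishing_indicators(raw):
    """Return the red flags found in a raw e-mail (From header + HTML body)."""
    msg = email.message_from_string(raw)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if name and domain in FREEMAIL:  # e.g. "Your Bank" sending from gmail.com
        flags.append(f"sender '{name}' uses free webmail domain {domain}")
    body = msg.get_payload(decode=True).decode(errors="replace")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        if " " in text or "." not in text:  # anchor text is not a URL/domain
            continue
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        actual = urlparse(href).hostname
        if shown and actual and shown != actual:
            flags.append(f"link text shows {shown} but points to {actual}")
    return flags

# Constructed sample message, modelled on the yourbank_payments@gmail.com example above.
SAMPLE = ("From: Your Bank Payments <yourbank_payments@gmail.com>\nContent-Type: text/html\n\n"
          '<p>Log in at <a href="http://yourbank-secure.example.net/login">https://www.yourbank.example.com</a></p>\n')
```

Both checks are heuristics: a sole trader may legitimately use webmail, so treat a flag as a prompt to verify the sender by another channel rather than as proof of phishing.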
If, in the worst case, you do encounter a breach, make sure you have a disaster recovery plan in place.
Losing all your business data could prove catastrophic, so make sure all your data is backed up, ideally to a secure off-site location.
There are many reputable vendors out there so it’s worth doing your research on this one to find the best solution for your business.
Ensure regular testing of your websites, applications and infrastructure, whether through a manual penetration test, an automated tool like AppCheck, or ideally both. It’s certainly a good idea to be aware of how hackers could exploit your business and to stay one step ahead by fixing issues before they can be exploited.
The Verizon 2019 Data Breach Report found that 56% of breaches take months or longer to discover, which highlights the importance of regularly checking your weak spots.
Whilst internal testing is important, it’s likely that the world wide web has more users than your company has employees, so we recommend thorough and regular external perimeter testing as a great starting point in understanding where potential vulnerabilities may lie.
There are many automated tools out there and fantastic manual penetration testers, but if you’d like a free demonstration of what AppCheck can do and how we compare please get in touch through info@localhost
Once a hack has occurred, make sure to tell the relevant people (potentially the police) and also the relevant regulatory bodies. There have been many recent examples of large fines for companies who did not deal with the fallout of an attack correctly. Read about a recent one here: British Airways fined £183m following recent cyber attack
If necessary warn your customers if you think they might be at risk.
Change all passwords if you believe this is how the breach occurred.
If you are using an automated scanning tool, run a security scan to look for similar vulnerabilities.
Most importantly try and establish how this occurred so you can prevent immediate future attacks.
The AppCheck automated vulnerability scanner runs in the background on a set schedule, whether that be once a week or constantly scanning for vulnerabilities. Findings are reported on your vulnerability management dashboard and are available with single-click reporting, producing professional reports with a technical overview and simple remediation advice.
https://appcheck-ng.com/wp-content/uploads/AppCheck_Sample_Report.pdf
AppCheck scans for hundreds of vulnerabilities including the OWASP Top 10 and all AppCheck licences come with unlimited users and unlimited scanning frequency to ensure maximum coverage across your business.
If you would like to book a free demo or receive a free trial scan please get in contact with us at info@localhost
No software to download or install.
Contact us or call us on 0113 887 8380
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations’ websites, applications, network and cloud infrastructure. AppCheck is authorised by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).