Most Managing Directors and CEOs would admit that if there’s anything that keeps them awake at night it’s the possibility of their organisation hitting the headlines due to a data breach. But what is a ‘breach’? And how is it likely to come about in today’s multi-employee, networked and distributed business?
As we’ll see it’s a multi-faceted challenge. Let’s have a closed look.
Data that resides on internal servers, in the cloud and on individual computers is potentially at risk of begin lost or stolen if the correct measures are not taken to protect it.
Commercially Sensitive Business Information
- Intellectual property
- Legal documents
- Financial Information
- Employee records
Private Customer Information
- Personal or family details
- Credit card details
- Banking account records
- Historical data such as health, employment, insurance…
…everything must be closely guarded.
Risks Increase with More
- Servers, computers and mobile devices in use
- Number and nature of other networked devices
- Software applications in use around the business
It’s tempting to think that if you’re just a small business, you won’t be vulnerable to cyberthreats. But depending on the nature of the threats, they’re just as open to exploitation. For Managing Directors, the sheer volume of risks has increased enormously as technology used to improve business process and efficiencies has grown. The more we become dependent on computers, communications and cloud technologies, the greater the risks to cybersecurity. It’s important to understand the nature, sources and possible implications of these risks, and put in place plans to ensure they’re managed and mitigated.
Sources of the Problem
Attackers with criminal intent want to steal data for fraudulent use such as identity information like names, dates of birth, addresses, credit card numbers and so on. So these types of attackers tend to target larger consumer facing organisations that by definition will hold large amounts of profiled data. Identity theft is big business, and there’s ready — though black — market for personal profiles and credit card numbers. Other types of hacker want to hijack systems for reasons of extortion, or to host botnets from where they can launch large volumes of spam. Others still may be intent on stealing specific data from certain organisations, or just on causing disruption. As Managing Director, you don’t expect to know about every individual cyberthreat to the business – so let’s just look at three headline areas you should be aware of.
In 2017, the WannaCry worm succeeded in spreading malware throughout networked organisations around the world, including the UK’s NHS. Many networks were brought to a standstill, causing chaos and disruption to employees, customers and other individuals linked to businesses and public-sector organisations.
Worms are usually spread via links and attachments in emails, faster than many other methods of attack. They succeed through infected media, such as USB drives and mobile network-connected devices and rely on vulnerabilities in networking protocols and operating systems.
Once onboard a machine, worms will search for other potentially vulnerable systems to infect. The WannaCry outbreak was “ransomware”. It locked down the systems of the devices it infected using a strong form of encryption so that they could not be used, demanding a ‘ransom’ be paid in exchange for a key to unlock the system.
This type of exploit is likely to persist for the foreseeable future.
Backup: the best form of protection against ransomware is to deploy a comprehensive backup system that ensures all files are backed up to a separate, secure system that cannot be accessed from the normal operational network.
Email filtering: clearly the ransomware ‘vector’ must enter the network, find its way onto a susceptible computer, phone or other device and then execute. The most common pathways are via emails. Email filtering and whitelisting may prevent the emails getting into the network.
Anti-virus: once the ransomware attachment is open (or the link in the email body is clicked), the unsuspecting user is typically taken to a malicious website where the code for the download is stored. Antivirus software will scan files prior to download and then block it if it looks suspicious. AV software will also scan the computer to find any other malware present.
Specialist anti-ransomware software: some endpoint protection solutions (including CryptoGuard in Sophos’s Intercept X) is designed specifically to arrest ransomware. Using complex behavioral analysis, Cryptoguard stops ransomware and boot-record attacks, as they attempt to execute, and actually resets any encrypted files to their original state.
Attackers rely heavily on software vulnerabilities. As software applications mature, it’s common for small updates to be issued to fix known bugs, improve functionality and enhance features. Often, these updates address a specific vulnerability that may make the software susceptible to a malicious hack.
However, as the number and type of applications used by most organisations has increased so rapidly, the process of patching has grown more complex and includes maintaining and accurate inventory of:
- All software in use around the organisation
- Versions of the software
- Which machines the software is installed on
- The update/patching record for each installation on each machine
The only way to prevent software vulnerabilities is to apply updates (known as patching) regularly. In larger organisations, this is a highly complex process requiring specialist procedures and software. Nonetheless, patching is vitally important activity.
Keeping the software on servers, computers and mobile devices up to date is a highly complex process. To be effective, a patch management solution must detect, assess, report and patch software that is not up to date.
With multiple types of device, mobile users, varying operating systems and up to 50,000 types of software, maintaining up to date systems is a huge challenge, especially if it is not going to disrupt network users.
The more sophisticated patch management applications that can:
- Combine assessment with patch deployment
- Prioritise patching based on assessed vulnerabilities
- Incorporate automated patch management
- Cover all software applications in the organisation, including non-Microsoft ones
- Encompass reports, advisories and intelligence
Internal threats to security often come about because scammers send spam emails masquerading as familiar looking information. Emails may look as if they have come from an official source such as a bank, delivery company, ecommerce shop or news website.
The intention is to con the unsuspecting recipient into clicking a link or opening an attachment. Delivery notes, bank statements and invoices are common vehicles for this type of activity.
On clicking a link, the users may be asked to download a file — which if clicked will then install some form of malware such as spyware or Ransomware. Other forms of insider threats arise when a disgruntled or rogue employee tries to copy, download or send sensitive data for use outside the business.
In either of the above cases, the management of threats that originate outside the business can often be made more effective by security awareness training inside the business.
When you make employees aware of the security measures that are running on their systems and on the network, there may be a temptation for them to think that the IT team is taking care of everything, and that nothing special is required from them.
However, the opposite is true. A great deal can be achieved through user security awareness training. Whether through classroom and 1:1 onsite training, or online interactive learning, testing and certification, all staff can benefit from knowing that their role in being alert and aware to the most common forms of cybersecurity risk puts them in the front line of defence for the organisation.
Security awareness courses should:
- Be simple to deliver and understand
- Spread over time so as not to overwhelm users
- Aim to educate and teach, not control, so that users are brought on-side
- Focus on the most vital aspects of security first e.g. password management and best practice
- Make users aware of the importance of patching
- Introduce users to the tools and techniques of hackers
- Lay down a few ground rules e.g. how to treat emails from unknown senders
- Make them feel responsible for their own role in cybersecurity
- Show them that what they do away from the office on their laptop or smartphone may be as important as what they do in the office.
Periodically you need to reassure yourself and your key stakeholders that your cybersecurity systems are working as they should: to prevent external threats from gaining access into the network.
It’s vitally important to ensure — and demonstrate — that your network is secure against malicious threats. This is not only logical best practice, but also means that your business can:
- Comply with regulatory requirements such as PCI DSS and ISO 27001
- Demonstrate security due diligence to shareholders, staff and suppliers
- Protect corporate brand reputation
- Highlight security areas that need improvement — and then address them
To ‘stress test’ your cybersecurity infrastructure, you need to use an external, properly qualified and suitably certified Penetration (Pen) Testing provider. Pen testing should be carried out at regular, set intervals by a CREST certified pen testing organisation as companies with the CREST certification are subject to rigorous qualification criteria.
Even if you believe your security infrastructure is up to scratch, your penetration test report is likely to reveal some unexpected results. You’ll then know what your security team need to do to remediate these issues, plug any possible security gaps and address the vulnerabilities.
In summary, make sure that the penetration testing company you use:
- Is trustworthy
- Possesses the necessary technical capabilities
- Has a strong track record
- Has the capability to restore systems affected during the process