Connection to the Internet is a business essential. Unfortunately, it’s also one of the greatest security risks businesses encounter. Once upon a time, a firewall and some good antivirus software were enough to conduct business safely. But now businesses, especially small businesses, are more vulnerable than ever to cyber security threats.
One possible solution is to bring cyber security protection in-house, but that is often out of reach: small businesses are the most exposed to cyber-attack precisely because their budgets may not stretch to dedicated security staff. Another solution is basic education for your employees. Armed with a little knowledge, your workforce can stave off some of the more common cyber security threats.
The following is a guide to some of the biggest cyber security threats to businesses and how you can prepare to combat these cybercrimes.
Like its namesake, phishing involves casting out bait in an attempt to land a big fish. In this case, the bait is an email or electronic message and the ‘catch of the day’ is access to your business's computer systems. Once attackers have that access, they can deploy ransomware, steal your sensitive information and data, or siphon money from your accounts.
The first step in combating phishing is training (such as via the Master of Cyber Security from ECU). Executives consistently rank untrained staff among the greatest threats to the cyber security of their business. Employee training at all levels of the organisation is a valuable fortification against cyber threats.
The impact of a phishing attack can also be reduced through the principle of least privilege: giving each account access only to the resources required to do its particular job, and nothing more.
The following scenario is a good example of limiting access through the principle of least privilege:
The scene begins in the accounting department, where some staff have access to payroll while others have access to accounts. Staff outside the accounting department may have access to expenses and invoices, or no access at all. If a phishing attack on any of these accounts succeeds, the breach is limited to the resources that account can reach. Least privilege does not stop the phishing email itself, but it caps the damage: an account that can reach everything turns one successful phish into a full compromise. Limiting access is therefore a simple and savvy move companies can take when combating phishing attacks and other cyber security risks.
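The accounting scenario above, worked through as an added example (this code is not from the original article). The role names, resources, users and the "needed" mapping are all constructed for illustration; the point is the deny-by-default lookup and the blast-radius calculation, which show how much a single phished account exposes under a least-privilege policy versus a shared "everything" role.

```python
"""Least privilege: what does a phished account actually reach?

Added example, not part of the original article. Departments, roles,
resources and users are constructed for illustration.
"""
from dataclasses import dataclass, field

# Resources from the accounting scenario (constructed).
RESOURCES = {"payroll", "accounts", "expenses", "invoices"}

# Role -> resources it may touch. Anything not listed is unreachable
# (deny by default), which is what makes the policy "least privilege".
ROLE_PERMISSIONS = {
    "payroll_clerk": {"payroll"},
    "accounts_clerk": {"accounts"},
    "staff": {"expenses", "invoices"},
    "contractor": set(),                 # no access at all
    "admin_everything": set(RESOURCES),  # the anti-pattern least privilege removes
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


def allowed_resources(user):
    """Union of the resources granted by the user's roles (deny by default)."""
    granted = set()
    for role in user.roles:
        granted |= ROLE_PERMISSIONS.get(role, set())
    return granted


def can_access(user, resource):
    """Single access decision: True only if some role explicitly grants it."""
    return resource in allowed_resources(user)


def blast_radius(compromised_users):
    """Resources an attacker reaches after phishing the given accounts."""
    reached = set()
    for user in compromised_users:
        reached |= allowed_resources(user)
    return reached


def audit_over_privileged(users, needed):
    """Report users whose roles grant more than their job needs.

    `needed` maps user name -> the resources the job actually requires
    (a constructed mapping here; in practice it comes from the line manager).
    Returns {user name: set of excess resources} for every offender.
    """
    findings = {}
    for user in users:
        extra = allowed_resources(user) - needed.get(user.name, set())
        if extra:
            findings[user.name] = extra
    return findings


if __name__ == "__main__":
    alice = User("alice", {"payroll_clerk"})
    bob = User("bob", {"staff"})
    carol = User("carol", {"admin_everything"})  # over-privileged
    print("phish alice ->", blast_radius([alice]))   # only payroll
    print("phish carol ->", blast_radius([carol]))   # every resource
    print(audit_over_privileged(
        [alice, bob, carol],
        {"alice": {"payroll"}, "bob": {"expenses", "invoices"}, "carol": {"accounts"}},
    ))
```

Running the audit periodically is the practical check: roles accumulate over time as people change jobs, and an account that is "phished" in a tabletop exercise should map to the same small set the audit reports as needed, not to the whole company.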
Another tactic to counteract phishing is to restrict employees from using unauthorised devices at work. If employees are allowed to bring personal devices, a Bring Your Own Device (BYOD) policy must set the ground rules for any device not supplied by the business. For optimum safety, access to networks and USB ports should be restricted to company-approved devices that are fully compliant with your cyber security policies.
Ransomware is malicious software (malware) that holds your data and personal information hostage until a ransom is paid. Some variants threaten to publish your data; others block access to it or encrypt it outright. The result cripples businesses, and entertaining the ransom brings risks of its own: payment does not guarantee the data will be recovered.
Ransomware often finds its way into businesses through phishing emails. All it takes is one click on a link in a convincing-looking email that leads to a legitimate-looking website. Without the user realising, the malware makes its way onto the computer system and the attack unfolds. Another, cruder way in is an email attachment that the user is invited to open.
Internet security company Malwarebytes reports that business detections of ransomware increased 200% from the last quarter of 2018 to the first quarter of 2019. As a result, employees are increasingly likely to encounter one of these nasties in their inbox. Again, training staff on cyber security awareness is the first step in combating cybercriminals using both phishing and ransomware.
Malware scanning and antivirus software can also help by intercepting a malicious message before it reaches the employee. These programs can quarantine emails, block downloads, or simply flag potential threats.
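The "link in a convincing-looking email" described above is what mail filters look for when they flag potential threats. The following is an added example (not code from the original article or from any vendor's scanner) of the kind of link analysis involved: it pulls every anchor out of an HTML email body and reports three classic phishing indicators, namely display text that names one domain while the link goes to another, a lookalike of a trusted domain (digit-for-letter substitutions such as `examp1e`), and a trusted name used as a subdomain of an unrelated host. The sample message, the trusted-domain list and the heuristics are constructed for illustration; a real filter would use a proper public-suffix list and far more signals.

```python
"""Flag phishing indicators in the links of an HTML email body.

Added example, not part of the original article or any product.
TRUSTED_DOMAINS, SAMPLE_EMAIL and the heuristics are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the domains the business legitimately sends from / links to.
TRUSTED_DOMAINS = {"example-bank.com", "example.com"}

# Constructed sample message with one clean link and two phishing links.
SAMPLE_EMAIL = """
<p>Your payroll account has been locked. Log in within 24 hours.</p>
<a href="http://examp1e-bank.com/login">https://example-bank.com/login</a>
<a href="https://example-bank.com.evil-host.net/reset">Reset password</a>
<a href="https://example.com/help">Help centre</a>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def registered_domain(host):
    """Crude eTLD+1: the last two labels. Fine for .com-style hosts only;
    a real filter uses the public suffix list."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _looks_like_url(text):
    return text.startswith(("http://", "https://", "www."))


def _lookalike(domain, trusted):
    """Undo common homoglyph substitutions; flag if that yields a trusted name."""
    normalised = domain.replace("0", "o").replace("1", "l").replace("rn", "m")
    return normalised != domain and normalised in trusted


def analyse_links(html_body, trusted=TRUSTED_DOMAINS):
    """Return a list of (href, reason) findings; an empty list means nothing flagged."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        if urlparse(href).scheme not in ("http", "https"):
            findings.append((href, "non-web scheme"))
            continue
        host = host_of(href)
        domain = registered_domain(host)
        # 1. Visible text is itself a URL but names a different domain.
        if _looks_like_url(text):
            shown = registered_domain(host_of(text if "://" in text else "http://" + text))
            if shown != domain:
                findings.append((href, f"display text says {shown} but link goes to {domain}"))
        if domain not in trusted:
            # 2. Homoglyph lookalike of a trusted domain.
            if _lookalike(domain, trusted):
                findings.append((href, f"lookalike of trusted domain: {domain}"))
            # 3. Trusted name used as a subdomain of an unrelated host.
            if any(host.startswith(t + ".") for t in trusted):
                findings.append((href, f"trusted name used as subdomain of {domain}"))
    return findings


if __name__ == "__main__":
    for href, reason in analyse_links(SAMPLE_EMAIL):
        print(f"FLAG {href}: {reason}")
```

The first link trips two checks (mismatched display text and a `1`-for-`l` lookalike), the second trips the subdomain check, and the genuine `example.com` link is left alone. Neither the filter nor the trained employee needs to follow the link to tell these apart; the mismatch is visible in the message itself.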
If ransomware still gets through, a good recovery plan is an effective last line of defence. This requires regular backups kept in multiple off-site locations, at least one of which is offline or otherwise unreachable from your production systems, so that an attacker who has encrypted the live network cannot encrypt or delete the backups as well. Restoring from backup still costs time, but it need not cost anything more than that, provided the restore has been tested before it is needed.
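The two checks a recovery plan depends on are whether the offline copy is still intact and whether a restore brings back everything that was there. The following added example (not from the original article) records a SHA-256 manifest of a file tree at backup time and later compares a restored or damaged tree against it. The file tree, the simulated ransomware run (one file overwritten, one deleted, a ransom note dropped) and the directory names are all constructed inside a temporary directory so the script runs offline.

```python
"""Backup manifest and restore verification for a ransomware recovery plan.

Added example, not part of the original article. The sample tree and
the simulated ransomware damage in demo() are constructed.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest.

    Store the result with the offline backup; it is small and lets you prove
    later that the backup (and a restore from it) is byte-for-byte what you saved.
    """
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def verify_restore(manifest, tree_root):
    """Compare a tree against the manifest captured at backup time.

    Returns {"missing": [...], "modified": [...], "unexpected": [...]}.
    All three lists empty means the tree matches the backup exactly.
    """
    current = build_manifest(tree_root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def demo():
    """Constructed scenario: back up a tree, let 'ransomware' hit the live copy,
    then check both the damaged live tree and the untouched offline backup."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        backup = Path(tmp) / "offline_backup"
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "payroll.csv").write_text("alice,4200\nbob,3900\n")
        (live / "notes.txt").write_text("quarterly review\n")

        manifest = build_manifest(live)   # taken at backup time
        shutil.copytree(live, backup)     # the off-site, offline copy

        # Simulated ransomware on the live tree: encrypt, delete, leave a note.
        (live / "finance" / "payroll.csv").write_bytes(os.urandom(64))
        (live / "notes.txt").unlink()
        (live / "README_DECRYPT.txt").write_text("pay us\n")

        damage = verify_restore(manifest, live)    # what the attacker changed
        clean = verify_restore(manifest, backup)   # is the backup still good?
        return damage, clean


if __name__ == "__main__":
    damage, clean = demo()
    print("live tree  :", damage)
    print("offline copy:", clean)
```

The manifest must live with the offline copy, not on the production network, or the same attacker can rewrite it. Running `verify_restore` against a freshly restored tree is the test that turns "we have backups" into "we can recover".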
One of the key principles in network security is to create a well-defined perimeter that separates a business network from the Internet. Firewalls enforce this border, allowing authorised connections while keeping unauthorised ones out. Maintaining the perimeter requires every part of the network, and every device on it, to be secured: a single misconfigured or unpatched device is a hole in the fence.
A device may be insecure if its factory configuration is not changed on installation. Until recently, a printer connected to a network was simply an endpoint for printing documents. Now, as part of the Internet of Things (IoT), a printer may connect automatically to Wi-Fi or to the cloud, sending and receiving data. Changing default passwords and aligning any new device’s configuration with your cyber security policies is essential.
Devices can also become insecure if they miss an update. A few years ago, the account details of 83 million customers were stolen from a US bank because one network server was overlooked. Like most banks, it had introduced two-factor authentication, where a second factor (such as a one-time code) is required alongside the password to log in. Unfortunately, when it rolled out two-factor authentication, one server was missed, and the attackers got in through it.
It's important to have a cyber security expert in your business
IBM conducts an annual ‘Cost of a Data Breach’ study. In 2018 this study put the global average cost at US$3.86 million. Next to that figure, the expense of a cyber security expert on your payroll looks like petty cash!
The fact is, cyber threats are constantly evolving, and today’s cyber security practices could be obsolete against tomorrow’s threats. That’s why cyber security experts continually scan the horizon for new challenges and update defence practices as new threats arise. With a cyber security expert in your business, you can establish a progressive cyber security strategy developed specifically for your environment.
Find out more about how to learn the skills you need to protect your business from these threats by studying a Master of Cyber Security.