One of the most significant pan-industrial global changes of recent decades has been the shift of assets to virtual space. For much longer capital markets have allowed for financial credit to be largely conceptual, but never before have data, services and communications been so conveniently and affordably available in the virtual world. It should have come as no surprise that in 2017 data overtook oil to become the most valuable resource in the world.
With greater value placed on information in (potentially vulnerable) virtual locations, cyber crime has developed to meet the challenge of ever-stronger IT security networks and perimeters. Cyber crime cost the world $3 trillion in 2015 and is predicted to rise to $6 trillion by 2021, and the figures of recent years show that businesses of all sizes are open to attacks.
For UK-based enterprises, the most advisable option is to look at cyber security ventures in the UK that can help develop a strategy and implement all of the appropriate IT security solutions that reduce risks and maintain compliance.
The best tips and advice for keeping your data secure and less vulnerable to malicious attacks include the following:
Back up data regularly
Backups should be made as regularly as possible, not only to ensure security against attacks, but also to keep saved data current in the event of data loss. GDPR guidelines require all data to be available at all times, so backups also need to reflect the live data.
Backups should be carried out daily to ensure minimal loss in the event of disaster. They should contain all working documents, spreadsheets, accounts and sensitive data, and data stored on the cloud should also be backed up. Backups should be stored at a physical distance from business operations in case of a disaster, and backup duty should be shared between a handful of people to lessen the risk of an insider threat.
Apply multi-factor authentication
Stolen or weak user authentication details are the cause of a high proportion of all web application attacks, and multi-factor authentication (MFA) is currently the best approach to heightened security. This added layer of security - that may make use of a security token, an SMS message, a phone call or a fingerprint - means there’s very little chance for a malicious actor to gain access.
MFA systems can also distinguish between users of shared accounts, and this allows for greater control over access. MFA access controls should be applied wherever possible, but especially in the cases where sensitive data is used, such as with email accounts, financial and health records.
Use a reliable firewall
Regulations such as the GDPR give no requirements with regard to firewalls, only that data breaches must be avoided and reported as soon as they occur. In the U.S., the Federal Communications Commission recommends that all SMEs use a firewall.
A firewall is a tool that prevents hackers from entering networks via the internet, and can also limit data removal through downloads, malware or breaches. Firewalls have long been seen as a standard protection at the basic level, but modern firewalls also perform extra safeguards, such as detecting breaches, blocking suspicious access attempts or preventing specific types of data from being sent to the internet.
Manage the use of the Internet of Things (IoT)
The IoT market is predicted by Bain & Company to reach $520 billion by 2021, more than double the figures from 2017. The weakness this presents to businesses lies in the access that various internet devices have to sensitive data. These IoT devices may include office equipment, heating systems, smart door locks or security cameras.
If a printer connected to a wireless network can be accessed from outside, then malicious actors can potentially view all documents that are printed or scanned. Such threats can be addressed by using end-to-end encryption for data at rest and in transit, avoiding default hard-coded credentials, using a secure router that enables the firewall, employing a security framework that supports IoT devices, and using penetration testing to review potential risks and plan accordingly.
Provide staff with security training
A study by Shred-it showed the biggest risk to businesses is negligence on the part of staff members, and these risks are also increased by remote workers and external contractors.
These risks can be lessened by providing security training that explains the threats posed by cyber crime, the importance of every security measure, examples of security breaches in small and large businesses, the damage caused and the consequences for the organisation as a whole.
Online cyber security training courses are also provided free of charge by the U.K. Government for the purposes of raising IT security awareness.
Anti-malware software is a programme designed to detect incoming threats and suspicious activity. Modern malware has developed and improved on past versions, so programmes now have advanced levels of threat identification, and anti-malware can single out threats that the software has not already come across.
Emails containing links can cause malware to be downloaded when the link is clicked. The 2016 Data Breach Investigations Report from Verizon found that 30% of staff members opened those links, which was a 7% increase on the previous year. Anti-malware can help to highlight or filter out such attacks and provide an extra layer of protection against malware from all directions.
Maintain a high level of password security
Changing passwords may seem like a hassle to employees, but 63% of data breaches in 2016 were the result of lost, stolen or weak passwords, according to the above report from Verizon. With this in consideration, password handling and privileged access management (PAM) are essential for organisations in enforcing the highest level of IT security.
Password vaults and PAM solutions are tools that can be employed to ensure a higher level of security and prevent unauthorised users from accessing protected data.
Each password should be used for a single account and not shared between employees, and memorable phrases that can be remembered without being written down should be used. Those choosing passwords should also use upper and lower case letters, numbers and symbols, and all passwords should be changed every 60 to 90 days.
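The rules in this section (one password per account, mixed character classes, rotation within 90 days) can be checked mechanically. The following is an added example, not part of the original article; the account names, passwords and dates are constructed sample data, and the inventory format is an assumption.

```python
import hashlib
import string
from collections import defaultdict
from datetime import date

MAX_AGE_DAYS = 90  # upper bound of the 60-90 day rotation window in the text

# Constructed sample inventory (not real accounts). Plaintext appears here only
# so the checks run offline; a vault or PAM tool would hold the real values.
ACCOUNTS = [
    {"account": "mail-admin", "password": "Correct-Horse-7-Battery", "changed": date(2024, 5, 1)},
    {"account": "payroll", "password": "summer2019", "changed": date(2023, 11, 2)},
    {"account": "crm", "password": "Correct-Horse-7-Battery", "changed": date(2024, 4, 20)},
    {"account": "wiki", "password": "Violet!Kettle4Marsh", "changed": date(2024, 4, 25)},
]

def missing_classes(password):
    """Return the character classes from the article's rule that are absent."""
    checks = {
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    return [name for name, ok in checks.items() if not ok]

def audit(accounts, today):
    """Map each non-compliant account to a sorted list of policy findings."""
    findings = defaultdict(set)
    by_digest = defaultdict(list)
    for a in accounts:
        # In-memory digest used only to group identical passwords (reuse check).
        digest = hashlib.sha256(a["password"].encode()).hexdigest()
        by_digest[digest].append(a["account"])
        for cls in missing_classes(a["password"]):
            findings[a["account"]].add(f"missing-{cls}")
        if (today - a["changed"]).days > MAX_AGE_DAYS:
            findings[a["account"]].add("rotation-overdue")
    for names in by_digest.values():
        if len(names) > 1:
            for n in names:
                findings[n].add("reused")
    return {name: sorted(f) for name, f in findings.items()}

if __name__ == "__main__":
    for name, issues in audit(ACCOUNTS, date(2024, 6, 1)).items():
        print(name, issues)
```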
Apply the least privilege principle
Given that almost half of data breaches are unintentionally caused by staff, granting access to all employees by default is not always the best practice. The principle of least privilege involves allowing access to sensitive data to the minimal number of employees, and revoking that access when it is no longer needed.
On an ongoing basis, privilege management can become a large job, but there is a range of access management solutions, such as System Frontier or CA Privileged Access Manager, that can effectively complete all tasks.
A similar model to the least privilege principle is the zero trust security model, which also uses the approach of limiting access to prevent insider threats.
Be wary of social engineering and phishing
Social engineering covers the various means by which criminals gain access to data by exploiting human psychology, including phishing techniques: emails, text messages and phone calls that attempt to gather information for fraudulent purposes.
Phishing attacks are on the rise, and in 2017, 76% of businesses reported being victims, according to Wombat Security.
The best approach to dealing with such a threat is using an effective antivirus and antispyware, as well as a spam filter that can pick up on suspicious messages. Also, members of staff need to be trained to understand the dangers and possible consequences of apparently harmless messages.
Monitor all 3rd party access to company data
With a greater number of employees working remotely, as well as greater reliance on subcontractors, partners, suppliers and vendors, the number of people with access to sensitive data from remote locations is higher than ever before.
This higher amount of access not only leads to a greater risk of insider attacks, but also an increased risk of malware and malicious attacks. This means that monitoring 3rd party activity is an extra security approach that organisations need to take.
This can be managed by limiting the access given to 3rd parties, and following the activity of users connected to the network. One-time passwords can also be employed for logging the activity of all users and keeping track of any malicious activity.
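A periodic access review covers both the least privilege advice above (revoke access that is no longer needed) and the 3rd party monitoring described here. The following is an added example, not part of the original article; the users, resources and log entries are constructed, and the 30-day staleness threshold is an assumption the article does not specify.

```python
from datetime import date

STALE_AFTER_DAYS = 30  # assumed review threshold; the article gives no figure

# Constructed sample data: who holds access to what, and who is a 3rd party.
GRANTS = [
    {"user": "alice", "resource": "hr-records", "third_party": False},
    {"user": "bob", "resource": "finance-share", "third_party": False},
    {"user": "vendor-acme", "resource": "ticketing", "third_party": True},
    {"user": "vendor-acme", "resource": "finance-share", "third_party": True},
]
# Constructed access log: (day, user, resource, allowed by access control)
LOG = [
    (date(2024, 5, 28), "alice", "hr-records", True),
    (date(2024, 3, 2), "bob", "finance-share", True),
    (date(2024, 5, 30), "vendor-acme", "ticketing", True),
    (date(2024, 5, 30), "vendor-acme", "hr-records", False),
]

def review(grants, log, today):
    """Return (grants to revoke, 3rd party events to investigate)."""
    third_parties = {g["user"] for g in grants if g["third_party"]}
    granted = {(g["user"], g["resource"]) for g in grants}
    last_used = {}
    for day, user, resource, allowed in log:
        key = (user, resource)
        if allowed and key in granted:
            last_used[key] = max(day, last_used.get(key, day))
    # A grant never exercised, or not exercised recently, is no longer needed.
    revoke = []
    for key in sorted(granted):
        used = last_used.get(key)
        if used is None or (today - used).days > STALE_AFTER_DAYS:
            revoke.append(key)
    # 3rd party activity outside what was granted, including denied attempts.
    investigate = [
        (day, user, resource)
        for day, user, resource, allowed in log
        if user in third_parties and (not allowed or (user, resource) not in granted)
    ]
    return revoke, investigate

if __name__ == "__main__":
    to_revoke, to_investigate = review(GRANTS, LOG, date(2024, 6, 1))
    print("revoke:", to_revoke)
    print("investigate:", to_investigate)
```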
When it comes to cyber security, there are a large number of precautions that enterprises of all sizes now need to take to achieve even standard levels of security. Each new start-up enterprise has an endless list of challenges to even come close to achieving their objectives, so IT security is an item on the agenda that can easily be overlooked. But with around half of small businesses experiencing data breaches, and the number of attacks increasing every year, each extra layer of protection makes perfect sense. With data security, safe protection is always better than severe consequences.
About the Author
Roy Castleman is founder and managing director of Prosyn Ltd. (PROfessional SYNergy), a London-based IT support organization focusing on small and medium-sized businesses. An experienced consultant in disaster recovery, he has accreditations with such companies as Microsoft, HP, and Cisco.
- Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques - defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.