09 Apr Essential Cyber Security Defences
Cyber security should be at the top of your list of concerns within your business. The days of cyber criminals / ‘hackers’ being tech geniuses and having knowledge the average citizen couldn’t even dream of having are over. Between cyber criminals not needing the same level of expertise they once did and the increased use of tech in the workplace, combined with the effect coronavirus has had on the world of work in the past year, the overall likelihood of becoming the victim of a cyber attack has increased considerably. In such an incredibly digitised age, it is best to exercise caution and be prepared for any and every eventuality.
In this article, we will help you to consider the landscape of threats that are perfectly capable of causing costly losses to small businesses, what those threats are, and why and how you should tackle them. This advice is combined with our decades of experience in supporting and protecting the interests of other local businesses just like yours, and includes a recent case example of where Apogee implemented the best security practices outlined here in this blog.
Why do you need good quality Cyber Security defences in your small business?
You hear it everywhere – ‘cyber security is important’, ‘cyber security should be a major concern for all business owners’ – but why? Why is it so important?
In the modern world it would be fair to say that technology makes the world go round. Without it the world as we know it wouldn’t exist and there are so many benefits we now receive from advances in technology. But with every positive there is a negative – this reliance on technology leaves a unique opportunity for cyber criminals; an opportunity they are not going to pass up. If a cyber criminal takes control – or accesses – your technological landscape they can single-handedly shut your business down from the inside-out, if they so wished.
Your cyber security is just as – if not more – important than the physical security you use to secure the perimeter of your premises. Would you leave the door open to your house with all your valuables on display for anyone to walk in as they wish? No? Well, that is what many businesses are doing with their technology, often leaving it wide-open to be exploited by criminals and foreign powers hell-bent on causing disruption or stealing your valuable sensitive data. Just as you put a lock on your door, fit an alarm system, or install security cameras on your house, it is essential that you take every necessary precautionary measure to protect your technology and private information from cyber criminals.
What are the range of threats that impact the sanctity of your business in a digital sense?
The potential threats:
Phishing scams come in many different forms, but most commonly they centre on the use of a false identity to extract sensitive information directly from an unwitting victim, often with the false identity being someone familiar to or trusted by that victim. Phishing scammers most commonly perform these attacks via email, which is the easiest and quickest way of reaching their targets.
Malware (Malicious Software) is software that is specifically designed with the intent of causing damage, destruction and chaos, or with the aim of stealing private data. Malware can take many forms and either strike immediately or lie in wait, acting in the background unbeknown to the user.
Malware is usually managed by a group of cyber criminals, as opposed to a lone criminal, who are looking to make money either by selling the software over the dark web or by spreading the Malware themselves.
Ransomware is a type of Malware, designed with the sole intention of forcing victims into paying a ‘ransom’ in order to regain access to their encrypted files, or to regain access to their disabled systems (hence the name Ransomware).
Ransomware is most commonly associated with file encryption. The hackers will infect a device (or worse, an entire network) with software that encrypts files as it goes, quickly followed by the display of a threatening message demanding payment in return for a ‘decryption key’ to return access to the owner. The cyber criminal will often threaten the victim with the deletion of files if the ransom is not paid in a timely manner.
In this often stressful and panic-filled situation, business owners will often pay the fee to the criminals because they are under the impression they will regain control / access of their systems and files. Unfortunately, it is in a criminal’s nature to lie – and despite paying there is no guarantee this will happen. When it comes to Ransomware your best course of action is to avoid becoming a victim in the first place – this can only be achieved by being informed and alert – while also having technical security defences – which will help you navigate around the threats.
Vishing (Voice Phishing) is an alternative deception-centred attack, which attempts to dupe unsuspecting targets into giving up information by phone.
Vishing fraudsters use the increased anonymity that digital telephony (VoIP) provides compared to traditional fixed-line telephony. VoIP enables the use of features, such as caller ID spoofing, which make it much harder for authorities to track, locate and bring scammers to justice (as opposed to Landline telephone services that allow numbers to be assigned to physical locations known to the phone companies).
The methods of manipulation used, however, are very similar to those employed in Phishing scams; with ‘Vishers’ also using a sense of urgency, panic, and emotional manipulation to force victims into sharing sensitive information without any level of prior consideration. A perception of legitimacy is also created using fake caller ID profiles and the use of IVR (interactive voice response) systems.
With quite a broad-range of threats now attempting to break down the defences and protection of our data and systems, how can a small business set about better protecting itself, without incurring considerable expense?
Cyber Security measures:
We all have accounts with passwords, which is why it is amazing quite how many people don’t use passwords as effectively as they could. The best passwords consist of a random assortment of letters, numbers, and other characters, which have no meaning or any relevance to the user. You should make them as long and complicated as you can without forgetting them.
If you stick to these principles you and your team can be certain you are setting strong enough passwords to stand up to scrutiny and keep your accounts as secure as possible.
- The longer the better; if possible, make sure your password is over 10 characters long and contains a combination of letters and numbers.
- If it is too easy to remember then don’t use it. Avoid easily recalled sequential passwords, recurring numbers (2345, 4567), as well as common words.
- Periodically change your password; sometimes accounts are hacked unbeknownst to the account holder.
- Use upper and lower-case letters.
You can also purchase a wide variety of different password management tools. These tools allow users to store, generate, and manage their passwords. A password manager can generate complex passwords on demand.
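The principles listed above can be checked mechanically, and a generator built on the operating system's random source shows in principle what a password manager does when it generates a password. This is an added example, not code from Apogee or from any password manager; the function names, the four-digit run threshold, the symbol set and the short common-word list are assumptions made for illustration.

```python
import secrets
import string

# Constructed sample of common words; a real check would use a far larger list.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin"}
# Assumed symbol set; adjust to whatever the target system accepts.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"


def has_digit_run(pw, run=4):
    """True if pw holds `run` adjacent digits that ascend or repeat (2345, 1111)."""
    streak = 1
    for prev, cur in zip(pw, pw[1:]):
        if prev.isdigit() and cur.isdigit() and int(cur) - int(prev) in (0, 1):
            streak += 1
            if streak >= run:
                return True
        else:
            streak = 1
    return False


def check_password(pw):
    """Return the list of the article's rules that pw breaks (empty means it passes)."""
    problems = []
    if len(pw) <= 10:
        problems.append("not over 10 characters")
    if not any(c.isdigit() for c in pw) or not any(c.isalpha() for c in pw):
        problems.append("needs both letters and numbers")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("needs upper and lower case")
    if has_digit_run(pw):
        problems.append("contains sequential or repeated digits")
    if any(word in pw.lower() for word in COMMON_WORDS):
        problems.append("contains a common word")
    return problems


def generate_password(length=16):
    """Draw characters from the OS CSPRNG until every rule above is satisfied."""
    if length <= 10:
        raise ValueError("length must be over 10")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(pw):
            return pw
```

`secrets` is used rather than `random` because the latter is not designed for security-sensitive values.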
The correct use of passwords is often overlooked, sometimes merely in order to make things easier for the user themselves. However, they are arguably the most important of all cyber security measures you have in your arsenal and will put your system in good stead against cyber attacks.
Multi-factor authentication adds another layer to your security. It acts as an additional way of knowing that the users trying to gain access to your system are who they say they are by requesting authentication through another device / source (a text message or email, for example) that is only known to the individual trying to gain access.
You need to install Anti-Malware on all computers and laptops at home and in the office. Yes, you get a free one with the manufacturer a lot of the time but you cannot trust the free one from the manufacturer – these are often very basic and are not guaranteed to support business standards of cyber security.
‘I thought that’s what I was trying to avoid happening?’ A fair question because that is true. As we explained previously, cyber criminals’ intentions are to encrypt your data, but you want to beat them to the punch and be the ‘key holder’. Understand? No? Let’s go into more detail then. Encrypting your own data is different to it being encrypted by a third party. Data encryption is the process of scrambling the readable text of your files and documents so they can only be read by the person who holds the ‘key’ – by doing this you are essentially turning the tables on the cyber criminal.
To stop unauthorised access, managing permissions to confidential information, sensitive data and system settings – both by individuals within and outside of your organisation – is very important. Access breaches could allow Malware intrusion, deliberate changes to your current security settings – to allow for future attacks to be committed – or data theft / loss.
Not all cyber security measures are technical. There are other ways to be cyber secure that are centred around the behaviour of your users and the rules you put in place to keep them safe when working online. They are as follows:
Having policies in place around the use of your system enables your users to perform and complete their day-to-day work with as little interference as possible.
To ensure compliant use of your technology and that best cyber security minded practices are adhered to, employing policies within your business is one of the best ways to mitigate the risk of a cyber breach.
In the same way that policies help direct and control how people utilise IT, educating your users can ensure that they act as a ‘human firewall’ in their role as the last line of defence against attack.
You can introduce the best security measures in the world but if your users are not educated and alert to the variety of threats that they might face – and how to get the most from said security measures – you will forever be vulnerable to even the simplest forms of attack.
Now that we have been through some of the security measures that you can take to ensure cyber security, let’s explore how we at Apogee can help you by looking at an example of how we assisted an existing customer of ours to become cyber secure.
Securing a small business in practice
The customer is an established tech media company that is very mobile and doesn’t have a requirement for a server environment, but they did need control and protection over their company data, and control of staff access to files and company emails, with the ability to instantly rescind that access if necessary. They also needed better lines of communication, collaboration and co-operation, both with internal staff and externally with their clients.
Our client had a requirement to increase their security and better manage the files of their clients for compliance purposes, and asked us how they could achieve this. They were working on stand-alone devices with no centralised control over user access to data and had several solutions which didn’t provide the level of control and integration required.
We recommended the Apogee Security Bundle, which includes all the best practice elements (as outlined within this article) that are required to achieve cyber security peace of mind.
- Barracuda Email security and Sentinel AI provide email scanning and heuristic scanning using Barracuda’s AI in the cloud, called Sentinel. This provides a multi-layer approach to email security: Antivirus scanning is used while the AI actively learns the company’s email habits, to better protect them from phishing attacks, malware attachments, etc. Alongside this, we implemented DKIM and DMARC for better protection from Spoofing and other compromise attacks used by current cybercriminals. Due to the better monitoring and visibility of these issues, Apogee can now monitor for attacks and provide real-time responses as part of this service.
- Barracuda cloud-to-cloud backup is used to back up emails, SharePoint Files and Folders, and Teams conversations and file locations. This is useful as Microsoft don’t back up these locations and deletions are unrecoverable after 30 days, possibly leaving a cloud-only business non-compliant or at least exposed to accidental deletions which are not spotted in a timely fashion (especially if revisioning is a large consideration for a business such as a journalistic company).
- PhishLine is an ongoing user training service which is used to educate employees about the current types of email attacks such as phishing attacks. It demonstrates what to look out for over a monthly period, and then test emails are sent to ensure the training has been absorbed by the email users, with any who click through on the test emails being tested the following month. The training is split into quarterly parts over the year and is kept current. This is the human firewall layer of the security package we have put together because training is a major part of any person-orientated approach to security.
- Intune is Microsoft’s endpoint management suite which controls access to company devices such as laptops, tablets and phones to better cope with modern BYOD (Bring Your Own Device) strategies, which are often used in modern companies such as this one. With a single sign-on experience, they have one password which is used across emails, laptop sign-in, and file access, all controlled through Azure and Office 365. By using Intune we have full control over things like USB drives and screen saver settings, so we could help implement a company-wide security policy which they could have confidence in. In the event of staff turnover, we can remove access rights and any email / file access on personal devices without wiping personal data from the devices. Effectively this means they became and remain very compliant while still being flexible for the company’s employees.
We also implemented Teams to help them collaborate on projects and to store all their company files in a single location by leveraging Teams and SharePoint to store them. This meant the files can be accessed across all their devices securely and, by syncing them down to the laptops using OneDrive, they had multiple methods of working on documents and projects. Teams also enabled better team contact throughout the COVID pandemic, which meant that they could be as efficient at home as they are in the office or remotely, perhaps at a client’s site.
Implementation and results:
As this was such a substantial change to their working resources and environments, these new systems were implemented over a period of time, in stages, making sure each stage was completed satisfactorily and then providing training based on their feedback, to ensure as smooth a transition as possible.
This is still fresh but the recent feedback from them has been good and our ongoing support has meant they have had a smooth transition.
Technology to thrive on – Apogee
Technology is pivotal to your business and we want you to understand the value it provides when working seamlessly with your operations. Apogee values transparency and simplicity – we provide the IT support you need when you need it. Within this support is the guarantee that your technology is secure against all manner of cyber threats. We will work alongside you and guide you into a secure, brighter future with technology as your ally. Contact us now to find out how we can help you.