4 Tips to Secure Your Business Against Cyber-attacks
In the last few years, cyber-attacks have been increasing exponentially at an alarming pace. We have reached the point that cybersecurity is now a top concern for nearly all governments and businesses. In fact, one of the very first executive orders Trump signed in office was a cybersecurity measure that he claimed would be a priority in his presidency. The measure came after some very high-profile attacks in 2016 on large businesses and major political organizations. However, attacks are increasing for all sized businesses and across all industries.
According to Small Business Trends in December 2016, 43% of all cyber-attacks were on small businesses. Unfortunately, small companies are more vulnerable, and the U.S. National Cyber Security Alliance found that 60% of them closed within six months of an attack. This trend means that companies will start considering cybersecurity a business driver due to the proliferation of cyberspace in our personal and business life.
In an article published by CNBC in February of 2017, Hiscox Insurance estimates that cybercrime cost the global economy $450 billion in 2016 alone, and unfortunately “53 percent of businesses in the U.S., U.K., and Germany were just ill-prepared."
"Most small-business owners don't think they're at risk. As a result, it's fair to say they are indeed ill-prepared to safeguard against an attack," said Bryan Seely, a network engineer famous for hacking into the FBI. Small and Medium businesses clearly need help with defense, and they often have bootstrapped budgets and small internal teams that lack the skills and experience needed to prevent and deal with increasing attacks.
Be prepared to demonstrate cyber-security due diligence. Covering the different pillars of cybersecurity is essential for any company today, whether they have a web presence or not. We have put together a list of 4 important tips about cybersecurity and cyber-attacks to help you get started securing your business and reducing the financial risk of an attack.
- User access management is a primary pillar, and weakness here can pose more risk than ever before with the increased use of cloud resources.: Password authentication provides weak security and can be easily hacked for many reasons. Users may choose a password that is not very secure, like the names of family members. These are easy to remember, but also easily guessed. They may use the same password for a variety of logins, making it easy to hack multiple sites at once. Individuals may also not update their passwords on a regular basis, without being prompted to do so. Additionally, passwords can be broken via brute-force or weak password encryption stores. As a result, companies are turning to single sign-in solutions to make passwords more secure, and there are more apps and tools available to help individuals keep track of their passwords. These tools improve protection against cyber-attacks because they constantly evolve for you, so you do not have to keep up. Many companies have also started using multifactor authentication. This requires additional steps and verification through SMS, biometrics, and behavioral data, such as the location or computer from which you normally sign-in.
- Consider cyber insurance.: Cyber insurance is available to companies to help recover some of the financial loss from cyber-attacks. The main downside with insurance is that it works like regular insurance, and premiums increase (usually) significantly after you make a claim. For smaller companies or those with lean budgets, insurance may become cost prohibitive. Another drawback is that insurance does little to prevent attacks from happening in the first place, so you still need a good plan for prevention and disaster recovery.
Despite these drawbacks, insurance could help save those 60% of small businesses that close within six months of an attack. One of the reasons many close down, according to research from Complete Care IT, is that SMBs spend an average of $879,582 to repair the damage and recover stolen IT assets.
If you are interested in cyber insurance, the first step is to identify vendors or cyber-insurance brokers that will meet your needs and budget. There are a lot of cyber insurance products and vendors currently, and the industry is still evolving. Do your research thoroughly and ask lots of questions.
The company you select may then do an assessment before insuring your company. They will determine your level of risk which your premium rates will reflect. As a warning, this stage can be lengthy, and some companies will feel like they don’t have the time and money to go through the process. The audit can even slow down your time to product/market, and as the industry matures, coverage may be less of a guarantee. In the article, “Insurers Getting Smarter About Assessing Cyber Insurance Policy Risks,” Ericka Chickowski writes: “The more the insurance companies gain experience and tools in assessing the true risk posture of clients, the more likely policies will grow expensive for risky clients and claims will be rejected for those who fail to meet policy requirements.”
There’s also the potential issue that comes with the same company setting your premiums and conducting the assessment. As a result, there are now external assessors who calculate a company’s risk similarly to the way FICO credit scores are done. One such company is BitSight (https://www.bitsighttech.com/), and their mission statement says: “In 2011, BitSight pioneered the security ratings market, founding the company with a solitary mission: to transform how organizations evaluate risk and security performance by employing the outside-in model used by credit rating agencies.” BitSight uses a scale with 200 factors and assessment process that is fairly rigid, and fair.
- Be prepared to manage and handle Zero-day attacks.: What is a Zero-day attack? They are holes in a software program that is unknown to the vendor and then exploited by hackers. The attack usually occurs before anyone is aware of the vulnerability and has had a chance to fix it. No one currently has protections for these types of attacks, and as a result, you cannot prevent 100% of these attacks. Businesses can have a plan in place that is ready for when they do occur. Early detection, rapid containment, and response are the key parts of a solid plan. Having backups and redundancies in place, and tested on a regular basis, are essential. This will ensure you can get up and running again as quickly as possible, minimizing the disruption to your business and your customers.
Lockheed cyber kill chain framework provides companies with a template for containing the damage from zero-day attacks. As stated on their website, “The seven steps of the Cyber Kill Chain® enhance visibility into an attack and enrich an analyst’s understanding of an adversary’s tactics, techniques, and procedures.” You can read more about it here.
- Consider the ease of commoditized custom malware.: Anyone can buy custom malware on the darknet for as little as $24.99. It doesn’t require programming knowledge or skills, and most are so simple that a 6th grader could use it. For instance, setting up the software often requires simply checking a series of boxes. When companies are dealing with an attack from custom malware, it creates a lot of noise and confusion since these viruses are difficult to remove and detect. The fact that each one is different and customized is part of the reason they are so challenging, and companies can easily lose focus trying to minimize the damage while simultaneously figuring out how to stop it. Some payment companies, like Bitcoin, allow individuals to make electronic payments with no paper trail and no middleman. This has made it even harder to trace who is behind an attack. All of these factors combined have made custom malware a lucrative business.
Malware infects a company when an individual visits a malicious site or downloads an attachment or content from a malicious email. Businesses need to make sure they are communicating with & training individuals in the company about the dangers and characteristics of suspicious emails. Your employees will be the first line of defense for all the noisy custom malware. For more advice and how to manage suspicious emails, please see our blog post: How to Identify a Malicious Email: 6 tips.
Mobile devices are another vulnerable, easy target for malware attacks. The increase in mobile traffic over the last decade has outstripped the creation of cybersecurity designed specifically for mobile devices. Mobile is also an easy target because use has penetrated developing countries at such a fast pace that they say there are more mobile devices in some countries than running water or toilets. Many of these markets are even more underprepared for cyber-attacks than developed nations.
Even in developed countries, a lack of awareness about the vulnerability of mobile devices makes them an easier target than desktops. For instance, many people don’t know their phone can become a reflector if they visit a malicious site on their device which becomes infected and they unknowingly bring it to work and connect it to their company’s network. Hackers use these reflectors to amplify and obscure their attacks, making it even more difficult to trace the origins of the attack.
Work with cybersecurity professionals to identify the weak points in your systems. There are a lot of tools available on the web that claim they can scan your systems to detect vulnerabilities. The capabilities of these tools are trivial and not likely to fully detect all of the weak points that hackers can find and exploit. To find the areas that are really under threat from attacks, first look at prime targets or low hanging fruit, like old servers. Have a professional develop a plan for securing your perimeter which includes detection, remediation, and recovery.
Make sure you have solid plans and track the upkeep of all your applications and infrastructure before they reach the end of support. It is essential that you keep up with maintenance on a regular basis. Life-cycle management is as relevant for in-house environments as it is for the cloud, although the cloud is easier to miss due to its out-of-sight, out-of-mind nature. Ensure that you are protecting the identities of your users, customers, partners, and associates.
click to hear more of what Nick Belov and other experts have to say about Cybersecurity Trends for SMBs
Nick Belov is Chief Information Security Officer at CGS. Prior to joining CGS in 2016, Nick was Director, Information Security Risk Management for MUFG, Union Bank.
Nick has more than 15 years' experience in IT and security.