Cyber security is all very well for large professional services firms with big budgets, but what can you do if your resources are more limited? Here we explain how you can make yourself safer without breaking the bank and taking up valuable working hours.

Many smaller firms are unclear about the cyber threats they face and don’t really understand the ways in which they’re vulnerable. Some even think they’re not a viable target; they’re mistaken. If this sounds familiar, don’t worry – the vast majority of cyber attacks can be mitigated with basic controls. Below are two common ways in which you are vulnerable to attack, and some advice on what you can do to improve your firm’s security and protect your business.

1. Network and software vulnerabilities

The majority of cyber attacks are automated, so they require practically no skill to execute, are cheap and easy to run, and are indiscriminate, looking only to exploit common vulnerabilities rather than specific websites or companies. Every internet-facing organisation is at risk. These attacks invariably focus on network and software vulnerabilities, which few managers and business owners understand or appreciate.

Network vulnerabilities result from insecure operating systems and network architecture, such as flaws in servers and hosts, misconfigured wireless access points and firewalls, and insecure network protocols (the rules that govern how network devices, such as modems and routers, communicate with each other).

Software vulnerabilities are flaws in the software itself, such as coding errors, or cases where a program responds to certain inputs in unintended ways.

What can you do?

Your IT department should have a patch management programme that ensures updates are installed promptly. It is also very likely that your machine is set to install updates automatically. Although it can seem to want to update and restart at the most inconvenient times, it is important not to postpone updates for longer than you must: until the update is applied, the machine stays exposed to the flaws it fixes.

It’s also important to limit your exposure to attacks that seek to exploit vulnerabilities. The majority of software exploits are delivered by phishing emails, which masquerade as legitimate communications from trusted senders but contain links to malicious sites or carry infected attachments that drop malware. As soon as you or any of your colleagues open one of these attachments or click one of these links, you risk giving criminals a foothold on your network, especially if you are running unpatched software versions that are susceptible to attack.

Learning to recognise malicious emails is essential to combatting this threat. Once malicious content gets past your antivirus, anti-malware and firewall software, your staff are your last line of defence.

2. Weak, default and reused passwords

Passwords are a common point of intrusion for cyber criminals. Far too often, default passwords are left unchanged, or weak and easily cracked passwords are used. However, the biggest issue by far is the extent to which people reuse their credentials on different sites and services.

If another website has been compromised and login details have been stolen, criminals will automate attacks using the username/password combinations they have gained to see what else they can access. Password reuse is rife, so the likelihood of their gaining access to multiple sites with a single set of stolen credentials is high. So, it is essential to use a different password for every account you have, especially if it is linked to the same username – often your email address.
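To show what the automated reuse of stolen credentials looks like from the defender's side, here is an added Python example (not part of the original article) that scans login-log lines for the tell-tale pattern: one source address trying many different usernames within a short window with a high failure rate, which is how replayed breach credentials differ from an ordinary user mistyping one password. The log format, the addresses (RFC 5737 documentation ranges), the sample lines and the thresholds are all constructed assumptions for illustration.

```python
"""Detect credential-reuse ("credential stuffing") attempts in login logs.

Constructed example: the log format and every line below are made up for
illustration. A legitimate user retries ONE account a few times; an attacker
replaying leaked username/password pairs cycles through MANY accounts from
the same address, and most attempts fail.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (addresses from the RFC 5737 documentation ranges).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z ip=198.51.100.7 user=alice@example.com result=FAIL
2024-03-01T10:00:09Z ip=198.51.100.7 user=alice@example.com result=OK
2024-03-01T10:05:00Z ip=203.0.113.5 user=bob@example.com result=FAIL
2024-03-01T10:05:01Z ip=203.0.113.5 user=carol@example.com result=FAIL
2024-03-01T10:05:02Z ip=203.0.113.5 user=dave@example.com result=FAIL
2024-03-01T10:05:03Z ip=203.0.113.5 user=erin@example.com result=OK
2024-03-01T10:05:04Z ip=203.0.113.5 user=frank@example.com result=FAIL
2024-03-01T10:05:05Z ip=203.0.113.5 user=grace@example.com result=FAIL
2024-03-01T10:05:06Z ip=203.0.113.5 user=heidi@example.com result=FAIL
2024-03-01T11:30:00Z ip=192.0.2.44 user=ivan@example.com result=FAIL
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict (assumed format)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": kv["ip"],
        "user": kv["user"],
        "ok": kv["result"] == "OK",
    }


def detect_credential_stuffing(log_text, window=timedelta(minutes=10),
                               min_distinct_users=5, max_success_ratio=0.5):
    """Return {ip: alert} for each source address that, within `window`,
    tried at least `min_distinct_users` different accounts with a success
    ratio no higher than `max_success_ratio` (thresholds are assumptions).

    Each alert lists how many accounts were tried and which logins succeeded,
    because those accounts are the ones that need a password reset."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            e = parse_line(line)
            events[e["ip"]].append(e)

    alerts = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        # Slide a window starting at every event from this address.
        for i, start in enumerate(evs):
            span = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            users = {e["user"] for e in span}
            successes = sorted({e["user"] for e in span if e["ok"]})
            if (len(users) >= min_distinct_users
                    and len(successes) / len(span) <= max_success_ratio):
                candidate = {"distinct_users": len(users),
                             "attempts": len(span),
                             "compromised": successes}
                # Keep the widest window seen for this address.
                prev = alerts.get(ip)
                if prev is None or candidate["distinct_users"] > prev["distinct_users"]:
                    alerts[ip] = candidate
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {alert['distinct_users']} accounts tried in "
              f"{alert['attempts']} attempts; successful logins to reset: "
              f"{', '.join(alert['compromised']) or 'none'}")
```

On the sample data only 203.0.113.5 is flagged (seven accounts in seven seconds, one success), while the user who mistyped their own password once is not. The successful login in the flagged batch is the actionable item: that account's password was almost certainly reused from a breach elsewhere and should be reset.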

What can you do?

Traditional advice is to make passwords complex, to use upper and lower case letters and numbers, and to change them regularly. However, this is almost impossible for the average user to follow – especially as you need a different password for each online account. How, then, do you select memorable but complex passwords, and manage them?

Modern advice is to use passphrases rather than passwords. Phrases are much easier for people to remember than random combinations of letters, numbers and symbols, and when it comes to password strength, length matters more than complexity: every character you add multiplies the number of possible passwords an attacker would have to try, so a password’s strength grows exponentially with its length.
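An added example (not from the original article) that puts numbers to the claim above: it computes the size of the search space an attacker must cover for several password policies, assuming each character, or each word of a passphrase, is chosen at random from the stated set. The policies compared, the 7,776-entry wordlist size and the guessing rate are illustrative assumptions.

```python
"""Compare password policies by the size of the space an attacker must search.

Added example for the article, not its own material. Assumes every character
(or every word of a passphrase) is picked uniformly at random from the stated
set; a human-chosen phrase such as a song lyric is far weaker than this model.
"""
import math

SECONDS_PER_YEAR = 365 * 24 * 3600
# Assumed offline guessing rate for illustration only (guesses per second).
ASSUMED_GUESSES_PER_SECOND = 10 ** 10


def search_space(length, symbol_count):
    """Number of possible secrets: symbol_count ** length.
    Each extra symbol multiplies the space by symbol_count, which is why
    strength grows exponentially with length."""
    return symbol_count ** length


def entropy_bits(length, symbol_count):
    """log2 of the search space: bits of entropy for a randomly chosen secret."""
    return length * math.log2(symbol_count)


def years_to_exhaust(length, symbol_count, rate=ASSUMED_GUESSES_PER_SECOND):
    """Years needed to try the whole space at `rate` guesses per second.
    On average an attacker succeeds after about half of this."""
    return search_space(length, symbol_count) / rate / SECONDS_PER_YEAR


# (label, units per secret, distinct symbols per unit): illustrative policies.
POLICIES = [
    ("8 chars, all 94 printable ASCII", 8, 94),
    ("12 chars, lowercase letters only", 12, 26),
    ("20 chars, lowercase letters only", 20, 26),
    ("4 random words from a 7776-word list", 4, 7776),
    ("6 random words from a 7776-word list", 6, 7776),
]


def compare_policies(policies=POLICIES):
    """Return (label, bits rounded to 0.1, years to exhaust) per policy."""
    return [(label, round(entropy_bits(n, k), 1), years_to_exhaust(n, k))
            for label, n, k in policies]


def growth_factor(length, symbol_count):
    """Ratio of the search space after adding one symbol to the space before:
    always equal to symbol_count, independent of the current length."""
    return search_space(length + 1, symbol_count) // search_space(length, symbol_count)


if __name__ == "__main__":
    for label, bits, years in compare_policies():
        print(f"{label:40s} {bits:6.1f} bits  {years:14.3g} years to exhaust")
```

The table shows the point of the passage: twelve lowercase letters already outscore eight characters drawn from the full keyboard, and twenty lowercase letters put the search space beyond any realistic guessing rate. The figures are only valid for randomly chosen characters or words; a passphrase built from a famous quotation or a predictable pattern sits in a far smaller space than the model suggests.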

Source: IT Governance