With 88% of UK companies having been the victim of a cyber-attack in the last 12 months, and a new small business successfully hacked every 19 seconds, it is more important than ever that your business is protected and that you have a well thought out security and recovery strategy.
Here is our Cyber Essentials checklist to help!
Over 50% of all cyber-attacks today are related to some form of social engineering attack, most commonly in the form of a phishing email.
These are emails purporting to be from a legitimate sender (e.g., your company's CEO) asking for something that will get money for the attacker. Gift cards are the most common request, because they work internationally and are challenging to trace, but requests to change an employee's bank account details, or similar, are also typical.
Fortunately, phishing emails are relatively easy to defend against and the tools to do so are getting more and more advanced.
The most basic form of defence lies in your business processes and the training of your staff: from robust authentication of financial transactions to simulated phishing emails that improve users' ability to recognise attacks. There are also tools built into platforms like Office 365 that detect common phishing emails and block them from reaching users, as well as protecting against impersonation of key staff members.
The next biggest threat, and another that has been in the news, is ransomware and other malware. Ransomware is software that runs through your entire file set (customer data, invoices, design files, production information, etc.) and encrypts the data.
This makes it completely inaccessible to you unless you pay the fee demanded by the attacker, usually in Bitcoin or some other cryptocurrency to provide anonymity.
There are also a number of defences against ransomware. Endpoint protection systems such as Defender from Microsoft can block many ransomware incidents before they even happen; user access can be restricted to only the files each person needs for their job, limiting the reach of any incident; and good immutable backups allow you to recover from an attack without paying any of the ransom demands.
A third type of attack is known as Denial-of-Service. It is usually a low-sophistication attack that does not involve the attacker gaining access to your data or systems. As the name suggests, the aim is to stop legitimate users from accessing the target system or data, and it can involve anything from a disgruntled employee disconnecting IT equipment on their last day to traffic floods from across the globe exhausting the capacity of your internet connection or servers.
Because Denial-of-Service covers a wide range of different attacks, it is challenging to pin down one specific strategy to protect against them, but there are a few things that can help. Properly set up and sized services are better able to handle spikes in traffic, and proper business-grade equipment that can block these threats at your network edge helps protect servers and maintain availability.
An important thing to keep in mind is that not all denial-of-service incidents are malicious. For example, a product going viral online may cause a huge surge of potential customers trying to access your website for more information or to order, and this can leave your website inaccessible if it cannot handle the additional load. A further example is the recent UK census, where suddenly the entire country was accessing the same website to enter their household data, and the system had to cope with 27.8 million households in the same day. One potential protection against this kind of issue is to take advantage of cloud services from companies like Microsoft, where the resources available can be scaled automatically based on the demand for the service.
The highest fine the ICO has levied for breaches of the GDPR regulations reaches as high as £183 million, and the cost of recovery from a major cyber-attack can easily put a company out of business, so can you really afford not to put any protection in place?
A great first step for UK businesses is to complete the government-led and accredited Cyber Essentials scheme, which aims to provide businesses with a simple but effective baseline of security measures that protects against the majority of cyber-attacks. A Cyber Essentials certification can help reassure existing customers that you take the protection of their data seriously, help you win new customers, and is also a requirement for winning a government contract. At only £300, it is a worthwhile scheme that can give you, and your customers, some crucial peace of mind during the current trying times.
You can achieve a Cyber Essentials certification by completing the Cyber Essentials self-assessment questionnaire (SAQ). The SAQ includes approximately 70 questions covering each of the five Cyber Essentials security controls:
- Secure configuration
- Firewalls and routers
- Access controls
- Software updates
- Malware protection
The SAQ includes both yes/no questions and open questions that require a more detailed response.
Your completed SAQ serves as a statement of your organisation's compliance, demonstrating that you have met the scheme's requirements. It must be signed off by a member of your organisation's board or equivalent. Find the form here.
We also strongly recommend the adoption of MFA (Multi-Factor Authentication), as it protects users from an unknown person trying to access their account by adding an additional layer of protection to the sign-in process. When accessing accounts or apps, users provide additional identity verification, such as a fingerprint or a code received on their phone. This drastically reduces the risk of a security breach, and sensitive data stays protected.
- The vast majority of attacks these days are social engineering based, e.g. phishing emails. These can be defended against by:
  - User training (both in terms of correct processes and phishing simulations)
  - Microsoft Defender for Office 365 (formerly Exchange Online Advanced Threat Protection), which filters out many phishing emails and can also protect key users in your organisation
  - The principle of least privilege: users can only do as much harm as you allow them to do
- Malware and ransomware are two other big threats:
  - A good endpoint protection tool can help (e.g. Webroot or Microsoft Defender for Endpoint)
  - User training (do not download and run random executable files)
  - The principle of least privilege
  - Good immutable backups are not a defence against ransomware, but they can be used to recover from it once hit
- Denial of Service attacks are challenging to defend against and cover a broad spectrum of techniques:
  - Strong, resilient services can better withstand smaller attacks
  - The ability to block traffic at the network edge can help mitigate the effect on servers/services
  - The ability to scale quickly can help protect against non-malicious DoS incidents (e.g. the servers running the recent census needed to scale quickly, as the whole country was suddenly accessing the same site on the same day)
In summary, there are many cyber security threats businesses should be aware of, and you should be taking a number of proactive steps to minimise the risk of a breach. It is not the most exciting topic for many, but it should be an absolute priority.