We examine why companies continue to fall victim to cyber attacks despite increased awareness of the threat, and set out some proactive steps they can take to avoid security breaches.
Why informed companies continue to get hacked
Recent UK Government statistics found that nearly half of all UK businesses suffered a cyber breach or attack in the past 12 months. Firms holding personal data or processing payments are the top targets. The average cost to a business was £1,380, and the most common attacks were fraudulent emails, followed by viruses and malware. So why do companies continue to get hacked, despite massive media coverage and the widespread use of commercial security products?
Some of the reasons:
- Small businesses are less likely than medium or large firms to have sought expert guidance on the topic, and they often cannot afford qualified, skilled security staff
- Poor advice received from non-technical advisors or software salespeople
- Poorly configured software and systems
- Inadequate staff training and a shortage of qualified staff
- Lack of scenario planning around incident management
On the other hand, it has never been easier to engage in malicious hacking, for profit or simply out of malevolence. A plethora of tools is freely available, and as digital life becomes more complex, with more and more devices connected to the internet without a thought for security, systems become more vulnerable. You might have heard of affiliate marketing, in which a business rewards one or more affiliates for each visitor or customer brought in by the affiliate's own marketing efforts. But have you heard of malware affiliate marketing? Malware authors, having seen what works elsewhere, have developed their own affiliate programs, paying affiliates for each machine they infect rather than for each customer they bring in.
In the security assessments that we have performed for small businesses in Ireland, we regularly encounter the following:
- Weak ciphers or encryption settings, with which a determined attacker could compromise password-protected logins and take control of a site or server
- Service ports such as database, SSH and RDP listening on public interfaces. In every one of these cases there was absolutely no need for the service to be reachable from the internet.
- Lack of redundancy or backup: one e-commerce retailer (to pick just one) runs its entire site (front end, back end and every other IT asset) on a single server with a single storage volume, and the configuration and setup are recorded nowhere else. Quite apart from the security risk, this is simply bad practice, because servers also fail for purely technical reasons.
- Nicely designed sites delivered by competent front-end developers that nonetheless have security flaws due to poor configuration, meaning the web server on which the site lives could easily be compromised. Developers often leave the standard administrative configuration and defaults unchanged, leaving easily exploitable weaknesses; they are often simply unaware of the security implications of what they are doing.
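The first finding above, weak cipher or encryption settings on a login endpoint, is easy to reproduce and easy to fix at the TLS layer. The following is an added example (not code from the article or from any of the assessed sites) that builds a hardened server-side TLS context in Python and audits any context for the weaknesses an assessment would flag. The cipher string, the marker list and the "legacy" context are this example's own assumptions about what a careless default looks like, not settings taken from the page.

```python
import ssl

# OpenSSL cipher-list string for the TLS 1.2 suites a public web server should
# still offer: forward-secret (ECDHE) key exchange with AEAD bulk ciphers only.
# This exact list is an assumption of the example, not a setting from the article.
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES"

# Substrings that mark a suite as broken, anonymous or obsolete.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "ADH", "AECDH")


def hardened_server_context() -> ssl.SSLContext:
    """Server-side context that refuses pre-TLS 1.2 clients and weak suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(STRONG_CIPHERS)
    ctx.options |= ssl.OP_NO_COMPRESSION  # rules out CRIME-style compression attacks
    return ctx


def legacy_server_context() -> ssl.SSLContext:
    """The 'accept whatever the library allows' context an assessment often finds."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Summarise what a context would accept, without opening a socket."""
    enabled = ctx.get_ciphers()  # one dict per enabled suite: name, protocol, description, ...
    weak = sorted(c["name"] for c in enabled
                  if any(m in c["name"] for m in WEAK_MARKERS))
    # TLS 1.3 suites are always forward secret; for TLS 1.2 require (EC)DHE key exchange.
    not_pfs = sorted(c["name"] for c in enabled
                     if c["protocol"] != "TLSv1.3"
                     and "Kx=ECDH" not in c["description"]
                     and "Kx=DH" not in c["description"])
    return {
        "allows_pre_tls12": ctx.minimum_version < ssl.TLSVersion.TLSv1_2,
        "weak_suites": weak,
        "non_forward_secret_suites": not_pfs,
        "suite_count": len(enabled),
    }


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_server_context()),
                       ("hardened", hardened_server_context())):
        print(label, audit_context(ctx))
```

`audit_context` works on the context object alone, so it can run in a unit test or a deployment check before anything listens on a port; what the server actually negotiates still depends on the OpenSSL build underneath, so a health check should confirm it from the outside as well.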
What companies can do for themselves
Imagine going to a car garage for a service. Would you assume that the mechanics would adjust your child's seat for maximum safety or update your sat nav software? Don't assume that your otherwise excellent IT people are looking after security. You may be surprised to hear it, but many IT graduates have never studied anything security related. Security is a very specialized discipline that draws on networking, system administration, development, software engineering and infrastructure engineering, and it requires a solid grounding in all of them. For small businesses, especially those holding data or processing payments, security is not something to compromise on.
Take a moment to consider these questions:
- Do your IT team or third-party developers know how to secure your digital assets?
- Who do you depend on if you suffer a data breach?
- What would you do if your customer database was hacked, your website defaced or taken down, or you couldn’t access your email or business files?
Ciaran Martin, CEO of the UK's National Cyber Security Centre, advises:
“The majority of successful cyber attacks are not that sophisticated, but can cause serious commercial damage. By getting the basic defences right, businesses of every size can protect their reputation, finances and operating capabilities.”
Steps you can take to significantly improve your cyber security:
- Install, maintain and update antivirus, anti-malware and firewall software for desktop and mobile.
- During system/server provisioning and setup, apply at least the basics of hardening in your environment, and keep the system patched and up to date.
- Consider open-source products, which can be more cost effective than commercial solutions.
- Remove unused services from your server and restrict access to those that do not need a public interface (basically anything other than HTTP(S)).
- Always grant the minimum required privileges for your users/employees.
- Set up a proper user access policy in your environment and keep it up to date as staff join and leave.
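The "restrict access to services that do not need a public interface" step above, and the "database, SSH and RDP on public interfaces" finding from the assessments earlier on the page, both come down to knowing what is listening on all interfaces and fencing off anything that is not HTTP(S). The following is an added example (not code from the article) that parses `ss -tlnp`-style output, flags wildcard-bound listeners outside the allow list, and renders an nftables input policy that keeps the flagged ports reachable only from an administrative network. The sample socket listing and the `203.0.113.0/24` admin range are constructed for the example.

```python
import re

# Public ports a typical web server genuinely needs to expose.
ALLOWED_PUBLIC_PORTS = {80, 443}

# Local addresses that mean "listen on every interface", IPv4 and IPv6.
WILDCARD_ADDRS = {"0.0.0.0", "*", "::", "[::]"}

# Constructed sample of `ss -tlnp` output for a small e-commerce host
# (assumed layout; not a capture from any real system).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      80     0.0.0.0:3306        0.0.0.0:*         users:(("mysqld",pid=1203,fd=21))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=1410,fd=6))
LISTEN 0      511    [::]:443            [::]:*            users:(("nginx",pid=1410,fd=7))
LISTEN 0      128    127.0.0.1:6379      0.0.0.0:*         users:(("redis-server",pid=990,fd=6))
LISTEN 0      128    *:3389              *:*               users:(("xrdp",pid=1501,fd=11))
"""

_PROC_RE = re.compile(r'\(\("([^"]+)"')  # first process name in users:(("name",pid=..))


def parse_listeners(ss_output):
    """Yield (address, port, process) for each LISTEN line of `ss -tlnp` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or something that is not a listening socket
        addr, port = fields[3].rsplit(":", 1)  # rsplit keeps IPv6 brackets intact
        m = _PROC_RE.search(line)
        yield addr, int(port), (m.group(1) if m else "?")


def exposed_services(ss_output, allowed=ALLOWED_PUBLIC_PORTS):
    """Return sorted (port, process) pairs bound to all interfaces on non-allowed ports."""
    return sorted(
        (port, proc)
        for addr, port, proc in parse_listeners(ss_output)
        if addr in WILDCARD_ADDRS and port not in allowed
    )


def nft_ruleset(findings, admin_cidr="203.0.113.0/24"):
    """Render an nftables input chain: public 80/443, flagged ports only from admin_cidr."""
    allowed = ", ".join(str(p) for p in sorted(ALLOWED_PUBLIC_PORTS))
    flagged = ", ".join(str(p) for p, _ in findings)
    return "\n".join([
        "table inet filter {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
        f"    tcp dport {{ {allowed} }} accept",
        f"    ip saddr {admin_cidr} tcp dport {{ {flagged} }} accept",
        "  }",
        "}",
    ])


if __name__ == "__main__":
    found = exposed_services(SAMPLE_SS_OUTPUT)
    for port, proc in found:
        print(f"exposed on all interfaces: {proc} on tcp/{port}")
    print(nft_ruleset(found))
```

The firewall is the quick fix; the better one for the database is to stop it listening on the public address at all (bind it to localhost, as the Redis instance in the sample already is), and to reach SSH and RDP through a VPN or bastion rather than directly from the internet.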
This may be more than your own IT team can handle, so consider booking a security health check with a reputable provider. The UK National Cyber Security Centre and the Cyber Essentials programme have put together excellent resources.
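The last two steps in the list above, minimum privileges and an access policy that keeps up with joiners and leavers, are the ones that quietly decay between reviews. The following is an added example (not code from the article) of the reconciliation a periodic access review would run: it compares the accounts and admin-group memberships found on a system against an HR roster and reports leavers who still have accounts, accounts HR does not know about, admin rights nobody approved, and dormant accounts. Both data sets and the `sudo`/`wheel`/`admin` group names are constructed for the example.

```python
from datetime import date, timedelta

# Constructed HR roster (not from any real organisation): who is employed,
# and whether their role was approved for administrative rights.
HR_ROSTER = {
    "alice": {"active": True,  "admin_approved": True},
    "bob":   {"active": True,  "admin_approved": False},
    "carol": {"active": False, "admin_approved": False},  # left the company
    "dave":  {"active": True,  "admin_approved": False},
}

# Constructed system view: local accounts with last-login date and group
# membership, a simplified version of what `lastlog` and `getent group` report.
SYSTEM_ACCOUNTS = {
    "alice":  {"last_login": date(2018, 3, 1),  "groups": {"sudo", "www-data"}},
    "bob":    {"last_login": date(2018, 3, 2),  "groups": {"sudo"}},
    "carol":  {"last_login": date(2018, 1, 20), "groups": {"www-data"}},
    "dave":   {"last_login": date(2017, 9, 5),  "groups": set()},
    "deploy": {"last_login": date(2018, 2, 28), "groups": {"sudo"}},  # shared account, no owner
}

# Groups that confer administrative rights on the systems being reviewed (assumed names).
ADMIN_GROUPS = {"sudo", "wheel", "admin"}


def review_access(roster, accounts, today, dormant_after=timedelta(days=90)):
    """Reconcile system accounts against HR and return each class of finding as a sorted list."""
    leavers = sorted(u for u in accounts if u in roster and not roster[u]["active"])
    unknown = sorted(u for u in accounts if u not in roster)
    unapproved_admin = sorted(
        u for u, acct in accounts.items()
        if acct["groups"] & ADMIN_GROUPS
        and not roster.get(u, {}).get("admin_approved", False)
    )
    dormant = sorted(u for u, acct in accounts.items()
                     if today - acct["last_login"] > dormant_after)
    return {
        "leavers_still_active": leavers,
        "not_in_hr": unknown,
        "unapproved_admin": unapproved_admin,
        "dormant": dormant,
    }


def remediation_commands(findings):
    """Suggested shell commands for the findings (lock first, delete after review)."""
    cmds = []
    for user in findings["leavers_still_active"] + findings["not_in_hr"]:
        cmds.append(f"usermod --lock --expiredate 1 {user}")
    for user in findings["unapproved_admin"]:
        cmds.append(f"gpasswd --delete {user} sudo")
    for user in findings["dormant"]:
        cmds.append(f"usermod --lock {user}  # dormant, confirm with owner before removal")
    return cmds


if __name__ == "__main__":
    result = review_access(HR_ROSTER, SYSTEM_ACCOUNTS, today=date(2018, 3, 5))
    for category, users in result.items():
        print(f"{category}: {users}")
    print("\n".join(remediation_commands(result)))
```

Running the review on a schedule, and on every leaver notification rather than only quarterly, is what turns the "keep it up to date" step into something that actually happens; the shared `deploy` account shows why "minimum required privileges" also means every privileged account must have a named owner.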
Why this is important
All businesses holding customers' personal data will need to ensure that they comply with the EU's General Data Protection Regulation (GDPR) from May 2018. GDPR strengthens the right to data protection, which is a fundamental right, and lets individuals trust the organisations to which they give their personal data. Security is constantly evolving, so make sure to carry out regular health checks. This could mean vulnerability and penetration testing, where security experts, with your express permission, put on a 'white hat' and attempt to penetrate your systems, yielding valuable findings that can be used to strengthen your defenses.