Cyber security risks are a fact of business life. No organisation is immune from being a target – size, industry and location are largely irrelevant to the perpetrators of cyber attacks – and that isn’t likely to change anytime soon.
What has changed is our working habits. Covid-19 has resulted in more and more people working from home or remote locations, and the jury is out on how many people will actually return to the office once restrictions are lifted. Whilst many consider this a welcome evolution which can improve work-life balance and remove the stress of the daily commute, to the more nefarious out there it is an opportunity to cause disruption and make money.
Cyber criminals and hackers seek to turn any situation to their advantage, and this is no exception. The fact that many employees are no longer working within an organisation’s internal network, protected by its security infrastructure, only plays into their hands. The good news is that some of the simplest and most cost-effective cyber security solutions are just as effective regardless of where your users are located. Here’s our round-up of the basic cyber security measures that can help to protect you against the majority of attacks.
1. Turn the weakest link into the strongest defence
Ask any cyber security expert and they’ll probably tell you that humans are the weakest link in any cyber security defence. While this is true to an extent, your employees can also be your best line of defence, but only if they are taught how cyber criminals may try to exploit them and how to recognise the indicators of a potential attack.
The easiest way into your network for any potential attacker is through your employees; it is vital that they can identify the signs and react accordingly.
Often attackers will attempt to steal credentials by tricking your employees into clicking on a link in a phishing email, opening an attachment, or by spoofing the sender’s email address to make it look like it came from a fellow employee. If a user falls for the scam, it will usually lead to entry into your corporate network and access to a buffet of confidential and usable information.
Regular awareness and cyber safety training is the single most effective way to protect your organisation against cyber attacks, and whether you choose to undertake this in-house or via a third party provider, it’s something you can get up and running within days.
2. Pimp up your passwords
The humble password has been a basic security requirement of most online accounts and services for decades, and the average user has around 100 of them. That’s a lot of passwords to remember, especially when there are so many requirements for the modern password – including symbols, letters, capitals, and numbers – which is why so many people reuse the same password for multiple accounts, or record them in plain text on a device. Both of these habits represent a serious cyber security risk.
Millions of passwords are already available to potential hackers and cyber criminals online. Many so-called trusted sites and vendors have been breached over the years, and user login details are openly shared and sold online. It’s therefore crucial to make sure that passwords are changed regularly.
Another way to improve password security is to use a passphrase rather than a password. Here’s a good example of why:
Normcyber12 – this contains capitals and numbers and is 11 characters long. You would expect this to be secure, right? In fact, a password strength calculator estimated that it would take about eight days to crack.
N0rmCyb3risS3cure!123 – by turning it into a phrase, swapping some of the letters for numbers, and adding a symbol the strength of the password has been vastly increased. The same password calculator estimated that it would take 17 thousand years to crack it.
But with so many passwords to remember, even turning them into passphrases will only go so far. Many organisations have started to use password managers to circumvent the problem of creating and remembering multiple passwords. A password manager generates and stores complex passwords on behalf of users – and autocompletes login credentials for them, making life a whole lot simpler and more secure. It’s also relatively inexpensive compared to the cost of other cyber security solutions, and is quick and easy to deploy.
3. Bring on the backups
The easiest way to protect your systems and files is to have a backup policy. For a policy to be effective, however, it must be followed, and that means making provision to regularly back up – or take snapshots of – your environment, be it individual laptops or the network. These backups should then be stored in a remote and secure online location, separate from the network.
Backups are essentially a safety net that you can fall back on should you become the victim of a security or personal data breach, or if your data is held to ransom. Ransomware is on the rise, with new variants appearing at an alarming rate. It’s become so lucrative that Ransomware-as-a-Service is now widely available via the dark web to prospective cyber attackers. Victims of a ransomware attack often have a painful choice to make – pay the attacker, or lose access to precious data. Backups mean that you can restore your data to a known good state, leaving the attacker with no leverage at all. This also applies to other forms of malware and infection. Giving yourself a restore option keeps your organisation safe and able to restart operations quickly, with minimum fuss and cost.
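A backup only returns you to a known good state if you can prove that the restored copy matches what was backed up. The following Python script is an added illustration, not code from the article or from NormCyber: it snapshots a directory into a tar archive, records a SHA-256 manifest at snapshot time, simulates the live files being overwritten, restores from the archive into a clean location and checks every file against the manifest. The directory names and file contents are constructed sample data, and the remote off-network storage the text recommends is outside what this local demonstration covers.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large backups never load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_file(p) for p in sorted(root.rglob("*")) if p.is_file()}


def snapshot(source: Path, archive: Path) -> dict:
    """Archive the source tree and return the manifest recorded at snapshot time.
    Keep the manifest with the backup: it is the definition of 'known good'."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            tar.add(p, arcname=str(p.relative_to(source)), recursive=False)
    return manifest


def restore_and_verify(archive: Path, manifest: dict, target: Path) -> list:
    """Extract the archive into target and list every path whose digest is missing,
    changed, or absent from the manifest. An empty list means a faithful restore."""
    # The 'data' extraction filter (Python 3.12+, backported to older maintenance
    # releases) refuses entries that would escape the target directory.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(target, **extract_opts)
    restored = build_manifest(target)
    problems = [p for p, digest in manifest.items() if restored.get(p) != digest]
    problems += [p for p in restored if p not in manifest]
    return sorted(problems)


def changed_files(root: Path, manifest: dict) -> list:
    """Paths under root whose current digest no longer matches the manifest."""
    current = build_manifest(root)
    return sorted(p for p, digest in manifest.items() if current.get(p) != digest)


def demo() -> dict:
    """End-to-end run on constructed sample data: snapshot, damage the live copy,
    restore to a clean location, verify, and show that later tampering is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        live = base / "live"
        (live / "docs").mkdir(parents=True)
        (live / "docs" / "contract.txt").write_text("constructed sample contract")
        (live / "notes.txt").write_text("constructed quarterly notes")

        archive = base / "snapshot.tar.gz"
        manifest = snapshot(live, archive)

        # Simulate the incident: a live file is overwritten, as ransomware would do.
        (live / "notes.txt").write_bytes(b"\x00\xffunreadable")
        live_damage = changed_files(live, manifest)

        # Recover into a clean directory and prove it matches the snapshot manifest.
        restored_to = base / "restored"
        restore_problems = restore_and_verify(archive, manifest, restored_to)

        # The same check catches a restored copy that was altered afterwards.
        (restored_to / "notes.txt").write_text("altered after restore")
        tampered = changed_files(restored_to, manifest)

        return {
            "files": len(manifest),
            "live_damage": live_damage,
            "restore_problems": restore_problems,
            "tampered": tampered,
        }


if __name__ == "__main__":
    print(demo())
```

The point of the manifest is that "restore worked" becomes a checkable statement rather than an assumption: the restore is trusted only when every digest matches, and the same comparison tells you which live files an incident actually touched. Running the restore into a clean directory, rather than over the damaged one, keeps the damaged copy available for investigation.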
4. Make patching part of the plan
Another key element of a cyber security defence is regularly updating and patching your devices and software. Vulnerabilities in software are commonplace, and these bugs or errors are often easily exploited by attackers to gain access to a device or network. Vendors regularly issue patches and remediations for their products, the most well-known being Microsoft’s Patch Tuesday, whereby on the second Tuesday of every month Microsoft provides updates to their products to help keep them secure.
The majority of breaches are enabled by missing patches – and some of the most high-profile breaches of the past few years have occurred as a result of them. Examples of breaches and ransomware attacks arising from unpatched vulnerabilities include Equifax and Marriott, at an approximate cost of £1.1bn and £100m, respectively.
Patches for software and devices you have purchased won’t cost you more money, but you do need to make sure that they are correctly managed and applied. Either your internal IT team or your ICT provider should be able to do this, but it can be a time-consuming and manual exercise. Automated tools are available, as are Vulnerability Patch Management services which can manage the entire process for you.
5. Make yourself invisible with a VPN
Virtual Private Networks, or VPNs, are a tried and tested way of protecting your employees and corporate network from cyber attacks. The accelerated rise of remote and home working means that many more employees are no longer entirely supported by the corporate network security infrastructure. This leaves them much more vulnerable to a cyber attack. VPNs offer numerous benefits, most notably protecting your data through anonymity. Key information like your IP address, location, passwords, and data will all be hidden – even your Internet Service Provider won’t be able to see or process any of this information.
VPNs are relatively inexpensive to acquire, easy to deploy and simple to manage, and you can check out some of the industry’s leading offerings here.
The steps above will help to protect any organisation against the vast majority of cyber attacks. Of course there are many more advanced measures that you’ll need to take if you want to reduce the risk of a cyber attack even further. To be fully effective, your cyber security strategy must address all three pillars of a comprehensive defence – people, process and technology – and needs to be managed by cyber security experts with the relevant skills and experience. An increasing number of companies are turning to managed cyber security providers to support them with this; if you’d like to find out more about what Cyber Security as a Service could do for you, visit us here.
Written by Craig Evans
A hospitality leader turned cyber professional, mentor and blogger, Craig is part of the SOC team at NormCyber. He helps to minimise the operational disruption, financial impact and reputational damage caused by cyber attacks by proactively monitoring customers’ technology environments. Craig has broad knowledge of all things cyber and holds both Blue and Red team qualifications.