Proactive Cyber Security – Your Lifeboat for Rising Above the Tide
Keeping your money and resources safe is better than dealing with the consequences of a security breach
As little kids, we are taught to stay away from hot things, in order not to burn ourselves. Our parents try to teach us to foresee the potential dangers and steer clear of them. But more often than not, kids end up learning lessons the hard way, by hurting themselves.
Tons of companies burn themselves because they don’t realize how essential it is to invest in proactive measures that will keep cyber criminals at bay. They only comprehend its importance after the damage is done and their systems are already compromised. A cyber security incident takes a major toll on the company, sometimes even forcing it out of business. Is that a risk worth taking for your company?
Because let’s face it: in our contemporary digital environment, it’s not a matter of “if I’ll be hacked”, but of “WHEN I’ll be hacked”. We should shift our perception in that direction and make sure that we are prepared when that happens. Are we confident that we’ve taken all possible measures to minimize the potential damage caused by a cyber breach?
It’s key to realize the value of dedicating a part of the resources to the prevention of cyber security incidents. While reactive security measures, the ones taken after a breach, don’t cost that much, they also leave your organisation exposed to major risks. Proactive security measures have long term benefits that are worth it. (source)
Why companies don’t take proactive cyber security seriously
The challenges that small and medium companies face when it comes to proactive cyber security are different from the ones that large companies have to deal with. Small and medium businesses:
- They don’t consider proactive cyber security to be important, so they put off setting up any measures.
- They imagine it’s expensive and they don’t allocate a budget for it. They focus on other things that they consider to be more important for the business to survive.
- They only pay attention to cyber security after something bad happens.
- They don’t really know what to do and are reluctant to call for a professional’s help.
Whereas for the large companies:
- They are usually too big to be properly controlled. Even though they are educating their employees and have security systems set up in place, it only takes one employee to affect the whole company.
- If something bad happens, they are reluctant to report the problems or inform the authorities. They consider it would damage their reputation (although more people would benefit from reporting and it’s impossible to hide the dirt under the carpet for too long).
In the meantime, here’s what the current cyber security landscape looks like:
- Another warning that made the headlines these days came from Mary Jo White, the chair of the US Securities and Exchange Commission (SEC): the biggest risk the financial system faces is cybersecurity.
- The losses are huge and constantly growing. A recent report shows that overall breaches in healthcare alone are costing the industry $6.2 billion per year. Other reports aren’t any more optimistic.
How to start a proactive security plan for your company
Planning the proactive security measures that your company needs doesn’t have to be a burden. You can start with this easy, basic plan:
1. Make a list of the major cyber security incidents that occur most often in organisations and in your industry.
Those are usually caused by a mix of:
- Uneducated employees
- Social engineering
- Outdated software
These can lead to data breaches and systems infected with malware, ransomware or spyware.
2. Put together a data assessment list.
What is your most valuable data? Where is it kept, on what accounts? Do you have backups in multiple locations?
3. Test the security system you already have in place. Imagine all possible scenarios.
Do a vulnerability assessment to identify the potential deficiencies. Usually, the weakest link in the system is people. And it only takes one employee for a whole organisation to be majorly affected. What does one employee have access to? What kind of security education do they have? What would happen if your data was lost, leaked or deleted?
4. Do a costs and benefits analysis. Determine what cyber security measures are affordable and practical.
You can split them into two major categories: people education and tech (software / hardware).
5. Ask for help.
If you have a bigger budget available, you can also ask for help from security professionals. They could help you discover your blind spots.
Proactive cyber security measures that your company should take
1. Employee training
I brought this upfront as it’s among the most crucial ones. Most cyber attacks happen because of employees’ lack of security knowledge, combined with a low attention span and work overload. Downloading malicious attachments, clicking on suspicious links without knowing where they lead, giving away their credentials without realizing they ended up on different domains than they thought, navigating on websites with pirated multimedia content, inserting foreign USBs or hard-drives – these are just a few of the things that might go wrong and lead to a system infection.
Most severe breaches are caused by spear-phishing attacks. That’s a type of targeted phishing, where the cyber criminals take their time and analyze potential victims. They take a longer time to study their targets, but it usually pays off – it’s one of the most successful types of attack.
Here are a few examples of recent breaches caused by employees:
- (source: CSO Online) Seagate and Snapchat were among the victims – the scammers posed as the CEOs in order to get payroll information on the staff.
- Cyber criminals used extremely targeted phishing emails to infect the targets with malware and gain access to hotels’ networks. Those breaches exposed hundreds of thousands of guests’ credit card accounts. (source: Ars Technica)
As for the recent breaches in the healthcare system, here’s what recent research points out:
“Criminal attacks are the main cause of these breaches, accounting for half of the problem, up five percent from last year. And many of these thefts are inside jobs. In fact, 13 percent of them are pulled off by someone inside the healthcare organization. The other half of the breaches can be attributed to sloppiness and employee mistakes — for example, losing a computer with unencrypted patient information on it.”
The worst part of it? There’s also a huge gap between what employees know they should be doing and what they actually do. And it only takes one employee for a whole system to be breached. That’s why it’s equally important that you help them understand the importance of cyber security and how it could impact the business and their job. Do they fully comprehend the repercussions of a possible hack?
Start investing part of your budget towards educating the employees. A cyber security education will help prevent most of those hacks. You can also have them take our Cyber Security Course for Medium and Small Businesses – it’s free and it offers simple, structured and easy to follow knowledge. We launched it last month, together with the London Digital Security Centre. Here are 50 other cyber security courses that can be taken online. And here are a few more guidelines for employees.
2. Office policy regarding access to information
What type of information do employees have access to? Their access should be layered. The higher their role and responsibilities in the organisation, the higher the access to data. It wouldn’t make sense for an intern that works on communication, for example, to be able to access salaries and taxes information, right?
Also be careful with the information they can access on a smartphone device. It’s much harder to spot a phishing page on the mobile than it is on the desktop or laptop. For more guidance on smartphone security, here’s a helpful and comprehensive guide.
3. Former employees policies
The company should also have in place a system that determines what happens when an employee leaves the company. Former employees are one of the top threats to companies’ security. Many ex-employees use data for vengeance or future personal gain. I had a similar problem because of an ex-employee that wanted vengeance. He hacked my email account, deleted all my work, my website (the very website he had been working on), damaged the social networks accounts and so on.
No matter the size of the company, make sure you have in place a confidentiality agreement that everybody signs when they come into the team. It should clearly state the kind of information they aren’t allowed to share, with whom, for how long. Also include the legal action that will be taken in case they breach that agreement.
For every employee, make sure you create a checklist with the accounts they have access to and what kind of data is on those accounts. Don’t forget to limit their access to those accounts before the collaboration ends.
TECH (SOFTWARE + HARDWARE)
1. Data backup
Imagine if something happened to a work device. It can be dropped, it can be damaged, suffer a hardware problem, get lost, stolen. The data on it can be encrypted, corrupted or leaked online. How would you feel about any of those scenarios?
Here’s what a simple ransomware infection looks like: Ransomware is the hottest threat of the moment and you can easily end up infected with it. It can be served through phishing or spam emails and advertising networks, and you can find it even on big websites. In order to infect a system, ransomware will exploit the vulnerabilities in websites, browsers, browser plugins and outdated software. The cyber criminal will encrypt all your data and then ask for a ransom in exchange for the decryption key. If you don’t pay in 24 hours, the ransom amount will double.
It’s highly recommended that you don’t pay them the ransom. There’s no guarantee that you’ll receive the key to decrypt your data. Also, the encryption might have gone wrong, and you may discover that your files were irreversibly corrupted.
It’s only one of the few reasons why it’s essential that you have backups. That’s plural, ok? Multiple backups, in multiple locations. Here’s how you can easily set that up.
2. URL filtering tech
That’s a type of software that will keep employees from accessing potentially dangerous websites that can be loaded with malware. The company or IT guy who installs the URL filter also sets up a few rules. When an employee wants to load a web page, the filter will check its origin and content, to see if it was blacklisted or marked as infected. If it was, the software will block it before it does any damage.
3. Patching & updates
Software producers constantly release new patches and updates. Those come with new features for the existing apps and programs, but they also fix security bugs that appear. It’s essential that those updates are done quickly, so that cyber criminals can’t exploit those bugs. Outdated browsers or plugins are critical vulnerabilities in your system.
It’s also hard for a network administrator to quickly update all the software, as soon as a patch comes live. Or administrators could just focus on more important things and let us take care of the updates – our security product, Thor Enterprise, silently patches essential software (among other things that it does). If you don’t trust us, then read what these 15 security top experts have to say about the importance of software patching.
4. Antivirus
An antivirus program aims to detect and delete any type of malware from a computer. The most common techniques to identify malware are signatures and heuristics.
Antiviruses may contain tons of malware signatures, but can only detect the malware for which they already have a signature. Unfortunately, there’s a time gap between the release of new malware and the incorporation of its signature into the antivirus. During this period, malware can be distributed and attack systems. Also, new types of malware now have the ability to change and disguise themselves, hiding from antivirus programs.
The heuristic method of detecting malware is based on previous experience of how malware behaves. This type of method also has its flaws: it can only draw conclusions based on past experience, so innovative malware can pass undetected.
Here’s how to choose the antivirus that will best fit your needs.
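To make the two detection methods concrete, here is an added sketch (not code from this article or from any antivirus product) that runs both over three constructed, inert byte strings. It assumes the simplest form of signature, a whole-file SHA-256 hash, and uses hypothetical behaviour labels, weights and threshold.

```python
import hashlib

# Constructed, inert stand-ins for file contents (not malware).
KNOWN_SAMPLE = b"CONSTRUCTED-SAMPLE-A payload-v1"
CHANGED_VARIANT = KNOWN_SAMPLE + b"\x00"  # same program, one byte differs
NOVEL_SAMPLE = b"CONSTRUCTED-SAMPLE-B payload-v1"

# Signature database: hashes of samples that were already analysed.
# Assumption: a signature is a whole-file SHA-256 hash.
SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}

# Heuristic rules learned from past malware (hypothetical labels and weights).
BEHAVIOUR_WEIGHTS = {
    "renames_many_files": 3,
    "writes_ransom_note": 4,
    "disables_backups": 4,
    "adds_autostart_entry": 2,
}
HEURISTIC_THRESHOLD = 6


def signature_match(content):
    """True only if this exact content was seen and catalogued before."""
    return hashlib.sha256(content).hexdigest() in SIGNATURES


def heuristic_score(behaviours):
    """Sum the weights of known-bad behaviours; unseen behaviours score 0."""
    return sum(BEHAVIOUR_WEIGHTS.get(b, 0) for b in set(behaviours))


def scan(content, behaviours):
    if signature_match(content):
        return "blocked: signature"
    if heuristic_score(behaviours) >= HEURISTIC_THRESHOLD:
        return "blocked: heuristic"
    return "allowed"


def demo():
    familiar = ["renames_many_files", "writes_ransom_note"]
    innovative = ["unseen_technique_x", "adds_autostart_entry"]
    return {
        "known": scan(KNOWN_SAMPLE, familiar),        # signature exists
        "changed": scan(CHANGED_VARIANT, familiar),   # hash no longer matches
        "novel": scan(NOVEL_SAMPLE, innovative),      # nothing familiar enough
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:8} {verdict}")
```

The changed variant is caught only because its behaviour is familiar; the novel sample passes both checks, which is why the other measures in this list (backups, patching, URL filtering, training) still matter.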
I’ll leave the conclusion to my colleague, Alex Balint, the mastermind behind the Heimdal Security product suite (thank you, Alex!): “Investments in proactive security should be made because a reaction is simply not enough. Because proactivity is better than reactivity. Because when you’re a proactive company, you want to stay on the edge of new technology, you want to inspire your employees and others to embrace evolution, you want to show that you have initiative, that you care. You want only the flagship of every product you use and ultimately, you want to learn from the mistakes of others by staying safe online. Proactivity comes from the highest levels of management, down to the level of each and every employee, in every line of business, not just online security. It’s more of a daily life decision, not necessarily an investment one. It’s a decision not only for companies but for end users as well. Everybody has a choice: to be just reactive or to reap the benefits of proactivity in everything they do.”