Most business owners and managers are aware of the importance of good cyber security, but other concerns often take precedence. Managers are busy dealing with the day-to-day running of the business and can’t spare much time worrying about the “what ifs” posed by cyber threats.
Additionally, small businesses have limited funding, so they need to make sure they’re getting the best “bang for their buck” in all areas, including cyber security. It is difficult for business leaders to keep abreast of the risks posed in the current environment and to set the right budget to combat them. This means their business, data, clients and reputation are often vulnerable to cyber attacks.
Why are we sharing this?
In the last month, we’ve seen an increase in the number of cyber attacks in the industry. The most common breaches we see occur when an attacker obtains a username and password for one of your internet-facing systems. They may get the password through a variety of different means, but once they have your username and password they can do anything they like with your data. This is obviously a major problem!
The common targets for these attacks are email and file storage systems such as Office 365, remote access technologies such as Remote Desktop Servers, and VPN systems that grant access to your internal networks from across the internet.
What do hackers do with their access?
Usually, when a hacker breaches your network they do not announce themselves straight away. On average, networks are breached months before the attacker does anything noticeable. During this time they may sell your details to other hackers, or sit in the background reading your data and working out how best to exploit your weaknesses.
There are lots of different possible attacks, but the most common ones we see are:
- Ransomware: The attacker gains access to your network and encrypts all of your files so you can no longer access your data. Your data is then held for ransom; you need to pay the attacker their requested sum of money to have your files decrypted.
- Extortionware: The attacker gains access to your network and copies your sensitive data. They then threaten to release the data, thereby causing you significant reputational and legal damage, unless you pay.
- Impersonation: The attacker gains access to your email. They read your history and get an understanding of who you are, who you deal with, who they are, and what you commonly communicate about. They can then effectively impersonate your business contacts to trick you into sending money, stealing information, etc.
What should you do immediately?
A study by Microsoft shows that 99.9% of password-based attacks can be prevented by implementing Multi-Factor Authentication (MFA). Synapse strongly recommends that all organisations deploy MFA on all internet-facing systems, particularly Office 365, Remote Desktop and VPN systems. Doing this is relatively cheap and easy, and offers significant additional protection.
In addition to this, we also recommend a broader assessment of your security posture to make sure your business is adequately protected from threats such as ransomware and hackers.
How do you know if you’re adequately protected?
MFA is a great start, but it’s just one piece of a complex puzzle. There are a lot of other things that may or may not be required depending on your business.
To understand how you compare to a reasonable benchmark, we suggest utilising a cyber security framework. There are a number of internationally recognised frameworks, all of which are proven processes for delivering a good cyber security outcome. Originally most were designed for large enterprises, governments or other large bodies. As time has gone on, these frameworks have been broadened and cut down so that they’re more widely applicable, even down to small organisations.
One of the common frameworks is the NIST Cybersecurity Framework, from the US National Institute of Standards and Technology. It has 5 main components, as outlined below.
Let’s take a high-level look at what each component means.
Identify – You can’t effectively protect assets you haven’t identified, right? The first step to protecting yourself is to identify what information you have, how critical it is, what software, hardware and people access that information, where it is stored, and so on. In short, identify what you are trying to protect.
Protect – Now that you’ve identified the assets, you can take steps to put protection in place to reduce risk. It’s worth noting that even if appropriate protections are in place, no protection is 100% guaranteed. Consequently, you may still have a breach.
Detect – If, or when, you have a breach, how do you detect it? We already know that in many cases the damage is not done until months after the initial breach occurs. Ideally you need a way to detect and contain the breach early, before significant damage is done.
Respond – When you detect the breach, either before or after serious damage is done, what do you do next and how do you respond? Making it up as you go is not the best way to handle a crisis. A clearly thought-through plan outlining who will be involved and what they’re going to do is required.
Recover – Obviously, if there’s an incident you want to be able to recover. You need to make sure you have the appropriate systems, processes and people in place to enable this.
More work put in at the early stages leaves less risk in the later stages. If you are more effective at identifying and protecting assets, and then at detecting breaches when they occur, you should find responding and recovering to be a much easier task.
The table below shows some of the common considerations in each of the 5 stages.
Why is following a framework best practice?
A cyber security framework provides a formal process for improving your security posture. Without one you can end up putting in systems reactively, or just guessing what you may need. Without a structure it’s easy to spend money on security and still accidentally leave big gaps in your coverage.
We encourage everybody to think about how the 5 areas outlined above are addressed within their organisation. How good are your systems and processes in these areas?
Why should you care about cyber security risk management?
Ultimately it is the responsibility of business owners and leaders to protect their own data. They are the ones who have the most to lose if their data is destroyed or stolen, and they can also be held personally liable for any damages caused by data breaches in their organisations. Business leaders need to understand, at a high level, what the risks are and make sure they are happy with the protections that are in place.
If you’re a business leader and have questions about your cyber security please get in touch with us for help protecting your business and its reputation.