- 25th May 2018
- Posted by: Fidus
- Category: Corporate
Ultimate Cyber Security Guide For Businesses
For today’s executives, senior managers, and entrepreneurs, the online world offers amazing opportunities to connect with new customers, open up in brand new markets, and empower their employees to innovate and to reach their full potential. A lot of what happens in business today is, quite frankly, unimaginable to the generations of executives, senior managers, and entrepreneurs that came before us.
Equally unimaginable to them would be the threat posed by cybercriminals to their businesses and their customers’ personal information.
This is a typical example. Carole Gratzmuller, CEO of medium-sized French company Etna Industrie, came back from a trip to discover that, under her instruction, her accountant had transferred £100,000s out of the company business account. The problem was – she gave no such instruction.
Speaking to the BBC (1), Ms Gratzmuller stated that “My accountant was called on Friday morning…Someone said: ‘You’re going to get an email from the president, and she’s going to give you instructions to conduct a very confidential transaction and you’re going to have to respond to whatever instructions she gives you’.”
Her accountant then received an email, apparently from Ms Gratzmuller’s account, telling her that Etna Industrie was buying a company in Cyprus.
The fraudsters put the accountant under an enormous amount of pressure in a very short space of time. She was first contacted at 9am which was followed in quick succession by ten emails and four more phone calls. In under three hours, the accountant tried to wire £372,000 to the cybercriminals’ bank accounts. The bank stopped three of the four transactions but £74,400 was still lost.
What happened to Ms Gratzmuller and her accountant is known as CEO fraud. £32m has been reported lost by British companies to similar operations, according to the City of London Police’s National Fraud Intelligence Bureau (2).
Glaswegian Feezan Hameed was sent to prison for 11 years for his part in a similar scam which cost businesses and consumers £113m, according to the Guardian (3). Pitman Blackstock Solicitors were taken for £2,260,625.89 after one of Hameed’s accomplices phoned up pretending to be Peter from Lloyds Bank. Another firm lost £750,000 the same way.
But CEO is only one threat of many you need to be concerned about…
What cybersecurity threats do I need to protect my business from?
The nature of the threat changes all the time however there are a few types of cybercrime scams that you should always be on the lookout for.
Email spoofing, email fraud, and “phishing”
Email is 60 years old and it’s never been a secure technology since it was first launched to the public and to businesses. You can forge all sorts with email – including the manipulation of the “from email” and “from line” to make it look like a message was sent by someone else. Email spoofing was one of the techniques used when Ms Gratzmuller’s accountant was fooled by the cybercriminals.
Credit: Krebs on Security
Email spoofing, or phishing, is very successful. There has been a 65% growth in phishing over the last twelve months, according to PhishMe (4) with 76% of all businesses stating that they had been targeted, reports Wombat (5).
The Webroot Threat Report stated that over 1.5m new phishing sites are created each month (6). What is a phishing scam? Let’s say that your company has an Amazon account. A phishing email purporting to be from Amazon is sent to you or one of your staff. It points to a fake Amazon site which has been put up with the sole purpose of discovering your corporate username and password.
Phishing attacks mainly occur by email but fraudsters also often use the telephone to perpetuate their scam.
Cybercriminals will often try to change the information held by government-related bodies, suppliers, and financial institutions about companies. The main reason for this is that they want to be able to set up new credit accounts for your business. They use these new credit accounts to purchase products which are then delivered to their address and not to yours. They get the goods, you get the bill. Others will take out loans or credit cards in your company name after successfully stealing your corporate identity.
Denial of Service
A denial of service attack (sometimes called a DDOS) describes a situation where cybercriminals have control over a very large number of internet-connected devices which try to log onto your website at the same time. The sheer volume of requests will “crash” your website meaning that normal customers are unable to log on.
Towergate Insurance reports that 16% of UK firms have been the target of a DDOS attack (7). It’s big business – Forbes ran a story in April 2018 stating that the world largest “DDOS-For-Hire” business had been taken down after it had launched 6 million separate attacks on companies (8).
Threats from software come in three different forms – piracy, inherent vulnerabilities, and deprecation.
Deprecation is when a manufacturer stops providing updates for their software or for their software plug-ins. Microsoft stopped updating a plug-in called Silverlight back in 2014 – Silverlight was a streaming media plug-in which allowed you to listen to music or watch videos.CVE Details have listed 18 different security vulnerabilities in this plug-in which could leave your business at risk if not immediately addressed (9).
Sometimes, software you download to your IT system may have built-in vulnerabilities – Adobe Flash Player being perhaps the most famous example. CVE Details have listed over 1,000 problems with Adobe Flash Player – this is the main reason Apple don’t allow Flash Player to work on their platforms (10).
Buying pirated software is still surprisingly commonplace and the decision to do so is motivated by price. Pirated software works by disabling many of the security features inherent in a program – such as reporting back to the software vendor to check that this is a legitimate copy. Disabling the in-built security of a program is risky anyway but this risk is doubly compounded by the fact that many pirates choose to hide malware in their version of the software. And on the subject of malware…
Malware and viruses
Malware causes chaos with business computer systems. Malware is software that has been written with the specific purpose of damaging in some way a computer, a server, or a computer network.
- slow down or crash your computer,
- change your computer settings,
- perform surveillance on your users (even sending back keystrokes and screenshots)
- turn your computer into a spam-sending “dumb” terminal
- threaten to destroy the data on your computer if you don’t pay a ransom
- install a backdoor onto your computer allowing unauthorised users to install programs on your machines and network without your knowledge
- interrupt your network’s connection to the internet
- modify or delete your files
According to GData Software, a new malware program is created every 4.2 seconds (11).
Credit: Psinergy Tech
Other types of cybercrime threat
Emerging threats that businesses are facing include:
- data diddling (altering data on a computer system without authorisation)
- password attacks (systematic remote attempts to hack into your system by high-speed automated password guessing)
- man-in-the-middle attack (pretending to be someone else during an online exchange by intercepting an ongoing communication)
- salami-slicing (small individual financial frauds repeated again and again)
- internet-of-things hacking (breaking into a system through a weak point like a web cam or an onboard car computer)
- cyber extortion (theft of sensitive or commercial valuable data which is then used to extort a ransom under threat of sale of the information to a competitor)
What does my business have of value that people would want to steal from it?
Cybercriminals are after your company data. But what can they do with it? They can:
- manipulate your sales database to determine who your most affluent customers are to then sell that information on in the black market. The value of your data is at its highest in the first few days after it is stolen
- steal any unencrypted debit or credit card information
- use any details they find on an individual or a company which could then be used to change the information held by government or other authorities to take out loans or open credit card accounts
- copy the usernames and passwords used on the websites of companies from which you buy online
- steal commercially sensitive and valuable data (for example, that research and development project you might be working on)
- discover the names of employees, managers, and board members in order to spoof their email details with the intention of committing fraud (for example, the CEO fraud mentioned earlier in this article or conveyancing fraud where a scammer will pose as a solicitor and then instruct you to transfer your house deposit money into their bank account)
Fidus Information security works with clients in the finance, B2B, technology, insurance, industrial, Government, education, online, public services, legal, and accounting sectors. Each one of these organisations stores valuable personal data on their IT systems that someone else wants.
Data, in the hands of a person who knows what they’re doing with it, has a tremendous market value. It doesn’t matter what line of business you’re in – the data that you have on the companies and people who buy goods and services from you will be worth a great deal to someone with dishonest intentions. And those people are as likely to be your employees as they are a hacker from the other side of the world.
What is cybersecurity?
Cybersecurity within a company or organisation are the steps that it takes to minimise the risk of becoming a victim of cybercrime. For the most effective protection, you need your cybersecurity plan to include and involve both your systems and your people.
What are the risks to my business if we don’t implement a cybersecurity policy?
There are three main risks to your business if you are cybersecure – reputational, financial, and legal.
The reputational damage you could suffer as the result of a data breach caused by a lack of a coherent cybersecurity policy could be catastrophic. 46% of UK businesses suffered a serious data loss or breach in 2016. 60% of SMEs close permanently following a data breach or an incidence of data theft within 6 months (12).
Would your customers ever be able to trust you again? Would you trust a company whose lack of cybersecurity compromised your financial situation or put you at risk of identity theft? The chances are that most people would want to put their business with someone else.
There is also a significant legal threat to your business. The number of claims for data privacy breaches has been rising in recent years as has the level of compensation awarded, according to Brabners Solicitors (13). Claimants now can successfully sue if there was no financial loss but that the breach caused personal distress (14).
William Egglestone of Brabners Solicitors believes that “there is speculation surrounding the potential for large-scale ‘class action’ style claims where data security breaches affect a large number of individuals…A collective action regime may be rolled out or extended to cover data protection, whereby all affected individuals are automatically part of the ‘class’ of people bringing the action unless they choose to opt out.”
Do I need to think about cyber security for GDPR compliance?
On May 25th 2018, the General Data Protection Regulations (GDPR) came into force. The GDPR replace the Data Protection Act (1998) in the UK and they will have force of law in all 28 EU countries. When Britain leaves the EU, the GDPR will be enshrined into English and Scottish law.
If your business is attacked and it suffers a data loss, the GDPR will require that you not only inform the Information Commissioner’s Office (ICO) but also every single individual whose “rights and freedoms” (15) may have been affected by the breach. Once you become aware of the breach, you must do all this within 72 hours (if feasible). If you fail to notify either the ICO or the individuals affected, this can “result in a significant fine up to 10 million euros or 2 percent of your global turnover. This fine can be combined with the ICO’s other corrective powers under Article 58.”
So, what we know is that one big data breach could result in a loss of customer confidence and trust, a class action law suit bought by those people who were affected by the breach (even if there was no monetary loss on their part), an ICO inspection of your IT system and your overall cybersecurity system, and a crippling fine if you do not report the breach to the ICO and the users in good time.
As William Egglestone of Brabners Solicitors put it, “(t)he GDPR represents a tipping of the balance of data protection law, favouring the protection of the individual over the commercial needs of businesses”.
So how do you get ready for it?
Making your company cyber-secure starts at the top
As a business owner, a board level member, or a senior manager, becoming cybersecure as a organisation requires a proactive and positive decision from the very top, followed by a plan for everyone involved to follow, and a determination to see it through.
You can be cybersecure within weeks. First, understand what it is that you need to do to become cybersecure and GDPR-compliant.
Make sure that there is someone who is leading the discussion at the highest level in your business and that that person has a decent base level of knowledge in computer security and database management. If there is no such person within your company, please appoint an outside specialist without delay to sit in on the meetings.
Once a plan is in place, agree a timescale over which the work is done, setting out certain benchmarks that need to be achieved within a certain time. Hold additional board meetings to make sure that targets are being met and the required outcomes are being achieved.
At the same time, start preparing training materials for staff so that they will be aware of what they need to look out for. After all, a serious threat to the viability of the business caused by a catastrophic data breach is as much of a threat to their livelihood as it is yours.
Look at your overall IT network and plan for disaster
Your internal computer network may have developed into what it is today over tens or hundreds of small incremental steps over a long time. Everything that is installed on it and everything it connects to presents a potential vulnerability.
Plan to make your IT network as simple as possible. Only have on it or connected to it what it needs to function. Make an inventory of every piece of software and every software plug-in that is on the network or on individual terminals. Get rid of the programs you don’t need. If there are programs you are still using that the software provider has deprecated, look for a replacement program where updates are still offered by the vendor.
If you do not have one installed already, consider a firewall – this protects your network constantly detecting attempts to get into your system from outside.
Use the cloud to back-up your data frequently. Remember the NHS Wannacry attack (16) which threatened to wipe computers and networks if a ransom was not paid? That attack affected hundreds of thousands of businesses, organisations, and individuals around the world. If you use a cloud back-up, everything your business needs to function is safely stored and retrievable from your cloud provider.
Credit: Financial Tribune
Ransomware is no joke, affecting businesses Worldwide for huge sums of money.
Credit: Heimdal Security
What personal data are you holding?
The GDPR requires that you collect and hold all personal data for “legitimate, explicit and specified” reasons. You must process personal data “fairly, lawfully, and transparently” and you must only keep data with is “relevant” and “adequate” for that processing.
Decide on the data you absolutely need for each customer on a departmental level. Only give operatives access to the information they need to assist a customer, not information they don’t. In 2014, a Ponemon Institute survey of 2,300 US and European employees discovered that 71% of respondents believed that they were “granted excessive access to company data they should not be able to see”. The GDPR has been designed to stop this from happening and allowing employees to see more information on a person than they need to do their job will be an offence under the regulations (17).
Cybersecurity – encryption
Encryption programs scramble your data so that it’s unreadable and unusable to anyone who doesn’t have the “key” to decrypt it.
If members of staff communicate by email internally or with the outside, it’s easy to secure the contents of your email using encryption programs which mean that, even if your staff member’s email was intercepted, the hacker could not read it.
When your network is backing up company data to the cloud, please make it part of your plan that encryption is used on these uploads.
Passwords and monitoring network traffic and network access points
Many companies deploy an Intrusion Detection System (IDS) as part of the cybersecurity policy. What this does is to examine your WiFi, your host-based systems, and your IT network as a whole for unusual behaviour and for signs of a known attack.
An IDS alerts you when there are large and unexpected outbound transfers of large amounts of data – a strong sign of a security breach or a theft in progress. The system will inform you of which user’s terminal the transfer originated from.
Many IDS systems are now run with machine learning and artificial intelligence approaches built in. It will start to learn how your network and all the terminals attached to it use data. In the early days of the deployment of your IDS system, you will receive some false positives indicating that an attack or breach is underway when it is not. However, as the systems continue to monitor data usage, it will report far fewer incidents as time goes on particularly with the additional information inputted by your users telling the system that an incident was not an attack when it indicated it wasn’t you.
You will also need to make your WiFi connections as secure as possible. This is particularly so in the light that Belgian researchers “broker” the WPA2 protocol used by the vast majority of WiFi connections (according to the Guardian). The author of the report, Mathy Vanhoef, told the paper that “Attackers can use this novel attack technique to read information that was previously assumed to be safely encrypted…This can be abused to steal sensitive information such as credit card numbers, passwords, chat messages, emails, photos and so on.
Credit: EZ Computer Solutions
“…The attack works against all modern protected wifi networks. Depending on the network configuration, it is also possible to inject and manipulate data. For example, an attacker might be able to inject ransomware or other malware into websites.” (18)
The use of secure passwords to access your computer network or your cloud back-up will stop many attacks. For those that it does not stop, the method of encryption you use will prevent a cybercriminal from accessing the contents of sensitive files.
Despite the fact that the encryption will prevent any real damage being caused in the case of an individual file interception, the real value of strong passwords is in preventing a dishonest and unauthorised user from using the techniques he or she uses to hack into your system to grant themselves administrator rights. If a cybercriminal managers to authorise themselves as an administrator, your entire system, encryption of not, is in danger of being controlled completely by someone who has malicious intent.
Safe internet usage (internet and emails)
The way that your staff use the internet and their email will need to be controlled and monitored as part of your approach to corporate cybersecurity. You should make clear to your employees what the company policy is for the types of website that are acceptable and unacceptable to visit (you may want to have a separate list for staff on breaks).
Your staff may be asked to download attachments from an email they receive or from a website. Put together a list of authorised programs, apps, or functions that can be installed on a user’s terminal. Make sure that you have an anti-virus and anti-malware service running on each terminal and on the network which informs users of a potentially dangerous download – if such a message pops up, train your staff about the person they need to report this to before deciding on a course of action.
Users may also upload files via email and to internet sites. Let your staff know what they can upload and what’s forbidden (product schematics and diagrams, customer databases, sales payment details, and so on).
Make clear beyond doubt what you consider sensitive company intellectual and database property to be and insist that, prior to uploading or transferring to someone else (even within your company), your employee gets the necessary authorisation to do so.
Be certain to make your mobile devices (including smartphones and tablets) as secure as possible by using strong passwords for access to the use of encryption when a device which is outside the office wants to access or manipulate data on your internal network or your cloud services. For laptop computers, it is easy to find and install downloads that will encrypt a hard drive in case the laptop is lost or stolen.
There has been a growing trend towards a “Bring Your Own Device” (BYOD) culture in many companies and organisations. There is inherent risk to storing company data on property which is not owned by your company and many cybersecurity experts would strongly caution you about the wisdom of a BYOD policy. If you already have a BYOD policy and you want to keep it, or you’re thinking about introducing it into your company, make sure that the data on an employee’s device is encrypted and that, when connecting to your network or cloud, all communications are encrypted too.
What about removable media?
Do you allow staff to download sensitive company data onto a CD-ROM or a memory stick? Many cybersecurity experts do not think that allowing removable media on your system will assist you in protecting your data and the distribution of your data. This is because one of the most vulnerable areas of cybersecurity policy comes from…
Sometimes the biggest threats come from rogue employees. Data theft is occurring more and more from British companies. The number of cases which reached the High Court in the UK increased by 25% in one year. In the Telegraph, Felix Dodd, senior solicitor at commercial law firm EMW stated that “the figure is rising rapidly as data theft becomes easier to carry out.” (19)
“Businesses most at risk are those in the technology or financial services sectors, where staff members can steal proprietary algorithms, as well as those that are heavily reliant on client relationships such as recruitment or estate agents.”
Mr Dodd also stated that many companies now ban their staff from sending work emails to their personal accounts and some disable functionality on their employees’ smartphones to prevent unauthorised data transfer.
Malicious insider attacks, whether stealing trade secrets or company data, are on average far more costly than outside attacks. Internal threats can often be severely overlooked especially in rapidly growing organizations with no systems in place to prevent them.
How long will it take before I can describe my company as “cybersecure?”
Once you have reached the end of your company plan to make your systems cybersecure, now it’s the time to make your people cybersecure.
Take care to communicate with staff on an ongoing basis things they should look out for. Reward and incentivise staff who are proactive in helping the company.
It may be worth doing regular testing to look for gaps in knowledge in individual employees. Where those gaps exist, you should introduce top-up training for those staff members.
- “The ‘bogus boss’ email costing firms millions”, BBC News, 8 January 2016 (link http://www.bbc.co.uk/news/business-35250678)
- “Action Fraud warning after serious rise in SEO fraud”, NFIB, 5 February 2016 (link https://www.actionfraud.police.uk/news/action-fraud-warning-after-serious-rise-in-ceo-fraud-feb16)
- “Ringleader of gang responsible for £113m fraud jailed for 11 years), Guardian, 21 Sep 2016 (link https://www.theguardian.com/uk-news/2016/sep/21/feezan-hameed-fraud-gang-jailed-11-years-southwark-crown-court)
- PhishMe’s Enterprise Phishing Resiliency and Defense Report (link https://phishme.com/wp-content/uploads/2017/11/Enterprise-Phishing-Resiliency-and-Defense-Report-2017.pdf)
- Wombat Security State of the Phish (link https://info.wombatsecurity.com/state-of-the-phish)
- Webroot Threat Report (link https://www.webroot.com/us/en/about/press-room/releases/nearly-15-million-new-phishing-siteshttps://www.webroot.com/us/en/about/press-room/releases/nearly-15-million-new-phishing-sites)
- “SMEs and Cyber Attacks – What You Need to Know”, Towergate Insurance (link https://www.towergateinsurance.co.uk/liability-insurance/smes-and-cyber-attacks)
- “Cops Take Down World’s Biggest ‘DDoS-For-Hire’ Site They Claim Launched 6 Million Attacks”, Forbes, 25 Apr 2018 (link https://www.forbes.com/sites/thomasbrewster/2018/04/25/massive-ddos-attack-service-webstresser-org-taken-down/#12930a062e3c)
- Security Vulnerabilities in Microsoft Silverlight, CVE Details website (link https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-19887/Microsoft-Silverlight.html)
- Security Vulnerabilities in Adobe Flash Player, CVE Details website (link https://www.cvedetails.com/vulnerability-list/vendor_id-53/product_id-6761/Adobe-Flash-Player.html)
- Malware trends 2017, G DATA Security Blog, 10 Apr 2017 (link https://www.gdatasoftware.com/blog/2017/04/29666-malware-trends-2017)
- “The UK’s latest data breaches”, British Assessment Bureau, 21 Dec 2015 (link https://www.british-assessment.co.uk/guides/uks-latest-data-breaches/)
- “GDPR – What does it mean for civil litigation”, Brabners Solicitors,4 July 2019 (link http://www.brabners.com/blogs/dispute-resolution/gdpr-what-does-it-mean-civil-litigation)
- Vidal-Hall – Courts and Tribunals Judiciary, 27 Mar 2015 (link https://www.judiciary.gov.uk/wp-content/uploads/2015/03/google-v-vidal-hall-judgment.pdf)
- Personal Data Breaches, the Information Commissioner’s Office (link https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/)
- “NHS ‘could have prevented’ WannaCry ransom attack”, BBC News Online, 27 Oct 2017 (link http://www.bbc.co.uk/news/technology-41753022)
- “Too Much Insider Access to Critical Data Is a Growing Risk”, Forbes, Dec 9 2014 (link https://www.forbes.com/sites/dinamedland/2014/12/09/too-much-insider-access-to-critical-data-is-a-growing-risk/#79bfe99c4c50)
- “’All wifi networks’ are vulnerable to hacking, security expert discovers”, the Guardian Online, 16 Oct 2017 (link https://www.theguardian.com/technology/2017/oct/16/wpa2-wifi-security-vulnerable-hacking-us-government-warns)
- “Increase in disgruntled employees stealing confidential customer data”, Telegraph, 20 Nov 2017 (link https://www.telegraph.co.uk/business/2017/11/20/increase-disgruntled-employees-stealingconfidential-customer/)