Asked whether companies are doing enough to protect themselves against cyber attacks, Oliver Dehning, CEO of Hornet Security, chuckles: “Absolutely not,” he says simply. The Symantec Internet Security Threat Report 2016 records an increase in attacks against small businesses – 43% of all attacks against companies – and a 55% increase from the previous year in spear phishing attacks against employees from companies of all sizes. Cyber criminals are out for blood – and vulnerable small and medium-sized enterprises present an easy target.
Cyber security specialist Oliver Dehning believes many companies – especially SMEs – have a false sense of security: “Very often, they don’t take security seriously, because they think their data is not important anyway. But if suddenly all your files on your PC are locked, encrypted, and you can no longer use them, that might mean you’re basically out of business.” Put simply, it doesn’t matter whether that data is in the least valuable outside of your company; what matters is how valuable that data is to your business continuity.
Cyber attacks against companies range from the sophisticated to the ingeniously simple, and may be targeting company or customer data, intellectual property, the bank account, the IT hardware, your web shop, or information about investment plans, financial deals, or details of tenders, to name just a few of the tasty morsels. A common example of CEO fraud involves a well-faked invoice, apparently approved for payment by the CEO, and can cost companies millions. Crypto-viruses, accidentally downloaded by an unsuspecting staff member, can result in all of a company’s operational data being encrypted and held to ransom. Predatory behavior means that certain company representatives, such as workers from the HR or Finance Departments, are being specifically targeted: fake job applications or invoices concealing Trojans provide a gateway for cyber criminals into the company network.
As the cyber policeman Dirk Kunze points out, cyber security needs to start with information security (Where do you keep your passwords? Are you discussing important company information on your mobile on the train – who might be listening? Who is reading your tablet over your shoulder?) and bosses need to be proactive: companies need “to live the security rules from the very top. And then you can ask your employees to do as you do.”
So, with your money, your operations, and your competitive advantage on the line, there is all the more reason to ensure that IT security is given a high priority not only by the IT specialists, but also by management and staff, regardless of the size of the company.
Top Tips for Building IT Security Defenses
- Sensitize the company workforce – IT security is not just a topic for the specialists. Management needs to understand the risks – if you’re the IT professional, make your boss listen. If you’re the boss, take notice. Cyber crime tends to target the weakest link in the company IT, so every member of staff needs to be sensitized to the types of traps cyber criminals set for unsuspecting users, such as CEO Fraud, Social Engineering and Phishing.
- Take security seriously – use best practices like these:
- Update software regularly – set automatic updates wherever possible – and back up data in case of loss.
- Know what devices are in your network – use network scanners to analyze traffic into and out of your network. Be aware of what Shadow IT (IT purchased separately by different departments, which has not been authorized by the IT department itself) is being used in different departments, and ensure that these and privately-owned devices are secure enough. Private mobile phones which are connected to the company-internal Wi-Fi, for example, offer a further gateway into the network.
- Set up an Emergency Task Force – know who to contact if you discover an attack in your network. This should include internal representatives, including IT, Management and PR, and external contacts (such as the local police cyber crime task force and external security specialists).
- Do emergency exercises – train your staff how to react in an emergency – just like fire drills. There’s no point backing up your data if you then don’t know how to restore it.
The one that got through
Of the thousands of cyber attacks companies continuously face, an occasional one might get through your defenses. In this case, damage mitigation is necessary and the post mortem needs to be carried out.
- Do not pay a ransom – Although this may seem like the easy way out, there is no guarantee that your data will actually be set free. After all, you are dealing with criminals. The only thing you can be certain to achieve by paying ransom is that you will be remembered as an easy victim, potentially making future attacks more likely. Besides this, you fund their continued activities. In many countries this is illegal, as Thorsten Jansen from DWF points out. In Germany, for example, the punishment for “supporting a criminal organization” by paying a ransom can be a hefty five years’ imprisonment.
- Do call the police – combatting cyber criminality requires the cooperation of the many stakeholders involved – the IT security service providers, the victims, and law enforcement. Open sharing of information with the police and security specialists is necessary to continue and intensify the fight against cyber crime. Police services have dedicated cyber crime task forces, but if cyber crime is under-reported, then there is less funding provided to combat it.
- Call together your emergency task force – If you are under attack, then you need a concerted approach. While the IT specialists need to be mitigating the attack and cleaning the systems, PR needs to be communicating clearly and effectively with customers and the public. And remember: one attack vector, like a low-level DDoS attack, may be used to mask a deeper attack – keeping your staff distracted while the criminals get access to the entire system.
- Analyze your data – Andrew Bushby, from Fidelis Cybersecurity, recommends hunting through your metadata to investigate how, when and why the network was compromised, whether the attack is part of a multi-vector attack, and what is actually going on in the network, and then learning from it.