How to protect businesses from cyberattacks
By Sergey Ozhegov, CEO, SearchInform
Hacks and data leaks: how to protect businesses from cyberattacks
Hardly a week goes by without a hack or data breach incident occurrence. Quite often, large organizations, such as banks, state bodies and corporations become attacked, despite the fact that they are well-sponsored and their employees are usually quite well informed in the information security related issues. Thus, even large enterprises are often incapable of protection against cyber threats. So, the questions arises – what should executives of SMEs, which information security budget is much smaller do? The SearchInform CEO shares advice on how to strengthen an organization’s information security protection.
SMEs are in the focus
Owners of small businesses quite often don’t take cyber security issues seriously, because they believe that intruders aren’t interested in their companies due to their small size. Such approach leads to serious consequences, as it turns small businesses into perfect and vulnerable target.
One of the core risk is critical data leak. Such data includes, but isn’t limited to:
- Client database
- Critical data on some business processes
- Commercial data on business deals etc.
Businesses should also take data privacy laws seriously. There is a global trend of adoption of various acts, aimed at regulation of data-related processes. The new regulations, coming into force worldwide motivate companies to implement specific protective software. The consequences of such norms ignorance become more and more serious. For instance, in case a company doesn’t comply with a regulator’s requirements, it has to pay fines, which, in turn, are also permanently increased.
The main problem is that implementation of information security measures requires significant financial expenditures and takes time. Nevertheless, law requirements and data leak risks must not be ignored anyway. That is why it is strictly important to address risks properly and deal at least with main vulnerabilities and security “holes”.
First of all, let’s identify where to expect threats to occur.
Who poses a threat to your organization’s security?
There are four categories of intruders, which pose threats for information security.
External accidental intruders
These are intruders who hack any poorly secured IT infrastructure. With the help of automatized vulnerabilities scanners they reveal unpatched vulnerabilities, open ports and weak passwords. Typically, small and mid size businesses face such problems, because they often don’t have a staff information security officer and system administrators usually deal with information security tasks.
External deliberate intruders
Cybercriminals who refer to this group choose their victim deliberately. They usually attack companies because they know, that the companies have some valuable assets or simply because somebody paid them for the hack. For instance, market competitors can perform a DDoS-attack to disrupt “Black Friday” sale.
Internal malicious insiders
Malicious insiders typically pose more threats to businesses than hackers do. Due the fact, that such intruders initially have access to the IT-infrastructure they have more options for committing fraud, data leaks and other destructive actions.
Internal accidental violators
Despite mentioned above, employees much more often become accidental violators: they are typically tricked by phishing methods, accidentally send confidential data to the wrong recipient etc.
Which tools do intruders use most often?
Below is the list of most popular tools, used by intruders to attack organizations.
Password cracking
Most users use not complicated passwords, which are cracked in minutes, sometimes in seconds. That is why in most cases intruders do not use advanced tools for password cracking. Instead, they simply brute force passwords.
A vivid example – the case of insurance company TransUnion South Africa. The intruders hacked company’s server, access to which was protected with the following password – “password”. Intruders demanded a ransom equal to $ 15 million to provide employees with the access to the encrypted server.
Phishing
When a phishing attack is conducted, fraudsters use seemingly legible, but factually fake email or website. Any SMS, link or attachment in the mail, which at first glance looks like a normal one, in fact may be a malicious one and may infect a computer with spyware or ransomware.
BEC-attacks
BEC-attacks (Business email compromise) is the corporate email compromise. Intruders hack counterparties’ or company employees’ mailboxes, examine correspondence, imitate the continuation of the conversation for their own purposes. Sometimes, thread in an email may contain only two-three letters, sometimes correspondence lasts for months. Attackers’ aim is to induce employees to conduct a payment to a fake account, gain access to infrastructure or confidential information.
The most important aspect of a successful attack is social engineering. Employee’s attentiveness can protect a company from such type of attack.
DDoS-attacks
Hackers overload company’s server with requests until it starts to lag or simply fails. This issue is often critical, because business processes are interrupted. DDos-attacks specific issue is that they are usually used as a tool for performing deliberate malicious actions. Sometimes DDoS may hide the start of an attack, which aim is to find out, which vulnerabilities does the organization’s IT-infrastructure have. This endangers companies, operating in all business spheres.
Malicious software
Malicious software stands for any programs, deployed on devices with the intent to harm users or gain unauthorized access. The list includes: viruses, worms, trojans, ransomware, and various spyware.
One of the most significant threat for small and middle size enterprises is encryption of company’s data by a ransomware virus. After data is encrypted, intruders demand a ransom. Business processes of the attacked companies may remain interrupted or totally stopped for weeks, and the ransom sum may be large, up to millions of dollars. In case the victim refuses to pay the ransom (and, in fact, even in case the ransom is paid), there is a chance that data will be compromised and exposed.
Attacks on unpatched software
Such attacks logic is as follows: the vendor publishes detailed data on the vulnerability and releases an update, a client forgets to install the newest version of software or operation system and hackers benefit from this user’s delay. They have the precise data on the vulnerability and the attack costs nothing to them.
How to protect a company against internal and external threats
Sooner or later your business may turn into intruders’ target, it’s just a matter of time. First of all, intruders attack those organizations, which are not protected properly. That is why it is crucial to ponder, whether company’s infrastructure is protected well enough and if there are no deliberate malicious insiders among employees.
Below you can find the least of minimal required technical measures for ensuring organization’s protection against internal and external threats:
- Do not neglect usage of antivirus protection and use licensed software, update it regularly
- Distinguish access rights to confidential data (at least in Active Directory)
- Set the two-factor authentication to access services, critical for company’s business processes
- Use corporate email instead of free public one
- Perform monitoring of phishing activities cases, when your brand is impersonated
- Back up your data
- Use only encrypted data transmission channels
- Use tools for monitoring employees’ activities (DLP-systems) to mitigate insider-related risks.
What else can be done
A company doesn’t always have an onboard information security specialist; what’s more, it’s often too expensive for companies to purchase software licenses. That’s why I would recommend to consider information security outsourcing.
However, you can implement numerous protective measures absolutely free of charge. Set the regulations for interaction with critical data, for instance, specify, which employees should have access to specific documents, where exactly the documents should be kept etc. Implement the trade secret mode – this helps to enhance discipline, because not all the employees understand, that corporate data is an asset, and its misuse is a kind of crime, equal to an ordinary theft of company’s equipment from a warehouse.
Training employees in the sphere of information security helps to mitigate the number of accidental mistakes and incidents. It’s crucial to acknowledge staff about phishing attacks and internet safety rules; provide employees with regulations on how to work with sensitive data; implement the safe passwords policy; explain, why it is so important to log out the system when leaving workplace.
Complex implementation of even minimally required measures significantly enhances company’s protection.
About the Author
Sergey Ozhegov, CEO, SearchInform. Sergey is the Chief Executive Officer at SearchInform, which is the global risk management tools developer.
For over a decade Sergey has been contributing to the company’s success, handling business processes and strategic decision making. Sergey is a co-founder of annual SearchInform Road Show.
Sergey can be reached at our company website https://searchinform.com/