BDO Cyber Lab: Smart Security Tips for your Business

28 November 2016

By Graham Croock, Head of IT Audit, Risk and BDO Cyber Lab

  • Make use of what you already have

    Minimizing risk does not always require the latest and greatest cybersecurity technologies; some of the fundamentals are available at the click of a button. Encryption, for example, is such a basic principle for protecting sensitive data that some businesses forget to even activate the technology.

    Password management is a simple but effective way of instantly improving the logical security of a business. Our research has shown that passwords are still given inappropriately little time and consideration. Analyzing over 2 million passwords leaked during 2015, SplashData found "123456" and "password" to be the two most commonly used passwords. Weak and easily guessable passwords are a wide open door to hacking and identity theft, and they can be easily addressed by avoiding words in the dictionary (use a compound instead) or by making good use of the free password management tools available online.
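    As an added illustration of the password advice above (example code, not part of the BDO article), the check below rejects the leaked favourites the article names, rejects a single dictionary word even when digits or symbols are substituted, rejects simple repetition, and accepts a longer compound of several words. The leaked-password and dictionary lists are constructed stand-ins; a real deployment would load a full breached-password list and a system dictionary.

```python
import re

# Constructed denylist: the two SplashData 2015 leaders named in the article plus
# a few obvious additions. A real check would load a full breached-password list.
LEAKED_PASSWORDS = {"123456", "password", "12345678", "qwerty", "111111"}

# Constructed stand-in for a dictionary (e.g. /usr/share/dict/words in practice).
DICTIONARY = {"summer", "dragon", "monkey", "welcome", "letmein",
              "sunshine", "coffee", "blue", "rabbit", "river"}

# Common "leet" substitutions users apply to a dictionary word.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})
MIN_LENGTH = 12


def normalise(pw: str) -> str:
    """Lower-case, drop trailing digits/punctuation ("Summer2016!" -> "summer"),
    then undo leet substitutions ("dr4gon" -> "dragon")."""
    core = re.sub(r"[^a-z]+$", "", pw.lower())
    return core.translate(LEET)


def is_single_dictionary_word(pw: str) -> bool:
    return normalise(pw) in DICTIONARY


def is_repetition(pw: str) -> bool:
    """True for strings that are one substring repeated, e.g. "passwordpassword"."""
    return re.fullmatch(r"(.+?)\1+", pw.lower()) is not None


def check_password(pw: str) -> tuple[bool, str]:
    """Return (accepted, reason). Decisive, cheap checks run first."""
    if pw.lower() in LEAKED_PASSWORDS or normalise(pw) in LEAKED_PASSWORDS:
        return False, "appears in leaked-password list"
    if is_single_dictionary_word(pw):
        return False, "single dictionary word (with or without substitutions)"
    if is_repetition(pw):
        return False, "repeated pattern"
    if len(pw) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["123456", "P@ssw0rd", "Summer2016!", "passwordpassword",
                      "short", "BlueRabbitRiver!"]:
        print(candidate, "->", check_password(candidate))
```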

  • Educate your employees

    "You're only as strong as your weakest link" is the message every CIO should be telling employees. Raising awareness amongst staff isn't a difficult or daunting task: they simply need to know some of the risks and some of the steps they can take to minimize them. As well as preventing malware and the like from getting in, businesses need to make staff aware of the risk of sensitive information getting out. A secure file transfer system should be used to send any confidential information externally.

    Preventing unauthorized access can be as simple as reminding employees to lock their screens while away from their desk, or to physically lock their work laptops away when not in use. The proliferation of bring-your-own-device (BYOD) has opened up more holes for confidential information to stream out of. Dedicated Wi-Fi for personal devices and greater user awareness of keeping operating systems and apps updated can go a long way to counter this. Finally, organisations themselves have to account for human error. Mistakes, after all, will happen.

  • Don't get held to ransom

    Ransoms are no longer just for multi-millionaires or physical extortion. Any business could find itself blackmailed these days, thanks to a particularly malicious and very common type of malware: ransomware. In a nutshell, ransomware prevents or limits users from accessing their systems by taking control of a target's computer and then encrypting all the data on it. The software's developer then demands a payment in exchange for handing over the encryption keys. Businesses in particular should be aware of the rising numbers of mobile ransomware, with Android devices being a particular target. Windows-based devices are under threat from a new version of "CryptoLocker", which now encrypts file names along with data in order to make it even harder for victims to recover data, according to Kaspersky. Ransomware victims aren't just large organisations; home users and SMEs are just as much at risk: schools, hospitals, professional practices and churches have all been struck. Ransomware can be extremely profitable. According to a 2015 report from Trustwave, criminals can get an estimated 1,425% return on investment for their ransomware operations, with the average ransom demand being between $300 and $500.

    Bitcoin has played an unwilling role in the rise of ransomware, with many cybercriminals demanding payment in the digital currency. Scared businesses are even thought to be stockpiling bitcoin in the eventuality of a ransom. There is a simple and effective solution for businesses to ransomware that does not involve handing over large amounts of ransom: adequate and appropriate Disaster Recovery Procedures (DRP).

  • Phishing, Spear Phishing and Social Engineering

    You do not need to be an evil IT mastermind to persuade someone to hand over sensitive information. In fact, cybercrime these days is as much about social engineering as it is about malware and viruses. As businesses have looked to address technical deficiencies, hackers have found a new weak spot: humans. And in phishing, pharming, vishing and smishing, fraudsters have some effective weapons to choose from.

    Phishing is an attempt to use social engineering to fraudulently obtain sensitive information from users. The message is typically formatted to disguise itself as a legitimate request and can nowadays be embedded in any Word document, Adobe document or spreadsheet. Modern phishing emails are carefully crafted and targeted at the end user, which is usually referred to as "spear phishing", or, if the target is a senior executive, "whaling". The attackers may know your business or your personal interests. They may have obtained this information by visiting the company's public website and observing and extrapolating the company structure.

  • Rushing to the cloud

    According to Gartner, more than $1 trillion in IT spending will be directly or indirectly affected by the shift to cloud over the next five years. Most businesses have indeed woken up to the advantages of cloud: cost savings, agility and innovation, to name but a few. Cloud can help organisations build a modern IT environment, providing them with a platform to build their digital business and future applications. But at the same time it effectively means you're handing over the keys to your data to a cloud provider. Even though cloud environments face the same threats as traditional corporate networks, they are a particularly attractive target given the vast amount of data stored on cloud servers. And cloud hacks do happen: some of the biggest names in the business, such as Apple and Amazon, have fallen victim. To counter this, most organisations should be using a combination of cloud services from different cloud providers. They should also be exploring hybrid cloud environments, in which businesses mix private and public cloud services with orchestration between the two platforms.

    Meanwhile, cloud-based services are also becoming an increasingly favoured option for businesses to bolster cybersecurity. Unified threat management is a great way to combine all your cybersecurity needs, be it firewall, network detection, antimalware, spam and content filtering or VPN capabilities, into one integrated package. This gives businesses advanced control over installation and updates, reducing overall complexity. But again, the flipside can be that it puts businesses at risk of a single point of failure. Take advantage of the cloud offerings on the market, but do your homework and mitigate the risks using appropriate Disaster Recovery Planning and Business Continuity Planning techniques.

  • Physical Network Security

    Investing heavily in cybersecurity but failing to physically protect the equipment itself is a bit like leaving your house with the alarm on but the back door wide open. Network infrastructure is generally not the most obvious target for criminals, but the growing threat of terrorism is changing attitudes to protecting physical infrastructure. Deadly terrorist attacks across East Africa have prompted businesses to invest further in physical security across their operations. Investment in the latest cybersecurity technologies should always be matched with investment in the physical protection of your equipment.
