Friday, February 7, 2020

Common Sense 2.0 - the best cyber security tool

Dan Gander - Head of IT

Cyber security is always a hot topic and is one of the fastest growing fields in IT, but the best way to protect your (and your clients'!) data may not be to spend on the latest and greatest security tools and software.

The cliché goes that any system is only as good as its weakest link, and the often uncomfortable truth is that the weakest link in your cyber security system is the human element - your people. The only way to enhance it is to educate users on identifying and avoiding these attacks; to level up Common Sense.

Secured Systems + Educated Users = Real Cyber Security

So here's the reality: almost every major breach of cyber security in the last decade has had a human root cause, not a systemic one. Hollywood has done a great job of hooking us into the idea of hooded cyber criminals furiously tapping commands into terminals, quickly followed by a triumphant declaration of "I'm in!". This is an utter fiction; breaching systems like that is a lengthy and difficult process, and in most cases totally impossible thanks to the speedy distribution of updates from software vendors and businesses' investments in cyber security experts, software and appliances to monitor and protect systems at the digital level.

Unfortunately for the human element of our equation, this has meant that cyber criminals have a much higher success rate at much less cost if they just target people first; the most popular and effective example is phishing.

Phishing is the most common human-targeting exploit, with three main goals:

  • Obtain personal information
  • Send users to suspicious or fake websites
  • Instil a sense of urgency to manipulate the targets into acting quickly

One example of a campaign used a compromised email account to send out attack emails. These messages asked recipients to review a document by clicking on a URL. This malicious URL eventually redirected recipients to a phishing page impersonating a Microsoft Office 365 login portal.

Users would log in as usual, with their usernames and passwords being sent to the attackers, who later used them to send yet more phishing emails, to access information on employees and customers, and finally to upload ransomware which locked the victims' data until a ransom was paid for the keys needed to unlock it.

Sounds like a nightmare scenario, doesn't it? The NHS spent £460M on cyber security in 2016, and in 2017 was hit by the now-infamous WannaCry.

Almost half a billion spent on cyber security annually, all useless because one person wasn't given the skills and knowledge that could have meant the innocuous-looking link in a legitimate-looking email was identified and ignored rather than clicked on. The result was that the computer systems of the entire NHS nationwide remained crippled for 3 days.

What would 3 days without email, phones or access to clients' information do to your business?

Preventing an attack

Bad news time: nothing can prevent you becoming a target of a cyber attack of some kind, and always be wary of the snake oil salesmen guaranteeing it! In fact, if you rely on Microsoft's Office cloud services or Google Docs, you're already being attacked. Happily, your choice of vendor means you benefit from their incredible protection infrastructure; Microsoft spent over $1 billion in 2017 alone on cyber security systems to deal with the over 7 TRILLION cyber threat events they face every day. And if you're using their cloud offerings, you're benefiting from all that protection too.

Possibly the most important thing to accept when considering cyber security is that, despite your best efforts, the money you spent on software and systems and skills is only delaying the inevitable. The weight of probability says it's a matter of "when", not "if", you get hit. But thankfully all that ground work you put in will be pushing that nightmare day further away.

Prevention is a holy trinity:

  • Anti-virus software to monitor for known malicious software
  • Firewalled systems to prevent unauthorised access
  • Human skills to identify the potential threats and avoid them

Keep all these updated (including the skills), and review them as regularly as you can, and you might just be one of the lucky few to weather the onslaught of attacks without suffering a major loss or outage.

How to recover

So you did your best and it happened anyway, and you've lost access to all your systems and data. Now it's time to recover what you can. If you've been doing regular backups (nightly at minimum) then you're in luck: recovery should be quick, and if you've been testing your backup systems regularly then restoring your data should be second nature by now.

I cannot stress this enough - BACK UP YOUR DATA. Otherwise you're at the mercy of the attackers, who'll demand big bucks to give it all back - assuming they don't just take your anonymously exchanged bitcoins and run, of course.

How ready are you?

Here's a simple checklist you can follow:

  • Do you enforce ICO best practices for users' passwords?
  • Do you have anti-virus software installed on all your users' devices?
  • Do you enforce updates on anti-virus software at least weekly, run full scans, and regularly review the logs?
  • Do you have firewalls enabled on users' devices and on your network infrastructure, and do you review the logs and rules regularly?
  • Do you have an education programme in place for your staff to help them identify suspicious links and emails?
  • Do you have a resilient backup strategy with a minimum of nightly backups, including at least one off-site backup?
  • Do you regularly test all of these things - including your people?

If you answered "Yes" to all the above, congratulations. You're doing the bare minimum required; you'll delay the inevitable, and you should be able to recover from an incident with minimal disruption.

If you answered "No" to any of these items, you should review your cyber security provisions with some urgency.
