All data has value, and if it has value, it’s an asset that needs protecting.
We take micro-measures every day to protect ourselves and to manage the Confidentiality, Integrity, and Availability (CIA) of our personal assets. We lock our cars and homes, we file our financial papers away in drawers away from the prying eyes of the in-laws and the neighbours, and we don’t share our online photos of that stag party with people who weren’t there! We take all these measures because we understand and appreciate that our assets can be abused, taken out of context, and perhaps misunderstood; because the assets may have cost a lot of money and effort to procure and we don’t want to lose them; or simply because we don’t want everyone to know our business.
Protecting Your Business
Boosting security through micro-measures can be applied to businesses as well. Each business has valuable assets that possess an apparent value, and what those assets are depends on the business model. Often they have a high replacement cost in time and money if lost, as is the case with code and documentation; or they may give third parties advantages we would prefer them not to have, such as pricing and contracts. They may simply be a financial investment, like hardware and software licences. Or the asset may be information that could damage your reputation if left unprotected.
No matter what the asset is that needs protecting, all businesses should ensure they are doing everything in their power to protect themselves as well as their stakeholders. Government regulations and legislation are looking ever closer at ensuring that companies not only protect their own assets but that of their counterparts through supply chain security. The chain of “National Security” is only as strong as its weakest link. Governments are seeking assurances from their major suppliers, while major suppliers seek assurances from their own support infrastructure and manufacturers, and on it goes. Let’s dive in and look at four easy steps to boost your business’ cyber security.
This is the part of the movie where the wizened instructor tells the student to forget everything they know. Go ahead! Forget everything you know about password security.
How many times have you written down a password that looks like someone mashed their hand on a keyboard because it’s just too complex to remember? When it comes to passwords, if they are not used every day, they’re bound to be forgotten. People create their own methods to deal with password overload. They re-use passwords across multiple services, write them down on a bit of paper in their wallet, post a sticky note to their screen, and perhaps even keep a notebook filled with all their passwords. Maybe they don’t keep track at all and simply rely on password resets, either self-service or performed by support staff. Either way, forcing complex password policies is probably doing more harm than good.
The simple way to make a strong password is with length.
A typical complex password of 8 characters (using a mix of upper case, lower case, number, and symbol) can be broken by a consumer PC in about 5 hours. Amazon Web Services (AWS) can do it in 37 minutes. Not so bad you may think, but that’s 67,675,234,241,018,881 – about 67 quadrillion – options, done in under 37 minutes! Now take your 8-character complex password, the one that everyone hates and writes down, and instead make it 12 characters, all lower case, e.g. “computasezno”. Very easy to remember, and this now goes from 5 hours to 3 weeks to break! Even if some hacker with a stolen hash file decides to use AWS, it’s still going to take 2 days. Throw in some upper case, “Computasezno”, and that’s 24 years with AWS!
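To see why length beats complexity, the following is an added example (not code from the original article) that computes the search space, the entropy in bits, and the worst-case time to exhaust that space for the three policies contrasted above. The character-class sizes and the guessing rate are assumptions for illustration, not the article’s own figures, so the absolute times differ from those quoted; the ranking is what matters.

```python
import math

# Character-class sizes assumed for this example (printable ASCII); not figures from the article.
CHARSETS = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

def keyspace(length: int, classes) -> int:
    """Candidates an attacker must try in the worst case: alphabet_size ** length."""
    alphabet = sum(CHARSETS[c] for c in classes)
    return alphabet ** length

def entropy_bits(length: int, classes) -> float:
    """Strength in bits, assuming every character is chosen uniformly from the alphabet."""
    return length * math.log2(sum(CHARSETS[c] for c in classes))

def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given offline guessing rate."""
    return space / guesses_per_second

def human_time(seconds: float) -> str:
    """Render seconds as the largest sensible unit, e.g. '3.2 days'."""
    for name, size in (("years", 31_536_000), ("days", 86_400), ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"

# The three policies the article contrasts: short-and-complex versus longer-and-simple.
POLICIES = {
    "8 chars, all four classes": (8, ("lower", "upper", "digit", "symbol")),
    "12 chars, lower case only": (12, ("lower",)),
    "12 chars, upper and lower": (12, ("lower", "upper")),
}

def compare_policies(guesses_per_second: float) -> dict:
    """Map each policy to (entropy in bits, worst-case time to exhaust at the given rate)."""
    result = {}
    for name, (length, classes) in POLICIES.items():
        space = keyspace(length, classes)
        result[name] = (round(entropy_bits(length, classes), 1),
                        human_time(seconds_to_exhaust(space, guesses_per_second)))
    return result

if __name__ == "__main__":
    # Assumed rate for an offline attack on a fast, unsalted hash. A slow KDF such as bcrypt or
    # Argon2 cuts this by orders of magnitude, so how passwords are stored matters as much as policy.
    RATE = 1e10
    for policy, (bits, time) in compare_policies(RATE).items():
        print(f"{policy:28s} {bits:5.1f} bits  {time}")
```

The 12-character lower-case password already has a larger search space than the 8-character four-class one, and adding a second class to the longer password multiplies it by another 2^12.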
Get the Board Onboard
Investing in a programme of security measures is often a tough sell to the Board. Spending on infrastructure, with no immediate measurable benefit, is difficult for IT managers, and for business owners looking to justify the expense. Often the only way this becomes a discussion is because of external threats, external influences, or as a result of recent compromises, and that is all before we consider any other compelling reasons such as government regulation.
No matter what cyber security route is pursued, without leadership and commitment from top management, any security-focused investment and management plan is doomed to fail. So how do you get the Board onboard?
Reframe it for them. Investment backed by sound advice, engagement, and credible outcomes is not a drain on resources, but part of the modern fabric of doing business. It is critical to focus on profit, loss, sales, and customer experience, as these are ever more closely linked to how technology underpins productivity, security, and performance.
Describe real examples of information security risks and the financial impact they have, and explain how implementing a security programme mitigates them; this is an easy way to show the necessity of making that change. The programme includes technical solutions like anti-malware software, as well as more general benefits like an improved company culture, where employees take greater responsibility for information security.
An effective security-compliant infrastructure requires a capital investment to ensure hardware, operating systems, and applications are up to date, legacy networks have been culled and updated, effective malware protection is in place, your mobile device estate is not vulnerable, robust policies and procedures are implemented and well documented, staff are trained in security awareness, and changes in working practices are adopted and encouraged from the top down. Once the compliance standard is met, the entire infrastructure needs monitoring, reviewing, reporting, and managing on a regular basis.
Multi-Factor Authentication (MFA), also known as 2-Factor Authentication (2FA) or Two Step Verification (2SV), is the security principle of “something you have and something you know”.
This simple principle most often manifests itself as the combination of a smartphone (something you have) and a password (something you know). This security principle, once the preserve of large enterprises for the protection of highly sensitive data, is now quickly becoming commonplace in the SME market sector. Why is that?
Personal data breaches are increasing, and the ability to brute force a stolen hash file is now within the financial grasp of even the lowest level of cyber-criminal. Q3 2021 saw over 600 reported cases of data breaches including personal records such as names, addresses, passwords and more. As these are only the breaches reported to the ICO, the real figure is likely much higher. The cost of a data breach is not just the possible fine from the ICO for GDPR or PCI-DSS noncompliance but the costs of recovery, remediation, and reputational damage that a breach incurs.
Cyber-criminals employ each of the following methods:
• Use passwords from leaked data sets, just in case those passwords have been re-used, as they often are
• Engage with social engineering to finagle details that could reveal passwords (e.g. phishing)
• Try commonly used password lists on the assumption that users use those words.
The natural downfall of passwords is that they are the overwhelming method of authenticating a user’s identity and their authorisation to access organisational data: a password alone gives no way to differentiate between a valid user and a criminal who has obtained it. MFA provides an additional level of assurance that the accessing user is valid.
When should an organisation use MFA? Every time. No matter if the service is on-premises or accessed via cloud, MFA is a cyber security must-have, especially for elevated service privileges like the system administrator role. All cloud services should be protected by MFA and, if your application service provider does not support MFA, ask them why not. If no MFA can be implemented, it is in the company’s best interest to change service providers.
The Human Firewall
Train employees to recognise security threats, report them to the IT staff, and implement all security measures. Make sure that the knowledge employees receive is appropriate for their role within your organisation.
Keep training sessions short, to the point, and focused on the content staff need to know. Filling their heads with technical detail about matters outside their control may overwhelm their ability to take in what is important to their role.
Hold a quiz at the end of the training to prove they have listened and understood the training delivered.
It’s recommended to recap on these courses every 4-6 months to make sure employees have not forgotten what they learnt and to ensure that the defences against attacks are still holding strong with the most up-to-date information. With new threats appearing all the time, new content will need to be added as your policies and procedures adapt to the changing threat landscape, such as new password policies and device management controls.
How Wicresoft can Help
With cyber-threats increasing and the nature of attacks changing, we help protect your endpoints, data, operating systems, email, Microsoft 365 environment, perimeter, and internet traffic. Wicresoft offer cyber security audits to identify any security gaps, assist with Cyber Essentials certifications and provide Security Awareness Training to educate your staff, which further mitigates risk.