Protecting your business from cyber security incidents – part 1

Every day, cyber security incidents occur, whether you know it or not. It could be as simple as an employee accidentally sending a confidential email to the wrong recipient or as sophisticated as a hacker compromising your network. Despite daily reminders of security incidents in the news, it might be easy to think that this is not something that could happen to you, and that you shouldn\’t worry about it. My goal with this article is to convince you that you should care, and explain how a security incident could have massive negative consequences for you and your business. It also provides some tips on how you can vastly improve the information security in your company without asking your father for a small loan of 1 million dollars.

What is a security incident and why does it matter to you?

As mentioned in the introduction a cyber security incident can be a number of things. The definition of a cyber security incident is something along these lines: “an event that threatens the confidentiality, integrity or availability of a system or information”. I know that sounds complicated, so let me provide some examples to give you a better idea of what they are.

  • A contract of employment being sent to the wrong employee – This is an incident where confidential information is exposed.
  • A large amount of “fake” internet traffic is sent to an online webshop in order to take down their service, and prevent legitimate customers from making purchases. – This incident affects the availability of a system.
  • Students break into the it-systems of their school and manipulate their results. This is an example of a security incident affecting the integrity of the information or system that was manipulated.

Some security incidents are more likely to occur than others, and some will be more relevant to you. It is all depending on the context of your business. If your company does not run an online webshop, then I do not suggest lying awake at night worrying about your webshop going down. But there are some types of incidents that are relatively likely to occur, and cause a lot of damage once they do. These are the incidents you should worry about, and try your best to avoid. An example of this is something called a ransomware attack.

But there are some types of incidents that are relatively likely to occur, and cause a lot of damage once they do.

Ransomware either encrypts all the files on your system, or locks the entire system down, making all user-data and applications unavailable. Victims may regain access by paying a ransom fee to the attacker, and then hope and pray that they receive the correct key to unlock their system. The people behind these attacks are usually financially motivated, and therefore try to affect as many systems as possible. This is why these attacks are considered a threat to pretty much every system connected to the internet.

Now just imagine that you get in to work one day and your systems are locked down, and the data you had stored on those systems are gone. Would your business be able to keep operations running, and continue business as usual? If not, how long would it take to get things back to normal? One day, one week or even a month? Now try to remember the last time you took a backup of important files. You could pay the ransom, but there are no guarantees that it would result in you getting your files back. It might just as well lead to you losing both your money and data.

Hopefully this thought experiment gave you a better understanding of how impactful these incidents can be, and why you should make an effort to protect your business against them. In the next section I introduce a couple of things you can do right now to improve your information security by a lot, without spending a fortune.

Improving your information security

Security awareness training

Most security incidents are caused by human error. Numbers from the UK Information Commissioner’s Office show that 90% of the security incidents they handled in 2019 were caused by end users. Nearly half of the cases were results of successful phishing attacks, where users are tricked into giving away personal information, or downloading malicious files. Other types of human error include misdelivery of emails and writing passwords on post-it notes.

Sometimes we make mistakes because we are tired, unfocused and not paying attention. Other times it is simply because we do not have the knowledge on how to act securely. This can be solved (or at least heavily improved) by learning more about information security and doing training exercises. There are a ton of free educational resources available and I have included some of them here.

This quiz created by Google will teach you how to distinguish between phishing and legitimate emails. Both enjoyable and educational.

https://phishingquiz.withgoogle.com/

The US Federal Trade Commissions guide to \”Cybersecurity for small businesses\” includes basic cyber security learning material along with information on how to deal with ransomware, phishing and more.

https://www.ftc.gov/tips-advice/business-center/small-businesses/cybersecurity

The importance of strong authentication

I can not tell you how many times I have registered an account for an online service and when asked to login realize that I have forgotten the password I just created. Humans and passwords do not work well together. I know this by experience, and I think many of you feel the same way. Verizon reported in their data breach report last year that 80% of the data breaches they investigated involved passwords that had been guessed or stolen. There are two main ways ofprotecting against this: strong/unique passwords and multi-factor authentication.

Secure passwords

There are some simple rules you can follow when creating passwords. The first rule is to create a new and unique password for every service you register for. This limits the attacker to accessing only that service if the password is lost or stolen. Another rule is that longer passwords are better. Aim for at least 12 characters, but preferably longer. Try to avoid common words such as password, winter, summer and so on.

Passwords are hard to remember, and the strong ones are even harder. Having strong and different passwords for every service you register for, that requires super human memory!  Luckily there are tools that can help. Password managers will help you generate strong passwords and store them in one place. So far I have been using Lastpass which I can recommend.

Multi-factor authentication

A password is something the user knows that can be used to prove their identity. We refer to this as a single factor or evidence. There are other types of factors such as a fingerprint or an app on your cell phone. Introducing an additional factor that must be provided to gain access to a system makes breaking in a lot harder. Now, if your password is stolen, the attacker is still missing one factor and will not be successful at this point. Most services offer some form of multi-factor authentication and I suggest you start by activating it for the services you consider important.

Knowing what you have and keeping it up to date

Attackers are continuously looking for ways to get onto your systems, and sometimes your apps and programs contain security holes that let them do just that. When these security holes become known to the public the creators of the software releases an update to fix the issue. Updates should be done as soon as possible, and enabling automatic updates can be clever.

Keeping track of all your devices and assets is necessary in order to keep everything updated and secure. This includes physical devices like laptops, cell phones, servers, printers etc. but also virtual assets like web applications or virtual machines hosted at third party providers. It is possible to perform this tracking manually up until some point where automating the process would be more efficient.

Well, that is all for now. Hope you enjoyed the read and maybe learned a thing or two. Now is the time to take action, so get started today! I am happy to receive any feedback as this is the first article I’ve ever written. Also feel free to contact me if you have any questions!