In the past year, UK businesses have seen a 22% increase in cyber crime resulting in losses more than £1bn. A staggering figure. So how do we turn this rising number of cyber crimes against businesses?
Taking care to educate and inform employees of more robust security measures, and implementing cyber crime prevention tools can have an effect, and can help better safeguard your business from hacking.
To help you make your business a safer place we have spoken to experts in cyber crime and asked ‘If you could offer three pieces of advice to help businesses better protect themselves from cyber crime, what would they be?’
Check out their responses below.
Robert Sicilano is a personal security and identity theft expert. With close to 30 years' experience under his belt, Siciliano has been driven to educate and inform people on violence and crime in the virtual world.
'Security Awareness training has not worked. Some studies show anywhere from 15-80 percent of consumers or employees still fall for phishing scams. Why? There is no patch for human gullibility. And because security awareness is “head based” information, knowledge, perception or an intellectual understanding it still lacks “security appreciation”.
Security appreciation is consciousness, comprehension and a degree of gratitude for someone or something. This “heart based” appreciation and understanding affects us at a cellular level. When you make your employees and client’s data security appreciative and social engineering proofed, then your data and everyone’s identities become tougher to hack.'
ThreatMetrix is able to recognize a digital users identity, helping businesses remain safe. Their tool 'allows users to transact their business seamlessly and without friction"
- Understand the latest threats; look beyond your own network perimeter and leverage global shared threat intelligence
- Use the latest technological innovations to understand the true identity of your digital customers and internal workforce to distinguish between genuine users and cybercriminals
- Don’t settle for security measures that get in the way of business or commercial priorities. If security measures are too onerous, users will circumnavigate them or digital customers will go to a competitor. User experience is key.
Eric Vanderburg is an information security executive, thought leader and author known for his insight on cybersecurity, privacy, data protection and storage. Some have called him the “Sheriff of the Internet” since he and his cybersecurity team at JURINNOV protect companies from cyber threats, investigate data breaches, and provide guidance on safe computing.
'Most businesses are affected by cybercrime in some say. It could be malware residing on business machines, locked files from ransomware, data exfiltration, or fraud. Some are more commonplace than others but businesses must be vigilant for cybercriminals are eager to exploit the weakest link in organizational security. User training is the most important thing to do. The vast majority of incidents begin from some interaction with a user. This may be navigating to a website infected with malvertizing, clicking on a malicious link, downloading infected files, or providing information in response to a phishing message. Users need to be able to recognize attacks, understand safe practices, and be equipped with the tools to protect their companies and the data they work with.
My second piece of advice is to have backup and recovery systems in place. Some problems are best fixed by wiping a machine and then restoring from backup. However, this assumes that a backup is available for the data on the machine, server, or device. As adoption of the Internet of Things increases, businesses will need to ensure that they can recover those devices as well if they are compromised with a malicious firmware. It is not only having the backup that matters. Companies must be able to restore that data within specified time frames and the backups must be recent enough that losses are within acceptable limits.
My last piece of advice is to assess your organization against industry standards and best practices. Identify the gaps and create a plan of action to implement remediation. Many smart minds have analyzed systems and determined ideal configurations or security controls to have in place and these can serve as excellent guidelines. It is also important to size the standard for your organization. Some are written for the enterprise so a small business will need to understand how segregation of duties is implemented when there are only three people who work in IT or how to implement a configuration management review team or incident response team.'
David Whitlegg runs the Cyber Security Expert Website - a place to keep up to date on news, alerts, and provides security related tips. His wealth of experience makes him an authoritative voice in the field.
- Educate all business staff about dangers and latest attack methods, particularly ensuring they aware of targeted scam emails (spear phishing). Cyber criminals are increasingly targeting individual business staff members, typically those with finance responsibilities, by crafting highly convincing emails using information about the business, its staff and its suppliers. These scam emails once responded to, will typically try to convince (social engineer) individual staff members to arrange a bank transfers or payment to a bogus account operated by the cyber criminals.
- Keep all Servers, PCs, Laptops, Tablets and Smart Phones operating systems and applications updated (security patching). Out of date software is vulnerable and commonly exploited by malware and hackers.
- Business staff should use unique passwords with each third party/online service used by the business. Ensuring password are complex and changed every 90 days. Where possible use mutli-factor authentication (I.e. password + hardware token or text message confirmation). Cyber criminals know many people use the same email and password combination across multiple websites, so when they obtain one credentials combination, usually via a third party website hack, the database of which are often dumped onto the darkweb, cyber criminals try the same stolen email and password combinations to attempt to access further online services, with the intent of stealing personal data and money.
Rhino Security Labs aims to help businesses identify their security vulnerabilities, and safeguard themselves against cyber attacks. Their proactive, actionable advice is always worth taking
- Get a password manager, such as Keepass or Lastpass. Compromised and reused credentials is the single biggest threat to businesses.
- Handle the basics first. Patching systems, phasing out old operating systems (such as Windows XP) and ensuring antivirus is installed and updated are critical to security. Many exploits and attacks utilize these old, well known security issues.
- Educate users on social engineering and phishing. Phishing - another classic security attack - is still very common. Even sophisticated attackers utilize email attacks as a simple means of compromising networks and data. The Hillary Clinton presidential campaign was compromised through a simple phishing scam, for example.
EMEA Sales Manager
Webroot provide a 'smarter solution' to outdated security technology that can't keep up with advance cyber attacks. They provide a wide range of security products including mobile security, file reputation, and more.
'Businesses looking to protect themselves must understand the risk environment for the specific organisation and implement relevant security policies, including appropriate administration, password policies and back-up. They should also deploy technical solutions and threat intelligence that will be able to proactively hunt for suspicious traffic and apps as they hit the network. Security and IT teams must contain the right skill-sets to ensure these systems and solutions are managed correctly, and all other employees and stakeholders with access to the company’s network must be continuously educated as to the potential threats they may encounter.'