Cyber security is an increasing problem for business, and according to the Cyber Security Breaches Survey 2018, it exists on an extensive scale.
More than four in ten UK small businesses, and two in ten charities, experienced a breach of cyber security in the last year, according to the Survey. Among larger businesses, the figure rose to two thirds. Although 74% of SMEs report feeling safe from attack, the Survey suggests ‘There is still a lot that organisations can do better.’
In this Briefing, we review areas where the Survey found that many businesses left themselves open to attack, as well as other key topics:
- technical controls neglected by many businesses
- special dangers with mobile working
- safeguarding removable media
- password policy
- detecting phishing emails.
The Survey found that around 50% of the business population failed to implement basic technical controls set out in the government’s Cyber Essentials scheme https://www.cyberessentials.ncsc.gov.uk/
Filtering what comes in
The first line of defence is to filter what’s coming in. It may sound obvious, but the Survey found that around one in ten businesses still don’t routinely do so.
Firewalls and antivirus software filter incoming computer communication. Together, they establish what’s safe to allow through, and block malicious software (‘malware’). At the most basic level, say, for a laptop connected to the internet, a firewall may be included in the operating system. In this case, it simply needs to be switched on. But many businesses will have a more complicated system, with various different types of devices. They may need a boundary firewall to protect the whole network. Some routers may contain a firewall, but this is not always the case, and your internet service provider can provide clarification. Another tip is that firewalls can be set up or ‘configured’ to block sites which could pose a risk to your business. This way staff can’t access them.
Antivirus software should be installed, and switched on, for all computers and laptops, running regular scans to delete malware such as viruses and ransomware. Antivirus software should be updated as regularly as possible. Smartphones and tablets also need protection, though they may not need separate antivirus software, depending on how they are configured. The National Cyber Security Centre offers guidance here goo.gl/3NmA9G
Many businesses run outdated systems that seem to work ‘well enough’ to save the time and effort involved in doing updates. But keeping the system up-to-date is critical, and the Survey highlighted this as an area where many businesses weren’t sufficiently rigorous. Nearly one in ten businesses weren’t regularly updating software and malware protection. Basically, everything needs to be up to date: operating systems, software, apps. And on all IT equipment: tablets, smartphones, laptops and PCs. The operating systems on all business devices should be set to ‘Automatic Update,’ and software likewise.
Applying updates is called ‘patching.’ Patches exist not just to offer new features, but because security vulnerabilities are regularly discovered. That means that businesses which don’t apply patches are easy prey for cyber criminals - who are every bit as quick to find software errors as the software developers.
Another tip is to remove any unused software or services from devices used. In the words of the Information Commissioner’s Office, ‘If you don’t use it, then it is much easier to remove it than try to keep it up-to-date.’
Businesses also need to think about replacement policy. There will come a point at which a device reaches the end of its supported life and updates will no longer be available. Replacements need to be bought in at least by this point.
Checking who has access
Another area of concern in the Survey relates to access rights. Who has access to what in your business? Restricting user access to the system is another of the basic technical controls set out in the Cyber Essentials scheme.
Staff accounts should be configured so that if there is a phishing attack on your business, the risk is minimised. This means that users should be given the lowest level of user rights necessary to do their job. If, for example, a user account exists to create backups, it doesn’t need to be able to install software as well – and it’s safer if it can’t. Restricting access in this way is called the ‘principle of least privilege.’
‘Administrator’ privileges are particularly important and should be kept to a minimum. An Administrator account can change security settings, install software and hardware and access all computer files: a security breach here therefore has more serious consequences than a breach of a standard user account. Most malicious software, for instance, needs Administrator privileges to install itself or gain access to protected files. Making sure staff don’t use an Administrator account to browse the web or check email can reduce the risk of an Administrator account being compromised.
When staff leave, remember to delete or deactivate their user accounts. This is also worth considering if staff are away from work for prolonged periods.
Selecting secure settings
The Survey also found that many businesses were failing to use appropriate security settings – another basic control listed in the Cyber Essentials scheme. Selecting the most secure settings for devices and software is critical. The ‘default’ settings of new devices and software – those used by the manufacturers – will in many cases need customising before use to improve security. One tip would be to disable or remove functions, accounts and services that your business doesn’t need. Default passwords should be changed before devices are used (see below). Touch-ID or PINs can also be used to provide extra security.
Special dangers with mobile working
On business premises, servers can be stored in a separate room. Back up devices, CDs and USBs can be locked away while they’re not in use. But when staff are mobile, different risks arise.
Loss or theft of devices is a particular hazard. Many devices, however, now include free web-based tools which can track a device and lock it remotely so it can’t be used. They can also remotely erase data and retrieve a backup of data stored on the device. Mobile device management software can be used to set up a standard configuration on all your devices to do this.
Unknown Wi-Fi hotspots, for example in hotels and coffee shops, are a prime risk. Connecting to the internet in a hotspot can potentially give someone else access to what you’re working on while connected, or to private login details which many apps and web services maintain while you’re logged on. Using 3G or 4G mobile networks instead provides security. This has the advantage that you can also use ‘tethering’ (your other devices, such as laptops, share the 3G/4G connection) or a wireless ‘dongle’ provided by your mobile network. Another possibility is to use a Virtual Private Network (VPN), which will encrypt data before sending it.
The Survey noted that where businesses allowed staff to connect their own devices to a business network, say for remote working, this added another layer of risk. A ‘Bring Your Own Device’ policy, setting out appropriate security can help here.
Safeguarding removable media
The Survey highlighted the fact that many businesses needed to pay more attention to removable media - disks and drives like DVDs and USBs. Removable media can be easily lost - and important business and customer data with them. But if infected, they also have devastating potential to spread malware throughout an entire business. Tips to minimise infection include blocking access to physical ports for most users, only allowing business-owned removable media to be used with business devices, and using antivirus tools. Not all staff will need access to USB drives, and it can be prudent to make an inventory of USB drives, who they’ve been issued to, and monitor on an ongoing basis whether they are still necessary.
‘A free, easy and effective way to prevent unauthorised users accessing your devices.’ That’s how the National Cyber Security Centre describes a good password policy. It’s important to make sure password protection is operative on all devices - laptops, PCs, smartphones and tablets - and that manufacturers’ default passwords are changed before devices are used.
The use of three random words, and misspelled words is current best practice, and experts recommend training staff on how to create non-predictable passwords. ‘Password’ and ‘123456’ still come high on the list of most-used - and therefore most dangerous - passwords. Secure storage, like a locked cupboard, is advised, to give staff the ability to keep a written note of passwords safely. Password details should never be left with the device itself.
As part of a secure password policy, the use of two factor authentication (2FA) for important accounts like email, banking and IT admin is worth considering. 2FA works by using two different methods of verification before a service can be accessed – but is dependent on the service provider allowing its use. It usually works by using a password in combination with a code sent to a mobile phone. This means accounts can’t be accessed even if an unauthorised person knows relevant passwords. Service providers are now starting to offer enhanced confidentiality and security settings for email, which may help here.
Detecting phishing emails
Good cyber security isn’t just about technology: it’s also about people. One of the most high-risk areas is staff receiving fraudulent emails. Phishing attacks, where emails are sent out asking for sensitive information or containing links to malicious websites, are becoming more and more sophisticated. Just one click can introduce malware with devastating consequences. Reputable ‘brands,’ such as HMRC, can be used as a ‘hook’ – and the resemblance to the authentic brand can be very high. Invoice-related scams are increasingly common, as are banking security notifications. Other scams operate by requiring staff to ‘enable content’ or ‘enable macro’ before they can view. Configuring your accounts to give least privilege (as above) and training staff will help keep your business cyber secure here.
How we can help
It has never been more important to have secure online behaviours in place, and we have only been able to give general guidance here. Please do not hesitate to contact us for help carrying out a security or information audit, or training staff on security issues.