Cyber security attacks on businesses continue to make headlines in 2020. Past and recent incidents are prompting Australian business leaders to sit up and take notice, and as a result to push their cyber security practices to the forefront of their minds.
Just last week 9news reported that the Australian Red Cross bushfire donation fund of $216 million was targeted by almost 900 cyber-attacks. And in a 9news exclusive, Fiona Willan reported that a large data leak from an AFL fan website has exposed around 70 million records online. These included private conversations between users on the Aussie Rules forum Bigfooty.com, which has around 100,000 subscribers, along with personal information, email addresses, phone numbers, passwords and other sensitive information.
Major incidents like these are often the result of lax cyber security practices. So what are the weakest links when it comes to a business’ cyber security?
The number one weakest link for businesses is people: the people who work for the business. Employees are a company’s greatest liability when it comes to cyber security. Firstly, people fall for phishing emails, clicking on links or downloading documents that turn out to be malware. Secondly, people fall victim to business email compromise (BEC) scams that end up losing the company a lot of money. Businesses need employees to operate, so having no workforce isn’t an option. Businesses need people.
Importantly, cyber risk education is key to reducing the likelihood of a cyber security incident. Educating your staff about cyber security risks will require resources and employee participation. Employees need to be made aware that their cyber security practice matters to the business.
Any and all accounts attached to your business need to be secured by a strong password and, where possible, two-factor authentication (2FA). Firstly, staff must know never to reuse passwords from other accounts, including personal ones. Secondly, you can consider having employees change their passwords every 60 days and make it part of your IT policy. Finally, emphasise to your employees not to share their passwords with anyone else.
In 2018 a number of UK politicians admitted they allow staff at all levels, including interns, to log in to their computers.
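As an added example (not code from the article), the password rules above, strength, no reuse and a 60-day rotation, expressed as a small policy check. The minimum length, the PBKDF2 parameters and the sample account history are assumptions for illustration.

```python
# Added example: minimal password-policy check for the three rules in the text.
# Previous passwords are kept only as salted PBKDF2 hashes, never in plaintext.
import hashlib
import hmac
import os
from datetime import date, timedelta

MAX_AGE_DAYS = 60        # rotation interval suggested in the text
MIN_LENGTH = 12          # assumed minimum length (not stated on the page)
PBKDF2_ROUNDS = 100_000  # assumed work factor


def hash_password(password, salt=None):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 with a random salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def is_strong(password):
    """Minimum length plus at least three of the four character classes."""
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    return len(password) >= MIN_LENGTH and sum(classes) >= 3


def is_reused(password, history):
    """True if the candidate matches any stored (salt, digest) pair in the history."""
    return any(hmac.compare_digest(hash_password(password, salt)[1], digest)
               for salt, digest in history)


def rotation_overdue(last_changed, today):
    """True once the current password is older than MAX_AGE_DAYS."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)


def audit(candidate, history, last_changed, today):
    """Return the list of policy findings for an account; empty list means compliant."""
    findings = []
    if rotation_overdue(last_changed, today):
        findings.append("rotation overdue")
    if not is_strong(candidate):
        findings.append("too weak")
    if is_reused(candidate, history):
        findings.append("reused")
    return findings


# Constructed sample account: one previous password, last changed on 1 Jan 2020.
SAMPLE_HISTORY = [hash_password("Summer2019!!")]
SAMPLE_LAST_CHANGED = date(2020, 1, 1)
```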
3. Patch management
In 2017, the WannaCry and Petya outbreaks highlighted the importance of keeping software updates current. Both attacks spread by capitalising on a vulnerability in the Windows operating system targeted by the exploit known as Eternal Blue. Eternal Blue allowed the malware to spread within corporate networks without any user interaction, making these outbreaks especially lethal.
Microsoft had already released the patch for the Eternal Blue vulnerability in March, before the WannaCry outbreak occurred in May. If the patch had been applied promptly, it would have greatly reduced the impact. Yet despite all the publicity WannaCry received, it still didn’t stop the Petya outbreak in June: the Petya ransomware was able to use the same Eternal Blue vulnerability as one of the ways it spread.
IT managers updating software on company networks can fear that updating one part of the system will cause another part of it to break, so it is not always straightforward.
Above all, incidents like those outlined underline the importance of protecting vulnerable systems. Certainly, there is no way around it: patch management is a key way of protecting your vulnerable systems.
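As an added example (not from the article), a small patch-lag audit over a constructed host inventory modelled on the 2017 timeline described above. The exact dates, the 30-day patch SLA and the host names are assumptions for illustration; the audit reports which hosts were still unpatched when each outbreak began and which missed the SLA.

```python
# Added example: patch-lag audit showing exposure windows for a fix released
# in March against outbreaks in May and June (dates assumed for the example).
from datetime import date

PATCH_RELEASED = date(2017, 3, 14)
OUTBREAKS = {"WannaCry": date(2017, 5, 12), "Petya": date(2017, 6, 27)}
PATCH_SLA_DAYS = 30  # assumed internal target for applying critical patches

# Constructed inventory: hostname -> date the fix was installed (None = never).
INVENTORY = {
    "fileserver01": date(2017, 3, 20),
    "hr-laptop-07": date(2017, 5, 30),  # patched only after WannaCry hit
    "legacy-print": None,               # never patched
}


def exposed_hosts(inventory, on_date):
    """Hosts still missing the fix on the given date (unpatched or patched later)."""
    return sorted(host for host, patched in inventory.items()
                  if patched is None or patched > on_date)


def patch_lag_days(patched, released=PATCH_RELEASED):
    """Days between vendor release and installation; None if never installed."""
    return None if patched is None else (patched - released).days


def sla_breaches(inventory, sla_days=PATCH_SLA_DAYS):
    """Hosts whose lag exceeds the SLA (or that never patched), with their lag."""
    breaches = {}
    for host, patched in inventory.items():
        lag = patch_lag_days(patched)
        if lag is None or lag > sla_days:
            breaches[host] = lag
    return breaches


def exposure_report(inventory=INVENTORY):
    """Which hosts were exposed at the start of each outbreak."""
    return {name: exposed_hosts(inventory, start) for name, start in OUTBREAKS.items()}


if __name__ == "__main__":
    for outbreak, hosts in exposure_report().items():
        print(f"{outbreak}: exposed hosts -> {hosts}")
    print("SLA breaches:", sla_breaches(INVENTORY))
```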
4. Other companies
Businesses not only have to ensure their own cyber security practices are up to scratch; they also need to worry about the cyber security practices of other businesses they work with. If you work with a third party that is compromised, attackers could potentially gain access to your network, even if your company maintains tight cyber security practices.
For example, in 2013 Target’s systems experienced a major breach. This was made possible via a third-party vendor that had been compromised. That breach had an estimated cost to Target of more than $200 million.
To help safeguard against third-party weak links in cyber security, firstly look at network segmentation, or dedicated servers that vendors can use so that they do not connect directly into your company’s network. Secondly, it is worth having a conversation with potential vendors, preferably before you do business together, to ensure they take cyber security seriously and have appropriate practices in place.
5. BYOD (Bring Your Own Device) — bringing in trouble
Bring your own device (BYOD) has become increasingly popular, especially during the rush to work from home during the Covid-19 pandemic. Some businesses fully embrace the practice of allowing staff to use their own devices without considering the security risks:
- Staff can take their own device anywhere: home, office, travelling, café, car. This lets them work from different places but increases the potential for damage, theft and compromise.
- Personal devices are unlikely to have the same level of security as corporate devices, and are therefore easier for hackers to compromise.
Companies that allow BYOD need to, firstly, adopt a strict BYOD policy for their employees; secondly, give staff access to company networks via a virtual private network (VPN); and finally, implement 2FA on all their BYOD staff accounts. These are just some of the initial steps to tighten up security around BYOD.
Conclusion on the cyber security risks businesses are facing
Cyber security practices are important for every business in today’s climate. Certainly, no business can afford an incident, and we definitely don’t want to make the headlines. Maybe your business has some weak links?