Writing for Defence Online, Bruce Penson, Managing Director, Pro Drive IT, takes a look at the cyber risks posed to businesses as the UK looks to bounce back from COVID-19.
As the wheels of the UK economy start to spin at pace again, most organisations will be looking to make up for lost time, and their key focus will be on recovering revenues and getting money back in the bank. However, the deteriorating cyber security situation should not be overlooked while the focus is on growth.
Cyber-crime has soared since the beginning of the COVID-19 pandemic; changes in working routines and the growing use of technology in businesses have created new opportunities for cyber criminals to exploit. Coupled with a global economic emergency, these changes are driving more and more people to crime and, thus, the perfect storm is brewing. The UK Government has recognised this issue and, subsequently, made doing more to tackle cyber-crime a key commitment of its post-pandemic ‘Build Back Better’ campaign.
But cyber security should also be a boardroom matter and regularly reviewed in any organisation. Here are four of the key risks that businesses should be covering …
1. Remote working
The coronavirus pandemic has resulted in one of the biggest, and indeed the fastest, transformations in working patterns and arrangements. While many remote workers will return to an office environment as the pandemic subsides, many employers will inevitably have to accommodate requests from staff to work from home for some of the time.
Remote working comes with two major risks from a cyber security perspective — the first being a technical one. Computers running in a business network are operating in a highly controlled, regularised and locked-down environment. A home IT network is the opposite — usually created by someone with little or no IT knowledge, lots of likely insecure ‘smart’ consumer devices on it, no regular review or updates to security software. In other words, a company laptop in a home network almost has an open door to cyber criminals.
So, how can organisations provide their staff with the opportunity to work from home while at the same time protecting the security of their data?
To defend against the technical risks posed by remote working, businesses should ensure they have a robust anti-malware service; this should be a premium service that scans web traffic and prevents ransomware (a free anti-virus product will not be sufficient). Firms should also ensure PCs, the software on them, and security software is up to date. Some kind of remote monitoring system will be required to achieve this.
Computers should also have the firewall enabled. It may be worth considering using a VPN to channel all traffic via the office network or a cloud firewall. This encrypts all traffic coming to and leaving employees’ computers and cannot be read if intercepted. Monitoring the log files of all computers to look for anomalies is also advisable. This is often known as ‘endpoint detection response’ and requires trained security professionals to interpret the data.
2. Authorisation and awareness
Another consequence of the increase in remote working is the complexity added to some business processes by not having everyone in the office at once. As a result, shortcuts can be made, or people easily misled into making incorrect authorisations. Cyber criminals are taking advantage of this lack of awareness and looking to trick businesses out of money or into disclosing passwords or confidential information — often resulting in a significant financial loss or a breach that damages reputations.
This deception process frequently starts by email, but it can equally be by phone, text message, compromised websites or fake apps on smartphones. When a team is spread around various locations, such deception can be difficult to identify, and staff are less likely to report any suspicious activity due to the additional complexities of doing so when not in the office.
To protect and educate the workforce, businesses should action regular awareness training for staff, ensure all financial systems have approval systems set up and make sure both internal and client-facing approval workflows are robust and have a full audit trail.
3. Email threats
Email remains the main entry point for cyber security breaches for corporate networks, and criminals have stepped up campaigns of malicious email. These emails are becoming increasingly sophisticated and, with the rise in email ‘noise’, are more challenging to spot.
Examples include notifications from Microsoft or Google that someone has shared something with a team member. A cyber criminal can easily craft an almost identical email to a genuine one and identify a contact or colleague the employee might be expecting to receive a notification from (for example, from LinkedIn).
These sophisticated attacks require more advanced email security. If, for example, companies are using Office 365 for their email (as many businesses do), the ‘standard’ email security they receive as part of the licence is no longer likely to be sufficient. Advanced email security uses artificial intelligence and data centres full of powerful servers to analyse emails for threats before the end-users receive them to help protect against impersonation or advanced phishing attacks.
4. Cloud systems
Most businesses have seen a huge growth in their use of cloud computing over the last year. Whether to replace older server-based software or automate manual business processes, cloud software systems can be implemented quickly, have a relatively low start-up cost, and rarely require large IT teams to implement.
However, as cloud systems are usually not protected by business networks, ensuring security is included in the licence and appropriately configured is critical to prevent organisations from putting their data and business at risk. Often, this is overlooked in the interest of speed of deployment, and the security features are hidden in higher cost ‘premium’ licences by cloud providers.
For all their cloud software, companies should, as a minimum, enforce secure passwords (minimum of eight characters, lockout after five failed attempts), have multifactor authentication enabled for everyone, fully enable audit logs, review sharing controls and set these to be appropriate for the business and have an audit trail and authorisation process for creating new users and removing them.
Undertaking a Cyber Essentials certification
An excellent starting point for any security review should be going for certification for the UK Government’s own cyber security standard — Cyber Essentials. As well as covering some of the points mentioned in this article, Cyber Essentials helps businesses configure their IT systems according to best practice, helping to prevent the most common of cyber security breaches.
If you would like to join our community and read more articles like this then please click here
The post Don’t underestimate the cyber security risks facing businesses appeared first on Defence Online.