There are frequent reports in the media about malware attacks. We hear of ransomware holding major databases hostage, and we hear of the theft of customers’ credit card details from retail companies. Occasionally we hear of the theft of intellectual property. It seems as if every company is under siege with the imminent prospect of a business‑threatening cyber-attack.
The prudent business fights cyber-attacks by implementing internet security, particularly online security measures using hardware and software solutions, supplemented by a programme of monitoring checks and regular reviews.
It obviously depends on the nature of your business, but most businesses are under threat from a drip‑feed of smaller cyber-attacks which bypass your major firewalls and associated Internet Security measures.
What gaps must the small business look for in its Internet Security environment to fight cyber-attacks, and what online security steps does it need to take to reduce the threat?
The first thing to remember is that there are no infallible security systems, only those that have not been broken yet. At some time, you will be the subject of a cyber-attack, and the effects of the attack depend on your preparedness and recovery measures.
The second thing to remember is that the most likely route for a breach of Online Security is internal, through an employee or contractor with access to your systems and data. It’s not just the electronic defences that need to be checked: people, intentionally or unintentionally, ease the way for security breaches. Taking home a production schedule on a memory stick is perhaps a small security breach, but it could just as easily have been a copy of information the company does not want in the public domain.
Common gaps in Online Security
Putting anti-malware hardware and software to one side, some gaps in Online Security that are commonly overlooked include:
Management of User Passwords
Often company exit procedures do not include the requirement to disable or remove the departing user’s access rights and computer profile. The former employee can then still gain access to systems and data. If the user was a privileged user, they can cause all sorts of mischief affecting the availability of the company systems. This applies equally to contractors who are granted temporary access to company systems and data.
Security audits have found passwords written on post-it notes attached to keyboards or monitors or on a piece of paper in a desk drawer.
User passwords are defined by the user and can be easily deduced: perhaps a maiden name, a date of birth, or the name of a pet or child.
Many organisations use the HR department to manage user access rights, including passwords. Passwords must change after a specified time and they must be constructed according to a predefined rule to prevent inspired guesswork.
Management of Systems Passwords
The Operations team often keeps a notebook or data file with all the systems passwords. Again, HR should manage these. That said, recovery procedures require copies of all software licence codes and of the default and operational log-in details. These should be kept in secure storage.
Users can copy confidential data to an external hard drive, DVD or memory stick and take it away. They can also introduce malware to the office network from DVDs and sticks brought from home.
The basic system image for desktop computers should prevent access to external devices like DVD drives, and connectors like USB, Firewire and Infrared. Most organisations have a dual user image where there is an admin user with full access to the computer in addition to the desktop user with restricted access.
A common gap in Internet Security is user access to personal email and social media from their desktop. Some companies allow it, some don’t, according to the corporate culture. If you do allow access, be aware that this allows users to make data immediately available on a public platform. If users can upload files to the Internet, this is another means of stealing confidential data. You should also be careful about the Internet sites that users can access, particularly external file servers. Some companies do not allow users access to FTP (File Transfer Protocol) servers.
Companies might consider themselves well protected if they have covered the bases in respect of external malware cyber-attack. They also need to include policy and procedure in their overall Internet Security systems to make sure they aren’t leaving gaps that can be exploited.