How to defend your business from cybercriminals

Barry Searle, Director of Education at Cyber Stars Initiative has seen it all. He’s dedicated his career to helping more and more people understand the practical steps they can take to protect themselves and their organizations.

But how real is the threat? “This is a $2.5 trillion USD market. There is a lot of money to be made by cyber criminals. And on average globally, only one in 400 cyber-attacks or cybercrimes against businesses are actually investigated,” says Barry.

Small and medium-sized enterprises are in fact the fastest growing targets for attacks. Why? Barry explains: “Because you have economic value, you’re heavily connected, you’re out there shouting about the success (quite rightly) that your business has achieved – but you may not yet have invested in the infrastructure to protect it in the same way that large organizations have.”

According to Peter Buckley, Head of Technology and Cyber Resilience, HSBC Bank Canada, it’s easier for the bad guys than ever before.

“Today there’s strong economic incentive, and much less risk,” says Buckley. “This is the age of Malware-as-a-Service, where advanced tools can be bought and sold for cheap and used to attack any organization.”

That doesn’t mean a successful attack on your business is inevitable. However, there are some simple, cost-effective and fast-acting things you can do to protect your business from this very real threat.

1. Educate, educate, educate

According to Buckley, companies face a balancing act of trying to grow their organization and protecting it. “Educating employees about what to look out for,” Buckley says, “is the number one way to keep your organization protected.” Barry agrees. “Over 90% of cyber-attacks are facilitated by human error,” says Barry. So how do you manage that? By building a culture of awareness.

According to Barry, effective communication is key to improving response to cyber security threats because it’s people who are being targeted in the first instance.

“As long as it is kept up-to-date, technology is consistent – people are not,” adds Barry. “Cyber threat groups have realized in terms of percentage chance of success, manipulating people is more effective.”

He recommends introducing technology to support your staff. Simple additions like password managers, Multi Factor Authentication (MFA) and Virtual Private Networks (VPN) all reduce the risk of the most common attacks.

The other big thing you can do is teach people caution. Nine out of 10 cyber-attacks start with an email – because they need a delivery method and we’re inundated by them. Barry says: “Every 60 seconds, there’s up to 188 million emails being sent around the world. So actually, if we become better at dealing with emails, we can mitigate most of our cyber risk more or less immediately.”

He warns against email phobia though. “We need to work with emails, but we need to start dealing with them in the same way that we learn to cross a road. Apply the same level of two-second, three-second due diligence to emails as we do to crossing the road, and we can eliminate 90% of that risk from our business.”

2. It’s not just laptops and phones you need to think about

We – and the things we use – are more connected than ever. Everything from your car to your coffee machine can be designed to connect to the internet. And Barry warns these items become the ‘windows and doors’ that a cyber-criminal can use to attack your business.

And the risk is only growing. Barry says: “We now have 50 billion everyday objects connected to the internet. Now that’s great – it provides efficiency – but only one in five of those devices are effectively secured and they increasingly provide vulnerabilities to your organization.”

He adds: “An attack becoming more popular…is called Man in the Middle. This is enabled by the fact that we don’t turn our WiFi and our Bluetooth off when we’re not connected to something. WiFi and Bluetooth are constantly saying, ‘Please connect to me, please connect to me, please connect to me.’

“All an attack group do is replicate a frequency that they think your device will recognize… and your device will connect without you knowing anything about it.”

It’s more than worthwhile switching your Bluetooth and WiFi off when you’re not using it.

3. Patch and update your systems

We’re all guilty of it with our devices – putting off updates for as long as possible because they stop us being connected for a short time. But in fact, these updates are critical to repair or ‘patch’ vulnerabilities in operating systems.

Barry says: “If there was an option to delay [an update] for 400 years, most of us would probably select that so that it was no longer a problem for us.

“In reality, there are 250 to 300 attempted cyber-attacks every single minute. You are far more likely to be exposed and exploited if you do not update your software. So, it’s not just about creating a culture of updating our systems and networks when we want to, but forcing those updates on to all devices so that you can ensure that you have the best security – that all of our windows and doors are boarded up and secure at all times.”

Buckley agrees that staying up to date with the latest security patches is critical.

“It only takes one weak point for hackers to get into a system, and from there they can cause considerable damage and expense,” he says. “And if they’ve been successful in attacking once, they’re even more likely to try again and again and again.”

Barry also says it’s important to invest in antivirus and anti-malware software. “While I’ve said that human beings are the best solution, antivirus and anti-malware will still stop over 98% of the legacy viruses that are out there,” he adds.

4. Don’t forget remote workers

The last year or so has seen businesses around the world to quickly adapt in response to the pandemic – with one of the biggest shifts being how and where we work.

Home working has allowed many companies to remain operational and for many employees, when the return to office finally does come, it’s much less likely to be full-time.

Barry says: “Increased home and remote working has brought new and evolving threats.” His advice includes reviewing your IT and social policies, encouraging colleagues to change their default router password and segregating networks.

5. Back things up

It might sound simple, but taking regular back-ups of business-critical data can be the key to your ability to respond to a cyber incident.

“The only real way of responding to a cyber-attack without paying ransoms or money is to flush and clear the malware out of the system and restore from back-up. But it is no good in taking those back-ups every week and every month and not checking that they work,” Barry states.

“In a power station recently where they’d been backing up particular part of a data system every week for years and years, it went down and they went to restore it from back-up and realised that for the last three years, it had actually not been backing up correctly ¬– there was nothing there. So don't just back-up, check once every six months that what you’re backing up is actually there.”

He also says it’s worth investigating agreements with third-party cloud suppliers if you’ve outsourced this. Their service-level agreements may mean it could take days to get you the data you require to get your business up and running again, and be costly.

The above top tips don’t have a huge cost impact, if any. In fact, it’s individual responsibility and empowering your people with knowledge that’s the best defence against cyber criminals.

Barry concludes: “What this is about is increasing your proactivity so that you’re less likely to have to respond to an attack, because it won't happen in the first place. If there were 200 or 300 physical crimes against your business – whether it be vandalism, theft, arson, people defacing your goods, your property – you would react and you would change how you operate.

“Because we don't physically see cyber threats in the same way, we don't do simple things like add antivirus on to all of our mobile devices or change default router passwords or make sure that we have effective password security on admin accounts. All of these things are very non-technical, very simple, and they just rely on us engaging with and acting upon the risk that is prevalent.”