If a burglar came to your door, would you invite him and show him your TV so he could heist it?
No, that would be considered foolish by most people. Unfortunately, that is what many companies and individuals do: they leave their computers and networks open to criminals. Although cyber-security is in the headlines nowadays, there is still a gap between awareness and companies properly protecting themselves.
Computer security expert Ivan Yordanov, CEO of Go Live UK, an IT services and cybersecurity consultancy, says, "Companies that have no Disaster Recovery process planned leave their businesses exposed to extreme risks."
Over the last few years, malicious cyber threats have increased. The UK's official government survey says, “In the last 12 months, 39% of UK businesses identified a cyber attack.” The most common threat vector was phishing attempts (83%). Of the 39%, around one in five (21%) identified a more sophisticated attack type such as a denial of service, malware, or ransomware attack.
31% of businesses and 26% of charities estimate they were attacked at least once a week. One in five businesses (20%) and charities (19%) say they experienced a negative outcome as a direct consequence of a cyber attack, while one-third of businesses (35%) and almost four in ten charities (38%) experienced at least one negative impact.
Ivan Yordanov thinks companies are often complacent about these severe risks until they suffer a cyberattack, but this might be too late. As the saying goes, 'An ounce of prevention is worth a pound of cure.'
Employees can be less than careful about opening phishing emails. The rise of home working, BYOD and mobile platforms introduces new security threats. Where businesses employ many temporary workers or subcontractors, for example in the construction industry, this adds another vector of potential vulnerability through which criminals can break into a company's systems and steal data or insert malicious code.
The Computer Security Hardening Plan
Ivan says, "That's why we developed our cyber security hardening plan. This really improves cybersecurity levels for the businesses." Businesses need a triple backup plan because sometimes the backups don't work. Ivan continues, "The next level is cyber security training from an expert, and we develop and deliver the cyber security training."
Ivan addresses the mobile or temporary worker scenario, "A very practical solution could be virtual private network set or network setup of remote access for the remote users, especially now with COVID and working from home. Many of us have to work from home, and project managers and other members of the team could be working remotely. So the remote software sometimes is not secure enough. In that case, a practical solution is to add a virtual private network."
Go Live UK's tools to build better security for clients include the Government's Cyber Security Essentials package. "So what are the benefits of cyber essentials and IM certification? First of all, it demonstrates a professional approach to your business. Second, this is peace of mind knowing that your data is protected. Having this certification will also enable you to tender for specific contracts.
For example, some local authorities require Cyber Essentials to tender for contracts." Go Live UK has created their own "premium" version called Cyber Essentials Pro, which adds several other defences and hardening to the standard package.
The Threat of Ransomware
As the government survey above shows, ransomware attacks are a formidable and increasing threat to businesses. Usually, the malware encrypts all the drives on the network, including any backup computers it can find. This can cause enormous damage to a company, both financially and reputationally.
Ivan warns, "Even if you pay them, they will give you a code so you can decrypt your drives. Some of the information could be recovered, but with this code, it goes and puts a T bomber or malicious app in somewhere. And at the later stage, it encrypts again." So paying the ransom won't be enough.
Staff Vulnerabilities and the Essentials of Proper Security Training
“We do regular vulnerability checks on computer networks and also vulnerability checks on users. So we send phishing emails, and we see how they react,” says Ivan. “When we run this for the first time within companies and even banks, you should see the face of the stakeholders." Users will click on the phishing test emails repeatedly. Ivan continues, "Management couldn't believe the behaviour of their people: we've had cases where somebody clicks on this malware link four times in a row from their smartphone and another three times from the laptop. Unbelievable."
The lesson is that computer security procedures should be at the forefront of everyone's mind in the company, not something they'll get around to 'when I'm not so busy'.
Companies Need to Comply with Legislation
There are a lot of complex issues relating to government legislation, for example GDPR and security breaches, which could be damaging and costly if the company is fined by regulators or becomes involved in a lawsuit. Again, proactive company policies and audits will go a long way towards avoiding pricey mistakes. It's an insurance policy: you may not need it, but if things go wrong, having this safeguard in place will protect your interests.
Ivan's Five Best Practice Tips:
1. Have secure backups
2. Replace obsolete legacy software
3. Train staff in security
4. Adopt the best security practices
5. Keep informed about security legislation
Ivan summarises Go Live UK's mission, "I want to give people peace of mind. We've got all the certificates to prove our competency. Basically, when you engage our services, you know you can sleep easily because we will do the utmost to protect your systems."