“A cybercriminal only has to be lucky once, while a defender has to be lucky every minute of every day.”
– Combating Ransomware – A Comprehensive Framework for Action: Key Recommendations from the Ransomware Task Force.
The message we hear from governance boards over and over is ‘can you prevent hackers from stealing our data?’ Every time there is a high-profile attack, the calls get louder. As the attacks become more frequent, the awareness of this activity increases exponentially.
The simple reality is that cyber-crime is now a mega-business. The cost and effort to combat it grows all the time, and while nothing is guaranteed, there are things we can do to reduce your risk.
It means stepping up our collective game. New tools, new processes and new staff awareness. The protections that seemed excessive a year ago now seem to be inadequate. We have to keep adding new tools and services so that you can select a level of protection that you are comfortable with, and like your insurance, you need to reassess this every year.
What do you need to think about to protect your organisation?
1. The biggest risk is people and process.
We suggest taking a representative group and mirroring the practice of a Health and Safety committee. Have an ‘e-Security’ committee that spends time thinking about how someone could accidentally give away confidential data – start by thinking about what data was held, then what of it was confidential, where was it held, and who had access to it. Next up are simple things like credentials. For example if a client calls up for anything, from a question to a password reset, how do you verify who they are before providing any confidential info.
2. We all know about malware and ransomware but…
They typically get in through software bugs, and the best answer is to ensure everything is patched. Do you get regular reports to show that everything is patched or do you trust that it is done? “Everything” can be quite a long list but you can divide it up by types of machines (Servers, laptops etc). Patching isn’t just for Microsoft tools, but everything that you use – Adobe, Google and so on.
3. We’re all aware of antivirus but today we need to go further.
We need more intensive end-point protection and personal firewalls, even for computers that stay behind the corporate firewall. That’s because its surprisingly common for ‘guest’ machines to connect to networks, for example to support visitors, and you simply don’t know what state they are in and what viruses they may introduce.
4. Common attack vectors include “phishing”. The best defenses are:
- Regular phishing tests, to see how aware your colleagues are.
- Security briefings and awareness training to help everyone stay alert and support each other, both via eLearning and in-person presentations.
- URL scrubbing – testing the URLs people click on BEFORE the site opens to warn you before you inadvertently browse to potentially infected websites.
5. The Darkweb!
It pays to be aware that some of your data is ALREADY in the darkweb. It will mostly be credential information scavenged from historical hacks of sites like Sony, LinkedIn, Marriott and many others. Occasionally this will surface up to you as an email that states your account name, and password for a particular site, along with a threat, for example, “We know what you have been up to, pay a ransom or we will share this publicly”. If you recognise the username and password and it’s a common that you use, then this threat can be very compelling.
The best defense is to ensure everyone uses unique passwords for everything, and the best way to do that is with a secure password vault tool.
6. Multi-factor authentication!
MFA isn’t infallible, but in conjunction with the items above, it’s a very important layer. We regularly see compromise attempts on Office 365 in particular, and these are being defeated by simple steps like enforcing multi-factor authentication, and where possible, limiting logins to territories that people log in from. For example, unless you have people currently in eastern Europe, then you can simply block access from IP addresses from those countries. MFA should be on EVERYTHING, not just Office 365 but also the less common sites your people access
7. Shadow IT Detection…!?
Looking at the first item on the list, you will be amazed at some of the tools in use by your people. It is extremely common for people to set up an account on an external website to get a job done. They often just use their email address and make up a password. That means that if they leave your organisation, they can still log in with the email address – the webtool doesn’t know they’ve left! Even worse, you don’t know how secure the tool is, and often you don’t even know about the tool at all!
8. Microsoft have baked some excellent protections into Microsoft 365. Are you using them?
For example, there is ‘data leak protection’ to help set up a regime where Office 365 can detect confidential data (eg credit card numbers, health records and so on) and then permit or prevent certain actions – for example preventing emailing a spreadsheet with more than say 5 of these records on it, or at least warning you before you do. It can also warn when it detects unusual behaviour such as copying or deleting large numbers of files. The trick is that this needs to be turned on, configured and, above all, maintained and monitored
9. Consider vulnerability scanning on a regular basis.
Vulnerability scans are based around CVE (Common Vulnerability and Exposures) and CVSS (Common Vulnerability Scoring System) and are maintained by First.org, a global forum for response and security teams. CVE’s can describe vulnerabilities in software on any connected device, from baby monitors to virtual appliances, CVE’s can be found everywhere and anywhere. A deep vulnerability scan is intensive. In addition to scanning devices, it will attempt to use common login and passwords to brute-force hack devices.
Read some of the latest news on Cyber-Security
Over the weekend, thousands of businesses were caught up in a global cyber-attack that is being blamed on a Russian hacker group called Revil. It is disappointing when geo-politics impacts everyday business, and the reports talk about President Biden ordering a probe....
Recently, we asked the question if organisations should pay ransomware demands. There is the balance between desperation and the uneasy knowledge that you might be funding further criminal attacks on the community. We’ve just read a paper that tells us that it also...
On some emails, you might see a warning that marks them as being ‘external’. This gets added as the email comes into your organisation. The idea is a simple one – if you see an email marked as external, then you will be more cautious with it. If you see an email that...
Your own personalised stalker It always seemed slightly creepy that your computer shows advertising that is strangely accurately targeted at things you might have been interested in. On the surface, that seems quite useful. If you have to tolerate ads on your...
n the old days (ie last year!!), a dodgy email had a whiff to it – there was something that triggered your subconscious. That’s because some phishing emails were really badly written with terrible English. But others just had a sniff about them- something that made...
What is 'Shadow IT'? Shadow IT refers to the various web tools informally in use within most organisations. These tools are often chosen without reference to IT or to management in general. They are often used for all the very best reasons. Your colleagues have work...
Some emails are more than just bad news No one likes bad news! But sometimes it can’t be helped. Sometimes it sneaks up on you. One of the most common ransomware attacks is through a compromised attachment in an email. It’s easy to say “only open stuff you expect” but...
Data Leak Protection (DLP) is the name of several policies in Office 365, setting up what data can, and can't be, shared and with whom. Imagine being able to automatically identify private information like passport numbers, Health IDs or bank account details and make...
This sounds like a nightmare that could never happen. US soldiers have been putting sensitive information online in non-secure third party websites. It defies belief, yet we’re reading that it happened. The story popped up on ‘Gizmodo’ . It is alleged that US Soldiers...
Password Vaults and You With more and more websites necessary for our everyday activities, it’s getting harder and harder to manage passwords. By now, you will know not to write passwords on post-it notes and paste them on your screen. Its not uncommon for...