Protecting your Company from Cyber-Attack

October 11, 2017

Mid-sized firms are at risk from cyber-crime. They can be targeted for commercially sensitive information on budgets, marketing strategies, staff and intellectual property while customer data can be hacked to enable fraud and identity theft. A well planned and properly implemented company cyber-security strategy may not protect against every threat, but it can greatly reduce the chances of compromise and limit its scope if one occurs.

While precautions demand a measure of investment and managerial commitment, and may marginally inconvenience staff, these amount to a fraction of the cost of a security breach. Hostile foreign government actors use highly sophisticated attacks to undermine and infiltrate government and military targets, but most foreign cyber gangs rely on well-known system vulnerabilities and social engineering techniques. All companies can protect themselves against these threats, but all too many, through ignorance or misplaced frugality, neglect to do so. The infamous WannaCry exploited a known Windows vulnerability which had been patched months before the attacks began, and it only affected computer systems which had not been kept up to date.

Mid-sized companies are large enough to be attractive targets, but may lack the specialist resources of larger corporates to defend against the threat. This underlines the need for simple protective steps to be taken, rather than reducing their responsibility. Australia’s mid-sized firms must build cyber-defence into their ICT planning and operations from their inception, rather than tacking it on as an afterthought.

Cyber insurance may offer the insurance industry yet another opportunity to sell a policy to its corporate customers, but it is no substitute for investment in appropriate cyber-security measures. Even if a cyber-breach is covered by the insurance policy, the pay-out will not repair the very public damage to the company’s reputation, retrieve stolen intellectual property from its competitors or foreign governments, or protect customers from the life-ruining consequences of identity theft. While paying for a policy may encourage the company to ensure its compliance with the inevitably stringent conditions of coverage, the premium might be better spent on those measures in the first place. If prevention is always better than cure, then it is also worth more than mere compensation.

Investing in a solid baseline of network security will help firms avoid even greater expense in repairing the havoc caused by criminal infiltration. Simple system processes, such as network segregation, administrative privilege restrictions and system logging, are crucial but maintaining a secure and robust network involves more than routine system maintenance and software patching. The company must understand what it is doing if it is to do it properly. Despite the widespread move to cloud computing and the eclipse of on-premises equipment and expertise, investment in trained personnel is seldom wasted. Unwary employees may offer the most vulnerable attack vector, but trained staff are also the best defence.

Whatever the investment in qualified personnel, security cannot be left to computer specialists. It is the responsibility of every employee and, more particularly, of each member of senior management. Executives in every department must not only build security awareness into their firm’s culture, but practise it themselves. The drive for greater speed and efficiency should not be allowed to compromise safety and scrutiny. Neither should wise investment in prevention prevent resources and processes being put in place to handle an incident when – rather than if – it occurs.

The Australian Signals Directorate (ASD) offers eight basic guidelines to reduce commercial vulnerability to cyber intrusions, ransomware and malicious insiders, as well as e-mail compromise and system vandalism. However, the implementation of any strategy cannot become a meaningless box-ticking exercise: it must be preceded by a proper risk assessment of vulnerable activities and possible threats, and supplemented by protection tailored to the firm’s circumstances.

The ASD notes that every commercial network breach reported in recent years would have been prevented, or at least minimised, by proper implementation of its ‘essential eight’, although it suggests an additional 31 strategies which can further limit a firm’s exposure to risk. The agency now provides a maturity model to guide self-assessment by cyber-security professionals for firms in all types of risk environments.

Such protocols must be adhered to, as well as adopted. Just as every computer support technician knows that most computer problems originate between the chair and the keyboard, so defective ‘wetware’ can reduce the most impregnable fortifications to rubble. While poorly trained, lowly paid junior staff are often blamed for breaches, more significant problems stem from the top. Too many managing directors revel in their ignorance of computing procedures, reveal their passwords to junior staff to delegate seemingly routine tasks or keep system access data on post-it notes on their computer. Many people still use a simple and easily guessed password on a sensitive site or the same password on all sites, making their penetration only a matter of time. The importance of user education and adherence to proper procedures cannot be neglected no matter how great the investment in skilled staff or technology.

While basic security measures are important, they must be integrated into every aspect of the company’s operations and policy, rather than isolated and ignored in a stand-alone document. Network breaches can affect every aspect of a firm’s operation, and even imperil the survival of the business itself, so security must permeate all its procedures in an age where everything is linked in some way to the network. If responsibility for cyber security is fire-walled from other managers, then the problem will be perpetuated rather than solved. The identification of a convenient scapegoat when something goes wrong is no substitute for an effective strategy to prevent it. Human resources, for example, must incorporate cyber-security training for every employee, just as finance and customer liaison staff must realise the threat to their operations.

The basic steps outlined below can help prevent malware from accessing a network, limit the extent of incidents and recover data where it is lost. While their implementation will not be without cost in terms of resources and training, they will save firms the potentially ruinous time, money, effort and above all reputational damage caused by a major event. All of these approaches should be encouraged on home computers, as well as commercial networks, to prevent their infiltration.

Application whitelisting allows only selected software applications to run on computers, stopping malware from running and spreading on the network.

Patching operating systems and other software on a regular basis will fix known security vulnerabilities in applications which criminals commonly exploit.

Disabling untrusted Microsoft Office macros will prevent malware hidden in macros – tiny applications which automate routine tasks – from running and downloading additional malware which can access sensitive information or networks.

Hardening user applications can block common vectors of attack. Access to Adobe Flash Player should be minimised or blocked, as should web ads and untrusted Java code on the Internet.

Restricting administrative privileges to essential personnel will prevent ordinary users inadvertently installing malware when attempting to manage systems, install legitimate software or apply software patches. Administrative accounts hold the ‘keys to the kingdom’ and adversaries use these accounts to gain unrestricted access to data and networks.

Requiring multi-factor authentication will prevent a single false identity securing access to the network. Users should only be able to log on after presenting multiple pieces of discrete evidence. This can take the form of something they know (a password), something they have (such as a physical token) and something they are (such as a fingerprint or other biometric data).

Performing a daily backup of important data and securing a record in several places, including at least one hard drive offline and off premises, will allow firms to restore their systems and databases after a breach.
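As an added illustration (not an ASD tool or part of the original article), the read-only PowerShell self-check below reports on four of the eight controls described above on a single Windows host: whitelisting, patch age, Office macro policy and local administrator membership. It assumes Office 2016/365 (registry branch 16.0), the AppLocker module, and a 30-day patch threshold chosen here for illustration.

```powershell
# Added example, not ASD's own tooling: a read-only audit of four Essential Eight
# controls on one Windows host. Run from an elevated PowerShell session.
# Assumptions: Office 2016/365 (branch 16.0), AppLocker module available,
# 30-day patch-age threshold (illustrative, not an ASD figure).

$findings = @()

# 1. Application whitelisting: is an effective AppLocker policy in force?
$policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
if (-not $policy -or $policy.RuleCollections.Count -eq 0) {
    $findings += 'No effective AppLocker policy: application whitelisting is not enforced.'
}

# 2. Patching: how long since the most recent hotfix was installed?
$lastPatch = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $lastPatch -or $lastPatch.InstalledOn -lt (Get-Date).AddDays(-30)) {
    $findings += "Most recent hotfix is older than 30 days ($($lastPatch.InstalledOn))."
}

# 3. Office macros: VBAWarnings 4 = disable all macros without notification,
#    3 = disable all except digitally signed. Lower values let users enable macros.
#    Group Policy writes to the Policies branch; user settings sit in the other.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $vba = $null
    foreach ($base in 'HKCU:\Software\Policies\Microsoft\Office', 'HKCU:\Software\Microsoft\Office') {
        $item = Get-ItemProperty -Path "$base\16.0\$app\Security" -Name VBAWarnings -ErrorAction SilentlyContinue
        if ($item) { $vba = $item.VBAWarnings; break }
    }
    if ($null -eq $vba -or $vba -lt 3) {
        $findings += "$app macro setting is '$vba' (expected 3 or 4 to block untrusted macros)."
    }
}

# 4. Administrative privileges: who holds local Administrators membership?
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
if ($admins.Count -gt 2) {
    $findings += "Local Administrators group has $($admins.Count) members: $($admins -join ', ')"
}

# Report: an empty list means the four checks raised nothing on this host.
if ($findings.Count -eq 0) { 'No findings for the four checks.' } else { $findings }
```

The script reads settings only and changes nothing; treat its output as input to the risk assessment the article calls for, not as a pass mark.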