It seems that if you follow cyber security news there are new software vulnerabilities announced every day. The media tends to report on these without any context, and can even talk up the dangers. This can give the impression that it is too hard to secure your information and systems. And whilst it’s true that new software vulnerabilities are discovered almost every day (and patches issued to address them), it does not mean that criminals will use those vulnerabilities in attacks.
Criminals will only put in the lowest amount of effort or expense required to achieve their aim – which is usually to make money, either through direct means (blackmail, fraud, ransomware or other scams) or indirect (stealing information which can then be sold or used). They will not use an attack that is expensive in time or effort when a simpler one will achieve similar results. There is no need to hack a company’s IT systems via Wi-Fi when sending a phishing email to one of their staff is far easier, more effective and less risky for the criminal.
This doesn’t mean that we shouldn’t install patches to fix vulnerable software. But we should think about whether the cyber security risks we read about actually apply to us, and whether they are likely to happen.
Here’s a quick list of the areas that you should focus on:
· Phishing emails are still a very effective way of attacking companies – make sure your staff have training, test their awareness, and turn on any anti-phishing protection you may have (e.g. some firewalls check for malicious websites when staff click on email links)
· Payment policies – criminals love tricking people into paying money to the wrong account, or paying a fictitious invoice. Make sure you have good payment policies to guard against fraud – especially if you handle money for clients
· Remote email – criminals will get passwords from users (via phishing emails) and use them to log into email remotely. They’ll then send out phishing emails from this account, or use it to commit fraud. Two factor authentication can stop criminals accessing remote email, even if they have the user’s password
· Remote access – criminals will log into remote access servers/PCs using passwords they have obtained, or will launch a brute force attack to guess the password. Once they have access, they may install ransomware on the network or launch other attacks. Once again two factor authentication will help, as will scanning the servers for vulnerabilities and addressing them
· Website / web applications – criminals will try to gain access to websites that hold or process valuable information e.g. credit card details, personal information. They will either sell this information, or use it to launch other attacks (personal information can be used to gain access to accounts or to create better phishing emails). Performing a security review of your website/web application will help.
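The remote access point above (password guessing against a server, followed by a login with a guessed or phished password) is the kind of thing a small sliding-window detector over authentication logs can surface. The example below is added here and is not code from the post; it assumes an OpenSSH-style "Failed password" / "Accepted password" log format and uses constructed sample lines with documentation IP addresses. It raises one alert when a source reaches a burst of failures inside the window, and a second, higher-priority alert when a login from that same source then succeeds, which is the "once they have access" case the post warns about.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (assumption: OpenSSH-style format, not from the post).
# 198.51.100.7: a burst of failures followed by a successful login.
# 203.0.113.5: two typos then success (normal user behaviour, should not alert).
# 192.0.2.9: five failures spread over 12 minutes (outside a 60-second window).
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd[201]: Failed password for invalid user admin from 198.51.100.7 port 50211 ssh2
2024-03-01T09:00:02 sshd[202]: Failed password for root from 198.51.100.7 port 50212 ssh2
2024-03-01T09:00:03 sshd[203]: Failed password for invalid user test from 198.51.100.7 port 50213 ssh2
2024-03-01T09:00:04 sshd[204]: Failed password for bob from 198.51.100.7 port 50214 ssh2
2024-03-01T09:00:05 sshd[205]: Failed password for bob from 198.51.100.7 port 50215 ssh2
2024-03-01T09:00:06 sshd[206]: Failed password for bob from 198.51.100.7 port 50216 ssh2
2024-03-01T09:00:10 sshd[207]: Accepted password for bob from 198.51.100.7 port 50217 ssh2
2024-03-01T09:05:00 sshd[301]: Failed password for alice from 203.0.113.5 port 40001 ssh2
2024-03-01T09:05:04 sshd[302]: Failed password for alice from 203.0.113.5 port 40002 ssh2
2024-03-01T09:05:09 sshd[303]: Accepted password for alice from 203.0.113.5 port 40003 ssh2
2024-03-01T09:10:00 sshd[401]: Failed password for root from 192.0.2.9 port 30001 ssh2
2024-03-01T09:13:00 sshd[402]: Failed password for root from 192.0.2.9 port 30002 ssh2
2024-03-01T09:16:00 sshd[403]: Failed password for root from 192.0.2.9 port 30003 ssh2
2024-03-01T09:19:00 sshd[404]: Failed password for root from 192.0.2.9 port 30004 ssh2
2024-03-01T09:22:00 sshd[405]: Failed password for root from 192.0.2.9 port 30005 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line):
    """Return {ts, result, user, ip} for a matching line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "result": m.group("result"),
        "user": m.group("user"),
        "ip": m.group("ip"),
    }


def detect_password_attacks(lines, threshold=5, window_seconds=60):
    """Sliding-window detector over login events, which must be in time order.

    Emits ("brute_force", ip, count) the moment an IP reaches `threshold`
    failures inside `window_seconds`, and ("success_after_failures", ip, count)
    when a login succeeds from an IP that still has at least `threshold`
    failures inside the window.
    """
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        recent = failures[ev["ip"]]
        # Age out failures that fall outside the window relative to this event.
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            # Fire once per burst, when the threshold is first crossed.
            if len(recent) == threshold:
                alerts.append(("brute_force", ev["ip"], len(recent)))
        elif len(recent) >= threshold:
            alerts.append(("success_after_failures", ev["ip"], len(recent)))
    return alerts


if __name__ == "__main__":
    for alert in detect_password_attacks(SAMPLE_LOG.splitlines()):
        print(alert)
```

With the defaults the slow 192.0.2.9 source never trips the 60-second window; widening the window (for example to 15 minutes) catches it, which is the usual trade-off between catching low-and-slow guessing and drowning in noise from users mistyping passwords. The second alert type is the one worth paging on: a success after a burst of failures means the guessing worked, and it is exactly the case that two factor authentication on the remote access server would have stopped.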
Simon Thomas CISSP, CCSP, CIPP/E