By Jason Howells, Director EMEA, Barracuda MSP
Data Privacy Day is almost upon us. As well as being an awareness day, it also commemorates the January 28 1981 signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection. So, in line with this international holiday and the greater ‘stay safe online’ movement, here are our top tips on how to keep your SME safe from cyber criminals.
Size doesn’t matter. You are never too small to be a target. A common misconception we hear regularly is that small and medium businesses think they are unattractive attack targets. In reality, SMEs are often more prone to attacks as they’re assumed to be resource-limited and have less IT-savvy employees. The truth is, cyber criminals don’t discriminate, as anyone’s money will do. Stay cautious so you can ensure you don’t become their next source of income.
Knowledge is power. User behaviour can be your biggest weakness. Attackers today exploit “human networks” as much as computer networks. Don’t forget your remote workers – a significant part of most workforces lives outside the corporate perimeter. Educate them on how to detect social engineering threats. Phishing attacks and spear phishing attacks continue to become more sophisticated and even savvy users fall victim to them daily. Continue to educate yourselves on how to identify phishing attempts and how to protect your organisation from these threats.
Simplicity is not the ultimate form of sophistication. Cyber threats are constantly evolving as attackers get access to and create more powerful and sophisticated exploits. It used to be that malware was generally mass delivered via emails that were – for the most part – poorly crafted, often with telltale signs that they weren’t from who they were claiming to be from. In response, most organisations now have some kind of protection in place to either prevent a click on malicious emails or restore from backup if a click occurs. But cyber criminals’ approaches have evolved, and you need to evolve with them. Nowadays, the real danger comes in the form of highly targeted, heavily researched, compelling spear phishing attacks. They work because they’re believable: cyber criminals spend a huge amount of time making them look as realistic as possible and the results can be devastating. You need to develop a more sophisticated approach to security in order to defend against these types of threats.
More is more. Two-factor authentication is now an industry standard, especially when it comes to administrator accounts that have even more access to valuable data. As highlighted by last year’s Deloitte attack, measures such as email encryption when exchanging confidential data, as well as a layered approach, are key to protecting your data. You should have a disaster recovery plan in place, solid backup, and solutions to help mitigate an attack. One of the best ways to protect yourself is with a next-generation firewall and an email security solution, which is more than just a spam filter. You want to secure every threat vector you can. Think of it this way: you wouldn’t just leave your house unlocked; if you do, someone can easily get in. But if you lock your house, the individual might move on to the next or at least have a more difficult time getting into yours. Using technical safeguards can help prevent exposure to a variety of attacks, so taking extra precautions, such as encryption, to secure users’ data is advised.
Be proactive, not reactive. The truth is that the best thing to do when it comes to defending your organisation against cyber criminals is to be proactive, rather than reactive. You need to invest in the correct hardware and software (which not only includes cyber security but also backup) and make sure that you can control and segment network access to minimise the spread of any threats, should any get in.
By adhering to these five simple tips, you can reduce the risks and severity of an attack. However, the fight against cyber criminals doesn’t end here. In the marathon that is cyber security, these steps should be treated as the starting point rather than the finish line.
The reality is, no one is invincible; anyone, including you, can fall victim to an advanced threat at any time. Therefore, everyone will need to make a constant effort in order to prevent a breach.