Business Talk Autumn 2014: Would You Survive A Cyber-Attack?

STRATEGIC THINKING FOR YOUR BUSINESS

AUTUMN 2014

WOULD YOU SURVIVE A CYBER ATTACK?

Nigel Brooks & Dean Foreman, Capital Support
WELCOME... ...TO YOUR QUARTERLY MAGAZINE BUSINESS TALK

Welcome to the autumn issue of Business Talk from Capital Support. For the vast majority of businesses, cyber threats can no longer be considered an ‘annoyance which can be dealt with if or when it happens’. In today’s Internet-based world, organisations big and small need to take proactive action to mitigate the risks of an assault on their IT systems. This issue looks at the main types of attack, who’s behind them and why, and how businesses should go about safeguarding themselves from increasingly sophisticated forms of cyber-crime. A recent Government survey states that 60% of small to medium sized companies suffered some form of security breach last year and that the cost of these breaches had doubled compared to 2012. We urge you to take this matter seriously. Please feel free to contact us for any further information on this topic or, indeed, anything else relating to your IT needs.

Nigel Brooks, Capital Support

Dean Foreman, Capital Support

Call 020 7458 1250 or go online at www.capitalsupport.com

WOULD YOU SURVIVE A CYBER ATTACK? In this issue:

The cyber menace (page 4)
6 of the worst (page 8)
Meet the expert (page 11)
When the hacker wins (page 14)



THE CYBER MENACE

In our increasingly connected world, the Internet provides unlimited benefits and opportunities for businesses – but, at the same time, it’s open ground for criminals and hackers to exploit any weaknesses they can find.

FOR MANY YEARS, the average small or medium sized business was an unlikely target for a cyber-attack. Fewer rich pickings and a relatively unknown brand worked in their favour as it wasn’t worth the time and effort for the average cyber-crook or delinquent hacker. But not anymore. Smaller companies are becoming increasingly attractive because they often have weaker online security. They’re also doing more business than ever online and retaining greater amounts of information, much of which may include personal details of customers, suppliers and staff. To a hacker, that translates into a potential treasure trove of sensitive data behind a door with an easy-to-pick lock. And if you have any large enterprises as customers, you’re an even more enticing target as you’re also an entry point to them.

Attacks on business

According to the recently published Information Security Breaches Survey 2014 carried out by PricewaterhouseCoopers on behalf of the Department for Business, Innovation and Skills (BIS), 60% of smaller businesses (up to 250 employees) suffered some form of IT security breach last year. 45% of these suffered infection from viruses or malicious software whilst 33% were attacked by an unauthorised outsider and 33% suffered from staff-related security breaches. However, most disturbing is that the survey of over 1,125 companies found that the average cost of the worst security breach they had experienced was between £65,000 and £115,000 compared with £35,000 and £65,000 the previous year. Just some of the higher profile and more dangerous threats that businesses are now more susceptible to are described in the following article. These are just the tip of the iceberg with the level and range of threats increasing all the time. With millions of bogus or ‘phishing’ emails being sent every day – whether from organised criminal networks or the ‘apprentice hacker’ – it may only be a matter of time before some unsuspecting employee falls foul of a cyber-attack and potentially puts your business at risk.

Cybersecurity

Cybersecurity is about protecting your computer-based equipment and information from unintended or unauthorised access, change or destruction. You can never be totally safe but most online attacks can be prevented or detected by basic security practices for your people, putting effective processes in place and protecting IT systems. These security procedures are as important as locking your doors or putting your cash in a safe and, with more customers demanding that their suppliers are secure, this is a business necessity.

There are three main elements to cybersecurity:

- Data confidentiality – keeping business and personal data secure from unauthorised access. The Data Protection Act requires this for every business.
- Data integrity – safeguarding data from being tampered with by any unauthorised parties.
- Authenticity – ensuring data remains authentic and is free from fabrication or forgery.

Installing a robust cybersecurity framework goes beyond ensuring your anti-virus software is up to date – it’s about assessing the potential threats and then planning, implementing and reviewing your means of protection.

Understanding the risks

To help assess the risks, here are some questions to ask yourself:

- What is at risk? Equipment, money, online services and information are the main considerations. Information covers client lists, customer databases, financial data and business details such as pricing information, product designs and deals.
- Who could pose a threat? Current and past employees, business contacts, competitors, criminals and hackers.
- What form could a threat take? Remote attacks on your systems or any third party systems you use, access via staff members, or theft of computers and mobile devices.
- What impact could an attack have? Not just financial loss but disruption to your business or your customers, impact on your reputation, fines and the costs involved in recovering from the attack. Just one successful attack could seriously damage your business.

Plan, implement, review

Protecting your business against the cyber threat is best achieved through a three step process. Firstly, plan. Ask yourself which IT-based assets are critical to your business and what kinds of risk they could be exposed to. Be clear about the legal and compliance requirements of your business. Also, how could you continue to do business if you were attacked and how can you manage these risks on an ongoing basis? Secondly, implement. Are the right technical safeguards in place? Are staff sufficiently trained and the right processes implemented? Do you have systems and procedures in place should you suffer an attack? Thirdly, review. Systems and procedures need to be monitored and reviewed on a regular basis taking into account potential new threats. But, above all, don’t think it won’t happen to you – act now and protect your business!

Ensure your business is protected before it becomes too late. Contact us for further details.

10 CYBERSECURITY TIPS

1. Train employees – establish security practices and policies for employees and create a culture which takes cybersecurity seriously.
2. Protect your systems – install the latest software updates to protect against the latest online threats. Carry out inside-out and outside-in penetration testing.
3. Provide firewall security – ensure this is correctly configured. If employees work from home, ensure their home system(s) are also protected.
4. Don’t forget mobile devices – make sure laptops, tablets and smartphones all have adequate safeguards, and that reporting procedures are in place if they are lost or stolen.
5. Backup – check all critical data is regularly (preferably automatically) backed up to a secure off-site location.
6. Control physical access – secure building entry points, consider CCTV installation, ensure visitors are properly managed and IT areas locked.
7. Secure your Wi-Fi – if you have a Wi-Fi network for your workplace, make sure it is secure and encrypted. Do not allow visitors to use it; provide a secure, separate guest network if you want to offer this facility.
8. Payment cards – if you take card payments, make sure validation and anti-fraud systems are in place and that you are fully PCI compliant. Don’t use the same computer to process payments and surf the Internet.
9. Restrict employee rights – staff should only be given access to the systems they need for their jobs and should not be able to install new software without permission.
10. Password policy – require employees to use unique passwords which are changed at pre-set times. Consider implementing multi-level access authentication for highly sensitive systems.



6 OF THE WORST

Research shows that as large enterprises do more to lock down their infrastructure, less secure smaller businesses are the low-hanging fruit for cybercriminals to cash in on. Here are six of the more dangerous cyber threats hitting businesses today.

1. CRYPTOLOCKER

CryptoLocker – and a number of copy-cat variants which have emerged subsequently – is a particularly nasty form of ‘ransomware’. After seizing control of your computer files, it demands a ransom before you can access them again. An email attachment is sent under the guise of a genuine business email. Any employee opening the attachment activates malware which is installed on your computers and servers and lets hackers access your files. These are then encrypted using sophisticated encryption, locking you out of them. The perpetrators then demand a ransom; if you don’t pay up, the decryption key is destroyed and your files are lost forever. Because the ransom is typically just £200 – £400, most businesses willingly pay up, with payment made via a hard-to-trace virtual method such as Bitcoin or an online voucher system. The perpetrators of these scams have elicited hundreds of millions of pounds from their victims.

2. SPEAR PHISHING

Spear phishing uses emails that look like they’re from someone in your company or a trusted person. Clicking the link in the email takes you to a fake page from which either spyware is downloaded, enabling the hacker to gather information about the individual or organisation, or a bogus log-in page is presented to capture security details.

The success of spear phishing depends upon three things: the apparent source must appear to be a known and trusted individual; there is information within the message that supports its validity; and the request the sender makes seems to have a logical basis.

3. HEARTBLEED

In April 2014, the Heartbleed bug made headlines around the world. A flaw in a highly popular software programme called OpenSSL, used by many web servers, meant hackers could steal the cryptographic keys used to secure online commerce and web connections. The bug could also leak personal information to hackers when people carry out searches or log into email. Security experts say that over 300,000 web servers remain vulnerable even though it is easy to protect against the bug.
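An added defensive check, not part of the magazine or of Capital Support’s material: a small Python triage script that classifies `openssl version` banners collected from your own servers by whether they fall in the Heartbleed-affected range (OpenSSL 1.0.1 up to and including 1.0.1f, with 1.0.1g the first fixed release). The host names and banners are constructed for illustration, and the script assumes the released 1.0.1 series only (it does not cover 1.0.2 pre-release builds).

```python
import re

# Heartbleed affected the OpenSSL 1.0.1 branch from 1.0.1 through 1.0.1f;
# 1.0.1g was the first fixed release. The 1.0.0 and 0.9.8 branches never
# shipped the vulnerable TLS heartbeat code.
AFFECTED_BRANCH = (1, 0, 1)
FIRST_FIXED_PATCH = "g"

# Matches the leading part of `openssl version` output,
# e.g. "OpenSSL 1.0.1e 11 Feb 2013" -> (1, 0, 1) and patch letter "e".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Return ((major, minor, fix), patch_letters) from an `openssl version` banner."""
    match = _VERSION_RE.search(banner)
    if match is None:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    branch = tuple(int(match.group(i)) for i in (1, 2, 3))
    return branch, match.group(4)


def heartbleed_status(banner):
    """Classify a banner as 'affected', 'fixed' or 'not affected' by version alone."""
    branch, patch = parse_openssl_version(banner)
    if branch != AFFECTED_BRANCH:
        return "not affected"
    # Patch releases on the 1.0.1 branch are lettered: plain "1.0.1" (no letter)
    # and "a".."f" all predate the fix in "g", so a string comparison suffices.
    if patch >= FIRST_FIXED_PATCH:
        return "fixed"
    return "affected"


def triage(banners):
    """Map host -> status for a dict of host -> banner; unparseable banners become 'unknown'."""
    results = {}
    for host, banner in banners.items():
        try:
            results[host] = heartbleed_status(banner)
        except ValueError:
            results[host] = "unknown"
    return results


# Constructed sample inventory: hypothetical hosts and banners, not real data.
SAMPLE_BANNERS = {
    "web01.example.internal": "OpenSSL 1.0.1e 11 Feb 2013",
    "web02.example.internal": "OpenSSL 1.0.1g 7 Apr 2014",
    "mail.example.internal": "OpenSSL 1.0.0l 6 Jan 2014",
    "legacy.example.internal": "OpenSSL 0.9.8y 5 Feb 2013",
    "appliance.example.internal": "no openssl binary found",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_BANNERS).items()):
        print("%-28s %s" % (host, status))
```

Treat an "affected" result as a prompt to investigate rather than proof: Linux distributions commonly backport security fixes without changing the upstream version string, so a host reporting 1.0.1e may already be patched, and the package manager’s changelog is the place to confirm. "unknown" hosts (appliances, embedded devices) need a vendor check, since they often bundle their own OpenSSL.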


4. INTERNET EXPLORER VULNERABILITY

Just weeks after the Heartbleed alert, Microsoft announced a major security warning affecting all versions of their popular web browser from Internet Explorer 6 to 11. The vulnerability enables hackers to access users’ computers through a phishing email that tricks them into clicking a link or opening an attachment which installs malicious software without the user knowing. The issue is of particular concern to businesses still using Windows XP as Microsoft ended official support for the operating system earlier this year, meaning there are no longer any security updates and bug fixes provided.

5. DENIAL-OF-SERVICE ATTACKS

Denial-of-Service (DoS) is a type of attack designed to bring a network to its knees by flooding it with random traffic. Many DoS attacks such as the ‘Ping of Death’ and ‘Teardrop’ exploit limitations in network communication protocols. The hacker does this by instructing thousands of remotely-controlled computers to flood traffic to a server. The server is so busy dealing with the attacker’s requests that it doesn’t have time to respond to legitimate user requests, causing the target system to stop responding and resulting in long delays and service outages.

Software fixes for known DoS attacks are available which system administrators can install to mitigate the damage caused. However, like viruses, new DoS attacks are constantly being developed by hackers and are becoming increasingly sophisticated.

6. TIMTHUMB PLUG-IN

In this attack, hackers exploit a security flaw in a photo re-sizing plug-in (called Timthumb.php) for the popular blogging and website publishing tool WordPress. Through this flaw, hackers install malicious code or files onto a website or server. They can then launch spear phishing campaigns as well as ‘Denial-of-Service’ attacks (see above).

Timthumb attacks have hit millions of websites over the last few years, most of which have been small businesses unaware that they have been hacked.

Don’t become another statistic of cyber-crime – ensure your systems and working practices are secure.

MEET THE EXPERT

Business Talk quizzes cybersecurity expert Dr Paul Stephens, Director of Computing, Digital Forensics and Cybersecurity at Canterbury Christ Church University, on some of the topics relevant to smaller organisations and businesses.

Q: We hear a lot about cyberattacks on large multinationals but how much of a threat is cybercrime to the UK’s small and medium sized businesses?
A: It’s a much bigger problem than most people realise. According to the UK Government’s Information Security Breaches Survey 2014, 60% of small businesses had some form of security breach last year, with the average cost of these breaches doubling. More than half of those surveyed believe there will be an increase in incidents in the future. The threat of cyber-attacks needs to be taken seriously by any business reliant on IT systems.

Q: Cyber-crime isn’t going away. Which areas do you feel businesses should be most concerned about?
A: I think it is important to be aware of a range of threats and where they may come from. In contrast to the old stereotypical hacker who breaches security for enjoyment, the reality these days is much more likely to be that attacks are perpetrated by organised groups of determined criminals looking to make money. In addition to these hackers and cybercriminals, you may also need to be aware of competitors looking for economic advantage and ‘hacktivists’ whose motives to attack your company can be political, social, economic or environmental. Company employees (both current and former) can also cause problems either accidentally or maliciously.

They want...
- financial details
- intellectual property
- commercially sensitive data
- customer databases

Q: What are some of the more common examples of how small businesses can be affected by cyber-crime?
A: Some of the most common effects of cybercrime are theft of financial details (yours and your customers’), intellectual property (such as product designs) or other commercially sensitive data (such as negotiation positions) and customer details. Irretrievable loss or corruption of data is also a possibility.

Q: Are businesses in certain sectors more exposed than others?
A: Possibly. This can depend on the kind of data your company keeps; however, if you keep any of the data outlined earlier then you are at risk. Some businesses may be required to comply with the Data Protection Act which states that “appropriate technical and organisational measures shall be taken against accidental loss or destruction of, or damage to, personal data”, so for client databases there is increased risk and responsibility due to legislation. There may also be a need to comply with the Payment Card Industry Security Standards Council if you allow customers to pay with credit and debit cards. In more creative or product-based industries then your intellectual property could be a big worry. If businesses are negotiating with other businesses then this information can also be extremely sensitive and attractive.

Q: What impact are mobile devices having on cybersecurity?
A: An acceptable behaviour and use policy is essential for these devices and should include what can and can’t be done. Access and use of sensitive data needs to be managed appropriately. This should include the use of strong passwords, encrypting sensitive information and the network links to that information, automatic locking of the device used, and a clear delineation between personal and business data and app usage.


Q: What are the key steps an organisation should take to combat cyber threats?
A: There are a number of great sources such as 10 Steps to Cyber Security prepared by a division of GCHQ and Small businesses: what you need to know about cyber security by the Department for Business, Innovation & Skills (BIS). I particularly like the latter’s approach of ‘Planning’ followed by ‘Implementing’ and then ‘Reviewing’. The Planning phase involves identifying your critical assets along with the risks to these, management of these risks and the legal and compliance requirements. This phase also stresses the importance of asking how you would continue to do business following an attack. The Implementing phase looks to ensure that the correct security measures are in place, that staff are well trained in good practice, and installing measures to recover from any attacks. The Reviewing phase looks to systematically review these implemented measures. However, it is advisable to enlist the help of IT experts such as your managed service provider to help develop and implement a cybersecurity strategy.

Q: Do you think SMEs appreciate the business risks posed by cyber-crime?
A: I hope so! What is important is that the high level decision makers understand how important cybersecurity is. This means allocating a substantial budget to IT security which covers both the technological and staff awareness education aspects.

For help in reviewing your potential level of risk from cyber-attacks, contact us today.



CASE HISTORY

WHEN THE HACKER WINS...

Thousands of businesses suffer cyber-attacks every week. Fortunately, most are blocked but just a small chink in your armour can lead to disastrous consequences as these two sorry tales portray.

Small business loses important contract

A rival organisation with hostile intentions collected key information about a manufacturing company over a period of time and used it against them. The attackers used social media sites to identify key employees and to get information about locations, contact details and current work projects. Armed with this information the adversary sent targeted and realistic spear phishing emails to a number of staff in different teams, containing attachments infected with malware. A work laptop was also stolen from a director on a business trip.

The attacker used the malware capability together with the stolen laptop to get into the network and extract vital information about the company and its contract bid. They used this to produce a rival bid at a lower cost, using stolen intellectual property. As a result, the company lost out on the sizeable contract. Without this work, it was impossible to maintain the full workforce and half of the employees were made redundant. This news was picked up in the press, leading to lasting reputational damage and further loss of business.

What steps could have prevented this attack? Planning: consideration of the information assets the business held would have led to information about the contract bid being better protected. Implementation: training staff on the safe use of social media could have prevented so much sensitive company data being gathered from open sources. Tighter procedures on encrypting data on mobile devices could also have prevented unauthorised user access.

Customer exposure

Last year, an online retailer struggled for two weeks to find the source of a cyber-security breach after being alerted to a possible leak of credit card details by its card processing company. During that time, the firm apparently continued exposing the debit and credit card data of people who shopped on its website. The company stated that data for approximately 24,000 credit and debit cards used by customers may have been exposed although cardholders’ names, addresses and identifying information had been kept secure.

A detailed timeline of events shows the firm first learned of a possible intrusion on 14 March. That’s when the card processor alerted the company about fraud on a handful of cards that had been recently used. The retailer launched an internal investigation and was able to rule out insider theft as the potential cause. On 19 March, the company hired a security firm to investigate further amid reports of more fraud. However, even then it was not able to isolate and shut down the breach until 28 March. It took a further 36 hours to contain the breach and strengthen security to prevent a recurrence.



If you would like to find out more call 020 7458 1250 or go online at www.capitalsupport.com

All content copyright of Capital Support Limited 2014

