4: Reducing the risks
This is part of a series discussing cybersecurity basics for an SME.
Risk = Likelihood [and] Impact
When we think about reducing risk, we usually focus on reducing the likelihood of something bad happening.
However, we also need to recognise that it is probably impossible to completely eliminate the likelihood of that bad thing happening. There will always be a chance of it occurring.
Therefore, when trying to reduce risk, we also need to think about reducing the impact if or when that bad thing were to happen.
Key takeaway: Reducing Risk = Reducing Likelihood AND Reducing Impact
Reducing Likelihood
To reduce the likelihood of a successful cyber-attack, start by thinking about the 7 P’s:
- People
- Phishing Email
- Payments
- Passwords
- Privileged Accounts
- Patching
- Protection
1 – People
Most cybersecurity attacks rely on a staff member being fooled by the criminal.
You need to tell people about the target on their backs.
Any staff member could be a target:
- Senior managers and execs are targets because a criminal impersonating them has a lot of power and can cause a lot of damage.
- Finance staff are targets because they can transfer money to the criminal.
- Junior staff are targets because they are more likely to trust an email, and are less likely to challenge a request that appears to be from a senior member of staff.
- All staff are targets because if any of them downloads ransomware, the criminal can encrypt any files that this staff member has access to.
How to get started
1 – Staff need to receive cyber security awareness training and regular reminders.
- The training and content must show them why and how they are targeted.
2 – New staff members must receive cyber training as part of their induction.
- Criminals will target new joiners as they know they are more susceptible to emails pretending to be from senior management.
3 – Staff need to know what to look for when they receive an email or other communication.
- Emails containing urgent requests (e.g. alerts about password expiry, notifications about unusual activity on an account, threats to terminate service, warnings about overdue payments; alerts about home deliveries / overdue customs payments)
- Emails containing requests to change IBAN details of a supplier or to pay an overdue invoice
- Emails that seem to be from senior executives requesting an urgent payment.
- Emails that suggest ‘juicy’ news is just a click away (e.g. celebrity gossip; Covid alerts)
- Emails with links to websites that require them to enter their password.
4 – Staff need to know what they must do and who they must contact:
- If they receive an email that they are unsure about – For example: Verifying the contents by phoning the sender on a number that they already have on file for them.
- If they have responded to an email and now think it may not have been the right thing to do – For example: Contacting their manager, who can then follow the Incident Response Plan (which I discuss later).
2 – Phishing Emails
As we saw in the previous section, email is the most common way for a criminal to attack your firm.
The attacker’s email will try to fool a staff member into doing something that later turns out to be costly to the firm.
Email is the door used by most attackers.
You need to protect the door.
How to get started
1 – Enable any functionality on your email system that can try to identify and block phishing emails
- The functionality and settings available will depend on what email system you use.
- For example, if you use Microsoft 365, you can look at things like Advanced Threat Protection, Safe Links, and Safe Attachments.
2 – Make it easier for staff to spot an email that came from outside the organisation
- Configure your email system to put a banner on the top of all emails that have come from outside the organisation.
- This will make it far less likely that an attacker can fool a staff member into thinking their malicious email has come from a colleague.
3 – Stop emails with unusual attachments getting to your email inboxes.
- Configure your email system to block or quarantine emails that include attachment file types commonly used by attackers and not usually used for genuine business purposes.
- For example: EXE, DLL, CMD, VBS, JS, SCR, HTM/HTML, and Python / PowerShell / Java file types are seldom sent by email for genuine business reasons, but frequently used by attackers.
- Microsoft and others frequently publish lists of the file types being used by attackers.
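As an added example (not code from the original post), here is how steps 1 to 3 above could be applied on Microsoft 365 using the Exchange Online PowerShell module; the file-type list is the one given above, while the rule name, banner wording and the choice of quarantine rather than reject are assumptions.

```powershell
# Added example: Exchange Online PowerShell (ExchangeOnlineManagement module).
# Rule name, banner text and the quarantine choice are assumptions, not the post's own settings.
Connect-ExchangeOnline

# Step 3: quarantine attachments whose file types are seldom sent for genuine business reasons.
$riskyTypes = @('exe', 'dll', 'cmd', 'vbs', 'js', 'scr', 'htm', 'html', 'py', 'ps1', 'jar')
Set-MalwareFilterPolicy -Identity 'Default' `
    -EnableFileFilter $true `
    -FileTypes $riskyTypes `
    -FileTypeAction Quarantine

# Step 2: tag every message that arrives from outside the organisation with a visible banner,
# so a staff member cannot mistake it for a colleague's email.
New-TransportRule -Name 'External sender banner' `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -PrependSubject '[EXTERNAL] ' `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText '<div style="background:#fff4ce;padding:6px">CAUTION: This email came from outside the organisation. Verify any payment or password request by phone before acting on it.</div>' `
    -ApplyHtmlDisclaimerFallbackAction Wrap

# Check: list the file types now being filtered and confirm the banner rule is enabled.
(Get-MalwareFilterPolicy -Identity 'Default').FileTypes
Get-TransportRule -Identity 'External sender banner' | Select-Object Name, State
```

Re-run the two check lines after any change to the policy; the file-type list is replaced (not appended to) each time Set-MalwareFilterPolicy is called.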
3 – Payments
The criminal’s primary goal is to get paid, and preferably as quickly as possible.
You need to ensure it is not easy for the criminal to get paid.
In simple terms:
- A criminal will try to get a staff member to make a payment into a bank account that the criminal controls.
- Most of the time this means the people most at risk are those who can log into the company’s bank account and make online payments or change a supplier’s payee details, or those who have access to a company credit card.
To deal with this threat, you need to lock down these pathways.
How to get started
1 – Define a clear process for setting up or changing payment details on the company’s bank account
Staff members with access to your firm’s bank account need to feel their fingers burn whenever they are entering in the payee details of a supplier.
Your staff need to feel uncomfortable.
Your staff need to feel an immediate urge to confirm that the details are correct.
Your process must involve a verification step, whereby your staff contact the supplier (using a phone number that they already have on file for them) and confirm the payee details are correct.
They may feel embarrassed about doing this, but:
- Large organisations now do this as a matter of procedure. It is a sign of professionalism.
- It is far more embarrassing when they call you in a few months’ time demanding payment, at which point you realise you’ve been sending their payments to a criminal’s account for months.
All staff and suppliers must adhere to the process. This includes senior staff – They must not be allowed to circumvent this process.
2 – Define a clear process for making payments
The staff members in your firm who process supplier payments or have access to a company credit card must also feel their fingers burn as they move towards that PAY NOW button.
The payments process should take on many of the measures already discussed above.
3 – Four eyes are better than two.
It is difficult for a criminal to fool two people.
So, if possible, your process should involve at least two people, at least one of whom should be senior and/or a natural cynic.
If it is too time-consuming to involve two people in all payments, then payments above a certain limit should require the involvement of a second person.
4 – Passwords
Attackers don’t break in; they log in
Most attackers do not break in through a back door.
They come in through the front door by fooling a staff member into revealing their password.
You need to strengthen the locks on your front door
How to get started
1 – Implement a human-friendly password policy
Forget what you have been told: A password that contains only letters but is at least 15-20 characters long is actually more secure than an 8-character string of upper case and lower case letters, numbers, and symbols.
Three random words or an English sentence is easier for a human to remember and more difficult for a criminal to guess.
So, when enforcing a password policy or including one in your staff policy, focus on length rather than complexity.
2 – Don’t reuse passwords.
If a password is used across multiple systems, more than one front door will open if a criminal gets their hands on that password.
You don’t use the same key for your house, car, bike, and garden shed.
And you shouldn’t use the same password for multiple systems.
So, make sure your password policy reminds staff that they must use a unique password for each system that they log in to.
3 – Do not send passwords in emails
Emails are not a secure method of communication.
Writing a password in an email means a criminal could intercept this password in transit, or retrieve it if they ever gain access to the email in the future.
Instead, phone the person and tell them the password over the phone, or send it via a phone message (e.g. using WhatsApp).
This is not 100% secure, but it takes a bit more work for an attacker to intercept a phone message.
4 – Use something else as well
Wherever possible, but especially on valuable systems like email and CRM systems, ensure the system requires a second ‘thing’ before it will let someone log in.
Someone can only gain access to your house if they know something (the alarm code) and they have something (the key).
Make sure you have similar security on your important IT systems.
It means a criminal can’t gain access with just a password. They need a second thing.
In the technology world, needing a password and something else is called Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA).
Depending on the system, this second ‘factor’:
- May be a security code that the system sends to your mobile phone number.
- Preferably, it will be a code generated by an application on your mobile phone.
5 – Privilege
In broad terms, there tend to be two types of user account on an IT system:
- Standard accounts, and
- Privileged Accounts (frequently called ‘Administrator’ or ‘Local Administrator’ accounts).
Standard user accounts usually do not have the necessary ‘privileges’ to make significant changes to an IT system. Only privileged accounts do.
Many attacks will only succeed if the attacker gains access to a privileged account.
So, the key defence is to be very careful with privileged accounts.
How to get started
1 – Restrict privileged accounts to the people who really need them.
Privileged accounts are the keys to the kingdom.
Be careful about who you give the keys to your kingdom.
For example, most people should not have privileged access (e.g. an administrator account) on the laptop or PC that they use for work.
2 – For anyone who needs a privileged account, make sure they also have a standard account.
Even when someone needs a privileged account (e.g. to install software on your laptop; to manage the users on your email system), they must only use this account when they need to use these privileges.
For their standard day-to-day activities, they must use a separate, standard account.
3 – Make sure accounts are removed quickly
People leave or change role. They may no longer need their privileged account (or their standard account).
Make sure that there is a reliable process to identify movers and leavers, and to shut down accounts that are no longer needed.
4 – Regularly review accounts
Regularly review the list of active accounts, especially those with privileged access.
Disable / remove the ones that are no longer in use.
Fewer accounts means fewer access points for the criminals.
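As an added example (not code from the original post), the following PowerShell lists who holds the keys to a Windows device and which enabled accounts have gone quiet, which is the raw material for the reviews in steps 1, 3 and 4 above; the 90-day inactivity threshold is an assumption.

```powershell
# Added example: review local accounts on a Windows device (run in an elevated PowerShell).
# The 90-day inactivity threshold is an assumption, not a figure from the post.
$staleAfter = (Get-Date).AddDays(-90)

# Step 1: who currently has privileged access on this device?
Write-Host 'Members of the local Administrators group:'
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource

# Steps 3 and 4: enabled accounts that have never logged on, or not recently, are candidates for disabling.
$stale = Get-LocalUser |
    Where-Object { $_.Enabled -and ($null -eq $_.LastLogon -or $_.LastLogon -lt $staleAfter) }
Write-Host "`nEnabled accounts with no logon since $($staleAfter.ToShortDateString()):"
$stale | Select-Object Name, LastLogon, PasswordLastSet

# Disable rather than delete, so the action can be reversed if a genuine user turns out to still need the account.
# Uncomment once the list above has been checked against your movers and leavers process.
# $stale | Where-Object { $_.Name -ne $env:USERNAME } | Disable-LocalUser
```

Run it on a schedule and keep the output; a shrinking list over time is the evidence that the review process is working.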
6 – Patches
Security holes (‘vulnerabilities’) in software are identified on a frequent basis and IT companies work hard to fill those holes by releasing software updates (‘patches’).
The headlines may focus on “zero-day attacks” (attacks that take advantage of a security hole that no-one previously knew about and for which there is not yet a solution). However, most common attacks take advantage of security holes that are well-known and for which there are patches available.
However, until you install the patch, you are exposed to the vulnerability.
How to get started
1 – Ensure the operating system (e.g. Microsoft Windows) and the applications installed on devices are kept up to date
Define and implement a policy to regularly install the latest updates on all devices.
If your devices are centrally managed, you can use something like Microsoft Intune to do this.
Otherwise, you may need to put the responsibility on staff members (e.g. by adding it to your staff policy), especially if you allow them to use their personal devices to access your data and systems. In this situation, you will need to regularly seek evidence from them to ensure they are complying with the policy.
And don’t forget about your servers, firewalls etc.
2 – Create and maintain an inventory of all of the devices and applications in use in your organisation
You cannot manage and monitor what you don’t know.
You must have an accurate list of the devices and applications in use within the organisation (known as an ‘Asset Register’), and use this to regularly review all devices and applications to ensure they are up-to-date.
7 – Protection
The more layers of security that are in place to protect your systems, the more difficult it is for an attacker to break through.
Using multiple layers also ensures you aren’t relying on one layer working 100% of the time.
How to get started
1 – Ensure every Windows device has protective layers
At a minimum, each device should have a firewall and anti-virus / endpoint protection software running and being regularly updated.
Firewalls and anti-virus software watch out for suspicious activity, and try to stop malicious actions before they have an impact on the organisation. These protective layers are also updated on a frequent basis (e.g. multiple times per day) so they are more likely to defend against the latest emerging threats.
There are many good solutions available for free or for a very low price (e.g. BitDefender, Sophos, Avast to name just a few).
2 – Ensure the doorways into devices are locked down
Many organisations use Remote Access Tools (e.g. TeamViewer, AnyDesk) to remotely manage devices. There are also tools that use RDP (Remote Desktop Protocol) to gain similar access to a device.
Criminals also use these tools and protocols to gain access.
You must:
- Know the tools that are used
- Ensure these tools require more than just a password before they provide access to a device
- Configure devices so they do not allow other tools or access pathways. For example, disable RDP on all devices or implement tight restrictions on its use.
3 – Don’t forget about physical security
While the focus of this guide is on cyber attacks that happen through the internet, we must not forget about the risk of a physical security threat – e.g. a device being stolen.
To reduce the impact of such an event:
- Enforce the use of disk encryption on all devices that store data (e.g. BitLocker on Windows devices)
- Enforce the use of password-protected (or PIN / TouchID / FaceID-protected) lock screens that automatically activate after 10 minutes of inactivity.
4 – Ensure every personal device has similar protective layers
If you allow your systems and data to be accessed from personal devices, you must ensure the owners of these personal devices have similar protective layers and configurations in place.
Reducing the Impact
While there are many simple things we can do to reduce the likelihood of an attack, it is impossible to eliminate the likelihood completely.
Therefore, when trying to reduce risk, we also need to think about reducing the impact if or when an attack succeeds.
To reduce the impact, start by thinking about the 3 B’s:
- Backups,
- Plan B, and
- Buddies.
1 – Backups
If a ransomware attacker gains access to your systems, they will encrypt your data and only decrypt it if you pay them a ransom.
If you have a recent backup that is inaccessible to the ransomware attackers, you may be able to recover from the attack without paying the ransom.
There are also attacks known as ‘wipers’, where your data is simply deleted – Even the attackers cannot restore it. In such a scenario, a backup will be your only way to recover.
How to get started
1 – Identify your most important ‘crown jewels’ data and systems.
When you are starting out, it’s important to focus on the most important data and systems first and ensure these are backed up.
2 – Implement a 3-2-1 backup strategy
- You have at least 3 copies (e.g. 1 live and 2 backups)
- They are stored in at least two places or on two types of storage device, and
- At least one copy is not normally accessible online.
At least one copy needs to be stored offline (or with a service that guarantees ‘immutability’) because many ransomware attackers will try to find your backups and destroy them. If the backups are on your computer network or accessible from the network, they are at risk.
3 – Regularly test your backups
A backup is as useful as a chocolate teapot if you do not test it on a regular basis to confirm you can restore from it.
2 – Plan B
Your Plan A is to reduce the likelihood of a successful attack.
You need a Plan B that focuses on reducing the impact of a successful attack.
Your Plan B describes the steps you will take if / when an attack does succeed.
How to get started
1 – Make sure you know if there is an attack or breach.
You can’t respond if you don’t know it’s happening.
Ensure staff know that it is safe to tell you that they have been fooled into revealing their password or making a payment. It’s never too late for them to flag a concern.
2 – Write a step-by-step plan of action (often called an ‘Incident Response Plan’) that will guide your response.
An Incident Response Plan is most valuable in the early stages of an incident, as you will be dealing with the initial shock and panic and you will not be thinking straight.
A 1-page plan is better than a blank sheet of paper. Just get started on it and add to it over time.
Start by considering the following:
1 – ‘If someone tells me they may have paid a fake invoice or transferred money to the wrong account, we will do the following:’
2 – ‘If someone tells me many of our files can no longer be opened, we will do the following:’
3 – ‘If someone tells me they may have revealed their login credentials to someone, we will do the following:’
3 – Buddies
As you write your Plan B, you will realise that you cannot recover from an attack on your own. You will need outside help.
For example:
- You will need to contact your bank to try to get a payment reversed.
- You will need to contact the police to report the crime.
- You will need legal advice to ensure you stay on the right side of the law, and in case you need to report the breach to regulators.
- You will need technical experts to identify how the attacker got through, and to get them out of your organisation if they are still lurking.
- You may need PR advice to ensure this incident does not cause long-term reputational damage.
You’ll get by with a little help from your friends
If you wait until an attack before you think about this list of buddies, you may find it difficult to get them involved. Their skills are in demand and you may not be at the front of the queue.
Get your buddies lined up before you need them.
If you have insurance (e.g. Professional Indemnity Insurance or Cyber Insurance), the policy may already provide you with access to a panel of experts. Check your policy documentation, or speak to your broker or insurance provider.
If not, check the cost of putting such cover in place and ensure the cover includes a panel of experts that you can lean on in the event of an attack.
The relatively small cost of such a policy would be money well-spent if you were attacked.
Conclusion
Key takeaway: The 7 P’s and the 3 B’s will make your firm a far greater challenge for most cyber attackers.
The simple security defences I have described here will significantly reduce the risk that your organisation will be the victim of an unsophisticated attack.
It’s not everything you need to do.
But it’s a great start.
One Request
I hope you have found this series useful, and that it helps you take some simple steps to protect your money, your data, and your reputation.
I’d really appreciate your feedback on the series so I can continue to make it more valuable.
Where did I lose you? Where did I confuse you? Where did you disagree with me?
Please, send me a quick email and let me know. I’d really appreciate it.
Sam.