4: Reducing the risks
This is part of a series discussing cybersecurity basics for an SME.
Risk = Likelihood [and] Impact
When we think about reducing risk, we should focus on reducing the likelihood of something bad happening.
However, for most risks, we also need to recognise that it is impossible to completely eliminate the likelihood of that bad thing happening. There will always be a chance of it occurring.
Therefore, when trying to reduce risk, we also need to think about reducing the impact if or when that bad thing were to happen.
Key takeaway: Risk = Likelihood AND Impact
Reducing the risks = 7 P’s and 3 B’s
To reduce the likelihood of a successful cyber-attack, I recommend focusing on the 7 P’s:
- Phishing Emails
- People
- Payments
- Passwords
- Privilege
- Protection
- Patching
To reduce the impact of a successful cyber-attack, I recommend focusing on the 3 B’s:
- Your [Plan] B
- Your Backups
- Your Buddies
To reduce the likelihood of a successful cyber-attack, think about the 7 P’s: Phishing Emails, People, Payments, Passwords, Privilege, Protection, and Patching.
1 – Phishing Emails
As we saw in the previous section, email is the most common way for a criminal to attack your firm. The email will try to fool a staff member into doing something that later turns out to be costly to the firm.
Email is the door used by most attackers. You need to protect the door.
There are a few basic steps you can take to reduce the likelihood of such an email succeeding.
- Ensure your people know that email is the primary method used by criminals.
Encourage staff to be suspicious of all emails, but especially:
– Emails containing urgent requests (e.g. alerts about password expiry, notifications about unusual activity on an account, threats to terminate service, warnings about overdue payments; alerts about home deliveries / overdue customs payments)
– Emails containing requests to change IBAN details of a supplier or to pay an overdue invoice
– Emails that seem to be from senior executives requesting an urgent payment.
– Emails that suggest ‘juicy’ news is just a click away (e.g. celebrity gossip; Covid alerts)
– Emails with links to websites that require them to enter their password.
If they have any doubt about whether an email is genuine, they should verify the contents by phoning the sender on a number that they already have on file for them.
I talk more about this in the ‘People’ section below.
- Get your IT person to enable any functionality on your email system that can block phishing emails or that can indicate to your staff that the email may not be genuine
(I promise – This is one of the few technical steps that I mention in this section. If you need help with this, send me an email and we can talk it through.)
The settings available will depend on what email system you use. For example, if you use Microsoft Office 365, you can look at their Advanced Threat Protection functionality.
You can also implement a rule that will put a warning on the top of all emails that have come from outside the organisation to remind staff that external emails should not be trusted.
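As an added illustration that is not code from the original post, this Python script applies the red flags listed above to a raw email message and shows the ‘[EXTERNAL]’ subject warning for outside senders. The firm’s domain, the senior staff names and the sample message are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumptions, not from the original post: the firm's own email domain and
# the senior staff whose names a criminal might borrow (compared lower-cased).
ORG_DOMAIN = "example-firm.ie"
SENIOR_STAFF = {"mary murphy", "john byrne"}
# Wording taken from the post's red-flag list: urgency, payments/IBANs, login links.
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|expir(e|es|ed|y)|overdue|"
                     r"suspend(ed)?|unusual activity)\b", re.I)
PAYMENT = re.compile(r"\b(iban|bank details|invoice|payment|transfer)\b", re.I)
LOGIN_LINK = re.compile(r"\b(verify|confirm|log ?in|sign ?in)\b.*https?://", re.I | re.S)

def sender_domain(msg) -> str:
    """Domain of the From address, lower-cased ('' if missing)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def phishing_flags(raw: str) -> list[str]:
    """Return the post's red flags raised by one raw email message."""
    msg = message_from_string(raw, policy=policy.default)
    display, _ = parseaddr(str(msg.get("From", "")))
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    external = sender_domain(msg) != ORG_DOMAIN
    flags = ["external sender"] if external else []
    if external and display.strip().lower() in SENIOR_STAFF:
        flags.append("senior staff name used by an outside address")
    if URGENCY.search(text):
        flags.append("urgent request")
    if PAYMENT.search(text):
        flags.append("payment or bank-detail request")
    if LOGIN_LINK.search(text):
        flags.append("link asking for a login")
    return flags

def tag_subject(raw: str) -> str:
    """What the external-email warning rule does: prefix outside senders' subjects."""
    msg = message_from_string(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    return subject if sender_domain(msg) == ORG_DOMAIN else "[EXTERNAL] " + subject

# Constructed sample: a criminal borrowing the CEO's name from a webmail address.
SAMPLE_PHISH = """\
From: Mary Murphy <mary.murphy.ceo@webmail.example>
Subject: Urgent payment needed today

Please pay the attached overdue invoice to the supplier's new IBAN immediately.
"""
```

Running `phishing_flags(SAMPLE_PHISH)` raises four of the flags; a genuine internal message raises none and keeps its subject unchanged.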
2 – People
Most cybersecurity attacks rely on a staff member being fooled by the criminal.
You need to tell people about the target on their backs.
No staff member is safe:
- Senior staff are targets because a criminal impersonating them has a lot of power and can cause a lot of damage.
- Finance staff are targets because they can transfer money to the criminal.
- Junior staff are targets because they are more likely to trust an email, and are less likely to challenge a request that appears to be from a senior member of staff.
- All staff are targets because if any of them downloads ransomware, the criminal can encrypt any files that this staff member has access to.
I’ve already discussed the things you need to ensure your staff watch out for in emails.
But you also need to support staff by telling them what they should do and who they should contact:
- if they receive an email that they are unsure about, or
- if they have responded to an email and now think it may not have been the right thing to do.
3 – Payments
The criminal’s primary goal is to get paid, and preferably as quickly as possible.
You need to ensure it is not easy for the criminal to get paid.
In simple terms:
- A criminal will try to get the firm to make a payment into a bank account that they control.
- This can only happen if someone logs in to the company’s bank account and enters the IBAN of the criminal’s account, or types the details of a company credit card into a website.
1 – Define a clear process for setting up or changing payment details on the company’s bank account
The staff members with access to your firm’s bank account need to feel their fingers burn whenever they type in the digits of an IBAN code.
Your staff need to feel uncomfortable.
Your staff need to feel an immediate urge to confirm that the request is legitimate.
Your process must involve a verification step, whereby your firm contacts the supplier (using a phone number that you already have on file for them) and confirms the IBAN details are correct.
You may feel embarrassed about doing this, but:
- Large firms now do this as a matter of procedure. It is a sign of professionalism.
- It is far more embarrassing when they call you in a few months’ time demanding payment, at which point you realise you’ve been sending their payments to a criminal’s account for months.
All staff and suppliers must adhere to the process. This includes senior staff who may be used to circumventing due process.
If possible, your process should involve at least two people, one of whom should be senior and a natural cynic. It is difficult to fool two people.
2 – Define a clear process for making payments
The staff members in your firm who process supplier payments or have access to a company credit card need to feel their fingers burn as they move towards that PAY NOW button.
The process should take on many of the measures already discussed earlier.
If possible, payments above a certain limit should require a second person to approve the payment. It is difficult to fool two people.
4 – Passwords
One password may be all that sits between a criminal and your valuables.
As I described in the previous section, a password could open up your organisation to a criminal.
1 – Limit the damage
If a criminal has a password, you can limit the damage they could cause by ensuring the password only opens one system.
You don’t use the same key for your house, car, bike, and garden shed.
And you shouldn’t use the same password for multiple systems either.
2 – Use something else as well
Wherever possible, but especially on valuable systems like email and CRM, ensure the system requires a second ‘thing’ before it will let you in.
You can only gain access to your house if you know something (the alarm code) and you have something (the key).
Make sure to have similar security on your important IT systems.
In the technology world, this is called Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA).
It means a criminal can’t gain access with just a password. They need a second ‘factor’.
Depending on the system, this second ‘factor’ may be a security code that the system sends to your mobile phone. Or, it may be a code generated by an application on your mobile phone. To log in to the system, you must know the password and this security code.
Most systems will make it easy for you to set this up or there will be tutorials online to show you how to do it.
(If you are stuck, send me an email and we can work through the process)
5 – Privilege
In broad terms, there tend to be two types of user account on an IT system:
- Standard accounts, and
- Privileged Accounts (frequently called ‘Administrator’ or ‘Local Administrator’ accounts).
To make significant changes to an IT system, you usually need a privileged account. Standard user accounts usually do not have the necessary ‘privileges’ to make such changes.
Many attacks will not succeed if you only use a standard account. The attackers require a privileged account to do the damage.
If you need to have a privileged account (e.g. to install software on your laptop; to manage the users on your email system), only use this account when you need the privileges. Use a different standard account for your day-to-day activities.
6 – Protection
I haven’t mentioned anti-virus or anti-malware on your laptops and PCs until now.
But it is important. Use a good anti-virus / anti-malware tool and keep it up to date. There are many good ones available for free or for a very low price (e.g. BitDefender, Sophos, Avast to name just a few).
Anti-virus software is another line of defence.
If a staff member is fooled into downloading malware, this type of tool may spot the infection and stop it from running.
7 – Patching
‘Patching’ means ensuring the operating system (e.g. Microsoft Windows) and the applications (e.g. Microsoft Office, Google Chrome, Adobe Reader) installed on your device are kept up-to-date.
Security holes (‘vulnerabilities’) in software are identified on a frequent basis and companies like Microsoft, Google, and Adobe work hard to fill those holes by releasing software updates (‘patches’).
Until you install the software update, you are exposed to the security hole (the ‘vulnerability’).
This is why you need to regularly check for, and install, the latest software updates.
To reduce the impact of an attack, think of the 3 B’s: Plan B, Backups, and Buddies.
1 – [Plan] B
Your Plan A consists of the 7 P’s above, and is focused on reducing the likelihood of an attack succeeding.
You need a Plan B that focuses on reducing the impact of a successful attack.
Your Plan B documents the steps you will take if / when an attack does succeed.
Firstly, you need to make sure you are made aware of a successful attack. You can’t react if you don’t know. For example, ensure staff know that it is safe to tell you that they have been fooled into revealing their password or making a payment. The right email at the right time will fool anyone.
Next, write a step-by-step plan of action (often called an ‘Incident Response Plan’) that will guide your response.
An Incident Response Plan is most valuable in the early stages of an incident, as you will be dealing with the initial shock and panic. You will not be thinking straight.
A 1-page plan is better than a blank sheet of paper. Just get started on it and add to it over time.
Start by considering the following:
1 – ‘When someone tells me they may have paid a fake invoice or transferred money to the wrong account, we will do the following:’
2 – ‘When someone tells me many of our files can no longer be opened, we will do the following:’
3 – ‘When someone tells me they may have revealed their email password to someone, we will do the following:’
2 – Backups
When you write your response plan for a ransomware attack, you will realise the value of backups.
If you have a recent backup that has not been accessible to the ransomware, you will be able to access your files again without needing to pay the ransom.
There are key things to keep in mind:
- Ransomware will search for your backups and destroy them. If they are on your computer network or accessible from the network, they are at risk. Try to have at least one backup that is stored offline (e.g. on an external USB device that is disconnected from the network as soon as a backup completes).
- A backup is as useful as a chocolate teapot if you do not test it on a regular basis to confirm you can restore files from it.
3 – Buddies
As you write your Plan B, you will realise that you cannot recover from an attack on your own. You will need outside help.
- You will need to contact your bank to try to get a payment reversed.
- You will need to contact the Gardai to report the crime.
- You will need legal advice to ensure you stay on the right side of the law.
- You will need technical experts to identify how the attacker got through, and to get them out of your organisation if they are still lurking.
- You may need PR advice to ensure this incident does not cause long-term reputational damage.
You’ll get by with a little help from your friends
If you wait until an attack to look for this help, you will find it difficult to get a timely response. Their skills are in demand and you may not be at the front of the queue.
So, get your friends lined up before you need them.
If you have insurance (e.g. Professional Indemnity Insurance), the policy may already provide you with access to a panel of experts. Check with your broker or insurance provider.
If not, check the cost of putting cyber insurance cover in place and ensure the cover includes a panel of experts that you can lean on in the event of an attack.
Key takeaway: The 7 P’s and the 3 B’s will make your firm a far greater challenge for a cyber-attacker. Without them, you’re an easy target.
I hope you have found this series useful, and that it helps you take some simple steps to protect your money, your data, and your reputation.
I’d really appreciate your feedback on the series so I can continue to make it more valuable to SMEs. Where did I lose you? Where did I confuse you? Where did you disagree with me?
Please, send me a quick email and let me know. I’d really appreciate it.