To many businesses, cybersecurity seems scary and confusing. Damaging data breaches continually hit the headlines, along with reports of online identity theft, fraud, blackmail and worse. Regulators hand out ever-larger fines to businesses that fail to protect customer information effectively. And a constantly changing A-Z of jargon – from “attack vector“ to “zero-day“ – leaves most non-technical people reeling.
Indeed, many businesses seem to be stuck in the cybersecurity headlights, admitting they don’t have a clearly defined cyber-defence strategy (pdf). And with so much dangerous traffic hurtling around our data highways and byways, the last place you want to be is in the middle of the road, unprotected.
Yet while Hollywood thrillers depict all hackers as evil geniuses who can crack any security system in seconds, the bulk of threats you’re likely to face are mundane, opportunistic and largely automated. It’s possible to detect and contain most of them, as long as you have the right tools and processes in place. And you don’t need to be a technical wizard to keep your business safe – a good comms integrator can give you all the guidance you need. O2 Business, for example, matches every customer with a digital adviser who can help you put the right defences in place.
For most businesses, cybersecurity used to mean protecting the perimeter of the network with a traditional firewall and deploying antivirus (AV) software on office PCs. Today, that approach is no longer effective. Changing workstyles mean most organisations no longer have a fixed perimeter, and work is rarely confined to company-owned PCs. People use a variety of devices, including personal smartphones and tablets. They frequently log into their company’s systems via home wifi that may not be well secured, or from public spaces such as cafes and airports, where open wireless traffic can easily be intercepted.
This changing workstyle has greatly increased the number of points at which hackers can potentially breach your systems. At the same time, it has become trivially easy for them to deploy automated tools that scan networks for weaknesses, such as poorly configured firewalls or people using older versions of software with known bugs they can exploit to gain entry. They also take advantage of the time lag between discovering some new security hole and the point where software companies identify and patch it. There’s even a flourishing dark web trade in these so-called “zero day“ exploits.
Malware can infect systems at any weak point – including via email and messaging systems, flash drives, apps and software downloaded from untrusted sources, or malicious code hidden on web pages. Social engineering techniques are also commonplace – for example, tricking people into opening innocent-looking files that may appear to have been sent by a trusted contact, or convincing them to reveal login details through spam “phishing“ emails that replicate an official-looking login page. Simply making employees aware of the latest tricks and techniques, while important, isn’t sufficient – it only takes one person to make a mistake for your system to be compromised.
So how do you protect your business in this new landscape? First, you have to get the basic “hygiene factors“ right. Just as the simple act of making everyone in a hospital wash their hands regularly dramatically prevents the spread of disease, so putting in place sound, basic security practices greatly reduces your risk of suffering a damaging cyberattack.
Common examples of poor hygiene among businesses include: failing to keep all systems patched and updated; using insecure or easy-to-guess passwords; failing to set up security software properly; ignoring security alerts; giving too many people admin rights to install software or change settings; failing to encrypt and ringfence sensitive data; and ineffective monitoring of systems for suspicious activity and malware. And don’t forget mobile phones – the average smartphone is every bit as connected, powerful and versatile as a computer, and can expose the corporate network to risk.
Many SMEs also fall for enduring security myths, such as believing they are secure as long as they don’t put sensitive data into the cloud. In fact, today’s cloud providers typically have far more effective security controls than most in-house systems. Too many SMEs also believe that because they’ve bought an expensive security solution, they don’t need to do anything else.
In fact, there’s no single silver bullet security solution, and independent experts can ensure you have the correct protections in place. O2 Business, for example, typically recommends a mix of best-of-breed solutions along the lines of those listed below.
• A “next generation“ firewall from a reliable supplier, properly configured, can segment your network to contain any threats and create a buffer zone that ensures your sensitive data is appropriately ringfenced. It can also prevent access by remote devices if they’re not using a secure, encrypted network.
• Effective mobile device management systems can secure all your smartphones and tablets, checking you haven’t inadvertently left open any back doors to your systems, restricting access to settings and preventing unauthorised apps. They also enable you to remotely wipe the data from devices that are lost or stolen.
• Access control systems can limit who and what has access to different parts of your network. Users can be restricted to only those systems and settings they need and prevented from installing or running potentially insecure software. Secure passwords can be automatically mandated and managed, while additional measures, such as two-factor authentication, can be put in place for your most critical systems and data.
• Anti-malware solutions can protect all your devices against pernicious threats such as ransomware. As well as the traditional checklist of known malware signatures, modern systems might include intelligent behavioural analysis of network activity to detect anything out of the ordinary, whitelisting of safe apps/websites, and sandboxing of unknown software and applications so they can be tested for malicious behaviour without causing any damage.
• Vulnerability management systems can spotlight weak points in your systems and networks, and ensure all your software is automatically patched and up-to-date.
This is not an exhaustive list, and cyberthreats and defences are always evolving. But, by putting in place a solid security strategy with the help of trusted technology experts, no business need have nightmares.
