Cyber Secure or Cyber Confused?

Would you say you are cyber secure or cyber confused? If you’re the latter, hopefully this article will help!

Being secure online isn’t really that different to being secure in other areas of life. You match your measures to the likelihood and size of the threat. So for instance a bank has a strongroom, a sophisticated alarm and security guards. You could have those at home but it would be a bit overkill. An alarm is normally sufficient. So it is with your computer systems. You don’t need the latest and greatest – just what is effective.

A rider though – you won’t ever stop everything. You can still get burgled and banks still get broken into. If someone is determined to be in and has the skill, they’ll be in. We just want to deter the opportunist which is usually sufficient, unless you are a prime target!

So, firstly, let me ask you a question. What are some of the threats to your computer or data? There are quite a few, so let me go through some of the main ones you need to be aware of. In some of these I’ve given you definitions written by others – with attribution – because I think they summarise things well:

Types of Threat

Malware – or MALicious softWARE – this is “a kind of catchall phrase that encompasses pretty much any kind of software that could cause harm to your data or your machine. It includes software such as viruses, spyware, adware, Trojans, worms, scareware, and more.” (AskLeo.com).

Within Malware we then have the following:

  • Viruses – “a type of malicious software program (“malware”) that, when executed, replicates itself by modifying other computer programs…When this replication succeeds, the affected areas are then said to be “infected” with a computer virus” (Wikipedia)
  • Worm – similar to a virus but it is a standalone programme – it doesn’t need a host programme to replicate.
  • Spyware – “a class of malware that, as its name implies, is typically designed to spy on you or your computer, silently collecting information that is subsequently sent on to others for typically nefarious purposes.” (AskLeo.com)
  • Trojan Horse – “is any malicious computer program which misleads users of its true intent. The term is derived from the Ancient Greek story of the deceptive wooden horse that led to the fall of the city of Troy” – (Wikipedia)
  • Ransomware – “a type of malicious software that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid. Ransomware attacks are typically carried out using a Trojan that is disguised as a legitimate file that the user is tricked into downloading or opening when it arrives as an email attachment. However, one high-profile example, the “WannaCry worm”, traveled automatically between computers without user interaction.” (Wikipedia)
  • Keylogger – software that records the keys pressed on a keyboard, usually for the purpose of stealing passwords or other confidential information.
  • Adware – in a malware context, is software that presents unwanted adverts to a user, often in the form of an unclosable pop-up window. Adware isn’t always malware but can be, and some websites do seem to make it “difficult” to close down pop-up ads, showing that the boundary line is difficult to establish. Adblockers are very good at dealing with this sort of thing.

Going beyond Malware we then have such things as:

Phishing – “the fraudulent attempt to obtain sensitive information such as usernames, passwords, and credit card details (and money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication” (Wikipedia)

Hacking – The term “hacker” is one that we misuse. The correct definition is “any skilled computer expert that uses their technical knowledge to overcome a problem” (Wikipedia). However, whenever we hear the term hacker what we really think of is someone who intentionally breaks into a computer system, usually to steal some important or sensitive information. From a cyber security point of view, it is that latter definition that we mean.

Most of the time, it isn’t the threat itself that is the problem, it is the intention behind it. Usually, the person behind it wants data or money. And they usually want the data because they can use it to get money! At the end of the day, this is as much about data protection and security as it is anything else. It’s not just the inconvenience, it’s your reputation and your compliance with law that is at stake.

So how do we stop them?

Good Antivirus Software

Everyone knows the importance of Antivirus software these days. Windows comes with it pre-installed now and there are many other options available. For most people and small businesses, the free versions are sufficient. I normally wouldn’t recommend paying for antivirus unless you have identified a specific feature that you need or there is a specific threat you are trying to combat. The free tools are very good and normally more than sufficient for most needs when used with other security methods and practices. If you think you need more than that, then discuss it with your IT partner. And of course if your IT partner thinks you need more, they will advise you.

A Firewall

What is a firewall? Very simply, it acts as a barrier between computer systems or networks. It allows you to control what gets through in both directions – in and out. This can be achieved by a physical piece of hardware, or by installing software on a computer. A good example of a piece of hardware is your internet router. This is a type of firewall. You might not be aware, but it is set up by default to act as a barrier. It will let you browse the web – that is, it lets your computer OUT through the firewall into the World Wide Web. But the World Wide Web is not, by default, allowed back IN to see your computer – unless you configure the firewall to do so.

Your router essentially protects you from outside. But you should also ensure that there is a software firewall on each computer on your network so that they are protected from each other. This helps to ensure that if a user unwittingly downloads a virus, other computers on your network don’t automatically get infected. A software firewall protects you from the inside. The good news is that Windows has a built-in firewall and it is enabled by default. This is suitable for most users – just don’t turn it off!

Good practices

I cannot emphasise enough the importance of good practices within your business. As much as the threats listed are real and need dealing with, the truth is, the biggest threat to your cyber security is You. It’s the users of computers and IT systems. And even if you are pretty savvy and careful, what about your staff? Are they as careful as you? Are they observing good cyber hygiene to prevent falling victim to an attack? Antivirus will not stop a phishing attempt. And a firewall is only good until you let someone or something inside it!

The thing is, whilst there are people out there that try and hack into systems, this is a lot of effort and it is much easier instead for them to trick you into revealing information that lets them in or get you to install something that gives them access.

So this next bit is about those good practices that you need to protect your system and data from you and your staff!

Passwords

How many of you are Facebook users?

Ok, so you will all have seen those Facebook games that will tell you your personality, or Movie Star Name, or which Harry Potter character you are in exchange for some answers to some questions. You know the ones I mean. What was the name of your first pet? Which city were you born in?

Now, think for a moment about the sort of information you are freely handing over. How many of you use names of pets or children in your passwords? Or favourite colour, or something related to the year of your birth? The thing is, most people use this information as the basis of their passwords and hackers know this. So getting you to answer a little quiz on Facebook on the one hand looks innocuous but if you think about it, is a very subtle way of getting you to reveal information about yourself that you are probably using for your password. So the next time someone tells you their Facebook was hacked, perhaps they played along with one of these quizzes.

So let’s just talk for a minute about passwords.

The most important aspect about a password is its length. Why is this? Here’s an example password:

Er3K!fXX$

Most websites will say that’s a strong password and will allow it. But it would take only about 18 hours for a computer to crack that password. An eight-character password has 722 trillion possibilities (722,204,136,308,736 to be exact), assuming 26 uppercase and 26 lowercase letters, 10 digits and 10 special characters, but today’s computing power means that working through them is not a difficult or time-consuming process.

What if we add four more characters in – Er3K!fXX$nB45

A twelve-character password has 19 sextillion possibilities (19,408,409,961,765,342,806,016). All of a sudden, that has become a LOT more secure. It’s an exponential increase and would take billions of hours to crack. Length matters.
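The arithmetic behind those two counts, as an added example that is not part of the original article: it reproduces the figures with the article’s 72-symbol alphabet and extends them to lowercase-only and digits-only passwords to show how many characters those need to match the eight-character figure. The function names are illustrative, every character is assumed to be chosen at random, and the guess rate is only what the article’s 18-hour figure implies for an exhaustive search.

```python
# Added example: brute-force search-space arithmetic using the article's model.
# Alphabet per the article: 26 upper + 26 lower + 10 digits + 10 specials.
FULL_SET = 26 + 26 + 10 + 10   # 72 symbols
LOWER_ONLY = 26
DIGITS_ONLY = 10


def keyspace(alphabet_size: int, length: int) -> int:
    """Count of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def implied_guess_rate(space: int, hours: float) -> float:
    """Guesses per second needed to try every password in `space` within `hours`."""
    return space / (hours * 3600)


def min_length(alphabet_size: int, target_space: int) -> int:
    """Shortest length whose keyspace is at least `target_space`."""
    length = 1
    while keyspace(alphabet_size, length) < target_space:
        length += 1
    return length


def report() -> list[str]:
    """Build the comparison lines; the 18-hour figure is the article's own."""
    eight = keyspace(FULL_SET, 8)
    twelve = keyspace(FULL_SET, 12)
    return [
        f"8 chars, 72 symbols : {eight:,}",
        f"12 chars, 72 symbols: {twelve:,}",
        f"4 extra chars multiply the work by {twelve // eight:,}",
        f"rate implied by 18 hours: {implied_guess_rate(eight, 18):,.0f} guesses/s",
        f"lowercase-only length matching 8 mixed chars: {min_length(LOWER_ONLY, eight)}",
        f"digits-only length matching 8 mixed chars: {min_length(DIGITS_ONLY, eight)}",
        f"12 lowercase chars vs 8 mixed: {keyspace(LOWER_ONLY, 12) / eight:.0f}x larger",
    ]


if __name__ == "__main__":
    print("\n".join(report()))
```

A twelve-character password made only of lowercase letters already has a larger search space than an eight-character one drawn from all 72 symbols, which is the “length matters” point in numbers.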

In addition to having long passwords, you should also never use the same password in more than one place. If a hacker somehow DOES get hold of your password then they will try it in other places. They are not fools! They know that most people have Facebook, Twitter, Instagram, Dropbox, Google Drive and so on. And remember, although YOU might keep your passwords safe, can we trust the websites that we log onto with our passwords? Last week I got an email from Adobe saying that my password had been reset as it may have been compromised in data breaches from other online services. Before that it was CeX writing to advise that they had suffered a data breach and that I needed to update my password. Don’t assume others are being as careful as you. Don’t re-use passwords.

But, you say, I can’t remember them all! That is true, so using a password manager can be a great way to manage your passwords. I use LastPass, which works across all browsers, phones etc and can be used to generate and store your passwords. What’s more they are encrypted, which means that they can’t be read by someone hacking into the LastPass database. All you need to remember is your master password. Just make it a long one!

Patching

One of the ways that malware can get into systems is through unintentional holes left in them by the original developers. With all the best will in the world and extensive testing, it happens. The solution is for software companies to issue fixes, or patches, as soon as they become aware of them. This means that you need to make sure you are keeping things up to date. Here are some of the things you need to make sure are updated:

Windows – Windows 10 makes it almost impossible to avoid updates now. Microsoft will also provide updates for its other products that you have installed too, such as Office. So this one is difficult to miss these days. Admittedly, Windows often wants to update at the most inopportune time; however, with the new April update to Windows 10, Microsoft has tweaked things so most of the updating can be done in the background without getting in the way.

Product updates – However, updates for other products can be missed, as you are able to have more control over them. The big one to watch is your browser. This is your gateway to the internet. Your firewall allows it through, so by definition it is a way that something can get in if there is a weakness in your browser. Again, most will be set to update automatically by default – don’t turn them off!

Your router – For most people this is your biggest protection against the outside world. So, make sure your router is updated regularly too – router manufacturers do issue updates. However, some consumer grade routers don’t get updated or supported for long! Therefore you should have a business grade router from a manufacturer that is committed to providing support for a good length of time. If you are using the one that your ISP gave you, ditch it! Companies like RedFez can supply you with something far more secure!

Policies and Procedure

This is really about enforcing good cyber hygiene. So here are some things you might want to think about:

  • Restricting Access – to certain websites or to certain files and folders.

  • Emails – exercise caution when opening emails and links. Educate yourself and your staff on how to recognise a phishing attempt.

  • Password policies – Set a minimum length for Windows passwords and require them to be changed every so often. If you have a domain network and Windows Server then this can all be managed by the server. If you don’t have that sort of setup, maybe you should consider it?

  • Working Remotely – What do you allow staff to take out of the office and under what circumstances? We’ve all heard the stories of government officials leaving laptops or USB sticks on trains. How do you avoid this? Have a policy (you should anyway to be GDPR compliant). You can say that nothing is allowed to leave the office. But if this is not practical then you can set up a VPN as an encrypted, secure way of staff accessing files remotely and also working securely over 4G and open WiFi networks. Or it is easy to buy encrypted USB sticks and mandate their use. And if you do allow your staff to work from home, do you allow them to use their own computer or is it a work one? If they can use their own, how do you make sure that any malware on their home system doesn’t make its way onto yours?

  • Regular backups – You should be backing up anyway in case of a system failure but this can also be a good defence against ransomware. If your files do become encrypted by a third party and they are demanding money to decrypt them, you have much less of an issue if you have a backup of all that data that they have not been able to touch. You can essentially ignore the request and whilst it may take some time to restore everything, you at least have your data and you haven’t had to pay the ransom. You should adopt a 3-2-1 backup strategy. That is, 3 copies of your data, 2 onsite and 1 offsite. So that could be Computer > External Hard Drive > Cloud.

  • Routers – As well as keeping them updated, when setting them up it is a good idea to do the following:

      • change the default password,
      • change the SSID name,
      • disable remote access,
      • use WPA2 encryption,
      • turn off UPnP,
      • disable WPS.

  • Physical security – It’s easy to think that this doesn’t really link into cybersecurity, but it does. For instance, anyone can reset a router if they have physical access to it! So where is your router? What about the locations of any USB drives, external drives or physical backups? How easy is it for an authorised person to access these? A two lock principle is always a good one to follow – that is, anything that is sensitive needs to be behind two locks (i.e. a locked cabinet in a locked room). This is a principle adopted by many public organisations.

And for now, that is it. This article has only scratched the surface of this rather enormous subject but I hope, at least, you are more conversant with this area and aware of the risks you need to watch out for.