For most businesses today, data is their lifeblood, so making sure that your information is secure should be a number one priority.
Whilst it might seem that this is something that only affects the biggest companies, in fact, most data thefts happen to smaller businesses and so it is something that every company should be aware of.
For smaller enterprises that want to contract to larger companies, data security will be one of the main things that will determine whether they get the work or not, and in many countries, legislation like GDPR will mean that there is a legal requirement to take security precautions.
So how can hackers get at your data and what can you do about it?
1. Phishing And Spearphishing
Phishing is something that has been around since before the days of the internet and relies upon telling a story to get people to hand over information.
The oldest form would be something like the well-worn but still-seen ‘419 scam’ which involves a barely believable story of billions of dollars of unclaimed money that you can share if you only hand over your bank details.
Spearphishing is slightly different in that it originates with an email to a named individual but from a trusted source. Favorites are companies like Amazon, Paypal, and eBay.
Because you trust them, and because the email often looks identical to the one you would get from these companies, you click on a link that then either takes you somewhere you don’t want to be or downloads malicious code into the company network.
The best defense against these is education. Letting employees know what scams are doing the rounds, how to spot them, and what to do (or more importantly what not to do) all help.
Stripping active links from incoming emails can also help, as can hardening your systems against code attacks.
A relatively new phenomenon that encompasses a lot of different hacks, social engineering uses data that can commonly be found on the web to spin a believable lie to get at your data.
A good example here would be an email to someone in accounts purporting to be from the CEO and demanding a payment be made urgently to an account number otherwise the company will lose a big deal.
The keys here are that it comes from a named real person in the company (of course it doesn’t really), that there is some form of peril (you may lose that big order), and that there is a time constraint (it gives you less time to check).
Some of these simply try to get the person to transfer money but others will say they have forgotten a password or in more sophisticated cases will discuss internal company matters to get information.
Education again helps here, but more important is having clear controls about who can reset passwords and make payments and what the process is, then enforcing them. It’s important that even the staff on the lowest rung of the ladder have the ability to say ‘no’ if a payment or reset request happens outside of policy.
Another old one but amazingly one that still works in 2021.
Hackers can get access to your systems simply by running through a list of the most commonly chosen passwords and the depressing thing is that the list hasn’t changed much since systems access became a thing.
Unbelievably hackers will get access many times by simply trying ‘Password123’, ‘123456’ or the slightly more secure ‘1234567890’!
There’s a simple answer to this – enforce strong passwords.
Make sure that you have a sunset of around 45 days so that employees have to reset their passwords periodically to keep your systems safe.
If you want to be extra secure then look at using two-factor authentication for sensitive system access.
Something that has come even more to the fore since COVID is the issue of open networks.
With more people than ever before connecting to company systems remotely, the integrity of the business’s information can be compromised by fairly simple methods.
Where people connect using public WiFi or even their home routers or hubs, it leaves data open to interception.
The problem is that although data may be encrypted on a mobile device and on the main system, when it travels between the two it is not.
Hackers can simply connect to the network and either use an interception script that records all the data passed from the employee’s device or can redirect their browser to a lookalike site that then collects data like network access codes etc.
Although many people’s home networks are secured with a strong password they can be compromised (see the passwords section!) and with home routers being stronger than ever it is a simple matter for someone to sit in a car out on the road and pick up a signal.
Even more insecure is the coffee shop/airport terminal open WiFi and there have been cases of hackers spending days in specific locations just harvesting data from unsuspecting victims.
The trick here is to provide VPN access to your systems so that wherever and however your people connect, they are doing so securely.
What is a VPN? It’s simply a method of connecting to the internet using secure, encrypted servers and then using that connection to access company systems and online services. A VPN stops hackers from intercepting and using data when it is on its way to and from your encrypted devices and systems which in turn secures the whole end-to-end process.
5. Hard Media Loss
There can’t be many people that haven’t seen news reports of massive and embarrassing data losses that occur due to someone losing something.
Often this can be someone downloading data onto a key drive or losing a laptop with information sitting on the hard drive.
The problem is that hard media today is so well developed that it is often small for the sake of convenience (thus easy to lose) and holds a huge amount of data. So when it gets lost it can be catastrophic. The answer here is to ban hard media. Many computers are now supplied without DVD writers but get your IT person to disable USB ports so that information can’t be downloaded onto easily losable key drives.
And if you do absolutely need to use hard media then make sure you encrypt them so that if they are lost, nothing is readable.
Smartphones are great but in many ways, they can be a nightmare in security terms.
Research has shown that employees are more productive if they are allowed to use mobile devices but allowing connection to the company systems also opens up your data to attack.
Apps downloaded from iPlay should be virus-free but there have been issues in the past with the Play Store which has meant that an app downloaded away from the business has the opportunity to attack when the employee next connects.
To counter this, think carefully about allowing Bring Your Own Device and if you do allow people to connect, perhaps provide a separate network that allows people internet access, but not to your main system.
And of course, invest in the best antivirus software you can and keep it up to date.
7. Brute Force Attacks
Brute force attacks are fairly unsophisticated hits that use tools like Aircrack-ng or John the Ripper to gain access.
They will look for password vulnerabilities, hidden web pages, and other potential openings by simply using volume as a tool. For example, imagine that you know the most common passwords and you have a pretty good idea of how a company might structure usernames. Then you can use a script to keep trying variations of the two until you get a hit.
Yes, it may take millions of attempts until you get in but by using a script it can be done in seconds and the rewards are worth it. The best way to combat this is to enforce password security (see above) and to limit incorrect attempts.
Hidden webpages should be properly secured and it is always worth investing in getting a security company to carry out periodical penetration testing on all your systems.
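The two defences named above, rejecting commonly chosen passwords and limiting incorrect attempts, sketched in Python as an added example (not code from the original article). The deny-list contents, minimum length, thresholds and the `verify` callback are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque

# Constructed deny-list: the three passwords quoted in the article plus two
# other well-known weak choices. A real deployment would load a far larger list.
COMMON_PASSWORDS = {"password123", "123456", "1234567890", "password", "qwerty"}
MIN_LENGTH = 10  # assumed policy value


def password_allowed(candidate: str) -> bool:
    """Reject short passwords and anything on the deny-list (case-insensitive)."""
    return len(candidate) >= MIN_LENGTH and candidate.lower() not in COMMON_PASSWORDS


class AttemptLimiter:
    """Lock an account after too many failed logins inside a sliding window."""

    def __init__(self, max_failures=5, window=300.0, lockout=900.0, clock=time.monotonic):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.clock = clock                    # injectable so the logic can be tested
        self._failures = defaultdict(deque)   # username -> recent failure timestamps
        self._locked_until = {}               # username -> time the lock expires

    def is_locked(self, user: str) -> bool:
        return self.clock() < self._locked_until.get(user, float("-inf"))

    def record_failure(self, user: str) -> None:
        now = self.clock()
        recent = self._failures[user]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                  # forget failures outside the window
        if len(recent) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            recent.clear()

    def try_login(self, user: str, password: str, verify) -> bool:
        """verify(user, password) -> bool is the caller's real credential check."""
        if self.is_locked(user):
            return False                      # refuse without checking the password
        if verify(user, password):
            self._failures.pop(user, None)    # a success resets the failure count
            return True
        self.record_failure(user)
        return False
```

Counting failures per username does not catch one password being tried across many usernames, so the same limiter is usually also keyed on the source address. A lock that expires on its own, as here, keeps a deliberate flood of bad guesses from shutting a real user out permanently.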
Most Security Is Simple
In most cases, making your company more secure is simply a matter of thinking about the ways that people might gain access.
User education, especially around phishing and malicious apps will help as will investing in VPNs and penetration testing.
Ban removable media and if you do have to use it, make sure you encrypt data when it is stored.
Being data secure doesn’t have to be expensive, so start thinking about how you can increase your protection today.