Before we start, relax! I’m not selling anything. If anything, I’m unselling. I’m not a fan of throwing money at something that can be done with a little elbow grease. Of course, if the price of elbow grease goes up, throw money at it instead!
In business we like to be rewarded for success. We get paid for success, and we (reluctantly) pay taxes on the profits of that success. At least we get something out of paying taxes, much as we don’t like to do it. We can argue all day about where and how tax money is spent, but most of us end up with an infrastructure within which we can continue to do business. So, taxes are bad, but we understand what they are for. What we do not buy into is that some cyber criminal can illegally tax our hard work, yet that is what is happening every hour of every day.
In a past life as a cyber crime investigator, I have seen profitable businesses destroyed overnight. One day everyone is happily working away making a good life for themselves, the next they are in panic mode, and shortly afterward there’s a rash of LinkedIn activity as the search for new roles begins. Why? Because some low-morals script kiddie stumbled across a vulnerability and exploited it.
Unfortunately, I’ve also seen businesses destroyed in slow motion. I have seen insider breaches send a business into a long-running tailspin. Losses aren’t immediate, but down the road the victims find that contracts don’t get renewed and business suffers. It’s not directly attributable to the insider’s actions, but deep down everyone knows it didn’t help. In one case I investigated, over 60 people lost their jobs as a result of the actions of one colleague. He went to prison, they lost their jobs, an entire business division perished. Nobody profited.
In most cases, if not all, the value to the cyber criminal was minuscule compared to the losses of the victim. In fact, I have investigated cases where there was no financial benefit to the cyber criminal at all – and still the losses to the victim were devastating.
You have worked hard to make your business as much of a success as possible and you pay your taxes. Of course, you have no desire to plough your hard-earned money into expensive security measures that you hope you will never need. That is understandable. On the other hand, you don’t want your business wiped out by some low-life who has mastered the use of Metasploit and anonymous VPNs, operating from their bedroom and fueled by a diet of fizzy drinks and cheesy puffs.
Let’s imagine that your business will be hit by a cyber attack of some sort, sometime in the next year or so. Hopefully you have robust security in place, so you’re likely to be well prepared for the inevitable when it happens. However, recent events have changed the way nearly everyone operates, and it is likely that gaps have appeared in defenses. What low-cost, or no-cost, actions can you take so that you are best-positioned to survive?
1. User awareness
This is key to preventing a huge number of cyber attacks, and thankfully it is an area that does not require massive investment. It is an easy fix. Show your people what a phishing mail looks like, explain how phishing works, and show them how not to fall for it.
A typical method used by cyber criminals over the last few years has been to identify a staff member’s email address, send a phishing email that leads to a fake login page (for Office 365 or whatever online systems you use), and capture the login details when the staff member attempts to log in. Once the account is compromised, the criminal will typically set up a mailbox rule that forwards copies of your emails to an account they control, allowing them to read them at their leisure. What they are looking for is an opportunity to insert themselves into a financial transaction, and they already have the login details required to do just that once they spot the opportunity. You won’t know about it until you receive a call from a customer or supplier wondering why the money isn’t where it’s supposed to be.
Make sure that your people who deal with financial accounts know not to make payments or change bank account details based on instructions received by email. They should always double-check by phone, using a number they already have on file rather than one supplied in the email, because the email and any number in it may come from the criminal. You do not want your annual profits redirected to cyber criminals. It’s worth the price of a phone call to prevent that from happening.
2. User buy-in
This is also a cheap fix. If you use systems that offer multi-factor authentication, switch it on. It has been my experience that a lot of businesses don’t use multi-factor authentication despite it being available to them at no cost. Why not? Usually because of push-back from staff who see it as yet another obstacle to getting things done. Let your people know why you’re doing it. You’re implementing it to protect the business, protect them, and protect their jobs. Start with the accounts team and anyone with administrator rights, since those are the accounts a criminal most wants.
Additional security can be a little bit inconvenient at times, but the alternative is far worse.
3. Test your backups
You do have backups of your data, right? Of course you do, but shortly after your business systems have been encrypted by some guy looking for payment of a bitcoin ransom is not the time to be putting them to the test for the first time. Do test restores regularly from your backups so that you know you can get back up and running if the worst happens. Check that the restored files are complete and readable, not just that the backup job reported success, and keep at least one copy offline or otherwise out of reach of an intruder who has control of your network, or the ransomware will encrypt the backups too. It costs nothing to do, but could save your business.
4. Keep logs
Do this where you can, and analyse them regularly. Logs are a fantastic resource for someone like me who comes in to investigate a breach of your systems. You don’t really want to be in a position where someone like me is investigating, but if you are then good logs will help in making the best of that bad situation. An even better use of logs is early detection of breaches. Why, for example, is there a login to an accounts email at 3am from another country? Why has a new mail-forwarding rule appeared on that mailbox? Use your logs to get ahead of problems. Make sure the logs are kept for long enough to be useful (breaches are often discovered weeks after the first login) and are stored somewhere the intruder cannot simply delete them. It’s a low-cost action with very large benefits for your business.
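The early-detection idea in this section, and the mail-forwarding technique described under user awareness, as an added example that is not from the original article. The script reads a handful of constructed sign-in and mailbox audit events in a simplified JSON-lines form (real provider logs carry more fields but the same information) and flags a successful sign-in to a finance account outside business hours, a sign-in from a country where you have no staff, and an inbox rule that forwards mail to an address outside the company domain. The account names, countries, business hours and domain are assumptions for the demonstration.

```python
"""Flag suspicious sign-ins and mail-forwarding rules in audit events.

Added example. SAMPLE_LOG is constructed for the demonstration and uses a
simplified schema; adapt the field names to whatever your mail provider exports.
"""
import json
from datetime import datetime, time

SAMPLE_LOG = """\
{"time":"2024-03-04T09:12:41Z","user":"accounts@example.com","operation":"UserLoggedIn","ip":"198.51.100.7","country":"IE","result":"Success"}
{"time":"2024-03-04T13:05:10Z","user":"sales@example.com","operation":"UserLoggedIn","ip":"198.51.100.7","country":"IE","result":"Success"}
{"time":"2024-03-05T03:02:17Z","user":"accounts@example.com","operation":"UserLoggedIn","ip":"203.0.113.44","country":"NG","result":"Success"}
{"time":"2024-03-05T03:04:52Z","user":"accounts@example.com","operation":"New-InboxRule","ip":"203.0.113.44","country":"NG","forward_to":"acc0unts.example@mail.example.net","result":"Success"}
{"time":"2024-03-05T03:20:00Z","user":"sales@example.com","operation":"UserLoggedIn","ip":"203.0.113.99","country":"NG","result":"Failure"}
{"time":"2024-03-05T10:30:00Z","user":"sales@example.com","operation":"New-InboxRule","ip":"198.51.100.7","country":"IE","forward_to":"manager@example.com","result":"Success"}
"""

# Assumed tenant facts: who handles money, where staff normally sign in from,
# and the working day in the log's timezone (the sample timestamps are UTC).
COMPANY_DOMAIN = "example.com"
FINANCE_ACCOUNTS = {"accounts@example.com"}
EXPECTED_COUNTRIES = {"IE"}
BUSINESS_HOURS = (time(7, 0), time(20, 0))


def is_external(address: str) -> bool:
    """True if the address is outside the company domain; subdomains count as internal."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain != COMPANY_DOMAIN and not domain.endswith("." + COMPANY_DOMAIN)


def analyse(log_text: str) -> list:
    """Return one finding per suspicious event: {"time", "user", "reasons"}."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%SZ")
        reasons = []

        if ev["operation"] == "UserLoggedIn" and ev["result"] == "Success":
            # Failed attempts are deliberately not flagged here; a burst of
            # failures is a separate rule, and a success is what matters most.
            in_hours = BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1]
            if ev["user"] in FINANCE_ACCOUNTS and not in_hours:
                reasons.append(
                    f"finance account sign-in outside business hours ({ts:%H:%M})"
                )
            if ev["country"] not in EXPECTED_COUNTRIES:
                reasons.append(
                    f"sign-in from unexpected country {ev['country']} ({ev['ip']})"
                )

        elif ev["operation"] == "New-InboxRule":
            # The classic post-compromise step: forward copies of mail off-site.
            fwd = ev.get("forward_to")
            if fwd and is_external(fwd):
                reasons.append(
                    f"inbox rule forwards mail outside {COMPANY_DOMAIN} (to {fwd})"
                )

        if reasons:
            findings.append({"time": ev["time"], "user": ev["user"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding["time"], finding["user"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run daily over the previous day's export and the two events on 5 March stand out immediately: a 3am sign-in to the accounts mailbox from a country with no staff, followed two minutes later by a rule forwarding its mail to an outside address. The internal forward created by sales during the day is left alone, which is the sort of tuning that keeps a simple check from drowning in noise.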
To sum up, you don’t need to spend large to position yourself so that you aren’t low-hanging fruit for cyber criminals. Take a few simple steps to keep a hold on your (post-tax) profits!
Colm Gallagher is the head of CommSec’s forensics business practice.