Targeted lines of defence for common types of cyber attacks

Posted by Jillian Stewart on Oct 19, 2018 2:06:59 PM


Malware and ransomware
The first line of defence against malware and ransomware is anti-malware and anti-virus software installed on every endpoint and kept up to date. Bear in mind that signature-based tools only catch what they already know about, so patching operating systems and applications promptly matters just as much. Keep firewalls enabled and their rules current so that incoming and outgoing traffic is controlled, and use web filtering to stop employees reaching known-malicious sites. Because the whole leverage of ransomware is the loss of your data, keep regular backups that are stored offline or otherwise out of reach of a compromised machine, and test that you can actually restore from them. Staff must be trained to take responsibility for their actions online: refraining from clicking suspicious links or opening unexpected attachments is a simple way to avoid infection.

Phishing and spear-phishing
When an employee clicks on a link in a phishing email the business is exposed to risk. Users have proved susceptible to all kinds of phishing lures, including unsolicited adverts, offers of free software and fake websites. SMEs should train their employees to recognise phishing emails by looking out for the following signs:
  • Requests for personal information: Employees must be alert to emails asking them to update passwords or other login credentials. Legitimate organisations do not ask for passwords or other sensitive information by email, however urgent the message sounds
  • Spelling or grammar issues: Emails with these issues should be treated with caution, but don't rely on this sign alone; a well-crafted spear-phishing email aimed at a specific person will often read flawlessly
  • Unassociated URLs: Phishing emails may direct the target to URLs that include the names of legitimate brands, or names associated with your business, but are in fact fraudulent; typically the brand name appears somewhere in the host name while the actual registered domain belongs to the attacker
  • Mismatched URLs: The link text may look legitimate, but hovering over the hyperlink (in Outlook, Gmail or a desktop browser the real destination is shown in a tooltip or the status bar) reveals a different address. A mismatch between the displayed address and the actual destination is a strong sign of fraud. On a phone, press and hold the link to see where it goes rather than tapping it.
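The two URL checks above (unassociated and mismatched links) can be automated at the mail gateway or in a quick triage script. The following is an added example, not code from the original post or from Dacreed: it parses the links out of a constructed HTML email body and flags both mismatched links (the visible text is itself an address, but the href goes somewhere else) and lookalike hosts (a brand name appears in the host, but the registrable domain belongs to someone else). The brand list, the sample message and the small public-suffix table are assumptions made for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical brands this business deals with, mapped to their genuine
# registrable domain (assumed for the example).
BRANDS = {"example-bank": "example-bank.com", "paypal": "paypal.com"}

# A tiny subset of multi-label public suffixes; production code should use
# the full Public Suffix List instead of this table.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "co.nz", "com.au"}

# Does the visible link text look like an address (with or without a scheme)?
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]|$)", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """'www.example-bank.com' -> 'example-bank.com'; 'a.b.co.uk' -> 'b.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_link(display_text: str, href: str) -> list:
    """Return the warnings one <a> element raises (empty list = nothing odd)."""
    warnings = []
    host = (urlparse(href).hostname or "").lower()
    actual = registrable_domain(host)

    # Mismatched URL: the visible text is an address, but the link goes elsewhere.
    if URL_LIKE.match(display_text):
        shown_url = display_text if "://" in display_text else "http://" + display_text
        shown = registrable_domain(urlparse(shown_url).hostname or "")
        if shown != actual:
            warnings.append(f"mismatched: text shows {shown} but link goes to {actual}")

    # Unassociated URL: a brand name appears in the host, but the registrable
    # domain (the part the attacker actually controls) is not the brand's own.
    for brand, real_domain in BRANDS.items():
        if brand.replace("-", "") in host.replace("-", "") and actual != real_domain:
            warnings.append(f"lookalike: {host} mentions {brand} but is not {real_domain}")
    return warnings


class _LinkCollector(HTMLParser):
    """Collect (display_text, href) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def analyse_email(html: str) -> list:
    """Return [(href, warnings), ...] for every link in the message."""
    collector = _LinkCollector()
    collector.feed(html)
    return [(href, check_link(text, href)) for text, href in collector.links]


# Constructed sample message for the example (not a real phishing email).
SAMPLE_EMAIL = """
<p>Dear customer, unusual activity was detected. Please verify your account.</p>
<p><a href="http://example-bank.com.login-verify.xyz/update">https://www.example-bank.com/login</a></p>
<p><a href="https://secure-examplebank-support.net/reset">Reset your password</a></p>
<p><a href="https://www.example-bank.com/help">Help centre</a></p>
"""

if __name__ == "__main__":
    for href, warnings in analyse_email(SAMPLE_EMAIL):
        print(href, "->", warnings or "ok")
```

The first link trips both checks, the second only the lookalike check, and the genuine help-centre link passes. Comparing registrable domains rather than full host names is the point: `example-bank.com.login-verify.xyz` contains the brand's whole domain as a prefix, which is exactly what fools a reader skimming the address.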
The whole company, from the CEO to entry-level employees, should be trained not to engage in risky online behaviour and to avoid falling foul of phishing attacks by:
  • Never responding to spam, pop-up messages, or unexpected emails from providers or vendors unless you initiated the contact
  • Ignoring generic-looking requests for personal data
  • Never supplying sensitive information by email or through a link that arrived by email
  • Never filling out forms embedded in emails
  • Not acting on emails that appear to come from colleagues (including senior management) requesting sensitive information such as passwords or urgent payments. Speak to them in person or phone them on a number you already have to verify the request, or ask a manager how to proceed
  • Limiting the personal information shared on social media networks (employees shouldn’t be posting anything they wouldn’t want displayed on a public banner), since that is where spear-phishers research their targets
  • Putting in place additional authentication and verification steps for sensitive requests such as electronic transfers of funds or changes to a supplier’s bank details.
Man-in-the-middle and man-in-the-browser attacks
“HTTPS” in the URL (the “S” standing for “secure”) means the connection to the site is encrypted and the server has presented a certificate for that domain, so someone sitting on the network between you and the site cannot read or tamper with the traffic in transit. It does not mean the site itself is honest: phishing sites use HTTPS too. So ensure that “HTTPS” is in the URL bar of any site you enter credentials or card details into, never click through a browser certificate warning, and make sure your own business website has migrated from HTTP to HTTPS (and sends an HTTP Strict Transport Security header so browsers refuse to fall back to plain HTTP).
The simplest way for an attacker to get between the two parties in a man-in-the-middle (MITM) attack is an unencrypted or weakly protected wireless network. SMEs should configure their wireless access points (WAPs) to use WPA2, or WPA3 where the equipment supports it, with a strong passphrase, rather than an open network or the obsolete WEP and original WPA; WPA2 and WPA3 are the Wi-Fi Alliance’s security certification programmes for encrypting wireless traffic. Put guests on a separate network. Note that on a shared WPA2 network anyone who knows the passphrase can still intercept other users’ traffic, which is why HTTPS and VPNs remain necessary even on “secured” wi-fi.
Businesses may also benefit from installing an intrusion detection system (IDS), security software that monitors a network and its systems for malicious activity or policy violations with the aim of catching attackers before any real damage is done. An IDS alerts the network administrator when it sees the signatures of known attacks or deviations from normal activity; it only helps if someone actually reviews and acts on those alerts.
Staff should also be told not to connect directly to public wi-fi for work. A virtual private network (VPN) should be installed on laptops and phones: it encrypts all traffic between the device and the company network (or the VPN provider), so nothing sensitive crosses the public hotspot in the clear.
Distributed denial of service
You can’t rely on an IDS to protect your business from a distributed denial of service (DDoS) attack, nor on a firewall, even one with built-in anti-DDoS capabilities: a firewall that simply blocks traffic once a threshold is reached blocks legitimate users along with the attackers, and the attacker’s goal of denying service is achieved anyway. More fundamentally, on-premises equipment can only drop traffic that has already saturated your internet link. Some routers come with basic DDoS protection built in, but for anything volumetric you need help upstream: find out whether your ISP offers DDoS protection plans, either as a free value-added service or as a premium service, and consider putting public-facing services behind a cloud-based DDoS mitigation or content delivery service that can absorb the traffic before it reaches you.
Advanced persistent threats
The best defence against advanced persistent threats (APTs) is to keep up with software patches and to monitor network and insider activity continuously from every point of entry. APT actors aim to stay inside a network undetected for months, so logging and regular review of those logs matter more than any single preventive control. A designated staff member should keep up with best-practice guidance from both government and private security agencies, and anything potentially of concern that shows up on the network should be investigated rather than dismissed.
Password attacks 
Defending against password attacks is straightforward. It’s essential that every employee device that accesses the company network requires authentication to unlock.
Businesses can establish and enforce password policies that require employees to abide by strict standards when creating passwords.
Traditional wisdom says passwords should be long and complicated, with a combination of numbers, symbols and both uppercase and lowercase letters. However, current guidance (including NIST SP 800-63B) departs from this: it favours passwords that are long but easy to remember, such as a passphrase made of several ordinary English words, over short strings of forced symbols, which in practice end up as predictable substitutions like ‘P@ssw0rd1’.
The same or similar passwords must not be reused across different applications: a breach of one site then gives up the others. Passwords must not be written down in the open or shared. Many policies still require a change every 60 to 90 days, but current guidance recommends changing a password when there is reason to think it has been compromised rather than on a fixed schedule, because forced rotation tends to produce ‘Summer2018’ followed by ‘Autumn2018’. Whenever you do change a password, change more than a single letter or digit.
Enable two-factor authentication (2FA) wherever it is offered, and install a password manager so that every account can have a unique password without anyone needing to remember it. Businesses can also add a level of security by making accounts lock automatically after a certain number of failed login attempts.
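The password rules above (minimum length, no dressed-up common words, and no near-copies of the previous password) are easy to state and easy to get wrong in code. Here is an added example, not code from the original post or from Dacreed, of a policy check that enforces them. The length and change-distance thresholds, and the small denylist of common words, are assumptions made for the example; a real deployment would check candidates against a breached-password feed such as the Have I Been Pwned “Pwned Passwords” service.

```python
import re

MIN_LENGTH = 14            # assumed policy value; adjust to your own policy
MIN_CHANGE_DISTANCE = 3    # assumed: a new password must differ by at least 3 edits

# Constructed denylist for the example. In practice use a breached-password feed.
COMMON_PASSWORDS = {"password", "welcome", "letmein", "qwerty", "summer", "changeme"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the minimum number of single-character edits
    (insert, delete, substitute) needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,          # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_password(candidate: str, previous: tuple = ()) -> list:
    """Return the list of policy violations for a proposed password.
    An empty list means the password is accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Strip digits and symbols so that 'Password2018!' is still caught as a
    # dressed-up 'password'; the letters are what the attacker's wordlist holds.
    base = re.sub(r"[^a-z]", "", candidate.lower())
    if base in COMMON_PASSWORDS:
        problems.append(f"based on the common word '{base}'")

    # 'Welcome-1' -> 'Welcome-2' is one edit; the page asks for more than that.
    for old in previous:
        if edit_distance(candidate.lower(), old.lower()) < MIN_CHANGE_DISTANCE:
            problems.append("too similar to a previous password")
            break
    return problems


if __name__ == "__main__":
    for pw, old in [("Password2018!", ()),
                    ("correct horse battery staple", ()),
                    ("correct horse battery staple!", ("correct horse battery staple",)),
                    ("Welcome-to-Dacreed-2", ("Welcome-to-Dacreed-1",))]:
        print(repr(pw), "->", check_password(pw, old) or "accepted")
```

The passphrase of four ordinary words passes on length alone, while the eight-letter word with a year and a symbol bolted on fails twice. The similarity check compares case-insensitively, which is deliberate: ‘Summer2018’ to ‘summer2018!’ is not a real change.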
Remote desktop protocol
Remote desktop protocol (RDP) exposed to the internet is a favourite target for brute-force attacks. There are a number of simple ways to protect your business:
  • Change the login details from the default ‘Administrator’ account to something less guessable, so that attackers have to find the username as well as the password. Either rename the built-in account or, as the original advice puts it, disable the existing administrator account and set up a new one with a different name and a strong password
  • Limit the number of people who can log in using RDP to those who actually need it, thereby lowering the risk of a security gap, and don’t expose RDP directly to the internet: put it behind the company VPN or a remote desktop gateway
  • Lock users out after a certain number of failed login attempts, and enable Network Level Authentication so that credentials are checked before a session is opened.
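The lockout rule recommended here (and in the password section above) and the monitoring an IDS provides both come down to counting failed logins over time. The following is an added example, not code from the original post or from Dacreed, of that logic run over a handful of constructed log lines: it locks an account after five failures inside a ten-minute window, lets a successful login reset the count, and also flags a source address that fails against several different accounts, which is how a password-spraying attempt against RDP looks in practice. The log format is a simplified one invented for the example (not the real Windows event log layout; event IDs 4625 and 4624 are the Windows codes for failed and successful logons), and the thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Simplified log format constructed for the example.
LINE_RE = re.compile(r"^(?P<ts>\S+) event=(?P<event>\d+) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_line(line: str):
    """Return (timestamp, event, user, source) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["event"], m["user"].lower(), m["src"]


def analyse(lines, max_failures=5, window=timedelta(minutes=10), spray_users=3):
    """Replay logon events and report which accounts would lock and which
    sources look like password spraying. Thresholds are assumed policy values."""
    failures = defaultdict(deque)     # user -> timestamps of failures inside the window
    locked = {}                       # user -> time the lockout triggered
    users_per_src = defaultdict(set)  # source -> distinct accounts it failed against

    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, event, user, src = parsed

        if event == "4624":           # successful logon clears the failure counter
            failures[user].clear()
            continue
        if event != "4625":           # anything else is not a logon failure
            continue

        users_per_src[src].add(user)
        if user in locked:            # further attempts against a locked account
            continue                  # are noise; the account is already protected

        recent = failures[user]
        recent.append(ts)
        while recent and ts - recent[0] > window:   # slide the window forward
            recent.popleft()
        if len(recent) >= max_failures:
            locked[user] = ts

    spraying = {s: u for s, u in users_per_src.items() if len(u) >= spray_users}
    return {"locked": locked, "spraying_sources": spraying}


# Constructed sample events (RFC 5737 documentation addresses, not real hosts).
LOG = """\
2018-10-19T09:00:01Z event=4625 user=administrator src=203.0.113.7
2018-10-19T09:00:03Z event=4625 user=administrator src=203.0.113.7
2018-10-19T09:00:05Z event=4625 user=administrator src=203.0.113.7
2018-10-19T09:00:07Z event=4625 user=administrator src=203.0.113.7
2018-10-19T09:00:09Z event=4625 user=administrator src=203.0.113.7
2018-10-19T09:00:11Z event=4625 user=administrator src=203.0.113.7
2018-10-19T09:02:00Z event=4625 user=jsmith src=203.0.113.7
2018-10-19T09:02:02Z event=4625 user=mchen src=203.0.113.7
2018-10-19T09:05:00Z event=4625 user=jsmith src=198.51.100.20
2018-10-19T09:05:30Z event=4624 user=jsmith src=198.51.100.20
2018-10-19T09:30:00Z event=4625 user=jsmith src=198.51.100.20
"""

if __name__ == "__main__":
    report = analyse(LOG.splitlines())
    for user, when in report["locked"].items():
        print(f"lock {user} at {when.isoformat()}")
    for src, users in report["spraying_sources"].items():
        print(f"spraying from {src}: {sorted(users)}")
```

In the sample, the built-in ‘administrator’ account is what gets hammered, which is the reason the first bullet tells you to rename or disable it. The user who mistyped once, logged in, and mistyped again half an hour later is never locked, so the rule does not punish ordinary behaviour.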
Inside attacks
Some of the biggest risks to a business’s IT security come from inside the organisation. Here are some suggestions for tackling the threat of insider harm:
  • Implement a clear cyber security policy and enforce it; there is no point in rules that aren’t followed
  • Educate employees about why company systems need to be kept secure
  • Implement a training programme to educate employees about cyber security measures
  • Install monitoring software so that you are alerted when employees do something suspicious. User behaviour analytics (UBA) can flag inconsistencies in users’ actions and highlight the behaviour of both malicious insiders and outsiders using stolen credentials
  • Implement an anti-fraud strategy: identify the personnel issues involved and work with senior members of staff on anti-fraud measures, eg audit trails, systems to track email, and records of which employees have access to sensitive data. Review those access rights regularly so that nobody keeps permissions they no longer need
  • Have a protocol in place to revoke access to company data and systems immediately on termination of employment, covering every account and device the person held, not just the main login.
Bring your own devices
Although bring-your-own-device (BYOD) has benefits for businesses, the cyber security risks that come with it need to be managed. Here are some suggestions:
  • Businesses should devise and implement a clear BYOD policy that sets out security protocols that assist in keeping the devices secure
  • Employees should be trained on how to keep their devices secure, and their software and security patches up-to-date
  • Devices should be set to lock automatically when not in use and employees need to use a secure PIN to protect the business from data breaches in the event of loss or theft
  • Employees can be taught how to encrypt hard drives and USBs before they put any work-related information on them
  • When personal data and corporate data are kept on the same device, businesses can train employees on how to ring-fence data; eg corporate data can be kept in a specific app and stored in a backup facility so it can be recovered if the device is lost or stolen
  • Mobile device management (MDM) software can be implemented to wipe lost or stolen devices. If corporate data is ring-fenced, the whole device need not be wiped: only the particular folder or app that contains company data
  • Employees can be provided with a user-friendly mechanism for secure remote access to company data that is stored in a central location (such as a mobile app that requires a login and uses an encrypted connection to communicate with corporate servers)
  • A virtual private network (VPN) gives mobile devices an encrypted connection into the company network, but it does not stop a malicious or vulnerable app on the phone from reaching that network once connected; restrict which apps may handle company data and keep them patched
  • Ensure that employees always use a VPN when doing anything work-related on public wi-fi
  • Educate employees about the risk of Internet of Things (IoT) devices and ensure they are covered in the BYOD policy (some employees may be unaware of the risks they pose to company security and may not even know their device is connected to the internet; even some wireless mice and keyboards have been shown to be hackable)
  • Disconnect any IoT devices that don’t need to be connected to the internet
  • Employees should be provided with technical support to ensure security measures are correctly implemented
  • You may also want to consider using enterprise mobility management (EMM) software which can help determine how mobile devices are used on your system, as well as detect risks
  • All devices accessing the company network should be identified
  • Penetration tests must be regularly conducted to identify potential vulnerabilities
  • The system must be constantly monitored for any security breaches.
How can you reduce your risk and reduce insurance premiums?
With Dacreed's powerful online compliance training you can train managers and staff in cyber security. Once completed, you'll be able to demonstrate a lower risk profile to our partner insurers and get lower premiums - saving you and your business money.
