And to remind us that being secure means more than thinking about electronic data and cyber security there was the theft of servers from a charity (they contained details of supporter names, addresses, emails, and bank accounts), a social engineering attack on a solicitor that tricked them into transferring £750,000 of client money to criminals and the fire in Holborn that stopped some businesses from accessing their offices for several weeks.
Some predictions for 2016
The number of cyber attacks will increase. Large businesses suffer the most attacks, but as they have improved their security measures smaller business will be targeted. Attacks could include encrypting files and asking for a ransom to unencrypt them, taking down or defacing websites and taking over social media accounts to put up false or libellous information or messages with links to malware, see the next prediction.
Social media channels – Facebook, LinkedIn, Twitter etc. – are increasingly used to deliver malware that steals passwords. Currently, criminals mainly use emails to send out links, clicking on a link downloads the malware. As email scanners treat many of these as spam, links will be sent as messages on social media channels. People seem to be less wary of clicking links on social media, so this may result in more malware being installed.
One of the main cloud services will be compromised and suffer a major outage while they recover. For some this could mean no access to emails, file backups, websites and social media accounts. Backed up files and personal details from website databases on the compromised cloud service will be leaked by criminals or held to ransom, think of the Ashley Madison attack where (very) personal details were made available when money was not paid.
Social engineering attacks to trick people into handing over personal details or getting access to offices become more sophisticated.
Procurement managers in larger businesses only give work to companies that can prove they take security seriously. This follows on from Government procurement requirements for suppliers to prove their security credentials on many tenders to get past the initial checks when bidding for work.
Cyber liability insurance is promoted more heavily. Small businesses buy the policies but then find cannot claim when there is an issue as they cannot prove they met the basic criteria for keeping themselves secure. Always read the small print.
However, the good news is that small businesses will take action to find out more about information security and realise that a few simple changes can make them more secure.
Basic steps to improve security.
Make a list of your information and where it is stored. This includes your business plans, strategy and finances, client details, contracts, backups, website content, social media content etc. First consider the impact on the business of not having access to this information for 1 day, 1 week and 1 month. Prioritise measures to the protect information you really need to keep the business running. Then consider the impact of information being leaked. Prioritise protection measures on information where leaks could result in legal actions from clients or have a major impact on your business reputation.
Apply patches to Operating Systems (Android, Apple iOS and OS, Linux and Windows) and software on desktops, laptops, servers, phones and tablets when they are released.
Keep malware defences such as antivirus and web protection up to date. Make sure notifications about issues are acted on.
Enable two-factor (sometimes called multi-factor) authentication on cloud services. When this is enabled, a confirmation code is sent to another device, usually an SMS message to a mobile phone when someone tries to log in. The code has to be entered to complete the login. It protects against unauthorised access to cloud services if someone did manage to get hold of your password.
Do daily backups. There should be a local one plus one to the cloud, or to two different clouds. Typical backup issues are failures of local disks and not picking up new top level directories on drives. Do a quick monthly check to confirm the correct data is being backed up data and can be restored.
Ongoing staff awareness training in what they must do to keep information secure. As threats evolve they need to know about the latest social engineering scams and the impact a security breach could have on the business.
NOTE: If you have an IT company that looks after your computers and backups ask them for an email each month to confirm all patches are applied, malware defences are up-to-date and backups have been checked.
I hope everyone has a great Christmas and a happy, secure and prosperous new year.