Technology is great for business, but it has also opened up the possibility of all types of cyber-crime. These are new risks that we haven’t faced before from an area where most of us are not experts.
Discussions with our clients have revealed concerns about this issue but many are unsure what they should do about it. Many of us think our data wouldn’t be valuable to hackers but recent cyber extortion cases have shown that’s a false assumption. In many cases the hacker is not interested in our data, they are targeting the value of that data to us – either by encrypting it or threatening to release it and then demanding payment.
Traditional insurance policies provide no protection to businesses for these new risks and the industry has been trying to address this need with new products coming on to the market on a regular basis. This is an area where we have seen a lot of “sales” activity from the insurance market, but not a lot of solid advice.
Prevention is always better than cure and insurance is best viewed as a back-stop for when things have gone wrong, rather than a solution in itself.
Insurance definitely has its place here (you would expect us to say nothing else) but it cannot, and should not, take the place of basic security precautions. In many cases, an insurance policy will require that basic precautions have been taken if a claim is to be paid.
To help improve our own IT security, and also to better inform our conversations with clients, in 2017 we gained Cyber Essentials accreditation with the help of Dave Evans at Cyber Aggress. Cyber Essentials is a government backed scheme that helps businesses attain a baseline level of IT security.
We learned a fair bit from this experience and wanted to share some of that information, so here’s our Top 5 Cyber Tips….
1. Your people are your first line of defence and potentially your greatest weakness
Creating an awareness in your business from the top down has got to be the first thing to do.
Do all your staff know how to spot malicious links in e-mails? How to tell if an e-mail is coming from the source it claims?
Have policies on who is allowed to access your computer systems, when and under what circumstances. Consider splitting your data into different categories and restrict access where relevant – does everyone really need access to everything? Make sure everyone logs on with a standard user account, not an administrator account.
Be wary of allowing unknown devices, such as third party or “free” memory sticks, to be connected to your computer system.
If anyone works remotely, then make sure you know how your data is being handled. Treat equipment used to access your network remotely (such as tablets, mobiles and laptops) exactly as you would your own desktop PC’s, with all the same safeguards and use restrictions.
Avoid “free” Wi-Fi for anything other than casual browsing. Don’t send sensitive information as these services are often not secure and occasionally malicious in intent.
2. Backup your data
This is one of the main vulnerabilities we see when we’re speaking to our customers. Everyone is aware of the issue but the procedure just isn’t followed.
Your data is not just vulnerable to criminals. It’s also vulnerable to loss or breakdown of computer equipment, fire, flood etc. If disaster strikes it doesn’t matter how much insurance you buy, if you don’t have any data to reinstate then there’s not much you can do.
We all need to have a robust procedure so data is backed up on a regular basis and kept away from the business premises.
If you’ve tried, but keep forgetting, then it’s worth looking at some of the cloud-based automatic back-up solutions that are now available.
Whichever method you use, test it frequently to make sure you could actually recover your data in the event of a disaster.
Our information is often more valuable to us than the equipment it sits on. Don’t lose it.
3. Don’t re-use passwords. Change them periodically
First of all, make sure you change default passwords on routers and other devices.
Password re-use is the most prevalent and damaging behaviour, with lots of us using the same password for many apps and websites. If you do that and one of the websites you access is compromised, the hackers have an e-mail address and password they can use to try and access multiple other sites or, worse, it gives them access to your e-mail account itself. Then you could be in trouble.
The efforts that various websites make to secure passwords do vary and some are easy to reverse. So use different passwords every time. For your most valuable passwords, make sure these are changed periodically – you can set some apps to prompt this automatically.
Make sure you use strong passwords with a mix of upper and lower case letters, numbers and symbols. A good tip is to use some of the characters in the lines of memorable songs or poems to create a very long password that will be difficult to crack. Wherever possible, use 2FA (Two Factor Authentication) i.e. mobile or landline number as this makes access a lot harder and the criminal will likely move on to lower hanging fruit.
If you’re now faced with the problem that you can’t possibly remember all those passwords, you might consider using a password manager to store them all. Choose a well-respected paid service rather than a free one. Access to the password manager should be protected by a very long password and 2FA.
You might consider storing just a hint to remind you of the password, rather than the password itself. For example, you might use a password inspired by the first dance at your wedding – easy for you to remember but difficult to guess. If you record your hint as “firstdance2” then you know that your password is based on the first two lines of “Who Put the Bomp in the Bomp-a-Bomp-a-Bomp”…OK, that might just be us.
Whatever you do, don’t write them all down on a list sellotaped to your PC monitor…
4. Anti-Virus/Malware, Software and Apps
Install anti-virus/malware on PC’s, Laptop, tablets and smartphones. I would recommend only ever using a paid, reputable service. Make sure your ant-virus/malware is set to automatically update so you always have the most up-to-date protection.
Only ever install apps from recognised legitimate sources. Your anti-virus/malware must be configured to scan daily as well as “on access” scanning. Even some legitimate sources of apps/software have had issues of carrying malware. Criminals have had to work very hard to get into those locations, which shows the motivation and intent.
Always make sure you are running a supported version of your operating system. Windows XP now has more holes than a chain link fence so it’s time to upgrade. OK, so it’s still being used on the subs that carry the Trident nuclear deterrent, but it’s not good enough for you and me!
It’s worth noting that whenever Windows releases a security update, they are essentially advertising a newly discovered vulnerability. All the criminal has to do is find machines that haven’t had the update. Make sure your system auto-updates to get the latest security patches.
Remove any unused or non-essential software on all your devices. When you install a new app ask yourself, does this app really need access to everything it’s asking for? Does a torch app on android really need to access your contacts and full dialling history?
Not all apps are up to no good when they ask for access to these things, it may be some minor feature it uses that innocently requires much greater access than the developer wanted but it’s the only way to access it. But for all apps and software, if you don’t need it or use it, remove it.
Configure software to be secure, disable java script in pdf readers unless you know you use it, disable autorun when devices like USB sticks are plugged in.
5. Content, Web and Email filtering
Allow your browser to block access to known malicious sites. This should support what your antivirus/malware is also doing.
Ensure your email service is blocking executables or known malicious attachments and also running it through spam and anti-virus/malware before it gets to your machine.
Never allow an exception when your browser pops up with a certificate error when accessing an https site.
Remember, all it takes is one click. There’s nothing wrong with being a little paranoid – they are out to get you!
The Cyber Essentials Scheme ensures you have layers of defence that will catch most phishing or hacking before major damage is done. No system is 100% secure but we can at least make it difficult for an attacker and, ideally, so hard they go elsewhere.
Thanks to Dave Evans at CyberAggress for assistance in writing this article. If you need help, or information on Cyber Essentials, contact CyberAggress on 01292 811 811 or at cyberessentials@aggress.co.uk
If you want to know more about our experience of the Cyber Essentials scheme, or speak about your own cyber insurance protection, please feel free to contact Tom Yorke or John McQuaid at Blue Rock Insurance.