Events of recent times have pushed cyber security practices to the front of many businesses’ minds — and not before time.
With stories like the WannaCry outbreak and Equifax breach hitting headlines this year, the major impacts that can be caused by lax cyber security practices were highlighted for many. But what are the weakest links for most businesses when it comes to cyber security?
The number one weak link for businesses when it comes to cyber security — by a long, long way — is the people who work in the business.
From falling for phishing emails, and clicking on links or downloading documents that turn out to be malware, to being a victim of business email compromise (BEC) scams that end up losing the company a lot of money, employees are a company’s greatest liability when it comes to cyber security.
Tackling this problem can be difficult for employers: simply getting rid of employees isn’t an option when you need them to run your business! Educating employees on cyber risks is a key step, but this does require resources, and the participation of employees. This may sometimes be difficult, as employees who have “always” done things a certain way may be reluctant to change. However, it is key for businesses that employees understand the risks that poor cyber security practices present for the business. In many cases, people are the weakest link in a business’ cyber security.
Ensure that any accounts associated with your business are secured by a strong password and, wherever possible, two-factor authentication (2FA). Underline to all those working in the business that they must not reuse passwords from other online accounts for any of their work accounts. You can make it part of your IT policy that employees have to change their passwords every 30 or 60 days, although the effectiveness of this approach has been debated.
Also, make it clear to employees that they must not share their passwords with anyone else. Although that may sound obvious, a number of UK politicians recently revealed that they routinely share their login information with their staff, including interns.
The importance of keeping software updates current was underlined in a dramatic way this year during the WannaCry and Petya outbreaks. The primary way both those attacks spread was by exploiting a critical vulnerability in the Windows operating system known as Eternal Blue. Eternal Blue allowed the malware to spread within corporate networks without any user interaction, making these outbreaks particularly virulent.
The WannaCry outbreak occurred in May; the patch for the Eternal Blue vulnerability had been released by Microsoft in March. If the patch had been widely applied the impact of WannaCry, which mostly hit corporate networks, would have been greatly reduced. You would imagine that a high-profile incident like WannaCry, which underlined the importance of keeping patches up to date, would have ensured people and companies did just that. However, despite all the publicity the WannaCry outbreak received when it occurred in May, the Petya outbreak in June was still able to use the same Eternal Blue vulnerability as one of the ways it spread.
To be fair to the IT managers in the various companies that were hit due to the Eternal Blue vulnerability being exploited, updating software on company networks is not always entirely straightforward. IT managers can often be fearful that updating one part of the system could cause another part of it to break, and this can be a particular concern in, for example, healthcare organizations, which were heavily impacted by WannaCry. However, incidents like the above do underline the importance of protecting vulnerable systems, and patching is a key way to do that.
A problem that many businesses encounter in the current business climate is that it is not just their own cyber security practices that they have to worry about: they also have to worry about the cyber security protocols of the other businesses they work with. Those third parties can be the weakest link.
Your company may have stringent cyber security practices implemented, but if a third party your company deals with is compromised then attackers could potentially gain access to your network. This is what happened in the Petya attack: a tax and accounting software package called MEDoc was compromised and used for the initial insertion of Petya into corporate networks. Access to the systems of Target in a major 2013 breach was also achieved when a third-party vendor the company worked with was compromised: that breach is estimated to have cost Target more than $200 million.
Network segmentation, or dedicated servers that vendors can use so that they do not connect directly into your company’s network, can help safeguard against weak links in third parties’ cyber security. If that isn’t possible, it is wise to at the very least have a conversation with potential vendors before doing business with them to ensure they take cyber security seriously, and have appropriate practices in place.
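One concrete way to implement the segmentation described above is a firewall ruleset that lets vendor systems reach only a dedicated server and never the internal network. The following nftables ruleset is an added illustration, not configuration from the article or from any of the companies it mentions; the network addresses, the dedicated server's IP and the service ports are assumptions chosen for the example. The weak configuration it replaces is the flat network, in which a compromised vendor host can reach any internal system directly.

```nft
#!/usr/sbin/nft -f
# Added illustration (not from the article): segment a vendor network so that
# third-party systems can only reach a dedicated server, never the internal LAN.
# Addresses, interface layout and ports below are assumptions for the example.

flush ruleset

define vendor_net   = 10.50.0.0/24     # where vendor devices or VPN tunnels land
define internal_net = 10.10.0.0/16     # corporate workstations and servers
define vendor_srv   = 10.20.0.10       # dedicated server vendors are allowed to use

table inet segmentation {
    chain forward {
        # Default deny: anything not explicitly allowed below is dropped
        type filter hook forward priority 0; policy drop;

        # Allow return traffic for connections that were already permitted
        ct state established,related accept

        # Vendors may reach only the dedicated server, and only on the
        # service ports it exposes (assumed here: HTTPS and SFTP)
        ip saddr $vendor_net ip daddr $vendor_srv tcp dport { 443, 22 } accept

        # Log and drop anything from the vendor segment towards the internal
        # network; this is the rule that contains a vendor-side compromise,
        # and the log line is the signal that something on that segment is probing
        ip saddr $vendor_net ip daddr $internal_net log prefix "vendor-to-internal: " drop

        # Internal hosts may reach the dedicated server to collect vendor data
        ip saddr $internal_net ip daddr $vendor_srv accept
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list ruleset`; the log prefix makes blocked vendor-to-internal attempts easy to pick out of the kernel log, which is worth alerting on, since legitimate vendor traffic should never produce them.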
BYOD (Bring Your Own Device) is an increasingly popular practice that many businesses are embracing. If employees bring in their own devices they can also take them home, or when traveling, allowing them to work from places other than the office.
However, allowing employees to bring their own devices to work presents its own problems, and some businesses embrace BYOD without fully considering the security risks. Employees’ personal devices are unlikely to have the same level of security as corporate devices, and may be significantly easier for hackers to compromise. Companies that allow BYOD should have a strict BYOD policy in place that all employees are required to follow. Steps such as only allowing access to company networks through a virtual private network (VPN), and ensuring employees enable 2FA on all their accounts, should definitely be included in such a policy.
As with so many of the issues mentioned on this list, employee education is key: employees need to understand what good cyber security practices are, and the potential consequences for the company if they are not followed.