Many thanks to Joe Burns at Pyranet for the seminar he presented this morning, on which this blog post is based.
Cyber security has long been of importance to businesses of all sizes. But it’s only in recent weeks, with high profile news coverage of organisations like the NHS experiencing cyber security issues, that it’s really come into mainstream consciousness.
Common threats to cyber security
The following are common threats identified by Joe as threats to a business’ security.
Phishing and spear phishing
Phishing is something that’s been around for years and that you could probably pick up on straight away. It’s that email that drops into your inbox, saying it’s from your bank and asking you to add your details. It’s that email that pops up saying there’s been a security breach in your account and asking you to confirm your name and address. Typically, these emails are from a dodgy looking address, contain poor spelling or grammar, or you don’t even use that bank or platform.
Essentially, they’re pretty easy to spot, and most of us do.
Spear phishing is much more targeted than this. This is where there’s a specific target for the hack and the hacker knows the name, address and other details of the person already.
One example Joe shared was from one of his clients who’s PA had received an email apparently from him, asking to confirm some bank account details. What had actually happened was that a hacker had created a spoof email that said it was the target’s email address, but when the PA clicked ‘reply’, it went back to the hacker’s address.
That’s becoming more and more common as people are able to gather more information about you as an individual online, and therefore can craft emails that look pretty convincingly to be from you. There are even websites out there that will create spoof emails for this purpose. It’s a scary world!
This is the one that’s received the big press lately, with the NHS falling victim to a hacker who encrypted all their information and demanded a fee to give them access again. The main issue, and the reason this was such a high profile case, was that the interconnectivity of the NHS and the lack of patch on a known vulnerability meant that the virus spread quickly across the country.
91% of ransomware viruses come through email, so be wary of any attachments that you don’t recognise or expect, and of email addresses you don’t know.
It’s worth being more wary of zip files, said Joe, as often virus files are zipped up to disguise them. Also look out for macros in Word documents; if you try to open a Word doc and it asks you to allow macros, it’s probably a good idea to leave well alone.
As an ‘ethical hacker’, Joe’s role is to try to hack businesses and their websites, to identify the flaws. He said one technique he finds works pretty much every time is to send the virus in a file called ‘CV’, as people often open a CV that comes into their inbox.
To protect yourself, be sure of keeping patches and updates up to date.
How hackers steal your passwords
In his presentation, Joe shared a range of methods that hackers use to steal your passwords. The big takeaway here? Have different passwords for everything, or use a tool like LastPass (which we use here at Impression).
This is where people steal your details by intercepting your wifi connection.
When I arrived at Pyranet for this talk, I was surprised to see my phone connect to the wifi at my local skydiving centre – which is over an hour away from Pyranet’s Eastwood HQ. It was only at this point in Joe’s presentation that I learned he had installed a device known as a ‘wifi pineapple’. This picks up requests from your devices to connect to known wifi networks, and then tells that device that it is that network, and the device connects. At that point, the wifi pineapple can emulate the login portal of that wifi network and start gathering your data that way.
For this reason, it’s essential to have different passwords for everything. If the pineapple picks up your password that you’d normally use for Cloud access, for example, that password can then be tried for all your other platforms. If it’s the same password, you’ve given the hacker easy access.
Joe also suggested forgetting known wifi networks every time you leave them, and keeping wifi switched off while you’re out and about as a way of mitigating this risk.
This is where people steal your information by simply asking for it.
Sounds a bit far fetched, right? You wouldn’t just give away your password!
But that’s not how social engineering works. These people use more complex methods to identify your hobbies, birthday, wedding anniversary and more – all these common things that tend to feature in passwords, that they can then use to guess.
These are USB pens – and now a wifi version – which collects a record of every key stroke on your computer. The hacker then works through that data to identify passwords based on commonly used phrases or random selections that don’t fit any dictionary words.
Browser password revealer
Do you save passwords in your browser?
If so, you shouldn’t be ashamed; many people do it, because it makes their lives easier. But is also makes the life of the hacker easier, as they can reveal your passwords saved within your browser and use them to gain access to your information.
Never save a password to your browser, says Joe. LastPass is a great tool to store passwords – and one we use here at Impression for storage as well as password sharing.
This is where a hacker simply watches over your shoulder to gain your details.
Let’s say you were doing some online banking on the train. You don’t know who’s watching and possibly recording your key strokes using one of the high quality cameras found on today’s mobile phones.
This doesn’t even have to be close proximity watching. With zoom cameras able to zoom large distances, hackers can be watching your key strokes and stealing your password without being anywhere near you.
This is where hackers use trial and error to find your password.
The longer and more complex your password, the harder is it to crack. It’s worth noting that there are tools that make it easy for hackers to try dictionary words, and dictionary words with the ‘I’ swapped for a ‘1’ etc within seconds – avoid using dictionary words in your password, and be sure to use upper case, lower case, numbers and symbols for added complexity.
Mitigating the risks
It may all sound quite concerning, but there are steps businesses can be taking to mitigate the risk of cyber security threats.
One way Joe explained is to come up with a simple formula that allows you to remember a different password for every platform. For example:
- Start with your address as your password. So for us, it would be 2630StoneyStreetNG11LL. Here, we have the complexity of letters and numbers.
- Then, come up with a unique identifier for each platform. So if we were creating a password for Amazon, we might use A, and for eBay, E. Now our password for Amazon would be A2630StoneyStreetNG11LL.
- You can add complexity by adding another number, this time the number of syllables in the word. So Amazon has 3 syllables, and our password for Amazon would now be A32630StoneyStreetNG11LL.
- Then, add a symbol at the end, e.g: A32630StoneyStreetNG11LL!
Using this technique, you can create memorable passwords for every platform.
An alternative is to use a random password generator, and then save that password to LastPass.
Two stage authentication
You can also mitigate the risks associated with cyber security threats by implementing two stage authentication. This can be done using the native settings on most applications.
Alternatively, Joe suggested Duo as a two step authentication tool that works across platforms.
Separate guest wifi at work
If you don’t already, it’s worth having a separate guest wifi network for visitors to your business; be sure to change the password regularly.
Data encryption essentially makes that data impossible to read. So if someone were to steal your laptop after you left it on the train, data encryption would make it impossible for them to steal any data from you.
At Pyranet, the team uses a key for each laptop which has to be plugged in for the user to be able to access the data within. So no key, no access.
Joe also suggests encrypting all of the data you plan to take offsite, e.g. on a USB key, and encrypt any cloud based backups too.
You’ve heard of HTTPS and its importance for websites. From the user’s point of view, looking out for that padlock symbol or ‘HTTPS’ at the beginning of the URL is an important indicator of a site’s trustworthiness.
Always look for a secure website before submitting any details through it.
Joe suggests not everyone in your company needs admin privileges, so restrict it only to those who do.
When new staff members arrive at the business, assess that access level requirements and document the access you give them. When they leave, you can revoke that access more easily.
Cyber Essentials is a government backed scheme which gives an accreditation to businesses that meet cyber security criteria.
Your business can obtain Cyber Essentials (CE) by running a self assessment via a form online. Cyber Essentials Plus (CE+) is more difficult to achieve. It’s worth noting that some insurance companies are now starting to favour CE accredited businesses.
An important part of security, particularly for marketers, is GDPR. This is the new legislation that will be coming in on the 25th May 2018 that requires all businesses, of all sizes, to update their data protection processes to conform to stricter regulations set primarily by the EU and then by the UK government (note: Brexit will not change this). We’ll be providing further guidance on GDPR in another blog post, coming soon.
Cyber security: what now?
Cyber security threats can affect any business, of any size. You don’t need to be a multi-national corporation to be hit by a hacker and that can have devastating effects on your business.
The tips provided in this post should go some way to helping you better understand cyber security. Essentially, you’re only as strong as your weakest link, so educating everyone in your business of the risks of cyber threats and the mitigating steps we can take is important.
Businesses like Pyranet can help you identify weak spots so if you are concerned about a cyber threat, we recommend speaking to a specialist like them. Alternatively, contact us and we’ll be happy to point you in the direction of someone who can help.