Skip to main content
Tag

cyber security

Cyber Security for mid-large size business and organizations New Frontiers

Cyber security for medium/large businesses and organisations

By New Frontiers blog

Cyber Security for mid-large size business and organizations New Frontiers

Recent UK Government statistics found that nearly half of all UK businesses suffered a cyber breach or attack in the past 12 months. Firms holding personal data and processing money are top targets. With an average cost to the business of £3,000 for medium business and £19,000 for larger ones, the most common attacks were fraudulent emails, followed by viruses and malware.

Cybersecurity: challenge your assumptions

The survey also revealed that nearly seven in ten large businesses identified a breach or attack, with the average cost to large businesses of all breaches over the period being £20,000 and in some cases reaching millions.

Medium and large companies tend to be better prepared to deal with cyber security (although is not always the case) than smaller enterprises, however there are still areas of confusion and complacency.

The area I want to focus on in this post is cloud security, as many modern businesses no longer manage their own physical server infrastructure, instead opting for cloud services.

Who is responsible for security?

Many assume that their cloud provider – such as Amazon Web Services (AWS), Microsoft Azure or Google Cloud – are responsible for their security. This assumption is wrong. They are simply facilitators in terms of IT infrastructure. One has to distinguish between managed and unmanaged services.

Yes, AWS are responsible for the global security of the entire cloud infrastructure, but they make it very clear that their clients are still individually responsible for securing their own data. So what does this mean?

Often, IT teams incorrectly assume that because they have a trusted third party in charge of their infrastructure, that vendor will also manage security. Like the small businesses who assume that their web developer is on top of security, large business often assume that the public cloud is secure and that this is managed by their vendor.

Of the cloud and in the cloud

In general, the cloud as an overarching entity is very secure. However – AWS clearly states that it will address “security OF the cloud” – compute, storage, database, networking, and global infrastructure. Amazon is responsible for the physical security and the hosts servers, so called hypervisors, but they are not responsible for your network or your own server instance.

However it is the customer who is 100% responsible for “security IN the cloud” instance – data, apps, identity management, OS, network and firewall configuration, network traffic, server-side encryption, and client-side data.

This is an important distinction – think of it as a property management company being responsible for the common areas of an apartment development, but the individual owners being responsible for locking their own doors and windows and to whom they give keys or access to their houses.

Spotting vulnerabilities

We recently did an assessment of the digital assets of an international law firm. At first pass the firm appeared to have a clean bill of health – they used AWS, their servers were in the US, and the website was secure.

On further analysis, we discovered a major vulnerability. Their site was hosted on a shared server operated by their their web designer and the hosted server could have been compromised even though the hosted site was fairly safe. This could have led to the website being maliciously hacked by attacking the host’s server rather than the site itself, and thereby taken down. The situation arose because of some incorrect assumptions about whose responsibility it was to secure the site.

Some concrete suggestions on cyber security for larger organisations

  1. Make you know who is responsible for your security, in the cloud. 
    Challenge your assumptions and don’t be hesitant to ask seemingly stupid questions!
  2. During system/server provisioning and setup, apply at least the basics of hardening in your environment.
    Keep your system patched and up to date.
  3. As Bruce Schneier, security expert, notesthe security mindset involves thinking about how things can be made to fail. It involves thinking like an attacker, an adversary or a criminal. You don’t have to exploit the vulnerabilities you find, but if you don’t see the world that way, you’ll never notice most security problems.”
  4. Remove unused services from your server and restrict access to those services where there is no need for a public interface (anything outside of http(s) basically)
  5. Always grant the minimum required privileges for your users/employees.
    Know what your ‘Data Crown Jewels’ are – any access to sensitive data should be tightly controlled.
    This sensitive data should only be accessible to employees that absolutely need it as a part of their job, in the moment they need it.
  6. Install, maintain and update antivirus, anti-malware and firewall software for desktop and mobile

This may be too much for your own IT team to handle, so consider booking a security health check with a reputable provider. There are great resources put together by the UK National Cyber Security Centre and the Cyber Essentials Programme.

About the author

Donal Kerr New FrontiersDonal Kerr

New Frontiers participant, Donal Kerr, is the co-founder and COO of 4Securitas – an automated cybersecurity intelligent defence system. The startup will will enable organisations to protect themselves against hacking, malware, fraud and cybercrime. It will enable staff without an IT or security background to handle some of most critical and sophisticated security tasks, manage risk and reduce costs.

Cyber security for small businesses New Frontiers

Cyber security: an important issue for small businesses

By New Frontiers blog

Cyber security for small businesses New Frontiers

New Frontiers participant, Donal Kerr, examines why companies are continuing to fall victim to cyber attacks despite increased awareness of such threats, and gives us some proactive steps companies can take to avoid such security breaches.

Why informed companies continue to get hacked

Recent UK Government statistics found that nearly half of all UK businesses suffered a cyber breach or attack in the past 12 months. Firms holding personal data and processing money are top targets. With an average cost to a business being £1,380, the most common attacks were fraudulent emails, followed by viruses and malware. So, why do companies continue to get hacked, despite massive media coverage and widespread usage of commercial security products?

Some reasons would be:

  • Small businesses are less likely to have sought any expert guidance on the topic compared to medium/large firms, and they cannot afford qualified/skilled security experts
  • Poor advice received from non-technical advisors or software salespeople
  • Poorly configured software and systems
  • Inadequate staff training and qualified staff
  • Lack of scenario planning around incident management

On the other hand, it has never been easier to engage in malicious hacking for profit or simply for malevolence. A plethora of tools are available freely and as digital life becomes more complex, with more and more devices connected to the internet without a thought for security, systems become more vulnerable. You might have heard of affiliate marketing – in which a business rewards one or more affiliates for each visitor or customer brought by the affiliate’s own marketing efforts. But have you heard of Malware Affiliate marketing? Malware authors, having seen what works elsewhere, have developed their own affiliate program.

In the security assessments that we have performed for small businesses in Ireland, we regularly encounter the following:

  • Weak cipher/encryption (whereby committed hackers could easily break into password controlled logins and take control of a site/server)
  • All service ports are open to public interfaces i.e. database, ssh, rdp. In these instances, there was absolutely no need to leave these open to the world.
  • Lack of redundancy or backup: one e-commerce retailer (just to pick one) has its entire site (IT asset, front-end, backend, etc.) on just one server with single storage, not to mention the configuration/setup. Despite the security risks, this is just bad practice as servers are known to fail for purely technical reasons.
  • Nicely designed sites delivered by competent front end developers, which have security flaws due to poor configuration. By this we mean the web server on which the website lives could easily be compromised. Developers often do not change standard admin configurations, leading to easily exploitable vulnerabilities. They often just are not aware of the security implications of what they are doing.

What companies can do for themselves

Imagine going to a car garage for a service. Would you assume that the mechanics would adjust your child’s seat for maximum safety or update your sat nav software? Don’t assume that your otherwise excellent IT people are looking after security. You may be surprised to hear it, but many IT graduates have never studied anything security related. Security is a very specialized discipline, at the pinnacle of IT and requiring a combination of skills in networking, system administration, development engineering, software engineering and infrastructure engineering with a solid background covering all areas. For small businesses, especially those holding data or processing payments, security is not something that should be compromised on.

Take a moment to consider these questions :

  • Do your IT team or 3rd party developers know how to secure your digital assets?
  • Who do you depend on if you suffer a data breach?
  • What would you do if your customer database was hacked, your website defaced or taken down, or you couldn’t access your email or business files?

Ciaran Martin, CEO of the UK’s National Cyber Security Centre advises:

“The majority of successful cyber attacks are not that sophisticated, but can cause serious commercial damage. By getting the basic defences right, businesses of every size can protect their reputation, finances and operating capabilities.”

Steps you can take to significantly improve your cyber security:

  • Install, maintain and update antivirus, anti-malware and firewall software for desktop and mobile.
  • During system/server provisioning and setup, apply at least the basics of hardening in your environment. Remember to keep your system patched and up to date.
  • Consider Open Source products which can be more cost effective than commercial solutions.
  • Remove unused services from your server and restrict access to those services where there is no need for a public interface (anything outside of http(s) basically).
  • Always grant the minimum required privileges for your users/employees.
  • Set up a proper user access policy in your environment and keep it up to date (for new entries and leavers).

It is possible that this may be too much for your own IT team to handle, so consider booking a security health check with a reputable provider. There are great resources put together by the UK National Cyber Security Centre and the Cyber Essentials Programme.

Why this is important

All businesses holding customers’ personal data will need to ensure that they comply with the EU’s General Data Protection Regulation (GDPR) legislation from May 2018. This will strengthen the right to data protection, which is a fundamental right, and allow individuals to have trust when they give their personal data. Security is constantly evolving so make sure to carry out regular health checks. This could mean vulnerability and penetration testing, where security experts (with express permission) put on a ‘white hat’ and attempt to penetrate your system, yielding valuable data that can be used to strengthen your defenses.

Part 2: coming soon!

About the author

Donal Kerr New Frontiers
Donal Kerr

New Frontiers participant, Donal Kerr, is the co-founder and COO of 4Securitas – an automated cybersecurity intelligent defence system. The startup will will enable organisations to protect themselves against hacking, malware, fraud and cybercrime. It will enable staff without an IT or security background to handle some of most critical and sophisticated security tasks, manage risk and reduce costs.