Last week's Security Serious events and seminars drew attention to the simple ways smaller businesses in particular can improve their security without spending lots of money, or in many cases any at all. The problem is that a lot of this advice remains trapped inside some of the country's most experienced security professionals and companies and is not always heard by the SMEs that would benefit from it.
The perception remains that improving security requires huge organisational change and major investment, possibly beyond the pockets of smaller businesses. But as Security Serious underlined, closing the biggest weaknesses doesn't always require large investment, as long as organisations pay attention to the handful of flaws attackers always look to exploit. Here we collect some of the best advice.
Stop ignoring email threats
Email is the front door attackers will always try first when targeting a company's systems, with numerous case studies from real-world cybercrime incidents pointing to the ease with which the tactic works. All it takes is one email with a malware-booby-trapped attachment, possibly from a known named contact, and an attacker has gained a foothold on that system. From there, they can email other contacts, access parts of the network, and so the scope of the attack spreads quickly.
Telling people not to open attachments from unknown contacts is, frankly, almost useless advice - if staff can never open attachments from third parties then why have email at all? Inevitably they will.
The first reform is to look at the email systems being used. Hosted Exchange and Gmail services can be configured to use whitelisting based on contacts added to the address book, and they also apply their own filtering to reduce the load of suspicious emails in the first place. All recent email clients, including webmail services such as Gmail, will also treat attachments from unknown contacts as automatically suspicious, applying similarly tough rules to emails with embedded links. This is a start.
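The address-book rule described above, applied to a few constructed messages, as an added example that is not part of the article: a sender outside the contact list who sends an attachment or an embedded link is flagged, a known contact is let through, and an unknown sender with neither is left alone. The contact addresses, sample messages and the three labels are all made up for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: the contacts the mail system is told to trust.
ADDRESS_BOOK = {"alice@example.com", "bob@partner.example"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)

# Constructed sample messages (not real mail); one multipart body carries an attachment.
ATTACH_BODY = ("MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=b1\n\n"
               "--b1\nContent-Type: text/plain\n\nInvoice attached.\n"
               "--b1\nContent-Type: application/pdf\n"
               "Content-Disposition: attachment; filename=invoice.pdf\n\n"
               "JVBERi0=\n--b1--\n")
SAMPLES = {
    "known_attachment": "From: Alice <alice@example.com>\n" + ATTACH_BODY,
    "unknown_attachment": "From: Billing <billing@unknown.example>\n" + ATTACH_BODY,
    "unknown_link": ("From: news@unknown.example\nContent-Type: text/plain\n\n"
                     "Your account is locked, log in at https://unknown.example/\n"),
    "unknown_plain": "From: hello@unknown.example\n\nHi, are you attending on Tuesday?\n",
}

def has_attachment(msg):
    """True if any MIME part is declared as an attachment."""
    return any(p.get_content_disposition() == "attachment" for p in msg.walk())

def has_link(msg):
    """True if any text part carries an embedded http(s) link."""
    for p in msg.walk():
        if p.get_content_maintype() == "text":
            body = (p.get_payload(decode=True) or b"").decode("utf-8", "replace")
            if URL_RE.search(body):
                return True
    return False

def classify(raw, address_book=ADDRESS_BOOK):
    """'trusted' for a sender in the address book, 'suspicious' for an unknown
    sender carrying an attachment or link, 'plain' for an unknown sender with neither."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender in address_book:
        return "trusted"
    return "suspicious" if has_attachment(msg) or has_link(msg) else "plain"

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:20s} -> {classify(raw)}")
```

The rule is only a first filter: as the article notes, a booby-trapped attachment can arrive from a known named contact, so it complements the provider's own filtering rather than replacing it.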
The problem is that attackers just as often use phishing attacks built on what look like legitimate websites, so the second layer of defence requires training users to spot the sometimes subtle signs that they are being targeted. Easier said than done, but a number of companies offer anti-phishing training and testing systems, which usually cost money. However, US consultancy KnowBe4 offers a free online test which is worth trying out to get an idea of how well oriented a workforce is to phishing.
Assume websites are vulnerable
Exploiting flaws in e-commerce websites using SQL injection, Cross-Site Scripting and the like is another absolutely standard way to attack a company, with even the largest firms struggling to contain what should by now be a well-understood issue, as TalkTalk recently found out to its cost. The precise role of web flaws in that attack has yet to be confirmed, but the company has been accused of ignoring known issues.