Things are hotting up pretty much everywhere at the moment: Russia has invaded Ukraine, the world responded by letting its displeasure be known through a combination of damning statements and various sanctions against Russia. The White House has released various warnings about cyber-attacks from Russia; the NCSC (part of GCHQ) has advised organisations to “improve their resilience” for the same reasons.
In short, the chances of not being on the receiving end of one of these attacks are shrinking by the day. The one thing you do control is what the effect will be: will it stop your organisation from being able to function, or will the attack fail?
It is all well and good having advice from government saying that you should take steps to make your organisation safer, but what do those steps look like? What is needed for a defence proportional to your risks?
- Cyber security training. There is a reason insurance companies insist on this being supplied to your users: it greatly reduces risk. The approach of getting everyone in a room and lecturing them once a year has been shown to be particularly ineffective, as it does not change how people behave. To change user behaviour for the better you need ongoing training: little and often.
- Adopt a security standard. Doing this reduces unsafe practices, and that is exactly what is required. At one end of the spectrum you have the NCSC’s Cyber Essentials and at the other, ISO 27001. Cyber Essentials is a great starting point as this closes down some of the obvious vulnerabilities. It is also fairly easy and low cost to attain.
- Use a good password manager. Your browser’s offer to remember your passwords is most definitely not a “good password manager”! Many users reuse the same username and password combination for multiple logins. It only takes one data breach for that combination to be exposed, after which it will be tried against lots of different online platforms, which could very well give criminals access to your data and systems.
- Use MFA (Multi Factor Authentication) wherever possible. This limits what a criminal can achieve once they have your username and password. However, do not be fooled into thinking that it answers your security needs by itself; there are ways around it.
- Make sure that everything is backed up safely, preferably to a cloud service. Use of unencrypted USB backup devices is very unsafe for several reasons.
- Ensure that your security software is both up to date and up to the job. If you just use free antivirus or the protection that comes with Windows, you may want to check what you are still vulnerable to. There are reasons people pay for security software; it is best to find this out before you are attacked.
One thing to remember in these troubled times is that your insurance company may well not pay out if the cyber-attack behind your claim is deemed to be part of a nation state attack. For more details, see this article.
If you haven’t got this all worked out yet, then please get in contact to be put in touch with your local cybersecurity expert.