How to Secure Your Business Against Cyber-Attacks

IT security is currently a hot topic. From all sides we hear about a rising threat, recent security incidents, quite considerable losses in enterprise values and damaged reputations. But how did our companies become so vulnerable in the first place? Anja Dörner takes a look at the most frequent mistakes that companies make and then provides six tips that you can use to protect your business. The detailed Internet Security Threat Report 2017 gives you a precise low down on where exactly the threats are lurking.

Threats are ubiquitous in every IT environment. Just recently the media was awash with reports on the global spread of the encryption trojan named "WannaCry" that paralyzed computers in their tens of thousands. Among others it affected the healthcare industry in England, telecommunications companies in Spain and even the German rail company Deutsche Bahn. The ransomware infects un-patched legacy versions of Windows, spreading like a worm through networks, nesting in computers and encrypting their data. WannaCry instructs users to pay a varying amount in Bitcoins and threatens to destroy their data otherwise. And it’s not even a targeted attack.

The Internet Security Threat Report 2017  shows you precisely where the most dangerous attack vectors are found, describes the risks that ransomware presents and how IoT and the cloud are now in the cross-hairs.

Why are companies such easy targets?

None of this is new. That’s true, but something has changed in our modern age. We want progress across the board and all the time. Faster, higher and further. The world of work and all its attendant areas are characterized by transience and maximum productivity. And IT needs to keep up with these developments.

But the sheer complexity of it all makes it feel like we’ve fallen into a raging torrent and our only concern is to escape the floods unscathed.

So what are the challenges facing your company and which aspects do you need to keep in mind at all times?

Let’s imagine you fork out for your absolute dream car. It is the latest model by your favorite automaker, has the best engine, incredible comfort features and an amazing sound. The vehicle is the sum of everything you have ever wanted. What’s more, yours will be the very first one sold in Germany.

Absolutely the real deal. Then the special day arrives. Finally, you can pick up your new car. Arriving at the showroom, you see it hidden beneath a bright red cloth. But when the friendly showroom salesman Mr. Miller whisks the cloth aside, you get the shock of a lifetime.

Your dream car for just under €80,000 doesn’t have doors or mirrors! And when you ask what’s going on, Mr. Miller responds: “The car’s brand new. The doors and mirrors will be built later. You can expect them to be ready in around two years.” Would you still take the car? I don’t think so, but that’s what the situation looks like in the software industry.

Every new development is rolled out as quickly as possible to keep up with the competition. This means that an increasing number of vulnerabilities enter the market at the same time. In its current report “The State of IT Security in Germany 2016”, the Federal Office for Information Security (BSI) outlined the growth rate in individual operating systems in the following chart:

Hint: There are very simple technologies such as Sophos Intercept X or Symantec Endpoint Protection that close these points of attack in your basic IT. Call our Publihser Advisory teams for insights.

Nobody likes admitting mistakes, but we still make them daily. Often it takes just a moment of carelessness for disaster to strike. Naturally we hope that the damage will be minor, but frequently it is far more serious. The reason is entirely unimportant, actually. It’s not possible to turn back the clock. Very often we only start thinking and become aware of the consequences when something bad has already happened.

My personal favorite example from the world of IT is the encryption trojan 'Locky'. The widely reported malware and its various offshoots infected many companies in 2016. Frequently I heard that an employee had mistakenly clicked on a link in an e-mail, downloading malware that then worked its way through the network like a worm, encrypting all the data. The financial damage was considerable. Suddenly there was a tremendous outcry from all the companies, calling for 100 percent protection against this kind of attack. But nobody guarantees blanket protection. So you need to take steps on your own.

Tip: Train your employees regularly and make sure they are sensitized. Don’t forget your backups. Even if it’s old hat to you, you should still take care to check regularly that your backup works and define what you need to do in case of an incident.

I usually bump into the customers’ IT security specialists at industry events like the popular IT Security Symposium. But all these people are already experts. They spend their time visiting specialized events, expos, seminars and webinars. Why doesn’t the Board or Management take the time to visit some of these events? After all, the buck stops with them in the event of a security incident.

Tip: Make sure that management is directly invested. Socialize the urgency of developing a sophisticated security strategy based on more than just technology alone. Take a good look at which IT trends you really want to adopt in your company.

Stick to what you’re good at. In this case I’m not talking about your company, rather the specialists for the world of cybercrime. Even cybercriminals want to save costs and resources and are therefore prone to using tried-and-true attack scenarios like infected macros in e-mails.

Tip: Modern real-time monitoring keeps you up-to-date and helps you respond quickly.

Top security vendors like McAfee, Microsoft, Sophos, Symantec and Trend Micro have solutions for these tasks as well, and SoftwareONE's security experts will gladly introduce them to you.

It’s a well-known fact that companies lack IT specialists. This is simply a consequence of the rapid development. Criminals are modifying their strategies and optimizing their attack scenarios. So the need for the security specialists in companies is growing by the day.
Tip: Bring in a competent partner or train your own staff to become specialists. Of course it will cost you, but believe me: it’s worth every cent!

The complex internal structures within companies frequently make it impossible to keep tabs on everything. Departments tend to have their own particular focus, and that’s what they stick to. Often we neglect to include the bigger picture, to the detriment of our IT structure.

Tip: Get support and have your IT structure checked for potential threats on a regular basis. What’s more, it’s important to know which data the company has, how important it is, who has access, and who is permitted to process it. Analysis tools, for instance by VERITAS, as well as suitable encryption solutions like those from McAfee, Microsoft, Sophos, Symantec and Trend Micro, can help you here.

My tips, in a nutshell

• Install all the available security updates as soon as they become available.
• Raise the awareness of your staff.
• Install security software and take steps to ensure it is used properly.
• Make certain that management is invested.
• Test your backup! Not even the IT experts can help once a malicious attacker has encrypted your data.
• Keep an eye on your risks and vulnerabilities.