In December 2018, just a few days before Christmas, the director of the Australian Cyber Security centre joined the United States and other nations in condemning an alleged Chinese plot to steal intellectual property and corporate secrets by means of cyber attacks conducted by state-sponsored hacking groups.
Alastair MacGibbon, national cyber security adviser to the Commonwealth of Australia, mentioned that several companies had been targeted by the notorious cybercrime outfit known to intelligence agents as Advanced Persistent Threat 10 or Stone Panda, a group that focuses on staging sophisticated attacks against major targets such as IT firms that manage the networks of small and medium enterprises.
MacGibbon’s comments were made in the wake of news stories that underscore the need for stronger information security measures and strategies.
In November 2018, the Sydney Morning Herald reported that networks managed by the Australian Defence were penetrated by Stone Panda hackers on various occasions since 2009. A week later, The Australian Financial Review reported that the Lowy Institute, a prominent think tank that often provides advice to the government on foreign affairs, was targeted by Stone Panda at least twice in 2018.
Big Hackers Target Small Business
In Australia, many owners of small online enterprises incorrectly think that their businesses will never be targeted by hackers; this false sense of security emanates from the belief that hackers have bigger fish to fry or more enticing targets to go after.
The reality in 2019 is that cybercrime groups are increasingly pursuing small and medium companies because they know many owners fail to implement adequate information security measures; in other words, hackers are happy to strike easy targets regardless of their size.
An e-commerce shop, for example, can be an attractive target to hackers who specialise in identity theft and the quick profits they can generate with stolen credit card information.
With the above in mind, here are seven information security tips that owners of small online businesses should follow:
1. Train Yourself and Staff on Information Security
Phishing attacks are more successful when the individuals being targeted lack information security awareness. Business principals and employees should learn to spot and recognise suspicious emails and potential Trojan horse attacks at a time when phishing attacks are at their highest levels in history.
Company owners who provide training in cyber security matters are often surprised by how much their employees learn and by the interest they show in these topics. Companies that follow “Bring Your Own Device” policies should do more than just configure the laptops and smartphones of employees; proper training should be provided on how to keep devices (and the company network) safe.
2. Implement an Effective Data Backup Strategy
Since 2015, ransomware attacks have caused billions of dollars in global business losses, many of which could have been strongly mitigated with an effective data backup strategy.
Many companies affected by ransomware incidents were shocked to learn that their backup practices were inadequate, insufficient and ineffective; this is often caused by failure to test backup and recovery procedures. Encryption is another data backup aspect that business owners should keep in mind, particularly if they use cloud-based storage solutions.
3. Never Let Your Guard Down
It only takes moments for hackers to inject malicious code or breach an unsecured network. A simple action like an employee connecting her work laptop to a public Wi-Fi hotspot without security protocols is all it takes for hackers to install malware, steal username/password credentials or copy sensitive files.
Whenever portable or mobile devices are used outside of the office, they should only connect to the internet via a VPN. Firewalls and antivirus software should never be disabled, and staff members should be extra cautious when connecting to outside networks.
4. Adopt Two-Factor Authentication Practices
Strong username and password combinations are no longer sufficient to stop the most sophisticated hackers; to this effect, two-factor (2FA) authentication has become one a modern security necessity.
Of the various types of 2FA strategies that can be implemented these days, biometric systems such as fingerprint scanning are among the most effective; however, even smartphone notifications and SMS codes are better than not having any 2FA at all.
Even the smallest online enterprises should follow a cyber security policy at all times. Unfortunately, this is something that many companies disregard. Even if the policy consists of a single page document, it should establish minimum guidelines for all staff members to follow, including:
- Acceptable use of company networks and devices.
- Secure remote access.
- Phishing attack prevention.
- Safe use of peripherals and removable media devices such as memory cards and USB drives.
- Password creation, maintenance and change policy along with 2FA authentication.
6. Establish Content Control and Management Policies
Limiting access to risky software, websites and content can go a long way in terms of information security. It is estimated that a quarter of all data breaches are accidentally caused by employees, managers and even business owners who accessed a malicious website or who inadvertently allowed the execution of malware hidden within a Trojan attack element. Content management and file restrictions can also protect against insider attacks perpetrated by rogue employees or corporate spies.
7. Keep Systems Properly Patched and Updated
Zero-day vulnerabilities are constantly being discovered or exploited. Hardware manufacturers and software developers often inform clients and the public about potential exploits found by information security experts, but it is up to company owners to ensure that the adequate measures are implemented in this regard.
In 2018, Microsoft was forced to delay the release of a major Windows 10 update, but several patches and fixes related to operating system security were released in the meantime. It is always better to take action on upgrades and fixes as soon as they become available than to wait on them to be released as a packaged update.
Antivirus software should always be allowed to connect to the developer’s remote servers for definition updates and fixed, and the same goes for web browsers, content management systems and apps that connect to the internet.
The Bottom Line
In case we haven’t made the point plainly enough yet, small business owners should take this stuff seriously. You might think you’re flying under the radar but you would be wrong. Hackers are out there testing your defenses right now. If they get in, the damage done could put you out of business faster than you can say, “Dang, I wish I would have paid more attention to that cyber security article.”