That brings many positives; small businesses can give the impression of larger organisations to build credibility. Operations can be flexible without the need for a physic HQ.
But no matter how a business chooses to operate in this new world of hybrid working, the biggest threat – that is still growing – is that of cyber threats. Therefore, investing in securing your valuable digital data may be the best thing you do this year.
Here’s why…
Why does hybrid working increase vulnerability?
Especially since the pandemic, businesses have realised the benefits of adopting a leaner operating model. Typical broadband speeds are usually good enough for home workers, staff can collaborate on video calls and share documents through Cloud services, and businesses can save money on office space, utilities, hardware and more – what’s not to like!?
However, these extra devices and home internet connections open up businesses to added vulnerability.
Home networks aren’t usually as secure as business networks designed from day one to prevent malicious access with firewalls and network monitoring. And even if home networks have these added features, their protocols will not be as stringent, meaning a hacker may still be able to gain access.
So, what are businesses to do?
Common IT Security threats and how to avoid them
Phishing
Phishing describes a type of attack where a hacker creates a message – usually an email or SMS – that appears to be from a reputable source but actually acts as a way to gain personal data, such as email addresses and passwords, that could then be used to access business networks.
Attacks tend to leverage some form of urgency to prompt readers to act, which was highly evident at the start of the pandemic, when many businesses received emails that appeared to be from the NHS, offering ‘advice and support’ but were actually well-designed phishing attacks.
Solution
The most cost-effective way to prevent a phishing attack is training. These emails are usually written in non-English speaking countries with out-of-date logos and other easily identifiable errors.
For even higher levels of protection, businesses can leverage MFA or ‘Multi-Factor Authentication’, which provides two or more ways of validating a login before giving access. For example, after users log into a system, they are sent a code to their mobile number to ensure the right person is logging in.
Ransomware
A portmanteau of ‘ransom’ and ‘software’, these attacks will lock your staff out of their devices, usually desktop computers hardwired into your network. However, laptops and other devices still can fall victim.
One recent high-profile example of a ransomware attack is the US Colonial Pipeline attack in 2021. The team of hackers gained access to an essential oil pipeline system, locking all users out of their systems and threatening to release over 100 Gigabytes of confidential data unless a $5 million ransom was paid.
Obviously, this had a massive financial impact on the business paying the fine, its credibility and consumer confidence, as well as fuel shortages across the region, causing prices to soar. And it’s not just US companies! We’ll go into an equally impactful UK example of Ransomware further down this blog.
More recently, both our government’s 2021 Annual Cyberthreat report and Ivanti’s Ransomware Spotlight report, from across the pond, agree that Ransomware has now become the biggest threat to businesses on both sides of the Atlantic.
Sadly, it’s not as simple as switching off a single computer or connection. Ransomware attacks by design are meant to infect as many devices as possible, which means entire supply chains can all be affected by one single email.
Solution
Given that Ransomware is one of the biggest threats to UK businesses, this is where stakeholders should invest a considerable amount of time and resource.
Technology is constantly evolving, and so are the strategies that hackers use to gain access and spread software across a network without raising any red flags.
That means that constant network monitoring by an experienced IT security expert is essential. When combined with a robust firewall (that prevents access by unrecognised devices or connections), businesses can rest easier knowing that all the doors are locked from outsiders, and someone is keeping an ear out for anyone trying to break through with a digital axe!
“When it comes to defending against online threats, having relevant, timely alerts you can trust about malicious activity is vital for any organisation.”
Eleanor Fairford, NCSC’s Deputy Director for Incident Management
Out of date software
The most famous UK example of out-of-date software causing a significant attack is the NHS’ fall to the WannaCry attack back in 2017.
Did you know?
NHS England reported that 80 out of 236 Primary Care Trusts were infected, as well as 603 primary care and 595 GP practices, estimating the total cost at £92m!
In this example, the version of Windows (XP) that the NHS had been using, was no longer supported in lieu of more recent versions (Windows 7 and 8). This meant that security gaps already fixed in recent Operating Systems were still open to malicious activity, opening the NHS’ “digital door” for a phishing attack!
Solution
The fact is, we’re all guilty of not keeping our devices up-to-date… How many times have you skipped the notification on your phone or personal laptop when it pops up?
The problem is that businesses can’t afford to do this, and as we’ll describe a little later on, your staff, while well-meaning, can’t always be trusted. So, finding a central and seamless way to update all your devices is going to be vital in the coming years.
Thankfully, Managed Service Providers can install software on your devices that ensure that they can send any software updates directly to devices to install, without a prompt from the specific user. This means stakeholders can rest assured that all devices are as secure as possible.
Human Error
To quote another famous saying, “To err is human”, or in other words, we all make mistakes. While succumbing to a phishing attack may be one example of human error, there are multiple scenarios that are just as applicable…
An employee leaves a device with confidential data on public transport or accidentally breaks the device with unsaved data that is now irretrievable. What if a disgruntled employee decides they want to take information and give it to a competitor?
While none of these examples are desirable, they need to be considered and mitigated, just in case.
Solution
Just like your mobile, it’s possible to develop robust Backup policies that ensure that all data on business devices is centrally saved, just in case a device is lost or broken. You could even incorporate remote wipe solutions to ensure the data on lost devices doesn’t get leaked. And, in the case of a fire, flood etc., having all those back-ups will ensure a speedy Disaster Recovery process, too!
This also means you can ensure employees that have been recently let go don’t have access to confidential information by wiping their devices and revoking logins.
But just like phishing, training staff on data best practices, like Multi-Factor Authentication, can also mitigate these challenges and help the entire team shoulder the responsibility of data security, rather than a select few IT staff or stakeholders.
Wireless Networks
Wireless network attacks aren’t as common as these other strategies, but given the shift to hybrid working, we expect these types of attacks to grow significantly in the coming years.
Sometimes called ‘drive-bys’, hackers have been known to slowly drive down streets with a portable device that tries to gain access to wireless routers. If successful, this then makes all the data coming in and out of that router available to view, as well as the ability to send malicious code across the network.
One of the most significant factors here is that the attack victim will have no idea they’re being attacked. And with home routers usually only given the most basic of security policies – especially ones provided by ISPs – this attack vector is particularly troublesome for many businesses.
Solution
Penetration testing, where a security professional uses every trick in the book to try and gain access, combined with constant network monitoring by an IT security provider, is the best way to mitigate this risk.
By testing all the routers on your network, they can identify any at-risk connections and ensure safeguards are put in place (such as more complex passwords, firewalls and more) are leveraged to prevent a wireless drive-by attack.
Then, as best practice, the provider can keep an eye on the network and any strange activity to ensure those protections aren’t overcome, just like our ransomware example above.
What’s my first step to better Cybersecurity?
If you’re looking to secure your systems, the best thing you can do is partner with an experienced IT Security or Managed Service Provider.
We have over two decades of experience in supporting business communications, and we’ve got an entire universe of knowledge and expertise when it comes to securing your data.
With our own Security Operations Centre for constant network monitoring and a 24/7 Helpdesk for any issues – for example, checking to see if an email is actually a phishing attack – we can make sure all your team and data is protected no matter where they are.
Plus, our 5-step process ensures every aspect of your business – from HQs to hybrid workers – are secure. By providing VPNs, anti-virus software and a team of highly trained.
Network Engineers, we will ensure your data never gets thrown into a black hole!
So, get in touch and let’s discuss how we can help secure your business for our digital-first future.
