Have you ever thought what would happen if your website got hacked? What about getting your sensitive company data leaked? Do you know if your business has strong cybersecurity mitigation plans to cope with the risks of remote working conditions?
Within a short period, the COVID-19 Pandemic has pressured many industries to perform a large-scale business operations shift. The pandemic situation escalated without warning, forcing many businesses to quickly transition to remote working.
Unfortunately, this means businesses with premature remote working policies are more vulnerable than ever to cyber threats. This suspicion is confirmed by Viljoen and Nunn-Price of Deloitte Australia (2020)1, who observed a sharp increase of around 400 thousand spam emails just in mid-March alone.
Despite this, the benefits clearly outweigh the risks. Many businesses, including ours, have already seen first-hand the increase in productivity after the transition to remote working . As the new normal seems to settle towards hybrid working (a combination of physical and remote working), now would be a good chance to review your company’s cybersecurity policies.
For more information about the benefits of remote working, read our blog on the topic here.
To make sure your business is well-equipped against cyber attacks, follow these 10 simple tips:
1. Ensure remote business meetings are secure from hijacks
Remote business meetings are necessary for successful remote working. However, there have been quite a few incidents where unwanted meeting participants gain access to meetings and bombard them with inappropriate materials (Novet, J. 2020)2. These hijacks, also known as Zoom-bombing, are very detrimental to your business image and relationship.
Here are some ways you can protect critical business meetings from hijacking threats when using some of the most popular online meeting applications:
Only share Personal Meeting IDs with selected participants
Secure your meeting rooms with an additional password
Enable the Waiting Room feature (where the host or co-host has to manually approve participants)
Only enable participants’ screen sharing feature when necessary
Google Meet doesn’t support passwords, but only attendees you invite through Google Calendar can join the meeting without approval. Other participants have to join the meeting through Meeting Codes, which then have to be approved manually by the host. Make sure you review who these participants are before you approve them.
2. Maintain files in the cloud with strong user access policies
Remote working conditions need the use of cloud storage for data. Make sure you maintain all business files within your company’s chosen cloud storage environment. Having your files in separate cloud platforms makes it harder to manage as well as increasing data redundancy.
You might also want to look into file access permissions. For example, you can restrict your company’s Financial Report folder to be viewable by the management team but editable only by your Accounting department, for example. Each cloud platform has different ways to do this. Here’s how you can do it in Google Drive and Dropbox.
3. Backup your files and website data regularly
Backing up your data in multiple locations is a good idea in case of data loss incidents. Generally the more backup locations you store your files in, the better.
Below are some options of backup media you can try:
External hard drive: The most common and cheapest backup medium. While backing up data with external hard drives isn’t the safest method out there, you can still limit access to these hard drives. We would definitely recommend you to have other backup methods available in case of hard drive failure or loss.
Cloud storage: If you want the convenience of storing data without worrying about the security, paying for cloud storage is the perfect solution. Cloud storage services will encrypt your data and protect them from cyber attackers.
Network Attached Storage (NAS) system or servers: If your business has a dedicated storage server, backing up data there might be the most secure backup solution you can use. The only downside would be the steep barrier of financial and technical entry. However, someone has to be physically in the office to perform regular maintenance.
4. Change your passwords regularly
Think about this – what if there’s someone out there that attempts to log in to your user accounts every minute? What if they try out every single combination of characters to work out what your correct password is? This type of attack, better known as brute-force attack, happens more often than we think and it could very well be happening to your user accounts right now.
We’ve recently looked at our website login attempt logs and found out that brute-force attacks were being done on our website every minute, and we had to act quickly to improve our security!
These attacks are usually done with the help of computer bots. The bots will try to guess random password combinations and remember them if they fail. This process will be repeated until the user account is eventually breached. Usually the attacker runs multiple instances of these bots simultaneously to shorten the amount of time they take to guess the correct password.
Here are some tips to help you better protect your user accounts from brute-force attack attempts:
A longer password is harder to guess, try to make yours at least 12-15 characters long
Passwords are typically case-sensitive, try using different combinations of lower-case and upper-case letters
Use numbers and symbols (e.g. !, ?, #, etc.) when creating a password as they’re much harder to guess
Try not to use common passwords that are easily guessable (e.g. birth date, password123, etc.)
Minimise reusing the same password on multiple websites
Some websites assign default passwords when creating new user accounts – it’s best to change these as soon as possible
The more random the combination of alphabetic letters, numbers and symbols are, the more secure the password is from brute-force attacks. When creating passwords, we would recommend using a random password generator while also following the criteria above.
But how would you remember what the password is? If only there was a way to save the passwords in your computer somehow.
5. Don’t save passwords in your browser – use Password Manager platforms instead
With the introduction of password saving features in web browsers, gone are the days where someone has to write down their passwords in a notebook. But is it truly safe to trust your browser with your passwords?
At its first inception in 2008, Chrome used to store all saved passwords in your computer without additional encryption (The Guardian 2008)3. Anyone could simply open up the browser’s settings page and view the passwords in plain text.
This has been rectified and now Chrome, just like other major web browsers, requires you to fill out a password (called Master Password) before you can view the saved passwords in plain text form. No harm done, right?
Unfortunately, there’s still another problem with saving passwords in web browsers – the autofill feature. Once the password is saved to a website, the web browser will automatically fill out the username and the password for you every time you get prompted to login. Your web browser won’t verify your identity when you enable this feature. This means anyone can login to your user accounts, provided they have access to your device and the web browser you’re using. Simply put, using the browser’s built-in password autofill feature trades your security for convenience.
Once the password has already been autofilled, anyone can even change the password field to display in plain text format through some minimal web editing.
All done in a minute. Scary to think anyone can find out what your password is, isn’t it?
Our recommendation in this case is to use password managers instead. You gain the convenience of the password autofill features while maintaining your security. You can easily fill out passwords with the click of a button. But to do this, you are required to enter a password (i.e. Master password) when accessing the password managers.
There are several reasons why these platforms are better than a web browser’s save password feature:
Supports sharing passwords to other users
Only one password needs to be remembered (Master password)
Logged in users can be prompted to re-login after a set amount of time to prevent unauthorised access
Platforms typically include a random password generator
Some password managers with desktop or mobile apps can be used for non-web-based applications
Some of the most well-known password managers we would recommend are LastPass and PassCamp.
6. Use Two-Factor Authentication (2FA) if possible
A Two-Factor Authentication (2FA), also known as Multi-Factor Authentication, is a term for additional security measures used in conjunction with a user’s password for verification. These act as extra passwords you need to enter within a limited amount of time. Once it expires, the code will then be randomised.
Whenever you can, 2FA should always be enabled. In case your password has already been cracked, the attacker will still need to figure out the correct 2FA code in a short time frame before they can breach your account.
Most 2FAs are set up by scanning a QR code on your mobile device within an authenticator app like Authy or Google Authenticator. Once your device is linked, you will be given recovery codes that you can use to login if you ever lose your device. Make sure you save these, but don’t store them in your computer – either write these down or store them in your password manager for safekeeping. It should be done this way to prevent the attacker from easily learning what your recovery codes are if they ever gained access to your computer files.
7. Provide employees with sufficient training and documentation
Every year an analysis of the cyber landscape confirms one thing: human errors remain one of the major reasons for successful cybersecurity breaches. Confirmed by 2019’s analysis from the UK-based cyber security firm CybSafe (2020)4, 90% of 2376 cyber breaches in the UK are attributed to human error.
Ahola (2019)5 states that most of these errors are simply caused by a lack of awareness by illustrating how phishing attempts work more effectively against people who are less wary of them. He also suggests that companies should start tackling this issue to make their business more secure.
We recommend documenting all your business practices, processes, and procedures within a centralised management system. This not only mitigates the human error issue, but also gives you a head start in meeting the requirements of the ISO 9001:2015 Quality Management Systems Standard.
8. Be wary of phishing links and spam emails from fake email accounts
Modern spam emails have come a long way from looking dubious. These days there are all sorts of clever tricks to make spam emails and phishing links look legitimate at first glance, whether by imitating a website or a real person. We’ve had a couple of incidents where these seemingly come from someone from our team, until we found out they came from an unknown email address.
Below are some questions you can ask to find out if an email is a spam:
Topic relevance: Is the topic relevant to you? If not, there’s a high chance it is a spam email.
Sender: Does the sender look like a legitimate email address? If the sender is a known person, does the sender email match their usual email address?
Typos and grammar mistakes: If the email comes from a large business entity, does the sender make a lot of spelling and grammar mistakes?
Verify the info with the sender with another contact method: Does the email content look believable? If the sender is a known person, you might want to verify the validity of the info within the email via a phone call, or their usual email address.
Be extremely careful of links within suspicious emails. Some malicious links (phishing links) can inject malware or even steal your data. If you think you ever clicked on one, make sure you follow these steps:
If the link points to a website you’re familiar with, look at the website address. If the link doesn’t have the same formatting as they usually do, there’s a high chance that you’re in a phishing website
Don’t interact with anything on the website – close the website tab immediately
Perform a full system scan with the antivirus software installed on your device
For more information about scam emails and phishing scams, please visit https://www.cyber.gov.au/acsc/view-all-content/threats/phishing.
9. Review software being used across the business
Do you know if the software you’re using is being updated regularly?
Are your employees using different software platforms for the same purpose?
The more platforms you use, the harder it is to maintain and the easier it is for cyber attacks to slip through. Outdated software tends to also be the weakest chain in your cybersecurity protection, especially if they have known vulnerabilities that weren’t patched at that point of time.
We suggest maintaining a regular schedule for updating software and keeping a list of all software platforms being used up to date. An easy way to keep this manageable is by using your password manager to keep track of all software being used within your business.
10. Deny access from ex-employees
Make sure you always take the following measures for safety whenever employees leave:
Change all passwords being used
Remove the employees from password managers
Remove the employee’s access from cloud storage and other business platforms
Have all company property returned upon termination
If the pandemic has taught us anything, all businesses moving forward have to be ready to adapt with the changes, especially in their cybersecurity plans. With the move to remote working, all businesses nowadays not only have to be scalable but also be more primed to face cyber threats.
We hope this got you thinking about how you can develop strong cybersecurity plans for your business.
1Viljoen, T. & Nunn-Price, J. 2020, “Actions to managing Cyber Security during COVID-19”, https://www2.deloitte.com/au/en/blog/financial-advisory-financial-services-blog/2020/managing-cyber-in-the-remote-workforce.html.
2Novet, J. 2020, “Intruders are hijacking Zoom calls with noise and gross images — here’s how to avoid becoming a victim of ‘zoombombing’”, https://www.cnbc.com/2020/04/02/how-to-avoid-becoming-a-victim-of-a-zoombombing-on-zoom-video-calls.html.
3The Guardian 2013, “Google Chrome security flaw offers unrestricted password access”, https://www.theguardian.com/technology/2013/aug/07/google-chrome-password-security-flaw.
4CybSafe 2020, “Human error to blame for 9 in 10 UK cyber data breaches in 2019”, https://www.cybsafe.com/press-releases/human-error-to-blame-for-9-in-10-uk-cyber-data-breaches-in-2019/
5Ahola, M. 2019, “The Role of Human Error in Successful Cyber Security Breaches”, https://blog.usecure.io/the-role-of-human-error-in-successful-cyber-security-breaches.