I recently sat on a conference panel in Hong Kong on cybersecurity where the title of the panel was “Cybersecurity – should I be concerned?”. Considering this was a conference for financial institutions in Hong Kong the title somewhat scared me that in this day and age we are still asking whether or not a company should take cyber crime seriously. Those days have long gone and every company should by now have a strategy to deal with this serious issue.
This article is not meant to cover all aspects of cyber security as it is extremely complex and can be very expensive to implement. The purpose here is to cover the basics in a business English with real world examples of how to make yourself protected such that the criminals will go after someone else because your business is just that bit too hard to get into.
In this article, I will cover a few points from definition of cybercrime to types of cybercrime to how to prevent it with free and cost based initiatives. But first lets start with some interesting statistics.
Some Cyber Stats
Time to try to scare you into action with a few stats. Gone are the days where the target of cyber attacks were large organisations or government bodies. It is important to know that now 43% of cyber attacks target small business and of those that are unfortunate to get successfully attacked 60% of them go out of business with six months of the attack. One of the main reasons for this is that in small and midsized companies 60% of all employees use the exact same password for everything they access and that leads to 63% of all data breaches are caused by a weak, default or stolen password.
Once the criminals are in they stay dormant for an averages of 200 days whilst they gather information about your company. On average compromises go unnoticed for 17 months.
By 2019 the global cost of cyber crime will reach US$2 trillion. Cybercrime will reach US$2T by 2019 so lets try to ensure that your business is not contributing to that amount by being aware of the risks and how to mitigate them
So what is Cybercrime?
Cybercrime is defined as a crime in which a computer is the object of the crime (hacking, phishing, spamming) or is used as a tool to commit an offense (child pornography, hate crimes). Cybercriminals may use computer technology to access personal information, business trade secrets or use the internet for exploitive or malicious purposes.
Common types of attack
- Phishing – when someone sends an email pretending to be genuine but trying to get passwords or credit card info etc.
- Spear Phishing (whaling) – a attempt to extract confidential information from a specific person by pretending to be a known trusted person.
- Malware – malicious software delivered by attachments to email or websites that are supposed to disrupt business or control computers.
- Ransomware – a type of malware that encrypts data and demands a ransom to unlock it. (wannacry)
- Watch out for Mobile Malware – 300% growth month on month. Delivery by email, social media, sms. Infection can mean full access to corporate email
Cyber Action Items
Before anything else is done the absolute first thing to perform is Security Patching and Updating of your servers, firewalls and desktops / laptops etc. A policy and strategy on patch management could be drafted at this stage.
Next is to engage a third party security company to do an independent Vulnerability scan of all external facing infrastructure. With that report your internal or outsourced IT should perform remedial work to fix any issues found in the report.
Whilst the first two items are being performed this is a good opportunity to check your Backup strategy and perform restore testing. A good backup strategy will ensure you do not have to pay any ransomware fees.
Also at this point a complete change of passwords should be implemented if it has not been done recently. A strong Password Policy should be implemented with regular updates.
Here is where it gets a bit more complex. Get your IT vendor or Department to implement the following 4 solutions:-
- An Email gateway solution on top of your email system to filter out threats and add an additional layer of security. There is a cost to this but it is well worth implementing.
- If you have a good firewall then implements its Web Filtering functionality to block malicious sites. If you don’t then use an external third party solution. Again this will cost but this should reduce the risk of infection from users clicking links in emails or websites etc.
- Two factor authentication is becoming more readily available and in many instances it is free. This helps to prevent stolen access to accounts because if someone gets your password and tries to log in you will get a mobile sms.
- Enable Encryption for all mobile and laptops. If you then lose your device the contents are secure because no-one can see them.
An additional policy to implement with staff is to never use free public Wi-Fi’s. Always hotspot from your mobile phone if you want to use your laptop in a coffee shop. Ensure in the office you have Separate Wi-Fi for corporate use from guests. If you are really paranoid then at home separate your wifi for business use from your family used wifi.
Finally the most important of all aspects of cyber crime prevention is Staff Training, training and more training. Engage an external vendor to train your staff on how to be cyber aware and act accordingly to suspicious situations.
HK Government Support
Any now to the easy part. The Hong Kong Innovation and Technology Bureau in November 2016 launched the Technology Voucher Programme (TVP) which is a 2 : 1 cost matching programme for projects up to HK$300,000. This means if the company wants to implement a cybersecurity project that costs HK$300,000 then the company initially pays HK$300,000 and the Government will reimburse HK$200,000.
This can be applied for projects that improve the use of technology in a company that can be packaged as an application to the government for funding.
The scope of projects covers many areas where technological improvement can be made to a company but specifically it includes Cyber Security.
Details can be found at https://tvp.itf.gov.hk/
COO, FunctionEight Limited
Email : firstname.lastname@example.org
Phone : +852 2868 2855
Website : www.functioneight.com