As a business owner you are responsible for ensuring the cyber security of your staff and customers. Small business owners often make the mistake of thinking that hackers are only interested in targeting global enterprises, but the truth is your business is under just as much threat - hackers are interested in data, not where it comes from.

Being aware of the types of cyber threats is the first step in ensuring the cyber security of your business. Three of the biggest and most publicised internet security threats of 2014 were Heartbleed, Shellshock and Poodle.

Heartbleed

The Heartbleed bug was a widespread flaw in encryption software that let attackers capture private information users enter into websites, applications and web email, such as passwords and credit card details. At the root of Heartbleed was encryption. The internet has a set of protocols for security and encryption commonly known as Secure Sockets Layer (SSL) and Transport Layer Security (TLS), and the most common implementation of SSL and TLS is a set of open source tools called OpenSSL. The Heartbleed bug had the ability to defeat these security layers and capture passwords, forge authentication cookies and obtain private information. The Heartbleed bug affected a host of popular websites including Google and Yahoo!.

Shellshock

Shellshock, also known as Bashdoor, is a flaw in a software component known as Bash. Bash stands for 'Bourne Again Shell', a command line shell that allows users to launch applications by typing text commands. It is typically installed on non-Windows operating systems such as Mac, UNIX and Linux.

The bug allows malicious code run within the Bash shell to take over an operating system and, in turn, gain access to any data on the machine. In layman's terms, data such as passwords and credit card details stored on computers using operating systems such as Mac, UNIX and Linux could have been compromised.

Poodle

Google researchers have recently uncovered the latest bug affecting web-encryption technology SSL 3.0, which allows hackers to take over email, banking and other online accounts. The bug exists in old software that is still used by some web browsers and servers.

Poodle, which stands for Padding Oracle On Downgraded Legacy Encryption, works when websites use SSL 3.0 to encrypt traffic: hackers can trick computers into downgrading their encryption standard to SSL 3.0 when sending sensitive information.

Poodle is believed to be less threatening than Shellshock and Heartbleed as the attacker would need to be physically close to their victims, whereas Shellshock and Heartbleed vulnerabilities could be exploited from any location. 

Threats to small businesses

It pays to have an awareness and understanding of the capabilities of the hackers and the potential threats they could pose. There are four common ways hackers can gain access to your business and sensitive information relating to your staff and customers. Identifying your vulnerabilities is key to protecting your business from potential cyber-attacks.

Weak passwords

Weak passwords are one of the most common ways hackers can gain access to your data. A hacker can run 420 billion simple, lowercase, eight-character password combinations per minute.

A staggering 80% of cyber-attacks involve weak passwords and 55% of people use the same password for multiple accounts. In 2012, LinkedIn was targeted by hackers who obtained 6.4 million passwords.

Malware attacks

When you establish an internet connection your system is vulnerable to malware attacks. The term malware encompasses Trojan Horse viruses, worms and other system viruses; malware often makes its way into your system via infected email or instant messaging attachments and through file sharing programs. Reduce your risk of attack by not opening emails or attachments from unknown users.

Phishing emails

Phishing emails are bogus but official-looking emails that prompt you to enter your password or account details, or to click infected web links. The damage caused by phishing can range from being unable to access accounts to serious financial loss.

Social engineering

Social engineering is when hackers pretend to be you to reset passwords. In 2009 social engineers posed as Coca-Cola's CEO, persuading an employee to open an email containing software that was able to infiltrate their network.

Install browser and operating system updates

Hackers are constantly devising new sophisticated ways to infect web browsers and operating systems, so ensure your web browser (e.g. Google Chrome, Firefox, Internet Explorer and Safari) and OS (e.g. Windows, Linux, Mac) are up-to-date and you are using the latest versions.

Implement a password policy

Use different passwords for each account and use a mixture of upper and lower case letters, numbers and punctuation marks. It is good practice to change passwords frequently, especially when an employee leaves the business. Keep passwords on a need-to-know basis: the fewer people who know the password, the better.
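The following is an added example, not part of the original article, that checks a set of account passwords against the policy above (all four character types, no reuse between accounts) and estimates how long an exhaustive search would take at the 420 billion guesses per minute quoted earlier. The account names and passwords are constructed samples, and applying the quoted rate to every character set is an assumption.

```python
import string

GUESSES_PER_MINUTE = 420_000_000_000  # rate quoted in the article (assumed for all charsets)

# The four character types the policy asks for.
CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digits": string.digits,
    "punctuation": string.punctuation,
}

def classes_used(password):
    """Names of the character types that appear in the password."""
    return [name for name, chars in CLASSES.items()
            if any(c in chars for c in password)]

def minutes_to_exhaust(password, rate=GUESSES_PER_MINUTE):
    """Worst-case minutes to try every password of the same length
    drawn from the character types this password uses."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return alphabet ** len(password) / rate

def audit(accounts):
    """accounts maps account name -> password; returns account -> findings."""
    first_owner = {}  # password -> first account seen using it (in memory only)
    findings = {}
    for account, password in accounts.items():
        issues = []
        used = classes_used(password)
        missing = [name for name in CLASSES if name not in used]
        if missing:
            issues.append("missing: " + ", ".join(missing))
        if password in first_owner:
            issues.append("reused from " + first_owner[password])
        else:
            first_owner[password] = account
        findings[account] = issues
    return findings

# Constructed sample data, not real credentials.
SAMPLE = {"email": "password", "bank": "Tr1cky!pass", "payroll": "Tr1cky!pass"}

if __name__ == "__main__":
    for account, issues in audit(SAMPLE).items():
        minutes = minutes_to_exhaust(SAMPLE[account])
        print(f"{account}: {issues or 'ok'} (~{minutes:.3g} minutes to exhaust)")
```
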

Use two-factor authentication where possible: two-factor authentication (2FA) is when two different pieces of information are needed to access an account. It is widely available on many services such as Google Drive and Dropbox. Visit twofactorauth.org for a list of services that use 2FA.

Physical security

Mobile devices such as notebooks, laptops, smartphones and tablets are at higher risk of being stolen; ensure password or PIN code protection and data encryption are used where possible on these devices to limit the risk of information being accessed. Never store account passwords on your devices.

Internet security software

Software such as Norton AntiVirus, McAfee and AVG is designed to protect your computer and emails from viruses. It is important to install software updates and schedule regular virus scans on all of your computers.

Protecting your business

There are a variety of ways to protect your business against cyber-attacks. One of the most important things to remember is to be vigilant, always believe you are vulnerable to attack and take the above precautions to ensure your business's internet security.  

Cyber Streetwise

Cyber Streetwise is a government campaign to help businesses and consumers protect themselves against cyber threats. The website, Cyberstreetwise.com, provides easy to follow advice, resources and guidance specifically for SMEs covering everything from anti-virus protection to simple IT policies which will equip them and their staff with the basic tools to defend their business against online attacks.

For more information visit www.cyberstreetwise.com