18 April 2017

Cyber insecurity, or how I learned to stop worrying and love controls

When it comes to cyber security, sometimes it's better to assume the worst and take action to control what users can and cannot do on your systems.

We are constantly inundated with news about businesses being held to ransom or broken into by hackers. Recent events have included the personal data, and sometimes the passwords, of tens of thousands of people (Three), if not millions (LinkedIn and NHS), being lost or stolen.

This is very scary, and a visit to the website ‘Have I Been Pwned’ makes it scarier still. The site collects the account details exposed in known breaches from a variety of sources and lets you check whether your email address or username appears in any of them, which usually means the password that went with it has been circulating too. Many people use the same password for multiple accounts, including their work accounts, and a lot of small businesses still rely on passwords as their principal form of cyber defence. Attackers know this, and credential stuffing (trying a leaked username and password against other services) is how they take advantage of it.

So it’s important not to rely on passwords alone, and even where you do, you cannot rely on users: a large share of breaches start with someone reusing a password, clicking a phishing link or making an honest mistake. You probably can’t even rely on yourself. You are busy and your business is growing, or fighting to grow.

Businesses need to take advantage of new technologies and platforms quickly. To be agile and still able to scale, you work with third parties and put your trust in services you have not had time to review properly. Your risk appetite is probably not being set by your Board; in practice your assessment of the ‘threat’ is set by the speed at which your competitors and customers are moving.

Sooner or later someone will do something that puts your business at risk of being hacked. You need to make that as hard, and as contained, as possible. The good news is that there is a lot of useful free guidance to help you do this. But you also need to assume the worst and take action to control what users can and cannot do on your systems. Think about what information you are trying to protect and what frauds you are trying to prevent, and make sure that anyone with access to your systems, legitimate or not, cannot easily cause your business pain.

This means putting good old-fashioned controls in place: payment approval settings, separate authorisation for changes to payment details, tolerance thresholds, enforced matching of key documentation (purchase order, invoice and goods receipt), validation checks and exception reports. Critically, the person who enters a transaction should not be the person who approves it, so that no single compromised account can complete a fraud on its own.

Of course, some levels of access can circumvent even the best controls: an administrator can usually edit the very records the controls rely on. But adopting the techniques above shrinks the set of accounts that need such powerful rights, which makes them easier to lock down and protect. It also makes it possible to monitor and report on exceptional activity and to spot the outcomes of a compromise at any level, because a transaction that does not match is visible whether it came from a mistake, an insider or an attacker.
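As an added example (not code from the original post), here is what the controls listed above, and the exception reporting that goes with them, look like when written down in Python: a payment-release check that enforces matching of purchase order, invoice and goods receipt, a tolerance threshold, a check of the bank account against the supplier master record, separation between the person who enters an invoice and the person who approves it, an independently authorised change of bank details, and an exception report for anything that fails. All the records, names, account numbers and the 2% tolerance are constructed for the illustration and are not from any real finance system.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List, Optional, Set

# Invoices may exceed their purchase order by at most this fraction before they
# are held for review (assumed policy value for the example).
TOLERANCE = Decimal("0.02")

@dataclass
class PurchaseOrder:
    po_id: str
    supplier: str
    amount: Decimal
    raised_by: str

@dataclass
class Invoice:
    invoice_id: str
    po_id: str
    supplier: str
    amount: Decimal
    bank_account: str
    entered_by: str
    approved_by: Optional[str] = None

def update_bank_details(suppliers: Dict[str, str], name: str, new_account: str,
                        requested_by: str, authorised_by: Optional[str]) -> bool:
    """Change a supplier's bank account only with an independent second person's
    authorisation; returns False and changes nothing otherwise. This is the control
    against 'please pay our new account' invoice fraud."""
    if not authorised_by or authorised_by == requested_by:
        return False
    suppliers[name] = new_account
    return True

def check_release(inv: Invoice, pos: Dict[str, PurchaseOrder],
                  received: Set[str], suppliers: Dict[str, str]) -> List[str]:
    """Return the control failures for one invoice; empty means it may be paid."""
    problems = []
    po = pos.get(inv.po_id)
    if po is None:
        return [f"{inv.invoice_id}: no purchase order {inv.po_id}"]
    # Enforced matching: PO, invoice and goods receipt must agree.
    if po.supplier != inv.supplier:
        problems.append(f"{inv.invoice_id}: supplier differs from PO {po.po_id}")
    if inv.po_id not in received:
        problems.append(f"{inv.invoice_id}: no goods receipt for PO {po.po_id}")
    # Validation check and tolerance threshold.
    if inv.amount <= 0:
        problems.append(f"{inv.invoice_id}: non-positive amount")
    elif inv.amount > po.amount * (1 + TOLERANCE):
        problems.append(f"{inv.invoice_id}: {inv.amount} exceeds PO {po.amount} beyond tolerance")
    # Pay the account on the supplier master record, never the one printed on the invoice.
    if suppliers.get(inv.supplier) != inv.bank_account:
        problems.append(f"{inv.invoice_id}: bank account does not match supplier record")
    # Segregation of duties: the approver must differ from whoever entered the
    # invoice or raised the PO, so no single account can pay itself.
    if inv.approved_by is None:
        problems.append(f"{inv.invoice_id}: not approved")
    elif inv.approved_by in (inv.entered_by, po.raised_by):
        problems.append(f"{inv.invoice_id}: approver {inv.approved_by} also entered or raised it")
    return problems

def exception_report(invoices, pos, received, suppliers) -> Dict[str, List[str]]:
    """Invoice id -> failures, for every invoice a control rejected."""
    report = {}
    for inv in invoices:
        failures = check_release(inv, pos, received, suppliers)
        if failures:
            report[inv.invoice_id] = failures
    return report

def sample_report() -> Dict[str, List[str]]:
    """Run the controls over a small constructed data set (all values invented)."""
    pos = {"PO-1": PurchaseOrder("PO-1", "Acme Ltd", Decimal("1000"), "alice"),
           "PO-2": PurchaseOrder("PO-2", "Bolt plc", Decimal("500"), "alice")}
    received = {"PO-1"}
    suppliers = {"Acme Ltd": "GB11ACME0001", "Bolt plc": "GB22BOLT0002"}
    invoices = [
        # Clean: within tolerance, matches PO and receipt, approved by a third person.
        Invoice("INV-1", "PO-1", "Acme Ltd", Decimal("1015"), "GB11ACME0001", "carol", "dave"),
        # Fraud pattern: inflated amount, unknown bank account, self-approved.
        Invoice("INV-2", "PO-1", "Acme Ltd", Decimal("1100"), "GB99MULE0009", "carol", "carol"),
        # Premature: goods not received yet and nobody has approved.
        Invoice("INV-3", "PO-2", "Bolt plc", Decimal("500"), "GB22BOLT0002", "carol"),
        # No purchase order at all.
        Invoice("INV-4", "PO-9", "Acme Ltd", Decimal("75"), "GB11ACME0001", "carol", "dave"),
    ]
    return exception_report(invoices, pos, received, suppliers)

if __name__ == "__main__":
    for invoice_id, failures in sample_report().items():
        print(invoice_id, "->", "; ".join(failures))
```

Running it lists INV-2, INV-3 and INV-4 with the reasons each was held, and leaves INV-1 off the report. The point of the design is that the checks are mechanical and independent of who is asking: a compromised account that enters an invoice still needs a second, different account to approve it, and changing where the money goes needs a third person again.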

You need to make sure third parties also operate robust controls, and that they are obliged to do so under their contract with you. Never sign up to a service without reading the terms and conditions. This may sound very basic, but it is surprising how many small businesses do not know what terms they are operating under, including who is responsible for security and for telling them when something goes wrong.

Finally, make sure you can recover key services quickly. Ransomware is on the increase and becoming more sophisticated, but regular backup and tested recovery can defeat it without your spending a fortune. Two caveats: keep at least one copy of the backups offline or otherwise out of reach of the accounts that write to your live systems, since ransomware will encrypt any backup it can reach, and actually rehearse a restore, because a backup you have never restored from is an assumption, not a control.

In short, don’t put all your eggs in the basket of password controls. Think about what is critical to your business and build the necessary defences to protect it.
