Cyber security is a wide-ranging term that can relate to a plethora of complicated issues that are far above the head of the average person. However, small businesses can take strides towards making themselves more secure by taking simple steps to secure their information by avoiding negligent security habits.
These small practices begin with a basic understanding of the very basic risks faced today – something surprisingly few small business owners possess. That’s why we produced The small business A – Z of Cyber security, a glossary of terms with definitions of common phrases relating to cyber security and the PCI DSS. Download it and keep it on your desktop to refer to when needed.
So, to begin gaining a basic understanding of this topic, let’s examine some common threats that will help you get to grips with cyber security.
This is a broad term but refers to a malicious piece of code that can cause a computer system to malfunction in a variety of ways to the detriment of the machine or its user. Effects can range from upsetting the use of programs such as Word or Excel, making data inaccessible, slowing the speed of the machine to simply downloading advertisements. Basic viruses can be defended against using robust anti-virus software.
A worm is a form of virus that replicates itself and then moves to another computer or system quickly and without permission. It uses computer networks to duplicate rapidly and thrives on systems without adequate defences in place. Again, antivirus software is a good place to start to defend against worms.
A Trojan Horse is a virus/malware that disguises itself in some way with the intention of tricking the user to allow it onto the machine’s system. It often hides itself within a folder of genuine files and when the unsuspecting victim opens the file, the malicious content executes. Businesses need to employ strong anti-malware and endpoint protection software to defend against Trojans and ensure they scan all incoming files. Effective firewalls are a good defensive technique against Trojans also.
Malware (short for malicious-software) is an umbrella term used to describe a host of different viruses, worms and Trojans ranging from the relatively harmless to the very malicious. It is Software or Firmware designed to infiltrate or damage a computer’s system without the owner’s knowledge or consent, with the intent of compromising the confidentiality, integrity, or availability of the owner’s data, applications, or operating system.
Adware (short for advertising-supported software) is a form of Malware that’s purpose is to display advertisements. It commonly displays advertisements via pop ups on websites or in free versions of software. Adware often display itself in ways that are intrusive to the user causing a negative browsing experience. Although more annoying than harmful, Adware is often coupled with Spyware (see below).
As the name suggests, Spyware is a form of Malware which spies or monitors victim machines in order to gain information which can be used for malicious purposes. Spyware can monitor a user’s online activity, gain login credentials and even log the keystrokes users are inputting to their keyboard. It then reports this information back to its creator who can then use the information to access personal online accounts. Good anti-virus software and regular scanning are needed to avoid Spyware.
Ransomware is a form of malware that infects a victim’s system by encrypting or blocking access to all folders and files on the user’s network. The victim must then pay money (i.e. a ransom) for access to the blocked files to be restored. Payment is usually demanded via an untraceable cryptocurrency such as Bitcoin. It is a favourite with organised hacking groups as it gives them a revenue stream to fund their extensive efforts.
Businesses need to employ strong anti-malware protection and firewalls to mitigate the risks of Ransomware as well as taking regular backups of valuable files. It’s important to educate staff on how not to fall victim to Phishing attacks (see below). Using Endpoint Protection with Containerisation enabled is also an effective (but not guaranteed) defence.
Phishing is the practice of a hacker attempting to fool an unsuspecting user into accessing a malicious link or downloading an infected file through the practice of Social Engineering. A Hacker will send an email to an employee pertaining to be from a legitimate business with offers via “The Link Below” or in “The Attachment.” The unsuspecting employee clicks the link or downloads the attachment which then downloads malware or ransomware. As the user allows the code to download or the link to execute, this can enable the malware to bypass traditional anti-virus software or inadequate firewalls, heightening the impact.
Educating staff to the dangers of clicking links and downloading unknown files is the most effective form of defence against this attack form. Strong Endpoint Protection and Firewalls are also needed.
Social Engineering goes hand in hand with Phishing and involves a hacker looking for information from an unsuspecting employee in a variety of ways to gather information to launch a targeted attack. For e.g. a hacker may make a phone call to the target company, asking for names of individuals and their job titles etc. They can then compose a Phishing email (see above) that will look much more realistic and more likely to gain a click or download.
Again, educating employees so they are aware of this threat is the most effective defence. Information Security policies and procedures need to be clearly outlined and communicated to staff.
A Distributed Denial of Service (DDoS) attack is an attack on a website whereby hackers overload the target site with fake web traffic with the intention of it crashing due to an overload. Many small business websites fall victim to DDoS attacks as they lack basic security in place. This threat can be mitigated against with the application of a Web Application Firewall (WAF) (see below).
Type of malicious software that when installed without authorisation, can conceal its presence and gain administrative control of a computer system. It differs from viruses and ransomware as the aim of a rootkit is to remain concealed from notice by the user, exfiltrating data overtime. Powerful anti-malware solutions are required to detect rootkits on computers.
If you haven’t already done so, consider some of the following defensive elements and apply them in your business.
AV software is essential for any business and is an imperative first step in your defences. There are many different types and various levels of protection, but it generally works by scanning your machines and systems for signs of known viruses or malware and then either deletes them or moves them to a secure vault. It’s very important for small business to employ high AV protection and to scan your machines regularly. The use of free anti-virus packages is not recommended.
A firewall is a form of protective barrier around your system that blocks malicious files from getting to your machines in the first place and can be configured to prevent sensitive files from being extracted. It needs to be set up properly and a set of rules or policy applied for it to be effective.
Many businesses protect the main desktop computers in use in their business but then neglect their other devices – mobiles, tablets etc. As a business you need to consider Advanced Endpoint Protection to defend all devices from threats. Any machine that connects to your business’ network is a potential weak point.
Web Application Firewall (WAF)
A WAF acts as a firewall for your website, defending it against common forms of online attack. It is particularly effective in defending against DDoS attacks.
Awareness and Education
Ensuring you and your staff are aware of the common threats is a major step towards protecting your business. An Information Security Policy is mandatory to comply with the PCI DSS so ensure this is applied across the board. Consider applying other policies to areas such as responding to a virus outbreak or policies around the use of personal mobile phones and the use of work computers for personal browsing to limit risks.
There are many ways in which you can protect your business from cyber-attack, these are just some measures.
Ensure you have an understanding of all the common terms with The small business A – Z of Cyber security, a glossary of terms with definitions of common phrases relating to cyber security and the PCI DSS. Download it and keep it on your desktop to refer to when needed.
If you are a merchant that requires technical or PCI DSS help, please click here