Successful cyber attacks often begin by targeting a company's employees through social engineering: the psychological manipulation of people into performing actions such as divulging confidential information or granting access to critical systems. Social engineering is the primary way cyber criminals gain access to sensitive data, infrastructure and money.
Adam Anderson is co-founder of Hook Security, providing cyber security awareness training, and managing general partner of Ansuz Capital, a cybersecurity venture fund. With his twenty years of experience in the field of cyber security, Anderson has pioneered and created a new field of study inside security, psychological security (PsySec), to combat the epidemic of social engineering.
From an interview with Anderson, here are seven things business owners can do to prevent and survive a cyberattack.
Take regular backups
Taking backups of your critical data is, well, critical. It mitigates the risk should you be the target of a ransomware attack, reducing the impact by letting you reliably recover your data. Ransomware is malicious software that encrypts your files or locks you out of a system and demands payment to restore access. Ransomware is serious business; Garmin reportedly paid a $10 million ransom after its systems were hit in 2020. A backup only counts if it is kept somewhere the attacker cannot reach and you have actually tried restoring from it: a copy on the same machine, or on a drive that is always plugged in, will simply be encrypted along with everything else.
Anderson recommends you “use cloud-based tools such as Dropbox, Google Drive and Box, instead of storing files only on your computer. Configure them to back up your important information automatically.” “Whilst it is true that online companies such as Microsoft, Google and Apple get hacked, they are still many times better at security than you are,” he added. With cloud-based programmes, if the worst should happen, you can “simply rebuild the computer, or pick up a new one, and log back into your applications,” which means you are down for “hours, not weeks.” One caveat: file-sync services copy changes as they happen, so files encrypted by ransomware are synced too. Turn on the provider's version history so you can roll files back, and keep at least one copy that the compromised machine cannot overwrite.
Take out cybersecurity insurance
Cybersecurity insurance policies are valuable in two main ways, according to Anderson. Firstly, they reduce the impact of a cyber attack by reimbursing your losses and providing resources for recovery. Secondly, “they explain exactly what they need to see from your security posture to guarantee a pay out on the policy.” Simply meeting the insurer's requirements raises your baseline level of protection.
Anderson recommends the policy you take “comes with a disaster recovery team, a financial pay out, and clear instructions on what you must do to be compliant,” but says “there really isn’t a significant difference” between providers.
Keep your software updated
Another area of risk is security flaws in the software your company already runs on its devices. But before you throw away your laptop, understand that most of these vulnerabilities have already been discovered and fixed in the latest version of the software. This means software updates are key.
Anderson explained that “the technology and paths used to breach a machine are dependent on holes in the system that hackers can exploit.” Microsoft, and a number of other vendors that have aligned with it, release fixes for these holes on the second Tuesday of each month, known as Patch Tuesday, when the updates become available to all users. But it’s not that easy. “Cyber criminals know that most people won’t update their machines and they immediately deploy new attacks that count on the presence of those security holes.” Updates are essential to stay safe, so turn on automatic updates wherever the software offers them, rather than waiting for a reminder. “By updating your computer, you defeat the majority of automated attacks that hit users thousands of times each day.”
Two-factor authentication
A password is just one factor of authentication, and “cracking a username and password can be very simple.” Cyber criminals will either “trick you into giving them the information” or “crack it using technology.” With two-factor authentication (2FA) in place, a second proof of identity is required at login, and accessing your accounts is much harder. Yes, it’s a pain, but Anderson believes it’s well worth it.
“When 2FA is in place, even if they have your username and password, they can’t log in because they don’t have your key fob, phone or whatever else they need.” Two-factor authentication typically takes the form of a phone app or text message containing a code that you type in during login. Codes sent by text message are the weakest of these options, because a text can be redirected by someone who takes over your phone number; prefer an authenticator app or a hardware key where the service offers one. “Almost all applications have 2FA. Check the help section of their websites and follow the instructions.” Note, don’t store your 2FA in a 1FA place. “Programmes such as LastPass offer to store your 2FA codes safely, but LastPass only requires 1FA to log in.” If in doubt, keep them separate.
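To show what the six-digit code from an authenticator app actually is, here is a worked example, added to this article and not code from Anderson or Hook Security. It implements HOTP (RFC 4226) and time-based TOTP (RFC 6238) in plain Python, the same scheme Google Authenticator and similar apps use: the app and the service share a secret, and each code is an HMAC over the current 30-second time window, so a stolen password alone is useless without the secret. The `TotpVerifier` class is the server side; its replay check (never accept a counter at or below the last one used) and the one-step clock-skew window are design choices assumed here, not something the article specifies. The secret is the RFC 6238 test vector, so the results can be checked against the standard.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, then reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter set to the current `step`-second window.
    This is what the authenticator app computes and displays."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def decode_otpauth_secret(b32: str) -> bytes:
    """Secrets in otpauth:// QR codes are base32, often shown unpadded and spaced."""
    cleaned = b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)         # restore padding base32 decoding requires
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Server-side check. `window` is how many 30-second steps of clock skew to
    tolerate in either direction (assumed value: 1). A code is accepted at most
    once: after a counter is used, it and every earlier counter are rejected."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1                   # highest counter already accepted

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        if at is None:
            at = int(time.time())
        counter = at // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue                         # replay of a used (or older) code
            # constant-time compare so timing does not leak which digits matched
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.last_counter = c
                return True
        return False


# RFC 6238 test secret (constructed input for the demonstration, not a real credential)
TEST_SECRET = b"12345678901234567890"
TEST_SECRET_B32 = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"


def demo() -> dict:
    """Exercise the pieces the way a login would: the app shows totp(); the
    server checks it with TotpVerifier. Returns the results for inspection."""
    secret = decode_otpauth_secret(TEST_SECRET_B32)
    verifier = TotpVerifier(secret)
    at = 59                                      # RFC 6238 vector: T = 59 -> counter 1
    code = totp(secret, at=at)
    return {
        "secret_matches": secret == TEST_SECRET,
        "code_at_59": code,
        "first_use_accepted": verifier.verify(code, at=at),
        "replay_rejected": not verifier.verify(code, at=at),
    }


if __name__ == "__main__":
    print(demo())
```

Note what the verifier deliberately does not do: it does not accept the same code twice, even inside the skew window, which is the property that makes an intercepted one-time code worthless a minute later. Storing `secret` next to the password it protects, as the article's LastPass caveat warns, collapses the two factors back into one.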
Use a non-admin account for daily work
“Don’t give yourself permission to accidentally hurt yourself,” Anderson implores. A second login can protect you: “create a non-administrator account for your computer and conduct your day-to-day access using that account.” It makes sense. Malicious software runs with the rights of the account that launched it, so keeping the administrator account for installs and system changes and working from a standard account means “reduced likelihood of you installing harmful software by accident.”
If your daily work doesn’t need administrator rights, why needlessly expose them? List the programmes you use and note which genuinely need administrator rights to run (most don’t); then do your everyday work from the standard account and switch to the administrator account only when an install or configuration change demands it.
Surfing whilst travelling
Working from new places poses further risk. In a quest to be productive whilst travelling, unsecured Wi-Fi networks are tempting. What can go wrong, right? A lot. Working remotely, from coffee shops and hotel lobbies, brings more risk than logging onto your home network, but most of it is avoidable.
Anderson recommends you use a “virtual private network (VPN) to protect your data whilst you access it.” A VPN encrypts your traffic between your device and the VPN provider, so anyone else on the same Wi-Fi network cannot read or tamper with it. Protect yourself further by “never using WIFI networks that don’t have a password as they are rife for hacking.” On an open network anyone nearby can join and reach your device directly; an attacker there could “record your keystrokes, camera or microphone, plus all your files.” It’s just not worth it. Instead of relying on dodgy coffee shop internet, “carry a portable router, tether from your phone or stay offline.”
Think like a hacker
Gadgets and programmes aside, “the most important part of all this is training your brain.” Think like a hacker so you can close the holes they will look for. Know what they are after to make sure it isn’t there to find. Cybersecurity awareness training programmes are a way to “train yourself and your people to spot scams and stay safe.” Knowing the difference between a genuine email and a phishing attempt, plus locking down data and software, can save thousands in material, mental and reputational damage.
What’s the value of your data and software? What price do you put on your peace of mind? Taking just a few steps can deter attackers, reducing both the chance of a successful cyber attack and the impact it has on your organisation.