Cyber security threats are growing year on year, and according to the UK Government’s Cyber Security Breaches Survey 2022, 39% of UK businesses have been attacked at least once in the last twelve months.
Despite this, only 23% of businesses have a documented cyber security strategy in place, and only 17% have carried out a vulnerability audit. This means that most businesses aren’t even aware of serious security flaws in their IT ecosystem – let alone how to fix them.
Innovative cyber security consultancy firm FoxTech runs security analyses on hundreds of companies every year using open-source intelligence, picking up on the most common security problems that make companies particularly vulnerable to being hacked. Here, FoxTech provide their insights into four of their most frequently identified issues to help businesses become more aware of the problems they might have, and what to do about them.
Issue 1: You don’t know what devices your employees are working on
The UK government’s Cyber Security Breaches Survey 2021 found that organisations have found it more difficult to keep track of their endpoints since home working has become a widespread practice. Not only have the number of endpoints in the average business increased, but so have the type. Many employees now conduct business on a number of devices each day, including office desktops, company-owned laptops, personal computers and smartphones.
Why is having a lot of devices a problem? Anthony Green, CTO of FoxTech discusses:
“It isn’t a problem in itself,” says Anthony, “but it becomes an issue because today’s model of working can mean that business owners or IT managers don’t even know what devices are being used to access sensitive company data, or how secure these devices are. Problems such as working with unsupported versions of Windows and not updating malware protection and firewall software increased markedly in 2021, compared to 2020, and the Cyber Security Breaches Survey 2021 attributes the decline in proper endpoint security measures to large and diverse device profiles.”
What to do:
- Minimise the amount of sensitive data stored on both company and personal devices by making sure employees can access only the data they need
- Create a ‘bring your own device’ (BYOD) policy. The National Cyber Security centre (NCSC) has an excellent step-by-step guide to creating a BYOD policy
Issue 2: You haven’t kept track of your online assets
“When we run our security analyses, one of the most common things we find are forgotten assets such as website domains and databases. Often, these are exposed to the internet – completely unbeknownst to the company. Forgotten assets are an easy entry point for hackers – they can use them to jump to software, files and devices that you are using in an attempt to steal your data.”
What to do:
- Companies who have lost track of their online assets can run one of FoxTech’s free CyberRisk Assessments. This shows instantly what assets you have, and whether they are exposed to the internet
- Remove/take down any unused assets to ensure your online presence is limited to only what is necessary and manageable
- Invest in professional cyber security monitoring for existing assets to ensure any suspicious activity is spotted
Issue 3: You don’t have DMARC set up
Domain-based Message Authentication Reporting and Conformance (DMARC) is an email authentication, policy, and reporting protocol. In layman’s terms, it protects you from email spoofing (people sending emails on behalf of your domain), spam and phishing scams.
“According to security software firm Trend Micro, 91% of breaches start with a phishing email, so setting up DMARC is one of the best ways to prevent anyone from successfully targeting your email database.”
What to do:
- Configure DMARC. The good news is, it’s not expensive. Installing it yourself is free, and getting it set up by a trusted third-party cybersecurity firm comes at a low cost
Issue 4: You put off installing software updates
Installing software updates is a fast and free way to strengthen company system security. Software updates offer a number of benefits and revisions including patching security flaws, removing bugs and getting rid of any outdated features from your device.
“Installing software updates is incredibly important. Outdated software versions will have security flaws, and hackers look for these types of vulnerabilities because they can be exploited and used to gain access to your device, and eventually, your data. Luckily, this one is an easy fix, once you know what devices need updating.”
What to do:
- Locate devices that are still running on outdated software
- Don’t just rely on alerts. Not all devices give adequate software update alerts, so it’s good practice to manually check for updates at least once a month
- Educate employees on the importance of software updates, and create a company policy around regularly checking for, and installing updates across all your devices and software packages