13th May 2019
Nobody wants to fall victim to a cyber attack but all too often, businesses and consumers alike are a little bit too blasé about online security, wouldn’t you agree? Think about it – how often have you ignored a software update on one of your devices… and did you know that doing so could actually make said device more vulnerable to an attack?
To help increase awareness about the very real dangers of being hacked and the consequences, as well as to encourage behavioural changes to ensure better protection, the government has just announced that new laws are likely to be brought in for devices connected to the internet.
These plans include building basic cybersecurity features into products and providing people with better information as to how secure their devices actually are, with a consultation now having been launched ahead of potential legislation.
The consultation will include discussions on whether a mandatory new labelling scheme is introduced that would say how secure products are, which would mean that retailers will only be able to sell devices that come with an Internet of Things security label.
Once the consultation has been carried out, this label will be launched as part of a voluntary scheme to help people identify those devices that do have basic security features.
Not only that but the focus will also be on mandating three security requirements – that device passwords be unique and not resettable to universal factory settings, that a public point of contact is provided by manufacturers and that the minimum length of time for which the device will receive security updates be explicitly stated.
Margot James, digital minister, said: “Many consumer products that are connected to the internet are often found to be insecure, putting consumers’ privacy and security at risk. Our Code of Practice was the first step towards making sure that products have security features built in from the design stage and not bolted on as an afterthought.
“These new proposals will help to improve the safety of internet-connected devices and are another milestone in our bid to be a global leader in online safety.”
Dr Ian Levy, technical director at the National Cyber Security Centre (NCSC), explained that serious problems in consumer devices like preset passwords that can’t be changed are even now being discovered, describing it as “unacceptable” that manufacturers aren’t fixing such issues.
That being said, it’s also worth noting that people aren’t necessarily always as vigilant as they could be when it comes to choosing their own passwords, either. Have you ever used the same password for more than one account? If you haven’t, then at the very least we bet that you know someone who has.
Recent NCSC research revealed some of the most commonly used passwords that have been accessed in global cyber breaches – and as disturbing as it might be, the results do make for somewhat entertaining reading.
The most used password – used 23.2 million times – was 123456, which we can all probably agree is somewhat uninspired… and certainly not that hard a password to crack! This was followed by 123456789, qwerty, password and 1111111.
From a business perspective in the glorious days of GDPR, you cannot afford to be complacent when it comes to online security. If you do suffer a breach, you could find yourself hit with a serious financial penalty that could spell the end for your company… so perhaps make sure you’re not using 123456 as a password as soon as you can.
There’s actually a very useful little tool you can turn to, thanks to the NCSC, called Exercise in a Box that can help you work out just how prepared and resilient your organisation is to cyber attacks.
You’ll be taken through a series of exercises to help you practise your responses to critical incidents in a safe environment and create summary reports from the exercises, designed to help you identify and improve ways of managing certain threats.
There are lots of different ways you can protect your company from a breach or an attack, but you may not have considered them all. Here are just a couple of steps you could take today that will afford you a greater level of protection.
Password blacklists make sure that people on your team are unable to choose passwords that are commonly found in data breaches. It might be worth reading the full NCSC password report so you can see the kind of terms to include in the blacklist.
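As an added illustration (not code from the original post or from the NCSC), here is a small password checker that rejects the five most-used breached passwords the post lists, plus the obvious tweaks people make to them, such as adding a digit or swapping letters for symbols. The deny-list, the minimum length of 8 and the substitution map are assumptions; a real deployment would load the full NCSC list from a file.

```python
import re
from typing import Optional, Set

# Constructed deny-list: the five most-used breached passwords cited in the post.
COMMON_BREACHED_PASSWORDS: Set[str] = {"123456", "123456789", "qwerty", "password", "1111111"}

MIN_LENGTH = 8  # assumed policy value, not taken from the post

# Undo the usual letter-for-symbol swaps ("P@ssw0rd" -> "password") before checking.
_LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                           "7": "t", "@": "a", "$": "s", "!": "i"})


def denied_reason(candidate: str, denylist: Set[str] = COMMON_BREACHED_PASSWORDS) -> Optional[str]:
    """Return why the candidate is rejected, or None if it passes."""
    lowered = candidate.lower()
    if lowered in denylist:
        return "exact match to a commonly breached password"

    # Drop trailing digits/punctuation: "Password1!" is still "password".
    base = re.sub(r"[\d\W_]+$", "", lowered)
    if base in denylist:
        return f"commonly breached password {base!r} with a suffix added"

    # Reverse simple substitutions: "P@ssw0rd" is still "password".
    deleet = base.translate(_LEET_MAP)
    if deleet in denylist:
        return f"commonly breached password {deleet!r} with letters swapped for symbols"

    if len(candidate) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    return None


def is_acceptable(candidate: str) -> bool:
    return denied_reason(candidate) is None


if __name__ == "__main__":
    # Constructed sample candidates a user might try.
    for pw in ["123456", "Password1!", "P@ssw0rd", "short7", "correct horse battery staple"]:
        print(f"{pw!r:34} -> {denied_reason(pw) or 'ok'}")
```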
A software update, or patch, is a quick fix for a program designed to resolve any potential functionality issues, improve security and add new features… so whenever you get a prompt for an update, always install it as soon as you can.
Training and educating your staff about potential cyber risks is one of the biggest steps you can take towards protecting yourself, as many cyber breaches take place because of human error.
Phishing can be carried out via a text message, phone or social media account, but these days such an attack will usually come in email form. Training people properly and on a regular basis so they can detect phishing emails will be useful, but you should also do all you can to make it hard for attackers to reach your team members in the first place.
Use anti-spoofing controls like SPF, DMARC and DKIM, and reduce the amount of publicly available information about your organisation as far as is practical. Attackers use that information to make their phishing messages look more convincing and genuine.
Regular backups of all data should be taken by all businesses, no matter how big or small they are, making sure that all backups are recent and can be restored. This means that your business will still be able to function, no matter what happens – and that you can’t be blackmailed by ransomware hackers.
Malware (or malicious software) is software or content designed to harm your business, with viruses the most well-known form. To prevent damage being done by malware, install antivirus software, prevent workers from downloading apps, keep all IT equipment up to date and switch on your firewall.
People work remotely a lot, which is great for striking a good work-life balance and giving workers more freedom and flexibility over their lives, but it can pose a bit of a security risk if you’re not careful.
Make sure that all mobile devices have password protection switched on, that all devices can be tracked, locked or wiped in the event that they’re lost or stolen and keep apps and devices up to date.
If you want to talk to software consultants about any of the above to find out what you can do to really protect your business at the moment, get in touch with the team here at Smashed Crab today.