Common cybersecurity threats (and how to avoid them)

It seems hardly a week passes without another big news story about a data breach. Large companies are often targeted by hackers in order to access their private files and databases, either to make money or as an act of virtual vandalism. However, this doesn’t mean that smaller companies don’t have to worry about their own cybersecurity.

Cybersecurity is something that all employees need to be aware of, regardless of what files they have access to. The good news is that you don’t need to know a whole lot about computers or be good with technology – you just have to learn a few simple tips, and instil some common-sense practices when using computers at work.

Privilege abuse

Privilege abuse is an often-overlooked cyberthreat. Every enterprise manages critical endpoints, accounts, and information, and access to these must be strictly regulated. Often, employees have accounts with the least amount of privileges needed to perform daily operations. However, they may temporarily need higher privileges to perform business-critical actions, such as accessing critical logs, restarting applications, and troubleshooting servers. When the necessary access control mechanisms are not in place, these temporary privileges turn into standing privileges, granting users prolonged elevated access to critical systems. This leads to privilege creep, which can make your enterprise vulnerable to privilege abuse attacks.

When attackers gain access to accounts that have excess privileges, they can move laterally within the network and access more information by masquerading as authorized personnel. Without tight security measures in place, admins will be unable to differentiate legitimate activities from unauthorized ones, enabling the attackers further. Even in the absence of external threats, without privileged access management (PAM) routines, enterprises may fall prey to insider threats and human error.

Such threats can be efficiently tackled with the help of a PAM solution. Enterprise solutions like ManageEngine PAM360 help businesses discover, store, and manage privileged users, accounts, and resources all in one place. Such solutions can also integrate with your IT ecosystem and automate privileged access routines across your enterprise.
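The privilege creep described above can be checked for directly. This added example (not from the original article or from any PAM product) audits temporary elevations against the window they were approved for; the record layout, user names and role names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records: each temporary elevation has an approved
# lifetime (ttl_hours) and, if it was ever removed, a revocation time.
GRANTS = [
    {"user": "asmith", "role": "log-reader", "granted": "2024-03-01T09:00",
     "ttl_hours": 4, "revoked": "2024-03-01T12:30"},
    {"user": "bjones", "role": "server-admin", "granted": "2024-03-02T10:00",
     "ttl_hours": 2, "revoked": None},
    {"user": "cwu", "role": "app-restart", "granted": "2024-03-05T08:00",
     "ttl_hours": 8, "revoked": "2024-03-09T08:00"},
    {"user": "dlee", "role": "server-admin", "granted": "2024-03-10T07:00",
     "ttl_hours": 6, "revoked": None},
]

def find_privilege_creep(grants, now):
    """Return (user, role, kind, overrun) for grants that outlived their window.

    kind is 'standing' when the elevation is still active past its deadline,
    or 'revoked-late' when it was removed only after the deadline had passed.
    """
    findings = []
    for g in grants:
        deadline = datetime.fromisoformat(g["granted"]) + timedelta(hours=g["ttl_hours"])
        ended = datetime.fromisoformat(g["revoked"]) if g["revoked"] else None
        if ended is None and now > deadline:
            findings.append((g["user"], g["role"], "standing", now - deadline))
        elif ended is not None and ended > deadline:
            findings.append((g["user"], g["role"], "revoked-late", ended - deadline))
    # Longest overrun first: these are the accounts to review before any others.
    return sorted(findings, key=lambda f: f[3], reverse=True)

if __name__ == "__main__":
    for user, role, kind, overrun in find_privilege_creep(GRANTS, datetime(2024, 3, 10, 9, 0)):
        print(f"{user:8} {role:14} {kind:13} overrun {overrun}")
```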

USB sticks

USB sticks, thumb drives, flash drives – whatever you call them, they’re an important part of many modern workplaces. USB sticks allow you to quickly and easily transfer files between two computers, such as between a laptop and a desktop. For younger generations, this will have been the primary way of moving work between home and school, and it’s a habit that’s easily carried into the workplace.

While there doesn’t necessarily have to be a ban on using USB sticks at work, they should be approached with extreme caution. Many workplaces use something called a Local Area Network (LAN) to link computers together, with strict controls on what can be downloaded and accessed online. USB sticks can circumvent this, and introduce files to a network that can compromise multiple computers and storage devices.

The collapse of NHS England’s IT network a couple of years ago is an example of PCs being compromised by a virus-infected USB stick. This is often exacerbated by the old computers and operating systems used by businesses, which become increasingly vulnerable to viruses and other malware over time. A USB stick can essentially be a ‘breeding ground’ for dodgy viruses, and a vector by which they can infiltrate a network.

If USB sticks are a pivotal part of your business, there are a few steps you can take to increase security. One is to ensure they are fully formatted before use, cleaning out all data (and viruses). The second is to ensure that you only copy safe file types which have been virus scanned, such as .docx or .xls files. Never copy .exe or similar software files onto a USB stick, as these are common vectors for viruses, no matter how safe you think they are.

Email attachments

A similar problem arises with email attachments. We’re probably all familiar with spam emails, and some can be harder to spot than others. If you download and open a dodgy attachment on your home computer, this can introduce malware that repurposes your computer to mine cryptocurrency, ransoms your files, or uses your system in some other way. Do this on a workplace network, and it could spread to dozens or hundreds of PCs.

Most workplaces will use some kind of antivirus software to scan email attachments at source, and prevent you from downloading them if they contain a virus, or even if they use a certain file extension (e.g. .exe). But this isn’t foolproof, and some files can slip through the net. As such, it’s important to have good ‘spam literacy’, and follow a few simple tips.

The first thing to do is to check the address of the person who has sent you the file. Spam emails will often use an official-sounding name to try and trick you into thinking they are from a legitimate source, but the email address is harder to spoof. Depending on the email client, you can usually find the email address of the sender underneath their name, or by clicking on their name to expand it. If it’s an email from a website such as Amazon, for instance, don’t trust any email address that doesn’t end with @amazon.co.uk.
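The sender check above, written out as an added example (not part of the original article). The `TRUSTED` table and the sample headers are constructed; the point is that the domain must match exactly or be a true subdomain, because a plain "ends with" or "contains" test is fooled by lookalikes.

```python
from email.utils import parseaddr

# Assumption for illustration: brand name -> domains it genuinely sends from.
TRUSTED = {"amazon": {"amazon.co.uk"}}

def check_sender(from_header):
    """Classify a From header as 'ok', 'mismatch' or 'unknown'.

    Only the visible From header is inspected; this mirrors what a reader
    can verify by eye in a mail client.
    """
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "mismatch"
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    # Which known brands does the message claim, in its name or its domain?
    claimed = [b for b in TRUSTED if b in display.lower() or b in domain]
    if not claimed:
        return "unknown"
    for brand in claimed:
        for good in TRUSTED[brand]:
            # Exact match, or a subdomain separated by a real dot.
            if domain == good or domain.endswith("." + good):
                return "ok"
    return "mismatch"

# Constructed sample headers.
SAMPLES = [
    '"Amazon.co.uk" <orders@amazon.co.uk>',
    '"Amazon Support" <help@amazon.co.uk.account-verify.example>',
    '"Amazon Support" <support@amaz0n-billing.example>',
    'Amazon <refunds@notamazon.co.uk>',
    'Jane <jane@partner.example>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{check_sender(header):9} {header}")
```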

The other trick is to avoid downloading attachments altogether and share files through the Cloud instead, either using a service such as Dropbox or a platform such as Google Drive. These services will normally virus scan the files for you, while editing documents live in Google Drive eliminates the risk of downloading documents entirely.

Poor password security

You’ve probably heard the same spiel about passwords a hundred times already, but that doesn’t make it any less pertinent. Strong passwords are the foundation of all cybersecurity, and the best defences will fail if you give someone a key for the front door. Password security means not just keeping your password to yourself, but ensuring that it is unique and complex enough that it cannot be guessed, either by a human or by a computer.

On a basic level, this involves a few simple principles. Passwords should ideally be at least 8 characters long, and contain at least one number and one symbol. They should also be something obscure, and not related to your own personal information, which someone might be able to guess or find out online. For instance, your birthday would not be a great choice even though it contains numbers, and “P@ssw0rd” would not be an appropriate use of numbers and symbols.
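The rules above as a checker, added here as an example (not from the original article). It applies the length, number and symbol rules, then undoes common character substitutions so that “P@ssw0rd” and a birthday are still caught; the `COMMON` word list and the personal details are constructed and deliberately short.

```python
import re
import string

# Undo common look-alike substitutions: @ and 4 -> a, 3 -> e, 0 -> o, and so on.
LEET = str.maketrans("@4301!$5+7", "aaeoiisstt")
COMMON = {"password", "letmein", "qwerty", "welcome"}  # constructed short list

def normalise(text):
    """Lower-case, reverse substitutions, and drop everything but a-z and 0-9."""
    return re.sub(r"[^a-z0-9]", "", text.lower().translate(LEET))

def password_problems(pw, personal=()):
    """Return a list of reasons the password fails; an empty list means it passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isdigit() for c in pw):
        problems.append("no number")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    plain = normalise(pw)
    if any(word in plain for word in COMMON):
        problems.append("common word behind substitutions")
    # Personal details are normalised the same way so dates and names still match.
    if any(len(item) >= 3 and item in plain for item in map(normalise, personal)):
        problems.append("contains personal information")
    return problems

if __name__ == "__main__":
    details = ("Jane", "14/03/1990")  # constructed personal details
    for candidate in ("P@ssw0rd", "14/03/1990", "sunshine",
                      "correct-horse-7-battery-staple"):
        print(candidate, "->", password_problems(candidate, details) or "passes")
```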

There are two ways to get around the issues people often have with remembering complex passwords. The first is to write down your passwords in a physical document, as this prevents them from being accessed remotely (although this presents its own issues with physical security). The second is to use a password manager such as LastPass, which generates secure passwords and keeps track of them for you. This means you only have to remember one password, which is recommended to be a long and unique phrase – something that should be easier to remember than a string of hashes and dollar signs.

Website plugins

One of the less appreciated but most common threats to a website is its plugins. Plugins are essentially ‘add-ons’ that provide new features to websites, such as those using the popular WordPress CMS. Using these plugins, you can alter and extend the functionality of the website to add features such as e-Commerce, advanced analytics tracking, comment systems and more, without having to develop them yourself.

Plugins do also present issues, however. While CMSs such as WordPress are constantly being updated to improve security and functionality, external plugins put you at the mercy of small developers. If a plugin is poorly developed or not updated regularly, it can contain security flaws that hackers could take advantage of.

The simple answer to website plugin issues is to never install anything without coordinating with your web development team. The same can even be true of updating plugins, as new patches can introduce vulnerabilities as well as get rid of them (although patching is usually a good idea). Fundamentally, any change you make to the infrastructure of your website – plugins included – risks leaving a hole that someone else can get in through. By leaving things to the experts, you can extend your functionality without putting your data at risk.

Sota is one of the UK’s leading IT support providers and experts in cloud computing, cyber resilience, connectivity, and unified communications. Having worked with countless businesses over the years, they are experts in their field, ready to advise and offer tailored solutions for each and every company.


Written by Abhishek Chauhan
