2017-02-07

By Natasja Bolton, Senior Acquirer Support QSA

Steps to protect small businesses from this year’s security threats

As 2017 rolls out, we continue to explore the security threats and cyber-attacks expected to feature this year. Following on from part 1, which can be read here, part 2 examines other risks: email scams, Internet of Things attacks and mobile device threats. In this article we highlight the dangers and suggest actions that businesses can take to protect themselves, so that you can share these proactive, preventive measures with them.

1. Targeted business email scams

In parallel with the expanding ransomware threat, in 2017 we can also expect cyber criminals to exploit and develop other direct-revenue attack methods and scams. Researchers at both Dell Secureworks and KPMG noted the emergence of scams that target businesses' order and payment processes. For instance, cyber-criminals have masqueraded as a legitimate business and convinced its customers to pay false invoices. Attackers have also succeeded in exploiting the communications between supplier and customer: for example, compromising the business's email account to send invoices for legitimate orders but with amended payment details, so that the money owed is paid directly to the cyber-criminal.

What can businesses do to protect themselves?

Law360 and the FBI outline the steps businesses can take to protect themselves. Protecting the business from these types of attack relies on two things: robust processes and buyer/seller awareness.

Robust processes:

Have established order, invoicing and payment processes

Keep a record of payment and bank account details for all suppliers

Always check order details, confirm the validity of the customer, verify the information on invoices

Double-check payment or bank details against those on record before sending any money. Confirm any request to change payment details by telephone, using a number already held on record rather than one supplied with the request.

Buyer/Seller awareness:

Make sure staff adhere to order, invoicing and payment processes

Train staff to watch for these types of scams and to report any suspicious activities

Educate customers on the established ordering and invoicing processes, on the valid payment details and to query any deviation from the norm
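The 'robust processes' items above can be enforced in the accounts-payable workflow rather than left to memory. The following is an added example, not Sysnet's code or anything from the sources cited: it compares an incoming invoice with the supplier record captured at onboarding, flags a sender domain that differs from or imitates the recorded one, flags bank details that differ from the record, and flags wording that asks for payment details to be changed. The supplier register, the invoice contents and the domain names are constructed for illustration.

```python
"""Invoice verification against the supplier record.

Added example (not Sysnet's code): checks an incoming invoice against the
details held on record for the supplier, as the 'robust processes' items
above require. The supplier register, invoices and domain names are
constructed for illustration.
"""
import re
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Dict, List

# Constructed supplier register: the e-mail domain and bank details captured
# when the supplier was onboarded. The payment process treats these as the
# source of truth, not whatever appears on the latest invoice.
SUPPLIERS: Dict[str, Dict[str, str]] = {
    "ACME-001": {
        "name": "Acme Components Ltd",
        "domain": "acme-components.example",
        "sort_code": "40-12-34",
        "account": "12345678",
    },
}

# Wording that usually accompanies a fraudulent 'our bank has changed' request.
CHANGE_PHRASES = ("new bank", "changed our bank", "updated account", "new account details")


@dataclass
class Invoice:
    supplier_id: str
    sender: str        # From: address of the e-mail carrying the invoice
    sort_code: str
    account: str
    amount: float
    notes: str = ""


def normalise(value: str) -> str:
    """Strip spaces and hyphens so '40-12-34' and '40 12 34' compare equal."""
    return re.sub(r"[\s-]", "", value)


def lookalike(candidate: str, recorded: str, threshold: float = 0.85) -> bool:
    """True when two domains differ but are close enough to be a deliberate
    imitation (a substituted, inserted or dropped character)."""
    return candidate != recorded and SequenceMatcher(None, candidate, recorded).ratio() >= threshold


def verify_invoice(inv: Invoice) -> List[str]:
    """Return the findings for an invoice. An empty list means the sender and
    bank details match the record and the invoice can follow the normal
    payment process; anything else must be verified out of band first."""
    findings: List[str] = []
    record = SUPPLIERS.get(inv.supplier_id)
    if record is None:
        return [f"unknown supplier id {inv.supplier_id!r}: confirm the supplier is valid before processing"]

    sender_domain = inv.sender.rsplit("@", 1)[-1].lower()
    if sender_domain != record["domain"]:
        if lookalike(sender_domain, record["domain"]):
            findings.append(f"sender domain {sender_domain!r} is a lookalike of recorded domain {record['domain']!r}")
        else:
            findings.append(f"sender domain {sender_domain!r} does not match recorded domain {record['domain']!r}")

    if (normalise(inv.sort_code) != normalise(record["sort_code"])
            or normalise(inv.account) != normalise(record["account"])):
        findings.append("bank details differ from those on record: confirm by telephone on the number held on record, not one taken from the invoice")

    if any(phrase in inv.notes.lower() for phrase in CHANGE_PHRASES):
        findings.append("invoice asks for payment details to be changed: treat as unverified until confirmed out of band")
    return findings


# Constructed invoices: one matching the record, one sent from a lookalike
# domain with amended bank details, as in the supplier-compromise scam above.
LEGITIMATE = Invoice("ACME-001", "accounts@acme-components.example", "40 12 34", "12345678", 4800.00)
AMENDED = Invoice(
    "ACME-001", "accounts@acme-cornponents.example", "20-00-00", "87654321", 4800.00,
    notes="Please note we have changed our bank; use the new account details above.",
)

if __name__ == "__main__":
    for label, inv in (("legitimate", LEGITIMATE), ("amended", AMENDED)):
        print(label, verify_invoice(inv) or ["ok: matches record"])
```

Note that the 'amended' invoice would pass a check that only looked at the supplier name and amount: the order is real, only the sender domain (an 'rn' standing in for 'm') and the bank details have changed. The similarity threshold is a judgement call; set it so that the supplier's own domain and its obvious imitations both trip the check, and route every finding to a person who confirms by telephone on the recorded number.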

2. Internet of Things (IoT) attacks

As the recent Consumer Electronics Show (CES 2017) demonstrated, more and more 'things', from hairbrushes to home security systems, will have an embedded operating system, be wireless enabled and Internet connected in 2017. Gartner claims 5.5 million new 'things' were connected every day in 2016, and this number is only likely to grow in the next twelve months.

2016 saw the first major attacks leveraging IoT devices. For example, in October much of America's Internet access was disrupted when a distributed denial of service (DDoS) attack targeted Dyn's Domain Name System (DNS) infrastructure. A significant proportion of the 100,000 malicious endpoints that made up the attacking botnet were IoT devices compromised by the Mirai worm, which spread by logging in to devices over telnet with their factory-default credentials. Security analysts and industry commentators expect further large-scale security breaches and attacks relating to IoT to occur in 2017.

What can businesses do to protect themselves?

Resolving the issues of poor security and easily exploitable weaknesses in IoT devices will take industry leadership and government support for industry standards or regulation, to help make sure that IoT devices are 'secure by design'. The DHS (US Department of Homeland Security) and NIST (US National Institute of Standards and Technology) are leading the way with publications setting out best practice to secure the Internet of Things.

In the meantime, businesses need to make sure they protect themselves and others from the IoT threat:

Avoid connecting IoT devices to the business network or the cardholder data environment. Poorly understood and probably inadequately secured IoT devices could open new attack paths into the business.

Control access to/from the business network: Use firewalls and other access controls to close down any open inbound or outbound access to the business network. Firewalls should only allow the specific connections and communications that the business needs for its operations.

Patch and update Internet-facing systems: Make sure all Internet-facing systems can be and are regularly patched and updated.

Change vendor defaults: Remove all unused accounts and make sure all default ‘pre-set’ or ‘out of the box’ passwords have been changed to alternative, strong passwords for all built-in user and system accounts.

Improve DDoS defences to detect and mitigate a DDoS attack against the business: Implement guidance such as that published by eSecurity Planet and F5 Networks. Consider whether the business would benefit from the DDoS protection offered by companies such as Cloudflare, Kaspersky or Akamai.
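The first two items in the list above, keeping IoT devices off the business network and allowing only the specific connections the business needs, can be checked mechanically against the firewall policy. The following is an added example, not Sysnet's code and not tied to any vendor's configuration syntax: a small first-match policy model with an audit that reports a default action other than deny, any 'any to any' allow rule, any allow rule that opens every port, and any policy under which an IoT device can reach the business network or the cardholder data environment or be reached from the Internet. The zone names, the rule model and the two sample policies are assumptions made for this example.

```python
"""Network access policy audit for IoT segments.

Added example (not Sysnet's code): checks a firewall policy against the
guidance above, that the default must be deny, that nothing may allow 'any'
to 'any', and that IoT devices must not reach the business network or the
cardholder data environment (CDE) nor be reachable from the Internet.
The zone names and the rule model are assumptions made for this example;
it does not parse any particular firewall's configuration syntax.
"""
from dataclasses import dataclass
from typing import List

IOT, BUSINESS, CDE, INTERNET, ANY = "iot", "business", "cde", "internet", "any"


@dataclass(frozen=True)
class Rule:
    src: str      # zone name or ANY
    dst: str      # zone name or ANY
    port: str     # destination port as a string, or ANY
    action: str   # "allow" or "deny"


@dataclass
class Policy:
    default_action: str   # applied when no rule matches
    rules: List[Rule]     # evaluated top to bottom, first match wins


def decide(policy: Policy, src: str, dst: str, port: str) -> str:
    """Evaluate one connection the way a first-match firewall would."""
    for r in policy.rules:
        if r.src in (src, ANY) and r.dst in (dst, ANY) and r.port in (port, ANY):
            return r.action
    return policy.default_action


# Paths the guidance requires to be closed, probed on the telnet port (the
# one Mirai used against IoT devices) and on HTTPS to catch port-agnostic holes.
FORBIDDEN_PATHS = ((IOT, BUSINESS), (IOT, CDE), (INTERNET, IOT), (INTERNET, CDE))
PROBE_PORTS = ("23", "443")


def audit(policy: Policy) -> List[str]:
    """Return findings; an empty list means the policy meets the guidance."""
    findings: List[str] = []
    if policy.default_action != "deny":
        findings.append(f"default action is {policy.default_action!r}: it must be deny so that only listed connections pass")
    for r in policy.rules:
        if r.action != "allow":
            continue
        if r.src == ANY and r.dst == ANY:
            findings.append("a rule allows any source to any destination: remove it and list the specific connections needed")
        elif r.port == ANY:
            findings.append(f"rule {r.src} -> {r.dst} allows every port: restrict it to the ports the business needs")
    for src, dst in FORBIDDEN_PATHS:
        for port in PROBE_PORTS:
            if decide(policy, src, dst, port) == "allow":
                findings.append(f"{src} can reach {dst} on port {port}: this path must be closed")
                break
    return findings


# Constructed policies: a typical 'allow by default' setup with one block
# rule, and a hardened one that lists only the connections needed.
WEAK = Policy("allow", [Rule(INTERNET, BUSINESS, "3389", "deny")])
HARDENED = Policy("deny", [
    Rule(BUSINESS, INTERNET, "443", "allow"),   # staff web access
    Rule(IOT, INTERNET, "443", "allow"),        # devices talking to their vendor cloud only
])

if __name__ == "__main__":
    for label, pol in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(pol) or ["ok"])
```

The weak policy blocks one inbound port and nothing else, which is how a camera or smart TV ends up with a route to the till network; the hardened policy denies everything and then lists the two outbound connections actually needed. Probing the forbidden paths, rather than only inspecting the rules, catches the case where no single rule looks wrong but the default action lets the traffic through.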

3. Mobile device threats

Another common expectation for 2017 is that cyber attackers will increasingly focus on exploitation of mobile devices. Although Android now accounts for 86.2% of mobile devices in use, making it the preferred target of attackers, Apple iOS is not immune. Welivesecurity reports that new variants of malicious code created for Android averaged 300 per month in 2016, while for iOS the number was 2 per month.

Mobile device attacks and malware are likely to have a significant impact on consumers and businesses because of people's reliance on their mobile devices in both their personal lives and for business activities. As we explored in State of Pay, the move to mobile-dependent mPOS solutions, ranging from simple 'plug and play' mPOS card payment solutions to fully functioning cloud-based mPOS solutions, means that more small businesses may find themselves reliant on mobile devices for business operations.

What can businesses do to protect themselves?

It is recommended that businesses follow good practices to protect mobile devices that are critical to business activities:

Use the mobile devices for business purposes only.

Limit access to the mobile devices to authorised personnel: Make sure only authorised staff have physical and logical access to the devices, and use a passcode/PIN to lock inactive devices.

Avoid jailbreaking or rooting the mobile devices.

Install software and apps on the mobile devices only from trusted sources.

Minimise the number of apps on the mobile devices to those needed for business purposes.

Protect the mobile devices from malware: Install and update anti-malware software.

Patch and update the mobile devices: Regularly update operating system and install any application updates as they become available.

What next?

Sysnet has extensive experience in compliance and security. Our passion for pragmatic and innovative solutions when it comes to addressing Cybersecurity problems allows us to be the thought leaders in the market when it comes to addressing such multi-layered and complicated challenges related to security. If your customers require further guidance and assistance with mitigating such security threats, then we can help.

Read part 1 here:

2017 – Anticipate and prepare, Part 1

The post 2017 – Anticipate and prepare, Part 2 appeared first on Sysnet Global Solutions.
