* by Mark Matthews
Technology Officer of Revenir and top technology speaker Brian Wagner reveals how businesses can protect themselves against cyber-attacks. In this Q&A, discover how to respond to a ransomware attack and why GDPR matters for business.
How can businesses protect themselves against cyber-attacks?
Brian Wagner: I think the absolute top tip – it’s easy to implement and realistic – use a password manager. I think a lot of the breaches that we see now are commonly used passwords or passwords that are leaked on the internet, that’s probably the absolute number one easiest way to prevent a breach.
Another one is to be vigilant about emails. So phishing, if you’re not familiar with the term, is a way to get people to send information, either their username, password or bank details. We’re talking about businesses, so when someone gets phished, it’s typically for their credentials, and then someone uses those credentials to log in. So, there’s really not one individual action, but just be sceptical of phishing emails.
I think one more useful tip for businesses is, everybody is using third party services these days. Everything is a subscription, you pay monthly for just about every software we have, and there are logins everywhere. If you enable multi-factor authentication and you do lose your password to somebody, if they don’t have that second factor of authentication, then that password is effectively useless.
Why are some businesses so vulnerable to cyber-attacks?
Brian Wagner: The difference between working in an office and working from home is that in the office, you are using a known network in a known space. It varies from business to business, but I guess, it’s at least predictable. It’s expected; you know where the perimeter is.
When you work from home, the perimeter is dissolved. Think of it like a castle or fortress: you protect the walls. When you’re in the walls, theoretically, the people inside the walls already have some level of trust because they wouldn’t be there if they weren’t trusted.
Same goes with an office. It’s like, ‘well, if you’re here, you’ve passed some level of trust.’ Maybe someone recognizes you and you say, ‘oh, I know that person’, but without that perimeter anymore, the attack surface is exponentially larger and there are more opportunities for attack.
If someone wants to attack a business, I’m generalising here, if you want to attack a business, you must breach the perimeter. But now, when you want to attack a business, every individual person who is no longer within that perimeter and working remotely is now a target. So, you go from one-to-many targets, which makes everybody more vulnerable.
What should a business do after a ransomware attack?
Brian Wagner: First of all, do not pay them. That is the absolute number one thing, do not pay them. If it didn’t make people money, no one would actually do it. That is absolutely number one.
I think number two would be figure out what the impact is. So ideally, if you’ve already been backing up and archiving data, then it would be an inconvenience at worst. You wouldn’t theoretically lose data, if let’s say, that data never becomes unencrypted. You would ideally have a backup.
Now, the inconvenience there from the business side is that it will take time to restore that data. So that’s an outage for some period, which again is an inconvenience at worst. Now the other side of it depends on what data is being stolen or ransomed because if your attacker decides they want to exploit the data, ask yourself, is that personal information, is that information about your customers or is it internal information?
Not to say internal information is any more or less bad, but my point is if they have logins and passwords and data – like personal data – then you as a business have an obligation to notify those people. Not just under GDPR, but just as a respectable business, you should absolutely invest in cyber security options and reach out and say, ‘look, this is what’s happened, here’s what we think.’ But like I said, rule number one, don’t pay them.
How have GDPR regulations transformed how businesses manage people’s data?
Brian Wagner: It’s really put a lot of responsibility [on the business]. I mean, that was the whole point. It put a lot of responsibility on how data is handled. I think before GDPR was a thing globally, data was sort of treated very, very casually.
GDPR makes you really think about how that data is being used and shared. It’s inconvenienced a lot of companies who weren’t really looking after their data because they’ve had to restructure the way they store and share that data.
Asking for consent from every individual is not something a lot of companies were used to doing. But what it’s really done is it’s brought a lot of responsibility and consideration into how you build infrastructure, how you protect data, which is, I think, good for everybody. It’s beneficial for the whole world, businesses and individuals alike.
* This article was first published at the UK’s first website dedicated to cyber security experts.