Two things smaller professional services firms can do to improve cyber security

Cyber security is all very well for large professional services firms with big budgets, but what can you do if your resources are more limited? Here we explain how you can make yourself safer without breaking the bank and taking up valuable working hours.

Many smaller firms are unclear about the cyber threats they face and don’t really understand the ways in which they’re vulnerable. Some even think they’re not a viable target; they’re mistaken. If this sounds familiar, don’t worry – the vast majority of cyber attacks can be mitigated with basic controls. Below are two common ways in which you are vulnerable to attack, and some advice on what you can do to improve your firm’s security and protect your business.

1. Network and software vulnerabilities

The majority of cyber attacks are automated, so they require practically no skill to execute, are cheap and easy to run, and are indiscriminate, looking only to exploit common vulnerabilities rather than specific websites or companies. Every internet-facing organisation is at risk. These attacks invariably focus on network and software vulnerabilities, which few managers and business owners understand or appreciate.

Network vulnerabilities result from insecure operating systems and network architecture, such as flaws in servers and hosts, misconfigured wireless network access points and firewalls, and insecure network protocols (the rules that govern how network devices, such as modems, routers, etc., communicate with each other).

Software vulnerabilities are flaws such as coding errors or software responding to certain requests in unintended ways.

Sometimes these vulnerabilities are discovered by criminals, who exploit them before the vendors realise, prompting a scramble to close the hole once they do become aware.

Sometimes they’re discovered by responsible security researchers, who inform the products’ vendors, giving them enough time to find a solution and release a new version that patches the flaw before disclosing the vulnerability to the public. (Most vendors, including Microsoft, Apple and Google, offer rewards for this.)

Once a vulnerability is made public, which usually happens when the patch is released, cyber attacks that try to exploit it intensify. If you don’t update to the latest versions or apply vendors’ patches as they are released, the vulnerabilities in your systems will remain exploitable.

Similarly, if the vendor is no longer supporting the product by issuing patches, any discovered vulnerabilities will remain exploitable. Just think of all the havoc caused in 2017 when the WannaCry ransomware spread via vulnerabilities in version 1 of Microsoft Server Message Block.

You are very unlikely to notice that a vulnerability has been exploited until it’s far too late. Most intrusions go undetected for months, and are often discovered only when the breached organisation hears about the breach from a third party. A programme of regular penetration testing – in which a certified tester will try to access your systems via known vulnerabilities that could affect your applications and networks – will help you identify where your security weaknesses lie.

What can I do?

Your IT department should have a patch management programme that ensures the timely installation of updates. It’s also very likely that your machine will be set to update automatically to keep it up to date. While it sometimes seems that it will want to update and restart at the most inconvenient times, it’s important not to postpone updates any longer than you must.

It’s also important to limit your exposure to attacks that seek to exploit vulnerabilities. The majority of software exploits are delivered by phishing emails, which masquerade as legitimate communications from trusted senders, but contain links to malicious sites or have infected attachments that drop malware. As soon as you or any of your colleagues open one of these attachments or click one of these links, you risk giving criminals a foothold on your network, especially if you are running vulnerable versions that are susceptible to attack.

Learning to recognise malicious emails is essential to combatting this threat. Once malicious content gets past your antivirus, anti-malware and firewall software, your staff are your last line of defence. Things to look out for include:

  • poor spelling and grammar;
  • invitations to click links or open attachments (especially zip files) if you’re not expecting them; and
  • dubious senders’ names and email addresses.

2. Weak, default and reused passwords

Passwords are a common point of intrusion for cyber criminals. Far too often, default passwords are left unchanged, or weak and easily cracked passwords are used. However, the biggest issue by far is the extent to which people reuse their credentials on different sites and services.

If another website has been compromised and login details have been stolen, criminals will automate attacks using the username/password combinations they have gained to see what else they can access. Password reuse is rife, so the likelihood of their gaining access to multiple sites with a single set of stolen credentials is high. So, it is essential to use a different password for every account you have, especially if it is linked to the same username – often your email address.

What can I do?

Traditional advice is to make passwords complex, to use upper- and lower-case letters and numbers, and to change them regularly. However, this is almost impossible for the average user to follow – especially as you need a different password for each online account. How, then, do you select memorable but complex passwords, and manage them?

Modern advice is to use passphrases rather than passwords. Phrases are much easier for people to remember than random combinations of letters, numbers and symbols, and when it comes to password strength, length matters more than complexity: with every character you add to your password, its inherent security increases exponentially.

For example, assume you can only use lower-case letters in your password. If you choose a one-letter password (‘a’), it’d take a maximum of 26 attempts to crack it, as there are 26 letters of the alphabet. If you choose a two-letter password (‘aa’), that increases to 676 attempts, or 26 squared. If you choose a ten-letter password (‘aaaaaaaaaa’), anyone attempting to crack it would have to try 141,167,095,653,376 combinations. And so on.

As long as your longer password or passphrase isn’t reused or common, it should be considerably more secure than a shorter one, even if it might not appear to be more complex, and ought to withstand both dictionary attacks and brute-force attacks. So, something like ‘troublesome mollusc vernacular’ is far more secure than ‘p4ssw0rd1’, and is arguably easier to recall.
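As an added illustration (not part of the original article), the following Python carries the 26-to-the-power-of-length arithmetic above through to the two passwords the article compares, and also shows the dictionary-attack case, where the attacker knows the passphrase is made of ordinary words. The cracking rate of 10^10 guesses per second and the 100,000-word dictionary size are assumptions chosen for the comparison.

```python
import math
from string import ascii_lowercase, ascii_uppercase, digits

# Constructed inputs: the two passwords the article compares.
PASSPHRASE = "troublesome mollusc vernacular"
COMPLEX_PW = "p4ssw0rd1"

def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates an exhaustive search must cover: alphabet_size ** length."""
    return alphabet_size ** length

def alphabet_size_for(pw: str) -> int:
    """Smallest union of standard character classes that covers pw.
    An attacker who knows which classes are used only searches that union."""
    size = 0
    if any(c in ascii_lowercase for c in pw):
        size += 26
    if any(c in ascii_uppercase for c in pw):
        size += 26
    if any(c in digits for c in pw):
        size += 10
    if " " in pw:
        size += 1
    if any(not c.isalnum() and c != " " for c in pw):
        size += 32  # printable ASCII punctuation
    return size

def brute_force_bits(pw: str) -> float:
    """Strength in bits against exhaustive search over the inferred alphabet."""
    return len(pw) * math.log2(alphabet_size_for(pw))

def dictionary_guesses(words: int, dictionary_size: int = 100_000) -> int:
    """Worst case if the attacker knows the passphrase is `words` words from a
    dictionary of `dictionary_size` entries (assumed size, not from the article)."""
    return dictionary_size ** words

def days_to_exhaust(candidates: int, guesses_per_second: int = 10**10) -> float:
    """Days to try every candidate at an assumed offline cracking rate."""
    return candidates / guesses_per_second / 86400

if __name__ == "__main__":
    for n in (1, 2, 10):  # the article's 26, 676 and 141,167,095,653,376
        print(f"{n:2d} lower-case letters: {keyspace(26, n):,} candidates")
    for pw in (COMPLEX_PW, PASSPHRASE):
        space = keyspace(alphabet_size_for(pw), len(pw))
        print(f"{pw!r}: {brute_force_bits(pw):.1f} bits, {days_to_exhaust(space):.2e} days")
    # Even known to be three dictionary words, the passphrase out-sizes 36**9.
    print(dictionary_guesses(3) > keyspace(36, 9))
```

The nine-character ‘p4ssw0rd1’ draws on 36 symbols and falls within the assumed cracking budget in a fraction of a day, while the 30-character passphrase stays out of reach even when attacked word by word.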

If you have difficulty remembering passphrases, however, I recommend you use a password manager – a tool that will create complex passwords and remember them for you. There are many on the market, including Dashlane, LastPass, RoboForm and 1Password.

IT Governance has a wealth of experience in the cyber security and risk management field. As part of our work with hundreds of private and public organisations in all industries, we have been carrying out cyber security projects for more than fifteen years. All of our consultants are qualified, experienced practitioners.

Our services can be tailored for professional services firms of all sizes in any location.

Contact our experts here or call us on +44 (0)333 800 7000 to discuss your firm’s cyber security requirements.

More information on our cyber security solutions can also be found on our website.