In June, Russian ransomware-as-a-service gang,
Qilin, stole data covering
300 million NHS patient interactions – and demanded an alleged £40 million for its return.
The leak meant that two of the health service’s biggest trusts, King’s College hospital and Guy’s & St Thomas’, “had to cancel 1,134 planned operations, including cancer and transplant surgery, and postpone 2,194 outpatient appointments in the first 13 days
alone after the attack,”
The Guardian reported. Unfortunately, this is
not the first state-sponsored cyberattack against the UK.
Given the potential for organisation-wide disruption, the question on the lips of UK government, businesses, and financial institutions is
preemptive: How do we prevent a
cyber-attack?
Nine strategies to prevent cyber-attacks
There are many kinds of cyber-attack, from [inhales deeply] identity theft, to fraud, phishing,
malware, viruses, extortion, social engineering, crypto-jacking, drive-by downloads, denial of service (DoS), structured query language (SQL) injection, cross-site scripting, URL poisoning, domain name system (DNS) tunneling, spamming, spoofing, password
sniffing, as well as internet of things (IOT), man-in-the-middle, botnet, watering hole, eavesdropping, birthday, and insider attacks [exhales].
As dizzying as these may sound, there is a shortlist of
strategies that can be deployed to defend against them all:
1. Train staff
Organisations’ Achillies heel is the employee. They can easily be targeted by cybercriminals via email or phone calls, and convinced to hand over sensitive information.
The way to safeguard against this is to set up a regular training programme for all staff –keeping them abreast of the ever-evolving landscape of cybercrime, and how to remain vigilant to threats.
2. Update systems
A common means by which institutions are caught out is through outdated software.
To counteract this, there are solutions such as patch management, which look to cover all systems updates and security functionality.
Such a strategy may include establishing boundary firewalls, internet gateways, listing and execution controls, content checking, web proxy and filtering, as well as secure configuration. Over this can be laid anti-virus and anti-malware software or even
artificial intelligence (AI) threat tools for real-time monitoring.
3. Assess and monitor vendors
Once staff and systems are tightened, the strength of a firm’s cybersecurity becomes equal to that of its third-party partners and providers.
Technology officers are advised to look at whether their vendors are following the appropriate operational and strategic risk strategies, sensitive to the latest legal,
regulatory, and compliance considerations of their industry, and hedging all associated systemic vulnerabilities adequately.
4. Strong password management
What is the password policy of your organisation? Is it a requirement that passwords be strong and complex? Are passwords regularly changed? Is a password required to access each separate application?
As ever,
multi-factor authentication (MFA) is a solid option – an electronic authentication method in which users are granted access to a system once they can present two or more pieces of evidence. This approach ensures that systems are ultra-secure.
5. Backup and encrypt data
Assuming a hacker does get through the ‘password gates’, firms should ensure that a copy of all their most important data is stored on another system, so that if lost or stolen, it can be restored. This will limit financial and reputational damage, as well
as any downtime that often comes with a breach.
Furthermore, the data that sits on the main or at-risk system, should be encrypted, so that even if it is seized, it will be illegible or unusable in ransoms.
6. Protect physical premises
Much of the focus is nowadays placed on the digital world, but most organisations (despite remote working trends) still have physical premises that could be plundered for sensitive data or login codes. Don’t overlook this attack vector.
Put any data which cannot fall into criminals’ hands behind keycard-enabled or biometric-secure ‘doors’.
7. Reduce the attack surface
A business’ attack surface may include the physical premises – as already discussed – the digital edifice (including all assets accessible over the internet or that sit outside a firewall), and the ‘social engineering’ front, which encompasses that area
exploited by hackers to take advantage of employee psychology.
At-risk companies are advised to conduct an ‘attack-surface’ analysis so that they can thoroughly get to grips with security soft spots, and how to board them up.
8. Cybersecurity policy
All the above should come together to form a holistic cybersecurity policy, but there are many other elements to consider. Here are some of the most noteworthy:
- Regular security audits: This finds place at the top of the section intentionally. By continuously checking and reviewing your organsiation’s security measures, it is less at risk of falling behind and letting weaker defenses become business-as-usual.
- Levels of control: Perhaps aligned with seniority, varying types of control measures should be assigned to each employee’s account. This enables firms to give individuals only the information or privileges they need to fulfil their role. This may include
the ability to download software that could become compromising. This point harks back to the strategy of reducing the firm’s attack surface.
- Data sharing: In an
interview with Finextra, Beate Zwijnenberg, chief information security officer at ING, emphasised the need for further data sharing between financial institutions to better identify the tactics, techniques, and procedures (TTPs) of cybercriminals. “I think
it’s key to understand the attackers' perspective,” she said. “If you’re capable of sharing data, and intelligence, amongst each other, you’re in a better place to find a strategy. So, learning from each other and leveraging knowledge.”
- Disaster recovery: Finally, if an attack does land, having a reaction plan will instill order for staff and customers. A step-by-step process is key to controlling the damage.
9. Killswitch
If all else fails, have a killswitch. This figurative, plan-Z button is there to shut an entire system down if an attack is running away and data is becoming unretrievable.
Rather like a heart attack, warnings come ahead of the event – it is just a case of spotting them. In the case of a cyber-attack, IT teams will need to be
watching what is happening within the company – at data traffic, session details, or access issues – as well as outside of it, be it open-source intelligence or the dark web.
As old as the adage
When it comes to the battle tactics of fighting cybercrime, firms should defer to the immutable words of George Washington, who wrote in
1799, “offensive operations, often times, are the surest - if not the only - means of defense." Preparedness, in other words, is far better than mitigation.