How to make your business unattractive to cyber criminals

By Marion Stewart, CEO, Red Helix

The majority of thieves are opportunists. Leave your car unlocked and chances are someone might steal it. Leave your back door open and your house is far more likely to get robbed. It doesn’t have to be a Ferrari or a mansion in the Chelsea suburbs; if a thief is presented with an easy opportunity, they are going to exploit it.

The exact same thing applies to cyber crime. It doesn’t matter if you’re a small startup software company or a Fortune 500 corporation with thousands of employees; if you present cyber criminals with an open access point, they are going to use it.

It is therefore crucial that, regardless of your business size, you lock your ‘cyber doors’ and make your business as unattractive a target as possible.

The inevitability of cyber attacks

We are now living in an era where cyber attacks are considered an inevitability. But that isn’t to say there is nothing you can do to minimise the risk of these attacks being successful. There are many effective strategies that can be implemented to maximise security and minimise cyber risk.

A key thing to keep in mind here is that, although some criminals might actively target certain organisations, the majority don’t. There has been a huge increase in the use of bots over recent years, with criminals deploying these automated programs to exploit any vulnerabilities they find on a digital platform. Likewise, social engineering attacks – which are responsible for as many as 90% of all cyber attacks – are often run as mass campaigns, with billions of phishing emails sent daily.

Think of it as someone casing a neighbourhood by driving around and checking which buildings would make for an easy target, or walking down the street and trying door handles to see if a car has been left unlocked. They are not targeted attacks, just attempts to find an easy entry point. For cyber criminals, the easy entry point is a business that is susceptible to social engineering attacks, or one that has exposed vulnerabilities discovered by their bots.

While hackers may have access to an increasingly advanced suite of tools to find entry points, including those powered by AI, there are simple steps you can take to close them and make yourself a less attractive target.

Steps for making your business unattractive

Making your digital assets unattractive to criminals follows the same logic as securing a physical asset; you introduce additional cyber defences, in the same way you might install new locks and alarms to a property, making it more difficult for people outside your organisation to gain access.

Following these key prevention methods can help to stop your business from attracting the attention of criminals:

1. Check government guidance:

For those at the very beginning of their security journey, this is a great place to start. The UK government has launched a strategy to make the country a tech superpower and, as part of this, it is invested in increasing the nation’s security. The ‘check your cyber security’ page offers some basic guidance, which will allow you to ensure you’ve at least closed the ‘cyber door’.

That said, this is publicly available information, so criminals will be able to access it as easily as anyone else.

2. Train your staff:

The importance of cyber awareness training cannot be overstated. The majority of successful breaches start as social engineering, making your human firewall one of the most powerful tools in preventing them. But only if it is strong enough.

Training must be an ongoing process, supported by regular assessments to identify any areas where more focus is needed.

3. Get the cyber hygiene basics right:

There are some basics that every company should have set up by now. If you don’t, now is the time to do so. These include multi-factor authentication, password policies requiring frequent changes, timely account closures when staff leave, regular software updates, and getting on top of vulnerability and patch management.

Without these in place your business will be more exposed than the majority, making you a prime target.

4. Secure your IT infrastructure:

Once you have the basics in place, you can move on to introducing layered security across your IT infrastructure. This should focus on email, endpoints, and your network, with signals and data collected and analysed across these different elements.

While this can be conducted in-house, using tools such as Extended Detection & Response (XDR), you will need to have the resources and expertise to manage this. For many, a more cost-effective and efficient option is to outsource this task to a security company that offers a managed detection and response (MDR) service. This is not dissimilar to how property owners can monitor and manage their own burglar alarms, but many find it easier to have an external security company monitor alerts on their behalf.

5. Check for existing breaches and dormant malware:

Not all cyber attacks will be immediately obvious. In fact, in some cases, criminals will go out of their way to remain unnoticed, waiting for the right time to strike. A famous example of this was the Marriott hack, which had been going on for four years prior to its discovery in 2018.

With that in mind, it is important to not only focus on improving security going forward, but also scan existing systems for any signs of malicious activity or dormant malware.

6. Conduct regular penetration testing:

The best way to check if your perimeter security is up to scratch is to test it. Penetration testing simulates an attack and identifies any weaknesses in your defences, so that they can be fixed before an attacker takes advantage of them.

These tests should be carried out on a regular basis, to ensure security systems are updated and any new vulnerabilities are identified.

7. Put a remediation plan in place:

This step is slightly different from the rest, as it doesn’t necessarily make your business harder to breach, but it is just as important. Even with the best security tools in the world and the most cautious employees, you still need to have a plan ready in case an attack slips through.

To put this together, you’ll want to identify and prioritise your critical assets, outline how incidents should be managed, create a playbook for the major incident types, create and train an incident response team, test your plan and then refine it.

8. Avoid being an easy target:

Cyber criminals, like other thieves, are naturally opportunistic. They will go after low-hanging fruit: the businesses where access to systems and data requires little time or effort. This means that many breaches can be avoided by following simple steps to increase your security and encourage criminals to look elsewhere.

In a world where breaches may seem inevitable, adopting a proactive and layered approach to cyber security is the key to making your business a harder, less attractive target for cyber criminals.