Alternative Cyber Security Advice
In an era where technology touches every aspect of our lives, from banking and emails to phone calls and social media, the significance of safeguarding our digital presence is more important than ever before.
To gain some insight into the current cybersecurity landscape, we caught up with Patrick, a seasoned cybersecurity expert from Computer Clinic for his insights.
What are the top things you can do to mitigate becoming compromised?
The answer to this will depend on the business and their budget. Some first steps include:
Implementing MFA/2FA on all your logins
Ensuring your devices are up to date
Having professional antivirus
Using a password manager and making sure these are strong and unique
To be honest, I can give you a complete list along with the pros and cons of each one. However, realistically, only large companies are able to implement everything.
I believe business owners are intelligent people and, armed with the right information, they can assess their own risk versus the costs and are able to decide on how far to go in terms of cyber security. Effectively how many layers of protection do you want to implement?
So here are three alternative potential vulnerabilities that I am currently experiencing:
1. Have better controls on where your domain names are hosted and access to them
You need to ensure that you know and control the login details of your domain host provider and have MFA/2FA on this login to protect against hackers accessing your domain records.
Plus if any other companies have access to this you need to ensure this is also kept safe.
Why?
With access to your domain a hacker can then implement their own additional MX record with a higher priority which means they can intercept all emails without entering your email system or computers. Most people leave this to their website company or IT company. So what protections do they have in place and do they have MFA/2FA on these logins to avoid the username and password simply being used by hackers?
2. Protect domain names that you own but don’t actually use along with sub domains
Parked domains are usually for brand protection and sub domains are for domain services such as online systems.
Why?
Parked domains are unused but they can be used to send emails from to make it look like you have sent emails when you haven’t. To prevent this, set these domains up with specific zone records to stop this from happening. Thus, if these are spoofed, emails sent by these domains will be rejected worldwide and not reach their target.
A sub domain is an extra word in the domain name. E.g. blog.domainname.co.nz or shop.domainname.co.nz. A spoofed email could be sent from, for example, accounts@finance.companyname.co.nz however if your subdomains (such as finance) are protected in a similar way to your parked domains this will simply not work.
3. Have your domain name (the one actually used for email) set up with SPF DKIM and DMARC zone records to avoid spoofing
This will prevent a hacker from looking like they are emailing from yourname@companyname.co.nz which is known as spoofing. This is a complex topic so I suggest reading our blog on this but I’d say this is the most important thing to do right now to avoid being spoofed.
How many cyber breaches are your clients experiencing at the moment?
One a week on average and they are all completely different. Unfortunately it is through lack of investment in their security layers or a genuine belief that everything is being handled correctly by their current website or IT provider.
Antivirus Protection
A lot of people believe that if they have antivirus software they are protected but as you are now learning, it is a layered approach so antivirus alone is not enough. Antivirus does protect against viruses in software but it does not stop human error where passwords are inadvertently obtained by hackers.
Human Error
So what is human error?
It is people inadvertently giving away information - clicking or opening stuff they shouldn’t.
So training is a key defence.
How good are your staff? Have they ever been sent a phishing test to identify security gaps?
Have they ever received formal cyber security awareness training to improve their knowledge?
Scams are very elaborate these days, so very hard to spot and impulse clicks on the spur of the moment often lead to trouble.
What is the most common type of hacking attack?
There are too many to go into and they are always changing so there is not a one size fits all solution for this. However, some common examples are:
Gaining local access to a computer due to someone opening a corrupted file
Gaining access to an email account due to someone clicking on a corrupted link
Gaining access to servers due to using older types of remote access protocols such as VPN and RDP which don’t have MFA/2FA on them too.
Spoofing emails at a domain level where companies don’t have SPFM DKIM & DMARC zone records and policies employed between their domain and their email system (see our blog for more information).
What is the impact on a business when a breach occurs?
It’s the unknown, what happens next? The stress and additional workload for both the business owners and the staff. The physical aspects are downtime, outages, reputation damage, loss of data, identity theft and being held to ransom. It’s a terrible situation to be in.
What to do if a cyber breach happens?
Call for professional IT support immediately and although there are set action plans and procedures, being able to think on your feet is vital.
Focus just as much as finding a way to keep the business operating immediately as to finding out how it occurred in the first place and stopping the breach.
Send out a communication (have one ready) to inform everyone of the situation too, as it is best coming from you than others.
What is your best tip and suggested method to store passwords?
Bit Warden Teams or Enterprise versions – see our blog on this.
Are there any free websites or tools I can use to see what my security posture/profile looks like from the outside to a hacker?
Install the SecurityScorecard Security Ratings plugin to your browser. e.g. the one for chrome is below. This will tell you how secure your security profile is based on all the domains you own. However if you haven’t been checked as yet, there will be no score but you can request a free check from them which normally takes about 2 weeks to complete.
Click here for the SecurityScorecard plugin for Chrome.
Another website (that hackers use) is Shodan. Link below. This shows in real time all the vulnerabilities worldwide.
A hacker would use this website to search for a specific item to target, such as a vulnerable VPN connection in NZ.
Shodan provides a comprehensive view of all exposed services to help you stay secure. It allows you to keep track of all your devices that are directly accessible directly from the Internet. If you can see them, so can a hacker!
Is there a minimum requirement I need to comply with to obtain cyber insurance?
Insurance companies will ask key questions to assess your risk. The problem is that you can tick yes to what you want on insurance forms thinking it is genuinely correct but if the worst happens and you do make a claim, then if some of these ticks end up not being accurate or true, then it could invalidate your insurance. Effectively you would have to then prove that what you stated on your insurance form was actually in put in place (which is hard to do in the middle of a cyber crisis) and if you can’t prove this to the insurance company then technically you were insured on the wrong basis which may ultimately invalidate your insurance.
So we would suggest getting your insurance form professionally assessed by an IT company.
If all my data is in the cloud, is it backed up and safe?
No, the cloud is just another computer/server in another location in the world. You need to contact your cloud provider to establish what measures they have in place to safeguard your data and ensure it is backed up too.
The main way to protect your cloud is by putting MFA/2FA on everyone’s login to the cloud provider’s system. This could be anything from emails, a CRM system to data storage such as Dropbox or One Drive.
Summary and conclusions
Please take these insights from Patrick to heart. Cybersecurity affects us all, and by staying informed and implementing best practices, we can better protect our digital lives in an increasingly connected world.