We recently met Jake Moore, cyber security specialist for ESET and ex Dorset Police Digital Forensics Unit to discuss all things cyber.
NH. Jake, what are the main threats small business face and how they can deal with them?
JM. There are the usual suspects – backups failing, passwords being stolen, losing laptops and phones, malware infecting computers through lax update and anti-virus procedures, that sort of thing.
NH. So obvious fixes – at least a double backup – one external hard drive off site, one in the cloud, use a password manager that generates random passwords, and so on. Does that cover the biggest threats or are there more?
JM. Definitely do all of those. But the biggest is your lovely people. It might be obvious, but it still needs saying – don’t allow removable media that aren’t yours into the building. And ensure – in their contracts of employment if needs be – that everyone backups up their mobile phone, has anti-virus software on it, uses a password manager and make sure they turn on “Find My iPhone” for iOS or “Find My Device” on Android, which will allow them to wipe their phone remotely should it ever get stolen. Mobiles are the most commonly lost or stolen devices and have loads of personal information on them, as well as maybe company data. All the above is necessary for GDPR as well.
NH. That should get us all scrambling to our phones. Anything else on phones – you mentioned PIN codes when we were talking informally?
JM. Yes, we tend to use codes that mean something to us, like birthdays of our loved ones. To give a little context about how easy it can be, I was recently at an event where I was giving a talk about how cybercriminals can socially engineer passwords out of people. At that moment, a guy in the front row took his phone from his pocket and entered a PIN to unlock it. I noticed he entered a 6-digit code and I was able to view the last two digits, which were 1 and 4.
To most people this might sound like just two random numbers but if I add context to these numbers, I might be able to work out the other four. I decided to go off-piste in my talk, so I asked his name. He obliged willingly, and I entered his name into Facebook. On his “about” page I found he was married but apart from her name, there wasn’t much else to take in. I clicked on his wife’s profile and went to her “about” page.
She had lots of personal information open to public view, the date of her marriage which was the 1st September 2014. I then politely asked the gentleman if I could hold his phone and attempt to get into it and I entered “010914” into his phone and bingo, I was in!
NH. I’d better check that! You also mentioned our lovely people. Did I detect a clue there?
JM. Very good – yes you did. People are helpful, kind and in being so unwittingly can help criminals. Hackers sometimes want physical access to your computers. Dressing in a high visibility jacket, asking where the server room and holding a fake badge or waiting outside a company door holding a large box with both arms outstretched will undoubtedly result in someone opening the door with a smile.
NH. Physical attacks like that aren’t common though, Jake. What about more subtle off-site attacks?
JM. You are right, but they are still good examples of how people are too ready to trust. Social engineering is still a con, like the guy in the hi vis jacket. You saw how easy it was for me to crack the mobile phone PIN with easily accessible data on the web. It doesn’t take too much information to start a search that can be used to manipulate by pretending to be someone the subject knows – even a fellow worker who they will trust with company sensitive data.
NH. Scary stuff – what can we do?
JM. Train everyone on cybersecurity awareness. Not only will you thank them when threats are averted for your business, but you are helping them to keep their own personal life safe too.
NH. That’s a good tip. Everyone gains except the hackers. Where can we go to get more info?
JM. I’ll start with ESET’.s free cyber training of course. Also there’s a lot of good free info at the National Cyber Security Centre, and don’t forget the police. Dorset Police will happily talk you through what you can do. It’s great resource.
Thanks Jake. If you would like to know more about this or any other cyber threat to SMEs or more personal cyber risks, get in touch with Jake from ESET at firstname.lastname@example.org.