There's more evidence that many businesses' security practices are not good enough. In response, a number of experts are promoting a back-to-basics approach.
Last week we published Symantec's advice that small businesses should foster security awareness among their staff, including the use of strong passwords and being cautious about opening emails and attachments.
Now Verizon says phishing emails have increased dramatically over the last year. Phishing is the practice of sending messages that appear to come from real companies but are designed to trick recipients into revealing their usernames, passwords and other sensitive information, or simply to drive them to a web page that is loaded with malware.
"Alarmingly, 30 percent of phishing messages were opened – up from 23 percent in the 2015 report – and 13 percent of those clicked to open the malicious attachment or nefarious link, causing malware to drop and a foothold gained by cybercriminals," Verizon said in its 2016 Data Breach Investigations Report.
The company said a 'three-pronged attack' strategy is common. The phishing email is the first step, and the attachment or linked web page installs an initial piece of malware on the system. That malware downloads additional components that may seek out and upload sensitive files, encrypt files (ransomware), or collect keystrokes in order to steal usernames and passwords. Those stolen credentials are then used to access internet banking and other services.
Perhaps because of its focus on larger organisations, Verizon also warned of human errors such as sending sensitive information to the wrong person.
Verizon's security basics
Like Symantec, Verizon called on organisations to attend to security basics, which it said are more important than complex security systems. These basics include:
- Utilise two-factor authentication for your systems and other applications, such as when logging into popular social networking sites
- Patch promptly: Most attacks exploit known vulnerabilities that have never been patched despite patches being available for months, or even years
- Encrypt your data: If stolen devices are encrypted, it's much harder for attackers to access the data
- Train your staff: Developing security awareness within your organisation is critical, especially with the rise in phishing attacks.
"This year's report once again demonstrates that there is no such thing as an impenetrable system, but often times even a basic defence will deter cybercriminals who will move on to look for an easier target," said Bryan Sartin, Verizon's executive director of global security services.
Sophos' security tips
Other security-related organisations give similar advice. Sophos senior security advisor John Shier said his top three online safety tips are:
- Keep all software up to date: Automatic updating makes that job easier
- Use multi-factor authentication: Even if a crook gets hold of your password, they'll also need the second factor. Two-step verification is good (such as SMS codes); two-factor authentication is best (such as a hardware token or biometric)
- Connect with care: Be suspicious of all emails you receive that contain attachments or links, especially the ones that urge you to act right away. Phishing emails are better than ever.
Stay Smart Online
The federal Department of Communications and the Arts' Stay Smart Online guide for small businesses also focuses on the basics, including:
- Tell staff to create a password using a phrase and replacing some letters with characters and numbers; for example, 'Be good, be wise' can be modified to B3g00db3w1$e
- Back up your data to a removable storage device such as a hard drive. Take your backup offsite or store it securely, like other important documents. Test your backup system regularly to ensure that it restores all information correctly
- Take responsibility for making your team understand information security, and include this in your business plan
- Set your systems to automatically update software
- Check that websites have a padlock symbol in the browser bar before entering information into them – this is the best indicator that your information is kept private as it is transmitted to and from the website. If your organisation does not control a network (such as public Wi-Fi), treat it as insecure.
Got the message?