Cyber criminals have upped their game, but small businesses can still put up a fight.

With the frequency and sophistication of cyber-attacks increasing year on year, maintaining the security of our data & systems, is a real concern and a key priority, and we must do this whilst maintaining open teamworking practices that are crucial in the modern construction industry.

The increasing lengths we go to secure our systems, not only benefit ourselves, but also the systems of the clients and consultants we work with.

With major corporations investing millions protect their systems, the weak link remains to be the users of the systems, along with smaller consultants & suppliers that work with these corporations.  The criminals know this, and in many cases, are more tech-savvy and on-game than many businesses.

To read more about how RGP’s Cyber Warrior, Nick Ioannou, works to secure the team’s data, click here.

Why Now?

This year we have seen the criminals up their game.  To reach the ‘big boys’, criminals are targeting the consultants they work with to infiltrate their email and send out ‘genuine’ messages to their contacts.  The recipient sees an email from someone they work with, which looks genuine, but the links or attachments will be malicious, and will often target finance or board directors, the people with access to the cash!  Though not a direct victim of this approach, we have seen the numbers of hacked emails from genuine contacts rocket in the last 6 months.

This is in addition to the endless fake CVs with javascript attachments, hundreds of bogus invoices, and not to forget your poor uncle, 40 times removed, who has suddenly passed on leaving you a small fortune!

What to look for?

If you didn’t expect an email, and the text doesn’t look quite right, it probably isn’t right.

Often there are no suspect attachments in the malicious emails, just hyperlinks to fake cloud file sharing solutions.  This makes it difficult for many security systems to detect that anything is wrong, and you are relying on users to make the right judgement call.  If they do click, the last few layers of security are the ones that need to kick in, but ideally, you want to stop these attacks earlier.

What do RGP do?

The reason most SMB’s end up in trouble is they spend too little, with the average being less than £1000 a year.  At present, we spend 10 times this which doesn’t include training.  Though this seems a lot, based on head count and the high risks at stake, the costs are less then a typical mobile phone contract.

To deal with the current threats, we take a layered security approach to provide the widest range of protection.

Where possible, we utilise cloud based services like email filtering, internet traffic inspection, and endpoint antivirus combined with patch management, to check as much as we can before it gets near our systems, and to make sure all known software vulnerabilities are removed as soon as they are patched.

Locally, limiting a user’s rights on a system, also restricts what some virus’ can do.  Using application whitelisting to define what software can run, limiting rights with privilege management, installing anti-ransomware & antivirus on the users computers, and running managed server security to protect our core data, all from behind a next-generation firewall, we can put up a good fight.

Given that a ransomware virus can put an office out of action and cause severe disruption for days, we signed up with a vendor for a fully managed security solution for all our servers, who will deal with any breaches or infections for us, giving us additional peace of mind.

Finally, and most importantly, train, train, train!  We brief the RGP family at least every quarter, with what’s new, what to look out for, and what to do if they suspect something has gone wrong.  Maintaining vigilance is key.

How do you know it is working?

We employ an external agency to undertake penetration tests, where they attempt to gain access to our systems.  The security assessment found no security vulnerabilities and the ‘surface area’ for an external attacker is NIL.

Also, our cloud services provide reporting of our systems against all their clients.  These show that total incidents and policy violations on our system are 80% lower than the average at 0.74%, whilst security threats are 94% lower, with a risk of 0.01%.

All good results, but no signal to sit-back and relax.

What Next?

Cybersecurity is an ongoing battle.  The solutions we have invested this year may not be up to the job this time next year, as the criminals change tactics on a regular basis, so layering up security solutions is our best approach.

It feels though like I’m wearing eight bullet proof vests and I’m hoping one of them stops the bullet, but often it’s the last layer and I’m getting nervous. Still the alternative is a lot worse because we are a stepping stone for the criminals to our clients.