Cyber Security Tips for Entrepreneurs and SMEs
Cybercrime ranks among the greatest risks for the business world and no longer affects only large corporations. At exali, we have also noticed that small and medium-sized companies in particular, but also entrepreneurs and freelancers, are increasingly becoming the target of cyber attacks. We talked to Dominik Münsterer, founder and CEO of DeltaSecure, a cyber security service provider, about how you can protect your business from cyber attacks, what you should look out for and how you should react in the event of an attack.
- Cybersecurity: What Are the Most Common Mistakes?
- Mobile Devices as a Cyber Risk
- Cybersecurity Basics for Entrepreneurs
- Working Remotely and Cybersecurity
- Ransomware as a Cyber Risk
- Software and Operating System Vulnerabilities as a Cyber Risk
- Cybersecurity for Companies: Identifying Security Risks
- Business Risk Cybercrime: How You Can Protect Yourself
- Identifying Cybercrime Attack Scenarios
- How to React in the Event of a Cyberattack
In your experience, what are the main mistakes companies make when it comes to cyber security?
Underestimating the risk and not dealing with the topic of cyber security sufficiently. Often the thought is, "Why should someone want to hack me? There's nothing to get from me". But this is a misconception, because the danger of a cyber attack affects everyone without exception, and unfortunately this is now evident on a daily basis.
Speaking of mistakes: It seems that the word has not yet got around that smartphones are computers, too. What security measures do you recommend for mobile devices such as smartphones or tablets?
Exactly, smartphones and tablets can also be a major gateway into the company. With the following three measures, you can already reduce your risk enormously:
Use a Secure PIN
This is probably the most trivial point: using a secure PIN - and one that you do not use for anything else, such as a bicycle lock or credit card. I recommend at least 8 numbers or, even better, a password consisting of upper and lower case letters and numbers/special characters. Because what many people don't realise: With the iPhone or iPad, the PIN alone is enough to steal the Apple ID and change the password. Attackers can then access all emails, documents, pictures, notes and so on.
Update Critical Apps Regularly
Very sensitive information such as Authenticator apps or access to cloud services like OneDrive or Google Drive is often accessible through the smartphone. It is therefore important to install the regular updates offered by manufacturers as quickly as possible. This prevents attacks that exploit vulnerabilities in the operating system.
Limit Apps to the Most Necessary
Although all apps in the Apple and Google App Stores are always reviewed, malicious apps still turn up from time to time. My tip: Limit the apps to the bare essentials and only download apps from trustworthy manufacturers, especially for security-relevant apps such as Authenticator, Mail or password managers.
In addition, you should not trust other people's devices, i.e. do not use other people's PCs or charging points for charging via USB. If you are not careful here, attackers can easily access all data. On a newer smartphone, the memory is also encrypted by default - if this is not the case, you should definitely activate the setting.
Regardless of whether you are a freelancer or a company: What do you think are the absolute basics that all entrepreneurs should implement in terms of cyber security?
Cybersecurity is a very complex topic and the measures should be based on the risk and the individual possibilities. The following three measures already reduce the risk of cyber attacks considerably:
The concept of 2-factor authentication (also known as 2FA or MFA) is that users are only authenticated if they are able to identify themselves using more than one principle. This might be a password and the possession of a certain smartphone. Since attackers now need both the password and the user's smartphone to log in, attacks from a distance are much more difficult. It is recommended to use so-called authenticator apps, which are now offered by almost all major platforms. After entering a password, users are shown a code on their smartphone that is valid for one minute and must also be entered. 2FA should be activated at least for security-critical platforms such as Microsoft 365, Amazon, Google, PayPal, etc.
Use Password Managers and Strong Passwords
You expose yourself to an extremely high risk if you use the same password for several logins. Attackers now only have to crack one service and gain access to the entire infrastructure. Instead, it is advisable to use a password manager such as Bitwarden, which functions as a kind of "password vault" and generates secure passwords for each service. Such a password might look like this: v^5X^s4e#nz7FPEkV4ne
If you also use the corresponding app on your smartphone and the extension in your browser, you have access to the accounts everywhere and can have the password entered automatically and much faster. Since the password manager only suggests passwords if the correct page is open, the risk of phishing is also reduced. A great tool that also works on smartphones or while on the move is Bitwarden, for example. The classic password manager KeePass is also very secure, but somewhat less user-friendly.
Login data is valuable - especially for cyber criminals. In this article, we have compiled some tips on the subject of passwords for you: 5 Tips for Good Password Management in Business
When all technical measures fail, you have to rely on people. In order to prevent breaches, you should get into the habit of always paying attention to at least the following things:
- Does the sender's email address match the name given (an email from Dominik Münsterer should not come from firstname.lastname@example.org)?
- Do I know the sender of this email?
- Did I expect this email and does the context make sense?
- Is the link in the URL bar at the top really from Microsoft, PayPal etc. or does the URL look strange?
- Do I know the site I am downloading a file from and is it trustworthy?
Freelancers in particular like to work remotely - are there additional cyber risks that I should be aware of?
As soon as you operate your own network, you should of course immediately pay attention to its security, especially with regard to open ports to the outside and access to the network (for example via VPN + 2FA). A backup concept should then also be part of it, in order to be able to restore data that is lost. If a company operates its own network, security basics such as an intrusion detection/prevention system need to be used in order to at least detect/prevent conspicuous attacks immediately. Often firewalls already have such functionality.
You should start with a risk analysis in which you assess the protection needs of the respective system or network with regard to the following factors: confidentiality/integrity/availability. In this way, it can be determined which risks and which impact exist for which system.
Digital nomadism as a life model is becoming increasingly interesting for many freelancers and entrepreneurs. In this article, we have summarised the potential risks - besides cyber security - that you should know about: Five Risks Self-Employed Digital Nomads Should Be Aware Of
Ransomware is considered the greatest cyber risk for companies: Do you see it the same way and what makes ransomware so dangerous?
Ransomware is definitely one of the biggest risks in the cyber sector. Particularly because ransomware has developed from a "classic" encryption Trojan into sophisticated malware. It no longer focuses only on encrypting data, but also uses other tactics such as exfiltrating sensitive information or destroying essential data. This can be seen in such recent cases as the car supplier Continental, where 40 terabytes of data were stolen in a ransomware attack, or the 60 gigabytes of data offered on the dark web that allegedly originated from a cyberattack on Deutsche Bank.
Cyberattacks can also occur via security vulnerabilities in software or operating systems - is there a way - apart from regular updates - that I can protect myself against something like that?
Yes, software vulnerabilities are a major attack vector that is unfortunately extremely difficult for small and medium-sized enterprises to get to grips with. In order to create a high level of security here, the problem must be approached from various places:
- Patch and vulnerability management: There must be regular checks to see whether the software used is up to date and has vulnerabilities that can be exploited.
- Penetration tests: Regular tests must be carried out to determine whether attackers can gain access to systems through various measures - this is done by a hacker with good intentions.
- Security monitoring: It must be checked continuously, i.e. 24/7, 365 days a year, whether suspicious actions are taking place on PCs, servers and networks and whether insecure protocols or ports are being used. If something like this is detected, competent security experts must analyse how the incident occurred and what the risk is now.
It is precisely because SMEs are struggling with this security risk that we at DeltaSecure offer all these services as part of our all-round carefree package.
With regard to cybercrime, you always read the statement: Once technical devices such as PCs or smartphones are used, 100 percent cybersecurity is impossible. Is that correct from your point of view or are there ways to make a system absolutely secure?
Yes, that is correct, no system is one hundred percent secure. Because if it is to be beneficial, it has to be accessed and used by people in some way, which offers opportunities for attack.
Potential security risks exist everywhere and the trick is to:
1. Identify the risk, i.e. understand that the risk exists.
2. Assess the risk, i.e. determine the likelihood of occurrence and the magnitude of the risk if it does occur.
3. Mitigate the risk, i.e. take measures to prevent the risk from occurring.
In order to minimise the identified risks, measures such as the use of 2FA, VPN access, backup concept, etc. can be used as mentioned above.
A cyberattack has several implications: on the one hand, there is the damage to your own business, such as business interruption, reputational damage and high costs for repairing or restoring your damaged systems, programmes or data. On the other hand, there is the potential damage that the cyberattack on your business causes to your customers.
Professional Indemnity Insurance: Coverage against Cyber Third-Party Damages
If your clients or customers suffer damage as a result of a cyber attack on your business, this is called third-party cyber damage. This type of damage is generally covered by Professional Indemnity Insurance through exali.
Cover Cyber Risks
The damage caused to your business by a cyber attack is called cyber first-party damage. To cover this type of damage, exali offers the add-on First-Party Cyber and Data Risks Insurance (FPC).
This can be added to Professional Indemnity Insurance and protects your business against the incalculable risks of hacker attacks, cyber blackmail, DoS and DDoS attacks or other cyber crime. What makes it special: In addition to the costs for repairing or restoring your IT systems, programmes or data, the insurer also covers the costs for PR and crisis management, specialised lawyers and computer forensics specialists.
Identifying Cybercrime Attack Scenarios
At DeltaSecure, you offer cybersecurity solutions for companies, but how exactly do you ensure that they work?
In order to prevent cyber attacks, you have to understand how they operate. My colleagues and I bring with us experience that we have gained on a daily basis at many companies. Among them were, for example, highly vulnerable companies such as Commerzbank and KfW Bankengruppe.
Since we do not recognise attacks exclusively on the basis of a specific virus, but rather across the entire attack chain, we also detect new types of attacks in which individual tactics have been modified.
Here is a real example: A user receives a malicious e-mail and opens the Excel file in the attachment, which contains a macro. This macro is then used to download malware from the Internet, which persists on the system and exfiltrates and encrypts data three months later.
Since we use all available information from the email server, firewall, intrusion detection system, PCs, etc., we very quickly detect all tactics carried out:
- Suspicious email with attachment
- Opening the attachment, which originates from an email
- DNS and network requests from Excel Macro
- Writing a file downloaded from the Internet
- Opening this file
- Persistence of malware in the system and communication with servers on the Internet
- Encryption of data
This is, of course, only one example of many tactics, but it shows that attacks always follow certain patterns that can be broken down and for which connections can be made. Naturally, we keep up to date on the various tactics of cyber criminals and also test attack scenarios to see if we have recognised certain types - so far with very satisfactory results.
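The chain described above is what a correlation rule has to stitch together from separate telemetry sources. The following Python sketch is an added example and not DeltaSecure's detection logic: it maps constructed events from mail gateway, endpoint, DNS and firewall logs onto the stages of that chain per host and alerts once several stages line up, so a modified or missing link does not defeat detection. Event field names, hostnames and paths are invented for the example.

```python
from collections import defaultdict

# Chain stages from the example above, in attack order; detection does not require all of them.
STAGES = ["suspicious_mail", "attachment_opened", "office_network", "file_dropped",
          "dropped_file_run", "persistence", "beacon", "mass_encryption"]


def stage_of(e: dict):
    """Map one telemetry event (mail gateway, EDR, DNS, firewall) to a chain stage, or None."""
    t, proc, parent = e["type"], e.get("process", "").lower(), e.get("parent", "").lower()
    if t == "mail" and e.get("attachment", "").lower().endswith((".xls", ".xlsm")):
        return "suspicious_mail"
    if t == "process_start" and proc == "excel.exe" and parent == "outlook.exe":
        return "attachment_opened"
    if t in ("dns", "netconn") and proc == "excel.exe":
        return "office_network"          # a spreadsheet has no business resolving hosts
    if t == "file_write" and proc == "excel.exe" and e["path"].lower().endswith((".exe", ".dll")):
        return "file_dropped"
    if t == "process_start" and parent == "excel.exe":
        return "dropped_file_run"
    if t == "registry_set" and "\\currentversion\\run" in e["key"].lower():
        return "persistence"
    if t == "netconn" and e.get("beacon"):
        return "beacon"                  # periodic outbound traffic flagged by the firewall
    if t == "file_rename" and e.get("count", 0) >= 500:
        return "mass_encryption"         # burst of renames typical of encryption
    return None


def correlate(events: list, min_stages: int = 3) -> dict:
    """Collect stages per host; alert when at least `min_stages` of the chain are present."""
    seen = defaultdict(set)
    for e in events:
        s = stage_of(e)
        if s:
            seen[e["host"]].add(s)
    return {h: [s for s in STAGES if s in st] for h, st in seen.items() if len(st) >= min_stages}


# Constructed sample telemetry: PC-07 follows the chain over three months; PC-12 shows one benign-looking lookup.
SAMPLE_EVENTS = [
    {"ts": 1, "host": "PC-07", "type": "mail", "attachment": "Rechnung_0815.xlsm"},
    {"ts": 2, "host": "PC-07", "type": "process_start", "process": "EXCEL.EXE", "parent": "OUTLOOK.EXE"},
    {"ts": 3, "host": "PC-07", "type": "dns", "process": "EXCEL.EXE", "query": "update.example.net"},
    {"ts": 4, "host": "PC-07", "type": "file_write", "process": "EXCEL.EXE", "path": r"C:\Users\u\AppData\Local\Temp\upd.exe"},
    {"ts": 5, "host": "PC-07", "type": "process_start", "process": "upd.exe", "parent": "EXCEL.EXE"},
    {"ts": 6, "host": "PC-07", "type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"},
    {"ts": 7, "host": "PC-07", "type": "netconn", "process": "upd.exe", "beacon": True},
    {"ts": 7_776_000, "host": "PC-07", "type": "file_rename", "count": 12_000},
    {"ts": 3, "host": "PC-12", "type": "dns", "process": "EXCEL.EXE", "query": "office.example.com"},
]
```

Running `correlate(SAMPLE_EVENTS)` yields an alert for PC-07 with the full ordered chain, while PC-12's single Excel lookup stays below the threshold and is only worth a look once further stages appear.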
How should I respond if I fall victim to a cyberattack?
The first step should always be to get an overview: That is, to understand what has happened and the extent of the attack. If you have problems with this, an expert team like ours should be commissioned to determine this. Ideally, a so-called Emergency Response or Business Continuity Management Plan already exists, in which one has thought about how one should act under which conditions.
The next step should be to communicate with affected parties. These can be customers, suppliers or authorities who should or must be contacted due to exfiltrated personal data, for example. The last step should be to determine what led to the successful attack and how to prevent it in the future. A good approach here, but certainly before an attack, is to introduce an information security management system (ISMS) to create a structure for information security in the company.
Thank you very much for this interesting and in-depth interview!
Dominik Münsterer is the managing director of DeltaSecure GmbH and looks back on extensive experience in cyber security, gained daily in consulting and development of civil and military security solutions from SMEs to large corporations. He is also a certified ISO27001 Lead Auditor for Information Security.
You can find more about DeltaSecure here: deltasecure.de
Daniela has been working in the areas of (online) editing, social media and online marketing since 2008. At exali, she is particularly concerned with the following topics: Risks through digital platforms and social media, cyber dangers for freelancers and IT risk coverage.
In addition to her work as an online editor at exali, she works as a freelance editor and therefore knows the challenges of self-employment from her own experience.