Cyber Security Tips for Entrepreneurs and SMEs

Cybersecurity: What Are the Most Common Mistakes?

exali:
In your experience, what are the main mistakes companies make when it comes to cyber security?

Dominik Münsterer:
Underestimating the risk and not dealing with the topic of cyber security sufficiently. Often the thought is, "Why should someone want to hack me? There's nothing to get from me". But this is a misconception, because the danger of a cyber attack affects everyone without exception, and unfortunately this is now evident on a daily basis.

Mobile Devices as a Cyber Risk

exali:
Speaking of mistakes: It seems that the word has not yet got around that smartphones are computers, too. What security measures do you recommend for mobile devices such as smartphones or tablets?

Dominik Münsterer:
Exactly, smartphones and tablets can also be a major gateway into the company. With the following three measures, you can already reduce your risk enormously:

Use a Secure PIN:

This is probably the most trivial point: using a secure PIN - and one that you do not use for anything else, such as a bicycle lock or credit card. I recommend at least 8 numbers or, even better, a password consisting of upper and lower case letters and numbers/special characters. Because what many people don't realise: With the iPhone or iPad, the PIN alone is enough to steal the Apple ID and change the password. Attackers can then access all emails, documents, pictures, notes and so on.

Update Critical Apps Regularly

Very sensitive information such as Authenticator apps or access to cloud services like OneDrive or GoogleDrive is often accessible through the smartphone. It is therefore important to install the regular updates offered by manufacturers as quickly as possible. This prevents attacks that exploit vulnerabilities in the operating system.

Limit Apps to the Most Necessary

Although all apps in the Apple and Google App Stores are always reviewed, malicious apps still turn up from time to time. My tip: Limit the apps to the bare essentials and only download apps from trustworthy manufacturers, especially for security-relevant apps such as Authenticator, Mail or password managers.

In addition, you should not trust other people's devices, i.e. do not use other people's PCs or charging points for charging via USB. If you are not careful here, attackers can easily access all data. On a newer smartphone, the memory is also encrypted by default - if this is not the case, you should definitely activate the setting.

Cybersecurity Basics for Entrepreneurs

exali:
Regardless of whether you are a freelancer or a company: What do you think are the absolute basics that all entrepreneurs should implement in terms of cyber security?

Dominik Münsterer:
Cybersecurity is a very complex topic and the measures should be based on the risk and the individual possibilities. The following three measures already reduce the risk of cyber attacks considerably:

2-Factor Authentication:

The concept of 2-factor authentication (also known as 2FA or MFA) is that users are only authenticated if they are able to identify themselves using more than one principle. This might be a password and the possession of a certain smartphone. Since attackers now need both the password and the user's smartphone to log in, attacks from a distance are much more difficult. It is recommended to use so-called authenticator apps, which are now offered by almost all major platforms. After entering a password, users are shown a code on their smartphone that is valid for one minute and must also be entered. 2FA should be activated at least for security-critical platforms such as Microsoft 365, Amazon, Google, PayPal, etc.

Use Password Managers and Strong Passwords:

You expose yourself to an extremely high risk if you use the same password for several logins. Attackers now only have to crack one service and gain access to the entire infrastructure. Instead, it is advisable to use a password manager such as Bitwarden, which functions as a kind of "password vault" and generates secure passwords for each service. Such a password might look like this: v^5X^s4e#nz7FPEkV4ne

If you also use the corresponding app on your smartphone and the extension in your browser, you have access to the accounts everywhere and can have the password entered automatically and much faster. Since the password manager only suggests passwords if the correct page is open, the risk of phishing is also reduced. A great tool that also works on smartphones or while on the move is Bitwarden, for example. The classic password manager KeePass is also very secure, but somewhat less user-friendly.

Awareness

When all technical measures fail, you have to rely on people. In order to prevent breaches, you should get into the habit of always paying attention to at least the following things:

• Does the sender's email address match the name given (an email from Dominik Münsterer should not come from max.mustermann@gmail.com)?
• Do I know the sender of this email?
• Did I expect this email and does the context make sense?
• Is the link in the URL bar at the top really from Microsoft, Paypal etc. or does the URL look strange?
• Do I know the site I am downloading a file from and is it trustworthy?

Working Remotely and Cybersecurity

exali:
Freelancers in particular like to work remotely - are there additional cyber risks that I should be aware of?

Dominik Münsterer:
As soon as you operate your own network, you should of course immediately pay attention to its security. Especially with regard of open ports to the outside and access to the network (for example via VPN + 2FA). A backupping concept should then also be part of it, in order to be able to restore data that is lost. If a company operates its own network, security basics such as an intrusion detection/prevention system need to be used in order to at least detect/prevent conspicuous attacks immediately. Often firewalls already have such functionality.

You should start with a risk analysis in which you assess the protection needs of the respective system or network with regard to the following factors: confidentiality/integrity/availability. In this way, it can be determined which risks and which impact exist for which system.

Ransomware as a Cyber Risk

exali:
Ransomware is considered the greatest cyber risk for companies: Do you see it the same way and what makes ransomware so dangerous?

Dominik Münsterer:
Ransomware is definitely one of the biggest risks in the cyber sector. Particularly because ransomware has developed from a "classic" encryption Trojan into sophisticated malware. It no longer focuses only on encrypting data, but also uses other tactics such as exfiltrating sensitive information or destroying essential data. This can be seen in such recent cases as the car supplier Continental, where 40 terabytes of data were stolen in a ransomware attack, or the 60 gigabytes of data offered on the dark web that allegedly originated from a cyberattack on Deutsche Bank.

Software and Operating System Vulnerabilities as a Cyber Risk

exali:
Cyberattacks can also occur via security vulnerabilities in software or operating systems - is there a way - apart from regular updates - that I can protect myself against something like that?

Dominik Münsterer:
Yes, software vulnerabilities are a major attack vector that is unfortunately extremely difficult for small and medium-sized enterprises to get to grips with. In order to create a high level of security here, the problem must be approached from various places:

• Patch and vulnerability management: There must be regular checks to see whether the software used is up to date and has vulnerabilities that can be exploited.
• Penetration tests: Regular tests must be carried out to determine whether attackers can gain access to systems through various measures - this is done by a hacker with good intentions.
• Security monitoring: It must be checked continuously, i.e. 24/7, 365 days a year, whether suspicious actions are taking place on PCs, servers and networks and whether insecure protocols or ports are being used. If something like this is detected, competent security experts must analyse how the incident occurred and what the risk is now.

It is precisely because SMEs are struggling with this security risk that we at DeltaSecure offer all these services as part of our all-round carefree package.

Cybersecurity for Companies: Identifying Security Risks

exali:
With regard to cybercrime, you always read the statement: Once technical devices such as PCs or smartphones are used, 100 percent cybersecurity is impossible. Is that correct from your point of view or are there ways to make a system absolutely secure?

Dominik Münsterer:

Yes that is correct, no system is one hundred percent secure. Because if it is to be beneficial, it has to be accessed and used by people in some way, which offers opportunities for attack.

Potential security risks exist everywhere and the trick is to:

1.Identify the risk, i.e. understand that the risk exists.

2.Assess the risk, i.e. determine the likelihood of occurrence and the magnitude of the
   risk if it does occur.

3.Mitigate the risk, i.e. take measures to prevent the risk from occurring.

In order to minimise the identified risks, measures such as the use of 2FA, VPN access, backup concept, etc. can be used as mentioned above.

Identifying Cybercrime Attack Scenarios

exali:
At Deltasecure, you offer cybersecurity solutions for companies, but how exactly do you ensure that they work?

Dominik Münsterer:
In order to prevent cyber attacks, you have to understand how they operate. My colleagues and I bring with us experience that we have gained on a daily basis at many companies. Among them were, for example, highly vulnerable companies such as Commerzbank and KfW Bankengruppe.

Since we do not recognise attacks exclusively on the basis of a specific virus, but rather across the entire attack chain, we also detect new types of attacks in which individual tactics have been modified.

Here is a real example: A user receives a malicious e-mail and opens the Excel file in the attachment, which contains a macro. This macro is then used to download malware from the Internet, which persists on the system and exfiltrates and encrypts data three months later.

Since we use all available information from the email server, firewall, intrusion detection system, PCs, etc., we very quickly detect all tactics carried out:

• Suspicious email with attachment
• Opening the attachment, which originates from an email
• DNS and network requests from Excel Macro
• Writing a file downloaded from the Internet
• Opening this file
• Persistence of malware in the system and communication with servers on the Internet
• Encryption of data

This is, of course, only one example of many tactics, but it shows that attacks always follow certain patterns that can be broken down and for which connections can be made. Naturally, we keep up to date on the various tactics of cyber criminals and also test attack scenarios to see if we have recognised certain types - so far with very satisfactory results.

How To React In The Event Of A Cyberattack

exali:
How should I respond if I fall victim to a cyberattack?

Dominik Münsterer:
The first step should always be to get an overview: That is, to understand what has happened and the extent of the attack. If you have problems with this, an expert team like ours should be commissioned to determine this. Ideally, a so-called Emergency Response or Business Continuity Management Plan already exists, in which one has thought about how one should act under which conditions.

The next step should be to communicate with affected parties. These can be customers, suppliers or authorities who should or must be contacted due to exfiltrated personal data, for example. The last step should be to determine what led to the successful attack and how to prevent it in the future. A good approach here, but certainly before an attack, is to introduce an information security management system (ISMS) to create a structure for information security in the company.

Thank you very much for this interesting and in-depth interview!