Cyberattacks are becoming more prevalent, especially among small- and medium-sized businesses, said Kok Tin Gan, of PwC’s risk assurance practice in Hong Kong. He shared some key tips on how to better protect your business during a recent webinar.
GLOBAL REPORT—Cyberattacks have seen a sharp uptick in just the past two years, according to Kok Tin Gan, partner with PwC’s risk assurance practice in Hong Kong.
Gan, a self-described “professional hacker,” said attacks are especially common these days against small- and medium-sized businesses as hackers view them as “low-hanging fruit” due to their relative lack of investment in cybersecurity.
Speaking during a recent HFTP webinar, he noted that those businesses would be better served by creating more “layered-type defenses” against cyberattacks, whereas current defenses are geared more toward preventing attacks than toward detecting or reacting to breaches.
“There are complex issues,” he said. “In reality, there is not a single silver bullet that can solve this problem, so it’s about layering your cyber defenses.”
1. Invest in detection
Gan pointed to an example of a breached telecommunications company he worked with to highlight that often hackers will seek entry into systems and lie in wait while they learn more about businesses and how to exploit them.
This highlights the fact that very few companies invest in resources to help detect abnormal activity, focusing instead on things like firewalls and antivirus to prevent breaches.
“In the hacker world, antivirus and firewalls are considered 1980s defenses,” he said. “They’re outdated and a bit useless, but a lot of companies don’t modernize their defenses.”
2. Empower employees
An overreliance on IT staff for expertise is a common occurrence, and employee training to avoid potential issues goes a long way, Gan said.
“A lot of companies ask IT employees to do the protection,” he said. “In return, most of the attacks happen to be awareness issues. Make sure your people understand the importance of this, what types of attacks there are and what they need to do to protect themselves and the company.”
3. Embrace multifactor authentication
Gan said many businesses and employees don’t understand that a breach on a big public website, such as Yahoo, can expose their email and passwords that are often reused for accessing business systems. He said this is one reason why it’s important for businesses to implement multifactor authentication at log-ins to add a second layer.
“That way, even if your password is compromised, you still have that authentication put in place,” he said. “At least then that hacker still needs to get a hold of your second factor.”
4. Guard your entry points
Many companies are more interested in devoting cybersecurity resources to protecting things like internal servers with sensitive data, but it is just as important to “protect the endpoints,” Gan said.
“Most of the time it’s a desktop PC that connects to the internet … Because this is the first (point) those hackers will exploit or come in to, I’d suggest companies put more focus on that endpoint protection,” he said.
5. Protect against lateral movement
Businesses need to be careful that a hacker getting into one of their systems doesn’t give them access to all of their systems, Gan warned. Having different systems and servers interconnected and not protected internally can be dangerous, he said, noting companies need to protect against that sort of “lateral mobility.”
“You need to do more complex segregation to make lateral movement more difficult,” he said.
6. Hack yourself
At least once a year, companies should venture to hack into their own systems to try to highlight their vulnerabilities, Gan said.
“Do that at least once a year, but the more frequently you do it, the better it is for you,” he said.
7. Confirm banking changes
One of the reasons hackers will lie in wait with access to company systems is to observe how things like payment and banking protocols work, so they can create what seem like credible communications asking for banking changes to reroute payments to their accounts, Gan said.
“Because an attacker has been monitoring communications for a prolonged time, they can plant messages that are relatively accurate with the right tone to try to trick the person to remit money to an account,” he said.
Because of this, he suggested creating processes to double-check any requests for things like banking changes.
“If (the request) comes through email, I suggest you (double-check) outside the email channel, either through messaging apps or using the phone,” he said.