Alex Scott, CTO at ParagonEX and Chair of the Digital Forum at Isle of Man Chamber of Commerce
We all know that cybersecurity is important, but how do you know if the security measures you have in place are doing their job? Here are five signs that your IT setup needs some love and attention.
1. Your Password Looks L1k3Th15
We’re often told that passwords should contain special characters, numbers and both lower and uppercase letters. While this does have an impact on the security of the password, in practice it’s of little importance.
Take an 8-character password for example. If it’s numbers only – like 12345678 – a bog-standard computer can crack it instantly. If it uses numbers, uppercase and lowercase letters, and special characters, it takes longer to crack – about 8 hours. In other words, a complex 8-character password, on its own, is still useless against a security threat.
The point is, with a mind-boggling password, you might feel safer, but in reality you’re not. In the IT business we call this ‘security theatre’, which is the act of making people feel like they are safe without actually making them safer. Often, this security theatre has real costs. For example, you’re much more likely to forget a complex password, and so you and your IT team wastes time with a lot of password resets.
So what makes a password really secure? The answer is simple – length.
A nine-character password is exponentially harder to crack than an eight-character password. A ten character password is exponentially harder than a nine-character password. And so on. The longer you can make your password, the more secure it is.
A great way to create long passwords that you can remember is to create a passphrase – a series of three or more words. For example, the password Chewie-Banana-Odyssey (three words that, ahem, randomly occurred to me just now) is easy to remember, but would take a computer over a hundred quintillion years to crack by brute force.
Even better, you can use a password manager to create and store lengthy, unique passwords for every service that you use. Password managers are now built into Apple and Android devices and will even notify you if your password has been involved in a security breach in the past.
2. You change your password every 30 days
This is another great example of security theatre, which makes your life inconvenient without providing any real protection.
No argument for changing passwords on a regular basis stands up to scrutiny. The main reason is that if somebody has cracked your password, and so you change it – they can simply crack your password again! The act of changing the password on a regular basis inconveniences you more than the hacker, and costs your company more in wasted time and resources.
What would actually make a difference? Well – what if instead of needing only a password to access your account, you also needed something like your mobile phone? We call this two-factor authentication, and it is the best way to secure your account against hacking. The idea being – somebody could crack your password (something you know), but unless they also steal your phone (something you have), they can’t access your account.
Most websites and all workplace IT environments support two-factor authentication. Not using it is like leaving your doors unlocked – it’s a matter of when, not if, something bad happens.
3. You’re still using Windows 10
No, really! Windows 11 has been released for days now, what are you waiting for?
Well OK, Windows 11 is brand new at the time of writing, so you’d be forgiven if you hadn’t rolled it out to everybody yet. But you should have a plan. Keeping your systems up to date is one of the most important ways to protect against cyber threats. The majority of ransomware attacks that exist, for example, rely on users having outdated devices. The infamous WannaCry ransomware attack, which caused billions of dollars worth of damage to organisations including the UK National Health Service, only affected machines which were a year or more behind on their updates.
In the olden days, IT teams used to delay updating machines to ensure that nothing went wrong, no compatibility issues were introduced, and so on. Nowadays, security professionals overwhelmingly agree that the benefits of updating quickly vastly outweigh the risks.
Get it done, and don’t forget your personal devices either. Update all the things!
4. Nobody has ever tried to hack you before
Yes, they have.
No, really, they have. You just don’t know about it.
I have a personal website. It’s nothing special, just a few blogs and videos. Nonetheless, somebody tries to hack it every day. I know this because I have a firewall that fends them off, and tells me about it. It tells me what they are trying to do, so I can improve my defences.
If somebody tries to hack my personal website every day, you can guarantee that your business is being attacked every day. If you didn’t know that, it’s probably because you don’t have monitoring in place to tell you.
Pretty much everybody has antivirus and firewalls protecting them, but monitoring takes that to the next level – watching what is happening, and informing you when something is out of the ordinary, so you can do something about it. Monitoring can tell you if one of your employees’ passwords has been breached, if somebody is trying to attack your corporate website, or if an employee is looking at personal information that they shouldn’t have access to.
Monitoring is easily added to your corporate setup and if you don’t have it, you should get help.
5. Frogs sit on logs
Anybody with young children knows that cats sit on mats and frogs sit on logs, and that those are the rules. But if that’s where your knowledge of logs ends, then you need to talk to your IT team.
Imagine a situation where you have suffered a cyber attack. There are a million things to do, but a top priority is to find out how the attack happened, so that you can prevent it from happening again. Logs enable you to do that, by keeping a record of every little thing that happens on your devices and networks. If you don’t have the logs, you won’t have a record of how the attacker gained access to your systems, and what they did when they had access.
Somebody or something should be reviewing the logs on a regular basis for signs of suspicious activity. Don’t forget to keep backups of your logs. A clever attacker will delete the logs to cover their tracks, enabling them to come back and repeat the attack at a later date. They might also attack your backups, so be sure to store them in a way which is completely disconnected (‘air gapped’) from the rest of your infrastructure.
If any of these five things resonate for you, don’t worry. It’s National Cybersecurity Awareness Month, and on the 19th October the Villa Marina will play host to CyberIsle, a world-class cyber security conference. Come along to the conference for loads of practical advice for businesses small and large. Alternatively, reach out to us at the Chamber of Commerce – any of the members of our Digital Forum can signpost you to the help and support you need.
Interested in cyber security and all things digital? Chamber of Commerce’s Digital Forum is looking for new members. Visit https://www.iomchamber.org.im/about-iomcoc/committees-forums/digital/ to find out more.