Four things hackers don’t want you to know

Hackers like to keep things hidden

It’s something of a cliché to say that hackers are shady types, often lurking in the shadows. Usually this is just a metaphor, though if you take stock imagery at face value, you’d be forgiven for thinking they only ever appear at night whilst wearing a hoodie. Like most clichés however, this contrivance does have an element of truth in it. The fact is that hackers often work just as hard to keep themselves and their tactics hidden as they do to find vulnerabilities to exploit. The more sneakily cyber criminals can carry out their attacks, the more successful they’ll be. Afterall, you can’t defend against an attack if you don’t know about it.

1. Your best security tool isn't technology, it's people

We’re starting the list with the most important. If this were a buzzfeed article I’d title it “one weird trick to increase your cyber security”. People are the heart of any business and it’s their actions in their day-to-day working life that can have the biggest impact on an organisation’s cyber resilience. That’s not to play down the necessity of technology – anti-virus and firewalls (etc) are still needed of course – but don’t overlook the importance of people.

Get ‘people security’ right, and you’ll embed a culture of security and trust within your organisation. Benefits of a cyber-vigilant workforce include:

• Social engineering attacks are more easily thwarted
• Security policies are taken seriously and followed
• BYOD devices are used more appropriately
• Applying secure configurations become second nature
• Security culture is more easily maintained

It works the other way too: people can be your greatest liability. Even advanced technical cyber controls can be undermined (wittingly or not) by human error. The quintessential examples here are clicking a dodgy link in a phishing email, or being fooled into opening a malicious MS Office document – both of which let hackers straight in.

The solution is one weird trick simple, cheap and effective: training. Train your staff to be aware of their security responsibilities and the cyber impacts of their actions. This will drastically increase your security posture and make successful cyber attacks much harder.

Though ‘training’ can often conjure up images of grey people armed with boring powerpoints, it doesn’t have to be this way. Bulletproof recently ran a Covid-safe virtual training exercise for a healthcare provider, and we made it hyper-engaging by gamifying it into red team vs blue team scenario. Showing the types of hacks people might experience in the real world gave context to the learning which boosted knowledge retention and, ultimately, made their organisation more secure.

2. A third of your critical security flaws are just missing updates

A critical security flaw is like an open door to a hacker. And as we discovered in our Annual Cyber Security Report, a whopping 32% of all critical flaws are just down to outdated components and missing patches. On one hand, that’s a huge opportunity for a low-effort cyber criminal to scan you and waltz into your corporate infrastructure. On the other hand, it’s also a huge opportunity for a quick-win fix that will significantly reduce your attack surface.

Don’t think you’re not a target or that you can stay hidden – hackers remotely run scans to find you and your security holes. In fact in last year’s Annual Cyber Security Report we uncovered that hackers can find you in as little as 32ms. That’s quicker than the blink of an eye.

The defence against this is simple: keep on top of your patching. This alone will reduce critical vulnerabilities by a third. Missing patches are easy to find. Any decent vulnerability scan will pick up these critical vulnerabilities arising from missing patches. Patch management isn’t always easy, especially for larger organisations, but it is always necessary.

As for the rest of your security vulnerabilities, conduct pen testing at least every year and run vulnerability scans at least every month. This will let you know about all types of security flaws in good time, allow you to remediate quickly – effectively closing the door on the hacker. Penetration testing is more affordable than ever, whilst vulnerability scans are quick and cheap, so you’ve got no excuses.

3. You can't hide in the cloud

Migrating to cloud services is often seen as a silver bullet for reliability, performance and security. And it can certainly go a long way to boosting all these compared to other options, but as our friendly compliance officers like to remind everyone, outsourced service is not outsourced responsibility.

As discussed in our 2021 Cyber Security Report, cloud services are not risk free and it’s down to you to ensure you’re secure. Cloud services are not hiding places and there’s still plenty of scope for cyber criminals to attack you:

• Cloud services, by their very nature, are generally accessible from anywhere with an Internet connection. This means there’s a larger number of potential hackers.
• The huge number of customisation options in cloud platforms means it’s easy to introduce security vulnerabilities through misconfigurations.
• The shared responsibility model, and the resulting grey areas, means many organisations don’t know who’s responsible for what, creating gaps in your security.

The solution is to realise that cloud security can’t be treated as an afterthought (well it can, but you’re going to get breached). Hackers love relying on complacency and oversight in order to gain access to corporate data – it makes their job so much easier. This is also why so many data leaks come from misconfigured cloud storage buckets.

The sudden shift to cloud tools and remote working in 2020 means that many organisations are actually operating outside the walls of their security investment. Now that the transformations to remote working have been completed, it is time to review your security policies, processes and technical controls. I’m not saying it’s going to be fun but it is necessary – and probably long overdue. To make your life easier, you can rely on trusted security providers for strategic elements, such as Bulletproof’s Office 365 security healthcheck. Bulletproof covered the topic of securing remote working in more detail here.

4. The less you comply, the more you can be hacked

Let’s face facts: security compliance standards exist for a reason. And that reason isn’t just to give your over-worked IT teams more stuff to worry about. Security compliance frameworks are the minimum you need to do to attempt to stay secure. Without best-practice fundamentals in place, you’re making life wildly easier for a hacker. For example, gaining Cyber Essentials certification is reported to prevent around 80% of the most common cyber attacks. Some standards are more involved than others and whilst the robust measures in ISO 27001 might be overkill for smaller organisations, there’s no excuse for even the tiniest startup not to be Cyber Essentials certified.

Cyber Essentials is a true universal security baseline, based on 5 simple best practices, and is backed by the NCSC. It’s very affordable and the protection it gives helps harden your business to opportunistic attackers. Cyber Essentials also has the added incentive of being a requirement for certain Government, NHS and MoD contracts.

Once you’ve got Cyber Essentials in place, make a plan to invest (and it is an investment, not an expense) in more involved standards, such as ISO 27001. One vital caveat to note is that if you’ve treated your compliance framework as a box-ticking exercise and aren’t practicing what you preach, you won’t be any more secure. Compliance is an on-going process.

Discover the solutions to your security challenges

The first step to good security is to realise the challenges in front of you. Much like Scrooge’s three ghosts, this includes fixing the mistakes of the past, analysing your security status quo, and investing in a secure future. Revealing these four things hackers don’t want you to know should go some way to helping you tackle all three on your journey to better security in 2021.