Seeing through the jungle of dangers
In the jungle of digital dangers, you need more than just a flashlight. Cybersecurity must become a core business competence.

Because IT is a global business, the technical terms used when talking about cyber security and sources of danger are mostly English: AI-based phishing attacks, credential stuffing, web scraping, skewing, DDoS and DNS scrubbing, and so on. Just reading them can be a headache, at least if you're not familiar with the virtual world of data and communication. And this is often the case in smaller companies, because there is neither a head of security nor an IT manager; these services are usually outsourced to external experts and agencies, or you "muddle through" the issue as best you can. Both approaches have disadvantages: external agencies keep their expertise to themselves and thus create dependency. And "muddling through" yourself exposes you to the aforementioned dangers, about which you simply know too little and against which you therefore cannot protect yourself.
Sources of danger
To give you an idea of the dimensions, here is a brief summary of the threats mentioned: The term phishing (derived from "fishing") refers to attempts to impersonate a trustworthy communication partner via fake emails or websites. The aim of the fraudsters is to persuade Internet users to log in to fake advertising worlds, where they may leave behind confidential data such as passwords or user names.
Credential stuffing is an automated and frequently repeated cyberattack in which hackers use bots (from the English word "robot") in a largely automated attempt to access background data on a website. This is partly legal and desirable so that search engines can identify and publish the requested information. But there are also harmful methods of the process known as web scraping: data is misused, falsified or fed into the darknet.
Skewing attacks, the English verb to skew meaning to distort, also fit in with this. Attackers attempt to distort the information and statistics obtained via web analytics data, for example from Google Analytics. It is therefore not about data theft, but about the target companies being misled into making the wrong business decisions because of the manipulated data. And finally, DDoS; it stands for Distributed Denial of Service and describes cyber attacks that cause website outages by means of artificial and repetitive requests. So-called scrubbing services work against this, identifying such harmful traffic and preventing systems from being overloaded. And these are by no means all the dangers. How can small and medium-sized companies defend themselves against this?
Larger flashlight
The first step is to look more closely, because the theft or misuse of internal company digital information has become the most frequently reported fraud, far more so than physical theft. So whether a company has adopted cloud computing or only sends two or three emails a week, cyber security has become a core competency for even the smallest businesses. The key task for every responsible manager is therefore to create a culture of security.
Step 1 has already been mentioned several times in M&Q: regardless of which generation you belong to, you need to read up on the topic and get to grips with it. This does not mean that a manager has to understand or master everything, but that they have an overview of the topic, the external and internal influences, the opportunities and challenges, and any budgetary elements. If younger and more digital-savvy people in the team then take on certain tasks, that's perfectly fine. But the boss needs to know the big picture.
Safety culture
The first thing to do is to keep your system clean. This requires regular cleaning of old data, the latest security software and the installation of software updates as soon as they are available. Anti-virus software should be set up so that it automatically runs a scan after every update. This also includes the need to back up all company data at least once a week and store it off-site. The most important documents include personnel files, financial files, accounts receivable and accounts payable, as well as word processing documents. Anyone who does not do this is ultimately grossly negligent.
With the basic understanding gained through reading, a manager must now be able to define the basic security practices and guidelines for the company and its employees. These include clearly defined access rights to the system and to data, secure passwords, guidelines for using the Internet (including during free time spent in the office), and rules of conduct regarding company data and customer information.
Monitor accesses
Often underestimated: private mobile devices can also cause considerable security problems, especially if they contain confidential information or can access the company network. Employees should protect such devices with a password, encrypt the data or install security apps. The same applies to laptops, which can easily be stolen or lost. Each employee should have a separate user account, and the corresponding passwords should only be assigned by expert IT personnel.
The company's internal Wi-Fi network can also be a potential source of trouble. It should be encrypted, only accessible with a password and set up using a router so that the network name (SSID, the so-called service set identifier) is not transmitted.
Either way, all passwords are potential areas of attack: firstly, they must be created in a complex way. This means that they must be at least eight characters long and consist of four different types of characters (upper and lower case letters, numbers and special characters). Secondly, sensitive passwords should be changed every three months, including those for employees' private devices. And thirdly, there is the option of multi-factor authentication for sensitive data, which requires further information in addition to the password. Certain banks, for example, offer their customers such services.
Cybersecurity is a core competence - and it can only be properly illuminated with a powerful flashlight.
Author
Daniel Tschudy is a publicist, speaker and consultant in the hospitality sector. However, he also deals with other topics relating to the new dimensions of global cooperation.