Why your business is not immune to cyber-attack

Why your business is not immune to a cyber-attack

Over the last few weeks, you may have heard about cyber-attacks against the Solarwinds and Microsoft Exchange platforms using “state sponsored” complexity (which means a particular government, from a particular country has sponsored the attacks).

Both of these technology giants are well funded and spend a great deal of money to create secure platforms for their customers to use across the globe.

And yet, they were still susceptible to cyber-attack.

The Solarwinds Attack

The attack on Solarwinds was aimed at a particular piece of software within the Solarwinds suite of products. While it’s not one that we use, it is common amongst big business and government organisations.

The attacker was able to gain access to the target’s systems, copy files, and basically view and steal whatever they found including 425 members of the US Fortune 500, the top ten US telecommunications companies, the top five US accounting firms, all branches of the US Military, the Pentagon, the State Department, and hundreds of universities and colleges worldwide.

The Microsoft Exchange Attack

If what happened to Solarwinds and their customers isn’t scary enough, in early March the widely used email platform Microsoft Exchange was targeted in a similarly widespread attack.

The cyber-criminals used a recently discovered security vulnerability that affected not only old versions, but also the latest version of its platform (Exchange 2019.)

Luckily for our clients, there are very few still using Exchange on premises and Microsoft 365 Online Exchange was not affected by the breach. 

If your IT providers systems are compromised, then you can be compromised

Just the other week, I heard of a local, Australian IT managed service provider that was affected in a similar way. Their systems were compromised, so the systems of their customers were compromised.
Talk about having a bad day!

The bottom line here, is that you never know the next target of a cyber-attack. 

It’s critical that you take every possible precaution to protect yourself.
We’ve said it many, many times before; if you do the basics, then there’s a good chance that they attackers will move on to the next, low-hanging fruit.
But in cases where there’s a zero-day vulnerability (which happens when an attacker discovers a vulnerability that the software developer hasn’t yet identified), or where the attack is highly sophisticated and targeted, using social engineering (like the sort of things you see in blockbuster spy films), it’s easy to feel like you don’t have a chance.

Always consider the worst-case scenario and use our tips to help protect your business

#1 – Don’t use email to send passwords or store credit card information.

Having your email compromised is one of the most likely avenues to data theft.

If all your emails are about what to do for the work Christmas party, then who cares? But if you’re emailing sensitive client information, credit card details or the password to your internet banking, then you’re in serious trouble should an attacker get access. 
 
#2 – Password protect any files in cloud storage

If you need to store important information in the cloud, then make sure the files have a different password on them. This means that even if someone managed to get access to your SharePoint or Dropbox account, they couldn’t easily open your critical files.

#3 – Just because it’s on the cloud doesn’t mean you don’t need backup

Your files and critical applications may all be online and in the cloud, but it’s still possible for them to be corrupted, stolen and encrypted.

Have a separate copy of all your critical data, wherever possible. In some cases this isn’t an option, but you should definitely be asking the question.
 
#4 – Archive your backups

Have an archive of your backups, so that even if the last 28 days of backups are lost or compromised you have another copy from the end of last month somewhere else. Yes, it’s far from ideal, but it’s definitely better than nothing. 

#5 – Test and document your backup plan

If a Solarwinds or Microsoft Exchange attack were to happen to you, then having a documented and tested plan in place will minimise the stress and reduce your downtime. If you don’t already have a plan in place, then it’s not too difficult to get one. All it takes is a bit of organisation and a good IT partner to help you. 

If you’re keen to know more about how to protect your business from cyber-attack, check out our article 15 Cyber Security Tips for Business. 

« Back to News