
Hacking a risk to all businesses, no matter the size

15 Aug 16

Cyber security is an issue facing all businesses regardless of size, type or location.

That’s the stern word from Aura Information Security, which says the recent hacking of several New Zealand schools is a timely reminder about the importance of security.

Aura Information Security general manager Peter Bailey says that while schools may seem an unlikely target, they have resources and information that hackers find valuable. The same applies to most businesses in New Zealand.

“In the case of the schools hacking, it is possible that servers and storage may have been taken over by attackers. In addition, the personal information schools often hold may also have been used for ‘downstream’ crimes,” Bailey explains.

“When resources are taken over by hackers, they can be used to store contraband such as illegal digital content or to launch further hacking attacks on the information assets of other organisations,” he says.

Personal details, such as those contained in school systems, can be used by hackers to perpetrate identity theft. This data can then be used for crimes such as opening fraudulent lines of credit.

If the email accounts of senior school staff members are hacked, those individuals can be impersonated to request payments from the finance team for bogus invoices (this is also known as ‘CEO fraud’, where a message purportedly from the boss authorises a payment). Because the email appears quite legitimate, hackers often succeed.

Notably, Bailey says schools and small-to-medium businesses have something in common where security is concerned.

“They often have similar IT and security setups featuring weak passwords which are used for multiple services,” he says.

“This makes it relatively easy for hackers to ‘brute force’ the password. Brute forcing is a technique where hackers use a computer to automatically guess a password until they gain access.”

Is your business at risk?

According to Bailey, the short answer is yes.

“Like schools, small-to-medium businesses tend to focus on ‘why’ they might be hacked, often coming to the conclusion that they don’t have anything of particular value in terms of information assets,” Bailey says.

“This leads to the inevitable conclusion that information security doesn’t warrant priority.”

Bailey says nothing could be further from the truth, as the school hacking has demonstrated.

Information such as customer lists, trade secrets, financial and corporate data, and credit card information is valuable to hackers.

“Today, hackers aren’t generally breaching computer systems for mischief. Instead, they are looking for things that are relevant and which give them an advantage,” Bailey explains.

“This includes information such as credit card details which enables them to directly make money, or information and resources which help them indirectly hit payday,” he adds.

Because hackers make use of automated tools to run their attacks, any organisation at any time is at risk, says Bailey.

These tools scan the internet looking for vulnerable sites, whether a school or business and, in much the same way that a burglar will seek out the unlocked house, hackers pick the easy targets.

“Generally, if they find they can hack into one company using a certain type of malware, they will look for similar companies using the same malware. This is probably why multiple schools were hacked,” Bailey says.

Bailey says the lessons for all businesses are clear: use secure passwords backed by a strong policy.

“Use tools that securely generate passwords that don’t need to be remembered. Don’t use shared passwords, ever. And don’t allow repeated logins: if the password isn’t correct in three tries, block access (this stops ‘brute force’ attacks),” he says.

Most importantly, Bailey reminds organisations that good information security is about people.

“Know the signs of an attack and educate your staff,” he explains.

“Make them aware of the scams out there and make sure they know what to look out for.”
