Activities that can stop cyber-attacks
There are three possible phases to a cyber-attack - pre-compromise, compromise and post-compromise. Within these phases, there are seven stages. These stages represent a chain of events that must occur for a successful attack to take place. As the chain is linked, stopping the cyber-attack at any stage in the chain ends the attack.
Pre-Compromise phase
The first phase of a cyber-attack is the ‘pre-compromise’ phase. It includes activities up to and including the point at which the attack is delivered. Within this phase, there are three stages:
- reconnaissance
- weaponisation
- delivery
Activities that stop cyber-attacks during the pre-compromise phase
‘*’ - the top four strategies the Australian Signals Directorate considers will mitigate over 85 per cent of targeted cyber intrusions.
‘^’ - cyber strategies specifically recommended by the Australian Cyber Security Centre (ACSC) for small businesses
Reconnaissance
The cyber-criminal identifies, selects, and profiles potential targets. For example, with a trojan attack this activity would include harvesting email addresses and social media information to find and profile targets.
Monitor website traffic
Monitoring website traffic will alert you as to whether your website is being used to gather information or to establish weaknesses in its configuration prior to a cyber-attack.
A popular tool here is Google Analytics, which is free and provides alerts for suspicious website traffic. You may wish to engage a professional monitoring service for this.
Firewall with access control list
For an SME with its own network, a firewall with an access control list is a simple and necessary tool that denies network access to cyber-criminals whilst allowing users to reach the internet-enabled resources they need. The access control list records the usernames and passwords used to access the network through the firewall.
A software-based firewall installed on a personal computer protects only that computer: it prevents applications from accessing it unless they are approved or trusted.
SMEs with their own network should ensure that the network itself is protected. It is best that the firewall be a dedicated device; usually this is a modem, firewall or router (or a combination).
Most firewalls are integrated into internet modems and routers and offer at least adequate protection if properly implemented. Such a firewall should be implemented, configured, and maintained professionally.
Weaponisation
The cyber-criminal builds the cyber weapon to be used. Their aim is to minimise the risk of detection and investigation. For example, with a trojan attack they might select, tailor or develop malware that uses known issues with the victim’s systems.
Your business has quite likely already been targeted through cyber-attacks in the reconnaissance stage without your knowing. These first two stages of a cyber-attack have a light touch and are easily missed.
Network Intruder Detection System (IDS)
A Network Intruder Detection System (IDS) detects whether unauthorised users have accessed the network. These systems provide an alert when user activity deviates from the norm, or the pattern of usage matches known attack patterns. The IDS is a valuable tool for checking a large network and can show when a cyber-criminal is exploring the network for potential vulnerabilities.
Although an IDS is an effective tool in managing cyber-attacks, it can be expensive, as it requires specialist skills to implement, maintain and monitor, and it is better suited to a large network. An IDS is likely less relevant for an SME managing its own network infrastructure.
However, an IDS is an important consideration when selecting an external service provider for network services.
Network Intruder Prevention System (IPS)
Instead of detecting unauthorised users, a Network Intruder Prevention System (IPS) denies access to unauthorised users of the network. An IPS prevents the intruder from accessing the network by reporting, blocking, and/or dropping the user from the network.
Although an effective tool in managing cyber-attacks, an IPS can be expensive, as it requires specialist skills to implement, maintain and monitor. An IPS is less relevant for an SME managing its own network infrastructure.
However, an IPS is an important consideration when selecting an external service provider for network services.
Delivery
The cyber-criminal transmits the cyber weapon to the victim’s environment. There is an increased chance of detection, as the activity is more likely to be noticed. The cyber-criminal has several options for delivering their malicious payload, for example email, the web or a USB drive. At the end of this stage, unless detected, the cyber-criminal is ready to start their attack.
Patch applications*^
It is also critical to keep your software up to date by applying patches to applications as they are released.
Many applications can be set to update (or ‘patch’) the software automatically and regularly. Doing so will remove a key means by which cyber security attacks are conducted.
User awareness and regular cyber security training^
Your employees and contractors need to be sceptical and aware of the risks of cyber-attack. Employees are often the first to be affected by a cyber-attack. Subtle symptoms might include their computer being slower than usual or receiving a suspicious scam email.
Employees should be encouraged to develop user awareness and undertake regular cyber security training. As part of this, your employees should be offered training to know how to recognise suspicious links and attachments. It may be useful to share examples of scam messages to help them identify cyber security threats.
Users should also understand how to regularly update their own personal devices with the most recent system and application software.
This training and the development of a strong cyber security culture changes habits. Users need to be more sceptical of sharing information with others (including through social media) and be careful with using technology. The development of personal discipline and good habits will ensure that data is managed with care and respect.
To reduce the risk of confidential data being inadvertently shared with the wrong address or forwarded to others, businesses could use an authenticated sharing service and a secure portal with a strong and secure password. That way, if an email is sent to the wrong address, you can prevent unauthorised access to that information. This can be easily done using, for example, shared links with passwords on Dropbox and OneDrive.
Upgrade devices and software^
You should upgrade devices and software when they go out of support. If the operating system or software on a device can no longer be upgraded, or the software no longer receives active updates, there is no way to close newly discovered security weaknesses.
This is particularly relevant for older Android or iPhone mobile phone devices that no longer receive system updates. You should also be wary of buying a new phone that uses an out-of-date version of Android.
Strong passwords^
Ensure that users have complex passwords and change all devices from their default passphrases.
Good passwords or passphrases are long, unpredictable, and unique. The Australian Cyber Security Centre suggests aiming for a password or passphrase that is at least 14 characters long. To aid with passwords that are used regularly, consider using a random mix of unrelated words as a passphrase so that they are memorable for the individual, but not easily guessed. Passwords should be unique and not re-used on other accounts.
It's hard to remember all those passwords - so stop trying and use a password manager instead. A password manager such as LastPass or 1Password works with your phone and tells you which of your passwords are weak or have been compromised. It can also help you with creating secure and unique passwords on all your accounts.
Cyber-criminals know that many people use the same password in various places. Even when the password is known to be compromised, many people do not change the password on all the sites they use. Users can check whether their password has been compromised with the ‘haveibeenpwned’ (http://www.haveibeenpwned.com) or ‘IntelligenceX’ (http://intelx.io) websites.
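As an added illustration (not part of the original guide), the following Python script shows how the ‘haveibeenpwned’ check can be done without the password itself ever leaving the machine: only the first five characters of its SHA-1 hash are sent to the service’s range API, and the match is made locally. The sample API response and the breach count in it are constructed; the 14-character minimum is the ACSC figure quoted above.

```python
# Added example (not from the original guide): check a password against the
# haveibeenpwned "Pwned Passwords" range API using its k-anonymity scheme.
# Only the first five hex characters of the SHA-1 hash are sent; the API
# returns every hash suffix sharing that prefix and the match is made locally.
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"
MIN_PASSPHRASE_LENGTH = 14  # the ACSC guidance quoted in the text


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the API and the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, body: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line) and return how many
    times the password was seen in known breaches (0 if absent)."""
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Retrieve the hash range for a prefix from the live API (needs network)."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "sme-password-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str, fetch=fetch_range) -> dict:
    """Report whether the password meets the length guidance and how many
    breach occurrences the API reports. `fetch` is injectable so the logic
    can be exercised offline with a constructed response."""
    prefix, suffix = sha1_prefix_suffix(password)
    return {
        "long_enough": len(password) >= MIN_PASSPHRASE_LENGTH,
        "breach_count": count_in_range_response(suffix, fetch(prefix)),
    }


# Constructed response for an offline demonstration. The second line carries
# the real SHA-1 suffix of the word "password" with a made-up count.
SAMPLE_RESPONSE = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9999999",
    "011053FD0102E94D6AE2F8B83D76FAF94F6:1",
])

if __name__ == "__main__":
    # Offline run against the constructed response; swap in fetch_range to
    # query the live service.
    print(check_password("password", fetch=lambda prefix: SAMPLE_RESPONSE))
```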
Application control*
Application control allows a business to define an ‘allow list’ so that only authorised software applications can run on its systems. This approach is the opposite of common anti-virus software, which uses a ‘deny list’ of software that cannot run.
Only allowing authorised applications to run is restrictive and an inconvenience for some users, but most users only need to use a small set of easily identified applications.
On Microsoft’s Windows Pro or Enterprise Edition for Windows 10 or Windows 11, the allow list capability is part of Windows Defender Application Control. Other third-party applications are available to create an allow list if you do not have these versions of Windows.
On macOS, application control is usually achieved by limiting applications to only those listed on the App Store as part of the Security & Privacy settings.
Proxy filter
A proxy filter acts as a gateway to your network that checks for malicious communication both in and out of your organisation. It blocks your users from accessing known unsafe websites. This is helpful to protect against phishing attacks where a cyber-criminal sends a website link that masquerades as a legitimate website.
With content filtering enabled, proxy filtering can also block access to websites that contain listed keywords.
Anti-virus software
Automatically updated anti-virus software is essential. Preferably, this software should use heuristic analysis to recognise viruses and infected software that is not yet known as well as definition files for known viruses.
Microsoft Office macro settings
Another option that can prevent malicious software from running is to configure Microsoft Office macro settings so that macros do not run. Macros (written in Visual Basic for Applications) in Microsoft Office are useful and relatively simple, but they may be exploited in cyber-attacks. At the least, macros should be blocked so that only approved macros run.
In the web versions of the Microsoft Office 365 applications, macros cannot be created, edited or run; this is only possible in the desktop versions.
Harden user applications
Unlike application controls (‘allow’ and ‘deny’ application lists) that prevent applications from executing, user application hardening allows applications to run only within defined boundaries. User application hardening may also mean the removal of software that is not needed to reduce risk exposure to weaknesses in that program.
Application hardening aims to remove features from applications that make the computer more vulnerable to cyber-attack.
Email content filtering (anti-spam)
Through email content filtering you can detect and quarantine phishing emails that pretend to be from legitimate senders.
Most SMEs are unlikely to have their own email server and be managing their own email domain. They are more likely to receive emails through an external service provider or website provider.
Most SMEs will be unlikely to implement and administer their own email content filter. However, the availability of an email content filter is an important consideration when selecting an email service provider.
Block unapproved cloud computing services
You should block unapproved cloud computing services (including personal webmail) to prevent data being lost through outbound web and email services. Alternatively, instead of blocking such access, you can log the use of the service and record the recipient, size and frequency of outbound emails. You may also block and log outgoing emails containing sensitive keywords or data patterns considered too sensitive for the recipient’s email address.
The ability to block unapproved cloud computing services may be an important consideration for you when selecting an external service provider for internet access.
Compromise (during) phase
The second phase of a cyber-attack is ‘Compromise’. This includes activities necessary to compromise the victim’s systems. The stages of this phase are:
- exploitation
- installation
The first sign of a cyber-attack that many businesses receive is when the cyber-criminal triggers the malicious payload in their environment. When your systems are being compromised in this way, the emphasis is on stopping the cyber-criminal from triggering the cyber-weapon. These are mostly passive controls designed to mitigate the impact of the malicious payload.
Activities that stop cyber-attacks during the Compromise phase
‘*’ - the top four strategies the Australian Signals Directorate considers will mitigate over 85 per cent of targeted cyber intrusions.
‘^’ - cyber strategies specifically recommended by the ACSC for small businesses
Exploitation
The cyber-criminal triggers the malicious payload in the victim’s systems with the goal of creating a platform for a sustained and ongoing cyber-attack. In the example of a trojan attack, this stage occurs when the cyber-criminal executes the trojan code on the victim’s system to exploit its vulnerabilities.
Patch Operating Systems*^
As with applications, security weaknesses are often discovered in operating systems. The suppliers of these operating systems require users to regularly patch operating systems to keep them up to date.
Automatically updating the operating system defends against many cyber-attacks.
If the operating system is patched and up to date, then it is likely that the malicious payload is unable to use the vulnerabilities of the operating system and so its impact is greatly reduced.
Host-based Intruder Detection System (HIDS)
A Host-based Intruder Detection System (HIDS) detects whether an unauthorised user has accessed your data on a specific server or computer. However, the HIDS is focussed on an individual server host, not the network.
An alert from the HIDS can provide an early indication that an important server or host is under attack.
Managing a HIDS is likely less relevant for an SME that manages its own server infrastructure due to the expense and need for specialist skills. However, a HIDS is an important consideration when selecting an external service provider for online services.
Installation
The cyber-criminal aims to preserve access to the existing cyber weapon already delivered and install more cyber weapons and payloads onto the victim’s systems. For a trojan attack, they might use the trojan to download further malware. At the end of this stage, the victim’s systems are so compromised that the cyber-criminal can take over completely.
Restrict administrative privileges*
Administrator privileges should only be given to end users on an as-needs basis; otherwise, the probability increases of a cyber-criminal gaining the ‘keys to the kingdom’ and being able to corrupt the computer itself.
At the least, the main day-to-day user account used on the device should be kept separate from the administrator user account for the installation of software on the device.
Multi-factor authentication^
A strong password is a necessary step in securing your systems, but multi-factor authentication when logging onto computer systems provides greater security that the user is authorised. When using multi-factor authentication, the user needs another ‘factor’ in addition to the password for their account (particularly for ‘privileged actions’ on the computer such as installing software).
These factors might include, for example, a separate PIN attached to your mobile phone, a physical USB token, or a fingerprint scan in combination with a password to access your devices.
Anti-virus
As discussed above, automatically updated anti-virus software is essential. Preferably, this software should use heuristic analysis to recognise viruses and infected software that is not yet known as well as definition files for known viruses.
The heuristic analysis capabilities of anti-virus software can limit the ability of infected software and the malicious payload to spread to other machines on the network.
Host-based Intruder Detection System
As discussed above, a Host-based Intruder Detection System (HIDS) detects whether unauthorised users have accessed your data on a specific server or computer. During installation of cyber-weapons, an alert from this system can also provide a sign that the network is under attack.
Again, managing a HIDS is likely less relevant for an SME that manages its own server infrastructure due to the expense and need for specialist skills. However, a HIDS is an important consideration when selecting an external service provider for online services.
Post-Compromise phase
The third phase of a cyber-attack is the ‘post-compromise’ phase. In this phase, the cyber-criminal takes control of the victim’s systems to achieve their objectives. The stages in this phase are:
- command and control
- action on objective
If your systems have been compromised, the emphasis must be on stopping the cyber-attack from giving the cyber-criminal permanent access to your data. These are passive controls designed to prevent delivery of the ‘cyber weapon’. As the systems are compromised in this phase, you will likely need professional assistance.
Activities that stop cyber-attacks during the post-compromise phase
‘*’ - the top four strategies the Australian Signals Directorate considers will mitigate over 85 per cent of targeted cyber intrusions.
‘^’ - cyber strategies specifically recommended by the ACSC for small businesses
Command and control
The cyber-criminal sets up their own connection with the compromised system to ensure complete control. For a trojan attack, this would allow the cyber-criminal to remotely manipulate their victim.
Access Control List^
An Access Control List can be used to ensure that there are no usernames that are used day-to-day with administrative privileges by default. You should regularly review the access your users have to digital files and folders, be sure that no passwords are shared between users, and remove accounts that are no longer needed.
As a rule, users should only be provided with access to resources on the network where the users need that access to do their job.
Regular backup of important data^
You should make a regular backup of the important data on your network – preferably, at least daily. This backup should be made even if you use a cloud storage provider. You should consider what data you can afford to lose in a worst-case scenario to guide you in how often you backup your data.
The more automated this backup can be, the better – anything that requires manual intervention is likely to be skipped on occasions. However, off-line, incorruptible, and disconnected backups – that cannot be encrypted by malware – are a key corrective control that stops the malware from encrypting your ‘live’ data as well as the backed-up data.
Although off-line backups are often difficult to automate, they are important as they provide the possibility of a recent, uncorrupted back-up to restore your data if you find yourself the victim of a ransomware attack.
As part of regularly backing up your important data, you should also regularly evaluate the backup process to be certain that it is working.
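As an added illustration (not part of the original guide) of evaluating a backup to be certain it is working, the following Python script records a SHA-256 manifest of the live files when a backup is taken and later checks the backup copy against it, so a missing or altered file is reported before the day you need to restore. The directory layout, file names and contents in the demonstration are constructed.

```python
# Added example (not from the original guide): a minimal check that a backup
# is restorable. A manifest of SHA-256 hashes is written when the backup is
# taken; verify_backup() later reports any file that is missing or whose
# contents changed (e.g. a copy that ransomware managed to encrypt).
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "backup-manifest.json"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_backup(source: Path, backup: Path) -> dict:
    """Copy every file under `source` into `backup` and write a manifest of
    relative path -> SHA-256 beside the copies. Returns the manifest."""
    manifest = {}
    for file in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = file.relative_to(source).as_posix()
        dest = backup / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(file, dest)
        manifest[rel] = sha256_of(file)
    (backup / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(backup: Path) -> list[str]:
    """Return problems ('missing: x', 'changed: x'); an empty list means the
    backup still matches the manifest written when it was taken."""
    manifest = json.loads((backup / MANIFEST_NAME).read_text())
    problems = []
    for rel, expected in manifest.items():
        copy = backup / rel
        if not copy.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(copy) != expected:
            problems.append(f"changed: {rel}")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Round trip in a temporary directory with constructed files. Returns
    (problems before tampering, problems after tampering)."""
    with tempfile.TemporaryDirectory() as d:
        src, dst = Path(d) / "live", Path(d) / "backup"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "invoice.txt").write_text("amount due: 100")
        (src / "notes.txt").write_text("hello")
        take_backup(src, dst)
        before = verify_backup(dst)
        (dst / "docs" / "invoice.txt").write_bytes(b"ENCRYPTED")  # simulate tampering
        (dst / "notes.txt").unlink()                                # simulate loss
        after = verify_backup(dst)
    return before, sorted(after)


if __name__ == "__main__":
    print(demo())
```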
Network Intruder Detection System (IDS)
As discussed above, a Network Intruder Detection System (IDS) detects whether unauthorised users have accessed the network. Managing an IDS is likely less relevant for an SME that manages its own server infrastructure due to the expense and need for specialist skills.
However, an IDS is an important consideration when selecting an external service provider for online services.
Audit and secure devices on the network^
If you have a network with your own IT servers on it, you should audit and secure the devices on your network and any internet-exposed services, such as remote desktop access, email hosting or cloud storage.
If you are not sure how to do this, you will likely need to engage an IT professional. Doing this regularly acts as a catch-all in case a cyber-criminal installs devices on your network. For example, a keylogger captures your keystrokes (especially your passwords) and sends the typed characters to the cyber-criminal.
Network Intruder Prevention System (IPS)
As discussed above, a Network Intruder Prevention System (IPS) denies access to unauthorised users of the network. Although an effective tool in managing cyber-attacks, an IPS can be expensive, as it requires specialist skills to implement, maintain and monitor. An IPS is likely less relevant for an SME managing its own network infrastructure.
However, an IPS is an important consideration when selecting an external service provider for network services.
Action on objective
The cyber-criminal takes their final steps to steal or destroy data on the victim’s systems. In a trojan cyber-attack, the cyber-criminal might use their system access to steal or destroy data on the victim’s systems.
Review of log files
The review of computer log files can flag whether the SME’s systems are compromised and under the control of a cyber-criminal. All information systems can be configured to record log files of the actions taken on them. For example, relevant log files would record who accessed your hosts and servers, database activities and actions taken by individual users. Log files would also record application activities, changes to system configuration and events from security devices.
The configuration and regular review of log files by an IT professional might show whether your systems are compromised. These log files will also be a source of guidance for reconfiguring and improving cyber security into the future. Again, professional advice is likely important here.
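As an added illustration (not part of the original guide) of what a log review can surface, the following Python script reads server login records of the kind described above and flags two patterns worth a closer look: a burst of failed logins from one address, and a successful login from an address that had just been failing repeatedly. The log lines, host name, user names and addresses are constructed; the format follows the common sshd syslog style with a year added so the timestamps parse.

```python
# Added example (not from the original guide): review constructed SSH login
# log lines for a burst of failures from one address and for a success that
# follows such a burst (a possible guessed password). Everything below is
# sample data written for this illustration.
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
2024-05-06 02:14:01 host1 sshd[812]: Failed password for admin from 203.0.113.7 port 50122 ssh2
2024-05-06 02:14:05 host1 sshd[812]: Failed password for admin from 203.0.113.7 port 50123 ssh2
2024-05-06 02:14:09 host1 sshd[812]: Failed password for admin from 203.0.113.7 port 50124 ssh2
2024-05-06 02:14:13 host1 sshd[812]: Failed password for admin from 203.0.113.7 port 50125 ssh2
2024-05-06 02:14:20 host1 sshd[812]: Accepted password for admin from 203.0.113.7 port 50126 ssh2
2024-05-06 09:01:44 host1 sshd[901]: Accepted publickey for alice from 192.0.2.10 port 41000 ssh2
2024-05-06 09:30:12 host1 sshd[933]: Failed password for bob from 192.0.2.11 port 41002 ssh2
2024-05-06 09:30:40 host1 sshd[933]: Accepted password for bob from 192.0.2.11 port 41003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
FAILURE_THRESHOLD = 3  # consecutive failures from one address before it is called a burst


def parse_log(text: str) -> list[dict]:
    """Turn raw lines into dicts with a parsed timestamp; lines that do not
    match the login pattern are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                "result": m["result"], "user": m["user"], "ip": m["ip"],
            })
    return events


def review(events: list[dict]) -> list[str]:
    """Return human-readable findings, in log order, for the two patterns."""
    findings = []
    failures = defaultdict(int)  # address -> consecutive failures so far
    for ev in events:
        ip = ev["ip"]
        if ev["result"] == "Failed":
            failures[ip] += 1
            if failures[ip] == FAILURE_THRESHOLD:
                findings.append(f"{ip}: {FAILURE_THRESHOLD} failed logins in a row (burst)")
        else:
            if failures[ip] >= FAILURE_THRESHOLD:
                findings.append(f"{ip}: successful login as {ev['user']} after "
                                f"{failures[ip]} failures at {ev['ts']:%H:%M} (investigate)")
            failures[ip] = 0  # a success resets the run for that address
    return findings


if __name__ == "__main__":
    for finding in review(parse_log(SAMPLE_LOG)):
        print(finding)
```

A single failure followed by a success (bob above) is normal user behaviour and produces no finding; only the run from 203.0.113.7 is reported.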
Cyber insurance
Cyber insurance is an insurance policy that mitigates the risk of cyber-attack. If your business is successfully attacked, cyber insurance may make payments that allow the business to survive the attack. Cyber insurance may also provide loss mitigation services to help with business recovery. For example, cyber insurance may provide an incident response platform, phishing assessments, or password management services.
Premiums and services offered vary considerably between insurance providers. Customers should thoroughly understand the value of a specific cyber insurance policy and whether its coverage suits the business’s needs.
Following the cyber kill chain increases the probability of a business stopping a cyber-attack at an early stage. Understanding how cyber-attacks are performed allows a business to tailor its cyber security defences for before, during and after a cyber-attack. The goal of cyber resilience and cyber security is to make it so difficult to move to the next stage of the attack that the attacker moves on to their next target.