Today all aspects of our industries depend on internet connectivity to fuel the data collection and analysis, collaboration and innovative strategies of organisations. Unfortunately, this hyper-connectivity and access to information brings serious security risks. The World Economic Forum’s latest Global Risks Report includes large-scale cyberattacks and mass incidents of data theft among its top five risks based on their likelihood to occur, and it is believed that there will be more cyberattacks resulting in money and data theft as well as downtime in operations. In monetary terms, a recent report warns that a major cyber attack with demands for ransom from victims could cost US$193 billion (S$261 billion) and affect more than 600,000 businesses worldwide.
How prepared is Singapore to fend off such attacks?
The country is deeply aware of the need for defence against cyber attacks, from the individual to the state. The Cybersecurity Act, which became law in March 2018, is designed to create a resilient and trusted cyber environment for Singapore. This measure came at an important moment, as over three quarters of Singaporean business leaders reported in a PwC survey, published the same year, to having detected “one or more cyber incidents” over the previous year in the form of mobile device exploitation, phishing attacks and employee exploitation. In our assessment of the State of the Web in 2017, we found that nearly half of the websites we use most often were risky if they fit any of the following criteria:
- They were built on or routinely connected to sites that used server software known to be vulnerable to cybersecurity attack;
- The site was a “known bad,” meaning it has been used to distribute malware or launch attacks at some point in the past; or
- The site had suffered a security breach within the past 12 months.
We can only anticipate that this figure has increased since then, given the high profile breaches in Singapore – and across Southeast Asia – not to mention the breaches that have not been reported widely.
What can enterprises do to protect their organisation against cyberattacks?
If even the most popular and ostensibly reliable sites can’t be completely trusted, how can enterprises protect their data and use technology to filter threats so that security teams are free to address more complex risks? A malware prevention strategy featuring an isolation security solution that not only addresses the risk of potentially malicious content, but also maintains a seamless, native browser experience at cloud scale, is still of vital importance overall. However, for daily protection from threats, consider these practical tips for your organisation:
- Use an ad-blocker: Malvertising campaigns are increasing, and ad sites are typically infiltrated first to deliver ransomware to unsuspecting users.
- Use the Google Chrome Browser: Google Chrome has a higher degree of focus on security than most browsers, and features an implementation of Flash that is highly restrictive.
- Have your employees look closely at the URL from any email for special characters or numbers that could indicate phishing: In many cases, what looks like a message or URL from YourBank, for example, is not a YourBank site. If a financial institution sends your staff member a ‘password reset’ email, they should be educated to not click on the link and log into the bank directly instead. Phishing is becoming increasingly sophisticated, so this extra step is important.
- Disable or uninstall Flash: Flash is known to carry dangerous malware payloads. Users seldom need Flash and most sites have switched to HTML5 video.
- Keep the software on your PC, Mac and Smartphone up-to-date: Companies frequently update software for security vulnerabilities. This is elementary and the least you can do to stay safe.
- Do not download PDFs and Word documents from untrusted sources: Ransomware predominantly spreads via weaponised documents.
- Use Google’s free PDF URL converter: This allows you to safely view the contents of a PDF without having to download it.
- Avoid downloading executable and Zip files from untrusted sources: There’s no way to guarantee the safety of executable and Zip files.
- Use browser-based web email instead of an email client: The main advantage is most web mail providers have document previews, such as Google Docs, that can be used to safely view the document without having to download it first.
- Avoid custom apps and extensions, especially from untrusted sources: It is not unknown for extensions and apps to start out fine, but turn bad as part of a software update. Do not install apps from untrusted stores or sources, as you have no way of verifying if they have been weaponised.
Incorporating these tips into the daily protection of your organisation, along with a malware prevention strategy, will help to mitigate risks associated with employees, their devices, and the networks, apps, and clouds they use. However, companies should also seek to build upon these efforts with a state-of-the-art isolation solution that protects against web, document and email malware threats without impacting user experience or productivity.