Sleepless aims to help keep SMEs safe from ‘malware as a service’

Information security can never be perfect, but the right partner can guide any business up the ladder of complexity and safety, says Daragh Naughton of Sleepless

Daragh Naughton, managing director, Sleepless. ‘If someone partners with the right cyber security company they can get a competitive strategy in place and it doesn’t have to cost the earth’. Picture: Michael Dillon

First things first: Daragh Naughton, managing director of online, cloud and data centre services provider Sleepless, said that when it came to security it was essential to get the basics right. But what does that mean?

The first step, he said, is to institute a policy of two-factor authentication (2FA) or multi-factor authentication (MFA) across all of a business's accounts and its network, so that a password alone is not enough to gain access.

“You really need strong authentication wherever possible, preferably using physical security keys as the second factor,” he said.

Of course, many users object to 2FA, finding it cumbersome or an irritation. This can be solved, Naughton said, by making the process more seamless for end users, but at the end of the day it should be done because it is necessary, not because it is fun.

“Two-factor authentication is one of these necessary evils, but it genuinely is necessary. You really can't do without it. Statistics show that if you have two-factor authentication, any kind of two-factor authentication, then you immediately prevent 90 per cent of hacking attempts on your accounts. Then if you use a higher standard of two-factor authentication [such as using a physical token] you improve it even more,” he said.

The weakest form of 2FA or MFA is a one-time code sent by SMS to a mobile phone, because the phone number it relies on can be hijacked.

“SMS is the worst kind. It can be circumvented and we've heard of people walking into phone shops with fake IDs doing Sim swaps,” he said.

A significant step up is to use an authenticator app, and options are available from the likes of Microsoft and Google.

“Microsoft and Google authenticator are the same in that they work on the same premise and are feature interchangeable, and they use open standards. The ultimate best choice, however, is the hardware key,” he said.

Naughton himself uses a hardware key called YubiKey.

“It's a low-cost key, you buy it and pair it to your identity. That gets your account up and is 99 per cent impossible to hack,” he said.

“Everybody, since the eighties, has been aware of two-factor authentication, because everyone has a bank card: if you break down two-factor authentication it’s something you have and something you know. You have to have both,” he said.
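The "same premise" and "open standards" behind the Microsoft and Google apps is time-based one-time passwords (TOTP, RFC 6238, built on HOTP, RFC 4226): at enrolment the service and the app share a secret, and each then derives a short-lived six- or eight-digit code from that secret and the current 30-second time slot, so the code proves possession of the enrolled device (the "something you have"). The following is an added illustration of that mechanism, written for this article; it is not code from Sleepless or from either vendor. The secret, timestamps and expected codes are the published RFC 6238 test vectors, so the output can be checked against the standard; the verification window and the constant-time comparison are the server-side choices a defender would make.

```python
import hashlib
import hmac
import struct
import time

# RFC 6238 test-vector secret (ASCII "12345678901234567890"); a real
# deployment generates a random secret per user at enrolment.
RFC_SECRET = b"12345678901234567890"
TIME_STEP = 30  # seconds per code, the value the standard apps use


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6, step: int = TIME_STEP) -> str:
    """RFC 6238: HOTP with the counter replaced by the current time slot."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, digits: int = 6,
                window: int = 1, step: int = TIME_STEP) -> bool:
    """Server-side check: accept the current slot plus `window` slots either
    side to absorb clock drift, and compare in constant time so timing does
    not leak how many digits matched."""
    slot = at // step
    return any(
        hmac.compare_digest(hotp(secret, c, digits), code)
        for c in range(slot - window, slot + window + 1)
    )


def current_code(secret: bytes, digits: int = 6) -> str:
    """What the user's authenticator app would display right now."""
    return totp(secret, int(time.time()), digits)


if __name__ == "__main__":
    # Two of the RFC 6238 reference values for the SHA-1, 8-digit profile.
    print(totp(RFC_SECRET, 59, digits=8))          # 94287082
    print(totp(RFC_SECRET, 1111111109, digits=8))  # 07081804
    # A code from the previous slot is still accepted inside the window...
    print(verify_totp(RFC_SECRET, totp(RFC_SECRET, 29, 8), 59, digits=8))   # True
    # ...but a code from two slots ago is not, and neither is a guess.
    print(verify_totp(RFC_SECRET, totp(RFC_SECRET, 0, 8), 89, digits=8))    # False
    print(verify_totp(RFC_SECRET, "00000000", 59, digits=8))                # False
```

The shared secret is the whole security of the scheme: anyone who obtains it can generate the same codes, which is why a hardware key, whose secret never leaves the device, sits above an authenticator app in Naughton's ranking. Keep the acceptance window small (one slot either side is usual) and rate-limit attempts, since a six-digit code only has a million possibilities.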

Facing down criminal enterprises

Businesses need to take security, including authentication, seriously, Naughton said, because on the other end of the threat were criminal businesses whose entire business model was to extract money from hapless victims.

“What they're typically trying to do is find a target: ‘how are we going to extract money from this company?’ They want to try and get in by any means necessary; it could be calling up reception and saying they are IT support, or a phishing email. Once they're in they try to observe and move laterally within the organisation.

“Then they could install ransomware or else, as is increasingly common, perform extortion. Not only are they saying ‘we have all your data locked up’, because of backups they are now saying ‘not only do we have your data, we will leak it over the internet’,” he said.

In other words, these criminals don’t just mean business, they are businesses. Alarmingly, however, with the rise of so-called ‘malware as a service’ they are increasingly small businesses. The upshot of this is that these freebooting entrepreneurs typically target other small businesses, seeing them as a soft target.

“Many of the recent ones [extortion attempts] we have seen have been for less than five grand – two; two and a half, three – because the skill level needed to do it is now so low,” Naughton said.

Of course, he said, larger businesses already have better protection and joined-up thinking in their IT strategy, which drives ever more attacks toward the SME and SMB sectors. What may surprise smaller businesses, however, is that security is not expensive to get set up properly.

“If someone partners with the right cyber security company they can get a competitive strategy in place and it doesn't have to cost the earth,” he said.

The HSE attack created a lot of awareness, Naughton said, but nonetheless he still sees a lot of small businesses that have buried their heads in the sand. Indeed, cloud in particular can be a sticking point, with many SMEs thinking that using Azure or AWS means Microsoft or Amazon handles security for them.

“Your data is your responsibility; all of the cloud providers have this published. Yes, they provide all the tools that are needed, but they don't provide them out of the box. It's up to you.”

Every business should have a mantra of ‘trust and verify’, he said.

“If you assume [then] you're preparing to fail,” he said.

The bottom line, Naughton said, was that security was a process that began with getting the basics right: start with a good foundation and work from there.

“I would say there are three or four things that everyone needs to be doing, at least to get started. For instance, backups, MFA and conditional access.”

Beyond these measures, however, a good managed security service provider should work to guide its clients.

“But there are levels above that. You can move up the ladder. Obviously right at the top of the ladder would be some sort of security panacea, but at the bottom are the steps we all need to take to begin with,” he said.