How do you stop an Energetic Bear?

Companies must think like a hacker and commit to penetration testing to protect themselves from data breaches, says Chema Alonso.

How do you stop an Energetic Bear?
How do you stop an Energetic Bear?

It's fair to say that 2014 has been something of an annus horribilis for cyber security. 

First in April we had Heartbleed, which saw the data of some extremely large companies being jeopardised, and proved to be one of the most high-profile cyber security vulnerabilities there's been in years. That was swiftly followed by CryptoLocker's doom-inducing ‘two week countdown'. Now we have an ‘Energetic Bear' on our hands – an attack which inserted malware into legitimate software updates to target European and US energy companies, and is believed to have compromised more than 1,000 companies in 84 countries.

Aside from being imaginatively named – cyber threats almost feel like the new tropical storms in this sense – this flurry of attacks has made it abundantly clear that sensitive digital data is constantly at risk.

As much as technology can play its part in preventing such breeches for companies, it's humans that are the weakest point in any organisation. We are easy to hack, and easy to manipulate. In fact we've found that around 90 percent of all cyber-attacks begin with a human weakness. Look no further than Edward Snowden for a prime example.

Hackers know that their best entry route is through a human controlled function, such as a seemingly routine software update or opening an email attachment, so they will take advantage of this wherever such an opening exists.

So with this in mind, what steps can organisations take to best protect themselves from the threat of malware through software downloads?

Systemise your processes

The best advice for businesses is to systemise their processes as much as possible and embed these into a multi-layered security solution. There's no one service that can do everything, so having many silos and layers will help to keep an attack contained. Ultimately, there's often too much trust placed in humans by businesses when it comes to cyber security, and while we realise human involvement will always be necessary to a degree, the systemisation of functions, alongside technical security methods, is the best way to limit the risk of a cyber-attack.

Think like a hacker

Something which has stirred much debate recently is whether companies should consider enlisting those who know the cyber threat landscape from the inside out. To me, any modern security task force today shouldn't just include security experts and engineers but 'ethical' hackers too, who can provide the vital outside eye required to fortify against the 'bad guys'. As the cyber threat landscape is continuously evolving, the importance of getting one step ahead at all times is as apparent as ever.

Hack your own system

Penetration testing is a vital part of a security strategy. There is no room for ego in network and cyber security, so don't assume your systems are secure. The constantly evolving landscape means, that if you do, you'll probably be hacked first. You need to find the vulnerabilities before someone else does and exploits them. Push your systems to the absolute limits regularly and dynamically, and you'll really find out where your weaknesses are. Being proactive and unassuming about your security system will ensure you stay one step ahead of the game.

Plan like a CSO, even if you don't have one

Don't limit security to the server room. It's an issue that permeates all levels of an organisation. From the boardroom to the front desk. Education is the key, and a more security-conscious work force is more likely to prevent and deal with cyber threats much faster. Just knowing what malware is, what it looks like and what it does is a step in the right direction. If budgets are tight it's important to be innovative in your security. You don't always need huge budgets to be secure. There are many free services available that can help, from two-factor authentication applications to intelligence communities that share the latest security information and updates.

Chema Alonso is CEO of Eleven Paths