Cyber Security for design businesses is more important than ever. According to government research, 50% of all businesses (including 70% of medium and 74% of large businesses) reported a cyber breach or attack in 2023. It’s not just your data that’s at risk. It’s your clients’ data, too. From intellectual property (IP) to email addresses, hackers can use any data for nefarious reasons.
We’re going to dive into the cybersecurity best practices for design businesses. For this article, we’ve enlisted the help of our friends over at Business Defence Systems, who have given us some advice on how to defend your design business against cyber attacks.
Why Design Firms Are Prime Targets For Cyber Crime
GCHQ, the UK’s intelligence, security, and cyber agency, has issued stark warnings about countries launching cyber attacks on the UK. Similarly, the National Cyber Security Centre (NCSC) has warned about bad actors launching attacks on UK businesses. The reason is to cause widespread disruption and reduce overall productivity. This means all businesses, no matter how small, are at risk. But, for design businesses, there is another level of risk.
Design businesses often take on clients with confidential work. Architects working on floor plans for buildings might hold the layouts of a building that someone wants to enter unspotted. Product designers might have the IP to a highly advanced product that a rival company might pay a lot of money to obtain. All businesses are goldmines of data that can be uploaded to the dark web or sold for profit. It’s not just data; an attack could bring down your company, resulting in lost productivity, extreme ransom payments or even GDPR fines. This becomes an even bigger issue if the company works on projects essential to the economy or infrastructure, such as railways, energy, local authority projects, buildings critical to the supply chain, etc. The goal of these attacks is to cause as much disruption as possible.
Hacking design businesses is getting easier. Design work is increasingly moving to cloud solutions and away from paper and offline tools. With remote work on the rise and designers working with clients worldwide, it is much easier to work online. However, this makes the data accessible to hackers if the necessary security measures aren’t considered.
How Cyber Attacks Happen
When the media portray cybercrime, the example is often a person in a hoody in a dark room furiously tapping on a keyboard and trying to access a server. In fact, most cybercrime is conducted by organised crime or state institutions, using professionally trained teams.
The most common cyber attacks are:
- Imposter/Impersonation Attacks: These attacks happen when a third party pretends to be a supplier or customer. Usually, the bad actors send a false invoice, so the business sends the money to the hacker instead. In some extreme cases, the hacker can take over email chains and continue the conversation to increase costs, steal valuable information, or disrupt a project.
- Social Engineering: Hackers engineer a situation where the person involved feels comfortable enough to hand over information they would usually keep to themselves. For example, they could create a web page that mimics a trusted website, such as a public sector or utility company, or use the CEO’s accounts to get staff to hand over information or wire money. This can also happen over the phone, such as someone impersonating the IT helpdesk and asking for passwords and 2FA codes. Or in person, with someone just walking into a building and talking to people – you’ll be surprised how far people can get with a high-vis jacket and a clipboard.
- Phishing/Spear Phishing: This usually occurs when an email, text, or other communication appears to come from a trusted source. The contents are designed to trick recipients into giving over their details, such as passwords, emails, or other valuable data. Spear Phishing occurs when the communication is targeted at specific groups of people, such as an email from the “CEO” asking for bank details. The telltale signs are usually incorrect URLs or misspelt email addresses.
- Brute Force Attacks: Hackers often use a list of email addresses and passwords taken from other data breaches and use software to rapidly test email and password combinations to see if someone has an account. Alternatively, they will use combinations of “obvious” passwords, like “Password123”, to see if they work.
- Malware: Malicious software that can be installed on a computer. This is usually done when a user clicks on a dangerous link or email attachment. Malware can block system access, obtain information or break/delete data from a computer or network.
- Denial-of-Service (DoS)/Distributed Denial-of-Service (DDoS): Networks and servers are flooded with traffic to exhaust their bandwidth. This usually means the network grinds to a halt.
- Man-In-The-Middle: An attacker intercepts network traffic to eavesdrop on what’s happening. These attacks are common on public Wi-Fi networks, such as in cafes or hotels, where an attacker monitors the activity going back and forth between the device and the router.
- Zero-Day Exploitation: A hacker uses a vulnerability to hack into a system before the software manufacturer is aware of or able to fix the issue. In this scenario, regular software updates are not sufficient protection.
- SQL Injection: Attackers insert database commands into web forms and search bars, which can cause key systems to break, the website to crash, or give the attacker access to sensitive information.
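The phishing entry above notes that the telltale signs are usually incorrect URLs or misspelt email addresses. The following screening routine is an added example (not code from the original article or from Business Defence Systems) that puts that check into practice: it flags a sender address or embedded link whose domain imitates one of the business’s trusted domains, folding common character substitutions such as "rn" for "m" and "1" for "l". The trusted domains and the sample email are constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Domains the (hypothetical) design studio and its suppliers legitimately send from.
TRUSTED_DOMAINS = {"example-studio.co.uk", "supplier-example.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def normalise(domain: str) -> str:
    """Fold common look-alike substitutions so 'examp1e-studio' compares like 'example-studio'."""
    d = domain.lower().strip()
    for bad, good in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(bad, good)
    return d


def domain_of(sender_or_url: str) -> str:
    """Extract the domain from an email address or the host from a URL."""
    if "@" in sender_or_url and "://" not in sender_or_url:
        return sender_or_url.rsplit("@", 1)[1].strip(">").lower()
    return (urlparse(sender_or_url).hostname or "").lower()


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, threshold=0.8):
    """Return the trusted domain that `domain` imitates, or None if it is genuine or unrelated."""
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return None  # the real domain or one of its own subdomains
    norm = normalise(domain)
    for t in trusted:
        label = t.split(".")[0]  # e.g. 'example-studio'
        # Flag if the trusted name is embedded in the domain or the spelling is very close.
        if label in norm or SequenceMatcher(None, norm, t).ratio() >= threshold:
            return t
    return None


def screen_email(sender: str, body: str) -> list:
    """Flag a sender address or embedded link that imitates a trusted domain."""
    findings = []
    hit = lookalike_of(domain_of(sender))
    if hit:
        findings.append(f"sender {sender} imitates {hit}")
    for url in URL_RE.findall(body):
        hit = lookalike_of(domain_of(url))
        if hit:
            findings.append(f"link {url} imitates {hit}")
    return findings


if __name__ == "__main__":
    # Constructed sample: a misspelt sender plus a look-alike supplier link.
    for finding in screen_email("invoices@examp1e-studio.co.uk",
                                "Pay via https://supplier-exarnple.com/invoice now"):
        print(finding)
```

A genuine subdomain such as mail.example-studio.co.uk is accepted, while a domain that merely embeds the trusted name (example-studio.co.uk.somewhere-else.net) is flagged.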
How to Protect Your Design Business Against Cyber Threats
Securing Design Software and Tools
The first step is to keep the software up to date. This includes:
- Ensuring your computers are running the latest operating system version
- Installing and updating anti-virus software
- Keeping the design software itself up to date to prevent zero-day exploitation attacks
Additionally, avoid pirating software or using download links from a dubious source. These can contain malware that can infect your computer or your company’s networks. Sometimes, there can be a delay between the malware’s installation and activation. Always use a trusted source, and if you’re unsure, contact your reseller to get safe download links.
Another way to protect your business is through penetration testing. This tests your website, APIs and other online systems against various attacks and reports on how to fix vulnerabilities.
Password Management and Access Controls
Passwords are often the first line of defence against cyber threats. However, passwords can be stolen in data breaches from other places. Hackers will use that same password and email combination on other websites to hack into different accounts. Websites like Have I Been Pwned allow you to check whether your email address has been stolen in a data breach. If you use the same password across multiple sites, hackers can access your other accounts.
The best way to combat this is to have policies to ensure passwords are changed regularly. Most companies ask users to change their passwords every 60-90 days. This includes design software and cloud storage, where sensitive IP might be stored. Using a reputable, third-party password manager can help staff keep track of passwords. Two-factor authentication (2FA) is also a great way to double-protect an account.
Access control helps to protect your network if an account is hacked. Ensure staff have access only to the controls they need. Not everyone needs access to the admin controls.
Protecting Remote Design Work
Remote work is becoming more prevalent in the design industry. It’s a great way to attract top talent by offering them the chance to work from anywhere. It’s also good for creative minds to escape the office once in a while to enhance their creativity. However, this does mean opening your business up to vulnerabilities, such as man-in-the-middle attacks.
Setting up a secure Virtual Private Network (VPN) for businesses can encrypt internet connections, ensuring that data remains secure when accessed from public or unsecured networks. This can stop hackers from eavesdropping. VPNs also conceal IP addresses, making it difficult for attackers to locate a device. Additionally, VPNs allow staff to access company networks without needing to set up their own access. This makes access control outside of the office much easier.
Additionally, working with remote clients can expose companies to attacks. Cloud storage platforms used for file sharing should be chosen carefully, ensuring they meet high security standards. Incoming files should also be screened, as they are a common vector for phishing attacks and malware installs from hackers.
Building a Security-Conscious Culture
Building a security-conscious culture starts with equipping staff with the right knowledge. Cyber Essentials training is a practical way to ensure that everyone in the business understands basic security protocols, from identifying phishing emails to safeguarding passwords. Regular training sessions keep security at the forefront of staff’s minds, empowering them to spot risks early and follow best practices. Encouraging an open dialogue around security, where staff feel comfortable reporting potential threats, also strengthens the company’s overall resilience.
If you want to improve your business security even further, consider ISO 27001 certification. Larger organisations may even request Cyber Essentials and ISO 27001 certifications or choose a company that already has these in place over one that doesn’t.
Conclusion
Cybersecurity is no longer optional for design businesses—it’s a necessity. The risks of cyberattacks, from phishing to ransomware, are ever-present, and protecting your firm’s intellectual property, client data, and reputation should be a top priority.
Our friends at Business Defence Systems offer a FREE business security audit. Simply fill in the form, and one of the team will contact you with your personalised report.