Is Your Business Cyber Ready?
Given how often big-name data breaches make headlines these days, you probably think cybersecurity is only a concern for big businesses. Whether it’s Colonial Pipeline or Kaseya, the one thing they all have in common is that they’re operating on a scale much larger than your organization is. That might lead you to believe you’re too small to be a target for cybercriminals.
Are You Making Dangerous Assumptions About Your Cybersecurity?
The most critical mistake companies make about their cybersecurity is assuming that they don’t need it and that they are not a target. Or even worse, they think they are already protected without taking any steps to ensure they are.
Your size is no guarantee of your security. In 2020, the rate of cyberattacks grew 400% compared to the previous year — the fact is that a rising tide lifts all ships. As cybercrime becomes more prevalent, your organization becomes a more likely target, no matter its size.
The State Of Cybercrime
Did you know that the global cybercrime industry will cause up to $6 trillion in damages in just a few years? Consider the rate at which attacks are occurring:
- COVID-19 Poses Unprecedented Cybersecurity Threats: The number of phishing emails and social engineering scams that use the COVID-19 pandemic as a topic represents the single largest thematic series of cybercrime attacks ever.
- The Rate Of Ransomware Attacks Is Rising: It is estimated that a ransomware attack will occur every 11 seconds in 2021.
- Small Businesses Rarely Survive A Breach: 60% of small businesses that are hit with a cyber attack will go out of business within six months.
Growing Cybersecurity Threats You Need To Defend Against
Going forward, you’ll need to think more critically about the way you approach and manage cybersecurity for your organization. Consider the threats the business world is facing:
- Social Engineering: Cybercriminals keep relying on the same tactics because users keep falling for them without learning the skills needed to protect against them. The fact is that the greatest cyber threat businesses face today isn’t hackers exploiting software vulnerabilities — it’s their staff. By using manipulative tactics to trick employees into sharing sensitive information like usernames and passwords, hackers are gaining access to valuable data, and it’s costing businesses a lot of money.
- Internet-Facing Vulnerabilities: Any system that is connected to the Internet is at risk — that includes business networks, remote users with VPNs, cloud applications, and everything in between. Cybercriminals will target these types of systems, looking for unpatched and out-of-date infrastructure, as well as exposed Remote Desktop Protocol (RDP) connections. Protecting against these types of threats means implementing a vulnerability management program.
- Exploited System Administration Tools: As networks grow and systems become ever more connected, abuse of system administration controls has become more dangerous. These tools are already installed on systems, and once a cybercriminal has access to them, they can deploy viruses and malware with ease.
- Ransomware: Datto recently released their Global State of the Channel Ransomware Report, developed from statistics reported by over 1,400 survey respondents. 85% of MSPs report ransomware as the most common malware threat to SMBs, and an average of 1 in 5 businesses report being a victim of a ransomware attack.
- Phishing: This is the practice of sending fraudulent emails that resemble emails from reputable sources. The intent is to get the target to do something (open an attachment, click a link, give sensitive data like credit card numbers and login information). It’s the most common type of cyber attack.
- Zero Day: This method takes advantage of a security vulnerability before the vulnerability becomes generally known (i.e., there are zero days between the time the vulnerability is discovered and the first attack).
Who’s Going To Attack Your Business?
- Disgruntled Employees: Employees who are dismissed, or feel they have been mistreated by their employers, may use their remaining authorized access to compromise business data.
- Human Error: An unaware employee can inadvertently delete a critical file or download dangerous malware by accident, putting the entire business at risk.
- Thieves & Corporate Espionage: A properly motivated employee may be convinced to steal proprietary and sensitive data to share with your competitors.
- Organized Attackers
  - Terrorists: Cyberterrorism has been on the rise in recent years, with cybercriminal groups targeting sensitive US organizations.
  - Hacktivists: Cybercriminals are also using their methods to target startups and government contractors and expose operations that clash with their political stances.
  - Nation-State: Often originating in Asian and Middle Eastern countries, nation-state cyberattacks are unique in their danger because they are often executed with greater resources and near-total immunity from any sort of justice when compared to garden-variety, US-based hacks.
- Black Hat: This is the conventional type of hacker, which breaks into business networks to steal data for financial gain or to disrupt operations.
- White Hat: This type of hacker works with businesses to break into their systems under controlled conditions, helping them to identify vulnerabilities that need to be addressed.
- Gray Hat: A middle ground between the other two, Gray Hat hackers will break into business systems without the owner’s knowledge, inform them of vulnerabilities, and expect a reward for doing so. Business owners that refuse to pay the fee risk having those vulnerabilities posted online.
These are your basement-dwelling hobbyists, who poke around businesses’ defenses in search of an easy way in. For the most part, they engage in hacking as a way to learn new skills and pass the time.
Email Security 101
Email is perhaps the most ubiquitous technology used in the business world today — possibly even more so than the phone. It’s instantaneous, can deliver important files, and doesn’t require the immediate attention that a phone call does.
However, just as it’s popular with consumers around the world, it is equally popular as a method for hackers trying to do damage to unsuspecting businesses. While there are plenty of giveaways for a fake email when you know what to look for, there are three in particular that you should keep an eye out for:
- The Wrong Domain: Before even taking a look at the body of the message, check out the domain in the sender’s address. They may claim to be from your bank or a big-name company. It’s more difficult to spoof an actual domain name, and so it’s more common to see domains that are close, but not 100% correct.
- Spelling and Grammatical Errors: The fact is that a lot of hackers will be working from outside of North America, and so, English isn’t necessarily their first language. When crafting the body of the email, they’re likely to make a few errors in their spelling or grammar. This is compounded by how quickly they’re working to get the emails sent out in the first place, which leaves little time for editing.
- False Hyperlinks: If the email includes hyperlinks to any external websites, a good clue to look for is whether they match the hyperlinked text. The text in question may suggest that it’ll take you to a secure site, but that’s not always the case. That’s why it’s important to hover over the link and see where it’s really headed. If it’s to a site that starts with “http” and not “https” then it’s not secure.
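The wrong-domain and false-hyperlink checks above can be automated for mail you are triaging. The following is an added example, not code from the original article; the trusted-domain list, the 0.8 similarity cutoff, and the sample message are assumptions chosen for illustration.

```python
import difflib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = ["examplebank.com"]  # assumption: domains you really deal with
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def lookalike_of(domain):
    """Return the trusted domain that `domain` nearly matches, or None."""
    if any(domain == d or domain.endswith("." + d) for d in TRUSTED_DOMAINS):
        return None  # the real domain or one of its subdomains
    close = difflib.get_close_matches(domain, TRUSTED_DOMAINS, n=1, cutoff=0.8)
    return close[0] if close else None

def check_email(sender, html_body):
    """Run the wrong-domain and false-hyperlink checks; return the findings."""
    findings = []
    if good := lookalike_of(sender.rsplit("@", 1)[-1].lower()):
        findings.append(f"sender domain resembles {good}")
    parser = LinkCollector()
    parser.feed(html_body)
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        shown = DOMAIN_IN_TEXT.search(text.lower())  # domain the reader sees
        if shown and shown.group(1) != host and not host.endswith("." + shown.group(1)):
            findings.append(f"link text shows {shown.group(1)} but goes to {host}")
        if href.lower().startswith("http://"):
            findings.append(f"unencrypted http link to {host}")
    return findings

SAMPLE_SENDER = "alerts@examp1ebank.com"  # constructed sample, not a real campaign
SAMPLE_BODY = '<a href="http://login.example.net/verify">https://www.examplebank.com/secure</a>'
```

An https link only means the connection is encrypted; the host still has to be the one you expect, which is what the link-text comparison covers.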
There are many steps that staff members can take to secure their email, and because they’re more about practice (common sense and logic) than expensive technologies (antivirus, antimalware, etc.), they’re also cost-effective to implement.
Keep the following in mind:
- Keep Link Clicking / Attachment Downloads to a Minimum: Clicking on links that appear in random emails just isn’t safe. Hyperlinks are commonly used to lead unsuspecting employees to phishing and malware websites. Be sure to only click links when they’re from a confirmed, expected source, and when they aren’t part of a sales pitch, or an attempt to get information from you. Furthermore, suspicious email attachments from unknown or untrustworthy senders are the most common source of malware, ransomware, and other digital threats. Even if it’s from a friend or colleague, consider the message they send along with it, and whether it’s worded properly. It’s always wise to call the sender or speak in person if possible to confirm that they sent the email. Otherwise, simply delete it until you can be sure of its authenticity.
- Manage A Safe Senders List: No matter how effective your current spam filter is, it won’t keep unwanted spam out of your inbox forever. Whenever you see that a spammer’s email has made it past your filter, take a moment to block it so that it won’t happen again. Furthermore, make sure to only open emails from confirmed contacts.
- Encrypt Your Email: This is a fundamental part of email security. One-click email encryption measures are easy to use and ensure that the user’s communication is secured against unwelcome readers while in transit. Furthermore, mobile device capability will allow users to read and send encrypted messages from the mobile platform without having to store the message locally or incur any unnecessary battery or bandwidth usage.
Best Practices For Managing Strong Passwords
Are you confident in your business’ password practices? Find out for sure by reviewing these common password mistakes:
- Length and Complexity: Keep in mind that the easier it is for you to remember a password, the easier it’ll be for a hacker to figure it out. That’s why short and simple passwords are so common — users worry about forgetting them, so they make them too easy to remember, which presents an easy target for hackers.
- Numbers, Case, and Symbols: Another factor in the password complexity is whether or not it incorporates numbers, cases, and symbols. While it may be easier to remember a password that’s all lower-case letters, it’s important to mix in numbers, capitals, and symbols in order to increase the complexity.
- Personal Information: Many users assume that information specific to them will be more secure. The thinking, for example, is that your birthday is one of 365 possible options in a calendar year, not to mention your birth year itself. The same methodology applies to your pet’s name, your mother’s maiden name, etc. However, given the ubiquity of social media, it’s not difficult for hackers to research a target through Facebook, LinkedIn, and other sites to determine when they were born, information about their family, personal interests, etc.
- Patterns and Sequences: Like the other common mistakes, many people use patterns as passwords in order to better remember them, but again, that makes the password really easy to guess. “abc123”, or the first row of letters on the keyboard, “qwerty”, etc., are extremely easy for hackers to guess.
Passwords protect email accounts, banking information, private documents, administrator rights, and more. However, user after user and business after business continue to make critical errors when it comes to choosing and protecting the passwords they use today.
Keep these tips in mind when setting your passwords:
- Password Strength: Commonly, passwords are required to include uppercase letters, lowercase letters, numbers, and special characters. Consider using a passphrase—which is when you combine multiple words into one long string of characters—instead of a password. The extra length of a passphrase makes it harder to crack.
- Password Managers: These programs store all of your passwords in one place, which is sometimes called a vault. Some programs can even make strong passwords for you and keep track of them all in one location, so then the only password or passphrase you have to remember is the one for your vault.
- Multi-Factor Authentication: Multi-Factor Authentication is a great way to add an extra layer of protection to existing system and account logins. By requiring a second piece of information like a randomly generated numerical code sent by text message, you’re better able to ensure that the person using your employee’s login credentials is actually who they say they are. Biometrics like fingerprints, voice or even iris scans are also options, as are physical objects like keycards.
10 Simple Tips To Enhance Your Cybersecurity
- Be careful what you click on — the wrong link can put your entire business in danger.
- Back up your data regularly (and check the backup). Your best defense against ransomware and data loss is a recent, tested, and isolated backup.
- Patch promptly to protect your systems against recently identified vulnerabilities.
- Protect all endpoints including mobile devices. Any device connected to your network is a potential doorway to your data.
- Encrypt sensitive data. Encrypted data is useless to thieves if they have no way to decrypt it.
- Use two-factor authentication. This is the simplest way to add a reliable layer of security to your logins.
- Don’t forget about physical security (e.g. surveillance cameras). Digital security is just one aspect of defense, so make sure your offices and servers are properly secured as well.
- Create unique passwords. Don’t let a repeat password that’s compromised on one account put your other accounts at risk.
- Train your employees to keep them updated on the latest threats. One unaware staff member can negate the vast majority of cybersecurity technologies and processes. Make sure your staff is a cybersecurity asset — not a liability.
- Plan, Plan, Plan — if you don’t have a strategy in place now, you’ll have no way to limit the damage once an attack is underway.
The Primary Threat: A Lack Of Cybersecurity Expertise
The fact is that, even if you deployed all the necessary cybersecurity technologies, invested in all the necessary tools and solutions, and did everything you could to protect your business, you’d still be missing one thing — cybersecurity expertise.
Cybersecurity expertise is in high demand these days. As cybercrime continues to grow, and as businesses become more and more digital in their operations, cybersecurity becomes a much more critical priority. However, there’s only so much cybersecurity talent available to hire.
Need Expert Cybersecurity Guidance?
Don’t let your cybersecurity suffer, and don’t assume you have to handle it all on your own — Hammer IT Consulting can help you assess your cybersecurity and develop a plan to protect your data.
You can start improving your cybersecurity in three simple steps:
- Book a meeting with the Hammer IT Consulting team at a time that works for you.
- Let us assess your cybersecurity and address any vulnerabilities.
- Get back to focusing on your work, instead of worrying about your cybersecurity.