This is part six in a seven-part series regarding security concepts for small businesses. As an owner or principal of a small- to medium-sized business, you have the ability and the responsibility to understand security basics and ensure they are implemented for you.
- Part 1 of 7: Who has your back(up)?
- Part 2 of 7: Be on the Alert
- Part 3 of 7: When to (NOT) be an Admin
- Part 4 of 7: Gone Phishing
- Part 5 of 7: You Must Have a Filter
- Part 6 of 7: Staff Security Training
Things are different today. Cybercrime is the fastest-growing industry in the world, and damages to organizations that suffer a loss from a successful attack are hitting astronomical, record numbers. You cannot afford to keep doing things the way you have in the past, because the ones who seek to harm you (and by harm I mean take your money) are not doing it the same way they have in the past.
Types of Attacks
There are three basic types of attacks from which you need to protect yourself:
1. Ransomware: This attack locks up all of your valuable data and leaves you with only two choices:
- Pay the Ransom: Pay a ransom, typically anywhere from $900 to $90,000, to have your files restored, or
- Restore from Backup: Restore your files from backup, which can take some organizations several days.
The one thing for sure in this type of attack is that you will suffer a period of downtime, as both options take more time to implement than it took for the criminals to lock up your files.
2. Banking Attacks: These are either automated malware, which whisks money from your bank account directly into the hands of the criminals, or “low tech” attacks, which trick your own people into willingly sending money to the wrong people. And yes, this does happen. Both types have one thing in common: nobody ever thinks it can happen to them… which is exactly why they work so well.
3. Information / Identity Theft: This is a bit of a “Silent Killer,” as you do not always know when it happens. Information can be stolen without you knowing it happened; it can be quietly siphoned away during another type of attack, or your people can be blatantly tricked into sending valuable personal data (such as W-2 info) to the wrong people.
Where do Threats Come From?
Back in the day, a firewall was one of the most important parts of your defense. Perimeter defense is still necessary, but why would cyber criminals spend time trying to kick in the door when it is much easier to have someone inside open it for them?
In today’s world, nearly all successful attacks come through the end-user of the computing system. There are three common paths of attack:
- Portable Media: Much less common than it used to be, but still a viable method of accessing the network.
- Websites: One common myth is that only the “bad sites” contain malware. A recent report indicates 75% of sites are vulnerable to malware unwittingly launched from them. The site owner has no idea that their visitors are being infected from their own website.
- Email Phishing: This is the big one. Because it has the highest payoff, it also gets the most attention from cyber thieves. Some spam filters are besieged with tens of thousands of attempts per hour to break through to the end-users. With this much persistence, some degree of malware is bound to make it through your other defenses, no matter how robust they are.
How to Lower Your Risk
All cyber defense strategies depend on building layers of protection. These include utilizing the latest defensive technology, such as content filtering, advanced email filtering and firewalls, but the most vulnerable layer is always the front lines, the people who use your computer systems.
Training Your Staff
Most attacks have signs. Victims often realize moments after being infected that something was amiss. Cyber criminals are counting on the hustle of the daily workday to elicit a quick reaction from employees, before common sense kicks in. Basic employee training is critical in the defense against cybercrime, and should include these concepts:
1. Treat all attachments as suspect, in particular if they are not expected, not requested or from an unknown source.
2. Avoid clicking links in emails at all. Instead, go to the website itself or google the information.
3. Never respond to requests to send money or valuable personal information without independent verification, such as a phone call or in-person confirmation.
4. Never use the same password on the office network that you have ever used anywhere else. This includes close variations of passwords.
5. Use strong passwords — use a combination of numbers, symbols, and letters (uppercase and lowercase). Consider using an entire phrase instead of a word.
6. Avoid going to websites that are not needed to do your job. Use your mobile device or surf these sites at home instead.
7. If you suspect issues, seek help before logging into banking or financial accounts. If possible, log in to monetary accounts from a different, dedicated machine.
8. Never send sensitive information outside the company via email. Unless it is encrypted, this is easily readable by others who may intercept it.
9. Test all flash drives or other media before attaching them to your computer.
10. Immediately report all suspicious activities to technology staff. Even a slight delay can be extremely costly to yourself and your company.
Employees who follow these practices serve as an effective layer of protection against cyberattacks. The trouble is that just sending an email with these policies, telling employees, or having a written policy is simply not enough. Effective cybersecurity awareness training, preferably in a live interactive setting, is crucial in the current world of technology.
Frankel Zacharia Technical Services provides awareness training customized to your organization and delivered on-site or remotely to your staff. Contact us to discuss how this and other preventative services can add to your cyber defense strategy.
Let us know what we can do to help.
Thanks, and remember, you can and should understand your own technology.
Tim Weidman is the Director of Information Technology at Frankel Zacharia Tech Services, a department of Frankel Zacharia, LLC. Tim has a technology career spanning over 25 years and holds professional certifications in Certified Ethical Hacking and Penetration Testing, Security+, A+, Network+ as well as Microsoft, Apple, Linux and Novell technologies.