Technology Advisor Blog

To keep up with high demands for thousands of businesses, global supply chains have become more dependent on technology. Becoming more dependent on technology equals a greater risk of being exposed to evolving cyber threats. One of the biggest hurdles for cybersecurity is the huddled mindset that if it is not directly happening in my backyard, then it doesn’t apply to me. In 2025 alone, this has become a pivotal year, where the need for businesses to implement cybersecurity is no longer optional, but essential to staying safe.

Every year, Verizon publishes a Data Breach Investigation Report (DBIR). The Verizon DBIR is one of the most comprehensive reports illustrating REAL security incidents and breaches, not just hypothetical "this could happen" warnings.  The 2025 Report - the 18th annual report! -  was published on April 23, 2025 and as usual, its full of inciteful information for both small business AND enterprise. To generate the report, the Verizon DBIR team analyzed 22,053 real-world security incidents, of which 12,195 were confirmed data breaches. 

With the start of the new month and Tax season now over, cybercriminals are beginning to shift their focus on to new trends. This time targeting tech and healthcare giants for patient sensitive information out by the millions.
I’m sure you all have heard it before ‘I’m just one person and keep my circle small, I’m not going to fall victim to a cybercrime. I’m so careful.’ Or even; “I just use the necessities and take what I believe are the cautionary steps”. Until you’re not. Even just this morning a colleague received a phishing text claiming they saw their ‘resume’ and had a job opening with no further context. They pointed out the message’s red flags, which included a high amount of compensation for said job, no description of position or company name and contact information did not match. As annoying as it is to receive these types of unwanted messages, the attempt likely came from the individual placing their email to receive newsletters & updates of a product and service of their choosing. Not expecting their email or any other additional information to be involved for phishing attempts.

Did you know that 28% of consumers have fallen victim to credit card fraud in the last year? With nearly a third of people affected, it’s no surprise that 37% report feeling anxious about their credit card accounts being compromised. Families and career-driven individuals are especially on edge, with Gen X and Millennials (40%) sharing equally high levels of concern.

When the pandemic hit, businesses all over the globe had to shift to remote work almost overnight.  Now, with the vaccine rollout in full swing, the hybrid work model is gaining popularity. This allows employees to work from home, the office or split their time between both. According to a recent Accenture Report, close to 65% of businesses have adopted a hybrid model, and most workers prefer it that way.  

However, a distributed workforce comes with its own set of challenges. One of the primary concerns of IT leaders across the globe is the unprecedented increase in cybercrime. The FBI reports that cybercrime has shot up by almost 300% since the start of the pandemic.

Relying on one basic security solution will, therefore, prove to be futile against sophisticated attack vectors.  You may have seen advertisements on-line or on television promoting a single security solution that solves all your cybersecurity problems, but it just doesn't work like that! This is where an approach like Defense in Depth (DiD) finds its relevance.  If you've attended any of our security workshops, we also often refer to this as "layers of security".

Defense in Depth is a cybersecurity approach in which multiple defensive methods are layered to protect a business. Since no individual security measure is guaranteed to endure every attack, combining several layers of security is more effective.  

This layering approach was first conceived by the National Security Agency (NSA) and is inspired by a military tactic of the same name. In the military, layers of defense help buy time. But in IT, this approach is intended to prevent an incident altogether.

While Defense in Depth is critical to protecting your business against evolving cyberthreats, it’s an undertaking that requires time, extensive knowledge and experience. Partnering with a technology service provider like Ekaru can simplify the process, reduce stress and minimize opportunities for error.

How Your Small Business Can Help Defend Against Threats

All of the major cybersecurity protocols and frameworks (NIST, HIPAA, CMMC, etc) focus on three primary areas of control:

1. Administrative Controls
The policies and procedures of a business fall under administrative controls. These controls ensure that appropriate guidance is available and that security policies are followed.

Examples include hiring practices or employee onboarding and offboarding protocols, data processing and management procedures, information security policies, vendor risk management and third-party risk management frameworks, information risk management strategies, etc.

2. Technical Controls
Hardware or software intended to protect systems and resources fall under technical controls. Examples of technical controls are firewalls, configuration management, disk/data encryption, identity authentication (IAM), vulnerability scanners, patch management, virtual private networks (VPNs), intrusion detection systems (IDS), security awareness training, etc.

3. Physical Controls
Anything aimed at physically limiting or preventing access to IT systems falls under physical controls.  Examples include  fences, keycards/badges, CCTV systems, locker rooms, etc.


Essential Elements of Defense in Depth:

A technology service provider will help you implement all the elements of an effective Defense in Depth strategy to minimize the chances of threats seeping in through the cracks. These elements include:

1. Firewalls
A firewall is a security system comprised of hardware or software that can protect your network by filtering out unnecessary traffic and blocking unauthorized access to your data.  We strongly advise implementing a "business class" firewall and not simply relying on what your Internet provider installed.

2. Intrusion Prevention and Detection Systems
Intrusion prevention and detection systems scan the network to look for anything out of place. If a threatening activity is detected, it will alert the stakeholders and block attacks.

3. Endpoint Detection and Response (EDR)
Endpoint Detection and Response (EDR) solutions operate by constantly monitoring endpoints to find suspicious or malicious behavior in real time.

4. Network Segmentation
Once you divide your business’ network into smaller units, you can monitor data traffic between segments and safeguard segments from one another.  If there's a breach in one segment of the network, the other segments may be protected.

5. The Principle of Least Privilege (PoLP)
The principle of least privilege (PoLP) is a cybersecurity concept in which a user is only granted the minimum levels of access/permissions essential to perform their task.  If an employee doesn't need access to protected information, they should not have access.  In many cases, over time data winds up being stored in a way that multiple people have access to it when they don't need to.  Conduct regular audits of the data you hold.

6. Strong Passwords
Poor password hygiene, including the use of default passwords like “123456” or “admin,” can put your business at risk. Equally risky is the habit of using the same passwords for multiple accounts. To protect your accounts from being hacked, it’s essential to have strong passwords and an added layer of protection by using practices such as multifactor authentication (MFA). 

Recently there have been many reports on a clever twist on an old scam that's made more believable with your hacked password.  The email purports to be from a hacker who has compromised your computer and recorded you watching porn and will release the information to all your contacts if you don't pay the ransom (payable to a crypto currency account so it's not traceable).   

We've all seen the headlines of the major cybersecurity incidents:  Target, Yahoo, Equifax, Sony, etc... Cybersecurity is a topic that affects everyone, and we view it as a public safety issue.  With all the headlines over the past years, at this point, most people "get it" that cybersecurity is a big problem, but the education can't stop there.   

This past week a Massachusetts school district paid $10,000 ransom to unlock its files after a cyber attack.  The Police Chief commented that there is no further investigation of this crime because solving this crime is "impossible". This is unfortunately a sign of the times.

Everyone thinks they won't click on a phishing link, but when we run tests, there's always someone who does!