Every month we see breaking news articles about the latest data breach or form of cyberattack. You've probably seen headlines like:
- "Meet the New Ransomware That Knows Where You Live"
- "Cybercriminals Turn to AI to Bypass Modern Email Security Measures"
- "Cyber Threats to Small Businesses Prompt Pleas to Report Attacks"
- "ChatGPT and Cybersecurity: The Good, the Bad, and the Careful"
As these headlines attest, ransomware, phishing, and other types of cyberattacks are increasing in number and sophistication. To avoid becoming a victim, you must take measures to protect your company, and there are many smart and affordable things you can do to help. No business is so small that cybercriminals will overlook it. The fact is that cybercriminals like to attack small companies because those businesses often do not have the expertise or resources to fend them off.
You're probably already running anti-malware software in your business, realizing the essential role it plays in detecting and blocking known ransomware, viruses, and other types of malware. However, that is only one of several measures you need to take to protect your company against cyberattacks. Other important measures include reducing known security vulnerabilities, educating your employees, and preparing for the worst-case scenario.
Reducing Security Vulnerabilities
You can make it much harder for cybercriminals to attack your IT systems by addressing vulnerabilities that cybercriminals tend to exploit. Here are a few basic starting points:
Update Your Software Regularly
Cybercriminals like to target operating system software and applications that have known security vulnerabilities. These vulnerabilities provide a crack that cybercriminals can slip through in order to access your computer systems and install malicious code. Updating your software regularly with newly released patches eliminates known vulnerabilities, thereby reducing the number of exploitable entry points into your computer systems. "Patch Tuesday" occurs the second Tuesday of every month, and that's the day that Microsoft releases free updates. Security is a bit of a "cat and mouse game". All security has vulnerabilities, and as vulnerabilities are identified, they're patched. Cybercriminals will constantly seek out vulnerabilities, so if you don't have an ongoing patch strategy, you'll fall behind.
Update your Firmware
Computers, printers, routers, and other hardware devices include firmware, which is software that gives a device its functionality. Just like software, firmware can have vulnerabilities that cybercriminals exploit. So, it is important to patch your devices' firmware whenever the device manufacturers release an update. Also, never keep the default passwords that come with a device; change them to strong passwords whenever possible.
Update your Software When Necessary
At some point in time, software vendors stop supporting older operating system software and applications. This means that they no longer provide any security updates. As an example, Microsoft will stop supporting Microsoft Server 2012 in the fall of 2023. Cybercriminals keep track of when versions of popular applications reach their end of support. When that day arrives, cybercriminals intentionally launch new attacks that target the unsupported software. Sometimes, they stockpile malware until the end-of-support date and then set it loose. As a result, your business is much more vulnerable to cyberattacks if you are running software that is no longer supported by the vendor. Old tech can't protect against new threats!
Our team can conduct a vulnerability analysis to identify security issues that are leaving your business susceptible to cyberattacks. Once identified, we can work with you to address those vulnerabilities and reduce your risk.
Your employees can establish an important line of defense against cybercrime. Many people call this the "human firewall". By educating employees on how cybercriminals carry out cyberattacks, employees can spot these attacks rather than fall victim to them. Phishing, spear phishing, and social engineering should be at the top of your list of topics to cover.
Phishing and Spear-Phishing
Despite being around for years, phishing emails are still being used by cybercriminals to obtain login credentials and other sensitive information, which they then use to steal money and data from businesses. Although people are now more aware of phishing, the attacks are still effective because of the growing sophistication of the emails.
The emails used to be easy to spot, as they often contained numerous misspellings and grammatical errors, really bad graphics, and spun fantastic tales about how you won the lottery or how a Nigerian prince needs your help. These days, cybercriminals are increasingly posing as legitimate companies (a tactic known as "impersonation"), creating emails that look almost identical to real ones sent by those organizations; some of the most impersonated brands include Microsoft, FedEx, American Express, and UPS. Plus, cybercriminals sometimes personalize the email to the point where it includes your name and other information about you, a tactic referred to as spear phishing. With the widespread use of AI, phishing emails keep getting more advanced.
Despite being more sophisticated, there are elements that indicate an email might be a phishing or spear phishing attack. Train your employees to look for elements such as:
- A deceptive email address in the "From" field. At first glance, the email address might seem legitimate. For instance, cybercriminals might send out an email message using the address "email@example.com" instead of the real "firstname.lastname@example.org" address. Watch out for hard-to-spot differences like a lowercase "l" swapped with an uppercase "I".
- A request to update or verify information. Cybercriminals like to get sensitive information by posing as a popular legitimate financial institution (e.g., a bank) and asking you to update or verify your information.
- A sense of urgency. A common tactic in a phishing or spear phishing scam is to create a sense of urgency. The cybercriminals first let you know about a problem that requires your attention. Then, they let you know that there will be unfortunate consequences if you do not take action quickly. They set the stage to make it look like the most efficient path is to just do what the email recommends to make the problem go away.
- A deceptive URL. A deceptive URL is one in which the actual URL does not match the displayed link text or web address. For example, the displayed text might specify a legitimate bank name ("Chase") or bank web address ("www.chase.com"), but when you hover your cursor over it (without clicking it), you might discover that the actual URL leads to a website in a foreign country known for cyberattacks.
- An attachment. Cybercriminals sometimes use email attachments to install malware on computers. Many different types of files can contain malicious code, including PDF files and Microsoft Word documents.
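The indicators in the list above can be checked mechanically, which is useful both for training (show employees what the checks find) and for a simple mail-triage script. The following is an added example and not Ekaru's code: it parses a raw email with Python's standard library and reports a lookalike or brand-mismatched "From" domain (including the uppercase-I-for-lowercase-l swap), link text that names one site while the href goes elsewhere, urgency or "verify your information" wording, and any attachment. The trusted domains, the phrase list, and both sample messages are constructed assumptions for the example.

```python
"""Flag the phishing indicators discussed above in a raw e-mail (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisation's own domain and its bank's domain (constructed values).
TRUSTED_DOMAINS = {"example.org", "chase.com"}
URGENCY_PHRASES = ("immediately", "within 24 hours", "will be suspended",
                   "verify your", "update your", "act now")
# Characters commonly swapped to build a lookalike domain (uppercase I for l, 1 for l, 0 for o).
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o"})


def fold(domain):
    """Collapse confusable characters so a lookalike maps onto the name it imitates."""
    return domain.translate(CONFUSABLES).lower()


def is_trusted(host):
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS)


def check_sender(from_header):
    """Indicator: deceptive 'From' address (lookalike domain, or a brand on an unrelated domain)."""
    display_name, address = parseaddr(from_header)
    domain = address.rpartition("@")[2]
    if not domain or domain.lower() in TRUSTED_DOMAINS:
        return []
    findings = []
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if fold(domain) == trusted:
            findings.append(f"sender domain {domain!r} is a lookalike of {trusted}")
        elif brand in display_name.lower() or brand in fold(domain):
            findings.append(f"sender claims to be {brand} but domain is {domain!r}")
    return findings


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Hostname named by a URL or bare 'www.bank.com'-style text; '' if the text is not a host."""
    host = (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()
    return host if re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", host) else ""


def check_links(html):
    """Indicator: the displayed link text names one site but the href leads somewhere else."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        shown, actual = host_of(text), host_of(href)
        if not actual:
            continue
        if shown and shown != actual and not actual.endswith("." + shown):
            findings.append(f"link text shows {shown} but points to {actual}")
        elif not shown and not is_trusted(actual) and any(
                t.split(".")[0] in text.lower() for t in TRUSTED_DOMAINS):
            findings.append(f"link text {text!r} names a trusted brand but points to {actual}")
    return findings


def check_body_and_attachments(msg):
    """Indicators: urgency / 'verify your information' wording, and any attachment."""
    findings, texts = [], []
    for part in msg.walk():
        if part.get_filename():
            findings.append(f"attachment {part.get_filename()!r}")
        elif part.get_content_type() in ("text/plain", "text/html"):
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            texts.append(body)
            if part.get_content_type() == "text/html":
                findings.extend(check_links(body))
    lowered = " ".join(texts).lower()
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        findings.append("urgency or verify-your-information wording: " + ", ".join(hits))
    return findings


def analyze(raw_email):
    """Run every check over one raw message and return the list of findings."""
    msg = message_from_string(raw_email)
    return check_sender(msg.get("From", "")) + check_body_and_attachments(msg)


# Constructed sample 1: brand impersonation, deceptive link, urgency, and an attachment.
SAMPLE_BRAND = """\
From: Chase Online <alerts@chase-secure-login.com>
To: jane.doe@example.org
Subject: Action required: verify your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your account will be suspended within 24 hours unless you go to
<a href="http://203.0.113.7/login">www.chase.com</a> and verify your details.</p>
--b1
Content-Type: application/pdf; name="statement.pdf"
Content-Disposition: attachment; filename="statement.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Constructed sample 2: uppercase "I" standing in for the "l" in example.org.
SAMPLE_LOOKALIKE = """\
From: IT Support <helpdesk@exampIe.org>
To: jane.doe@example.org
Subject: Password reset
Content-Type: text/plain; charset="utf-8"

Please update your password immediately at http://exampIe.org/reset
"""

if __name__ == "__main__":
    for sample in (SAMPLE_BRAND, SAMPLE_LOOKALIKE):
        print("\n".join("- " + f for f in analyze(sample)), end="\n\n")
```

The sender check folds the domain before comparing it, so "exampIe.org" collapses onto "example.org" and is reported as a lookalike, while "chase-secure-login.com" is reported because the display name claims a trusted brand. The link check only compares hosts when the visible text itself looks like a host name; when the text is just a brand word such as "Chase", it falls back to the brand-versus-destination test. Any attachment is reported, matching the list above, rather than only executable types.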
When discussing how to spot phishing and spear phishing attacks with employees, be sure to stress the risks associated with clicking an email link or opening an email attachment, especially if the email is from an unknown source. You also need to let employees know what they should do if they receive a suspicious email (e.g., simply delete it, notify someone about it). Note that many malicious attacks have a long "dwell" time. If you click on a link, you won't see a ransomware message right away, so don't let your guard down and assume nothing is wrong because you can't see it.
Cybercriminals sometimes try to con employees into giving them the information they need to access businesses' computer systems or accounts. This is referred to as social engineering. Hackers like to use social engineering attacks because exploiting human behavior is usually easier than hacking security and computer systems.
While social engineering attacks typically occur via email (a.k.a. spear phishing emails), they can also occur over the phone and in person. The cybercriminals often masquerade as employees, but they also might pretend to be suppliers, customers, or even trusted outside authority figures (e.g., firefighters, auditors). Microsoft won't ever call you out of the blue!
To get into character, cybercriminals usually learn your business's lingo. When cybercriminals use the terms that employees are accustomed to hearing, the employees are more apt to believe the cybercriminals and do what they ask.
Besides learning the business lingo, cybercriminals sometimes search the Internet for information that can help them in their impersonations. Without realizing it, many people provide a lot of information about their professional and personal lives on LinkedIn, Facebook, and other social media sites. Don't overshare!
When discussing social engineering with your employees, stress the importance of being careful about what they post on social media sites. It might become fodder for a sophisticated spear phishing attack. Or, it might provide cybercriminals with the information needed to hack online accounts. For example, if an employee posts pictures and stories about her favorite cat, cybercriminals might try using the cat's name as a password or the answer to the security question "What is the name of your favorite pet?" With some online accounts, all it takes to reset a password is an email address and the correct answer to a security question. If cybercriminals are able to reset an account's password, they gain full access to that account.
Our team at Ekaru can share their vast knowledge about cyberattacks with your employees. Armed with this information, your employees can present a formidable line of defense against cyberattacks.
Prepare for the Worst-Case Scenario
Cybercriminals are constantly devising new ways to attack businesses, so despite your best efforts, your business might become the latest cyberattack victim. This is yet another important reason why you need a data backup strategy.
Although having backup copies of your data and systems will not prevent a cyberattack, it can mitigate the effects of one. For example, if your business becomes the victim of a ransomware attack, you will not have to pay the ransom to get your data back.
We can help you develop a data backup strategy and test it to make sure that your information can be restored in case your company is attacked.
Protect Your Business
Cybercriminals are constantly releasing new malware programs or variants of existing ones. As a result, relying solely on anti-malware software to protect your business is risky, as it takes a while for the vendors to update their anti-malware software to defend against the new programs and new strains.
After conducting an in-depth security assessment, our security experts can recommend other measures you can take to protect your business from cybercriminals. We can also help train your employees so that they can spot cyberattacks rather than fall victim to them.
Contact us today to make sure your company has the proper safeguards in place. Waiting until tomorrow might prove to be too late.
CMMC: Cybersecurity Maturity Model Certification - Local Businesses in the Defense Industrial Base (DIB): Changes are coming for security certifications. We've put together resources on CMMC for local businesses: CMMC - Cybersecurity Maturity Model Certification Resources
Train, Test, and Prevent Attacks.
Big companies make the headlines when there's a cybersecurity breach, and too many SMBs believe they are "under the radar". Today's threats are automated, and everyone is at risk. The Employee Security Training program is a cost-effective way to increase security and protect your business, and to demonstrate compliance with the training requirements of the MA Data Security Law, HIPAA, and other industry-specific security compliance requirements.
The basic documents you need for compliance such as a Written Information Security Policy (WISP), Acceptable Use Policy, Sanction Policy, (and more!) and a Security Risk Assessment template are also included.
Small and Midsize Businesses (SMBs) are Victims of Cyber Attacks
Dark Web Monitoring
With more and more data breaches happening every day, even if your site is not affected, your employees' credentials can still wind up on the Dark Web.
- Extensive Use of Multimedia (Videos, Animation, Graphics, Quizzes)
- Interesting and Engaging Training Material
- Training Delivered Via Online Training Portal
- Training Takes Around 1 Hour for the annual exam, and about 2-3 minutes a week for weekly training updates
- Employees Can Start, Stop and Resume Training
- Employee Feedback Has Been Outstanding
Security Training Topics
- What is Personally Identifiable Information (PII)?
- Protecting Credit Cards and Customer Information
- Spotting Phishing Scams
- Avoiding Phone Scams
- Using Strong Passwords
- Public Wi-Fi Dangers
- Protecting Mobile Devices
- Clean Desk Policy
- Many More Security Topics
Training Certificates and Reports
After employees finish the security training, they will take a 20 question security quiz. They need an 80% or better to pass the quiz. Upon passing the security quiz, they will be able to print out a certificate of course completion. There is a report that you can access that shows the progress and results of each employee.
How do you manage passwords?
Your business is only as secure as how you store and access passwords. In a survey of 130,000 business owners, users were asked: How do you manage passwords?
With Ekaru MyGlue, you'll be able to provide employees a secure password storage area and access solution to manage their corporate passwords. It also delivers the ability to securely share and synchronize passwords between executives, employees, contractors, and clients, so no one is ever locked out of the most up-to-date password.
Within MyGlue, there can be an unlimited number of users and storage for an unlimited number of passwords. The Admin can then create custom permissions for each user. That way each user no longer has access to every password in the database, and you can block any user from particular credentials. Every interaction inside the site is recorded. Therefore, audit logs and reporting are all easily accessible and can be run to see how old passwords are, who has had access to them, etc. You can even go back and find what passwords were previously used if needed. If the site user is ever drawn into a compliance audit, they can easily provide the information needed.
Site users can also use the site to collaborate internally with each other. You can create security groups or buckets for "administration", "accounting", "management", or however works best for your business. Users can be added and removed at any time.