Setup for Success: IT Security for Everyone

Setup for Success: IT Security for Everyone

Written by Scott Hall on . Posted in Computer Security

The consequences of malware, phishing attempts and breaches are known to be common amongst household name corporations in our times. Credit bureaus, video streaming and gaming console breaches as just some of the most recent that have made the news. Even though the resulting damages from these attacks totaled in the millions of dollars fiscally, the damage to their brand will take years to measure. Small businesses & start-ups do not have the financial, or social, capital to withstand these types of incidents without putting their very survival at stake.

The following are a few ways to ensure your business is facing modern threats as best it can:

Lock your network doors

In the same way that you wouldn’t dream of leaving your car unlocked, you shouldn’t invite cyber criminals into your business networks, either. Purchase a business grade firewall with comprehensive anti-virus and security threat definitions that are updated constantly. Stay current with your licensing to ensure you can meet the latest threats as they’re exposed. Do not rely solely on equipment provided by your ISP; these devices are intimately known by bad actors and have had their weaknesses make public knowledge.

Also, use SSL VPN connections for remote employees or after-hours access to your networks. Business grade firewalls can easily accomplish this.

Setting company policy

Size is rapidly becoming irrelevant in being an attractive target for cyber criminals. Teach employees and re-teach them about your security requirements and best practices as provided by your IT team.

Policy should include employees using company computers responsibly and not engaging in extra risky activities, how to spot phishing attempts in email, setting requirements for password complexity and expiry, and setting two-factor authentication wherever it can be applied.

Social Media Do’s and Don’ts

Social media is a part of our lives and isn’t going anywhere anytime soon, so reducing risk is paramount. Determine whom can speak for the business publicly and approve all social media content before publishing. When writing employee policy, cover social media sites like Facebook, Twitter, and the like in your non-disclosure agreement, especially their use on company time and premises. Assume the worst to get the best results. Encourage employees to limit the amount of personal information they share online for their safety and the safety of the business.

Protect with passwords

Passwords are the key to front line security, so they are important to protecting access to your networks. The more characters and variation you have, the stronger your password will be. Require strong passwords with a length of at least eight characters with embedded numbers, so you can stop simple attacks that guess passwords. Time out old passwords and require password changes frequently. Educate employees about why writing down passwords, storing passwords on cell phones, or using guessable choices puts company security at risk.

 

Get critical about Internet security

Stop the mad links. Don’t rely on employees to think about security. Restrict where and when they can access the network or Internet within the business. Along with guidelines for acceptable web use, select content filtering solutions that stop unacceptable use. URL filtering can limit access to unproductive sites completely or during business hours.

Bring Your Own Device

The level of adoption for employees bringing their own devices (BYOD) to work in the small and medium business market is soaring – but what about the security risks? Develop a plan. A BYOD plan will provide a safety net against legal repercussions and mobile system costs. Draft a comprehensive & clear BYOD policy that covers data deletion, location tracking, and content monitoring.

Regularly reflect on the benefits and impacts of BYOD programs. Most businesses adopt the BYOD trend because of the increased productivity and cost savings it can provide. However, not all take the time to gauge if the trend is worth the risk it can expose an organization to. Monitor your use of BYOD to help justify its deployment and prevent future device security problems.

Be Current

Be sure your mobile users, PCs and servers are using the best available threat intelligence and definitions. You are only as safe as your last update. Look for solutions that make use of remote servers or data centers to do most of the heavy lifting of security. Don’t rely on old antivirus. New methods of detection perform the equivalent of background checks on email senders, files, and websites to protect better and faster without slowing your PCs. Make it as simple as possible for your PCs to have the latest OS patches as well. Do not use end-of-life operating systems.

Choose a Security Partner

Select a vendor who understands the unique needs of security in a small business environment. Check their record. Vendors with a proven track record of years of defense against multiple threats, with knowledge of both small business and enterprise experience will be your best defense.

 

What you should know about RANSOMWARE

Written by Scott Hall on . Posted in Computer Security

Ransomware has become the scourge of the Internet. It’s so common that it no longer makes the news. In fact, it’s predicted that a business will fall victim to a ransomware attack every 14 seconds in 2019. The evolving nature of the threat makes malware attacks very difficult to counter. Regardless of the type of malware, they all have the same objective to encrypt or disable access to the files on a computer, or the network it is part of, and then demand payment for their recovery. Overseas, cybercrime labs often have budgets as large as or larger than the total spend of an enterprise level organization’s annual security budget.

 

Security analysts estimate that most hacking related breaches are because of stolen or weak passwords. Other attack vectors include vulnerabilities exposed in a web application, open or insecure network ports and email-based phishing. These are all sobering data points, whether you’re a large corporation or SMB. The impact of breaches can be highly damaging – monetary payments, lost data, productivity impacts, system downtime during recovery, just to name a few.

 

Although the different kinds of malware attacks have existed for years, the success of the latest generation is due in part to improved techniques. Machine learning and other heuristics help hackers learn about network and people patterns. This is very different from prior automated or cryptologic based methods because skilled IT resources and improved security software can detect and disable, or even prevent these kinds of attacks outright before they cause damage.

 

Ransomware falls into the broad category of malware. The definition of malware is to damage or disable a computer or an entire system. In one scenario of ransomware, the attack disables access to systems by encrypting files. The attacker then demands a ransom in exchange for a key to decrypt the files and regain access. Another scenario in the Ransomware attack is to simply lock one or more systems, so they can’t be accessed. Unfortunately, there’s no single solution that can stop this type of attack, despite many claims to the contrary.

 

This leaves two options in response:

 

The first is to pay the ransom which most all security experts advise against. This could make an organization a repeat target. The second, more realistic option is to use a multi-layered approach to make it more difficult for Ransomware and other attacks to succeed. Implement a security management practice that includes regular patching of all systems, services and software, including network device firmware, like IP security cameras, printers and scanners. Proactive measures reduce the likelihood of an attack being successful but there is no guarantee. Ransomware authors continue to get smarter, and their attack software usually include routines to find and delete or encrypt backups along with primary data. This means organizations can’t rely solely on backups as a response tactic, without taking additional security precautions and measures.

 

Given how many ransomware attacks succeed, educating employees to detect phishing and related attempts to penetrate the network is a must. Strengthening your security management practice with added employee training will help minimize your exposure to malware and maximize your response management. If you’re wondering where to start, SOS can help. Reach out to us today.

The Real Deal on Cybersecurity Failures

Written by Scott Hall on . Posted in Computer Security

A 2018 study revealed that small to medium businesses increasingly face the same cybersecurity risks as enterprise and well-known corporations, but only 28 percent of SMBs rate their ability to mitigate threats and attacks as “highly effective.”

The quantity of breaches and attacks, including malware, phishing attempts and ransomware attacks is steadily rising — with 67 percent of SMBs experiencing a cyber-attack, and 58 percent experiencing a data breach in the last year. Despite that, nearly half of respondents (47 percent) say they have no understanding of how to defend their businesses from these attacks.

As this vulnerability increases, the risk of employees, vendors, and outside contractors causing data breaches or being inadvertently complicit in these attacks is simultaneously increasing — 60 percent of study respondents cited a negligent employee or contractor as being the root cause for a breach, compared to 37 percent pointing to an outside source. Still, 32 percent of survey participants stated that they could not determine the root cause of a breach or attack they experienced in the past 12 months.

40 percent of respondents say an attack occurred with the compromise of employees’ passwords in the past year, with the average cost of each being $383,365. Accordingly, 19 percent more IT and security professionals consider password protection and management to be increasingly critical in 2019 as compared to 2018.

Part of creating an environment that is vulnerable to outside attack is a failure to use strong passwords, two-factor authentication and unique passwords for every website, application and system. These steps are often inconvenient, but have stopped attacks from occurring, limited the intrusion that occurs, and even notifying of a breach before it can actually occur. In this vein, respondents indicated their two biggest password-related pain points are having to deal with passwords being stolen or compromised (68 percent) and employees using weak passwords (67 percent). Almost certainly, this is cause and effect at work. Often, human memory and/or insecure spreadsheets are used to store and protect passwords. Only 22 percent of respondents say their companies require employees to use a password manager. Of the 74 percent of respondents who say password managers are not required, more than half say their companies rely upon unreliable methods to protect passwords.

SMBs, by nature, do not necessarily have the funds or the expert staff to have effective security, and as a result 74 percent of respondents note this as a huge obstacle. The remaining 26 percent of respondents who believe they are ‘highly effective’ at mitigating vulnerabilities and attacks state that the reason for this belief is due to a higher investment in both personnel and funding to adequately face these threats. These companies also dedicate a higher percentage of their IT budget to cybersecurity efforts.

As time progresses and technology evolves, cyber criminals are often ahead of the curve, and companies, no matter how big or small, are only as strong as their weakest link and their ability to react to an ever-changing security landscape. Staying ahead of threats in this area pays untold dividends by fostering a healthy respect for security and the responsibility of being good stewards of consumer data.

 

A Practical Guide to Data Encryption

Written by Scott Hall on . Posted in Computer Security

There are few organizations that do not hold some kind of sensitive data, be it something as simple as customer addresses for delivery, or something as serious as patient medical records. Breaches of this data are happening every day, and not knowing the consequences of a successful breach is not a valid defense in modern times.

If a breach occurs in an industry with any government oversight at all, any organization found to be careless or deviating from industry best practices on security can face substantial penalties, not only reputational damages but monetary fines as well.

On the other side, maintaining proper security protocols can open up a number of business opportunities. For example, a start-up engages in a partnership with an established company that needs to ensure its new vendors are taking security seriously as to not jeopardize their own operations. This is but one case where failure to adhere to security standards can impact your organization.

For whatever reason a company would need to encrypt their data, it may seem like a daunting and intensive task, however critical it may be. It doesn’t have to be difficult at all. Ideally, encryption functions best when it is absolutely unobtrusive and invisible to daily users.

While large company data breaches make the headlines and cable news, it’s often small and medium businesses that are harmed by these intrusions. Potential fines, loss of reputation and lack of consumer confidence can be an often fatal blow to SMBs, whereas larger enterprises can absorb that kind of damage. When taking the potential loss into account, encryption and data security is critical in the small to medium business space.

There are many technical methods of data security, and while these are essential, they work best in tandem with employee awareness and training. Employees can minimize the organization’s risk profile and even limit the data’s exposure to the world at large, just by being aware of best practices and the consequences of mishandling.

Developing non-obtrusive methods of data encryption & security are imperative, as humans naturally seek out ways to be most productive, even if it means cutting corners for access to critical data in the name of efficiency. These process shortcuts can sometimes become the very method of attack used by criminals to steal data, or insert malicious programs behind firewalls.  Common issues that occur are passwords written and left in proximity to the PC or device they belong to, or removing hardware from a secured facility to an unsecure one, and not preventing access by unauthorized persons, such as ex-employees or vendors. Recognizing your vulnerabilities through an objective assessment can go a long way in minimizing your risk profile and ensuring that even in the event of a breach, your organization has taken great care in adopting standard practices to ensure data security is taken seriously.

Contact the professionals at SOS if you believe your organization can benefit from an in-depth review of data security practices.

Cybercrime and Real World Terrorism: Strange Bedfellows?

Written by Scott Hall on . Posted in Computer Security

We know the impact of cyber-crime as it relates to every day users. Credit card theft, sensitive personal data stolen, and much more have been attributed to so-called ‘cyber terrorists’. Is it then possible that more ‘conventional’ terrorists would be interested to use similar tactics? This may sound extreme, especially due to the limited and reversibility nature of the impact of certain cybercrime tactics and the precautions that forewarned businesses and organizations can take. However, it is difficult to brush off the threat in an external inspection of both the dynamics and methodology of these types of attacks, and the tools used to perpetrate them.
Conventional terrorists–regardless of ideology have engaged in the digital space for any number of reasons, most having been born of necessity. For things like covert communication, recruitment, propaganda, transferring illicit funds undetected, and, most importantly, sharing amongst a geographically dispersed command structure. Information disseminated in the cyber space also includes target assessments for real-world terrorist acts, and tactical assignments.

However, this could change with increasing technical competency and capability for network-based attacks and growing number of bad actors in the online community. Opportunity for online interaction and training has compensated terrorists the loss of physical space for such activities on the ground. Current social networking tools such as Facebook, Twitter, and Instagram, among others, provide platforms not only to share information and expertise but also practice it in virtual space. It’s simply a foregone conclusion that funding terrorist acts, either directly or via support and logistical infrastructure, through cybercrime and ransomware is ongoing.
Ransomware tools like WannaCry and others have the potential to reduce the opportunity cost for conventional terrorist attacks as well. Al Qaeda and the Islamic State of Iraq and Syria (ISIS) have demonstrated much interest along with some capability to develop and use chemical, biological, radiological, or nuclear weapons (CBRN), and while there has been no successful mass casualty terrorist attacks involving them, there is the concern that these groups might lose control over the consequences of such an attack, in such that they could affect the members of the communities they are purportedly fighting for. However, use of weapons of “mass disruption” like ransomware as against weapons of “mass destruction” will enable terrorists to cause large-scale damage (loss of data and equipment), chaos (in hospitals and other public utilities) and fear, while simultaneously filling their coffers. Imagine the impact if terrorist groups like Al Qaeda or ISIS were involved in WannaCry attack. For terrorists, it’s a win-win tactic as they can achieve almost similar attention and without firing a shot or exploding a bomb, all without garnering the attention of conventional law enforcement and military tactics used in stopping them.

If you are concerned about your organization’s susceptibility to cyberattack, contact us today.

Tech Headaches? We can help! Contact us now »