Cyber Security Begins With Small Business Culture

December 4, 2018

Many small business leaders think they aren’t big enough to be a target. This is a myth hackers want them to believe: fully one in three hacker attacks in the first six months of this year involved a small company.

Based on those statistics, cyber security professionals say a small business can expect a cyber-attack within the next three years.

These same professionals say attacks on small businesses are increasing because they are often easier targets for sabotage. The main reason, they say, is that small business leaders do not have the time or funds to devote fully to preventing or thwarting cyberattacks.

While the simplest way for hackers to gain entry is through your company’s employees, there are ways of cutting down the threat by creating company-wide awareness of the danger. Even if the funds for greater cyber security are not available, putting some or all of the following recommendations in place can help make your company safer from cyber-attacks.

Security starts with the culture. Effective cyber security requires acknowledgment, assessment, and total participation. Many users do not implement these basic protections because they assume additional security controls will complicate usability and interfere with efficiency. To truly secure their assets, businesses must work towards proactive risk management rather than reactive compliance.

Take the words out of passwords. Remember this simple adage: the best possible password is one that you don’t know. According to OpenVPN, 25% of employees reuse the same password for everything. One person’s weak password has the potential to compromise not only an entire organization’s data, but also the data of those serviced by that company. Using password management software such as 1Password or LastPass disperses responsibility and risk in a visible, automated manner.

Test your business’ readiness by phishing yourself. After you simulate a phishing attack at your organization, you will be better prepared for a real one. Free programs such as Microsoft’s Attack Simulator and KnowBe4 are available that gauge your organization’s awareness of and response to hacking attempts. This will not only train your users, but also give you visibility into how well they’re trained. As a general rule, tell your users to read the fine print: hover over links to read the full domain of any address exchanged through email. Spelling errors and suspicious redirects are easy to spot, even when embedded in a lengthy link. (Pro tip: Open any foreign link in an incognito browser.)

Since emails are a popular attack vector, it’s critical that security and forensic teams have complete awareness of email activity within the organization. Step one is connecting O365 or G Suite to your SIEM (security information and event management), which can, for example, correlate login events to surface potentially compromised accounts.
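As an added illustration (not part of the original post) of the kind of login-event correlation a SIEM performs once the mail platform is connected, the Python below runs two simple rules over constructed sign-in records: a burst of failures followed by a success, and two successes from different countries too close together to be the same traveller. The record layout, field names and thresholds are assumptions, not the real O365 or G Suite export format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (added example; the field layout is an
# assumption, not the real O365 or G Suite audit schema):
# (timestamp, user, source_ip, geo_country, login_succeeded)
SAMPLE_EVENTS = [
    ("2018-12-04T08:00:00", "ana@example.com", "203.0.113.5", "US", False),
    ("2018-12-04T08:00:20", "ana@example.com", "203.0.113.5", "US", False),
    ("2018-12-04T08:00:40", "ana@example.com", "203.0.113.5", "US", False),
    ("2018-12-04T08:01:00", "ana@example.com", "203.0.113.5", "US", False),
    ("2018-12-04T08:01:45", "ana@example.com", "203.0.113.5", "US", True),
    ("2018-12-04T09:00:00", "ben@example.com", "198.51.100.7", "US", True),
    ("2018-12-04T09:30:00", "ben@example.com", "192.0.2.9", "RU", True),
    ("2018-12-04T10:00:00", "cal@example.com", "198.51.100.8", "US", True),
]

def parse(rec):
    ts, user, ip, country, ok = rec
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "ip": ip, "country": country, "ok": ok}

def find_suspicious_logins(records, fail_threshold=4,
                           fail_window=timedelta(minutes=10),
                           travel_window=timedelta(hours=1)):
    """Correlate login events per user and return (user, reason) findings.
    Rule 1: fail_threshold or more failures inside the sliding fail_window,
            then a success (a guessing attack that eventually worked).
    Rule 2: two successes from different countries inside travel_window
            (impossible travel, typical of a stolen credential in use)."""
    by_user = defaultdict(list)
    for ev in sorted(map(parse, records), key=lambda e: e["ts"]):
        by_user[ev["user"]].append(ev)
    findings = []
    for user, evs in by_user.items():
        failures, last_ok = [], None
        for ev in evs:
            if not ev["ok"]:
                failures = [f for f in failures if ev["ts"] - f["ts"] <= fail_window]
                failures.append(ev)
                continue
            if len(failures) >= fail_threshold:
                findings.append((user, f"success after {len(failures)} failures from {ev['ip']}"))
            failures = []
            if (last_ok and last_ok["country"] != ev["country"]
                    and ev["ts"] - last_ok["ts"] <= travel_window):
                findings.append((user, f"impossible travel {last_ok['country']}->{ev['country']}"))
            last_ok = ev
    return findings
```

On the constructed records this flags ana (four failures then a success) and ben (US then RU within thirty minutes) while leaving cal alone; a real deployment would tune the thresholds and enrich the country field from the provider’s own geo data.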

Use Multi-Factor Authentication. The more barriers you put in place, the more difficult it will be for hackers to infiltrate your data infrastructure. According to the Verizon 2017 Data Breach Investigations Report, 81% of breaches are the result of stolen, default, or weak credentials. MFA significantly reduces the chance that compromised credentials alone are enough to get in. Have your employees present two or more pieces of evidence to verify their identity for a login or other transaction.

Use MFA such as Google Authenticator that does not rely on a phone number, because phone numbers are no longer secure and most are publicly available.

Better yet, add a physical MFA layer to your defense, especially for key executives and employees, with hardware security keys such as Yubico Security Keys that plug into USB ports.

Lead the leaders. Security is a top-down solution and should be treated as an integral part of the business. Business owners and leaders should be the most secure, so that the culture permeates downward. Aside from altruistic business concerns and the cost of a security breach, owners and leaders should be doubling down on security efforts out of self-interest: today, hackers are targeting the top.