Cybersecurity Awareness Refresher For Small Business
Technology alone cannot protect you and your business from cyber-threats. This is because, even if your systems are well protected, attackers usually target the weakest link in your cybersecurity system, i.e. the people. So, to mount an effective defense, you need to create a security-conscious culture where the people and technology work together to mitigate cybersecurity risks.
In this blog post, we share with you 6 security practices that will mitigate a majority of the common cybersecurity risks faced by businesses.
But before we begin, here’s a quick look at cybersecurity risks to businesses.
Is Your Business Too Small To Be Targeted By Cybercriminals?
If you believe you aren’t at risk of cyberattacks, you couldn’t be further from the truth. You are exactly what cybercriminals are looking for! Ransomware attacks on your business may be the scariest, but there are many more threats lurking in the cyber world. Here’s what cybercriminals are usually looking for:
Credit card and financial information,
Medical data such as prescriptions, insurance, etc. that may be used for scams or identity theft,
Computer resources for crypto mining or using your computer as a launching pad for further attacks,
Email credentials for sending spam or spoof emails, and to recover or reset linked accounts.
No business is too small or insignificant for cyber-criminals.
Here are some figures to help you understand the threat landscape and how likely it is for your business to face a cyber-attack:
28% of security breaches involved small business victims.
22% of attacks involved phishing.
86% of breaches were financially motivated.
Organized criminal groups were behind 55% of breaches.
22% of breaches were caused by errors such as misconfiguration, misdelivery, loss, etc.
Source: 2020 Data Breach Investigations Report by Verizon
It is important to note that the above figures are based on breaches, i.e. events that resulted in confirmed disclosure of data, and not just security incidents, which may have been contained.
Cybercrime is growing at an astounding rate. It is expected that by 2021, the damage related to cybercrime will hit $6 trillion annually. One of the reasons why the number of cyberattacks has steadily increased is how easy and inexpensive it is to buy and own malware. You don’t need to be a cybersecurity expert, you don’t even need to be a programmer; all you need to do is get on the dark web with an online wallet loaded with some cryptocurrency. You can get off-the-shelf malware and ransomware on darknet marketplaces for very little money and sometimes even for free.
This has increased the number of attacks, especially by amateur cybercriminals using such off-the-shelf malware. Often the free malware comes with backdoor access for the original creator. The amateur attackers do all the heavy lifting, unaware that the malware is backdoored, while the original creators simply wait for stolen credentials to roll in. So even if your business isn't specifically targeted by a professional hacker, you are still at risk of experiencing a malware or ransomware attack.
Now that we have established the risk, let’s take a look at how you can mitigate those risks.
Here’s a list of 6 cybersecurity best practices that will help you in protecting your business:
Loss of data is probably the scariest nightmare for most businesses. According to data compiled by bostoncomputing.net, 60% of companies that lose their data shut down within 6 months. That’s why ransomware attacks that target and encrypt your data are so effective. Sadly, there’s no foolproof way to protect your data from ransomware. No cybersecurity solution can offer 100% protection.
The only “guaranteed” protection against ransomware is regular backups. Backups keep your data safe and once you’ve completely cleaned the ransomware from your network, you can restore your data using the backup and get back to business. A few things regarding backups that you need to be aware of are:
Don’t keep your backup media connected at all times. You don’t want your backups to get infected, so keep them separate.
Test your backups by running recoveries once in a while. This ensures that your backups are healthy and will be available when required.
Follow the 3-2-1 strategy of backup for all critical data and files.
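A restore test can be automated. The sketch below is an added example, not part of the original post: it records a SHA-256 manifest when the backup is taken, restores the archive into a scratch directory, and reports every file that is missing, changed or unexpected. The tar archive and the function names are assumptions standing in for whatever backup tool you use.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file path (relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source: Path, archive: Path) -> dict:
    """Archive the source folder and return the manifest taken at backup time."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest


def verify_restore(archive: Path, manifest: dict) -> list:
    """Restore into a scratch directory and list every file that does not match the manifest."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            # Use the safe "data" extraction filter where this Python version provides it.
            extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **extract_kwargs)
        restored = build_manifest(Path(scratch))
    problems = []
    for name, digest in manifest.items():
        if name not in restored:
            problems.append(f"missing: {name}")
        elif restored[name] != digest:
            problems.append(f"changed: {name}")
    problems += [f"unexpected: {name}" for name in restored if name not in manifest]
    return problems
```

Keep the manifest somewhere other than the backup media, so a damaged or tampered backup cannot also rewrite the record it is checked against.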
Operating systems, programs, and applications are never perfect. For this reason, they receive updates to improve functionality, usability, and performance. These updates or patches are also called bug fixes and are released by the software provider. However, that’s not the only reason why updates are important. Many times the updates are released to fix security vulnerabilities.
It is surprising that many organizations still fall prey to cyberattacks that leverage known vulnerabilities even after the security patches have been released. Remember the WannaCry ransomware attack? It was totally preventable as Microsoft had already released patches to stop such an exploit. But many companies still got infected and had to pay a huge ransom because they hadn’t updated their systems.
So the key takeaway here is to install patches and updates as soon as they are available. It is also recommended to enable auto-updates, especially for antivirus and anti-malware. Also, ensure that your company uses licensed software that is supported so that you receive updates and bug fixes.
Password hygiene has been a constant pain point for IT security professionals as well as for users. Remembering long, complicated passwords is burdensome and given the number of different applications we use at work, the struggle is understandable. Because of this, many people resort to easy-to-remember passwords. Here’s a list of the 25 most common passwords.
The cybercriminals know this and when they try to hack into your accounts, they will cycle through these common passwords first. So if you use any of these, you should change your password right now. Over 80% of security breaches due to hacking involve the use of brute force tactics and lost or stolen credentials. So you need to be very careful with your passwords. Never write down your passwords on paper or in plain text on your computer, and never share them with your colleagues.
But such strict password policies needn’t cause you any stress. You can use a password manager to make your life easier. Password managers help you by taking the tedious tasks related to generating and remembering passwords off your plate:
They generate strong passwords for your online accounts,
Remember all your passwords and associated usernames, and
Fill web-forms for you.
As a business owner, you need to ensure that you have a strong password policy and that it is implemented. The password policy must require users to:
Have separate passwords for every account,
Not use personal details as passwords,
Change default passwords on devices,
Use passwords made up of a combination of letters, numbers, and special characters.
If you are curious why a long and complicated password is necessary, here’s a look at how long it usually takes to hack a password, based on its length and composition…
The moral of the story is to use a password that is at least 10 characters long and composed of lowercase letters, uppercase letters, numbers, and symbols.
If you read cybersecurity news, you must have come across many instances of hacking resulting in stolen credentials. Millions of stolen passwords and usernames are regularly put up for sale on the darknet. Many users tend to reuse passwords, i.e. they use the same password on multiple accounts. Couple this with the stolen passwords and it’s a disaster waiting to happen. All that the hackers have to do is to plug your stolen credentials into the right website and they will gain access to your account; it’s just a matter of time.
Another reason why passwords aren’t very safe is because of our social media presence. We tend to share a lot of our personal information online and then use the same personal information as passwords for our online accounts. Even if you don’t share much personal information online, cybercriminals can use social engineering to acquire such information online.
You can completely shut out the threat of stolen credentials by using two-factor authentication (2FA). Once you activate 2FA on your accounts, in addition to your password an additional factor such as a code sent to your phone as an SMS, or a random number generated by an app is required to log into your account. The hackers won’t have access to this second factor and will be unable to hack into your account.
2FA is simple to implement, doesn’t cost anything, and effectively adds a layer of security to your accounts. Additionally, if you choose the right authentication factor, 2FA becomes easy to use and isn't burdensome for the users at all.
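To show what the "random number generated by an app" actually is, here is an added example (not from the original post) of the time-based one-time password scheme standardized in RFC 6238, with a login check that needs both the password and a current, unused code. The `verify_login` helper and its parameters are illustrative assumptions, and the demo secret is the public RFC test key.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, truncated to a short decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30) -> str:
    """RFC 6238: the counter is the number of 30-second steps since the Unix epoch."""
    return hotp(secret, int(at) // step)


def verify_login(password_ok, code, secret, at, used_steps, step=30, window=1):
    """Grant access only when the password is correct AND the code is current and unused."""
    if not password_ok:
        return False
    now = int(at) // step
    for counter in range(now - window, now + window + 1):  # tolerate small clock drift
        if counter in used_steps:
            continue  # each code works once, so a captured code cannot be replayed
        if hmac.compare_digest(hotp(secret, counter), code):
            used_steps.add(counter)
            return True
    return False


# Constructed demo secret (the RFC test key); real secrets are random and unique per account.
DEMO_SECRET = b"12345678901234567890"
```

A stolen password alone fails the check, and so does a code that is a few minutes old, because the code depends on a secret that lives only on the user's device and the server.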
94% of malware delivery happens through email. Phishing emails are, therefore, a persistent threat to businesses. Remember the Google Docs phishing scam that affected over 1 million users? At work, we usually need to multitask and often have to dedicate our mental resources simultaneously to multiple things. This is exactly what the scammers try to leverage; they are counting on us being too busy or stressed to notice the scam.
The typical phishing emails have many red flags that should immediately alert you. With a little scrutiny, phishing emails can easily be spotted but some of them can be quite convincing. Therefore, you need to be vigilant. So, before you click on links or attachments in emails, remember the following:
Is the sender familiar? Is the email address correct? Does the address have an unfamiliar domain or subdomain?
Were you expecting the email? Were you expecting to receive a link or attachment via email?
Hover your mouse pointer over the link to ensure the URL goes where it says. But don’t click on the link.
Do you recognize the website? Does it have an “https:” prefix?
Does the link have a misspelled domain or subdomain?
Does the email try to create a sense of urgency?
Is it a standard process in your organization to receive such requests via email?
If you feel you won’t remember these typical signs of phishing emails, just write them down and stick them on your desk.
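Several of these checks can also be run automatically on incoming mail. The following added example (not from the original post) extracts the links from an HTML email body and flags plain-http destinations, visible addresses that differ from the real destination, misspelled lookalikes of trusted domains, and trusted names used as a subdomain of another domain. The trusted domains, the sample message and the 0.85 similarity threshold are assumptions made up for the illustration.

```python
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = ("northwind-bank.example", "payroll-portal.example")  # assumption: domains you really use
SAMPLE_EMAIL = (  # constructed message body, not a real email
    '<a href="http://northw1nd-bank.example/login">https://northwind-bank.example/login</a>'
    '<a href="https://northwind-bank.example.account-verify.example/reset">Reset password</a>'
    '<a href="https://northwind-bank.example/statements">View statements</a>')


class LinkCollector(HTMLParser):  # collects (href, visible text) for every <a> element
    def __init__(self, html):
        super().__init__()
        self.links, self._href, self._text = [], None, []
        self.feed(html)

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    return (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()


def red_flags(href, text, trusted=TRUSTED):
    host = host_of(href)
    domain = ".".join(host.split(".")[-2:])  # naive: ignores suffixes such as co.uk
    lookalike = any(SequenceMatcher(None, domain, t).ratio() >= 0.85 for t in trusted)
    embedded = any(f".{t}." in f".{host}" for t in trusted)
    return [name for name, hit in (
        ("plain http", urlsplit(href).scheme == "http"),
        ("visible address differs from destination",
         "." in text and " " not in text and host_of(text) != host),
        ("misspelled lookalike domain", domain not in trusted and lookalike),
        ("trusted name used as subdomain", domain not in trusted and embedded),
    ) if hit]


def scan_email(html):
    return [(href, red_flags(href, text)) for href, text in LinkCollector(html).links]
```

An empty list means none of these flags fired for that link. It does not prove the link is safe, so the questions about the sender and whether the email was expected still apply.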
In addition to email phishing, your business may also be targeted with voice phishing (vishing), i.e. you receive phone calls trying to elicit sensitive information, or to get you to make payments. They work in the same way as emails do, by creating a sense of urgency and are often purposely confusing. Phone numbers are often spoofed so be vigilant and don’t fall for such scams. Just remember that banks, government agencies, and tech support will never contact you out of the blue or ask you for sensitive information over the phone.
If you receive a call that appears suspicious, verify the caller’s identity by asking questions, then hang up and call back on a number that’s officially published on their website.
Cybersecurity is a vast field and trying to figure out solutions to each of your problems on your own is exhausting, to say the least. It is very likely that someone has already solved the problem you are experiencing and there’s no need to reinvent the wheel. All you need to do is to learn from others and be open to adopting industry best practices.
Here are a few security best practices to get you started:
Install antivirus and anti-malware on all your devices,
Don’t allow users to connect unknown media or devices to your network,
Don’t allow the use of untrusted browser extensions or add-ons,
Don’t allow users to install anything suggested by random pop-ups,
Make it mandatory to use a VPN for remote access,
Use disk encryption on all computers,
To ensure network security all your network devices should use WPA2,
Prevent social engineering attacks by protecting your online data with privacy tools such as NoScript, uBlock Origin, etc.,
Restrict physical access to servers and other critical infrastructure.
Conduct IT Security Audits regularly.
Conclusion
That’s all you need to know about cybersecurity… NOT! Don’t stop here because the attackers won’t stop trying. The cybersecurity landscape is constantly changing and you need to keep pace with the changes. If you fall a step behind, there will be gaps in your security systems and your business will be that much more vulnerable to cyber-attacks.
For more security tips, tricks, and best practices, check out our cybersecurity-related blog posts.
We also post daily cybersecurity news and updates on Twitter. Follow Jones IT on Twitter.
If you are a Jones IT customer feel free to reach out to our support team to schedule a Cybersecurity Awareness Training. If you aren’t a customer yet, reach out to us to learn how we can help improve your IT Security posture.