To remain secure against increasingly sophisticated attacks, organizations need to take a more practical approach: one that involves heightened employee awareness and full executive stewardship of a collaborative, company-wide security initiative.
IT security is often still treated as an “IT issue.”
But it’s more than that. Just as revenue and performance are routinely reviewed, assessed and collaborated on, security should be a talking point inside the executive boardroom and an initiative that involves all employees. It’s not just an IT issue. It’s a business issue that involves your entire organization.
The cliché image of an online attack usually involves a dark room and a person in a black hoodie hunched over a dozen computer screens, cracking ultra-secret code. The reality is that cyber crimes are committed in far more mundane scenarios, using traditional trickery and shenanigans, and they arrive via email or even phone calls to your employees.
Businesses often throw money and technology at the problem: firewalls, content filters, encrypted data and email, antivirus and anti-malware tools. But to remain secure against increasingly sophisticated attacks, organizations need to take a more practical approach: one that involves heightened employee awareness and full executive stewardship of a collaborative, company-wide security initiative.
Three Practical Tips to Help Your Approach to IT Security
1. Understand That It Can Happen to You
You’ve read the headlines about the high-profile attacks on entities like Equifax and Target. What would a cybercriminal want with you?
Maybe you only have 50 employees, or you operate in a small, insulated town. But you still have assets, including money, intellectual property, customer data and access. Your data may also be a gateway to larger organizations (as in the 2014 Target data breach, which started with access through a vendor), making you just as vulnerable to attack. In fact, the 2019 Verizon Data Breach Investigations Report found that 43 percent of breaches involve small business victims.
It’s crucial to understand that, yes, it can happen to you.
2. Educate Yourself… and Your Employees
Teaching employees to recognize suspicious activity is key, and email is a great place to start. Two terms your team should know, and the deceptive acts to be on the lookout for:
- Phishing: sending email messages dressed up with brand-name company logos to induce individuals to reveal personal information or to click links.
- Spear Phishing: similar to phishing, but specific individuals within a company are singled out and targeted for exploitation.
Social engineering, increasingly prevalent, is a modern-day attack vector that exploits social conditioning and human naivety to infiltrate networks, gain access to systems and steal confidential information from organizations. A social engineering attack might be a phone call from a spoofed number that goes something like this: “This is Microsoft, and I’m calling to notify you that there is a bug outbreak in DFW and I’ve been charged with your area. I need to log into your computer and apply a patch.”
We know that Microsoft does not operate in this manner.
Cybersecurity and data backup company Datto identifies four other everyday social engineering attacks to be aware of:
- Baiting: Baiting, similar to phishing, involves offering something enticing to an end user in exchange for login information or private data. The “bait” comes in many forms, both digital, such as a music or movie download on a peer-to-peer site, and physical, such as a corporate-branded flash drive labeled “Executive Salary Summary Q3 2016” that is left out on a desk for an end user to find. Once the bait is downloaded or used, malicious software is delivered directly into the end user’s system and the hacker is able to get to work.
- Quid Pro Quo: Similar to baiting, quid pro quo involves a hacker requesting critical data or login credentials in exchange for a service. For example, an end user might receive a phone call from the hacker who, posing as a technology expert, offers free IT assistance or technology improvements in exchange for login credentials. Another common example is a hacker posing as a researcher who asks for access to the company’s network as part of an experiment in exchange for £100. If an offer sounds too good to be true, it probably is quid pro quo.
- Piggybacking: Piggybacking, also called tailgating, is when an unauthorized person physically follows an authorized person into a restricted corporate area or system. One tried-and-true method of piggybacking is when a hacker calls out to an employee to hold a door open for them as they’ve forgotten their RFID card. Another method involves a person asking an employee to “borrow” his or her laptop for a few minutes, during which the criminal is able to quickly install malicious software.
- Pretexting: Pretexting, the human equivalent of phishing, is when a hacker creates a false sense of trust between themselves and the end user by impersonating a co-worker or a figure of authority well known to an end user in order to gain access to login information. An example of this type of scam is an email to an employee from what appears to be the head of IT Support or a chat message from an investigator who claims to be performing a corporate audit.
The bottom line? Consider partnering with a business technology provider for proactive cybersecurity education. Reinforce that training by setting up a program that sends simulated phishing emails to employees and reports on anyone who falls for the “bait,” so you can see where additional coaching is needed.
3. Ask Yourself These Four Questions:
In contemplating your vulnerabilities, and considering your next security action items, start by asking yourself these four pertinent questions:
- What are we doing to educate employees on security?
- How are we testing them to know if they’re adequately trained?
- What is our disaster recovery plan? Do we have one?
- How long can we afford to be down?
In asking yourself those questions, did more questions arise? Ready to maximize your security efforts? Join us for MAXIMIZE: A Datamax Partner Success and Appreciation Event on Thursday, June 20.
As part of our event, we’ll help you recognize attack methods and business threats, identify risk mitigation strategies to limit exposure, and assess your current security framework. Click below to learn more about this event, which includes other great topics and speakers!