Cybercrime is a lucrative business. Nefarious fraudsters never tire of dreaming up new and inventive ways to target businesses and their employees. Could you be sleepwalking into a major cybersecurity breach?
Consider this unnerving statistic: Verizon’s recent Data Breach Investigations Report found that small businesses make up 43% of data breach victims (in this instance, a small business is one with fewer than 1,000 employees). Why are small businesses vulnerable? Hackers and fraudsters usually take the path of least resistance, and smaller companies may not have the same resources to pour into security measures as larger organizations do. A small company is also less likely to have a dedicated IT or security team.
However, small can also mean agile and responsive. A large company with numerous employees can face an uphill struggle in persuading all staff to buy into security measures. If you have a thousand employees, what are the odds that none of them will fall prey to a social engineering scam? Whether large or small, you can turn your company into a formidable target — if you understand the risks, shore up your defenses and educate your employees.
Know your enemy
Forewarned is forearmed when it comes to cybercrime. Most attacks rely on the victim being duped into trusting an untrustworthy source. The most common cyberattacks start with a phishing scam.
Spam filters can be fairly effective at intercepting phishing emails, but some will still slip through the net. Most scam emails are easy to spot. They'll use a generic form of address or will carbon copy a large and often random list of other contacts, and may even be full of spelling mistakes. However, phishing scams are becoming increasingly sophisticated as people become more scam-aware.
Basic phishing emails involve fraudsters attempting to trick you by reporting unusual activity from a service provider (such as PayPal or Microsoft) or even your bank, with threats of dire consequences if you don’t take action (e.g., click on a bogus link). The email may look convincing, but contacting the sender directly will confirm it’s a scam.
Spear phishing scams target a person or company and often contain a fair amount of personalized information. “Whaling” attacks are directed at the CEO or board members who are less likely to have participated in security awareness training. “Pharming” scams redirect users from a trusted site to a fake version infected with malicious code. A recent pharming scam targeted 50 banks, and the extent of the damage remains unknown.
Ransomware is malware, typically delivered through a phishing email attachment or a download from a suspicious website, that holds your data hostage until you pay the ransom. It is one of the most common forms of attack, and it can be prevented by keeping your security measures up to date and scheduling regular data backups to a secure location.
The best way to avoid any phishing scam is to use your common sense: never click on a link in an email unless you have independently confirmed it is legitimate, and never enter login details on an insecure site (i.e., check that the address begins with https, not http).
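The red flags listed above (a generic form of address, a long Cc list, threats of dire consequences unless you act at once, and a login link that is plain http rather than https) can be turned into a simple triage heuristic. The following Python is an added example, not code from the article; the two messages are constructed samples, and the phrase lists, the Cc threshold of five addresses and the score threshold of two are assumptions chosen for illustration.

```python
import re
from email import message_from_string

# Constructed sample: shows several of the indicators the article describes.
SAMPLE_SUSPICIOUS = """\
From: security-alert@example-bank-login.test
To: customer@example.test
Cc: a@example.test, b@example.test, c@example.test, d@example.test, e@example.test, f@example.test
Subject: Unusual activity detected - action required

Dear Customer,

We noticed unusual activity on your account. Your account will be suspended
within 24 hours unless you verify your details immediately at
http://example-bank-login.test/verify
"""

# Constructed sample: an ordinary internal message with an https link.
SAMPLE_ORDINARY = """\
From: alice@example.test
To: bob@example.test
Subject: Lunch on Thursday?

Hi Bob,

Are you free for lunch Thursday? The agenda is at https://intranet.example.test/agenda
"""

# Assumed indicator lists; a real deployment would tune these to its own mail.
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder", "dear sir/madam")
URGENCY_PHRASES = ("immediately", "within 24 hours", "suspended", "unusual activity",
                   "verify your", "action required")
LINK_RE = re.compile(r"https?://\S+")


def score_message(raw: str, cc_threshold: int = 5) -> dict:
    """Return the red flags found in one RFC 822 message and a count of them."""
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = ((msg.get("Subject") or "") + "\n" + body).lower()
    findings = []

    # Generic form of address instead of the recipient's name.
    if any(greeting in text for greeting in GENERIC_GREETINGS):
        findings.append("generic greeting")

    # Large (often random) list of carbon-copied contacts.
    cc_addresses = [a for a in (msg.get("Cc") or "").split(",") if a.strip()]
    if len(cc_addresses) >= cc_threshold:
        findings.append(f"{len(cc_addresses)} addresses on Cc")

    # Threats of dire consequences unless the reader acts now.
    if sum(phrase in text for phrase in URGENCY_PHRASES) >= 2:
        findings.append("urgent/threatening language")

    # Links to pages served over plain http rather than https.
    links = LINK_RE.findall(body)
    if any(link.startswith("http://") for link in links):
        findings.append("link to insecure http site")

    return {"score": len(findings), "findings": findings, "links": links}


def is_suspicious(raw: str, threshold: int = 2) -> bool:
    """Flag a message for a human check when it shows at least `threshold` red flags."""
    return score_message(raw)["score"] >= threshold


if __name__ == "__main__":
    for name, sample in (("suspicious", SAMPLE_SUSPICIOUS), ("ordinary", SAMPLE_ORDINARY)):
        print(name, score_message(sample))
```

The heuristic is deliberately conservative: a single indicator is not enough to flag a message, because legitimate mail sometimes uses a generic greeting or a long Cc list. Its job is to route the message to a person who then confirms with the purported sender directly, as the article advises.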
Distributed Denial of Service (DDoS) is a particularly pernicious form of attack. Your system is flooded with data requests, causing it to grind to a halt. The only way to protect yourself from this risk is to build a secure and robust system with security measures and monitoring, which can utilize the cloud (with its greater bandwidth).
So where do you start?
There are numerous practical measures you can take to protect your company’s computer systems. Here are five:
- Define a detailed security protocol. Cover all aspects of your business, and be sure to include standard best practices such as regular data backups and system and application patches and updates. Also address identity protection, the impact of social media on your privacy, the repeated use of old passwords, and the failure to do simple things like installing regular software updates on mobile devices and desktop computers.
- Build up your defenses. Invest in a strong firewall and use spam filters and automatic data encryption. Install anti-malware, anti-virus and anti-spying software and security monitoring applications. If you don't have a dedicated IT department, consider hiring a security professional to oversee this process, educate employees with security awareness training and help you uncover system vulnerabilities via penetration testing. Believe it or not, employees still remain the weakest link in any organization’s fight against cybercriminals.
- Provide all employees with cybersecurity best practices. Advise them to ignore a suspicious email, and then run scenarios or spot checks to make sure employees are prepared to head off outside intruders. Awareness training shouldn't be a one-time occurrence; rather, it's an ongoing event. Complacency is your enemy. The vast majority of cybersecurity breaches result from human curiosity (such as clicking a link or attachment in a phishing email) and can be avoided if staff know what to look out for. Make sure all employees know how to report a suspected breach and reward vigilance.
- Install up-to-date software patches. In an era of Bring Your Own Device (BYOD), it's nearly impossible to prevent employees from linking unsecured devices to your Wi-Fi network. However, you can reduce the risks by using endpoint security solutions to detect malicious apps and mobile device management software to block targeted attacks. Make sure that all employees know the risks involved in downloading an app from an untrusted source.
- Strictly control employee access to both data and systems. Keep a record of all interactions, which includes blocking system access to former employees. Staff members should have their own login details. Passwords should be complex, changed regularly and not repeatedly used. Take advantage of free password managers available in your internet browser, such as Google Chrome, which will remember passwords for you. Use two-factor authentication when it’s made available, such as from your bank. Some employees might grumble about following these smart protocols, but an ounce of prevention is worth a pound of cure.
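The last measure, strict control of employee access, is easiest to keep honest with a recurring reconciliation of system accounts against the current staff list. The Python below is an added example, not code from the article: it takes a constructed roster and a constructed account list and reports the conditions the article calls out (former employees who still have access, shared logins instead of individual ones, and accounts without two-factor authentication). The data model, the 90-day stale-login cutoff and all names are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    username: str
    owner: str          # employee id the account is assigned to; "" means a shared login
    mfa_enabled: bool   # whether two-factor authentication is turned on
    last_login_days: int


# Constructed sample roster: employee id -> name (not real data).
ACTIVE_EMPLOYEES = {"e101": "Alice", "e102": "Bob", "e103": "Chen"}

# Constructed sample account export (not real data).
ACCOUNTS = [
    Account("alice", "e101", True, 1),
    Account("bob", "e102", False, 3),
    Account("chen", "e103", True, 2),
    Account("dave", "e099", True, 120),   # e099 has left; account was never disabled
    Account("warehouse", "", False, 0),   # shared login used by several staff
]


def audit_accounts(accounts, active_employees, stale_days=90):
    """Return (username, issue) pairs for every account that breaks the access rules."""
    issues = []
    for acct in accounts:
        if not acct.owner:
            issues.append((acct.username, "shared account: no individual owner"))
        elif acct.owner not in active_employees:
            issues.append((acct.username, "owner is no longer an active employee"))
        if not acct.mfa_enabled:
            issues.append((acct.username, "two-factor authentication not enabled"))
        if acct.last_login_days >= stale_days:
            issues.append((acct.username, f"no login in {acct.last_login_days} days"))
    return issues


def accounts_to_disable(issues):
    """Usernames whose owner has left: these should be blocked, not just reported."""
    return {user for user, issue in issues if issue == "owner is no longer an active employee"}


if __name__ == "__main__":
    found = audit_accounts(ACCOUNTS, ACTIVE_EMPLOYEES)
    for user, issue in found:
        print(f"{user}: {issue}")
    print("disable now:", sorted(accounts_to_disable(found)))
```

Run this from a scheduled job against a real export of your directory or application accounts, and the offboarding gap the article warns about becomes a daily report rather than a surprise after the fact.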
Be vigilant, be wary and be proactive. Cyber insurance, which continues to be rapidly adopted, is another way to limit your risk exposure and is an option that your insurance professional can discuss with you in greater detail. You have it within your power to protect yourself and your company from being the victim of a cybercrime.