
The #1 threat to ANY business is… You! Like it or not, owners and their employees are the number one cause of all security breaches in business.
The most common way for attackers to infiltrate your network is through a phishing or social engineering attempt. When an employee clicks, downloads or opens an infected file from a website or phishing email, they grant attackers access to company data. The targeted employee is usually unaware of what they’ve done — even a smart, tenured employee can click on the wrong link and open the door to TOTAL FINANCIAL DEVASTATION. The malicious software that gets installed on your network (also known as malware) can lock up files and important software like Adobe, QuickBooks, Sage and FOUNDATION so that you cannot access or use them. After encrypting your data, attackers will demand a ransom payment in exchange for a decryption key to unlock your files. Sometimes attackers will even threaten to expose the breach to the public and potentially cause damage to your reputation if payment is not received.
At a technology conference in 2017, Neal Juern, President and CEO of Juern Technology, was fortunate enough to be chosen from the audience to ask Theresa Payton, keynote speaker at the event and former White House Chief Information Officer, a question. Neal asked Theresa “what percentage of the time are hackers breaking through all of the security layers put in place and what percentage of the time are they just using phishing and social engineering to break in through people?” Theresa’s answer was that the percentage of hackers just using phishing and social engineering to break in through people is “in the high 90’s”. This confirms that humans are undeniably the weakest link.
Take the story of this CFO of a large real estate firm. She returned from vacation to find that while she was away someone had impersonated her through a very convincing business email sent to their accounting department asking for a change in her direct deposit information. When she came back into the office, the accounting employee let her know that she had made the requested change to her direct deposit. At that point, they realized they had been attacked. Luckily, payroll had not been processed and accounting was able to reverse the change before any money was lost. They have an IT company protecting them from data breaches, yet all those security layers mean nothing when an employee clicks a malicious link on a sketchy website or phishing email, or downloads infected media from the internet. Consistent cybersecurity training for employees and having an Acceptable Use Policy (AUP) that outlines how employees are able to use company-owned devices, software, internet, and email is the best way to protect your business from financial ruin due to a security breach.
The ugly truth is… antivirus software is useless and ineffective against the number one cause of breaches – Humans! (tricked by phishing and social engineering attacks that target people). Antivirus software only protects against KNOWN viruses; it doesn’t even know about the latest viruses out on the prowl that inadvertently get downloaded to your network. However, there is a new approach to cybersecurity that could significantly shrink your company’s threat surface (EVEN if an employee clicks on a malicious link), which I will elaborate on later. For now, always keep in mind that cybercrime is a very real threat to your business. I can almost guarantee that you are underestimating the potential damage ONE cyber-attack can have, or that you are being misguided or inadequately served by the employees and vendors you hired to protect your business from threats. Are you unsure if your network is being protected and properly served? Take this free quiz to find out: “How Does YOUR Current Computer Guy Stack up?”
Every single day, 978,000 NEW malware threats are being released, and more than HALF of the cyber-attacks occurring are aimed at small and midsized businesses; it’s just kept quiet for fear of attracting bad press, lawsuits and fines, and out of sheer embarrassment – but make no mistake: small businesses are being compromised daily, and the smug ignorance of “that won’t happen to me” is an absolute surefire way to leave yourself wide open to these attacks.
If you get attacked with ransomware and you report it, it will most likely involve an investigation into what measures you took to protect your organization from attack. Businesses are expected to provide cybersecurity training, documentation on firewalls and penetration testing. Fines and penalties should also be expected, especially if you lose customers’ personally identifiable information (PII).
Who are the bad guys? According to Marc Goodman, author of Future Crimes and former FBI agent, a large percentage of attackers in our generation are nation-state hacking groups. American companies are constantly being attacked by countries that have sophisticated and organized hacking operations. In the book Future Crimes, Marc reports that China placed 150,000 children in programs training them to join these nation-state hacking groups. Russia and North Korea are other known hotbeds for cyber threat activity that invest significant resources in this world-wide multibillion-dollar industry. It’s just too easy to set up a “cyber hook and bait” to cast out into the vast ocean of unaware web surfers that will fall for the trick and take the bait.
The bare minimum EVERY business must do to fight back against cybercrime is:
- Never reuse the same password twice; this includes variations. Always use unique passwords for every login and get a password manager to remember all your passwords. This is the best way to manage your passwords until passwords eventually go away altogether.
- Never connect internet-enabled devices to your main WiFi network. Internet-enabled devices (also known as IoT devices or Internet of Things) must ALWAYS be connected to a guest WiFi that is denied access to your network and only provides internet connection to the user. IoT devices like Alexa speakers, Google Home speakers, Ring doorbells, smart thermostats, smart light bulbs, smart surveillance cameras, smart TVs and other smart devices are extremely vulnerable to attack. Are WiFi connected devices leaving YOUR company “back door” wide open for hackers?
- Always be suspicious of links. Never click a link in an email or on a website before hovering over it to see where it’s going to take you. One tell-tale sign is that the destination will be completely unrelated to the link. It’s best to avoid sketchy websites altogether and refrain from downloading free movies, music, audiobooks, and the like from the internet.
- Always update your software and keep your patches up to date. Attackers will take current technology/software and find its security loopholes. That’s why it’s important to install updates that fix these security loopholes as they are discovered. Just do it and stop hitting “Remind me tomorrow”.
- Back up your data BOTH on-premise and in “the cloud”. If your files do get encrypted, you can avoid paying the ransom and recover your data if you set up this fail-safe data backup solution. You’ll need professional assistance from your IT services provider for this one.
- Don’t let employees access company data on personal devices. It’s becoming commonplace for employees to use their own personal devices for work. Now that most of our data is stored online, employees are getting access to company data remotely and all they need is a username and password. If their device is lost or stolen and the device is not being monitored by the company’s IT service provider and/or IT department, then it is impossible to wipe that device of all sensitive company data.
- Provide year-round cybersecurity training for employees. It only takes ONE cyber-attack…one mistake can cause a fatal blow to any business. Raise your organization’s cyber threat intelligence by getting a cybersecurity training service to raise everyone’s awareness little by little, over time, with short educational videos and penetration testing.
- Get a third-party to audit your network security. Don’t gamble on cybersecurity by blindly trusting that your current IT support has it “handled”. It’s important to get a cybersecurity audit every year to make sure your security layers are keeping up with the ever-changing attack methods of today’s innovative cybercriminals.
- Always use multi-factor authentication. This type of added security is so effective because attackers will have to know your password AND possess something of yours – like your fingerprint or cell phone – to verify your identity. It is very difficult for attackers to impersonate you when using multi-factor authentication. ALWAYS use this for bank logins at the very least.
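The hover check from the “Always be suspicious of links” item above can be automated for HTML email by comparing the domain a link displays with the domain it actually points to. This is an added example, not code from the original article; the sample message, its domain names and the `suspicious_links` helper are constructed for illustration, and comparing only the last two domain labels is a simplifying assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hostname-looking token inside visible link text, e.g. "www.example-bank.com"
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def base_domain(host):
    # Assumption: the last two labels approximate the registrable domain.
    # Use a public-suffix list in production so suffixes like "co.uk" work.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class LinkAuditor(HTMLParser):
    """Collects (visible_text, href) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:   # only keep text that sits inside a link
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def suspicious_links(html):
    """Return (shown_text, real_host) for links that display one domain
    but point to a different one."""
    auditor = LinkAuditor()
    auditor.feed(html)
    flagged = []
    for text, href in auditor.links:
        dest = urlsplit(href).hostname or ""
        shown = HOST_RE.search(text)
        if shown and dest and base_domain(shown.group(1)) != base_domain(dest):
            flagged.append((text, dest))
    return flagged

# Constructed sample email body (not taken from any real message)
SAMPLE = """
<p>Invoice: <a href="http://billing.example.net/login">www.example-bank.com</a></p>
<p>Help: <a href="https://support.example-bank.com/faq">example-bank.com/help</a></p>
<p><a href="https://example.org/unsubscribe">Unsubscribe</a></p>
"""
```

Only links whose visible text itself looks like a domain are compared, so a generic “Click here” link is not flagged by this check and still needs the manual hover.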
Advanced Cybersecurity Measures:
Even with all the above security measures in place, you are still extremely vulnerable to attack. If an employee falls for a phishing or social engineering scam by clicking on a bad link, this will cause encryption of your valuable data until you pay a ransom to the hackers who may or may not return your data. Luckily, there is a new approach to cybersecurity that could significantly shrink your company’s threat surface and it is called zero-trust security.
The Zero-Trust Security Approach
With zero-trust security, even if a single employee clicks on a malicious link, it will STOP the attack BEFORE any damage can be done. Two very aggressive forms of zero-trust security measures are “application whitelisting” and “ringfencing.” Learn more about What You Think Your Anti-Virus Does And What It Actually DOESN’T Do.
Your antivirus can’t protect against employees that click, download or open an infected file. Hiring people and handing them devices that are connected to your network without giving them any security training is similar to handing someone a loaded gun without first giving them gun safety training — it’s irresponsible. To learn more about this rising issue and what you can do to protect yourself, download our free executive brief: “The Top 10 Ways Hackers Get Around Your Firewall and Anti-Virus to Rob You Blind” or give us a call today at (210) 245-6900 to schedule a FREE computer network assessment (a $397 value).
Juern Technology is a complete IT services company for San Antonio businesses. We are 100% committed to making sure business owners have the most reliable and professional IT service in San Antonio. Our team of talented IT professionals can solve your IT nightmares once and for all.