Posts by admin
Ransomware is a particularly devious form of cyber attack, made possible when a malicious file somehow gets past your network security and then encrypts all of your data so that it can’t be used. The attacker then offers to decrypt your data, or to provide the key that will decrypt it, once a sum of money is paid.
This has become a very popular form of cyber attack, because there are very few alternatives available to the victim, especially if the company being victimized does not take daily backups of its data.
As a company, it’s very important that you take every step possible to prevent the penetration of malicious files like this which can cause such widespread damage to your business. In general, there are two kinds of action that every company should take to prevent cyber attacks such as ransomware from succeeding.
The first set of actions involves taking a proactive approach to instructing employees about the need to maintain security at all times, especially with regard to email, social media, and the use of devices which have company data stored on them. The second approach is to automate as many processes as possible, so as to minimize the potential for human error whenever those processes involve sensitive data owned by the company.
Emails and Downloads
It is known that most ransomware attacks occur because humans have made simple errors that allowed a malicious file to gain entry into the network, and to subsequently lock up company data. Training staff to avoid such mistakes can go a long way toward eliminating all these casual cyber attacks, for instance those which gain entry to the network via emails.
All staff members should be thoroughly indoctrinated about not clicking on email attachments, and not divulging company information via emails to anyone claiming to be a company official. All it takes is one ill-advised click on an email attachment, and a ransomware file could be downloaded into your system, with disastrous results.
Another very likely source of data breaches is the downloads which company personnel carry out from the Internet. For the sake of company security, it’s best that the majority of employees do not have the capability to download executable files such as games and other applications. Because the user is initiating the download, it passes right through a company firewall, so this capability should be restricted to the few people with an actual need to download specific files.
Promote Data Security as a Culture
The most determined hackers will research a company and its personnel for hours on end, probing for weaknesses and opportunities to develop phishing campaigns. Some of these cyber criminals will go to great lengths, monitoring social media, reading company blogs and press releases, and learning as many clues as possible about the nature of the company.
This makes it extremely important that all staff members contribute to a culture of data security, so that it’s always uppermost in everyone’s mind, and the likelihood of a lapse is significantly reduced. Part of this data security culture should entail reporting all suspicious activities noticed by individuals, including emails which seem odd, and files which cannot be identified.
With a regular meeting scheduled weekly to discuss security issues, data security will become part of everyone’s thinking process and part of company culture. If necessary, you can even incentivize the process so that safe practices are rewarded, and any insecure practices that are identified can be pointed out and corrected.
Automating Processes for Reduction of Human Error
The first thing you should undertake in this area is to make sure your data is backed up to the cloud. This will give you the option to access your data, even if a cyber criminal successfully penetrates your system and locks up the data for ransom. If you have full access to yesterday’s data, that data can then be restored to your system with minimal loss of business activity.
Another good process to automate would be to block all .exe files from email attachments, so that employees can’t accidentally click on them, and trigger the loading of malware into your network.
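The article recommends blocking .exe attachments at the mail gateway. The following is an added example, not code from the article or from Geek Aid, showing how such a filter can be written so that it also catches the two common ways a blocklist is evaded: an executable renamed to a harmless extension (caught by its MZ header) and an executable hidden inside a zip archive (caught by unpacking in memory). The extension list, size and nesting limits, and all sample attachments are constructed assumptions; adjust them to your own policy.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Constructed policy (an assumption, not a list from the article): suffixes
# that Windows or its script hosts will run directly when double-clicked.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                      ".js", ".vbs", ".ps1", ".msi", ".hta"}
MZ_MAGIC = b"MZ"                      # header of every DOS/PE executable
ZIP_MAGIC = b"PK\x03\x04"             # local-file header of a zip archive
MAX_ARCHIVE_DEPTH = 3                 # stop unpacking archives nested deeper than this
MAX_MEMBER_BYTES = 50 * 1024 * 1024   # refuse to inflate oversized members


def has_blocked_extension(filename):
    """Only the final suffix matters to the OS, so 'invoice.pdf.exe' is caught here."""
    return PurePosixPath(filename.lower()).suffix in BLOCKED_EXTENSIONS


def classify_attachment(filename, data, depth=0):
    """Return ('block' | 'allow', reason) for one attachment's name and raw bytes."""
    if has_blocked_extension(filename):
        return "block", f"{filename}: blocked extension"
    if data[:2] == MZ_MAGIC:
        # The bytes say "executable" even if the name says "notes.txt".
        return "block", f"{filename}: executable header despite its extension"
    if data[:4] == ZIP_MAGIC:
        if depth >= MAX_ARCHIVE_DEPTH:
            return "block", f"{filename}: archive nested deeper than {MAX_ARCHIVE_DEPTH}"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                for info in archive.infolist():
                    if info.is_dir():
                        continue
                    if info.file_size > MAX_MEMBER_BYTES:
                        return "block", f"{filename}: member {info.filename} too large to inspect"
                    verdict, reason = classify_attachment(info.filename, archive.read(info), depth + 1)
                    if verdict == "block":
                        return "block", f"{filename} -> {reason}"
        except (zipfile.BadZipFile, RuntimeError):
            # Corrupt or password-protected archives cannot be inspected, so fail closed.
            return "block", f"{filename}: archive could not be inspected"
    return "allow", f"{filename}: no executable content found"


def build_sample_zip(members):
    """Constructed test helper: zip the given {name: bytes} mapping in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample attachments, including a renamed executable and a zipped one.
    samples = {
        "report.pdf": b"%PDF-1.4 constructed sample",
        "setup.exe": b"MZ\x90\x00",
        "notes.txt": b"MZ\x90\x00",
        "invoice.zip": build_sample_zip({"invoice.pdf.exe": b"MZ\x90\x00"}),
        "photos.zip": build_sample_zip({"beach.jpg": b"\xff\xd8\xff"}),
    }
    for name, blob in samples.items():
        print(classify_attachment(name, blob))
```

The filter fails closed on anything it cannot inspect (encrypted or corrupt archives, deeply nested archives, oversized members), which is the right default for a mail gateway: a blocked legitimate file costs a phone call, a delivered executable can cost the business.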
As soon as you receive updates and security patches, they should be installed right away, so as to catch the very latest Internet threats and protect you against them. If you can automate this process, it would be even better, because your protection would start much sooner.
Make sure that antivirus software is installed at all user-facing portals, and also at endpoints on the network, so that threats can be identified and thwarted. You might not catch every single snippet of malware, or every single virus coming through the system, but it will block the majority.
It goes without saying that you should also have a good firewall installed, in addition to threat detection systems which are behavior-based. Once you get all these protections in place, it’s a good idea to conduct your own version of penetration testing, which will identify any weaknesses in your overall security scheme, and will also point up any threats which could be carried out against your network.
Most small businesses, and most large ones too, do their computing in the cloud these days, and for good reason. It’s flexible, it’s fast, it’s secure, and it gives you access to other cloud applications that you wouldn’t normally have in-house. In fact, it’s not much of a stretch to say that cloud computing is fast becoming the norm for all business today, and if you still need a reason to migrate your business to the cloud, several of the best reasons for doing so are listed below.
Automatic Software Updates
One of the great things about cloud computing is that all server operations happen out of sight and off the premises. Your cloud services provider handles all the maintenance and repair work necessary for servers, so that you never have to be involved. The same is true for software updates such as security patches, which is another thing you don’t have to be bothered with. Because this is taken care of for you, you and your employees are free to concentrate on activities more central to your business.
If your company is one that has been steadily experiencing growth, you will undoubtedly be going through regular increases in bandwidth demand as your computing needs increase. If you were managing that in-house, you would probably have difficulty scaling up every time your business experienced a growth spurt, but thanks to the inherent scalability of cloud computing, it’s not something you need to worry about. Of course, it works the same way in reverse, and if you should need to scale down due to a downturn in business, the flexibility provided by cloud computing can accommodate that as well.
Your in-house teams can be much more effective and much more productive when they can edit and share documents wherever they happen to be, using any kind of device. There are all kinds of cloud-based sharing apps and workflows which allow users to make real-time updates, and which provide each user with full access to documents as needed. When your company employees can do things together, they can do it better as well, and that means your company benefits.
Even the smallest businesses can now participate in disaster recovery programs, simply by positioning their business on the cloud and taking advantage of the disaster recovery services offered by their provider. In fact, statistics show that small businesses on the cloud are twice as likely to have implemented regular backup procedures, as well as recovery procedures. Having both of these processes in place will help small businesses avoid disaster, should business-critical data be compromised or corrupted in some way.
No Capital Expenditures
Cloud computing avoids the need to make large expenditures for computer equipment and network infrastructure, that would ordinarily be required for an on-the-premises setup for computing. Using the pay-as-you-go model for cloud computing, a subscription fee which is paid either annually or monthly is virtually the only cost associated with your computing. To extend this concept, you also don’t have to worry about periodically replacing that high-priced hardware equipment to keep it current and functioning optimally. All that is transparent to you, and is taken care of by your cloud services provider.
Lost laptops have, surprisingly, become a billion-dollar problem in this country, and even worse than losing the machine itself is the security nightmare presented by losing the company data stored on it. Cloud computing provides a hedge against this scenario, since data is stored on cloud servers rather than in the local environment. In addition, once you know for sure that your laptop is lost, the data on it can be remotely erased, so it doesn’t fall into the wrong hands.
Working from Anywhere
As long as you have an Internet connection, you can literally work from anywhere. Since virtually all cloud services also provide the capability for you to work with mobile apps, you’re also not restricted to using any specific kind of device. This allows cloud-connected companies to offer perks to their employees such as working from home, to create a better work-life balance, with no loss of productivity. Studies have shown that a majority of workers would sacrifice income for the ability to work from home, so this is a major perk which could be provided.
Moving to the cloud will provide you with world-class technology, which you can put to use to stay competitive with your rivals. It also levels the playing field between smaller businesses and the giant corporate concerns, since everyone has access to the same technology. If there’s only one move you could make to become more competitive, migrating your business to the cloud should be that one move.
In the past, collaboration between employees often became something of a nightmare in practice, with employees sending files back and forth, often as email attachments, so that each could work on a task sequentially. When you migrate your business to the cloud, files are centrally stored and managed, so that everyone sees a single version of the most current file. This increased visibility fosters much better collaboration, which in turn improves productivity and the bottom line for your company.
It can be a difficult prospect to get a small business owner or manager to accept the fact that managed IT services might be a good move for his company. Most owners of small business companies have gotten to the point where they were successful by relying on their own judgment and their own capabilities.
That makes them reluctant to place the entire future of their business technology in the hands of someone else, even if that someone else is an expert in the field. This is easy to understand, because owners and managers like this have achieved a certain level of success in business by being in control, and they have a natural aversion to giving up that control.
However, there are certain ways to appeal to such owners and managers, even if they are generally reluctant to relinquish control of their IT services and the business technology which supports the company. ‘Type A’ personality managers, for instance, are generally very independent people with highly competitive natures. By appealing to the competitive nature of a Type A personality, and by showing them how managed IT services provide a competitive edge over their rivals, they can sometimes be won over.
Type B personality managers usually find static routines distasteful, and they prefer to be more creative and more innovative in finding business solutions. This is a tailor-made situation for the cutting-edge advantages offered by managed IT services, because it appeals to the creative nature of the Type B manager.
Regardless of personality types though, any manager who is considering a commitment to managed IT services, will need to be able to see the security, efficiency, and stability which the process brings to their company. In addition to seeing the value proposition which managed IT services provides for companies, the company owner or manager has to recognize that having IT infrastructure completely handled for them is a major undertaking that they need to be completely committed to.
Here are some other considerations that a business owner or manager might want to weigh before plunging into managed IT services.
Is Your Business Large Enough?
Some business owners have the idea that their company simply isn’t large enough to warrant managed IT services, possibly because the total number of employees in the company is less than 10, and most IT work is carried out on laptops and spreadsheets.
In truth however, any size company regardless of how many people are employed, is large enough to have its IT services managed by an efficient third-party provider. Any business will run much more efficiently when technology is maintained and monitored by experts in the field.
It’s also worth considering that any business which is online is subject to cyber attack by the criminal-minded individuals who abound on the Internet, and if you don’t have the expertise to protect your company against these possible incursions, you could suffer serious damage. Even a small company would benefit by having its business-critical data protected by a third-party which is expert in cyber security.
How Do Managed IT Services Save Money for Your Company?
Many small business owners have the notion that all investment should be earmarked for marketing and sales, as well as toward improving their core operations, rather than for a non-income generating function like IT. These are the kinds of managers who only worry about technology when it’s not working, or when it has somehow become broken.
For these managers, technology can be repaired by calling in a service technician when some kind of disaster strikes, or by simply replacing the broken equipment at the local hardware store. The problem with an approach like this is that when you just wait for equipment to break and then call in a service technician, you’ll be paying top dollar for the time that technician is on the job.
On top of a steep hourly rate, you’ll also have to pay for replacement of any hardware which is broken, and it may not even be possible to replace the hardware immediately. The bottom line on why this approach is far less than ideal, is simply that it’s a reactive strategy rather than a proactive one. A proactive strategy is what a managed IT provider would implement, constantly monitoring equipment for potential failure.
Another obvious flaw with this strategy is that your servers and your applications may run slowly, and your employees’ computers may take forever to boot up at the beginning of a day, simply because they’re not optimized for performance. You may also have machines which are infected with malware and you don’t even know it.
When you have non-technical employees dashing around your facility trying to fix technical problems, you will definitely lose efficiency and productivity from your workforce. One last problem with the ‘run until it breaks’ approach is that your customers will undoubtedly notice how slowly you respond to them, how poor your technology profile is, and how responses are generally mismanaged. Even worse, if your system experiences downtime often enough that customers notice it, they may just take their business elsewhere.
Managed IT services will avoid all these nasty scenarios, and save your company a bundle of money, just by being proactive, and by doing things right ahead of time.
In many companies around the country, there is a growing disconnect between the IT department and other organizational departments, especially with regard to current technology used by the company. Part of this disconnect is due to natural causes, since the language spoken by IT personnel is often quite different from normal business jargon, but in other cases, non-IT personnel simply prefer to seek solutions on their own.
This represents a clear communications breakdown which can lead to a number of security vulnerabilities, and some serious errors as well. As a manager of an organization, it is incumbent upon you to bring these two groups of people together, so that possible security breaches can be avoided, and all company personnel can be working together toward the accomplishment of business objectives.
The Millennial Mentality
Millennials at your place of business have all grown up in a world tightly connected by the Internet, and for all of them, finding the answer to any question has been a simple matter of Googling for it. This has fostered a mentality characterized by self-reliance whenever it’s necessary to find out any kind of tech-related information.
While this is admirable up to a point, it can definitely cause problems for your company, because any information learned through generic searches will provide generic answers, rather than information specific to your company. Making matters worse, most staff members today are now used to having the absolute latest in available technology, with their laptops being top-of-the-line and their smartphones being the very latest on the market.
Because of their dissatisfaction with the level of technology provided by IT, a number of staff people simply prefer to do their own information searches. This has also led many staffers to seek out apps which they need to handle certain business functions, and none of these apps will have gone through company security protocols.
Usage of Non-sanctioned Software
Because of the dissatisfaction with existing company technology, a number of young staffers commonly turn to apps which they discover online, and which will satisfy some business requirement they have. However, this can cause a number of security issues, especially if these apps are used to transmit or store business-critical data belonging to the company.
When some of the younger people in your organization feel that technology provided to them is inadequate, they can also develop a perception that the CIO is out of touch with the organization, and is unwilling to provide current technology. A serious vulnerability can develop in your company’s cyber security when some staff personnel begin to feel that the organization is unwilling to provide adequate IT support, and that’s how the usage of non-sanctioned software can slowly creep in.
Changing Staff Perception
In order to combat the prevailing sentiment described above, a firm commitment by management is necessary, so that IT policies are thoroughly explained to all staff members. People are always much more willing to accept decisions and policies which are explained to them, rather than being in the dark about matters, and simply being forced to accept any results of those decisions.
In this case, it should be clearly conveyed to staff members why there is a strong need to restrict information to authorized applications only, and what the consequences are of any kind of data breach. When your staff members understand exactly what the issues are, and how those issues will impact everyone in the company, including themselves, they should be more willing to accept any restrictions imposed.
On the other hand, if there is serious resistance to accepting company policies regarding technology and the restriction of various applications and software, it might be a good time for the CIO and other IT members to have a significant conversation with staff members. If there really are areas of deep inadequacy, this will be brought to light in a brainstorming session, and some avenues for possible remediation can be discussed.
The main thing to remember about all this is that there should be an honest and open discussion with staff members about why policies have been implemented, while at the same time understanding their complaints about potentially inadequate software or technology.
Training on New Technology
When new software is made available to staff members in your organization, it would be a terrific idea to hold training sessions for everyone, so they can quickly get up to speed on how to make best use of that new software. A good way to get the masses on board is to choose champions for the new technology, who can influence their fellow department members to embrace and excel in using the new software.
It’s extremely important to maintain good relations between the IT staff and all other non-IT departments, in order to accomplish company objectives. With this being the case, all possible efforts should be focused on establishing and maintaining good communications between the two groups, and if regularly scheduled meetings will help to accomplish that, that should definitely be a company goal.
In the constant cat and mouse game between cyber attackers and cyber security professionals, new areas of focus come into play every few months or so. Hackers continually probe for new weaknesses, and security personnel counter those moves by shoring up defenses in those same areas.
Since antivirus software has become so good at protecting networks and computer systems, hackers have had to find other ways to breach systems and carry out their insidious attacks. File-less malware has undoubtedly been developed by hackers in response to the efficiency and effectiveness of traditional file-based security measures. With this relatively new threat poised to run rampant, here are some things you can do to counteract infection by file-less malware.
What Fileless Malware is
Traditional malware relied on executable files to attack computer networks, delivered primarily through phishing attempts and targeted hacking efforts against systems. To counteract this, companies were forced to implement cyber security training for their employees, and to ensure that the latest antivirus software was always installed to catch any attacks being made.
File-less malware bypasses the security protocols an organization has in place, and instead relies on manipulating macros in existing software applications used by the company. PowerShell and other programs with scripting capabilities are ideal for this, because malicious code can be hidden within such applications and manipulated by hackers for their own purposes.
Hackers have also been writing more efficient code which does not drag down system resources to give itself away, through slowed performance. These kinds of in-program malware scripts have capabilities that are extremely versatile, and which can be manipulated by a hacker to collect data, to infiltrate secure or sensitive data, to monitor user behavior, and to escalate privileges, so as to make traditional hacking methods easier to implement.
Once scripts like these are in place, data can be siphoned out of the network with no real trace of the activity that caused it. Since no files are altered in any way, the attacks very often go unnoticed, because file scanning software will not detect them. Even worse, some file-less malware operates so stealthily that no immediate damage is done to any system, but enough doors are opened for future incursions that a longer-term weakness can be exploited sometime in the future.
Example of a Fileless Malware Attack
Reducing Your Risk of Fileless Malware Attacks
First of all, you should review your current malware detection software as well as your antivirus software, and even all email systems within the company. Look for settings which automatically disable macros in any files that are received. You should also check whether your software can use behavior-based detection methods to identify possible breaches.
To the greatest extent possible, you should shore up your endpoint security, meaning that every connected device which touches the Internet has all security patches applied and that all software is updated against attack.
The exploitation kits developed by hackers run in browsers, and are hosted on websites which the attackers have taken a great deal of time to create, which means that they seldom move around. This means that they can be avoided: by using your antivirus capabilities to block specific websites, you can go a long way toward eliminating the possibility of exploitation kits infecting your network.
Another good measure to take in the fight against file-less malware is to make sure all staff members are aware of best security practices. By keeping your staff alert to security threats, phishing attacks can be reduced or eliminated, and the risk of file-less malware attacks right along with them. Make sure your staff members understand that it’s better to speak up when any kind of security issue may have arisen than to stay silent and allow a breach to be exploited by a hacker.
Whatever kind of software you might currently be using, you can improve visibility into any system weaknesses you have through logging. Logging might be tedious and a hassle to review every day, but it can point out unusual activity that’s worth investigating, so that any kind of breach attempt can be thwarted. Your IT team and your cyber security team can monitor all the log files created, so that any suspicious activity carried out on your network is spotted immediately, and hopefully halted before a penetration occurs.
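The article points to logging and behavior-based detection as the counter to file-less malware that lives in macros and PowerShell. Below is an added example, not code from the article or from Geek Aid, of the kind of rule a security team can run over process-creation logs: it flags an Office application spawning a script host, and PowerShell launched with an encoded command or a hidden window. The JSON event format, the field names, the rule thresholds and every log line are constructed for illustration; the encoded blob is a placeholder, not a real payload.

```python
import json
import re

# Constructed sample log: one JSON process-creation event per line. This is an
# illustrative schema, not any vendor's real format. The last line is deliberately
# malformed to show the monitor skipping bad input instead of crashing.
SAMPLE_LOG = [
    '{"ts":"2024-01-01T09:00:01","host":"ws01","user":"alice","parent":"explorer.exe","image":"winword.exe","cmdline":"winword.exe Q1-report.docx"}',
    '{"ts":"2024-01-01T09:00:07","host":"ws01","user":"alice","parent":"winword.exe","image":"powershell.exe","cmdline":"powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand QQBCAEMA"}',
    '{"ts":"2024-01-01T09:05:00","host":"ws02","user":"bob","parent":"explorer.exe","image":"powershell.exe","cmdline":"powershell.exe Get-ChildItem C:\\\\Logs"}',
    '{"ts":"2024-01-01T09:06:00","host":"ws03","user":"carol","parent":"excel.exe","image":"wscript.exe","cmdline":"wscript.exe C:\\\\Temp\\\\update.vbs"}',
    '{"ts":"2024-01-01T09:07:00","host":"ws04","user":"dave","parent":"services.exe","image":"powershell.exe","cmdline":"powershell.exe -NoProfile -File C:\\\\Scripts\\\\backup.ps1"}',
    'garbled line that the collector truncated',
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# PowerShell accepts abbreviated switches, so match -e, -ec, -enc and longer
# prefixes of -EncodedCommand, but not unrelated switches such as -ExecutionPolicy.
ENCODED_FLAG = re.compile(r"(?i)(?<!\S)-e(?:c|n[a-z]*)?(?=\s)")
HIDDEN_FLAG = re.compile(r"(?i)(?<!\S)-w(?:indowstyle)?\s+hidden\b")


def evaluate(event):
    """Apply each rule to one parsed event and return the names of the rules that fired."""
    parent = event.get("parent", "").lower()
    image = event.get("image", "").lower()
    cmdline = event.get("cmdline", "")
    fired = []
    # Rule 1: a document viewer has no business launching a script interpreter.
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        fired.append("office-app-spawned-script-host")
    # Rules 2 and 3: PowerShell invoked in ways that hide what it is doing.
    if image in POWERSHELL:
        if ENCODED_FLAG.search(cmdline):
            fired.append("powershell-encoded-command")
        if HIDDEN_FLAG.search(cmdline):
            fired.append("powershell-hidden-window")
    return fired


def scan(lines):
    """Parse log lines, skip malformed ones, and return one alert per matching event."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a bad line must never stop the monitor
        rules = evaluate(event)
        if rules:
            alerts.append({
                "ts": event.get("ts"), "host": event.get("host"),
                "user": event.get("user"), "image": event.get("image"),
                "rules": rules,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

In the sample, Alice's Word document spawning hidden, encoded PowerShell trips all three rules, Carol's spreadsheet launching a script host trips one, and the two ordinary PowerShell sessions produce nothing. Rules this simple do produce false positives in some environments (a macro-driven reporting workflow, for instance), which is why the output is an alert for a human to review rather than an automatic block.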
As practically any manager in business will tell you, business continuity is a very important concept, one that is crucial to maintaining a solid company presence regardless of all external influences. However, even though practically all businessmen admit the importance of business continuity, not all of them take adequate steps to provide for it.
Some businessmen, in fact, prefer to ignore the situation and hope that nothing ever happens to their business which could result in extended downtime. There are a number of things in today’s world which can cause major disruptions to your business continuity, including all the possible natural disasters, as well as intrusions from cyber criminals bent on making money for themselves.
It seems that no matter how many times some managers hear about disasters which befall other companies, they just never think it can happen to their own. And then one day, the unthinkable does happen, and your company experiences some kind of disaster, and there’s a question about whether you can even recover adequately to stay in business. Here are some of the things that can happen to your small business which should have you thinking about disaster recovery and business continuity.
Malware is something which is much more likely to strike your small business than a flood, hurricane, an earthquake, or a tornado – but the damage done by malware can be just as bad as any of those natural disasters. Cyber attacks from malware have been growing by leaps and bounds over the past five years, and hackers have been focusing much more attention on small businesses.
Whereas corporate giants were once the chief target of cyber attacks, criminal-minded operators on the Internet have discovered that the cumulative profits which accrue from attacking many small businesses can be just as lucrative as targeting a single corporate entity. Ransomware is a favorite approach taken by cyber attackers, wherein they gain entry to your computer system, and a virus locks up all your corporate data by encrypting it.
Then, you are asked to pay a specified amount of money in order to receive the key that will decrypt the data and make it usable again. If you haven’t backed up your data very recently so that you have a usable version, you’ll probably have only two choices – pay the ransom, or go out of business.
Daily Business Disruptions
Apart from criminal attacks, there are a number of possible disruptions to your business which can occur on a daily basis, which are of the perfectly normal variety. For instance, you could have an infrastructure problem with your network which cripples the network for a day or two, until repairs can be made.
Meanwhile, your business is off-line, and you have no choice but to close your doors until your computer systems have been restored, and you can resume business operations. These kinds of daily disruptions have affected at least half of all small businesses in this country, and although recovery is generally within two days, it still means a loss of business for the time your computer system is off-line.
Statistics Concerning Business Disasters
It is known that more than 80% of all businesses which undergo some kind of major disaster, usually to the computing network, end up having to go out of business within three years of the disaster. At least 40% of all businesses which experience a major IT failure are obliged to close their doors within one year of that failure.
A full 44% of all companies which have been subjected to a fire or other disaster are never able to reopen and resume business, and of the 56% of those companies which do reopen, only 33% of them managed to survive for a period longer than three years.
Despite these chilling statistics on disaster recovery, data compiled by the Hughes Marketing Group suggests that over 90% of all companies sized at 100 employees or less, spend as little as eight hours a month considering business continuity and disaster recovery.
Another Source of Disasters
Apart from natural disasters and attacks from cyber criminals, there’s another major source of disasters which can plague small businesses. Statistics provided by disaster recovery solution experts tell us that between 60% and 70% of all disruptions to small businesses occur as a result of an internal failure.
The most common kinds of such failures are hardware failures in servers or other network components, software failures such as key applications becoming corrupted, and plain old human error. In this country alone, there are approximately 140,000 hard drive crashes each week, and many of those drives certainly contain business-critical data. Despite all this, it is known that at least one third of all small businesses never bother testing their backup or recovery procedures, even if they do have a formalized process in writing.
Among those companies which do test their backup and recovery routines, 75% have found flaws in the strategies, which would have prevented a full recovery in the event of an actual disaster. One last statistic about how serious a problem can be when you can’t retrieve your company data – 93% of all businesses which have lost access to their data center for at least 10 days, were forced to declare bankruptcy within a year of the events causing the loss of access.
Give some serious thought to business continuity and disaster recovery.
Keeping your network safe from potential attacks by cybercriminals is a top priority for any business owner or manager who wants to avoid the disasters which might develop if a network were compromised by a clever cybercriminal. As the Internet itself has grown, and businesses around the globe have increasingly tied their fortunes to it, so too has criminal activity increased, because there are so many more opportunities to exploit businesses for monetary gain.
With every new safety measure developed by security experts, determined cybercriminals learn ways of circumventing those new safeguards, so that they can continue their money-making schemes by living off businesses developed by others. There is no such thing as an entirely safe business enterprise these days, simply because there are so many cybercriminals plying their trade, and because so many of them are extremely clever and skilled at what they do.
However, there are a number of precautions you can take which will at least limit your exposure to such attacks, and give you a fighting chance of avoiding the disaster of having your data, applications, or network infrastructure breached by a cyber-attack. Of course, there are some very expensive security measures you can have installed for extra protection on your network, but even those are not guarantees of safety. That being said, here are some very common precautions you can take which will increase the likelihood that you can avoid the depredations of a cyber-attack.
Do Regular Backups to Stop Cybercriminals
One of the best things you can do to avoid having your data or applications held hostage is to back up your data files and your applications every day. If a cyber-attacker should somehow gain access to your data and encrypt it so that it is unusable unless you pay for the decryption key, you would have no recourse but to pay the ransom amount, unless you had been backing up your data every day.
A recent survey conducted on the question of backups discovered that only 50% of small businesses routinely back their data up on a weekly basis, and that percentage shrinks to less than 23% for daily backups. When you have a backup of yesterday’s data, that insulates you against a hijacking of your data today, because all you have to do is restore yesterday’s backup and you have current data again, minus any transactions which may have occurred today. A cyber-attacker would be defeated.
Check Backup Processes Regularly
Having a regular backup routine is great, but in order for it to have any value, you have to be sure that it’s doing what you intended it to do, i.e. saving all your important data to a storage medium, from which it can be readily retrieved. Many small business managers have found that their backups weren’t really functioning properly when the time came that data needed to be restored.
When a data restore becomes critical is not the time to find out that you’ve had a problem for several weeks or several months, because crucial data may have been lost. You should also make a point of having a full understanding of exactly what is getting backed up. Obviously, the focus should be on business-critical data, but these days it’s sometimes also important to back up data which is resident on employees’ laptops, because that can be just as important to business operations.
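A restore test is the only way to know a backup is doing what you intended. The following is an added example, not code from the original post: it records a SHA-256 manifest of the files that must be protected at backup time, then checks a backup copy against that manifest and reports anything missing or altered. It assumes backups are plain directory copies; the source tree and the flawed backup are constructed in a temporary directory so the script runs offline.

```python
"""Added example (not from the original post): a restore test that checks a backup
actually contains every business-critical file, byte for byte.

Assumptions (mine, not the page's): backups are plain directory copies, and the
set of files that must be protected is recorded as a manifest of SHA-256 hashes
taken at backup time. The sample source and backup trees are constructed below.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large database files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source: Path) -> dict:
    """Record the hash of every file under the source tree, keyed by relative path."""
    return {str(p.relative_to(source)): sha256_of(p)
            for p in sorted(source.rglob("*")) if p.is_file()}


def verify_backup(manifest: dict, backup: Path) -> dict:
    """Compare the backup copy against the manifest.

    Returns {"missing": [...], "corrupt": [...], "ok": n}. Only a backup with no
    missing or corrupt entries is one you could actually restore from.
    """
    missing, corrupt, ok = [], [], 0
    for rel, expected in manifest.items():
        copy = backup / rel
        if not copy.is_file():
            missing.append(rel)
        elif sha256_of(copy) != expected:
            corrupt.append(rel)
        else:
            ok += 1
    return {"missing": missing, "corrupt": corrupt, "ok": ok}


def demo() -> dict:
    """Construct a source tree and a flawed backup of it, then run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        src, bak = Path(tmp) / "live", Path(tmp) / "backup"
        for d in (src / "finance", bak / "finance"):
            d.mkdir(parents=True)
        # Constructed live data (sample values, not real records).
        (src / "finance" / "ledger.csv").write_text("2024-01-02,invoice,1200\n")
        (src / "finance" / "payroll.csv").write_text("alice,4000\n")
        (src / "customers.db").write_bytes(b"\x00" * 1024)
        manifest = build_manifest(src)
        # Constructed flaws: one file never copied, one copied truncated.
        (bak / "finance" / "ledger.csv").write_text("2024-01-02,invoice,1200\n")
        (bak / "customers.db").write_bytes(b"\x00" * 512)
        return verify_backup(manifest, bak)


if __name__ == "__main__":
    print(demo())  # flags finance/payroll.csv missing and customers.db corrupt
```

In practice the manifest is written alongside each backup run and the verification is scheduled, so a silently failing job is noticed in days rather than at restore time.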
Keep Virus Protection Updated
Your first line of defense against cyber-attack is generally your firewall, so make sure your firewall is functioning properly and that it’s always enabled so that it can deflect any casual cyber-attacks. It’s also very important to make sure that your protection against viruses is as current as possible. Every time you get a security update from a software vendor, or from your operating system provider, those updates need to be applied promptly.
Since many of those security updates include protection against newly discovered viruses and security threats, they need to be applied to your system as soon as possible. Updating employee passwords regularly is also a good idea because passwords which go unchanged for long periods of time become vulnerable to interception by cyber attackers.
Check Your Transaction Logs Regularly
You should always make a practice of checking transaction logs daily for any unauthorized activity, either internal or external. It happens frequently enough that businesses which have suffered a cyber-attack could have prevented the fatal breach by regularly consulting transaction logs to discover previous break-in attempts. This should be done as a matter of routine just for normal business operations, but it can also be your first warning of an impending major cyber assault.
Indoctrinate Your Employees
It has rightly been said that in many cases, your employees are your weakest link in the security chain because they are the most exploitable. Employees who are not trained to use safe business practices and avoid security breaches are constantly being targeted by cybercriminals who are aware of the potential for exploitation.
Employees should be trained to be very cautious about opening email attachments and about providing passwords or other important company information in emails or via social media, and they should be encouraged to change passwords monthly to protect against interception.
If you’ve been thinking that phishing attacks only happen to someone else and that the employees of your company are relatively immune from such attacks, you might want to reconsider, because phishing attacks can and do happen in the real world to companies of all sizes, and in all industries.
In fact, criminals who carry out these phishing attacks have begun focusing more on small to medium-size businesses recently, simply because there are so many more of them, and because employees at small businesses may be more vulnerable to exploitation. Large corporations tend to have programs in place which indoctrinate their employees about the dangers of phishing and other social engineering attacks, and that training helps to minimize the number of successful phishing attempts.
Small businesses, on the other hand, tend to have the attitude that they are flying under the radar and that they are not suitable targets for cybercriminals. It’s this kind of indifference and unpreparedness which makes many small businesses ideal targets for phishing attempts.
What Exactly is Phishing?
Phishing is a form of social engineering in which emails are used most commonly to obtain personal information from employees, by some individual who is posing as a manager or other person known to the company and is considered to be a trustworthy source. By impersonating a known company employee or manager, or some other company which does business with your own company, some level of trust is established as a basis for extracting information.
The object of a phishing attack is to dupe the email recipient into taking some kind of action as directed by the attacker, for instance providing login information or passwords, and sometimes even sensitive information about the company. Once the desired information is obtained, it is then used by the attacker to carry out some other malicious attack on the company which results in a monetary gain.
A Typical Real-World Phishing Attack
In a typical real-world phishing attack, a cyber-criminal might send an email to a company employee which directs that employee to pay an invoice amount to a company which has recently done business with the original company. It looks completely legitimate because an invoice would be attached, and the invoice would include details of products or services that your company would legitimately deal in.
The email is also signed by a manager or other employee who actually does work for your company, and who might typically be expected to send such emails requesting payment of certain invoices. An unsuspecting employee would, of course, be drawn in by the legitimacy of having a real-world supervisor request this invoice payment, and would then open up the invoice attachment to begin the process of arranging a payment.
In the meantime, the act of opening up the attachment could very well trigger the release of some virus which infects the employee’s computer, and by virtue of that computer’s connection to the network, the virus then is released into a much wider area, where more important information can be obtained. Of course, it would be an added bonus if the employee actually does send out the payment requested to the bogus company listed on the invoice, and that check would then be cashed by the cyber attacker who organized the phishing attempt in the first place.
How to Avoid Phishing Attacks
As you can see from the above, there are some real-world dangers associated with phishing attacks, and the harm they cause can be more far-reaching than an embarrassment to a single employee. The fact that an entire company can be affected if a virus does get installed and becomes enabled, should be all the justification you need for implementing procedures to guard against phishing attacks to whatever extent is possible.
Here are some of the best ways to protect yourself and your company against phishing attacks by cybercriminals:
- don’t use departmental emails – it’s never a good idea to use departmental emails such as Payroll Dept, Human Resources, or Accounting Department. Using these email IDs allows the cyber-attacker to know that the emails are being sent to the right person, which makes it much more likely that the phishing attack will be successful.
- change payment language regularly – when requests for payment are issued between company personnel, the language used should be slightly altered periodically, with important keywords being subtracted out or added in. Department personnel can then be instructed to never carry out any fund transfers unless the expected keyword is contained within an email message. Since successful phishing attacks are all designed to catch an employee off guard, this kind of focus on keywords within the text will derail any phishing attempt.
- use anti-phishing software – there are a number of good anti-phishing tools available which you should consider implementing at your company. The way some of these tools work is that you can send simulated phishing emails to employees all around the company, so as to identify who is most vulnerable to falling prey to phishing attacks. This can let you know the scope of the problem you may have and can alert you to the necessity for conducting widespread training so that your employees are less susceptible to phishing attacks.
The Truth About Phishing
The unpleasant truths about phishing attacks are that they are successful far more often than they should be, and the reason for that is that the human element in any company is usually the weakest element. Businesses need to adapt to these real-world situations, and train employees to spot such phishing attacks, and to alert the appropriate personnel when one is identified. When company employees become aware of the possibility of phishing attacks, they are far less likely to be caught off guard and then become victims of those phishing attacks.
It is estimated that as many as 50% of small businesses have no backup plan at all for security and recovery to protect against cyber-attack or to secure themselves against garden-variety downtime. In a recently conducted survey, 41% of small business owners consulted said that they had not even given much thought to implementing a backup plan or steps for data recovery.
Some owners also cited the high cost of implementing such a program and indicated that it was their decision to defer the process until business became more profitable, or until backup and recovery costs became more affordable.
The question is – can you really afford not to have a backup plan and recovery measures in place when the high cost of downtime might be the consequence of having no plan at all? Of course, many small business owners may simply be hoping that their companies are not the ones which will be impacted by downtime, or by attacks from cybercriminals, so they rely on good luck to see them through.
This strategy will work fine – right up until the time it doesn’t. If your small business is ever confronted with the real-life situation of an extended period of downtime, or having your business-critical data hijacked by a clever cyber-criminal, you’ll understand a little better about the true value of having a formal backup plan and recovery plan in place.
On the other hand, some small businesses with very meager resources may feel that they simply can’t afford to implement such formalized plans. If you’re on the fence about this and wondering whether the cost of backup and recovery plans is justified by a disaster that might happen, you can consider some of the questions below to help clarify your thinking on the matter.
Backup and Recovery Cost Justification Questions
What would be the impact on your company if customers could not access their data every day, and how would employee productivity be affected on a daily basis, if your network was completely shut down?
What kind of backup and recovery plans do you have in effect right now, and how long could your business survive if it were forced to endure an extended period of downtime?
What kind of support could you quickly access from I.T. personnel, and could that support be enlisted quickly enough so as to reduce downtime damage?
What is the confidence level that you can get back online quickly enough that there will be minimal disruption to the company, and to customers who rely on your company?
How often does your most important data get backed up? Do your employees have a lot of company data on their smartphones, iPads, or business laptops? Are your backups stored off-site, and are they protected against damage which might occur to your business location?
Does your company make use of any custom-developed software, and is the original developer of that software still in business, so that it could be recovered in the event of theft or corruption?
Do you have all your licensing agreements, account details, and information about security stored in a central location somewhere, and is there a copy of it off-site?
Do you feel you have adequate protection against viruses and cyber-attacks and do you apply all security patches as soon as they are made available by the appropriate vendors?
Do you have a company policy in place which calls for the changing of passwords any time a new employee comes in, or when a current employee exits?
How frequently do you check your backup and recovery processes, to make sure that they are performing as intended, and that there are no flaws in the process?
Can You Afford Not to Have a Backup Plan?
As a small business owner, it would be well worth your while to arrange a meeting periodically, with managers and other important employees in your company, so as to review the issues raised in the questions above. If these questions are answered accurately and honestly, it should help to clarify in everyone’s minds exactly what the risks and rewards are, relative to establishing and maintaining a good data backup and recovery plan.
Some small business owners simply feel that their business is too small to justify the expense of implementing formal I.T. procedures like data backup and recovery and that this belongs more in the realm of Big Business. However, by considering some of the questions raised in this article, you should be able to figure out whether or not you could actually survive an extended period of downtime or data loss, regardless of the cause.
If it becomes clear that your business would not survive if you are forced off-line for several days or longer, then you should really consider implementing the programs necessary for data backup and recovery. These days, a great many I.T. services are available as an on-demand service, rather than having to pay the cost of I.T. personnel, hardware, and software all by yourself. Even small businesses should be able to find a vendor willing to supply I.T. as a service, to help you protect your important data, and avoid business disaster. With all of the relevant factors assessed and a suitable backup plan in place, you can remain confident in the security of your business-critical data.
The importance of cyber security is now being stressed to the point where pretty much everyone these days is aware that there is an urgent need for it, and that literally, every company connected to the Internet could be subject to an attack. The types of attacks carried out against company networks and databases have been found to fall into several predictable categories, for which some fairly effective defenses have been developed.
This doesn’t mean that companies are now safe from cyber-attack, but it does mean that more companies are availing themselves of the right kinds of security measures because they understand what the consequences might be if they fail to do so. This being the case, many cyber attackers are now turning their attention to a more exploitable link in the security chain for companies around the world, which is the human element.
For some time now, there has been an increasing tendency for company employees to become the focal point of criminal attacks, because they are not usually equipped with the same kind of defenses that hardware and software can be. Humans can be tricked into making security mistakes, which can then be exploited by the criminal-minded for their own monetary gain.
Since humans do constitute another link in the corporate chain of security defenses, that is definitely an area which every company needs to consider, in order to protect itself against the threat of cyber-attack. The actions taken should include a combination of systematic education and campaigns to raise awareness, as well as encouraging employees to behave in a more secure manner.
Here are some of the ways that companies can help to make their employees less of a security risk, and instead become one of the strong links in the defense against cyber-attack.
It will be worth the time and effort it takes to canvass the entire company so that potential entry points for malicious software can be identified and remediated. One of the most obvious entry points, of course, is email coming into the company, and this calls for thorough training of employees so that they can spot potential risks such as emails which ask them to click on an attachment.
There are also malicious emails sent to employees where the sender impersonates a company official and asks for a payment to be sent to a vendor at the address on an attached invoice. Other impersonation attempts could come from companies with which the email recipient supposedly does business, asking for payment on a recent purchase.
Whatever the weak points might be around the company for potential exploitation, these need to be identified in a campaign which seeks them out, and these should then be used as examples to employees of what to avoid.
Raising Employee Awareness of Security
Another track that your security assessment campaign should take is to evaluate the culture of your business, in terms of how effective training is, how often it’s conducted, and how it can be tailored to your company environment. When that understanding has been achieved, a suitable training program should be implemented, so that your employees are constantly thinking about cybersecurity.
The educational components should include all those possibilities which constitute cyber-attack risks, and what actions employees should take when suspicious activity is identified. Most importantly, employee training should not be a one-time operation, but should instead be something which is updated every six months to a year, and at that time, new training sessions should be initiated, so that updated material can be conveyed to employees.
There are always new and more malicious methods being devised by the criminal-minded, so that means training of employees has to be adapted periodically as well, to include all those new threats.
All usage of the company network should be periodically analyzed and evaluated to determine whether or not any malicious activity has been occurring. Transaction logs and the output of other monitoring software should be assessed for anything that looks like a preliminary attempt at a data breach.
Things to look for in particular might be employees who are attempting to access the company network after hours, extremely large downloads of data files, and possibly individual employees spending unusual amounts of time accessing sensitive company data. Any such digital trails which strike the evaluator as being out of character for normal company business should immediately trigger a red flag, and possibly an action by a response team.
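The daily log review recommended under "Check Your Transaction Logs Regularly" and the three patterns listed just above can be turned into a repeatable check. The following is an added example, not code from the original post: it reads an access log in a constructed one-event-per-line format and flags after-hours access, very large downloads, and any user touching sensitive data far more often than usual in a day. Business hours, the sensitive path prefixes and the thresholds are assumptions chosen for illustration.

```python
"""Added example (not from the original post): a review pass over an application
access log that flags the patterns the text describes: after-hours network access,
very large downloads, and one user accessing sensitive data unusually often.

Assumptions (mine): one event per line in the constructed format below, local
timestamps, business hours 08:00 to 18:00 on weekdays, sensitive data under
/finance and /hr. Thresholds are illustrative and should be tuned per company.
"""
import re
from collections import Counter
from datetime import datetime
from typing import Optional

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"resource=(?P<resource>\S+) bytes=(?P<bytes>\d+)$"
)
BUSINESS_HOURS = (8, 18)               # inclusive start hour, exclusive end hour
LARGE_DOWNLOAD_BYTES = 500 * 1024 * 1024
SENSITIVE_PREFIXES = ("/finance/", "/hr/")
SENSITIVE_ACCESS_LIMIT = 10            # per user per day

# Constructed sample log: a normal Monday with a few events worth a second look.
SAMPLE_LOG = """\
2024-03-04T09:12:01 user=alice action=read resource=/finance/ledger.csv bytes=20480
2024-03-04T10:30:45 user=bob action=read resource=/sales/q1.xlsx bytes=40960
2024-03-04T02:15:10 user=bob action=download resource=/finance/payroll.csv bytes=734003200
2024-03-04T13:05:00 user=carol action=read resource=/hr/reviews.docx bytes=10240
""" + "".join(
    f"2024-03-04T14:{m:02d}:00 user=carol action=read resource=/hr/emp{m}.pdf bytes=4096\n"
    for m in range(12)
)


def parse(line: str) -> Optional[dict]:
    """Parse one log line; malformed lines are skipped rather than guessed at."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["bytes"] = int(ev["bytes"])
    return ev


def after_hours(ts: datetime) -> bool:
    """True on weekends or outside the assumed business hours."""
    return ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])


def review(log_text: str) -> list:
    """Return (rule, user, detail) tuples for every event that deserves a human look."""
    events = [ev for ev in map(parse, log_text.splitlines()) if ev]
    alerts = []
    sensitive_per_user_day = Counter()
    for ev in events:
        if after_hours(ev["ts"]):
            alerts.append(("after_hours", ev["user"], ev["ts"].isoformat()))
        if ev["bytes"] >= LARGE_DOWNLOAD_BYTES:
            alerts.append(("large_download", ev["user"], ev["resource"]))
        if ev["resource"].startswith(SENSITIVE_PREFIXES):
            sensitive_per_user_day[(ev["user"], ev["ts"].date())] += 1
    for (user, day), n in sensitive_per_user_day.items():
        if n > SENSITIVE_ACCESS_LIMIT:
            alerts.append(("sensitive_volume", user, f"{n} sensitive accesses on {day}"))
    return alerts


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(*alert)  # bob after hours, bob large download, carol sensitive volume
```

Each alert is a prompt for a person to look, not a verdict; the value of the routine is that the same questions get asked of the log every day rather than only after a breach.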
Top Management Support
It’s essential for any cybersecurity program in a company to have the full support of upper management, which means it should be more than lip service and should be a legitimate effort, which is appropriately funded and supported. When employees recognize that top management is in earnest about cybersecurity issues, they will be much more likely to adopt the necessary measures themselves.
There should also be a dedicated cyber security manager or officer within a company because this is the type of program which requires full-time implementation and monitoring. If there are multiple individuals involved in the cybersecurity program, there should be a clear hierarchy, with well-defined roles for each person in the group.