Posts tagged data security
If you’ve been thinking that phishing attacks only happen to someone else and that the employees of your company are relatively immune from such attacks, you might want to reconsider, because phishing attacks can and do happen in the real world to companies of all sizes, and in all industries.
In fact, criminals who carry out these phishing attacks have begun focusing more on small to medium-size businesses recently, simply because there are so many more of them, and because employees at small businesses may be more vulnerable to exploitation. Large corporations tend to have programs in place which indoctrinate their employees about the dangers of phishing and other social engineering attacks, and that training helps to minimize the number of successful phishing attempts.
Small businesses, on the other hand, tend to have the attitude that they are flying under the radar and that they are not suitable targets for cybercriminals. It’s this kind of indifference and unpreparedness which makes many small businesses ideal targets for phishing attempts.
What Exactly is Phishing?
Phishing is a form of social engineering in which emails are used most commonly to obtain personal information from employees, by some individual who is posing as a manager or other person known to the company and is considered to be a trustworthy source. By impersonating a known company employee or manager, or some other company which does business with your own company, some level of trust is established as a basis for extracting information.
The object of a phishing attack is to dupe the email recipient into taking some kind of action as directed by the attacker, for instance providing login information or passwords, and sometimes even sensitive information about the company. Once the desired information is obtained, it is then used by the attacker to carry out some other malicious attack on the company which results in a monetary gain.
A Typical Real-World Phishing Attack
In a typical real-world phishing attack, a cyber-criminal might send an email to a company employee which directs that employee to pay an invoice amount to a company which has recently done business with the original company. It looks completely legitimate because an invoice would be attached, and the invoice would include details of products or services that your company would legitimately deal in.
The email is also signed by a manager or other employee who actually does work for your company, and who might typically be expected to send such emails requesting payment of certain invoices. An unsuspecting employee would, of course, be drawn in by the legitimacy of having a real-world supervisor request this invoice payment, and would then open up the invoice attachment to begin the process of arranging a payment.
In the meantime, the act of opening up the attachment could very well trigger the release of some virus which infects the employee’s computer, and by virtue of that computer’s connection to the network, the virus then is released into a much wider area, where more important information can be obtained. Of course, it would be an added bonus if the employee actually does send out the payment requested to the bogus company listed on the invoice, and that check would then be cashed by the cyber attacker who organized the phishing attempt in the first place.
How to Avoid Phishing Attacks
As you can see from the above, there are some real-world dangers associated with phishing attacks, and the harm they cause can be more far-reaching than an embarrassment to a single employee. The fact that an entire company can be affected if a virus does get installed and becomes enabled, should be all the justification you need for implementing procedures to guard against phishing attacks to whatever extent is possible.
Here are some of the best ways to protect yourself and your company against phishing attacks by cybercriminals:
- don’t use departmental emails – it’s never a good idea to use departmental emails such as Payroll Dept, Human Resources, or Accounting Department. Using these email ID’s allows the cyber-attacker or to know that the emails are being sent to the right person and that it’s much more likely the phishing attack will be successful.
- change payment language regularly – when requests for payment are issued between company personnel, the language used should be slightly altered periodically, with important keywords being subtracted out or added in. Department personnel can then be instructed to never carry out any fund transfers unless the expected keyword is contained within an email message. Since successful phishing attacks are all designed to catch an employee off guard, this kind of focus on keywords within the text will derail any phishing attempt.
- use anti-phishing software – there are a number of good anti-phishing tools available which you should consider implementing at your company. The way some of these tools work is that you can send fake phishing attempts to employees all around the company, so as to identify who is most vulnerable to falling prey to phishing attacks. This can let you know the scope of the problem you may have and can alert you to the necessity for conducting widespread training so that your employees are less susceptible to phishing attacks.
The Truth About Phishing
The unpleasant truths about phishing attacks are that they are successful far more often than they should be, and the reason for that is that the human element in any company is usually the weakest element. Businesses need to adapt to these real-world situations, and train employees to spot such phishing attacks, and to alert the appropriate personnel when one is identified. When company employees become aware of the possibility of phishing attacks, they are far less likely to be caught off guard and then become victims of those phishing attacks.
It is estimated that as many as 50% of small businesses have no backup plan at all for security and recovery to protect against cyber-attack or to secure themselves against garden-variety downtime. In a recently conducted survey, 41% of small business owners consulted said that they had not even given much thought to implementing a backup plan or steps for data recovery.
Some owners also cited the high cost of implementing such a program and indicated that it was their decision to defer the process until business became more profitable, or until backup and recovery costs became more affordable.
The question is – can you really afford not to have a backup plan and recovery measures in place when the high cost of downtime might be the consequences of having no plan at all? Of course, many small business owners may simply be hoping that their companies are not the ones which will be impacted by downtime, or by attacks from cybercriminals, so they rely on good luck to see them through.
This strategy will work fine – right up until the time it doesn’t. If your small business is ever confronted with the real-life situation of an extended period of downtime, or having your business-critical data hijacked by a clever cyber-criminal, you’ll understand a little better about the true value of having a formal backup plan and recovery plan in place.
On the other hand, some small businesses with very meager resources may feel that they simply can’t afford to implement such formalized plans. If you’re on the fence about this and wondering whether the cost of backup and recovery plans is justified by a disaster that might happen, you can consider some of the questions below to help clarify your thinking on the matter.
Backup and Recovery Cost Justification Questions
What would be the impact on your company if customers could not access their data every day, and how would employee productivity be affected on a daily basis, if your network was completely shut down?
What kind of backup and recovery plans do you have in effect right now, and how long could your business survive if it were forced to endure an extended period of downtime?
What kind of support could you quickly access from I.T. personnel, and could that support be enlisted quickly enough so as to reduce downtime damage?
What is the confidence level that you can get back online quickly enough that there will be minimal disruption to the company, and to customers who rely on your company?
How often does your most important data get backed up? Do your employees have a lot of company data on their smartphones, iPads, or business laptops? Are your backups stored off-site, and are they protected against damage which might occur to your business location?
Does your company make use of any custom-developed software, and is the original developer of that software still in business, so that it could be recovered in the event of theft or corruption?
Do you have all your licensing agreements, account details, and information about security stored in a central location somewhere, and is there a copy of it off-site?
Do you feel you have adequate protection against viruses and cyber-attacks and do you apply all security patches as soon as they are made available by the appropriate vendors?
Do you have a company policy in place which calls for the changing of passwords any time a new employee comes in, or when a current employee exits?
How frequently do you check your backup and recovery processes, to make sure that they are performing as intended, and that there are no flaws in the process?
Can You Afford to not Have a Backup Plan?
As a small business owner, it would be well worth your while to arrange a meeting periodically, with managers and other important employees in your company, so as to review the issues raised in the questions above. If these questions are answered accurately and honestly, it should help to clarify in everyone’s minds exactly what the risks and rewards are, relative to establishing and maintaining a good data backup and recovery plan.
Some small business owners simply feel that their business is too small to justify the expense of implementing formal I.T. procedures like data backup and recovery and that this belongs more in the realm of Big Business. However, by considering some of the questions raised in this article, you should be able to figure out whether or not you could actually survive an extended period of downtime or data loss, regardless of the cause.
If it becomes clear that your business would not survive if you are forced off-line for several days or longer, then you should really consider implementing the programs necessary for data backup and recovery. These days, a great many I.T. services are available as an on-demand service, rather than having to pay the cost of I.T. personnel, hardware, and software all by yourself. Even small businesses should be able to find a vendor willing to supply I.T. as a service, to help you protect your important data, and avoid business disaster. With all of the relevant factors assessed and a suitable backup plan in place, you can remain confident in the security of your business-critical data.
The importance of cyber security is now being stressed to the point where pretty much everyone these days is aware that there is an urgent need for it, and that literally, every company connected to the Internet could be subject to an attack. The types of attacks carried out against company networks and databases have been found to fall into several predictable categories, for which some fairly effective defenses have been developed.
This doesn’t mean that companies are now safe from cyber-attack, but it does mean that more companies are availing themselves of the right kinds of security measures because they understand what the consequences might be if they fail to do so. This being the case, many cyber attackers are now turning their attention to a more exploitable link in the security chain for companies around the world, which is the human element.
For some time now, there has been an increasing development for company employees to become the focal point of criminal attacks, because they are not usually equipped with the same kind of defenses that hardware and software can be. Humans can be tricked into making security mistakes, which can then be exploited by the criminal-minded for their own monetary gain.
Since humans do constitute another link in the corporate chain of security defenses, that is definitely an area which every company needs to consider, in order to protect itself against the threat of cyber-attack. The actions taken should include a combination of systematic education and campaigns to raise awareness, as well as encouraging employees to behave in a more secure manner.
Here are some of the ways that companies can help to make their employees less of a security risk, and instead become one of the strong links in the defense against cyber-attack.
It will be worth the time and effort it takes to canvass the entire company so that potential entry points for malicious software can be identified and remediated. One of the most obvious entry points, of course, are emails coming into the company, and this calls for thorough training of employees, so as to spot potential risks such as those emails which ask you to click on the attachment.
There are also malicious emails sent to employees where the sender impersonates a company official and asks for some payment to be sent to a vendor at the address on an attached invoice. Other impersonation attempts could be from companies which the email recipient supposedly does business, asking for payment on a recent purchase.
Whatever the weak points might be around the company for potential exploitation, these need to be identified in a campaign which seeks them out, and these should then be used as examples to employees of what to avoid.
Raising Employee Awareness of Security
Another track that your security assessment campaign should take is to evaluate the culture of your business, in terms of how effective training is, how often it’s conducted, and how it can be tailored to your company environment. When that understanding has been achieved, a suitable training program should be implemented, so that your employees are constantly thinking about cybersecurity.
The educational components should include all those possibilities which constitute cyber-attack risks, and what actions employees should take when suspicious activity is identified. Most importantly, employee training should not be a one-time operation, but should instead be something which is updated every six months to a year, and at that time, new training sessions should be initiated, so that updated material can be conveyed to employees.
There are always new and more malicious methods being devised by the criminal-minded, so that means training of employees has to be adapted periodically as well, to include all those new threats.
All usage of the company network should be periodically analyzed and evaluated to determine whether or not there has been any malicious activity occurring. Transaction logs and other sensing software should be assessed for anything that looks like a preliminary attempt at a data breach.
Things to look for in particular might be employees who are attempting to access the company network after hours, extremely large downloads of data files, and possibly individual employees spending unusual amounts of time accessing sensitive company data. Any such digital trails which strike the evaluator as being out of character for normal company business should immediately trigger a red flag, and possibly an action by a response team.
Top Management Support
It’s essential for any cybersecurity program in a company to have the full support of upper management, which means it should be more than lip service and should be a legitimate effort, which is appropriately funded and supported. When employees recognize that top management is in earnest about cybersecurity issues, they will be much more likely to adopt the necessary measures themselves.
There should also be a dedicated cyber security manager or officer within a company because this is the type of program which requires full-time implementation and monitoring. If there are multiple individuals involved in the cybersecurity program, there should be a clear hierarchy, with well-defined roles for each person in the group.
It seems that more and more these days, there are major headlines announcing the fact that another giant corporation or huge agency has suffered a breach resulting in data loss, and that thousands, if not millions of clients have been affected. This in itself can be pretty frightening for everyone who is a subscriber or a client of one of these companies, because it means that your personal data can be in the hands of a criminal seeking to use it for personal gain.
For executives of these giant corporations and agencies, it can be a nightmare as well, because it’s a huge blow to the credibility of the company, conveying the notion that inadequate security measures were being used, and that customer data was not afforded proper importance. When companies suffer a loss of credibility and reputation, that usually translates to a loss of business as well, as clients abandon the company for theoretically safer places.
Then too, there can be a much more bottom-line effect which results from a data breach, and that can be expressed in dollars. In some cases, a cyber-attacker will hold the data hostage from a corporation, and he/she will demand some ransom amount for the safe return of the data. If that business-critical data has not been properly backed up on a regular basis, the company might have no recourse whatsoever, other than to pay the demanded ransom figure, so that data can be recovered.
Small Business Attacks
All this is pretty disconcerting in and of itself, with weekly or monthly attacks garnering national attention. However, the attacks which don’t make headline news are much more common, albeit perhaps not quite so spectacular, in terms of dollar amounts and in terms of numbers of customers affected. Many cyber attackers have eschewed attacks on corporate entities because they tend to be well protected, and instead have turned their attention to the endless number of small businesses operating in the country, simply because there are so many inviting targets.
While the profits to be earned from attacking small businesses aren’t quite so impressive, the sheer number of possible targets makes up for it, in terms of volume. It has been estimated that a small to medium-sized business which has suffered data loss to a cyber-attacker will typically lose about 25% of its daily revenue, one week after a loss. One month after a data loss, the estimated daily revenue losses will have climbed to around 40%, which is more than enough to cripple most small to medium-sized businesses.
Data maintained by the National Archives and Records Administration (NARA) reveals that when small to medium-sized businesses suffer a significant data loss, which triggers a period of downtime lasting at least 10 days, more than 93% have had to file bankruptcy within a year of the incident. Even more startling, more than 50% of those companies didn’t even waste a year’s time, and they had to file bankruptcy immediately after the data loss.
Records kept by the same NARA agency in Washington, D.C. show that small to medium-size businesses with no data recovery plans, go out of business at a rate of 43% following any significant data loss. All these facts and figures should point up the critical need for data backups and data recovery plans. Those companies which think they will never be the ones impacted by cyber-attack, and which don’t take the necessary steps to prevent disaster resulting from such attacks, are the companies which very often are forced to file for bankruptcy.
There is simply no substitute for being proactive about your data protection processes, and for having a formalized plan for backup and recovery. More than this, these processes should be periodically tested to ensure that they are still valid and that they are providing maximum effectiveness against data loss. Failure to implement such safety procedures can make it much more likely that a small to medium-size business will end up as one of those statistics regarding the fate of companies experiencing significant data loss.
How to go About Protecting Against Data Loss
Data backups should occur either daily or weekly, depending on cost-effectiveness and on the volume of transactions your business accumulates in a single day. If you have a high volume of transactions every day, chances are you’ll need to have daily backups, because if your backups are no more current than last week, you will have lost a tremendous number of transactions, if you have to restore from a week ago.
Make sure that your data backups are actually saving the data that you need, and also make sure that the restore process functions as it should, in the event that you have to carry through on it, to retrieve business-critical data.
Regarding the data to be backed up, you should have a prioritized approach, which assigns the most resources to the most important data. Your business-critical data is comprised of all the customer data that you store for clients, all personal data, and all data necessary for daily operations. Company managers can determine this priority scheme with I.T. personnel so that if you do have limited resources for data backup and recovery, you can always be sure that the most important data is saved, and can be restored whenever necessary. With this approach in mind, you will ensure that any possible data loss will not be irrevocable.
An Endpoint Protection Platform (EPP) is an enterprise solution typically comprised of capabilities such as port and device control, a local firewall, and anti-malware software. One of the things which most strongly characterizes an EPP is its ability to provide anti-malware scanning, based on detection methods which rely on known signatures, in other words antivirus software.
Advanced Endpoint Protection Platforms
Some EPP platforms go a bit further than this, providing detailed monitoring of endpoint file activity, as well as the detection of suspicious or malicious behavior from such files, which may be completely missed by other layers of security. Going one step further, when this kind of suspicious activity is detected, some EPPs even provide the means of managing it.
This can be an extremely important part of any security system. The truth is that it’s impossible to be 100% protected from malware attacks, and some will break past your firewall and your antivirus software. When they do, having such monitoring of file activity on your endpoints can provide just the kind of alert that you need to spot an attack, before malware has a chance to do any serious damage.
What is Endpoint Detection & Response?
By contrast, Endpoint Detection & Response is a security system comprised of at least four major capabilities:
- the detection of security incidents
- the localization of any incidents right there at the endpoint of detection
- the ability to conduct a full investigation of any potential security incidents
- and the restoration of endpoints to their original status prior to infection.
From this it can be seen that the difference between EPP and EDR is that EPP tends to be more of a front-line defense and EDR tends to be more of a second or third line of defense. While the hope is that any Endpoint Protection Platform will detect almost all malware attacks, the EDR security provides many more tools for managing attacks which have been identified, and have already been carried out to at least some extent.
Hybrid EPP and EDR Systems
It was inevitable that security vendors would develop a package that includes elements of both an EPP and an EDR system to provide the ultimate security system. The market for such products is definitely there, because there are many small businesses and large corporations which have woken up to the dangers of ignoring security, and have now swung their security pendulums entirely to the opposite side.
You can never have too much security in place at an organization, and anything which provides a full toolkit of options is a good idea when it comes to security. For that reason, some companies now provide hybrid systems which include features of both an EPP and an EDR, so that threats can not only be identified, they can also be dealt with right on the spot.
Here are some of the features you might find in a hybrid security platform:
- threat identification using signature-based methods
- ‘sandboxing’ capabilities that perform on-the-spot analysis of files against hundreds of known behavioral indicators, to detect suspicious activity
- malware detection and blocking, using techniques such as signature matching and fuzzy fingerprinting at the endpoint prevent network breaches
- when potentially harmful files slip past the front line of defense, the secondary features can be invoked. That means a continuous analysis of files that enter the network, regardless of what their status is. If later analysis should indicate suspicious behavior, an alert can be sent to the security team, along with the recorded history of file activity thus far. Your team will have a full understanding of where such files came from and what it’s been doing once it entered your network. You’ll then also have the capability of controlling it and deciding what to do with it.
Which is Best for Your Enterprise?
Deciding which approach your company should take to protecting its valuable data assets and network infrastructure will depend on a few things – but one of them should NOT be that you’ve been immune from attacks in the past. That’s the kind of mindset which can easily make your company next on the list for a harmful cyberattack.
Instead, you’ll probably have to take cost into consideration, especially if your security budget is somewhat limited. Then too, you should consider the offerings available from a short list of vendors which you’ve prepared, or which you have been advised about by a security consultant.
Don’t forget to take into account what you already have in place, so that you won’t have to gut the system and completely replace it. Whatever you end up with, make sure to use all the information provided to you, keep it as current as possible, and back up your data files.
A study recently conducted by RiskVision, a respected developer of Risk Management software, determined that more businesses today are concerned about company reputation than they are about potential breaches of security which might impact them. It has long been known that companies consider a brand name to be one of their most significant assets, even though it’s an intangible that has value to no one outside the company itself.
In this survey, damage to a brand name was considered to be potentially more damaging than security breaches, even though the two often go hand-in-hand today. Hackers who successfully penetrate into a company’s computing network often do inflict serious damage to the reputation of the business, and subsequently its brand name. It should, therefore, be kept in mind by all business owners that security breaches need to be taken seriously, to prevent damage to the company brand-name, as well as all the usual financial ramifications.
How a Security Breach Can Damage Your Brand Name
Typically, the first thing a customer considers when thinking about brand names, about products or services, is whether or not the product or service provides quality and value, and whether the cost is in line with the levels of quality and value delivered. However, any company which has suffered a known security breach often falls into an entirely different frame of evaluation.
Consumers will often think that any business which has allowed itself to be hacked by criminals is not worthy of their trust and patronage. After all, if their business practices were lax enough to permit the cyberattack in the first place, that may be a sign that other important aspects of the business are also conducted with inadequate attention to detail. This fact is borne out powerfully in a poll jointly conducted by CSO and OnePoll, which attempted to determine the connection between insufficient security and a company’s brand name, as perceived by consumers.
In the survey, a whopping 86% of customers declared that they were unlikely to patronize a company which had suffered a severe security breach, especially if the breach was related to customer information. This represents a definite shift in consumer thinking from the early days of cyber attacks when businesses were perceived as victims entitled to understanding and sympathy from the public. In the now-famous cyberattack against department store giant Target, sales for the entire quarter after their security breach dropped like a rock, falling almost 50% from the prior quarter.
Impact of Security Breaches on Small Businesses
Major security breaches perpetrated against small companies can have an enormous effect and can cause irreparable brand-name damage from which recovery is either very difficult or downright impossible. In 2016, a study was conducted by KPMG which determined that almost 90% of small businesses had suffered serious brand name damage in the immediate aftermath of a security breach.
In a white paper published by the National Cyber Security Alliance, figures were released which showed that as many as 60% of all small businesses completely collapse less than six months following a significant cybersecurity breach. Interestingly, both of the studies referenced above reported that less than one-quarter of all small businesses considered cybersecurity to be a top priority. The fact that there has historically been relatively little concern about cybersecurity breaches may account for the often devastating impact that attacks have had on those business entities.
Taking Steps to Secure Your Business
A cyber security plan doesn’t need to be especially elaborate, and it doesn’t need to be funded to the hilt, with every conceivable kind of virus detection software. There just needs to be a well thought out plan for cybersecurity, and a legitimate effort to enforce that strategy. There are some straightforward but very cost-effective measures which can be adopted to thwart the vast majority of cyber attacks.
Using strong passwords on all company computers is a good start, followed up by installing security software on company devices. It’s always best to keep hardware and software updated with the latest available security patches and to periodically back up business-critical data. The weakest point of any company’s network should not be overlooked, which means employees need to be educated about the risks of cyber attack.
The important thing to remember about any cybersecurity policy is just to implement as many of the simple steps listed above as possible and to do it immediately so that your system is not left vulnerable to penetration by cyber attackers. As some of the survey results mentioned above make clear, every kind of business from the corporate giant on down to the mom-and-pop retail outlet must take all steps possible to avoid the possibility of major security breaches. Failing to do this can cost you a lot more than money – it can cause irreparable harm to your company’s reputation.
Remotely Erase Data: Deletion with SecureDrives
Remotely erase data: This hard drive will self-destruct in the amount of time it takes to send a text message.
In a world where privacy and security are at the forefront of people’s minds, that’s pretty much what everyone wants to hear. It’s no longer just a thing of spy movies. Thanks to SecureDrives, a tech company based in London, any business or individual can have an external hard drive with a kill switch. They look like a normal portable drive, but all it takes is one text to make the device unusable and unrecoverable.
At a mere two and a half inches, the drive is tiny and easy to transport. You get 128 GB of solid state drive that you can connect via USB. If you prefer an internal hard drive with a self-destruct, it has a SATA II connection as well. It’s the perfect hard drive when you have to store sensitive data.
While a text is by far the coolest way to crash the drive, it’s not the only option you get. You can program the device to self-destruct in a number of ways: if the battery level gets too low (not sure how I feel about that one); if pin code entries are mistyped repeatedly; when the drive is removed from the PC (just don’t forget you have that setting on if you have to move the drive); or if it loses the GSM signal for longer than the amount of time that you set.
So, what does it do? Erase the data, but leave it available for recovery programs? Of course not! It actually destroys the NAND chip as well as the security controller. According to the company, there’s no way to recover the deleted data after this happens.
Super spy tech isn’t cheap, and the ability to remotely erase data goes for over a thousand pounds (which works out to about $1,650 USD). You get the first year of GSM for free. It’s $47/year after that.