Cyber threats change continuously, which leaves many people unsure what cybersecurity actually is and what they need to know about it.
In its most basic form, cybersecurity is the practice of proactively protecting your IT infrastructure from cyberattacks.
These attacks aim to access, change or destroy data or infrastructure; from there the attackers may go on to extort money or disrupt normal business processes.
Implementing effective proactive cybersecurity is challenging because an organization now has more devices than people. The bigger challenge is that cyber criminals keep innovating.
What is cybersecurity and what do you need to know? We break it down into the sections below.
Part 1 – Cybersecurity: Passwords and phishing
Many well-managed organizations have state-of-the-art remote monitoring and management (RMM) systems and centrally controlled anti-virus and anti-malware programs.
That is a good sign that your organization is being proactive, but it does not mean you are safe from a breach, or that an employee is not putting the organization at risk.
Employees remain the weakest link in almost any IT security plan. According to Verizon's 2018 Data Breach Investigations Report, phishing and pretexting featured in over 93 percent of the breaches that involved social engineering.
Passwords have also become even easier for attackers to obtain: in early 2019 a collection of roughly 2.2 billion leaked credential records was found being passed around on hacker forums (see WIRED, "Hackers Are Passing Around a Megaleak of 2.2 Billion Records").
Company-wide security training can prevent many phishing attacks and password compromises. That is why employee education is essential, including making employees comfortable reporting problems without fear of personal consequences.
Part 2 – Cybersecurity: Choosing a password
In its simplest form, a password is a word or string of characters used for user authentication: it proves identity or access approval to a resource and must be kept secret.
Most people know the traditional definition of a strong password: a mix of uppercase letters, lowercase letters, numbers and symbols. The long-standing practice of changing passwords every 90 days traces back to U.S. National Institute of Standards and Technology (NIST) guidance first drafted in 2003.
Here is the wild card. Employees work around these rules: they swap letters for look-alike symbols, such as "$" for "S", and when forced to rotate every three months they simply add a sequential number to the end. Attackers know both tricks. Password-cracking tools try the common substitutions automatically, and once "Summer01" has leaked, "Summer02" is the obvious next guess.
NIST has since revised its guidelines (SP 800-63B). Instead of mandatory mixes of numbers and symbols and forced rotation, it recommends screening new passwords against lists of known-breached passwords, allowing passwords of at least 64 characters, and favouring length over complexity. To many that sounds harder, but it is actually easier: a pass phrase with spaces between the words is both long and memorable. Choose words that do not normally belong together, like "big cat small house".
Another important consideration is multi-factor authentication (MFA). Organizations should have employees choose a good password, then add MFA and single sign-on (SSO). That makes their lives easier while making the business more secure.
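What the revised guidance looks like on the verifier side, as an added example (not code from the original article): a check that enforces length rather than a character mix, never forces rotation, and screens the candidate against known-bad passwords after undoing the "$ for S, add a number" tricks that attackers already try. The blocklist, the substitution table and the function names are constructed for this illustration; a real deployment would load a breached-password corpus instead of the small set shown.

```python
# Added example, not code from the original article. The blocklist and the
# substitution table are constructed for illustration only.
import re
from typing import Optional, Tuple

MIN_LENGTH = 8      # SP 800-63B minimum for memorized secrets
MAX_LENGTH = 128    # SP 800-63B says allow at least 64; never cap lower than that

# Constructed sample of known-bad passwords (a real list has many millions).
BLOCKLIST = {
    "password", "welcome", "letmein", "qwerty", "summer", "winter",
    "admin", "12345678", "123456789",
}

# Symbols and digits people substitute for letters to satisfy composition
# rules. Assumed mapping; extend it with the rule sets your cracking tools use.
SUBSTITUTIONS = str.maketrans({
    "@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
    "1": "i", "!": "i", "3": "e", "7": "t",
})


def normalise(candidate: str) -> str:
    """Reduce a password to the dictionary word an attacker would guess from it.

    'P@$$w0rd2019!' -> 'password', 'Summer02' -> 'summer'.
    Trailing counters and punctuation are stripped before the substitutions
    are undone so that the digits in '2019' are not read as letters.
    """
    s = candidate.lower()
    s = re.sub(r"[^a-z]+$", "", s)   # drop trailing '01', '2019', '!!', ...
    s = re.sub(r"^[^a-z]+", "", s)   # and any leading punctuation
    return s.translate(SUBSTITUTIONS)


def blocked_reason(candidate: str) -> Optional[str]:
    """Return the blocklist entry the candidate collapses to, or None."""
    for form in (candidate.lower(), normalise(candidate)):
        if form in BLOCKLIST:
            return form
    return None


def check_password(candidate: str) -> Tuple[bool, str]:
    """Accept or reject a new password. No composition rules, no expiry."""
    if len(candidate) < MIN_LENGTH:
        return False, f"must be at least {MIN_LENGTH} characters"
    if len(candidate) > MAX_LENGTH:
        return False, f"must be at most {MAX_LENGTH} characters"
    hit = blocked_reason(candidate)
    if hit is not None:
        return False, f"too close to the well-known password '{hit}'"
    # A multi-word pass phrase with spaces and no symbols passes on length alone.
    return True, "accepted"


if __name__ == "__main__":
    for pw in ("P@$$w0rd2019!", "Summer02", "big cat small house"):
        print(f"{pw!r:24} -> {check_password(pw)}")
```

Note that "P@$$w0rd2019!" satisfies every classic composition rule and still gets rejected, while the plain pass phrase is accepted. The normalisation is deliberately aggressive; a false positive costs the user one more attempt, a false negative costs you an account.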
Part 3 – Microsoft No Password
Microsoft is actively on a quest to kill off passwords for good. Windows Hello, the biometric sign-in component of Windows 10, recently gained official FIDO2 certification.
The good news is that Microsoft account sign-in now works with Windows Hello from the Edge, Chrome and Firefox browsers, giving passwordless access to Outlook.com, Office 365, Skype, OneDrive, Cortana, Xbox Live, Microsoft Store, Bing and MSN, to mention a few.
Part 4 – Spot a phishing attack
If you run a company-wide phishing test, the results will surprise you. Employees are busy, sometimes careless, and may click by accident.
It seems harmless to them because they believe that if they do click a bad link, the organization's anti-virus and anti-malware software will save them. It may help, and it does reduce exposure, but nothing is 100 percent: cyber criminals constantly change their attack methods, and a credential-harvesting page contains no malware for a scanner to catch.
A phishing test also provides an opportunity to educate employees about the real security problems the company faces.
Ask yourself the following about your organization's cyber security policies and procedures:
- Do your employees know not to click links or open attachments from unknown senders?
- Do they know that a message appearing to come from a colleague or a known contact can still be forged, or sent from a compromised account?
- Do they know to hover over a link to see whether the real address differs from the hyperlink text?
Check out our Quick Security Awareness User Training as a great free resource for employees.
Part 5 – How to Spot a spear phishing or social engineering attack
Spear phishing is a targeted attack in which the attacker, posing as someone the recipient trusts, asks for data or for money to be wired.
Mass phishing usually carries malware or a link to a credential-harvesting page; spear phishing (often called business email compromise) typically contains no malware at all and relies entirely on tricking the employee into acting on the request in the email.
There are several ways to pull this off. Some attackers compromise the mailbox of the person they impersonate; others rely on "spoofing". They may register a look-alike domain that is one letter or digit off the real one. Others forge the "From" field so the displayed address is identical to the real one while setting a different Reply-To address, so that clicking "Reply" sends the answer to the attacker instead.
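The hover-over-the-link check from Part 4 and the look-alike-domain and Reply-To tricks described just above can all be checked mechanically. The following is an added example (not code from the original article): it parses a raw email, reports a Reply-To domain that differs from the From domain, flags a sender domain one character away from a known partner's domain, and lists links whose visible text names a different host than the real destination. The sample message, the partner domain and all function names are constructed for this example.

```python
# Added example, not code from the original article. The message, the partner
# domain list and the helper names below are constructed for illustration.
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlparse

# Constructed sample: the genuine supplier is acme-parts.example; the attacker
# registered acme-part.example (one letter off), wants replies on a third
# domain, and the link text shows the real portal while the href does not.
SAMPLE_MESSAGE = """\
From: "Accounts, Acme Parts" <billing@acme-part.example>
Reply-To: billing@acme-part-pay.example
To: ap@victim.example
Subject: Invoice 4471 overdue
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please settle invoice 4471 today at
<a href="http://203.0.113.45/pay">https://portal.acme-parts.example/invoices</a>
or <a href="https://acme-part.example/help">contact support</a>.</p>
</body></html>
"""

TRUSTED_DOMAINS = {"acme-parts.example"}   # constructed partner list


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 1 means one character inserted, dropped or swapped."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    """'"Bob" <bob@x.example>' -> 'x.example' (empty string if no address)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def host_of(url: str) -> str:
    """Hostname of a URL, or of a bare domain as it appears in link text."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.pairs: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.pairs.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html: str) -> List[Tuple[str, str]]:
    """Links whose visible text names a host other than the one in href."""
    parser = _Anchors()
    parser.feed(html)
    found = []
    for href, text in parser.pairs:
        shown = host_of(text)
        if "." in shown and shown != host_of(href):   # plain words like 'contact support' are skipped
            found.append((shown, host_of(href)))
    return found


def lookalike_of(domain: str, trusted: Set[str]) -> Optional[str]:
    """The trusted domain this one imitates, if it is within one edit of it."""
    for real in trusted:
        if domain != real and edit_distance(domain, real) <= 1:
            return real
    return None


def analyse_message(raw: str, trusted: Set[str]) -> Dict[str, object]:
    """Run the three checks over one raw RFC 822 message."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg.get("Reply-To", "")) or from_domain
    return {
        "from_domain": from_domain,
        "reply_to_domain": reply_domain,
        "reply_to_mismatch": reply_domain != from_domain,
        "lookalike_of": lookalike_of(from_domain, trusted),
        "bad_links": mismatched_links(msg.get_payload()),
    }


if __name__ == "__main__":
    for key, value in analyse_message(SAMPLE_MESSAGE, TRUSTED_DOMAINS).items():
        print(f"{key:18} {value}")
```

These are heuristics for training and triage, not a substitute for enforcing SPF, DKIM and DMARC at the mail gateway, and the look-alike check is only as good as the curated list of partner domains you feed it. A legitimate mass-mailer can also set a Reply-To that differs from From, so treat that signal as a reason to look closer rather than as proof of fraud.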
Criminals assembling a spear phishing scam gather every piece of information they can find online. They mine LinkedIn, Google, Facebook, Instagram and other sites to learn about your company, its personnel, its suppliers and its partner relationships, then combine it all into plausible requests, such as wiring money to pay an invoice or handing over an employee's personal information.
Size does not matter; attackers go after small and large businesses alike. A quick search for phishing scams turns up large, sophisticated tech companies that have been fooled.
Google and Facebook were duped out of roughly $100 million through an email scheme in which the attacker impersonated a computer-parts vendor. The FBI's Internet Crime Complaint Center reported that business email compromise scams, which trick company executives or accounting departments into sending money to fake vendors, cost victims over $676 million in 2017.
Cybersecurity education is vital to your organization's security. When employees realize that their own personal information, as well as the business's data, is at stake, they pay more attention to training and become more vigilant about protecting data.
Employees differ, so make sure your security training leaves every one of them able to recognize an attack and help protect the organization.
Security is only as strong as its weakest link, and as we have seen, that includes your employees.
Part 6 – Lost or stolen devices
Even when employees use their own devices under a bring-your-own-device (BYOD) policy, there are basic rules to follow, and employees need to know them.
If an employee loses a phone, do they know to notify IT right away? Does your company have a policy that tells employees to report a lost device?
Here is an example to consider:
An employee loses a device on Friday and waits until Monday to report it, hoping it will turn up. By then the phone has been in the wild for a whole weekend, giving a potential attacker that long to use the cached credentials and mail on it to get into your network and sensitive data.
When you put together your IT security training, build a curriculum with as much concrete detail as possible, including how reporting a lost or stolen device immediately lets IT lock or remotely wipe it before information can be stolen.
Part 7 – Wi-Fi and Bluetooth problems
Free Wi-Fi is everywhere, and many smart devices come with limited data plans, so employees now hunt for open Wi-Fi wherever they go.
That gives them faster, free internet, but there are warnings to consider.
Make employees aware that on an open Wi-Fi network an attacker can station themselves between the employee's device and the hotspot, or simply run a look-alike hotspot of their own. Anything sent without encryption is then readable, and even with HTTPS the attacker still sees which hosts are contacted and can attempt downgrade tricks, putting the employee's personal information and your organization's credentials at risk.
Once criminals have an employee's credentials, business or personal, they can log in and impersonate them whenever they want. A hostile hotspot can also inject pop-up messages offering software upgrades that, if clicked, install malware and infect the device.
Wi-Fi is not alone; Bluetooth also deserves attention. Cyber criminals have exploited Bluetooth security flaws to break into devices and steal business data from corporate networks, and once a device is breached, malware can spread to other nearby devices, including office computers, printers and much more. Most devices have been patched for the flaws disclosed so far, but attackers tend to stay a step ahead of device makers, so more nasty surprises are likely.
Part 8 – Use a Virtual Private Network
Staying connected means you can work from anywhere. To avoid the Wi-Fi and Bluetooth problems above, most IT departments and managed IT services providers have employees use a virtual private network (VPN): an encrypted tunnel that carries all of the device's traffic back to the company, protecting its data from the hotspot.
As stated above, nothing is 100 percent. Hardening VPN gateways to industry best practice makes them tricky to set up, and an outdated protocol or a misconfiguration that lets some traffic bypass the tunnel can leave security holes in the network.
You run a professional business, so do not use a free VPN: a study of free Android VPN apps found that 38 percent showed signs of malware or malvertising.
VPNs encrypt communication between endpoints. They do not protect you from rogue applications or malicious websites that may still infect your devices and network with malware.
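Here is what "encrypts all traffic" versus "lets some traffic bypass the tunnel" looks like in an actual client profile, as an added example that is not from the original article. It assumes a WireGuard VPN (the article does not name a product); the keys, addresses, resolver and endpoint are placeholders. The two profiles are shown side by side for comparison; a real client file contains only one of them.

```ini
# Added example, not from the original article. WireGuard is an assumed choice;
# every key, address and hostname below is a placeholder.

# SPLIT TUNNEL: only the office network is routed into the VPN. Web, mail and
# DNS for everything else still leave the laptop in the clear over the hotspot,
# so the "all traffic is encrypted" promise does not hold on this profile.
[Interface]
PrivateKey = <client-private-key>
Address = 10.8.0.12/32

[Peer]
PublicKey = <gateway-public-key>
Endpoint = vpn.example.com:51820
AllowedIPs = 10.0.0.0/8

# FULL TUNNEL: all IPv4 and IPv6 traffic goes through the tunnel, DNS is pinned
# to a resolver that is only reachable inside it (so lookups cannot leak to the
# hotspot's resolver), and the keepalive holds the tunnel open behind the
# hotspot's NAT.
[Interface]
PrivateKey = <client-private-key>
Address = 10.8.0.12/32
DNS = 10.8.0.1

[Peer]
PublicKey = <gateway-public-key>
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
```

Split tunnelling is a legitimate choice on a trusted network, but for the untrusted-hotspot case this section is about, the full-tunnel profile is the one to push to employee devices. Either way, the tunnel only protects traffic in transit; a malicious app or website reached through it is still malicious.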
Part 9 – Avoid USB drives
USB drives are handy for carrying information with you. Unfortunately most are not encrypted, which makes it easy for whoever finds one to read the data, and an infected drive is an easy way to deliver malware. Because they are so small, thumb drives are also easy to lose.
Here are some alarming statistics from a recent survey on USB drives:
- 90 percent of employees use USB drives for company work
- 80 percent of them are not using encrypted USB drives
- 87 percent of the employees surveyed admitted they had lost a USB drive
What happens to USB drives that are lost, or that turn up at an organization?
Researchers dropped roughly 300 USB drives around a campus in one experiment. An alarming 48 percent were picked up and plugged in by whoever found them to see what was on them.
In 2018, Heathrow Airport was fined £120,000 for a lost USB drive. A Heathrow employee lost the drive and a member of the public found it and viewed its contents on a library computer. None of the data on it was encrypted or password protected.
Employee training on using USB drives responsibly and on reporting a loss or theft is a crucial part of your security process. Engage employees with your security policies by using real-life examples like these.
Part 10 – Cybersecurity takes a step forward
Companies are evolving and so is cybersecurity. Simply purchasing a security product is not enough; organizations need to rethink and design their IT infrastructure around a security-by-design strategy.
According to Verizon's 2018 Data Breach Investigations Report, there were 2,216 confirmed data breaches and more than 53,000 security incidents reported across 65 countries in the year it covered.
A proactive defense gives organizations a chance of holding off attacks, and understanding the threats helps you manage risk effectively.
Part 11 – The human employee factor
Your organization and its employees must work as one on IT security and cybersecurity strategy. The entire organization must be aligned, with cybersecurity treated as a business pillar that underpins every IT initiative and IT project going forward.
Organizations must look to their IT department or managed IT services provider to ensure its staff are trained in cybersecurity.
Looking across the IT landscape, there are several distinct types of provider to consider:
- An internal IT department is not a Managed Services Provider (MSP)
- A Managed Services Provider (MSP) is not a Managed Security Services Provider (MSSP)
- A Managed Security Services Provider (MSSP) is neither an internal IT department nor an MSP
Organizations need to match the right kind of firm to the business goal at hand. As complexity rises and demand booms, a large shortage of cybersecurity talent is affecting security globally.
Part 12 – How do you invest in technology?
Organizations have to align their technology investment with business goals.
Consider the following building blocks:
- Remote monitoring and management (RMM) for laptops, workstations, smart devices and servers
- Security monitoring and management covering all aspects of your network
- A next-generation firewall with active security services such as intrusion detection
- Centrally managed and monitored anti-virus and spam filtering
A strong network foundation is crucial for organizations that want to stay secure and thrive.
Managed Services Providers (MSPs) and Managed Security Services Providers (MSSPs) are always on the lookout for next-generation solutions that create sustainable, resilient networks and make security tasks easier and faster.
What is Cybersecurity and What Do You Need To Know?
In short, cybersecurity is what allows an organization to keep operating under persistent threats and sophisticated attacks. It lets organizations embrace disruption safely, strengthen customer trust and grow value.
Our complimentary network and security assessment can put your IT infrastructure and business to the test.
365 iT SOLUTIONS is Toronto’s leading IT consulting boutique firm offering industry leading IT solutions including Managed IT Services, IT Support Services, IT Outsourcing Services, Tech Support Services and Cloud Services.