
Make Your Employees Your First Line of Cybersecurity Defense

By | Communication Security, Data Security, Managed IT Services, thinkCSC Leadership Series

One of the most common misconceptions about cybersecurity is that small- and medium-sized businesses (SMBs) don’t need to worry about cyber-threats or attacks. This is simply untrue. Over the last few years, more than 70 percent of the organizations that have lost money to cyber-crime have been SMBs. Make no mistake: small businesses are a big target. There are many reasons for this, but one of the most prominent is a lack of training and awareness among employees. People are the biggest source of risk to an organization’s security, but you can make your people your first line of defense.

Who?

Every person – from the President, CEO, and Chairman of the Board to the custodians, cashiers, and administrators – should receive cybersecurity training and be held accountable for following all security policies. It is important to note that almost half of the losses associated with cyber-crime have been attributed to insider fraud and carelessness.

Given how widespread the use of personal devices is among employees, on and off company premises, BYOD (bring your own device) security policies must be addressed as well. This is particularly true when employees use personal devices to conduct company business, including accessing work email accounts. Any device that connects to company systems, even sporadically, and accesses business data can be targeted by cyber-criminals and should be subject to specific security requirements.

Why?

Employees need to understand not only what the risks are but why training is so critical. Most millennials and post-millennials are well-versed in the use of technology, but even the savviest tech user can be tricked by a convincing phishing message into launching ransomware. And most people are unaware of the extent of cyber-attacks in today’s business world.

What?  

Employees cannot avoid, nor help address, what they do not understand and recognize. Whether the potential risks are phishing emails, malware, ransomware, out-of-date software, or the use of unapproved applications, employees must be taught to recognize and report suspicious activity, to avoid clicking on unexpected links and opening unexpected attachments, and to think before clicking. Threats are far more likely to be handled properly, or avoided altogether, when employees are routinely trained. Thus, it is critical to make cybersecurity training an integral part of the onboarding process as well as an ongoing practice throughout their employment. This training should cover the basics of current threats and information regarding emerging threats.

How?

The following elements should be a part of both initial and ongoing training:

  • Common Threats: Employees must understand and be able to recognize the signs of common threats. At the very least, these warning signs should be written down and displayed in visible locations in every department. Download our email security guide to get started (PDF).
  • Communication: Employees need to feel encouraged to speak up and speak out if they suspect an issue. They need to feel empowered to take time away from normal business long enough to address concerns with a supervisor, manager, or managed services partner.
  • Prevention Rules: Employees need clear guidelines regarding the sites from which they can or cannot access information, as well as guidelines detailing what may or may not be installed on their company computers and devices. They need simple instructions about which attachments should not be opened and which links should not be clicked. They should be required to report any solicitations or non-work-related messages from unrecognized sources. Finally, companies should apply aggressive spam and phishing filtering to inbound mail, so that fewer threats ever require skilled employee intervention.
  • Password Standards: One of the most frustrating aspects of our modern technological world is the need for multiple passwords across multiple devices and accounts, especially when the same accounts demand frequent password changes. While biometric sign-in may soon relieve some of this frustration, insisting on strong, unique passwords, multifactor authentication, and careful handling of passwords (never shared, never reused across accounts) is essential.

None of these measures is terribly difficult; none is particularly time-consuming; none is overly burdensome; all of them are critical. Given the rise in cyber-attacks over the last decade and, especially, the recent, coordinated, worldwide ransomware attack, not providing cybersecurity training to employees is not an option for any company that wants to survive and flourish. Of all expenditures that do not generate revenue directly, this is one of the most fundamental and unavoidable. It cannot be ignored.

While thinkCSC believes that employees will always be the first line of defense against ransomware attacks, the only real solution is for leaders of organizations and businesses of all sizes to invest in stronger IT security that includes offsite backup and recovery (with restores tested regularly, since an untested backup is not a recovery plan). These protections, combined with ongoing staff training, strict security policies, and constant vigilance, are an absolute necessity in today’s cyber-environment.

For new customers interested in information on obtaining our services, please contact us at sales@thinkcsc.com.

The Argument for Endpoint Security

By | Communication Security, Data Security, Email Security

An organization is only as secure as its weakest access point, and certain endpoints – smartphones, laptops, and other portable devices that are often connected to public WiFi hotspots or are apt to be lost – are a weak spot for most organizations.

Endpoints are an easy target. Endpoint security is designed to thwart the most common risks these devices present by detecting and blocking malware and by reducing the exploitable weaknesses on the device itself, while keeping a sensible balance between protection and user access.

Does Your Organization Need Endpoint Security?

Does your company use mobile devices? Do your employees have the ability to take these devices offsite and off-network? Would a data breach cost you customers, downtime, or lost business? If you answer yes to any of these questions, then endpoint security is something your organization should consider.

Endpoint Security and Phishing Scams

Email security is a challenge for every organization. Your employees, whose split-second decision to click on a link or open a file puts you at risk, are also part of the solution. But can endpoint security help you prevent phishing attacks? As part of an overall strategy of multiple layers of security designed to block as much malware as possible, endpoint security can work at the device level by:

  • Requiring security and monitoring software that can detect rapid file encryption (the signature of ransomware at work), even on employee-owned devices used for work
  • Making sure the operating systems and applications on all devices are fully patched and up to date
  • Allow-listing approved applications, so that unapproved executables, including malware dropped by a phishing attachment, cannot run at all
  • Implementing analytics that rapidly detect and block threats
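To make the first item concrete, here is a simplified version of the kind of heuristic an endpoint agent uses to spot rapid file encryption. This is an added example written for this page, not thinkCSC's software or any product's detection logic; the event format (timestamp in milliseconds, process ID, path, bytes written), the thresholds, and the sample process IDs and paths are all assumptions, and the event stream is constructed inline rather than captured from a real host. The idea is that encrypted output has near-maximal byte entropy, so a single process writing many high-entropy files in a short window looks very different from a word processor autosaving text or a backup tool writing a few archives slowly.

```python
import math
import random
from collections import deque

# Illustrative tunables (assumptions for this example, not vendor defaults).
ENTROPY_THRESHOLD = 7.0   # bits per byte; plaintext is ~4-5, encrypted/compressed data nears 8
BURST_FILES = 10          # this many distinct high-entropy files from one process ...
WINDOW_MS = 5000          # ... within this many milliseconds raises an alert


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def detect_rapid_encryption(events, threshold=ENTROPY_THRESHOLD,
                            burst=BURST_FILES, window_ms=WINDOW_MS):
    """events: (timestamp_ms, pid, path, written_bytes) tuples in time order, as a
    file-write sensor would deliver them. Returns [(pid, timestamp_ms)], at most one
    alert per process, raised at the write that completes the burst."""
    recent = {}        # pid -> deque of (timestamp_ms, path) for high-entropy writes
    alerted = set()
    alerts = []
    for ts, pid, path, data in events:
        if shannon_entropy(data) < threshold:
            continue   # ordinary document content; not interesting
        dq = recent.setdefault(pid, deque())
        dq.append((ts, path))
        while ts - dq[0][0] > window_ms:
            dq.popleft()   # drop writes that fell out of the sliding window
        if pid not in alerted and len({p for _, p in dq}) >= burst:
            alerted.add(pid)
            alerts.append((pid, ts))
    return alerts


def build_sample_events():
    """Constructed sample activity for the demo (not captured from a real host)."""
    rng = random.Random(7)

    def high_entropy_blob():
        return bytes(rng.getrandbits(8) for _ in range(2048))  # looks like ciphertext

    text = b"Quarterly report: revenue grew modestly while costs held steady. " * 40
    events = []
    # pid 1001: a word processor autosaving many plaintext files quickly -> no alert
    for i in range(15):
        events.append((10000 + i * 100, 1001, f"/home/alice/docs/report{i}.txt", text))
    # pid 2002: a backup tool writing a few compressed archives, slowly -> no alert
    for i in range(3):
        events.append((50000 + i * 2000, 2002, f"/backup/archive{i}.zip", high_entropy_blob()))
    # pid 3003: ransomware rewriting a directory in place, 100 ms per file -> alert
    for i in range(12):
        events.append((100000 + i * 100, 3003,
                       f"/home/alice/docs/report{i}.txt.locked", high_entropy_blob()))
    return sorted(events)


def run_demo():
    """Runs the heuristic over the constructed events; returns the alert list."""
    return detect_rapid_encryption(build_sample_events())


if __name__ == "__main__":
    for pid, ts in run_demo():
        print(f"ALERT: pid {pid} wrote {BURST_FILES} high-entropy files by t={ts} ms")
```

Real agents combine this with other signals (mass renames to a new extension, deletion of shadow copies, writes to canary files) and respond by suspending the process, which is why the alert is raised on the write that completes the burst rather than afterwards.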

Phishing emails and malware such as ransomware, worms, and bots are a constant threat. Proactive measures must be taken against existing and emerging threats, not just on your network and servers but at every point of access, reinforced by employee training and consistent follow-up.

As cybersecurity remains a top concern for business leaders in every industry, taking the necessary steps to protect your organization becomes a high priority. Minimizing your risk is easier when you partner with a trusted managed IT service provider who understands your needs and provides customized solutions to ensure that you have the protection you need. thinkCSC is committed to helping you find the most economical solutions to meet your needs. For more information, contact us today.

Avoid Devastating Security Breaches with Sender Policy Framework

By | Communication Security

Over the last year we’ve seen a significant increase in the volume of “spoofed” email, where the sender of the email appears to be internal to the company, attempting to trick the recipient into initiating an action that appears to be legitimately requested, such as a wire transfer or the opening of an attachment that installs ransomware. These emails can be very deceptive. Often, company executives are impersonated, and the emails are sent to the people within the organization who would typically be involved in such transactions. There is no foolproof way of stopping these messages, and the best line of defense, of course, is a well-trained staff who react with caution before opening attachments or sending money. Nevertheless, we recommend implementing Sender Policy Framework (SPF) to help keep spoofed emails from ever reaching their destinations. Be aware of what SPF actually checks: the domain in the message’s envelope sender (the SMTP MAIL FROM address), not the From: header the recipient sees. Catching a forged From: address reliably also requires the receiving system to enforce alignment between the two, which is what DMARC adds on top of SPF and DKIM.

Sender Policy Framework 

Sender Policy Framework is a technology used to publish the approved email systems for a domain. To implement SPF, thinkCSC creates a TXT record in your domain’s DNS (beginning with v=spf1) that identifies which servers and IP addresses are allowed to send email for your domain. Receiving mail systems that support SPF look up this record during the SMTP conversation and process the result according to their configured policies. In other words, the record tells the recipient’s email provider which sources are legitimate for your domain, allowing the provider to better detect spoofed messages and mark them as spam. Most major mail providers now factor the SPF result into their overall scoring for determining whether a message should be delivered or marked as spam, and some will automatically junk messages that fail an SPF evaluation. While this technique does not ensure that a spoofed message will always be treated as spam, it increases the likelihood considerably. Note that the record only protects your users from mail spoofing your own domain if the receiving side, including your own mail server for inbound mail, actually checks it.

In order to successfully implement an SPF record, it’s critical to identify all of the mail servers and third-party services that could be used to send email on behalf of the domain, including the email provider, company websites, relays, third-party SaaS tools (such as a CRM), and marketing software that sends emails on behalf of the organization. A legitimate sender left off the list will fail SPF, so the closing mechanism is usually published as a softfail (~all) while the list is being validated and tightened to a hard fail (-all) once it is complete. The record is also limited to ten DNS-querying terms in total (include:, a, mx, ptr, exists, and redirect=, counted across every included record), and exceeding that limit turns every evaluation into a permanent error rather than a pass. Once the senders are identified, thinkCSC will create the DNS record, test and validate email flow from known senders, and update the SPF record as needed.
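The following is an added example, written for this page rather than taken from thinkCSC or from any SPF library, of how a receiving mail system evaluates a record like the one described above. It replaces real DNS lookups with a small constructed table of hypothetical domains and addresses (example.com, _spf.mailer.example, loop.example, and the documentation address ranges in them are all assumptions) and evaluates the ip4/ip6, include and all mechanisms against the connecting client’s IP, counting DNS-querying terms against the ten-lookup limit so that a self-including record produces a permerror instead of recursing forever. Mechanisms that need live DNS answers (a, mx, ptr, exists) are counted but treated as no match, and modifiers such as redirect= are skipped.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups: hypothetical domains and addresses,
# not anyone's real records. A real checker queries DNS for each domain instead.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:192.0.2.0/25 ~all",
    "loop.example": "v=spf1 include:loop.example -all",   # misconfigured: includes itself
}

MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4: include, a, mx, ptr, exists, redirect all count
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, txt_table=FAKE_DNS_TXT, _lookups=None):
    """Evaluate the SPF record of `domain` (the MAIL FROM domain) against the IP
    address of the connecting SMTP client. Returns one of the SPF result strings:
    pass, fail, softfail, neutral, none or permerror."""
    if _lookups is None:
        _lookups = [0]  # one counter shared across recursive include: evaluations
    parts = (txt_table.get(domain.lower()) or "").split()
    if not parts or parts[0].lower() != "v=spf1":
        return "none"  # no SPF record published for this domain
    ip = ipaddress.ip_address(sender_ip)

    for term in parts[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term.split(":")[0]:
            continue  # modifier such as redirect= or exp=; not evaluated in this example
        name, _, arg = term.partition(":")
        mech = name.lower().split("/")[0]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address or prefix length
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif mech == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"  # too many DNS-querying terms (or an include loop)
            inner = check_spf(arg, sender_ip, txt_table, _lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"  # included domain has no usable record
            # fail/softfail/neutral inside the include simply means "no match here"
        elif mech in ("a", "mx", "ptr", "exists"):
            _lookups[0] += 1
            if _lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            # these need live DNS answers; this offline example treats them as no match
        elif mech == "all":
            return QUALIFIERS[qualifier]
        else:
            return "permerror"  # unknown mechanism
    return "neutral"  # nothing matched and the record ends without an `all` term


if __name__ == "__main__":
    for dom, ip in [("example.com", "203.0.113.10"), ("example.com", "192.0.2.5"),
                    ("example.com", "192.0.2.200"), ("nospf.example", "203.0.113.10"),
                    ("loop.example", "203.0.113.10")]:
        print(f"{dom:22} {ip:15} -> {check_spf(dom, ip)}")
```

The difference between the two closing qualifiers shows up directly: a client at 192.0.2.200 is not authorized by either record, but evaluated against _spf.mailer.example (~all) it gets softfail, while evaluated against example.com (-all) it gets fail, which is the result most receivers will act on.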

If you have been the victim of phishing emails or would like to learn how to protect your organization from sender address forgeries, contact thinkCSC for more information.