It takes more than strong passwords to prevent credential theft. Security hygiene best practices are designed to proteect your data.
Those organizations that you might assume are the most secure suffer from the same weakness as every other company: basic security knowledge. Even those on the campaign trail, despite rampant political hacking attempts, are failing to address email security. The topic of cybersecurity is heard but not addressed, and even if the rules of keeping personal and professional information secure are understood, they are not taken seriously. When 90% of cyberattacks now begin with a phishing campaign, it’s clear that hackers have noticed as well. Email security is not being prioritized, and data breaches are a common result.
Phishing attacks are hard to identify.
Ongoing training is critical for everyone within an organization because phishing attacks are becoming more advanced each day. An employee may not think twice about a request to update a password for a commonly used website, or to submit private information to what appears to be a vendor. Employees blindly trust that an antivirus program will weed out the spam in their digital mailboxes, without considering that an email could be a phishing attack.
The two most common types of phishing attacks:
- Mass phishing – Although hackers are fond of specific targets, it doesn’t change the actuality of mass emails being sent company wide. It only takes one employee to offer credentials or click a link and the attack will have been successful.
- Spear phishing – This cyberattack targets individuals or specific groups of people that have desired information. The hacking attempt looks legitimate because the message is likely relevant and tailored to the intended recipient.
Preventing phishing attacks starts with best security practices.
Educating staff is essential in stopping phishing attacks, and it needs to be more than a brief presentation or a handout. Cybersecurity training should be comprehensive and provided on a regular basis, to communicate updates and these reminders about best practices:
- Secure personal information – Do not use the same password on multiple devices and at multiple sites, including personal networks. Hackers can target specific individuals and explore networks like social media to gain information. Passwords should be complex and changed periodically, and double authentication should be applied whenever possible.
- Use available malware and virus protection programs – If professional devices are asking for updates, make sure employees are not ignoring prompts. Also encourage employees to secure their personal devices and provide accessible security options. By incorporating best security practices into their personal lives, employees are more likely to implement these practices in their professional realms.
- Use secure networks only – It can be tempting for employees to sign in quickly to an office network at home, even if it is to innocently check an email. Unsecured access, however, can give hackers the opportunity they need to infiltrate secure networks.
- Be aware of threats – Train employees to be suspicious of emails requesting private information, such as credit card details. If an email requests immediate action, then a moment should be taken to confirm the request. Nothing is so immediate that your employees can’t take the time to verify a request with a supervisor.
Your employees can be your biggest risk, but they can also become your strongest defense against phishing attacks. Knowledge is the first step in preventing data breaches, and by educating employees regularly, you can establish a culture of best security practices. Download the thinkCSC email security guide to get started.
Meeting your business objectives is virtually impossible without a well-developed information security program. With businesses of every size and industry facing threats on a daily basis, comprehensive data security is now a primary need. However, many businesses don’t dedicate the personnel, time, or resources to maintain something that is always evolving. How can you address the constant barrage of hackers, malware, and phishing attacks and still stay in business?
The Importance of Managed Security
Cyberthreats are on the rise, and the technology used to launch these virtual offensives only gets more sophisticated with each attack. If you happen to have an experienced IT specialist at your disposable, you are one of the lucky few. Many small businesses lack the resources necessary to employ an IT professional, and even those businesses with full IT departments struggle to keep pace with cyberthreats. A Managed Security Service Provider, or MSSP, can offer premium IT services that are provided by highly-trained cybersecurity experts. Every aspect of data security for your business is covered, while an MSSP tackles cyberthreats so you can get back to running your business.
IT Departments Are Overwhelmed
It’s tough to admit when your professionals are stretched too thin, but outsourcing to a knowledgeable MSSP can offer relief to your entire organization. There’s no doubt that your IT personnel feel stress when a fraudulent email is opened and results in a system-wide crash, but all employees experience frustration when they can’t do their jobs. We work in a digital age that demands a reliable cybersecurity infrastructure. Even the best IT departments can lack the training and resources required to combat threats, and they are expected to simultaneously manage the daily upkeep of your business. IT security is more important than ever, making it crucial to control the many variables that exist.
An IT Strategy is a Necessity
Do you know when your basic programs need an upgrade? What are the proper security precautions for your eCommerce store? Are you in compliance with the latest regulations? These questions, and more, require up-to-date answers, and many businesses struggle to establish an IT strategy that covers all angles. An IT strategy should also create defense mechanisms within your systems that will alert you to data breaches. Faster responses save time and money, and although every breach can’t be prevented, hackers can be promptly stopped in their tracks. Not every strategy is going to look the same, and an MSSP can offer specialized solutions that fit your business objectives.
You Can’t Afford Regular Attacks
When considering an IT budget, many businesses don’t recognize the hidden costs that are inevitable. Breaches cost money, and frequent attacks will exhaust whatever budget resources you have established. Cutting costs where IT personnel and strategy is concerned will hurt you in the long run, putting your entire business at risk. You’ll spend more time on pursuing hackers and repairing the damage they have caused than you will on improving cybersecurity. An MSSP can greatly reduce costs by preventing breaches of sensitive information, and an agreement will usually offer a predictable monthly fee.
What Can thinkCSC Do for Your Business?
At thinkCSC, we take security seriously, and we want to give you the most control over your business with the necessary cybersecurity measures. Our determination to offer ourselves as an experienced MSSP has promoted the development of innovative levels of security monitoring for our clients. Massive cyberthreats are a normal part of doing business, but they are risks that can, and should, be addressed and abated. thinkCSC provides excellent levels of monitoring and detection designed to protect your data and keep your organization running smoothly.
At thinkCSC, cybersecurity is simply what we do. We can partner with you to develop a unique solution designed to fit your business model. Take the first step towards advanced cybersecurity practices and contact us today to learn more about our enhanced Managed Security options.
We keep repeating this, because it bears repeating: Cybersecurity is one of the most pressing issues facing businesses in today’s technological world. Business size, resources, location, and other characteristics are almost irrelevant. From small, individualized breaches to worldwide ransomware attacks, the scope of cybersecurity compromises has risen dramatically throughout the last decade.
This trend has led to the need for organizations of every size to establish strategies to enhance cybersecurity and combat attacks. One such approach is known as vulnerability management (VM), which focuses on identifying threats and reducing exposure rather than merely reacting to incidents. In broad business terms, this approach differs from the old quality control systems (detecting problems as they happened or early in their appearance, thereby containing potential crises) and is more like the newer quality assurance approach (putting measures in place to assure the prevention of problems occurring at all). Quality assurance approaches include expeditious handling of issues that occur, but they focus on identifying potential systemic weaknesses and strengthening them in order to prevent issues from the start.
How is this done? What does this mean in practical terms? How can even small and medium-sized businesses (SMBs) employ a sufficiently robust VM plan?
The following are a few answers to these key questions:
Treat the Issue as More than Just a Requirement
Too many companies approach cybersecurity in general, and vulnerability management in particular, as an item on a checklist – a chore that must be done. These companies perform an annual scan and often use outdated or mismatched software systems. Treating cybersecurity simply as a requirement leads to inadequate protection and a never-ending cycle of escalating issues over which they never gain full control. Solving a serious problem requires seeing it as a serious problem and then treating it as such.
Conduct Regular Vulnerability Scans
Solid VM programs involve much more than just threat-detection scans. They do employ regular scans (at least quarterly) using up-to-date systems, but they also include additional elements, such as root-cause analysis, tracking, remediation, and detailed reporting. Without such comprehensive essentials, businesses leave themselves open to risks that can be eliminated systematically.
Consider Both Authenticated and Unauthenticated Scanning
Unauthenticated scanning is a simple scanning process through which devices are scanned remotely to determine exposed vulnerabilities. Authenticated scanning goes one step further and logs into the system with a valid user account. Using authenticated scanning can identify system configuration issues, as well as embedded vulnerabilities that simple scanning cannot catch.
Use the Common Vulnerability Scoring System (CVSS)
The CVSS uses a calculation metric to assign severity scores to vulnerabilities. The three core areas analyzed are: base metrics (qualities that are intrinsic to a vulnerability), temporal metrics (vulnerabilities that evolve over time), and environmental metrics (vulnerabilities that require specific implementation or a particular environment). This allows organizations to prioritize their responses in an intentional, meaningful, and productive manner and avoid the tendency to spend disproportionate time and resources on minor threats.
Fix the Issues That Cause Vulnerability
Scans merely identify threats. Most companies do nothing more than remove the threats discovered by their scanning measures. What they fail to do is fix the core issue that allowed the threat into their systems in the first place. Thus, the same threats often reappear, are discovered by future scans, are removed once again, and the cycle continues. Eliminating the entry portal exploited continually by the threat closes the existing security gap and stops this cycle of entrance and removal, which altogether eliminates the risk posed by the threat.
If Necessary, Outsource Vulnerability Management
Vulnerability management can be overwhelming, especially for SMBs with limited technical expertise and limited budgets. Just as outsourcing HR, legal, or security services can be beneficial, partnering with an established, knowledgeable Managed Security Services company can be a perfect, cost-effective solution to such a daunting task.
Many organizations, especially small businesses, rely on username and password protocol as their primary cybersecurity protection method. They assume that requiring employees to use strong passwords, and then requiring regular changes to those passwords, is an adequate approach to cyberattack prevention. On the contrary: Relying primarily on passwords is not as secure as most of us are led to believe.
The Verizon 2017 Data Breach Investigations Report revealed two of the major findings that bear directly on this issue. Of the data breaches that were analyzed:
- 75 percent were perpetrated by outsiders (with the exception of healthcare, where 68 percent were internal)
- 81 percent of hacking-related breaches (50 percent of all breaches) leveraged weak or stolen passwords
What does this say about relying on usernames and passwords to secure your network – and why are strong passwords not a solid cybersecurity strategy?
Most people don’t want to remember numerous usernames and passwords for multiple accounts and programs, and many don’t feel confident in their ability to accurately recall that information. More so, they dislike having to regularly change passwords on individual accounts, and being forced to forget previous passwords in exchange for new ones. To deal with this frustration, they tend to do one of two things (or both):
- Re-use the same usernames and passwords across multiple accounts
- Write down their usernames and passwords, and store them in their workspace (usually in a place that is easy to find, often on their desk or in a top drawer)
The problems with these widespread tendencies are simple:
- Remember, 81 percent of all hacking-related breaches leveraged weak or stolen
- Repeated passwords used on multiple sites increase the risk of successful breaches on internal company sites. If passwords on personal accounts (online shopping, banking, personal email, social media, etc.) match passwords on company sites (employee login, company email, etc.), hackers can apply those identical passwords to other accounts with the same or similar usernames – and many people use the same username format across multiple accounts (e.g., John_Doe, or John.Doe).
- This means that any password, no matter how strong it is, is vulnerable the more often it is used with multiple accounts, especially when it is associated with the same (or similar) username.
- If 75 percent of breaches were perpetrated by outsiders, this means that 25 percent were committed by insiders. Many internal attacks don’t have to target one particular employee’s access; in many cases, accessing one member of a team or department (or even the entire company) is all that is required. Thus, having an employee record usernames and passwords, and store them in an obvious place, makes internal attacks much easier and more likely.
Having a system of employee usernames and passwords is not enough. Passwords, to be at all effective, need to be randomly generated strings of characters, changed frequently, and accompanied by two-factor authentication and protected by additional layers of security, backup and recovery, and monitoring.
thinkCSC is here to help ensure your cybersecurity systems are strong and vibrant, to assist you in your preparation for and response to cyberattacks. Together, we can avoid the mistakes that are common among so many businesses and organizations, in the end becoming as secure as possible in today’s technological world.
While thinkCSC believes that employees will always be the first line of defense against ransomware attacks, the only real solution is for leaders of all –organizations – businesses of all sizes, government entities, schools, hospitals, and –others – to invest in stronger IT security that includes offsite backup and recovery and managed security. These protections, combined with ongoing staff training, strict security policies, and constant vigilance, are an absolute necessity in today’s cyber-environment.
For new customers interested in information on obtaining our services, please contact us at email@example.com