Companies are under constant attack from cyber criminals who are looking for one small crack that can lead to a big payday. Every year these attacks become more and more sophisticated, leaving businesses scrambling for ways to stay ahead of the curve. Many businesses are paying hundreds of thousands of dollars on the latest and greatest in software, hiring full-time or virtual CISOs, or paying third-party consultants to keep their data secure.
Organizations are hoping for some magic application that can safeguard against all potential threats, but up to this point, that app does not exist. Mitigating risk has always come down to two steps:
- Knowing the major threats to your company
- Implementing ways to minimize the risk of falling victim to those threats
These two steps have always been, and still are, the quickest and least expensive ways to protect your system and the data within it. This is not an attempt to downplay the importance of investing in top-of-the-line hardware and software, as they are extremely important and valuable measures to take when securing your network. But at the end of the day, once a new piece of hardware or software comes out, hackers will spend countless hours trying to find every possible way to compromise it.
First let us investigate the most common threats businesses, whether in Dayton or in the surrounding areas, may be facing:
- Social Engineering: Social engineering is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. Essentially, this is where a cybercriminal masquerades as someone else, maybe a cell phone provider or the IRS, and tries to pressure you into giving up information. This can be done through phishing (email), smishing (SMS texting), or vishing (voice solicitations). Phishing accounts for nearly 90% of all data breaches.
- USB Littering Campaign: This type of social engineering attack is where a hacker attempts to get an employee to plug a portable storage device, like a USB drive, into their company computer. This is usually accomplished in two ways. The first is where the criminal leaves several devices lying around in common areas within your business, hoping an employee will see the device and plug it into a computer to see what is on it. The second way is through gifts. Many hackers are now sending gift cards to high-ranking employees, and inside the package with the gift card is a USB drive supposedly containing a list of products that can be purchased.
- Ransomware: Ransomware is a type of malicious software that is designed to block access to a computer system until a sum of money is paid. This is usually accomplished through a phishing email or littering campaign. The hacker will use one of those methods to get an employee to unknowingly download their software. The software spreads throughout the system, locking down all company files, and the cybercriminal will only provide the password to unlock the files once the money is paid. Even after the money is paid, companies must spend countless hours unlocking all their files. These types of attacks are devastating to a company’s bottom line and have been steadily on the rise.
- Insider Threat: This can be any security threat that originates from within the organization being attacked or targeted, most likely an employee or officer of the organization. These threats can be malicious, like an employee intentionally downloading ransomware onto the system; or they can be innocent in nature, like an employee believing customer data they collected over the years belongs to them since they were the ones obtaining the data. Whether malicious or not, these threats are very damaging for a company, and they are something every organization needs to keep in focus.
Now that you have a basic understanding of the most common threats to your system, you can start taking steps to manage and mitigate those potential threats. It doesn’t matter whether you are a healthcare provider, dental office, insurance provider, credit union, dealership, or government agency; we believe the first three steps in information security are the same:
- Information Security Risk Assessment is the first step in building the foundation for a strong information security program. Conducting an assessment on the information technology system and analyzing the policies will highlight areas that may need additional attention and provide a roadmap of where to invest your time and money. Any business can perform a risk-based assessment on their own, but it is highly recommended to have a third-party professional provide a non-biased approach to evaluating your company’s information security.
- Staff Training is the next extremely vital step in locking down your company and customer data. Recent polls suggest less than 50% of adults understand phishing, malware, and ransomware, and even fewer know how to defend against these attacks. A risk assessment provides a remediation plan for policies and infrastructure, whereas staff training IS the remediation plan for the employees who handle the data on a day-to-day basis. Monthly social engineering simulations and ongoing security training will get your entire organization focused on intelligent information security habits and provide the staff with the necessary tools to keep their minds engaged in defending your company from cyber-attacks.
- Penetration Testing is the final step in the process. Companies spend tens of thousands of dollars (if not more) on robust IT infrastructure, hoping their design will keep the cyber threats away. Although these systems are incredible, none of them are perfect. Penetration testing is utilized to find possible holes within these systems and is a crucial step in securing the entire organization.
Although the above actions will not guarantee safety from every threat, taking a few steps is better than not taking any at all. These three measures are something all companies should be able to afford. They will present your company with a very good understanding of your security posture and will help guide your actions toward building a secure network for you and your customers.