"In any moment of decision, the best thing you can do is the right thing, the next best thing is the wrong thing, and the worst thing you can do is nothing." - Theodore Roosevelt
As October draws to a close, and Cybersecurity Awareness Month ends, it’s important to remember that cybersecurity requires constant attention and diligence all year long to ensure the best protection against ever-increasing threats. Small businesses are more vulnerable than ever as the profits from cybercrime continue to rise. Taking the first steps on cybersecurity can prove confusing and daunting. For a small business, enacting cybersecurity safeguards can seem like building a nuclear power plant to power a light bulb. There are many sides to cybersecurity, and they all need to work together to achieve comprehensive protections needed to sufficiently mitigate today’s cyber threats.
Compiled here is a summary of information and best practices from our month-long posts on remaining secure.
What Is Cyber-Smart?
Cyber-Smart is the awareness and understanding that cyberthreats are everywhere and attacks are occurring with increasing frequency. Cyber-smart is recognizing reasonable safeguards and training are a necessity – no matter how inconvenient or costly -- to keep a company, its clients and stakeholders safe.
Understanding Cybersecurity
Cybersecurity is a collection of policies, training, best practices, safeguards, equipment and physical protections that, when combined, offer the best protection against cybercrime. Cybersecurity protects data, online information, smart devices, personal information and the reputation of a business.
Small businesses are an increasing target of cybercrime because they are more likely to postpone safeguards and best practices that mitigate the chances of a breach or scam. Many small businesses falsely believe that they have nothing a cybercriminal wants. The most common cyber crimes against small businesses are:
Identity Theft and Scams
States from Maine to California have recently enacted privacy, data security, cybersecurity, and data breach notification laws. The New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act and the Florida Information Protection Act of 2014 (FIPA) both expand notification requirements for covered entities that collect, use, store, or retain state residents' personal information. Businesses that do not follow the regulations laid out in the SHIELD Act may face civil penalties of up to $5,000 per violation. The SHIELD Act also increases the penalty that can be recovered for noncompliance from $10 to $20 per failed notification and raises the maximum penalty from $100,000 to $250,000. Businesses that do not supply the required notices under FIPA violate the Florida Deceptive and Unfair Trade Practices Act (FDUTPA) and are subject to civil penalties:
$1,000 per day for the first 30 days.
$50,000 for each 30-day period up to 180 days.
A maximum penalty of $500,000 for violations exceeding 180 days.
Adopt Multi-Factor Authentication
One of the easiest ways to mitigate cybercrime is adopting Multi-Factor Authentication (MFA) or Two-Factor Authentication (2FA). Adopting it makes stealing information much more difficult for the average criminal. The more hurdles there are, the more likely it is that thieves will choose someone else to target. Traditional passwords aren't secure enough anymore, and password theft is evolving. MFA and 2FA help protect an organization by addressing the possibility that an employee will use a weak password.
Preventing Ransomware Attacks
The four keys to preventing a ransomware attack are: Configuration, Access, Patching, and Employee Awareness and Education.
Configuration - Reduce the number of entry points an attacker could use to gain access to a system. Ransomware attackers can access a network through misconfigured security controls. Ensuring these controls are configured properly reduces the attack surface and helps prevent this access.
Access - If the number of internal access points available to an attacker who has already entered a system is reduced, the amount of damage the criminal can do is limited. Once inside a network, criminals often move laterally to reach vulnerable targets. For example, they can gain access to a particular employee's account and then use that account's privileges to move within the network, sometimes escalating their permissions and access as they go. While local administrative rights on workstations and broad access to network file shares may empower your organization's employees, it's critical to restrict access as much as possible.
Patching - Reduce the chances of an attack via an unknown or unpatched entry point. Even with comprehensive cybersecurity safeguards in place, software vulnerabilities remain. As these vulnerabilities are discovered, patches and software updates are released. However, these updates aren't effective if they aren't deployed right away. In general, exploits are available to attackers the same day that patches are announced. Installing patches as soon as they are released reduces an attacker's opportunity to take advantage of these vulnerabilities.
Employee Awareness and Education - Phishing and similar tactics are often used to introduce ransomware into systems. Close this common entry point for cybercriminals by conducting regular, mandatory phishing prevention training and testing, as well as cybersecurity awareness training, for employees.
Keep Current
Follow our Roark Tech Services Blog to have the latest cybersecurity tips and news delivered right to your inbox.
If you don't have an IT partner that you can trust to give you the right support and advice, we'd love to help your business become more secure. Contact us.