
The Importance of a Risk Assessment

November 2, 2018

As a Pisces, I’m naturally empathetic. As an IT Consultant for the past 15 years, that empathy has developed in me a passion for securing my clients’ networks against the near-daily attacks they face from hackers.

Knock on wood, I have been fortunate that my small business customers in those 15 years have experienced only two security incidents.

Both were relatively minor, didn’t cost as much to recover from as the average data breach, and didn’t meet regulatory requirements to report the breaches to the media.

Nonetheless, the second incident required the organization to notify the approximately 60 individuals whose Personally Identifiable Information (PII) had been compromised.

Those two incidents and the ongoing anxiety my clients feel about their network’s security are why I offer a free, no-obligation Cyber Security Risk Assessment to not only my clients but also to prospects.

Whether you ultimately use our FlexIT End-User IT Security Program or not, I want you to take advantage of this free Cyber Security Risk Assessment so you know, instead of guessing, what cyber security measures you need in place to protect your organization, employees, customers and vendors.

When the risk assessment is complete, you’ll know:

  • The current state of your IT security measures
  • The types and sensitivity of the data your employees handle
  • The interest hackers would have in your organization’s data
  • The value of your data to hackers
  • The cost of a data breach to your organization
  • Your current vulnerabilities to social engineering attacks
  • The likelihood that your company will face direct or indirect attacks by cyber criminals

From this assessment, which will take about an hour of your time, you will be able to make educated decisions rather than guess about what kinds of cyber security measures you should have in place and how much you should spend on them.

To assure your customers and vendors that you take their data’s security seriously, contact me at ericm@enduseritsecurity.com or 302-537-4198. You can also complete the form for our FREE, no-obligation Cyber Security Risk Assessment.


Why hackers like social engineering

September 25, 2018

You’ve undoubtedly seen the movies where highly skilled hackers need only a few minutes to crack the most secure computer networks in the world.

The reality is quite different. Successfully hacking a network, even a small business network protected by just anti-virus and a firewall, takes days, weeks and even months.

That’s why hackers often use social engineering against small businesses and organizations: rather than spending all of that time trying to get past the technological defenses, they con unwitting employees into giving up their login credentials or other information that the hacker can use or monetize.

For instance, rather than trying to guess passwords or break through the firewall, they can simply send out phishing emails tricking an employee into entering their login credentials into a fake web page. They know they will get a fairly high percentage of clicks because they have already tested various versions of the same email against smaller lists of email addresses.

They might also place phone calls impersonating a company’s tech support to get a user name and password they can use to log on to the network and conduct their illegal activities.

Whatever social engineering technique they use, it will be easier than trying to break into a network.

Plus, it can give them access not only to the network, but bank accounts, medical records, tax info, proprietary information, or other data or files that they can use themselves to commit various types of fraud or re-sell to other cyber criminals.

What can you do about it?

Security Awareness Training for your employees, along with phishing simulation testing and ongoing alerts and tips about the latest scams, provide the best defense against social engineering scams.

For information on security awareness training, contact me at 302-537-4198 or ericm@enduseritsecurity.com or visit our web site at http://www.enduseritsecurity.com.

Market Your Security Measures

July 26, 2018

The most common lament about cyber security among small business owners is that it drains profits while adding no value to the business.

That shouldn’t be the case, however.

Let’s set aside the truth that proper cyber security measures reduce the likelihood of a successful attack and the ensuing headaches, including bankruptcy, which engulfs 60 percent of SMBs within six months of a breach.

In today’s security-challenged business environment, where most small business owners mistakenly think they are “too small” to be of interest to hackers, a proactive cyber security program can differentiate you from your competition.

A PSFK Lab study with MasterCard revealed that 89 percent of customers expect stores to keep their financial information secure. With heightened alerts about Russian cyber attacks and one breach after another in the headlines, consumers have become more paranoid about their data than ever.

Suppliers — 2/3 of whom reported in a recent study that they have been victimized by a breach originating at a client or another vendor — are requiring stronger security of third parties before they allow them on their networks.

But perhaps most damning of all — a 2017 study by PWC of consumers’ attitudes about the safety of their personal information showed that only 25 percent believe businesses handle their data responsibly.

Prove to your customers that you do handle their data responsibly by touting your company’s cyber security measures as part of your marketing.

Note that I’m not saying to advertise the technology you use to protect your network because that would just give the bad guys key technical tidbits to break in. I’m talking about advertising on your marketing collateral and in your ads things like:

* “Our employees participate in ongoing cyber security training to protect your data”, or
* “Our employees have completed cyber security training to protect your data”, or
* “We deploy state-of-the-art cyber security measures to protect your data”, or
* “Our network security meets (insert government and / or industry-specific regulations here)”, or
* Posting security training certificates or posters in your business.

So, rather than grousing about the cost of security measures like hardware, software and training, turn this aggravating expense into an investment in your bottom line by assuring your customers and vendors that you protect their sensitive information as diligently as you protect your own.

Eric Magill is the owner of enduseritsecurity.com, which creates a culture of security in small businesses with security policies and security awareness training for employees. Call us at 302-537-4198 or Email us.

Prompt Breach Disclosure Essential

June 27, 2018

At the RSA Cyber Security Conference this spring, a survey of attendees by access management company Thycotic exposed a shocking double standard regarding breach disclosures.

Not shockingly, 84 percent expected an organization to notify them immediately if it suffered a data breach.

Shockingly, only 37 percent said they would notify their customers promptly if their organizations suffered a breach.

On second thought, when you see the blatant disregard for users’ privacy and PII by corporate America (think Uber, Equifax, Panera Bread breaches, etc.), the figure shouldn’t be that shocking.

Far too often, businesses in particular compound the inherent damage of a breach by covering up the facts as long as possible out of a greater concern for the company’s and executives’ reputations than their customers’ identities.

Of course, such foot-dragging in disclosing breaches never ends well for the company: it claims a hefty percentage of sales in the immediate aftermath, causes a dramatic drop in stock price for publicly traded entities, creates a public relations disaster and lost goodwill, invites government investigations, and typically costs the CEO and key IT personnel their jobs.

Unnecessary butt-covering in disclosing breaches is why business owners are so often viewed as suspiciously as the hackers instead of like other crime victims.

Nevertheless, we get survey results like this one indicating the desire to cover up is stronger than the desire to do the right thing by customers and suppliers.

But, if ethical and moral considerations don’t motivate executives enough, perhaps increased regulatory pressure like the GDPR in the European Union or increasingly strict state disclosure laws across the United States will.

The GDPR requires companies doing business in the EU to disclose breaches within 72 hours of discovery. State laws also put a time limit on notifications. Federal legislators have even proposed a bill to jail executives who hide breaches.

Just from a moral and ethical standpoint, you should inform your customers and vendors, as well as the authorities, ASAP after a breach has been discovered and its breadth has been determined.

I’m talking days, not weeks or months. It will go much more smoothly, too, if you have developed an Incident Response Plan that lists those responsible for breach disclosures in your company — who contacts authorities, who handles customer / vendor / public notifications, public relations, etc.

Don’t be stupid and irresponsible with your breach disclosures when you become a victim. Be considerate and responsible and look out for your customers’ and vendors’ best interests too.

Does Your Data Depart With Employees?

June 11, 2018

When employees leave your company, do you know if your company’s data leaves with them?

Part of your procedures for off-boarding employees should involve the protection of the data they had access to while employed.

You pay a lot of money to build relationships with customers and clients. Your data of their activities, purchases, etc., fuels those relationships.

Unscrupulous employees, however, could take all of that hard work and expense and give it to their next employers — quite likely your competitors — for free.

That happens more frequently than you might think, as corporate presentations, customer lists and intellectual property leave with departing employees. Osterman Research reported that 69 percent of employees take data with them to their next employers. A Biscom survey in 2015 put that number at 87 percent.

The consequences range from loss of revenue to regulatory violations, legal battles and damage to a company’s competitiveness.

Protection of that data should begin while your employees still work for you. For example, employees should be required to sign an Acceptable Use Policy that explicitly states that the data they handle belongs to the company. It should specify that company data may not be copied to any removable storage media or external network drives or emailed or transmitted in any way without the written permission of management.

Other controls should include:

  • Visibility into employee practices
  • Limiting employee access to only the data they need for their jobs
  • Requiring encryption of sensitive data
  • Managing devices properly
  • Ensuring that data is backed up and archived properly
  • Requiring the use of enterprise apps
  • Deploying technologies that aid in achieving the above

For more information on how FlexITechs can help you protect your data from loss to departing employees, contact Eric Magill at 302-537-4198 or ericm@flexitechs.com.

Supply Chain Security

February 18, 2018

If you haven’t already, chances are you will be required in the next year or two to submit proof to a supplier or customer that you are taking all reasonable precautions to secure their data or network when you access them.

With hackers learning that the easiest way into a large enterprise’s treasure trove of data and dollars is through a smaller supply chain partner that can’t afford 24×7 cyber security, you will find those large enterprises will expect proof that you are securing your own network when you access their network portals and handle their data.

In fact, you might consider requiring that of your partners and commercial customers yourself.

Why should you or your suppliers and customers care about each other’s cyber security practices?

Some of the largest breaches in history started with a hack of a third-party supplier or vendor and these supply chain breaches are rising.

  • The Target breach that lost 40 million credit cards didn’t start with a sustained hack on Target but with an employee at one of Target’s HVAC vendors opening a bad file attachment that installed malware on that employee’s computer. Using that machine, hackers found the HVAC company’s login credentials to Target’s vendor portal and from there worked their way to Target’s cash registers. When the dust settled, Target lost all of those credit cards, its sales fell 46 percent at one point, and recovery costs exceeded $200 million.
  • The Home Depot breach also resulted from a third-party breach and the home improvement giant spent more than $150 million in recovery, even after insurance paid $100 million.
  • According to the 2017 Ponemon Institute Data Risk Study, 56% of respondents reported they had suffered breaches that began with intrusions at third parties — a 7 percent increase over 2016.
  • Cyber criminals routinely hack email accounts to send email to all of that account’s contacts to make the email — laden with infected file attachments or links to fraudulent web sites — appear to be from a known and trusted source.

The SANS Institute has developed a document detailing how to establish a supply chain security program at https://www.sans.org/reading-room/whitepapers/analyst/combatting-cyber-risks-supply-chain-36252.

SANS’ conclusion:

“Supply chain partners are just as likely to be attacked today as any organization, and if not managed properly, they may afford attackers a back door into the networks of host organizations.”

You can also assure your partners and customers that you have taken appropriate security precautions to protect your network by implementing anti-virus and firewalls, patching software, and Security Awareness Training for your employees.

For details on such a program, call enduseritsecurity.com at 302-537-4198 or email us at securityinfo@enduseritsecurity.com.

SMBs Profitable Targets for Hackers

January 20, 2018

Most small business owners don’t believe they would be of interest to hackers. They can’t envision that cyber criminals would spend weeks or months trying to break into their networks.

And they’re right … except for one thing.

Cyber criminals take their “businesses” as seriously as legitimate business owners by investing in more efficient methods of stealing data and money from all sizes and types of organizations — and no business is too small, right down to moms-and-pops who have found themselves caught in the cross-hairs of a Ransomware attack.

By following the practices of legitimate businesses, hackers can efficiently attack thousands of small businesses at a time and trick unsuspecting employees into divulging sensitive information such as login credentials that “earn” a hefty ROI — up to 1,400% in 30 days on a $5,000 investment — without ever trying to crack a single password.

The fact is, businesses of all sizes have data hackers want and can monetize. The data you store on yourself, your customers, your employees and your vendors can generate anywhere from 50 cents per record for basic contact info to thousands of dollars for financial account login credentials on the Dark Web underworld.

As long as the ROI remains high and the risk of getting caught remains low, cyber criminals will continue to invest in ever more efficient methods of stealing your data and money — including A / B market testing, out-sourcing, franchising, demos, and customer service — that legitimate business owners would instantly recognize.

A study by UBM in 2016 found that “Businesses aren’t up against hordes of elite hackers but an industry efficient at finding those who are vulnerable.” Hackers have concluded that small businesses are most vulnerable because they can’t afford the 24×7 security monitoring solutions that large enterprises can.

Further, that same UBM study stated that “The most common weak spots are employees who get caught by attacks that use social engineering and under-budgeted IT teams that don’t have the necessary skills, tools, or time to properly patch and defend complex, sprawling networks.”

If you don’t think your small business has a “complex, sprawling network”, a risk assessment will likely provide an eye-opening look at just how vulnerable your network is for your company, employees, customers and vendors.

In fact, a study by Check Point Software Technologies found that almost half of those surveyed had been victims of social engineering attacks and had experienced 25 or more attacks in the past two years. Those attacks cost victims between $25,000 and $100,000 to recover from.

To learn more about the risk your small business faces of a cyber attack, and how to make your small business less profitable to cyber criminals with Security Awareness Training, read our FREE report, “The Business of Cyber Crime and Why Small Businesses are Profitable Targets”, at http://www.enduseritsecurity.com/reports.shtml.
