Are You A Sitting Duck?

You, the CEO of a small business, are under attack. Right now, extremely dangerous and well-funded cybercrime rings in China, Russia, and Ukraine are using sophisticated software systems to hack into thousands of small businesses like yours to steal credit cards, client information, and swindle money directly out of your bank account. Some are even being funded by their own government to attack American businesses.

Don’t think you’re in danger because you’re “small” and not a big target like a J.P. Morgan or Home Depot? Think again. 82,000 NEW malware threats are being released every single day and HALF of the cyber-attacks occurring are aimed at small businesses; you just don’t hear about it because it’s kept quiet for fear of attracting bad PR, lawsuits, data-breach fines and out of sheer embarrassment.

In fact, the National Cyber Security Alliance reports that one in five small businesses have been victims of cybercrime in the last year – and that number is growing rapidly as more businesses utilize cloud computing, mobile devices and store more information online. You can’t turn on the TV or read a newspaper without learning about the latest online data breach, and government fines and regulatory agencies are growing in number and severity. Because of all of this, it’s critical that you protect your business from these top 10 ways that hackers get into your systems.

1. They Take Advantage Of Poorly Trained Employees.

The #1 vulnerability for business networks is the employees using them. It’s extremely common for an employee to infect an entire network by opening and clicking a phishing e-mail (that’s an e-mail cleverly designed to look like a legitimate e-mail from a web site or vendor you trust). If they don’t know how to spot infected e-mails or online scams, they could compromise your entire network.

2. They Exploit Device Usage Outside Of Company Business.

You must establish and maintain a set of security policies and best practices for how your organization’s equipment can be used, how data can be accessed, and how it will be protected from attackers. An example is an Acceptable Use Policy that outlines how employees are permitted to use company-owned PCs, devices, software, Internet access, and e-mail. We strongly recommend putting a policy in place that limits the web sites employees can access with work devices and Internet connectivity. Further, you have to enforce your policy with content-filtering software and firewalls. We can easily set up permissions and rules that regulate what web sites your employees access and what they do online during company hours and with company-owned devices, giving certain users more “freedom” than others.

Having this type of policy is particularly important if your employees are using their own personal devices to access company e-mail and data. In these cases a bring your own device (BYOD) policy would be appropriate.

If that employee is checking unregulated, personal e-mail on their own laptop that infects that laptop, it can be a gateway for a hacker to enter YOUR network. If that employee leaves, are you allowed to erase company data from their phone? If their phone is lost or stolen, are you permitted to remotely wipe the device – which would delete all of that employee’s photos, videos, texts, etc. – to ensure YOUR clients’ information isn’t compromised? If you haven’t had them agree to the proper controls up front, you have no leverage after they have left.

Further, if the data in your organization is highly sensitive, such as patient records, credit card information, financial information and the like, you may not be legally permitted to allow employees to access it on devices that are not secured; but that doesn’t mean an employee might not innocently “take work home.” If it’s a company-owned device, you need to detail what an employee can or cannot do with that device, including “rooting” or “jailbreaking” the device to circumvent security mechanisms you put in place.

3. They Take Advantage Of WEAK Password Policies.

Traditional password policies requiring “complex” passwords have gone extinct. The current secure standard for passwords is at least 16 characters and should be made up of combinations of distinct words or passphrases. These types of passcodes are logarithmically more difficult for a hacker to break and provide a much higher level of security for your devices and data.

4. They Attack Networks That Are Not Properly Patched With The Latest Security Updates.

New vulnerabilities are frequently found in common software programs you are using, such as Microsoft Office; therefore it’s critical you patch and update your systems frequently. If you’re under a managed IT plan, this can all be automated for you so you don’t have to worry about missing an important update.

5. They Attack Networks With No Backups Or Simple Single Location Backups.

Simply having a solid, reliable backup can foil some of the most aggressive (and new) ransomware attacks, where a hacker locks up your files and holds them ransom until you pay a fee. If your files are backed up, you don’t have to pay a crook to get them back. A good data security plan will allow you to not only recover from an attack without paying but can get you up and running much more quickly. These types of programs will allow you to restore your entire server in minutes as opposed to days if configured and maintained properly. Again, your backups should be AUTOMATED and monitored; the worst time to test your backup is when you desperately need it to work!
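The point about testing backups before you need them can be turned into a routine check. The script below is an added example, not code from the original article or from any vendor it describes: it archives a small constructed directory tree, records a SHA-256 manifest, restores the archive into a scratch directory and compares every restored file against the manifest, which is the automated restore test the paragraph calls for. The directory names and file contents are constructed for the example.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source_dir, archive_path):
    """Archive source_dir into a .tar.gz and return {relative path: sha256}.
    The manifest is what a later restore is checked against."""
    source_dir = Path(source_dir)
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for p in sorted(source_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source_dir).as_posix()
                tar.add(p, arcname=rel)
                manifest[rel] = sha256_of(p)
    return manifest


def verify_restore(archive_path, manifest):
    """Restore the archive into a throwaway directory and hash every file.
    Returns (ok, problems); problems lists missing or altered paths."""
    problems = []
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(archive_path, "r:gz") as tar:
            try:
                # "data" filter refuses absolute paths and ".." entries (Python 3.12+ and backports).
                tar.extractall(restore_dir, filter="data")
            except TypeError:
                tar.extractall(restore_dir)  # older interpreters without the filter argument
        for rel, expected in manifest.items():
            restored = Path(restore_dir) / rel
            if not restored.is_file():
                problems.append(f"missing: {rel}")
            elif sha256_of(restored) != expected:
                problems.append(f"hash mismatch: {rel}")
    return (not problems, problems)


def demo_backup_cycle():
    """Build a constructed source tree, back it up, verify the restore, then
    show the check catching a manifest that no longer matches the archive.
    Returns (first verification ok, second verification ok, second problems)."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "clients"
        (src / "2024").mkdir(parents=True)
        (src / "2024" / "invoices.csv").write_text("id,amount\n1,250.00\n")
        (src / "contacts.txt").write_text("Alice <alice@example.test>\n")
        archive = Path(work) / "clients.tar.gz"

        manifest = make_backup(src, archive)
        good, _ = verify_restore(archive, manifest)

        # Simulate drift: the recorded hash for one file no longer matches what is in the archive.
        drifted = dict(manifest)
        drifted["contacts.txt"] = "0" * 64
        bad, problems = verify_restore(archive, drifted)
        return good, bad, problems


if __name__ == "__main__":
    print(demo_backup_cycle())
```

Run on a schedule, a check like this gives you a yes/no answer every day instead of a surprise on the day you need the restore; the manifest should be stored separately from the archive so that a corrupted or encrypted archive is noticed rather than trusted.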

6. They Exploit Networks Using Credentials Purchased on the Dark Web.

One of the fastest ways cybercriminals access networks is by purchasing credentials that have been stolen in other data breaches and made available on the Dark Web. Monitoring the Dark Web for your information and changing compromised credentials immediately after they become available is critical to your organization’s security.
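Sections 3 and 6 together describe a password rule (at least 16 characters) and a check against credentials already exposed in breaches. The following is an added example, not code from the original article or any product it mentions, that enforces both: it compares the search space of an 8-character “complex” password with a 16-character passphrase, and it checks a candidate password against a constructed stand-in for a breach corpus using the prefix-only (k-anonymity) comparison that public breached-password services use, so the full password never leaves the machine. The corpus contents and the 94-symbol alphabet are assumptions for the example.

```python
import hashlib
import math

# Constructed stand-in for a breached-credential corpus: SHA-1 of a few
# passwords that are treated as "known compromised" for this example only.
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Password123!", "correct horse battery staple", "Winter2023!")
}

MIN_LENGTH = 16  # the article's stated minimum


def keyspace_bits(length, alphabet_size):
    """Bits of search space for `length` symbols drawn uniformly from an
    alphabet of `alphabet_size`: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def is_compromised(password):
    """Prefix-only lookup: only the first 5 hex characters of the hash would be
    sent to a lookup service; the suffix comparison happens locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    # What a k-anonymity service would return: every suffix sharing this prefix.
    returned_suffixes = {h[5:] for h in COMPROMISED_SHA1 if h.startswith(prefix)}
    return suffix in returned_suffixes


def evaluate_password(password):
    """Apply the policy. Returns (accepted, reasons) so a caller can tell the
    user exactly which rule failed."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if is_compromised(password):
        reasons.append("appears in compromised-credential corpus")
    return (not reasons, reasons)


if __name__ == "__main__":
    # 94 printable ASCII symbols assumed for the "complex" password alphabet.
    print(f"8 complex chars : {keyspace_bits(8, 94):.1f} bits")
    print(f"16 complex chars: {keyspace_bits(16, 94):.1f} bits")
    for pw in ("Password123!", "correct horse battery staple", "lantern gravel orbit seventeen"):
        print(pw, evaluate_password(pw))
```

Note that a long passphrase that has already leaked (the well-known “correct horse battery staple”) is rejected by the corpus check even though it satisfies the length rule; length and breach exposure are independent conditions and both need checking.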

7. They Attack Inadequate Firewalls.

A firewall acts as the frontline defense against hackers, blocking everything you haven’t specifically allowed to enter (or leave) your computer network. We recommend a next-generation firewall that includes real-time services that watch for malicious behavior and traffic passing through the firewall. All firewalls need monitoring and maintenance, just like all devices on your network. This too should be done by your security team or security partner as part of their regular, routine maintenance.

8. They Attack Your Devices When You’re Off The Office Network.

It’s not uncommon for hackers to set up fake clones of public WiFi access points to try and get you to connect to THEIR WiFi instead of the legitimate, safe public one being made available to you. We recommend that you not use free public WiFi for business purposes. If you need to access the Internet while on the road, you can do so using your cell phone as a hotspot. If you must use public WiFi, before connecting, check with an employee of the store or location to verify the name of the WiFi they are providing. Next, if you are accessing any business network, it should be done over a virtual private network (VPN) connection. Last, NEVER access financial, medical or other sensitive data while on public WiFi. Also, don’t shop online and enter your credit card information unless you’re absolutely certain the connection point you’re on is safe and secure.

9. They Use Phishing E-mails To Fool You Into Thinking That You’re Visiting A Legitimate Web Site.

A phishing e-mail is a bogus e-mail that is carefully designed to look like a legitimate request (or attached file) from a site you trust in an effort to get you to willingly give up your login information to a particular web site or to click and download a virus.

Often these e-mails look 100% legitimate and show up in the form of a PDF (scanned document) or a UPS or FedEx tracking number, bank letter, Facebook alert, bank notification, etc. That’s what makes these so dangerous – they LOOK exactly like a legitimate e-mail.

Train your employees to recognize the signs of a phishing email so they can avoid falling into the trap of the attacker and giving open access to your network.
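The signs this section tells employees to look for (a trusted brand in the display name but a different sending domain, a Reply-To that goes elsewhere, link text that shows one domain while the link points to another) can be checked mechanically before a message reaches an inbox. The script below is an added example, not code from the original article or any product it mentions: it parses a constructed delivery-notice e-mail and lists the indicators it finds, and returns nothing for a constructed legitimate message. The allowlist of trusted domains, the sample messages and the “last two labels” approximation of a registrable domain are assumptions for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist of brands the business actually receives mail from.
TRUSTED_DOMAINS = {"fedex.com", "ups.com", "example-bank.test"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Approximate the registrable domain as the last two labels.
    Assumption: no public-suffix list; good enough for this example."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def phishing_indicators(raw_message):
    """Return a list of human-readable indicators found in a single-part HTML e-mail."""
    msg = message_from_string(raw_message)
    indicators = []

    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""

    # 1. Display name drops a trusted brand, but the address is not that brand's domain.
    for brand in sorted(TRUSTED_DOMAINS):
        brand_word = brand.split(".")[0]
        if brand_word in display_name.lower() and registrable(sender_domain) != brand:
            indicators.append(f"display name mentions {brand_word} but sender domain is {sender_domain}")

    # 2. Replies would go to a different mailbox than the one that sent the message.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.lower() != address.lower():
        indicators.append(f"Reply-To {reply_to} differs from From {address}")

    # 3. Link text shows one domain while the href points somewhere else, or anywhere untrusted.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        shown = re.search(r"([a-z0-9-]+\.)+[a-z]{2,}", text.lower())
        if shown and registrable(shown.group(0)) != registrable(href_host):
            indicators.append(f"link text shows {shown.group(0)} but points to {href_host}")
        if href_host and registrable(href_host) not in TRUSTED_DOMAINS:
            indicators.append(f"link to untrusted domain {href_host}")
    return indicators


# Constructed sample messages (not real mail).
SAMPLE_PHISH = """From: FedEx Delivery <notice@fedex-tracking-update.test>
Reply-To: claims@mailbox-relay.test
To: ceo@smallbiz.test
Subject: Your package could not be delivered
Content-Type: text/html; charset=utf-8

<p>Track your shipment: <a href="http://fedex.com.delivery-verify.test/track">www.fedex.com/track</a></p>
"""

SAMPLE_LEGIT = """From: FedEx <tracking@fedex.com>
To: ceo@smallbiz.test
Subject: Shipment update
Content-Type: text/html; charset=utf-8

<p><a href="https://www.fedex.com/track?id=123">www.fedex.com/track</a></p>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(sample))
```

Note the third check: the lookalike host `fedex.com.delivery-verify.test` begins with the trusted name, which is exactly why comparing the registrable domain rather than the start of the string matters. None of these indicators proves a message is malicious on its own; they are the cues to surface to the employee the section wants trained.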

10. They Use Social Engineering And Pretend To Be You.

This is a basic 21st-century tactic. Hackers pretend to be you to reset your passwords, or they make requests on your behalf for money transfers or to send other important information that will get them to the next step in their hack. In any situation that looks suspicious, be suspicious. Always check by another communication means with the original requester to determine if it is legitimate.

Here’s what you should do…

There’s no sense in continuing to worry without taking proactive action. The best place to start is to create a plan to update or establish your cybersecurity plan. We can help you find the right place to start by running a gap analysis on your current policies, procedures, and technology.

Do you have concerns about the effectiveness of your firewall?