SMBs (small and medium businesses) have always enjoyed one security advantage over large or enterprise businesses: simply being small. Being small allowed them to fly under the radar of hackers, and that advantage is now gone. According to the Ponemon Institute’s report from July 2016, 35% of SMBs didn’t have any IT security or didn’t see it as a priority. Unfortunately, hackers are now going after small and medium businesses harder than ever.
Now in 2017, it is important for companies of all sizes to reassess their IT security and prioritize it properly. Several urgent threats will continue to grow and must be dealt with. If your IT team addresses these first among its security tasks, it will reduce the odds of your business becoming an easy mark.
There is no product that will block or prevent 100 percent of phishing attacks. Hackers keep coming up with new delivery channels: not just email, but social networks, text messages, malware-infected websites, and employees targeted on open wireless networks.
Phishing attacks are social engineering attacks: they target the human element with the goal of collecting credentials that can be used to access your systems. Once attackers have that access, any number of things can follow, including deploying malware, bot software or keyloggers, or simply extracting all private information to resell on the black market.
For SMBs, the best way to prevent phishing attacks is to educate your staff. A 30-minute conversation during your monthly staff meeting would be sufficient. Highlight some examples of clever phishing messages. This will go a long way toward helping people understand the threat, how they could be approached and why reporting anything suspicious is critical.
The team at Fortify 24×7 can help your IT team create anti-phishing training materials emphasizing four key points:
- How to identify suspicious communications
- Never click on a link from someone unknown (or when known, passing the email by IT first if there’s even a hint of suspicion)
- Look for “https:” to confirm the connection to a website is encrypted (keeping in mind that encryption alone does not prove the site is legitimate)
- Never bypass digital certificate warnings or pop-ups
Multi-Factor Authentication
According to the Verizon 2016 Data Breach Investigations Report published in April of 2016, 63% of all confirmed data breaches involved weak, default or stolen passwords. Hackers using phishing attacks look for passwords, but passwords can leak out in many other ways: reuse on other sites, capture through malware, and even brute-force guesses if the passwords are weak.
The surest fix is to stop relying on the password alone. Moving to two-factor authentication isn’t simple, but it has become a lot less expensive and less complicated in the past few years. There are definitely solutions that small businesses can afford.
If two-factor authentication isn’t a possibility for your organization, spend time defining and enforcing a password policy. Look for accounts which are no longer needed. Reduce the number of accounts with administrative-level privileges. Frequent password changes are perceived as a waste of everyone’s time, but they are important. Make sure you do not allow users to reuse the same password more than once per year. Also consider requiring that passwords be 16 characters or more. It isn’t necessary to require symbols, but a long password is far harder to brute-force and discourages password reuse.
Third parties (vendors) sometimes need access to an organization’s network. This can be extremely problematic, as vendor accounts are often shared by multiple people. Whenever possible, require that vendor accounts be person-specific rather than generic. It is a best practice to keep vendor accounts disabled until the access is needed to resolve a problem, and to disable them again afterwards.
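The password-policy and account-hygiene advice above, as an added PowerShell example that is not part of the original post: it assumes an on-premises Active Directory domain with the RSAT ActiveDirectory module installed, and the policy name, the 90-day inactivity window, the history count of 24 and the “vnd-” vendor-account prefix are all assumptions to adjust for your own domain.

```powershell
# Added example (not the original post's code). Assumes an on-premises AD domain,
# the RSAT ActiveDirectory module, and a "vnd-" naming convention for vendor
# accounts; the policy name, 90-day window and history count are assumptions.
Import-Module ActiveDirectory

# 1. Password policy: 16+ characters, no forced symbols, one-year maximum age,
#    and a history deep enough that a password cannot be reused within that year.
$policyName = 'SMB-Standard-Users'
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$policyName'")) {
    New-ADFineGrainedPasswordPolicy -Name $policyName -Precedence 100 `
        -MinPasswordLength 16 -ComplexityEnabled $false `
        -MaxPasswordAge (New-TimeSpan -Days 365) `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -PasswordHistoryCount 24 `
        -LockoutThreshold 10 `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30)
    Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects 'Domain Users'
}

# 2. Accounts that are no longer needed: still enabled, but no logon in 90 days.
$stale = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days 90) -UsersOnly |
    Where-Object { $_.Enabled }
Write-Output "Enabled accounts with no logon in 90 days:"
$stale | Select-Object SamAccountName, LastLogonDate | Format-Table -AutoSize

# 3. Administrative-privilege review: list nested membership of the built-in
#    admin groups so the count can be driven down to what is really needed.
foreach ($group in 'Domain Admins', 'Enterprise Admins', 'Administrators') {
    $members = Get-ADGroupMember -Identity $group -Recursive |
        Select-Object -ExpandProperty SamAccountName
    Write-Output ("{0} ({1}): {2}" -f $group, $members.Count, ($members -join ', '))
}

# 4. Vendor accounts stay disabled until a ticket needs them. -WhatIf only reports
#    what would change; remove it once the list has been reviewed.
Get-ADUser -Filter { SamAccountName -like 'vnd-*' -and Enabled -eq $true } |
    Disable-ADAccount -WhatIf
```

Run it from an account with domain administration rights; steps 2 and 3 only read, and step 4 changes nothing until -WhatIf is removed.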
Malware Is Everywhere, So Hunt It Relentlessly
Even the safest surfer in an organization will likely come into contact with malware eventually, as attackers go after reputable websites too. Although an IT team might feel it can’t handle upgrading to the latest Microsoft Windows operating system or Office, being an early adopter is the primary way to gain systemic protection against current and future threats. (And, Mac OS users, this means you too; see the sidebar below.)
Patching is essential and one of the simplest ways to maintain the security of your computers. A business needs to start with the latest stable OS, internet browser and office productivity suite to gain that edge against a constant stream of new attacks. There will always be staff members who insist that they can’t survive without this or that application, but they can. The risks are too high to indulge personal preferences. Create a list of approved applications which are allowed on your computers. Any deviation from the list should be approved at the highest level of your company, so that the potential risk is clearly acknowledged.
Make Yourself Secure Against Ransomware
As threat actors (hackers) aim to monetize their talents, ransomware has run rampant through businesses of all sizes. But these attacks rely on bad IT practices to work: people storing sensitive documents on their local PCs, backups that aren’t done properly, easily sniffed passwords, and poor network security.
Start by deploying endpoint protection technology that will block malware, ransomware and viruses. Then educate your users about how and where to store important data. Finally, invest in Continuous Data Protection (CDP) backup technology and ensure that the backups capture everything and that backup copies are kept where an infected PC cannot overwrite them.
Think Before You Migrate to the Cloud
Pushing some apps to the cloud is part of most organizations’ IT strategies. But a cloud move doesn’t alleviate the need for security best practices. Security must be a fundamental part of any cloud vendor selection and migration plan. Many people assume the cloud is inherently secure, but a cloud service that is misunderstood or misconfigured is just as vulnerable as an on-premises system, or more so.
Take the time to link all systems using directory protocols such as LDAP or Active Directory Federation Services. This puts your company IT team back in control and ensures enforcement of password policies, accuracy of group memberships and prompt deactivation of users everywhere when necessary.
For many reasons, 2017 is going to be an interesting year. No longer can SMBs assume that their size will keep them from becoming a target for hackers. It is more likely that SMBs become bigger targets, as attackers know their security is more relaxed. Fortify 24×7 is here to help small and medium businesses keep themselves protected from security breaches and keep their IT systems operational. Schedule a 30-minute discussion with one of our technical project managers to see how our team can become an extension of yours.