It’s common belief that people are the last line of defense during a cybersecurity attack. Wrong. In many instances people are in fact the first line of defense. If your employees are (1) aware and (2) properly trained, then they will be one of your single strongest assets in fighting a never-ending war against cybercrime.
Basic human behaviors such as inquisitiveness, excitement, distraction, and indecision make people extremely vulnerable to one of the most popular and effective cyber-attacks called Social Engineering. Social Engineering is a term used to describe a wide variety of techniques that are used by malicious hackers to exploit human beings and execute a successful cyber-attack.
The most common example of a Social Engineering attack is called Phishing. This is an exercise where an email is sent with the intent of tricking the recipient and convincing them to either click on a malicious link, download a malicious attachment, or even relinquish sensitive information such as passwords, credit card numbers or bank account details. The victim rarely knows they are being exploited until it is too late.
The results of a successful Phishing attack can be devastating. In some cases, the network is infected with malware or a virus causing loss of data and significant outages or disruptions. In other cases sensitive information or data is stolen and further exploited or resold on the dark web. There are even many documented cases of unauthorized wire transfers resulting in tremendous and unrecoverable financial losses.
So, how does an organization take a group of employees and turn them into an effective cybercrime fighting machine? I’m glad you asked. There are three simple steps that must be executed:
Step 1. Develop A Culture Of Security
Cultures are ultimately defined and upheld from the top down. Leadership, Executive and Management teams must commit to the creation and enforcement of cybersecurity policies, procedures and processes. They must also emphatically message and communicate the importance of good cybersecurity hygiene.
Employees should understand how exactly they can be good cybersecurity stewards and more importantly why it is so critical that they are. Lastly, employees who transform into skeptical, protective and enlightened cybercrime fighting soldiers should be recognized and rewarded.
TIPS to help Develop A Culture Of Security:
- Create cybersecurity policies – these are the guidelines and rules.
- Publish cybersecurity policies – allow employees to read and digest the content.
- Assign roles and responsibilities – tell employees what they must do.
- Good governance – enforce the rules, reprimand offenders & celebrate achievers.
- Frequent Communication – talk about cybersecurity often, remind and reinforce!
Step 2. Educate And Train
The best armies are well trained. They are not only armed, but they understand exactly how and when to use their weapon. They understand their mission, know what they are fighting for, and they have practiced and are ready for combat.
Teach your employees about common threats and dangers such as Social Engineering attacks. Show them how to use software and computers in a secure fashion. Explain correct process and procedures are. Provide them with the critical training they need to effectively fight cybercrime.
TIPS to help Educate And Train:
- Implement a security awareness training program – commit to the training.
- Be sure the content is meaningful and relevant.
- Make the training fun and engaging – tell lots of stories.
- Make the training mandatory.
- Make the training frequent – at least once a year.
- Focus on the basics – keep the content simple and easy to understand.
Contact us today to learn how we can help you start establishing cybersecurity throughout your organization.
Step 3. Test The Effectiveness
It will be difficult to know if your new cybersecurity culture is performing as you hoped unless you test the effectiveness of policies, processes, procedures and awareness training. Is the effort you’ve put into creating an army of equipped cybercrime fighting employees actually providing the protection you desire?
There are only two ways to find out. One, wait for a legit attack to occur and hope for the best – or – two, launch a simulated attack yourself. Controlled Phishing attacks, penetration tests, table top incident response exercises or even a Monday morning pop quiz can all be effective exercises to test your employees’ level of understanding and compliance.
Use the test results as an opportunity to re-engage with employees or even re-tool training efforts. Get better with practice.
TIPS to help Test The Effectiveness:
- Launch simulated Phishing attacks – see how employees actually behave.
- Spot check for policy compliance – it is after 5PM, is the Clean Desk Policy working?
- Include social attacks in the scope of penetration testing.
- Conduct table top exercises.
- Document and share results.
- Learn and get better.
Right now, your employees are probably the weakest link in your cybersecurity defense chain. Make them your strongest link. Our Breach Prevention Platform and Security Awareness Training with simulated phishing tests will give your employees the tools they need to spot a phishing attempt. Reach out today at 716-373-4467 x115 or firstname.lastname@example.org to speak with one of our experienced team members about getting started.
Content used with permission from Cyberstone.
Once upon a time, our most precious assets were confidently protected behind layers of security defenses. Cash was neatly stacked in a cast metal safe which was bolted to the floor of the building. Customer lists and bank records were locked in a filing cabinet and only accessible to the person who had the key. Human Resource records were protected by the shelter of the impenetrable HR office door.
Then, digital electronics revolutionized the typical business office. Instead of accessing records from a locked filing cabinet, employees now used computers to navigate a digital file system which contained an abundance of information – much of it considered to be confidential. The sensitive documents that were once tangible and secured behind a physical lock and key were now accessible in digital format and stored in the data network for end users to access.
Security controls such as passwords and file permissions were established to protect the confidential information in its new digital format. This was a time however, when computing devices were stationary and did not typically leave the confines of the physical office. Employees would report to the office for work, log onto their computer, and only then – be granted with access to confidential information. The data that companies treasured most rarely – if ever – left the building.
The same statement cannot be made today. Mobile computing devices are very popular and can be found in most corporate computing devices. Employees are no longer forced to work on a computer that is tethered to the floor beneath their office desk. Laptops and tablets have provided employees with the freedom and flexibility to work from just about anywhere. Mobile devices have also changed the corresponding security landscape too.
The Customer Lists, HR records and Bank Statements are now leaving the building.
The 2 Significant Risks Associated with Mobile Computing Devices:
People lose them and people steal them.
The most common item stolen by thieves is cash, the second is electronic devices. So, what happens when the hotel maid swipes your work laptop or tablet? Or, what if it’s accidentally left at a train station or airport?
The answer to both questions is simple: Someone now has a device that contains sensitive and confidential business information. Chances are that “Someone” is not a trusted entity at all. Many data breaches start with a stolen work device. The stolen property is then compromised, and the thief has the ability to use or sell the stolen data.
There is no doubt that mobile computing devices pose a real security challenge. We have grown accustomed to the elasticity they provide and it is unreasonable to think we will revert back to using the stationary computer we once used at our desk. Laptops and tablets are here to stay.
Human beings will continue to lose these devices and criminals will continue to steal them. Although we can fight to minimize these occurrences through effective awareness training, the reality is that we will not be able to prevent them all together.
However, there are security controls you can put in place to help minimize your businesses risk when it comes to laptops and tablets.
Use a VPN
Free Wi-Fi may be a welcome site when you’re on the road, but it can also be dangerous. You don’t know who else is using that Wi-Fi. A hacker hanging out on the connection can easily steal your data if you’re not protected.
It’s better to use either your mobile carrier connection or a virtual private network (VPN) app. VPN plans are inexpensive and will keep your data encrypted, even if you’re on public Wi-Fi. It is highly recommended that VPNs are secured using Multi-Factor Authentication, this provides an additional layer of security against threat actors.
Visit our website here to learn more about VPNs and what factors to consider when choosing a plan.
Backup Your Data
Don’t lose all your work data with the device! Back up your devices to the cloud or local storage before you travel. This ensures that you won’t lose the valuable information on your device.
Need help with a Data Backup and Recovery plan for your business? Contact us today or visit our website to learn more.
Local Admin Privileges allow employees to make adjustments to their work computers without the need for IT interference. This means that they can download programs, connect to printers, and modify software already installed on their computer.
This can be convenient, but poses a major cybersecurity risk.
If a device is stolen and the thief were to gain access to an account with local admin privileges, the damage could be endless. This is especially true for a business that is not utilizing security measures such as Multi-Factor Authentication (MFA) or Password Managers.
Once a hacker has breached your computer they could download malware, spyware, or even ransomware. Resulting in computer files being locked, credentials being stolen, or even a virus spreading throughout your entire network.
Visit our website here to learn more about Local Admin Privileges.
Databranch Can Help
There are key digital solutions we can put in place to keep your business safer from online threats. Contact us today at at 716-373-4467 x115 or email@example.com to schedule a chat about mobile security.
Content provided curtesy of Cyberstone.
Once data began going digital, authorities realized a need to protect it. Thus, the creation of data privacy rules and regulations to address cyber threats. Many organizations have one or more data privacy policies they need to meet.
Those in the U.S. healthcare industry and their service partners need to comply with HIPAA. Anyone collecting payment card data must worry about PCI-DSS. GDPR is a wide-reaching data protection regulation that impacts anyone selling to EU citizens.
Industry and international data privacy regulations are just the tip of the iceberg. Many state and local jurisdictions also have their own data privacy laws. Organizations must be aware of these compliance requirements along with any updates to these rules.
By the end of 2024, about 75% of the population will have its data protected by one or more privacy regulations.
Authorities enact new data privacy regulations all the time. For example, in 2023, four states will have new rules. Colorado, Utah, Connecticut, and Virginia will begin enforcing new data privacy statutes.
Businesses must stay on top of their data privacy compliance requirements. Otherwise, they can suffer. Many standards carry stiff penalties for a data breach and if security was lacking, fines can be even higher.
The Health Insurance Portability and Accountability Act (HIPAA) uses a sliding scale. Violators can be fined between $100 to $50,000 per breached record. The more negligent the company is, the higher the fine.
Don’t worry, we have some tips below for you. These can help you keep up with data privacy updates coming your way.
Steps for Staying On Top of Data Privacy Compliance
1. Identify the Regulations You Need to Follow
Does your organization have a list of the different data privacy rules it falls under? There could be regulations for:
- Where you sell (e.g., if you sell to the EU)
- City or county
- Federal (e.g., for government contractors)
Identify all the various data privacy regulations that you may be subject to. This helps ensure you’re not caught off guard by one you didn’t know about.
2. Stay Aware of Data Privacy Regulation Updates
Don’t get blindsided by a data privacy rule change. You can stay on top of any changes by signing up for updates on the appropriate website. Look for the official website for the compliance authority.
For example, if you are in the healthcare field you can sign up for HIPAA updates at HIPAA.gov. You should do this for each of the regulations your business falls under.
You should also have these updates sent to more than one person. Typically, your Security Officer or equal, and another responsible party. This ensures they don’t get missed if someone is on vacation.
3. Do an Annual Review of Your Data Security Standards
Companies are always evolving their technology. This doesn’t always mean a big enterprise transition. Sometimes you may add a new server or a new computer to the mix.
Any changes to your IT environment can mean falling out of compliance. A new employee mobile device added, but not properly protected is a problem. One new cloud tool an employee decides to use can also cause a compliance issue.
It’s important to do at least an annual review of your data security. Match that with your data privacy compliance requirements to make sure you’re still good.
4. Audit Your Security Policies and Procedures
Something else you should audit at least annually is your policies and procedures. These written documents that tell employees what’s expected from them. They also give direction when it comes to data privacy and how to handle a breach.
Audit your security policies annually. Additionally, audit them whenever there is a data privacy regulation update. You want to ensure that you’re encompassing any new changes to your requirements.
5. Update Your Technical, Physical & Administrative Safeguards As Needed
When you receive a notification that a data privacy update is coming, plan ahead. It’s best to comply before the rule kicks in, if possible.
Look at three areas of your IT security:
- Technical safeguards – Systems, devices, software, etc.
- Administrative safeguards – Policies, manuals, training, etc.
- Physical safeguards – Doors, keypads, building security, etc.
6. Keep Employees Trained on Compliance and Data Privacy Policies
Employees should be aware of any changes to data privacy policies that impact them. When you receive news about an upcoming update, add this to your ongoing training.
Good cybersecurity practice is to conduct ongoing cybersecurity training for staff. This keeps their anti-breach skills sharp and reminds them of what’s expected.
Include updates they need to know about so they can be properly prepared.
Remember to always log your training activities. It’s a good idea to log the date, the employees educated, and the topic. This way, you have this documentation if you do suffer a breach at some point.
Visit our website here to learn more about our Breach Prevention Platform and Security Awareness Training which includes simulated phishing tests and weekly micro-trainings!
Get Help Ensuring Your Systems Meet Compliance Needs
Setting up well-designed IT compliance may be a long process, but it can make a world of difference in terms of business security. It keeps your business reputation intact and allows you to avoid penalties and fines.
However, you’ll need to pay special attention to several aspects and one of the most significant ones is your IT provider.
If your IT isn’t living up to its potential, you’re bound to face compliance issues. This can cause tremendous stress and halt your operations.
Luckily, there might be an easy way out of your predicament. Contact us today at 716-373-4467 x115 or firstname.lastname@example.org to schedule a quick chat with Databranch to discuss your IT problems and find out how to get more out of your provider.
Article used with permission from The Technology Press.
Buyer beware – software programs or tools that claim the ability to conduct a risk assessment by scanning your network with little to no human interaction should raise concern!
These tools will generally do a nice job discovering vulnerabilities that exist in your technology environment, but vulnerabilities are not risks by default.
Is you business familiar with vulnerability assessments and their benefits? If not, visit our website here to learn more about the benefits and how they can enhance your cybersecurity posture.
What is Needed
Risk requires the presence of a vulnerability PLUS the action of threat actor.
To illustrate this concept using an example from the tangible world, lets visualize a car. The car is parked, and the doors are unlocked. A premature conclusion would be to state that the doors being unlocked translates to risk. If you apply critical thought however, you will discover that the unlocked doors are simply a vulnerability that could be exploited.
You would need more information to determine actual risk. Is there anything valuable in the car? What is the crime rate associated with the place the car is parked? What would the impact be if someone gained access to the car? Who would attempt to gain access to the car? Are there other compensating controls in place, like a security camera? The same logic applies to the digital world.
The presence of vulnerabilities like unpatched computers or misconfigured devices will contribute to the likelihood of a risk event occurring, but it is shortsighted to say that vulnerabilities equal risk. That statement simply is not true.
A risk assessment requires critical thought to occur beyond the discovery of vulnerabilities by software tools. It requires critical thinking and the use of logic and reason. All of which made capable by the involvement of qualified human beings during the risk assessment process.
Relying on the arbitrary risk statements and scores created by software tools that simply discover vulnerabilities in your network, can lead to a false understanding of your actual risk profile. This can then easily lead to the wasteful allocations of resources – intended to reduce risk – but end up remediating a vulnerability instead.
What Happens After the Assessment?
Typically, a vulnerability assessment can be completed in a day or two. The results of a vulnerability assessment are documented and provided to the stakeholder complete with recommendations around remediating any weaknesses found.
Security shortcomings found during a vulnerability assessment can almost always be fixed. Many times, the fixes are very easy to accomplish. Roughly 60% of all reported cybersecurity breaches occurred because the bad actors exploited common vulnerabilities and exposures (CVE).
This means that roughly 60% of all reported cybersecurity breaches could have been prevented if the victim had simply conducted a vulnerability assessment and made small improvements to their cybersecurity posture that would have eliminated a substantial amount of risk.
Interested in setting up a vulnerability assessment? Contact Databranch today at 716-373-4467 x115, email@example.com , or fill in the form below to set up a meeting with one of our experienced team members.
Not only will we help with the assessment, but our team of highly trained engineers will help your business prioritize based on your specific business needs.
Request your free security risk consultation with a Databranch Security Expert here:
Content was provided courtesy of CyberStone.
What does “End of Support” mean? It means that after this date, these products will no longer receive non-security updates, security updates, bug fixes, or technical support. It also means that you will not be in compliance with most industry wide compliance standards and regulations.
What Should I Be Doing?
- Start planning your migration NOW.
- Determine how many instances of Server 2012(R2) are being utilized in your current network setup.
- Assess the upgrade path for applications that currently run on these operating systems.
- Allocate resources and budget for necessary hardware upgrades to transition to a newer version.
What Happens If I Don’t Upgrade?
Security & Compliance Issues
Software and OS vulnerabilities are sought out and exploited all the time. This is what hackers do for a living. The vulnerability cycle usually begins with hackers finding a software “loophole.” They then write code to exploit it that allows them some type of system access.
The software developer learns of this, usually once hackers start breaching systems. They write code to fix that vulnerability. Developers then send the fix to users via an update that they install. This protects the device from one or more hacker exploits.
When a software reaches its end of life, these fixes are no longer made. The developer has moved on to focus on its newer products. So, the vulnerability remains. It leaves a device vulnerable to hacks for days, months, or years afterward.
Approximately 61% of security vulnerabilities in corporate networks are over five years old.
Visit us here to learn more about penetration testing and how it helps identify the vulnerabilities in your business.
If you have to comply with a data privacy regulation, like HIPAA, you’ll also run into issues. Data privacy rules dictate making reasonable efforts to protect data. Using a device with a outdated software jeopardizes meeting compliance.
The older a system gets, the slower it will get. Staff that must work on outdated software often complain that it hurts productivity. 77% of surveyed employees were frustrated with outdated tech. Employees dealing with outmoded systems may also quit. They are 450% more likely to want to leave and work elsewhere.
An outdated operating system can hold your staff back. They will miss out on modern time-saving features and they can also run into problems with bugs that will no longer get fixed.
Incompatibility With Newer Tools
Software and hardware developers aren’t looking back. Once Windows Server 2012 reaches “End of Life”, they aren’t prioritizing its compatibility. In fact, some may not want their product to be compatible with it because of the liability.
When you run into issues because of outdated software and modern hardware, it hurts your business. You become less competitive and begin to fall behind.
Get Help With Your Windows Upgrades
The good news is, we are still six months away from the end of support date. But it’s important to start preparing now. Databranch has successfully migrated numerous clients and our team is excited to work with you to create a migration plan for your organization! Reach out today at 716-373-4467 x115 or firstname.lastname@example.org to speak with one of our experienced team members.