
Featured Article

IS YOUR COMPANY ALREADY IN THE CROSSHAIRS?

We all have locks and alarms on our homes, businesses, and vehicles. None of us would think about leaving our property unguarded. Why would you take the chance with your digital property?  

So, what can PEOs do internally to help secure the vulnerable areas of their business? As IT Manager at ESI, I have the task of guarding the gates of ESI through various techniques. Hopefully, by sharing some of these techniques, we will add some nuggets to your cybersecurity protocol.  

 

FIRST LINE OF DEFENSE FOR CYBERSECURITY  

Focus on a proactive first line of defense before you rely on the coverage of a cyber insurance policy or on reactive workflows for worst-case scenarios. The following are minimal security profile suggestions your company can implement quickly to raise threat awareness and help avoid compromises. In addition, most of them are now mandatory when applying for a cyber insurance policy.  

First and foremost, secure passwords for every employee throughout the company. To help with this, we suggest an enterprise-level password management system. Each employee gets an account (a vault) in which to save login and other sensitive information. A shared-folder feature lets employees or entire departments share common folders and entries, and the employer controls access per user or per assigned group, so grant each shared folder only to the people who actually need it. On the security dashboard the employer can also see how well each employee is doing on password strength, with an overview of at-risk passwords for each user. You can add email addresses to dark web monitoring, which proactively alerts the company if a site stored in the vaults (all registered web access points) has been breached. Another benefit of most enterprise accounts is a free family account for each of your users: a five-user family account in which they secure their personal passwords and login info and share them among family members, for example streaming accounts shared with the parents and kids and bank accounts shared only between the parents. Two caveats: the master password that unlocks the vault must be strong and unique, and logins to the vault itself should be protected with MFA. 

After securing the passwords, implement two-factor or multi-factor authentication (MFA). In the new era of mobility and mostly work-from-anywhere, MFA needs to be a standard to protect your network and servers. Do you know the work environment of every employee? Install your electronic front-door bouncer on all remote login systems: VPN, remote desktop, webmail, and cloud applications. Any system your users access should have MFA enabled where it is supported. There are too many examples of previous cyber events that could have been prevented if MFA had been enabled. MFA can take many forms, from a simple text message or email code to an authenticator app or hardware security key. Not all forms are equal: SMS and email codes are better than nothing but can be intercepted or phished along with the password, authenticator-app codes are stronger, and FIDO2/WebAuthn security keys are the most phishing-resistant because the key only answers for the genuine site. Users should also be encouraged to add MFA to their accounts at home.  

Another great tactic is an internal phishing-testing protocol. Some companies provide a service that sends simulated phishing and scam emails to your employees. The benefit is that you, as the employer, can monitor the campaign and see who clicks and who goes on to enter a password. The testing helps you identify and train these users without putting your company at risk, and most platforms let you assign short training automatically to users who click. Hopefully, the extra training helps when a real phishing or scam email gets through your regular email defenses. Incoming email needs to pass through a screening process (spam filtering plus attachment and link scanning) before your users see anything. On average, one out of every 101 emails is phishing or malicious, and about 85% of emails are spam.  

Phishing emails come in two main categories, with and without malware.  

  • Emails without malware impersonate a trusted sender, such as your CEO, CFO, or IT department, to trick the user into giving away corporate information or assets. Many of these include links to imitation login pages that capture the user's credentials. With compromised credentials, attackers may be able to reach your company resources, gain access to your internal systems, or start sending more phishing emails from your users' own mailboxes.  

  • Emails that include malware deliver it when an employee opens an attachment or enables its macros; others contain a link that tries to convince the user to download a program. Usually, this will seem like a helpful program, but it carries malicious code along with it. Some deliver only a small loader that then "phones home" to download more malicious software. Once the additional malware is in place, the attacker can move laterally through your network without you knowing. This is one of the most common ways ransomware attacks start.   
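The impersonation and credential-harvesting patterns in the two bullets above can be checked mechanically, which is what the "screening process" in front of your users does at scale. The following is an added example (not code from the original article, from ESI, or from any vendor) that runs four simple checks over raw email: a protected display name (the CEO or the IT department) arriving from an outside domain, a Reply-To that diverts replies elsewhere, a link whose visible text shows one site while the href points to another, and an attachment type that can carry macros or executable code. The company domain, the protected names, the extension list and the three sample messages are all constructed for the example.

```python
"""Heuristic phishing checks over raw RFC 5322 messages (added example).
The company domain, protected names, risky extensions and sample
messages below are assumptions constructed for illustration."""
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

COMPANY_DOMAIN = "example.com"                       # assumed
PROTECTED_NAMES = {"jane doe", "it department"}      # assumed: CEO and IT dept display names
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".hta", ".iso", ".docm", ".xlsm")


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of_text(text: str) -> str:
    """Hostname if the link text looks like a URL or domain, else ''."""
    host = urlparse(text if "://" in text else "http://" + text).hostname or ""
    return host if "." in host and " " not in host else ""


def analyze(raw: bytes) -> list:
    """Return a list of human-readable findings for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(addr)
    # 1. display-name impersonation of a protected person from an external domain
    if name.lower() in PROTECTED_NAMES and from_domain != COMPANY_DOMAIN:
        findings.append(f"display-name impersonation: '{name}' from external domain {from_domain}")
    # 2. replies silently redirected to a different domain
    reply_to = domain_of(parseaddr(str(msg.get("Reply-To", "")))[1])
    if reply_to and reply_to != from_domain:
        findings.append(f"reply-to domain {reply_to} differs from sender domain {from_domain}")
    for part in msg.walk():
        # 3. attachment types that can carry macros or executable code
        fname = part.get_filename()
        if fname and fname.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment: {fname}")
        # 4. link text that shows one site while the href goes to another
        if part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                href_host, text_host = urlparse(href).hostname or "", host_of_text(text)
                if href_host and text_host and href_host != text_host:
                    findings.append(f"link text shows {text_host} but points to {href_host}")
    return findings


# Constructed sample: CEO impersonation with a look-alike login link
PHISH = b"\r\n".join([
    b"From: Jane Doe <jane.doe@gmail-mail.net>",
    b"Reply-To: payments@outlook-secure.biz",
    b"To: ap@example.com",
    b"Subject: Urgent wire - confirm today",
    b"MIME-Version: 1.0",
    b'Content-Type: text/html; charset="utf-8"',
    b"",
    b'<p>Confirm at <a href="http://example-com.sso-verify.net/login">https://sso.example.com/login</a></p>',
])

# Constructed sample: the real CEO, internal domain, plain text
LEGIT = b"\r\n".join([
    b"From: Jane Doe <jane.doe@example.com>",
    b"To: ap@example.com",
    b"Subject: Lunch Thursday",
    b"",
    b"Are you free Thursday?",
])


def build_attachment_sample() -> bytes:
    """Constructed sample: a macro-enabled Word document from an outside vendor."""
    m = EmailMessage()
    m["From"] = "Accounts <ap@vendor-example.org>"
    m["To"] = "ap@example.com"
    m["Subject"] = "Invoice attached"
    m.set_content("See attached invoice.")
    m.add_attachment(b"placeholder-bytes", maintype="application",
                     subtype="vnd.ms-word.document.macroEnabled.12", filename="invoice.docm")
    return m.as_bytes()


if __name__ == "__main__":
    for sample in (PHISH, LEGIT, build_attachment_sample()):
        print(analyze(sample) or ["no findings"])
```

These checks are deliberately simple; a real gateway layers them with sender authentication (SPF, DKIM, DMARC), URL reputation and attachment detonation. Their value here is showing what the simulated-phishing tests are training people to notice by eye: the sender's real domain, where a link really goes, and what an attachment really is.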

After accumulating the testing data, review the findings at your next company roundtable or in your Teams channel. The more experience every employee has identifying scams, the lower your overall risk. Cyber thieves are training each day; make sure your teams are too. 

Another central area of concern is your technology. Your computers and servers should be configured to install security updates automatically as soon as they are available. The same goes for your software and your network equipment (firewalls, switches, wireless access points). When there is an option to allow automatic updates, we recommend enabling it. There needs to be a compelling business case not to enable security updates, and where a system truly cannot be patched, isolate it on the network and document the exception. The hackers are working overtime to get into your systems, and you cannot afford to leave doors open for them to walk in.  

Monitoring your systems is imperative if these controls are to be effective. Someone must be responsible for reviewing the security profile and following up with employees to help them change behavior. Having the systems in place is only part of the package. The hackers are working every day to get in, so you must work every day to keep them out and keep your data safe. In addition to good security practices and training, it can be worth employing third-party software and tools for added protection.  

While attacks may seem to happen overnight, the majority take days, if not weeks or even months, to be discovered. In turn, this highlights one of the biggest challenges small businesses face regarding cybersecurity: awareness and the resources available to defend against threat actors. The key is to know what you're up against. FireEye has an infographic, Defending Against Malicious Email Attacks | FireEye, that helps put it all together in one place1. This graphic gives you a bird's-eye view of the threats businesses face today.  

 

BOTTOM LINE 

There is no single approach to minimizing the human risks that lead to breaches. Employees must browse the web, open email, and even answer the phone with a healthy amount of suspicion. An organization with a strong cybersecurity culture is an organization with a small social engineering attack surface. The widely quoted figure that 60% of small businesses close within six months of a cyberattack is hard to trace to a primary source, but whatever the exact number, improving your security posture isn't just logical; it's vital to the survival of the organization2. 

 

REFERENCES:  

  1. https://www.sec.gov/news/statement/cybersecurity-challenges-small-midsize-businesses 

  2. https://www.cisa.gov/uscert/resources/smb 

 

RUSSELL JAMES 
IT Manager 
ESI 
San Antonio, TX 
