Cybersecurity is more a people problem than it is a technical one. Many of the losses you read about could be prevented if people better understood how security works.
There are 7 key areas of cyber threats that every business owner or manager needs to know about as they consider the use of technologies to grow their business. In each of these concerns, you'll see a technical issue. But underlying most are people problems. Let's take a look...
1. False Security
First, it's important to understand that (regardless of what you've been told) firewalls and passwords don't keep hackers out. If your data is on a network or in the cloud, it's accessible to a hacker no matter what you do.
This may sound like a hopeless situation, but there are things you can do to greatly minimize your risk. And if you bring your risk down to an acceptable level you can continue to leverage your technology without too much worry. The benefits outweigh the risks when technology is approached correctly.
2. Social Engineering
You've probably heard the term social engineering. It's not new. But don't underestimate the power the hacker has through social engineering attacks.
Almost every major attack involves social engineering. Social engineering is used to con unaware users into installing programs on their computers, which in turn give the hacker access. Examples targeting small businesses include Corporate Account Takeover and Invoice Fraud.
In the case of Corporate Account Takeover, hackers take over your email and begin issuing orders to carry out directives only you are authorized to perform. A common ruse is to email your accounts payable person requesting a wire transfer to a supplier or customer.
In a recent case, one small business owner transferred over $400,000 to three suppliers which should not have been paid. Of course, the wire transfer information directed those funds to the hacker's account. The victim's $400,000 is not recoverable. And per bank policy, while individuals have 60 days to report fraudulent activities, in most cases you only have 24 hours as a small business owner.
3. Mobility and BYOD (Bring Your Own Device)
BYOD initiatives are going on in companies all over the country right now. Since almost every aspect of life involves technology, drawing a hard line between work and personal life is becoming impossible.
The danger comes in thinking that computing on one device or in one location is just as safe as on another. And so, your employees are likely to treat your most sensitive data as they would their personal email or media collection. They will store and transmit your company's secrets just about anywhere and on any device. The employee's assumption is, "security technology has me covered." They're wrong.
4. Misuse of Social Media
The use of social media at work is an ongoing Achilles heel for office managers. Facebook and Instagram can be time wasters. But wasting time is of little concern when compared to the mindset social media has created.
Remember when people were afraid to make online purchases? Or when you were scared to write something about yourself or post a photo? That's gone. People share pictures and information about themselves across the Internet every day. If they're willing to expose themselves, what will they do with your data?
5. Internal Threats
Cybercriminals, spies, and hacktivists are real. But in just about every major data breach, there's an internal component. In some cases, it's operator error. In other cases, it's a bribe to cooperate with an insider.
The security mindset assumes the threat is always outside, yet studies show that employees admit they steal data. When employees are laid off, don't get promoted, or move on to a better opportunity, you can assume they'll be taking data with them. But it's also true that a hacker can easily bribe one of your employees, giving them 5 to 10 times what they make in salary, to cooperate in a data heist.
6. Nation-State & Advanced Persistent Threats
You've probably seen the term "Advanced Persistent Threat," or APT. What is it? APTs are groups of people that want in - they are a "who," not a "what."
The APT is bigger than malware. These groups are sophisticated, well sponsored by Nation-States, and determined to get something they specifically want. In other words, they are "Persistent."
Finally, there is the growing threat of war or cyberterrorism. While this is not a targeted attack on the small business owner or entrepreneur, the impact is real. In a worst-case scenario, hacker groups will take down power grids and other critical infrastructure you rely on for your business.
There's not much you can do to protect yourself here. The best thing is to be aware of it, and at some level be prepared for disaster and recovery.
One more threat. Misunderstanding compliance can take your business down.
Compliance is not security.
Lawmakers would like you to think HIPAA (Healthcare privacy requirements) and PCI (Credit Card Industry Requirements) compliance will keep your data safe. They won't.
The truth is, compliant companies get hacked all the time. Compliance rules are set up to move a company toward security, but in no way are these cumbersome regulations actually addressing the problem. The problem is, compliance falls short. According to Mike McConnell, former Director of National Security to the White House, "Once a company passes the compliance audit, they stop working on security."
The reality for all businesses is that losing your data can put you out of business. It's important to understand your risk and exposure and to figure out what to do about it.
As always, if you need help in developing a security plan and managing your data, we have professional and experienced engineers who are ready to help if you prefer us to manage it for you.
Contact us at firstname.lastname@example.org or call 504-733-5633.