Basic Cyber Hygiene – Cybersecurity Basics
Here we describe basic cyber hygiene – the bare minimum any company should be doing regardless of size to protect itself from cyberattacks and liability. These items should be seen as a starting point – a way to begin making yourself safer as you work towards a full cybersecurity program and compliance. At Touchstone Security, we highly recommend consulting with cybersecurity professionals to begin building a comprehensive plan.
Implement Two-Factor Authentication
2FA (Two-Factor Authentication) should be absolutely mandatory for all employees. Two-Factor Authentication involves using a second token in addition to a password to prove a user’s identity. While some particularly sophisticated attackers may find ways around this, enabling 2FA on all applicable services is an extremely easy measure that can dramatically reduce your risk. Consider enabling 2FA on:
- Business Banking Accounts
- HR Accounts
- Email Accounts
- Web Hosting Services
- Cloud Accounts
- Any other accounts which present an option for 2FA
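To make the "second token" concrete, here is an added example (not from the original post) of how the time-based one-time codes produced by authenticator apps (TOTP, RFC 6238) are generated and checked on the server side; the shared secret is the RFC test-vector value, not a real key.

```python
import hmac
import hashlib
import struct
import time

# Added illustration of a second authentication factor: TOTP (RFC 6238),
# built on HOTP (RFC 4226). The secret below is the RFC test-vector secret,
# a constructed sample rather than a real enrolment key.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password for a given counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP: the counter is the number of 30-second steps since the epoch."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, at: int, window: int = 1) -> bool:
    """Server-side check of a code the user typed in after their password.

    Accepts the current 30-second step plus or minus `window` steps to tolerate
    clock drift, and compares in constant time so timing does not reveal which
    digits matched. A production verifier should also refuse to accept the
    same code twice within its validity window.
    """
    if not (submitted.isdigit() and len(submitted) == 6):
        return False
    counter = at // 30
    return any(
        hmac.compare_digest(hotp(secret, counter + drift), submitted)
        for drift in range(-window, window + 1)
    )


if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC test secret (constructed sample)
    now = int(time.time())
    code = totp(secret, now)
    print("current code:", code, "verifies:", verify_totp(secret, code, now))
```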
Provide Comprehensive Employee Training
Employee training has been convincingly shown to have one of the highest returns on investment in cybersecurity. By training employees, you can reduce their risk of visiting malicious sites, downloading malware, and clicking on phishing emails at an extremely low cost. As we discussed in a recent blog post, Security Awareness Training is one of the most cost-efficient ways to reduce the risk of breaches and incidents. If you are unsure where to begin, Touchstone Security also offers an award-winning Security Training Program.
Unfortunately, 56% of Americans don’t know what steps to take in the event of a data breach, and 32% of data breaches involve phishing. The majority of cyber attacks, 82% to be exact, begin with end-users. When an attacker compromises one device, like an employee’s laptop or tablet, they gain a valuable foothold into the entire network that can be exploited to launch further attacks on your organization.
Providing comprehensive security awareness training that includes education on common attacks like phishing, business email compromise (BEC), ransomware and physical security is critical to reducing the risk that your organization suffers a catastrophic breach. It is important to take preventative measures and provide comprehensive security training before an attack occurs. Many government regulations and compliance requirements now hold companies liable for data breaches that expose customer information and levy heavy fines against businesses found to be negligent.
Your employees are often the first line of defense against a cyber attack. Well-trained employees know the best tactics to prevent, respond to, and recover from an attack.
So where do you begin? What topics should be covered? Here are the basics employees need to know.
Physical Security
Physical security is the protection of personal information, hardware, software, networks, and data from physical actions that could cause damage or a serious loss to an organization. This also includes protection from fire, flood, natural disasters, and other physical risks an organization might face.
Physical security is often overlooked and underestimated by both employees and the IT department. Organizations instead focus on more technical threats like ransomware, DDoS attacks, and malware. However, it is important to remember that hackers are criminals – and criminals are opportunistic. An attacker could spend weeks searching for a zero-day exploit in popular software and hours trying to break into a database – or they could simply follow one of your employees into the office building, take a laptop, plug in a thumb drive, and access all of your valuable sensitive information. Which is easier? Physical security attacks can cause just as much damage as cyberattacks, if not more.
Even if your organization spent a million dollars on cybersecurity, it could all be for nothing in the event of a physical security breach. The good news is that many physical security attacks can be easily avoided.
Physical security is made up of three vital elements: access control, surveillance, and testing.
Access control: This is the ability to restrict which zones employees may enter based on their role. There are many safeguards you can use to ensure that privileged information is only accessed by authorized individuals, including badges, motion detectors, and intrusion detection alarms. These are designed to discourage unauthorized individuals from accessing the information and to detect anyone who does.
Surveillance: A basic surveillance measure is ensuring proper visibility of spaces by creating more open and visible floor plans for security personnel. This way, possible intruders cannot enter undetected. Proper visibility from lighting is also important, as installing a security camera will do no good if the space it is monitoring is too dark to be captured on camera. Security cameras should also be placed in a highly visible location to deter potential intruders. Security camera recordings should be stored securely for a reasonable period depending on your business needs. Ideally, cameras should also be monitored by a human so that a response can be delivered in an appropriate time frame when a possible incident is detected.
Testing: Disaster recovery and intrusion policies and procedures should be tested on a regular basis to help ensure safety and reduce the time it takes to recover from disruptions in business due to cyberattacks or natural disasters. Having a set of policies and procedures is great, but they are only truly valuable if your organization actually practices or tests them to ensure the readiness of your team. Just as your team performs fire drills or tornado drills, you should periodically perform phishing tests and other cybersecurity awareness drills.
Organizations must develop physical security plans that protect employee lives and facilities. The first priority of physical security is the safety and security of your employees and personnel. The second priority is security and safety for your company assets and the ability to restore IT operations if a natural disaster happens.
Employees must be aware of the importance of physical security. Employees should make it a habit to shut down computers when not in use, avoid writing passwords on sticky notes, and ensure no one is “piggybacking” behind them when using a key card to enter a building. All of these are vital aspects of security that can be easy to overlook and cause major damage.
Business Email Compromise
Business Email Compromise (BEC) is a form of cyberattack that uses email fraud to target an organization. BEC scams often target companies that conduct wire transfers, which attackers can leverage to redirect funds. Hackers are able to carry out hundreds of these attacks because the email addresses of high-level executives can often be harvested from websites with email scrapers, and those addresses can easily be spoofed in phishing emails to request fraudulent transactions. These attacks have the potential to lead to millions, if not tens of millions, of dollars in losses.
BEC scams use social engineering tactics to dupe unsuspecting employees and executives into following their instructions. These hackers will often try to impersonate a high-level executive of the company to convince their target they are trustworthy and legitimate. Because BEC scams don’t use suspicious links or downloads they can often go undetected by traditional cybersecurity safeguards such as firewalls and antivirus programs.
One real-world example of BEC comes from “Shark Tank” host Barbara Corcoran who fell for a $400,000 scam. The hackers sent an email and tricked her bookkeeper into sending a bill that appeared to come from Barbara’s assistant. She thought she was paying a contractor, but in reality, she wired almost $400,000 to a fake bank account in Asia. “I was upset at first,” she said, “but then remembered it was only money.” Fortunately, she was able to get her money back eventually. Unfortunately, most businesses are not in a position to float almost $400,000 – or lucky enough to have a team of lawyers to get it back. For most companies, a loss like this would close the doors immediately.
This is why comprehensive cybersecurity training is important for all members of an organization, not just the IT Department or your accountants, but also your CEO, President, VPs, and any other executive with access to your organization’s information. The Ponemon Institute estimates the total cost of the average cybersecurity breach is $4M. Your executive team may scoff at the idea of completing security awareness training with the rest of the team, or simply say they don’t have time. When the stakes are this high and the game is this easy for hackers, it is necessary to ensure your entire organization is on the same page.
Phishing and Spear Phishing
Phishing is the process hackers use to obtain sensitive information through email by impersonating a trustworthy entity. Hackers will often try to obtain passwords, credit card numbers, and other forms of personal information from unsuspecting users. Attackers can gain access to your accounts by using fake links that appear to be genuine links to your bank account or online shopping sites, or by claiming your password has been compromised and asking you to change it. Hackers can also impersonate a shipping company and ask you to confirm your address, or create a false sense of security and urgency by impersonating your boss and asking you to buy $500 in Target gift cards.
Like most criminals, hackers are looking for the biggest score that requires the least amount of effort. This often comes in the form of a phishing email to a busy unsuspecting employee. Unfortunately, one study showed that 78% of employees are aware of the risks of suspicious links in emails but click on them anyway. Even worse, only 16-20% of people admitted to clicking on the suspicious link in the study. Even one unsuspecting employee can compromise an entire business.
Spear phishing uses a more targeted approach to steal personal information. These attempts can take more time and effort on the part of the hacker but may produce a greater score. For example, a spear-phisher will disguise themselves as a trustworthy person and make contact with their victim via email, common social media platforms, and even text messages. Spear phishing attacks are personalized for each individual victim and try their best to look authentic. Hackers gather as much information about their target as possible before making contact to increase their chances of success.
Spear phishers can often glean valuable information from a simple social media profile like Facebook or LinkedIn. They can easily find their target’s email addresses, friends list, location, education history, businesses they frequent, and more.
In April of 2020, cybersecurity news site ZDNet reported that hackers had breached the email accounts of high-ranking executives at more than 150 companies, launching spear-phishing attacks. Hackers based in Nigeria and South Africa tried to trick high-ranking C-suite executives into entering their Office 365 credentials into fake login pages. Hackers were able to compromise email accounts within a day of users entering their information. They used this access to send phishing emails to other individuals outside the original victim’s organization and conduct further spear-phishing attacks.