Cybersecurity threats to small- and mid-sized businesses are not only getting more sophisticated, they’re also intensifying. Organizations that would have seen one attack a year are now experiencing them on a weekly or monthly basis. As the threat landscape changes, businesses need to evolve quickly and aggressively to protect themselves and their clients.
Trend 1: Attackers are targeting the small fish to land the big ones
Attackers are targeting small organizations in order to penetrate their larger partners. Two recent examples are LabCorp and Quest, both of whom had customer data compromised by hackers penetrating their smaller sub-contractors. “Right now, there’s no longer security in obscurity,” said David Rossell, Ph.D., CISSP, who runs the security practice at Ntiva, Inc. “Just because you’re small doesn’t mean you’re safe from attackers.”
It’s common practice for hackers to gain access to confidential data by stealing passwords through phishing emails. They are also buying stolen passwords from other criminals. Since many people use the same password across multiple websites, a hacker only needs a single password to infiltrate a wide variety of accounts, both personal and business.
The Solution: Multifactor Authentication (MFA)
One of the best ways to stop hackers in their tracks when it comes to stolen passwords is Multifactor Authentication (MFA). MFA is a security system that verifies a user’s identity before allowing her or him to access online applications.
Most people are very familiar with MFA in their personal lives. If you’re attempting to log in to your online bank account or if you’ve had to re-set a password, you’ll often be sent a code to your smartphone that must be entered before access is granted. That’s MFA at work!
MFA is an extremely cost-effective solution and every single business, regardless of size, should be implementing MFA as a basic element of their data protection program.
Trend 2: Rise in phishing as the vehicle for attacks
MFA helps prevent attackers from logging into your system remotely using stolen credentials, but it’s not much help in blocking viruses and other malware that are delivered by phishing emails. Phishing has grown extremely sophisticated in recent years, and one wrong click can launch a virus that wipes out all your data.
The Solution: Phishing Prevention Training
Well-trained employees are your first line of defense against phishing attacks. Phishing prevention training will provide your employees with monthly simulated phishes, teaching them how to recognize the little clues, which are sometimes very subtle, that can help identify an attack.
Trend 3: Basic anti-virus is proving less and less effective against sophisticated attacks
As cyber threats continue to escalate, older tactics to prevent security attacks and breaches are falling behind. This includes basic anti-virus software that once would have done the job successfully. The problem is that this software is simply not agile enough to stop many of the modern phishing or ransomware attacks.
The Solution: Advanced Endpoint Protection
A simple but effective first step is to ensure employees do not have local administrative rights on their computers. Viruses rely on a user’s access privileges, so restricting your employees’ access to the bare minimum to do their work also restricts the harm that a virus can do.
The next step is to add an extra layer of protection against ransomware and other viruses by implementing an advanced endpoint protection solution. This will protect your end user devices both inside and outside your firewall, including laptops and other mobile devices that remote and traveling employees use daily. “This technology will stop attacks automatically without user intervention and let you know that an attack is happening in real-time,” Rossell says. “It’s a great supplement, especially for organizations with little tolerance for downtime or risk.”
Trend 4: Spam filters aren’t keeping up
It may seem acceptable that your spam filter stops 97% of the phishing attacks directed at your organization, until you realize that thousands of pieces of spam are hitting your filter every day. A 97% success rate on 1,000 messages means that 30 potential viruses made it into your users’ mailboxes!
The Solution: Phishing Prevention Training and Advanced Endpoint Protection
Again, it boils down to the continual training of employees on phishing prevention, and then backstopping them with advanced endpoint protection solutions that are as sophisticated as the malware worming its way into your systems.
Trend 5: The nature of due diligence is changing
Attackers are engineering more complex attacks and on a larger scale than ever before. The perception of what is “baseline” protection has already shifted to compensate, including MFA as standard protection, and moving up to additional protection from there. Note that the Department of Defense now requires its contractors not only to use MFA, but also to implement full intrusion detection solutions.
The Solution: MFA, Phishing Prevention Training, Endpoint Protection, Intrusion Detection
“There’s no avoiding it,” Rossell says. “As a bare minimum, it’s an absolute necessity to protect remote access to your data with MFA.” Adding on phishing prevention training is inexpensive and easy to deploy, and should also be part of every organization’s basic security program. Organizations in regulated industries such as finance, government contracting, healthcare or law are also well advised to take a hard look at additional measures such as intrusion detection and advanced endpoint protection.
Meeting the new security baselines need not be expensive. The investment associated with advanced measures pales in comparison with the costs associated with a data breach. “A sound, strategic IT security program can be a differentiator that allows an organization to position itself ahead of rivals and win new business,” Rossell says. “Find the right security partner, a firm that understands both security and IT operations, and lean on them to provide the expertise so that you can focus on your core business.”-30-