Cybercrime is at an all-time high, and hackers are setting their sights on small and medium businesses who are “low hanging fruit.” Don’t be their next victim! This report reveals the most common ways that hackers get in and how to protect yourself today.
You, the CEO of a small business, are under attack. Right now, extremely dangerous and well-funded cybercrime rings in foreign countries are using sophisticated software systems to hack into thousands of small businesses like yours to steal credit cards, client information, and swindle money directly out of your bank account. Some are even being funded by their own government to attack American businesses.
Don’t think you’re in danger because you’re “small”? Think again. 560,000 new malware threats are released every single day, and 82% of cyber-attacks are aimed at small businesses. Incidents like these rarely get enough media attention to make the news. They are often kept quiet for fear of attracting bad PR, lawsuits and data-breach fines, and out of sheer embarrassment.
In fact, the latest PurpleSec report states that 47% of small businesses had at least one cyber attack in the past year, and 44% of those had two to four attacks. Although these incidents are reported on TV and in newspapers far less often than they occur, you can still see in those media how data breaches, government fines and regulatory scrutiny are growing in number and severity. Because of all of this, it’s critical that you protect your business from these top 10 ways that hackers get into your systems.
The #1 vulnerability for business networks is the employees using them. It’s extremely common for an employee to infect an entire network by opening and clicking a phishing e-mail (that’s an e-mail cleverly designed to look like a legitimate e-mail from a website or vendor you trust). If they don’t know how to spot infected e-mails or online scams, they could compromise your entire network.
You must maintain an Acceptable Use Policy that outlines how employees are permitted to use company-owned PCs, devices, software, Internet access and e-mail. We strongly recommend putting a policy in place that limits the websites employees can access with work devices and Internet connectivity. Further, you have to enforce your policy with content-filtering software and firewalls. We can easily set up permissions and rules that will regulate what websites your employees access and what they do online during company hours and with company-owned devices, giving certain users more “freedom” than others.
Having this type of policy is particularly important if your employees are using their own personal devices to access company e-mail and data.
If an employee checks unregulated, personal e-mail on their own laptop and that laptop becomes infected, it can be a gateway for a hacker to enter your network. If that employee leaves, are you allowed to erase company data from their phone? If their phone is lost or stolen, are you permitted to remotely wipe the device (which would delete all of that employee’s photos, videos, texts, etc.) to ensure your customers’ information isn’t compromised?
Further, if the data in your organization is highly sensitive, such as patient records, credit card information, financial information and the like, you may not be legally permitted to allow employees to access it on devices that are not secured; but that doesn’t mean an employee might not innocently “take work home.” If it’s a company-owned device, you need to detail what an employee can or cannot do with that device, including “rooting” or “jailbreaking” the device to circumvent the security mechanisms you put in place.
Passwords should be at least 8 characters and contain lowercase and uppercase letters, symbols and at least one number. On a cell phone, requiring a passcode to be entered will go a long way toward preventing a stolen device from being compromised. Again, this can be enforced by your network administrator so employees don’t get lazy and choose easy-to-guess passwords, putting your organization at risk.
New vulnerabilities are frequently found in common software programs you are using, such as Microsoft Office; therefore it’s critical you patch and update your systems frequently. If you’re under a managed IT plan, this can all be automated for you so you don’t have to worry about missing an important update.
Simply having a solid, reliable backup can foil some of the most aggressive (and new) ransomware attacks, where a hacker locks up your files and holds them ransom until you pay a fee. If your files are backed up, you don’t have to pay a crook to get them back. A good backup will also protect you against an employee accidentally (or intentionally!) deleting or overwriting files, natural disasters, fire, water damage, hardware failures and a host of other data-erasing disasters. Again, your backups should be automated and monitored; the worst time to test your backup is when you desperately need it to work!
One of the fastest ways cybercriminals access networks is by duping unsuspecting users into downloading malicious software themselves, by embedding it within downloadable files, games or other “innocent”-looking apps. This can largely be prevented with a good firewall together with employee training and monitoring.
A firewall acts as the frontline defense against hackers, blocking everything you haven’t specifically allowed to enter (or leave) your computer network. But all firewalls need monitoring and maintenance, just like every other device on your network. This too should be done by your IT person or company as part of their regular, routine maintenance.
It’s not uncommon for hackers to set up fake clones of public WiFi access points to try to get you to connect to their WiFi instead of the legitimate, safe public one being made available to you. Before connecting, check with an employee of the store or location to verify the name of the WiFi they are providing. Next, NEVER access financial, medical or other sensitive data while on public WiFi. Also, don’t shop online and enter your credit card information unless you’re absolutely certain the connection point you’re on is safe and secure.
A phishing e-mail is a bogus e-mail that is carefully designed to look like a legitimate request (or attached file) from a site you trust in an effort to get you to willingly give up your login information to a particular website or to click and download a virus.
Often these e-mails look 100% legitimate and show up in the form of a PDF (scanned document), a UPS or FedEx tracking number, a bank letter, a Facebook alert, a bank notification, etc. That’s what makes them so dangerous: they look exactly like a legitimate e-mail.
This is a basic 21st century tactic. Hackers pretend to be you to reset your passwords. In 2009, social engineers posed as Coca-Cola’s CEO, persuading an exec to open an e-mail with software that infiltrated the network. In another scenario, hackers pretended to be a popular online blogger and got Apple to reset the author’s iCloud password.
If you are concerned about employees and the dangers of cybercriminals gaining access to your network, there are a few things you can do.
In utilizing Secure Managed Services with Centre Technologies, you get access to preventative cybersecurity tools and services, from Employee Security Awareness Training and EDR to application controls. You also get access to our Security Risk Assessment, which helps you to answer questions like:
Even if you have a trusted IT person or company who put your current network in place, it never hurts to get a third party to validate nothing was overlooked. Here at Centre Technologies, we work to be an extension of your team. Contact us today!