Cybersecurity Month is over! What do I focus on next?
The answer is simple! ‘Focus on Cybersecurity not only during Cybersecurity Month but EVERY month.’
Cyberattacks are much more common than people realize. The data on the frequency of attempted cyberattacks is staggering, with a new victim every few seconds and several thousand ransomware attacks targeting businesses daily. Some of these attacks are random, but many are targeted. So, if you have not yet been a victim of a rogue actor, it is only a matter of when, not if.
We hear about so many of the largest corporations, with all the resources at their disposal, still falling victim to cybercrime. So how do small businesses with limited resources keep their data and their customers’ data secure? While this article is not meant to list every possible scenario and safeguard, I will focus on tips for email security, as email is the most common attack vector used to gain access to a user account or to computer systems.
Malicious emails appear to be from a known source such as Office 365, or can even appear to come from within the company, e.g., from the CEO or the CFO, in an attempt to get the recipient to open the email attachment or click on a hyperlink to a compromised website. Malicious emails could carry ransomware attempting to take over computer systems, or be phishing attempts trying to deceive an individual into providing sensitive information, such as a bank account number or a social security number.
Be certain that any emails containing links or attachments that you intend to open are from an expected individual. Many email systems can be configured to add a banner to the email alerting employees when an email is from an external party. Always check the actual email address of the sender, not just the display name, before acting on the email or responding. Often, an indication of a malicious email is how poorly it is written and formatted.
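The two checks just described (is the sender external, and does the sender address match what the display name claims) can be automated at the mail gateway. The following is an added example, not code from the original article; it uses only Python's standard `email` library, and the company domain `example.com`, the executive names, the banner text and the two sample messages are all constructed for illustration. It also looks at the `Reply-To` header and at whether the message carries a link or attachment, since those are what turn an impersonation into an actionable risk.

```python
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Assumptions (constructed for this example): the company's own mail
# domains, and a small directory of internal names that are commonly
# imitated in "CEO fraud" style emails.
INTERNAL_DOMAINS = {"example.com"}
INTERNAL_NAMES = {"jane doe", "john roe"}


def domain_of(address: str) -> str:
    """Return the lowercased domain of an address, or '' if it has none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def body_text(msg: Message) -> str:
    """Concatenate the decoded text/* parts that are not attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type().startswith("text/") and not part.get_filename():
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def check_sender(raw_email: str) -> dict:
    """Inspect From/Reply-To and the payload; return a verdict with reasons."""
    msg = message_from_string(raw_email)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))

    from_domain = domain_of(from_addr)
    external = from_domain not in INTERNAL_DOMAINS
    # Display-name spoofing: a familiar internal name on an external address.
    impersonation = external and display_name.strip().lower() in INTERNAL_NAMES
    # Replies silently redirected to a domain other than the sender's.
    reply_mismatch = bool(reply_to) and domain_of(reply_to) != from_domain
    text = body_text(msg)
    has_link = "http://" in text or "https://" in text
    has_attachment = any(part.get_filename() for part in msg.walk())

    reasons = []
    if external:
        reasons.append("sender domain is external: " + from_domain)
    if impersonation:
        reasons.append("display name matches an internal contact")
    if reply_mismatch:
        reasons.append("Reply-To domain differs from From domain")
    if has_link or has_attachment:
        reasons.append("message carries a link or attachment")

    risk = "low"
    if external:
        risk = "medium"
    if external and (impersonation or reply_mismatch) and (has_link or has_attachment):
        risk = "high"
    return {"external": external, "risk": risk, "reasons": reasons}


def tag_subject(raw_email: str) -> str:
    """Prefix the subject the way an external-sender banner rule would."""
    subject = message_from_string(raw_email).get("Subject", "")
    return "[EXTERNAL] " + subject if check_sender(raw_email)["external"] else subject


# Constructed sample messages (not real mail). The first imitates an
# internal executive from a look-alike domain; the second is genuine.
SPOOFED = """From: Jane Doe <jane.doe@examp1e-mail.net>
Reply-To: payments@another-domain.invalid
To: staff@example.com
Subject: Urgent wire transfer
Content-Type: text/plain; charset=utf-8

Please approve the invoice today: https://examp1e-mail.net/invoice
"""

INTERNAL = """From: John Roe <cfo@example.com>
To: staff@example.com
Subject: Q3 numbers
Content-Type: text/plain; charset=utf-8

See you at the meeting.
"""

if __name__ == "__main__":
    for sample in (SPOOFED, INTERNAL):
        verdict = check_sender(sample)
        print(tag_subject(sample), "->", verdict["risk"], verdict["reasons"])
```

The point of the `risk` tiers is that "external" alone is not a reason to block mail (most legitimate customer mail is external); it is the combination of an external address, an internal-looking identity or redirected replies, and a link or attachment that should route the message to quarantine and to the security team.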
Always be vigilant. When in doubt, ask a member of your security team for input or guidance. Most importantly, report these bogus emails and mark them for quarantine so that they can be blocked at the domain level. Most malicious attacks attempt to propagate through the company and impact others. So, if you suspect you may have inadvertently done something wrong, not reporting it could be even more detrimental.
While there are several technical safeguards that companies can put in place, such as intrusion prevention and detection systems, strong logical access controls including multi-factor authentication, and strong encryption practices for data at rest and in transit, one of the most important controls is to train all employees in good information security practices. Training should be given upon hire and at least annually. In addition, regular security reminders to all employees must become part and parcel of the company’s internal communication practices. I strongly encourage companies to perform remote social engineering exercises that incorporate not only email but also SMS phishing (smishing) campaigns. Last but certainly not least, periodic vulnerability scans and, at minimum, a thorough annual penetration test will help you strengthen and better manage your company’s cybersecurity posture.