The Datamax Thinking Blog

Educating, collaborating, and sparking ideas for maximizing the technology that matters.


Is Your IT Security Strategy 'All-Inclusive?'


Businesses often throw money and technology at the problem: firewalls, content filters, encrypted data and email, antivirus and anti-malware tools. But a more all-inclusive approach covers much more ground than just hardware. 

The nerves are shot. The internal screams of frustration finally slipped out across the salesroom floor. You need a vacation. And visiting an all-inclusive resort provides the ultimate peace of mind.

Every element of your vacation is already covered. An all-inclusive package means low (or no) stress planning, freedom from last-minute decision making, and a great deal of time and worry saved as you recharge pool-side.

Is your company’s IT security plan "all-inclusive?" Not just a matter for the IT team, but a sound strategy for everyone within the organization?

All-inclusive means all-encompassing. Technology alone doesn't get you there: firewalls, content filters, encryption and antivirus tools are necessary, but a truly all-inclusive approach covers much more ground than the tools themselves. It includes:

  1. All employees on board, from executive stewardship down to end-user awareness and training;
  2. Beyond the technical "tools" you have deployed, a practical, all-encompassing view of the everyday cyber threats your employees actually face.

Incorporating these elements into your IT security plan? That's the surest path to that pool-side peace of mind you're after.

Three Practical Tips for an 'All-Inclusive' IT Strategy

1. All Organizations (of Every Size) are a Target

A 2019 Verizon Data Breach Investigations Report found that 43 percent of breaches involve small business victims.

You may have only 50 employees, or operate in a small, insulated town. But you have assets: money, intellectual property, customer data, and access to systems. Your network and credentials may also be a gateway into larger organizations you do business with (as in the 2013 Target breach, which began with a third-party vendor's stolen credentials), making you just as attractive a target.

It's crucial to understand that, yes, it can, and very possibly will, happen to you.

2. All Employees Need Education and Training

Recognizing attack methods, and knowing the risk mitigation steps that limit exposure, are fundamental skills that often determine whether or not your business is compromised.

Teaching employees to recognize suspicious activity is key, and email is a good place to start. Two terms your team should know, and the deceptive tactics behind them:

  • Phishing: fraudulent messages, often dressed up with a brand-name company's logos and wording, sent in bulk to induce recipients to reveal credentials or personal information, click a malicious link, or open an attachment.
  • Spear phishing: the same tactic aimed at specific individuals within a company, typically using details about their role, colleagues or vendors to make the message convincing.
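As an added example (not code from the Datamax post, nor from Datto), here is a small Python checker for three of the indicators described above that a mail gateway or a trained employee can look for: a brand name in the sender's display name that doesn't match the sender's domain, a Reply-To that points to a different domain than From, and link text that shows one host while the href points to another. The brand list, the heuristics and both sample messages are constructed for illustration and are assumptions, not anything from the original page.

```python
"""Flag common phishing indicators in a raw RFC 5322 email message.

Added example, not from the Datamax post. The brand list, the sample
messages and the heuristics are assumptions chosen for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed brand -> legitimate sender domains. A real deployment would
# load this from the organization's own list of trusted senders.
TRUSTED_BRANDS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "paypal": {"paypal.com"},
}


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr):
    """Domain part of an address header value ('' if absent)."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def _registered(host):
    """Crude registrable-domain extraction: the last two DNS labels."""
    return ".".join(host.lower().split(".")[-2:])


def _text_parts(msg):
    """Yield decoded text/* bodies from a single-part or multipart message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True)
            if payload:
                yield payload.decode(part.get_content_charset() or "utf-8", "replace")


def phishing_indicators(raw_message):
    """Return a list of human-readable indicator strings (empty = none found)."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = from_addr.rpartition("@")[2].lower()

    # 1. Display name claims a known brand, but the From domain is not that brand's.
    for brand, domains in TRUSTED_BRANDS.items():
        if brand in display_name.lower() and _registered(from_dom) not in domains:
            findings.append(f"display name claims {brand} but From domain is {from_dom}")

    # 2. Replies are routed to a domain other than the sender's.
    reply_dom = _domain(msg.get("Reply-To", ""))
    if reply_dom and _registered(reply_dom) != _registered(from_dom):
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 3. Link text shows one host while the href actually points to another.
    for body in _text_parts(msg):
        collector = _LinkCollector()
        collector.feed(body)
        for href, text in collector.links:
            href_host = urlparse(href).hostname or ""
            shown = re.search(r"[\w.-]+\.[a-z]{2,}", text.lower())
            if shown and _registered(shown.group(0)) != _registered(href_host):
                findings.append(f"link text shows {shown.group(0)} but points to {href_host}")
    return findings


# Constructed sample messages (not real mail). The first imitates a brand
# with a look-alike domain and a mismatched link; the second is ordinary mail.
SAMPLE_PHISH = """\
From: "Microsoft Account Team" <security@micros0ft-support.net>
Reply-To: recover@mailbox-verify.example
To: employee@example.com
Subject: Unusual sign-in activity
Content-Type: text/html; charset=utf-8

<html><body>
<p>We detected an unusual sign-in. Verify your account within 24 hours.</p>
<p><a href="http://login.mailbox-verify.example/ms">https://login.microsoft.com/</a></p>
</body></html>
"""

SAMPLE_LEGIT = """\
From: "Pat Jones" <pat.jones@example.com>
To: employee@example.com
Subject: Lunch
Content-Type: text/plain; charset=utf-8

See you at noon. Menu: https://www.example.com/menu
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(sample) or "no indicators")
```

None of these heuristics is proof of phishing on its own (marketing mail legitimately sets Reply-To to a bulk-mail provider, for example), which is why the function returns the list of indicators rather than a verdict; the point for training is that each of them is something a recipient can check by hovering over a link or reading the real sender address, not just the display name.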

Social engineering, an increasingly common attack vector, exploits human trust and habit rather than software flaws to infiltrate networks, gain access to systems and steal confidential information from organizations. A social engineering attack might be a phone call from a spoofed number: "This is Microsoft. I'm calling to notify you that there is a bug outbreak in the Little Rock area and I've been assigned to your area. I need to log into your computer and apply a patch."

We know that Microsoft does not operate in this manner: it does not make unsolicited calls asking to log into your computer.

Cybersecurity and data backup company Datto identifies four other everyday social engineered attacks to be aware of:

  • Baiting: Baiting, similar to phishing, involves offering something enticing to an end user, in exchange for login information or private data. The "bait" comes in many forms, both digital, such as a music or movie download on a peer-to-peer site, and physical, such as a corporate branded flash drive labeled "Executive Salary Summary Q3 2016" that is left out on a desk for an end user to find. Once the bait is downloaded or used, malicious software is delivered directly into the end user's system and the hacker is able to get to work.
  • Quid Pro Quo: Similar to baiting, quid pro quo involves a hacker requesting the exchange of critical data or login credentials in exchange for a service. For example, an end user might receive a phone call from the hacker who, posed as a technology expert, offers free IT assistance or technology improvements in exchange for login credentials. Another common example is a hacker, posing as a researcher, asks for access to the company’s network as part of an experiment in exchange for £100. If an offer sounds too good to be true, it probably is quid pro quo.
  • Piggybacking: Piggybacking, also called tailgating, is when an unauthorized person physically follows an authorized person into a restricted corporate area or system. One tried-and-true method of piggybacking is when a hacker calls out to an employee to hold a door open for them as they’ve forgotten their RFID card. Another method involves a person asking an employee to “borrow” his or her laptop for a few minutes, during which the criminal is able to quickly install malicious software.
  • Pretexting: Pretexting, the human equivalent of phishing, is when a hacker creates a false sense of trust between themselves and the end user by impersonating a co-worker or a figure of authority well known to an end user in order to gain access to login information. An example of this type of scam is an email to an employee from what appears to be the head of IT Support or a chat message from an investigator who claims to be performing a corporate audit.

The bottom line? Consider partnering with a business technology provider for proactive cybersecurity education. Then reinforce the training with a program that sends simulated phishing emails to employees and reports who clicked or entered credentials, so follow-up training goes where it's needed.

3. All Business Owners Should Ask These Four Questions

In contemplating your vulnerabilities, and considering your next security action items, start by asking yourself these four pertinent questions:

  1. What are we doing to educate employees on security?
  2. How are we testing them to know if they’re adequately trained?
  3. What is our disaster recovery plan? Do we have one, and have we actually tested a restore from backup?
  4. How long can we afford to be down?

Are you ready for a strategy that's "all-inclusive"? Start by assessing your current security framework. Continue with a trusted Datamax partnership that recognizes the immense value in properly training your employees to guard against cyber attack. Intrigued? Schedule your technology assessment today!


Topics: Network Management, Network Security