Posts

6 tips for setting cybersecurity goals for your business

Cybersecurity is a major issue for every business, whether you’re running a multinational organization or a local company. Here’s what you need to know about why prioritizing cybersecurity is so important – and some advice on developing a cybersecurity strategy that aligns with your company’s needs and your IT budget. 

Why cybersecurity is so important 

When it comes to cybersecurity, there’s no such thing as being too careful. Cybercrime is rapidly on the rise, and the average cost of a security breach has shot up to over $13 million in recent years. 

What’s more, antivirus and antimalware programs aren’t enough anymore to protect your company from increasingly sophisticated threats. Statistics show that 52% of breaches featured hacking, 28% involved malware and roughly 33% included phishing or social engineering, respectively.

If you plan on keeping your business secure, there are a few steps to follow. 

1) Know what you need from your cybersecurity 

Every viable cybersecurity strategy is designed to achieve two things. Firstly, it should protect your business from external threats. Secondly, it should minimize the risk of negligent employees exposing your sensitive data to hackers. 

To get started, it’s a good idea to download or create a planning tool. This will allow you to note down your cybersecurity goals and how you plan on achieving them. You can revise this plan if necessary and set new goals as you go along.  

2) Establish threats and risks

Make sure you understand the impact of any disaster, be it a security breach or a malware infection, on your operations. Prepare for as many eventualities as possible and review the threats to your business regularly. 

3) Set targets for maintenance 

Update your antivirus and antispyware software regularly, and set up your systems so they automatically download crucial patches when they become available. Maintain your hardware and replace or repair faulty equipment when necessary. 

Make it a goal to change passwords regularly and always monitor access to your wireless network for any suspicious activity.   

4) Schedule backups 

Make sure that you back up important data and system processes at regular intervals. Automate these backups where possible so you don’t forget about them.   

First, decide how frequently you’ll back up data and where you’ll store it, such as in the cloud or in hard copy. Make sure you comply with privacy laws and other sector-specific regulations. 

5) Don’t forget employee training

Your employees are key to ensuring that your cybersecurity strategy is a success. Set training goals and review employee understanding of cybersecurity issues on a semi-regular basis. 

When setting training goals, set out a manageable schedule for cybersecurity training and a plan for monitoring adherence to cybersecurity processes. 

6) Seek expert advice

IT managed services providers are best placed to help you devise effective cybersecurity goals that suit your business needs and your budget. If you’re unsure how to get started on a cybersecurity strategy, or if you’re worried that your current strategy isn’t working, it’s a good idea to seek professional help.  

Staying protected

Although every business is unique, there are some cybersecurity goals common to them all. Ultimately, keeping company data secure from evolving and existing threats should be a priority for every business going forward. For more information on developing a cybersecurity strategy that suits your business, contact us today.

Why phishing is so dangerous

As 2018 begins, the total number of cyberattacks continues to rise. Data from the Identity Theft Resource Center and CyberScout showed there were 1,579 successful data breaches in 2017. This figure represents a nearly 45 percent uptick from the year before. The numbers turns especially troubling when broken out by industry.

On the whole, most sectors are tightening their security measures and reporting fewer breaches. Health care, government, education and financial industries all reported a continued decrease in successful data breaches. While this is good news, there is one market that more than made up for this gradual decline: business. In 2017, the business sector accounted for nearly 60 percent of all breaches. This trend has been steadily increasing since 2013, according to the report.

Part of this is the pace of cyberattack evolution. Businesses invest heavily in methods to prevent one type of cyberattack, only to have hackers change their strategy within months. At that point, the organization has already spent its budget in information security and may be scrambling to allocate more. However, data suggests that one of the simplest forms of cyberattack is still among the most effective: phishing.

"Less than half of all executives understand their company's information security policies."

False sense of safety
While ransomware and other, more elaborate types of cyberattack routinely make the news, phishing has been flying under the radar. Many equate it with stories of foolish people falling for schemes from a Nigerian prince or believing that they had suddenly acquired millions from the government – fantasies that businesses tell themselves they would never fall for.

Data from a couple years ago may also have looked hopeful. A 2016 Symantec report concluded that the overall email spam rate was falling and that fewer phishing bots were being used. This information, likely the result of email server providers like Gmail and Outlook stepping up their sorting technology, may have given a false sense of safety to business executives.

Compound this will another major problem in the business sector: Most executives are in the dark when it comes to understanding cybersecurity concerns. A cybersecurity survey report from BAE systems in 2016 found that less than half of all executives claimed to understand their company's information security policies.

This same survey found that only 60 percent of companies had formal cybersecurity training sessions in place, and that 70 percent of that number only had training roughly once per year. Given how rapidly cyberattacks change and adapt, this strategy would leave companies exposed to vulnerabilities – perhaps more so than other organizations because of the misplaced sense of safety.

"Cyber criminals now create fake websites that look legitimate."

Phishing is getting smarter
Part of Symantec's data – the decline of phishing bots – should not have been received with good news. Especially when, according to Comodo Threat Intelligence Lab data, the overall number of phishing attacks continues to increase. Bots are, for lack of a more proper term, dumb. They follow predictable formulas that can be easily filtered into spam boxes and out of employees' vision.

However, phishing has gotten smarter. One of the new methods outlined in Comodo's report is called "clone phishing." In this scenario, hackers intercept an authentic email communication, typically from an executive, and recreate it nearly flawlessly. The fake email is then sent to the employee in the hopes of getting a response.

In addition, the practice of spear phishing is on the rise. Most early phishing was a mass attack – the same email or recorded message sent to many people, hoping to snag a minority of those contacted. Spear phishing is more precise. This phishing tactic learns of the victim's personal information and uses it. This means that the phishing message may include real names, dates and relevant organizations – all factors that will make the communication look more genuine.

Phishing has also gotten more complex in the sense that it has evolved past emails, phone calls and text message. Cyber criminals now create fake websites – similar to originals – that look legitimate. However, these malicious sites often betray themselves in the domain name, which is typically longer or more complicated than it needs to be. These website forgeries will almost never use common domain names like .com or .org.

Everyone is a target
According to the Comodo report, 50 percent of employees will open an email from an unknown sender if it lands in their inbox. This number alone explains the increasing amount of phishing attacks, as well as why they are such a prevalent method. Every employee is a potential target.

Phishing stresses the need for comprehensive employee training at every level. Even one person being compromised can put an entire organization at risk. For example, if an entry level analyst is targeted and successfully breached, the hacker or malicious group may be in possession of the network passwords, meaning that they suddenly share his or her level of access. This can be used to install ransomware or other harmful programs. 

Every employee who receives corporate emails on a professional or personal device is the potential victim of phishing.Every employee who receives corporate emails on a professional or personal device is the potential victim of phishing.

Training to beat phishing
Information shows that training sharply decreases the likelihood of phishing success. A PhishMe report concluded that susceptibility fell to roughly 20 percent after relevant sessions on improved cybersecurity practices occurred.

Even these newer, smarter methods of phishing have telling signs. CSO stressed that malicious emails are usually more threatening or urgent than typical office communication. This is part of cyber criminals' strategy, as panicked employees are less likely to think clearly if they legitimately believe their job is on the line.

Employees should also be advised to carefully check the sender's name. If it is an unknown sender, all emails should be double-checked with the supervisor before response. Spelling and grammar are also more likely to have mistakes as cyber criminals have no corporate standard or editing department.

Business companies should be willing to partner with the experts to ensure the best training and prep programs for their employees. IT service providers like ISG prepare cybersecurity compliance as part of our extensive product portfolio. Consult with us today to find out how we can help secure your company against future data breaches. 

Lessons learned from the Bangladesh Bank hack

Years ago, bank robberies were a very physical affair. Criminals donned ski masks and shot automatic weapons in the air, shouting for tellers to step away from the silent alarm buttons. That said, it would appear thieves have decided that this is just a little too much work. Hacking banks in order to steal money allows for the same reward without having to deal with a hostage negotiator.

In fact, the most recent cyberattack levied against Bangladesh Bank shows just how lucrative these schemes can be. The hackers involved in this scenario made away with around $81 million, which is more loot than any ski-masked thug could ever carry away. However, perhaps the most interesting part of this whole debacle is that this is nowhere near what the culprits originally intended to get. Investigators have discovered that the original plan was to take close to $1 billion when all was said and done, according to Ars Technica.

Unfortunately for the individuals involved, a simple typo wrecked what could have been the biggest criminal act of all time. A transaction meant for the Shalika Foundation was spelled as “Fandation,” which tipped employees off that something was afoot. Regardless, this is still a massive undertaking that demands intense review.

“Bangladesh Bank isn’t completely free of blame.”

How did they get in?

To understand how this whole scheme began, it’s important to comprehend how Bangladesh Bank sends and receives funds. Institutions like this rely on SWIFT software, which basically creates a private network between a large number of financial organizations. This lets them send money to each other without having to worry about hackers – or so the banks thought.

Gaining access to the transactions within this network was basically impossible, unless someone were to be able to compromise a bank’s internal IT systems. This is exactly what the criminals did.

However, Bangladesh Bank isn’t completely free of blame here. The only reason that hackers were able to gain entry was because the financial institution was relying on old second-hand switches that cost about $10 each. Considering how much was at stake, pinching pennies in such a crucial department seems incredibly irresponsible in hindsight. What’s more, the bank didn’t even have a firewall set up to keep intruders out.

Once hackers bypassed this low level of security, they were given free rein to do as they pleased. Accessing Bangladesh Bank’s network allowed them to move on to SWIFT, as the cheap switches didn’t keep these two separate. However, the really interesting part of this whole criminal act was how they took the money without anyone noticing.

Why weren’t they discovered sooner?

In order to make off with the cash, the criminals had to access a piece of software called Alliance Access. This is used to send money, which allowed the hackers to increase transactions in order to make a profit. However, Alliance Access also records transactions. This was a big problem for the thieves, as they couldn’t make money if someone knew they were stealing it.

To fix this, the hackers simply inserted malware that disrupted the software’s ability to properly regulate the money that was being moved. On top of that, this malicious code also modified confirmation messages about the transactions. This allowed the criminals to continue to operate in obscurity, racking up millions of dollars without anyone being the wiser. In fact, they would have gotten close to $1 billion if one of these altered reports didn’t have a spelling error.

A small error cost these hackers hundreds of millions. The hackers could have made so much more money if they’d checked their spelling.

However, understanding so much about how Bangladesh Bank’s system worked has pointed investigators to the notion that this was an inside job. In fact, The Hill reported that “people familiar with the matter” know that a major suspect is a person who works at the bank. No one has been named yet, but getting an employee in on the job certainly makes sense.

Network assessments are a must

Regardless of whether or not this turns out to be an inside job, the fact still remains that Bangladesh Bank was incredibly vulnerable to a hack like this. Relying on cheap network switches is bad enough, but not having any sort of firewall is a major hazard that modern institutions simply cannot allow.

This is why every company should consider receiving a network assessment from ISG Technology. Our skilled experts know how to spot glaring vulnerabilities such as these, and can suggest fixes to ensure the security of private data.