Small Business Security: It is Hackers v. You – Don’t Let Them Score

Selling stolen IDs and other personal data is a lucrative trade for hackers. They are always looking for weak small business security and sources where vital information is stored. As a small to midsize business, you store your clients’ personal information, collected from different sources, on your computers and servers. Your point-of-sale (PoS) terminal and some website transactions can be completed only by electronic banking, credit card or debit card. Your customers have to key in their PINs or passwords to make payments, and that information has to be saved. Also, depending on the kind of services or products you provide, you may be collecting Social Security numbers, addresses, driver’s license numbers and dates of birth of your clients. Information that personal is as sensitive as it gets, and any source of it is a gold mine for a hacker. All this means only one thing for you: a small business security nightmare.

Here are the channels hackers can use to break into your IT infrastructure

Your website: Hackers have become very sophisticated in cyber attacks on websites. They can access specific information by targeting websites that hold the information they are looking for. For example, if they want only financial information about their victims, they can use tools that fish for websites carrying that kind of information. The implementation of web-based applications has made it easier for cyber criminals to connect to your website’s database. They find the loopholes and hack into systems. They can then access your customers’ personal information, allowing them to steal from your clients by committing credit card...
Mobile Hacks: Why SMBs Must Proactively Address the Threat

More cyber criminals are targeting small-to-medium sized businesses. One reason for this is that too many workplaces have insufficient bring-your-own-device (BYOD) policies in place and are vulnerable to mobile hacks. Some have none at all. Although firms are generally more knowledgeable about network security risks than in years past, they still woefully underestimate the security vulnerabilities linked to mobile devices like smartphones and tablets.

Mobile Hacks Can Be Devastating

This is a real cause for concern, since data breaches have the ability to put many already financially challenged SMBs out of business. If customer/client data has been breached, there could be potential litigation costs and, naturally, lost goodwill and an irreparable hit to brand or company reputation.

Don’t Just Say You’re Worried About the Bad Guys… Deal With Them

SMBs say they view network security as a major priority, but their inaction when it comes to mobile devices paints a different picture. An April 2013 study found that only 16% of SMBs have a mobility policy in place. Despite the fact that stolen devices are a major problem in today’s mobile workforce, only 37% of mobility policies enforced today have a clear protocol outlined for lost devices. Even more troubling is the fact that those firms who have implemented mobility policies have initiated plans with some very obvious flaws. Key components of a mobility policy, such as personal device use, public Wi-Fi accessibility, and data transmission and storage, are often omitted from many policies. Thankfully, most SMB cybercrimes can be avoided with a comprehensive mobility policy and the help of mobile endpoint and mobile device management services.

A Mobility Policy Is...
IT Defense in Depth Part II

In our last post we started talking about the different layers of security necessary to fully create an IT defense and defend your data and business integrity. Today we will look at the human aspect of it, and network defenses. The human layer refers to the activities that your employees perform. 95% of security incidents involve human error. Ashley Schwartau of The Security Awareness Company says the two biggest mistakes a company can make are “assuming their employees know internal security policies” and “assuming their employees care enough to follow policy”.

Hackers and Your IT Defense

Here are some ways hackers penetrate your IT defense and exploit human foibles:
Guessing or brute-force solving passwords
Tricking employees into opening compromised emails or visiting compromised websites
Tricking employees into divulging sensitive information

For the human layer, you need to:
Enforce mandatory password changes every 30 to 60 days, or after you lose an employee
Train your employees on best practices every 6 months
Provide incentives for security-conscious behavior
Distribute sensitive information on a need-to-know basis
Require two or more individuals to sign off on any transfers of funds
Watch for suspicious behavior

Network Layer

The network layer refers to software attacks delivered online. This is by far the most common vector for attacks, affecting 61% of businesses last year. There are many types of malware: some will spy on you, some will siphon off funds, some will lock away your files. However, they are all transmitted in the same way:
Spam emails or compromised sites
“Drive by” downloads, etc.

To protect against malware: Don’t use business devices on...
BYOD Strategy: 4 Essential Pieces For Any SMB

Believe it or not, once upon a time, kids at the bus stop didn’t have cell phones, and the BYOD (bring your own device) strategy of many businesses was typically: you’ll take what you’re given, refrain from using it for any personal use, and the data may be scrubbed clean whenever we please. We’ve come a long way.

The Blurred Lines And Reasons For A BYOD Strategy

Today, businesses really have no choice but to let employees use personal devices for work purposes. Blurred lines now make it difficult to differentiate between what is professional and what is personal. A company or organization may partially pay for an employee’s tablet computer or smartphone, but that same device is used to upload photos to Facebook or download torrents of this season of Game of Thrones. Naturally, security and privacy issues are a concern, since these devices sync to the company network. Larger corporations may be able to hire IT support or produce sophisticated BYOD guidelines for employees to adhere to, but smaller businesses have limited resources. In fact, recent surveys suggest that the small business sector is doing very little to preemptively prepare for the potential network security risks that could arise with the use of BYOD devices. Not having a BYOD strategy could prove to be disastrous. According to market stats from a survey conducted by Cisco in 2012, approximately 88% of employees are doing business on personal devices. However, only 17% of companies currently have a BYOD security policy in place, and only 29% of companies have plans to implement a mobile device security plan in the near future....
Password Security That Is Still Ignored

You can have all the locks on your data center and all the network security available, but nothing will keep your data safe if your employees are sloppy with password security. There are many ways data can be breached, and opening some link they shouldn’t is one of the most serious security sins employees can commit, but today we’ll just talk about passwords. Here are some basic practices that you should require your employees to follow. These are basic tips. System administrators should implement other policies, such as those that forbid reusing previously used passwords and that lock accounts after a few failed login attempts. But just for you as a manager, here are a few tips.

Basic Password Security Tips

Change Passwords – Most security experts recommend that companies change out all passwords every 30 to 90 days.

Password Requirements – Should include a mix of upper and lowercase letters, a number, and a symbol. Teach employees NOT to use standard dictionary words (in any language), or personal data that can be known or could be stolen: addresses, telephone numbers, SSNs, etc.

Emphasize that employees should not access anything using another employee’s login. To save time or for convenience, employees may leave systems open and let others access them. This is usually done so one person doesn’t take the time to log out and the next doesn’t have to log back in. Make a policy regarding this and enforce it.

You’re FIRED! … now give me your password

Another occasion when password security comes into play is the moment of losing an employee. It is not usually a good experience. If...
Penetration Test vs. Vulnerability Test Of Your Network

Have you ever conducted a vulnerability test on your network? If not, you might be hearing “all of your confidential information is extremely vulnerable, we know this because…” Which is very bad news, but whatever follows the ellipsis determines just how bad. Consider these two scenarios.

Scenario One

“All of your confidential information is extremely vulnerable… we know this because a hacker took all of your customers’ credit card info and locked all of your files behind ransomware.”

“All of your confidential information is extremely vulnerable… we know this because we did a vulnerability scan of your network, and have some suggestions on how you can improve.”

61 percent of small businesses are victimized by cyber attacks each year, and one in five victims do not survive. It is financially worthwhile to make sure that you end up being the person hearing the latter sentence.

Scenario 2

Scenario 2 describes the statement after you have had a vulnerability test conducted. A vulnerability test is a comprehensive audit of the security flaws that a hacker could exploit, and of the possible consequences. This is the equivalent of a doctor giving a physical examination. This information will let you know what your risks are and plan your security policies accordingly.

When And How To Conduct A Vulnerability Test

Vulnerability tests should be conducted quarterly, or whenever you are incorporating new equipment into your IT network, and can be done by in-house IT or outside consultants.

What is a pen-test: A pen-test is a simulated attack on a network to test the strength of its security. Usually, the pen-tester will have...
BYOD Security: The Good, The Bad, and the Ugly

There are a lot of advantages to mobility in today’s workforce, but the Bring-Your-Own-Device (BYOD) movement has also brought its share of headaches. And so the question: does the security risk of BYOD outweigh its great advantages? Or do the cons stop the movement in its tracks? We live in a society where everyone must have the newest technology. We are inundated with ads reminding us that the smartphone or tablet we bought just a year ago is laughably outdated and inferior to the upgrade that just hit the market. People who have just bought the latest technology don’t want to have to set it aside to use a separate company-issued device. As a result, businesses are beginning to grant these employee-owned devices access to their file and email servers, databases, and applications. While this brings certain competitive advantages to employers, it naturally carries many risks, too. Let’s begin with the pros of BYOD…

BYOD Security: The Advantages of BYOD

Greater Flexibility and Productivity – Personal devices allow workers more flexibility, which in turn can increase productivity. Today’s employee isn’t restricted to their office workstation or cubicle. They can carry out job responsibilities from home, a coffee shop, their child’s dance recital, or while traveling.

Reduced Costs – Purchasing even the most basic Blackberry for an employee can cost a company $900+ per worker. Costs like that can be completely eliminated by adopting a BYOD policy where employees are required to use their own device.

Happier Employees/Attractiveness to Job Seekers – Recent studies have found that 44% of job seekers are more attracted to employers who are open to BYOD...
Hackers Target SMBs More Than Large Business… Stay Secure

Many SMBs don’t realize it, but the path to some grand cybercrime score of a lifetime may go right through their back door. These days more hackers target SMBs than the larger corporations. SMBs are commonly vendors, suppliers, or service providers who work with much larger enterprises. Unfortunately, they may be unaware that this makes them a prime target for hackers. Worse yet, this may be costing them new business. Larger companies likely have their security game in check, making it difficult for hackers to crack their data. They have both the financial resources and staffing power to stay on top of security practices. But smaller firms continue to lag when it comes to security. In many cases, the gateway to a large company’s info and data is the smaller company working with them. Exposed vulnerabilities in security can lead cybercriminals right to the larger corporation they’ve been after.

Hackers Target SMBs with 250 or Fewer Employees

In 2012, Symantec research confirmed that hackers target SMBs with 250 or fewer employees. In fact, these attacks are on the rise. Attacks aimed at this demographic practically doubled from the previous year. This news has made larger enterprises particularly careful about whom they do business with. This means that any SMB targeting high-end B2B clientele, or those seeking partnerships with large public or government entities, must be prepared to accurately answer questions pertaining to security. This requires an honest assessment of the processes taken to limit security risks.

View Security Measures as Investments

CIOs must start viewing any extra investment to enhance security as a competitive differentiator in attracting new...
Data Protection and BYOD

BYOD refers to a firm’s policy of allowing employees to use their own personal phones, tablets and laptops for all their work applications. This is a pretty common policy, and it has many benefits, but it brings along risks. How are you addressing these risks? Here are some of the issues raised by BYOD:

A lost device – If you issue company phones, you have the ability to remotely wipe the unit clean if it is lost or stolen. With employees’ personal devices, do you still have that ability? If not, your data is at risk.

Software updates – Is the employee responsible for updating all the software and virus protection programs on their own devices? If that responsibility transfers to them, you are at the mercy of their willingness to keep track of such tedious tasks. If you accept responsibility for it, do you have the in-house staff to handle all the extra work?

Backups – With data being entered on many different devices, something must be done to ensure backup procedures are routinely followed.

In short, BYOD is probably an unavoidable approach to device management. It is unrealistic to expect people to carry around 2 different phones or tablets 24/7. But BYOD means extra work for the in-house staff of a small business. How does your company handle BYOD and data protection? Do you have any specific policies in place that work best with both worlds? Share your experience in the comments below. Have an idea for our next topic? Let us...
Everyday Human Error Can Affect Data Protection

Are you under the impression that data protection is all about putting up firewalls to protect against evil cyber attacks? Some of the biggest sources of data loss include sloppiness, human error, and just plain forgetfulness. What are some of the unglamorous things that we do every day that leave us vulnerable?

Passwords

Old or easy passwords are a good first example. Employees set up simple passwords that are easy to crack. More importantly, employees may share passwords, and many often fail to create new ones on a frequent basis. Both of these represent critical breakdowns of good data protection practices.

E-mails

Another significant problem caused by bad judgement is the tendency of people to open phishing scams. Almost everyone now knows about the Nigerian who wants to send money to your bank account, but many new scams come along every day and people fall for them. This is such a serious source of virus infection that some companies now deliberately send out their own phishing email to teach workers not to open anything from an unknown source. (The employee who opens one of these gets a pop-up screen that tells them they’ve been tricked and then offers guidelines for identifying bad emails.)

Browsing the Web

Bad websites. Yes, everyone has policies about internet use at work, but that doesn’t mean people pay attention and don’t visit places they shouldn’t. Most significantly, a lot of those “sites they shouldn’t visit” are far more likely to be infected than CNN, eBay or Amazon!

Losing Your Belongings

And finally there is just old-fashioned forgetfulness. Phones left on a barstool. Or the...