I just audited the cyber security of 4 small to mid-size companies and organizations (both non-profit and for-profit). Wow – wasn’t expecting such poor results. It reminded me of educating Boeing corp. managers and engineers in the age of Windows XP when a few departments at Boeing were still using Windows 95! Way behind the times and yet the departments were part of the leading aerospace company in the world!
While everyone knows the possible dangers of scams and malware on a personal level, many companies may not be aware of just how weak their cyber security systems are to defend against attacks from the Dark Web. Cyber attacks on corporations are on a steady rise. According to a study by the Ponemon Institute, the cost of fighting cyber attacks went up 96% in recent years. There was a 176% increase in attacks with around 138% attacks successfully hacking their target.
Cyber hackers have successfully stolen information from top companies such as Target, Google, Yahoo, Neiman Marcus, Michaels, AT&T, eBay, PF Chang’s, Home Depot, UPS, a number of utility companies, and more. According to an annual report on internet security by Symantec, 5 out of 6 companies with over 2,500 employees were the targets of cyber attacks. These statistics only cover the readily available information. They do not account for cyber attacks that have not been found yet. The Ponemon Institute’s survey placed the average amount of time to find an attack at 170 days after the initial infiltration. Not only are cyber attacks hard to find, but they take significant amounts of time to clear up; the Ponemon Institute pegged the average time to recover from an attack as taking 45 days. That gives hackers, on average, about 215 days to steal company information.
Many attacks come as phishing and fraudulent email campaigns. Just one employee who accidentally engages with a hacked email message can create a breach in the company’s internet security big enough for hackers to make their move. Over the past couple of years, email scams have become more effective and precise at targeting different companies. Some cyber attacks originate from within a company. An intentionally malicious employee can use their internal access to damage the cyber security of their company. Additionally, many malware schemes target Point of Sale (POS) systems, as was the case with Michaels and Aaron Brothers, allowing hackers to steal customer credit card information.
Dealing with cyber security attacks is highly expensive. Hiring cyber security help, closing down programs to prevent further contamination, and loss of customer trust all lead to major profit losses. While the majority of attacks aim for big companies, small companies are still at significant risk. There may be fewer targeted attacks, but smaller companies tend to have fewer cyber security protocols, and therefore when an attack comes, there is less in place to stop it. Time estimates that non-targeted attacks continue to grow as well, with 1 million new threats arising every single day. Symantec/NCSA estimate cyber attacks cost medium/small businesses around $188,000 and forced most of the businesses to close shop within six months.
The good news for small companies is that they require much less protection than bigger companies. Because most of the attacks are untargeted, without a hacker specifically trying to break your company’s security, small companies usually only need to standardize their security rather than specialize it.
So, what to do?
The first step is to start encrypting all of your sensitive data. Most computers come standard with encryption software. When crucial information such as social security and credit card numbers is simply being stored and not transmitted, this data should always be encrypted. The process only takes a few minutes. Encryption programs generally only work when users have logged out of the computer, so companies should also set up an automatic sign-out system for their computers so they will be protected when not in use.
Physically securing your computers in the office can also help protect your company. Many small company attacks actually come from burglars stealing company technology. Burglars are constantly fighting time in an effort to avoid being caught, so adding physical locks and obstacles on the computers can slow down burglars enough to prevent the theft.
A very important key to protecting your company is to make sure the company wifi is encrypted. Wifi should be password protected and the passwords should be as complex and random as the modem allows. This will prevent hackers from forcing their way onto your wifi network, which would give them access to your company computers and files. The best way to prevent wifi attacks, however, is to do away with wifi completely and use wired internet exclusively. The increased hassle of wiring the office will pay off in the reduced chance of hackers getting into the network. Hackers would need to physically connect to the network rather than simply connecting to the wifi from nearby locations.
There are a number of different software products on the market to help both individuals and companies protect themselves against cyber attacks. For individuals, a software suite is the most recommended method of protection. Software suites contain not only anti-virus protection but also anti-malware, scam protections, firewalls, and warnings about potentially dangerous sites. The real world test puts the security programs out onto the internet and studies how well they perform across the huge spectrum of malware, hacking, and spam programs the internet currently has to offer. Symantec’s Norton Security is one of the best security suites for cross-platform protection (but there are many other great choices as well).
Companies should also invest in security suites for all company computers, but may also require higher-level protection. Many security tools work just as well for companies as they do for individuals, with competitive prices when purchased in bulk. Businesses should assess whether they need specific software to meet particular needs. For example, companies that store sensitive personal information of employees or customers should get higher-level encryption software such as Folder Lock or Advanced Encryption Package Pro. Both packages offer the best in modern-day software encryption, as well as additional features such as file shredding.
For companies that send sensitive information through email, encryption software for those emails is essential. There are good tools out there for email encryption too. Many services are accessible across almost all platforms and have various verification methods. They have easy one-click encryption that is top of the line. They also secure bulk emails and email replies to make communication throughout the company quick, easy, and safe.
Trying to figure out where a company’s weakest area of cyber security is can be difficult. Many security tools out there provide vulnerability assessment and management to alert users of possible areas of security weakness. Companies can then directly address potential problems.
Employers also need to do their research, or better, hire an expert to educate the employees on proper internet safety to reduce the risk of a successful cyber attack. Many cyber attacks hit their mark through email campaigns. The emails get blasted to everyone at a company. Even when 99% of the company recognizes the spam, just one person can cause a breach. By educating your employees, the chance that anyone will allow a cyber attack drops significantly. Security companies can also be hired for general protection. They are specially trained to monitor your company and can spot cyber attacks much faster than the untrained eye.
For companies that do fall victim to a cyber security attack, the faster they address the attack, the less damage will be caused. The first step is stopping the attack and assessing the damage. Security companies will be able to help you fix the security breach and figure out how much damage has been done. Customers should be alerted if their personal information was possibly stolen. The police should be contacted and may recommend bringing a case to the FBI. If money was taken, they will help to catch the perpetrator and get your money back. It is also important to immediately address any negative reputation that may result. Online reputation firms such as my firm specialize in helping companies reduce negative publicity and recover their good name.
In fact, I can provide you a complimentary security audit to see what you need for your business or organization. I will look into your firewall, anti-virus, email security, physical security, cloud security and file/folder encryption, etc. Just email me at firstname.lastname@example.org and I will get the process going.