5 Steps To Prevent Cybercrime
You may believe that cybercrime only happens to large corporations or big businesses. However, Scott Augenbaum, retired FBI special supervisory agent, found that victims of cybercrime share four commonalities. To help keep yourself off the victim list, here are five simple steps to help prevent cybercrime in your personal life and your business.
STOP USING THE SAME PASSWORD FOR EVERYTHING
If you do nothing else, stop using the same password for everything, or for more than one thing. Using the same password for different accounts just hands over your password to the bad guys. Fact: Compromised credentials are used in more than 40% of data breaches. Almost all of those credentials came from other hacks where the criminals pulled down huge lists of usernames, usually email addresses, and passwords. If you use the same password for LinkedIn and your business email, and Mr. and Mrs. Criminal got a copy of the LinkedIn user database (and this has happened multiple times)… now they have access to your email. Yes, it’s that simple. Read this article from LastPass for more details on the risks: https://blog.lastpass.com/2021/09/breaking-the-cycle-of-password-reuse/
ENABLE MULTI-FACTOR AUTHENTICATION (MFA) ON AS MANY ACCOUNTS AS POSSIBLE
Enable MFA on as many accounts as possible, especially your business email account. According to Microsoft, 99.9% of Business Email Compromise (BEC) instances would have been prevented if MFA had been in use. The majority of cases we have been involved with didn’t have MFA enabled. It’s such a simple precaution, and it acts as a safety net for any of your passwords that do leak out.
LEARN TO RECOGNIZE PHISHING AND SOCIAL ENGINEERING SCAMS
Educating yourself and your business on these most common threats will really decrease the risk of falling victim to a phishing email. All data breach events were the result of one of two things: (A) Someone did something they should not have done, such as clicking that link in the phishing email, or using the same password multiple places, or (B) Someone didn’t do something they should have, such as updating software to close a vulnerability.
USE A PASSWORD MANAGER
Supporting bullet point #1, use a password manager to handle all of your good, secure, unique passwords.
GET CYBER INSURANCE FOR YOUR BUSINESS
Get an appropriate Cyber Insurance policy for your business. Every business should have coverage because you never know what can happen.
WILL THESE TIPS WORK?
I will guarantee you this: If you take this advice and diligently follow these 5 strategies, you will greatly reduce your risks of falling victim to all manner of cybercrime in your business or personal lives.
IS THIS ALL I NEED TO DO TO PROTECT MYSELF OR MY BUSINESS?
No. But without these foundational security strategies in place, spending all manner of money on fancy cyber tools, BCP/DR services, Intrusion Detection Systems and all the fancy buzzwords in the cyber security space won’t yield the results you expect.
LEADING CAUSE OF CYBERCRIME
Every single breach that RealTime has been consulted on was the result of failings in these subjects. The leading cause of cybercrime was successful phishing attempts, which give criminals access to the victim’s business data and communications. The second leading cause was poor password hygiene, usually in the form of using the same passwords everywhere.
COVID-19 Relief Check Risk
COVID-19 AND RELIEF CHECK SCAMS
The rollout of COVID-19 relief checks in the US has created a new open door for cybercriminals.
An estimated 4,300 malicious web domains related to COVID-19 relief have popped up in the last month, and Google reports that they’re stopping 18 million suspicious COVID-19 related emails per day.
-IDAGENT
With “Where’s my stimulus check?” a top query on Google, many of these domains are being used to snare unsuspecting users into giving away their personal information. There’s a huge onslaught of phishing attacks that aim to capture personal information or deliver malware using COVID-19 money as a hook.
With most people working remotely, warn your staffers to be on the lookout and to be very wary of downloading any type of guide that claims to help them get their stimulus check, or anything else of that nature. If a staffer checks their personal email on their work computer and downloads a guide that turns out to be malware, it’s now a business problem.
STAY AWARE AND SKEPTICAL WITH EVERY EMAIL THAT ARRIVES, BUSINESS OR PERSONAL.
WHY CYBERCRIMINALS ARE ZEROING IN ON SMALL BUSINESSES
Large corporations have the resources to invest heavily in the most sophisticated security strategies and successfully stop most cybercrime attempts. A typical large enterprise may have over twenty in-house dedicated IT employees ensuring that every device connecting to their network is adequately protected.
In comparison, Small Businesses (SMBs) have neither the money nor the manpower of large enterprises and can’t afford the same level of security. Very few SMBs have full-time IT dedicated personnel on hand to run routine security checks. Even those who do have in-house IT support often find that their internal resources are too bogged down with other tasks to properly address security upkeep.
SMBS ARE NOT “TOO SMALL TO MATTER”
Since most cybercrimes affecting smaller businesses go unreported by the media, there is no sense of urgency by SMBs to prepare for cyber attacks. Too many SMBs mistakenly view their operations and data as trivial to hackers. They feel that large online retailers, global banks, and government entities are much more attractive targets for hackers.
The goals and methods of cyber attackers are evolving and will continue to evolve. The era of one “big heist” for hackers is over. Cybercriminals today often prefer to infiltrate the data of many small businesses at once, stealing from victims in tiny increments over time so as to not set off an immediate alarm. This method takes advantage of those SMBs who are especially lax with their security processes and may not even realize there has been a security breach for days or sometimes even weeks.
SMBS - THE ACCESS RAMP TO BIGGER & BETTER DATA
SMBs, however, are often the inroad to larger, better-protected entities. They are often sub-contracted as a vendor, supplier, or service provider to a larger organization. This makes SMBs an attractive entry point for raiding the data of a larger company. Since larger enterprises have more sophisticated security processes in place to thwart cyber attacks, SMBs often unknowingly become a Trojan horse used by hackers to gain backdoor access to a bigger company’s data. There is malware specifically designed to use an SMB’s website as a means to crack the database of a larger business partner.
For this reason, many potential clients or business partners may ask for specifics on how their data will be safeguarded before they sign an agreement. Some may require an independent security audit be conducted. They may also ask SMBs to fill out a legally binding questionnaire pertaining to their security practices.
Moving forward, an SMB that is unable to prove it is on top of its infrastructure’s security will likely lose out on potentially significant deals and business relationships. More large enterprises are being careful to vet any business partners they’re entrusting with their data.
TO STAY SECURE A GOOD DEFENSE IS THE BEST OFFENSE
SMBs must understand that the time has come to get serious with their security.
Cybercrime is only one cause of compromised data. There are 3 primary causes of breached security at businesses according to the Symantec Global Cost of a Data Breach study. Only 37% are attributed to malicious attacks. The remaining 64% are human error and technology errors.
Data breaches aren’t always about bad people doing bad things. Many are the result of good employees making mistakes or of technology failure. SMBs don’t necessarily need a large budget or dozens of employees to adequately protect sensitive data. A secure environment is possible even on an SMB’s budget.
REALTIME CAN PUT TOGETHER A GREAT DEFENSE FOR YOUR BUSINESS
Contact RealTime now to discuss a great defense for your business. Email us here or call us at (334) 678-1417.
5 FOUNDATIONS OF A SOLID CYBERSECURITY PLAN
Identify - Define your business assets and what you need to protect.
Protect - Operate securely and actively protect your valuable information.
Detect - Observe and alert on bad behaviors and other indicators of compromise.
Response - Guide your actions with your response plans.
Recovery - A safety net is imperative for a solid Continuity and Disaster Recovery Plan.
CRAFTING A SOLID CYBERSECURITY PROCESS
The first steps in crafting a solid cybersecurity process for your business fall under the IDENTIFY domain: perform a Risk Assessment, a Vulnerability Assessment, and an Impact Analysis on your business to help document your business risks.
Let’s dig into this a bit. Beware, lots of links ahead!
Here is a great resource that you’ve already paid for with your tax dollars – the NIST Small Business Cybersecurity corner, https://www.nist.gov/itl/smallbusinesscyber. NIST has a roadmap, https://www.us-cert.gov/sites/default/files/c3vp/smb/DHS-SMB-Road-Map.pdf, to help visualize the journey to improved cybersecurity for your business. This guide covers the five foundations discussed earlier in a user-friendly format: https://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf.
Risk Assessment – compare proven best practices against how your business approaches various actions/processes that can impact your security. RealTime has a shortened Risk Assessment to get you started, all based upon the NIST Cybersecurity framework. Save some time by calling us to review your processes or use the full assessment using the NIST framework tools provided below:
Latest NIST CSF Framework PDF, version 1.1 https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
Spreadsheet to perform the evaluation with https://www.nist.gov/document/2018-04-16frameworkv11core1xlsx
Vulnerability Assessment – Test your network inside and out for technical holes using this assessment. A competent professional should perform this step and RealTime is available. You can do this yourself, but it’ll be faster, cheaper, and better to engage a professional to perform this step.
Business Impact Analysis – Outline the most important things your business does and technologies or systems used to perform these important functions. This will help you focus your resources where you can get the most positive impact to your business. A Business Impact Analysis is definitely a DIY step – no one knows your business better than you. RealTime can help guide the process and the risk discussion if you need it.
IDENTIFIED RISKS AND POTENTIAL IMPACTS
After you’ve gathered this information, prioritize your findings to help make educated decisions on:
What risks you need to mitigate now;
What risks to plan to address in the future;
What risks you choose to accept for now.
The goal is for your business to understand what your identified risks are and the potential impacts; this allows you to prioritize and begin mitigating those risks. Most small businesses find that many risks are process/procedure oriented. These things can largely be addressed internally with proper staff training on new processes.
Additionally, it is likely that there will also be technical risks and these will need to be addressed by your Technology Department or an outsourced provider like RealTime.
ARE YOU GOING TO SLEEP WELL TONIGHT?
We hope this piques your interest in getting on the path to improving cybersecurity for your business. EVERY business, small or large, needs a comprehensive cybersecurity program now more than ever. Call us at (334) 678-1417 if we can help, or fill out the form below.
Pro tip – this is part of RESPOND, but is something you’ll want to have in place sooner rather than later – Cyber liability insurance. Talk to a qualified insurer, ask lots of questions and make sure the policy is going to be effective in providing the coverage your business needs.
[Guest post written by RealTime VP Todd Swartzman]
WANT ADDITIONAL RESOURCES?
We have resources such as a Business Impact Analysis spreadsheet and other items to help your business. Just fill out the form below and we will help you out.
Play Hard To Get With Strangers
October is Cyber Security Awareness Month
Phishing
Play hard to get with strangers.
Cyber criminals cast wide nets with phishing tactics, hoping to drag in victims. Seemingly real emails from known institutions or personal contacts may ask for financial or personal information.
Cyber criminals will often offer a financial reward, threaten you if you don’t engage, or claim that someone is in need of help. Don’t fall for it! Keep your personal information as private as possible. If they have key details from your life—your job title, multiple email addresses, full name, and more that you may have published online somewhere—they can attempt a direct spear-phishing attack on you. Cyber criminals can also use social engineering with these details to try to manipulate you into skipping normal security protocols.
If you’re unsure who an email is from—even if the details appear accurate—do not respond, and do not click on any links or attachments found in that email. Always avoid sending sensitive information via email.
If you receive a suspicious email that appears to be from someone you know, reach out to that person directly on a separate secure platform. If the email comes from an organization but still looks ‘phishy,’ reach out to them via customer service to verify the communication.
*This information is courtesy of the Department of Homeland Security as part of the 2018 National Cybersecurity Awareness Month.