According to a PricewaterhouseCoopers survey, in 2014, 69% of business executives expressed concern about cyber threats, including a lack of data security. In 2015, an updated survey increased that number to 86%. These numbers indicate that it’s clear there’s a pressing need for better cybersecurity. The issue is not going away anytime soon. If anything, it’s only getting worse.
Stronger cybersecurity has become a global priority over the last few years as hackers penetrate the IT infrastructure of government and enterprises with increasing frequency and sophistication. According to a study conducted by the Identity Theft Resources Center, the total number of data breaches reported in the US grew from approximately 400 in 2011 to approximately 750 in 2015. This represents an increase of more than 60% and does not include breaches that went unreported – a figure that is likely higher. Coupled with the Internet of Things (IoT) and the explosive growth of mobile devices, the threat landscape and potential for data leaks is even more significant.
In this E-Book, we explore the need for employees to practice strict and secure cybersecurity habits – not only to thwart digital attacks, but also to prevent someone from simply walking by their desk (in the office or at home) and picking up a device or document that contains sensitive information. We also present the key steps SMB business owners and executives can take to educate their employees to help secure their company’s data and intellectual property. We can’t stress enough the importance of security awareness training for internal employees. Education them on what it takes to protect proprietary documents and data is critical. Any leaks – unintentional and intentional – could hurt the business in the form of information that assists a competitor, violates regulations, or harms the corporate image. Leaks can also hurt employees from the standpoint of personal information that might be exposed. Lastly, customers and business partners could be at risk, compromising the industry reputation of any business that does not properly protect confidential information. It only takes one incident to completely destroy any goodwill you established and built with your customer base.
82 percent of SMBs say they’re not targets for attacks as they don’t have anything worth stealing (Towergate Insurance). In a Webroot survey, less than a quarter of respondents indicated having a dedicated in-house cybersecurity team or individual (Webroot).
It makes complete sense and sounds so simple, but keeping a clean desk is often overlooked when talking about data security. It’s also the perfect place to start the discussion with employees. Employees that keep a cluttered desk tend to leave USB drives and smartphones out in the open. They also often forget to physically secure their desktops and laptops so someone can’t simply walk off with them. A messy desk also makes it more difficult to realize something is missing such as a folder with hard copy print-outs of customer lists. In addition to increasing the likelihood of something being removed, a cluttered desk means that the discovery of any theft will likely be delayed—perhaps by days or even weeks if the employee is out of the office. Such delays make it more difficult to determine who the perpetrator is and where the stolen material might now be located. Encouraging employees to maintain a neat desk pays off in two ways. In addition to making digital and paper assets more secure, employees with clean desks are more apt to be productive because they can quickly—and safely—access the tools and resources they need to do their jobs.
The following list presents 11 “messy desk” mistakes employees are prone to commit and which could cause irreparable harm to the business, the employee, fellow employees, customers and business partners. These are all bad habits for which to educate employees to stop:
1. Leaving computer screens on without password protection: Anyone passing by has easy access to all the information on the device; be sure to lock down screen settings.
2. Placing documents on the desk that could contain sensitive information: It’s best to keep them locked up in drawers and file cabinets.
3. Forgetting to shred documents before they go into the trash or recycling bin: Any document may contain sensitive information; it’s best to shred everything rather than taking a risk.
4. Failing to close file cabinets: This makes it easy for someone to steal sensitive information and more difficult to realize a theft has occurred.
6. Neglecting to erase notes on whiteboards: They often display confidential information on products, new ideas and proprietary business processes.
7. Dropping backpacks out in the open: There’s often at least one device or folder with sensitive information inside.
8. Writing user names and passwords on slips of paper or post-its: This is especially important given that user names and passwords are typically used to log in to more than one site.
9. Leaving behind a key to a locked drawer: This makes it easy to come back later—perhaps after hours when no one is around—and access confidential files.
10. Displaying calendars in the open or on the screen for all to see: Calendars often contain sensitive dates and/or information about customers, prospects and/or new products.
11. Leaving wallets and credit cards out on the desk: This is more likely to impact the employee, but wallets may also possess corporate credit cards and security badges. The Common Messy Desk Mistakes to Avoid In today’s fast-paced world where employees are always on the go, it takes too much time to determine whether documents, USB drives, devices and other items contain sensitive information. The safe bet is to make sure everything is filed away and kept locked up or else properly destroyed.
Social engineering is non-technical, malicious activity that exploits human interactions to obtain information about internal processes, configuration and technical security policies in order to gain access to secure devices and networks. Such attacks are typically carried out when cybercriminals pose as credible, trusted authorities to convince their targets to grant access to sensitive data and high-security locations or networks. An example of social engineering is a phone call or email where an employee receives a message that their computer is sending bad traffic to the Internet. To fix this issue, end users are asked to call or email a tech support hotline and prompted to give information that could very likely give the cybercriminal access to the company’s network.
One of the most common forms of social engineering is email phishing—an attempt to acquire sensitive information such as usernames, passwords and credit card data by masquerading as a trustworthy entity. Phishing is likely the #1 primary email threat employees need to focus on. Such emails often spoof the company CEO, a customer or a business partner and do so in a sophisticated, subtle way so that the victim thinks they are responding to a legitimate request. The FBI says CEO (or C-level) fraud has increased 270 percent in the past two years with over 12,000 reported incidents totaling over $2 billion dollars in corporate losses. Among the reasons these scams succeed are the appearance of authority—staffers are used to carrying out CEO instructions quickly. That’s why phishing can be so easy to fall victim to.
The scope of phishing attacks is constantly expanding, but frequent attackers tend to utilize one of these four tactics:
Employees should always be suspicious of potential phishing attacks, especially if they don’t know the sender. Here are five best practices to follow to help make sure employees don’t become helpless victims:
Although it should be common sense, employees need to avoid the use of passwords that are easy for hackers to guess. Among the top ten worst passwords according to www.splashdata.com are those that use a series of numbers in numerical order, such as <123456>. The names of popular sports such as <football> and <baseball> are also on the list as are quirky passwords such as <qwerty> and even the word <password> itself. Emphasis should also be placed on the importance of avoiding common usernames.
While most websites don’t store actual username passwords, they do store a password hash for each username. A password hash is a form of encryption, but cybercriminals can sometimes use the password hash to reverse engineer the password. When passwords are weak, it's easier to break the password hash.
Here is a list of common word mutations hackers use to identify passwords if they feel they already have a general idea of what the password might be.
Educating end users on these tactics underscores the importance of creating long passwords (at least 12 characters) and applying multiple deviations, rather than something simple like just capitalizing the first letter.
An advanced and under-used password security tip to consider is two-factor authentication, which is a way for websites to double confirm an end user’s identity. After the end user successfully logs in, they receive a text message with a passcode to then input in order to authenticate their ID.
This approach makes sure that end users not only know their passwords but also have access to their own phone. Two-factor authentication works well because cybercriminals rarely steal an end user’s password and phone at the same time. Leading banks and financial institutions enable twofactor authentication by default, but if not, the service can often be turned on by asking the website to do so. More and more non-financial websites are now offering two-factor authentication as well.
Mobile security is increasingly becoming a big concern as more and more companies adopt Bring Your Own Device (BYOD) environments, which allow end users to connect to corporate networks through their own (often multiple) devices. Even in cases where a business does not offer BYOD, end users often find a way to log onto business networks on their own.
With personal devices accessing corporate networks, businesses must now protect endpoint devices that are not completely under their control, which opens up the business to greater risk. Trying to gain control over personal devices also presents the challenge of making sure the company does not infringe on personal apps and information employees store on their own devices.
Employees that utilize unsecured public Wi-Fi are another area of concern. Hackers in the vicinity of or on the same network can overtake a device without the end user even being aware, capturing sensitive data in transit. The end user can then become the victim of a man-inthe- middle attack, also referred to as hijacking. The hacker leverages the device so that it turns into an invasive device against other unsuspecting end users.
This is the first line of defense—if someone wants to access the device, they first need to break the code. This is not an easy task and can operate as a deterrent against theft. Some device manufacturers also provide the option to automatically wipe the device after a few unsuccessful attempts at the passcode or PIN. So even if a phone is stolen, information cannot be accessed.
Several software solutions help locate lost or stolen devices through GPS and geofencing capabilities. Apple offers a service like this for mobile devices aptly named Find my iPhone. For Android users, the Android Device Manager offers these services, and Windows mobile users have this same option from the Windows Phone website. Similarly, many third-party applications are available in each of the app stores. Do you invest in or recognize the need for cybersecurity? 82 percent of SMBs say they’re not targets for attacks as they don’t have anything worth stealing (Towergate Insurance). In a Webroot survey, less than a quarter of respondents indicated having a dedicated in-house cybersecurity team or individual (Webroot 2015 SMB Threat Report).
Phones are mini-computers, and just like “big” computers, they need to be cleaned up from time-to-time. Utilizing an antivirus and malware scanner is always a good idea. Malware can compromise information stored on mobile devices and has a snowball effect that continuously piles up until it slows downs or stops the device.
Mobile Device Management (MDM) solutions help businesses and their employees apply these best practices by providing the ability to remotely wipe any devices that are lost or stolen. Such solutions also isolate personal apps from corporate apps in separate digital containers so that personal information remains private, and when an employee leaves the company, only their corporate apps and data are deleted while their personal apps and data are left intact.
By deploying an MDM platform, businesses can also enforce the use of passcodes to access devices, and they can apply geofencing capabilities that allow a lost device to be more easily located. End users can also be restricted to using only the corporate apps for which they have proper authorization. MDM also protects devices from jailbreaking and rooting—where hackers try to gain access to the operating system to open security holes or undermine the device’s built-in security measures.
When end users venture out onto the Internet, it’s easy to get tangled up in the vast web of threats lurking on many website pages. Some of them are readily apparent, but others are well hidden.
Malvertising— a form of malicious code that distributes malware through online advertising—can be hidden within an ad, embedded on a website page, or bundled with software downloads. This malvertising can be displayed on any website, even those considered the most trustworthy. According to security firm RiskIQ, malvertising increased by 260% in the first half of 2015 compared to the same timeframe in 2014.
Social Media Scams— Hackers have created a playground of virtual obstacles across all the major social media sites. According to an article in The Huffington Post, some of the most common Facebook hacks and attacks include click-jacking, phishing schemes, fake pages, rogue applications and the infamous and persistent Koobface worm, which gives attackers control of the victim's machine while replicating the attack to everyone on their Facebook contact list.
Twitter isn’t immune to security issues either. Since the microblogging site is both a social network and a search engine, it poses extra problems. According to CNET News, just 43 percent of Twitter users could be classified as “true” users compared to the other 57 percent, which fell into a bucket of “questionable” users. Among the things to watch for on Twitter are direct messages that lead to phishing scams and shortened URLs that hide malicious intentions.
As for Web-based exploits, Internet websites are now the most commonly-used angles of attack, most often targeting software vulnerabilities or using exploits on the receiving client. This makes keeping up-to-date browsers paramount for all employees.
Cybersecurity isn’t just a matter of compliance, although customer requirements – for regulations such as HIPPA, PCI and ITAR – often drive company investment in security. Businesses should recognize that there is value in their information and view security as a strategic initiative. To start assessing possible risk, businesses need to first analyze what information they possess, and what would be at risk if it was lost. The loss of intellectual property and operational data could result in loss of competitive advantage. Compromised employee information could result in legal exposure. The repercussions of lost financial data or unauthorized access to finances could have far reaching results that extend from loss of customer confidence to the financial stability of the business.
Partnering with a Managed Services Provider (MSP) that provides IT strategy along with IT department service can bolster your cybersecurity defenses. Human error is still highly dangerous, and many employees grow complacent at some point as they fail to follow best practices, but companies that offer fully managed IT services work proactively to mitigate risk and damage, while focusing IT activity and investment on your business goals.
When cybersecurity is part of your IT strategy, you begin to view it as more than just a matter of technology, and more than just a matter of compliance. The right managed IT service company will bring IT leadership and cost effective access to cutting edge resources that will allow security to be a function that makes your business better.
As your business begins the journey to enhance its cybersecurity posture, it all starts with educating your employees. The tips provided within this E-Book along with some basic common sense can go a long way in making sure sensitive information does not fall into the wrong hands. Succeeding in applying the necessary cybersecurity measures is paramount to your long-term business success. In today’s world of advanced hackers, who revel in breaching corporate networks, confidential information will always be at risk. Businesses must take the necessary steps to protect their intellectual property, their confidential information and their reputations while also safeguarding their employees, customers and business partners.