Two weeks ago, I presented six points of best practice for your small business when it comes to cybersecurity. This week I’m going to dive just a bit deeper into prioritizing cybersecurity in your business.
Every office team has its own dynamics, but there is always a leader – and if you’re reading this, the leader is probably you! So, how can you lead your team in good cybersecurity hygiene? Start with information, then make a plan or two, follow up by being an example, AND never let cybersecurity fall to the bottom of your to-do list!
What information do you need to know?
First, every business, no matter its size, is likely to be someone’s target. Second, the very things that every business owner wants to achieve – name recognition, online presence, success, and growth – are the very same things that make you a bigger target. Third, the most successful attacks are nearly always the result of human error; essentially, we let our guard down and the bad guys get their foot in the door. Fourth, and this is really important, the higher your position in your company, the more likely it is that you will be the vector of an attack. Lastly, do not be dismayed – because you can defend yourself and your business!
Facts and Stats:
The FBI’s Internet Crime Complaint Center – affectionately known as IC3 – publishes an annual statistical report [1]. Here are some facts and figures for 2019.
In 2019, total reported losses from Internet crime were $3.5 billion.
The 2019 count of reported victims and dollar loss, by crime type:

Crime type                          Victims    Reported loss
Phishing/Vishing/Smishing/Pharming  114,702     $57,836,379
Non-Payment/Non-Delivery             61,832    $196,563,497
Spoofing                             25,789    $300,478,433
Confidence Fraud/Romance             19,473    $475,014,032
Identity Theft                       16,053    $160,305,789
Employment                           14,493     $42,618,705
Government Impersonation             13,873    $124,292,606
Tech Support                         13,633     $54,041,053
In 2019, the IC3 received 23,775 Business Email Compromise (BEC) / Email Account Compromise (EAC) complaints with adjusted losses of over $1.7 billion.
“BEC/EAC is a sophisticated scam targeting both businesses and individuals performing a transfer of funds. The scam is frequently carried out when a subject compromises legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds. (T)he scam evolved to include compromise of personal emails, compromise of vendor emails, spoofed lawyer email accounts, requests for W-2 information, the targeting of the real estate sector, and fraudulent requests for large amounts of gift cards…(and) the diversion of payroll funds. ”
“Tech Support Fraud continues to be a growing problem. This scheme involves a criminal claiming to provide customer, security, or technical support or service in an effort to defraud unwitting individuals. Criminals may pose as support or service representatives offering to resolve such issues as a compromised e-mail or bank account, a virus on a computer, or a software license renewal. Some recent complaints involve criminals posing as customer support for well-known travel industry companies, financial institutions, or virtual currency exchanges.”
“Ransomware…In one scenario, spear phishing emails are sent to end users that result in the rapid encryption of sensitive files on a corporate network. When the victim organization determines it is no longer able to access its data, the cyber actor demands the payment of a ransom, typically in virtual currency. The actor will purportedly provide an avenue to the victim to regain access to its data once the ransom is paid.”
What to do?
Start today, not tomorrow, to make security a priority for your business!
Do NOT put your head in the sand! Start reading up on the cybersecurity attacks that are hitting your business model, and listen to your peers when they talk about attempted attacks on their businesses. Then carry that dialog through to your staff – the more you talk the more everyone will be aware. I have a great app on my phone that notifies me when a cyber-security incident has occurred.
Bring a pro in to train you and your staff about social engineering (yep, TRG does training!). Your trainer can show you what social engineering looks like, how to limit your vulnerabilities, what red flags to watch for, and how to manage social media – which is one of the biggest vectors leading to attacks.
Simulate attack scenarios with your staff and with your IT company. We call it role playing – we sit down with an employee and say “what would you do if…” So, you should plan both how to defend your business AND what to do if someone does click on that link in that email. To err is human; to recover your data without loss is divine! Write out the plans you develop so that all of your staff can learn them. In fact, this planning is a natural starting point for policy updates.
Last, but most important of all: be the leader! Scrutinize your own online habits to make sure that you are setting high standards. If your staff uses Chrome, are you enforcing browser security and privacy settings? Do you send out confidential emails willy-nilly, without using encryption? How secure are your passwords? Set the standard high, and raise awareness of the vulnerabilities you have, so that you and your staff start developing better digital hygiene habits.
Please join the conversation! The next contribution in this series will be about the maintenance and monitoring that a small business network needs for good health.
[1] FBI – Cyber Division, “IC3.gov,” 11 February 2020. [Online]. Available: https://pdf.ic3.gov/2019_IC3Report.pdf.