By: Brian DeVault
As your company grows in size and reputation, your chances of being the victim of a cyber attack increase. That is why you need to start thinking of the best ways to go about protecting your business. It is important to know what types of dangers your company is at risk from and how to prevent a cyber attack before it happens. This video will explain some of the main cybersecurity threats and how to safeguard against them.
What Is A Cyber Posture?
A cyber posture, also called a security posture or cybersecurity posture, refers to a company’s ability to assess and protect against cyber threats such as hacking, data theft, or end user error. There are several areas of focus for an organization to begin to improve their cyber posture, including:
- Administrative tasks like policies, procedures, documentation, and insurance
- End user tasks like training and testing
- Assessing the security of mobile devices used by employees
- Assessing the security of computers used by employees
- Assessing what data is revealed to contractors and third parties
- Assessing the security of the networks used by the company
- Assessing the security of cloud and on premises applications
It is important to assess your organization’s security processes and attitudes in each department, while also being aware of your organization’s size and industry. Research has shown that departments like customer service, legal, sales, and distribution are more likely to have a poorer awareness of security best practices, while departments like IT, marketing, human resources, and management are more likely to have a greater understanding. It has also been shown that the smaller an organization is, the more likely it is to have a poor cyber posture, and that some industries, such as retail, agriculture, education, and construction, are less prepared for a cyber attack. You can read more details of that study in New Study Links Employee Sentiment to Security Posture.
Cybersecurity has grown vitally important since 2020, as there has been a dramatic increase in cyber attacks since that time. In fact, a 2019 study by RiskIQ reported that cyber attacks cost companies $2.9 million every minute (source). Another recent study by Insight and IDG has shown that 78% of executives lack confidence in their company’s cybersecurity posture, prompting 91% of companies to increase their 2021 security budgets (source). Below, we list several types of threats that are common in today’s cyber landscape to increase your awareness of the threats that may target your business.
End User Risks
An end user is a person or organization that consumes or uses the goods or services produced by businesses. In this way, an end user may differ from a customer, since the person or organization that buys a product or service may not be the one that actually uses it.
End users introduce 90% of the risks into IT environments. End users introduce security vulnerabilities every day by falling victim to phishing scams, social engineering ploys, and user error, and by accidentally leaking confidential information through email and file sharing. For example, you could have just purchased a product that you were very happy with and posted on social media about it. You then receive an email from someone you believe to be the CEO of the company you just happily bought from, asking for further information for a survey they are doing or something along those lines, and just like that you’ve become a victim of a phishing attack and put your company at risk along the way.
Keep yourself and your business safe from these types of attacks with employee education on security. It’s fine to click on links when you’re on trusted sites; however, clicking on links that appear in random emails and instant messages isn’t such a smart move.
Another important tip is to train employees to hover over links before clicking on them. Do they lead where they are supposed to lead? A phishing email may claim to be from a legitimate company, but when you click on a link it will take you to a website that looks exactly like the real website, but the URL will be different. For example, the real password reset link for Facebook is here; however, a scammer may create their own similar page with a different URL, such as tacebook.com (notice the F has been replaced with a T?). When in doubt, go directly to the source rather than clicking a potentially dangerous link.
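The hover check can also be automated at the mail gateway. The following is an added example, not part of the original post: it compares where each link in a message really points with the address its text displays, and flags domains within two character edits of a trusted one, as with tacebook.com. The trusted list, the sample message, and all function names are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"facebook.com"}  # assumption: your own allow-list goes here
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)
# Constructed sample message body; every URL path in it is made up.
SAMPLE_EMAIL = """<a href="https://www.tacebook.com/recover">www.facebook.com</a>
<a href="https://www.facebook.com/help">Help Center</a>
<a href="https://survey.example/form">Take our survey</a>"""

def edit_distance(a, b):  # Levenshtein distance, computed one row at a time
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_of(url):  # lower-cased hostname of a URL or bare host/path, minus "www."
    host = (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def classify(host):  # "trusted", "lookalike" (close to a trusted domain) or "unknown"
    if any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
        return "trusted"
    tail = ".".join(host.split(".")[-2:])  # simplification: ignores co.uk-style suffixes
    return "lookalike" if any(edit_distance(tail, d) <= 2 for d in TRUSTED_DOMAINS) else "unknown"

class LinkCollector(HTMLParser):  # collects (href, visible text) for every <a> element
    links, href = (), None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href"), ""
    def handle_data(self, data):
        if self.href is not None:
            self.text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.links += ((self.href, self.text.strip()),)
            self.href = None

def review_links(html):  # where each link really goes, and whether its text claims otherwise
    collector = LinkCollector()
    collector.feed(html)
    return [{"target": host_of(h), "verdict": classify(host_of(h)),
             "mismatch": bool(URL_LIKE.fullmatch(t)) and host_of(t) != host_of(h)}
            for h, t in collector.links]
```

A "lookalike" verdict or a text/target mismatch is a signal to quarantine or banner the message, not proof of phishing; unknown domains still need the user's judgment.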
Cloud Threat Vectors
The cloud has been around for many years now and is no longer considered an emerging technology, but it’s certainly an area where you want to focus on security. Sometimes, the biggest threats to an organization’s cloud security are internal. Insider threats are usually seen as more hazardous than outsider threats as they can take several months or years to identify.
The attackers are usually individuals with legitimate access to an organization’s cloud systems. Whether they happen unintentionally or maliciously, insider threats will cause a lot of harm to your cloud system. Therefore, it is essential to detect, investigate, and respond to them as fast as possible.
The reason why these attacks can go undetected for long periods is that businesses lack the proper systems to identify these attacks and are unprepared to identify and resolve them. This is an instance where having an MSP (Managed Service Provider) or MSSP (Managed Security Service Provider) is crucial to detect this for you. In addition, companies have little to no control over underlying cloud infrastructure. Traditional security solutions may not be effective as long as significant power remains with the vendors.
Monitoring user analytics and gaining visibility into behavioral anomalies can signal an active insider threat, as can putting employees and processes to the test with adversary simulation and control tuning.
Data Threats
Hackers are able to create revenue opportunities out of stolen data. As the world becomes more electronic with digital transformation, hackers are more on the prowl than ever. For instance, hospitals putting their medical records online and opening up portals to customers are an opportunity that somebody could use to potentially steal data. The same goes for any type of business: if it has PII (personally identifiable information) stored within its systems, there has to be proper security in place because the risk is too high nowadays.
Employees sharing sensitive data either publicly or with third parties outside the company can spell disaster. This usually happens out of carelessness: a reply-all button is hit instead of a single reply, information is sent to the wrong email address, or something is accidentally posted publicly.
These kinds of incidents are rarely helped by training as they represent human errors which we are all prone to. Specialized software like Data Loss Prevention (DLP) tools can help organizations keep track of sensitive data and ensure that its transfer, whether by email or other internet services, is limited or blocked altogether.
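To make the idea of a DLP rule concrete, here is an added example (not from the original post, and not any vendor's product) of an outbound email check: it looks for payment card numbers, confirmed with the Luhn checksum, and SSN-formatted numbers, and blocks the message only when such data is headed to a recipient outside the company. The company domain, the block policy, and the sample messages are assumptions.

```python
import re

COMPANY_DOMAIN = "example.com"  # assumption: the sender's own mail domain
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")  # 13-19 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")    # US SSN layout only, not validity

# Constructed sample messages: (recipients, body). The card number is the
# widely published test value; the SSN-style number uses the invalid 000 area.
SAMPLES = [
    (["alice@example.com", "bob@partner.example"], "Card on file: 4111 1111 1111 1111"),
    (["hr@example.com"], "New hire SSN is 000-12-3456"),
    (["bob@partner.example"], "Your order number is 1234 5678 9012 3456"),
]

def luhn_ok(digits):
    """True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0

def find_sensitive(text):
    """Return (kind, masked value) pairs; raw values never leave this function."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):                 # drops order numbers and other look-alikes
            hits.append(("card_number", "*" * (len(digits) - 4) + digits[-4:]))
    hits += [("ssn_format", "***-**-" + m.group()[-4:]) for m in SSN_RE.finditer(text)]
    return hits

def check_outbound(recipients, body):
    """Block when sensitive data is addressed to anyone outside COMPANY_DOMAIN."""
    external = sorted(r for r in recipients
                      if not r.lower().endswith("@" + COMPANY_DOMAIN))
    hits = find_sensitive(body)
    action = "block" if hits and external else "allow"
    return {"action": action, "external": external, "hits": hits}
```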
Physical theft of company devices is a big issue as well. In today’s increasingly mobile work environment, employees often take their work computers and portable devices out of the office. Whether working remotely, visiting clients, or attending industry events, work devices often leave the security of company networks and become more vulnerable to both physical theft and outside tampering. Encryption is always a good solution to guard against physical theft. Whether it’s laptops, mobile phones, or USB drives, encryption removes the possibility that anyone who steals them can access the information on them. Enabling remote wipe options can also help organizations erase all data on stolen devices from a distance.
At the end of the day, the best option for you may be to invest in an MSP or an MSSP like NETRIO to handle these types of threats on your behalf so you can focus on running your business instead of cybersecurity. This blog post is part of NETRIO’s weekly Whiteboard Wednesday series. Follow along on LinkedIn and YouTube each week as Brian and Mike discuss use cases, new technology, and trends.