Like any industry, cybercrime is continually evolving. New trends emerge, and new threats pop up all the time. October is National Cybersecurity Awareness Month, making this the perfect time to review and refresh your cybersecurity knowledge.
Here are four things you need to know right now:
In August 2018, 1 in every 480 emails contained malware and 1 in every 3338 emails was a phishing email (the numbers are a lot worse when you look at a highly targeted industry like finance).
Anecdotally, a lot of the phishing emails we’ve seen recently have just been more convincing than they were in previous years. They look much more like legitimate emails. They lead to landing pages that look real. If you aren’t looking for a red flag, these would be almost impossible to spot. Here are a few examples we’ve seen recently targeting the real estate industry.
But the plural of anecdote is not evidence, so here’s more research: Symantec found that while the overall number of phishing attacks went down slightly in 2017, the percentage of targeted attacks went up. Targeted attacks, like CEO impersonation attacks, where the cybercriminal has researched your company, are typically a lot harder to spot.
Last week, Microsoft announced an Authenticator app that lets you log in to your account without using a password at all. It marks a big step in the direction of getting rid of passwords altogether—something many members of the tech community have been advocating for.
Passwords just aren’t a great a method of protecting an account anymore. They’re too easy to steal or get around. This doesn’t mean passwords are going anywhere any time soon. They’re too ingrained in everything we do in tech right now.
For right now (meaning the next few years at least), you need a way to make your passwords more secure. The best way to do this is a combination of a strong password stored in a password manager and multi-factor authentication. In the long term, you may want to start looking at alternate authentication methods for your company.
This is actually the Department of Homeland Security’s theme for the 2018 National Cybersecurity Awareness Month!
Anyone can be a target of cybercriminals, so security is everyone’s responsibility. Of course, your IT team still needs to own handling cybersecurity from a tools and management standpoint. But everyone in your organization needs to be able to recognize the signs of a cyber attack and know what to do next.
While traditionally, upper-level executives have been the big targets for cybercriminals, more recently lower level employees have become targets, too. This is typically because of their unique access—executive assistants have send-as email privileges for executives, mid-level HR folks have access to personnel files, and lower level accounts receivable employees have access to financial information and bill pay.
This doesn’t mean everyone on your team needs to become a cybersecurity expert. But they do need to know the basics and what your policy is if they spot something weird.
You also need to provide them with the right tools. Look at tools that cut down on the number of malicious emails coming through (this is typically in addition to just spam filters) and something like multi-factor authentication that can protect an account even if a cybercriminal gets the password.
If you don’t know what you have in your network, you can’t protect it. As cybercrime evolves and privacy laws become stricter, it’s vital that you know what’s in your network. This means everything from hardware like computers to line of business applications to user accounts—even down to the types of data you have.
It’s not unusual for us to do a network assessment for a company and find equipment they didn’t know they still had running—even full servers. Or for the company to still have active user accounts for employees who left the company. Those are both a considerable security risk.
You also need to know what kind of data you have in your organization and categorize it correctly. Privacy laws, like the EU’s General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act put much stricter standards on how companies handle consumer data (and you don’t have to be located in those areas for the laws to apply to you).
If you’re working with an IT company, talk to them about what’s in your network and what tools you can use to help meet these regulations. One of our favorites is Office 365 Data Loss Prevention which can automatically identify sensitive data and put controls in place to prevent it from being sent outside your company.
If you want more information about cybersecurity for small businesses, check out our additional resources below. If you are a PTG customer and want additional training tailored for your company, please let us know!