TCS is committed to educating our client base and small-to-medium sized organizations at large about Cybersecurity – the existing threats out there and how best to protect against and mitigate the effects of those threats.  To some, that can sound scary.  The scary reality is that there are real threats out there that can disable and sometimes even pose an existential threat to your company or organization.  Sticking our collective heads in the sand is not a viable option.

The Distinction between Scare Tactics and Education

So what is the distinction between educating about scary topics and using scare tactics?  Education first seeks to increase awareness, not for the sake of scaring but for the sake of providing reasonable dialogue regarding ways to protect against those scary outcomes.  Scare tactics seek to manipulate emotion and shut down dialogue.  They present no discussion, but only seek to scare someone into a decision.  Education, on the other hand, presents the potential scary scenarios and then reasons through a range of solutions to protect against them.

For instance, there is a world of difference between informing someone that accounts tied to their organization are available for sale on the dark web, and detailing every scary outcome that could result from that vulnerability.  Scare tactics use threatening language to get their desired outcome while education seeks to have a simple conversation.  The fact of the matter is that those accounts for sale on the dark web may not have the most current password associated with that login, which makes it less of a threat.  Nevertheless, a conversation can be had regarding how even old passwords can give attackers clues as to how you typically approach creating your passwords.  Simply changing the password may not be the best solution in that scenario. 

TCS Is Committed to Cybersecurity Education

Is your MSP doing a good job of educating you on those matters?  Do you know whether you have compromised accounts on the dark web?  If your internet/email domain has been online for more than a few years, then chances are you do have some compromised accounts.  The real question is, do you know what those accounts are and what you have done as a result?  The only thing that makes this scenario scary is the unknown.  TCS seeks to take out that unknown and educate organizations on how they can respond in a way that mitigates the ill effects of compromised accounts.

Coming out of the Dark

What differentiates TCS from other MSPs?  In this context, TCS doesn’t want you to be in the “dark” (pun intended) regarding your Cybersecurity position.  We encourage all Cybersecurity education, whether it comes from TCS or not.  Hopefully, if someone comes along and mentions to one of our clients that they have compromised accounts on the dark web, our customer is educated in Cybersecurity enough to respond, “Of course we do, and we’ve responded in these ways to mitigate the effects of those compromised accounts.”  When a prospect responds in a way that indicates they are unaware of what that means or of its potential ramifications, we see an opportunity to educate – not for the aim of scaring them, but to the end that they comprehend what’s at stake and how best to protect themselves against it.  Sure, there is a fine line there; but TCS is committed to education, not emotional manipulation.

As security professionals, we’ve been saying this so long that it’s become a bit cliché:  Users are your biggest threat to security and therefore to business continuity.  Nevertheless, it remains true.  Sometimes, an employee’s desire to prove helpful is exactly what a malicious actor will use to gain access to sensitive information.  Other times, the gullibility of users proves useful to the attacker.  Then again, the desire to keep security simple and convenient (remembering passwords) can create an opportunity to exploit.  All this being the case, why is it then that so few companies choose to invest in educating their users on what’s at stake and how to reduce the odds of becoming a cybersecurity victim?

There are many reasons for this, but most commonly it’s the business owner’s ignorance of the threats posed and what’s at stake for their business.  According to Inc Magazine, nearly 60% of all small businesses close within 6 months of falling victim to a cyberattack.  Yes, cyberattacks pose an existential threat to small and medium sized businesses.

One cliché that proves false regarding cybersecurity is “If it isn’t broke, don’t fix it.”  Many businesses are playing digital roulette with their cybersecurity posture.  Business owners think that since they haven’t been attacked yet, they aren’t at risk of falling prey to an attack.  The truth is, though, that every company is one click away from a successful attack.  All it takes is an errant click on one email attachment or malicious banner ad on a website to open the gates for a successful attack.

Some business owners think they have a firewall and other protections in place, so they are covered.  What makes the user so critical in securing the network is that users are easier to “hack” than networks.  Users are now the front line of digital security – they are the target, because the malicious actors know that the internal user is a trusted agent on networks and Cloud platforms.  By default, and generally for good reason, actions that originate from an internal user within the boundary of a network or application platform are trusted actions.  Thus, if a malicious actor can get behind that trusted perimeter, they will generally have free rein to launch their attack.  Most companies don’t even have the ability to perform a post-mortem on an attack, because they don’t have audit trail capabilities enabled.

What happens next?  Often, once behind the secured perimeter, the attacker lays low and surveils.  They will often siphon sensitive data, disable data protections, and plan out their attack to have the greatest negative impact upon your business.  They realize that you must be desperate if you are going to pay a lot of money to regain access to your information or to avoid public embarrassment.  Even if you can get your information back, many times the reputation hit your company takes from getting breached is enough to pose an existential threat to a company.  The bad actors know this, and they will look to exploit every way possible in order to get paid.

So what can you do to protect your business?

  1. Invest in security awareness training for your users.

This is a very simple and first step to take.  You can vary your tactics to ensure you get the best coverage across all employees/users.  You can use written forms of training and documentation, video training, or even simulations that will give feedback on which users are most susceptible to posing a security threat to the company.  Speak with your trusted security adviser for details on how best to engage your employees with security training.

  2. Invest in products and services that can mitigate the impact of a successful attack.

So many times, we have seen or studied instances where companies had a backup system, but their backup was not ransomware proof (for a variety of reasons).  Due to this, they were forced to pay thousands of dollars to recover their data from ransomware, either by paying for technical labor to find a way to decrypt it or by paying the bad actors to get their data back.  Discuss your backup plan with your trusted security adviser to ensure you are completely protected, and that you have everything in place to mitigate the loss of data in a ransomware attack scenario.  Also, verify with your security advisers that you have tools in place to identify and mitigate attacks as quickly as possible, as well as provide an audit trail for permissions use.  Your business needs vary depending on your attack surface, which differs from company to company.  There’s no good one-size-fits-all approach to security.

  3. Start writing policies and procedures for responding to an attack.

Just like anything else in business, whenever you invest the time to plan ahead for a security event, you’ll be more prepared to cope with a security incident.  Even if the plan isn’t perfect, you will fare better than those who are “winging it” with no plan at all.  The race to the South Pole between Roald Amundsen and Robert Falcon Scott, about which numerous books have been written, highlights the necessity of planning even when reality plays out differently, which inevitably it will.

The reason we use language like “start writing” is because as quickly as technology is evolving and changing, there will always be a need to refine and expand your policies/processes.  It is imperative to commit to maintaining an updated plan for how to respond to a security event within your organization.

  4. Build protections in your finance department and bank for any transaction above a specified amount.

Your banking or trusted financial institution can put policies in place to authorize the transfer of funds above certain amounts.  This can protect you from unauthorized wire transfers and other large payouts of funds, should a hacker gain access to your financial accounts.  Your banking institution wants you to avoid losing money as much as you do, as their reputation is at stake in such an instance.  Be sure to discuss best practices with your trusted finance adviser for how to avoid such scenarios.

  5. Discuss cybersecurity insurance options with your trusted insurance provider.

Cybersecurity insurance is fairly new in the insurance industry, so it is still evolving and adjusting to ensure viability and sustainability.  Many insurance providers now require that a security audit be performed and that other protections are in place to mitigate risk on their end.  Nevertheless, if you put too much stock in your insurance plan instead of taking actions to bolster security in your organization, you could find yourself in a situation where the insurance provider claims willful negligence and decides not to pay out after a security breach.  In order to protect yourself from such a claim, you must be able to demonstrate good faith efforts to protect yourself from security incidents.

  6. Finally, make your security mandates as convenient for the user as possible.

If your security measures are too inconvenient for the end user, they will find ways to circumvent them and expose your company to unnecessary risk. For instance, there are much easier ways to enforce multi-factor authentication for users today.  A lot of users were frustrated by the cumbersomeness of multi-factor authentication in its early phases.  Today, with authentication apps and the coming technologies surrounding password-less authentication, it is easier than ever to ensure the identity of your users and protect your organization from the vast majority of attacks. Again, users will find creative ways to circumvent annoying security requirements and expose the company to risk, so this is a vital component in today’s marketplace.

In conclusion, don’t gamble with your company’s existence.  There are ways to protect your business from these bad actors that won’t break the bank.  Most industries require less than 5% of gross revenue to ensure their business is protected against the malicious hackers of the world.  While there is no silver bullet that will protect you completely, you can mitigate the effects and ensure business continuity despite a successful attack.  If you need some assistance with knowing where to start with business security and continuity planning, feel free to reach out to TCS for assistance.  We can assess where you are, where you need to be, and roadmap a plan to get there over a timeframe that works best for your organization.