Businesses are realizing they’re not too big or too small or too low-profile to be hit with a cyberattack, and they’re stepping up cybersecurity efforts. But with attacks coming from all directions and changing by the hour, where do you start? Colorado Springs cybersecurity experts weigh in on what you can tackle right now to protect your business.
Get a password locker
Stop writing your passwords on post-its. Stop saving them in your phone. Stop making Word files called “passwords.”
Get a password locker like Dashlane, LastPass, Zoho Vault, Keeper, 1Password, Blur or EnPass, and remember one password for everything.
“It’s too complex now to manage without a password locker,” said Mark Turnage, CEO of DarkOwl. “Choose a password for the locker and that’s all you have to remember.” Password lockers will generate highly complex passwords for you and fill them in for the sites and apps you use.
Firma IT Solutions & Services founder Rodney Gullatte Jr. strongly recommends password lockers — but, he cautions, “if you forget your password to get into it there’s no reset. There’s no calling customer service to get your password unlocked — no, there’s none of that.”
Don’t use the same password for multiple accounts. That’s asking for trouble.
“You’ll see somebody use their Amazon username and password and it’ll be the same username and password as their bank, as their X-Box account,” Gullatte said. “All I have to do is compromise one of those, and I’m going to try it along every one of your accounts.”
Other tips: Turn on two-factor authentication. Don’t use pets’ names or family names in your passwords. Require a password to access your computer, your laptop, your tablet, your phone. Change passwords every 90 days — or have the password locker do it for you.
Trust (almost) no one
According to Beazley Breach Response Services, hacking and malware breaches accounted for 13 percent of the incident reports it received in the first quarter of this year.
“Incidents are usually caused by an employee clicking on a link in a phishing email, HelpDesk message, or Microsoft survey,” BBRS reported. “After clicking on the link, the employee is redirected to a legitimate-looking website and asked for email credentials. The hacker then harvests those credentials and logs into the mailbox undetected.”
It doesn’t stop there.
“A hacker … breaks through concentric layers of protection. I get on the network, then I get user level access, I get the main administrator access, then I can get to the crown jewels,” said Terry Bradley, chief technology officer at PLEX Solutions. “Phishing is just the initial hack. I’m going to spread from there … and find other things I can exploit. This is how security fails. It’s not just one catastrophic blow. It’s a bunch of little attacks. I’m going to leverage everything along the way to get further access.”
The short of it: Don’t click on links in emails. Hover your cursor over senders’ names to make sure you recognize the email address that appears. Don’t give credentials or personal information over email, or follow instructions to transfer money — even if the request appears to come from your own company’s IT, HR or CEO. Hackers have polished their tactics and can adopt almost any persona online.
Back up, back up, back up
And don’t just back up locally, because then all it takes is a flood or a fire or a ransomware virus and your backup is gone, too.
“Offsite backups are what people should be using,” said Gullatte. “If ransomware hits your systems and the worm propagates through your network … it’ll attack anything connected. If you’ve got all local backups, all your backups are going to be tainted. You can’t come back from that.”
“I don’t think most people realize that their only real recovery to cyber incidents, in most cases … is to protect the data — to protect it from deletion, modification and theft,” said Shawn Morland, Navakai co-founder and technology adviser. “There is no magic we can do to rebuild or reconstruct your data if it becomes damaged or encrypted — we rely on these backup systems. The only recovery mechanism we have is a qualified backup.”
Morland said there are “a lot of flavors of backup out there, and most of them aren’t very effective.”
The best, he said, take multiple snapshots of your data throughout the day, encrypt those copies, keep a local copy and move another encrypted copy of the data to an offsite location, so multiple versions are protected.
Shawn Murray, president and chief academic officer for Murray Security Services, said a good backup means defending against ransomware — and other data loss — does not have to be complex.
“It can be as easy as having a backup of your critical data and software applications,” he said, “so that if a breach occurs, then you just rebuild those systems to get back up.”
No ransom, no downtime, no regrets.
Get cyber insurance
In the event of an attack, cyber insurance could be the difference between sinking and surviving — but only 15-20 percent of small businesses nationwide carry it. It’s designed to help offset the costs of recovery after a cybersecurity breach, and covers things like breach mitigation; recovery from a ransomware attack, including recovery of compromised data and repairing damaged systems; notifying customers and other affected individuals about a data breach; credit monitoring for individuals whose information has been compromised; forensic investigation of the breach; and legal defense costs and damages. Doug DePeppe, cyberlaw attorney at EosEdge Legal, describes cyber insurance as “a must-have component of a company’s approach to its cybersecurity plan,” and Bradley, Gullatte and Morland all say they advise their clients to carry it.
Finding yourself in the midst of a cyber attack without a response plan, without an IT support provider and without cyber insurance, is “like you’re on the operating room in the hospital,” Bradley said. “When you’ve had the breach, you have no leverage at all. You have no negotiating power. The checkbook’s open and you’re saying, ‘Make it stop.’”
You can start with an audit of your current business insurance, and find out how to add cyber coverage (it’s sold separately). In the Springs, CB Insurance, Hub International Insurance Services and Justin Burns Insurance (Farmers) are among those offering cyber insurance.
Educate your people
Research from the annual Black Hat security conference showed that 84 percent of reported cyberattacks are due to human error, and the 2017 IT Risks Report found 100 percent of government workers surveyed saw their own employees as the most likely culprits during a security breach — whether accidental or malicious. However many security measures you have in place, human error or insider threat “is just as big. It’s just as big as someone trying to attack you from the outside,” Gullatte said. “We have so many technologies, we have so many companies that can keep the bad guys out, but you’ve still got people working for you that might end up being a bad guy by mistake.”
Bradley agreed: “This is what you’re up against even if you spend all the money on products and have all the policies — you still have your own non-cybersecurity-educated staff that clicks on a pop-up…” Locally, the Pikes Peak Small Business Development Center offers training including “Cybersecurity Simplified: What Your Small Business Needs to Know” (the next one will be May 23) and the National Cybersecurity Center offers “Cyber for Executives” as well as the annual Cyber Symposium, coming up in October.
“Take classes and educate yourself,” Gullatte said. “The more people know, the better.”