Cybersecurity is an important and under-considered topic for lots of businesses today.
What is Cybersecurity?
First and foremost, we believe that cybersecurity is a mindset.
There are lots of software and hardware products that you can put in place to protect your business and to protect your network. But even if you spend all the money you have on products, if you don't educate your people and create a culture of cybersecurity within your organization, those tools won’t be effective.
We start by helping you understand how to form a culture in your company that is cybersecurity-focused. We provide online and in-person training so that your people know what to look out for, and what they should click or not click on. That's where cybersecurity starts.
From there, we conduct a complete assessment of the client’s existing cybersecurity and put a plan in place to bring it to the level where it needs to be.
Compliance & Insurance
Many companies are required to meet some sort of cybersecurity and compliance requirements. We take that into account and add cybersecurity insurance policies if necessary.
We can work with your provider on insurance, but clients that work with us are automatically approved for a policy through Lloyd's of London, and we can bring that to bear as well.
What Does Cybersecurity Do?
One important component of cybersecurity is making sure that your business is protected from attacks.
Small business owners think they may not have to worry about this, but small businesses are common targets now. They're a lot easier to access or hack into than large businesses. They don't have the products, security controls, mindset, or culture of security.
These bad actors are looking for your money, and one of the ways they do that is through wire fraud.
The Phishing Scheme
They start out with a phishing email that looks legitimate. And when you click on a link or answer a question, they know you’re engaging with them. Then they send another email that goes a little bit deeper. Maybe it has an attachment that you click on, and that attachment asks you for a username and password for something like Dropbox or OneDrive, which is part of the Office 365 suite.
You only need one username and password to get into the Office 365 suite, so if they can get you to give away your credentials, they can log in through the web interface and they have access to your email account.
And once they get access to your email account, they can monitor the emails that are coming and going. They can see who you're communicating with. And if you're in a finance-related position like a controller, bookkeeper, or business owner, they might watch for two or three months to see what's going on in your email account.
Finally, when someone sends you a request for wire information, or you send someone a request for wire information, they’ll jump on that and change the account number. The next thing you know, you think you’ve wired funds to pay a legitimate bill, but you've wired funds to China. And it all starts with this seemingly innocuous phishing email.
One defense against this is to train end users to look very carefully and not give their credentials away. Users should always analyze the emails that they're responding to.
There are also technical precautions you can put in place like two-factor authentication.
Two-factor authentication goes beyond your username and password by incorporating something you have, like an app on your phone that generates a code you have to enter. Alternatively, you enter your username and password, and an approval request or a code is sent to your phone.
These extra precautionary steps are useful because if someone does give their credentials away in a phishing scheme, the phisher won't be able to get into your account because they don’t have the piece of information required from the two-factor authentication.
We’ve also seen money stolen through crypto viruses. A cryptovirus is also usually introduced by clicking an email link or downloading/opening a file. When these viruses get on your network, they look at your files and encrypt or lock all of your files.
Over a 24-hour period, a cryptovirus can lock all your files so that you don't have access to any of your data. Your accounting system, your files, your email, and everything else gets locked out, and then they'll ask for a ransom.
If you don't have a backup or any other way to restore and reverse this, you may have to pay a ransom to get your data back. And there's no guarantee that you'll get your data back after you pay that ransom.
Phishing aimed at wire transfer fraud and ransomware or crypto viruses are two of the most common cyber attacks that we see.
Some business owners think that because they have cyber insurance they don’t need to care about protecting their systems. But just because you have cyber insurance doesn't mean that you have no further responsibility to protect your business and protect your data.
Insurance can serve as a safety net, but many cyber insurance policies today have requirements for the business owner. You need to protect your data, have backups in place, and protect against possible ransomware. You need to have precautions in place for phishing attacks that could result in wire transfer fraud.
Also, there's almost always a training component. The business owner has a responsibility to provide cybersecurity training to the employees and provide proof that they've done so.
With our clients, we have those components built into the services that we provide. We provide employees with in-person and online cybersecurity training. And we have a way to track that and report back to an insurance company if they need it.
We also provide phish testing: we send sample emails that look like a phishing scam and see how people respond to them. So we take a proactive approach. I've said before that cybersecurity starts with a mindset and a culture, and that's really where we focus when we start with a client: creating that mindset and shifting the culture.
Basic Tips to Stay Safe
There are many ways to protect your data, but you can start by focusing on three in particular.
1. Password Security
The first is password security. Make sure that you use a password that is complex. Passwords should have:
- More than eight characters
- At least one number, letter, and symbol
An easy way to do that is to create a phrase, like “I like to get up early.” You can use that phrase as your password, but the “I” could be a one, and you can add an exclamation point at the end. You can also substitute a three or a plus for an E or an A within that phrase.
The point is to come up with a phrase that's easy to remember. Studies show that the more complex and difficult you make a password, the less secure it becomes. That sounds counterintuitive, but it isn't. If your password is complex and you can't remember it, you're going to write it down on a sticky note or put it underneath your keyboard or something.
We recommend setting a good password, changing it regularly, and not using the same password for everything. This last mistake is really, really common.
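As an added example (not the article's own code), here is a small checker that applies exactly the three rules stated above, plus a helper that performs the article's passphrase trick: the word “I” becomes a one, E and A become a three and a plus, and an exclamation point is appended. The rule wording and the demo phrase are the article's; the function names and the decision to swap every E and A in the phrase are my own assumptions.

```python
import string

def check_password(password: str) -> list[str]:
    """Return the list of rules from the article that the password breaks.
    An empty list means the password passes all three."""
    problems = []
    if len(password) <= 8:                                   # "more than eight characters"
        problems.append("must be more than eight characters")
    if not any(c.isdigit() for c in password):               # "at least one number"
        problems.append("needs at least one number")
    if not any(c.isalpha() for c in password):               # "... letter"
        problems.append("needs at least one letter")
    if not any(c in string.punctuation for c in password):   # "... and symbol"
        problems.append("needs at least one symbol")
    return problems

def passphrase_to_password(phrase: str, suffix: str = "!") -> str:
    """Apply the article's substitutions to a memorable phrase.
    Assumption: every E/e and A/a is swapped, and a standalone 'I' becomes '1'.
    Note that some systems reject spaces in passwords; strip them if needed."""
    swaps = str.maketrans({"e": "3", "E": "3", "a": "+", "A": "+"})
    words = ["1" if w == "I" else w.translate(swaps) for w in phrase.split()]
    return " ".join(words) + suffix

if __name__ == "__main__":
    # Constructed sample inputs: the article's phrase and two weak passwords.
    for candidate in [passphrase_to_password("I like to get up early"), "password", "Summer2024"]:
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else ', '.join(verdict)}")
```

Running it shows the transformed phrase passes, `password` fails three rules, and `Summer2024` fails only the symbol rule; the checker enforces the article's minimums, not an upper bound, so a long phrase that is easy to remember is still the best starting point.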
2. Don’t Use the Same Password for Everything
If you use the same password for your company email that you use at Macy's or Target or Home Depot, and one of those sites gets hacked, those credentials can be leaked or published on the dark web.
The dark web is a place where cybercriminals publish information. You can buy lists of passwords from hacks like that. When they have your username and password, it doesn't take long for them to trace that back to your email account. And if it's the same password they can hack your email.
We use services that monitor the dark web and notify us when that's happened. But please don't use your password in multiple places. Also, put two-factor authentication on your email so that it requires more than just a username and a password to log in.
3. Cybersecurity Mindset
The third component is the cybersecurity mindset we mentioned above. End users need to ask questions when, for example, an email appears to be suspicious.
Would you expect to get this email from this person asking for this type of information? You can put your mouse over a link in the email to see if it's actually coming from Bank of America, for example, or if it’s coming from bankofamerica.something.com. So just being aware and suspicious is crucial.
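The “hover over the link” check above can be written down as code, which makes the trap in `bankofamerica.something.com` explicit: the part of a hostname that decides who you are talking to is the end of it, not the beginning. The following is an added example, not code from the article or its authors, that takes a link's visible text and its real target (the `href` you see when hovering) and flags the mismatches described above. The allowlist of trusted domains and the sample links are constructed for the demo; `registrable_domain` uses the simplistic “last two labels” rule, which is an assumption that breaks on suffixes such as `.co.uk` (production code should use the Public Suffix List).

```python
from urllib.parse import urlparse

# Constructed allowlist: organisations this user legitimately deals with.
TRUSTED_DOMAINS = {"bankofamerica.com", "dropbox.com", "microsoft.com"}

def registrable_domain(host: str) -> str:
    """Naive: keep the last two labels of the hostname (assumption; see lead-in)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def classify_link(display_text: str, href: str) -> str:
    """Return 'ok: <domain>' or a 'suspicious: ...' explanation for an email link."""
    parsed = urlparse(href)
    host = parsed.hostname or ""          # hostname drops user@ tricks and the port
    if parsed.scheme not in ("http", "https") or not host:
        return "suspicious: not a normal web link"
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return f"ok: {domain}"
    # The article's case: a trusted brand name placed in front of someone else's domain,
    # or a brand name in the visible text while the real target goes elsewhere.
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if brand in host or brand in display_text.lower().replace(" ", ""):
            return f"suspicious: looks like {trusted} but really goes to {domain}"
    return f"suspicious: unexpected domain {domain}"

if __name__ == "__main__":
    # Constructed sample links, modelled on the article's example.
    samples = [
        ("Bank of America", "https://www.bankofamerica.com/login"),
        ("Bank of America", "http://bankofamerica.something.com/login"),
        ("Review your statement", "https://bankofamerica.com@evil.example/statement"),
        ("Open shared folder", "https://dropbox-share.example/folder"),
    ]
    for text, href in samples:
        print(f"{text!r} -> {href}: {classify_link(text, href)}")
```

The third sample shows why hovering is not quite enough on its own: `https://bankofamerica.com@evil.example/` begins with the bank's name, but the browser treats everything before `@` as a username and connects to `evil.example`, which is exactly what `urlparse(...).hostname` reports.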
When we meet with a client, hardly anybody requests a dark web scan directly. But as part of a cybersecurity assessment, we do a dark web scan on them, and we can come back with a list of usernames and passwords that are compromised.
We’ve never put in a domain that didn’t come back with at least a few compromised sets of credentials. And the company that provides that for us also provides our online cybersecurity training videos and our phish testing system.
We also have a dark web scanning tool on our website. You can go to our website and request a dark web scan. We will scan your domain and provide you with information if users on your email domain have been compromised.