Cybersecurity: practical advice for SMBs
The goal is to have the employees not answer requests in the messages for a response or information and also to have them report the incident. “Our messages begin at a basic level for new employees and get progressively more difficult to detect,” Hadnagy explains. “For example, a simple message might announce that the recipient had been photographed by a traffic camera while driving through a stoplight and instruct the employee to click on a link to pay the fine. In a more sophisticated attack, the employee receives an email signed by someone within the company who wants to share a file in Dropbox and is told to click on the link.
“Employees should get in the habit of looking at the URL to verify that it is the company’s domain,” Hadnagy says. “If they are told they need to download a software update, they should be trained to go directly to the software provider’s website rather than accessing it through a link in a message.” The hacker may have additional information such as the sender’s and/or user’s phone number, which makes a message or a caller seem legitimate. “So much information is given out freely now,” Hadnagy says, “there are many opportunities for deception.”
Seek outside assistance
Because most SMBs do not have in-house resources for full-scale security, another option is to engage outside help to address the technology side. One service such organizations often provide is gap analysis of the Top 20 Critical Controls from the Center for Internet Security (CIS). “If a company wants to make a comprehensive commitment to security, that’s what to do,” says Jesse Lee, a cybersecurity engineer with Progent (progent.com), which provides security and IT services geared toward small businesses, including stealth penetration testing and disaster recovery.
Those Top 20 Critical Controls are guided by a number of principles including developing protection against the threats that are most common; applying them consistently and, when possible, through automation; and using a variety of different strategies. “Companies should have at least an awareness of network traffic so they can detect anomalies,” says Lee. For example, any company housing personally identifiable information (PII) should be encrypting it, and if a 16-digit number is seen on the network, there could be a problem. A centralized logging system can provide that information.
“Enterprise level security is hard to come by for small companies,” Lee acknowledges. “The reality is that many end up accepting risk to a greater level than larger companies. If a company cannot implement a high-level of security and still make money, it is not feasible to do so. They should cover what they can and be aware of the remainder.”
The good news is that because people are the most vulnerable point in any network, even small companies can take steps to mitigate that vulnerability. “From an attacker’s viewpoint, the people side of things is an easy target,” Lee says. “If they think a message is coming from the IT staff, it’s especially easy to trick them. Employees need to be vigilant, read emails carefully and if something doesn’t look right, they should get a second opinion before doing anything. The goal is to turn all the people into advanced sensors.”