I recently saw a funny cartoon by John Klossner which joked … there are only 2 groups that are a security risk -those who work here, and those who don’t … But the current reality in 2019 is no longer a joke… the new reality is that the majority of small businesses have been breached, they just don’t know it yet. 2 years ago, 1 in 5 small businesses were affected, now some estimates put it at 3 out of 5… and getting worse by the month!
A quick definition; “a security breach is any unauthorized access of any of your systems”. So, it may not yet mean that your important systems or user accounts have been compromised; but it might mean you have been quietly breached by some small software that sits there gathering information. Either way, any breach is serious and needs immediate attention. Breaches are a key part of how cyber criminals gather the information to steal and extort monies at an alarming rate.
Maybe you think, it won’t happen to me! Or, maybe you think, that’s for large companies in large cities, surely nobody would worry about my business out here on the prairies… Sad to say, while that may have been true in the past, it is no longer true today. Perhaps you’ve heard of some recent breaches from the summer of 2019…
- In August 2019, the City of Saskatoon were the victims of internet fraud for about $1m. https://www.canadiansecuritymag.com/city-of-saskatoon-hit-by-internet-fraud-that-sends-1m-to-wrong-bank-account/
- Within a couple of weeks, it was announced that a North Battleford business, Spence Heavy Equipment Sales & Rentals, was the victim of a $1.4m fraud – https://battlefordsnow.com/2019/08/21/north-battleford-business-falls-victim-to-similar-email-transfer-scam-as-saskatoon/ .
What do these have in common? Both of these are examples of a fraud that started with a breach of some kind. I applaud both of these organizations for coming forward and sharing their experiences so that we can learn from them! But these are just the ones that have been published this year. While I cannot share names, I can share that we know of several other businesses in the area that have had breaches where the losses were many $10s of thousands of dollars each, some many $100s of thousands!
You might wonder then, how would I know if I’ve been breached? And, if I suspect I have been, what do I do about it?
It goes beyond a quick blog post to cover all potential scenarios, and the fact is that the answers to the above questions are changing as new exploits popup weekly, even daily. But here are 6 steps you should consider for your business:
- Business Grade Firewall. Use a business grade firewall and enable all of the smart security features. Note that this usually means paying for an ongoing subscription, but in my experience, it is money well spent.
- Multi Factor Authentication. Do not simply rely on passwords no matter how well crafted. While this was once considered adequate, the new reality is that passwords are regularly compromised, then captured and sold on the Dark Web. Instead, the current best practices (as of the end of 2019), are to enable Multi Factor Authentication (MFA). This practice is in keeping with the current recommendations of NIST and other security organizations. Note that this again will require a paid subscription.
- Dark Web Monitoring. Speaking of the Dark Web, it is highly recommended to regularly scan the Dark Web to see if any of your usernames or passwords have been discovered and published there. It is a money making scheme for cyber criminals to do this, and if your credentials are out there you want to know asap. There are free tools like haveibeenpwned.com , but free tools are overly simplistic and often miss details. More powerful monitoring tools are available and prices range, almost always involving a subscription.
- Security Awareness Training. Educate your users with Security Awareness Training (SAT). I often think of the bible example of Rahab who lived in the walled city of Jericho. She let a rope down that allowed spies to enter the city and scope it out, which eventually led to the fall of the city. The lesson? If we spend time and money to build secure walls around our systems but then have users invite “spies” in, through phishing emails or compromised websites, then our “walls” could be compromised too. Basic free training can be found on the internet, whereas it will be a paid service to also add in random testing; for example, a well designed program will send emails to your users to test whether they will react to fake emails.
- Next Generation Antivirus and Advanced Threat Protection. Consider next generation versions of antivirus and detection software. These software packages don’t wait to be programmed to deal with known vulnerabilities (the way traditional products have worked for decades). Instead, they rely on AI and other computer intelligence to determine if something unusual is beginning to happen; or in some cases will determine this before it happens! So far, most of these products are not inexpensive, but there is more competition and that should be good for options and pricing.
- Security Operations Center (SOC). The ultimate solution is to engage with a provider that can enable monitoring 24/7 using a Security Operations Center (SOC). A SOC is a facility that houses an information security team that monitors and analyzes an organization’s security on an ongoing basis. They watch activity on networks, servers, endpoints, databases, applications, websites and other systems. Their goal is to detect, analyze and respond to cybersecurity incidents. Again, this is a new, expensive solution that is seeing a lot of growth. I expect that prices will fall as more competitors enter this space.
I hope the above gives you some ideas to consider. The reality is that this list will change frequently -some of the things that are now optional will likely become mandatory, and as new threats emerge, new ideas will be needed to protect against these.
If it sounds intimidating, it can be. But it does not have to be done all at once. And, it does not have to be overly expensive. If you are interested in having one of our security specialists discuss with you what makes sense for your organization, please contact us anytime!
And, if you think this article was useful, please share it.
Thanks for reading and wishing you a secure future!
Brad Kowerchuk, CEO