Tag Archives: cybersecurity

Password Best Practices Keep Your Business Secure

According to an article in the HIPAA Journal, May 2nd was “National Password Day.” You didn’t know there was such a day? It was declared in 2013 to raise awareness both of the importance of passwords in keeping personal and company data safe and of password risks and the best practices that mitigate them. Read on to learn about the current state of thinking on passwords, and how to better manage login credentials.

A Brief History of Passwords

Even with biometric identification and single sign-on technology, passwords remain the most common way to secure personal and business accounts. Passwords were first used in the 1960s at the Massachusetts Institute of Technology (MIT) to guard accounts against unauthorized access; incidentally, the first password breach occurred there, too. More recently, a survey of 2,400 respondents in the U.S. and other countries revealed some sobering statistics about password practices.

Common Password Practices

Password reuse was common: 84% of respondents admitted to using the same password for multiple accounts. If an attacker steals the password to just one account, the same credential can be tried against the victim’s other accounts (credential stuffing), usually with automated tools.

54% of respondents relied on memory alone for their passwords, which pushes them toward passwords short and simple enough to remember, and therefore weak.

36% incorporated personal information (family names or birthdays, for example) in passwords to make them easier to remember; the same details are often easy for an attacker to find.

33% relied on a password alone, rather than two- or multi-factor authentication, to access their accounts.

Moreover, even when users changed their passwords, they didn’t change them enough: they altered only a few characters so the new password stayed easy to remember. All of these habits make passwords easier to steal, whether through social engineering (email “phishing” or text-message “SMiShing”) or through brute-force and dictionary guessing, and reuse means that a single stolen password unlocks more than one account. How can thinking on passwords be changed?

Best Practices for Password Management

First, the article suggests thinking not in terms of passwords but passphrases: longer strings built from several words, optionally mixed with upper- and lower-case letters, numbers and symbols, that are far harder to guess yet easier to remember than a short jumble of characters. Second, it suggests using a password manager, so that only one credential has to be memorized: the list of passphrases is itself protected by a master passphrase of at least fourteen characters, and every other credential can then be long, random and unique. Companies can develop clear, enforceable policies for password management, which may then influence how workers handle passwords outside of work, too.

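As an added illustration of the passphrase and policy advice above (this is example code, not from the HIPAA Journal article or this page), the following Python builds passphrases from a word list using a cryptographically secure random source, estimates their entropy, and enforces the points the survey raised: a minimum length, no personal details, no reuse of an earlier password, and no “new” password that is only a few characters away from the current one. The word list is a constructed 32-word stand-in (a real deployment would use a published list of several thousand words), the fourteen-character minimum and the edit-distance threshold are assumed policy values, and the stored history uses PBKDF2 so old passwords are never kept in the clear.

```python
import hashlib
import math
import secrets

# Constructed 32-word list for the demo. A real deployment would use a
# published diceware-style list of several thousand words (assumption).
WORDLIST = [
    "anchor", "basil", "cobalt", "dune", "ember", "falcon", "glacier", "harbor",
    "iris", "juniper", "kestrel", "lantern", "marble", "nickel", "orchid", "pebble",
    "quartz", "raven", "saffron", "tundra", "umber", "velvet", "walnut", "xenon",
    "yarrow", "zephyr", "acorn", "bramble", "cinder", "delta", "fjord", "granite",
]


def generate_passphrase(n_words=5, separator="-", wordlist=WORDLIST):
    """Join n_words chosen uniformly at random with the CSPRNG in `secrets`."""
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(n_words, wordlist_size):
    """Entropy of n_words drawn independently and uniformly from wordlist_size words."""
    return n_words * math.log2(wordlist_size)


def levenshtein(a, b):
    """Edit distance; a small value means the 'new' password is a minor tweak of the old."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def history_hash(password, salt):
    """Salted slow hash used to store old passwords for exact-reuse checks."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def check_new_password(candidate, current, history, personal_terms,
                       min_len=14, min_distance=4):
    """Return the policy violations for `candidate` (an empty list means accepted).

    `current` is the plaintext the user supplied at change time, the only moment
    a closeness check is possible; `history` is a list of (salt, hash) pairs, so
    older passwords can only be checked for exact reuse.
    """
    problems = []
    if len(candidate) < min_len:
        problems.append(f"shorter than {min_len} characters")
    low = candidate.lower()
    for term in personal_terms:
        if term.lower() in low:
            problems.append(f"contains personal term {term!r}")
    if current is not None and levenshtein(low, current.lower()) < min_distance:
        problems.append("differs from the current password by only a few characters")
    for salt, digest in history:
        if secrets.compare_digest(history_hash(candidate, salt), digest):
            problems.append("reuses a previous password")
            break
    return problems


if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    history = [(salt, history_hash("Summer2022!", salt))]
    # Typical "change a few characters" attempt: rejected for two reasons.
    print(check_new_password("Summer2023!", "Summer2022!", history, ["Smith", "1985"]))
    phrase = generate_passphrase()
    print(phrase, f"({passphrase_entropy_bits(5, len(WORDLIST)):.0f} bits)")
    print(check_new_password(phrase, "Summer2022!", history, ["Smith", "1985"]))
```

The closeness check only works at the moment of the change, when the user types both the old and the new password; anything older exists only as a salted hash and can be checked for exact reuse alone. Five words from this 32-word list give just 25 bits of entropy; the same five words from a 7,776-word diceware list give about 64 bits, which is the real reason to prefer a long list and a generator over a human-chosen phrase.
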
Passwords are still necessary to secure business and personal accounts, and thus need to be unique and strong. For help developing your company’s password policy, contact your trusted technology advisor today.

Cybersecurity Challenges for Small to Medium-Sized Businesses

Cybersecurity, always a topic for businesses of all sizes, poses special challenges for small to medium-size businesses. Not only are they attractive targets for bad actors, but they also contend with tight budgets and, at times, a limited understanding of what cybersecurity means. Read on to learn how a small business can meet these challenges and build strong defenses.

A number of cybersecurity issues challenge smaller businesses, according to a CompTIA article. First, just getting started with a cybersecurity plan can seem like a huge task. What does cybersecurity mean for your business? Which mission-critical data and applications need protection? And once your company has decided on its goals, how will it reach them?

Another issue is spending. A small organization’s cybersecurity budget is often tight, and the business cannot spend much on an IT team or on training to upskill current workers. How much will a third-party solution cost? These and other costs can seem daunting.

Knowledge and understanding of the threat landscape is another challenge. Small or medium-size businesses might think that, being small, they are “under the radar” of cybercriminals. In fact they are frequent victims: according to the FBI, small businesses comprised the majority of victims in 2021. Even when bad actors don’t specifically target a small company, they may use it as a stepping stone to the larger businesses it works with. Often the criminals are simply looking to steal data, whether credit card and bank account information, customer data, or proprietary business information, from anyone they can.

Complacency is a further challenge; small companies may think they don’t need to learn new skills. On the contrary, they need to adapt to an ever-changing threat landscape. Cyber attacks are becoming more frequent and more sophisticated, and attackers are banding together. Where hackers once tended to work alone, trying brute-force attacks or using bots to take down a website with a distributed denial of service (DDoS) attack, today’s criminals increasingly pool their tools and skills.

Cybersecurity Help for Small Businesses

So, what’s the solution? The good news is that, though cybercriminals are banding together, small to medium-sized companies can do the same. Technology service providers can help small businesses access threat intelligence and learn from organizations that have been attacked and recovered. With help from the Cybersecurity and Infrastructure Security Agency (CISA) and its various resources, businesses can get information and start acting on it to develop their cybersecurity plan. What’s more, a company might seek out third-party partners that can supply the IT talent to improve its cybersecurity posture.

Cybersecurity, especially for smaller businesses, can seem like a huge challenge. However, help is out there. To learn more about developing a security plan, contact your trusted technology advisor today. 

Protect Passwords to Safeguard Personally Identifiable Information

Businesses large and small deal every day with personally identifiable information from customers, employees and other stakeholders. How do they protect it? While passwords themselves are not usually considered personally identifiable information, they are what keeps it safe. Read on to learn more about how to manage passwords and keep data safe.

The Role of Passwords in Safeguarding PII

Personally identifiable information (PII) is any data that can be linked with or traced to an individual: names, dates of birth, addresses, Social Security numbers and other specific details about a person. Some of it is non-sensitive, part of public records or easily found online. Sensitive PII includes biometrics (used as part of multi-factor authentication), employment and financial records, and bank account credentials. Every business owner handles a great deal of personally identifiable information in the course of doing business. How can they protect it?

Passwords authenticate a user’s access to the applications and websites (including company websites) that hold personally identifiable, often sensitive, data on employees, customers and more. Employees properly trained in password management help safeguard a company’s data. One key practice, along with choosing strong passwords, is never sharing those passwords with others.

Keeping Passwords Private Benefits Your Business

The reasons for keeping passwords secret may seem obvious: no one else can get into your accounts, change your data, or leave it exposed to the wrong hands. If your workers keep their passwords secret, they prevent sensitive information from leaking to those who would misuse it, and both the individual worker and the business avoid the penalties that come with regulatory non-compliance. A password known to only one person also makes accountability clear: actions taken with it can be attributed to that person, and no one is held responsible for another’s misuse. And with a strong, private password, workers can rely on uninterrupted access to the resources they need to do their jobs. Even companies with strong controls and policies need to train their workers in password hygiene, making the practices part of the organization’s culture.

While passwords may or may not fall under the category of personally identifiable information, they definitely serve to protect it. For help in developing your company’s password policy, contact your trusted technology advisor today. 

From Cybersecurity to Cyber-Resilience

Cybersecurity is an ever-present issue, especially in these times of rapid innovation. With that innovation, companies need to remember the importance of protecting systems, devices, networks and data from cyber attack. But what if we all went a few steps beyond, and planned what to do while an incident is occurring and after it happens? Read on to learn how to make your organization cyber-resilient in the face of today’s threat landscape.

Cybersecurity and Cyber-Resilience

The two concepts sound similar, but they differ in focus. Cybersecurity is about protecting systems, networks and data from cyberattack, whereas cyber-resilience is about an organization’s ability to withstand an attack while it happens and recover afterward. Both are important, and both contribute to business resiliency. An attack happens about every 39 seconds, according to some sources. Common types include malware, ransomware and Distributed Denial of Service (DDoS) attacks, which can steal data, lock you out of it, or take systems offline. The effect on your business is potentially devastating; even a short outage can result in costly downtime. How will your organization not just prevent these hazards, but deal with and recover from them, and stay running?

Benefits of Cyber-Resilience

The threat landscape continues to expand, with more attacks and the attacks becoming more sophisticated. Considering the rate of cyberattacks already occurring, the probability of one striking any one organization is high. Protecting yourself, as well as having a plan to respond to an attack when it happens, benefits your company in numerous ways. For one, you can continue operating during the disaster and avoid lost revenue. Second, the ability to protect customers’ personally identifiable information increases their trust in your organization. Third, you avoid fines for failure to comply with data-protection regulations. Finally, your business can even achieve a competitive advantage in staying open when others have to close.

Elements of a Cyber-Resilience Strategy

According to a CompTIA article, a strategy will prepare you to respond to attacks and mitigate their damage. A cyber-resilience strategy starts with assessment and prevention: a deep knowledge of your technological assets and of any gaps attackers could exploit. Actively implementing preventive measures helps you spot threats before they become problems. Plans for response and recovery position your company to react quickly and limit damage. Adaptation and flexibility mean recognizing that each attack is different and being able to respond in the moment. Finally, education and ongoing training acquaint workers with likely threats and how to respond; practice through attack simulations is a very helpful part of that training.

Cybersecurity, of course, is still important. Cyber-resilience goes beyond that, to recovering from an attack and keeping the business running. For help with your strategy, contact your trusted technology advisor today.

What’s Coming Up: Technological Trends in 2024 and Beyond

With cutting-edge technology and digital innovation continuing to take center stage, technology spending is expected to keep expanding. With digital innovation like artificial intelligence, cloud computing and the Internet of Things also comes a greater potential for cyber threats. Read on to learn more about technology trends and how they may affect businesses in 2024 and beyond.

Tech Spending to Increase in 2024

Worldwide technology spending is expected to increase by 8% overall, according to a Gartner forecast from October 2023. The key growth sectors are software, at 13.8%, and IT services, at 10.4%. Growth in data privacy spending is expected to jump from 18.5% in 2023 to nearly 25% in 2024, and network security equipment is also expected to grow, but more modestly, from 12.9% to 13.9%. The main business drivers are digital innovation, artificial intelligence and cybersecurity, according to a Telarus report for 2023. Businesses are now considering moving legacy systems for business operations to the cloud, whereas previously most of their cloud applications were customer-facing; this may drive managed services spending as well. Digital innovation brings cybersecurity concerns with it, propelling information security and risk management spending to $215 billion, a 24% increase over 2023.

Harnessing Artificial Intelligence

An IDC blog post forecasts global spending on AI to exceed $500 billion by 2027, with more of it going to AI implementation and the adoption of AI-enhanced products and services. Technology providers anticipate investing money, time and brainpower in incorporating AI into the core of their business. Although AI is a major turning point (ChatGPT’s 3.5 series was released nearly a year ago), generative AI is not expected to come to the fore until about 2025. For now, artificial intelligence is expected to stay in the background, improving processes. Microsoft’s Copilot, for example, aids collaboration by combining large language models with users’ own data, working inside common Microsoft applications like Word and Excel to offer assistance in real time. Though aimed primarily at businesses of 300 workers or more, it has potential to serve smaller businesses as well.

Applications of Internet of Things

The Internet of Things (IoT) involves connecting devices to networks, with applications in the energy and security sectors, including video surveillance. With more cloud use, data centers need physical security protection. A “smart” (connected) surveillance camera can be linked to other devices like alarms, to alert security staff to potential threats. Artificial intelligence might operate with IoT to produce close-to-human image analysis.

The Internet of Things has much to offer the energy sector, too. Connected devices can monitor energy usage, helping reduce cost by scheduling appliances on and off at different times and shutting some off during peak periods. Customers can partner with utility providers to make energy use more efficient and less expensive.

Cybersecurity Considerations

Because digital innovation also leads to more threats, businesses looking to move customer service and back-office work to the cloud must pay attention to (and possibly spend more on) cybersecurity. Protections are needed for data, applications and infrastructure against escalating cyberthreats. The software sector also needs to pay attention to cybersecurity, with AI creating security fears like loss of data control. According to Gartner, double-digit growth is expected in all segments of enterprise security spending in 2024.

Taking a Proactive Approach to Cybersecurity

The state of cybersecurity seems to be getting better, though there’s always room for improvement. According to a recent report by CompTIA, “The State of Cybersecurity 2024”, more companies see the need to take a proactive approach and look at cybersecurity from a risk management standpoint. Read on to learn what this might mean for your efforts to protect technological assets.

Encouraging Signs, with Room for Greater Improvement

In recent years, businesses have made strides in adopting a proactive stance toward cybersecurity, according to the CompTIA report. Of the small to medium-size businesses surveyed, solid percentages have formal cybersecurity frameworks (45% of small businesses and 63% of medium-size companies). Many small companies assess their risk without a formal framework. Over the last year or so, general satisfaction with the state of cybersecurity has increased, as has respondents’ satisfaction with their own company’s cybersecurity. Even with these modest increases, progress is still somewhat slow.

In spite of that progress, data breaches still occur. The global average cost of a data breach is $4.45 million, and in 2022, 96% of organizations had at least one breach, according to a report cited by CompTIA. The top-of-mind question is naturally “What does a cybersecurity incident cost?” A better question may be what prevention costs, not just in money but in the time and effort it takes, and how that compares with the cost of an incident.

Constructing a Risk-Management Plan

Cybersecurity has often been treated as a secondary concern, but businesses are now shifting from a purely defensive posture to a proactive one. Risk management involves identifying the risks that come with doing business, assigning probabilities to the specific risks relevant to the company, and proposing mitigation plans. A formal framework helps in considering all risks, including ones not normally associated with IT. One such risk is phishing, where individuals are targeted with email whose links or attachments deliver ransomware; the details that workers post on social media can make their employers targets for these social engineering attacks. Another concern the report raises is whether new technology a company buys can introduce new cybersecurity risks of its own.

Many factors need to be considered when analyzing and managing cybersecurity risks. For help with your company’s efforts, contact your trusted technology advisor today. 

Business Benefits and Risks of Using Artificial Intelligence

Artificial Intelligence (AI) and its applications have the potential to radically improve business processes. Like all technologies, it comes with risks, too. Read on to learn more about how small to medium-size businesses can leverage AI while mitigating the potential risks of this growing technology.

More and More Businesses Use Artificial Intelligence

Use of artificial intelligence is growing and is only expected to increase. According to a report cited by a CompTIA article, the AI market is expected to grow by 38.1% each year until 2030, from $119.7 billion in 2022. Tech and financial services are the sectors using it most, with telecommunications lagging at 5%. Customer satisfaction at companies using artificial intelligence is expected to rise by 25%. What makes AI such a draw, especially for small to medium-sized businesses?

Benefits of Artificial Intelligence

Artificial intelligence can be used for business processes like automated chat, or to analyze large amounts of data faster and with less labor than humans can. For smaller companies, automated processes can free a small staff from mundane tasks. Businesses can use AI to gather customer feedback and change course in their product or service offerings if needed. AI-driven automation can even help with cybersecurity by detecting patterns and anomalies in the sea of data a business generates, perhaps stopping an attack in its tracks; it can also be configured to shut down affected systems and isolate the threat. In terms of cost, businesses can let automated chat handle simple, quick customer service queries, leaving workers free to focus on more complex issues. Moreover, your business may be seen as proactive and responsive, giving it a competitive edge.

Possible Risks of Using Artificial Intelligence

The benefits are apparent, but so are the risks. A substantial share (62%) of McKinsey survey respondents named cybersecurity as the biggest one. Systems using AI can be attacked and their data stolen or manipulated, and because these systems act with a degree of autonomy, tampering with a model or its data can steer its decisions without anyone noticing. Feeding data into AI for analysis can itself expose that data to loss or theft. Other concerns are whether the decisions AI makes are trustworthy, both in accuracy and in explainability (how did the machine arrive at its result?), and whether the results are as free of bias as possible. Compliance is another risk: does the system handle data in a way that complies with industry regulations? Artificial intelligence, even with its abundant promise, still needs a strong framework of policies and procedures to maintain security and privacy.

Artificial intelligence can provide many benefits to small and medium-sized businesses, as well as bring up questions about safety and privacy. For further information, contact your trusted technology advisor today. 

Using Multiple Layers for Comprehensive Cybersecurity

How do you know if your company’s cybersecurity efforts are working? Is the lack of a data breach enough to tell you that you’re doing well? Maybe, maybe not. Read on to learn about analyzing your risks and using that information to keep your systems and data safe, and your company doing business.

Start with Analyzing Your Company’s Risks

It used to be that companies needed just a firewall, some security patches and endpoint protection to protect their digital assets. Nowadays the perimeter extends far outside company walls, with numerous endpoints connecting to networks as employees work anywhere and everywhere. Events of the past few years have introduced new security challenges, including the uncertain security of those endpoints. More than tools, a comprehensive understanding of your firm’s risks and their consequences will guide security efforts. A good place to start is your company’s unique risk picture. What are your mission-critical data and applications, and what would a breach of them cost? Perhaps your business is subject to compliance regulations like HIPAA or PCI DSS, or even GDPR. Financial and reputational consequences exist too, such as the cost of downtime and the loss of clients’ trust in you to keep their data safe.

Multiple Layers Increase Security

A layered approach to security, more than any single technical tool, will protect your company’s digital assets. Network monitoring is one such layer, showing both normal and suspicious activity so that the latter can be spotted. Multi-factor authentication is another: a stolen or guessed password alone is no longer enough to get in. Training workers to spot the phishing emails that carry ransomware, and educating them in password hygiene, gives them the tools to keep bad actors out. Zero-trust principles, such as identity and access management and giving users the least access they need to do their jobs, further protect data and applications, so that a single compromised account does not expose everything.

While there is no such thing as perfect cybersecurity, your business can take many steps to protect itself and keep running. For a risk assessment, contact your technology advisor today.

Developing a Culture of Cybersecurity

When it comes to cybersecurity, tools and technology help. What can help even more is making cybersecurity a part of company culture, to the point of safety becoming second nature. Read on to learn more about establishing a culture of cybersecurity.

The Vital Importance of Cybersecurity

The attacks just keep coming; SolarWinds and Colonial Pipeline are just two well-known incidents of recent years. According to statistics, more than half of cyber attacks stem from human error: weak or poorly managed passwords, susceptibility to phishing, even ignorance of company policies and best practices. The cost of attacks is projected to keep rising, to over $10 trillion a year by 2025.

The Cybersecurity Conversation

It’s never too late, or too soon, to discuss cybersecurity openly in your organization. Your executives, inside the IT department and outside it, set the tone for your company’s cybersecurity culture; sharing lessons from past incidents, for example, shows workers that anyone can learn from mistakes. More than technology and tools, cybersecurity training needs to be an integral part of company culture: it saves costs, preserves your company’s reputation and keeps your company in business. Discuss cybersecurity freely in team meetings and everyday work conversations. Ideally this gets teams talking about ways to keep the company safe and reaches the individual level, encouraging each person to evaluate and improve their own cybersecurity savvy. Regular training and retraining should also be part of the culture. Staging mock phishing attacks to test workers’ knowledge, and their ability to act on it, makes training concrete. This is where tools and technology come in, providing engaging ways for workers to understand why cybersecurity matters.

Clear Policies and Procedures

Having, and clearly communicating, policies and procedures helps all employees know what to do in an emergency, and how to avoid one in the first place. Does everyone know what a phishing email looks like, and how to report one? Do they know to choose strong, hard-to-guess passwords, and to change them promptly whenever there is any sign of exposure rather than on a fixed schedule that only encourages minor tweaks? What is the first thing they should do when they suspect a cyber attack? If everyone, from the top executive to the newest trainee, knows what to do, all contribute to the security of the organization.

Establishing a culture of cybersecurity begins at the executive level. Establishing cybersecurity as part of your company’s philosophy, as well as clear policies and procedures, can help everyone understand their role in protecting company systems and data. For additional assistance, contact your technology provider today.

Defense in Depth Provides Robust Cybersecurity

Many companies, while they have defenses against cyberattack, still struggle to keep ahead of attackers. What if your company is one of these, and could find a better way to protect your technological assets (data, applications, the network itself) from attack? Read on to learn more about “defense-in-depth” and how your company can use it to build a robust defense in all parts of your network.

Definition of Defense in Depth

Simply defined, defense-in-depth is a cybersecurity approach in which independent layers of controls are employed to build redundancy: if one control fails, another still holds. If an intrusion occurs, the bad actor can get only so far and is dealt with before causing serious harm. From your perimeter all the way to the most sensitive data at the core of operations, overlapping controls keep data and applications safe from loss and compromise. One essential layer is detection, which catches anomalies and reports them to security personnel so that an intruder can be stopped before moving further into your network.

Evaluating Your Current Cybersecurity Posture

How do you know what an anomaly looks like, and whether it is a cyberattack in the making? Before moving to a multi-layered structure, you need to know your current cybersecurity posture. One thing to consider is what an attack against you might look like: reviewing past activity logs, especially from periods when an intrusion occurred, shows what unusual activity looks like against your normal baseline. A next step is identifying your mission-critical applications and your most sensitive data, to determine which assets need the greatest protection and belong at the innermost layer. Finally, what intrusion detection systems can you put in place to flag anomalies in usage?

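As an added example (not from this page or any product), the following Python shows the detection layer described here and the network-monitoring layer mentioned in “Using Multiple Layers for Comprehensive Cybersecurity” above. It builds a per-user baseline of source addresses from past successful logins, then runs new log lines through three checks: a burst of failed logins from one address inside a sliding window, a success from that same address after such a burst, and a success from an address the user has never used before. The log lines are constructed in an sshd-like format for the demo; the five-failures-in-sixty-seconds threshold is an assumed tuning value, and the regular expression would need adjusting to a real system’s log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an sshd-like format (not real logs).
BASELINE_LOG = [
    "2024-03-01T08:00:00Z host1 sshd: Accepted publickey for alice from 192.0.2.10",
    "2024-03-01T08:05:00Z host1 sshd: Accepted publickey for bob from 198.51.100.20",
    "2024-03-02T09:10:00Z host1 sshd: Accepted password for alice from 192.0.2.10",
]

TODAY_LOG = [
    "2024-03-04T09:12:01Z host1 sshd: Failed password for alice from 203.0.113.7",
    "2024-03-04T09:12:03Z host1 sshd: Failed password for alice from 203.0.113.7",
    "2024-03-04T09:12:06Z host1 sshd: Failed password for alice from 203.0.113.7",
    "2024-03-04T09:12:09Z host1 sshd: Failed password for alice from 203.0.113.7",
    "2024-03-04T09:12:12Z host1 sshd: Failed password for alice from 203.0.113.7",
    "2024-03-04T09:12:15Z host1 sshd: Failed password for alice from 203.0.113.7",
    "2024-03-04T09:12:40Z host1 sshd: Accepted password for alice from 203.0.113.7",
    "2024-03-04T09:15:00Z host1 sshd: Accepted publickey for bob from 198.51.100.20",
    "2024-03-04T09:20:00Z host1 sshd: Accepted publickey for alice from 192.0.2.10",
    "malformed line that the parser must skip",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd: (?P<result>Accepted|Failed) \S+ for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse(line):
    """Parse one line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "ok": m["result"] == "Accepted",
        "user": m["user"],
        "ip": m["ip"],
    }


def build_baseline(lines):
    """Map each user to the source addresses they have successfully logged in from."""
    seen = defaultdict(set)
    for ev in filter(None, map(parse, lines)):
        if ev["ok"]:
            seen[ev["user"]].add(ev["ip"])
    return seen


def detect(lines, baseline, threshold=5, window=timedelta(seconds=60)):
    """Return (kind, ip, user) alerts: brute-force bursts, a success that follows
    a burst, and a successful login from an address the user has never used."""
    alerts = []
    recent_failures = defaultdict(deque)   # ip -> failure timestamps inside the window
    burst_ips = set()
    for ev in filter(None, map(parse, lines)):
        ip, user, ts = ev["ip"], ev["user"], ev["ts"]
        if not ev["ok"]:
            q = recent_failures[ip]
            q.append(ts)
            while ts - q[0] > window:      # slide the window forward
                q.popleft()
            if len(q) >= threshold and ip not in burst_ips:
                burst_ips.add(ip)          # fire once per burst, not once per failure
                alerts.append(("brute_force", ip, user))
            continue
        if ip in burst_ips:
            alerts.append(("success_after_burst", ip, user))
        if ip not in baseline.get(user, set()):
            alerts.append(("new_source", ip, user))
    return alerts


if __name__ == "__main__":
    for alert in detect(TODAY_LOG, build_baseline(BASELINE_LOG)):
        print(*alert)
```

Run against the constructed lines this yields three alerts, all for 203.0.113.7: a burst at the fifth failure, a success right after it, and a login from a source alice has never used. The second and third together are the signal worth paging on; the first alone is routine background noise on any internet-facing host, which is exactly why the baseline from past logs matters.
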
Multiple Modes of Protection

A defense-in-depth system contains multiple defenses dedicated to controlling access to physical and data resources, as well as protecting the resources themselves. Physical controls (security at a cloud data center, say) guard the hardware, while technical controls (firewalls and antivirus protection) defend the contents of those systems. Administrative controls are the policies and procedures for network security, for example data-handling procedures and digital codes of conduct. Further controls maintain data confidentiality and integrity within the company’s network; examples include encryption at rest and encrypted backups kept offsite. Network monitoring for suspicious processes and possible intrusion, along with endpoint protection, are yet more layers.

Ideally, with defense-in-depth, you can protect your systems by using multiple tools that work better than any one tool by itself. For assistance with this approach, contact your technology advisor today.