No matter how much people hear about data safety, sloppy cybersecurity is still prevalent. Maybe you and your users are tired of constant reminders and warnings, and it all becomes background noise. However, think about it like driving a car: if you start glossing over the rules of the road: sliding through stop signs and lights, going over the speed limit, parking where you’e not supposed to—what happens? Well you might be a lucky one that never gets caught and ticketed—or worse cause an accident, but chances significantly increase for those actions catching up with you with every infraction made. Digital security works similarly. Let your defenses down here, develop a bad habit there, click on the wrong link once, download unapproved software, or divulge sensitive information in any number of ways to the wrong party and hold on!
Threats Evolve
Cybercriminals get craftier all the time. They’ve had marketplaces and forums to swap tools and tips for a long time, but AI has really stepped up the game to make it quite easy for anyone with ill-intent and not necessarily a lot of their own skill to launch attacks or lay traps. Indeed, many of today’s “attacks” aren’t outright and obvious afronts. Instead, most threats aim at lying low, undetectect by typical malware-prevention tactics and tools, on recognaisance missions. They are classified as Living Off The Land (LOTL) threats. They monitor system activity and file access, looking for sensitive information, making use of legitimate system resources and privileged access to spread and seek even more information. While doing so, they may install other tools to monitor key strokes (harvesting credential information), access cameras and microphones and send harvested data to command-and-control servers. Systems may be utilized to process data, unknown to the user and eventual ransomware attacks may be launched. Even though it’s unsophisticated and has been around for years, users still fall victim to a common ruse: a web page pops up that uses text and audio to panic the user into calling a number for help. The window is blown out to full-screen to hide all controls from the user. If they call the number, most users let the criminal onto their computer by remote session where they can install who-knows-what to carry out any of the aforementioned. The bonus? They usually charge you hundreds of dollars for the privilege and get your credit card and/or bank information to boot! Some are so bold as to just call you purporting to be one of your vendors. Think you and your users are too smart for this? Think about anyone having a hectic day close to the end and all of a sudden, a well-crafted phish or “attack” is launched. We are all vulnerable if we don’t take the time to go through steps we know to identify whether something is legit or not.
Everyone is at Risk
Small business owners ask “when’s the last time you had a customer hit with a data breach?” Well, it happens more often than one would think. Small businesses don’t usually make the news like large corporations, but that doesn’t mean it doesn’t happen. In recent years, here are a few that we’ve helped customers through:
- Ransomware: opened what they thought was a legit file. It encrypted their entire computer and file sharing utility that they used as “backup”. The utility didn’t have ransomware protection. Thankfully, our malware protection stopped the threat from getting across the network and gave the user literally seconds to unplug their computer.
- Two cases of requests to deposit an employee’s pay into a different account that actually resulted in money being moved where it should not have been.
- Multiple cases of lost or stolen laptops.
The good news is that stopgaps were put into place in all places, some recovery was made and there’s been no further fallout—that we know of. But that’s the problem: once data is out there, it’s out there and that’s the very reason to protect it in the first place and ensure that nothing goes any further than it should.
Security in Reach
Large corporations have teams of tech experts, lawyers and can implement some pretty expansive and expensive solutions that are out of reach of the types of small businesses we support. But that does not mean small businesses are without recourse! There are simple, low-cost, even non-technical things everyone can do. Everyone is capable of due diligence: the care that a reasonable person exercises to avoid harm to other persons or their property. In the event you expose sensitive data, being able to demonstrate that you have done what is within your power to do, will go a long way in your defense. In our next few posts we will be covering some basics. We hope they will be of use to you. Have questions? Please feel free to contact us.