Jun 20

Do You Have Enough Eyes Looking Out for Your Network’s Security?

By Hana LaRock | Managed Services , Security

When it comes to companies protecting their network from hackers, most business leaders know what to do. Once a company has made the decision to utilize services of a third party in regard to their security, they’ve already made a move in the right direction.

But, how do you know you’re using the right cyber security service for your company? And, does the service you’re using possess the expertise, resources, and manpower to continuously monitor your network? It’s not just about outsourcing your cyber security, although that much is important. Ultimately, it’s about asking yourself whether or not there are enough eyes on your network to make sure your security situation is stable at all times.

Why You Need to Analyze Your Own Business Before Seeking Help

Just because you define your business as a small business doesn’t mean your need for cyber security is any less than anyone else’s. In fact, small businesses can actually be more of a target for cyber criminals, since hackers often assume you’re not taking proper precautions and that your network is therefore that much easier to break into.

This means that you need to up your cyber security game as much as possible. Since you can be considered the low-hanging fruit for hackers, you need to be extra cautious about your network’s security, especially when you operate in the financial industry. As a small business, you’re vulnerable in a lot of ways, one of them being the reputation you have amongst your customers. When you’re small or just starting out, your customers’ expectations of you are that much higher. If you have a security breach, you may find yourself back at square one with your business.

Therefore, before you seek assistance from a third party managed service provider, have a general idea of what’s important to you security-wise. Even if you don’t know a lot, knowing what your business’ demands are and the value of what you need to protect, is enough to guide you in the right direction.

One Pair of Eyes is Never Enough

Before the technology era, how did people protect their businesses? Think about it. They locked and chained their doors. They installed alarms. They added security cameras. Many hired security guards to keep watch overnight. Already, that’s a lot of eyes watching that business.

In the Internet age, the concept is much the same. However, hackers don’t have to dress up in black and plan a heist to break in; it’s often much easier to breach your network. And, since a lot of security breaches can happen because of human error, it’s so important you have enough people looking out for you.

When someone writes a book, they have editors read over their work again and again. Don’t you want your network treated better than a bestseller? We think so. That alone is enough incentive to make sure there are enough eyes on your network. Therefore, when you seek out a company to take care of your cyber-security, figure out what their staff numbers look like and how many people will be on your case.

But, It’s Not Just About Eyes

When you’re working in the financial industry, you have a lot of responsibility when it comes to your customers. If you’re collecting sensitive information from your clients, such as credit card numbers, SSNs and home addresses, the stakes are higher for you than other companies. That means it’s not just about HOW MANY people are monitoring your network, but HOW they are monitoring it (and how often).

Before you buy the services of a third party provider, read their testimonials. See what they offer, what their guarantees are, and read up to make sure they haven’t made headlines for anything negative.

This is YOUR company and it’s your priority. Is your managed service provider making your security their priority? You better hope so. 

In the meantime, try our RiskAware™ Cyber Security Scan & Report to see where your security currently stands.

Jun 06

Three Categories Regulators Expect Your Risk Assessment To Fall Under

By Hana LaRock | CEO Best Practices , Managed Services , Security

Up until now, when auditors and regulators of cyber-security came to companies, most of the time they would just ask to see whether an assessment was done. It was even less likely that they would have asked the details of that assessment. But, now, that’s starting to change.

Some companies these days have gotten into trouble with auditors and regulators because even though they had done an assessment, the assessment was either not as comprehensive as it should have been or the company didn’t act on the risks that the assessment reported.

If you want to make sure your risk assessment is done correctly, then you must make sure it falls under one of these three categories:

1) Standardized:

There are many different kinds of risk assessments out there, and what you use will depend on a lot of factors. First of all, it depends on what kind of business you’re in and how much a hack could affect the lives of your customers and employees. Of course, some businesses are held to higher standards than others when it comes to an auditor’s discretion. That being said, you should always set the security bar high for yourself no matter what; that way you know you’ll be safe.

Whatever route you decide to go with your risk assessment, you should ask the organization that’s doing it whether or not the test they choose to perform is standardized, meaning that if the test were repeated at your business or another, it would produce (more or less) the same results. At the very least, the assessment should yield the same specific kind of information across the board.

2) Relevant:

As mentioned before, a test that’s done for one company may not work for another. If your third party is running the same assessment on your small e-commerce site that it’s doing on a multi-million dollar health insurance company, that could very well be a red flag.

Some of the assessments you may have heard of include, but are not limited to, FAIR, OCTAVE, FMEA, etc. Some fall into the category of qualitative assessments, while others fall into the category of quantitative. This means that some assessments will look at data and other factors over a long period of time, while others are simply based on an expert’s opinion. The results of these assessments can be expressed in different ways, usually referring to the various direct or indirect costs.

When the assessment is done, it should be able to answer key questions that are relevant to your business. What vulnerabilities do you have in your system? What could be causing the threat? What kind of damage are you looking at if these threats take hold? And, of course, how do you fix it?

3) Explicit:

So, if auditors and regulators are starting to ask more questions, don’t you want to be ready with more answers? If an auditor comes knocking on your door wanting to know much more than whether or not you’ve simply done an assessment, then you need to be prepared. What we’re trying to say is, your assessment shouldn’t merely report the date you had it done, when you’re due for the next one, and who administered it.

Instead, your assessment needs to have explicit information and data on it that will be satisfactory to the potential auditor. If you want to get a heads up about what an auditor might look for, speak to the organization that will be conducting your assessment.

Remember, even if you go through all this work to have the right assessment done for your company in the eyes of the auditors, it won’t mean much if you’ve left that assessment report in a pile of papers on your desk. In addition to making sure your assessment falls into one of these three categories, you also need to address anything that assessment uncovers, immediately. Also, make sure you continue to get assessments done regularly in order to stay on top of your security.


May 31

Why The Recent WannaCry Ransomware Attack is Relevant to You

By Hana LaRock | CEO Best Practices

About two weeks ago, cyber-security made headlines yet again when the WannaCry Ransomware attack hit several large companies around the world. It affected companies globally, reportedly hitting 230,000 computers in 150 countries. It attacked computers running Microsoft’s operating system and asked for a ransom via Bitcoin payments. There were several reasons that this WannaCry Ransomware was so successful in its attack. And, even if you weren’t affected, here’s why the whole situation is relevant to you, anyway.

Have You Been Updating Your Software?

One of the reasons certain companies were vulnerable to this ransomware attack was because they had not updated their systems. Though Microsoft had advised their users to run an update a few months prior to the attack, we know that there are always those that pay no attention to the updates.

This is, of course, one of the factors that make this WannaCry Ransomware attack relevant to you. When it comes to your cyber-security, those updates may seem unimportant. But, they are actually very important. Software companies and operating systems generally do a lot to monitor their vulnerabilities. If they let you know about a potential risk and encourage you to make updates to protect yourself, don’t ignore it.

Are Your Files Backed-Up?

Luckily, experts stopped the WannaCry Ransomware attack in its tracks; it could have been a lot worse. However, the virus was still able to get its hands on sensitive information by encrypting the data files on the computers it attacked. Of course, the main goal of any ransomware is to hold a ransom (hence the name). Agencies that work to fight these kinds of attacks encourage victims not to pay the hackers. And, if you were proactive enough to have your data files backed up, you won’t have to pay up. Falling victim to a ransomware attack, even one as heavy as WannaCry, won’t be as much of a crisis if you have copies of your data. That being said, you still don’t want that data in the wrong hands.

Which brings us to our next point:

Pay Attention To Your Own Network’s Security

Though it’s important you stay on top of the news to see what new threats are out there, that’s not going to help you if you’ve already been hacked. And, when you’ve got a business to run, it’s not really easy to stay on top of your system all the time: monitoring, checking for risks, and patching up your system when risks are found.

That’s why it’s a good idea to have a third party assess your systems. Those companies affected by the WannaCry Ransomware that knew about the updates but neglected them could face serious fines. Especially if the hackers got their hands on credit card information belonging to those companies’ clients, there could even be lawsuits in order.

Therefore, it’s essential that you have your systems constantly monitored by an unbiased third party. This way, you can not only make sure you and your customers are protected from hacks like ransomware but that you’re also protected against the questions of auditors and regulators.

Though you may wonder what such a large-scale cyber attack like this has to do with you, we promise you that it’s completely relevant.


May 16

5 Add-On Tips to Ensure Your Security is at Its Absolute Best

By Hana LaRock | Security

When it comes to securing your network, there is never really such a thing as “too much.” That being said, a lot of the time people who believe they have a stable security system will neglect it after a while, especially if they’ve hired someone to look after it.

But, security isn’t just something you install and leave. In order to get the most out of your security program, it must be constantly monitored. Whether you’re doing the monitoring or someone else is doing it, these add-ons will help ensure your security is at its absolute best.

1. Add More Authentication Stages

Most of us know that a two-step verification process is a smart way to keep your systems secure. Unfortunately, as much as people know the importance of this, they still are not implementing it where they should. These days, hackers are still finding success by stealing passwords or just by guessing them.

Adding a little more authentication, such as MFA (multi-factor authentication), will help you put up more of a wall around your systems. MFA makes users present multiple forms of evidence in order to gain access to the network. This could be anything from answering personal security questions to providing two separate and unique passwords.

2. Add a Web Application Firewall

Companies and individuals alike should not rely only on a firewall to secure their systems. Firewalls are easy to bypass and don’t have the capacity to block out the really serious stuff. That being said, firewalls are still good to use as long as they are combined with other forms of security.

A web application firewall is a type of firewall that can help filter out common web application attacks, like SQL Injection attacks. Of course, the best way to be sure this firewall is working properly is to change your settings to allow only the apps you trust, and to check frequently whether stronger blocking against an attack needs to be added afterwards.

3. Add More Security Scans and Filters Overall

When you have a lot of traffic coming into your site, that’s a good thing for business. But, it’s not really a great thing for security. Bad sites have a way of sneaking into your regular traffic stats, posing as an ordinary user. The problem is, what looks like an ordinary web user may actually be some form of malware that is easily overlooked.

To help prevent this, you can first add a filter to block the URLs of these bad sites. You also need to look beyond the traffic and proceed with caution when you receive emails that include suspicious-looking links.

4. Add an Approach That Works Worldwide

In this day and age, many companies have employees that work remotely. These employees need to have the ability to access your company’s network without any hassles. But, finding a solution that lets employees log on easily while maintaining the security of your network is a bit of a challenge. Fortunately, all you need to do, in addition to using a VPN, is make sure data is encrypted at every point of the network. And, make sure your employees are being careful if and when they ever use a public Wi-Fi network.

5. Add On the Best Security Staff There Is

When it comes to your network’s security, you can’t do it alone. Even after you implement all these add-ons, the most important thing is that your security is left in the right hands. Having an educated IT team is a start, but IT, especially one IT guy, isn’t always as prepared for such a situation as a third party provider would be. Whatever route you decide to go, it’s essential that you leave your security with the experts if you’re not already doing so.


May 09

Phishing Scam: What to Ask Yourself Before Trusting That URL

By Hana LaRock | Cyber Scams , Security

These days, most people would say that they can tell the difference between a good URL and a bad one. In fact, most people may not even consider the fact that a URL could be ‘bad’ in the first place. The only time anyone might second-guess a URL is when it contains a lot of strange numbers or characters. However, hackers know that most people are aware of this, which is precisely why they’ve gotten more sophisticated at creating URLs that will trick people.

Whether you’re a personal user or you’re the CEO of a company, here’s why you should think twice before trusting a URL, and how to recognize the signs of a hack.

It All Starts with Language

The first step in being able to identify a bad URL is by understanding what a URL is. A URL is, of course, letters that are put together to make words (or made up words) to lead you to a place on the Web. Maybe you’ve never realized it before, but, almost all URLs on the web are made of English characters. That’s because the Internet was designed initially for an English-speaking audience.

The problem (or, rather, the benefit for hackers) is that there are many letters in the English alphabet that look exactly the same as letters in other alphabets. Although these letters don’t hold any of the same phonemic significance, they can be used to make fake URLs that mix letters from other alphabets with English letters. This is known as an “IDN Homograph Attack.”

How to Prevent a Homograph Attack

The reason these fake URLs can be created is that the phisher on the other side of the screen has found a registrar that let them register a domain mixing characters from different languages. While a lot of these sites are cracking down on this behavior, it’s pretty much possible to find anything on the Internet. So, one of the easiest ways to stop an IDN Homograph Attack is by restricting IDNs in your browser settings. If this isn’t an option for your company (maybe because you work with many international businesses), new protections are coming out in various browsers that, once updated, will help guard you against such attacks.
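As an added example (not code from the original post), here is a Python check that does what “restricting IDNs” in a browser amounts to: it decodes the host of a URL, flags any label that mixes scripts (a Latin word with a Cyrillic look-alike letter inside it), and shows the punycode form a browser would display instead. The sample hostnames are constructed.

```python
import unicodedata
from urllib.parse import urlsplit


def script_of(ch: str) -> str:
    """Script family of a character, taken from the first word of its Unicode
    name: 'LATIN', 'CYRILLIC', 'GREEK', ... ('UNKNOWN' for unassigned points)."""
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"


def decode_label(label: str) -> str:
    """Turn an 'xn--' (punycode) label back into Unicode; other labels pass through."""
    if label.lower().startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label  # undecodable punycode: keep the raw label so it is still inspected
    return label


def to_punycode(host: str) -> str:
    """The ASCII form a browser displays when IDN rendering is turned off."""
    return host.encode("idna").decode("ascii")


def check_host(host: str) -> dict:
    """Classify a hostname:
      'ascii'        - plain ASCII labels only
      'idn'          - at least one label in a single non-Latin script (a legitimate IDN)
      'mixed-script' - a label mixes scripts (e.g. Cyrillic 'а' inside Latin 'paypal'),
                       the classic homograph pattern
    Returns the decoded host, its punycode form, the verdict and the flagged labels."""
    host = unicodedata.normalize("NFC", host.strip().rstrip(".").lower())
    labels = [decode_label(label) for label in host.split(".")]
    verdict = "ascii"
    flagged = []
    for label in labels:
        # Only letters count; digits, hyphens and combining marks carry no script
        scripts = {script_of(c) for c in label if c.isalpha()}
        if len(scripts) > 1:
            verdict = "mixed-script"
            flagged.append((label, sorted(scripts)))
        elif scripts and scripts != {"LATIN"} and verdict == "ascii":
            verdict = "idn"
    unicode_host = ".".join(labels)
    return {
        "unicode": unicode_host,
        "punycode": to_punycode(unicode_host),
        "verdict": verdict,
        "flagged": flagged,
    }


def check_url(url: str) -> dict:
    """Convenience wrapper: pull the host out of a full URL and check it."""
    return check_host(urlsplit(url).hostname or "")


if __name__ == "__main__":
    # Constructed samples: the second one hides a Cyrillic 'а' (U+0430) inside 'paypal'.
    for sample in ["https://www.example.com/", "https://p\u0430ypal.example/login"]:
        r = check_url(sample)
        print(f"{sample}: {r['verdict']} -> {r['punycode']} {r['flagged']}")
```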

Other Ways to Detect Danger

Homograph attacks aren’t the only ways in which people are tricked into opening bad URLs. As long as you know what to look for, you can detect danger and put a halt to it before being affected.

  • Is the Site You’re Going to Secured?: Most browsers will let you know if a website is “unsafe” before continuing. If you see a warning but you’re fairly confident that it is safe, check if the site has security seals. Something as simple as seeing that green address bar can help you be sure.
  • Are the Letter Cases Different?: Typically, letter cases don’t make much of a difference when you’re trying to visit a website. But, checking the letter case on a URL, especially if it was sent to you via email, can help prevent an attack. If something looks out of place, exercise caution, and instead, type in the URL on the address bar as you know it.
  • Is the SSL Certificate Up to Date?: If the website’s SSL Certificate is expired, this could be a red flag. It may not be that the website is being run by a hacker, but it could make the site itself more vulnerable to hackers who want to use it as a bridge to get to you.

Cyber scams can be hard to detect. If you want to protect your company, knowing the signs of attacks like these is important. Next time you click a new URL, stop and follow these steps.


May 02

Will You Be Able to Recognize Executive Impersonation Fraud?

By Hana LaRock | Cyber Scams

There are all different kinds of ways for a hacker to breach a system, and it seems like once we figure out how to prevent one of them, another one arises. Whether it’s Malware or Phishing scams, it’s hard to predict what the next one will be and when it will hit.

But, right now, there’s a new scam on the rise, and it’s just as concerning as it is clever. Executive impersonation fraud is becoming more and more prevalent and harder to catch. Will you be prepared if it’s used against you?

What is Executive Impersonation?

An Executive Impersonation is yet another type of Business Email Compromise scam. While it may seem like the type of hack anyone could attempt, it’s, in fact, very sophisticated. Hackers who do this go to great lengths to pretend to be an executive of a company and seek the information they are looking for. Therefore, it’s one of the hardest scams to recognize.

In an Executive Impersonation hack, hackers target businesses that frequently do wire transfers. These hackers, or impersonators, “take the place” of a CEO, attorney, or trusted vendor with a leadership position; someone who has the power to initiate a bank transfer. Needless to say, these hackers can get their hands on all kinds of sensitive information and use it to their benefit.

Who are the Scammers?

Though many of us tend to fear the biggest threat actors when it comes to data breaches, an Executive Impersonation attack doesn’t need to be carried out by a whole country. Like many other scammers out there, it could just be a random individual. That being said, it does take a lot of research to impersonate a high-powered executive, and we can assure you that these hackers read up.

Which brings us to our next point…

Why Do People Fall For It So Easily?

These days, when you can hide behind a computer screen, you never really know who you’re dealing with. You may wonder how someone could so easily fall for one of these Executive Impersonation scams, but what you really should be asking is, “How can you not?”

First of all, when a CEO gives any type of order, it’s usually respected. Most people, when given a request by someone in power, will automatically say “yes.” The scammers make sure to use that factor to their advantage while replicating business practices unique to the company they’re hacking. To carry out this type of hack, they will ultimately conduct unauthorized wire transfers by compromising email accounts.

Preventing Attacks

The first step to preventing attacks like these is simply being aware. The more your company is up to date with what’s out there, the higher chance you’ll have for keeping yourself safe.

Who is a Target?

If you think just because you’re a small business you won’t be a target for an Executive Impersonation hack, think again. Smaller businesses tend to be the most vulnerable since oftentimes they’ll put their cyber security on the back burner. Therefore, making sure you take as many precautions as possible, like practicing two-step verification and strong passwords, will help you stay safe.

Know The Different Ways Hackers Carry Out the Attack

In Executive Impersonation attacks, there are three main ways in which the hack is carried out:

  • Executive/Attorney Impersonation: When the hacker pretends to be an attorney asking for money for a time-sensitive transaction, for whatever reason. Usually, the “attorney,” or the account that’s hacked, is a person whom the company already knows and trusts, and would have no reason to question the request.
  • Data Theft via Human Resources: This is when the hacker impersonates the CEO by compromising his or her email, then contacting someone in HR, Finance, or any other department that deals with the payroll. That employee will then send the “CEO” the payroll or sensitive information requested without second-guessing it. Then, the hacker will use this info to get what they want.
  • Executive Money Transfer Request: This is when the hacker compromises the executive’s email and puts through a money transfer request in the executive’s name. They will contact the person who handles money at the office (again, HR or Finance) to submit a direct transfer to a “vendor” or “customer” account.

No cyber attack can be 100% prevented. However, if you know the signs of an Executive Impersonation attack while making sure your systems are secure, you should be in good shape.

Smeester & Associates can help CEOs like yourself make the right decisions for your company, whether those involve cyber threats or other concerns in your IT department. To see if you’re at risk of a security breach, take our RiskAware™ Cyber Security Scan & Report today.

Apr 25

Are You a Small Business with Big Clients? Your Cyber Security Better Measure Up

By Hana LaRock | CEO Best Practices , Security

If you work in the distribution/manufacturing industry, then it’s likely a lot of your clients are pretty big names. They need your services to help them run their businesses, which could very well be large, powerful companies. Therefore, these clients will have very high expectations of your company’s security and expect certain standards when you collect their sensitive information.

If you’re a small business with big clients, your cyber security better measure up. Here’s why:

You Should Provide Your Client With a Huge Sense of Security

If you work in manufacturing or distribution, then you need to have tight security on all levels. Even if you’re a small business, it’s likely you could be doing work with a lot of different clients.

From the time a new client walks in the door (or sends you an email inquiring about your services) their information needs to be 100% secure. They’re already well aware of the consequences if your systems are non-compliant.

Are you?

Don’t even give them a chance to wonder. Pride yourself on letting your clients and future clients know what steps you’ve taken to make sure their information is safe with you.

Word of Your Security Situation Can Spread Quickly

If you’re the business that big-name companies come to, you’re most likely a household name in those industries. Clients are quick to recommend their friends to a company like yours. If you’ve been around a while, a lot of people probably know you.

But, there’s also a chance that if you’ve been around a while, cyber security may not have been such a concern ten or fifteen years ago. People are going to want to know you’ve stepped up your game to accommodate them. If you’re not taking those measures seriously, word will get around.

You don’t want people saying, “Be careful with that guy.” Instead, you want them saying, “You’ll never have any issues with him!”

Most of all, it’s important to remember that if you’re the leader of your company, you’re ultimately responsible if a data breach occurs. You definitely don’t want that to happen to you and your company’s overall reputation.

If Their Data isn’t Protected, You Could Face Legal Consequences

If you’re taking any payment card information or other sensitive information from your clients, then you must be held to certain standards. If those standards aren’t met, you don’t even need to have a data breach in order to be fined. But, if you do experience a breach and the information of your “VIP” clients gets leaked, you could easily face tough legal consequences. The price you’d have to pay could wipe out your business entirely…if you’re lucky.

Nowadays, Expectations are High for Everyone

While manufacturing and distribution companies should, for these reasons, take more precautions to keep their customers’ data safe, they aren’t the only ones. Small businesses like these need to take extra care in protecting their data from the get-go, as they can be easier targets with fewer resources to handle such a thing.

But, it’s not just about small businesses, big businesses, or the type of industry you’re in. These days, customers everywhere are well aware of what can happen to their information in a data breach, and how easily hackers can get their hands on it. Therefore, expectations are high for EVERYONE, no matter what kind of business you’re in.

Don’t be the company who loses business because you thought you could take the chance. Trust us, it’s not worth it.


Apr 18

Here’s a Secret: How To Save on Your Cyber Insurance Premium

By Hana LaRock | CEO Best Practices , IT Best Practices , Managed Services , Security

For company leaders that are already investing in cyber security, you don’t need a reminder of why it’s so important. You’re probably well aware of the seriousness and frequencies of data breaches these days, and you, therefore, want to make sure you’re protected at all costs. But, for those who still haven’t taken that budget leap, know that a cyber insurance plan can help offset major costs associated with any type of data breach.

Is that still not enough of a reason to allocate your budget to insurance? Then consider this. What if you could save money on your cyber insurance premium, just by being proactive? Would that be enough to push you to make the right decision for your company?

We’ll tell you more:

The Costs of Cyber Insurance

Cyber insurance isn’t cheap per se, but it can be affordable. And, when you consider how much it would cost to make “repairs” after a data breach (often thousands upon thousands of dollars, depending on the size of your company and the extent of the damage), it’s definitely worth the price.

Like any other type of insurance, you pay a premium every month, and you can be covered for A LOT. This can be anything from privacy liability to lawyers, plaintiff lawsuits, forensic investigations, PR, penalties and fines, etc. Does that sound expensive already? We’re only scratching the surface. But, what if you could clear all the anxiety about the “what ifs” just by paying a premium every month?

Cyber insurance policies can be customized to your needs. You can go based on the size of your company, what industry you’re in, and ultimately what the stakes would be. No two policies are the same. Some premiums can be as low as $1,000 per year, while others can be as high as $50,000. But, don’t worry. It’s typical that the premium you pay is relative to what your company earns.

Still, that’s a lot of money, especially for a start-up. 

This is usually the biggest factor that deters people from taking out cyber insurance in the first place. They just don’t see that it makes sense to add something onto the budget that hasn’t even happened yet.

IT companies who specialize in cyber security understand this. So, we’ll let you in on a little secret. One that only professionals know about.

You can actually save a huge amount of money on your policy premium if you just take a few steps, first. We’re talking around 60%. Here’s how:

How to Save on Your Cyber Insurance Premium

For company leaders like you who understand the importance of cyber security, but still want to save, there’s a way to have the best of both worlds.

All you have to do is be proactive. How do you do that? It’s easy. Get yourself a network assessment from an unbiased third-party. These professionals will analyze and evaluate your system for any vulnerabilities. If they find something that makes your security weaker than it should be, they’ll let you know and fix it up for you. Then, they’ll issue you a document proving you’ve done the assessment. This document will say that you’ve taken all the precautions you can on your end to make sure your system is as secure as possible.

Of course, even if you take those steps, hackers can still find a way in. That’s why it’s important to have cyber insurance, so you’re covered no matter what. However, we can understand how frustrating it can be to spend money on an assessment that’s supposed to clear you, but then having to spend more money on insurance, anyway.

So, here’s how you save. Just bring that assessment to wherever you’re purchasing your cyber insurance plan from. Show them the measures you’ve taken (again, all explained in that assessment overview). More often than not, you can get a huge discount on your policy premium just with that paper. If they’re not eager to offer you that discount, then tell them what you now know!

After all, the law favors those who make an effort from the get-go. Also, the more you do now, the less the insurance provider has to worry about when they cover you.

We want to help you save money on your cyber insurance premium. To get you started, take our RiskAware™ Cyber Security Scan & Report.

Apr 11

What You Should Learn From The Yahoo! Data Breach

By Hana LaRock | CEO Best Practices , Security

Last year, Yahoo! reported two major data breaches, the largest the world had seen at the time. The first breach, which occurred in 2014, compromised more than 500 million accounts. The second breach Yahoo! reported, which happened back in 2013, compromised more than one billion user accounts. While data breaches can happen to anyone, the scale of the damage in the Yahoo! case raised suspicions. How was it that so many user accounts were compromised so easily, and why did it take so long before anyone knew what had happened?

Now, it’s becoming clearer what actually led to such a disaster.

While many of us can sit and judge Yahoo! for its mistakes, there’s actually a lot your company should learn from the Yahoo! breach.

What Information was Leaked?

When a data breach happens, there’s no limit to what the hackers can take. Whether you handle payment card (PCI) data or work in the healthcare industry, a customer’s information can be used to do all sorts of terrible things. In the Yahoo! case, financial information was likely not taken, but the hackers did get their hands on names, email addresses, telephone numbers, dates of birth, hashed passwords and, for some accounts, security questions and answers. That is enough to reset passwords on other services and to try the same credentials against other sites, which is how attackers ultimately get at financial information.

Who Was to Blame?

With a record number of accounts compromised, it was only a matter of time before the higher-ups at Yahoo! started pointing fingers. After all, no one wants to take the blame in such a newsworthy situation. Ultimately, Yahoo Inc. directed attention to its executives for failing to investigate the breach properly, let alone take steps to prevent it from happening in the first place.

A review by an independent committee of Yahoo!’s board revealed some concerning truths. Senior executives and legal staff knew in late 2014 that a state-sponsored actor had accessed user accounts, but the incident was never properly investigated or escalated, and that breakdown in internal reporting is probably what allowed the hackers to do so much damage for so long. The consequences for the people held responsible were life-changing. Yahoo!’s general counsel resigned, CEO Marissa Mayer gave up her 2016 cash bonus and 2017 equity award, and Verizon cut the price of its pending acquisition of Yahoo!’s core business by $350 million. In March 2017 the US Department of Justice charged four men, including two officers of Russia’s FSB, in connection with the 2014 breach.

So, do you think Yahoo! was right in blaming their executives, even though it could have been an IT or internal problem? Actually, yes.

The Leaders of the Company are ALWAYS Responsible

There are a lot of things that can cause a data breach. A report by the Online Trust Alliance (OTA) found that over 90% of the breaches in the first half of 2014 could have been prevented. Whether the cause was an outside hacker or an error on the staff’s part, that’s a pretty shocking number. So, when it comes to Yahoo!, why couldn’t they see it sooner?

Though we don’t know all the answers yet, it’s likely that the breakdown in communication allowed the hack to happen so easily, and more than once. No matter what the actual cause is, any time a data breach occurs it’s the responsibility of the company executive, much the same way a captain goes down with his or her ship. This is why Yahoo!’s CEO had to take the blame and a pay cut, and the consequences could easily have been worse. At the end of the day, it’s the company executive’s responsibility to do everything reasonable to prevent data breaches.

Here’s How You Don’t End Up Like Yahoo!

You understand the responsibility you hold as an executive. That’s great. But you might be feeling overwhelmed by that responsibility, since data breaches can still occur even after you’ve taken the proper security measures. Don’t be alarmed. As long as you’re taking the steps to stay compliant, you have a security protocol for staff, and you check on a regular basis that your systems are as secure as possible, you’ve done what can reasonably be expected of you.

Smeester & Associates can help CEOs like yourself make the right decisions for your company, whether those involve cyber threats or other concerns in your IT department. To see if you’re at risk of a security breach, take our RiskAware™ Cyber Security Scan & Report today.

Apr 05

Is Human Error the Biggest Risk to Company Data?

By Audrey Smeester | CEO Best Practices , Employee Education , IT Best Practices , Security Best Practices

We all make mistakes. I mean, we’re only human after all. But did you know that according to CompTIA’s Trends in Information Security study, human error actually accounts for 52 percent of security and data breaches? Yikes, looks like being human can be a big cause for concern when it comes to any business’s data security.

Although human error is normal and in some cases inevitable, it can be more of a threat to businesses than most are aware of. Backup and disaster recovery (BDR) plays an important role in ensuring that these mistakes don’t turn into serious problems. Read on to discover what these threats look like and how to protect yourself against potential data disasters.

What Is Human Error?

Any business with employees has something to worry about when human error is this high. However, it can be difficult to define, because error comes in many forms. Typically it involves circumstances in which certain actions, decisions or behaviors threaten business security. Some goofs and gaffes may seem harmless, but major slip-ups happen more often than you’d think and can seriously jeopardize sensitive data. So why are these mistakes so threatening to IT environments, and just what kind of bad habits should be corrected? Here are some examples of what human error can look like:

Using weak passwords

Although passwords may seem like the most basic security technique, they can be easily cracked or obtained by malicious actors when not handled with proper care. In this year’s Verizon Data Breach Investigations Report, 63 percent of confirmed data breaches involved weak, default or stolen passwords. This goes to show that using simple passwords, reusing the same password on several systems, sharing them with other employees, or even leaving Post-Its with credentials lying around can lead to precious and private data being compromised.
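As an added example (ours, not part of the original post), here is the kind of check a password policy can enforce against the weak, default and stolen passwords the report describes. It mirrors the k-anonymity “range” lookup used by Have I Been Pwned’s Pwned Passwords service, where the client sends only the first five hex characters of the password’s SHA-1 and compares the rest locally, so the password itself never leaves the machine. The breach corpus, the index functions and the policy rules below are constructed for this illustration and run entirely offline.

```python
import hashlib
from collections import Counter

# Constructed stand-in for a breached-password corpus. The real Pwned Passwords
# data set from Have I Been Pwned has hundreds of millions of rows.
BREACHED_PASSWORDS = ["password", "123456", "Welcome1", "admin",
                      "letmein", "Password1", "admin"]


def sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1, the form in which breach corpora are distributed."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords) -> dict:
    """Index the corpus by the first 5 hex chars of the SHA-1 -> {suffix: count},
    which is the shape the Pwned Passwords 'range' endpoint serves."""
    index = {}
    for pw in passwords:
        digest = sha1_upper(pw)
        index.setdefault(digest[:5], Counter())[digest[5:]] += 1
    return index


INDEX = build_range_index(BREACHED_PASSWORDS)


def range_query(prefix: str, index: dict = INDEX) -> dict:
    """Server side of a k-anonymity lookup: the caller reveals only a 5-char
    prefix and gets back every suffix sharing it, with occurrence counts."""
    return dict(index.get(prefix.upper(), {}))


def breach_count(password: str, index: dict = INDEX) -> int:
    """Client side: send the prefix, compare the full hash locally."""
    digest = sha1_upper(password)
    candidates = range_query(digest[:5], index)
    return candidates.get(digest[5:], 0)


def check_password(password: str, username: str = "", min_length: int = 12,
                   index: dict = INDEX) -> list:
    """Return the policy violations for a candidate password (empty = accept).
    The rules (length, no username, not in a breach corpus) are an assumed
    policy for this example, not a standard."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    hits = breach_count(password, index)
    if hits:
        problems.append(f"appears {hits} time(s) in the breach corpus")
    return problems


if __name__ == "__main__":
    for candidate in ["Welcome1", "correct horse battery staple"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

The point of the prefix split is that the lookup service only ever learns five hex characters, which match hundreds of unrelated hashes, so checking a password against a shared corpus does not disclose it. The same check belongs at account creation, at password change, and in a periodic sweep of existing hashes, which is how default and reused passwords get caught before an attacker finds them.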

Low security awareness

Most employees have surprisingly low awareness of phishing and other cyber attacks. According to the same Verizon report, 30 percent of phishing emails were opened, and of those, 13 percent went on to click the malicious link or attachment and let the malware run. Phishing emails are becoming increasingly sophisticated, and malware authors keep finding new ways to bypass filters and reach your inbox. Without proper awareness of these risks, employees could click on phishing links and expose the network to viruses and malware. Employees with insufficient cybersecurity education could be unknowingly helping hackers gain access to the business network. What would that mean for you? Do you know how to spot a malicious scheme before the damage is done?
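The following added example (ours, not the author’s) shows three of the cheap checks that a mail filter or a user-awareness tool applies to a message before a human ever sees it: a display name that invokes a trusted brand while the sending domain is somewhere else, a Reply-To that differs from From, and links whose visible text shows one host while the href goes to another (or to a raw IP address). The two messages, the domain names and the assumed trusted domain acme.com are constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample messages (not real mail). The first carries the classic
# tells of a credential-phishing lure; the second is a legitimate notice.
SAMPLE_PHISH = """From: "Acme IT Support" <helpdesk@acme-support-login.com>
Reply-To: collect@mailbox-verify.net
To: jane@acme.com
Subject: Action required: password expires today
Content-Type: text/html; charset=utf-8

<p>Your password expires today. Reset it here:
<a href="http://198.51.100.7/reset">https://sso.acme.com/reset</a></p>
"""

SAMPLE_BENIGN = """From: "Acme IT Support" <helpdesk@acme.com>
To: jane@acme.com
Subject: Maintenance window
Content-Type: text/html; charset=utf-8

<p>See <a href="https://sso.acme.com/status">the status page</a> for details.</p>
"""


def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels). Fine for .com/.net in this example;
    a real filter should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_ip_literal(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw_message: str, trusted_domain: str) -> list:
    """Return human-readable findings for a single-part HTML message."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. Display name borrows the brand, but the address is on another domain.
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    brand = trusted_domain.split(".")[0]
    if brand in display.lower() and registrable_domain(from_domain) != trusted_domain:
        findings.append(f"display name mentions '{brand}' but sender domain is {from_domain}")

    # 2. Replies are routed somewhere other than the apparent sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply.rpartition("@")[2].lower()
    if reply_domain and registrable_domain(reply_domain) != registrable_domain(from_domain):
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 3. Link text shows one host, the href goes to another (or to a bare IP).
    payload = msg.get_payload(decode=True)
    body = payload.decode(msg.get_content_charset() or "utf-8") if payload else ""
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        if is_ip_literal(href_host):
            findings.append(f"link points at a raw IP address: {href}")
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if "." in shown and " " not in text and registrable_domain(shown) != registrable_domain(href_host):
            findings.append(f"link text shows {shown} but href goes to {href_host}")
    return findings


if __name__ == "__main__":
    for name, sample in [("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)]:
        print(name, phishing_indicators(sample, "acme.com") or "no indicators")
```

None of these checks proves a message is malicious, and attackers do register look-alike domains that pass them, so they are best used to add a visible warning banner or to route the message for review rather than to block outright. The same three tells are exactly what awareness training should teach people to look for by hand: hover over the link, read the real sending address, and notice when a reply would go somewhere unexpected.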

Carelessly handling data

We’ve all had those days when we’re not at the top of our game, but when it comes to handling sensitive company data, careless actions can result in major disaster. According to the same CompTIA study, 42 percent of error-related breaches are caused by “general carelessness” of users or employees. Whether it’s accidentally deleting important files, sending company data to the wrong email recipient, neglecting software updates, or misplacing mobile devices, a little carelessness can cause a lot of trouble.

Why Is Human Error a Threat?

Most businesses are unaware that the greatest security threat could be internal. With criminal cyber-activity on the rise, not enough business owners are paying attention to the avoidable consequences of human error. Unfortunately, people still suffer from what I like to call the “this could never happen to me” mindset.

You could have the best technology and procedures in place, or a well-thought-out disaster plan, but one unforeseen slip-up by an employee could mean the end of the road. It is your Managed Service Provider’s responsibility to ensure that your network and data are protected from these potential threats. Understanding that human error is the root of these problems is only the first step. So what else can you do?

Have a Strategic Business Advisor

Having an effective backup and disaster recovery (BDR) solution can give you the opportunity to strengthen your data security, but there are other methods as well.

Walk through your errors

Talking about common mistakes and mapping them out is the best way to work through problems. Tracking and analyzing how errors occur can help you minimize the chances of them happening again and also mitigate the potential damage.

Create a solid security policy

It’s always a good idea to have a documented procedure when it comes to data security. Strategically creating rules and best practices makes clear to everyone how company data and information is to be handled and stored.

Inform and train

CompTIA’s study also revealed that only 54 percent of companies offer some form of cybersecurity training! Avoid becoming part of that statistic: use your BDR advisor to educate yourself and your employees about smart security procedures. Have a conversation with them about the daily threats that human error poses, or provide tips on security best practices. This also opens the opportunity to reinforce the benefits of your BDR solution, the ultimate backup plan. Employees at all levels of your company will walk away with a better appreciation for how a business continuity solution can protect your bottom line if and when human error occurs.

In the end, eliminating human error is nearly impossible, but having a BDR solution will help ensure the preservation of sensitive company data in the event someone makes a business-crippling mistake. Remember, users likely won’t know if they’re endangering corporate proprietary information because they’re probably not familiar with the various data threats to watch out for. Set your company up for success by regularly having an open dialogue with your backup and disaster recovery provider.
