By Carl Mazzanti, eMazzanti Technologies President

The FBI’s Internet Crime Complaint Center logged 791,790 reports of suspected internet crime in 2020, the agency announced in 2021, with reported losses exceeding $4.2 billion. New Jersey ranked No. 9 in number of victims, so business owners are increasingly realizing that it is not a matter of if they will be attacked, but when. The key is to make your systems hard enough to penetrate that attackers skip your firm and move on to an easier target.
Unfortunately, securing systems is not simple. It can be done, and it does not have to break the budget, but to be effective a security approach must be thorough and comprehensive. We call it a defense-in-depth strategy: protections are layered like a cake, so that the control guarding one device is backed by separate controls on the devices and network segments above and below it, and no single failure exposes everything. That matters because there are so many entry points for cybercriminals, including email (a favorite target), accounting systems, and APIs (application programming interfaces), the plumbing ecommerce is built on, which let your products and services talk to other products and services without building each connection from scratch. With that many entry points and constantly evolving threats, business owners simply do not know what is coming next.
The threats are especially acute in today’s interconnected environment, with long and complex supply chains that interact through multiple APIs. In one case, a managed security service provider’s systems were compromised and the malware quickly spread to its clients, infecting and locking out more than 2,000 users in a single day.
To get some level of protection, businesses need a good security plan. An effective one is custom developed around the needs and vulnerabilities of each specific business, but some basics are common to all. One starting point is MFA, or multifactor authentication. This adds a second, independent check to the sign-in process before email and other accounts or apps can be accessed: in addition to the password, the user must prove possession of something else, such as a fingerprint, a one-time code generated by an authenticator app or sent to a phone, or a hardware security key. Codes delivered by SMS can be intercepted or phished, so app-generated codes or a hardware key are the stronger choice where the service supports them.
Strong passwords are another basic. Individual hackers and state actors alike have tools that crack simple, and sometimes not-so-simple, passwords, yet many business owners still use sequences like 1234 or names, such as their mother’s maiden name, that are guessed almost immediately. Machine-generated passwords, which a password manager can make dozens of characters long, are excellent, but people have trouble remembering them and often change them the first time they are used, or they write the long password on a Post-it note left on a desk or in another accessible area. Recently, when I was on a videoconference with a CEO, I could not help but notice that he had a password written on a board that was clearly displayed on the call. So for the passwords people must type daily, one option is a passphrase of several easily remembered words chosen at random, so that the string would never occur in normal use, like “surfboard string building.” The strength comes from the random choice and the number of words, not from the words themselves, so a well-known phrase or song lyric does not count.
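As an added example (not from the article), the following quantifies why a short PIN or a typical eight-character password loses to a random multi-word passphrase, and generates such a passphrase with the operating system’s cryptographic random source rather than a predictable one. The twelve-word DEMO_WORDS list is constructed for the demo; the 7,776-word list size and the 1e10 guesses-per-second cracking rate in the sample calls are assumptions used for comparison, not figures from the article.

```python
# Added example: password/passphrase strength arithmetic and a CSPRNG-based
# passphrase generator. Not code from the original article.
import math
import secrets

# Constructed, deliberately tiny word list so the demo runs stand-alone. Real
# passphrase lists (for example the EFF long list) have 7,776 words; the list
# size, not the words, is what sets the entropy, so pass that size to
# entropy_bits() when estimating strength.
DEMO_WORDS = ["surfboard", "string", "building", "lantern", "copper", "meadow",
              "violin", "harbor", "pixel", "cactus", "thunder", "walnut"]


def entropy_bits(symbols: int, alphabet_size: int) -> float:
    """Entropy of `symbols` symbols each chosen uniformly at random from
    `alphabet_size` possibilities: symbols * log2(alphabet_size). A symbol is a
    character for a password or a whole word for a passphrase."""
    return symbols * math.log2(alphabet_size)


def generate_passphrase(words: int = 4, wordlist=DEMO_WORDS, sep: str = " ") -> str:
    """Pick words with secrets.choice (cryptographic RNG). random.choice is
    seeded predictably and must not be used for credentials."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def guess_time_years(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected years to search half the keyspace at the given rate. 1e10/s is
    an assumed offline rate against a fast hash on GPU hardware."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for label, bits in [
        ("4-digit PIN", entropy_bits(4, 10)),
        ("8 chars, printable ASCII", entropy_bits(8, 95)),
        ("3 random words, 7,776-word list", entropy_bits(3, 7776)),
        ("5 random words, 7,776-word list", entropy_bits(5, 7776)),
    ]:
        print(f"{label:35s} {bits:6.1f} bits  ~{guess_time_years(bits):.2e} years")
    print("example passphrase:", generate_passphrase(4))
```

Three random words from a 7,776-word list already sit at roughly 39 bits, below a random eight-character password, while five words reach about 65 bits; the table the script prints makes the trade-off between word count and typing effort concrete.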
Other cyber-defenses include firewalls, network security systems that monitor and control incoming and outgoing traffic based on preset rules; email security; behavior-centric threat detection and response on endpoints such as laptops, smartphones, servers and other devices that connect to the network; and DNS (Domain Name System) security, which can prevent users from visiting dangerous sites and can keep malware from reaching the server its operator uses to control it. This layered approach is designed to keep users and data secure even if one or more individual systems are compromised.
In addition to reducing the chance of suffering a time- and money-draining attack, business owners have other incentives to improve their cybersecurity. Insurers, for example, have tightened their underwriting standards and increasingly require businesses to attest (and often prove) that they meet a variety of cybersecurity standards. Companies that fail to meet them may find they cannot renew existing policies or obtain new ones.
Government agencies that contract with firms are likewise pushing cybersecurity requirements down the supply chain, to the point where a small company that makes a minor component may no longer qualify for a contract if it cannot prove its systems are adequately protected. This trend is likely to accelerate and expand as “smart” medical and other devices proliferate.
Even businesses in industries with no sector-specific regulation, like beauty salons and lawncare companies, and just about any business that carries liability insurance and processes credit card transactions, can benefit from a sound security framework. Even if they never sell to the Department of Defense, a cybersecurity framework already in place improves their chances of obtaining and renewing liability policies and, if they are ever hacked, gives them a better defense.
And remember that hackers, like business owners, generally follow certain sustainable principles: they want to maximize their revenue stream over the longest period possible. Legitimate companies do this by providing quality goods or services at competitive prices that encourage client loyalty and retention. Cybercriminals, however, often do it by snaring a victim — usually by locking up their files — and then demanding a payment to release the data. And once they get the first payment, they are likely to stick with that “good customer,” and target them again.
Developing and implementing an effective cybersecurity plan is not just about hardware and software. It also involves attitude.