You know the old phrase, “A chain is no stronger than its weakest link?”
It’s a pretty good idiom, but when it comes to cybersecurity, I think the idea is worth revisiting. It’s not just that you’re only as strong as your weakest link, or, in cybersecurity terms, only as secure as your most vulnerable endpoint…
You are less secure the more users you have.
If you’ve been using email for a while, you’ve definitely experienced spam. You’re probably pretty conditioned to ignore it by now, as are most of your employees. Spam is a fact of life, and generally, I think the average person is pretty aware that it exists.
But here’s the thing: not all spam is obvious. Here’s the other thing: not every user is completely immune to it. Dave from sales might finally shrug his shoulders, think “What’s the risk?” and try to sign up for that $10,000 Costco gift card.
The point is, each one of your employees (again, including yourself) is occasionally confronted with a scam or an attack. Cybercriminals treat this attack vector as a numbers game: they know that eventually one message will slip past the defenses.
Catch someone on a bad day, or send them a scam they happen to be receptive to, and you’ll have a means to do far worse. Phishing attacks frequently lead to much larger problems like data breaches and ransomware, which can put a business out of commission for a time and cost thousands of dollars or more.
The best scams look legitimate, and phishing attacks are no different. We can all joke about the bogus Nigerian prince scams (which, by the way, were still raking in nearly a million dollars a year for scammers as recently as 2019), but most phishing attacks are much more subtle.
In fact, the most effective phishing attacks look like legitimate emails coming from big entities like Microsoft, Google, Facebook, Best Buy, and popular banks. They look just like the typical emails these businesses might send you if you needed to reset your password, or were experiencing some sort of technical issue. They’ll warn the recipient that there is an issue with the account, or mention that there was a large transaction that you didn’t expect, and encourage the recipient to log in and rectify the problem.
The trick is that they don’t send you to the legitimate login page. The link leads to a fake website that looks exactly like the real thing, and when you enter your credentials there, you are handing them straight to the attackers. The visible link text, or the first part of the address, may even show the real company’s domain while the actual destination is a site the attacker controls.
Some of these tricks are so elaborate that the user doesn’t realize they were scammed even after falling for it. Your user moves on with their day, while someone else now has access to sensitive company information.
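One concrete check for the trick described above is to compare where a link in an email actually goes with what the message claims. The script below is an added example, not code from the original post or from Washington Works; the sample message is constructed, and the allow-list of brand domains is a hypothetical policy you would replace with your own. It flags links whose destination is not a domain belonging to the brand the message claims to come from, links that point at a bare IP address, and links whose visible text shows one domain while the href goes to another.

```python
"""Flag links in an HTML email whose real destination doesn't match the brand
the message claims to be from.  Added example; sample data is constructed."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list (an assumption for this example): domains a brand
# genuinely uses for account mail. Replace with your own policy.
BRAND_DOMAINS = {
    "microsoft.com": {"microsoft.com", "microsoftonline.com", "live.com"},
    "google.com": {"google.com"},
}

# Something that looks like a URL or hostname in the visible link text.
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def registrable(host):
    """Naive eTLD+1: the last two labels. Fine for this demo; a real deployment
    would use the public suffix list so that e.g. bank.co.uk works."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def check_links(claimed_from, html):
    """Return [(href, reason)] for every link that contradicts the From: address."""
    claimed = registrable(claimed_from.rsplit("@", 1)[-1])
    allowed = BRAND_DOMAINS.get(claimed, {claimed})
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        if url.scheme not in ("http", "https") or not url.hostname:
            continue  # mailto:, tel:, anchors etc. are out of scope here
        host = url.hostname
        try:
            ipaddress.ip_address(host)
            findings.append((href, "link points at a bare IP address"))
            continue
        except ValueError:
            pass
        if registrable(host) not in allowed:
            findings.append((href, f"destination {host} is not a {claimed} domain"))
        shown = DOMAIN_RE.search(text)
        if shown and registrable(shown.group(1)) != registrable(host):
            findings.append((href, f"visible text shows {shown.group(1)} but link goes to {host}"))
    return findings


# Constructed sample: a fake "unusual sign-in" notice. The first link hides the
# attacker's domain behind a microsoftonline.com-looking prefix; the second
# shows the real URL as text but sends the click to an IP address.
SAMPLE_HTML = """
<p>We detected an unusual sign-in to your account.</p>
<p>Please <a href="https://login.microsoftonline.com.account-verify.example/reset">
review your account</a> within 24 hours.</p>
<p>Or visit <a href="http://198.51.100.23/ms/login">https://login.microsoftonline.com/</a></p>
<p><a href="https://www.microsoft.com/privacy">Privacy statement</a></p>
"""

if __name__ == "__main__":
    for href, why in check_links("account-security@microsoft.com", SAMPLE_HTML):
        print(f"SUSPICIOUS {href}\n  {why}")
```

Run against the constructed sample, the first two links are reported and the genuine privacy link is not. The same idea is what mail gateways and browser hover-previews implement; the value of doing it yourself is seeing exactly which of the three mismatches a given message relies on.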
If someone gains access to your bank account, the issues are pretty obvious, but most people don’t think about the ramifications of accidentally granting access to, say, a Google or Microsoft account.
I’d argue that it’s much worse. If a hacker found their way into my bank account, I’d know exactly what I lost. On top of that, most of the time there are protections in place, so as long as I report it to my bank quickly enough they should be able to reverse any transactions that took place. It’s still annoying, and it could still result in money being unrecoverable, but again, you know exactly what you are in for.
If someone were to gain access to your Google account, that can govern a whole lot more stuff. If you use the Gmail account that comes with it, they have access to virtually any website you have tied to that email. If you manage your business analytics or search console or Google My Business account through this account, they have access to all of that. They can claim your business listing on Google and steal it, or make it look like your business is closed to most people who look you up. Any other accounts that you log into with your Google account are up for grabs too.
This type of chaos is so hard to come back from, and it’s even possible that years can go by before you get everything back to normal. It’s costly to fix, it can damage your reputation, and it can turn your business into a spam factory, pumping out scams to your contact list. In other words, it’s a nightmare.
If your business isn’t thoroughly defended against modern ransomware, there is no reliable way to “cure” an attack after the fact. Even the most modern cybersecurity solutions sometimes fall flat on their face against ransomware, so the best bet is to be proactive: keep a thorough, tested backup that the ransomware can’t reach and encrypt along with everything else, and take every precaution not to fall for it in the first place.
As a refresher, ransomware is malware that quickly takes over a PC, and often spreads to every PC and server on the network. It encrypts your files, making them impossible to open or use. The remedy the criminals offer is paying the ransom displayed on your screen, which could be a few hundred dollars or many thousands; without a clean backup to restore from, that is often the only option left.
While you are struggling to deal with that, they are stealing your data. They might decide to resell it, or hold it hostage, and demand even more compensation to keep them from making it publicly available. Cybercriminals know the value of customer data, and know how harmful this can be to an organization’s reputation. They know it can break compliance laws and get your business in a lot of hot water if you have industry-level or local compliance regulations to meet.
We don’t advise paying off the cybercriminals either. Not only does it perpetuate the problem, but paying doesn’t guarantee you get working decryption, and companies that pay are frequently hit again shortly after. You already paid them once, so why wouldn’t they try to extort more money from you again?
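“Tested backup” means more than a job that reports success: the proof is a restore to a different location that matches what you expected to have saved, which also catches a backup that quietly captured files after they were already encrypted. The script below is an added example, not code from the original post or from Washington Works; the directory tree, file contents and paths are constructed for the demonstration. It archives a directory with a SHA-256 manifest, restores the archive into a scratch directory and re-hashes every file, then simulates a file being scrambled before a later backup runs.

```python
"""Back up a directory to tar.gz with a SHA-256 manifest, then prove the backup
restores by extracting it elsewhere and re-hashing every file.
Added example; all sample data is constructed."""
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, archive_path):
    """Archive src_dir and return {relative path: sha256} taken at backup time.
    The manifest is also written next to the archive so a later restore test
    has something independent of the archive to compare against."""
    src_dir = Path(src_dir)
    manifest = {}
    with tarfile.open(str(archive_path), "w:gz") as tar:
        for p in sorted(src_dir.rglob("*")):
            if p.is_file():
                rel = p.relative_to(src_dir).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(str(p), arcname=rel)
    with open(str(archive_path) + ".manifest.json", "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify_backup(archive_path, manifest):
    """Restore the archive into a scratch directory and compare every file's
    hash with the known-good manifest. Empty list means the backup restores."""
    problems = []
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(str(archive_path), "r:gz") as tar:
            # Refuse path-traversal members on Pythons that support extraction
            # filters; older versions fall back to plain extractall().
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(restore_dir, **kwargs)
        for rel, expected in manifest.items():
            restored = Path(restore_dir, rel)
            if not restored.is_file():
                problems.append(f"missing: {rel}")
            elif sha256_file(restored) != expected:
                problems.append(f"hash mismatch: {rel}")
    return problems


def demo():
    """Build a constructed file share, back it up and verify it, then simulate
    ransomware scrambling a file before a later backup job runs and show that
    the later archive fails verification against the known-good manifest."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "share")
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "q1.txt").write_text("Q1 invoices (constructed sample)\n")
        (src / "notes.txt").write_text("constructed sample data\n")

        archive = Path(work, "share.tar.gz")
        manifest = make_backup(src, archive)
        clean = verify_backup(archive, manifest)

        # Ransomware overwrites a file; the backup job that runs afterwards
        # faithfully captures the garbage. Checking the later archive against
        # the earlier manifest exposes it.
        (src / "docs" / "q1.txt").write_bytes(os.urandom(32))
        later = Path(work, "share-later.tar.gz")
        make_backup(src, later)
        tampered = verify_backup(later, manifest)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("known-good backup:", clean or "OK")
    print("backup taken after encryption:", tampered or "OK")
```

The two things worth copying into a real backup routine are restoring to somewhere other than the original location and keeping the manifest (or any independent record of what the data should look like) off the systems the ransomware could reach, so that a backup which captured already-encrypted files is caught before you need it.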
Educating your staff on how to spot these threats, and to ignore or report them, will go a long way. The more employees you have, the more chances there are for something to get through, so training needs to be fully comprehensive.
That includes higher-ups and management, and any other end user who has email or works on a computer. Some individuals might be reluctant or scoff at the training, but it is critical that everyone has the same basic knowledge when it comes to preventing cyberthreats.
On top of that, many business insurance providers are getting more demanding about preventative cybersecurity measures, and want to see your business making an effort to be secure before they provide coverage. In many cases, regular staff training is a requirement.
Fortunately, we can help. Give Washington Works a call at 301-571-5040 to talk to our cybersecurity experts and we can help audit your network, establish a baseline that will prevent issues, and provide training.