By Alexander Kaufman | CISSP, CISA, GSTRT, GSNA
Because of the pandemic, 2020 saw the majority of social, educational and business interactions take place online. Apps like Zoom became a vital necessity overnight. With that came another trend: viral videos of people breaking into these meetings and playing pranks.
These videos can be terrifying for business owners. They show how easy it is for someone to break into a seemingly secure network. What if the next thing someone gains access to is the business's most valuable data?
If you have pondered these things, chances are you've come across terms like Cyber Security and Information Security. Words like these get thrown around so often, and create such a buzz, that their true meaning can get lost.
Let’s try to understand cybersecurity and information security better.
What are information security and cyber security?
Information security is a term that refers to the act or process of making certain information unattainable by individuals or groups you don't want to access that information. This applies to both physical (paper) and digital (databases) information.
Cyber security is the more modern version of information security. It applies only to digital data or information.
The first thing that pops to mind is probably passwords! They are a very neat and slick way of securing things, right? Well, not all data is protected with a password. For example, our geolocation, buying habits, latest actions and preferences are all on the Internet and not protected by passwords.
Cyber security is a deep and complex field. To understand how cybersecurity functions further, we need to first understand what cybersecurity tries to prevent from happening.
What exactly are phishing, fraud and social engineering, and how can they affect your business?
If you are managing a small or medium business, most of the time you will have to deal with relatively small volumes of data. Your most confidential and most important data might be gathered in an Excel spreadsheet. For larger businesses it is different: pretty much everyone is connected to the cloud.
You surely want to make those files very secure, and pretty much impossible to hack, yet that might not be the best choice. Why is making your data completely inaccessible useless and wrong? Because eventually you will need to access it yourself or share it with a customer, partner, investor, and so on.
Therefore, the storage of this data should be configured in a way that allows multiple networks to be built around it and to have access to it. The trick is to make sure that only the networks you want are granted access. And here we see the first big issue that arises.
Your data security is only as efficient and as secure as the workers using it. If even one of the networks that access your data is compromised, then the entire thing is essentially useless. The most common way people get access to this data is through something called 'social engineering'.
Social engineering is, to put it simply, pretending to be someone you are not. Most of the time people will hack your network or your files by using your employees against you. All a hacker needs to access your network is for one of your employees to let them in, and this is easily achieved by tricking people into doing so.
For example, all it might take is a quick Google search of someone's name; most of the time that leads to their social media, where we all post about our lives, the things we love and the people we admire. Using this information to trick you is the next step.
Phishing is when someone sends you emails using a fake identity, with the intent to gain access to your device. Usually this is done in the form of fake emails where the sender pretends to be a higher-up writing to someone lower on the company ladder.
Or it could be something like this: the CFO of a company receives an email that seems to come from the CEO. The CEO is requesting that a sizeable payment be sent to a certain bank account, as an especially important deal is on the line. The CFO goes ahead and sends the payment. That is it. Phishing is used against small and large businesses alike. The example with the CEO and CFO is a great example of fraud conducted over the web!
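The CEO-to-CFO scenario above leaves traces a mail administrator can check for before a payment goes out. The following Python script is an added example, not code from the article or its author: it takes a few constructed messages and flags three signs of executive impersonation, namely an executive's name in the display name while the address sits outside the company's own domain, a Reply-To that diverts answers to a different domain, and urgency combined with payment wording. The company domain, the executive list and the sample messages are all assumed values chosen for the illustration.

```python
import re
from email.utils import parseaddr

# Constructed values for the example: the business's own mail domain and the
# executives whose names a fraudster is likely to borrow (assumed, not from the article).
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "CEO", "john roe": "CFO"}

# Wording typical of payment fraud: time pressure plus a request to move money.
URGENCY_WORDS = {"urgent", "urgently", "immediately", "today", "asap"}
PAYMENT_WORDS = {"payment", "wire", "transfer", "invoice", "bank"}


def _normalize(name: str) -> str:
    """Lower-case a display name and collapse punctuation so 'Jane.Doe' and 'Jane  Doe' compare equal."""
    return " ".join(re.sub(r"[^a-z]+", " ", name.lower()).split())


def _domain(address: str) -> str:
    """Return the lower-cased domain of an address, or '' if it has none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def check_message(msg: dict) -> list:
    """Return a list of warnings for one message given as a dict of headers plus 'Body'."""
    warnings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # Check 1: an executive's name in the display name, but the address is outside our domain.
    name = _normalize(display_name)
    if name in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        warnings.append(f"display name '{display_name}' matches our {EXECUTIVES[name]} "
                        f"but the address is on '{from_domain}'")

    # Check 2: replies are diverted to a domain other than the one the mail claims to come from.
    reply_to = msg.get("Reply-To")
    if reply_to:
        reply_domain = _domain(parseaddr(reply_to)[1])
        if reply_domain and reply_domain != from_domain:
            warnings.append(f"Reply-To goes to '{reply_domain}', not '{from_domain}'")

    # Check 3: urgency plus payment language in the subject or body.
    text = (msg.get("Subject", "") + " " + msg.get("Body", "")).lower()
    words = set(re.findall(r"[a-z]+", text))
    if words & URGENCY_WORDS and words & PAYMENT_WORDS:
        warnings.append("urgent payment request wording")

    return warnings


def triage(messages: list) -> dict:
    """Map each message id to its warning count so suspicious mail can be held for a second look."""
    return {m["Message-ID"]: len(check_message(m)) for m in messages}


# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = [
    {"Message-ID": "msg-1", "From": "Jane Doe <jane.doe@example.com>",
     "Subject": "Q3 numbers", "Body": "Please send me the Q3 figures when ready."},
    {"Message-ID": "msg-2", "From": "Jane Doe <jane.doe.ceo@mail-example.net>",
     "Reply-To": "janedoe.private@freemail.example.org",
     "Subject": "Confidential deal",
     "Body": "I need an urgent payment wired to a new account today. A call is not possible, handle it."},
    {"Message-ID": "msg-3", "From": "Accounts <billing@supplier.example.org>",
     "Subject": "Invoice 1234", "Body": "Please find the invoice attached. Payable in 30 days."},
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["Message-ID"], check_message(m) or ["clean"])
```

Run as a script it prints one line per message; msg-2 trips all three checks while the genuine CEO mail and the supplier invoice pass clean. None of these checks replaces the simplest control the article describes: a phone call to the executive before any unexpected payment is made.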
Ransom is the act of demanding a specific payment from a business or individual after the criminal has gained access to the files that are important to the business (or individual).
During the pandemic, we have seen a sharp rise in cases of ransom, fraud and general failures of cyber security and information security. Since people needed some time to adapt to the new changes, a lot of bad-faith individuals were able to capitalize on this.
When it comes to cybersecurity, it is vitally important that you understand one major thing: the greatest risk is the insider risk. Whether it is malicious or unintended, most of the time, the hack will come from within.
How can a small or medium business increase its cyber security?
As we mentioned, there is a huge difference between small and large businesses. While a corporation might be able to spend a portion of its budget on expensive, professional cyber security services, a small business needs to fix cyber security on a budget.
Here are four things small business leaders can implement immediately, and on a budget.
- Be ready: It sounds cliché, but being prepared and ready is tremendously important. Having plans in place for how to act if such an attack happens can save a lot of trouble. Know that every cyberattack goes through different phases. If you can stop the attacker in their tracks, you won't have to deal with the aftermath of an attack.
- Education as prevention against phishing or social engineering: Make sure that your employees know about the risks of hacking, social engineering and the like. Ideally, hold seminars where an expert shows you and your employees how to recognize phishing, how to prevent social engineering, and so on. If hiring an expert sounds out of budget, a willing and tech-savvy individual within the company could pull off a decent presentation; try working with them.
- Limit the use of the internet: Many schools have adopted a system where their internet can't reach anything other than the websites necessary for teaching. Implement something similar in your work environment. Work computers and devices should be used only for work-related activities; personal computers should be used for everything else.
- Change passwords: Having passwords is always good, but you can go one step further. To make things as secure as possible, you can try routine password changes. This doesn't cost anything and can go a long way in preventing cyberattacks.
Hearing of cyberattacks and taking measures can seem rather daunting. However, 90% of phishing emails can be prevented simply by educating employees. The task of cyber security can seem hard, but at the end of the day, just like anything else, it comes down to how you approach it.
If you would like to know more about cyber security, information security, cyber attacks and how to prevent them, drop us a line.