threats

The Modern Office and Security: What you need to know about protecting your business and its data

April 16, 2019 by securewebsite

One of the most critical components of the modern office environment for a healthy, scalable business infrastructure is security. It is the cornerstone of your IT for it protects the other components that your company needs to keep thriving and surviving in the modern marketplace. Today’s business security entails much more than just an anti-virus program and requires some pre-planning as well as a regular investment of time.

This blog covers the most important things every business should know about security. Additionally, it includes what business leaders should consider to best protect their organization, data, and clientele. As you will see, having the right security in place can make the difference between growing your business and shutting its doors permanently.

Secured Access

Every business should have secured access in place for both internal and external users on its network. As a modern company, both internal and external users will be accessing your data whether its email or highly-sensitive information not meant for prying eyes. This is important because data falling into the wrong hands can cost your business its reputation, revenue, and even its livelihood.

According to the 2018 Data Breach Investigations Report by Verizon, 73 percent of breaches were perpetrated by outsiders. This means your business data needs to be protected as much as possible and that external access to your network should be limited and monitored at all times. Hackers are always looking for a way to infiltrate networks. Phishing, ransomware, and malware were among the top means used by nefarious outsiders to access business networks in 2018. Of those breaches studied, 90 percent were motivated by monetary gain or strategic advantage (i.e. business espionage).

While you may believe that your business is too small for anyone to care about hacking its data, think again. A report by USA Today shows 61 percent of cyberattacks are aimed at small and medium-sized businesses. The same piece reported that a whopping 60 percent of small businesses close their doors for good within six months of an attack so it’s clear why security is so imperative to business survival in our modern society.

Though most breaches occur due to external sources, insiders can be just as dangerous to your business. Whether due to simple user error or something more insidious such as a disgruntled employee or cyber espionage, the aforementioned Verizon report concluded that 28 percent of breaches involved internal actors. Of those breaches, 12 percent involved privilege misuse. That’s why we always recommend implementing the practice of least privilege. This means allowing access to data only to those who require it to fulfil their job duties.

Email Security

Email is the bread and butter of communication for most modern offices. The use of email for both internal and external communications is a necessity for today’s businesses so securing it effectively is imperative. The issue is that it is also a major point of entry for many attacks.

A blog by CSO from IDG shows that 92 percent of malware is delivered by email. In addition, the blog stated that the average ransomware attack (which often occurs via email) costs a company $5 million. The same blog also stated that phishing attacks is one of the most common methods of email malware infection.

There is email and network scanning software available to help protect your business. At ORAM Corporate Advisors, we recommend Mimecast for email protection. It is a terrific solution to help organizations prevent email-borne ransomware as well as protect against the associated downtime and data loss such attacks can cause. ORAM recommends Mimecast because it “safeguards employee communication and reduces risk with targeted protection, data leak prevention, and enforced security controls.”

Mimecast, which I mentioned above for email and network scanning, is also an excellent solution for data loss prevention. Its data loss prevention solution scans all emails and file attachments and identifies potential leaks using flexible polices based on keywords, file hashes, pattern matching, and dictionaries.

Another piece of modern technology you’ll want to have in place is multi-factor authentication. Multi-factor authentication is a security system that requires more than one method of authentication to verify a user’s identity. This can range from requiring passwords that must periodically be changed by legitimate users to requiring a one-time PIN provided via smartphone for access. It adds an extra step for employees to access your network but it will help ensure your business’ data security.

In addition to software, we also recommend that employee training become a regular event. Every business should offer employee training during the onboarding process and at regular intervals throughout the year (every six months) to every employee. They should be trained not to click on email attachments or to follow links in emails from unknown or untrusted sources. Employees should also be taught to verify emails with links and attachments with a trusted source before opening them if something comes into their email that they weren’t expecting. While this training can take some time, it can prevent a costly breach later on.

Manage Your Network

While securing access to your network is important, managing your network is even more imperative to keep business operations running smoothly. Your network houses your most critical data while supporting the daily workflow and processes of your business. That means maximizing uptime, optimizing network capacity and utilization, and ensuring its protection.

There are a great deal of pieces that comprise your network and all of them need to be addressed on an ongoing, regular basis. Start with a network technology assessment and auditing. This will tell you where your network is in terms of optimization and data security. By assessing where your network is now and taking a full audit, you will be able to tell where your strengths and weaknesses are to tweak it to work at full capacity for your business needs.

In addition to regular assessments and audits of your network, you will need to plan ahead for storage, disaster recovery, business continuity, and more. Here are some of the things that go into managing a business network:

Email Continuity
IT Asset Tracking and Reporting
High Availability Services
Cloud Solutions
Network Design, Implementation, and Support
Data Assessment, Analysis and Recovery
Security and Monitoring Services
Workflow Assessment and Optimization

Up-To-Date Security

Your business should also have up-to-date technology security in place. You will want to ensure that your company has installed intrusion prevention software on all of its data networks to keep hackers from getting their hands on your information. You can check to ensure you have such software in place during the audit process.

The intrusion prevention system we use at ORAM is Cisco hardware that scans on a network level. It scans everything going into and out of your network to ensure that your network traffic is safe. This could catch someone maliciously trying to access your internal network, bad email attachments, and other threats.

In addition, you will want to put together policies for your employees that protect your business. Ensure you have a solid computer use and data loss prevention policy in place so employees know exactly when and for what purposes they can use their company devices. Make it clear what sites they should not visit and what the repercussions are for visiting non-work related sites on business devices.

You’ll also want to have a password policy in place so employees are not using the same passwords for multiple accounts or old passwords that could leave them at risk of being hacked. Passwords also need to be strong so encourage your employees to develop passwords that use letters (both lowercase and capital), numerals, and special characters. There is even software available to prompt your employees to change or update their passwords over time. You may even offer your employees a password manager so they can easily recall their passwords.

Many enterprise businesses are also moving to the cloud. Not only does this allow for greater flexibility for your employees, but it can offer greater data security. When you save both to your local network and the cloud, you have your data backed up. This is ideal in the event of a disaster and will get your business up and running again with less downtime or the worry that valuable information can’t be recovered.

Don’t Forget Your Physical Security

Remember that all data is not digital. Whether you have data files stored in locked filing cabinets or your HR employees are printing personally identifiable information (PII) during tax season, the physical security of your business is just as important as its digital security. You don’t want someone walking out with printed files or sifting through your garbage to steal information.

ORAM recommends that all businesses have a clean desk policy. This means requiring that all employees keep their desk clear of papers, notes, and other information that could lead to a breach or loss of information if it were to fall into the wrong hands. When they are not as their desk, employees should have a clean desk since everything should be put away, hopefully under lock and key.

Businesses should also limit physical access to certain areas such as file storage areas, server rooms, and other places where information is stored. If an employee doesn’t require that access to do their job on a regular basis, they shouldn’t have access. Such areas should be locked with limited persons possessing keys for access. We also recommend adding video cameras at data rich entry points to protect against a physical breach. This small addition will let administrators know who accessed the area(s) and when they did so which will help in an investigation.

Finally, you’ll want to ensure that all data is properly disposed of. Shred all hard copies before tossing paper information and consider hiring a disposal company that handles this type of waste. Don’t leave such waste out on the curb for anyone to take. Ensure the company will come in to gather paper for disposal. In addition, make sure that valuable paper data isn’t thrown into the recycle bin but is shredded before being thrown out. When it comes to cyber espionage, dumpster diving isn’t unheard of.

Have a Plan

Every business should also have a written information security plan (WISP) in place. It should include everything from regular IT audits to employee training. There are many mistakes that businesses make when it comes to backup that are completely preventable. Your WISP will outline effective administrative, technical, and physical safeguards specific to your organization to help prevent such mistakes. It will also define security measures for your business, protect against anticipated security threats, and unauthorized access. The WISP for your business will put safeguards into place to protect your data. It will also help you and your employees know exactly what to do and who to contact if disaster strikes.

If you need help with securing your modern office or want more information about building stronger security for your business, contact ORAM today at (617) 933-5060. Our experts are always here to assist you in bettering your business and data security.

Technology Assessments: What they are and why every business needs them

December 11, 2018 by securewebsite

Information technology, or IT as it is known in most modern business settings, can be a challenge for small to medium business owners. Whether your business may have its own IT expert in-house or be too small to employ its own, your organization uses IT every day. Government regulations change regularly and growth means IT needs to adapt, too. Additionally, the world of technology is always experiencing new development.

That’s where technology assessments come in. Every business should undertake an annual technology assessment to ensure its IT needs are being met. Here’s a look at what technology assessments are, the purpose behind them, and what types of things they evaluate.

Technology Assessments
Every organization uses technology. Whether your business is using the internet for ecommerce, your non-profit is building a new business website, or your company is sending and receiving emails, you and your employees utilize IT. As your business grows, the complexity of your IT does as well. This can be a challenge for small to medium businesses, however, as they often don’t have the budget to hire a full-time employee to handle such matters. Even if you do have IT staff on hand, they may be so busy that a third-party such as ORAM may be the key to getting your annual IT assessment done quickly and efficiently.

This is where an independent technology assessment comes in. Such assessments evaluate multiple aspects of your existing IT to determine if what you have is effective enough to cover your growing organizational needs and, if not, what changes need to be implemented. Just as you should see your doctor every year for a full physical, your company also requires an annual IT checkup.

The Purpose of IT Assessments
The costs of IT are rising every year, the complexity of IT planning is becoming increasingly difficult, and regulatory compliance is beginning to overwhelm organizational leaders. An annual technology assessment can tell you what your company currently has in terms of IT to overcome these obstacles versus what it really needs to achieve your technology and business goals.

An IT assessment should cover several aspects of your business technology including:

• Strategically evaluating whether your IT infrastructure is ready to grow with your business.
• Identifying areas of opportunity to improve your business processes and reduce your IT costs.
• Pinpointing any “red flag” areas that require deeper analysis and adjustments.
• Prioritizing your IT investments to reflect your business strategy.

What They Do
Information technology assessments examine your existing IT infrastructure and business goals such as growth. Through this audit of your business’s current systems and processes, it can be determined if they are effective at meeting your organizational goals.

For example, if you operate a law firm that wishes to grow by 10 percent each year for the next five years, your IT must be able to adapt to the changing needs of your law firm. In addition, you are bound by several governmental regulations such as the protection of your client’s personally identifiable information (PII). This means you must have achieved a certain level of security to meet those requirements with your IT.

An annual assessment can determine if the IT your business has in place is capable of handling these requirements and, if not, what adjustments need to occur. A strong technology assessment will answer the following questions:

• How is the health of technology in my organization?
• Is my business using technology to its fullest extent?
• Can my existing technology accommodate growth?
• Is my company exposed to risk that can be avoided with proper planning?

What They Cover
Just like a physical, an IT assessment comes with a checklist of things that are covered to ensure the best IT health and the lowest risk to your organization. Areas that should be covered in your IT assessment include the following:

• Physical assets: Servers, desktops, laptops, telephones, networks (internal and external), Peripherals (scanners, printers, copiers, etc.), and data management and tracking (such as storage and disposal)
• Applications: Desktop programs, email management, accounting and other business-critical applications, document management, security programs, and your organizational web site
• Policies, Procedures, and Processes: Business continuity plans, disaster recovery, change management, security management, on-boarding and off-boarding of employees, ongoing IT training, and help desk
• Partner & Vendor Management: Collaborations, sales, purchasing, software licensing, voice and data circuit providers, third-party service providers
• Industry or Business Specific Details: Government-issued regulations, industry requirements, and unique company needs

This list of items is reviewed by conducting interviews with key people in your business and through checks of your business infrastructure. During the interviews, you or your IT staff will be asked to answer specific questions about the technology in place that supports your organization. You will also be questioned about your business and its goals.

When ORAM conducts a full technology assessment, we have a list of 300 questions that thoroughly examine everything from your existing IT policies and procedures to your key IT assets and their settings. We also look at the infrastructure of your organization to determine what you have, how well it works, and what you need. All of this is wrapped up into a results report specific to your company.

Results-Oriented IT
All of the data gathered during the assessment is put into a final report that will allow business leadership to make informed decisions about the IT of your company. In addition to the current status of your IT health, recommendations will also be made to keep your business operating smoothly, protected against threats, and compliant with industry and/or government regulations. Business leadership should review the results to determine what steps to take in order to keep moving forward with safe, effective, and efficient IT that meets business goals within their budget.

The final report is also a terrific means for documenting your IT and planning business continuity in the event of a disaster such as a breach. While this is a wonderful report that can do much to support your business health and goals, it does need to be updated annually to address the changes in technology and your company.

Why Every Business Needs IT Assessments
Since every organization uses IT, every business needs an annual technology assessment. The final report is not only a document that keeps businesses on the cutting-edge of technology and security, but also provides assurance that government regulations are being achieved. Finally, it gives leaders a look at the IT health of their company and acts as a roadmap to guide them through the necessary changes to their existing technology that will allow them to achieve their desired outcomes in the future.

If you are interested in a short, free technology assessment by ORAM, a full technology assessment, or simply have questions regarding your organization’s IT, please contact ORAM at (617) 933-5060 or visit us online today.

October is National Cyber Security Awareness Month

October 9, 2018 by securewebsite

A look at cyber awareness and tips for protecting yourself online

Whether you are turning on the television, checking the daily newsfeed online, or reading a magazine, you’re sure to hear about the breach of a major business such as Yahoo, a data leak by the government, or hackers attacking a local school. Over the last two decades, cybersecurity has been legislated to protect consumers, businesses, and the government alike. There’s a need for greater awareness of cyber security and how people can best protect themselves and their businesses. That is the purpose behind National Cyber Security Awareness Month (NCSAM) which has been celebrated every October for the last 15 years.

The History of NCSAM
Developed as a collaborative effort between industry and the U.S. government, the purpose of NCSAM is to ensure every American has the necessary resources to stay safer and more secure online as well as advance awareness of the threats we all face when we log on. Launched in 2003, NCSAM was conceived by the U.S. Department of Homeland Security and the National Cyber Security Alliance.

According to the National Cyber Security Alliance, the goal was to reach as many people and businesses as possible to educate them about cybersecurity. The target audience consists of consumers, small and medium-sized business, corporations, educational institutions and young people across the country.

STOP. THINK. CONNECT.
This year marks the 8^th anniversary of the STOP. THINK. CONNECT.™ campaign used during NCSAM which offers tips and advice for everyone from the daily internet user to business owners.

The message to consumers of every age is clear. We are all warned to stop and think before connecting which means doing things to protect ourselves before we get online. We are warned to “Keep a Clean Machine,” “Protect Your Personal Information,” and “Connect with Care.” But what does all of this really mean?

Keep a Clean Machine
All of your internet-connected devices should be kept free of malware and other infections such as viruses as they can interrupt your connectivity at home and at work as well as spread to others. A dirty machine can also threaten your safety and the safety of others online. This is especially true when it comes to malware that connects your devices to botnets, which are networks of computers controlled by cybercriminals that can steal your information and make money from it.

There are several things you can do to keep a clean machine including:

Use the Latest Software– Ensure you have the newest security software, web browser and operating systems to offer the best defense against known viruses, malware, and other threats.
Automate Updates– Most software programs automatically update to defend against threats. Keep auto updates turned on and turn your computer off each night so updates will occur when you reboot.
Protect Every Device– In addition to computers, be sure to turn on auto updates for all devices including smartphones, laptops, and tablets.
Plug & Scan– External devices such as USBs can harbor viruses and malware. Use security to scan them before using.
Get Rid of Garbage– Delete links, emails, tweets, posts, etc. that look suspicious. These are ways cybercriminals compromise your computer. If it’s not from a trusted source, trash it. Don’t open it.
Hot Spot Smarts– Limit the business you conduct when away from your home or office. Be sure to adjust the security settings on your device to limit who can access it.
Act Fast– If you think your machine is infected, get help fast to remove viruses and malware before they can spread or cause more damage.

Protect Your Personal Information
Each one of us has the responsibility of protecting our personally identifiable information (PII) online. If your personal information ends up in the wrong hands, there could be serious consequences from a breach in your social media or theft from your business to your identity being stolen and your bank account being wiped out.

While you may have worked hard to protect that information, all of us must still assume our personal information has been leaked because hacks happen all of the time. Here are some tips for protecting your PII online from the New York Times:

Use Different Passwords– Across multiple sites from Facebook to your bank account, NEVER use the same password in more than one place. Doing this allows a hacker that gets your password in one place to use it in another. Password managers such as 1Password or LastPass can help you keep track of them all.
Never Your Social- Never use your social security number as a username or password. This is especially true in the face of the recent Equifax breach.
Be Suspicious- Treat everything online with an abundance of suspicion. Hackers send emails, notices, letters, etc. posing as people you know and businesses you solicit to gain information. Contact a business or individual requesting PII online by calling them directly before deleting the email as they may need it to press charges or stop the cybercriminal from targeting others.
Use Stronger Passwords- Sites such as LastPass can help you create unique passwords for each site you visit and save them for you in a protected database. If you create your own, be sure to use uppercase and lowercase letters, numerals, and special characters in each password.
Employ Extra Security- Passwords are not enough. If a site allows you to use secondary or two-factor authentication, enable those features. When you enter your password, you will receive a message with a one-time login code to allow you to finish logging in.

Connect with Care
Many web users are very quick to click whether it be on an email, a link, or an attachment. Slow down and take time to examine what it is you are about to click before you do so. Ensure you know who an email is from before opening it. If you don’t know the sender or aren’t expecting an email, delete it without opening it.

If you receive an email from a person or business you know and the email address looks familiar, feel free to open it. Once open, look at the email itself. Does it sound like it’s from the sender or does it seem odd? If the English is suddenly broken, the business logo is not right or is missing, or something else is off about the email, do not click on any links or attachments. Contact the person or business directly to see if they have sent you something via email.

Use care when connecting to public Wi-Fi. This is especially true if you are conducting business such as banking or shopping online. Use only trusted secure connections when using portable devices outside of the home or office.

Be Web Wise
Personal information about anyone is now easy to find online. This is especially true with the advent and use of social media. That means we all have to be wise when it comes to using the web. The first thing you should know is how your information gets online. Here are some ways you may inadvertently be sharing your personal information:

Posting on social media
“Checking in” through social location sites such as Foursquare
Commenting on blogs or shopping sites
Creating online wish lists online at sites like Amazon or Pinterest
Sharing videos or photos online
Using online games
Giving location data when uploading photos online

If you are on social media, check to see if you can change your privacy settings to limit what others can see about you or who has access to your information. Be sure to read the privacy policy of any company before sharing your information with them to ensure they don’t sell it to third parties. You’ll also want to ensure that your data is backed up at home and at the office in the event of ransomware, other cyber attacks, or even a computer shutdown.

Be a Good Online Citizen
Being a good online citizen involves employing the Golden Rule of treating others online the way you would like to be treated and using common sense. Don’t visit unsecured sites and don’t forward emails from unknown sources to others.

Be aware of how the action of one person can damage an entire online community. For example, one employee surfing unsecured sites through your business network can open the door for malware, viruses, and cybercriminals. Have common expectations in your home and office about what is an acceptable use of the network and what types of sites should be avoided.

Report cybercrime and breaches immediately. These should be reported not only to your internal technology personnel but to law enforcement as well. By reporting such issues, you are helping others avoid becoming victims, too, and stopping cybercriminals in their tracks.

Own Your Online Presence
This means safeguarding your own personal information and activity. For example, data should be treated like money. It should be protected. This means everything from your birthdate and personal address to the names of your children and pets which are often used as passwords. It can be easy for a hacker to get into your accounts with such personal information floating around on the web.

Be careful about who you share information with. For example, you may get “friend” requests from people you don’t know on social media. Simply delete the request. This is not being rude, it’s being prudent. Also, don’t send login information via email. Email can easily be hacked without the proper, updated security in place. If you get a request for information from a business online, call them to see if the request was really from them and provide any data they may need that way.

Lock Down Your Login
One of the main points of the STOP. THINK. CONNECT.™ campaign is to Lock Down Your Login. There are several ways you can ensure your login information stays secure. Here are six tips to get you there:

Protect accounts with strong authentication
Keep security software updated
Avoid phishing by thinking before clicking
Use unique passwords for every site
Protect your mobile devices
Employ trusted security tools

Our Responsibility
Staying safe online and protecting those we are connected with is everyone’s responsibility. Because the world has become so digital, we are more interconnected than ever before. From our desktops to our tablets, phones to laptops, we find ourselves working, playing, learning, and living online. That means all of us has a responsibility to try to stay as safe as possible by adhering to the advice of cyber experts.

National Cyber Security Awareness Month is a chance for us all to become more aware of the threats we face online and ways to protect ourselves and others. For more information, safety tips, and ways to get involved in NCSAM, visit the National Cyber Security Alliance online or contact Oram at (617) 933-5060.

Threats to business cybersecurity and a strategy for resiliency

October 4, 2018 by securewebsite

Imagine going into work, settling into your routine, and realizing you can’t access your email. You try refreshing your browser, logging out and then back in again, only to realize something malicious has happened. You start to panic. You can’t work, don’t understand how this could have happened, and wonder what the cost to your business will be.

Email is arguably the most vital tool used in modern business. It helps us communicate with our customers, collaborate internally, and keeps the information we need to move forward flowing like the blood in our veins. Without it, the livelihood of our business is at stake.

What has become the lifeblood of today’s businesses, Cybercriminals are using to become just as successful. According to the report The State of Email Security 2018 by Mimecast, email is the main way hackers initiate attacks to defraud businesses such as phishing scams, malware delivery (such as ransomware), and impersonation. As a matter of fact, the report shows a whopping 90 percent of global organizations studied in the 2018 report described consistency or rise in the number of phishing attacks experienced in the previous year.

BEC and EAC Threats
The 2017 Internet Crime Report issued by the United States Federal Bureau of Investigation’s Internet Crime Complain Center confirms email is a major target of bad actors. The report shows business email compromise (BEC) is a huge trend. This sophisticated scam targets organizations that frequently work with foreign suppliers and/or businesses and perform wire transfers on a regular basis. A variation of the threat, known as email account compromise (EAC) specifically targets individuals who regularly make wire transfers.

The FBI warns that though some businesses report using checks rather than wire transfers, cybercriminals will very casually employ the method that your business typically uses to steal your funds so as not to draw attention to themselves. They do this by compromising your “legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.”

Hacking and Spoofing
In 2013, the FBI’s report shows victims indicated the email accounts of Chief Executive Officers (CEOs) and Chief Financial Officers (CFO’s) were often spoofed or hacked.

When an email is hacked, criminals can intercept important messages and data. One example is Climategate. This occurred when email archives from the Climatic Research Unit at the University of East Anglia were copied by the thousands. The breach occurred just before the Copenhagen Summit on climate change. Skeptics used information from the stolen emails as grounds to argue that global warming was a scientific conspiracy.

Email spoofing, or impersonation, is the forgery of an email header so a message appears to have originated with someone other than the actual source. This is a common tactic used by cybercriminals in phishing campaigns and spam emails because employees with access to data and/or funds are likely to respond to emails from supervisors or clients. A bad actor may spoof the email header of a CEO and send an email to someone that often handles wire transfers within the company, demanding an immediate wire transfer to avoid an emergency situation. In addition, spoofing can also be used by bad actors to fraudulently invoice business customers for goods or services with the funds going directly to accounts they have set up in order to steal money from the pockets of your unsuspecting clients.

Attackers are becoming ever more clever in the way they deceive victims. With social engineering, cybercriminals are learning to target specific individuals in a company by impersonating them online. In the last year, nearly 40 percent of organizations have seen impersonations of “finance/accounts” personnel and 28 percent report C-suite executives as targets of impersonations. Another 25 percent of organizations reported impersonations of human resources staff. In total, 20 percent of respondents studied in the Mimecast report suffered a direct financial loss as the result of an impersonation attack.

Phishing by Numbers
Phishing is another form of email threat. Phishing occurs when someone sends an unsolicited email, text message, or telephone call that is purportedly from a legitimate company. Such phishing messages may request personal or financial information or even login credentials. An online article by TripWire reported that three-quarters of organizations experienced phishing attacks in 2017. This number held steady from the previous year.

A study by Dr. Zinaida Benenson, a professor at the University of Erlangen-Nuremberg who leads the “Human Factors in Security and Privacy” research group, demonstrated that 45 percent of people will click on a malicious link if it includes their name. In a second study where the recipient name was not used, 20 percent of people still clicked on the link. She suggested companies employ a “reporting” feature to flag suspicious emails or that utilize digital signatures to stop them before employees have a chance to get click happy.

Ransomware
Ransomware is a form of malware. It targets weaknesses by both security technology and human users. This malicious type of malware is typically delivered through vectors such as remote desktop protocols which allow computers to connect to one another across networks. Additionally, ransomware can also be sent through phishing emails that are sent to an end user resulting in the rapid encryption of sensitive data or files in a network.

Cybercriminals seize control of a business’s data in these ways and then hold it for ransom, often demanding large sums of money to restore access. Some cybercriminals even threaten to release proprietary information or data if a ransom is not paid within a given timeframe. Aside from that, the Mimecast report shows an average downtime three days after a ransomware attack which can cost your business even more money.

WannaCry, also known as WannaCrypt, was one of the major ransomware attacks in the history of IT. It affected several hundred thousand machines around the world bringing businesses from banks to law enforcement agencies as well as infrastructure companies to their knees.

Internal Threats
The Mimecast report also demonstrates that internal threats are also on the rise. Of the organizations studied, 88 percent reported internal threats caused by careless employees over the course of the last 12 months. To make matters worse, another 80 percent reported accounts had been compromised and 7- percent identified malicious insiders as a cause of internal issues during the same period.

Insiders have a distinct opportunity to wield emails. They can steal information and send it to outsiders or publish it for their own gain. This is where using the practice of least privilege can help protect your business.

Prevention is the Best Medicine
It’s been said that the best defense is strong offense. That is particularly true when it comes to cybersecurity. Just as you inoculate a child against disease with vaccinations, businesses should employ preventative measures to reduce the odds of an attacker getting in through their email.

Oddly enough, businesses have taken a more reactionary approach to cybersecurity and it’s costing them big time. Changes in data storage technology such as migrating email to platforms such as the Cloud or Microsoft Office 365 is leading businesses to oversimplify their security strategy. Business leaders believe they can save money and minimize the complexity of managing their cybersecurity by employing a defense-only model. This way of thinking falls short of providing the forethought and prevention the best security has to offer.

“Attackers are leveraging these same changes and are working in real-time to exploit gaps in your security program,” warns the Mimecast report, which predicts that 50 percent of organizations will suffer a negative business impact from an email-borne attack this year.

Education is Key
While email is unequivocally a major business tool, it can also be a major security threat. Of the organizations studied for the Mimecast report, “61 percent were hit by an attacker where malicious activity was spread from one infected user to other employees via email.” That is why cybersecurity awareness training is so imperative to a solid business security strategy, especially for business leaders.

According to Mimecast, nearly 40 percent of organizations see the CEO of their organization as a “weak link” in the cyber security chain. In fact, the study showed 31 percent of C-level employees have unintentionally sent sensitive information to the wrong person in the last year compared to 22 percent of other employees. This is due in part to corporate level employees having access to more sensitive business data than the average employee. Over the last 12 months, the report also showed 20 percent of organizations had C-level employees send proprietary data via email in response to a phishing email.

All employees should receive regular cyber security awareness training to prevent breaches before they can happen. While every employee needs regular training to keep up on the latest threats, this is especially true for C-level employees and those with access to sensitive data. You want to ensure there is security expertise at the leadership level of your business and the right training can get you there.

Cyber Resilience is Everyone’s Job
Implementing a solid cyber resilience plan is the responsibility of every employee. It doesn’t just fall to one person or department. Of businesses that have employed a cyber resilience plan, 80 percent feel prepared to fight ransomware and are confident that their sensitive data and files are properly backed up and encrypted, according to the report by Mimecast.

There are several steps to implementing a cyber resilience plan for any business based on the four dimensions of cyber resilience: Threat protection, adaptability, durability, and recoverability. Those steps include ensuring:

• The right security services are in place before an attack happens.
• A durability plan to keep email and business operations running during an attack or security breach.
• The ability to recover data and other corporate IP after a cyber incident or breach occurs.

Extra Tips
Here are a few more tips from the State of Email Security report to help close the security gaps at your business:

• Place cybersecurity into the function that manages overall risk mitigation for your business.
• Understand upper management sets the tone for company culture including security.
• Benchmark your security controls and risk management programs against similar businesses on a regular basis.
• Engage your security team on a regular basis to discuss your security program and requirements as well as the need for changes.
• Leverage internal marketing to communicate that security is everyone’s responsibility.

For more information on implementing a winning cyber resilience strategy for your small business, contact Oram now at (617) 933-5060.