How your company can get a cybersecurity boost through these inexpensive methods
Strong firewalls and passwords are essential defenses in a business’ cybersecurity plan, but the weakest point in any plan might just be the person reading these words.
Cybersecurity experts in the North Bay say training staff to recognize the methods used to trick employees into compromising company security is one of the most cost-effective and essential pieces of a digital security strategy.
“Social engineering is probably the biggest vector for hacking,” said Allan Jaffe, vice president of technology at Top Speed Data Communications in Petaluma, using the industry term for cyber attacks that target individuals, often through emails. Common social engineering attacks include phishing, where a hacker sends a fake email that looks legitimate and includes links or attachments that when opened can give them access to a company computer network, bypassing external security measures like passwords and firewalls.
“Security training can be $2 to $3 per month per user,” said Jaffe, noting it can be highly effective to educate employees on common features of email phishing attacks, such as misspellings that signal an email is not actually from your bank, for example.
To combat this, Jaffe said outside consulting companies can send dummy phishing emails to employees. If they open them, they are directed to training.
“They get a sense that their action was inappropriate,” Jaffe said.
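The misspelled-sender check the training above teaches employees to do by eye can also be run by a mail filter. The following is an added example, not code from the article or from any of the companies quoted in it: it flags an inbound message whose sender domain is a near-miss of a domain the business trusts. The trusted-domain list, the distance threshold and the sample headers are constructed for illustration.

```python
"""Added example (not from the article): flag inbound mail whose sender
domain is a close misspelling of a trusted domain, the kind of subtle
lookalike that phishing training teaches employees to spot.
The trusted domains and sample headers below are constructed."""
from email.utils import parseaddr

# Constructed allowlist: domains the business legitimately receives mail from.
TRUSTED_DOMAINS = {"examplebank.com", "mybusiness.example"}


def edit_distance(a, b):
    """Levenshtein distance between two strings (standard dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(from_header):
    """Extract the lower-cased domain from a From: header, or '' if none."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def classify_sender(from_header, trusted=TRUSTED_DOMAINS, max_dist=2):
    """Return 'trusted' (exact match), 'lookalike' (within max_dist edits of
    a trusted domain but not equal to it), or 'unknown' (anything else)."""
    domain = sender_domain(from_header)
    if not domain:
        return "unknown"
    if domain in trusted:
        return "trusted"
    for t in trusted:
        if 0 < edit_distance(domain, t) <= max_dist:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers: one genuine, two lookalikes, one unrelated.
    for hdr in ("Example Bank <alerts@examplebank.com>",
                "Example Bank <alerts@exarnplebank.com>",
                "alerts@examp1ebank.com",
                "someone@unrelated.org"):
        print(f"{hdr!r:45} -> {classify_sender(hdr)}")
```

A "lookalike" verdict is a cue to quarantine or at least to tag the message for the recipient; a distance threshold of 2 catches single-character swaps and the "rn" for "m" trick while keeping unrelated domains in the "unknown" bucket, which is handled by whatever the normal mail policy is.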
According to Steve Moore of Vista Consulting, the problem with implementing proactive measures like training “is getting managers to pay for them.”
“Entrepreneurs are by nature gamblers,” Moore said.
Many smaller businesses will look at even a $5,000 expenditure on training and choose instead to invest that money elsewhere because they see a hack as unlikely, he said.
Moore said many companies only hear about large hacks in the news like those perpetrated against Target and Capital One. But hacks can happen to any company.
He said strong defenses can be expensive but encouraged businesses to purchase what training they can afford.
One of the more obvious, cheaper ways of hardening your business against hackers is also simple: your password.
Moore recommended using computer settings that require a periodic change of each employee password while not letting them reuse old ones and calling for a certain level of complexity.
He said the “single-sign-on movement” offered by companies such as Okta allows users to remember only one longer password that gives them access to their larger cache of passwords. Employees don’t have to remember multiple code words.
But Moore noted even this defense has its limits.
“It’s a threat because it’s a single point of failure,” he said, noting that if the main password is hacked into, a bad actor has access to a trove of other password data.
Scott Schulze of Fusion Technology Solutions LLC in Healdsburg said long passwords with numbers, letters and special characters are particularly difficult to guess. Programs like LastPass can also encrypt passwords and store them online for added security, although they too are not immune to intrusion.
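The policy Moore and Schulze describe (periodic change, no reuse of old passwords, a minimum level of complexity, and a preference for long passwords mixing character classes) is what a login system's password-change handler enforces. The following is an added example, not code from the article or from any of the firms quoted: the length, history depth, maximum age and hashing parameters are constructed values, and the stored history keeps only salted PBKDF2 hashes so the reuse check never needs old passwords in the clear.

```python
"""Added example (not from the article): enforce a password policy with a
minimum length, mixed character classes, no reuse of recent passwords and
a maximum age. Stored history holds salted PBKDF2-SHA256 hashes only.
All thresholds and sample data are constructed for illustration."""
import hashlib
import hmac
import os
import string
import time

MIN_LENGTH = 14                     # constructed policy values
HISTORY_SIZE = 5                    # how many old passwords may not be reused
MAX_AGE_SECONDS = 90 * 24 * 3600    # force a change after 90 days
PBKDF2_ROUNDS = 200_000


def complexity_problems(pw):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "lowercase letter": any(c.islower() for c in pw),
        "uppercase letter": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special character": any(c in string.punctuation for c in pw),
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"missing a {name}")
    return problems


def hash_password(pw, salt=None):
    """Salted PBKDF2-SHA256 digest; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(pw, salt, digest):
    """Constant-time comparison of a candidate against a stored hash."""
    _, candidate = hash_password(pw, salt)
    return hmac.compare_digest(candidate, digest)


class PasswordRecord:
    """Per-user history of (salt, digest, time_set), newest entry last."""
    def __init__(self):
        self.history = []


def set_password(record, new_pw, now=None):
    """Apply the policy; on success store the new hash and return [],
    otherwise return the list of violations and leave the record unchanged."""
    now = time.time() if now is None else now
    problems = complexity_problems(new_pw)
    for salt, digest, _ in record.history[-HISTORY_SIZE:]:
        if matches(new_pw, salt, digest):
            problems.append(f"matches one of the last {HISTORY_SIZE} passwords")
            break
    if problems:
        return problems
    salt, digest = hash_password(new_pw)
    record.history.append((salt, digest, now))
    return []


def is_expired(record, now=None):
    """True when no password is set or the current one is older than MAX_AGE_SECONDS."""
    now = time.time() if now is None else now
    if not record.history:
        return True
    return now - record.history[-1][2] > MAX_AGE_SECONDS


if __name__ == "__main__":
    rec = PasswordRecord()
    print(set_password(rec, "short1!"))                  # fails length and case checks
    print(set_password(rec, "Correct-Horse7Battery"))    # [] -> accepted
    print(set_password(rec, "Correct-Horse7Battery"))    # rejected as reuse
    print(is_expired(rec, now=time.time() + 91 * 24 * 3600))  # True
```

The reuse check compares the candidate against each stored hash with its own salt, so the server never keeps old passwords in a recoverable form; the same salted-hash comparison is what a password manager or single-sign-on provider relies on when it verifies the one master password the article describes.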
Schulze said customer information, including passwords, from hacks of large companies like Capital One can be purchased illegally on the so-called “dark web,” an unregulated anonymous portion of the internet. Frequently changing a password or making it more complex can help to mitigate the risk from these breaches.
During the North Bay Cybersecurity Summit for Business last month, Ryan Donham, director of information technology at Empire College in Santa Rosa, demonstrated another threat — phones that can be accessed remotely even when they appear to be off, allowing hackers to use their cameras and microphones to spy on their owners and those around them.