The FBI warned that the Russian government hacked the Democratic National Committee and may have been trying to influence the Presidential election. A cyber organization affiliated with the National Security Agency (NSA) got hacked, and a number of military-grade cyber tools were released on the internet. A group of hackers stole $63 million in Bitcoin (a digital currency used primarily for anonymous transactions on the internet), causing a 30% drop in the value of Bitcoin. Every day another story of cybercrime becomes front-page news, but the simple truth is that most cybercrime is never reported to law enforcement.
Cybercrime cost the world $3 trillion in 2015, and that figure is expected to double in the next 5 years, predicts Cybersecurity Ventures, a research and security intelligence organization. Organizations of all sizes are being directly and indirectly impacted by cybercrime. Cyber criminals are indiscriminate in their targets, and smaller organizations are at a loss as to how to protect their business. Most cyber defense tools and guidance are aimed at individuals or large organizations, but small businesses arguably have the most to lose.
The good news is it doesn’t take an engineering degree or a ton of money to protect your organization. The fundamentals of good cyber hygiene start with training & awareness for your employees, which doesn’t have to cost anything other than time.
91% of all cyber attacks begin with an email. Why an email? Emails go directly from the bad guy to the end user, assuming they aren’t caught by a spam filter or anti-virus. It’s always easier to hack a human rather than try to break through a firewall or trick anti-virus. Criminals hope that the person reading the email is willing to open the attachment, click a link, or respond to the email. Using a little psychology and targeting in bulk they are able to get the responses they desire.
With attachment names such as “Department Salaries.doc”, links promising free tickets to concerts, or emails impersonating the IRS demanding a response, it’s no wonder email is the preferred malicious route into an organization. Since you now know how these bad guys operate, you can take steps to protect yourself.
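As an added illustration of the indicators described above (this is not code from the article), here is a small Python triage script that parses an email and flags three of them: a sender domain that only resembles your own, an attachment with a macro-capable or executable extension, and a link whose visible text names a different host than its real target. The two messages, the domain example-corp.com and the extension list are constructed for the example. A real spam filter does far more than this, but it shows the kind of check such a filter applies before a message reaches the inbox.

```python
import email
import os
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages (not real mail). The first shows the pattern the
# article describes: a lookalike sender domain, an Office attachment with a
# tempting name, and a link whose visible text differs from its real target.
PHISH_EML = """\
From: "Payroll Dept" <payroll@example-corp.co>
To: staff@example-corp.com
Subject: Department Salaries - please review
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review the attached file and confirm at
<a href="http://login.example-corp.co/verify">https://intranet.example-corp.com</a></p></body></html>
--B1
Content-Type: application/msword; name="Department Salaries.doc"
Content-Disposition: attachment; filename="Department Salaries.doc"
Content-Transfer-Encoding: base64

AAAA
--B1--
"""

CLEAN_EML = """\
From: "IT Helpdesk" <helpdesk@example-corp.com>
To: staff@example-corp.com
Subject: Scheduled maintenance
Content-Type: text/plain; charset="utf-8"

The mail server will be patched on Saturday evening.
"""

# Extensions that commonly carry macros or run code when opened. This is a
# deliberately short, hypothetical list for illustration; tune it to your environment.
RISKY_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm", ".exe", ".scr", ".js", ".vbs", ".hta", ".iso"}

# Minimal anchor-tag matcher: enough for this example, not a full HTML parser.
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def sender_findings(msg, trusted_domain):
    """Flag a sender whose domain merely resembles the organisation's own."""
    _, addr = parseaddr(str(msg["From"]))
    domain = addr.rpartition("@")[2].lower()
    label = trusted_domain.split(".")[0]
    if domain != trusted_domain and label in domain:
        return [f"lookalike sender domain: {domain}"]
    return []


def attachment_findings(msg):
    """Flag attachments whose extension is on the risky list."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name.lower())[1] in RISKY_EXTENSIONS:
            findings.append(f"risky attachment: {name}")
    return findings


def link_findings(msg):
    """Flag links whose visible URL text points to a different host than the href."""
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    findings = []
    for href, text in LINK_RE.findall(body.get_content()):
        text = text.strip()
        if not re.match(r"https?://", text):
            continue  # only compare when the anchor text itself looks like a URL
        href_host = urlparse(href).hostname or ""
        text_host = urlparse(text).hostname or ""
        if href_host != text_host:
            findings.append(f"link text {text_host} points to {href_host}")
    return findings


def triage(raw_message, trusted_domain="example-corp.com"):
    """Parse one RFC 5322 message and return the list of indicators found (empty if none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    return (sender_findings(msg, trusted_domain)
            + attachment_findings(msg)
            + link_findings(msg))


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EML), ("clean", CLEAN_EML)):
        print(label, triage(raw) or "no indicators")
```

Each finding on its own is only a hint (a partner really might mail from a similar domain, and plenty of legitimate Word files circulate), which is why filters combine many such signals and why the training in tip 1 still matters for the messages that get through.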
Here are 8 quick tips for keeping your small business safe:
Have security awareness training. Organizations like Stop Think Connect offer free security material for your small business. https://www.stopthinkconnect.org/ (Cost: $0)
Use a spam filter. A spam filter will go a long way in removing lots of the bad emails that end up in your inbox. Talk to your email provider to see what protection they offer you for spam. If they have a business or corporate version it may be worth exploring the cost. (Cost: starts at $0)
Deploy a web filter. The internet is full of dangerous links and malicious pages and one wrong click can get your organization into trouble. Using a web filter helps to block traffic to the worst parts of the internet. (Cost: as low as $20 per user per year)
Keep your systems patched. Microsoft (Windows, IE, Office, Silverlight), Apple (OSX, Safari, iOS), Mozilla (Firefox), Google (Android, Chrome, ChromeOS), Oracle (Java), and Adobe (Reader, Acrobat, Flash, ColdFusion) account for the vast majority of all patches businesses need to deploy. (Cost: free)
Keep your Anti-Virus up to date. Anti-Virus at its best is only 40% effective but 40% still beats 0%. Understand it’s not a silver bullet but machines without up to date anti-virus are very exposed. (Cost: starts at free)
Don’t give your non-IT staff admin access. Admin access allows you to install software; it’s also an easy way for malicious software to get installed by an unsuspecting user. Most users should be able to do their everyday job with a standard user role. (Cost: $0)
Use a password manager. Using weak passwords is a surefire way to lose access to an account. Instead, use a password manager to help create and store strong passwords. PCMag has a great article on the best password managers available here: http://www.pcmag.com/article2/0,2817,2407168,00.asp (Cost: starts at $13 per user per year)
Turn on two-factor authentication. Two-factor authentication requires that you use more than just a password to get into a website; usually a text message or phone call gives you the second piece of authentication. This will go a long way toward keeping bad guys out of your accounts, and best of all, it’s free. Check out 2 Factor Auth List for an up-to-date list of which sites support this login method: https://twofactorauth.org/ (Cost: $0)
Nathan Horn-Mitchem is first vice president of Information Security at the Provident Bank. Based in Provident’s Iselin office, Horn-Mitchem oversees the bank’s Information Security and Cybersecurity programs. He holds a bachelor’s degree in business administration from Georgetown University in Washington D.C.