Posts

IT Security for Small Businesses

Security, Privacy, & ComplianceStreamlining IT Security for SMBs

Streamlining IT security is a more balanced message about why and how to protect your business. Over the past year, we have covered the on-going, and increasing, threats to small businesses.  We often highlight the scope and severity of the risk, including how security trends will affect small business.  Hopefully this information, along with cost-effective solutions, prompts you to act. At times, we may appear to be fear-mongering.

Sound business practices, not fear, should be your motivation to protect against cyber attacks.

The market is awash with cyber security solutions. These range from single-protection products to complex advanced security monitoring and response services.  The number of options, and competing claims, is overwhelming.

Our Recommendations on IT Security for Small Businesses

Focus protections on the most common, and most damaging, types of attacks.

1. Focus on Risks

We know that:

  • More than 80% of cyber attacks start with, or involve email via phishing and other social engineering tactics
  • Ransomware is the most common type of attack
  • Business email compromise (BEC) is the most costly type of attack
  • Attacks via DNS and web content are becoming more of a risk

As such, small and midsize businesses should focus on preventing these types of attacks. Plan to limit your security approach and spending to prevention and recovery from these risks.

2. Use our CPR model as a guide

Communication and Education

Make sure your team knows how to spot an attack and what to do if they suspect an attack.  They should know the risks and steps you are taking to protect your business.

Periodically sharing articles or updates may be sufficient to strengthen your business.  Subscribing to a security awareness training service is an affordable way to provide this education. Your cyber insurance policy may require this service.

Protect and Prevent

To protect your business from the greatest risks, put the following solutions in place:

  • Multi-Factor Authentication (MFA)
  • Encrypt data at rest, including on servers, desktops, and laptops
  • Use advanced threat protection (ATP) on all email accounts for inbound messages
  • Ensure your endpoint protection (local anti-virus) is a next-gen solution
  • Use DNS/Web protection to prevent harmful downloads

Specific to business email compromise attacks and ensuring your legitimate emails are not flagged as dangerous, ensure your domain configuration include the following protocols and services:

  • An accurate and complete Sender Policy Framework (SPF) record
  • DomainKey Identified Mail (DKIM) for all sources of email (including marketing tools)
  • Domain-based Message Authentication, Reporting, and Conformance (DMARC)

Respond and Recover

Even with protections in place, cyber attacks can be successful.  Ensure that you can return to operations quickly, even as a full recovery may take time. Your ability to recover and respond should include:

  • Backup/Recover data stored in the cloud (Microsoft 365, Google Workspace, etc.), as well as on local servers, desktops, and laptops
  • Continuity services so you can run images of key servers, desktops, and laptops if they are damaged by an attack

Note that continuity services also protects you from the impact of hardware issues, theft, and other losses.

Start with an Assessment to See Where Your Small Business Stands with IT Security

For a limited time, our Rapid Security Assessment is free of charge. Complete a 3 minute survey and receive a detailed report benchmarking your basic security services with respect to the most common cyber attacks against small and midsize enterprises.  

To learn more, please join us on May 17th at 3:00 PM ET for Streamlining Security, our May 3T@3 Webcast or schedule a no-obligation call with one of our cloud advisors.


Business Email Compromise – The Costliest Type of Cybercrime

Email, Communications, & MobilityBusiness Email Compromise

While the massive number and scale of ransomware attacks get the most media attention, Business Email Compromise (“BEC“) attacks are the costliest type of cybercrime.

What is a Business Email Compromise (BEC)?

In a BEC attack, the criminal impersonates you and convinces somebody who trusts you to send money. While successful attacks often begin with unauthorized access to your email account, savvy criminals use email and domain impersonation techniques. They trick others into thinking that you are asking for, or instructing them to complete, a money transfer.

As we noted in a recent post, real estate agents and brokers are prime targets of Business Email Compromise attacks because they regularly discuss transferring large amounts of money with their clients. As noted in this recent email scam article from the Associated Press, however, BEC attacks are hitting a wide range of small businesses, nonprofits, and schools.

Business Email Compromise attacks succeed when cyber criminals are able to collate enough information about you to gain access to your account or impersonate you.  Here is how they do it:

  • Given that you use your email address to log into many systems, a third party breach can provide attackers with your email address and enough information to calculate your password.
  • Third party breaches often provide hackers with enough personally identifiable information (PII) about you to launch a successful phishing attack that captures your username and password.
  • Scanning social media posts can also provide hackers with enough PII to successfully phish for your identity.
  • Malware, known as an Advanced Persistent Threat (APT), that makes it past your endpoint protections can gather usernames, passwords, and other information while running undetected on your computer.

How to Prevent Business Email Compromise

Protect Your Identity

To keep your email account secure, you need to protect your identity.

  • Understand the risks and follow practical advice for safe online hygiene. Use unique, complex passwords across systems; avoid oversharing personal information; and learn to recognize phishing and impersonation attacks.
  • Use “Next-Gen” endpoint protections to prevent zero-day attacks, APTs, and more traditional forms malware.  These solutions use heuristics, AI, and behavioral analysis of files to identify an attack. They can also “roll back” changes to stop an attack.

Secure Your Email Service, and All of Your Services

Even as you protect your identity, you still need to secure your email service through proper data protection and security services.

  • Advanced Threat Protection (ATP) protects your account from phishing attacks, bad links, infected attachments, and other risks. ATP verifies sender information and test links and attachments in a “sandbox”, allowing safe messages to arrive in your inbox.
  • Two-Factor Authentication (2FA), or Multi-Factor Authentication (MFA), can prevent access to your accounts if your username and password are compromised.
  • Ensure that all of your information is encrypted at-rest and in-motion. Your email service should use Transport Layer Security (TLS) to encrypt messages between sending and receiving services.  Encrypt files on your local disk, on any file servers, and in the cloud.

Prevent Email and Domain Impersonation

As noted in a recent blog post, you can use three (3) different levels of email security to prevent email and domain impersonation.

  • Sender Policy Framework (SPF): Authenticates addresses you use to send email.
  • DomainKeys Identified Email (DKIM): Digitally signs messages to ensure emails are not altered en-route.
  • Domain-based Message Authentication, Reporting, and Conformance (DMARC): Authenticates email origin and instructs recipients how to process bad messages. A DMARC service will track and report any potential issues.

These protocols and a DMARC monitoring service offer the best protection against BEC and impersonation attacks. They also help improve the deliverability of your email. Our ebook, Email Security: Good, Better, Best, dives deeper into this topic.

For a limited time, our Rapid Security Assessment is free of charge. Complete a 3 minute survey and receive a detailed report benchmarking your basic security services with respect to the most common cyber attacks against small and midsize enterprises.  

 

Cyber Protection Solutions for SMBs

Data protection iconAs our businesses become even more reliant on technology and cloud services, the frequency and sophistication of cyber attacks continue to accelerate. Your Cyber Protection 

Cyber Protection Needs

We need our businesses — and our people — to be aware, protected, and able to recover.

At Cumulus Global, our CPR model maps the necessary components of cyber security into three areas.

  • Communicate & Educate
    • Ensure you team understands the risk, educate them so they can avoid falling prey, create a culture of security and data privacy.
  • Protect & Prevent
    • Leverage advanced and “next gen” technologies to prevent attacks and to protect your networks, systems, data, and people from attacks.
  • Recover & Respond
    • No system is perfect; make sure you can recover your data and systems, return to normal operations, and respond to the technical, legal, and communication challenges.

Successful Cyber Protection relies on your policies and procedures, technologies, and people working in sync. Across more than a dozen focus areas, you need to balance the level or protection you need with the costs and with the risks of not doing enough. You need to balance external requirements, such as government and industry regulations, with internal priorities.

Your Cyber Protection Solution

To design and implement an affordable, integrated, and effective cyber protection solution for your business, start with a Cyber Protection Assessment (CPA).  A CPA will assess your needs, within the context of your business, and preferred solutions across 15 areas of focus:

  • Written Information Security Plan
  • Patches and Updates
  • Email Encryption
  • Data Destruction
  • Background Checks
  • Written Information Response Plan
  • Antivirus and Intrusion Detection
  • Email and Web Security
  • Account and Identity Management
  • Employee Training
  • Firewalls
  • Backup / Continuity / Disaster Recovery
  • File Encryption
  • Network Access Security
  • Responsible Parties

Using the results of the Cyber Protection Assessment, you can plan and implement your levels of protection in each area to create the balance that is best for your business.

Next Steps and Resources

Your best next step is to contact us and discuss your cyber protection status and needs with one of our Cloud Advisors. Consider using our Cyber Protection Assessment to understand your needs, current protections, gaps, and priorities.

Related Resources:

Phishing Attacks Spike Amid COVID-19 Crisis

Cyber AttackIt should be no surprise to you that we are seeing a surge in phishing and other cyber attacks, as criminals look to take advantage of the COVID-19 crisis. A sample of recent news reports illustrates the scope of the problem.

  • In April, the FBI issued a warning about COVID-19 stimulus package scams (CNET).
  • In mid-April, Google reported the daily volume of malware and phishing attack emails jumped to more than 18 million per day (The Verge).
  • Last week, TechRepublic reported a surge in phishing emails trying to exploit DocuSign and COVID-19.
  • Hackers are impersonating Zoom, Microsoft Teams, and Google Meet for phishing scams (The Verge 5/12/20).

Understand the Risk

The risk to your business, employees, and customers is greater at time when your systems may be less secure.

If your employees are using home computers while following stay-at-home orders and guidance, your risk of falling victim to an attack is significantly greater.  Most home computers do not have commercial-grade, next-generation endpoint protections and many run outdated versions of the consumer-grade products installed.

CPR is Still the Best Practice

Our model remains the best, holistic method of avoiding attacks at the human and tech levels, and for responding should something slip through.

Communicate & Educate

  • Remind your employees to be on the look out for suspicious emails, phone calls, web links.
  • Encourage your team to get help and verification if a message or interaction appears or feels suspicious in any way (better safe than sorry).
  • Consider testing employees with simulated attack messages and identify those that may need additional training and guidance.

Prevent & Protect

  • Deploy multi-factor authentication (MFA) and, optionally, single sign-on (SSO) services to prevent the use of compromised accounts.
  • Install Advanced Threat Protection solutions for inbound and outbound email to catch phishing, ransomware, and other illegitimate message.
  • Deploy “next generation” endpoint protection on computers and mobile devices to detect, prevent, and undo damage from dangerous files and applications.
  • Put Web and DNS protection services in place to prevent downloading attacks from hacked websites and identity impersonation.
  • Monitor the “dark web” for direct and third party breaches that may compromise your employees’ business accounts.
  • Take advantage of data loss prevention features built into G Suite and Microsoft 365, and consider tools to identify and prevent unauthorized access, permission errors, and data loss.
  • Eliminate the use of “shadow IT” services, particularly free or consumer-grade services by providing those capabilities to employees and making sure they know how to use them.

Restore & Recover

  • Ensure that you back up and can recover your data, regardless of location.  Your data is not just on your physical or virtual servers, it resides in your Microsoft 365 or G Suite environment, in SaaS applications like Salesforce, on desktops and laptops, and on mobile devices.
  • Put business continuity systems in place with affordable services that let you spin up and run images of your servers and workstations in a cloud data center while you recover your primary systems.
  • Have a breach response plan and service in place as an increasing number of attacks are stealing information, as effective data breach response involves:
    • Forensic analysis and recovery
    • Legal compliance with reporting requirements
    • Legal strategies to minimize liability
    • Increased customer service demand
    • Communications with customers, stakeholders, and the media
    • A potential need to provide consumer protection services
    • Cyber Insurance claims management

Fortunately for most businesses, putting these protections in place is affordable and can be done with minimal impact on your employees and their productivity.  Understand your needs, assess the value proposition (include the risks and costs of doing nothing), and deploy a solution that is the best fit for your business.


Please contact us for assistance as you evaluate your risks, needs, priorities, and solutions.


 

Drive-by Downloads

This post is part of our Cyber Threat Series.

The Challenge:

Drive-by downloads are exploit kits that download invisibly from infected websites. These websites may be malicious sites built for malware distribution or trusted sites infected by hackers. Many of these attacks take advantage of weaknesses in popular software and tools, including video players, Java, and Adobe Reader.

Downloads may install and run other malware or may themselves be malicious. Many drive-by downloads install cryptoware, or ransomware, that encrypts files and holds them for ransom.

What to Do:

User education and web protection are the best protection from drive-by downloads. Cyber-aware users understand the risks and can avoid malicious links and sites. Web protection can prevent unexpected downloads and malicious behavior from reaching your systems and users.

DNS protection and secure DNS services provide additional protection by preventing impersonation, hijacking, and domain level attacks.

 


Contact us to discuss your cyber threat protections. The Cloud Advisory session is complimentary and without obligation.


 

The Email and Web Browser Protections You Need

A decade ago, the big problem with email was SPAM.  Unwanted messages pushing “healthy pills” and cell phone deals inundated our mailboxes and clogged our Internet connections.  At times, over 90% of all email traffic reaching our local servers was unwanted junk. We fought back and, for a long time, won the battle with updated email and web browser protections. With tools like Postini (purchased by Google and part of Gmail since 2008), we were able to block spam and email viruses “in the cloud” before they reached our email servers and services. And while spammers became more sophisticated, our data protection and security technologies were able to keep up.

Over the past years, however, we have clearly lost ground. It feels like we are back to square one.

Spam and malware attacks via email are on the rise. This time around, the consequences can be disastrous. Blocking unwanted emails about supplements is still needed, but cryptolocker, ransomware, and destructive malware can destroy your data and your business.

How did we get here and what can you do to implement modern email and web browser protections

5 things that happened to email and web browser protections

We see a convergence of several factors leading to the increase in successful malware attacks.

1. The IT Industry Became Complacent

Antivirus and email security vendors wrongly assumed that their existing models of protection were capable of keeping up with new types of threats.  For nearly a decade, this assumption held true. Cyber-criminals study and understand how to exploit weaknesses in our existing protections; they build malware that goes undetected by our traditional methods of discovery. Our industry was slow to recognize that systemic changes were needed to stay on top, and ahead, of the game.

2. We Face New Threats

To stay ahead of anti-virus protections, malware has grown up. A new class of malware, known as Advanced Persistent Threats, exists. On average, APTs sit on systems and networks for more than 4 months before activating. During this time, they periodically test the system security and protections. They learn how to act to avoid detection. While our legacy protections are watching the doors and windows, the threat is hiding under the bed.

3. Humans Deliver the Goods

Cyber-criminals have learned that human nature is easier to exploit than technology. They now send us messages and present web pages that look and feel valid. We are willing but unknowing accomplices when click links and install malware on our systems from fake emails and web sites. The human instincts to help and trust readily betray us when we are not careful.

4. We Assume our Vendors do the Work

Both Microsoft and Google tell our customers that their email and other information in the cloud gets backed up. What they do say is that these backups are to maintain service reliability and not to protect us from damage or loss due to application or human error. We hear “data backup” and we assume our protection is greater than the reality. This assumption holds true when we are told about built-in protections against cyber-threats.

5. We focus on Cost not Value

Cloud computing drives down cost perception faster than it drives down cost. Major cloud players wage periodic price wars. Cloud services like Microsoft Office 365 and G Suite continually add new capabilities without increasing prices. We do not expect, and do not want, to pay for extras. You are as likely to fall victim to ransomware from a corrupt or hacked web site than by clicking on an email attachment. While nearly all of our customers protect email, fewer than 5% protect web traffic. Web protection is added cost that does not appear to have value until after the cyber attack.

Good News: We have new solutions for email and web browser protection

While we have created a bit of a mess, we do have options. Innovative vendors have built new solutions that affordable confront and address the new wave of threats. Using the power of cloud infrastructure, some vendors have radically improved their solutions while others have taken a step back and built new, strategic solutions. To protect your business, you need to protect your email service and your web browsing.

  • Web protection should scan and analyze all web traffic, intended (page you click) and unintended (the auto-start video stream, cookie update, etc.) for all web traffic from any device you use.
  • Email protection should pre-screen (open and validate) links and attachments in a sandbox (safe environment) before allowing messages to reach your inbox.

The solutions are affordable, are easy to manage, and can be up and running in no time. A dollar of cost can protect against thousands of dollars loss.


For more information, or a free assessment and set of recommendations for your business, contact us today.


 

The Best Unknown Add-on for Office 365

MS Office 365Microsoft Office 365, from the entry level Exchange Online plans through the Business and Enterprise plans, includes a robust infrastructure for spam/virus protection. As we have blogged about on numerous occasions, cyber attacks continue to get more sophisticated and are using social engineering to trick and trap more people than ever.

Advanced Threat Protection

Advanced Threat Protection (ATP), a little know add-on for Exchange Online and Office 365, offers additional protection against cyber attacks. Using a secure “sandbox”, ATP tests and validates links within email messages and tests attachments for malware and other threats before the message makes it to your inbox. With minimal latency, ATP can block messages or strip them of the offending item(s).

With the increasing threats of ransomware and identity theft, ATP is well worth the nominal per user fee.


If you want to add ATP to your ecosystem, please contact us.


 

library

2023 OpenText Cybersecurity Email Threat Report

eBook | Source: OpenText Security — Attackers persistently adapted their email-based techniques throughout 2022, introducing more nuances into their methods. This eBook shares current information about Phishing, Business Email Compromise, Cryptocurrency Scams; and the Top Malware Threats. The report provides examples of attacks as a learning tool for understanding attacks, how to prevent them, and how to respond.

15 Best Practices for Cyber Protection

eBook | Source: Cumulus Global 

Webcasts

Next Normal: IT Efficiency

(02/23/2021) – COVID-19 and the events of the past 10 months have, and continue, to change the way we run our businesses. Are the IT choices made during the crisis the best for your business in the long term?