Posts

Preparing for Your Cyber Insurance Renewal

5 Cybersecurity Standards

As you approach your annual cyber insurance renewal, you can take specific steps to ensure you have appropriate coverage and reasonable premiums.

The cyber insurance market has matured greatly over the past two years and continues to evolve rapidly. Insurers have become significantly more savvy regarding risks, protections, recovery costs, and potential liabilities. As a result, carriers are more precise in their underwriting practices.

Reviewing your cybersecurity risks and protections is a wise investment of time and resources. In a recent blog post, for example, we outlined 5 minimum cybersecurity standards that – if in place – can significantly reduce your premiums.

Here is a roadmap:

Review Your Original Application and Security Declarations

When you first applied for cyber insurance, you completed an application and, in most cases, a security survey/questionnaire. If you have not formally asked to complete a new questionnaire, take the initiative to review and update your answers.

As a part of the review, document any changes in your cybersecurity protections. Make note if you added new protections or updated procedures.

If you’ve removed or replaced any cybersecurity tools, specify which ones and the reasons for the change. It’s important to track modifications as your needs and environment evolve.

Reassess your Cybersecurity Protections

Policy renewal is a great time to step back and reassess your cybersecurity. Compare your protections to industry, regulatory, and compliance standards relevant to your business.

Our eBook, Cyber Security Requirements for Cyber Insurance, outlines basic, preferred, and best-practice protections to consider before getting or renewing your policy.

As part of your analysis, consider completing new assessments, such as Penetration Testing and Security Audits of your Microsoft 365 or Google Workspace tenant. These evaluations can offer valuable insights, helping to inform decisions and set priorities for future cybersecurity improvements.

Deploy Additional Protections

Based on your review and assessments, determine if you should modify your cybersecurity protections. As you consider changes, prioritize your choices and efforts. hYou can make low-effort changes, as well as changes that address higher-level, critical risks.

You do not need to address every risk and gap. Instead, focus on demonstrating improvements and prioritizing the most likely and impactful risks for your business.

Put Your Policy Out to Bid

Finally, put your policy out to bid. Avoid simply adding coverage or riders to your general liability business coverage.

Cyber insurance is a specialized coverage, and the industry has become more adept at evaluating risks and potential liabilities.  Partner with a broker who specializes in Cyber Insurance to market your coverage to multiple, specialty carriers. This will help you find the best balance between coverage and price.

Your Next Steps

If you are ready to move forward, here are four steps you can take today:

  1. Schedule time with one of our Cloud Advisors.
  2. Ask your Cloud Advisor about discounted and free Security Assessments.
  3. Evaluate options and deploy additional protections, if needed and appropriate.
  4. Shop your policy for the best plan and price with our partner, DataStream.

As always, our Cloud Advisors are ready to help. Contact us or schedule time for a quick online consultation.

About the Author

Allen Falcon is the co-founder and CEO of Cumulus Global.  Allen co-founded Cumulus Global in 2006 to offer small businesses enterprise-grade email security and compliance using emerging cloud solutions. He has led the company’s growth into a managed cloud service provider with over 1,000 customers throughout North America. Starting his first business at age 12, Allen is a serial entrepreneur. He has launched strategic IT consulting, software, and service companies. An advocate for small and midsize businesses, Allen served on the board of the former Smaller Business Association of New England, local economic development committees, and industry advisory boards.

Cloud Computing Trends, Challenges & Provider Insights in 2023

Cloud Computing Trends

Earlier this month, CRN published a story covering Flexera’s 2023 State of the Cloud Report.  Flexera provides software and systems to manage enterprise private and public clouds.  The report on cloud computing trends originates with an annual survey of 750 technology leaders across sectors, geographies, and size of the business.  While the report classifies small and midsize businesses as those with under 1,000 employees, we still find the results interesting and relevant.

As small businesses, our concerns are spending, security, compliance, and managing cloud services. The cloud model hits our income statements and balance sheets differently than historical IT services. The need to protect our businesses, and our customers, has never been greater. And, we find it difficult to understand if we are spending efficiently and effectively.

We take a look at the top 3 cloud challenges, discuss managing clouds, and explore cloud waste.  Understanding these issues, you will better understand how to create better cloud solutions. You will also be better able to set expectations from those providing cloud solutions and related services.

Top 3 Cloud Computing Challenges

For 2023, SMB respondents identify the top three cloud computing challenges as:

  • Managing Cloud Spend (80%),
  • Security (73%), and
  • Compliance (71%).

These concerns make sense. The spending model for managed cloud services, based on subscriptions or usage, is an operating expense.  Most smaller companies are used to making capital expenditures and paying for service contracts and managed services.  Additionally, many of the IT firms working with small businesses will replicate on-premise networks and servers in a public cloud service. They may lack the expertise and tools to actively manage costs.

Concerns about security and compliance reflect the increasing need and demands of protecting sensitive business and personal information.  We face the same increased regulations and expanding industry standards as larger enterprises. But we do not have the in-house resources or the same access to experts. We place our trust on local or regional IT service firms.

Latest Trends and Developments in Cloud Computing

Undefined Cloud Management

Following closely behind the top 3 cloud challenges, governance (67%) and subscription management (61%) indicate that small businesses are not sure how to best manage their cloud services.  As cloud infrastructure matures, the number of options expand.  To make simple decisions, such as whether to subscribe monthly or make an annual commitment at a lower per unit price, we need to understand the operating cost models.  We need standard operating procedures, such as on/off-boarding and access controls, in place.

Cloud is still new. We need our IT service firms and managed service providers to guide, if not lead, our cloud management efforts. Co-management is a viable strategy, provided it includes policies and procedures as well as products and services.

Cloud Waste

On average, the survey results show that businesses spent 18% more than budgeted on public cloud services last year.  The greatest contributor to the overspend appears to be Cloud Waste.

Cloud waste is spending on cloud services that go unutilized or are under-utilized.  Reducing cloud waste can be as simple as

  • Shutting down unused resources after hours
  • Selecting lower cost regions / data centers
  • Periodically right-sizing systems and resources

Policies that scale resources in real-time based on usage will increase efficiency, but require expertise and planning during the solution design process, monitoring, and refinement over time.

How to Pick a Cloud Computing Provider

Traditional managed service providers, or MSPs, are experts in buying, monitoring, and managing things. They focus on network components, servers, systems software, and end user devices.  To get the most value from our cloud services, we need partners that understand service and cost management.

Managed cloud service providers, or MCSPs, understand how the “as-a-Service” model is different. Security, compliance, and cost management only work when they are built into the requirements, design, and management of your cloud services.

Before picking your cloud provider, ask about their management and co-management models. Understand if they actively work to monitor and manage security, compliance, and costs. Ask them to explain how.

Call To Action

Get a copy of our recent eBook, Cloud Strategies for Small and Midsize Businesses. In this eBook, we: set the stage by looking at how small and midsize businesses acquire and use technology and IT services; explore the challenges we face moving into the cloud; and map out four strategies for enhancing your use and expansion of cloud services.

To discuss how your business can better utilize a broader range of cloud services, please contact us or schedule time with one of our Cloud Advisors at your convenience.

About the Author

Allen Falcon is the co-founder and CEO of Cumulus Global.  Allen co-founded Cumulus Global in 2006 to offer small businesses enterprise-grade email security and compliance using emerging cloud solutions. He has led the company’s growth into a managed cloud service provider with over 1,000 customers throughout North America. Starting his first business at age 12, Allen is a serial entrepreneur. He has launched strategic IT consulting, software, and service companies. An advocate for small and midsize businesses, Allen served on the board of the former Smaller Business Association of New England, local economic development committees, and industry advisory boards.

A Notable Shift in Cyber Attacks

As we proceed into 2023, we begin receiving reports and analysis of 2022, the year that was.  Now is a time when we gather data and perspectives on the past year. This new information helps guide us to better decisions in the year ahead. With respect to Cyber Attacks, the information is definitely both positive and negative in nature.

Mixed News

As reported recently in CRN, SonicWall reports in their 2023 annual Cyber Threat Report that ransomware attack volume dropped by 21% worldwide last year. In the US, the volume dropped by 48%.  While this is good news, we see some serious caveats in the data.

  • 2021 was the worst year on record for ransomware attacks, with more than 600 million worldwide.
  • Even with the 21% drop, 2022 still had the second largest number of ransomware attacks in history.
  • Ransomware attack volume in 2022 was 50% more than in 2020, and more than 2019 and 2022 combined.
  • SonicWall also reports that the last quarter of 2022 had a spike of attacks with an increase over Q4 in 2021.

What does this mean?  Ransomware attack volumes have dropped, but they are still at historical highs.  It is too soon for us to predict a change that would alter how we protect and respond these attacks.

Shifting Landscape

Related data suggest the cyber attack landscape is shifting. This information suggests that cyber criminals are focusing on other types of attacks. In 2022,

  • Cryptojacking attacks jumped by 43%
  • IoT malware attacks increased by 87%

Similarly, CRN reported that security vendor CrowdStrike noted a 20% increase in data theft and data extortion attacks that did NOT deploy encryption. More attackers are avoiding the protections against ransomware and simply threatening to expose or release sensitive data.

What does this mean? Businesses with solid cyber security and business recovery solutions in place can avoid paying ransoms. Collecting ransoms to decrypt files has become less attractive.  By quietly identify and collecting sensitive information, cyber attackers regain the upper hand.  They can release portions of the data if the victim hesitates to pay.

The Impact on Your Business

While we may see some encouraging signs, your business remains at risk. Our Security CPR model guides decisions on cyber security solutions. The model offers a holistic approach that begins with communication and education, ensures protection and prevention, and includes your ability to restore and recover.

To ensure your business has the resiliency it needs, focus on threats most likely to impact your business and those that will be the most damaging if successful. We have a number of blog posts, webcasts, and whitepapers in our Resource Center.

Call To Action

For a look at your cyber security, complete our Rapid Security Assessment (free through June 2023) for a review of your basic security measures.

Contact us or schedule time with one of our Cloud Advisors to discuss your cyber security protections and/or your broader security needs, priorities, and solutions.

About the Author

Allen Falcon is the co-founder and CEO of Cumulus Global.  Allen co-founded Cumulus Global in 2006 to offer small businesses enterprise-grade email security and compliance using emerging cloud solutions. He has led the company’s growth into a managed cloud service provider with over 1,000 customers throughout North America. Starting his first business at age 12, Allen is a serial entrepreneur. He has launched strategic IT consulting, software, and service companies. An advocate for small and midsize businesses, Allen served on the board of the former Smaller Business Association of New England, local economic development committees, and industry advisory boards.

The Cloud, Shared Responsibility, and You

The vast majority of small and midsize businesses (SMBs) understand — or have learned the hard way — that the ability to recover lost or damaged data is critical to your IT services and business resiliency.  You need to be able to recover and restore files, databases, servers, and workstations from loss due to disasters, hardware failures, software errors, or human action. In the cloud, it is your shared responsibility to protect your data.

The Cloud

As we move data, services, and servers, we rely on infrastructure and security built into the services.  Google and Microsoft operate industry-leading, sophisticated services designed for security as well as performance, features, and functions.  The capabilities do three things:

  1. Continuity: Ensure the clouds run with little or no disruption
  2. Recovery: Enable the restoration of services without loss of failure do to hardware, network, or other issues
  3. Capability: Provide us with the ability to secure and protect our data based on our usage

Microsoft, Google, and other cloud services do not, however, protect us from how we use their services.

You

Microsoft and Google do not control how we use Microsoft 365 or Google Workspace services.  We, as subscribers, control how we manage and protect our data, including:

  • Who can access the services
  • Which applications can connect and integrate
  • Which other applications and services will share user identities
  • Which users can manage, edit, suggest, or view files and folders
  • Which users can access various services within each of the productivity suites

With these controls comes great responsibility.  You are responsible for how your data is stored and used.  You are responsible if that use causes data loss or damage.

Shared Responsibility

Microsoft and Google  both use a “Shared Responsibility” model for security and data protection. The model defines which aspects of the cloud service security and data protection are your responsibility and which are the responsibility of the service provider.

Microsoft

Microsoft Shared Responsibility ModelMicrosoft discusses Shared Responsibility as a component of its terms of service.  A recent Microsoft Learning article notes the following:

“In an on-premises datacenter, you own the whole stack. As you move to the cloud some responsibilities transfer to Microsoft. The following diagram illustrates the areas of responsibility between you and Microsoft, according to the type of deployment of your stack.”

For Microsoft 365, a “Software as a Service” (SaaS) offering, Microsoft expects you to take responsibility for protecting and recovery of your information and data; devices; accounts and identities; and portions of your identity and directory infrastructure. Microsoft has a detailed white paper covering shared responsibility for Azure services.

Google

Google Shared Responsibility ModelThe Google Workspace Data Protection Guide includes a section dedicated to the Shared Responsibility model. Google states:

“Data protection is not only the responsibility of the business using Google Workspace services; nor is it only that of Google in providing those services. Data protection on the cloud is instead a shared responsibility; a collaboration between the customer and the Cloud service provider (CSP).”

“As a Google Workspace customer, you are responsible for the security of components that you provide or control, such as the content you put in Google Workspace services, and establishing access control for your users.”

As a SaaS offering, Google warns that you are responsible for the access control, security, and protection of any and all content you place in the Google Workspace service. The Google Cloud Platform: Shared Responsibility Matrix provides a detailed overview of shared responsibility for Google Cloud Platform.

Back to You

Understanding your shared responsibility, you can meet your data security and protection obligations.

First and foremost, configure and use the security and data protection features included within your Microsoft 365 or Google Workspace subscription. These services range from multi-factor authentication to secure user identities and access to advanced data loss prevention services in enterprise level subscriptions.

Your next step is to add additional services to cover aspects of data protection not provided with your Microsoft 365 or Google Workspace subscriptions.  These services may include:

  • Advanced threat protection for inbound email
  • Backup/recovery of all user content in Google Workspace (including shared drives) and Microsoft 365 (including Teams)
  • Archive/eDiscovery services to meet internal data policy, industry guidelines, or regulatory requirements
  • Backup/recovery for data located on end user devices and on-premise or hosted servers
  • Continuity services for mission-critical servers and end user device
  • Message-level and file-level encryption for compliance with industry or regulatory requirements

Your business may or may not need all of the services listed.  Which services you deploy should be part of a larger assessment of your cyber security and data protection needs.

Call To Action

Contact us or schedule time with one of our Cloud Advisors to discuss how you are meeting your shared responsibility and/or your broader security needs, priorities, and solutions.

For a broader look at your cyber security, complete our Rapid Security Assessment (free through June 2023) for a review of your basic security measures.

About the Author

Chris CaldwellChristopher Caldwell is the COO and a co-founder of Cumulus Global.  Chris is a successful Information Services executive with 40 years experience in information services operations, application development, management, and leadership. His expertise includes corporate information technology and service management; program and project management; strategic and project-specific business requirements analysis; system requirements analysis and specification; system, application, and database design; software engineering and development, data center management, network and systems administration, network and system security, and end-user technical support.

Understanding a Third Party Data Breach & How to Prevent One

Understanding Third Party Breach AlertsWhat is a Third Party Data Breach?

A third party data breach occurs when an individual’s login identity and/or personally identifiable information (PII) has been disclosed by a third party system or service. A third party system or service is one that is unrelated to your business.

Third party data breaches are a security risk to your business and your employees. To understand this risk, we look at human behavior and the nature of modern cyber attacks. Knowing the risks, we look at ways to identify and respond. We discuss methods to ensure you are properly protecting your employees and your business.

The Risks of Third Party Data Breaches

The Risk of Human Nature

Multiple studies show that between 65% and 70% of humans will use identical or similar passwords across systems. The practices of “patterning” and “mimicking” passwords is more common across accounts using the email address or username as the account identity, whether or not the login is for a business system or some other system or service.

Think about employees using their work email for business-related services, such as video conferencing services, LinkedIn, or file sharing services. Some employees may have accounts to online stores for purchasing materials or supplies.  A breach in any of these systems, which are out of your control, poses a risk to your business.

A second aspect of human nature that works against us: humans are social creatures.  People, at different levels, want and need to interact with others.  In general, humans are trusting and we want to be helpful.  We will share information if and when it fits within typical interactions and when we think we are helping ourselves or others.

The Risk of Cyber Attack Methods

Currently, sophisticated criminal organizations (sometimes backed by hostile nation-states or terrorist groups) execute the vast majority of cyber attacks. They often sell and trade methods, malware, and data on the dark web, as different organizations build specialized expertise. Modern cyber attacks reflect the sophistication and expertise of the cyber criminals. Most cyber attacks involve indirect and direct methods.

Indirect Attacks

We define indirect attacks as those intending to gather information. Cyber criminals collect useful information in order to conduct direct attacks and to sell to other criminals. Phishing, social media “clickbait”, and third party data breaches are three common examples of indirect attacks that provide personal information for further attacks.

Direct Attacks

We define direct attacks as those intending to gain access to your systems and information. These include compromised user identities or credentials, ransomware, activity/keystroke monitoring, business email compromise attacks, and other attacks where your data is exposed or altered.

Direct attacks are more successful if they use data gathered from previous, indirect attacks.  And while cyber attackers may manage the complete attack, it is more common for those interested in direct attacks to buy data from those that specialize in conducting indirect attacks.  Your answers to quizzes and games on Facebook are being sold to cyber criminals that will use that information against you in a future attack. Indirect attacks also gather information that allow the attackers to impersonate you, organizations, or those around you.

Maybe the information lets them craft a surprisingly real-looking email asking you to log into a fake website, or to transfer money to a vendor using incorrect banking information.  Or, you are asked to share the MFA code you received by text. And with enough information, the attackers pretend to be you and ask your customers to make a payment by wire or ACH transfer using their banking information, not yours.

Tracking Third Party Data Breaches

The best method of tracking third party data breaches is subscribing to a monitoring and alert service.  Use the service to scan and monitor the dark web for data breaches related to any email address from your business domain(s).  The service should send you alerts that include:

  • Email address of the breached account
  • Origin of the breach, if known and disclosed
  • The Source of the breached data (where was the data posted/visible)
  • The type of the compromise
  • When the data was found
  • If a password was compromised, and if the password is visible or encrypted
  • Any PII disclosed in the breach

Using this information, you can assess the risk and take appropriate actions in response.

At Cumulus Global, we partner with DarkWeb ID for third party data breach monitoring and alerts.  Our eBook, Understanding Third Party Breach Alerts, covers how to analyze alerts, assess risks, and respond accordingly.

Protecting Your Business From a Third Party Data Breach

To fully protect your business from a third party data breach, your security strategy needs to ensure you have three things in place:

  1. You and your team should understand your security risks and how your behaviors can help or prevent an attack.
  2. Have procedures and technologies in place to protect you from successful attacks
  3. Have security services in place to prevent the disclosure or loss of data and/or system access.
  4. Capabilities and services in place to respond should an attack be successful, and to help your business recover.

We developed our Security CPR Model specifically to help small and midsize businesses create, deploy, and manage an appropriate security strategy. If you follow this model in addition to other cyber security best practices, you’ll be well positioned to prevent a third party data breach.

Communicate & Educate

    • Communicate with your team that Cyber Security is a priority and educate them on cyber security risks, the need for everybody to be vigilant, and the behaviors/actions they can use to help prevent successful attacks.
    • Develop policies and procedures to establish clear expectations for how your organization will maintain cyber security and how your team will use security technologies and services

Protect & Prevent

      • Select, deploy, and maintain security technologies and services that match and support your cyber protection needs and priorities.
      • You can simplify your security services by focusing on the most likely threats and those that would have the greatest impact if successful (see: How Can SMBs Streamline IT Security?)

Respond & Recover

    • Put systems in place to recover lost or damaged data and systems; consider business continuity solutions that enable you to continue operating your business while restoring your primary systems.
    • Pre-arrange resources to help you respond to the technical, regulatory, legal, reputation, and customer service impacts of a successful cyber attack

You can learn cyber security tips and key information about third party data breach prevention by viewing Security CPR, our 3T@3 Webcast from January 2023.

Call To Action

Complete our Rapid Security Assessment (free through June 2023) for a review of your basic security measures.

Or, contact us or schedule time with one of our Cloud Advisors to discuss your security needs, priorities, and solutions.

About the Author

Allen Falcon is the co-founder and CEO of Cumulus Global.  Allen co-founded Cumulus Global in 2006 to offer small businesses enterprise-grade email security and compliance using emerging cloud solutions. He has led the company’s growth into a managed cloud service provider with over 1,000 customers throughout North America. Starting his first business at age 12, Allen is a serial entrepreneur. He has launched strategic IT consulting, software, and service companies. An advocate for small and midsize businesses, Allen served on the board of the former Smaller Business Association of New England, local economic development committees, and industry advisory boards.

 

 

Lessons from the Rackspace Attack

ransomware

Cyber Security Ransomware Email Phishing Encrypted Technology, Digital Information Protected Secured

On December 2, 2022, a ransomware attack on Rackspace disrupted email services for thousands of businesses.  The attack encrypted files throughout Rackspace’s Hosted Exchange environment, one of the largest in the world.  The outage impacts mostly small and midsize businesses (SMBs).  While Hosted Exchange is only 1% of Rackspace revenue, the incident was large enough to warrant a filing with the Securities and Exchange Commission. We can all learn lessons from the Rackspace attack with respect to cybersecurity and response.

Lessons from the Rackspace Attack

1 Incident Response Must Be Quick

In their SEC filing, Rackspace noted that their “… information security team had strong incident response protocols in place that led to the quick containment of the ransomware attack.”  They were able to limit the damage to the Hosted Exchange service, protecting other aspects of the company’s operations and other services.

For SMBs like ours, speed is also necessary. Quickly identifying an attack and isolating effected devices is critical. An infected laptop can spread the infection to servers and through files sync’d into cloud storage (ie, OneDrive, Google Drive, Dropbox). From there, every connected device is vulnerable.

2 Recovery is Not a Sure Thing

Rackspace is NOT recovering customers’ Hosted Exchange service. The company is moving these customers to Microsoft 365.

Paying the ransom is not always possible. Paying a ransom does not guarantee that your get your data back.

3 Recovery is Difficult

As of December 12, 2022 — a full 10 days after the attack, Rackspace disclosed that about two thirds of its customers have been transitioned to Microsoft 365. Nearly one third of customers remain without email service. Rackspace is effectively abandoning its Hosted Exchange service.

The logistics of identifying recoverable data and understanding interdependencies is complex. Managing data restoration across multiple devices, systems, and data sets is challenging. Some data will be lost. Understanding which data, and how much data, has been lost is challenging.

4 Recovery is Big and Slow

Rackspace has hired staff and contracted with many Microsoft Fast Track service providers.  Even so, call wait times are still averaging about 30 minutes.  Rackspace is setting expectations, repeatedly telling customers that data recover will “necessarily take significant time”.

Starting with a clean system gets your systems up and running. How effectively can your run your business without your data?  Data recovery takes time, even from backups. While emails may be relatively easy to live without, what is the impact if your accounting system is unavailable for days or weeks?

5 Recovery needs Expertise

While Rackspace is a leading technology firm, they have hired outside firms to investigate the attack and remediate the incident.

Most IT firms servicing SMBs do not have the expertise or staff to respond to a cyber attack. Expertise and resources will be needed for investigations and forensics, data recovery, systems restoration, communications, regulatory reporting and compliance, and customer service.

6 Recovery is Expensive

Rackspace is actively promoting that it maintains sufficient cybersecurity insurance to cover the costs of the incident. Their SEC filing, however, does not indicate if or how they plan to compensate customer for their losses.

You will spend money … lots of money … beyond the cost of getting your data back, your systems restores, and your business back up and running. Regulatory filings, communication, legal services, and litigation can be a crushing burden that threatens. More than half of SMBs fail within six months of a significant cyber attack.

Steps You Can Take

Looking at the lessons from the Rackspace Attack informs how we should think about protecting our businesses and ensuring we can return to normal operations quickly and efficiently. Here are resources for you to learn more.

Earlier this year, we blogged about how Streamlining Security for SMBs can protect you from the most common and the most expensive types of cyber attacks without breaking your budget.  We held a webinar on the same subject.

Our Security CPR model outlines the three critical aspects of cyber security communication/education, protection/prevention, and recovery/response.  Our eBook, 15 Best Practices for Cyber Protection, dives into the model.

To discuss your security footprint, risks, and options, contact us by email, via our website, or by scheduling time directly with one of our Cloud Advisors.

Debunking 5 Cyber Security Myths for SMBs

Data Protection & SecurityAs owners and leaders of small and midsize businesses (SMBs), we have limited resources for IT and cybersecurity.  We should not be surprised, therefore, that SMBs face the biggest threat from ransomware and other cyber attacks.  Beyond the cost and risk of ransomware and encryption attacks, SMBs face business email compromise (BEC) attacks and threats to disclose regulated information.  Recovery costs, fines, and legal actions resulting from a successful attack can destroy your business. And yet, many SMBs remain unaware of the risk and/or lacking reasonable data protections and security.  This post intends to debunk five (5) cyber security myths for SMBs.

1My company is too
small to be a target

While note every attack is successful, one global report states that 86% of SMBs have been hit by ransomware attacks, with 20% attacked more than six times. With fewer resources and less focus on cyber security, SMBs represent an attractive target for attackers.  The increase in remote work and use of remote desktop protocols creates additional opportunities for attackers. Securing and managing these services requires time and attention.

The impact of a successful ransomware attack continues to increase.  According to Verizon’s 2020 Data Breach Investigations Report, the average cost of a successful ransomware attack grew from an average of $34,000 to just under $200,000.

2I cannot afford to protect
against cyber attacks

Cyber attacks are inevitable. Protecting your business does not require expensive solutions.  Your cost for endpoint protection for your devices, advanced threat protection for email, and security awareness training is pennies per day per person.  You can deploy multi-factor authentication (MFA), local disk encryption, and the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) protocols for free. You can deploy cloud-based business continuity and disaster recovery (BCDR) for less than traditional backup/recovery solutions.

3I have backups,
so I am safe

Not all backup solutions are equal.  Many backup/recovery solutions for SMBs run on the same servers and networks as your business systems. Ransomware and other cyber attacks will seek out and encrypt/damage backup servers to render your backups useless.  Your backup/recovery solutions should be segregated from your production network and systems to shield them from attack.  Business Continuity/DR solutions offer the additional ability to bring systems back on line in an alternate cloud data center while you recover your primary systems.

4Technology alone
will save me

As with most security protocols, people are your first line of defense.  As many as 93% of cyber attacks begin with a phishing attack. People click on links, unwittingly downloading malware or sharing usernames and passwords.

Security awareness training should be a standard practice within your business.  The training is a proven way to reduce risk, decrease infections and help desk requests, reduce the chances of a security breach and strengthen the overall security posture.

5Cyber resiliency is
too hard to achieve

Cyber Resilience is the ability to withstand security attacks and land on your feet, no matter what happens. Cyber resilience protects your business, customers, and employees from ransomware, business email compromise, and other potential issues and attacks.

While some gaps in security will always remain, you can affordably improve your cyber resiliency.

To overcome these 5 small business cyber security myths, review your security footprint, and improve your resilience, please contact us by email, via our website, or by scheduling time directly with one of our Cloud advisors, with any questions or concerns regarding this service update.

IT Security for Small Businesses

Security, Privacy, & ComplianceStreamlining IT Security for SMBs

Streamlining IT security is a more balanced message about why and how to protect your business. Over the past year, we have covered the on-going, and increasing, threats to small businesses.  We often highlight the scope and severity of the risk, including how security trends will affect small business.  Hopefully this information, along with cost-effective solutions, prompts you to act. At times, we may appear to be fear-mongering.

Sound business practices, not fear, should be your motivation to protect against cyber attacks.

The market is awash with cyber security solutions. These range from single-protection products to complex advanced security monitoring and response services.  The number of options, and competing claims, is overwhelming.

Our Recommendations on IT Security for Small Businesses

Focus protections on the most common, and most damaging, types of attacks.

1. Focus on Risks

We know that:

  • More than 80% of cyber attacks start with, or involve email via phishing and other social engineering tactics
  • Ransomware is the most common type of attack
  • Business email compromise (BEC) is the most costly type of attack
  • Attacks via DNS and web content are becoming more of a risk

As such, small and midsize businesses should focus on preventing these types of attacks. Plan to limit your security approach and spending to prevention and recovery from these risks.

2. Use our CPR model as a guide

Communication and Education

Make sure your team knows how to spot an attack and what to do if they suspect an attack.  They should know the risks and steps you are taking to protect your business.

Periodically sharing articles or updates may be sufficient to strengthen your business.  Subscribing to a security awareness training service is an affordable way to provide this education. Your cyber insurance policy may require this service.

Protect and Prevent

To protect your business from the greatest risks, put the following solutions in place:

  • Multi-Factor Authentication (MFA)
  • Encrypt data at rest, including on servers, desktops, and laptops
  • Use advanced threat protection (ATP) on all email accounts for inbound messages
  • Ensure your endpoint protection (local anti-virus) is a next-gen solution
  • Use DNS/Web protection to prevent harmful downloads

Specific to business email compromise attacks and ensuring your legitimate emails are not flagged as dangerous, ensure your domain configuration include the following protocols and services:

  • An accurate and complete Sender Policy Framework (SPF) record
  • DomainKey Identified Mail (DKIM) for all sources of email (including marketing tools)
  • Domain-based Message Authentication, Reporting, and Conformance (DMARC)

Respond and Recover

Even with protections in place, cyber attacks can be successful.  Ensure that you can return to operations quickly, even as a full recovery may take time. Your ability to recover and respond should include:

  • Backup/Recover data stored in the cloud (Microsoft 365, Google Workspace, etc.), as well as on local servers, desktops, and laptops
  • Continuity services so you can run images of key servers, desktops, and laptops if they are damaged by an attack

Note that continuity services also protects you from the impact of hardware issues, theft, and other losses.

Start with an Assessment to See Where Your Small Business Stands with IT Security

For a limited time, our Rapid Security Assessment is free of charge. Complete a 3 minute survey and receive a detailed report benchmarking your basic security services with respect to the most common cyber attacks against small and midsize enterprises.  

To learn more, please join us on May 17th at 3:00 PM ET for Streamlining Security, our May 3T@3 Webcast or schedule a no-obligation call with one of our cloud advisors.


Business Email Compromise – The Costliest Type of Cybercrime

Email, Communications, & MobilityBusiness Email Compromise

While the massive number and scale of ransomware attacks get the most media attention, Business Email Compromise (“BEC“) attacks are the costliest type of cybercrime.

What is a Business Email Compromise (BEC)?

In a BEC attack, the criminal impersonates you and convinces somebody who trusts you to send money. While successful attacks often begin with unauthorized access to your email account, savvy criminals use email and domain impersonation techniques. They trick others into thinking that you are asking for, or instructing them to complete, a money transfer.

As we noted in a recent post, real estate agents and brokers are prime targets of Business Email Compromise attacks because they regularly discuss transferring large amounts of money with their clients. As noted in this recent email scam article from the Associated Press, however, BEC attacks are hitting a wide range of small businesses, nonprofits, and schools.

Business Email Compromise attacks succeed when cyber criminals are able to collate enough information about you to gain access to your account or impersonate you.  Here is how they do it:

  • Given that you use your email address to log into many systems, a third party breach can provide attackers with your email address and enough information to calculate your password.
  • Third party breaches often provide hackers with enough personally identifiable information (PII) about you to launch a successful phishing attack that captures your username and password.
  • Scanning social media posts can also provide hackers with enough PII to successfully phish for your identity.
  • Malware, known as an Advanced Persistent Threat (APT), that makes it past your endpoint protections can gather usernames, passwords, and other information while running undetected on your computer.

How to Prevent Business Email Compromise

Protect Your Identity

To keep your email account secure, you need to protect your identity.

  • Understand the risks and follow practical advice for safe online hygiene. Use unique, complex passwords across systems; avoid oversharing personal information; and learn to recognize phishing and impersonation attacks.
  • Use “Next-Gen” endpoint protections to prevent zero-day attacks, APTs, and more traditional forms malware.  These solutions use heuristics, AI, and behavioral analysis of files to identify an attack. They can also “roll back” changes to stop an attack.

Secure Your Email Service, and All of Your Services

Even as you protect your identity, you still need to secure your email service through proper data protection and security services.

  • Advanced Threat Protection (ATP) protects your account from phishing attacks, bad links, infected attachments, and other risks. ATP verifies sender information and test links and attachments in a “sandbox”, allowing safe messages to arrive in your inbox.
  • Two-Factor Authentication (2FA), or Multi-Factor Authentication (MFA), can prevent access to your accounts if your username and password are compromised.
  • Ensure that all of your information is encrypted at-rest and in-motion. Your email service should use Transport Layer Security (TLS) to encrypt messages between sending and receiving services.  Encrypt files on your local disk, on any file servers, and in the cloud.

Prevent Email and Domain Impersonation

As noted in a recent blog post, you can use three (3) different levels of email security to prevent email and domain impersonation.

  • Sender Policy Framework (SPF): Authenticates addresses you use to send email.
  • DomainKeys Identified Email (DKIM): Digitally signs messages to ensure emails are not altered en-route.
  • Domain-based Message Authentication, Reporting, and Conformance (DMARC): Authenticates email origin and instructs recipients how to process bad messages. A DMARC service will track and report any potential issues.

These protocols and a DMARC monitoring service offer the best protection against BEC and impersonation attacks. They also help improve the deliverability of your email. Our ebook, Email Security: Good, Better, Best, dives deeper into this topic.

For a limited time, our Rapid Security Assessment is free of charge. Complete a 3 minute survey and receive a detailed report benchmarking your basic security services with respect to the most common cyber attacks against small and midsize enterprises.  

 

Real Estate Cyber Security

Cyber Attacks on Real Estate Agents and Brokers Victimize Clients

As cyber attacks on real estate agents and brokers increase, clients are paying the price.

Security, Privacy, & ComplianceMost of the country is facing high demand for housing with extraordinarily low supply.  This creates a highly competitive sellers’ market in which buyers compete to have offers accepted. The urgency and need to move fast makes real estate agents, and their clients, prime targets for cyber crime. As noted in a recent bulletin from CRES Insurance, brokers and agents need to protect themselves and their businesses from cyber attacks, which can include adding cyber insurance for real estate organizations.

The Scenario of Cyber Security for the Real Estate Industry

Imagine being a real estate agent and receiving a call from client excited that their offer was accepted and confirming that they have wired the deposit, only to realize that their offer was not accepted.  They share the email with you with the instructions.  The email looks like is from you, your assistant, or your firm.  The message uses words and phrasing that you and others at your firm regularly use.  Without close inspection, the message appears to be legitimate.

Your email domain and/or your identity has been successfully impersonated. Your client has lost thousands of dollars. Your reputation is damaged. You may be facing legal action. All reasons to pursue proper data protection and security services to prevent real estate cyber attacks.

Real Estate Cyber Attacks

This form of attack, a Business Email Compromise (BEC), is on the rise and real estate agents and brokers are the target.  Attackers compile information about you, and how you work, from public sources and social media.  In some cases, you may be an unknowing victim of an advanced persistent attack. In these attacks, hackers install software the sits quietly on your computer, tracking your activity, and sending information back to the attacker’s servers. The attackers then use this information to impersonate you and/or your business.

Once an attacker can impersonate you or your business, your clients become the financial victims. You face a loss of clients and reputation, and potential legal action.

Real Estate Cyber Security Solutions

Like any business, agents and brokers need to ensure their systems are safe and secure with proper real estate cyber security best practices.  They should also take steps, specifically, to prevent domain and email impersonation. Here are three cyber security steps you can take to protect your real estate business from attacks.

  • Ensure you and your team understand cyber risks and how to minimize your risk of attack.
  • Use protective technologies:
    • Next-gen endpoint protection to prevent malware and ransomware on your computers
    • Email advanced threat protection to prevent phishing and other email-based attacks
    • Multi-factor authentication to protect your identity.
  • Configure different email security solutions that prevent domain and email impersonation

Feel free to contact us to discuss your security profile or for a security assessment.