
Table of Contents

3 Overlooked Attack Vectors in Business

Preventable Human Errors That Compromise Your Business

How to do a Cybersecurity Risk Assessment


3 Overlooked Attack Vectors in Business

Image credit: Rawpixel.com/Shutterstock

The next big data breach is always lurking around the corner, but businesses
don’t have to live in fear of losing critical data. Protect these three vectors to stay
on top of ever-evolving security threats.

If you’re a business leader, you’ve heard, read or thought about it more than you
probably want to: the ceaseless war to protect your company’s network and data
from a hacker underworld that’s increasingly sophisticated and ambitious.

Major breaches are a PR nightmare that no company wants to experience. Recall
when ride-sharing giant Uber belatedly announced it had suffered a breach that
exposed the personal information of 57 million people. Of those affected, 25
million lived in the United States, and more than 4 million were Uber drivers. In
this case, the hacker agreed to destroy the data in exchange for a “bug bounty”
payment from Uber, which was far less than the cost of the damage to the brand
when details surrounding its mishandling of the breach were revealed.

If the hacker had more malicious intentions than monetary gain, there’s no telling
how bad it might have been for Uber. Most companies that suffer such breaches
aren’t as lucky.

When hackers hold data for ransom, their threats are usually for real. Just ask
victims of the WannaCry virus or Sony hacks, which forced several major
companies to lose time, money, credibility and irreplaceable data when they
refused to give in to the hackers.

Businesses today must understand how hackers operate and stay on top of the
ever-evolving threats in our digital world.

3 security vectors you may not have considered

Security breaches often occur where we least expect them, and many areas still
fly under the radar. Here are three lesser-known attack vectors and ways to
mitigate the risk they pose to your company.

1. Lock down your office printers and secure your documents.

You might not consider your office printers a serious security threat, but several
recent incidents have called attention to the fact that modern printers are more
than just paper pushers. They’re sophisticated network computers, which means
they deserve the same levels of security attention and protection as servers and
employee workstations.

To lock down your office printers, start by implementing firewalls and using
strong passwords. When manufacturers push updates to cover new security risks,
download them quickly. Stay current with industry best practices, and make sure
your printers are included in your organization’s security policy and procedures.

It’s also critical that you deploy secure pull-printing technology: This allows
employees to submit their print jobs to a single secure queue and use their access
cards or login credentials to release (pull) their documents from any printer on
the network. This simple workflow prevents unauthorized access to sensitive
documents and provides the added benefit of reducing waste and resource costs.

2. Protect employee devices.

The BYOD (bring your own device) trend is still going strong, as companies small
and large let employees use their personal smartphones for work. And according
to Gallup, the number of remote workers has grown from 39 percent to 43
percent in just four years. While many of these people claim using their own
devices makes them more efficient, the added security risks should not be
overlooked.

When everyone is operating a unique device connected to the company network,
the opportunities for hackers multiply. One hacked personal account can lead
attackers into other accounts, which might store sensitive company information.
Then there’s the added risk of offsite theft: If a smartphone is stolen, the thief
could obtain your intellectual property or financial information and publish or try
to sell it.

To help stop thieves and hackers from turning personal invasions into company
crises, you can use one of many firewall-as-a-service offerings. These cloud
services work from anywhere, freeing employees to use their smartphones while
reducing risk and giving employers peace of mind. The technology prevents
thieves from accessing protected data and gives companies greater control of
their networks.

3. Beware of social engineering.

Hackers don’t always have to be elite programmers – not when employees
inadvertently tell them what they need to know.

Social hackers, for example, use social media profiles to gather information on
their targets, then pretend to be their victims so employees reveal sensitive
information. WHMCS, an online company that stores credit card data, fell victim
to this scheme when members of a hacker group stalked a database administrator
online and later called in for a password reset. Because the administrator’s social
media profile had revealed answers to his security questions – hometown,
important dates, family names – the group was able to impersonate him, gain
access to the network, download over a gigabyte of credit card numbers, and
wipe the company’s databases clean.

Encourage employees to always use strong passwords, and educate them about
the increasing use of fake social media accounts among identity thieves. Regular
employee training will create a culture of informed vigilance and help protect
your company from social engineering threats.

Two-factor authentication is another best practice to follow. Secure passwords
aren’t enough these days; adding a second factor – such as biometrics
(thumbprint or facial recognition) or code verification via text message – provides
an important extra layer of security. Many people consider additional
authentication methods a nuisance (only 10 percent of Gmail accounts use it, for
example), which again points to the critical role of employee education. A vigilant
workforce might be the single best defense against hackers.

The next big data breach is always lurking around the corner, but businesses
don’t have to live in fear of losing critical data. By including these and other
threats in a comprehensive security program, you’ll have done more than many
companies do to secure your network and data.

Preventable Human Errors That
Compromise Your Business

Image credit: Mikhail Grachikov/Shutterstock

Human errors take many forms and shapes and are often, at least partially, the
source of accidental data breaches and successful cyberattacks. Here are five of
the most common types of errors employees make and how companies can
protect their users and IT systems.

Small business owners have a lot on their plate, including finding ways to protect
their data and IT systems from hackers and scammers. Surprisingly, the most
effective way to deal with malicious outsiders might well be to pay closer
attention to what’s happening on the inside of your business.

A recent ComputerWeekly survey that polled security experts reported that 55
percent said their organization had suffered a cyberattack. Of those who said
their company was victim to a cyberattack, 84 percent could trace back the
attack, at least in part, to internal human errors.

Cybercriminals rarely succeed in executing fraud on their own; they rely on
deceitful tactics to dupe targets and push them to act irrationally. In other cases,
the responsibility falls entirely on the shoulders of insiders who inadvertently
disclose confidential details in emails and other communications.

In both cases, human errors may go unnoticed for weeks or months while the
probability that disastrous consequences will occur – e.g., broken consumer trust,
expensive lawsuits, and bankruptcy – is slowly and silently increasing.

So what are the most common types of human errors taking place in small
companies and how can business owners prevent them? Let’s take a closer look.

1. Sending wrong attachments

What are the odds that sensitive attachments could fall into the wrong hands?
Think about how many documents are repetitively sent, received, forwarded and
stored by each department. Multiply this number by the average number of
recipients in your contact list and annual work days.

Over, let’s say, a week or a month, imagine that the file has been confusingly
renamed, edited, duplicated or replaced by something else and transmitted
mistakenly. If you’re lucky, an incorrectly attached document doesn’t contain
anything to worry about; if you’re not fortunate, it could be the beginning of a
very bad data breach.

2. Adding the wrong recipients to an email

Autocomplete is a double-edged sword. The ability to select recipients after typing
one or two characters saves time, but that functionality can also cause a user to
include someone with a similar name and email address (e.g.,
jane.smith@abccompany.com, jim.smith@abccompany.com, and
jane.smith@abdcompany.com) in an email with information they should not be
privy to.

What happens next is hard to predict. Unintended recipients may let you know
that they should not be included and ask to be removed from the email thread. Or
they could decide to say nothing and gather information for their own profit.

3. Creating weak passwords

Have you ever felt like it would be easier to use the same password everywhere?
Likewise, your employees might do this for convenience.

It represents a golden opportunity for cybercriminals who can take advantage of
poor password-setting and resetting practices to break into IT systems, steal data
and conduct fraud. And it works: 81 percent of hacking attacks performed are due
to stolen and/or weak passwords according to Verizon’s 2017 Data Breach
Investigations Report.

4. Lost or stolen devices

Laptops, smartphones, and BYOD initiatives have empowered today’s workforce
to be increasingly mobile. That’s great for small business owners who can then
reduce office and administrative costs while providing employees with the
flexibility to work offsite.

However, this creates potential risks for both data and hardware from a
cybersecurity standpoint. A member of your staff may, for example, leave his or
her devices unattended while quickly getting lunch or a coffee, offering a window
of opportunity for cybercriminals to strike.

5. Falling into a phishing trap

Is it still even possible to spot fraudulent emails nowadays? Forty-eight percent of
small businesses report being the victim of phishing or social engineering scams
in 2017, and hackers always seem to be one step ahead. As a result, employees
are prone to make a cybersecurity faux pas – downloading and opening a
malicious attachment, clicking on a suspicious URL or not checking for spoofed
email addresses and inadvertently revealing data.

How can small businesses prevent human errors?

Before addressing solutions, let’s examine the circumstances in which human
errors are most likely to happen. These include:

Stressful situations, e.g., when a deadline is approaching or after prolonged
periods of mental strain
Multitasking; employees with multiple job responsibilities may get
overwhelmed faster
Lack of awareness about the dangers of cyberthreats and how to identify and
stop them
A poor security tech stack, with IT security systems failing to detect
abnormal activity

Build a cybersecurity culture

All employees play a role in keeping small businesses safe, and they should be
aware of it. Drafting security guidelines on acceptable and dangerous behaviors
regarding, among other things, the use of passwords and what data can be stored
on private devices is a good start.

You may also find it useful to create an informal newsletter that contains some
high-profile cases of human errors so your staff learns more about common
mistakes.

Manage devices proactively

It has become much easier and cheaper to keep track of how devices are used
outside the office and enforce best practices in security. For instance, you can
require employees to go through an additional authentication step if they want to
access emails on their phone. Additionally, you may install a mobile device
management software application that allows you to wipe hardware that was lost
or stolen.

Install error-prevention applications

Everyone in your business might be fully aware of the dangers of human error,
but staff members may still let their guard down when the pressure is high.

You can use technology to flag situations where potential errors are likely to
occur, e.g., large recipient lists, attachments containing credit card or Social
Security numbers, senders using spoofed email addresses and weak or nonexistent
passwords.
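As an added illustration (not code from the article or from any product it names), the following Python pre-send check flags three of the conditions listed above: an oversized recipient list, a look-alike recipient domain such as the jane.smith@abdcompany.com example from the autocomplete section, and attachments that contain card numbers or Social Security numbers. The recipient threshold, the trusted-domain list and the sample message are assumptions constructed for the example.

```python
import re
from difflib import SequenceMatcher

# Policy values are assumptions for this example, not from the article.
MAX_RECIPIENTS = 20
TRUSTED_DOMAINS = {"abccompany.com"}
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")   # 13-19 digits, spaces/dashes allowed
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")      # US SSN in 3-2-4 layout


def luhn_ok(digits):
    """Luhn checksum keeps phone numbers and order IDs out of the card findings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return Luhn-valid card-like digit runs found in text (separators removed)."""
    found = []
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def lookalike_domains(recipients, trusted):
    """Flag addresses whose domain nearly, but not exactly, matches a trusted one."""
    flagged = []
    for addr in recipients:
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain not in trusted and any(
            SequenceMatcher(None, domain, t).ratio() >= 0.85 for t in trusted
        ):
            flagged.append(addr)
    return flagged


def check_outgoing(recipients, attachments):
    """Return (rule, detail) findings for one outbound message before it is sent."""
    findings = []
    if len(recipients) > MAX_RECIPIENTS:
        findings.append(("large_recipient_list", str(len(recipients))))
    for addr in lookalike_domains(recipients, TRUSTED_DOMAINS):
        findings.append(("lookalike_domain", addr))
    for name, content in attachments.items():
        for card in find_card_numbers(content):
            findings.append(("card_number", f"{name}: ends in {card[-4:]}"))
        if SSN_RE.search(content):
            findings.append(("ssn", name))
    return findings


# Constructed sample: the article's look-alike address plus an export holding
# a well-known test card number and a made-up SSN.
SAMPLE_RECIPIENTS = ["jane.smith@abccompany.com", "jane.smith@abdcompany.com"]
SAMPLE_ATTACHMENTS = {
    "customers.csv": "name,ssn,card\nA. Customer,123-45-6789,4111 1111 1111 1111\n"
}
```

Calling `check_outgoing(SAMPLE_RECIPIENTS, SAMPLE_ATTACHMENTS)` returns one finding per rule that fired, which a mail client plug-in or gateway could surface as a warning before the message leaves.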

Bottom line

While many cyberattacks originate from the outside, there are often one or more
human errors at play that result in a data breach or financial loss. Business
owners can combine awareness, device management, and technology to
safeguard customers, employees, and other stakeholders.

How to Do a Cybersecurity Risk
Assessment

Image credit: LeoWolfert/Shutterstock

Risk assessment should be a routine process, regardless of your business’s size
or industry.

Running a risk assessment on your business’s cybersecurity should be a routine
process, no matter how big you are or what industry you’re in. Security incidents
can happen to any business, especially small businesses, either because hackers
believe they’re an easy target or they’re trying to breach a larger company by
going through their small partners. While self-assessment and monitoring should
be a continuous process, a comprehensive security risk assessment should be
conducted at least once every two years, according to the Information Systems
Audit and Control Association.

There are different levels of risk assessment, and, fortunately, it’s possible to
perform a comprehensive analysis of your security on your own. There’s no short
supply of cybersecurity companies that specialize in vulnerability and risk
assessment testing for clients. These services can be pricey, and may not be
cost-effective if you’re a small business working with a small network.

Running your own risk assessment is much more affordable. The only trade-off is
that you’ll need to use your own time and resources to perform it.

Doing your own risk assessment is for your own self-awareness and benefit to
improve security, but if you’re in an industry that requires professional
assessments and audits from a certified entity, you’ll have no choice but to use a
third-party provider to earn an official certification. Those groups seldom accept
self-assessments.

It’s important that you know what you’re doing and what you’re looking for when
performing a risk assessment. A passing knowledge of cybersecurity won’t be
enough when trying to find vulnerabilities that attackers can exploit. If you have
an IT staff, it’s best to work with them when coming up with a plan to perform a
risk assessment. In some cases, doing your own risk assessment offers an
advantage because you know how your network operates, and because you may
have built it.

“If businesses don’t have the experience, the tools, or the team to conduct a
thorough and accurate risk assessment, and are just trying to save costs by doing
it themselves, they can experience increased costs in the future when a hack or
data breach that could have otherwise been prevented occurs,” said Keri
Lindenmuth, marketing manager for Kyle David Group. “Many small businesses
don’t recover from a data breach because of the financial implications and end up
closing their doors forever.”

If you’re confident that you and your staff have the collective expertise to conduct
a risk assessment, the next thing you need to keep in mind is that you must be
objective when looking at your system. Often, companies overlook certain aspects
of security, because changing those things would cause too much of a disruption
or it would cost too much to fix. You need to be willing to make big changes if
your results point to major holes in your network.

How to run your risk assessment

When performing a risk assessment, your goals are to identify risks and
vulnerabilities in your network, rate how severe they are, determine the
effectiveness of your current security resources and combine these factors into
an overall risk rating.

There are several automated tools, such as the paid application Nessus
Professional and the free tool OpenVAS, that run vulnerability scans on several
aspects of your network to detect risks.

According to Ryan Zlockie, global vice president of authentication at Entrust
Datacard, the three main areas small businesses should focus on when doing a
risk assessment are their employees, web pages and physical devices that connect
to the internet.

One of the biggest causes of data breaches is employees who unintentionally
click on suspicious links or download attachments from phishing emails.
Vulnerability testing on employees’ responses and online practices can be useful
before initiating specialized cybersecurity training.

Online phishing simulators allow you to set up emails disguised as colleagues with
the goal of convincing employees to download an attachment or submit
credentials. Negative results shouldn’t result in any punitive action but, instead,
should allow you to determine how much additional training your staff needs in
cybersecurity practices. This can also help you determine if you should implement
two-factor authentication on network access.

Securing your network from web attacks is an important front for protecting your
business. If you have a web page where you sell merchandise and accept
payments from customers, determining if it’s secure is paramount to not only
protecting yourself but also your customers. Lots of tools exist online to help you
determine if attackers can easily strongarm their way into your network through
your website. For instance, Pentest Tools is a paid service that scans your
websites, web applications and network to determine if vulnerabilities exist.
Common problems with websites are a lack of SSL/TLS certificates and HTTPS,
which are factors in securing a domain.

In the office, it’s important to make sure your physical devices are secured as
well. Attackers often gain access through internet-enabled devices and access
your network through unpatched exploits. Devices such as wireless printers,
Wi-Fi routers and mobile devices can be exploited to give hackers access to the
rest of your network.

An easy way to avoid problems is to make sure your devices’ firmware is all
up to date. Microsoft has a free tool to help you detect if the Microsoft products
on your network are all up to date.

Having a professional cybersecurity consultant perform a risk assessment for you
is an extra expense, but they will likely find several weaknesses and risks that you
may have overlooked. A comprehensive risk assessment done by a service
occasionally can help you avoid massive data breaches caused by some of the
newest and most subtle exploits, but doing your cybersecurity assessment can at
least help you discover some of the most glaring and immediate risks to your
network. Another advantage is that doing your own risk assessment can help you
become more acquainted with your network and how it works.

We Are Purch

Purch is a rapidly growing, constantly evolving digital content and services company
that helps millions of people make smarter purchases. We bring together 350
employees from around the globe who share a commitment to serve our customers
with integrity, collaborate to deliver better results, and shape the future of digital
publishing.

To view more content like this, visit www.business.com

To learn more about Purch, visit www.purch.com/about
