We live in the highest state of Cybersecurity alerts in history. Attacks were growing quickly before the COVID pandemic, but since then, they are growing exponentially. Due in a major part to the often-vulnerable remote network connections serving the new hybrid workforce – some in the office, some working remotely. The advice to institute regular Security Awareness Training, still falls primarily on deaf ears among the CEOs and administrators of Small and Mid-size Businesses (SMBs).
The government defines a ‘small business’ as an enterprise with 500 or less employees, but that number is somewhat out of touch with reality. Those in the trenches of IT services, especially in the Charlotte IT Support community, don’t generally consider a company with an employee base of over 100 to 150 to be a ‘small’ client, but then again, once a company has even 100 end-users, there is a good chance that they will institute ‘in-house’ IT. It’s all a matter of perspective.
Massive corporations take Security Awareness Training seriously, so why not the little guys? Huge business conglomerates can better withstand the losses involved in a successful cyber breach than SMBs can. Common sense tells us that huge corporations like Amazon, Walmart, and Berkshire Hathaway have deep pockets, but most SMBs need to be judicious about how and where to spend resources. CEOs need to understand that Security Awareness Training is not a luxury, but a necessity.
According to the IBM Cyber Security Intelligence Index Report, human error is responsible for 95% of network breaches – 91% as a result of an email phishing attack, the most common error causing breaches, This is where a malicious link or attachment is presented with an enticement to click on it. Far too many untrained users click on these. When they click, it’s akin to opening the door, and the best security measures in the world will not keep the malware out.
Good security of all types, from a stone fortress to a network, depends on NOT opening the door for the enemy.
What are cyber wargames?
While governments around the world play entirely different Cyber Wargames, the focus here is on business. These are not about teams trying to capture each other’s flags. These should be performed AFTER your staff has undergone security training. It’s a series of simulations that test both your IT support’s readiness and your employees’ awareness - and whether they have retained and implemented what they learned in security training.
Testing is crucial. Life is a continuing test of what we’ve learned. If you engage in Cyber Wargames without first undergoing Security Awareness Training, the most you could expect is to be horrified at how unknowledgeable about scams your employees are. In the military, no serviceperson engages in Wargames without at least having undergone basic training.
The games are comprised of simulated attacks which will determine awareness and readiness. They serve several different purposes: Education, and Research & Analysis. They expose vulnerabilities by subjecting the staff and the IT crew to the same conditions that exist in a real cyber-attack, but without the real-world consequences.
In the world of international diplomacy, the stakes are the highest, and the Wargames the most complex. For business enterprises, the stakes are high enough, but a more simplistic approach is the standard.
It is important to view these tests as informative rather than punitive. You do not want fearful employees to worry about every email they receive. The end result should be a staff that is mindful, but not worried. These games are here to help – to inform and educate. Ideally, there should be no reprimand (short of a ‘tsk tsk’) for falling for the scam.
Simulations/Tests:
End-user focused attacks
Phishing Test
Phony but legitimate looking emails are sent out with some type of ‘bait’ – a seemingly good reason to share sensitive information, open an attachment, or click on a link.
Password Quality Test
This test is not interactive – it just checks your Active Directory for weak and easy to break passwords like ‘Password’ or ‘123456’ (the most common password in the world in 2022 – breakable in less than a second).
Password Enumeration Test
Typically, this test is performed by a 3rd party skilled professional who plays the role of a hacker to see how easy it is to break employee passwords using a variety of methods from basic knowledge of the employee (using a birthday for a password, etc.) to computer programs.
There are also tests for password exposure – using the same password for everything – and Dark Web scans to see how many employee passwords are for sale (You WOULD be surprised).
Lost USB Flash Drive Test
Simply drop a flash drive in a common area and see who plugs it into their computer to see what’s on it. They should know to turn it over to the IT Department or to a manager to send to your outsourced Managed IT Services provider for examination. If this flash drive contained a virus, it could easily cripple your network.
IT support focused attacks
There are many types of simulated attacks that will test both your network defenses and your IT Services Team’s ability to respond. They can range from simple or Distributed Denial-of-Service (DOS and DDOS), where hackers flood a system with so much traffic that they cannot operate, to Man-in-the-Middle (MitM) attacks, wherein a hacker intercepts a two-party transaction and places themselves in between, responding to the parties as each other, gleaning confidential information.
Frequently Asked Questions
How regularly would you perform tests to ensure data privacy?
A: Security testing should be done every 6 to 12 months, while Security Awareness Training should be done every 4 to 6 months at a minimum.
What are the elements of security awareness?
A: There are 5 main categories:
1) Education: Identifying the various and most common types of cyber threats.
2) Threat recognition and response training: What to look for and what to do when a threat is spotted.
3) Institution of policies controlling privacy, internet, social media, and email.
4) Regular testing – Wargame simulations.
5) Multifactor authentication and strong password policies.
How can we maintain information security in testing?
A: 1) Prioritize information according to sensitivity.
2) Masking: Used only for sensitive information during testing. Using a standard set of rules, replace characters with other characters – much the same method used in creating strong passwords: A becomes @, S becomes $, 8 becomes & - and so forth. Automatically encrypt all data.
3) Use the appropriate test management tools: the testing software must integrate with the data and masking, provide accurate reporting and tracking, and maintain Cybersecurity protections.
How can you identify phishing?
A: 1) The main indication is that it ‘just doesn’t feel right’. Contacts or businesses doing unusual things.
2) Inconsistency: In the email address, domain names, links, greetings, and subject lines.
3) If an offer seems ‘too good to be true’ – it probably is.
4) Suspicious links or attachments.
5) The message asks to ‘confirm or verify’ information they should already have.
6) Digging for info of any kind.
7) Bad spelling and grammar. Most crooks just can’t spell (They are getting better about this).
How Secure is Your Network?
Also, as a longstanding, reputable member of the Charlotte IT Support community, ITFirm.com offers a FREE, no-risk network and Cybersecurity assessment. We perform a non-intrusive scan that allows us to deliver a comprehensive report of the state of your system and its vulnerabilities that is yours to keep. There are no strings attached, and you are under no obligation to ever use our Managed IT Services.
The two best defenses are next-generation Cybersecurity to protect your data from theft, and a top-notch Managed Services Provider to ensure continued reliability and defenses against newly emerging threats.
We put our 100% Money Back Guarantee in writing, so there is no risk in trying us out. Because we do not require a ‘hard’ contract, our clients can fire us at any time with 30 days’ notice. We have to be good.
Among the Managed IT services we provide:
IT HelpDesk Service
Onsite IT Support
Cybersecurity
Cloud migration and management
Email migration services
Backup and disaster recovery
VoIP phone systems
IT disposition and recycling
Office moves
White label services (IT to IT)
Planning an Office Move?
Contact us today! We have the experience to ensure a seamless transition. After the move, your employees will arrive at the new location to find their IT infrastructure ready and open for business!
For more information on office moves, or to receive your FREE no-risk network and Cybersecurity assessment, just fill out the form on this page or call us at:
704-565-9705
