One Bad Click Away from Disaster

You are closer than you think.

Someone in your office is a ticking time bomb, and it’s impossible to predict when it will go off. It is not a matter of IF – it’s a matter of WHEN.

This is not about an actual explosive device, but about the weakest link in the chain that holds your business together: your employees.

Let’s take a hypothetical employee who we’ll call Debbie:
Everybody loves Debbie. She does an excellent job – always on time, well-dressed and her work is perfect. She’s outgoing and encouraging to her coworkers. When you see her husband and kids at company outings, you’re impressed with how lovely and polite they are. She’s the first to bring in cookies for an office treat. She’s a model employee in a small, close-knit business.

One day, Debbie doomed the company to bankruptcy.

She didn’t mean to do it, and she certainly didn’t plan to do it. She didn’t even know what she did until the entire network locked up and a screen appeared that looked something like this:

Just what did Debbie do? She clicked on a link or attachment in an email that she should have been trained to view with suspicion. Perhaps she had a slight inkling that something was odd about the email, but it didn’t trigger a reasonable amount of concern. Unfortunately, her management had no Security Awareness Training regimen in place. She didn’t know that she should have been suspicious.

The Phishing email she fell for looked innocent enough – at first glance, they usually do. These malware-bearing messages range from a spoofed (copied) logo and message from a trusted source like FedEx, with a link to track a package supposedly on its way to her, to a message from her husband’s hacked email address purporting to contain a new photo of one of their kids at daycare (“Hey, check this out - Suzie is so cute in her Halloween outfit!”).

Regardless of what the Phishing email looked like, the damage had been done. As a small business, the owners chose to pay as little as possible for IT Support. Maybe they were relying on an employee’s kid when they needed help, or maybe they were using the obsolete ‘Break/Fix’ model: wait until something breaks, then hire an ‘IT guy’ by the hour to fix it. The company had no data backups and was forced to pay the ransom for a decryption key.

That’s when the company began to unravel. They became one of the 24% of companies that paid the ransom but did NOT get a decryption key to recover their data. All customer info, such as projects and invoices, was gone forever. Later, they joined the 60% of small companies that go out of business within six months of a successful cyber-attack.

Fear Mongering?

No. Unfortunately, this is a reality that is all too common.

Can you protect yourself from a cyber attack?

To an extent, data breaches and malicious intrusions can be thwarted, slowed, and quickly resolved, but no IT Support expert worth your consideration should ever claim that they can be completely stopped.

These are the two most fundamental steps in providing your network with the best protection:

1) Competent IT – A Managed IT Services Provider is best.

This is all-encompassing: A Managed Services Provider (MSP) will set up a wide range of protections. Hourly rate ‘Break/Fix’ IT people rarely do this – or do it well. Some protections, like Next-Generation Firewalls and Anti-Virus (AV), will stop or stem many intrusions, but for those new malware strains designed to get around those protections, the ultimate solution is a tiered backup solution – from local to offsite.

When malware like Ransomware gets through, IT simply shuts down the infected devices, wipes them clean and reinstalls the data from secure backups – usually within a couple of hours. Your backup system should include these three types:

Local Backup
Cloud Backup
Cloud to Cloud Backup

2) Employee Security Awareness Training.

This is the best prevention: Recurring security training raises your employees’ ‘situational awareness.’ It reminds them to ask “Why did I get this email from FedEx? I’m not expecting a delivery and I don’t deal with shipping and receiving matters.” Or: “Why is he/she suddenly sending me attached photos – they don’t usually do that.” Training teaches employees to look twice at anything unusual and ask questions. IT doesn’t need to fix what never gets in.

In Conclusion

Spend the money on both of the above. Your sister’s ‘IT savvy’ kid dropping by now and then is not going to cut it – an MSP will.

Make sure your employees know how to spot a threat and have an Incident Response Plan (IRP) in place so your IT team can act immediately.

These are two simple but huge steps in protecting your business. Do them both.

Now.

Frequently Asked Questions

Why do we need security awareness?

A: You hired your employees because you felt they were smart, but there is a difference between intelligence and knowledge. If your employees do not possess the knowledge that enables them to spot red flags that may indicate a malicious email, they can easily fall into a Phishing trap.

This goes for all areas of Cybersecurity. Do your smart employees know how to create strong passwords? Are they aware of the simplest ‘security hygiene’ steps that need to become second nature as they work with emails and websites?

If you answered either of those questions with “No” or “I don’t know” – your employees need security awareness training. This is not just an issue for your IT Support – it’s a team effort.

What should be included in a security awareness training?

A: Security awareness needs to cover more than what happens on a computer, with email, or websites. Sensitive information like passwords left on sticky notes in an easily accessible office is an issue, as are patient charts left unattended at the reception desk in a medical office, and devices such as laptops or cell phones left at an unattended reception desk in any type of office. These topics must be covered:

Local Physical Security
Email scams
Malware
Password security
Removable media
Safe internet habits
Social networking dangers
Physical security and environmental controls
Clean desk policy
Data management and privacy
BYOD (Bring Your Own Device) policies

How often should you conduct security awareness programs?

A: Unfortunately, for businesses that even do it, the norm is once a year. It is recommended to provide ongoing training every three months. Users need regular reinforcement and updates on the latest scam trends. ‘One and Done’ doesn’t work. Think of that old joke:
A man in New York City asks somebody “How do you get to Carnegie Hall?” The person replies, “Practice, practice, practice!”

Your IT service should be involved in these training sessions. In between trainings, the company you contract with for training, or your IT vendor, should run the Cyber War Games.

How do you test employees’ security awareness?

A: The standard ways to measure the effectiveness of a security awareness training range from actual testing to playing safe ‘Cyber War Games’ on your staff. There are professional companies that do nothing but security training, typically for a nominal fee per employee. Some of the testing methods:

Quizzes – people hate pop-quizzes, so keep them short
Workplace Security Review - Ongoing
Dumpster Diving – Is important information showing up in the trash?
Pretext Phone Calls – Can a slick phone caller get info from your employees?
Physical Impersonation – Send in an imposter.
Flash Drive Drop Attack Test – Drop a flash drive on the floor and see who plugs it in to see what it is (guess what? It’s a simulated virus).
Phishing Attack Simulation – See who clicks or opens a suspicious link or attachment in an email.

How secure is your network?

As a longstanding, reputable member of the Charlotte IT Support community, ITFirm.com offers a FREE, no-risk network and Cybersecurity assessment. We perform a non-intrusive scan that allows us to deliver a comprehensive report of the state of your system and its vulnerabilities that is yours to keep. There are no strings attached, and you are under no obligation ever to use our IT services.

The two best defenses are next-generation Cybersecurity to protect your data from theft, and a top-notch Managed Services Provider to ensure continued reliability and defenses against newly emerging threats.

We put our 100% Money Back Guarantee in writing, so there is no risk in trying us out. Because we do not require a ‘hard’ contract, our clients can fire us at any time with 30 days’ notice. We have to be good.

Among the Managed IT services we provide:

IT HelpDesk Service
Onsite IT Support
Cybersecurity
Cloud migration and management
Email migration services
Backup and disaster recovery
VoIP phone systems
IT disposition and recycling
Office moves
White label services (IT to IT)

Planning an Office Move?

We have the experience to ensure a seamless transition. Your employees will arrive at the new location to find their IT infrastructure ready and open for business! For more information, or to receive your FREE no-risk network and Cybersecurity assessment, just fill out the form on this page or call us at:
704-565-9705