Cyber security myths you should stop telling yourself

Cyber secuirty

Cyber security myths you should stop telling yourself

While many cyber security myths persist, some are more damaging than others, here are four common cyber security myths and their impact on risk.

Cyber security preparedness is one of the major obstacles facing businesses today, and due to its importance, it can be a magnet for myths. Attacks emerge and cripple systems availability or swipe data quickly and unexpectedly. It happens so fast that the myths so many businesses hold onto as facts are only apparent in the aftermath of an attack.

Myth 1: Small organisations are low-value targets for hackers.

Thinking you’re not a target is one of the biggest mistakes a company can make. According to data collected from more than 2,200 confirmed data breaches, 58 per cent of security event victims were small businesses. But why would malicious actors target small companies?

Compute resources are valuable – malicious actors seek out available computing resources as network nodes to expand their bot networks, which they use to initiate DDoS attacks, for crypto-jacking, to propagate ransomware and spam or for numerous other crimes. Malicious actors build their networks by leveraging free resources, and your systems might be among them.

No matter the size of an organisation, data is valuable and power. Every organisation stores some data that’s critical to its business but holds little value to others. Malicious actors exploit this by unleashing ransomware that cuts off data access, availability, or both, crippling the organisation. Malicious actors then generate revenue through ransom payments.

Small businesses can be an indirect victim and used as a stepping stone into other targets. Malicious actors might target seemingly innocent, low-risk third-party vendors to get to those vendors’ customers. This has been evidenced by the cyber-espionage group known as Dragonfly, which successfully “trojanised” legitimate industrial control system (ICS) software. To do so, the group first compromised the websites of the ICS software suppliers and replaced legitimate files in their repositories with their own malware infected versions. Subsequently, when the ICS software was downloaded from the suppliers’ websites it would install malware alongside legitimate ICS software.

Myth 2: There’s no reason to invest in security when organisations with tight security controls still experience security breaches.

Some organisations rationalise a small cyber security budget by arguing that investing in security is a losing game. They hear about security breaches at large organisations, with presumably large cyber security budgets, and assume if these organisations can fall victim, then what chance does their organisation have?

Tools are just one pillar of a solid security strategy, people and process are equally important. An organisation allocating budget toward security might not be focussing it to the most effective areas. An organisation can have a big budget for tools but if it lacks the right cyber security talent or its processes are faulty, it can still get hit.

Research has illustrated how long it can take before an intrusion is detected. The time taken by firms to detect breaches increased by 40 per cent from 2016 to 175 days on average in 2017, according to the latest M-Trends report by security firm FireEye. Organisations that invest in reactive security controls, in combination with proactive security controls such as Intrusion Prevention Systems (IPS), may identify suspicious behaviours earlier and limit the damage.

Organisations that shrug off tight security controls are focusing solely on the immediate effects of infiltration, not on the total cost of the security incident. Granted, security controls are not 100 per cent effective at detection and prevention, but they can save significant time and money during each of the subsequent incident response stages: analysis, containment, eradication, recovery and post-incident activities.

Myth 3: Our organisation has not been breached before, so we’re still safe.

Often, organisations incorrectly assume their security risks remain relatively static, when they don’t have a way to effectively evaluate those risks. Projecting future risks based on historical events can be dangerous.

Defining the scope of what to secure requires identifying exactly how many applications, servers, network devices, storage devices and more are within an organisation. When faced with either insufficient or overwhelming amounts of data, the scope may be simplified, and assumptions drawn that can lead to vulnerabilities.

Organisations might assume a particular server doesn’t contain sensitive data and is less likely to be the target of an attack. But it might not be data that malicious actors are after, as mentioned; servers might be valuable as a foothold into another environment. Lastly, people often underestimate risk due to future aversion – the problem of assuming that because the future is unknown it cannot be tested.

Myth 4: Security is an expense, not a revenue generator.

Organisations prioritise investment in services that generate revenue, especially when budgets are tight. This can leave cyber security, viewed as an expense, on the back burner, when it should be considered a revenue generator.

Data breaches continue to rise globally, and cyber security will influence buying decisions. Organisations that store personal, financial and other sensitive data need to ensure that it is secure. So, businesses can influence customers’ perception of security by proactively marketing the high level of security they adhere to, differentiating their company from their competitors.

Data breaches are only one impact from an adverse security incident. Another is downtime. Consumers can’t purchase products or pay for services if a web site, or the infrastructure that supports web transactions, is unavailable. When the global ransomware WannaCry attack crippled the NHS, hit international shipper FedEx and infected computers in 150 countries in 2016, NHS staff in the UK were forced to revert to pen and paper and use their own mobiles after the attack affected key systems, including telephones.

During the same attack, operations of FedEx’s TNT Express unit in Europe were disrupted by the attack and the company’s following published earnings revealed the cost of falling victim to the attack to be an estimated $300 million in lost earnings.

Whether it’s assuming that an organisation is not a target or that security spend is only ever an expense, buying into these common cyber security myths can set a business up for serious disruption, unhappy customers, a tarnished reputation, not to mention the cost of recovery.

Want some help? Download our free tools and see how your company compares!

By  Security 


Cyber hygiene

Do you have good cyber hygiene?

 

It is cyber security month. Here are the habits that every computer user needs to maintain for good cyber hygiene.

We know it’s important to have good habits in many parts of our lives, from our work to our daily hygiene. However, quite a few of us forget that we need to have good computer habits, too. Developing wise practices in connection with our computers and smartphones can make our lives much easier and help us to stay much safer on the internet.

Back Up Your Files

One thing that many people fail to do is back up their files. All it takes is one catastrophic computer crash and days or even months of work can be lost. Priceless family photos, fun videos with friends, key work files, and important school assignments that were a work in progress can be lost. Backing up your files isn’t that hard nor is it expensive. And, to make things even better and easier, you have many different options from cloud-based backups (such as GoogleDrive, OneDrive, or DropBox), convenient USB thumb drives, portable hard drives, and even specialized backup drives. A good practice is to make sure your files are backed up daily, or at least weekly.

Keep Your Software Updated

Software updates can be a pain, but they are vital to ensuring that your computer and software runs smoothly. In fact, one of the major reasons that updates are released is to fix bugs and issues that could make your computer vulnerable to cyber threats. Hackers know about these bugs and vulnerabilities. If you don’t allow your system to install the patches and fixes, then you are making yourself a prime target for a cyber attack.

Keep in mind that you don’t have to perform updates in the middle of your work anymore. Most software (and smartphones) will give you options for when the update should take place, so you can choose times when you aren’t busy on your computer.

Be Smart When Using Public Wi-Fi

Public Wi-Fi in places like fast food restaurants and coffee shops can be tempting to use when you need an internet connection, but they can also be dangerous. These public Wi-Fi networks are a common target of hackers, and even hackers with minimal skill can quickly figure out things like your social media credentials and more.

If you do have to use public Wi-Fi, take safety precautions such as turning off network discovery, file sharing, and printer sharing and make sure your firewall is turned on. Don’t be an easy target for hackers.

Make Use of Antivirus Software and Passwords

Would you leave your front door unlocked if you lived in a high-crime neighborhood? Well, the internet is a high-crime neighborhood. Failure to use updated anti-virus software and good passwords is the same as leaving your door unlocked. You can’t afford to make it easy for the wrong people to access your personal and financial information.

Your first line of defense lies in the passwords you choose. Don’t use easy to guess passwords, and don’t use the same passwords for everything. Include letters and symbols with your passwords to make them harder to crack, and add some numbers for good measure.

Your second line of defense, much like a deadbolt for your front door, is anti-virus and firewall software. They don’t have to be expensive in order to do a good job of protecting your computer. It is also vital that you keep your anti-virus and firewall software updated and don’t ignore alerts they provide.

Be Careful with Email

Going back to our analogy of living in a high crime area: if your doorbell rang in the middle of the night, would you fling the door open and invite whoever it was inside? You would probably want to make sure who it was, and even check their ID if they claimed to be some kind of official demanding access to your home. Strangely enough, far too often we inadvertently provide access to individuals with malicious intentions when we click on links in emails without making sure where those emails are really from.

In short, don’t open an email unless you have a good idea of who it is from, and beware of clicking links in emails even if they seem to be from friends. Be cautious about opening attachments, too. In short, be as careful with your email as you are with your front door.

Conclusion

You work hard to keep yourself safe from physical dangers such as criminals and disease. It makes sense that you should work just as hard to keep your electronic devices safe, too. Backing up files (including documents, photos, and videos), keeping your software updated, and being smart when on public Wi-Fi is a good start. Add to that antivirus and firewall software, robust passwords, and the careful use of email and you are on the road to developing excellent computer habits that will keep your files, data, and personal information safe.


UCaaS in Chicago

3 Ways to Increase Laptop Security While On-The-Go

  1. Physical Security

There are ways to lock your laptop down from outside of the machine. First, be sure that your laptop bag is always on your person, or that you use a padlock to keep the zipper securely closed. Most work benches at the airport have legs that you can easily secure the carry strap to. Or you can utilize a cable lock to secure it to something like a chair fastened to the ground or a building pillar.

Second, always keep a Kensington lock in your bag, and break it out every single time that you use your laptop in a public area. These are inexpensive, and you can always ask your IT provider if they have any spares. Trust us, if you’re showing initiative to protect company assets, your company will listen.

If you are in a hotel, a good way to keep your belongings safe is to put the ‘Do Not Disturb’ sign on the door. If that is posted, then the only foot traffic that should be in your room is your own. If something turns up missing and you and the Hotel are the only people with keys to your room, then this helps narrow down the search for the thief.

  1. Software Security

We’re not talking about McAfee or Norton here, but something more along the lines of location software. Some examples of this may be Lojack for Laptops if you have a Windows machine, or Find My Mac if you are an Apple user. To help protect your information, these applications will setup passcodes that the thief will have to hack to bypass. Also, they can provide the location of your device if it’s missing or stolen.

  1. Backup Solution
    If, in fact, your device does go missing, you know as well as we do that your work can’t be put on hold. It will continue to pile up – causing a mess of inconveniences – but the world doesn’t stop, even if your laptop is stolen. You need to be able to back up your most valuable data and recover it at a moment’s notice with a legitimate backup solution. And we’re not just talking about a file backup like Dropbox or Google Drive. A truly reliable backup solution allows for virtualizations of your laptop, so you can login to this virtual copy of your machine and it’s just like you’re sitting in front of it again.

Airport computer use

Airport Travelers BEWARE of Data Security

This article appeared in Tech Republic. Since the summer is when a lot of people travel, a re-post and share is necessary.

Business travelers beware: Connecting your company device to airport Wi-Fi networks could open up a host of cybersecurity issues. While this is a risk on any insecure Wi-Fi network, some airports have more vulnerabilities than others, according to a Wednesday report from Coronet, and professionals should take extra caution when traveling through them.

It’s much easier for attackers to access and exploit data from devices connected to airport Wi-Fi than to do so within the confines of a well-protected office, the report noted. Hackers can use the poor cyber hygiene and insecure Wi-Fi at many airports to inject advanced network vulnerabilities like captive portals, Evil Twins, ARP poisoning, VPN gaps, honeypots, and compromised routers.

Any of these network vulnerabilities could allow an attacker to access credentials for Microsoft Office 365, G Suite, Dropbox, and other cloud apps, or to deliver malware to the device and the cloud, the report found. The attacks could also potentially give adversaries access to the entire organization, leading to damages like operational disruption and financial losses.

“Far too many U.S. airports have sacrificed the security of their Wi-Fi networks for consumer convenience,” Dror Liwer, Coronet’s founder and CISO, said in a press release. “As a result, business travelers in particular put not just their devices, but their company’s entire digital infrastructure at risk every time they connect to Wi-Fi that is unencrypted, unsecured or improperly configured. Until such time when airports take responsibility and improve their cybersecurity posture, the accountability is on each individual flyer to be aware of the risks and take the appropriate steps to minimize the danger.”

The report collected data from more than 250,000 consumer and corporate endpoints that traveled through the 45 busiest airports in the US over the course of five months, and analyzed the device vulnerabilities and Wi-Fi network risks to assign each airport a threat score. Coronet classified any score above 6.5 as unacceptable exposure.

Here are the least cybersecure airports in America, according to the report:

  1. San Diego International Airport, San Diego, CA (Score: 10)
  2. John Wayne Airport-Orange County Airport, Santa Ana, CA (Score: 8.7)
  3. William P Hobby Airport, Houston, TX (Score: 7.5)
  4. Southwest Florida International Airport, Fort Myers, FL (Score: 7.1)
  5. Newark Liberty International Airport, Newark, NJ (Score: 7.1)
  6. Dallas Love Field, Dallas, TX (Score: 6.8)
  7. Phoenix Sky Harbor International Airport, Phoenix, AZ (Score: 6.5)
  8. Charlotte Douglas International Airport, Charlotte, NC (Score: 6.4)
  9. Detroit Metropolitan Wayne County Airport, Detroit, MI (Score: 6.4)
  10. General Edward Lawrence Logan International Airport, Boston, MA (Score: 6.4)

In terms of the most secure airports, Chicago-Midway International Airport, Raleigh Durham International Airport, Nashville International Airport, and Washington Dulles International airport topped the list, the report found.

Do you want to see if your email credentials have been compromised? Get a free Dark Web scan from us!


This week in Breach

This week’s Breach Report

Highlights from The Week in Breach:

– You’d better reboot your router… NOW!

– Nation states injecting malicious apps into play stores to steal your stuff.

– Malware infects healthcare system impacting 500,000 Marylanders.

– Time from detection to acknowledgment and response getting slower and slower and slower. 

It’s back to business as usual in the world of breach, and we are seeing no signs of it slowing down this summer. This week’s headlines have been dominated by targeted attacks of SOHO Routers.  “SOHO” was coined to describe “small office – home office” routers used to set up local area networks by small businesses. According to DHS, “The size and scope of this infrastructure impacted by VPNFilter malware is significant. The persistent VPNFilte malware linked to this infrastructure targets a variety of SOHO routers and network-attached storage devices.” The initial exploit vector for this malware is currently unknown. Here is the link to US-CERT’s alert TA18-145A detailing the threat and what you should do the protect yourself from exploit!   


What we’re STILL listening to this week!

Security Now – Hosted by Steve Gibson, Leo Laporte

Defensive Security Podcast – Hosted by Jerry Bell (@maliciouslink) and Andrew Kalat (@lerg)

Small Business, Big Marketing – Australia’s #1 Marketing Show!


TeenSafe (Update)

Small Business Risk: High: App server hosted on AWS accessible by anyone without a password.
Exploit: AWS/Suspected Misconfiguration
Risk to Exploited Individuals: High: Even though less than 10,000 individuals were impacted, this is a highly vulnerable segment of the population. 

TeenSafe: The TeenSafe app allows parents access to their children’s web browser history, text messages (including deleted SMS and iMessages and messages on WhatsApp and Kik), call logs, and device location, plus lets them observe which third-party apps have been installed.

Date Occurred
Discovered
 Unknown, but accounts from past three months were compromised.
Date DisclosedMay 21, 2018
Data CompromisedHighly personal data including Apple IDs. The compromised data did not include photos, messages, or location data. The server stores parents’ email address used for their TeenSafe account and their child’s email address, the child’s device name, and the device’s identifier.
How it was CompromisedAt least one of the app’s servers, which are hosted by Amazon’s cloud service, was accessible by anyone without a password. The data, including passwords and user IDs, were reportedly stored in plaintext, even though TeenSafe claims on its website that it uses encryption to protect user data. TeenSafe requires two-factor authentication to be switched off for the app to work, so anyone with just a password can easily gain access to compromised accounts. The app is available for both iOS and Android and doesn’t require parents to seek their child’s consent for access to their phone.
Customers Impacted
Around 10,200 accounts from the past three months were compromised, though that number also includes duplicates.
Attribution/VulnerabilityUndisclosed at this time.

https://www.theverge.com/2018/5/21/17375428/teensafe-app-breach-security-data-apple-id

https://www.zdnet.com/article/teen-phone-monitoring-app-leaks-thousands-of-users-data/

Google Play

Small Business Risk: Low: Targeted nation state exploit.
Exploit: Mobile Device Malware Exploit
Risk to Exploited Individuals: High: Nation-state exploit targeting defectors.

North Korean Defectors / Google Play malware

Date Occurred
Discovered
The apps had been live in the Google Play store for three months — from January to March.
Date DisclosedMay 2018
Data Compromised
Google Play store has allegedly hosted at least three apps designed to collect data from specific individuals. Two of these apps were posing as security apps, while the third claimed to provide food ingredient information. But what they really did was steal information from devices and receive a certain code that allowed them to further access data like photos, contact lists, and even text messages.
How it was Compromised
A North Korean hacking team was recently able to upload three Android apps to the Google Play Store that targeted people who escaped from the authoritarian country, according to a report from McAfee. The malware campaign, nicknamed RedDawn, involved the hackers contacting the targets through Facebook to invite them to install seemingly innocent apps from the Google Play Store.
Customers Impacted
By the time McAfee privately notified Google as to the existence of these apps, 100 folks had already downloaded them.
Attribution/VulnerabilityBack in January, McAfee noted that it had found malicious apps intended to infect North Korean journalists and defectors’ devices. The group behind these apps was subsequently named Sun Team and is apparently the same group behind these latest apps. The apps were all linked to the same developer email address. McAfee found that the words used in the control servers were common in North Korea. There was also a North Korean IP address discovered in a test log file of some Android devices connected to account used to send out the malware.

https://www.digitaltrends.com/mobile/mcafee-malware-google-play/

http://www.techtimes.com/articles/228100/20180520/north-korea-hackers-use-android-apps-with-malware-to-harass-defectors.htm

LifeBridge Health
Small Business Risk: 
Extreme: Malware designed to inject healthcare systems and extract PHI/PII.
Exploit: Server/Security Exploit with Malware Injection
Risk to Exploited Individuals: Extreme: Although data has not been validated for sale on the Dark Web, the extracted data included “lifelong” PII & PHI that can be used to profile and/or exploit an individual for decades.

Lifebridge Health 

Date Occurred
Discovered
The breach occurred more than a year ago; discovered May 18.
Date DisclosedMay 2018
Data Compromised
The breach could have affected patients’ registration information, billing information, electronic medical records, social security numbers and other data.
How it was CompromisedAn unauthorized person accessed the server through LifeBridge Potomac Professionals on Sept. 27, 2016. Malware infected the servers that host LifeBridge Potomac Professionals’ electronic medical records, and LifeBridge Health’s patient registration and billing systems.
 

Attribution/Vulnerability

Outside actors
Customers ImpactedMore than 500,000 Maryland patients.

https://healthitsecurity.com/news/data-on-500k-patients-exposed-in-lifebridge-healthcare-data-breach

T-Mobile
Small Business Risk: High: Website configuration error revealing customer data for anyone to exploit.
Exploit: Website, Database & Security Misconfiguration
Risk to Exploited Individuals: Moderate: A threat actor would really have to develop a targeted threat plan to fully exploit the exposed population.

T-Mobile

Date Occurred
Discovered
Research done by ZDNet indicates that this T-Mobile.com web data breach was likely active as far back as October of last year.
Date DisclosedApril, 2018
Data Compromised
Allowed people to access the following info easily by attaching a cell phone number to the end of the web address:

  • Customers’ full names
  • Their mailing addresses
  • Account PINs used as a security question for customer service phone support
  • Billing account numbers
  • Past due bill notices
  • Service suspension notices
  • Tax identification numbers (in some instances)

 

How it was Compromised
A website bug on T-Mobile.com allowed anyone with access to a web browser to run a phone number and determine the home address and account PIN of the customer to whom it belonged.
Attribution/VulnerabilityOutside actors / undisclosed at this time.

https://www.statesman.com/business/personal-finance/mobile-website-data-breach-exposed-customer-addresses-pins/Ht3PZSdXMJkEKlDnggh3EL/


What is Spear Phishing?

Spear Phishing is an email targeted at a specific individual or department within an organization that appears to be from a trusted source. It’s actually cybercriminals attempting to steal confidential information.

A whopping 91% of cyberattacks and the resulting data breach begin with a “spear phishing” email, according to research from security software firm Trend Micro. This conclusively shows that end-users really are the weak link in IT security.

You may be wondering what it takes to send this type of attack. This is not trivial, and can only be done by someone trained in advanced hacking techniques. We will first take a look at the steps required to send an attack, and then we’ll look at steps to mitigate this threat. For the (simplified) attack steps I am freely borrowing from a great blog post by Brandon McCann, a well-known pentester.

I will try to keep this as non-technical as possible, but there will be a few terms you may have to look up. Here are the steps to begin with. We will go into all of these one by one and explain what they mean.

  • Identify Email Addresses
  • Antivirus Evasion
  • Egress Filtering
  • Spear Phishing Scenario
  • Sending The Emails
  • Harvesting Treasure

Identify Email Addresses

There are two ways you can send phishing campaigns: the first is ‘spray-and-pray’ which is a shotgun approach. Get as many email addresses from the organization you can, and send them all an email that they might click on. The second approach is decide what data you are after, then figure out who has access to that data, and specifically target those people. That is the spear phishing approach, and for instance LinkedIn is extremely useful during this targeting step.

There are several ways to get your hands on the email addresses from an organization. The one favored by the bad guys is using scripts to harvest email addresses from the large search engines. You’d be surprised how many emails you can get your hands on and how big your phishing attack surface is. KnowBe4 has a free service called the Email Exposure Check that provides your list of exposed email addresses as a one-time free service. Once you have the email addresses of the few people you are targeting you are ready for step two.

Egress Filtering

You need to make sure that you can get the information out of the organization you are attacking, so the payload you are sending with your attack needs to allow traffic to exit the organization. A popular payload is called ‘reverse_https’ because it creates an encrypted tunnel back to the metasploit server, which makes it very hard for security software like intrusion detection or firewalls to detect anything. For those products your exiting phishing data all looks like normal https traffic.

Spear Phishing Scenario

There are many articles written about this by now, and it’s the essence of social engineering end-users. If they haven’t had high-quality security awareness trainingthey are easy targets for spear phishers. The attacker does research on their targets, find out who they regularly communicate with, and sends a personalized email to the target that uses one or more of the 22 Social Engineering Red Flags to make the target click on a link or open an attachment. Just imagine you get an email from the email address of your significant other that has in the subject line: Honey, I had a little accident with the car, and in the body: I made some pictures with my smart phone, do you think this is going to be very expensive?”

Sending The Emails

You can raise a temporary mail server and blast away, but that mail server will not have a reputation score which will block a lot of email from getting in. A better solution is going to GoDaddy, purchase a valid domain name, use the free email server that comes with the domain and set it up, so that you automatically have an MX record created for you by GoDaddy. While you are at it, also do a Whois lookup and change the GoDaddy Whois information for your phishing domain. All that helps mail getting through, which you can send with any email client, or with a script.

Harvesting Treasure

Let’s assume that your target clicked on the link, and you were able to place a keylogger on their machine. Now it’s a matter of waiting for the hourly burst of keyboard data back to your server, and monitoring for the credentials you are after. Once you have those, it’s a matter of getting into the workstation, get all network password hashes, crack them and get elevated to administrator access to the whole network.

Preventing Successful Spear Phishing Attacks

Now, how to mitigate against attacks like this? First of all, you need all your defense-in-depth layers in place. Defending against attacks like this is a multi-layer approach. Make sure you have in place the following: an Email Gateway Spam Filter and/or a spam filter in your Exchange Server. Turn on the Outlook ‘Junk Email’ Filter, run different antivirus products on the workstation and the mailserver, have an active Intrusion Prevention Systems, use Web Proxy Servers, and ideally have deep-packet inspection Egress filtering, plus there are some more things you could add. The trick is to make it as hard as possible for the attacker to get through.

And now let’s look at some other tactics that will help prevent a successful attack:

  • Do not have a list of all email addresses of all employees on your website, use a web form instead.
  • Regularly scan the Internet for exposed email addresses and/or credentials, you would not be the first one to find one of your end-user’s username and password on a crime or porn site.
  • Enlighten your users about the dangers of leaving all kinds of personal information on social media sites.
  • Last but not least, you could go through all the steps above and start sending simulated attacks to all your end users, but why not use our fully automated service and let us help you with that? We provide security awareness training combined with pre- and post simulated phishing testing to make sure end users stay on their toes with security top of mind. Since 91% of successful attacks use spear phishing to get in, this will get you by far the highest ROI for your security budget, with visible proof the training works!

phishing / a fish hook on computer keyboard with email sign / computer crime / data theft / cyber crime

Data breach. Customer information stolen.

 

Prime Telecommunications in cooperation with ID Agent is excited to offer this guest blog post from Megan Wells. Megan is a data journalist and content strategist at InvestmentZen who has written content on how data theft impacts Americans, technological interventions for personal and commercial finance and content for IBM and NASDAQ. With her examination of costs and the impact of Data Breaches, she shares how detrimental identity theft can be for businesses and their employees.

Data breach. Customer information stolen. Identity theft. Those words are enough to cause panic to a small business owner or manager. However well protected they think they are, they fail to realize that criminals on the Dark Web are one step ahead.

Many don’t understand what a data breach is and think it only happens to big companies like Equifax, Target and Home Depot. Yet, employee errors account for 30% of data breaches as the following examples show and small businesses have employees, right?

  1. A medical office employee emails patient data without encrypting the email.
  2. An employee attaches a document to an email that contains a customer’s SSN and account number.
  3. Malware enters a company’s servers through an internet download and steals customer and business data.
  4. A hacker breaks into the business network and downloads credit card data.
  5. A company laptop with customer information on it gets stolen.

Any company that stores customer information, regardless of size, is vulnerable and at risk for a data breach. And data breaches lead to identity theft for business owners and customers.

The negative press to a business from a data breach is bad enough. The risk of identity theft to customers and owners takes it to another level. Over $16 billion was stolen from consumers in 2016, roughly $1,300 per victim. While that amount may seem low (in perspective), the time involved is not. Theft caught early might take eight hours to resolve; for many, however, hundreds of hours are spent reclaiming their identity. Then there’s the person that never fully restores his or her identity–one in four victims faces this reality.
It’s in a business’ best interest to do everything possible to reduce its exposure to data breaches and the high cost of damage control (negative press, lost revenue, customer reparation). Businesses and consumers must work together to safeguard nonpublic, personal information. All our identities and millions of dollars are at stake.


Click hear fool

Request your Free Network Evaluation