#1. Anti-virus programs are generally ineffective

#2. Your firewall faces the wrong way

#3. You are the weakest link in the Cloud

#4. Advising your employees not to open emails from “strangers” is counter-productive

#5. Encrypting your company’s portable devices isn’t enough

Many small-to-medium (SMB) sized businesses believe that they aren’t important or large enough to be targeted by hackers. Unfortunately, that’s not the case. Smaller companies in general have fewer resources to spend on defending their networks, yet they have substantial assets that hackers can take. As larger organizations adopt better cyber defenses, many hackers specifically target SMBs as easier targets.

If a hacker targets an SMB, the risks are great. When a hacker intrudes into a business network, they may be able to steal and illegally use customer data, lift employee information (including social security numbers and payroll information) and empty the company’s bank account. In addition to these direct losses, a hacker can use the SMB’s network to attack other targets such as the SMB’s business partners and customers. These consequential third party losses can obliterate goodwill and expose the SMB to costly litigation.

Hacking is becoming an increasingly serious threat to every type of business. Computer virus source code is readily available on the Internet, sometimes for free, making new malware easier to create by professional cyber criminals and “wannabe” hackers alike. New malware is appearing at an estimated rate of 80,000 instances per day.

To learn more read the full white paper.  We’ll talk about the five things hackers don’t want SMBs to know.  We’ll pinpoint what hackers look for when choosing a company to attack. We’ll reveal the damage that they can do. Then, we’ll offer some practical steps that SMBs can take immediately to protect their organizations from outside intrusion.

In yet another laptop data breach incident, Riverside County Regional Medical Center in Riverside, California reported that a laptop containing Personally Identifiable Information (“PII”) and Protected Health Information (“PHI”) for about 7,900 patients went missing in December 2014. According to a letter filed with the California State Attorney General, the potentially exposed PII and PHI may have included Social Security Numbers, demographic information (such as name or date of birth), medical record number, diagnosis, treatment, and other medical information. Ironically, breaches involving lost or stolen laptops are highly preventable with the use of encryption.

Encryption converts electronic data into another form, called ciphertext, that cannot be read by anyone who does not hold the key. To read the data, an authorized party uses the key (typically unlocked by a password or passphrase) to decrypt it. Crucially, the California Breach Notification Law SB 1386 (Civil Code section 1798.82), and most other state breach notification laws, apply to unencrypted personal information: if the lost data was properly encrypted, and the key or password was not lost with it, public notification is generally not required.

It’s therefore highly important to confirm that any device in use by an organization is actually encrypted.

Encryption typically operates in the background

On laptops or desktops, installed encryption products typically function in the background. For example, a billing analyst using an encrypted desktop may interact with billing software, Microsoft Excel and email throughout a business day to complete work. This analyst may only encounter encryption while logging in at the beginning of the day and may not realize encryption is present. While some products such as Microsoft BitLocker display a lock symbol next to a drive icon to indicate active encryption, most encryption products bury the status of encryption in an operating system menu or within the software itself. Determining whether encryption is present and whether it is active are two distinct steps, and both require knowledge of the computer’s operating system and the ability to search the computer.

(Screenshot: BitLocker Enabled in Microsoft Windows)

How to Tell Whether Encryption is Present?

Ideally, encryption should be installed so that it protects an entire hard drive (“whole disk encryption”) and not just specific folders or email (“file-level encryption”). In newer computers, encryption is built into the operating system: FileVault 2 in OS X Lion and later, including the then-new Yosemite, and BitLocker in the Ultimate and Enterprise editions of Windows 7 and the Pro and Enterprise editions of Windows 8 and 8.1. Encryption may be set up for default installation (i.e., a user has to de-select encryption during computer set-up).

1. Determine the version of operating system (“OS”).

(Screenshot: OS Type, Microsoft Windows 8.1)

(Screenshot: OS Type, Apple OSX Versions)

2. If native OS encryption is available, locate built-in encryption and review status.

  • Windows. In computers running Microsoft Windows 7 Ultimate and Enterprise (as well as Windows 8 and 8.1 Pro and Enterprise), BitLocker is installed and provides whole disk encryption capability. There are caveats to the use of BitLocker (such as whether it is configured with a TPM, and whether it uses software encryption or a self-encrypting drive), but its presence can be confirmed by searching for BitLocker in the Control Panel. Presence is not activation: confirm that the BitLocker Drive Encryption panel reports “BitLocker on” for the operating system volume, or run manage-bde -status from an administrative command prompt and check that Conversion Status is “Fully Encrypted” and Protection Status is “Protection On”. More details are available at http://windows.microsoft.com/en-US/windows7/products/features/bitlocker.

(Screenshot: Windows with BitLocker Activated)

  • Apple. In Apple computers, FileVault 2 provides whole disk encryption capability. To determine the status of FileVault 2 whole disk encryption in OS X Yosemite, go to the Security & Privacy pane of System Preferences (the FileVault tab reports whether it is on and whether a recovery key has been set); from Terminal, fdesetup status reports the same. For older Apple OSX versions with the original FileVault, encryption is limited to a user’s home folder rather than the whole disk. More details are available at http://support.apple.com/en-us/HT4790.


(Screenshot: Apple OSX FileVault 2 Menu)

3. Look for a third-party application.

There are several third-party software applications that provide whole disk encryption (examples listed below). These applications can be found by searching a computer’s installed applications. To determine whether encryption is active, the application will need to be opened and reviewed. Many encryption applications will use a visual symbol or term such as “active” to indicate that encryption is functioning. (For a comparison of encryption products, review the following discussion: http://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software.)

Software                                            Windows     Mac OSX

1. Built into Operating System (“OS”)               BitLocker   FileVault 2

2. Third-Party Software Products
   Symantec PGP                                     X           X
   Dell Data Protection Encryption (DDPE)           X           X
   Check Point Full Disk Encryption Software Blade  X           X
   Pointsec (Check Point)                           X
   DriveCrypt                                       X

  • Finding third-party software on a Windows computer.

i. Locate and open the Control Panel by clicking on the Start menu (Windows 8 replaced the Start menu with the Start screen; use Windows search there). (To learn more about the Control Panel, refer to the link http://support.microsoft.com/search?query=control%20panel.)

(Screenshot: Windows Search)

ii. Navigate to the Programs section of the Control Panel.

(Screenshot: Windows Select Programs Section)

iii. Click on Programs and Features.

(Screenshot: Windows Select Programs and Features)

iv. Scroll through the installed software applications to determine whether third-party encryption software is installed.


(Screenshot: Windows Review Installed Programs)

  • Finding third-party software on an Apple computer.

i. Apple computers are configured with Spotlight — an Apple-native search utility that catalogues and organizes content. (See the following URL for information on Spotlight: http://support.apple.com/en-us/HT204014.)

ii. Spotlight can be found by clicking on the magnifying glass symbol in the upper right-hand corner of Apple’s menu bar.

iii. Enter the name of the third-party software into the Spotlight search box and review search results. (See the “quicktime” search example in the screenshot below.)


(Screenshot: Apple Spotlight Search)
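The status checks in step 2 can be scripted, which matters when IT later has to prove that a particular lost machine was encrypted. The following Python is an added example for this guide (it is not Kivu’s code, nor Microsoft’s or Apple’s): it parses the text that manage-bde -status (Windows, administrative command prompt) and fdesetup status (OS X 10.8 and later, Terminal) print, and separates “BitLocker is present” from “BitLocker is actually protecting the volume”. The sample outputs are constructed and modelled on the real tools’ layout; the volume sizes and labels are made up.

```python
"""Tell "encryption present" from "encryption active" on Windows and OS X.

Added example; not part of the original article.  Parses `manage-bde -status`
and `fdesetup status` output and classifies each volume.  Sample outputs are
constructed (layout modelled on the real tools; sizes and labels invented).
"""
import re

SAMPLE_MANAGE_BDE = """\
BitLocker Drive Encryption: Configuration Tool version 6.3.9600
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
[OS Volume]

    Size:                 237.00 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    AES 128
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:
        TPM
        Numerical Password

Volume D: [Data]
[Data Volume]

    Size:                 500.00 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:       None Found
"""

SAMPLE_FDESETUP = "FileVault is Off.\n"   # constructed `fdesetup status` output

VOLUME_HEADER = re.compile(r"^Volume ([A-Z]): \[(.*?)\]", re.M)
FIELD = re.compile(r"^ {4}([A-Za-z ]+?):[ \t]*(.*)$", re.M)   # 4-space "Key: value"
PROTECTOR = re.compile(r"^ {8}(\S.*)$", re.M)                 # 8-space protector names


def parse_manage_bde(text):
    """Return {drive letter: {field: value, 'Key Protectors': [names]}}."""
    volumes = {}
    headers = list(VOLUME_HEADER.finditer(text))
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        chunk = text[m.end():end]
        fields = {k.strip(): v.strip() for k, v in FIELD.findall(chunk)}
        fields["Label"] = m.group(2)
        fields["Key Protectors"] = PROTECTOR.findall(chunk)
        volumes[m.group(1)] = fields
    return volumes


def classify_bitlocker(text):
    """Map each volume to: protected | suspended | in_progress | not_encrypted."""
    result = {}
    for letter, f in parse_manage_bde(text).items():
        conv = f.get("Conversion Status", "")
        prot = f.get("Protection Status", "")
        if conv == "Fully Decrypted":
            state = "not_encrypted"
        elif conv == "Fully Encrypted" or conv == "Used Space Only Encrypted":
            # Ciphertext on disk is worthless as protection if the key
            # protectors are suspended: the volume key sits on disk in the clear.
            state = "protected" if prot == "Protection On" else "suspended"
        else:
            state = "in_progress"
        result[letter] = state
    return result


def filevault_state(text):
    """Map `fdesetup status` output to: on | off | unknown."""
    m = re.search(r"FileVault is (On|Off)\.", text)
    return m.group(1).lower() if m else "unknown"


def device_is_protected(bitlocker_text=None, fdesetup_text=None):
    """True only if every BitLocker volume is 'protected', or FileVault is On.
    This is the conservative answer to 'was the lost laptop encrypted?'."""
    if bitlocker_text is not None:
        states = classify_bitlocker(bitlocker_text)
        return bool(states) and all(s == "protected" for s in states.values())
    if fdesetup_text is not None:
        return filevault_state(fdesetup_text) == "on"
    return False


if __name__ == "__main__":
    for letter, state in classify_bitlocker(SAMPLE_MANAGE_BDE).items():
        print(f"Volume {letter}: {state}")
    print("FileVault:", filevault_state(SAMPLE_FDESETUP))
    print("Device protected:", device_is_protected(bitlocker_text=SAMPLE_MANAGE_BDE))
```

Note the C: volume in the sample: it reports Fully Encrypted yet Protection Off, the state left behind when an administrator suspends BitLocker for a firmware update and forgets to resume it. The volume master key is then stored unprotected on the disk, so the laptop is no better off than an unencrypted one, and a checklist that only asks “is BitLocker installed?” would pass it.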

Caution with the Use of Encryption

  1. User Versus IT (Information Technology department) Installation.

    In Apple’s FileVault 2 deployment guidance, three scenarios are identified for the installation of encryption: IT only, user with IT support, or user only. These scenarios apply to the installation of any encryption or software product. While it is less expensive to have end users configure devices, encryption is the type of activity that can render a laptop useless if improperly deployed (a forgotten passphrase with no escrowed recovery key means the data is gone). As a rule of thumb, IT should direct installation and configuration of encryption to protect corporate assets.

  2. Properly Set Up Users.

    When encryption is deployed, there is often a requirement to set up “approved” users for access. If a user is not set up, then access is denied. If IT does not have user-level access, then IT may be locked out.

  3. Key Control.

    IT should maintain control of encryption keys and hold a recovery key for each device with deployed encryption. Further, all encryption keys should be backed up to a second repository that is NOT controlled solely by IT (for example, an escrow held by company management), so that no single administrator holds the only copy. With tight control over, and guaranteed access to, encryption keys, an organization minimizes the chance that encryption will lock it out of its own assets. Providing IT with access to each computer’s encryption keys also prevents a disgruntled employee from locking an organization out of its own computers.

  4. Fully Document IT Encrypting Devices.

    If a device is lost or stolen, it may be crucial to prove that the device was encrypted in order to avoid the need for a costly notification of any persons whose PII has been compromised. Make sure that IT has fully documented the encryption process and specific serial numbers of devices so protected.

  5. Don’t Forget Other Sources Such as Cloud Applications.

    Document and control cloud data storage of corporate assets. For each computer where cloud-based applications are running (including email), digital assets should be evaluated as to whether encryption is required locally and in the cloud. Many cloud storage applications offer encryption for stored data and data being transmitted.

Other References

The enduring onslaught of data breach events, such as the theft of 4.5 million health records from Community Health Systems or the recent staggering loss of information for 76 million JPMorgan Chase households, continues to highlight the need for robust information security and the ability to proactively prevent and redress potential security incidents. In response, organizations have increased investment in better information security programs and supporting technologies. However, while more organizations may be better positioned to cope with data breach events, information security continues to lack appropriate coverage of cloud and mobile device technology risks.

Lags in InfoSec Deployment:

According to the 2014 Global State of Information Security® Survey of information executives and security practitioners, organizational leaders expressed confidence in their information security activities (nearly three-quarters of respondents reported being somewhat or very confident). However, the survey reveals gaps in the application of information security to cloud and mobile technologies. Nearly half of respondents reported that their organizations used cloud computing services, but only 18% reported having governance policies for cloud services. Furthermore, fewer than half of respondents reported having a mobile security strategy or mobile device security measures such as protection for email/calendaring on employee-owned devices.

Real Issue is Lack of Knowledge

Gaps in cloud and mobile information security represent a broader trend that exists even in regulated industries. For example, in the 2013 Ponemon report, “The Risk of Regulated Data on Mobile Devices & in the Cloud”, 80% of IT professionals could not define the proportion of regulated data stored in the cloud and on mobile devices. The gap in information security does not appear to be limited to the deployment of policies and controls. Instead, the potential issues with cloud and mobile information security stem from a lack of knowledge concerning where data is stored and how it is used. As noted in the study “Data Breach: The Cloud Multiplier Effect”, respondents described their organizations as having low effectiveness in securing data and applications in the cloud.

Reducing Cloud and Mobile Technology Risks

Developing an appropriate security posture for cloud and mobile technologies should begin with the realization that information security requirements for these technologies differ from traditional IT infrastructure. For example, the responsibility for storage and use of data in the cloud is shared by a greater number of parties—organization, employees, external vendors, etc. Additionally, contracts and written policies for cloud applications must specify more granular coverage for access, use, tracking and management of data. In the event of a potential security incident, possible sources of evidence, such as security logs, are stored externally and may require the assistance of specific employees or service providers.

The following considerations provide a starting point for the development of information security practices that are relevant to cloud and mobile technologies.

1. Identify security measures that are commensurate with cloud and mobile technologies.

a. Use security features that are built into cloud and mobile technologies. This includes access controls and encryption. Frequently, security features that would have prevented major cloud-based breaches (such as multi-factor authentication and text-to-cellphone warnings of suspicious activity) are already made available by cloud service providers. However, users of these services, whether individuals or large corporate clients, are frequently delaying full implementation of available security options due to cost or organizational concerns.

b. Implement additional security tools or services to address gaps in specific cloud and mobile technologies. For example, software-based firewalls to manage traffic flow may also provide logging capability that is missing from a cloud service provider’s capabilities.

2. If possible, use comprehensive solutions for user, device, account, and data management.

a. Manage mobile devices and their contents. Mobile device management (MDM) solutions enable organizations to coordinate the use of applications and control organizational data across multiple users and mobile devices.

b. Use available tools in the cloud. Cloud service providers such as Google Apps provide tools for IT administration to manage users, data and specific services such as Google Drive data storage. Unfortunately, many organizations do not utilize these tools and take risks such as losing control over email account access and content.

3. Maintain control over organizational data.

a. IT should control applications used for file-sharing and collaboration. Cloud-based tools such as Dropbox provide a robust method of sharing data. Unfortunately, Dropbox accounts often belong to the employee and not the organization. In the case of a security incident, IT may be locked out of an employee’s personal account.

b. Users should not be responsible for security. Organizations often entrust employees and business partners with sensitive data. This includes maintaining security requirements such as use of encryption and strong passwords. The organization that owns the data (usually its IT department) should have responsibility for security, and this includes organizational data stored outside of an organization’s internal IT infrastructure.

c. Encryption keys should be secured and available to IT in the case of a potential incident. With the advent of malware such as ransomware that holds data captive, and employees who could destroy encryption keys, securing encryption keys has become a vital step in the potential recovery of data. If IT does not maintain master control over encryption keys, important organizational data could be rendered inaccessible during a security incident.

4. Actively evaluate InfoSec response and readiness in the cloud.

a. IT should have a means to access potential sources of organizational data. If data is stored on an employee’s tablet or at a third-party data storage provider, IT should have a vetted plan for access and retrieval of organizational data. Testing should not occur when a potential security incident arises.

b. Important digital assets should be accessible from more than one source and should be available within hours and not days. IT should have backup repositories of corporate data, in particular for data stored in cloud environments. This may include using a combination of cloud providers to store data and having an explicit agreement on the timing and costs required to retrieve data (in the event of an incident).

c. Audit systems should be turned on and used. Cloud providers often have built-in auditing capability that ranges from data field tracking (e.g., a phone number) to file revision history. The responsibility for setting up audit capability belongs to the organization. As part of using a cloud provider’s technology, the use of auditing should be defined, documented and implemented.

d. IT staff should have the knowledge and skills to access and review log files. The diversity and complexity of log files have grown with the number of technologies in use by an organization. Cross-correlating logs files across differing technology platforms requires specialized knowledge and advanced training. If an organization lacks the skill to analyze logs files, the ability to detect and investigate potential security events may be severely compromised.

5. Incident response plans and investigation practices should cover scenarios where data is stored in the cloud or on mobile devices.

Hackers have become more aggressive in seeking out data repositories. As organizations continue to adopt cloud and mobile technologies, information security must keep pace and extend the same internal focus on information security to external sources of organizational data. In particular, incident response plans should cover an increasing phenomenon—where attackers infiltrate an organization’s physical network solely to gain the keys to its cloud data repository.

The financial industry has long been known for “repackaging risk” – slicing and dicing investments to lessen their aggregate risk. During the 2008 subprime mortgage crisis, the repackaging process eventually reached the point where no one knew the real financial risk, who exactly was exposed to it, and where and how the risk was concentrated.

A similar process is happening today for cyber risk. Known as “Cyberization,” organizations are unknowingly exposed to cyber risk outside of their own organizations because they have outsourced, interconnected or otherwise exposed themselves to an increasingly complex network of networks. Their cyber risk starts with their internal corporate network and security practices and expands outward to their counterparties and affiliates, their supply chain and outsourcing partners. This blog post from Kivu will help explain what Cyberization is and the aggregate risk that organizations face.

How Leveraging Technology Leads to Increased Cyber Risk

Organizations today rely more and more on technology to increase efficiency and lower costs, making it possible to be more profitable while deploying fewer resources. This trend makes global cyberization more likely because the Internet is a tightly coupled system on which societies and economies have built extensive, aggregated dependencies. With so much interdependency, any disruption in the system is likely to have a cascading effect.

Cyber risk management often assumes that risk is simply the aggregation of local technology and procedures within an organization. In general, risk managers focus mostly on what is going on inside their own walls. Today’s cyber risk managers need to understand, however, that cyber risk is not self-contained within individual enterprises. They must expand their horizons and look far beyond their boundary walls.

Factors to Consider in Cyber Risk Management

Internal IT Enterprise

Risk associated with an organization’s IT.

Examples: hardware, software, people and processes.

Counterparties & Partners

Risk from dependence on or direct interconnection with outside organizations.

Examples: Partnerships, vendors, associations.

Outsourcing

Risk from contractual relationships with external suppliers of service.

Examples: IT and Cloud providers, HR, Legal, Accounting and Consultancy.

Supply Chain

Risk to the IT sector and traditional supply chain and logistics functions.

Examples: Exposure to country, counterfeit or tampered products.

Disruptive Technologies

Risk from the unseen effects of or disruptions from new technologies – those already existing and those due soon.

Examples: Driverless cars, automated digital appliances, embedded medical devices.

Upstream Infrastructure

Risk from disruptions to infrastructure relied upon by economies and societies, electric, oil or gas infrastructure, financial systems and telecom.

Examples: Internet Infrastructure, Internet governance.

External Shocks

Risk from incidents outside the control of an organization that are likely to have cascading effects.

Examples: International conflicts, malware pandemic, natural disasters.

About Kivu

Kivu is a licensed California private investigations firm, which combines technical and legal expertise to deliver investigative, discovery and forensic solutions worldwide. Author, Elgan Jones, is the Director of Cyber Investigations at Kivu Consulting in Washington DC. For more information about cyber risk management and mitigating the effects of cyberization, please contact Kivu.

Cyber incidents and data breaches are often the result of computer security misconfigurations in a system’s network or software. We have found at Kivu Consulting that many of the same misconfigurations have allowed an intrusion to happen, an exploit to be executed or data to be extracted from a particular system. Security misconfigurations can also hamper an incident analysis by limiting the availability of important artifacts needed for a data breach investigation.

Listed below are the top 10 common computer security misconfigurations and how to avoid them:

1. Logging left at default or turned off

Many system logs, especially those in the Windows operating system, have a default size limit or a limit on the number of days that historical logs are kept. For example, the Windows Security event log defaults to a maximum size of 20 MB and overwrites the oldest events when full, so on a busy server only days of history survive. Many times, due to budget or storage constraints, standard system logging is left at the default setting or is disabled. This includes: account login/logout, failed login attempts, software installed and logs cleared. When logs are disabled from collecting data, there is no record of what is happening to a computer system.

When an intruder guesses passwords or accounts, without system logs a business has no way of knowing if they are or were under attack. If an intrusion isn’t detected until several months later, important system records may be unavailable. Kivu recommends that every organization review its system logging procedures and ensure that critical information is stored for a sufficient amount of time.

Also, companies often record only failed login attempts. Logging failed attempts is a great way to detect that a computer system is being attacked, but what happens if the intruder actually gets in? If a company is not tracking successful logins, it might never know that an attack succeeded. Tracking all logins is particularly important because a successful login from an unrecognized IP address (for example, an address in a country where the company has no staff) is often the first clear sign of a breach.
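To make the point concrete, the following Python (an added example, not Kivu’s tooling) runs over a few constructed OpenSSH auth.log lines and does what failure-only logging cannot: it flags a successful login from an address outside the networks the organization recognises and ties it to the password guessing that preceded it. The trusted network, host names and addresses are assumptions for the example (203.0.113.0/24 and 198.51.100.0/24 are reserved documentation ranges).

```python
"""Spot successful logins that failure-only logging would miss.

Added example; not from the original post.  The log lines, hosts, users and
addresses below are constructed; the trusted network is an assumed admin
VPN pool.
"""
import ipaddress
import re
from collections import Counter, defaultdict

TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]   # assumption
BRUTE_FORCE_THRESHOLD = 3                                    # failures per source

SAMPLE_AUTH_LOG = """\
Mar  3 02:14:07 web01 sshd[2841]: Failed password for root from 203.0.113.45 port 51422 ssh2
Mar  3 02:14:09 web01 sshd[2841]: Failed password for root from 203.0.113.45 port 51430 ssh2
Mar  3 02:14:12 web01 sshd[2841]: Failed password for root from 203.0.113.45 port 51433 ssh2
Mar  3 02:14:15 web01 sshd[2847]: Accepted password for root from 203.0.113.45 port 51440 ssh2
Mar  3 08:01:33 web01 sshd[3102]: Accepted publickey for ops-admin from 10.20.0.15 port 40211 ssh2
Mar  3 08:05:10 web01 sshd[3110]: Failed password for invalid user oracle from 198.51.100.7 port 33091 ssh2
Mar  3 08:05:14 web01 sshd[3110]: Failed password for invalid user oracle from 198.51.100.7 port 33095 ssh2
"""

# Matches both "Accepted <method> for <user>" and "Failed <method> for [invalid user] <user>"
LOGIN = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_logins(text):
    """Yield (result, method, user, ip) for each sshd login line."""
    for line in text.splitlines():
        m = LOGIN.search(line)
        if m:
            yield m.group("result"), m.group("method"), m.group("user"), m.group("ip")


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def analyse(text, threshold=BRUTE_FORCE_THRESHOLD):
    """Return alerts: successes from untrusted sources, brute-force sources,
    and successes preceded by failures from the same address."""
    untrusted_success = []          # (user, ip, method)
    failures = Counter()            # ip -> total failed attempts
    guessed = []                    # (user, ip, failures immediately before success)
    failures_before = defaultdict(int)
    for result, method, user, ip in parse_logins(text):
        if result == "Failed":
            failures[ip] += 1
            failures_before[ip] += 1
            continue
        if not is_trusted(ip):
            untrusted_success.append((user, ip, method))
        if failures_before[ip] > 0:
            guessed.append((user, ip, failures_before[ip]))
        failures_before[ip] = 0
    return {
        "untrusted_success": untrusted_success,
        "brute_force": {ip: n for ip, n in failures.items() if n >= threshold},
        "guess_then_success": guessed,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_AUTH_LOG).items():
        print(f"{key}: {value}")
```

With only failures logged, the 02:14 burst from 203.0.113.45 would look like every other scan; the fourth line is what turns it into an incident, and it is the one most organizations never record.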

2. 50 servers, 50 log locations!

In today’s environment of virtualized and cloud based computing, a system administrator may have to monitor dozens of servers across the globe. To simplify this task, Kivu recommends that companies collect logs from all of their servers into a single, centralized logging system, preferably one that indexes their logs, scans them for security events and alerts the appropriate staff member if an event is detected.

A centralized logging system that provides easy search and retrieval of historical log data is crucial for an incident investigation. Kivu has sometimes lost days while investigating a security incident, when every minute is critical, because important log data was stored in as many as 50 individual servers.

3. Former employee accounts not disabled or deleted

When an employee leaves an organization and has security credentials that allow remote connection or login from a workstation located on a trusted internal network, the ex-employee’s accounts should be immediately disabled. Kivu has seen many times that an old and still enabled VPN/administrative account has been used for intrusion.

4. Same root or local administrator password for all public facing computers

We see this system misconfiguration more often than any other problem. Many organizations’ servers have their root account (if Linux), Administrator, or super user account set with the same password across all systems, including web servers, cloud-based servers, and servers in the DMZ. If an intruder should compromise the root password on one of them, they may be able to log in to all of a company’s servers, including the server that may be acting as an identity manager (e.g. SSH key master or domain controller).

Kivu recommends that organizations follow the simple practice of treating their public facing (untrusted) servers with the mindset that they will be compromised. We advise creating a different set of account credentials for the servers that reside on their trusted internal networks.

5. Root or administrator accounts can connect from the Internet or DMZ

The convenience of being able to troubleshoot and perform system and network administration remotely often comes with a cost. OpenSSH’s PermitRootLogin directive in sshd_config controls whether root may log in over the network; many distributions ship it set to “no” or “without-password”, and OpenSSH 7.0 and later default to “prohibit-password”. Yet in many security incident investigations, Kivu has found that system administrators have been logging in ONLY as root and have explicitly enabled root login with a password from remote locations. This convenience also allows anyone on the Internet to brute force the root password, and it removes individual accountability because every action is logged as root.

We recommend requiring system administrators to log in to a VPN before connecting to perform administrative or systems work. With cloud-located servers, a VPN may not be an option. In that case, companies can lock down administrative access to only a few IP addresses (for example with firewall rules or a Match Address restriction in sshd_config). They can combine this with a security appliance, or Snort on the host, to detect and drop spoofed traffic. They can also replace password logins with public-key (e.g., RSA key pair) or two-factor token authentication.
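As an added example (not part of the original post), here is a small Python audit of the sshd_config directives that decide whether root is reachable from the Internet, run against two constructed configurations: the permissive one Kivu describes finding, and a hardened one that confines root to a hypothetical management subnet. The subnet, user name and finding wording are assumptions for the example.

```python
"""Audit sshd_config for root reachable from the network.

Added example; not from the original post.  Parses the handful of OpenSSH
sshd_config directives that matter for this finding.  Both configurations
are constructed; the management subnet and user name are made up.
"""

WEAK_SSHD_CONFIG = """\
# Permissive configuration of the kind described in the finding
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers ops-admin
MaxAuthTries 3
# Root with a key only, and only from the (hypothetical) management subnet
Match Address 10.20.0.0/24
    PermitRootLogin prohibit-password
"""


def parse_sshd_config(text):
    """Return (global_directives, [(match_criteria, directives), ...]).

    OpenSSH semantics: the first value obtained for a keyword wins, and every
    directive after a 'Match' line belongs to that conditional block.
    Keywords are case-insensitive; values are kept as written.
    """
    global_cfg, blocks = {}, []
    current = global_cfg
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "match":
            current = {}
            blocks.append((value, current))
        else:
            current.setdefault(keyword, value)
    return global_cfg, blocks


def audit_sshd_config(text):
    """Return a list of 'SEVERITY: message' findings (empty means clean)."""
    cfg, blocks = parse_sshd_config(text)
    findings = []
    root = cfg.get("permitrootlogin", "").lower()
    passwords = cfg.get("passwordauthentication", "yes").lower()   # OpenSSH default
    restricted = any(k in cfg for k in ("allowusers", "allowgroups"))

    if root == "yes":
        findings.append("HIGH: PermitRootLogin yes - root may log in from any address")
    elif root == "":
        findings.append("MEDIUM: PermitRootLogin not set; effective default depends on "
                        "the OpenSSH build (yes before 7.0, prohibit-password from 7.0)")
    if root in ("yes", "") and passwords == "yes":
        findings.append("HIGH: root password can be brute-forced over the network")
    if passwords == "yes" and not restricted:
        findings.append("MEDIUM: password logins allowed with no AllowUsers/AllowGroups limit")
    for criteria, block in blocks:
        if block.get("permitrootlogin", "").lower() == "yes":
            findings.append(f"HIGH: 'Match {criteria}' re-enables PermitRootLogin yes")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{name}: {audit_sshd_config(conf) or ['clean']}")
```

The first-value-wins rule is the detail most often missed when reviewing these files by eye: a “PermitRootLogin no” added at the bottom of a file that already says “yes” near the top changes nothing, which is why the parser records only the first occurrence.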

6. Default password on [insert network device name here]

A simple search on the Internet for “default password on insert network device vendor name here” will return all known default passwords for the admin or manager accounts on an organization’s network firewalls, routers and wireless access points. Any device setup manuals available online will also have the default passwords listed. Kivu recommends that companies change these defaults at configuration time and before deployment to avoid security incidents.

7. Administrative accounts using simple passwords

We continue to see easily guessed passwords used for administrative accounts. Dictionary words fall quickly to dictionary attacks even when vowels are swapped for digits or symbols, for example “honeybadger” written as “H0neyB@dger”, because cracking tools apply exactly those substitution rules to every word they try. We have found that using a randomly generated 16-character password for root and other administrative accounts is beneficial for reducing an organization’s attack surface.
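To show why the substitution trick does not help, here is an added Python example (not from the original post) that enumerates the leet-speak variants of a dictionary word the way a cracking rule set would, checks a candidate password against them, and generates the random 16-character password the text recommends. The substitution table and the tiny word list are constructed stand-ins for an attacker’s rules and dictionary.

```python
"""Why 'H0neyB@dger' is a cheap guess, and what to use instead.

Added example; not from the original post.  SUBSTITUTIONS and WORDLIST are
constructed stand-ins for a cracking rule set and a real dictionary.
"""
import itertools
import math
import secrets
import string

# letter -> the digits/symbols an attacker's rules swap in for it (assumed set)
SUBSTITUTIONS = {"a": "@4", "e": "3", "i": "1!", "l": "1", "o": "0", "s": "$5", "t": "7"}
WORDLIST = {"honeybadger", "password", "welcome", "letmein", "admin"}   # constructed
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def substitution_variants(word):
    """Every lowercase spelling of `word` reachable with SUBSTITUTIONS.
    For 'honeybadger' that is 2*2*3*2 = 24 strings, i.e. 24 extra guesses."""
    choices = [ch + SUBSTITUTIONS.get(ch, "") for ch in word.lower()]
    return {"".join(combo) for combo in itertools.product(*choices)}


def is_dictionary_based(password):
    """True if the password (case ignored, trailing digits/symbols such as
    '1!' stripped) is a substitution variant of a word-list entry."""
    core = password.rstrip(string.digits + string.punctuation).lower()
    candidates = {core, password.lower()}
    return any(c in substitution_variants(w) for w in WORDLIST for c in candidates)


def guess_space_bits(password):
    """log2 of the brute-force search space for a password of this length
    over the character classes it actually uses."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    pool = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(pool) if pool else 0.0


def generate_password(length=16):
    """Random password drawn with the OS CSPRNG (`secrets`), retried until it
    contains a letter, a digit and a symbol and is not a disguised word."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)
                and not is_dictionary_based(pw)):
            return pw


if __name__ == "__main__":
    print("variants of honeybadger:", len(substitution_variants("honeybadger")))
    print("H0neyB@dger is dictionary-based:", is_dictionary_based("H0neyB@dger"))
    pw = generate_password()
    print("random password:", pw, "search space bits:", round(guess_space_bits(pw), 1))
```

The brute-force figure for “H0neyB@dger” (11 characters over four classes) looks respectable, but an attacker never brute-forces it: the word costs one dictionary entry plus a few dozen rule variants. The random 16-character string has no such shortcut, so its search space is the real cost.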

8. Remote desktop, public facing, default ports, no firewall or VPN

There are numerous exploits and vulnerabilities for many popular remote access software services. Kivu often sees no firewall or VPN between the computer offering remote access and the Internet. To reduce an organization’s risk, we recommend that companies implement remote access with multiple layers of security, preferably in a DMZ, where remote traffic is forced through an intrusion detection system.

9. No access control lists – EVERYONE group is granted access to everything

This issue is common in smaller companies, non-profits and the education sector. Everyone in the organization has full access to all of the data. If an employee account is compromised, the account may have access to HR and financial information, even though the employee does not work for those departments. Kivu recommends that organizations classify their data into different levels of confidentiality or access. Once data is classified, access can be controlled with security groups.

10. Absence of a regular software patching routine

Many security exploits that lead to an intrusion or data breach can be avoided by simply keeping up on software updates and vulnerability patches. If your company is not keeping up with software vulnerability patching, your public webserver or your customer database server is a security breach waiting to happen. We recommend that organizations have procedures in place to ensure that timely updates are performed.

Conclusion

While many of the above computer security misconfigurations are well known, they continue to occur on a regular basis. Kivu recommends that organizations regularly monitor their system logs and check with their software vendors for security recommendations particular to their computer environment. We also recommend that companies keep up-to-date by reading security blogs and checking in with the SANS Internet Storm Center.

For more information about Common Computer Security Misconfigurations, please contact Kivu Consulting.

Many small-to-medium (SMB) size business owners believe that they aren’t important or large enough to be targeted by hackers. Unfortunately, we have found at Kivu Consulting that’s not the case. Smaller companies in general have fewer resources to spend on defending their networks, yet they have substantial assets that hackers can take. As larger organizations adopt better cyber defenses, many hackers specifically pursue SMBs as easier targets.

Hacking is becoming an increasingly serious threat to every type of company. Computer virus source code is readily available on the Internet, sometimes for free, making new malware easier to create by professional cybercriminals and “wannabe” hackers alike. Kivu recommends that all businesses have an Incident Response Plan in place, outlining the steps they’ll follow if a breach is suspected. With an Incident Response Plan, the SMB will be prepared to mitigate the damage and stop a bad event from turning into a business destroying disaster.

Here’s how a small business can get hacked and what hackers don’t want you to know:

#1. Anti-virus programs are generally ineffective

Malware is relatively easy to develop, and new malware is disseminated every minute, at an estimated rate of 80,000 instances per day. Often malware is targeted against a particular business or business sector, making it harder to discover because it is designed to avoid detection in specific environments. When malware is targeted against a particular victim, it will almost certainly get through.

Most anti-virus programs rely on “signature recognition”. A sample is identified as malicious, the anti-virus vendor writes a signature for it, and an update is pushed to customers. This process can take weeks, while malware today is often designed to last just minutes or seconds. According to a 2013 study by FireEye, 82% of malware disappears after just one hour and 70% of malware is designed for a single use. A 2014 three-month study by Redsocks Malware Research Labs found that 30% of malware in circulation was not detected by common anti-virus products.

What can business owners do?

  • Limit the data that employees and systems have access to
  • Lock every system down and make software installation the exclusive role of the IT department
  • Get data offline to reduce the risk of it being stolen

#2. Firewalls face the wrong way

Hackers have developed tools to bypass firewalls, such as reverse shells, which connect outbound from the compromised machine to the attacker, often over an encrypted channel, so that the session looks like ordinary outgoing traffic. They then have full, undetected access to the network, as if they were sitting at an employee’s workstation. Since firewalls are often set up to filter and monitor only incoming traffic, they will neither see these illicit outbound connections nor catch valuable data being sent out over them.

What can business owners do?

  • Make full use of current network defenses, such as firewalls with built-in Intrusion Detection Systems
  • Ensure that their firewalls are set up to detect suspicious outgoing traffic as well as incoming traffic
  • Maintain logs (going back at least one month) of all outgoing, incoming and internal traffic

#3. The small business itself is the weakest link in the Cloud

More and more SMBs are transferring part or all of their IT infrastructure and data to the Cloud, including email, file storage and applications. Cloud-based solutions typically have better security than an SMB’s internal systems, but that security counts for nothing if a hacker can pretend to be someone from within the SMB’s organization, for example with a stolen password. When an intrusion occurs, it is often more difficult to identify and measure the extent of the damage with Cloud computing, since the security safeguards and logs are no longer in the hands of the internal IT department.

What should SMBs do?

  • Limit the likelihood of a hacker accessing a Cloud-based account by implementing a multi-factor authentication process for every user
  • Ensure that the Cloud service provider creates useful logs for traffic monitoring and auditing

#4. Advising employees not to open emails from “strangers” isn’t enough

Hackers can easily use social media like LinkedIn, Facebook and company websites to identify specific targets within an organization and then develop an email that looks as if it is coming from a trusted colleague. A 2013 report by Symantec found a 91% increase in this type of “spear phishing” over previous years. Once a hacker compromises one email account, a virus can be spread from employee to employee, until the hacker has access to an SMB’s finances or its most valuable customer data.

What should SMBs do?

  • Train employees to be cautious about what they publicly post online so that they are less of a target to hackers
  • If there’s the slightest doubt about an attachment or link to an online document site, encourage employees to pick up the phone and call the sender

#5. Encrypting only your company’s portable devices isn’t enough

The hard drive of a desktop computer can be worth thousands of dollars to hackers and can be removed in less than a minute. Even when a hard drive is encrypted, whole disk encryption protects data only while the volume is locked: once a user has unlocked it, the key stays in memory, and it stays there when the machine is put into “sleep” or “power saving” mode. A thief who takes a sleeping laptop therefore gets a machine whose encryption key is still in RAM and can be attacked, for example over a DMA port or with a cold-boot attack. Protection returns only when the computer is shut down (or hibernated, which writes memory to the encrypted disk and discards the key).

What should SMBs do?

  • Continue to encrypt all portable devices and select devices with built-in layers of safety, such as a TPM or a self-encrypting drive
  • Encrypt all computer hard drives, including desktops, or ensure that no sensitive data can be stored on them
  • Teach employees to shut down or hibernate their laptops, rather than use sleep mode, whenever they leave them unattended or take them off-site
