A few of the main things to look at when protecting data are having good security, and good security practices, in place for your business. Your users are just as important as backend security. People overthink user education when it comes to cyber security. As John, our service manager, always says,
“You can buy all these fancy security systems and put expensive locks on your door, but the user that leaves all of those unlocked is the problem.” - John Harte, CIO at Skycomp Solutions
The biggest things right now are phishing and cryptocurrency. The trade in private information and account passwords has become a billion-dollar industry. Five years ago this industry was limited in the kinds of scams it could produce; it was mostly malicious attempts to infect people's systems. Now it's a lot more intelligent. It has started targeting attacks at specific people, using social engineering to learn people's names and job roles and to work out a company's structure. There's more of a purpose to these attacks: they're trying to gain information, steal data or get you to send them money via a wire transfer. The world of phishing emails and hacking has become much more sophisticated, and these attacks are getting very believable and very real-looking.
The scary but very real problem is that you're only as secure as your weakest point: a single vulnerability is enough.
You can have all this great protection, but if you don't lock your door anyone can walk in and steal that data. One of the biggest security measures that people miss is user training and knowledge. Users are humans; they make mistakes. Something that Skycomp and many other companies do is run their own internal phishing campaigns. Simulated phishing emails are sent out to employees to try to get them to follow links and enter passwords; we can then see the results and provide clients with reports on the users who fell for the scam. From there you can educate your users: we have training available online, and Skycomp provides training as well, taking the approach of showing people that they made an honest mistake and then training and educating that user on the mistake so they don't make it again. Enforcing two-factor authentication and unique passwords across all these different tools is another layer. If you use the same password, say 123$, for your banking, your Facebook, your work email and your personal email, then one phished or breached site doesn't just expose that one account: the attacker now holds the login for your entire online persona and can quickly work out how to get into all those other services.
Social engineering is a hot topic in IT. We live in such a social media world, and all this information is out there. Bad actors can figure out information about your business just from the public information available to them on different channels. A bad actor is an external person or company trying either to steal something from you or to get you to hand over something like money or gift cards. They can try a couple of different things. They can use what they find to guess people's passwords: they can look up your Facebook account and learn the names of your kids, where you live, where you grew up and what school you went to. You can see it adds up quickly, and bad actors can come up with a few common passwords you might use. It can get even more targeted: they can look up a business website, find out who the main financial controllers are and who their boss might be, and then send an email impersonating the boss, having worked out the hierarchy of the business just from the information on your website, LinkedIn, Facebook or wherever else it might be.
Then there are your internal security practices as a business. You have an IT company or an IT person that manages your antivirus and firewall security, and they might have web filters on your firewall to stop users from reaching known bad or malicious sites. Users should be creating unique passwords for every website or device they use. Passwords should be rotated, and they shouldn't be anything tied to that person, like your kids' names, the town you grew up in or the school you went to, because again, those are things that are all public knowledge.
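To make the password advice above concrete, here is an added example (it is not Skycomp's code or part of the original article) of the kind of check a password policy can run: it takes the details an attacker could collect from social media and the company website, and rejects any password that contains one of them, even when the user has disguised it with capital letters, digits or symbol substitutions. The profile details and passwords below are constructed for illustration.

```python
import re

# Common symbol/digit substitutions people use to "disguise" a word.
LEET = {"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
        "0": "o", "$": "s", "5": "s", "7": "t"}


def _normalize(text: str) -> str:
    """Lowercase and strip everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def _deleet(text: str) -> str:
    """Undo the substitutions in LEET so 'Spr1ngf13ld' compares as 'springfield'."""
    return "".join(LEET.get(ch, ch) for ch in text.lower())


def _token_forms(token: str):
    """The whole token plus each word of at least four characters ('Lincoln High' -> 'lincoln')."""
    forms = {_normalize(token)}
    for word in token.split():
        if len(_normalize(word)) >= 4:
            forms.add(_normalize(word))
    return {f for f in forms if len(f) >= 3}


def personal_info_in_password(password: str, personal_tokens):
    """Return the first public detail found inside the password, or None."""
    candidates = {_normalize(password), _normalize(_deleet(password))}
    for token in personal_tokens:
        for form in _token_forms(token):
            if any(form in candidate for candidate in candidates):
                return token
    return None


def check_password(password: str, personal_tokens, min_length: int = 12):
    """Return a list of policy problems; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    hit = personal_info_in_password(password, personal_tokens)
    if hit is not None:
        problems.append(f"contains publicly known detail: {hit!r}")
    return problems


if __name__ == "__main__":
    # Constructed profile: kids' names, home town, school, employer, birth year.
    public_profile = ["Emma", "Liam", "Springfield", "Lincoln High School",
                      "Acme Corp", "1984"]
    for pw in ["Emma2016!", "$pr1ngf13ld", "Lincoln!23", "Xk7#rQ9vT2mL"]:
        print(f"{pw!r}: {check_password(pw, public_profile) or 'OK'}")
```

Running the block flags the first three passwords and accepts the last one; in practice the profile list would be filled from the HR record (names, location, start year) rather than typed by hand, and the check would sit next to the usual length and breach-list checks.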
Gaining access to a domain account is easy when all it takes is a password, so something we're pushing now is two-factor or multi-factor authentication on as many services as possible. Take Office 365, where your mail is hosted in the cloud: someone is one password away from getting into your mail account and doing whatever malicious activity they want. Two-factor authentication requires knowing your password as well as holding some sort of token. It can be a physical hard token, like a USB key, or a soft token such as an app on your smartphone. The token generates a one-time password every single time you log into that specific service, so a password on its own is no longer enough. It's just an extra layer of security.
Most companies have physical security as well: locks on doors, often accompanied by some sort of alarm system. In the world of security we also have what is known as a keyless digital access system. This lets you set up different zones within your office or building. Maybe you have a filing room or a records room; you don't need every employee to get in there, so you can use card access to control it. Physical hardware such as desktops and laptops is also at risk, and not only because of cyber security threats. Many people use laptops, and these are high-theft items; they get stolen from vehicles or out of your home. A good practice is to put plenty of security on that system: good passwords, possibly two-factor authentication as well, and not storing sensitive data on it. A cloud-based solution like SharePoint, or a server with file shares, is great here: even if a machine gets lost or stolen there's no sensitive data actually on it.
Long story short, there are many ways of being attacked or having data stolen. Training, plus many layers of security measures, is important. Don't think it won't happen to you. For the full conversation with an IT professional about cyber security, give the video at the top of this article a watch. John Harte from Skycomp Solutions Inc. tells you everything you need to know about security and gives helpful advice on what makes sense for your company.