Top 3 Worst Cybersecurity Practices
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently listed three cybersecurity practices it considers dangerous because they heighten the risk to technologies accessible from the internet.
Below are the three practices that CISA has deemed as “dangerous” practices. The presence of these bad practices in organizations, CISA said, “is exceptionally dangerous and increases risk to our critical infrastructure, on which we rely for national security, economic stability, and life, health, and safety of the public.”
1. Use of Unsupported (End-of-Life) Software
Security vulnerabilities in software are normal. For a specified support period, software vendors keep looking for these vulnerabilities and release regular or unscheduled security updates, also known as patches, to fix the ones that become known.
After that support period ends, known as the software’s end-of-life (EOL), vendors stop releasing patches. Attackers favor exploiting software that has reached its end of life because many users keep running it long after the patches stop.
An example of software that has reached its end of life is the Windows 7 operating system. On January 14, 2020, Microsoft ended its support for Windows 7. Customers who purchased an Extended Security Update (ESU) plan can still receive security updates from Microsoft; otherwise, continued use of Windows 7 without ESU is a dangerous practice.
“In 2017, roughly 98 percent of systems infected with WannaCry employed Windows 7 based operating systems,” the Federal Bureau of Investigation (FBI) said in its Private Industry Notification. “After Microsoft released a patch in March 2017 for the computer exploit used by the WannaCry ransomware, many Windows 7 systems remained unpatched when the WannaCry attacks began in May 2017. With fewer customers able to maintain a patched Windows 7 system after its end of life, cyber criminals will continue to view Windows 7 as a soft target.”
2. Use of Known/Fixed/Default Passwords and Credentials
The use of known/fixed/default passwords is another bad practice that’s disastrous in technologies accessible from the internet.
In July 2021, Microsoft Threat Intelligence Center reported that it observed new activity from the NOBELIUM threat actor using tactics such as password spray and brute-force attacks.
In the blog post "Protecting your organization against password spray attacks," Diana Kelley, Microsoft Cybersecurity Field CTO said that adversaries in password spray attacks “acquire a list of accounts and attempt to sign into all of them using a small subset of the most popular, or most likely, passwords.”
The Microsoft Cybersecurity Field CTO, meanwhile, said that brute-force attacks are targeted compared to password spray attacks: attackers go after specific users and cycle through as many passwords as possible, using dictionary words, common passwords, or research into whether they can guess the user’s password, for instance by discovering family names through social media posts.
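The distinction drawn above, a small password list tried against many accounts versus many passwords tried against one account, shows up directly in failed sign-in logs. The following is an added example, not code from the original post or from Microsoft; it assumes a constructed log line format of `<timestamp> FAIL user=<name> src=<ip>` and illustrative thresholds that you would tune to your own baseline.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of failed sign-in events for this example; the line format
# is an assumption for illustration, not the output of any real product.
SAMPLE_LOG = """\
2021-07-01T08:00:01 FAIL user=alice src=203.0.113.5
2021-07-01T08:00:02 FAIL user=bob src=203.0.113.5
2021-07-01T08:00:03 FAIL user=carol src=203.0.113.5
2021-07-01T08:00:04 FAIL user=dave src=203.0.113.5
2021-07-01T08:00:05 FAIL user=erin src=203.0.113.5
2021-07-01T08:01:00 FAIL user=admin src=198.51.100.7
2021-07-01T08:01:01 FAIL user=admin src=198.51.100.7
2021-07-01T08:01:02 FAIL user=admin src=198.51.100.7
2021-07-01T08:01:03 FAIL user=admin src=198.51.100.7
2021-07-01T08:01:04 FAIL user=admin src=198.51.100.7
2021-07-01T08:02:00 FAIL user=grace src=192.0.2.9
2021-07-01T08:02:30 FAIL user=grace src=192.0.2.9
"""

LINE_RE = re.compile(r"^\S+ FAIL user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_failures(log_text):
    """Yield (user, src) for each failed sign-in line; unparseable lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("user"), m.group("src")


def classify_sources(log_text, spray_min_users=5, spray_max_per_user=2, brute_min_attempts=5):
    """Label each source IP as 'spray', 'brute-force' or 'benign'.

    Spray: many distinct accounts with only a few failures each.
    Brute force: one account failing repeatedly from the same source.
    The thresholds are illustrative defaults, not recommended values.
    """
    per_src = defaultdict(Counter)
    for user, src in parse_failures(log_text):
        per_src[src][user] += 1
    verdicts = {}
    for src, users in per_src.items():
        attempts = sum(users.values())
        if len(users) >= spray_min_users and attempts / len(users) <= spray_max_per_user:
            verdicts[src] = "spray"
        elif max(users.values()) >= brute_min_attempts:
            verdicts[src] = "brute-force"
        else:
            verdicts[src] = "benign"
    return verdicts
```

Grouping by source IP is enough for this sample; a spray distributed across many IPs would need the same count of distinct users taken across all sources within a time window.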
In July 2021 as well, UK’s National Cyber Security Centre reported that it observed an increase in activity as part of malicious email and password spraying campaigns against a limited number of UK organizations.
3. Use of Single-Factor Authentication
The use of single-factor authentication is another bad practice that’s disastrous in technologies accessible from the internet. Single-factor authentication is the simplest form of authentication: a user presents a single credential to verify their identity online. The most common credential is a password paired with a username.
“The use of single-factor authentication for remote or administrative access to systems supporting the operation of Critical Infrastructure and National Critical Functions (NCF) is dangerous and significantly elevates risk to national security, national economic security, and national public health and safety,” CISA said. “This dangerous practice is especially egregious in technologies accessible from the Internet.”
Cybersecurity Best Practices
Below are the cybersecurity practices that best counter the above-mentioned bad practices:
"There are over 300 million fraudulent sign-in attempts to our cloud services every day,” Maynes said. “By providing an extra barrier and layer of security that makes it incredibly difficult for attackers to get past, MFA can block over 99.9 percent of account compromise attacks. With MFA, knowing or cracking the password won’t be enough to gain access.”
MFA, however, shouldn’t be your organization’s only defense against malicious actors, as there are a handful of known ways of bypassing MFA.
- Practice network segmentation. In network segmentation, your organization’s network is divided into sub-networks so that an incident in one sub-network does not affect the others.
How to Raise Awareness of Cybercrime in Your Workplace
In February 2019, the Canadian Centre of Cyber Security claimed most Canadians would be affected by cybercrime in one form or another.
This is unnerving for a number of reasons.
First: it applies to all Canadians, not just business-owners. That means everyone using a computer, smartphone or tablet for any online activity could be at risk.
Second: many people (sadly) lack the awareness to take proper security measures and protect their sensitive data from criminals.
Third: the Canadian Centre of Cyber Security specified how ransomware attacks are one of the most common cyber-threats. And anyone who knows anything about ransomware will recognize why this is such a frightening prospect.
Ransomware attacks may be triggered by opening an infected link in an email or downloading an attachment. Hackers hold your computer or entire system hostage until you either pay the money demanded or find another solution.
This is terrifying enough if your home computer is affected. But in the workplace, ransomware has the potential to wreak havoc on your business — and bring it screeching to a halt.
That’s why every employee should be empowered with the knowledge and tools to stay safe. Especially when more than one-fifth of Canadian companies have been targeted by cybercriminals.
What can you do to raise awareness of cybercrime in your workplace?
Staying Vigilant Against Cybersecurity Threats
One of the first steps is encouraging staff to be vigilant.
An uninformed, unprepared team can introduce an infection into your system without realizing until it’s too late. And even then, the individual responsible may still not understand what they did wrong.
But a well-informed, well-prepared workforce will find recognizing potential threats far easier.
A key component of this is motivating staff to report any and all suspicious activity, no matter how unnecessary it may seem. Risks should be addressed quickly to ensure no concerns are raised in vain.
Employees must undergo effective education to minimize their chances of bringing harmful infections into your system. Working with cybersecurity experts and organizing training sessions will help.
Emphasize the Impact Cybersecurity Breaches Make
A cybersecurity attack in the workplace doesn’t just affect the employee responsible.
It affects their colleagues. It affects your clients. It affects your reputation. Prospective new customers may fear for their own data’s security when they learn your company was targeted.
This is why it’s so vital to show employees the impact cybercrimes can have. They need to understand they’re part of a group and one mistake could mean serious problems for everyone involved.
This is easier if your company culture already leans towards collaboration and teamwork. Otherwise, you may need to incorporate more elements of this into everyday processes. Encourage staff to consider themselves one cog in a machine.
Highlight Common Cybersecurity Threats
You can increase awareness of cybercrimes in your business by drawing employees’ attention to the most common risks.
Provide them with accessible (read: not packed with jargon or technical terms they don’t need to know) resources on:
These are just some of the most common types of cyber-attacks. Help your team understand:
You may want to bring an expert in to discuss this with employees or compile your own knowledge bank. A combination of both may even be the right choice for you.
But whichever option you settle on, your workforce will be more aware of cybercrimes and know how they can reduce your business’s risk.
Cultivate a Security-focused Culture
We touched on company culture briefly earlier, but now let’s delve a little deeper.
Adopting a security-focused culture may reinforce your business against cybercrimes. At the very least, employees are less likely to make common mistakes that cost money down the line.
Introduce checks on employee computers to ensure all their security software is up to date across the board. Make sure any tools they download and use are clean too.
And don’t forget about passwords. You may want to introduce a password policy that stipulates employees change theirs every two weeks or every month.
This can make a positive difference, but only if they know how to choose strong passwords in the first place.
What does this mean? Good passwords include a mix of numbers, letters, and symbols. Workers should never use the same passwords across different accounts or platforms, especially if they’re easy to guess.
That’s why just using your child’s, pet’s or partner’s name is a no-no. This information may be easy to find online — and hackers could cause a data breach without much effort at all.
Making your team more aware of general security in the workplace can feed into their drive to take effective precautions. Welcome their input too.
What do they think can be done to increase their knowledge of cybersecurity? How would they like to see more changes introduced? Don’t be afraid to take their best ideas on board.
Create a Clear Incident Response Plan
If the worst happens and your business is struck by a cyber-attack, who does what?
Your employees must know what steps to take in the event of an incident. Perhaps they need to call a local expert in to help immediately. Maybe they’re required to inform clients about the potential data breach.
Whatever their role, employees should know what is expected of them. Everyone should be able to work together as a team and minimize the damage as best they can. This could make a big difference to your business’s future.
Want to find out how secure your business is against cybercrimes? Curious how cybersecurity professionals can help you stay safe online?
Just get in touch with our experts today and we will be happy to help.
Cybersecurity Training Tips for Every Business
As a business-owner or manager, you want to believe your employees are the best at what they do.
You trust them to work hard. To take their role seriously. To follow standard policies and safeguard the security of your company.
But, sadly, employees can — and do — make serious mistakes. One tiny accident or oversight may lead to costly cyber-attacks that disrupt your operations, chase clients away to your competitors and damage your reputation for years to come.
And don’t assume being a small business means you’re not a valuable target for hackers — 43 percent of cyber attacks are aimed at enterprises like yours.
That’s why effective cybersecurity training is paramount for your workforce. Yet actually finding programs that deliver the right education in an engaging way can be difficult. You don’t want to send your employees on a course only to discover they failed to absorb anything they were taught.
We’ve put together four great cybersecurity training tips to help you protect your business from attacks.
#1. Identify Your Business’s Weakest Points
Every company or organization has its weak points, no matter how high-profile it is or how impenetrable it should be.
For example, FEMA (Federal Emergency Management Agency) recently leaked the personal and banking details of more than two million people affected by major hurricanes. This was due to the actions of an outside contractor, with a small program error sharing important data.
One would expect FEMA to have processes in place to safeguard against such simple-yet-devastating mistakes, yet this major breach still occurred.
Avoid the same (or similar) errors happening in your business by evaluating your current cybersecurity setup. Ask questions, such as:
Determine which aspects of your employees’ work demand the most attention. This makes finding or devising the most effective training easier. You’ll also know what cybersecurity experts can do to reinforce your systems.
#2. Embrace Interactive Exercises
Simply sitting employees in a conference room and lecturing them on cybersecurity may not be enough on its own. We all know how easily the mind wanders when it’s not stimulated for long periods. But you can make training more engaging and easier to absorb by hosting interactive training exercises, simulating an actual cyber-attack.
One way to do this is to distribute a fake phishing email to your entire workforce and note how people react. Hopefully, the majority of your employees will recognize the signs and take the appropriate action (deletion, reporting it to a supervisor etc.).
But if even one person clicks on a link or downloads an attachment, they could be starting your business along a dangerous road.
Obviously, in an exercise there would be no actual hazard, but keep the scenario as realistic as possible — don’t tell employees about it until after the fact. You’ll be able to gauge which employees or departments are up to speed on external threats, making it easier to determine who training should be aimed at.
You can try other exercises too. For example, consider a ransomware attack in which workers become locked out of certain programs and see how well they follow standard procedure. Can they still perform aspects of their job without access to all their usual tools? How do they notify clients of the issue?
Knowing how your team copes in any cybersecurity crisis is vital. You don’t want to realize you’ve made serious strategic mistakes during the real thing.
#3. Make Training a Regular Part of the Job
Cultivate a cybersecurity-focused company culture. Make sure all employees at all levels understand the importance of being aware and vigilant every single day.
Small training sessions or exercises here and there can make a lasting impact with employees. They’re likely to find a quick 20-minute quiz on common signs of a phishing scam much easier to digest than a five-hour block of training in a stuffy office.
Encourage group training and collaboration too. Your workforce is more likely to focus on what they’re being told and take it on board if they’re able to get involved with others: their minds could wander during long lectures or presentations, but not so much when they’re actively interacting with their colleagues.
#4. Create Reward Schemes and Incentivize Vigilance
Another effective way to make cybersecurity training more impactful is to implement a reward scheme.
Workers may feel more motivated to stay alert and watch out for potential cybersecurity threats if they know they’ll receive a tangible reward for extra efforts. Bringing a reward program into your business can encourage everyone to embrace a stricter cybersecurity policy.
Survey your workforce first to discover which rewards would make the best incentives, within reason. For example, if someone were to spot a malicious email and raised the alarm, they could be given a bonus in their next salary or a ticket to their favorite sports team’s next game.
This may only be a minor expense for the business but will save a huge amount of money down the line.
This program could include more than just spotting potential attacks, too. Consider rewarding employees for attending training and completing quizzes afterward, motivating them to pay close attention.
How to Protect Your Business
Cybersecurity training is paramount for all businesses in all industries. Any employees using a computer or device with internet access must be made aware of the potential risks they face, and effective training will do just that.
But investing in weak training that fails to engage your workers is a waste of everyone’s time and money. Follow the tips explored above and bring in cybersecurity experts to help you get your company protected against common threats.
Remember: your clients’ data, finances and routines could all be affected by an error on your part. Their trust is worth the cost of good training.
At The Driz Group, we can help you understand where you’re going wrong and protect your business. How? Contact us today!
Steve E. Driz, I.S.P., ITCP