As many of you have heard, there was one of the largest cyber-attacks on our country that happened a couple weeks ago. The fallout from which will probably be going for some time. If you haven’t heard about it, that rock you’re leaving under might need to be upgraded with at least some windows. No, but really, if you haven’t heard about it, I recommend you look it up and follow this story as it unfolds.
The big details are that multiple branches of our government were breached by a cyber-attack. There were also multiple enterprise level businesses that also were breached. This includes Fire Eye, one of the largest Cyber Security firms in the US, Microsoft, as well as multiple Fortune 500 companies.
This was a very sophisticated attack, which took many months and a lot of patience by the attackers to infiltrate these networks and eventually gain access to the systems and information they wanted. It is reported that they were inside these systems for the better part of a year! As I mentioned, the fallout from this will be unfolding for quite a while.
Luckily, for small businesses, this specific attack does not carry any risk, at least from what we know so far. Also, for assurance to our clients, we do not use those platforms, so there are no risks to any of our tools or platforms we use from this recent incident. However, this is an ongoing threat to all our businesses, for which we must stay vigilant.
The past few years, these types of high-level sophisticated attacks have been on the rise, and all indicators say that this trend will continue in 2021. Therefore, many of the conversations we’ve been having with clients loop back around to cyber security. Todays networks need to be imagined from a security perspective. If one of the top cyber security firms in the US was hacked, I would expect there to be questions about how a small business can protect itself against these types of attacks.
Let me be clear: The days of ignoring your businesses cyber security are over. In fact, the days of putting your technology as the last priority in your business are over.
Technology has become the main tool we use every day. It’s in our hands, we utilize it almost every waking hour of the day. Even when we are not directly using it, it’s assisting us in some way. For most of our clients, every department, every system utilizes technology in some way. It’s so much so that if your technology all stopped working today, your business would as well…. There is probably no other single thing you can point to that could have that effect on your business.
Even though we all know this, we often see technology and cyber security put on the back burner. It’s historically been a risk that many companies were willing to take. Now, that posture must change.
Here’s a couple stats that scare the hell out of me. I’m hoping I’m not the only one:
- More than 99.9 percent of hacked accounts didn’t use Multifactor Authentication
- 8-character passwords can be hacked in under 8 minutes. If you use special characters, it goes up to a whopping 96 hours. However, if you even move to 10 characters with upper case, lower case, and special characters, it goes up to 10 years!
- The average cost of a ransomware attack on businesses is $133K.
- The average cost of a data breach is $3.92 million as of 2019.
- 62% of businesses experienced phishing and social engineering attacks in 2018
- IoT devices experienced an average of 5200 attacks per month. That’s your Amazon Alexa and smart home devices.
- 48% of malicious email attachments are office files.
- 65% of groups used spear-phishing as primary infection vector.
- 94% of malware was delivered by email.
- Almost a third of all data breaches involved small businesses.
Okay, I’ll just stop there. The stats go on and on, but I chose these to make a few specific points:
- If your company experiences a data breach, you must notify law enforcement, other affected businesses, and any affected individuals.
- These threats need to be taken seriously by businesses and organizations of all sizes.
- These attacks are largely coming through our most common application, email.
- Your end users are often your first line of defense.
- Many attacks can be stopped just by using multifactor authentication.
- Make sure to involve IT in any decisions that will affect the network. This includes new devices on the network, new cloud accounts, remote workers, as well as decisions about using new vendors or new software systems.
- Encrypt your systems to reduce your level of risk.
- Employ better credential policies company wide. Enforce those policies. Only use vendors that also enforce those policies.
- Have Cyber Security insurance.
- Have an incident response plan.
- Have a disaster recovery plan.
The good news about this is that most of these items don’t even require an IT persons or company. These are things that almost every business can do today. The first step is to set a goal to get these things done. Set a date, plan, and just do it. And if you’re not able to do it yourself, reach out to Pacific IT Support, or anyone that can help you implement these basic security measures.