There are many cybersecurity threats to be aware of when protecting your business. One that is getting more attention is smishing. Like phishing emails, smishing texts are social-engineering scams that aim to manipulate people into handing over sensitive data such as Social Security numbers, credit card numbers and account passwords, or into granting access to a business's computer systems. They rely on persuading you that the sender is a familiar or trusted source and that urgent action is needed to secure a benefit, resolve a problem or avert a threat. It is important to have a plan in place to defend against such attacks.
Welcome back to Whiteboard Wednesday, folks. Mike Cromwell, co-host.
And we’re here today to talk about the third episode in our cybersecurity posture series. Today we’re going to dive deep into end users, which represents really the biggest threat that we talked about, Brian.
So walk us through what a great posture looks like as it relates to end users and mitigating the risks on that front.
The reason end users represent so much risk is because you’re introducing the human element, right? They have to make a decision about what they do, an action that they take, if something that represents harm is introduced to them. So these are things like phishing emails, social engineering schemes, smishing (phishing by text), and those types of things. So really, what you want to do is have a multi-pronged approach towards how you approach the end user aspect of your cybersecurity posture. And so with ours, we take this approach where we’re assessing our current situation.
So we use a product, shameless plug for KnowBe4, we’re a partner of theirs; Netrio implements their solutions and they walk us through a lot of these components. I’ll point out which ones. So you have tools that help you assess what your end user aptitude is when it comes to cybersecurity. So prior to implementing anything, you want to assess where you are because you really want to say, okay, here’s current state, here’s desired state. And then how do I get a path to get there?
Right? So you assess your current aptitude, you understand your business risk, right? I have different business risks if I’m a financial advisory firm than I do if I’m a hospital, right. Or if I’m a lawyer. So my business risks are different based on the industry that I’m in and how my industry does business. For instance, if you work in the real estate industry and 99% of financial transactions operate via wire, would-be hackers are going to try to attack that by saying, wire me some money, right?
So just understand what the threats are to your organization and then train your end users. Use a training program. There are very mature platforms out there; KnowBe4 is one. They have video-based training that keeps it interesting, some have gamification built into them. And afterwards you can test your users to make sure that they understood the video content that they watched and that they learned something from it. Right? And then evaluate where you stand. Right? Here was my starting state.
Here’s my desired state. Here’s my current state. How do I get there? Right? And you get there through education. And train your users, teach them about social engineering schemes where, like, I can look at anybody’s website and figure out who’s on the executive leadership board. I can pick up the phone and call somebody and misrepresent who I am and ask them for a piece of information that would then in turn allow me to do something malicious. Right? So you’ve got to train people on all the threats and the types to be expecting.
And then lastly, you’ve got to introduce some multi-factor authentication for your end users. Just a password these days is no longer sufficient. You’ve got to have some other piece of data that they can enter into an app or an authenticator or a YubiKey or something like that that allows them to verify who they are.
And let’s talk about as it relates to the end user. What are the top risks?
It’s software embedded in email. Right. And phishing attempts. So a phishing attempt is when someone sends you an email with the intent of you clicking a link and then entering a password or another piece of personally identifiable information that then allows them to do whatever they need to do. So those are probably the top two threats.
Alright, well, thanks for tuning in, folks. See you next week.
Prior to implementing any type of plan, assess your current state, define your desired state, then set a path to get there. It is also important to understand the specific threats you are up against, which depend on the type of business you work for: a real estate firm that moves money by wire faces wire-fraud lures, while a hospital or law firm faces attackers after patient or client records.
Mid-market companies can be targeted more often, as they have more valuable assets than small businesses but fewer IT security resources than enterprises. While all companies, regardless of size, mostly face the same types of risks, small and midsize businesses are more susceptible to them because of a combination of factors, most of which come down to a lack of resources combined with a lack of focus on cybersecurity. Understand what type of business you work for and you will have a better understanding of which threats to look for, which makes them easier to avoid.
It can seem impossible to prevent a cyber attack, but most attacks can be stopped with a combination of endpoint security tools, such as endpoint detection and response (EDR) software and next-generation antivirus, strict security policies and compliance guidelines, and trained users who recognize social engineering; no endpoint tool stops an employee from typing a password into a convincing fake login page. NETRIO partners with a company called KnowBe4 which can be very helpful for your business. KnowBe4 is the world’s most popular integrated platform for security awareness training combined with simulated phishing attacks. They help thousands of organizations manage the continuing problem of social engineering. Their mission is to train businesses’ employees to make smarter security decisions.
One of the most important concepts to grasp about cybersecurity is that maintenance is a constant job. New attacks appear monthly, if not daily, and your approach to guarding against them can’t be limited to annual training. If you only patched your network devices once a year, your security would be a nightmare; user awareness decays the same way.
As the number of data breaches and hacks continues to rise, it’s vital for your business to take steps to ensure you don’t find yourself in the headlines. Just like with any organizational transformation project, that means getting your team to buy in and build habits. Training is the key here, along with constant reminders that there are threats out there and maybe even a “live fire” exercise such as a simulated phishing campaign to show how easily anyone can fall victim to an attack. Remember that cybersecurity is a team effort, and you need to put your employees in a position to succeed.
Multi-Factor Authentication (MFA)
Over the past few years there has been a revolution in the way business works. Businesses now rely on cloud applications for their powerful features, to be more productive and to collaborate with virtual teams. This became even more important during the Covid-19 pandemic as, for many teams, remote collaboration became absolutely essential for continued business success. As we rely more on these accounts, it’s critical that organizations ensure they are secure.
Adding a second factor makes it significantly harder for attackers to cause damage, since they must now defeat two independent factors: something the user knows (a password) plus something the user has (a phone, an authenticator app or a hardware key) or is (a fingerprint). Additionally, MFA is becoming more ubiquitous and easier to use, which creates less friction with end users. This makes multi-factor authentication attractive for organizations looking to strengthen their security without creating much additional overhead. One other key point: many end users are now concerned about their online security and what a compromise could mean for them, which means they are motivated to protect themselves and their accounts.
Multi-factor authentication guards against account compromise by adding a second check to every log-in attempt. If an attacker obtains an account password and no MFA is in place, they can sign in, change the password and effectively lock the legitimate user out; sometimes it takes months before a compromised account is even noticed. With MFA in place, a stolen password alone is not enough: the log-in fails at the second factor, and an unexpected prompt or code request is itself a signal to the user that their password is in someone else’s hands. It is unlikely that a cyber-criminal will possess your smartphone or fingerprint as well as your password, so MFA massively improves account security. Not all second factors are equal, though: SMS codes can be intercepted through SIM swapping, one-time codes and push approvals can be relayed by a real-time phishing site or worn down by repeated prompts, whereas FIDO2/WebAuthn hardware keys (such as the YubiKey mentioned above) bind the log-in to the genuine site and resist phishing outright.
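To make the "second factor attached to every log-in" concrete, here is an added example of a password-plus-TOTP check of the kind an authenticator app and a login service perform. It is not NETRIO's or KnowBe4's code; the HOTP/TOTP arithmetic follows RFC 4226 and RFC 6238, while the user record, the hypothetical login() function and the demo credentials are constructed for illustration (the TOTP secret is the RFC 6238 test-vector key so the codes can be checked against the standard). The point it shows: an attacker holding Alice's phished password but not her phone is stopped at the second factor.

```python
"""Password + TOTP (RFC 6238) second-factor login check.

Added example: the HOTP/TOTP arithmetic is the standard RFC 4226/6238
algorithm; the user store, login() flow and demo credentials are constructed.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' to a 31-bit integer, reduced mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(time / step). This is what the
    authenticator app on the user's phone computes every 30 seconds."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, digits: int = 6, skew: int = 1) -> bool:
    """Server-side check. Accept the current step and +/- `skew` neighbours to
    tolerate phone clock drift; compare in constant time, no early return."""
    counter = unix_time // step
    ok = False
    for delta in range(-skew, skew + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), code):
            ok = True
    return ok


PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def check_password(stored: Tuple[bytes, bytes], password: str) -> bool:
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, candidate)


# Constructed demo user. The TOTP secret is the RFC 6238 test-vector key so the
# codes can be checked against the RFC; a real enrolment generates it with
# os.urandom(20) and shows it to the user once (usually as a QR code).
DEMO_TOTP_SECRET = b"12345678901234567890"
USERS = {
    "alice": {
        "password": hash_password("correct horse battery staple"),
        "totp_secret": DEMO_TOTP_SECRET,
    },
}
# Dummy record so an unknown username costs the same PBKDF2 work as a real one.
_DUMMY_PASSWORD = hash_password(os.urandom(16).hex())


def login(username: str, password: str, otp: str, unix_time: int,
          users: dict = USERS) -> str:
    """Hypothetical login flow. Returns 'ok' or a 'denied: ...' reason.
    Both factors are always required; a stolen password alone never gets in."""
    user = users.get(username)
    stored = user["password"] if user else _DUMMY_PASSWORD
    password_ok = check_password(stored, password)
    if user is None or not password_ok:
        return "denied: bad credentials"
    if not verify_totp(user["totp_secret"], otp, unix_time):
        return "denied: second factor missing or wrong"
    return "ok"


if __name__ == "__main__":
    now = 59  # RFC 6238 test time; in production use int(time.time())
    code = totp(DEMO_TOTP_SECRET, now)  # what Alice's phone would display
    # Phished password, no phone: stopped at the second factor.
    print(login("alice", "correct horse battery staple", "", now))
    # Password and current code together: ok.
    print(login("alice", "correct horse battery staple", code, now))
```

The skew window is the usual compromise between phone clock drift and replay exposure; a production service additionally records the last accepted counter per user so a code cannot be reused inside the window, and, as noted above, a relayed TOTP code still works for an attacker who proxies the log-in in real time, which is the gap FIDO2 hardware keys close.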