Posts

Debunking 5 Cyber Security Myths for SMBs

Data Protection & SecurityAs owners and leaders of small and midsize businesses (SMBs), we have limited resources for IT and cybersecurity.  We should not be surprised, therefore, that SMBs face the biggest threat from ransomware and other cyber attacks.  Beyond the cost and risk of ransomware and encryption attacks, SMBs face business email compromise (BEC) attacks and threats to disclose regulated information.  Recovery costs, fines, and legal actions resulting from a successful attack can destroy your business. And yet, many SMBs remain unaware of the risk and/or lacking reasonable data protections and security.  This post intends to debunk five (5) cyber security myths for SMBs.

1My company is too
small to be a target

While note every attack is successful, one global report states that 86% of SMBs have been hit by ransomware attacks, with 20% attacked more than six times. With fewer resources and less focus on cyber security, SMBs represent an attractive target for attackers.  The increase in remote work and use of remote desktop protocols creates additional opportunities for attackers. Securing and managing these services requires time and attention.

The impact of a successful ransomware attack continues to increase.  According to Verizon’s 2020 Data Breach Investigations Report, the average cost of a successful ransomware attack grew from an average of $34,000 to just under $200,000.

2I cannot afford to protect
against cyber attacks

Cyber attacks are inevitable. Protecting your business does not require expensive solutions.  Your cost for endpoint protection for your devices, advanced threat protection for email, and security awareness training is pennies per day per person.  You can deploy multi-factor authentication (MFA), local disk encryption, and the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) protocols for free. You can deploy cloud-based business continuity and disaster recovery (BCDR) for less than traditional backup/recovery solutions.

3I have backups,
so I am safe

Not all backup solutions are equal.  Many backup/recovery solutions for SMBs run on the same servers and networks as your business systems. Ransomware and other cyber attacks will seek out and encrypt/damage backup servers to render your backups useless.  Your backup/recovery solutions should be segregated from your production network and systems to shield them from attack.  Business Continuity/DR solutions offer the additional ability to bring systems back on line in an alternate cloud data center while you recover your primary systems.

4Technology alone
will save me

As with most security protocols, people are your first line of defense.  As many as 93% of cyber attacks begin with a phishing attack. People click on links, unwittingly downloading malware or sharing usernames and passwords.

Security awareness training should be a standard practice within your business.  The training is a proven way to reduce risk, decrease infections and help desk requests, reduce the chances of a security breach and strengthen the overall security posture.

5Cyber resiliency is
too hard to achieve

Cyber Resilience is the ability to withstand security attacks and land on your feet, no matter what happens. Cyber resilience protects your business, customers, and employees from ransomware, business email compromise, and other potential issues and attacks.

While some gaps in security will always remain, you can affordably improve your cyber resiliency.

To overcome these 5 small business cyber security myths, review your security footprint, and improve your resilience, please contact us by email, via our website, or by scheduling time directly with one of our Cloud advisors, with any questions or concerns regarding this service update.

IT Security for Small Businesses

Security, Privacy, & ComplianceStreamlining IT Security for SMBs

Streamlining IT security is a more balanced message about why and how to protect your business. Over the past year, we have covered the on-going, and increasing, threats to small businesses.  We often highlight the scope and severity of the risk, including how security trends will affect small business.  Hopefully this information, along with cost-effective solutions, prompts you to act. At times, we may appear to be fear-mongering.

Sound business practices, not fear, should be your motivation to protect against cyber attacks.

The market is awash with cyber security solutions. These range from single-protection products to complex advanced security monitoring and response services.  The number of options, and competing claims, is overwhelming.

Our Recommendations on IT Security for Small Businesses

Focus protections on the most common, and most damaging, types of attacks.

1. Focus on Risks

We know that:

  • More than 80% of cyber attacks start with, or involve email via phishing and other social engineering tactics
  • Ransomware is the most common type of attack
  • Business email compromise (BEC) is the most costly type of attack
  • Attacks via DNS and web content are becoming more of a risk

As such, small and midsize businesses should focus on preventing these types of attacks. Plan to limit your security approach and spending to prevention and recovery from these risks.

2. Use our CPR model as a guide

Communication and Education

Make sure your team knows how to spot an attack and what to do if they suspect an attack.  They should know the risks and steps you are taking to protect your business.

Periodically sharing articles or updates may be sufficient to strengthen your business.  Subscribing to a security awareness training service is an affordable way to provide this education. Your cyber insurance policy may require this service.

Protect and Prevent

To protect your business from the greatest risks, put the following solutions in place:

  • Multi-Factor Authentication (MFA)
  • Encrypt data at rest, including on servers, desktops, and laptops
  • Use advanced threat protection (ATP) on all email accounts for inbound messages
  • Ensure your endpoint protection (local anti-virus) is a next-gen solution
  • Use DNS/Web protection to prevent harmful downloads

Specific to business email compromise attacks and ensuring your legitimate emails are not flagged as dangerous, ensure your domain configuration include the following protocols and services:

  • An accurate and complete Sender Policy Framework (SPF) record
  • DomainKey Identified Mail (DKIM) for all sources of email (including marketing tools)
  • Domain-based Message Authentication, Reporting, and Conformance (DMARC)

Respond and Recover

Even with protections in place, cyber attacks can be successful.  Ensure that you can return to operations quickly, even as a full recovery may take time. Your ability to recover and respond should include:

  • Backup/Recover data stored in the cloud (Microsoft 365, Google Workspace, etc.), as well as on local servers, desktops, and laptops
  • Continuity services so you can run images of key servers, desktops, and laptops if they are damaged by an attack

Note that continuity services also protects you from the impact of hardware issues, theft, and other losses.

Start with an Assessment to See Where Your Small Business Stands with IT Security

For a limited time, our Rapid Security Assessment is free of charge. Complete a 3 minute survey and receive a detailed report benchmarking your basic security services with respect to the most common cyber attacks against small and midsize enterprises.  

To learn more, please join us on May 17th at 3:00 PM ET for Streamlining Security, our May 3T@3 Webcast or schedule a no-obligation call with one of our cloud advisors.


Service Update: Advanced Threat Protection

Service Update Announcement

Beginning July 1, 2022, Cumulus Global is adding Advanced Threat Protection services to all clients using Microsoft 365 and Google Workspace.

With more than 40% of cyber attacks targeting small businesses and two thirds of attacks using email, Advanced Threat Protection is no longer an option. The stakes are too high. Recovery takes an average of 21 days and 60% of small businesses fail within six months of a successful attack.

To minimize the impact, we are waiving the standard setup fee and discounting the service by 20% for customers with an annual commitment. The fee will be reflected on your annual invoice or monthly invoices, as appropriate.

You may opt out of the Advanced Threat Protection service. To opt-out, please notify us by email prior to May 25, 2022. If you elect to opt-out, please review the terms of our Service Level Agreement as posted on our website.

Please contact us or schedule time with one of our cloud advisors if you have any questions.

Business Email Compromise – The Costliest Type of Cybercrime

Email, Communications, & MobilityBusiness Email Compromise

While the massive number and scale of ransomware attacks get the most media attention, Business Email Compromise (“BEC“) attacks are the costliest type of cybercrime.

What is a Business Email Compromise (BEC)?

In a BEC attack, the criminal impersonates you and convinces somebody who trusts you to send money. While successful attacks often begin with unauthorized access to your email account, savvy criminals use email and domain impersonation techniques. They trick others into thinking that you are asking for, or instructing them to complete, a money transfer.

As we noted in a recent post, real estate agents and brokers are prime targets of Business Email Compromise attacks because they regularly discuss transferring large amounts of money with their clients. As noted in this recent email scam article from the Associated Press, however, BEC attacks are hitting a wide range of small businesses, nonprofits, and schools.

Business Email Compromise attacks succeed when cyber criminals are able to collate enough information about you to gain access to your account or impersonate you.  Here is how they do it:

  • Given that you use your email address to log into many systems, a third party breach can provide attackers with your email address and enough information to calculate your password.
  • Third party breaches often provide hackers with enough personally identifiable information (PII) about you to launch a successful phishing attack that captures your username and password.
  • Scanning social media posts can also provide hackers with enough PII to successfully phish for your identity.
  • Malware, known as an Advanced Persistent Threat (APT), that makes it past your endpoint protections can gather usernames, passwords, and other information while running undetected on your computer.

How to Prevent Business Email Compromise

Protect Your Identity

To keep your email account secure, you need to protect your identity.

  • Understand the risks and follow practical advice for safe online hygiene. Use unique, complex passwords across systems; avoid oversharing personal information; and learn to recognize phishing and impersonation attacks.
  • Use “Next-Gen” endpoint protections to prevent zero-day attacks, APTs, and more traditional forms malware.  These solutions use heuristics, AI, and behavioral analysis of files to identify an attack. They can also “roll back” changes to stop an attack.

Secure Your Email Service, and All of Your Services

Even as you protect your identity, you still need to secure your email service through proper data protection and security services.

  • Advanced Threat Protection (ATP) protects your account from phishing attacks, bad links, infected attachments, and other risks. ATP verifies sender information and test links and attachments in a “sandbox”, allowing safe messages to arrive in your inbox.
  • Two-Factor Authentication (2FA), or Multi-Factor Authentication (MFA), can prevent access to your accounts if your username and password are compromised.
  • Ensure that all of your information is encrypted at-rest and in-motion. Your email service should use Transport Layer Security (TLS) to encrypt messages between sending and receiving services.  Encrypt files on your local disk, on any file servers, and in the cloud.

Prevent Email and Domain Impersonation

As noted in a recent blog post, you can use three (3) different levels of email security to prevent email and domain impersonation.

  • Sender Policy Framework (SPF): Authenticates addresses you use to send email.
  • DomainKeys Identified Email (DKIM): Digitally signs messages to ensure emails are not altered en-route.
  • Domain-based Message Authentication, Reporting, and Conformance (DMARC): Authenticates email origin and instructs recipients how to process bad messages. A DMARC service will track and report any potential issues.

These protocols and a DMARC monitoring service offer the best protection against BEC and impersonation attacks. They also help improve the deliverability of your email. Our ebook, Email Security: Good, Better, Best, dives deeper into this topic.

For a limited time, our Rapid Security Assessment is free of charge. Complete a 3 minute survey and receive a detailed report benchmarking your basic security services with respect to the most common cyber attacks against small and midsize enterprises.  

 

Expect an Increase in Cyber Attacks

Data Protection & SecurityThe U.S. Cybersecurity & Infrastructure Security Agency, part of the U.S. Department of Homeland Security, is warning businesses to be prepared to defend against cyber attacks originating from Russia. “Every organization—large and small—must be prepared to respond to disruptive cyber activity,” the agency says in its warning.

Our security vendors, analyzing aggregate data, are starting to see a definitive increase in the number and frequency of attacks.

Fortunately, you have a range of tools at your disposal to protect you business:

  • Next-Gen endpoint protection
  • Advanced threat protection
  • Multi-factor authentication
  • Cyber-awareness training
  • DNS/Web protection
  • Third party breach monitoring

These services, paired with recovery and continuity services, can prevent your business from succumbing to an attack. And, if you do fall victim, ensure your business can be back up and running on hours, not days or weeks.

Please contact us if you have any questions or would like a no-obligation review of your security footprint.  You can also schedule a call with one our Cloud Advisors, below.


4 Pillars for Integrated Security

All of us have data and services in the cloud and on-site. Whether we have local servers or just our laptops, securing your business means applying an integrated security solutions strategy.

What is Integrated Security?

An integrated security system is a centralized platform that typically combines or “integrates” two or more electronic security systems such as access control devices, video surveillance, or wireless alarm systems. This integration makes it easier to manage all of these seemingly disparate components and adds a layer of security to the organization.

An integrated system enables all of the company’s apps and tools to work in unison. It can improve sales while improving customer service and increasing efficiencies.

The following 4 pillars for integrated security solutions create a foundation that can be applied and adapted for your business.

4 Pillars of Integrated Security Solutions

1. Identity and Access Management (IAM)

IAM protects users’ identities and controls access to valuable resources based on user roles and responsibilities, risk levels, and regulatory (or policy) requirements. IAM solutions are often a collection of logins, each with their own requirements and processes, such as multi-factor authentication.  Integrated IAM solutions simplify the user experience, improve security, and lower hard and soft costs.

2. Advanced Threat Protection (ATP)

ATP protects against advanced threats and, if done well, helps you recovery quickly when attacked.  ATP is more than “next gen” email protection.  ATP applies to threats from infected websites and human behavior exploits. Integrating ATP into your security architecture helps prevent increasingly sophisticated attacks from succeeding.

3. Information Protection (IP)

Information Protection shares the same acronym, IP, as intellectual property.  This fits well as Information Protection ensures your documents, emails, and other communications are seen only by those authorized to do so. IP uses encryption, advanced access controls, recipient validation, and other services to manage data visibility. Integrated Information Protection is key to security hybrid cloud/on-site environments effectively.

4. Security Management

Security Management gives you visibility and control over your security tools, processes, and activities. As part of an integrated security architecture, Security Management empowers you to assess risk and compliance, manage services, and respond effectively.

How to Include Integrated Security Services

How do you know if your integrated security solutions architecture is up to stuff?  Do you have opportunities to simplify security for your team?  To save money?  Here is a roadmap.

ASSESS

Assess your current security architecture against your regulatory, industry, and business requirements. Ensure you have the necessary components, policies, and procedures. Assess the “user experience” and look for ways to simplify. If security is a burden, users will finds ways to sidestep the data protections.

PLAN

Plan you updated security integration. Understand the impact on your systems, and your people, and how you will make the changes. Communicate your needs and plans, as communications is key to success.

EXECUTE

Make the changes.  Too often, needed solutions get delayed or dropped as other issues arise.

Next Steps for Integration Security Solutions

Security, Privacy, and Compliance is a cornerstone of what we do. Contact us to speak with a Cloud Advisor; we are here to help.

Phishing Attacks Spike Amid COVID-19 Crisis

Cyber AttackIt should be no surprise to you that we are seeing a surge in phishing and other cyber attacks, as criminals look to take advantage of the COVID-19 crisis. A sample of recent news reports illustrates the scope of the problem.

  • In April, the FBI issued a warning about COVID-19 stimulus package scams (CNET).
  • In mid-April, Google reported the daily volume of malware and phishing attack emails jumped to more than 18 million per day (The Verge).
  • Last week, TechRepublic reported a surge in phishing emails trying to exploit DocuSign and COVID-19.
  • Hackers are impersonating Zoom, Microsoft Teams, and Google Meet for phishing scams (The Verge 5/12/20).

Understand the Risk

The risk to your business, employees, and customers is greater at time when your systems may be less secure.

If your employees are using home computers while following stay-at-home orders and guidance, your risk of falling victim to an attack is significantly greater.  Most home computers do not have commercial-grade, next-generation endpoint protections and many run outdated versions of the consumer-grade products installed.

CPR is Still the Best Practice

Our model remains the best, holistic method of avoiding attacks at the human and tech levels, and for responding should something slip through.

Communicate & Educate

  • Remind your employees to be on the look out for suspicious emails, phone calls, web links.
  • Encourage your team to get help and verification if a message or interaction appears or feels suspicious in any way (better safe than sorry).
  • Consider testing employees with simulated attack messages and identify those that may need additional training and guidance.

Prevent & Protect

  • Deploy multi-factor authentication (MFA) and, optionally, single sign-on (SSO) services to prevent the use of compromised accounts.
  • Install Advanced Threat Protection solutions for inbound and outbound email to catch phishing, ransomware, and other illegitimate message.
  • Deploy “next generation” endpoint protection on computers and mobile devices to detect, prevent, and undo damage from dangerous files and applications.
  • Put Web and DNS protection services in place to prevent downloading attacks from hacked websites and identity impersonation.
  • Monitor the “dark web” for direct and third party breaches that may compromise your employees’ business accounts.
  • Take advantage of data loss prevention features built into G Suite and Microsoft 365, and consider tools to identify and prevent unauthorized access, permission errors, and data loss.
  • Eliminate the use of “shadow IT” services, particularly free or consumer-grade services by providing those capabilities to employees and making sure they know how to use them.

Restore & Recover

  • Ensure that you back up and can recover your data, regardless of location.  Your data is not just on your physical or virtual servers, it resides in your Microsoft 365 or G Suite environment, in SaaS applications like Salesforce, on desktops and laptops, and on mobile devices.
  • Put business continuity systems in place with affordable services that let you spin up and run images of your servers and workstations in a cloud data center while you recover your primary systems.
  • Have a breach response plan and service in place as an increasing number of attacks are stealing information, as effective data breach response involves:
    • Forensic analysis and recovery
    • Legal compliance with reporting requirements
    • Legal strategies to minimize liability
    • Increased customer service demand
    • Communications with customers, stakeholders, and the media
    • A potential need to provide consumer protection services
    • Cyber Insurance claims management

Fortunately for most businesses, putting these protections in place is affordable and can be done with minimal impact on your employees and their productivity.  Understand your needs, assess the value proposition (include the risks and costs of doing nothing), and deploy a solution that is the best fit for your business.


Please contact us for assistance as you evaluate your risks, needs, priorities, and solutions.


 

Customer Notice Update: Email Advanced Threat Protection

Data ProtectionGiven the demand and need to improve your protection from the devastating impact of ransomware, crypto attacks, and other forms of cyber attacks we are extending the Advanced Threat Protection Priority Opt-in discount period through March, 2020. We understand that adding a service, even a critical service, impacts your budget and costs. Our Priority Opt-In discounts, and other measures (see below), intend to minimize the impact.

Email Advanced Threat Protection (ATP) and Multi-factor authentication (MFA) are necessary, baseline services for protecting your business

Beginning April 1, 2020, we require Advanced Threat Protection for all of our customers’ email service, unless you specifically opt out. Opting out is appropriate if you already have an advanced threat protection service in place.

If you opt out, the cost of our data recovery efforts will not be covered under our unlimited support plans (See our Support Services SLA). When we add ATP to your service, we will discuss with you when we can add MFA.

We will mitigate the cost.

We are sensitive to your budget.

  • ATP requires a technical setup and typically incurs a setup fee along with the monthly or annual subscription.
  • We are discounting both the setup and subscription fees for all customers. For customers requesting Priority Opt-In, we will waive the ATP related setup fees completely.
  • MFA implementation is covered by our support plans as an administrative change.  If you do not have on of our support plans, we will provide an affordable, discounted quote for the project.
  • For customers without an unlimited support plan and/or those that choose to Opt-Out, we will discount our hourly fees for recovery work.

For more information on specific discounts and pricing, and to let us know if you want to Opt-In, to have Priority Opt-In, or to Opt-Out, please visit this web page and complete the form.

We realize that this is a significant change for most of our customers.  We also understand the importance of these protections.  Please contact us with questions or concerns

Thank you for being part of our community,
Allen Falcon
CEO & Pragmatic Evangelist

Customer Notice: Email Advanced Threat Protection

Data Protection

(Updated January 20, 2020)

We continue to witness the devastating impact of ransomware, crypto attacks, and other forms of cyber attacks on our customers.  The recovery cost and frequency of attacks are increasing at alarming rates. The average cost for a small or midsize business (SMB) to fully recovery from a cyber attack has increased to between $145,000 and $180,000. This includes loss of direct business, remediation costs, damage to reputation, and employee downtime.  At the same time, the number of ransomware attacks so far in 2019 has doubled when compared with the same period in 2018.

As a managed cloud service provider, you have heard from us that you “should” have more protections in place. Our position is changing: these protections are a “must”.

Multi-factor authentication (MFA) and email Advanced Threat Protection (ATP) are necessary, baseline services for protecting your business. 

Beginning April 1, 2020, we will require and will begin adding Advanced Threat Protection to all of our customers’ email service unless you specifically opt out. If you opt out, the cost of our data recovery efforts will not be covered under our unlimited support plans (See our Support Services SLA). When we add ATP to your service, we will discuss with you when we can add MFA.

We will mitigate the cost.

We are sensitive to your budget.

  • ATP requires a technical setup and typically incurs a setup fee along with the monthly or annual subscription.  We are discounting both the setup and subscription fees for all customers. For customers requesting Priority Opt-In, we will waive the ATP related setup fees completely.
  • MFA implementation is covered by our support plans as an administrative change.  If you do not have on of our support plans, we will provide an affordable, discounted quote for the project.
  • For customers without an unlimited support plan and/or those that choose to Opt-Out, we will discount our hourly fees for recovery work.

For more information on specific discounts and pricing, and to let us know if you want to Opt-In, to have Priority Opt-In, or to Opt-Out, please visit this web page and complete the form.

We realize that this is a significant change for most of our customers.  We also understand the importance of these protections.  Please contact us with questions or concerns

Thank you for being part of our community,
Allen Falcon
CEO & Pragmatic Evangelist

Phishing and Spear Phishing

This post is part of our Cyber Threat Series.

The Challenge:

Cyber criminals prefer Phishing attacks. Phishing and Spear Phishing remain the primary vector for Malware attacks. Hackers evenly distribute attacks between two variants: Malicious Email Attachment (39.9%)  and Malicious Link (37.4%).

Leveraging human nature, phishing attacks look and feel like legitimate emails. Recipient often miss the cues that the email is fraudulent. We respond by clicking links to malicious websites, opening pictures or videos with hidden downloads, or opening infected attachments.

Advanced phishing attacks correlate public information from social media and pirated information from compromised systems to further personalize the attacks. These advanced attacks do a better job of hiding the malicious intent. As such, even savvy users fall prey.

What to Do:

The best protection is multi-level and multi-vector:

  • Teach your users about the risks and how they can help prevent attacks. User awareness leads to smart decisions on when to trust and when it’s safe to click.
  • Protect your devices with “Next Gen” endpoint protection. This includes your desktops, laptops, and mobile devices. Phishing attacks are usually platform independent and, therefore, trigger from most any email client or application.
  • Protect your email with an independent advanced threat protection (ATP) service. ATP covers inbound and outbound traffic.  ATP uses pre-analysis and testing of links and attachments for mismatched domains, copycat content, and malicious behavior. This “sandboxing” lets the ATP service block attacks from reaching your inbox.
  • Add a DNS and Web Protection solution to your environment.  Web protection blocks infected or fraudulent web sites, including blocking malware on infected sites we trust. DNS protection prevents hackers from corrupting and using your domain identities.
  • Deploy backup/recovery and continuity services that protect your on-premise and cloud data. Should an attack make it through your protections, you should be able to keep your business running while you clean up the damage.

Contact us to discuss your cyber threat protections. The Cloud Advisory session is complimentary and without obligation.


 

Webcasts

Email Security and Reliability

(8/17/2021) – A deep dive look at email security and reliability, with a focus on how DMARC prevents business email compromises, spoofing, and phishing attacks. In addition to protecting you from inbound attacks, DMARC protects your domain’s reputation and helps ensure reliable email deliverability.

Email Security and Compliance

(7/20/2021) – An updated look at email security and compliance. Summarizing risks and trends, we dive into a tiered approach to ensuring your business, data, employees, and reputation are protected.  We also discuss emerging compliance requirements and steps you can take to ensure you operate within regulatory, industry, and policy expectations.