Last month’s column about cybersecurity explored the idea of viewing your IT infrastructure in layers. The idea is to establish cybersecurity protections for each layer of your systems: the human layer, perimeter, network, endpoint, application, data, and the mission-critical layer.
The human layer is the most vulnerable one and usually where cyber intruders are most likely to find their way into your business. Once inside, they are able to attempt to penetrate each layer until they reach the grand prize—a place where they can hold your data or even your entire IT environment ransom and demand payment for restoring the data or system operability. So, what are the best practices for avoiding penetration of the human layer?
Most businesses now have at least rudimentary technical protections, so attackers have turned to other ways of tricking us into bypassing them. Phishing is one of the most common. Email phishing and its variants (HTTPS phishing, whaling/CEO fraud, pharming, clone phishing, and so on) are social engineering techniques that try to convince us that a request comes from a trusted friend, vendor, or business partner.
How many times have you received an email, apparently from PayPal, asking you to change your password, when you cannot remember the last time you used PayPal? Many of us have been asked to enter our Microsoft credentials to open a document, only to learn it was an attempt to harvest our email contacts or OneDrive files and folders. Those are the obvious examples; the latest social engineering techniques are far more polished and insidious, and they change daily. We need more protection.
Security Awareness Training
This is a strong front-line defense against social engineering. The idea is to keep employees continuously aware of the latest techniques attackers use, how to identify them, and what to do when they recognize one. Employees are routinely tested, for example with simulated phishing emails, on both their awareness and how they respond. Ask your MSP or IT manager about it, and if your budget allows, sign up. The investment is likely to be a few dollars and a few minutes of each employee's time per month, which is well worth it for most businesses.
Even the most well-trained of us will probably, at some point, be fooled into giving away the credentials we use to log on to our computer, our network, or the websites that hold our private data, or otherwise expose a username and password.
Multi-factor Authentication (MFA)
Multi-factor authentication is a valuable tool. It is an authentication method that requires the user to present two or more independent forms of identity verification before being allowed access to a website, network, or application. The factors come from three main categories.
- The first is something you know: a password, a PIN, or even a secret knock.
- The second is something you have: a physical object such as a key, a smart card, a phone running an authenticator app, or a hardware security token.
- The third is something you are: biometric verification such as a fingerprint, retina scan, or voice recognition.
Microsoft engineers said in March 2021 that 99.9% of the account compromise incidents they deal with could have been blocked by multi-factor authentication. MFA, like security awareness training, is a very cost-effective defense; depending on the provider, it can cost less than $10 per user per month.
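To make the "two or more independent factors" idea concrete, here is an added example (not code from the column or from any vendor it mentions) of a login check that combines something you know (a password, stored only as a salted PBKDF2 hash) with something you have (a time-based one-time code from an authenticator app, per RFC 6238). The user record, the salt, and the password are constructed for the example; the TOTP seed is the RFC 6238 test-vector key so the codes can be checked against the standard. The check also refuses to accept a code for a time step it has already accepted, so a code that an attacker manages to capture cannot simply be replayed.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed user record for this example (not real credentials).
# The password is stored only as a salted PBKDF2 hash; the TOTP seed is the
# base32 string that would be shown to the user as a QR code at enrollment.
# The seed here is the RFC 6238 test-vector key, so the codes are checkable.
_SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
_PBKDF2_ROUNDS = 200_000

USER_DB = {
    "alice": {
        "salt": _SALT,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", _SALT, _PBKDF2_ROUNDS),
        "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
        "last_counter": -1,  # highest time step already accepted, for replay protection
    }
}


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time in 30-second steps."""
    return hotp(secret_b32, int(at_time // step), digits)


def check_password(username: str, password: str) -> bool:
    """Factor 1, something you know. Constant-time compare of the PBKDF2 hash."""
    user = USER_DB.get(username)
    if user is None:
        # Hash anyway so an unknown username takes as long as a wrong password.
        hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _PBKDF2_ROUNDS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], _PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, user["pw_hash"])


def check_totp(username: str, code: str, now: float, step: int = 30, skew: int = 1) -> bool:
    """Factor 2, something you have: the device holding the seed.

    Accept the code for the current time step or `skew` steps either side (clock drift),
    but never a step at or below the last one accepted, so a captured code cannot be replayed.
    """
    user = USER_DB.get(username)
    if user is None:
        return False
    counter = int(now // step)
    for c in range(counter - skew, counter + skew + 1):
        if c <= user["last_counter"]:
            continue
        if hmac.compare_digest(hotp(user["totp_secret"], c), code):
            user["last_counter"] = c
            return True
    return False


def login(username: str, password: str, code: str, now: Optional[float] = None) -> bool:
    """Grant access only when both factors verify."""
    now = time.time() if now is None else now
    if not check_password(username, password):
        return False
    return check_totp(username, code, now)


if __name__ == "__main__":
    # Simulate the user's authenticator app producing a code at the RFC 6238 test time.
    code = totp(USER_DB["alice"]["totp_secret"], 59)
    print("password + fresh code:", login("alice", "correct horse battery staple", code, now=59))
    print("same code replayed:", login("alice", "correct horse battery staple", code, now=59))
```

A phished password alone fails this check because the attacker does not hold the seed. One caveat a practitioner should keep in mind: one-time codes and push approvals can still be phished in real time by a site that relays them to the real login page within the 30-second window, so where the budget allows, phishing-resistant methods such as FIDO2/WebAuthn security keys are the stronger choice.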
These two relatively inexpensive tools, security awareness training and multi-factor authentication (MFA), can go a long way toward protecting your valuable assets. Remember, experts say it is not a matter of if your organization will experience a cyber-attack, but when. Fending off those attacks can save you from loss of precious data, expensive downtime, and a damaged reputation. Ask your MSP or IT manager about these tools and other ways to keep your IT systems safe and secure.
Subscribe to get Edmond Business news in your inbox.
About Davis Merrey
Davis is Owner/CEO of TeamLogic IT of Oklahoma City, part of an international network of franchisees providing IT support for businesses. He brings many years of experience in a variety of technology-related industries, leading teams that deliver technical solutions to critical customer needs. The company culture is defined by its mission statement: "To help our fellow employees and clients be successful."
Davis earned a BS in Electrical Engineering from the Virginia Military Institute and an MBA in Management from Golden Gate University in San Francisco. He serves on several business-related and non-profit boards of directors.