I am sure that most people today are simply tired with the consistent news about hacking the election, a financial services firm who has been compromised, or worse your PII (Personally Identifiable Information) and PHI (Protected Health information) is being sold on the Dark Web.
A majority of computer users suffer from “security fatigue” — a weariness of or reluctance to engage with cybersecurity — that leads them into risky behavior online, according to a new study by scientists from NIST (The National Institute for Standards and Technology). In short, they found that users’ weariness led to feelings of “resignation, loss of control, fatalism, risk minimization, and decision avoidance, all characteristics of security fatigue.” In turn, that made them prone to “avoiding decisions, choosing the easiest option among alternatives, making decisions influenced by immediate motivations, behaving impulsively, and failing to follow security rules” both at work and in their personal online activities including banking and shopping.
The report’s authors write, “Users are tired of being overwhelmed by the need to be constantly on alert, tired of all the measures they are asked to adopt to keep themselves safe, and tired of trying to understand the ins and outs of online security. All of this leads to security fatigue, which causes a sense of resignation and a loss of control.”
These findings have direct implications for businesses that are legally required to protect personal and financial data, including retailers, financial and healthcare businesses, law and other professional services firms.
Cybercrime activities like phishing, spear phishing, business email compromise and social engineering all rely on innocent but unwary employees being led to do the cyber criminal’s dirty work.
If the US Government, Fortune 500 companies, High Tech firms, Financial Institutions, Health Care Organizations and Universities with all of their resources were unable to stop the attacks...
What possible chance can a small/medium business have?
The answer is: more than you would think.
Digital4nx Group, Ltd. recognizes that the greatest vulnerability in most organizations comes from their own people.
We have been providing fixed fee "ethical hacking" Security assessments, which we define as, a service where we attack your network and computer systems using real-world tools and techniques in order to find security weaknesses. The goal of an ethical hack security exercise is not to reveal deficiencies in the performance of your IT team, but rather to support them. We often find that IT teams are pressured to make things easy-to-use and functional, maintain software updates and patches, and keep the users up and running.
Our ethical hacking assessment aids the IT team, giving them a road-map for making their networks much more secure, identify the sensitive information which the organization maintains, and improve the best reasonable security measures for that organization.
Having an independent team of experts audit your security is a valuable tool that is guaranteed to uncover vulnerabilities and greatly increase your level of security.
Even small businesses can interrupt this chain of events at several points, making it much more difficult for a cyber criminals to gain a foothold.
We commonly find that we gain some of the initial access to a companies systems by tricking users into providing their passwords. Once we have those passwords, we can leverage them to gain additional access to other systems.
The below techniques are simple and inexpensive:
- Make sure everyone in your company understands phishing schemes and how to recognize them. A phishing scam is an attempt to trick someone into providing username and password information to a hacker. Spearphishing is a phishing attack customized to a particular individual.
- Do not allow people to have administrative privileges on their computers. This prevents them (or viruses acting under their credentials) from installing hacking tools on a computer.
- Change passwords regularly and use different passwords for different accounts. In other words, the password to your work computer should be different from the one you use on, say, your Yahoo account. Password manager software (such as LastPass, KeePass, Dashlane,...) makes it easy to track and change passwords.
- Ensure your computers install security updates from Microsoft, Apple, and Adobe automatically.
- Install antivirus software on your computers
- Install a firewall if you don’t have one, and review your firewall to tighten it up as much as possible. A firewall is a device that stands between your network and the rest of the world, blocking unauthorized access.
- Configure spam filters to be as restrictive as possible and use Sender Policy Framework (SPF) records to reduce the likelihood of phishing messages.
- Confirm backups run regularly and periodically test those backups.
Questions? Concerns? Want some help conducting a cyber security risk assessment? Give us a call, we’re happy to help.
PS- For those who are not cyber fatigued and interested in reading about the Department of Homeland Security report detailing Russian civilian and military efforts to hack organizations, companies, and educational institutions in the United States, you can read it here.