Trends and Technology
Defend Your Business from Cybersecurity Attacks and Learn About Possible Threats
January 18, 2022 |
The C2FO Team
It’s a wild, wild world out there when it comes to computer hackers, cybercrime, software vulnerabilities and system breaches. Here is a short checklist for a basic cybersecurity audit, rising threats to watch out for, plus resources for prevention and awareness.
Cybercriminals have expanded their targets to include not only countries and large corporations but also small to mid-sized businesses (SMBs) in recent years. They have become ripe targets because they don’t garner the news headlines and enforcement scrutiny that an attack on, say, General Motors or Alibaba would generate, and they don’t often have the resources or staff a big company or organization would have at its disposal, according to Threat Post, a cybersecurity news website.
“With government and big companies pouring cash into cybersecurity, underfunded and understaffed SMBs are prime targets,” states the article.
With the start of the new year and rising threats on the horizon, it’s a good idea to reassess the resilience and vulnerability of your front-end and back-end computer operations. A cybersecurity audit would be useful in preventing any attacks. We lay out below a short checklist to include in a cybersecurity audit in order to make sure you are in the best position for 2022, whatever your budget or the size of your IT department.
We also write about trending threats to watch out for plus a helpful list of websites and resources that you should check out in order to keep up to date on the ever-changing cybersecurity space.
Cybersecurity Audit Checklist
There are a lot of different ways to conduct an audit. The list below covers broad actions that can be tailored to your specific situation, staff capabilities and budget. We cover data, systems and device management; education and training to curb human error; monitoring and testing; and lastly physical security. It’s not an exhaustive list, but hopefully you can use it as a jumping-off point to secure your data and vital infrastructure.
Data, Systems and Device Management
- Determine all possible sources in your digital processes or vulnerable points in your computer infrastructure that can pose a cybersecurity risk. These soft points could include processes that use proprietary or customer data and payment systems. Look for shared passwords, which can pose a vulnerability. See what software or tools are available to patch those holes or harden your existing systems.
- Have standardized cybersecurity policies and procedures in place. Have them written down and enforced in training.
- Go over your personnel list and see what kinds of data, systems and devices that staffers are responsible for or deal with during their work. Establish a chain of ownership after making this list.
- Audit and classify your data and systems by usage and sensitivity.
- Create a software and hardware asset list. Keep it regularly updated.
- Have encryption technologies in place where you need them. This may be data involving your payment system and customer data.
- Deploy a system where lost or stolen devices are automatically and quickly wiped of data. Widely known programs you can use include DriveStrike. But you can also read CNET, PC Mag or ask an IT professional for a recommendation on which software to use.
- Have an emergency cybersecurity response plan. Have insurance as part of this plan in case there is loss/damage of equipment, infrastructure or data.
- Have computer software continuously and automatically run updates and patches.
- Deploy password management software for your systems and devices. There are many password management programs like LastPass and 1Password, but see what’s right for you.
- Have in place multifactor authentication requirements for your devices, systems, networks and precious data files.
Education and Training
- Implement approved, standardized cybersecurity training to make sure everybody is on the same page. Ensure every staff member knows they need to be active participants to protect the security of the company’s data and infrastructure.
- Educate and raise awareness on phishing scams, how to handle suspicious emails and safe use of the internet.
- Train staff and implement enforcement of proper password management and usage.
- Make sure staff know and deploy best practices on physically securing company desktops, laptops and mobile devices. Also ensure they know how to properly secure the data on these devices.
- If employees use personal devices for work purposes, make sure they follow proper and approved security procedures and tools/apps for their equipment.
- Raise awareness on the dangers of talking to strangers or acquaintances on the internet or in person about your company’s computer operations. Discuss the pitfalls of letting people outside work use company devices. These points seem like no-brainers, but it’s important to remind people about these possible security lapses. Cybercriminals are smart and will exploit crumbs of information or any vulnerability.
Monitoring and Testing
- Regularly monitor all aspects of security.
- Perform regularly scheduled security testing, with timing determined by your situation and advice from an expert.
- Conduct external penetration testing of your cybersecurity system.
- Install anti-virus software on all devices with automatic updates.
- Keep abreast of developments in cybersecurity by reading our list of recommended resources.
- If you have servers/networking equipment on the premises, keep them secured under lock and key. Allow only authorized access to these locations or devices.
- Make sure companies you use for data, networking and other computer infrastructure have tight security. Have a member of your team or an IT professional perform due diligence on this aspect.
- Make sure you have remote backup solutions for your computer infrastructure and data in case there is a cybersecurity attack.
- Secure dumpsters and paper shredders.
- Deny access to unsecure devices, systems and websites unless they have security safeguards and meet your security criteria.
Cybersecurity Trends and Resources
The information age is fast and dizzying. Coupled with the ingenuity of bad actors in the technological space, it's hard to keep up with all the potential threats and trends in computer defense. We put together a short guide below on the latest risks that experts are saying we should watch out for plus resources you should tap.
It’s like the California Gold Rush but with computer equipment. Mining for Bitcoin and other cryptocurrencies is seen as a big moneymaker. Cryptominers have been pouring expensive computer infrastructure into mining for digital currency because it’s a resource-heavy process to extract. But there have been enterprising, malicious hackers who don’t want to use their own equipment and instead secretly infect people’s computers with cryptomining malware. This is called cryptojacking — your computer is unwittingly enslaved for its computing power in order to mine for digital currency. No one is really safe from cryptojacking, which has impacted both ordinary computer users and governments. Computers are usually infected via malware on websites. Signs of being a victim include your device not working as well, overheating and increased fan activity.
Deepfakes are sophisticated, artificial intelligence-driven technologies that fake real people’s actions and news events — akin to an image doctored with Photoshop. For example, imagine watching a very convincing video of U.S. President Joseph Biden breakdancing and it’s going viral on Facebook. Problem is, he does not breakdance (as far as we know). That video is an example of a deepfake. While journalists have been mostly reporting on deepfakes when it comes to celebrity video spoofs, deepfakes have even infiltrated social media networks like LinkedIn in the form of AI-created people masquerading as important government and business officials. Another thing to watch out for: the rise of “cloned” audio, according to the Guardian. A few years ago, scammers pretended to be a German CEO during a phone call, mimicked the CEO’s voice with deepfake software and bilked a German energy firm of £200,000.
Internet of Things
“Alexa, are you safe to use?”
It’s a question worth asking because the number of Internet of Things (IoT) devices is expected to grow exponentially over the next several years, and yet these devices can open you up to various kinds of cybercrime, according to Hacker News. Many IoT devices come with the veneer of safety in the form of password protection, but there are still many others, “cheap and low-capacity Internet of Things devices,” that don’t even have this basic security. The news outlet reported that an IoT device with flimsy security in 2019 could be compromised in less than 3 minutes. And last year, “an IoT device is attacked on an average of 2,814 times every single day by more than 100 different botnets trying to hijack it.” There have been attempts to lock down security on IoT in the form of network providers and device manufacturers collaborating on security protocols, among other remedies.
In December 2021, the Apache Software Foundation, an important tech organization, disclosed to much worry that one of its applications, Log4j, has a huge vulnerability called Log4Shell. The name Log4j may sound obscure, but it’s a tool that “is used worldwide across software applications and online services, and the vulnerability requires very little expertise to exploit,” according to the UK’s National Cyber Security Centre. “If left unfixed, attackers can break into systems, steal passwords and logins, extract data, and infect networks with malicious software. This makes Log4shell potentially the most severe computer vulnerability in years.” Cybersecurity staff across the world spent a good chunk of December looking for this vulnerability and locking down their systems, but government officials say Log4Shell will continue to be a problem for years to come, according to CNET news.
Ransomware is malicious software that steals your data or blocks you from accessing your website, networks, computer files and other tech systems. The malicious actors behind the malware then demand you pay them or they will release your private data or prevent you from ever accessing your tech infrastructure. The FBI states that “you can unknowingly download ransomware onto a computer by opening an email attachment, clicking an ad, following a link, or even visiting a website that's embedded with malware.” Ransomware has been a problem since the dawn of the internet, but it has become probably one of the top cyber threats in recent years, according to many experts. Yahoo News reported that ransomware victims paid nearly $600 million in the first half of 2021. What’s been especially troubling is how ransomware is now targeting software-as-a-service (SaaS) applications, open-source projects and remote technology as many companies move to cloud applications, according to DARKReading, a cybersecurity news website.
Cybersecurity News and Resources
CNET not only provides reviews on the newest and coolest tech gadgets but also has a team of journalists devoted to reporting on the latest in cybersecurity for a general audience. Recent articles cover VPN trackers, security vulnerabilities such as Log4Shell, privacy concerns over tracking devices and more.
If you want even more in-depth knowledge of cybersecurity, we can’t recommend enough the website for the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. federal government organization that “leads the national effort to understand, manage, and reduce risk to our cyber and physical infrastructure.” The website portal has a bevy of information on essentials, but we recommend starting with the CISA Cybersecurity Awareness Program and the CISA Cybersecurity Awareness Program Toolkit, which both dip into general education on cybersecurity and tips for defense.
Brian Krebs is a longtime watcher and investigative reporter of all manner of techno malfeasance and software vulnerabilities, both big and small. He was a Washington Post tech reporter for many years until branching out with his eponymous blog on cybersecurity, which he started about 12 years ago. We think it’s an essential website when it comes to the latest in tech security such as the newest software patches, breaches, privacy concerns, cybercrime of the week and more. We also recommend his Twitter feed for real-time news.
Do you need to talk to an expert or get advice on cybersecurity and you are operating on a relatively tight budget? The National Cybersecurity Society (NCSS) is a professional membership organization specially geared to the small to medium-sized business community. It provides education, advocacy, advice, a small business toolkit on cybersecurity and other valuable resources.
Are you feeling intimidated in regard to cyber defense and the wealth of tools out there? PC Magazine has a great section on security reviews that is continuously updated. It has articles on VPN options, spyware protection, ransomware defense, password managers, antivirus software and other tools.
Going Forward on Cybersecurity
People have reaped rewards from advances in technology, from fast mobile payments to remote work and education becoming doable, but the advances come with attendant dangers such as cybersecurity concerns. The COVID-19 pandemic has also complicated matters with the increased use of insecure telecommuting devices and networks. Balancing security concerns while also maintaining and increasing the efficiency of operations is a dual concern for many businesses in the present and future. What’s essential to all of this is cultivating a strong cybersecurity mindset where security is already baked into your business computing infrastructure and process. This requires knowledge and awareness, and we hope this primer sets you up for success.