Cybercriminals are driven by a simple goal: exploit data for personal gain. In pursuit of this, they’ll leverage a range of tactics. To successfully combat the attacks, Arizona businesses need to know what they’re up against. In 2019, 2 very different breaches affected Arizonans. To keep you secure, we’ve broken each into lessons and detailed how you can protect your business against similar threats.
Lesson 1: Cybercriminals Don’t Care Who You Are
Recently, we read about a cyberattack on Camp Verde Unified School District (CVUSD). The cause was never stated in the article, but the description of the breach reminded us of phishing scams. Easy for hackers to execute, this type of attack is increasingly common.
Phishing attacks are a numbers game
Cybercriminals aren’t researching your company before they send phishing emails because only a small fraction of their emails will be successful. So, they buy a list of emails or scrape websites for employee email addresses to target many people at once and increase their chances.
It isn’t until someone responds to the scam that the criminal starts to investigate your organization. At that point, the hacker has your employee’s credentials and is making demands.
Two-factor authentication prevents data breaches and is free with Office 365
Many businesses have Office 365 licensing, which comes with two-factor authentication built in – for free. But most organizations don’t turn the feature on. Here’s how it works: After entering a password, you’re asked for a unique way to verify you are the account owner – like a code sent to your phone. We recommend you turn the feature on for all your users because it eliminates the threat posed by hackers who gain access to credentials. Even if the bad guy has your password, they can’t access your email remotely because they don’t have the second factor.
Lesson 2: Choose Your Vendors Wisely
Phishing scams aren’t the only way hackers look to reap the largest financial award for the least amount of work. Criminals also target companies – like vendors – who have access to other organizations’ networks. This was the case when, in early 2019, customer information from 50 Arizona businesses, like credit card numbers, was potentially exposed. The businesses, including Chompie’s and Zipps, were breached because they used the same vendor. When the vendor was hacked, the cybercriminals were able to access businesses the vendor worked with.
We’ve seen this security threat before
In 2013, an outside partner was the vulnerable link in the chain that lead to the Target breach. In that case, cybercriminals first hacked an HVAC company the retailer had used. From there, the hackers found their way into Target’s network and gained access to consumer data.
Don’t have blind faith in your partners
Your advanced security tools and robust systems won’t matter if you give vendors full access to your network. Malicious actors will be able to march in and stay undetected for weeks, months or even longer.
Before partnering with any third-party (even IT providers!) ask for documentation detailing their security practices and procedures. Then, only give individuals you’re working with the most basic level of access they need to effectively accomplish their job. If Target had limited the HVAC company to only being able to send invoices, the retailer wouldn’t have suffered a costly data breach.
2 Actions You Can Take Now to Improve IT Security and Stay Out of the Headlines
Data breach notoriety can be avoided if you act now, and it only takes 2 steps to get started:
- Foil cybercriminals with 2-factor authentication
- Do your due diligence on partners
As we said above, if you have Office 365 you have access to 2-factor authentication for free; the feature simply needs to be turned on. Due diligence will take a bit longer – especially if security checks have not been part of your process of evaluating partners. Think through permissions and ask detailed questions about how and where they’ll store credentials you provide. Are they storing passwords in an Excel file? Who within the company has access? Take the time to find out now. It could protect your company in the future.
Looking for advanced solutions?
Basic multifactor authentication may be enough for your company to combat credential theft, but there are advanced tools available for organizations that need to meet compliance or are concerned about security. At itSynergy, we regularly prepare regulatory documentation for clients. Additional services, like email encryption and employee training, will further increase your security posture.
Give us a call (602.297.2400) or send us an email and build better business protection today.