Cybersecurity Services

The effectiveness of a cybersecurity program is not based on how you answer the question of ‘Can we be hacked?’ but rather on your organization’s ability to manage the ever-evolving risks and threats that it faces.  The ability to manage risk begins with your organization’s leaders taking a proactive role in cultivating conversations and creating a culture that puts risk management as a priority.  From this vantage point you can determine your biggest risks and what assets are most critical.  Only then can you decide if your current cybersecurity program is meeting those risks and dealing with them in an effective manner.

Actual costs of an attack or data breach vary widely based on the type and size of your organization as well as the sensitivity of your data.  For example, a breach of 6,000 records containing health information on patients and employees might cost upwards of $700,000. This doesn’t include costs related to loss of productivity, litigation, or reputational damage, which can be immeasurable.  Recent studies put the average cost of a breach for an organization with less than 500 employees at $2.74M. You can estimate the cost of a data breach for your organization.

The short answer is yes. Cybercrime is a lucrative business that is outsourced, automated, and streamlined so it doesn’t require a specific skill set to implement.  This makes it much easier for a wider group of people to execute attacks.  Attackers have also realized that small businesses, such as clinics, law firms, and even schools do not have sophisticated security, but do have the resources to pay if an attack happens.  Small businesses are huge targets for cybercrime due to these two factors combined, with one study showing 43% of cybercrime victims were small business victims. “Seemingly, no matter what defensive measures security professionals put in place, attackers are able to circumvent them.  No organization is too large or too small to fall victim to a data breach.” (Source:  Verizon 2019 Data Breach Investigations Report)

Phishing is an attempt to acquire sensitive information such as passwords, credit cards details and usernames by appearing to be from a legitimate source.  The goal of a phishing attack is to get the potential victim to click a link, open an attachment, provide their credentials, wire money, change direct deposit information, etc. There are multiple techniques used by bad actors to obtain personal information.  A few examples are:

• Spear Phishing
  • Targeted phishing to specific organizations or people. Example would be a bad actor compromising your vendor’s email account and sending an invoice with a wire transfer request to your Accounts Payable department requesting payment with a sense of urgency.
• Malware
  • Ransomware (bad actors deny access to the device(s) or file(s) until the ransom is paid.)
  • Keylogger (bad actors log all inputs from the keyboard)
  • Malvertising (Malicious advertising that is downloaded and forces unwanted content onto your computer.)
• Vishing (Voice phishing ) and Smishing (SMS/Text phishing)

(Source: Knowbe4)

MFA stands for multi-factor authentication and is used to provide additional security for a traditional username/password login.  Essentially, MFA adds another step to the login process after a person enters in their username and password.  This step can come in a few different forms including a verification code sent to a phone or authenticator app, use of a smart card, or even a biometric like a fingerprint scanner.

MFA is particularly useful at hindering account compromise by adding an extra layer of protection since all your password controls will be meaningless if you hand the attacker your password.  This would include external applications, remote access (VPN), cloud-based email such as O365 or Gmail.

• It’s almost impossible to verify that employees are using different passwords for each third-party service. Why does this matter? As an example, an employee’s insurance credentials are compromised and they change their password, but they also use the same credentials for their O365 account. The bad actor that has the compromised credentials will attempt to log into their email account and without MFA in place, will be able to compromise their account without that additional security.
• A bad actor can attempt to brute force the password without controls and MFA in place.
• When a bad actor gains VPN access without an additional layer of security and is inside your organization, they can attempt to move laterally within your organization.
• An organization-wide password reset due to email compromise is complex and can be taxing on support to implement. Having MFA in place would dramatically decrease the likelihood that an organization wouldn’t need to reset passwords for all accounts.

“…the sobering reality is that if multi-factor authentication (MFA) is not in place, all your other security measures can be bypassed.” (Source: TechBeacon)