After I give a presentation on cyber security, I'm usually mobbed by attendees who want to share horror stories of having their business or personal data wiped out and held for ransom, or wire transfers redirected to a thief. These are the same people who thought the information stored on their computers or in the company cloud was safe.
What business owners and the C-suite do not realize is how susceptible their systems are to being hacked because of human error. That is why several people have asked me to share their stories, in the hope that someone else will avoid the calamities they've experienced.
Everyone leaves with 1-2 actionable things they can do right now to improve their cyber security. I'm going to do the same for you. Below are the two most important things your business should implement to protect your company's most critical information, including your clients' data.
Dark Web is Big Business
First, what is the Dark Web? I wrote about it recently, but to recap, it's a digital black market trading in your secrets: usernames and passwords, client lists, social security numbers, banking information... you name it.
It's big business, and its target is your company's information, including your client data! Here are a few factoids:
- 91% of successful data breaches started with a spear phishing attack
- Ransomware was a 1 billion-dollar criminal business in 2016, and continues to grow
- Cybercrime as a whole was more than a 1 TRILLION dollar business in 2020
- CEO Fraud (aka Business Email Compromise) causes $5.3 billion in annual damages
The amazing thing is that there are a couple of critical things a business can do to prevent (or at least significantly minimize) the damage.
How Employees Can Sink Your Business
I'm not talking death by PowerPoint... or the boring lecture of Do's & Don'ts that are often given and then ignored. You can't teach proper "cyber hygiene" in one lecture, and let's face it, we've all got bad habits that we are blind to. The bad habits around cyber security can sink a business!
Here's a snapshot of the approaches to cyber security training a company could take. Think of them as levels of operational maturity.
- Do Nothing: Rely on tech solutions only.
- The Break Room: Death-by-PowerPoint, coffee and donuts, usually in-house created.
- The Monthly Security Video: Employees view monthly short security awareness training videos.
- The Phishing Test Approach: Pre-select high risk groups of employees, send them a simulated phishing attack, and train them if they fail.
- The Human Firewall Approach: Train all employees online and send frequent phishing attacks.
So where do you fit? If you are like many firms, it's the first two categories.
"OK" you say, "tell me more about this 'Human Firewall Approach'". I'm glad you asked!
Simply put, the lecture or PowerPoint doesn't work. What does work is a regular "drip" of cyber security training along with awareness campaigns in your business. We use a phishing test (where we send a phishing email to your team) to establish a baseline, and then test again throughout the year to measure performance and identify weak areas that need attention.
Want proof of how well this can work? Take a look at another industry that turned itself around. The construction industry had a bad history of workplace accidents. It is estimated that in 1970 around 14,000 workers were killed on the job. That number fell to approximately 4,340 in 2009. At the same time, U.S. employment has almost doubled and now includes over 130 million workers at more than 7.2 million worksites. What brought about this change? It's due in large part to the "safety talk" at the start of every shift, and the signage around the workplace saying, "XX days since the last accident".
So we aren't doing anything "new"; we are just applying what already works to your business... training your team to be Human Firewalls.
Implement Dark Web Monitoring
So your people are trained, and you are sure they won't make a mistake (don't bet on it!). But how do you protect yourself when a vendor leaks your data? Remember the 2013 Experian breach that exposed 200 million records, or the breaches at Target, Best Buy, etc.?
But those are big box retailers. Nobody will target my smaller business, right? Wrong. Hacker bots are working 24/7 to find vulnerabilities on any computer or server, regardless of the size, type or location of your business. The fact is, you can't control your data when it is in someone else's hands.
But you have an easy way to see when your data shows up on the Dark Web and take immediate steps to mitigate the use of it.
Here's how our Dark Web monitoring service works. We have a search engine that monitors the websites used by the digital black market of the Dark Web. When you subscribe to our service, we'll look for ANY email address and password combination associated with your email domain that comes up for sale. When we get a hit, we'll immediately notify you of the specific user and their password, and often the site it was stolen from.
When you are armed with this information, you can simply have your employee change their password for the site in question. Of course, users often use the same password on multiple sites, so make sure they change their password on every site where they've used it. (Now would be a good time to implement a good password manager too!)
Since you've secured those credentials, you can laugh quietly at the criminals who buy your now bogus information and attempt to use it to crack into your data.
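As an added illustration (not the author's service or its code), here is a small Python version of the domain-matching step described above, run over a constructed sample of leaked records: it keeps only credentials for the company's email domain, groups them by user, flags passwords that appear on more than one site (the reuse problem just mentioned), and reports a hash fingerprint rather than the plaintext password. The domain, addresses and site names are made-up placeholders.

```python
import hashlib
from collections import defaultdict

# Constructed sample of the kind of records a credential-dump monitor ingests.
# Format: (email, password, source_site). All values are made up for this example.
SAMPLE_DUMP = [
    ("alice@example-firm.com", "Spring2016!", "forum.example-site.net"),
    ("alice@example-firm.com", "Spring2016!", "shop.example-store.com"),
    ("bob@example-firm.com", "hunter2", "forum.example-site.net"),
    ("carol@other-company.org", "letmein", "shop.example-store.com"),
    ("BOB@Example-Firm.com", "hunter2-new", "webmail.example-host.io"),
]


def fingerprint(password: str) -> str:
    """Short SHA-256 prefix so a report can identify a password without repeating it."""
    return hashlib.sha256(password.encode()).hexdigest()[:12]


def monitor_domain(records, domain):
    """Return one alert per (user, password) pair found in the dump for `domain`.

    Each alert lists the user, a password fingerprint, and every site where that
    same password appeared, so the user can be told to change it everywhere.
    """
    domain = domain.lower()
    seen = defaultdict(set)  # (email, password) -> set of source sites
    for email, password, site in records:
        email = email.strip().lower()  # dumps mix case; normalize before matching
        if email.rsplit("@", 1)[-1] != domain:
            continue  # credential belongs to someone else's domain
        seen[(email, password)].add(site)
    alerts = []
    for (email, password), sites in sorted(seen.items()):
        alerts.append({
            "user": email,
            "password_fingerprint": fingerprint(password),
            "sites": sorted(sites),
            "reused": len(sites) > 1,  # same password seen on more than one site
        })
    return alerts


if __name__ == "__main__":
    for alert in monitor_domain(SAMPLE_DUMP, "example-firm.com"):
        flag = "REUSED" if alert["reused"] else "single"
        print(f"{alert['user']}: fp={alert['password_fingerprint']} "
              f"[{flag}] {', '.join(alert['sites'])}")
```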
Get Your Free Dark Web Scan and Report
If you'd like to have us run a one-time report that will show your current exposure on the Dark Web, including usernames and passwords, we'd be happy to do that for you.