Posts tagged Cybersecurity
Cybersecurity and the Workforce: Strengthening Weak Links

Cybersecurity Awareness Month, annually observed in October in the U.S., is an excellent time to reflect on cybersecurity practices, training, business risks, and strategies to manage this risk for companies. Annually, cyber incidents (intrusions, breaches, and similar security gaps) cost U.S. businesses disproportionately more than the costs associated with active cybersecurity risk management. For example, cybercrime is up 600% due to the COVID-19 pandemic, as more people work from home and are online more hours each day.

The COST:

Cybercrime estimates top $10.5 trillion – TRILLION – annually by 2025.  The average cost of a data breach to a U.S. business or organization is about $2.98 million, and phishing costs, on average, $14.8 million per successful attack. Some of these costs can be avoided and risks mitigated for businesses and organizations through investment in cyber defense capabilities and kit, smart employment policies, effective training integrating applicable ISO standards, and enforcement of cyber hygiene practices.

Can’t Tools Fix This:

Cybersecurity hygiene and risk management primarily come down to the end user. Security is a journey, not a destination. The tools, patches, systems, and networks are helpful. Still, effective cybersecurity postures depend disproportionately on the conduct and cyber discipline of the end user, their training, personal and professional restraint, and instincts. Purchasing a full security stack of tools does not finish the job. It’s just the beginning.

Personal cyber hygiene practices are almost always the number one risk for organizations. Hollywood portrays complex hacking efforts that can penetrate networks without help – which is true – but most intrusions and hacks start with a virtual invitation by a network insider through phishing, spoofing, or similar techniques. One good analogy is that a thief can steal money by cracking a safe in a bank vault, or he can walk right into an open door at the bank where the cash drawers have been left unguarded, and the safe deposit boxes have the keys unattended.

Who is affected:

Companies ranging from publicly traded multinational corporations to privately held C and S corporations, small business LLCs and partnerships, to nonprofits and public institutions have scaled cybersecurity interests. These different business and corporate organizations are not neatly binned, because cybersecurity is matrixed – multinational corporations often make grants to nonprofits; university research foundations frequently exchange data with companies, hospitals, and grant sponsors.

Cybersecurity risk is not wholly reliant on a company’s hygiene and employee practices but also on the cybersecurity posture of partners with which organizations do business. Moreover, for federal contracts, cybersecurity standards can be imposed on subcontractors via flowdown clauses. Organizations should also consider negotiating cybersecurity incident indemnification clauses into contracts and ensuring adequate insurance coverage. Considering partner cyber hygiene practices is an essential consideration in engaging in transactions, pricing, and regulatory/compliance planning.

This factor is markedly true in mergers and acquisitions. Organizations must actively assess and manage risk when deciding in whom to entrust the keys to the cybersecurity kingdom

Culture:

Security culture can also be generational.  Generation Z are digital natives – that is, a person born and matured during the information age of digital technology from birth, rather than having had to learn it as adults – yet the National Cybersecurity Alliance has been found to “have higher cyber incident victimization rates” than older generations.[1]  Why?  First, they’re more immersively connected – with tech familiarity comes more ubiquitous connectivity, and thus more opportunities for mischief or mistakes through “security fatigue.”  Another reason is that cybersecurity is often taught in the workplace, but seldom is taught in schools.  New high school and college graduates entering the workforce may present a particular vulnerability until effective organizational training and policy enforcement takes hold.  Finally, younger people may be more open to the proposition that information is a public good, and therefore efforts to protect and segregate it are bad.  This may be philosophically appealing, but commercially naïve in an era of foreign intelligence lurking, ransomware, denial of service attacks, and economic espionage.  The Massachusetts Air National Guardsman who leaked a trove of Top Secret documents in 2022 until his arrest in April 2023 did so by posting them in Discord chat rooms to benefit his online gaming activities, not any nefarious activity related to espionage.  According to the charging documents, he may have been simply too inexperienced to understand the consequences of his actions.

Policy:

Finally, businesses, nonprofits, and public organizations must build cybersecurity training and compliance policies into employment handbooks and contracts. Organizations must be willing to enforce these policies through progressive discipline where warranted and consider more drastic measures where an employee or contractor’s conduct, willful or negligent, exposes the company or nonprofit to increased cybersecurity risk. In the right circumstances, an employee’s error can pose a catastrophic or even existential threat to a company.

Halloween ends Cybersecurity Awareness Month, and while this commentary has been a bit of a parade of horribles, it is not intended to be scary – only to inspire organizational leaders and managers to be wary. No cybersecurity risk management plan is foolproof, but organizations can manage risk through well-planned and resourced cybersecurity infrastructure, hiring, training, policy development, business processes, and enforcement of standards.

[1] Claire Nuñez, How to Embed Gen Z in Your Organization’s Security Culture, Security Intelligence, December 15, 2022, available at https://securityintelligence.com/x-force/gen-z-cybersecurity-culture

Need Help With Your Cyber?

Troy McCollum is the founder and CEO of Layer 9 IT,  Virginia full service outsourced IT company focused on the legal, financial and medical verticals.

Butch Bracknell is a cybersecurity and business law attorney with the Norfolk law firm of Crenshaw, Ware and Martin PLC.  Crenshaw Ware & Martin has been providing business counsel for Hampton Roads, Virginia, and Eastern North Carolina businesses for 100 years.  www.cwm-law.com 

For a free consultation, call us at 757-644-3291. Or schedule a call by sending us a message.

Let’s work together and remove your IT barriers.

Protecting Your Business From Data Disasters

Data is everything to a small business – which means if you lose access or control, you’re facing an emergency.

It sounds dramatic, but the research backs it up.

According to several sources, 93% of companies go out of business within one year if they suffer a major data disaster without having first created a combat strategy.

And since 68% of businesses lack a plan for that worst-case scenario, losing data would be a death knell.

Fortunately, your business doesn’t have to be one of them. With the following steps, you can have a rock-solid disaster recovery plan.

Step 1:
Know How A Disaster Recovery Plan Differs From A Business Continuity Plan

The main difference: business continuity plans are proactive, while disaster recovery plans are reactive.

A business continuity plan ensures that, no matter what disaster, your business can continue to operate and provide for customers.

A recovery plan ensures your business can back up and recover critical data should it get lost or held for ransom.

Step 2:
Gather Information And Support

For your plan, start with executive buy-in.

This means everyone, from the CEO to entry-level employees, needs to execute the plan if you suffer a data disaster. When staff members are aware of the high stakes, it allows for cross-functional collaboration – a necessary step to prevent system breaches.

When creating your disaster recovery plan, account for all elements in your applications, data, and tech systems.

Look for any issues involving server security and physical access to your systems. If these are compromised, you’ll be thankful for your plan.

Also, determine the critical processes you need during a worst-case scenario when you have limited capability.

Step 3:
Create Your Strategy

Photo courtesy of John Schnobrich @johnschno

When creating the game plan, you’ll need a good grip on your budget, resources, tools, and partners.

If you’re a small business, consider your recovery timeline.

This is where you start, and it should also give you a customer communication plan as your business returns to full operating capacity.

Step 4:
Test The Plan

To know if you’re fully prepared, you must test the disaster recovery plan.

Familiarize your employees with the practical steps in the event of an emergency. Working through scenarios will help you detect weak areas.

If an actual data disaster befalls your business, your systems and employees will spring into action.

To review, these are the quick actions for a robust disaster recovery plan:

  • Get executive buy-in for the plan

  • Research and analyze how your business systems could be impacted

  • Prioritize the most necessary systems to the functioning of your business

  • Test your disaster recovery plan for effectiveness

With these steps, your business can survive any data disaster.

Need Help With Your Plan?

When you’re running day-to-day business details, a disaster recovery plan is a lot to think about.

Is it thorough enough? Do you have the expertise? Is your equipment sufficient?

An unreliable network will hold your business back — that’s why you need a trusted technology partner. Our proactive approach keeps you ahead of security breaches and downtime.

Layer 9 helps business leaders just like you.

For a free consultation, call us at 757-644-3291. Or schedule a call by sending us a message.

Let’s work together and remove your IT barriers.

 
Waking Up To The Reality Of Cyber Security

Photo credit: Petter Lagson @lagopett

All across the world, hackers exploit security weaknesses and hold data hostage.

You may remember how Colonial Pipeline suffered a cyber attack which disrupted fuel supplies along the East Coast. The company – and the FBI – paid hackers $4.4 million in Bitcoin to regain control of the system.

Colonial Pipeline wasn’t the only corporation that paid hackers a huge amount of money. Cyber-attacks victimized the NBA, Kia Motors, and JBS Foods with demands in the millions of dollars.

While these are big organizations, it doesn’t mean your small business is safe. When a small or mid-size business (SMB) gets attacked, they can’t pay millions of dollars to recover stolen information.

Instead, hackers focus on customer and employee information, as well as financial records and statements. Unfortunately, when a hacker attacks an SMB, it often ends in the business permanently closing their doors.

The year 2021 set a record for cyber attacks, and 2022 looks no different. If you’re a business owner, you need to understand the reality of cyber threats and cyber security before it’s too late.

Hire A Managed Services Provider For Your IT Needs

Cyber security awareness has grown over the past five years, but many SMB owners ignore preventive measures. There’s a prevalent mindset of, “It’s too expensive.”

Cyber attacks hit every type and size of business. Hiring a Managed Services Provider (MSP) is one of the most cost-effective ways to protect your network and information.

MSPs offer incredible benefits to your business. They recognize and fix weak points in your IT infrastructure, and this proactive work ensures your business is fully protected in the cyberworld.

MSP’s provide around-the-clock monitoring, data backup and recovery, firewall & network protection, and real-time threat prevention.

Create A Cyber Secure Culture

Photo credit: LinkedIn Sales Solutions @linkedinsalesnavigator

Many cyber-attacks stem from employee error. That’s why your entire team should be aware of cyber attack risks. When you hire an employee, train them about cyber security procedures and provide a reminder course at least once a year.

It’s critical to inform them about the dangers of phishing e-mails and texts, downloading malware, social media scams, and password protection. And if you have employees working remotely, their devices require security measures.

When your employees know the risks, they can spot potential threats. The ultimate goal is having your entire team committed to a cyber secure culture.

Find Peace of Mind Through Layer9

It’s time to take preventive action and protect your business from becoming another cyber attack statistic.

If you’re not sure where to begin, SCHEDULE A FREE CONSULTATION BY CALLING 757-644-3291 OR FILL OUT THIS SIMPLE FORM.

 
How Your Compliance and Security Go Hand-In-Hand

Compliance serves a critical role for every business.

A failure to remain compliant can spell trouble for any organization, regardless of size. And many business owners fail to understand how compliance and security go hand in hand.

Compliance prevents security breaches and offers guidelines for what to do if a breach occurs. Your company won’t become compliant on its own, though.

It takes time and effort to ensure your business stays compliant, especially with rapid technological advances.

Staying Flexible and Compliant

Twenty-five years ago, many of these issues didn’t exist. But then along came the internet, and it upended everything.

As times change, your business must remain flexible or you will fall victim to cyber attacks. To determine if your business is compliant or not, ask yourself key questions:

  • Does my business have antivirus software and is my network protected by a firewall?

  • What data is my business encrypting?

  • Do I have a system in place to manage network-connected devices?

  • Are there disaster recovery plans in place, and do I use backup solutions?

  • Is there a business continuity strategy?

  • Do I have employee training regarding security?

The Most Important Compliance Step: Educating Your Team

After answering these questions, you may be tempted to quickly buy the technology needed to fill the holes. But the first step may surprise you… more than anything else, focus on your team.

According to an IBM study, 95% of cyber-security breaches stem from human error. Here’s the reality: employees who resist a cyber secure culture are putting your business at risk. That’s why it’s critical to offer ongoing employee training.

After training your team, the right technology and equipment must plug the lapses in your compliance plan. If you don’t have antivirus software or firewalls, invest in them before anything else.

The Importance Of Email Filters and Passwords For Compliance

One of the most important strategies is using an email spam filter. Even with trained employees, mistakes can still happen. Cyber criminals use email-based phishing attacks to gain access to your company’s valuable information. One click on the wrong link can compromise your entire network.

With a filter, you won’t worry about employees accidentally clicking on a sketchy email because it will never make it to their mailbox.

You should also introduce strong security password practices as well as multifactor authentication. A portion of your employee training should include password tips and strategies.

Oftentimes, people use the same passwords for every account, which leaves your business vulnerable when one account is compromised.

Multifactor authentication takes this step to the next level since your employees will also receive a text message authorizing their login. It’s a simple way to ensure your information stays protected.

The Next Step: Talk To The Layer9 Compliance Experts

Staying compliant requires a willingness to implement these practices. If you lack the time or expertise to enact your cyber security measures, we’re here to help.

To schedule a free consultation with Layer9, call us at 757-644-3291.

The 7-Step Checklist To Protect Your Law Firm's Data

The analog days vanished years ago. Gone are the overstuffed folders, large filing cabinets, and mountains of paper documents.

The digital world arrived, and it’s here to stay. There’s no turning back, but that’s a good thing, especially with the benefits of technology advancements.

The Danger of The Digital World

However, the digital path carries risks. Challenges appear with ever-changing equipment, learning curves, and compliance issues.

But there’s also the danger of criminals.

Hackers look at legal organizations and lick their lips. Law firms hold a treasure trove of data, including intellectual property, personally identifiable information, and private attorney-client info.

Criminals will do anything to weave their way into your system and steal your files.

This can result in:

  • Failure to access your data because of ransomware

  • The demand of a large payment to regain access

  • Leaks of personal and business data

  • Compromised email accounts

  • Damaged agency reputation

  • Allegations and legal issues

To protect your firm requires both an ongoing knowledge of threats and a strong IT plan.

The 7-Step Law Firm IT Checklist

1. Create an IT security policy

  • Does you have an easy-to-follow data security plan?

  • Is it shared with everyone at the firm?

2. Train your staff on cyber security risks

  • Do you offer training for new employees?

  • Is training offered periodically?

3. Limit access

  • Are you intentional about who can view specific data?

  • Do you ensure former employees no longer have access?

4. Update security software

  • Have you patched any security holes?

  • Are you protecting critical information?

5. Audit your network regularly

  • Is your equipment up-to-date?

  • Have you checked authentication requirements and security layers?

6. Plan for an emergency

  • Do you know what to do in case of a data breach?

  • Do you regularly test the plan?

7. Backup your firm’s data

  • Do you back up your data to a secure location?

  • How often do you back it up?

Here’s the hard truth: most law firms are too busy to think through their cyber security issues. This leaves the firm, its equipment, and all stored data vulnerable to criminals.

Your Cyber Security Experts

At Layer9, we’re your IT experts. We monitor your hardware and software while keeping you up-to-date on threats. Our expert team reacts quickly and decisively against any detected issues.

A weak network will hold your law firm back. But we’ll help you build a reliable infrastructure, avoid downtimes, and protect your information.

To get started, SCHEDULE A FREE CONSULTATION BY CALLING 757-644-3291 OR BY FILLING OUT THIS SIMPLE FORM.