7 Key Cyber Security Questions
How do you know when a salesman is lying?
His lips are moving.
It’s a cliché, and a joke I don’t personally find fair, because I am a salesman, but we’ve all been burned or oversold at some point. So I get it. Whether you want to admit it or not, we’re all selling something, and what I’m about to tell you is not a sales pitch, it’s the truth.
3 Types of Business Owners
When I talk with potential clients these days about their IT and Cyber Security Support, they all tend to fall into one of three categories:
- They’re unhappy.
- They’re happy, and they should be.
- They’re happy, and really shouldn’t be.
Just a few weeks back I was talking with multiple prospects at the same time who had all been recently hacked in various ways. They were dealing with the FBI, insurance companies, ransomware, Bitcoin wallets, and having the lovely pleasure of notifying their customers.
These business owners were in category number 1, very unhappy. And they wished they had been in category number 2 with a company like Infinity providing them with a dedicated Security Team, multiple layers of protection, and processes and procedures in place to backup, verify, and restore data.
Companies in category number 3 are what I call Sitting Ducks.
And I don’t want you to be one.
Key Questions to Strengthen Your Cyber Security
No company is hack-proof; just read the headlines. Given enough money and time, criminals can break into anything.
Cyber security is a lot like protecting your home. You have a front door with a lock, probably a deadbolt. You might have a fence, with a gate, an alarm system, and security cameras. When you’re home, you may feel comfortable with just a screen door. If you go on vacation, you may lock up your storm door. But at the end of the day, if someone wants to break in your house, they’ll find a way in.
The same idea applies to your business. All someone needs anymore is a credit card to hire a criminal on the dark web who will build a custom piece of ransomware and blast it straight to your inbox. You’ve seen some of the phishing and malware emails. They’re never-ending.
So when we give presentations and talk about cyber security posture with potential clients, there are some key questions we always ask, and you should ask yourself.
1. Is my data backed up? Are my backups verified daily? Are the backups accessible to an intruder?
Your data is the lifeblood of your business. If it’s not backed up offsite, or the backup is reachable with the same credentials an intruder just stole from your network, what will you do? Ransomware crews go looking for backups before they encrypt anything, so at least one copy needs to be somewhere they can’t reach: offline, or on storage that won’t let anyone delete or overwrite it. And if you try to restore from your backups but have never actually tested a restore, only watched the job report “success,” what will you do? What will it cost your business in downtime, lost productivity, remediation, and reputation if your data gets compromised?
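What “verified daily” means in practice is a test restore, not a green checkmark on the backup job. The script below is an added example (not Infinity’s tooling or any backup product’s code): it takes a SHA-256 manifest of the source at backup time, test-restores the archive into scratch space, and compares every file against the manifest. The sample files and the “ransomware damaged the source overnight” scenario are constructed inline; the archive format (tar.gz) is an assumption made so the example runs on any machine.

```python
"""Added example: build a backup, record a SHA-256 manifest, and prove the
backup restores correctly by extracting it into scratch space and comparing.
Sample data is constructed inline; nothing here talks to a real backup product."""
import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file under root (POSIX-style relative path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> dict:
    """Archive `source` and return the manifest taken at backup time."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname="data")
    return manifest


def verify_backup(archive: Path, expected: dict) -> list:
    """Test-restore `archive` into a scratch directory and compare every file
    to `expected`. Returns a list of problems; an empty list means the backup
    restores exactly what the manifest says it should."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive, "r:gz") as tar:
                # Python >= 3.12 (and backports) can refuse path-traversal members.
                kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(scratch, **kwargs)
        except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
            return [f"archive unreadable: {exc}"]
        restored = build_manifest(Path(scratch) / "data")
        for rel, digest in expected.items():
            if rel not in restored:
                problems.append(f"missing after restore: {rel}")
            elif restored[rel] != digest:
                problems.append(f"content changed: {rel}")
        for rel in restored:
            if rel not in expected:
                problems.append(f"unexpected file in backup: {rel}")
    return sorted(problems)


def demo() -> tuple:
    """Constructed scenario: night 1's backup verifies cleanly. Overnight the
    source is damaged the way ransomware damages it (one file overwritten, one
    deleted); the night 2 backup job still runs and reports success, but
    verifying it against the previous manifest exposes the difference."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "source"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")
        (src / "notes.txt").write_text("constructed sample data\n")

        night1 = Path(work) / "night1.tar.gz"
        manifest = create_backup(src, night1)
        clean = verify_backup(night1, manifest)

        (src / "finance" / "ledger.csv").write_bytes(b"\x00ENCRYPTED\x00" * 8)
        (src / "notes.txt").unlink()
        night2 = Path(work) / "night2.tar.gz"
        create_backup(src, night2)
        damaged = verify_backup(night2, manifest)
    return clean, damaged


if __name__ == "__main__":
    ok, bad = demo()
    print("night 1:", ok or "restore verified")
    print("night 2:", bad)
```

Two things make this worth running nightly rather than once: the manifest has to be stored somewhere the production credentials cannot reach (otherwise the intruder who encrypts the files can also rewrite the record of what they should look like), and a sudden jump in the number of “content changed” entries between two nights is itself an early ransomware indicator, often before anyone notices the ransom note.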
2. Do I have firewalls in place to manage network traffic? Are they kept up to date?
Firewalls are appliances (or software) that monitor and filter the traffic between your network and the internet. They are your first layer of network security. You’d be surprised how many companies have one but have no idea whether its firmware is patched or its threat signatures are current.
Patches are issued in response to known bugs and vulnerabilities, and a firewall is, by design, the one device that the whole internet can reach, so an unpatched one is the first thing an attacker will try. Simply having a firewall is not enough. It needs to be kept up to date, and somebody needs to own that job.
3. Am I using enterprise-quality behavior-based antivirus to catch zero-day threats?
Most off-the-shelf antivirus software is signature based. A criminal releases a piece of malware, a vendor eventually gets a sample, analyzes it, and publishes its fingerprint (signature) to a database your antivirus downloads. That process can take weeks or months, and a small change to the malware produces a brand new fingerprint.
Behavior-based antivirus, on the other hand, is designed to catch brand new, or “zero-day,” threats: the malware nobody has documented yet. Instead of asking “have I seen this file before?” it asks “is this program acting like malware?” For example, a process launched from a Word attachment suddenly starts reaching into another process’s memory and writes a registry Run key so its payload starts again at the next login, at 11:00 PM on a Friday night. No single step is damning on its own, but the combination is unusual, so the tool flags it and blocks the action. The trade-off is that behavior rules produce false positives, so someone has to tune them and triage the alerts.
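To make the “combination of weak signals” idea concrete, here is an added example (not any vendor’s engine or schema) of a small behavior rule run over constructed endpoint telemetry: three registry writes, one from a legitimate installer during business hours, one from an unsigned binary that Word dropped into a Temp folder late on a Friday, and one from a backup agent doing its nightly job. The field names, weights and threshold are assumptions for illustration.

```python
"""Added example: a small behavior rule of the kind a behavior-based endpoint
product applies, run over constructed telemetry. Field names and weights are
assumptions for illustration, not any vendor's schema or scoring."""
from dataclasses import dataclass
from datetime import datetime

# Autostart locations malware writes to survive a reboot or re-login.
PERSISTENCE_KEYS = (
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\run",
)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\")
BUSINESS_HOURS = range(8, 18)  # 08:00 to 17:59, Monday to Friday
ALERT_THRESHOLD = 4


@dataclass
class RegistryWrite:
    when: datetime
    process: str        # full path of the writing process
    parent: str         # image name of its parent process
    signed: bool        # code-signature check passed
    key: str
    value_name: str


def score(ev: RegistryWrite):
    """Return (score, reasons). Each signal is weak alone; it is the
    combination that a behavior engine reacts to."""
    reasons = []
    if ev.key.lower().startswith(PERSISTENCE_KEYS):
        reasons.append(("writes an autostart (Run) key", 1))
    if not ev.signed:
        reasons.append(("binary is not code-signed", 2))
    if ev.parent.lower() in OFFICE_PARENTS:
        reasons.append(("spawned by an Office application", 3))
    if any(p in ev.process.lower() for p in USER_WRITABLE):
        reasons.append(("runs from a user-writable folder", 2))
    if ev.when.weekday() >= 5 or ev.when.hour not in BUSINESS_HOURS:
        reasons.append(("outside business hours", 1))
    return sum(w for _, w in reasons), [r for r, _ in reasons]


def triage(events):
    """Return the value names of events that cross the alert threshold."""
    return [ev.value_name for ev in events if score(ev)[0] >= ALERT_THRESHOLD]


# Constructed telemetry: a legitimate installer, a macro-dropped payload, and a
# backup agent doing its nightly job. Dates: 2024-03-12 is a Tuesday,
# 2024-03-15 a Friday.
SAMPLE_EVENTS = [
    RegistryWrite(datetime(2024, 3, 12, 10, 15), r"C:\Windows\System32\msiexec.exe",
                  "explorer.exe", True,
                  r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "VendorUpdater"),
    RegistryWrite(datetime(2024, 3, 15, 23, 7), r"C:\Users\bob\AppData\Local\Temp\invoice.exe",
                  "WINWORD.EXE", False,
                  r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "WindowsUpdate"),
    RegistryWrite(datetime(2024, 3, 15, 23, 9), r"C:\Program Files\Backup\agent.exe",
                  "services.exe", True,
                  r"HKLM\System\CurrentControlSet\Services\BackupAgent", "LastRun"),
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        total, why = score(ev)
        print(f"{ev.value_name:14} score={total} {why}")
    print("alerts:", triage(SAMPLE_EVENTS))
```

Note what does not fire: the nightly backup agent also writes to the registry at 11 PM, but it is signed, lives in Program Files and was started by the service manager, so it scores one point. That is the tuning work the paragraph mentions: the weights have to reflect what is normal on your network, or the tool either misses the payload or pages someone every night.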
4. Am I using multi-factor authentication to log in?
In the past year or two, most cyber insurers have begun requiring multi-factor authentication (MFA) before they will underwrite a policy. Companies that don’t have MFA enabled are seeing their premiums doubled, or are being refused coverage outright.
In simple terms, MFA adds a verification step to your logins to help prove you are the one trying to gain legitimate access, not someone else. You can learn more about MFA here.
The bottom line is that requiring a second device or account to confirm logins to critical company data should be a no-brainer. You’re most likely already using it with your personal bank accounts and credit cards, so why wouldn’t you use it to protect your own business? One caveat: use an authenticator app or a hardware key where you can. Codes sent by SMS or email are better than nothing, but they are the easiest for an attacker to intercept, and, as the next question shows, useless if the attacker already has your mailbox.
5. Do I have password management policies and procedures enforced for everyone?
Let’s admit it: we’re probably all guilty of using the same password on more than one account somewhere. They’re just plain hard to keep up with and remember. You might be using the same email address and password on your Amazon, Facebook, Netflix, and Bank of America accounts. But here’s a tip: make sure, if nothing else, that your email account password is unique.
Breaches at big companies like LinkedIn, Experian, Target, and T-Mobile illustrate that millions of email-and-password pairs are now in criminals’ hands. If one of those pairs opens your mailbox, and that mailbox is where your multi-factor codes and password-reset links arrive, the attacker now holds both factors. They can reset your other passwords, approve purchases and bank transfers, and delete the notification emails so you never see it happen.
Any password tied to financial data should be unique. A password manager makes that simple: it generates a different password for every site and remembers them for you, and most will also flag the ones you’ve reused or that have shown up in a known breach. But if you don’t enforce good password hygiene in your business, it’s like leaving your front door wide open.
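The two checks a password manager does for you can also be automated for a company policy, and the breach check can be done without ever sending the password anywhere. The following is an added example (not the page’s or any product’s code): reuse detection groups accounts whose passwords hash to the same value, and the breach check uses the k-anonymity range model, in which only the first five hex characters of the password’s SHA-1 are sent and the server returns every matching suffix it knows. The account list and the range response below are constructed for the demo; the live lookup function targets the real endpoint at https://api.pwnedpasswords.com/range/ but is not called offline.

```python
"""Added example: two password-policy checks. Reuse detection compares hashes
of one user's passwords; the breach check uses the k-anonymity range model so
the password itself never leaves the machine. The range response is
constructed for the demo; the live service is
https://api.pwnedpasswords.com/range/<prefix>."""
import hashlib
from collections import defaultdict


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str):
    """Return (5-char prefix to send, 35-char suffix that stays local)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, body: str) -> int:
    """Parse 'SUFFIX:COUNT' lines; 0 means the suffix was not in the range."""
    for line in body.splitlines():
        cand, sep, count = line.strip().partition(":")
        if sep and cand.upper() == suffix:
            return int(count)
    return 0


def check_password(password: str, fetch_range) -> int:
    """How often the password appears in the breach corpus, via fetch_range(prefix)."""
    prefix, suffix = split_for_range_query(password)
    return count_in_range_response(suffix, fetch_range(prefix))


def fetch_range_online(prefix: str) -> str:
    """Real lookup against the k-anonymity API (not used by the offline demo)."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-hygiene-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def find_reuse(accounts: dict) -> list:
    """Group account names that share a password; input is {account: password}."""
    by_hash = defaultdict(list)
    for name, pw in accounts.items():
        by_hash[sha1_hex(pw)].append(name)
    return sorted(sorted(names) for names in by_hash.values() if len(names) > 1)


# Constructed range response for prefix 5BAA6. The first suffix is the real
# SHA-1 tail of the string "password"; the count and the second line are made up.
CONSTRUCTED_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
             "0A1B2C3D4E5F60718293A4B5C6D7E8F9A0B:2\n",
}


def fake_fetch_range(prefix: str) -> str:
    return CONSTRUCTED_RANGES.get(prefix, "")


def demo() -> dict:
    """Constructed account list: the email and bank passwords are the same and
    both appear in the breach corpus; the Netflix password is unique and clean."""
    accounts = {"email": "password", "bank": "password", "netflix": "W4rm-Tea-Glacier-91"}
    return {
        "reused": find_reuse(accounts),
        "breached": {name: check_password(pw, fake_fetch_range) for name, pw in accounts.items()},
    }


if __name__ == "__main__":
    print(demo())
```

In real use you would not have plaintext passwords to feed `find_reuse`; a password manager does this comparison over its own vault, and an identity provider can run the breach check at password-change time so a known-bad password is rejected before it is ever set.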
6. Do I have an end-user phishing training program for my employees?
The old adage still applies: If it looks too good to be true, it probably is. If it looks suspicious, don’t click on it. But email scams are getting more and more sophisticated and realistic.
So if you’re not giving your employees the information to identify these scams, they’re going to get tricked and your business will pay the price. And once-a-year training won’t cut it.
We use tools that send simulated phishing emails to our clients’ staff throughout the year. Anyone who clicks gets immediate feedback and a short lesson, so the business can see who is at risk, watch the click rate fall over time, and show that improvement to its insurer.
7. Do I have cyber insurance? Is it sufficient for a real-world incident?
You’d have a tough time blaming Apple or Samsung or Google if they lost all the pictures and data on your phone. Remember, you agreed to their terms and conditions.
But things happen. No one is hack-proof, and that’s why backups are so critical. It’s also why we buy insurance policies to cover the things important to us. And insurance companies now have 5- to 10-page cyber security checklists you’re required to fill out before they will quote and underwrite a policy; answer them honestly, because a claim can be denied if the controls you attested to turn out not to be in place.
We’ve got a blog covering the basics of cyber insurance so you can make sure you get the coverage you need. And I’m happy to talk through it with you.
Are you still with me? Are your eyes glazing over? I hope not. These are all questions you should be able to talk about with your IT services provider. And it’s important that you do. Feel free to reach out to us for a quick assessment of your strategy and options.
Please, be very careful what you click.
And don’t be a Sitting Duck.
Call me at (912) 629-2426.