Data Breach Prevention: How do you protect your business from a Cyberattack?

several locks on a fence

“I didn’t know.” That’s a common response from employees who just clicked on the latest malicious email and interrupted your business. But it doesn’t need to happen that way.

An ounce of prevention …

Education and preparation are the most important tools to protect against a data breach. Phishing emails and cyberattacks touch an entire company. Can you think of anything more paralyzing than an employee realizing they just imperiled the entire company by clicking on “that email?”

Set your team up for success by taking the proper steps to prevent a data breach or cyberattack.

Zac Wilcoxen runs Pretect managed IT services. He helps companies manage their risk and equip employees for cyber security. Zac sat down for an interview and answered the following questions. You can jump to his answers by clicking on the links below.

Cyber Liability Self-Assessment

How do you train employees for cyber security?

We equip companies with policies including escalation policies, password policies, and just general education. Most breaches happen due to phishing, and phishing happens because people are uneducated. Put in place educational resources that pertain to cybersecurity – specifically phishing. This will be very valuable because the end users of this education, the employees, would be the reason a compromise happens. Nine times out of ten, when I see a breach, it’s because of phishing.

Use a cloud-based knowledge base, such as Zendesk. A SaaS (Software as a Service) application like this is separate from your internal infrastructure and is highly available. In the event of a compromise, you will still be able to access your policies and procedures from another device such as your phone.

That knowledge base can cover escalation policies, password policies, and general education. When ransomware hits, it can hit a single computer or an entire organization, so you want to make sure you can access your recovery policies. Some of the big breaches are specifically designed to crawl across your network and make a simultaneous attack before it drops the payload1.

The most important thing an organization can do is put together educational resources pertaining to cybersecurity, specifically phishing, before an attack occurs. Uneducated end-users are likely to be the reason that your company gets compromised.

How do you train employees to recognize phishing schemes?

We schedule company-wide phishing cybersecurity awareness sessions so we can dive into each type of phishing scenario. During these sessions, we educate them on the things they need to look out for and be aware of.

Then we perform faux phishing attempts. We will send out phishing emails to see whether or not employees are clicking on these emails and falling for the scams. If they are clicking on them, we go back and show them how it happened. When your employees get phishing emails from us, or they get real phishing emails, they should report them immediately. To encourage reporting, whoever reports the most phishing emails within a certain timeframe will get a $50 gift card.

We do these things to create an incentive to be vigilant. It is a motivation for the teams and a kind of game. It provides a way for employees to look at emails, analyze them and ask themselves, “is this phishing?”

If you don’t provide the awareness and are just hoping your employees don’t click on anything… that is not a good way to protect your business. Use a VPN (Virtual Private Network) and educate your employees on phishing.

How do access restrictions help protect company assets?

Restrictions help to minimize levels of access. An end-user, or employee, that only updates social media does not need to have admin-level access on their computer. A user that has admin access, that doesn’t need it, can go to a website and download something that they’re not supposed to. When they go to install what they think is Adobe Acrobat Reader, for instance, they accidentally compromise their computer because there are a lot of fake Adobe Acrobat Reader programs out there.

If you revoke their admin privileges before they can make a download, then they don’t have the ability to install things unless they contact their IT department. The IT department is the one who will go in and verify that it is the right software installation. Do periodic audits of your employees’ access levels and verify they are appropriate for their role.

How frequent are cyberattacks?

Everybody will be compromised at some point. It’s important to keep in mind that it’s when you get hit with a cyberattack, not if. It’s an inevitability. It’s just a matter of when and how bad it’s going to be. So, ask yourself, when it happens, are you okay with the worst-case scenario? I often get calls from people being hit with ransomware who were not prepared, at which point it is too late. There will be some level of infiltration, and the key is to be ready by implementing cyber security technology, education, and invest in business continuity.

How do I create password policies that are effective?

People are bad about password management, and they don’t understand proper password protection. If you use the same password across multiple platforms, you’re asking for trouble. If you use the same password for Google, Facebook, and Twitter, and you get compromised on any of those platforms, the first thing the hackers will do is use that password across the rest of your infrastructure.

Never use the same password twice on any one infrastructure or use that password on other software throughout the internet. Most folks don’t realize they’ve already been compromised. But here’s a site you can check to see if you have a risk.

Check for breaches at: https://haveibeenpwned.com/

If a site with your login has been breached, then your password is most likely being tested against other websites on the internet. If you reuse passwords, you’ve got a problem. Use a password management system like LastPass, 1Password, or Dashlane. These systems can create randomly generated passwords and include security challenges.

They will indicate and / or prevent reused passwords. These password managers can also mandate policy password policies. Examples include that you use at least fifteen characters alphanumeric with special characters randomly generated. If a malicious person were to acquire that password, they would only have access to one asset since you can’t reuse passwords for other assets.

Most password managers require only one password, your Master Password. These platforms do a good job of protecting access to your vault, though it is still suggested you layer in 2FA (2-Factor Authentication) in order to keep your Master Password safe.

How cyber security requires keeping software and systems up to date.

Patch management makes sure that all your applications, including your operating system, are fully up to date at all times. Some people think that they do not need to update because they don’t care about the new features. It’s not about new features. It’s about security. Most patches are released to address security vulnerabilities.

Windows is full of vulnerabilities. Every single week they’re producing new patches to address different vulnerabilities. Yes, every week there are new vulnerabilities discovered. It’s imperative to keep your devices up to date. If you don’t have an IT team internally or an IT firm externally that manages patches remotely, the likelihood of your security vulnerabilities being open is much higher than they would be otherwise.

How a VPN improves security.

A Virtual Private Network (VPN) keeps your private data private. If you connect to a public network like a coffee shop, then use a VPN. Without a VPN, you’re visible to others connected to that network. A VPN creates a private tunnel that keeps prying eyes away from your data.

Once you are connected to a VPN, all your web traffic starts to filter through that tunnel. It’s encrypted and remains private. The VPN can also connect to your business infrastructure, protecting your connection and making those resources available remotely. The bottom line is you shouldn’t use an open network without a VPN in today’s world filled with malicious actors.

Are some email platforms more secure than others?

When it comes to email systems or platforms and susceptibility, there are only two email infrastructures I would personally recommend. These are Google’s G Suite or Office 365. They invest the most time, money, and effort into their infrastructures, which makes them the safest.

I would strongly recommend you avoid basic email providers such as GoDaddy or HostGator. Their spam filters are not well trained to filter viruses and phishing emails when compared with Google. Google has great phishing identification and spam filtration. If you are using GoDaddy or HostGator, you are likely to see an influx of phishing emails, which can result in a breach.

Final Thoughts

Create opportunities for success for your employees. Make that happen through education, training, infrastructure, and documented procedures. Hoping your employees figure it out on their own is a plan for failure.

Protecting assets and keeping customers happy means being prepared. Your employees can have the training and tools to avoid seductive traps. Invest in infrastructure including firewalls and business continuity. Money you invest in prevention is money well spent.


Bio

With a lifetime spent in IT, Zachary Wilcoxen has seen it all. He started young as an agent doing on-site service calls for Computer Nerdz, before taking a position at a data center in the network operations center. There he maintained the infrastructure most people refer to as “the cloud”. Honing his craft, and studying computer science, he eventually took a software engineering position working on a popular cloud storage platform.

After a number of years in the workforce, building a skill set, Zac set off to start his own business which today is known as Pretect Managed IT Services. We offer 24/7 help desk support, proactive asset monitoring, cyber security, and automation.


Disclaimer

Daniels-Head Insurance Agency (DHIA) seeks thoughts and insights from a variety of individuals and organizations in the industry. The guest content on this blog represents the individual opinion of the author and not that of DHIA. Nor is it the opinion of DHIA’s underwriters and business partners. Neither DHIA nor DHIA’s business partners are recommending, endorsing, or sponsoring any companies, or third parties mentioned in this blog.

More Articles

View All Articles

Cyber Liability vs. Data Breach Insurance: Key Differences to Know Before You Buy

Understanding the key differences between Data Breach Insurance and Cyber Liability Insurance can help you make smarter, more confident decisions. Whether you're considering standalone policies or filling gaps in your current coverage, knowing what each policy offers is important to choosing the protection that is most suited for you and your business.

Defending Against Ransomware Attacks Today

Explore the history of ransomware attacks, the tactics used today, and the proactive measures you can take to protect your law firm from this growing cyber threat.