Users: Your largest and weakest attack surface

October is Cyber Security month! When you announce to most admin and IT stakeholders that this month's focus is security, you're likely to receive a chuckle or an eye roll. They know the truth of the matter. Our mindfulness of security can't be limited to a single month.

It’s an ongoing process that literally never ends.

Who, then, is Cyber Security month for? I'll give you a hint. They interface with your organization's data, devices and services daily and often don't regard security as their first or even third priority. You got it: Cyber Security month is all about making your users more aware of the threats your organization faces.

We often spend far more time discussing our plans to harden servers, implement new identity security policies or protect our users' credentials with MFA. Don't get me wrong, those things are essential in today's world, but it's hard not to notice a gap in those strategies. That gap is the users.

Most experts estimate that 70% – 90% of malicious breaches start with or include some form of social engineering. Our users are every organization’s largest attack surface and softest target. Bad actors know this and are increasingly aggressive and cunning in their attempts. Every user holds something a bad actor would like to get their hands on. 

Take a user who doesn't need access to any data or systems but needs email to communicate. If that user leaks credentials, the mailbox can still be a treasure trove for a bad actor: a global address list harvest, or intel derived from exfiltrated emails that lets them refine and target spear-phishing attempts. When we read about a large breach in the news, we often picture a group coordinating an attack to launch all at once, when it's far more likely that the attack started very small and unfolded over time.

So how do we go about hardening our users? It would be nice if we could just apply a patch or update their firmware, but a more tactful approach is needed. We believe that process is three-pronged.

Communication

Your organization culture around communicating anything IT-related is very important and often overlooked. 

Simply making your users aware of the current threats and where to report them can go a long way toward thwarting social engineering. Be consistent with your communications. Set up a shared mailbox so that multiple people crafting IT-related messages appear as one unified voice. Apply templates to your emails so the appearance is consistent. Be concise; too little or too much information can be harmful. Stick to the who, what, why, and how of the threat. Don't forget to include where a user should go to report social engineering attempts.

Training

This can mean different things depending on the size of your organization. In smaller organizations, it may mean taking 10 minutes during a company meeting to show examples of social engineering attempts. In larger organizations, it may mean contracting a professional trainer to speak to individual business units or even training leaders in those units to talk about threats to their teams.

Attack Simulation

The benefits of a penetration test against our networks are obvious, but we can also apply this approach to our users. An attack simulation targeting your users with social engineering or a fake malware payload will not only give your organization an idea of its vulnerabilities but is also one of the best ways to raise your users' awareness. An attack simulation with training and communication as a fast follow-up can grab your users' attention far better than any of these components on their own.

How do I simulate attacks? 

Just like network penetration testing, there are plenty of tools to help you launch attack simulations and parse the data you receive.

  • Microsoft 365 Defender P2 – If you happen to have Defender P2 or an M365/O365 A5/M5/E5 plan, you have a very robust set of tools for simulating attacks.
    • Choose from a wide variety of templated attacks that help target specific business units, just like a seasoned spear-phisherman.
    • Simulate malware payloads and malicious links with a variety of different delivery methods.
    • Automatically assign pre-built training modules to users who click malicious links or input their credentials.
    • Robust after-action reporting to help you know where to invest in training.
  • Now Micro Security Awareness Training – If you don't have Microsoft licensing, you're not out of luck: Now Micro has the tools to simulate attacks against your Microsoft or Google environments.
    • Phishing Security Tests
    • Automated Security Awareness Program
    • Security Hints & Tips
    • Automated Training Campaigns
    • Phish Alert Button (ability to report & delete phishing emails)
    • Phishing Reply Tracking (track whether a user replies to a simulated phishing email & what information they send)
    • Industry Benchmarks
    • Monthly Email Exposure Check: monthly reports show which email addresses are exposed on the Internet and are a target for phishing attacks

Recognizing the growing need to protect all your endpoints, including your users, is our focus at Now Micro. If you have any questions or would like our help, visit our Managed Services page on our website.

Are you prepared for IT threats?

Many things cause a business owner to have nightmares — at the top of the list is a computer failure that stops operations in its tracks. Unfortunately, no company is immune to the threat of data failure. Recently, for retail giant Target, the fear became a reality as nearly every register in all stores throughout the United States went down.

Fortunately, the system outage only lasted two hours. But those two hours of downtime cost Target roughly $50 million in lost sales and caused their stock shares to drop by two percent. In reality, Target's ability to go from a catastrophic outage to being back online in such a short time is a huge accomplishment. With significant IT infrastructure in place to respond, the company could investigate the problem, determine that there had been no data breach, and reboot all systems to full operation quickly. For the company, assuring that no data had been compromised was vital. In 2013, a data breach affected 41 million customers and resulted in a legal settlement costing them millions.

How you protect your data is critical to the success of your business — no matter your size. For a health organization, your data includes detailed medical and insurance information. Law offices hold endless client files and records, financial planners have high-level access to sensitive financial portfolios, and the list goes on. No matter the industry, data is critical. In many cases, data security methods are heightened by legally mandated regulations like HIPAA and PCI.

Be Prepared

So, how do you protect your company from cybersecurity threats and data failure? Target spends hundreds of millions of dollars each year. The key is to find an affordable technology partner you can trust. As seen in the Target event, data issues and cyber attacks don't only happen during business hours. You have to be prepared to respond 24/7. At Now Micro, we make it a priority to be available when the need for help arises. Our service desk technicians answer the phone live 24 hours a day. But that is only a tiny piece of your Cyber Security response plan. Most of our work occurs before disaster strikes. We help ensure that you have the up-to-date systems needed to prevent an attack or data failure, and backups in place for when an attack occurs.

Your Industry Needs

Although all industries need comprehensive data and cybersecurity infrastructure, the needs vary depending on the types of data stored and industry-specific regulatory requirements. Here is a shortlist of how Now Micro customizes our services to serve the cybersecurity needs of different industries:

Manufacturing

We protect your intellectual property — the core of your ability to be profitable for the long term — and put in place processes to ensure the reliability of manufacturing operations.

Healthcare

HIPAA and other compliance requirements are critical in the healthcare industry. We address these needs and ensure brand protection, secure connectivity, and offer a unified security platform.

Small and Midsize Businesses

Each small and midsize business has its own unique needs, with expense management a key factor. Therefore, we provide affordable options, giving you access to the same level of expertise that large companies have at their disposal.

Retail

In a retail operation, the ability to continually process transactions without hiccups is critical. We help you ensure the reliability of your POS system while also assisting with compliance needs.

Law & Finance

Legal and financial institutions and advisors need to secure sensitive data and are subject to intense compliance regulations. We help ensure all of these needs are met and that a backup system is in place to allow recovery in the event of a data attack or failure.

Ready to Serve

Information technology and cybersecurity are overwhelming topics, but they don't have to be. Learn more about our comprehensive IT and Cyber Security services on our website. Give Now Micro a call today, and we can work together to define a plan that meets your needs so that you can relax knowing that your business is well cared for.