Every month I spend money on insurance for my car, house, and health care. And every time I need it, I am so happy I do! It is peace of mind. How peaceful is your mind when you think about your business cybersecurity?
You most likely have some sort of business insurance, maybe general liability insurance. That will not cover your losses from cyber-attacks, including targeted attacks as well as the occasional misplaced laptop containing confidential material. And that might be what puts you out of business.
Cyber insurance (also called cyber-risk insurance or cyber-liability insurance) protects businesses and individuals from Internet-based security incidents. It covers your privacy, data, and network exposures.
Why should I get Cyber Insurance?
Hackers keep getting more innovative and the amount of private information shared online is increasing. The list of regulations, statutes, and compliance requirements regarding the use and protection of cybersecurity information continues to lengthen. A breach may result in major fines and legal fees.
Does your business…
How do I know what kind of Cyber Insurance I should get?
Like any insurance, you need to do your research. Find out what your specific risks are, and which policies will protect you. By shopping around and evaluating your needs, you can avoid overpaying or getting coverage you don’t need.
Cybersecurity best practices are continually being updated as cyber attacks grow and change. You will want to check in often to make sure your cyber insurance is adapting and providing the coverage you need.
In part 1 of this 2-part blog on ransomware, we talked about what it is and how you can be infected. In this blog we will cover how to prevent attacks through layered security steps, and how to recover if you are attacked.
Three very important layers of protection against malware:
What antivirus should I use?
Not all AVs are created equal. You need to do some research to make sure you are using software that does everything you need it to. Some things to think about:
How do I securely back up my important files and data?
You should make sure to have your files backed up in two formats.
There are many, many places to get free training on what the best practices are to protect you and your family. Some of these resources are listed at the end of this blog. There are also some great video lessons on YouTube.
OTHER LAYERS OF PROTECTION
Even if you have a great antivirus utility, there is still a chance ransomware might get through.
If you get ransomware...
I know it seems like a lot to do, but the upfront research you do to ensure you’re cybersecure is easier than dealing with a malware infestation. It will save you time, money, and your important data.
We covered a lot, but there is more. Check out these other resources.
Well, time, money, and important information and data.
Ransomware is a type of malware. It is what it sounds like. Someone hijacks your system, encrypts your data, and won’t give you the key to unlock it until you pay up.
Why would someone target me for ransomware?
There are many reasons why you might be attacked. It could be money; the hackers use artificial intelligence (AI) to attack mass amounts of systems hoping enough will fall for it that they can profit. It could be that you have paid a ransom in the past and are now a “known target” for other hackers. And maybe the scariest reasons - a grudge or revenge.
If someone really wants to ruin your day, they can pay criminals to do the dirty work for them - targeting people or groups. The service is called Ransomware as a Service (RaaS). Cybercriminals provide a compact malicious kit capable of launching a ransomware attack. This empowers anyone to target you. They may want access to your information, to leak your information, or just to create a crisis for you.
How do I know if I have been attacked with ransomware?
It is hard to know when you have been infected until you get a ransom demand, or your computer locks up. There are many ways that a hacker can “get in.” The goal is to prevent any malware from penetrating your system, but if it does, you need to act fast and make sure to clean your machine to avoid future attacks. Here are some red flags to watch for:
If you start to see any of these suspicious activities, you want to scan for malware and review your overall cybersecurity practices. You might want to consult a technology expert if you are not sure how to do that.
How did my computer get ransomware?
This is the part that can get a little overwhelming; however, recovering from an attack will be a much bigger headache. Precautions are worth every bit of time and extra steps. It can happen to you. Your most valuable resource to prevent malware is you.
Almost all malware is installed by victims themselves unknowingly.
Your mission if you choose to accept… follow good cybersecurity best practices.
PASSWORD & LINK ATTACKS
I know, you have heard this before. The problem is people aren’t listening. Here is a quick reminder.
Check out the different Password Managers out there and check to make sure they are trustworthy. Multi-factor authentication (MFA) adds extra layers of protection.
Links / Downloads / Texts
SOCIAL MEDIA ATTACKS
With the rise in people using social media and so many different platforms, hackers are taking advantage of this avenue of attack.
IOT / WEBCAMS / SECURITY CAMERAS
Internet of Things (IoT) refers to anything in your home that is connected to the Internet (thermostats, smart lights, etc.). These are endpoints into your system. Have you checked their privacy settings? Are they all kept updated with patches?
Be especially concerned if your webcam or security camera is behaving abnormally.
Who doesn’t like a good deal? Shopping online is convenient, but you need to be vigilant.
These are not the only ways you can be infected with ransomware, but they are common, easy, and best of all… the easiest to avoid by following good cybersecurity policies and taking preventative steps.
How can I prevent malware on my computer?
There are many important steps (some listed above). In our next blog we will talk about what tools you can use to offer more layers of protection, specifically backups, antivirus, and education.
You have probably read about larger companies (health care facilities, universities, large chain stores, etc.) being attacked, but hackers are equal opportunity bad guys. They can target businesses of all sizes. The National Cyber Security Alliance has estimated that 60% of small businesses hit by cyber attacks end up going out of business.
How can I protect myself from ransomware?
The most important answer is to train your employees. (KnowBe4 is an excellent source to help with this.) If employees don’t open the door, the ransomware can’t get in. Create a Culture of Cybersecurity (learn more here). No matter what other precautions you put in place, it is the people who pose the most risk. Spending money on training is a wise investment and can save you money and time.
Here are some other ways to make it more difficult for the attackers to get in. It is best to have a multi-faceted security solution.
Pick a trusted software - Many retailers have agreements with other companies and get kickbacks for recommending their software. They aren’t looking out for your best interest; they are looking for profit. Look into tamper protection that prevents malicious software from turning off the antivirus application.
BACKUP DATA & SYSTEMS
Ransomware can encrypt your backup drive as well. You need to be backing up to a location you can then disconnect from your system. If your backup is connected to your network and the network becomes infected, your backups will too. Update often and keep incremental backups. Think about what data you have accumulated since your last backup. Can you afford to lose that? You should talk to your IT department or support team to make sure your backup system is as secure as you can make it.
UPDATES AND PATCHES
When software and hardware come out with new patches, it is to fix something. They may have become aware of a vulnerability and are updating to protect you from it. Make sure that your updates are being managed.
Only give your employees access to the information they need. You should also whitelist safe websites, plug-ins and add-ins for your browser and email. Instead of blocking what you feel might be dangerous, avoid the risk by only allowing already known safe sources.
The earlier you become aware of a problem, the less damage it is likely to cause. Have someone tasked to manage your cybersecurity and watch for clues of attempted and active attacks.
OTHER LAYERS OF PROTECTION
What do I do if I am attacked with ransomware?
There are many important steps to take if you are attacked. You should work with your IT department or IT support team to create a plan for protection and remediation.
One thing you should make sure all your employees know if a ransomware screen does appear on their workstation:
DO NOT shut down the machine. Instead the employee should unplug the network cable from the machine or disconnect from Wi-Fi immediately.
Should I pay the ransom when attacked by ransomware?
This is often debated, but the FBI recommends you do not. The hackers are looking for a payday. They can either sell the information they access on the dark web, leak it to hurt your company, or just want the ransom money.
IF YOU DO NOT PAY
IF YOU DO PAY
On a final note… ALWAYS report it. There are too many reasons why this is important to go into in this blog. Here are some great links to give you more information on the why and how of reporting attacks.
BUT WAIT, THERE’S MORE
Leeward Business Advisors can help you do all of these things no matter how big or small your business is.
Isn’t that the worst feeling? That fear of valuable personal information being in the hands of someone else is scary! You would most likely check all your financial accounts and notify them of the loss - as you should. But there are many other ways the bad guys can get that personal information and more that you may not be aware of or monitoring.
You may feel that you won’t be a target because you aren’t a company or think your information isn’t valuable. Wrong! Your info is extremely valuable on the dark web. (learn more here)
One of the newest trends in cybersecurity is two-factor authentication (2FA) and multi-factor authentication (MFA). Most of us are guilty of using the same password across multiple accounts. In fact, password hacking is one of the easiest ways for hackers to access your personal data. To combat this, many websites, apps, phones, and accounts require MFA.
I know what you are thinking... “Oh great, another step. I just want to log in.”
Why do I have to enter another code?
Here is some entry level information explaining what 2FA and MFA are and why you need to enter that additional code.
Factors - The things you use to prove you are who you say you are and have permission to access the information you are trying to get to.
Multi-factor Authentication - Using more than one factor to prove your identity
Two-factor Authentication - Using specifically two factors to prove your identity
Identity - A unique label given to each individual (an email, username, etc.)
Authentication - The process proving ownership of an identity
Let’s say you want to set up an account on a website or app. They are going to have you set up a username/login (your identity) and a password (one factor of authentication). It is now common that they will also ask for a cell phone number to text you a code to enter on the site (an additional factor).
THREE KINDS OF FACTORS
There are three kinds of factors. Multi-factor authentication requires you use factors from two or more of the categories. If a hacker gets your password, chances are they don’t have your phone (or vice versa). By requiring you to have something you know and something you own, it reduces the chances of a hack.
After you provide the correct factors (proof of who you are), the site authorizes your access. Sometimes you need to provide your proof factors each time you log in; sometimes the authorization times out and you must re-enter it. This is a precaution to protect you if you walk away from your computer or phone.
What are the safest factors to use for MFA?
Something you know is the easiest to hack. Your password may be something easy to find out. Something you are is the safest. Something you have strikes a balance between those two.
The National Cybersecurity Alliance defines some of the most common 2FA methods:
One-time passwords are sent via SMS (text message) and once received, the code can be copied and pasted into an application. Because of phone number porting scams and SIM swapping, this method has a poor security rating.
An authenticator app such as Google Authenticator is downloaded to your mobile device, and once you scan a QR code in your account’s security settings, the app stores one-time codes that are only valid for a limited amount of time. Although this method is more secure than SMS, it still relies on a mobile device, which isn’t always available or convenient.
A hardware security key is the most secure and convenient 2FA option. In fact, a recent Google study found that security keys were the only method to prevent account takeovers 100% of the time. Security keys, such as a YubiKey, require physical access to the device to log into an account, preventing sophisticated breaches and remote attacks. When prompted during login, you simply need to touch the device to verify your identity. Think of the security key as if it were a physical key to protect your digital world.
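The authenticator-app method above works because the app and the server share a secret (delivered in the QR code) and both derive the same short-lived code from that secret and the current 30-second time window. The following is an added illustration, not code from the original post or from any authenticator vendor: it implements the standard time-based one-time password (TOTP, RFC 6238) and the server-side check with a small clock-drift window and replay rejection. The secret is the constructed RFC 6238 test-vector secret, not a real enrolment value.

```python
import base64
import hashlib
import hmac
import struct

# Constructed example secret: the RFC 6238 test-vector key, base32-encoded the
# way it would appear inside an enrolment QR code. Real secrets are random.
EXAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

TIME_STEP = 30  # seconds per code window, the usual authenticator-app setting


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()    # 20-byte HMAC-SHA1
    offset = mac[-1] & 0x0F                               # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = TIME_STEP) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time window.
    This is what the phone app displays; the server computes the same value."""
    secret = base64.b32decode(secret_b32.upper())
    return hotp(secret, at_time // step)


def verify_totp(secret_b32: str, submitted: str, now: int,
                last_accepted: int = -1, step: int = TIME_STEP, window: int = 1):
    """Server-side check of a submitted code.

    Accepts the current window plus `window` windows either side to tolerate
    clock drift between phone and server. Returns the accepted window counter
    (the caller stores it and passes it back as `last_accepted`) or None.
    A counter at or below `last_accepted` is refused, so a code that has already
    been used once cannot be replayed, even inside its validity period.
    """
    secret = base64.b32decode(secret_b32.upper())
    for drift in range(-window, window + 1):
        counter = (now + drift * step) // step
        if counter <= last_accepted:
            continue
        # constant-time comparison so timing does not leak how many digits matched
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


if __name__ == "__main__":
    # Walk through one login: the app shows the code, the server checks it,
    # then the same code is rejected when submitted a second time.
    t = 59
    code = totp(EXAMPLE_SECRET_B32, t)
    accepted = verify_totp(EXAMPLE_SECRET_B32, code, t + 20)
    replay = verify_totp(EXAMPLE_SECRET_B32, code, t + 20, last_accepted=accepted)
    print(f"code={code} first_use={accepted} replay={replay}")
```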
How do I protect my personal information from hackers?
It may seem like one more time-consuming step, but you will spend a lot more time (and probably money) if you are hacked.
More helpful resources
Images provided by KnowBe4
What is 2FA and MFA?
There is a lot of buzz around 2 Factor Authentication (2FA) and Multi-factor Authentication (MFA). Factors are the “keys” used to unlock access to your valuables. Anyone with the right keys can open the door and make themselves at home. If you require more than one authentication factor, things get more difficult for the bad guys.
FIRST, SOME VOCABULARY
The token is the golden ticket. The computer doesn’t know or care who holds the token. In other words, if a hacker gets your token, they are as good as you in the eyes of the computer, and the door will open for them.
A company needs to be very careful that the people who are accessing information are the people who have the permissions to do so. MFA is a great way to increase your security; however, it is not a guarantee. To protect your business, you need to understand what MFA is, how it works, and how to minimize the risk of a security breach when using MFA.
The Identity and proof factors are stored in at least one database. That storage is often not on the server directly involved in the authentication. MFA solutions are offered by hundreds of third-party vendors. These third-party storage locations are a possible point of compromise in your security. Companies need to know where authentication proofs are stored, who has access to the locations, and how trustworthy that storage is.
Always make sure your authentication storage is being aggressively monitored and restricted to just a few essential administrators. The authentication process cannot be trusted if the storage is not secure.
Of course, like everything with cybersecurity, it is the user that is the weakest link. Learn more about how to get your employees to embrace cybersecurity protocols and create a Culture of Cybersecurity.
(Blatant self-promotion - Leeward Business Advisors is an amazing IT resource!)
It is if you have nothing in your home that is connected to the Internet. So basically, no. Think about all the devices you use every day that are connected online. Each one of those endpoints is a door that opens to your information.
Whether you are working from home or just like to play Candy Crush on your smart phone while streaming a movie, you are vulnerable to cyber-attacks. In fact, hackers know that you don’t have an IT department in your house watching out for you, making you an even more desirable target. Every endpoint you have is an entryway for cyber predators.
The good news is there are tons of resources out there to help you protect your devices and you. You can take self-assessments and scan for vulnerabilities (Bitdefender is a great place to start). If your employer has an IT department, they may have more advice for you. Make sure to keep up on what is new and trending. Hackers adapt their methods quickly and each new technology brings its own vulnerabilities.
How do I protect my home network from hackers?
Start paying attention and think like a hacker. Hackers are crafty and gather your information in very clever ways.
Have you ever filled out one of those fun questionnaires on social media? You know, the ones that provide all kinds of fun little facts about you like where you went to elementary school, your pet’s name, your favorite color…. Guess what? Those are often the questions used to verify you are who you say you are when you log in or change a password.
Some basic “must do” steps to make you less of a target:
Check out these other helpful resources
The Dangers of Hacking and What a Hacker Can Do to Your Computer
Internet Safety: How to Protect Yourself Against Hackers
National Security Agency Central Security Service
The concept of cybersecurity isn’t a new one. Unless you have been too busy playing Oregon Trail on your Commodore 64, you have probably heard about malware attacks, viruses, ransomware, phishing… the list goes on. Whether you are a huge company with hundreds of employees, or your only employee, it must be addressed.
So, if we are all aware of it, why do so many cyber-attacks and breaches still occur? Because your cybersecurity is only as good as the people who use it. The human element is the weakest link in your cybersecurity plan. While cybersecurity may be a priority for you and your IT department, your employees might be more focused on wading through their inbox, meeting deadlines, and balancing their work/home lives. Once you have cybersecurity plans, procedures, and policies implemented, you need to engage all your employees in following them.
How do I get my employees to care about cybersecurity?
Successful cybersecurity requires every part of your organization being concerned and on the same page. Understanding the why is as important as understanding the how. Each department plays a role in building and maintaining the culture.
Senior leadership is not only responsible for monitoring the culture and making changes for organization-wide collaboration; they are visible to the entire organization and need to model good cybersecurity behavior. HR should help employees understand the importance of cybersecurity procedures, gather feedback to inform changes, ensure reporting and accountability. The IT staff bridge the business, operational, security, and technology requirements necessary to create and maintain the culture. They can help simplify policy adoption and ease of use, as well as assess risk, and develop strategy. All these steps help users understand the importance and take ownership of their part in the plan.
Cybersecurity training isn’t something you do once a year and check off your list. Threats are fluid and you need to be continually revising your plan to make sure you are not only addressing each issue as it arises, but also using each situation to adapt and build a stronger wall of protection.
Many businesses continue to invest in hardware and software to protect them from cyber-attacks, but do not budget for training. If you do not train your employees how to use the security plans you have in place, you are not getting the most out of those investments.
How do I manage my cybersecurity?
What if you don’t have an IT department or other employees tasked with monitoring and developing an action plan? There are many IT service providers (Hey, how about checking out how Leeward Business Advisors can integrate into your team to support your IT needs?) and cybersecurity training programs (KnowBe4 is excellent) that can help you manage your cybersecurity needs.
An investment in a sound cybersecurity action plan can save you the expense of remediation and attacks.
Here are some helpful resources to continue learning about how to develop a cybersecurity action plan to protect your business and customers.
National Institute of Standards and Technology U.S. Department of Commerce
KnowBe4 Security Culture Survey
PWC’s Workforce Pulse Survey
TechRepublic Article on Employee Engagement
A successful leader needs to meet people where they are at, invest in their holistic development, and be fully committed to mutual success. Anything less is likely to put your organization on a path to a degraded culture that can lead to an unnecessarily high turnover rate.
A poorly performing culture and consistently high rate of exodus will hit your bottom line hard and fast. Over time, it can start to impact your top line revenue as unhappy employees tend to create unhappy customers. One need not look any further than bi-partisan politics to see that when mutual success is not a priority, calamity and frustration can ensue.
Early in my management career I was introduced to Maslow's Hierarchy of Needs through the lens of leadership. If you are not familiar with Maslow’s theory, here is a quick overview.
It seems quite commonplace for people to assume only they themselves have complicated and sometimes messy lives. We tend to look upon others and assume they are happy and whole. We glean this assumption from minimal evidence gathered while observing their emotional facade. Our opinion of their life comes from our observation of their smile, happy social media posts, and that one afternoon we spend at their house watching the Superbowl.
Every now and then, we get a glimpse into another personal reality and only then realize how many hurdles they must clear every day, just to make it to work. The online world of social media and blogging even has a word for it, sonder.
The best employees, the most successful people, are self-actualizing. They develop a drive and desire within them to be better, do better, and often lift up those around them. These are often the people among us that have great ideas, drive innovation, seem to effortlessly tackle that big project and then do not brag about it.
In my personal experience, co-workers and good leaders who were self-actualizing did all those things and then still found time to help and mentor me, and were happy to do so! There simply is no book, college course, or weekend seminar to achieve self-actualization overnight. It is, instead, a journey. Often the path is riddled with derailments, resets, and setbacks. The journey never really ends.
As with any journey, most of us need a guide. While Google Maps has made many great advances, they still have not quite figured out a GPS feature for our lives. The role of guide can, and in my opinion should, be filled by a good leader.
Given the simplicity of meeting people where they are at, it perplexes me that so few leaders and companies pursue this approach within their corporate culture. It is even further baffling when, as I have, you see firsthand the benefits of this approach and still do not commit to it. To be fair, I slip up from time to time and catch myself failing to follow my own advice in some situations. Regardless of my human fallibility, it is always my intention to meet people where they are at and it is also a skill that must be in continual development.
Granted, the details of this framework are much easier to type than to put into practice. The good news is you need not be an expert on day one. The biggest hurdle I see most leaders face is making the time to ask someone how they are doing and then committing to the conversation to work past the happy facade. Some of the worst managers I ever worked for intentionally took the opposite approach. If anyone has ever told you to ‘check your baggage at the door’, and you were not standing at the jetway of a plane, you have experienced the negativity of that tactic.
An employee with a less than ideal attendance record gets called into their manager’s office.
Do you see any reason this manager was not justified in their approach or any reason not to support firing the employee? They violated the attendance policy, they were warned, they re-offended, they were fired. Seems pretty cut and dried by any employee handbook standards. However, let’s try a different approach, let’s explore sonder and Maslow’s hierarchy of needs this time around.
An employee with a less than ideal attendance record gets called into their leader’s office.
This fictitious scenario is based on a number of very similar situations I have helped my employees navigate. Listening with a commitment to hear can uncover a number of viable solutions that provide a mutual benefit. Just because you as an experienced leader can think of several solutions, it does not mean your employees have the same knowledge or experience to help them navigate.
If you have the mentality of a manager, you may read this and think, this is not my job, I do not have time to waste on employees that cannot show up on time, why don’t they just have someone else deal with his dad, and so on. If you have the mentality of a leader, and meet this employee where they are at, your reaction will be much different.
A quick recall of the Maslow Hierarchy will remind a leader that at this moment of life, your employee is operating at the very low end of the needs pyramid. They are worried about their “safety needs” and might even have some ongoing concerns in the “physiological needs”. A rather simple, and brief, check-in with this employee and a few supportive suggestions could quickly move this employee up a few levels.
An amazing, and frequent, outcome of this approach is a corporate culture that prioritizes the well-being of each other. A team guided by a leader that consistently meets them where they are at can form a strong culture within the team. As that grows, peers will invest in each other’s success and increase their personal commitment to their team and the entire company. Additionally, time spent helping an existing employee overcome life’s challenges is less expensive and less time consuming than hiring a replacement and repeating the cycle.
MEET THEM WHERE THEY ARE AT
In our company this element of our culture is very strong. Employees have helped each other overcome housing challenges, coordinated car pools to resolve transportation issues, backed each other up when babysitters fell through, and much more. It has not stopped there. Our employees treat our customers with the same "meet them where they are at" approach and listen with a commitment to hear them. Instead of serving our customers at arm’s length, our team becomes a part of their team and a partnership is built and nurtured with every interaction.
There will be bad actors. It seems to be an unfortunate inevitability. Putting this approach into practice can expose your organization to the risk that someone will take advantage of your support. The best countermeasure is to ensure your company policies and employee handbook have a complementary framework. If an employee repeatedly misses agreed-upon remediation goals and their performance is still missing the mark, dismissal may still be the best outcome for both parties. As a leader, you will know you did everything possible to help the employee be successful; even if the final outcome means they need to find their success elsewhere, they will still be better off for your guidance and demonstration of compassion.