
Techinnovar Support

You have until July to Install SSL or Google will mark your site “Not Secure”

A secure web is here to stay

For the past several years, we’ve moved toward a more secure web by strongly advocating that sites adopt HTTPS encryption, and within the last year we’ve also helped users understand that HTTP sites are not secure. Next month Google will begin marking a larger subset of HTTP pages as “not secure”: beginning in July 2018, with the release of Chrome 68, Chrome will mark all HTTP sites as “not secure”.

In Chrome 68, the Omnibox will display “Not secure” for all HTTP pages.

At Techinnovar we have been transitioning our clients’ sites to HTTPS and making the web safer for everyone. In conjunction with Google, we are dedicated to making it as easy as possible to set up HTTPS. Mixed content audits are now available in the latest Node CLI version of Lighthouse, an automated tool for improving web pages, to help companies migrate their sites to HTTPS. The new audit in Lighthouse helps companies find which resources a site loads over HTTP, and which of those are ready to be upgraded to HTTPS simply by changing the subresource reference to the HTTPS version.

Chrome’s new interface will help users understand that all HTTP sites are not secure, and continue to move the web towards a secure HTTPS web by default. HTTPS is easier and cheaper than ever before, and it unlocks both performance improvements and powerful new features that are too sensitive for HTTP.

What do I need to do?

Worry not, Techinnovar is here for you. We install an SSL certificate and migrate your website to HTTPS. Before you order one, though, take stock of what you need to secure. You may have a single domain, or something more complicated like sub-domains or even multiple domains, in which case you’ll want to find the right certificate. Don’t worry, there is a diverse set of offerings that cover just about every use case. Next, we migrate the site to HTTPS: we change the protocol in your URLs to HTTPS and set up 301 redirects from the old HTTP addresses.
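The mixed-content check described above, as an added example that is not Lighthouse’s or Techinnovar’s code: it parses an HTML page, lists every subresource (stylesheet, script, image, frame, media) still referenced over plain `http://`, and separates those that can be upgraded just by switching the scheme from those whose host offers no HTTPS version. Lighthouse decides the latter with a network request; here the decision is delegated to an `https_available` callback whose default consults a constructed host list, so the script runs offline. The hostnames and the sample page are constructed for the example.

```python
"""Mixed-content audit: find http:// subresources in an HTML page and report
which can be upgraded to https:// by changing the reference alone."""
from html.parser import HTMLParser
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit, urlunsplit

# Tag -> attributes that load a subresource. Plain <a href> navigation links
# are not mixed content, so they are deliberately left out.
SUBRESOURCE_ATTRS: Dict[str, Tuple[str, ...]] = {
    "script": ("src",),
    "img": ("src", "srcset"),
    "link": ("href",),
    "iframe": ("src",),
    "source": ("src", "srcset"),
    "audio": ("src",),
    "video": ("src", "poster"),
    "embed": ("src",),
    "object": ("data",),
}
# <link> only counts when it actually fetches something (not canonical/alternate).
_FETCHING_LINK_RELS = {"stylesheet", "icon", "preload", "modulepreload", "manifest"}


class _SubresourceCollector(HTMLParser):
    """Collects (tag, attribute, url) for every subresource reference."""

    def __init__(self) -> None:
        super().__init__()
        self.refs: List[Tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        wanted = SUBRESOURCE_ATTRS.get(tag)
        if not wanted:
            return
        if tag == "link":
            rel = (dict(attrs).get("rel") or "").lower().split()
            if not _FETCHING_LINK_RELS & set(rel):
                return
        for name, value in attrs:
            if name not in wanted or not value:
                continue
            if name == "srcset":
                # srcset is a comma-separated list of "url [descriptor]" candidates
                for candidate in value.split(","):
                    parts = candidate.split()
                    if parts:
                        self.refs.append((tag, name, parts[0]))
            else:
                self.refs.append((tag, name, value.strip()))


def find_insecure_subresources(html: str) -> List[Tuple[str, str, str]]:
    """Return every subresource reference whose scheme is explicitly http."""
    collector = _SubresourceCollector()
    collector.feed(html)
    # Protocol-relative ("//host/...") and https references have no http scheme.
    return [r for r in collector.refs if urlsplit(r[2]).scheme == "http"]


def to_https(url: str) -> str:
    """Rewrite only the scheme; host, path, query and fragment are preserved."""
    parts = urlsplit(url)
    return urlunsplit(("https",) + tuple(parts[1:]))


# Constructed stand-in for a live HTTPS probe: hosts assumed to serve HTTPS.
_HTTPS_HOSTS = {"cdn.example.com", "images.example.com"}


def https_available_offline(url: str) -> bool:
    return urlsplit(url).hostname in _HTTPS_HOSTS


def audit_mixed_content(html: str,
                        https_available: Callable[[str], bool] = https_available_offline):
    """Split http:// references into (upgradeable, blocked).

    upgradeable entries carry the rewritten https URL; blocked entries are the
    references whose host has no HTTPS version and need a different fix.
    """
    upgradeable, blocked = [], []
    for tag, attr, url in find_insecure_subresources(html):
        if https_available(url):
            upgradeable.append((tag, attr, url, to_https(url)))
        else:
            blocked.append((tag, attr, url))
    return upgradeable, blocked


# Constructed sample page: one canonical link and one <a> that must be ignored,
# one protocol-relative frame, and four upgradeable plus one blocked reference.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/site.css">
<link rel="canonical" href="http://www.example.com/">
<script src="https://cdn.example.com/app.js"></script>
<script src="http://legacy.example.net/tracker.js"></script>
</head><body>
<img src="http://images.example.com/hero.jpg"
     srcset="http://images.example.com/hero-1x.jpg 1x, http://images.example.com/hero-2x.jpg 2x">
<a href="http://partner.example.org/">partner</a>
<iframe src="//cdn.example.com/widget.html"></iframe>
</body></html>"""

if __name__ == "__main__":
    up, blocked = audit_mixed_content(SAMPLE_HTML)
    for tag, attr, old, new in up:
        print(f"upgrade <{tag} {attr}>: {old} -> {new}")
    for tag, attr, old in blocked:
        print(f"BLOCKED <{tag} {attr}>: {old} (no HTTPS version; host or self-host the asset)")
```

Running the audit on the sample reports the stylesheet and the three image candidates as upgradeable and the legacy tracker script as blocked; in a real migration the `https_available` callback would issue a `HEAD` request to the rewritten URL, and the blocked list is what still breaks the page after the 301 redirects are in place.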

The 10 things you must NOT do on a company computer.

Sadly, we live in a world where people are preyed on by hackers for simply being human.

Our online behavior determines how exposed we are to having our privacy invaded or even getting hacked. Understanding that exposure requires understanding why people fall victim to attacks and exactly how attacks take advantage of weaknesses in people’s online behaviors. One model for this is the Suspicion, Cognition, Automaticity Model (SCAM), which we will discuss in the next blog post.

Another often-ignored factor is the habitual way people use technology. Many individuals use email, social media and texting so often that they eventually do so largely without thinking. As media use becomes routine, people become less and less conscious of which emails they opened and what links or attachments they clicked on, until they are barely aware at all. It can happen to anyone, even the president.

Work computers are for work, though sometimes the lines blur just a little bit, so let us take a moment to help clarify what you should never be doing on a work computer.

10 Things You Should Never Do on Your Work Computer

  1. Don’t Use Your Personal Email

Personal email is risky on company computers. Keep your personal activities innocuous: a personal mail could contain something inappropriate for work, or a virus that could infect the entire office.

  2. Don’t apply for jobs at other companies

This is very common nowadays: people spend half of their expected working time searching for other jobs online. If you’re restless at work, job search on your own time on a personal computer. I urge you to respect the company and its policies, as doing this on a work computer is not only a breach of contract but also a data protection breach.

  3. Don’t check or update your social media accounts

Your social media accounts are personal, so at all times avoid accessing them from any public device: most of them are vulnerable, and doing so undermines your company’s security protocols.

Protect your personal information by being careful about which websites you leave your personal details on, and ensure your social networking profiles (Facebook, Twitter, LinkedIn etc.) are set to private.

  4. Never save personal files to your desktop

It may seem harmless to keep a few of your own documents on your work desktop, but don’t do it. At the end of the day the company owns the content on that computer, which means you may legally face serious issues if any security-related incident is connected to your files.

  5. Don’t visit sites that are against company policy or watch disapproved content

This seems obvious, especially since people are fired all the time for inappropriate searches, but there’s one thing you may not realize: it doesn’t take sophisticated software to have websites flagged to HR with your name attached, saying that you are looking at this and it is inappropriate.

Also, more often than not there are valid reasons why companies deem some sites unworthy of their time: some pose a threat or a security breach (e.g. pornography sites).

  6. Suppress the urge to shop online

Shopping online may seem the most convenient thing modern technology has offered us. But while you may enjoy scouring the web for cheap deals in the comfort of your office, your shopping accounts and financial transactions could be compromised by countless prying eyes.

Now that data breaches, hacking incidents and identity theft are becoming more common, I urge you not to use the company’s computer for this, as it poses a huge threat to the company’s information privacy.

  7. Don’t have personal conversations over office chat

We all love a good “hangout” channel, office gossip, or dishing on what’s going on with those two love-birds in accounts, but remember that everything you type is logged, so keep it professional at all times.

  8. Don’t lend it to a friend or family member

Remember that when you got the job you agreed to adhere to the company’s policies, including its IT security policies. By sharing your work device, you expose the company to the potential risk of attack.

  9. Never download any software without IT admin approval

Keep your computer configuration current with the latest patches and updates, and report suspicious activity to your IT administrator.

  10. Never open any suspicious email

Emails and online deals that look too good to be true usually are. If you receive emails from unknown sources, do not open them, especially if they have attachments.


IT Security Audit and its Relevance in Business

What is an IT Security Audit?

An information systems audit assesses an information system in order to form a qualified opinion on whether the system conforms to the regulating standards, and on whether it is capable of achieving the organization’s strategic objectives by using its information resources efficiently and ensuring the integrity of the data it processes and stores.

IT security auditing has become popular in the business community because of the value it adds to an organization. At Techinnovar we have an audit department that is deployed with a clear perspective on its role in an organization.

Primary security and control issues for cybersecurity audits are:

  • Protection of sensitive data and intellectual property
  • Responsibility and accountability for the device and information contained in it
  • Protection of networks to which multiple information resources are connected

The scope of a cybersecurity audit includes:

  1. Data security policies relating to the network, database, and applications in place
  2. Software applications, web services
  3. Data loss prevention measures
  4. Effective network access controls implemented
  5. Detection/prevention systems
  6. Security controls established (physical and logical)
  7. Incident response program implemented
  8. Operating systems
  9. Telecom infrastructure

A standard audit starts with identifying risks. After this, the design of the controls is assessed. Finally, we test the effectiveness of the controls. We at Techinnovar make it our business to add value to your organization, and the quality and depth of a technical audit is a prerequisite to adding value in the following ways:

Improve IT governance
IT governance is the responsibility of the executives and board of directors of any company. It consists of the leadership, organizational structures, and processes that ensure that the organization’s IT sustains and extends the strategies and objectives of that organization. In-depth network penetration testing also improves the IT governance of a company.

Reduce risk
The planning and execution of an IT audit consists of assessing and identifying IT risk in an organization. Usually, IT audits cover risks related to the integrity, confidentiality, and availability of the information technology infrastructure and processes. Additional risks include the efficiency, effectiveness, and reliability of IT.
Once risks are assessed, there can be a clear vision of which path to take: transfer the risk through insurance, reduce the risk through controls, or simply accept the risk as part of the operating environment.

Facilitate communication between business and technology management
IT auditing can have the positive effect of opening channels of communication between technology management and the business side of an organization. We observe and test what is actually happening in practice. The final deliverable of an audit is valuable information in written reports and oral presentations, so the senior management of any organization gets direct feedback on how their organization is functioning.

Strengthen controls (and improve security)
After assessing the risks, controls can be assessed and identified. Ineffective or poorly designed controls can be redesigned and/or strengthened. The auditors can use various frameworks to get assurance on:
• The effectiveness and efficiency of operations
• The reliability of financial reporting
• The compliance with applicable laws and regulations

Comply with regulations
Various regulations at the central and state levels include specific requirements for information security. The IT auditor plays an important role in ensuring that all the specific requirements are met, risks are assessed, and controls are implemented.

Conclusion

We can assert that only by permanently investing in a complex security model will we be able to have safer IT systems. Therefore, security solutions and the security policy should be considered globally, not just point by point. It must not be neglected that the security level of the entire system is that of its weakest link, which is why the security policy should be updated periodically.


Ways to handle cyberbullying in society

STOP CYBERBULLYING

Cyberbullying is becoming a major concern not only to parents but also to society. We at Techinnovar are ready to tackle this problem by all means necessary. Should you encounter any cyber harassment, please feel free to contact us.

Below is a list of practices that we should all adopt for internet safety. Note that there are various ways to tackle cyberbullying in our day-to-day society; I have listed only a few, and the list is not exhaustive.

Create anti-bullying strategies for your school:

In school, ambassadors or prefects should be appointed to come up with ideas to prevent bullying and present them to the school in groups of four to six. Recently I saw an idea of having a bench with cushions in the playground where pupils can sit and talk to ambassadors. The ambassadors also talk to parents about their work.

Understand what’s not bullying:

At Techinnovar we run several campaigns against bullying, and we also offer training attended by the whole school community, including parents. We talk about everything regarding online safety: dos and don’ts on the internet and bullying, including what is not bullying, such as a difference of opinion, a fight or an argument.

Teach your child at a tender age:

We need to educate pupils about cyberbullying as soon as we expect them to start using technology. Nowadays children below six years old know how to download games far better than some millennials. We must also educate parents. There is an assumption that cyberbullying won’t affect their child until secondary school. We run workshops for parents of children in reception about staying safe online, primarily to highlight areas they wouldn’t even think of: cyberbullying doesn’t just happen on Facebook.

Empathy is the key to tackling cyberbullying:

Let it be known that we cannot always hide behind a screen, computer, tablet or phone and bully others. The cyber world is part of the real world and should not be treated as separate. The approach we adopt is to help perpetrators develop their empathic skills. It is so important for young people to be able to imagine the effect their words and actions may have on their victim.

Run workshops for parents, teachers, tutors and educators:

We talk about the definition of cyberbullying, the type of young person that may become a perpetrator or victim, different types of online harassment and what to do if your child is affected. We also run specific e-safety workshops, where we look at the different ways children cyberbully and how parents can help protect their child online.

Understand the law when it comes to cyberbullying:

If the school suspects that an indecent image has been shared, particularly in a cyberbullying context, the device may be confiscated. In general, such images should not be viewed unless there is a clear reason to do so, such as checking the device to see if any offense has been committed. Teachers or parents should not go on a fishing expedition through a pupil’s device and should always act within the school’s protocols and its safeguarding and child protection policies.

Involve higher authorities within the community:

One of the things we have found to be powerful is involving the authorities whenever necessary. A bullying incident may not lead to prosecution, but it helps parents and students gain a better understanding of the legal dimensions involved. It is particularly important when addressing issues that arise when students are in possession of an indecent image or video of another child, where the discussion is also a matter of child protection.

Words of wisdom to youths:

My advice to young people: treat your online passwords like your toothbrush. Don’t share them with anyone, not even your best friend, and change them regularly. And keep your tweets sweet and your status gracious.

Let’s raise children as a society:

An interesting perspective is how bullying affects other people, causing reactions that impact the victim even more. Getting bystanders to empathize is key, and their role in bullying is something that a school’s e-safety curriculum should cover. This is not only a teacher or parent obligation but a social concern, so should you see anything wrong, blow the whistle.


Valentine’s Day Tips to Avoid Being Hacked


This is the season we all look forward to: Valentine’s! However, not everyone has the same interests as you lovebirds. Hackers will use any kind of bait to infect as many users as possible through social engineering techniques. These attacks usually aim to:

– Drop malware on the computer in order to steal the user’s confidential information.

– Turn users’ PCs into zombie computers that are later used to increase traffic to a specific website, crash a website, etc.

“I Love you”, “Happy Valentine” and “I miss you” are among the worms most often seen at this time of the year.

Here are 6 tips to avoid Valentine’s Day cyber scams

Here are some tips to prevent your Valentine’s Day from becoming a nightmare.

1. Do not run attached files that come from unknown sources. Stay alert for files that claim to be Valentine’s Day greeting cards, romantic videos, etc.

2. Do not click any links included in email messages, or received through Facebook or Twitter, even if they appear to come from reliable sources. If you do click on such a link, take a close look at the page you arrive at, and if you don’t recognize it, close your browser.

3. Even if the page seems legitimate but asks you to download something, be suspicious and don’t accept the download.

4. If you make any purchases online, type the address of the store into the browser rather than going through any links that have been sent to you. Only buy online from sites that have a solid reputation and offer secure transactions.

5. Do not use shared or public computers, or an unsecured WiFi connection, for transactions or operations that require you to enter passwords or other personal details.

6. Have an effective security solution installed, capable of detecting both known and new malware strains, and keep it up to date.

Have you received any suspicious emails lately? Kindly contact us for further information!

Make employees care about cyber security with these 10 tips

Did you know your employees are your best assets, and that you need to invest in them continually? If you did not know, now you know. Get them “patched” frequently, or you will always have vulnerabilities. Whether a company has one employee or thousands, it is worth training them rather than taking on the risk of a breach, because employees represent a large potential attack surface in every organization. Take it from Techinnovar.

Here are 10 cyber risk best-practice tips for all employers.

  1. Perform “baptism by fire” training exercises

The best training today, I would say, is “baptism by fire” training, in which users undergo a simulated attack specific to their job.

Let them fall victim to an attack arranged by the security department or an outside cybersecurity company, and then ask them to understand the lessons they have learned from that attack, its implications for the business and for their personal lives, and how they could have prevented it. Then ask them to share that experience with their peer group through a report.

Perform regular phishing tests, in which the IT team sends a fake phishing email to all employees across the organization and gauges how many people click on it. The results can then be broken down by department and by type of message, to tailor training to problem areas. It also allows the company to show progress over time.

  2. Top management involvement

The IT team needs to make the rest of the organization aware of the ramifications of a potential breach. Typically, to have a good cyber plan, you need a line item in the budget for people, hardware or software, year after year. That means getting the CFO and CEO of the company involved.

  3. Start cyber awareness training for every new employee

Every time a new employee joins the company, start building the mindset: all new hires go through security training from day one. That way they learn from day one that cybersecurity is important and that they will receive continuous training.

  4. Frequent system evaluations

Make a timetabled plan for evaluations of both employees and systems to find out how vulnerable your organization is to attack. Until you do that, you won’t know how good or bad your security posture is. Like we say here at Techinnovar, we detect to protect!

  5. Communication flow

Create a good communication culture for cybersecurity information across all employees, to get all departments on board with training and learning best practices. This breaks the topic down, creates alignment, and helps people work on it together.

  6. Have a handy formal plan

IT teams should develop a formal, documented plan for cybersecurity training that is reviewed and updated often with the latest information on attack vectors and other risks that are bound to occur.

  7. Appoint cybersecurity culture ambassadors

Tech leaders should appoint a cybersecurity culture ambassador in every department of their organization. These representatives can act as an extension of the IT team and keep employees trained and motivated. This is often overlooked: use the resources you already have in the company beyond the IT team.

  8. Training, training and more training

Do not shy away from cybersecurity training. Make it a continuous process throughout the year, at all levels of the organization, specific to each employee. If you’re an end user, there must be training on the types of attacks you might receive, for example attacks on your email or attacks oriented to the type of job you hold. If you’re in IT, the attacks you might see may be more technical in nature.

  9. Insist on the importance of security both at work and at home

IT teams should help employees appreciate the importance of cyber hygiene not just in the workplace but also at home. Teach users about privacy and security, and how the lessons learned at work apply at home and in their personal lives, to give them a ‘what’s in it for me’ they can apply all the time, not just at work.

  10. Reward employees

Make it fun by rewarding employees who find malicious emails, and share stories about how users helped thwart security issues. IT leaders should also empathize with employees who make mistakes: many employees send or receive hundreds of emails per day, so asking them to catch the one malicious message among them can be difficult.

While these training tips help, education is not a permanent solution, just one aspect of defending the environment from advanced attacks.

Stay up to date on all the latest cybersecurity threats by subscribing to the Techinnovar newsletter.


Child Online Protection, Part 2

Having discussed the general definition and history of C.O.P. in the earlier blog post, we continue with the various topics so as to understand exactly why children and youth need to be protected online.

COP GUIDELINES AS PROVIDED BY ITU

For children:

The guidelines advise them on possible harmful activities online, such as bullying and harassment, identity theft, and online abuse. They also include advice for children who see and experience harmful and illegal content online, and for young people exposed to grooming for sexual purposes or to the production, distribution and collection of child abuse material.

For parents and educators:

The guidelines provide recommendations on what they can do to make their child’s online experience a positive one.

For industry:

The guidelines provide guidance on protecting children’s rights online for those companies that develop, provide or make use of information and communication technologies (ICT). They have been developed to align with the UN Guiding Principles on Business and Human Rights, and explain not only what companies can do to protect children’s safety online, but also how they can enable the positive use of ICTs by children. The guidelines also include sector-specific checklists that recommend actions for mobile operators; internet service providers; national and public service broadcasters; content providers, online retailers and application developers; user-generated content services; and hardware manufacturers.

For policy makers:

The guidelines will help individual countries plan their strategies for child online protection in the short, medium and longer term. In order to formulate a national strategy focusing on online child safety, policy makers need to consider a range of strategies, including establishing a legal framework; developing law enforcement capabilities; putting in place appropriate resources and reporting mechanisms; and providing education and awareness resources.

WHAT CHILDREN DO ONLINE AND SOCIAL NETWORKING

Children and young people go online to connect with friends and make new ones, to browse the internet for information, to chat with others and to play games. They may:

  • search for information or content on search engines like Google and Bing
  • share images and watch videos through websites or mobile apps like Instagram, Pinterest, Vine and YouTube
  • use social networking websites like Facebook and Twitter
  • write or reply to messages on forums and message boards
  • play games alone or with others through websites, apps or game consoles
  • chat with other people through online games, BBM (Blackberry Messenger), game consoles, webcams, social networks and tools like WhatsApp

When online, children and young people can learn new things, get help with homework, express themselves creatively and connect with friends and family.

ONLINE RISKS

Evidence is growing that the internet is becoming an extension of the offline risks and negative experiences that may harm children. Risks associated with the internet and ICT devices include:

  • Contact or conduct risks, such as cyberbullying
  • Exposure to pornography
  • Violent user-generated content
  • Sexual exploitation, child abuse images or child pornography
  • Sexting
  • Other potentially harmful experiences
  • Cyberstalking

To be continued… Next week we will expound more on the online risks.

Child Online Protection

What is Child Online Protection?

The internet is one of the most powerful communication and education tools ever invented, and it has grown so fast, with such rapid changes, that at times users find it hard or challenging to keep up.

Child/Youth Online Protection aims to tackle cybersecurity holistically, addressing legal, technical, organizational and procedural issues as well as capacity building and international cooperation.

Children are among the most active – and most vulnerable – participants online. Techinnovar’s motto is “We detect to protect”, but we are also committed to protecting the world responsibly. That means working together to ensure cyber security, enable cyber peace, and – perhaps most importantly – protect children online.

The legal, technical and institutional challenges posed by the issue of cybersecurity are global and far-reaching and can only be addressed through a coherent strategy taking into account the role of different stakeholders and existing initiatives, within a framework of an international collaborative network.

HISTORY OF CHILD ONLINE PROTECTION

In 1998, the United States enacted the Child Online Protection Act (COPA) to restrict access by minors to any material defined as harmful to such minors on the Internet. In 1999, the United States Court of Appeals for the Third Circuit upheld the injunction and struck down the law, ruling that it was too broad in using “community standards” as part of the definition of harmful materials. In May 2002, the Supreme Court reviewed this ruling, found the given reason insufficient and returned the case to the Circuit Court; the law remained blocked. On March 6, 2003, the 3rd Circuit Court again struck down the law as unconstitutional, this time finding that it would hinder protected speech among adults. The government again sought review in the Supreme Court.

Notably, the court mentioned that “filtering’s superiority to COPA is confirmed by the explicit findings of the Commission on Child Online Protection, which Congress created to evaluate the relative merits of different means of restricting minors’ ability to gain access to harmful materials on the internet.” The court also wrote that it had been five years since the district court had considered the effectiveness of filtering software, that two less-restrictive laws had been passed since COPA, one of them prohibiting misleading domain names, and that, given the rapid pace of internet development, those might be sufficient to restrict access by minors to specific material. The court referred the case back to the district court for a trial, which began on October 25, 2006.

ITU launched the Child Online Protection (COP) Initiative in November 2008 as a multi-stakeholder effort within the Global Cybersecurity Agenda (GCA) framework. The initiative brings together partners from all sectors of the global community to create a safe and empowering online experience for children around the world. COP was presented to the ITU Council in 2008 and endorsed by the UN Secretary-General, Heads of State, Ministers and heads of international organizations from around the world.

Protecting children online is a global challenge, which requires a global approach. While many efforts to improve child online protection are already under way, their reach has been more national than global.

CHILD/YOUTH ONLINE PROTECTION IN KENYA

Improved telecommunication infrastructure, fiber optic cables connecting the country to the rest of the world and massive investment in fiber connectivity have cut Internet charges, enabling many Kenyans to access cheap and high-speed Internet.

Google Kenya launched an online child safety campaign on February 18, 2015 to promote responsible and positive use of digital technology by young people.

The Communications Authority of Kenya launched a campaign dubbed “Be the Cop”. The campaign seeks to protect children besides providing avenues for redress in the event of a cybercrime. The campaign was launched during the Kenya Primary Schools Head Teachers Association (KEPSHA) Annual Conference in partnership with various stakeholders, among them the service providers Google, Orange, Airtel and Safaricom. The Department of Children Services, the United Nations Children’s Fund (UNICEF) and ChildLine Kenya are other partners involved in the project.

Protecting children online is now a global challenge. In Kenya, protecting children online is a concern of many parents, the government and multinational firms.

INTERNET

The internet is a network of computers: a global system of interconnected computer networks that uses the standard internet protocol suite (TCP/IP). It serves billions of users globally.

According to the Communications Authority of Kenya, research shows tremendous growth in internet users, from 3 million users in 2008 to 23.3 million users in 2014, and now 29 million Kenyans are able to access the internet, representing close to 70% of the Kenyan population. Most users access the internet on mobile devices: 18.8 million of the 29 million. A total of 34.8 million Kenyans are mobile subscribers, representing 85.5% of the population.

With a huge number of these users being youths, they have unprecedented access to cyberspace and thus higher exposure to cybercrime, particularly given the present uncontrolled nature of internet access.

To be continued…

SMEs Beware: Hackers Targeting Small Businesses

Many hackers are shifting their focus from large enterprises to small businesses.

Small business owners frequently assume that hackers have little interest in attacking their organizations – “after all,” they reason, “what data do I have that a hacker could consider valuable?”

They are terribly wrong.

In fact, today, about half of all cyberattacks target small businesses.

Information security often takes a back seat to the other issues that small business owners face, and business owners may dismiss information security concerns as applying only to larger organizations. Because small business owners frequently hear news reports about huge data breaches like the one at Yahoo, they may incorrectly assume that hackers only pursue companies with huge volumes of valuable data; such a notion is simply not true.

When it comes to information security, no business is too small. Small businesses increasingly find themselves the focus of attacks directly targeted against them and designed to steal funds, information and customers. Furthermore, the trend towards targeting small businesses is likely to continue: small businesses have become, in the eyes of many hackers, more attractive targets than larger enterprises. Here are some of the reasons:

1. SMEs have valuable data.

Contrary to many people’s perceptions, the majority of small businesses store either financial information that can be used for fraud, or personal details that can be used for identity theft – i.e., they have data that criminals want.

2. SMEs can provide hackers access into many other small businesses.

Small businesses often use services from other small businesses, and those offerings may not be secure. In some cases, competing small businesses may even use the same service from the same provider, which can lead to all sorts of security problems.

3. SME owners pay ransoms.

Nearly every small business has computer-based data that it needs in order to operate, and few have the capability to independently recover from a ransomware attack, so small business owners are likely to pay ransoms if hackers encrypt critical data and demand money to restore access to it.

4. SMEs often lack adequate cyber-defenses.

Small businesses rarely have the defenses that large businesses have, so while the reward to a hacker may be smaller for breaching the "little guy" than for hacking a major corporation, the odds of actually achieving a reward are often much greater. To put it simply, smaller businesses are frequently much easier to hack than larger enterprises.

5. SMEs provide hackers access into larger enterprises.

Small businesses supply larger enterprises with goods and services – information gradually collected from small business systems may be a hacker’s golden ticket into a larger enterprise. The massive Target breach of just a few years ago, for example, began when a hacker exploited the access that the retail giant provided to an HVAC contractor.

6. It is likely a lot easier to get away with hacking an SME than a large enterprise.

Small businesses are far less likely to have security personnel and technology in place to detect an attack as it occurs, and are less likely to have technology creating and protecting the audit logs and other data needed both to perform forensic analysis and to establish admissible evidence. As a result, someone attacking a small business is much less likely to get caught, arrested, and punished than someone who attacks a large business. Criminals know this; some who would never risk attacking Amazon.com, for example, might have no qualms about trying to hack a mom-and-pop retail outlet. The imbalance in the likelihood of being brought to justice is further exacerbated by larger firms having much greater political clout and access to law enforcement than smaller businesses, coupled with the fact that small businesses are far more likely to fail as the result of a breach. This means that some people who might otherwise have pursued legal action against hackers simply lack the time and resources to do so, or may move on to other jobs rather than dwell on the past.

TACKLING THE THREAT

  1. Knowledge is the most effective weapon any small business can wield against cybersecurity risks. In the great linen hack of our times, the company could easily have protected itself simply by changing the vendor default password. That simple precaution might have prevented the breach of more than 1,000 client records and avoided a drawn-out legal battle with its competitor.
  2. Small businesses should complement education-training efforts with a strong array of technical controls designed to minimize risk.
  3. At a minimum, small businesses should ensure that they leverage strong passwords, automatic updates for applications and operating systems, hardware firewalls, and encryption for their wireless network. This simple array of controls will go a long way toward defending against many cybersecurity threats.
  4. Similarly, small business owners and employees must be aware of the risks posed by social engineers, who use highly targeted spear phishing attacks to fool employees into revealing sensitive information. Modern attacks are quite sophisticated and leverage internal information, branding, and industry knowledge to manipulate unwitting targets into believing the legitimacy of an attack message.
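Item 4 describes how spear phishing borrows internal names, branding and the company's own domain to look legitimate. The script below is an added example, not code from this article or from Techinnovar, showing the kind of lightweight triage a small business can run on inbound mail headers to surface the most common tells: a trusted display name on an external address, a company domain embedded in the display name, a Reply-To that silently diverts replies, and a lookalike sender domain one or two characters away from the real one. The company domain, the protected names and all four sample messages are constructed assumptions.

```python
"""Triage inbound e-mail headers for common spear-phishing indicators.

Added illustration for item 4 above; not the article's own code. The
company domain, the protected names and the sample messages are all
constructed assumptions.
"""
from email.parser import HeaderParser
from email.utils import parseaddr
from typing import Dict, List

# Constructed assumptions: the defended organisation's own domain and the
# display names an attacker would most plausibly impersonate.
COMPANY_DOMAIN = "example-sme.co.ke"
PROTECTED_NAMES = {"jane wanjiru", "accounts payable"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch 'examp1e-sme' style lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw_headers: str) -> List[str]:
    """Return the names of the indicators that fire for one message's headers."""
    msg = HeaderParser().parsestr(raw_headers)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = sender_domain(from_addr)
    reply_dom = sender_domain(reply_addr)
    flags: List[str] = []

    # 1. Display name is a protected person or role, but the address is external.
    if from_name.strip().lower() in PROTECTED_NAMES and from_dom != COMPANY_DOMAIN:
        flags.append("display-name-impersonation")

    # 2. Display name embeds our domain although the real sending domain differs.
    if COMPANY_DOMAIN in from_name.lower() and from_dom != COMPANY_DOMAIN:
        flags.append("domain-in-display-name")

    # 3. Replies are routed somewhere other than the apparent sender.
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-mismatch")

    # 4. Sender domain is a near miss of ours (1-2 edits): typo or homoglyph.
    if from_dom and from_dom != COMPANY_DOMAIN and 0 < levenshtein(from_dom, COMPANY_DOMAIN) <= 2:
        flags.append("lookalike-domain")

    return flags


# Constructed sample header blocks (no real senders or domains).
SAMPLES: Dict[str, str] = {
    "legit": ("From: Jane Wanjiru <jane@example-sme.co.ke>\n"
              "Subject: Q3 invoices\n\n"),
    "ceo_fraud": ("From: Jane Wanjiru <ceo.urgent@webmail.example>\n"
                  "Reply-To: <pay-now@mail-drop.example>\n"
                  "Subject: Urgent wire transfer\n\n"),
    "lookalike": ("From: Billing <billing@examp1e-sme.co.ke>\n"
                  "Subject: Updated bank details\n\n"),
    "spoofed_display": ('From: "it-support@example-sme.co.ke" <helpdesk@mail-free.example>\n'
                        "Subject: Password expiry\n\n"),
}


def triage(samples: Dict[str, str] = SAMPLES) -> Dict[str, List[str]]:
    """Run every sample through the indicator checks."""
    return {name: phishing_indicators(headers) for name, headers in samples.items()}


if __name__ == "__main__":
    for name, flags in triage().items():
        print(f"{name:16s} {', '.join(flags) or 'no indicators'}")
```

These heuristics are a triage aid for a mailbox or help-desk queue, not a replacement for SPF, DKIM and DMARC enforcement at the mail gateway, and the Reply-To check in particular will also fire on legitimate mailing-list and ticketing traffic, so treat a hit as a prompt for a second look rather than proof of an attack.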