Cyber Security

Phishing Attacks

These deceptive emails or messages aim to trick you into revealing sensitive information like passwords or financial data. They often impersonate legitimate companies or individuals and can be very convincing. Be wary of unexpected emails, urgent requests, and suspicious links.

How aware are my employees about phishing?

  • Do they know how to identify common phishing tactics like urgency, typos, and spoofed sender addresses?
  • Have they received training on how to handle suspicious emails and messages?
  • Do they understand the potential consequences of falling for a phishing attack?

There are many free resources to train employees to identify possible phishing emails or messages. There are simple online training tools like https://phishingquiz.withgoogle.com/, videos like this one from CISA.gov https://www.youtube.com/watch?v=JlQovysQBn0, or this one from IBM https://www.youtube.com/watch?v=gWGhUdHItto.

There are also many paid services that will send your employees fake phishing emails to try to get them to click on links. If an employee does click, the service presents them with some information about why they should not have clicked on that kind of link. Some of these services include https://www.phishingbox.com/ and https://www.knowbe4.com/.

What security measures do we have in place to filter phishing emails?

  • Do we use a spam filter with strong anti-phishing capabilities?
  • Do we have email authentication protocols like SPF, DKIM, and DMARC implemented?

If you are using a major email provider like Gmail, Outlook.com, or iCloud Mail, these things are probably covered by your service already. If not, ask your provider what protections it offers in these areas.

Malware

This malicious software can infect your systems in various ways, such as clicking infected links, opening spam attachments, or using unprotected devices. Malware can steal data, disrupt operations, and even hold your files hostage for ransom. Use Next-Gen Antivirus software, update your systems regularly, and be cautious about clicking on unknown links.

Endpoint Protection

  • Do all devices (laptops, desktops, mobiles) have up-to-date antivirus and anti-malware software installed?
  • Are these solutions configured for automatic updates and real-time scanning?

Network Security

  • Does our firewall filter incoming and outgoing traffic to block suspicious activity?
  • Do we regularly update firewall rules and firmware to address vulnerabilities?
  • Are intrusion detection/prevention systems (IDS/IPS) in place to monitor network traffic for malware signatures and malicious behavior?

Training and Awareness

  • As with phishing above, do employees receive regular training on cybersecurity best practices, including how to identify and avoid malware?
  • Are there clear policies in place regarding acceptable use of technology and internet access?
  • Do employees feel comfortable reporting suspicious activity without fear of repercussions?

Ransomware

This type of malware encrypts your files, making them inaccessible, and demands payment for decryption. Ransomware attacks can cripple your business and cause significant financial losses. Regularly back up your data, use strong passwords, and avoid downloading software from untrusted sources.

Prevention

  • Do we have a strong backup and recovery plan in place?
  • Do we have endpoint security software installed on all devices?
  • Do employees receive regular security awareness training?

A strong backup plan should include air-gapped backups of all the data that is critical to the operation of your business. Air-gapped backups are physically disconnected from any network, including the internet, internal networks, and Wi-Fi. This isolation prevents attackers from remotely accessing and compromising backup data. There are many ways to maintain air-gapped backups. However, the better the system, the more it can cost. The basic premise is to temporarily connect an external device like a physical hard drive and perform a backup to that device. Then disconnect the device and store it in a safe location.

At H&H, we use an A/B backup system. We maintain two sets of air-gapped backups (system A and system B) so that when one of the backup systems (A) is temporarily connected to our network to perform a backup, the other system (B) is still disconnected and safe. Then for the next backup cycle, we use the B system, keeping the A system safe. Each backup cycle, we rotate which backup system is used. You can also look into backup strategies such as “Grandfather-Father-Son backups” or “3-2-1 backups”.
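The A/B rotation only protects you if the set that is due is the only one attached when the backup runs. The following added example (not H&H's own tooling) is a pre-backup guard that enforces this; the `.backup-set` label file on each drive, the JSON state file, and the mount directory layout are all assumptions made for illustration.

```python
import json
import tempfile
from pathlib import Path

SETS = ("A", "B")        # the two air-gapped sets described above
MARKER = ".backup-set"   # hypothetical label file at the root of each drive


def next_set(state_file: Path) -> str:
    """Return the set due this cycle: the one that was NOT used last time."""
    if not state_file.exists():
        return "A"  # very first cycle starts with set A
    last = json.loads(state_file.read_text())["last_used"]
    if last not in SETS:
        raise ValueError(f"corrupt state file: {last!r}")
    return "B" if last == "A" else "A"


def connected_sets(mount_root: Path) -> list[str]:
    """Labels of every backup drive currently visible under mount_root."""
    found = []
    for drive in mount_root.iterdir():
        marker = drive / MARKER
        if marker.is_file() and marker.read_text().strip() in SETS:
            found.append(marker.read_text().strip())
    return sorted(found)


def plan_cycle(state_file: Path, mount_root: Path) -> str:
    """Refuse to proceed unless exactly the due set is attached."""
    due = next_set(state_file)
    present = connected_sets(mount_root)
    if len(present) > 1:
        raise RuntimeError("more than one backup drive attached: disconnect one")
    if present != [due]:
        raise RuntimeError(f"attach set {due}; found {present or 'no backup drive'}")
    return due


def record_cycle(state_file: Path, used: str) -> None:
    """Call only after the backup finished and the drive was disconnected."""
    state_file.write_text(json.dumps({"last_used": used}))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample layout
        root, state = Path(tmp, "mnt"), Path(tmp, "state.json")
        (root / "usb1").mkdir(parents=True)
        (root / "usb1" / MARKER).write_text("A\n")
        print("back up to set", plan_cycle(state, root))
```

Run the guard before the backup job starts, and call `record_cycle` only after the drive has been disconnected again, so an interrupted cycle does not advance the rotation.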

For endpoint security (antivirus and malware detection software), we recommend using an NGAV (Next-Generation Antivirus) product such as CrowdStrike.com Falcon or Malwarebytes.com ThreatDown. These products use a combination of technologies like machine learning, behavioral analysis, and sandboxing to detect and block even unknown and zero-day threats that haven’t been previously identified.

Recovery

  • How quickly can we restore systems and data from backups in case of an attack?
  • Do we have a communication plan for informing employees, customers, and stakeholders in case of an attack?

Weak Passwords

Short, easy-to-guess passwords are a major security vulnerability, especially for remote access to workstations or NAS devices in your studio. Hackers can easily crack these passwords and gain access to your systems. Use strong, unique passwords for each account and consider using a password manager to help you create and remember them.

How secure are our login credentials?

  • Do we enforce strong password policies that require regular updates?
  • Do we encourage the use of multi-factor authentication for critical accounts?
  • Do we avoid storing sensitive information like passwords in plain text?

Although it can feel like a hassle, the use of MFA (multi-factor authentication) or 2FA (two-factor authentication) is a MUST. Any extra layer that can be added when it comes to security should be considered essential.

If you have many passwords, the use of a password management application is extremely helpful. There are many options available. Some work great for individuals and others can allow you to share passwords with teams of people.

Insider Threats

Employees with access to your systems can unintentionally or intentionally compromise your security. Provide security awareness training and/or testing for employees.

Are my employees aware of Phishing and Malware?

Training employees on the types of cyber threats can go a long way. Employees, and more specifically the emails they receive, are the leading cause of data breaches. Also see Phishing Attacks above.

Can my employees recognize a Phishing attack?

The most common way security is violated is by an employee inadvertently giving a legitimate-looking link permission to install software onto the computer, so it is critical to ensure that employees can recognize these types of attacks. Also see Phishing Attacks above.

By prioritizing these concerns and taking proactive steps, you can significantly reduce your risk of cyberattacks and better protect your business.

For more advanced information on Cybersecurity, here are some miscellaneous links to external: