Cyber Security

Phishing Attacks

These deceptive emails or messages aim to trick you into revealing sensitive information like passwords or financial data. They often impersonate legitimate companies or individuals and can be very convincing. Be wary of unexpected emails, urgent requests, and suspicious links.

How aware are my employees about phishing?

  • Do they know how to identify common phishing tactics like urgency, typos, and spoofed sender addresses?
  • Have they received training on how to handle suspicious emails and messages?
  • Do they understand the potential consequences of falling for a phishing attack?

There are many free resources to train employees to identify possible phishing emails or messages. There are simple online training tools like https://phishingquiz.withgoogle.com/, videos like this one from CISA.gov https://www.youtube.com/watch?v=JlQovysQBn0, or this one from IBM https://www.youtube.com/watch?v=gWGhUdHItto.

There are also many paid services that will send your employees fake phishing emails to see whether they click on the links. If they do, the service presents them with some information about why they should not have clicked on that kind of link. Some of these services include https://www.phishingbox.com/ and https://www.knowbe4.com/.

What security measures do we have in place to filter phishing emails?

  • Do we use a spam filter with strong anti-phishing capabilities?
  • Do we have email authentication protocols like SPF, DKIM, and DMARC implemented?

If you are using a major email provider like Gmail, Outlook.com, or iCloud Mail, these things are probably covered by your service already. If not, ask your provider what they offer in these areas.
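If you manage your own domain, you can check the SPF and DMARC part of that question yourself by looking up the TXT records for your domain and for `_dmarc.` followed by your domain. The following is an added example, not part of the original page: the function names are hypothetical, the record strings are constructed samples for example.com, and DKIM is left out because its record sits under a selector name chosen by your mail provider.

```python
def audit_spf(txt_records):
    """Return findings for the domain's TXT records (empty list = nothing to fix)."""
    spf = [r for r in txt_records if r.strip().lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        return ["multiple SPF records; receivers treat this as an error"]
    terms = spf[0].lower().split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        if any(t.startswith("redirect=") for t in terms):
            return []  # policy is delegated to another domain's record
        return ["no 'all' mechanism; unlisted senders get a neutral result"]
    first = all_terms[0]
    qualifier = first[0] if first[0] in "+-~?" else "+"  # bare 'all' means '+all'
    if qualifier == "+":
        return ["'+all' authorises every sender on the internet"]
    if qualifier == "?":
        return ["'?all' is neutral; unlisted senders are not rejected"]
    return []  # '-all' (fail) or '~all' (softfail)


def audit_dmarc(txt_records):
    """Return findings for the TXT records found at _dmarc.<domain>."""
    recs = [r for r in txt_records
            if r.replace(" ", "").lower().startswith("v=dmarc1")]
    if not recs:
        return ["no DMARC record published"]
    if len(recs) > 1:
        return ["multiple DMARC records; receivers apply no policy"]
    pairs = (part.split("=", 1) for part in recs[0].split(";") if "=" in part)
    tags = {k.strip().lower(): v.strip().lower() for k, v in pairs}
    findings = []
    policy = tags.get("p", "missing")
    if policy not in ("quarantine", "reject"):
        findings.append(f"p={policy}: spoofed mail is reported at most, not blocked")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy covers only part of the mail")
    return findings


# Constructed sample records (not taken from any real domain).
SAMPLE_DOMAIN_TXT = ["v=spf1 include:_spf.example.net ~all"]
SAMPLE_DMARC_TXT = ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]

if __name__ == "__main__":
    for finding in audit_spf(SAMPLE_DOMAIN_TXT) + audit_dmarc(SAMPLE_DMARC_TXT):
        print("FINDING:", finding)
```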

Malware

This malicious software can infect your systems in various ways, like clicking infected links, opening spam attachments, or using unprotected devices. Malware can steal data, disrupt operations, and even hold your files hostage for ransom. Use Next-Gen Antivirus software, update your systems regularly, and be cautious about clicking on unknown links.

Endpoint Protection

  • Do all devices (laptops, desktops, mobiles) have up-to-date antivirus and anti-malware software installed?
  • Are these solutions configured for automatic updates and real-time scanning?

Network Security

  • Does our firewall filter incoming and outgoing traffic to block suspicious activity?
  • Do we regularly update firewall rules and firmware to address vulnerabilities?
  • Are intrusion detection/prevention systems (IDS/IPS) in place to monitor network traffic for malware signatures and malicious behavior?

Training and Awareness

  • As with Phishing above, do employees receive regular training on cybersecurity best practices, including how to identify and avoid malware?
  • Are there clear policies in place regarding acceptable use of technology and internet access?
  • Do employees feel comfortable reporting suspicious activity without fear of repercussions?

Ransomware

This type of malware encrypts your files, making them inaccessible, and demands payment for decryption. Ransomware attacks can cripple your business and cause significant financial losses. Regularly back up your data, use strong passwords, and avoid downloading software from untrusted sources.

Prevention

  • Do we have a strong backup and recovery plan in place?
  • Do we have endpoint security software installed on all devices?
  • Do employees receive regular security awareness training?

A strong backup plan should include air-gapped backups of all the data that is critical to the operation of your business. Air-gapped backups are physically disconnected from any network, including the internet, internal networks, and Wi-Fi. This isolation prevents attackers from remotely accessing and compromising backup data. There are many ways to maintain air-gapped backups. However, the better the system, the more it can cost. The basic premise is to temporarily connect an external device like a physical hard drive and perform a backup to that device. Then disconnect the device and store it in a safe location. At H&H, we use an A/B backup system. We maintain two sets of air-gapped backups (system A and system B) so that when one of the backup systems (A) is temporarily connected to our network to perform a backup, the other system (B) is still disconnected and safe. Then for the next backup cycle, we use the B system, keeping the A system safe. Each backup cycle, we rotate which backup system is used. You can also look into backup strategies such as “Grandfather-Father-Son backups” or “3-2-1 backups”.
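A pre-flight check for the A/B rotation described above, as an added example that is not H&H's own tooling: it refuses to start a backup unless exactly the set due for this cycle is attached, so the set holding the newest backup stays disconnected. The marker file name, state file, and function names are assumptions made for illustration.

```python
import json
from pathlib import Path

SETS = ("A", "B")
MARKER = ".backup-set"  # hypothetical marker file at the root of each backup drive


def connected_sets(mount_points):
    """Return the labels of backup sets currently attached, read from marker files."""
    found = set()
    for mp in mount_points:
        marker = Path(mp) / MARKER
        if marker.is_file():
            label = marker.read_text().strip().upper()
            if label in SETS:
                found.add(label)
    return found


def due_set(state_file):
    """The set due this cycle is the one that was NOT used in the last cycle."""
    path = Path(state_file)
    last = json.loads(path.read_text())["last_used"] if path.exists() else None
    return "B" if last == "A" else "A"


def preflight(state_file, mount_points):
    """Return (ok, message); ok is True only when the due set is attached alone."""
    due = due_set(state_file)
    other = "B" if due == "A" else "A"
    attached = connected_sets(mount_points)
    if attached == set(SETS):
        return False, f"both sets attached; disconnect set {other} before backing up"
    if not attached:
        return False, f"no backup set attached; connect set {due}"
    if attached == {other}:
        return False, f"set {other} holds the newest backup; swap it for set {due}"
    return True, f"set {due} attached alone; safe to back up"


def record_cycle(state_file, used):
    """Call after the backup is verified and the drive has been disconnected."""
    Path(state_file).write_text(json.dumps({"last_used": used}))
```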

For endpoint security (Antivirus software and Malware detection software), we recommend using an NGAV (Next-Generation Antivirus) product like CrowdStrike.com Falcon or Malwarebytes.com ThreatDown. These products use a combination of technologies like machine learning, behavioral analysis, and sandboxing to detect and block even unknown and zero-day threats that haven’t been previously identified.

Recovery

  • How quickly can we restore systems and data from backups in case of an attack?
  • Do we have a communication plan for informing employees, customers, and stakeholders in case of an attack?

Passwords

Weak, short, easy-to-guess passwords are a major security vulnerability, especially for remote access to workstations or NAS devices in your studio. Hackers can easily crack these passwords and gain access to your systems. Use strong, unique passwords for each account and consider using a password manager to help you create and remember them.

How secure are our login credentials?

  • Does anyone have passwords stored in an open document on their phone or computer (like a text file, spreadsheet, notes program, or document)? If so, this is a major risk. Replace these types of unsecured password storage with an encrypted password manager application like 1Password, Bitwarden, Dashlane, LastPass, NordPass, Proton Pass, or something similar. Even using Google Chrome (with two-factor authentication set up on your Google account) or Apple’s Keychain is a good minimal start.
  • Do we enforce strong password policies that require regular updates?
  • Do we require the use of multi-factor authentication for access to any of our online systems?

Although it can feel like a hassle, the use of MFA (multi-factor authentication) or 2FA (two-factor authentication) is a MUST. Any extra layer that can be added when it comes to security should be considered essential.

If you have many passwords, the use of a password management application is extremely helpful. There are many options available. Some work great for individuals and others can allow you to share passwords with teams of people.

VPN Access

A high percentage of all cyber attacks leverage VPN access into a business. Reports and studies vary on the exact percentage, but whether a threat actor uses phishing or some other approach to get credentials from one of your users, or leverages a 0-day exploit directly on your VPN tech, around 50% of them ultimately utilize a VPN to get into your network(s).

  • Minimize the number of people you grant VPN access into your business.
  • Enabling two-factor authentication is a must for anyone who has VPN access.
  • Keep your firewall software and firmware up to date so it has the latest protections against known threats.
  • Consider a VPN alternative like Zero Trust Network Access (ZTNA) or Secure Access Service Edge (SASE).

Insider Threats

Employees with access to your systems can unintentionally or intentionally compromise your security. Provide security awareness training and/or testing for employees.

Are my employees aware of Phishing and Malware?

Training employees on the types of cyber threats can go a long way. Employees, and more specifically the emails they receive, are the leading cause of data breaches. Also see Phishing Attacks above.

Can my employees recognize a Phishing attack?

Since the most common way security is violated is by an employee inadvertently giving a legitimate-looking link permission to install software onto the computer, it is critical to ensure that they can recognize these types of attacks. Also see Phishing Attacks above.

Bank Account Security

ACH – If you pay others using ACH, consider the following measures:

  • Regularly monitor your bank accounts.
    • Is the amount of money in your account what you expect?
    • What checks or ACH payments are pending? Do you recognize them?
  • As shocking as it sounds, if someone has your bank account number and routing number (information that exists on each paper check) then they have the ability to withdraw money from your bank account.
  • Work with your bank to implement “ACH filters and blocks”, sometimes called “Positive Pay”, which allow you to designate who is authorized to make account debits.
  • Use a separate account for ACH payouts where you periodically manually transfer the amount of money into that account that is needed to cover your payments. This way, if someone gets access to your bank account, they can only take what you had designated for that block of payments (make sure your bank will not honor any overdraft protection on your separate ACH account).
  • For additional information, see https://stripe.com/resources/more/ach-fraud-101-how-these-scams-work-and-how-to-prevent-them.

Credit Agencies

By prioritizing these concerns and taking proactive steps, you can significantly reduce your risk of cyberattacks and better protect your business.

For more advanced information on Cybersecurity, here are some miscellaneous links to external:

There’s no business too small to be targeted by cyberattacks or fraud. The information we share here reflects good general practices designed to strengthen your awareness and reduce risk.

Every business and system is unique. These suggestions are for educational purposes and shouldn’t be taken as a guarantee against cyberattacks or fraud. We encourage you to review your own security setup and to seek advice from qualified IT or cybersecurity professionals.

Our goal is to help you stay informed, make wise decisions, and keep your business safe.