The Top 9 Cyber Security Myths and the Top 9 Cyber Security Truths

You might think your business is too small for a cyberattack, your security is too strong or your data is too insignificant. Unfortunately, we have some bad news: no organization is safe from the continually growing threat of a cyberattack regardless of size, industry or best efforts. Here are the top nine cyber security myths, and the harsh realities behind them.

  1. Cyber Security Myth: Only big organizations are at risk of a cyberattack.
    Reality: Half of all data breach victims are SMBs.

According to the 2018 Verizon Data Breach Investigations Report, 58% of data breach victims are small businesses. That’s because SMBs are often seen as more vulnerable than bigger businesses and as having fewer security protocols in place. A recent study by the Poneman Institute, The 2018 State of Cyber Security in Small and Medium Size Businesses, revealed that 70% of small businesses have experienced a cyberattack in the last 12 months. According to the report, only 28% of small businesses rate their ability to mitigate threats, vulnerabilities and attacks as “highly effective.”

  1. Cyber Security Myth: Hackers aren’t interested in my industry.
    Reality: Any organization with sensitive information is vulnerable.

Malware and viruses don’t discriminate; any machine or network can pick up a Trojan Horse or face a ransomware scheme. While financial services and healthcare are among those industries hit by the most cyberattacks, wide nets are cast and can land anywhere. Across the world, ransomware attacks are up 350% and IoT attacks are up 600%. If your business has a network or a computer, it’s at risk.

  1. Cyber Security Myth: I’m only at risk from outside cyberthreats.
    Realty: Insider threats are frequent and often harder to detect.

From rogue employees to careless ones, from third-party contractors to business partners, research suggests insider threats account for up to 75% of all security breaches. According to a recent article from Security Magazine, 32% of companies can’t even determine the root source of a data breach after 12 months–so that 75% could be even higher.

  1. Cyber Security Myth: Cyber security is the IT department’s responsibility.
    Reality: Cyber security is the responsibility of every member of your team.

According to some reports, more than 90% of malware is installed over email. If your employees aren’t trained on cyber security best practices, such as how to identify phishing emails and the risk of clicking on unsafe links, they could be leaving your organization in peril. Some email hacking ploys are quite sophisticated, and employees are not always on guard. Regular cyber security awareness training is critical.

  1. Cyber Security Myth: You’ll know immediately if your network is infected.
    Reality: Modern malware is stealthy and hard to detect.

It takes an average of 191 days for a business to detect a data breach, and then another 66 days to fully contain it. The longer a breach occurs, the more files may be compromised, the more data can be stolen (and perhaps sold on the black market) and the more likely your organization is to suffer irreparable harm.

  1. Cyber Security Myth: My anti-virus and anti-malware software keeps me safe.
    Reality: Software can’t protect against everything.

In 2016, the cybersecurity company McAfee says it found four new strains of malware every second. Who knows how many they never detect? There is no way updates can keep up with the evolution of cyberthreats. Making matters worse, many businesses don’t immediately install security patches, either due to ignorance of difficulty. As reported by online security site CSO, “People aren’t too dumb or lazy to install patches. They want to do the right thing. But patching can be difficult for a multitude of reasons, and those roadblocks explain why patching is performed so poorly in most organizations.”

  1. Cyber Security Myth: My passwords are strong enough.
    Reality: You need two-factor authentication.

When multiple employees have access to the same system, that system is only as strong as the weakest password. But even a strong password isn’t without risk: an employee can be duped into sharing a password via a phishing scheme, or re-use a password that is compromised somewhere else. Two-factor authentication can reduce much of this risk.

  1. Cyber Security Myth: Our organization has never faced a cyberthreat, so we’re safe.
    Reality: That’s what everyone says right before they go out of business.

Are you familiar with the Identity Theft Resource Center (ITRC) breach list? Every month this list is updated with newly reported business data breaches, most of which never make the front page. You won’t have to look long to find an organization like yours, whether it’s a business your size, in your industry, in your state, or all of those. This list also details how the breach occurred and what was affected. It can be eye opening for many small businesses, especially with 60% of small businesses folding within six months of a cyberattack.

  1. Cyber Security Myth: Complete cyber security is achievable.
    Reality: No, never. Which is why you need a partner like Single Path.

In 2017, a cyberattack cost small-to-medium sized businesses an average of $2,235,000 per attack. Keeping your business safe from cyberthreats is a critical job; it can also be a full-time one. That’s why you need a partner like Single Path. We have helped thousands of organizations like yours protect themselves. From employee training to managed cloud services, from hardware procurement to our full slate of security solutions, we can implement the protocols you need to have a safer, more cybersecure organization. Because the biggest cyber security myth of them all is that your organization is safe.

Ask us how to get started now.

How to Create Your School Cyber-Threat Strategy

Cyber-threats are on the rise in our school districts, which often lack the resources to protect themselves, the training to use the resources they have effectively, and even the knowledge to identify which resources are needed.

We wrote about the cyber-threats facing schools in our last blog post. But these problems are epidemic to school districts across the country. As reported by technology and digital learning news source Edscoop.com, “A recent trend in cybercrime indicates that online attackers are increasingly targeting a demographic they know people will rush to protect: K-12 students.” The article details more than three dozen large-scale breaches of student data from cybercriminals from January through October, 2017.

The risk of a cyberattack will only continue to grow, so establishing a holistic cyber-security strategy is critical. Any strategy should include the following elements. Many of these are highlighted in a recent document published by the Council of the Great City Schools, an organization comprised of 70 of the nation’s largest urban public school systems.

1. Physical Security and End-Point Security

On-premises security isn’t only needed to protect students, but the network and computer devices housed inside the school. Using a school-owned computing device is often the easiest way to get access to confidential information. Data centers and control rooms need be locked and monitored. Classroom or office equipment may also be vulnerable to theft, so modern, video surveillance can be a powerful tool, as is locking away machines when not in use, and carefully tracking equipment and reporting lost devices promptly.

2. Employee Training and Network Security

Your network is only as secure as the staff who uses it; an unsecured password can be all a cybercriminal needs to get into your network and see, abuse or share sensitive information. Employee training for proper security protocols is critical for network security, especially for staff who use personal devices in 1:1 environments.

Monitoring who has access to information is also a critical component of network security. As reported by the online security and risk management magazine CSO, “Given the high volume of users entering and exiting a school’s network, establishing the means to identify who can and can’t gain access and which resources they have access to is crucial. For effective cybersecurity, schools should use solutions that can easily identify users and then dynamically assign access to network segments accordingly.

3. Application Security

Hackers can also gain access to your systems directly through your software applications. Downloading and installing regular updates and patches are critical, as we reported in a recent blog post detailing a Cisco networking hack that cut off Internet access and infected more than half a million devices. In that case, those who did not download security patches were left considerably more vulnerable. For that reason, your staff should only use software from trusted sources.

4. Cloud/Data Center Security

With schools moving more and more towards cloud-based solutions, the security of their cloud-based data is a critical component to security. We have touched on the advantages of using cloud computing in a number of past blog posts, including “12 Reasons to Move Your Business to the Cloud”. Cloud computing makes accessing information easier, but demands strict security processes and protections. Still, the benefits far exceed the risks (for many of those risks please see our post, “9 Facts to Know About the Risks of Moving to the Cloud and How To Manage Them”) as cloud computing provides significant back-up security should your data be destroyed or become inaccessible due to disasters both natural and hacker-made.

At Single Path, we are well versed at working closely with school districts to determine their vulnerabilities, providing solutions, and even training staff to ensure policies and protocols are understood and followed. We’re always eager to discuss our many products and services, including Security Solutions and all our Managed/Cloud Services. Let us help you chart a more secure and safer path for your organization.

Ask us how to get started!

Cyber Incidents for K-12 are Rising. Is Your Student Data Vulnerable?

Data leaks are becoming so commonplace it seems like we’re almost becoming immune to them. Another ransomware attack on a business. Another virus crippling a network. Another identity theft scam. But then something happens that shakes us up and reminds us … this is not okay. Such as when an attack hits a little too close to home. For example, this—hackers are now specifically targeting schools.

CNN reported that a school district in Montana was forced to shut down more than thirty schools for three days after hackers infiltrated their network. The hackers sent threatening text messages to staff and students. School Superintendent Steve Bradshaw explained, “The messages weren’t pleasant messages. They were ‘splatter kids’ blood in the hallways,’ and things like that.” The messages also included disturbing references to “Sandy Hook.” But the hackers weren’t done. They also demanded up to $150,000 in bitcoin or they would release stolen school records. At least three other states were hit with similar school data extortion attempts.

Malicious hackers are going after schools because of a combination of weak data security and available information that is ripe for exploitation. As schools rush to incorporate technology in their schools, security protocols are sometimes afterthoughts. Vulnerable information can include social security numbers, birth dates, medical records and financial information.

An attack leaves one school district $10,000 poorer

Can your school afford to send ten grand to a hacker? Leominster Public School district officials recently had to ask themselves that question. A hacker attack left this Worcester County, Massachusetts school district unable to access email, health services, food services, library services, help desk and file services, backup services and more. The attackers demanded $10,000 to decrypt the files. Despite FBI warnings to never pay ransomware, the district felt they had little choice but to pay up. “If we had not used the option of paying the ransom for the decryption of our files, we would most assuredly be in for a much longer recovery at a much higher cost,” said Leominster Superintendent of Schools Paula Deacon. “In the case of one of the file servers, there were over 237,000 files which were encrypted, covering all departments in Central Office.”

According to an article in the Leominster Champion newspaper, the school is now making changes to their network to remove vulnerabilities including replacing old computers. The cost of this overhaul? More than $435,000. 

It’s a bigger problem than you think

How many school cyber incidents do you think have occurred in the last two years? Ten? Twenty? Try more than 330 (and growing)! In an attempt to categorize, defend and combat these threats, EdTech Securities has published a map that includes all manner of school-related cyberattacks including data breaches, phishing attacks and “other occurrences that lead to school and personal information being exposed.”

Check out the Interactive Map

The amount of exposure and consequences of those incidents vary widely. The Wall Street Journal recently reported on a number of cyber incidents including: 

  • Hackers in Iowa’s Johnston Community School District released school and parent information along with threats to kill the children. A hacker claimed the information was released to help child predators.
  • Hackers stole $56,000 worth of paychecks being sent via direct deposit to Atlanta Public School employees
  • Hackers stole $75,000 from employees of the Fulton County School district in Georgia

One state gets ahead

Many school districts are realizing the threats of a cyberattack are all too real, and are proactively working to protect themselves. Schools in Indiana are leading the way. As reported by Indiana Public Media, the Indiana Department of Education has targeted thousands of dollars in cyber funding for certain schools. Schools can apply for matching grants of up to $25,000 to build up their cybersecurity systems and improve 24-hour system monitoring. Says Chief Technology Officer John Keller, “Cybersecurity is a layered concern that goes across really all sectors. I mean, it’s not just a teacher thing or a school administrator thing, it’s our students, our staff.”

What you can do

Waiting until a cyberattack hits can be costly to schools and devastating to the families or staff whose information is breached. Fortunately, there are many resources available. For example, the U.S. Department of Education provides a number of cyber-resources and documents related to Security Best Practices, from a Data Breach Response Training Kit to a Data Security Checklist. But it can be daunting to read and figure out exactly what you need to do, especially without a partner to help guide you.

At Single Path, we work with schools across the country to help them uncover and tighten up weaknesses, implement security measures, and create recovery plans if the worst happens. We can help overhaul your entire system, as we did for Great Lakes Academy in Chicago, provide training like we did for Saint Anne Parish School in Barrington, Illinois, and offer any or all of a full range of security offerings.

Ask us how to get started!

 

What the Equifax Breach Teaches Us

identity-theftAs nearly everyone knows, Equifax recently reported a data breach, which has put more than a hundred million people at risk. As the Federal Trade Commission puts it bluntly, “If you have a credit report, there’s a good chance that you’re one of the 143 million American consumers whose sensitive personal information was exposed in a data breach at Equifax, one of the nation’s three major credit reporting agencies.”

The facts are undisputed. The breach lasted from mid-May through July. The hackers accessed people’s names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. Yet Equifax didn’t inform the public until September 7th. Within a week of that announcement, both Equifax’s Chief Security Officer and Chief Information Officer were fired, Equifax became a source of anger from the public, a source of investigation by the U.S. government, and a source of ridicule on late night television.

As Wired Magazine stated in an article dated September 14 titled Equifax Officially Has No Excuse, “Capping a week of incompetence, failures and general shady behavior in responding to its massive data breach, Equifax has confirmed that attackers entered its system in mid-May through a web-application vulnerability that had a patch available in March … As the security community processes the news and scrutinizes Equifax’s cybersecurity posture, numerous doubts have surfaced about the organization’s competence as a data steward.”

Even Worse, It was Entirely Preventable

According to Equifax itself, the data breach was due to a flaw in the Apache Struts Web Framework, a widely used enterprise platform. Equifax discovered the bug months before the breach occurred, yet did nothing to fix it. This decision is surprising, as the remedy to fix it was a relatively simple procedure. Equifax was provided clean and simple instructions on what to do. Instead, they chose to do nothing.

At best, the refusal to fix this major flaw was negligent. At worst…well, that’s still to be determined.

Once Trust Is Gone, It’s Gone

Since this ongoing fiasco was first made public, how many people are excited about the immediate prospects of Equifax? Its stock lost more than 35% of its value within days of the news coming out, and has remained significantly lower than its pre-breach levels. Meanwhile, the Department of Justice is looking into criminal charges against high-level Equifax executives who sold nearly $2 million in stock before Equifax released the data breach information.

While it is too early to determine the long-term future of Equifax, if it has one, individuals and municipalities have filed numerous lawsuits (including one by the city of Chicago on September 28 of behalf of its citizens, following in the footsteps of San Francisco which filed suit just two days earlier; more cities are expected to follow) and politicians are calling for more investigations. As the lawsuits go through the system and people’s lives are disrupted—this breach affects nearly everyone who has had a credit report run—the news of Equifax’s lax security standards and insufficient response will only linger, as will public outrage.

Are You the Next Equifax?

While it’s true a breach can affect any business at any time, arrogance and a refusal to protect your data will only hurt your business’s rebound and make the prospects for its success questionable. Recent and well-publicized data breaches from Target, Home Depot and others have demonstrated that open communication can go a long way to restoring public trust; a path that Equifax has so far seemed reluctant to follow, at its own risk.

But openness after the fact is only one step—the best step is to be proactive and do all you can to avoid a breach in the first place. That means not only ensuring appropriate safeguards, but also backing up data in case you are hit by a malicious cyber attack that compromises, erases or prohibits access.

As we detailed in a recent blog post about cypersecurity attacks, “formulating a multi-layered plan including continual back-ups and implementing best practices, such as employee education, is of paramount importance.” This includes back-up protection, strong email security, artificial-intelligence-based security and more. In short, you not only need to protect your customers, but yourself. Safeguarding information rewards your customers’ trust but also ensures your company doesn’t miss a beat in the event of a cybersecurity breach.

Learn more about how Single Path’s Security Offerings can help you create a cyber strategy and protect your data and your reputation.

Ask us how to get started!