In short, very much so. Most cyber-attacks today focus on small businesses because of the relatively few defenses they have in place. While it's true that you are less likely to suffer a targeted attack, you still likely have a lot of data that you need to protect, such as personal records, finances, and client communications.
This is a question that even experts don't fully agree on. The simple answer is that you can prevent a large number of "drive-by attacks" or attacks of opportunity, simply by following best practices and applying system hardening techniques. However, with enough time and effort any system can be broken, so unless you are actively monitoring it and adapting with the times, your protection will only be effective at the point in time when you implement it. In short, something is better than nothing, but it's not everything.
A cyber attack can vary in cost depending on many elements including but not limited to the attack vector, severity, and industry regulations regarding disclosure of the attack. The way to estimate your cost is to add up the main parts.
- Incident Response - this typically only covers removing the threat and ensuring the attackers are locked out from re-entry.
- The cost of recovery of your systems and data. If you have good backups in place this really help with this step, but you will likely still have labor costs.
- The cost of downtime during the attack and recovery. An attack may make your systems unavailable for days or even weeks. If you are unable to use your normal operating technology how well can your business function. Estimate the impact in a percentage and multiply that by your average daily revenue to get an approximation of the impact.
- Legal - if you have been compromised you need to make a disclosure about the attack. With more regulation coming to this area of business, it is a good assumption you will be covered under this soon if you are not already. Some common regulations include the SHIELD ACT, PCI-DSS, 23 NYCRR 500 from NYSDFS, HIPPA, and if you deal with European residents GDPR.
Cyber Insurance provides financial coverage from some of the damage that is incurred during a cyber attack. This includes the cost of legal representation, disclosure, incident response and recovery. It usually does not include regulatory penalties for non-compliance that may or may not have led to the attack. It also usually does not include coverage for the cost of business interruption or lost wages.
That is easy, our plans include cyber insurance as part of our bundled protection. These plans combine the right mix of proactive, reactive and disaster recovery protections to provide a comprehensive risk management strategy designed specifically for startups and small businesses.
An incident is defined as any activity that can not immediately be determined as authorized. Minor incidents include user lock out events that are not attributed to users entering their passwords incorrectly for example. Another example is a malware infection. Malware commonly causes secondary infection and may leave behind traces of itself long after the initial infection has been cleaned.
Incident Response is the investigation, clean up and recovery from an incident. Depending on the incident severity, an incident response may include gathering logs and reviewing authorized activity to determine what else the attackers may have done. The incident response process also includes recommendations for next steps to ensure that this type of incident does not reoccur.
A risk assessment is a tool used to measure the level of exposure from a particular risk. An example is a risk assessment of a 3rd party. That assessment may be a questionnaire, developed specifically to address risks associated with the data or resources shared with this 3rd party. Based on the results of a risk assessment, a company may implement risk mitigation techniques on their end, limit data sharing with this 3rd party, ask the 3rd party to increase security, or in edge cases, even stop doing business with this party altogether.
Phishing is a stealthy attack vector in which the attacker attempts to deceive the user into thinking they are interacting with a trusted source, when in reality they are interacting with the attacker. Phishing can present itself as an Email, a malicious link, SMS message, phone call, or any other communication method. The most common source of phishing is email with a link or attachment. The goal is to get the user to open the link or attachment, at which point the attacker can run malicious code on the users machine or prompt them for credentials for follow up attacks.
You can't really avoid phishing attacks, but you can avoid being phished by being careful with where you browse and not opening any attachments which you are not expecting.
The most recent attacks with phishing are related to the compromise of a 3rd party or co-worker and using that degree of trust to get other users to interact with malicious content. So if the email or other communication looks like it's coming from your friend or colleague but the language is not usual, there are typos, or something just feels off, give them a call on the phone to confirm they meant to send you this.
You can't really avoid phishing attacks, but you can avoid being phished by being careful with where you browse and not opening any attachments which you are not expecting.
The most recent attacks with phishing are related to the compromise of a 3rd party or co-worker and using that degree of trust to get other users to interact with malicious content. So if the email or other communication looks like it's coming from your friend or colleague but the language is not usual, there are typos, or something just feels off, give them a call on the phone to confirm they meant to send you this.
2FA or MFA as it frequently called is a second way to authenticate users. The traditional approach to 2FA is something you know plus something you have. Something you know is usually a password, and something you have can be a phone (SMS based 2FA), a USB key (hardware fob), or something you installed on your phone like an authenticator app.
Active 2FA requires a 2 way interaction with the system to prove the user is authorized and also makes an attempt to verify the user is human.
One example is an application installed on your smartphone that communicates with the service you are trying to authenticate.
When you successfully pass the first layer of authentication (username and password), the service will send a "push request" to your phone. On your phone, not only will you see that an authentication attempt has been made on your account but from where. For example, it may show your IP address and the city and state that is corresponds to. If you were trying to sign in to your account this provides you with a high degree of certainty that the approval request you received is from you.
With passive 2FA, the authentication attempt is much easier for an attacker to forge by using phishing techniques to capture the static code and reuse it immediately on the real site.
One example is an application installed on your smartphone that communicates with the service you are trying to authenticate.
When you successfully pass the first layer of authentication (username and password), the service will send a "push request" to your phone. On your phone, not only will you see that an authentication attempt has been made on your account but from where. For example, it may show your IP address and the city and state that is corresponds to. If you were trying to sign in to your account this provides you with a high degree of certainty that the approval request you received is from you.
With passive 2FA, the authentication attempt is much easier for an attacker to forge by using phishing techniques to capture the static code and reuse it immediately on the real site.
