carbonite logo

Commonly searched topics:

backupcloud backupaccount sign in

Article · Aug 13, 2018

Suspicious minds: Don’t get caught in a trap

Color illustration of a key.

Midmarket CISOs are faced with the same cyber threats as their larger counterparts. Plus, they typically have a much tighter budget. There are some ways CISOs can take immediate action without large investments, though. I’ve outlined three here. Consider them defensive moves—they focus on preventing attacks before they happen.

Tip 1: Foster a mindset of suspicion, especially when it comes to email

Be suspicious. And foster a mindset of suspicion among employees, so they are less likely to fall for phishing attacks. The vast majority of both opportunistic and targeted attacks are conducted via email.

According to recent research conducted by IT security vendor Trend Micro, business email compromise attacks are projected to exceed $9 billion in 2018. So, it is important to train employees how to identify questionable emails. One way to do this is to use an employee awareness training platform that offers web-based exercises in identifying fraudulent emails.

It’s critical to incorporate email security into your strategy. Look for software that not only filters obvious spam, but also features impersonation protection, attachment scanning, and url rewrites. Additionally, set up a dedicated mailbox where employees can forward questionable emails. Then, your IT team can leverage a free tool like VirusTotal to gain a cursory understanding of the intent of the attachment/url.

It is worth noting that phishing emails have evolved. They are no longer filled with typos, and scammers have improved their techniques. So, many of these emails seem credible. Cyber criminals typically perform some level of reconnaissance on the business and its employees when crafting their messages. So, a phishing email might come from a co-worker and contain details that are a contextual, such as a reference to traveling when they are actually out of town.

Tip 2: Reduce reliance on passwords by adding multi-factor authentication

‘Securing the human’ and eradicating all employee cybersecurity mistakes is impossible. Despite all the best efforts by company executives to provide security training, chances are that someone will click on a bad link. Or, someone will inadvertently enter their user credentials into a fake dialog box, giving an attacker exactly what they want. Deploying multi-factor authentication (MFA) is one of the best, and cost-effective, ways to reduce the negative impact of stolen credentials. Using a solution which offers token based authentication greatly increases security.

A successful MFA strategy accounts for all your SaaS applications, public cloud presence, as well as remote access into the business’ environment. Look for solutions that offer adaptive authentication. This provides some flexibility, so you aren’t burdening employees who are in the office, for example.

Tip 3: Don’t let criminals walk right in.

Finally, strengthening physical office security is one of the simpler InfoSec problems to solve because office walls aren’t half as porous as cyber perimeters. Office entrances act as single points of aggregation. That means a properly enforced badge-in policy can help avoid someone “piggybacking” into your office—walking in without credentials or permission.

Several studies have shown that laptop/mobile device theft  frequently occurs in offices, as well as the more common losses reported at airports and subway stations. For example, a recent survey conducted by California-based electronics accessory vendor Kensington pointed to transportation as a hotbed for device loss. The category “Cars and Transportation” took the top spot at 25 percent. However, the number two response was “The Office” at 23 percent.

By training employees to be on the lookout for anyone trying to gain unauthorized access to the building or office where they work, you’re encouraging them to take part in your security processes and emphasizing the importance of security.


Jeannine Gaudreau

Jeannine Gaudreau is Director of Information Security at Carbonite. She blogs about the threat landscape and cyber defense.

Related content