Jan 27, 2023
By: Chris Riani, CISSP, CASP
Cybersecurity & Compliance Manager, TSI
CMMC Registered Practitioner
With 2023 now underway, we wanted to share what we believe to be the two most significant cybersecurity threats to your organization: Phishing attempts and users without routine end user cybersecurity awareness training.
Every breach that we saw in 2022 from our clients was from phishing. Unfortunately, cyber threat actors are always one step ahead, and the way that email traverses from one server to another is defined by standards that are slow to change, which gives an attacker a lot of opportunity to figure out how to overcome them. As a business, there's only so much you can do, and only so many cybersecurity solutions that you can implement to help mitigate the frequency and impact of these types of cyber threats. However, the good news is that the most effective and proven method to combat phishing attempts simply comes down to conducting routine end user security awareness education and training. With that in mind, here are 3 critically important takeaways that we hope you'll consider for 2023 to help combat the increased frequency of phishing attempts:
Takeaway Number 1:
Every business needs a cybersecurity awareness training and education program. Unfortunately, there are no cybersecurity tools that can do it all for you; they can help you recover from a breach, they can even help you contain the threat, but no tool will stop your employees from exposing your network to a cyberthreat, so every business should have an employee education plan in place. At TSI, we can provide a comprehensive end user cybersecurity training program that can be tailored based on your specific industry, role type or compliance requirements to help ensure you're able to address these all too common threats. To learn more about our end user cybersecurity awareness training programs, please visit our page here:
TSI End User Security Awareness Training Page
Takeaway Number 2:
All businesses, regardless of whether they have an employee education plan in place or not, should have an incident response plan and practice that plan.
We see more and more of our forward-leaning clients interested in developing and building upon their existing incident response strategies. They understand that it's not a matter of "if", but "when" they will encounter a cyber incident, and they want to be prepared with a plan to contain it so they're not reactively addressing the issue when the inevitable occurs. As part of any incident response strategy, it's critically important to routinely conduct 'fire-drill' simulations to ensure that all the players within your organization understand their roles in the event of a breach. At TSI, we conduct breach simulation exercises with our clients and walk them through how these incidents might happen from beginning to end, so that they're not caught unprepared and are able to address these critical, yet oftentimes overlooked, questions:
- What's your plan?
- What are your legal requirements?
- If you find out that PII was stolen by the hacker (e.g. personal information from your employees or customers), who do you have to call?
- Do you know the number for the FBI field office in your area?
- Do you know the cybercrime division in Massachusetts?
- Do you know your legal requirements to inform those people that their data was stolen from you?
Takeaway Number 3:
The best defense is a good offense: consider implementing all three of the most critically important cybersecurity solutions to help augment your end user cybersecurity awareness training program:
- MFA (Multi-factor authentication)
- Network Security Monitoring & Alerting (SIEM)
- End User Security Awareness Training & Simulation Phishing Attacks
With 47% of cyber-attacks targeting small businesses and the cost of a single incident nearing $200,000, it's of the utmost importance to take these emerging threats seriously and to make use of today's cybersecurity best practices to safeguard your organization's assets from these threats.
We hope we were able to help bring awareness to the biggest threat we identified in 2022, and if you're concerned about your organization's security posture, please reach out to us any time to schedule a cybersecurity strategy call to help combat what will undoubtedly be an even more challenging 2023. As always, we're here as your trusted IT and cybersecurity partner, so please always feel welcome to reach out with any questions or concerns you may have.