Think Your Business Would Never Attract a Cybercriminal? Think Again.

From data breaches to ransomware attacks, the landscape of cyber threats is ever-evolving, demanding proactive measures and resilient strategies to safeguard sensitive information and maintain operational continuity. To help business owners navigate that landscape, Biz spoke to a few local experts about some of the best ways to understand and mitigate those challenges.

To grasp the cybersecurity challenges confronting businesses, we first need to understand the nature of the threats. Darrin Piotrowski, CEO of Courant, said one of the biggest challenges is the lack of buy-in from both employees and business owners. Many small and medium-sized businesses erroneously believe they are too insignificant to be targeted by cybercriminals. However, trends indicate the opposite: Smaller businesses are often prime targets.

“Most of the threats we see are now at the identity level — think email, not on the endpoint — think antivirus,” Piotrowski said. “All trends show that small businesses are the most likely target of cybercriminals because they’re low-hanging fruit and less likely to invest in the tools necessary to offer protection. Police involvement is also less likely on smaller incidents. A cybercriminal organization does not want to draw attention to themselves by attacking Fortune 500 companies.”

Ransomware poses a significant threat as well. In a ransomware attack, cybercriminals breach systems, encrypt data, and extort money from businesses. Phishing, a tactic that involves sending malicious messages that appear legitimate, remains a pervasive threat. Social engineering, insider threats and email compromises further compound the cybersecurity landscape, highlighting the multifaceted nature of the challenges businesses face.

As for best practices, Piotrowski said that end-user training helps employees better understand and recognize malicious emails. He advises businesses to forward emails they are unsure of to their IT provider. “This has been very helpful with our clients, and it makes the end-user more aware and conscientious of strange emails,” Piotrowski said.

It’s also important to make sure that multi-factor authentication is being used on every account that requires a username and password. That includes Instagram and Facebook accounts.

And whatever you do, do not use the same password more than once.

“Use a password manager to keep track of and create your passwords,” Piotrowski said. “I use one, and I can tell you that I don’t even know the passwords to the sites and applications that I use on a daily basis.”

Piotrowski also advises businesses to take care in answering cyber insurance questionnaires and to work with their IT provider to make sure they have the correct answers. Also keep in mind that vendors may require that a company have certain protections in place.

“We have seen cases where the client doesn’t have the correct cyber protections in place and their vendor will request said protections in order to do business with them,” Piotrowski said.

Ralph R. Russo, director of information tech programs at Tulane University School of Professional Advancement, echoed Piotrowski’s threat concerns about ransomware and phishing, and added social engineering and insider threats to the list.

Social engineering refers to manipulating people into taking actions that compromise security, such as giving out information in response to an email that seems safe. Insider threats involve employees who have legitimate access and use it to steal or leak a company’s data.

Russo warns against the inadvertent disclosure of personal information on social media platforms, which can be exploited by cybercriminals to orchestrate targeted attacks. He urges individuals to exercise caution and refrain from sharing sensitive details that could compromise their security.

Chief among Russo’s best practices are using multi-factor authentication, keeping software updated, and never clicking a link in an email.

“Even if it appears to come from someone or a company you know,” Russo said. “Go to the site that the email is purportedly linking to by typing into your address bar or googling the company and selecting the ‘official page,’ and then log in there.”

Both Russo and Piotrowski also recommend that companies receive periodic outside assessments of their cybersecurity in order to stay on top of a landscape that is changing on a near-daily basis.


Drew Hawkins is a writer and journalist in New Orleans. He’s the health equity reporter in the Gulf States Newsroom, a collaboration among public radio stations in Louisiana (WWNO and WRKF), Alabama (WBHM) and Mississippi (MPB-Mississippi Public Broadcasting) and NPR. He’s also the producer and host of Micro, a LitHub podcast for short but powerful writing.
