The Meridian Blog: Tech News, Tips & More for SMB and Enterprise Environments

Best Practices to Help DC SMBs Fight Phishing and Next-Generation Malware

Posted by Trent Edwards
Tue, Jun 09, 2015

On Sundays, I try to relax and not think about IT security, but an interesting story on the front page of the Washington Post got my attention. In 1969, the Pentagon’s Advanced Research Projects Agency pioneered a computer network linking about 100 universities and military sites. It was called ARPANET, and it was the beginning of what later became the Internet. Fast forward, and the Internet permeates the business world, which would look very different without that Pentagon military project over 46 years ago.

From the beginning, some computer scientists warned that the Internet and its data transmission standard — Transmission Control Protocol/Internet Protocol (TCP/IP) — were vulnerable to hackers if they did not incorporate encryption. For this reason, the military created its own encrypted network, still using TCP/IP, but the civilian Internet kept its fundamentally open nature. Encryption, and the hardware needed to support it in the early days of the Internet, would have been very costly, perhaps even preventing the nascent Internet from succeeding.

Of course the Internet did succeed, and the first worm appeared in 1988, created by a Cornell University graduate student. Today, over 10,000 new malware threats are discovered every hour, a quarter million a day.

Billions of dollars are spent each year on anti-phishing, anti-malware, anti-spam and other security solutions, yet threats still find their way into many small-to-midsized businesses (SMBs). What can be done? What is the antidote to this epidemic of phishing, next-generation malware and other threats? Unfortunately, there is no magic solution, but enterprises can take some recommended steps. SMBs without an IT department can consult with a managed service provider (MSP) for help in implementing these security best practices:

  1. effective training for users to detect phishing attempts

  2. detailed and thorough company policies that encourage acceptable user behavior

  3. enterprise-grade alternatives to less secure consumer-focused tools

  4. layered security solutions that better thwart malware, phishing attempts and other threats.

1. Train Proactively

Cybercriminals are getting more sophisticated, and are even banding together and sharing techniques via social media. In some cases, they have launched coordinated attacks against a single, high value target. This has made some organizations more vulnerable to phishing attacks and other threats. Plus, malware is getting “smarter” and harder to detect and eradicate.

Users are the first line of defense in any security infrastructure, and they should be adequately trained. Approaches to security awareness training vary substantially, from the informal lecture and slide show “break room” approach, to intensive drills where simulated phishing attacks are sent to everyone in an organization.

Employees should receive thorough training about phishing and other security risks, and how to detect phishing attempts. Emphasis should be placed on the importance of being skeptical about suspicious emails and content. Email attachments and links should be automatically scanned before being opened. Email is the most common enterprise entry point for malware.

Above all, make sure that all network users understand the risks presented by phishing and malware, and how important each employee is to the organization’s IT security.

2. Clear and Detailed Policies

Employees should use passwords whose complexity matches the sensitivity and risk associated with the data assets they protect. Sensitive data should be protected and made available only on a need-to-know basis. Passwords should be changed on a rigidly enforced schedule, and they should be managed by IT.

Clear policies need to be established and communicated to all employees regarding remote connecting, telecommuting, and using personal devices for work (BYOD). A policy should be set for acceptable tools that employees may employ for file sync and share, and for social media. Caution workers about sharing too much information on social media, and educate them on how cybercriminals use social engineering to trick gullible victims.

3. Use Enterprise-Grade Tools

If possible, deploy enterprise-grade security solutions in place of employee-managed solutions. For example, there are viable, easy-to-use enterprise-grade alternatives to widely used consumer-grade file sync and share solutions like Dropbox, Google Docs, and Microsoft OneDrive. There are file-sharing systems available to organizations that accommodate very large files, which some business email systems cannot handle.

Consider implementing business continuity solutions such as backup enterprise email options to be used during outages, instead of employees’ personal Webmail accounts.

4. Layered Solutions

IT departments, or the MSP, should implement robust, layered security solutions based on threat intelligence. While the employee is the first line of defense in IT security, they are by no means the only element. A layered security infrastructure, based on analytics and good threat intelligence, will greatly lessen the chances of a data breach.

However, the human component is really the first layer of security because an alert and properly trained employee can often thwart potential incursions like phishing attempts before they get detected by technology. The best security solution is only as good as the people behind it.

 


Trent Edwards oversees all things technology-related—which encompasses the IT needs inside Meridian’s ever growing operation, as well as the technology needs of Meridian’s clients. Since returning to Meridian, Trent has been instrumental in the launch and significant growth of the professional services arm of the company. Constantly on the lookout for emerging technologies, Trent carefully monitors industry trends and objectively evaluates the newest products and applications. As Vice President of Technology, he manages Meridian’s technology team, builds partnerships with industry-leading vendors, and serves on the company’s leadership panel. Trent’s most recent accomplishment was the unveiling of a world-class data center initiative.
