Protecting your business: cybersecurity
Protecting business technology, information and data security
By Mike Danahey
Ransomware (Ray Kim, www.sicons.net)
Ray Kim, Director of IT Strategy at Simplified IT Consulting in Woodland Hills, explained that ransomware is malicious software that renders Word, Excel, PDF, photo and other common files unusable by encrypting them. The only ways to make the files usable again are to pay the attacker a ransom for the decryption key, or to restore the files from backup.
Ransomware attacks are typically delivered through phishing, where the recipient is tricked into clicking a link that installs the malicious software, or by downloading “free” media or software that contains an installer for the malicious application, Kim said. Sometimes the phishing sender is a known contact whose account has been compromised and is being used to send malicious links by email.
The attackers are no longer satisfied with just demanding a simple ransom for unlocking encrypted files. They can also copy and examine the data to see if it contains sensitive information and threaten to release the data to put more pressure on the victim to pay, or sell the information on the dark web if it has applicable value.
“And of course, there is never any assurance that the data will not be sold or released even if the ransom is paid,” Kim stated.
Kim said those most prone to ransomware attacks are the gullible, businesses using email without advanced phishing protection, people downloading “free” media or mysteriously discounted versions of expensive software, and extremely busy professionals who click email links in haste.
To lessen the likelihood of a ransomware attack, Kim recommended the following:
● Outside of very obvious scenarios (such as using the “forgot password” feature for a website), never click any links in emails; instead, visit the website of the supposed sending party to verify the contents of the email.
● Businesses using Microsoft 365 or Google Workspace can contact Microsoft or Google for help with subscribing to and enabling their advanced phishing protection systems.
● Businesses working with IT services firms should contact them to see what options they provide for phishing protection.
If a company does fall victim to a ransomware attack, Kim said these steps should be taken:
● Disconnect the affected computer(s) from the internet.
● If a business has cyber insurance, contact the insurance company immediately. The insurance companies typically provide remediation services as part of the policy, though the scope of included services varies.
● If a business works with an IT services firm, contact them immediately.
● In a worst-case scenario, many information security companies offer emergency incident response services for a fee.
For more information, see www.sicons.net.
Paratus Insurance Services president and owner Laine Caspi says she first became aware of cybersecurity insurance coverage while networking with IT people and hearing some horrible stories.
“Then, about eight years ago, the company my husband works for was breached, and it shut the office down for three days. They had to pay a ton of money to get everything fixed. When it hit that close to home, I started taking a deeper dive,” Caspi said.
Caspi learned that cybersecurity insurance has been around since the late 1990s. Over the last few decades, it has evolved tremendously.
“At its inception, cybersecurity insurance covered pretty basic data breaches. The coverage on these policies has since expanded the scope of what’s covered and now includes ransomware attacks, business interruption, and more,” Caspi noted. “Many general liability policies will offer some sort of cyber insurance as an add-on. There are separate stand-alone policies that are more comprehensive.”
Caspi added any business that keeps clients’ personal information in a database should have a cybersecurity policy. So should e-commerce sites, which are often targeted because they keep personal and payment information on file.
“Healthcare providers are another often-hit business. They are required to have cyber insurance to protect them from breach of privacy for their patients. Really, any business can be targeted,” Caspi commented.
Depending on the policy there can be variations in coverage:
● Data Restoration covers the cost of lost or damaged data as well as recovery efforts.
● Business Interruption covers loss of income during the time the business can’t operate.
● Ransomware payments are not covered by all policies. However, some may cover the cost to unlock data.
● Privacy and Notifications covers the cost to alert all of the end users that their information was breached.
● Cyber Extortion and Cyber Liability cover investigating any threats, negotiations with the cybercriminals, and legal costs, if any.
If cyber insurance is added to an existing business owner’s liability policy, it can cost a few hundred dollars a year but with limited coverage, Caspi said. For a stand-alone policy with all the bells and whistles, the premium could be in the thousands, depending on the size of the company, its annual revenues and the risk.
Caspi suggests that anyone looking for any type of insurance do their homework. It’s always best if the client knows what they need or want and can then be guided by an insurance professional, she said.
“If a business already has a general liability policy in place, it’s worth adding the endorsement for cyber insurance. It’s usually very inexpensive and could save lots of headaches and heartaches,” Caspi said.
Website: https://www.paratusinsurance.com/
The Americans with Disabilities Act was signed into law in 1990 by President George Bush to prohibit discrimination against those with disabilities, making sure such people have access to places and opportunities afforded to the general public.
The World Wide Web was in its infancy then, and not the dominant form of communication across the globe that it is today.
And while the Internet continues to grow and change on an almost daily basis, the ADA was never modified to reference online businesses.
However, in 2018 the Department of Justice (DOJ) issued an opinion that Title III of the ADA, which applies to commercial entities, also applies to commercial websites. And the following year the U.S. Supreme Court supported the DOJ’s opinion by refusing to hear an appeal of a lower court ruling favoring a blind person who couldn’t order a pizza from the Domino’s Pizza website.
Since then there has been an exponential rise in lawsuits against businesses by those claiming that their websites aren’t ADA compliant. Then, in 2022, the DOJ issued more strongly worded guidance, again reinforcing the requirement that government and commercial websites be accessible to those with disabilities.
While many of the lawsuits are legitimate attempts to bring web access to the disabled, others have been filed by “professional plaintiffs” who scour the web, looking to make money from businesses of all shapes and sizes by filing lawsuits.
All the above points to two key reasons why business owners should make sure that their websites are ADA compliant — because it’s the law and to avoid potentially costly lawsuits.
So says Mark Widawer, owner of West Hills Web, one of the Los Angeles area’s longest-running website development businesses. In fact, West Hills Web has a division, Web Compliance Pro, devoted to making sure websites are ADA compliant.
Of course, there are other, more benevolent reasons to make sure your website is ADA compliant.
“It’s the right thing to do,” Widawer said.
Making websites ADA compliant gives people with visual, auditory, cognitive and other disabilities the help to live as normal a life as possible, particularly in an age where so much commerce is done, and information and life are shared over the internet, he said.
Widawer also noted that making websites more accessible gives businesses the opportunity to serve millions of people that they might not otherwise be able to reach.
Another benefit of making sure your website is ADA compliant is it may help improve your website’s search engine ranking.
Google and other search engines depend on proper HTML coding in order to be able to read a website, understand what it’s about, and rank it properly. If your website isn’t coded with proper HTML, Google can’t read it properly, which means it won’t rank as high as it should.
The Web Content Accessibility Guidelines (WCAG) — the standards by which “ADA Compliance” is measured for websites — also require that websites be coded with proper HTML. So making your website ADA compliant also makes your website better for SEO, which means you may rank better on Google and get more visitors and customers.
Thus, Widawer said, when building or maintaining a website, a business should make sure the developer it uses is experienced with WCAG 2.1, its most current guidelines.
He cautions those who decide to build their own websites using do-it-yourself products available online.
“Just because such sites offer DIY tools for building websites doesn’t necessarily mean your site will be ADA compliant,” Widawer stated.
For more information, see webcompliancepro.com.
Battling the ever-widening and sophisticated array of threats from cybercriminals is a challenge everyone who goes online now faces.
Businesses, institutions and individuals can have their information held hostage for crippling sums of money. At the same time, data breaches can potentially make anyone’s private information available across the internet.
With the above in mind, here are some cybersecurity tips for businesses from Randy Martinez, Vice President of Technical Services at IT Pros Management in Burbank, and Maksim Avrukin, President and CEO at Digital Uppercut in Sherman Oaks.
Start with an analysis of where your business stands when it comes to cybersecurity.
It is best that this is done by an outside, unbiased firm. A thorough review will give a clear view of what your business is already doing and what needs to be improved or done, and will provide the basis for a plan that goes beyond the analysis.
While an analysis will involve a good deal of automated review, its findings should be validated by a human.
Your business is on a security journey, an ongoing process to keep operations safe. (RM)
Use a business with experience to help.
Well-established companies can use their experience to provide solutions beyond their analysis, solutions that can be implemented internally and/or with outside assistance, and can provide a checklist of what to prioritize and how to proceed. (RM)
Work with those who understand threats, preferably firms that are accredited by the Cybersecurity and Infrastructure Security Agency. (MA)
Establish a cybersecurity program.
After the analysis, if a program isn’t already in place to address the findings, one needs to be established.
As cyber threats constantly change, that program should be reviewed at least once a year, with a focus on what else might need to be done and how to execute that work.
The goal should be to improve cybersecurity every year, if not sooner. (MA)
Make sure you and all your employees are cybersecurity-aware.
When it comes to cybersecurity, employees are the first and last line of defense. That is good if they are well trained on what to look for, but bad if they are unaware and thus more susceptible to cyber attacks.
Training employees and keeping them up to date on cybersecurity makes them a force multiplier in the battle against cybercriminals.
Make sure you know what you know, as knowing is half the battle. (RM)
To that point, have cybersecurity training as part of your business’s onboarding process.
Periodically quiz workers on cybersecurity, and even send fake phishing emails to see who might be susceptible and to better educate them. (MA)
Get insurance that covers issues that can come up related to breaches of cybersecurity.
When looking for such policies, always be sure to know what is and isn’t covered. Also make sure you know what security measures your business is required to take to qualify for the coverage being offered.
Remember that ransomware attacks have become very sophisticated.
Cyber hostage takers are using AI tools. They are also researching companies to learn how much any particular business can afford to spend on a ransom and adjusting their demands accordingly, so no business is safe because of its size, and negotiations are typically nonexistent. (RM)
Criminals also use attacks on smaller companies as gateways to the larger companies with which the smaller companies do business. They don’t discriminate by size, so all businesses need to be aware. (MA)
Always double check phone numbers and URLs sent in emails and texts.
Be careful with web links and phone numbers sent in emails and texts. It’s best to verify them independently, for example by looking up the organization through a search engine. (MA/RM)
Websites:
https://www.itprosmgmt.com/
https://www.digitaluppercut.com/