8 Spooky Cybersecurity Statistics To Help You Prepare For The Worst

A cyberattack is a scary event. It can shut down a business, cripple a government, and even incapacitate an entire country if the right measures aren’t taken to prevent it from happening.

THIS HALLOWEEN, WE BRING YOU EIGHT SPOOKY CYBERSECURITY STATISTICS THAT EMPHASIZE THE DANGERS OF CYBER THREATS AND URGE YOU TO PREPARE FOR THE WORST.
  1. 54% of small and medium-sized businesses (SMBs) say their I.T. departments are not sophisticated enough to handle advanced cyberattacks. (Sophos)
  2. As of February 2022, there were 8.77 million new pieces of malware circulating the Internet of Things (IoT) and mobile app stores. (AV-TEST)
  3. A ransomware attack takes place against a business every 14 seconds. (Cybersecurity Ventures)
  4. 91% of SMBs haven’t purchased cyber liability insurance, despite awareness of risk and the likelihood that they would be unable to recover from an attack. (Cybersecurity Magazine)
  5. Almost 89.7% of US businesses saw at least one successful cyberattack within a 12-month period. (CyberEdge Group)
  6. 53% of business leaders agree that remote work has made it much easier for hackers and cybercriminals to take advantage of them. (Norton)
  7. 50% of data breach incidents involve phishing and social engineering. (Trustwave)
  8. On average, only 5% of companies’ folders are properly safeguarded. (Varonis)

A large number of organizations still remain unprepared for a cyberattack – please be proactive and prepare now by contacting us – we can implement multi-factor authentication, roll out company-wide security training campaigns, and implement policies and procedures to help you keep your business and sensitive data protected.

What to Expect When Applying for Cyber Insurance

Several years ago, cyber insurance was just an add-on to larger policy discussions, but with the rise of malicious online attacks, it’s jumped to the forefront and has become one of the most expensive policies under a company’s insurance coverage. Here’s how to ace your application and get the best rates.

Cybercrime is a multibillion-dollar industry. Even with careful security measures in place, it remains a constant struggle for businesses to stay one step ahead of hackers looking to extort them. Phishing emails, malware, security breaches, network security issues, and computer system breakdowns are just a few examples of the kinds of cyber risk that can cause serious liability or revenue loss. That’s why proper cyber liability insurance remains a vital risk-transfer tool for organizations of all sizes.

For businesses attempting to acquire cyber insurance, the application process itself can be daunting. Application forms aren’t standard and can be very complex — what used to be a seven-question application has evolved over the last few years into a multi-page document broken out into various categories. Truth be told, it can read less like an application and more like an audit questionnaire. (Check out a sample cyber insurance application here.)

Insurers want to be as thorough as possible when evaluating an organization’s cybersecurity infrastructure and deciding their level of risk. They depend on the detail contained in the application to determine how well the people, processes, and technology can protect and respond to cyber threats. Any vagueness or incorrect information can create major issues later on if (or when) a claim is filed.

If you’re planning on applying for cyber insurance, it’s important to identify your company’s cyber risks prior to submitting the application. Specifically, insurers will ask for:

  • The basics — What industry you operate in, as well as how much and what type of information your organization stores, processes, and transmits. In addition, underwriters want to see how you manage data security and who oversees cyber-related matters.
  • Information security — Do you have a formal program in place to test and audit security controls? Underwriters also typically look to see if you have basic controls in place, including firewall technology, anti-virus, and intrusion detection software.
  • Breach history — Have you been breached before? Is the data you house vulnerable? How effective are your data security techniques moving forward?
  • Data backup — Underwriters want to know if you back-up all your valuable data on a regular basis, if you utilize a redundant network, and if you have a disaster recovery plan in place.
  • Company policies and procedures — What type of cybersecurity and incident response policies do you have in place? For example, how do you handle password updates, the use of personal devices, and revoking network access to former employees?
  • Compliance with legal and industry standards — Failing to comply with cyber-related legislation can be incredibly costly, and insurers want to know how you handle compliance. Specifically, whether you are compliant with applicable regulatory frameworks, are a member of any outside security or privacy groups, or utilize out-of-date software and hardware.

Although the cyber insurance application is more rigorous than most insurance applications, you can secure the best rate by doing your due diligence and prepping ahead of time. Being honest about the risks and vulnerabilities your company may face from cyber threats will also help you get the right policy coverage.

Need help applying for cyber insurance or meeting specific criteria? Talk to an expert at Back To Business I.T. today!

CMMC 2.0 Updates

WHAT IS CMMC 2.0?

The Cybersecurity Maturity Model Certification (CMMC) was introduced by the U.S. Department of Defense (DoD) on January 31, 2020 to ensure the protection of sensitive unclassified information or controlled unclassified information (CUI).

Originally, the CMMC framework had five levels of cybersecurity maturity (basic to advanced/progressive) and affected more than 300,000 defense contractors. However, on November 4, 2021, the DoD formally announced the CMMC 2.0 framework. This updated version seeks to simplify the model and reduce compliance costs by streamlining the program and scaling back the requirement that all defense contractors obtain third-party certification of their cybersecurity capabilities. Under CMMC 2.0, about 80,000 contractors will have to undergo third-party assessments while contractors at non-critical CUI levels are able to self-certify. Additionally, contractors who are not yet in full compliance with applicable cybersecurity requirements will be permitted to perform less sensitive contracts if they make a Plan of Action & Milestones (POA&M) and commit to completing the remaining requirements within specified dates. These changes are reflected in the diagram below (published by the DoD):

WHAT ARE THE NEW LEVELS?

1️⃣ Level 1 (Foundational) only applies to companies that focus on the protection of federal contact information (FCI). It is comparable to the old CMMC Level 1. Level 1 will be based on the 17 controls found in FAR 52.204-21, Basic Safeguarding of Covered Contractor Information, and focus on the protection of FCI. These controls look to protect covered contractor information systems and limit access to authorized users.

2️⃣ Level 2 (Advanced) is for companies working with controlled unclassified information (CUI). It is comparable to the old CMMC Level 3. CMMC 2.0 Level 2 (Advanced) requirements will mirror NIST SP 800-171 and eliminate all practices and maturity processes that were unique to CMMC. Instead, Level 2 aligns with the 14 families of security requirements and 110 security controls developed by the National Institute of Technology and Standards (NIST) to protect CUI. Accordingly, the 20 requirements in the old CMMC Level 3 that the DoD had imposed were dropped, meaning that the new Level 2 (Advanced) is in complete alignment with NIST SP 800-171.  Identified within DoD contracts under DFARS 252.204-7012 clause.  DoD is still working to define the “critical” CUI information.

3️⃣ Level 3 (Expert) is focused on reducing the risk from Advanced Persistent Threats (APTs). It is designed for companies working with CUI on the DoD’s highest priority programs, estimated to be about 600 companies. It is comparable to the old CMMC Level 5. The DoD is still determining the specific security requirements for the Level 3 (Expert), but has indicated that its requirements will be based on NIST SP 800-171’s 110 controls plus a subset of NIST SP 800-172 controls.

WHEN WILL CERTIFICATION BE REQUIRED?

The DoD is in the rulemaking process and negotiations with the CMMC Accreditation Body, which is expected to take an additional 9-24 months. While these rulemaking efforts are ongoing, the DoD is suspending mandatory CMMC certification, however, it is strongly recommending defense contractors act now and get CMMC assessed/certified to minimize the risk of DIB companies exposing sensitive unclassified information.

HOW TO GET STARTED

Defense contractors looking to start their CMMC compliance journey should look into meeting the 110 controls in NIST 800-171 as soon as possible, as preparation and implementation can take up to 18 months or more.

Not only can we help you achieve NIST-SP 800-171 compliance, but we can also perform a comprehensive gap analysis and determine your current SPRS score.  Then work with you on a plan to resolve areas of non-compliance. As a full-service I.T. firm, we can also implement solutions to address gaps so you are ready for CMMC certification and future audits.

CONCLUSION

CMMC 2.0’s cybersecurity standards will better arm the DoD in its efforts to defend against cyberattacks that threaten U.S. critical sectors. But it’s clear that the DoD cannot wait for CMMC 2.0 formalized assessments to improve cybersecurity in the Defense Industrial Base. While the CMMC 2.0 requirements work their way through the federal rulemaking process, enforcement of federal cybersecurity regulations governing defense contractors has stepped up. If you’re seeking future business with the Department of Defense, it’s important you get started on the compliance path right away.

Cloudy with a Chance of Data Loss

What would happen if your company lost all of its email data? If you’ve yet to implement a backup solution for your Microsoft 365 data, you could be faced with that question if a cyber-incident occurs.

Over a million businesses use Microsoft 365 – chances are, you do too! By far the most popular productivity suite, this Microsoft product includes apps such as Outlook, Word, Excel, PowerPoint and others, depending on your configuration. But did you know that Microsoft is not responsible for backing up the data on in your Microsoft 365 suite?

Why Microsoft 365 Customers Need a Backup Solution

Many business owners using Microsoft 365 believe that their data is totally secure. The reality, however, is a different story. Although Microsoft offers many benefits in productivity, efficiency, and collaboration with Microsoft 365, the company doesn’t provide users with a comprehensive backup system for their underlying data.

Mechanical malfunctions and physical damage, hacking and theft, user error, and power outages all put user data at risk in the cloud. Protecting data has never been more important – hackers are now attacking computers and networks at a rate of one attack every 39 seconds. While companies do their best to prepare for these problems, no plan is foolproof, and stories of data loss are far from rare, with the average data breach costing small businesses $149,000. Furthermore, 60% of small businesses close their doors within 6 months of a data breach.

Cloud Backup Saves Data, Time, and Money

The fact is that having only one copy of important data is asking for trouble, whether it’s stored in the cloud or elsewhere. If your data isn’t backed up, you could be facing not only a loss of productivity as you scramble to rebuild, but also a loss in revenue and reputation.

Microsoft 365 is an excellent service that gives you access to your data from virtually any place at any time — and across many devices. As a software-as-a-service (SaaS) built on the industry-leading Azure public cloud, Microsoft 365 offers users high reliability, geographic redundancy, and secure connectivity.

This should not, however, be confused with a comprehensive data protection solution. Microsoft does not back up Microsoft 365 user data, so it recommends that customers use third-party solutions. Furthermore, Microsoft doesn’t protect data from common issues like file corruption or everyday human error. Nor does it offer a way to easily revert to older versions if something goes wrong beyond their normal data retention policy.

Back To Business I.T. can help you evaluate your options in addressing these shortcomings and specifically discuss how implementing a backup solution can be cost-effective and seamless and offer peace of mind.

Our Cloud Backup Service Is Easy to Use, and Recovery Is Fast

Not all backups are created equal, however. When looking into a solution that can protect your data stored in the cloud, there are a few fundamental questions you should be asking your vendor:

  • What data is actually being backed up?
  • How is the backup data being stored and protected?
  • How often is data backed up, and for how long?
  • How easy is the data restoration process?

Our Cloud Backup Service is a flexible, agile, and reliable solution that offers comprehensive data protection across the full Microsoft 365 tenant, unlimited storage and retention of user data, and a hassle-free setup and run experience. Better yet, data-recovery means you can have peace of mind that your company can be up and running with minimum downtime.

There are several things to consider when selecting a cloud backup solution – and our team of experts can help with that! Our team can customize an approach that works for the company data that should be protected as well as other business and budgetary needs.

Contact our team today to learn about our Cloud Backup solution for your Microsoft 365 data!

Create a Game Plan for Protecting Your Data

Your company’s most precious business resource is its data. What is your game plan for protecting it?

Data loss cripples businesses – studies show that over 50% of businesses hit by a cyber-criminal close their doors within 6 months. What measures are you taking while cyber-criminals step up their game? If your game plan doesn’t include backups, you’re effectively planning to lose when (not if) a cybersecurity breach occurs. Don’t like losing? Let’s go over some game plan essentials to get that win.

Consider the elements

Even with strict information controls and excellent maintenance of technology, avoiding data loss incidents is all but impossible. You can account for what you can control – and that’s about it. Aside from the usual suspects – ransomware, human error, and technology failure – there are other forces that could destroy your business if you don’t have proper backups. Don’t let other variables, such as natural disasters, structural fires, and theft, derail your business success. Create a DR (Disaster Recovery) Plan to use as your playbook for succeeding in less-than-ideal conditions, and position yourself to recover that data quickly.

A strong lineup

Not all backups are the same. Businesses have different needs and budgets and every backup strategy needs to consider both. Think of this as your line up. How long can your business afford to be “down” in the event of a disaster? What players need to stay in as long as possible? What data is affordable to lose? Priority should be given to the data essential to carry out your essential business functions. In the event of a breach, recovering that data quickly could spare you big losses.

Use a long term strategy

A winning game plan takes you all the way, right? Backups protect your data by ensuring you have a ‘copy’ of everything you need in case of compromise. How long should you keep those copies? The compliance and regulatory requirements for your industry should guide how long you keep data backups. A good long-term strategy accounts for not just unexpected events, but also compliance requirements to ensure your data is there whenever you need it.

Plan for the wildcard

People are a constant variable in the biggest upsets. In times of emotional distress, employees often make poor decisions. Almost 75% of departing employees admit to taking company data in some form. 70% of intellectual property theft occurs within 90 days of an employee’s resignation. Worse yet, even more malicious activity can occur and hostile actors inside the workplace, unfortunately, purposefully delete data. Plan for the wildcards by having timely backups and enjoying peace of mind knowing you can get back to normal after a compromise.

The competitive advantage

If a disaster were to hit your area, how quickly would your business recover? How quickly would your competitors recover? Implementing a disaster recovery plan through effective backups ensures quick restoration and minimizes down time. Make backups your competitive advantage by ensuring you can get back on your feet faster and more effectively than your competitors.

A strong game plan accounts for all known and unexpected factors. It includes an aggressive offense for the things we can predict, and a solid defense for the sudden and unexpected. Plan for the win – backup your data and get Back To Business.

Want to secure a win for your business?

Our team will work with you to create a custom disaster recovery plan that fits your business needs, the data you need to protect, and your budget. Click here to call or here to send us a note today!

End of the Road for Microsoft Server 2008 and 2008 R2 Support

Moving information to “the cloud” might be the popular thing to do right now, but surveys show that 98% of companies still rely on physical, on-site servers. If you’re in that 98% of businesses, there’s a good chance you have at least one Microsoft 2008 or 2008 R2 server. Microsoft has been pushing their Azure cloud platform since announcing the end-of-life date for these two servers effective January of 2020. But what if moving to the cloud isn’t the right move for your business technology?

As a small business, we’ve been down this road before. Dealing with big one-time expenses is never easy, but it can be more palatable with careful planning and a good team by your side. Our team of project engineers can help you find the best way forward for your business. Is there hardware you can continue using? How many systems are “must-upgrade” and how many are “should-upgrade”? What is a realistic time lime for your business? We can help find the answers to these questions.

Microsoft is by far the most popular OS, so you can be sure that hackers are constantly working on malware to release after each end-of-support deadline passes. With crucial security updates for these servers no longer released as of January 2020, not making plans to upgrade your business technology could have potentially disastrous results. Contact us or give us a call at 937-490-5600 and let’s figure out the right solution for your business.

7 Cybersecurity Tips for Small Businesses

Antivirus and Filters

Scanning your systems regularly to detect malware and potential vulnerabilities should be at the top of the list when it comes to cybersecurity measures. Putting web and email filters in place can help block nefarious traffic and messages from ever reaching your systems.

Restrict Access

Along the same lines of defense as Antivirus and Filters, use restrictions to limit staff access. The same way you restrict departmental access depending on where a person works, it’s a good idea to implement internet restrictions. This way employees are limited to the websites they can access on company computers – and thus lessen the risk that they’ll wander into some dark alley on the internet.

Train Your Staff

One of the biggest cybersecurity risks any company faces is its people. To err is human, right? And err we do. Phishing emails are the most common cyberattack, and how over 90% of successful breaches begin. Educate your staff on best cybersecurity practices. Our cybersecurity awareness training offers not only educational materials, but simulated training exercises to test employees’ preparedness in a safe sandbox environment. Contact us to learn more.

Step Up Your Authentication Game

Setting up multi-factor authentication means that system access has a two-layer protection. Requiring both a password and a pin, for example, will likely reduce your risk of unauthorized access. Much like having biometric and pin or pattern access on your phone protects your data from prying eyes – two-factor authentication on your systems can keep your data safer.

Patch and Update, Faithfully

Clicking that ‘update later’ button is usually a bad idea. Updates ensure your system has the latest information on potential vulnerabilities. Patching does just that – patches certain ‘holes’ or fixes bugs in the system. This is part of why it’s critical to use up to date hardware/software – so you can be sure the manufacturer is working constantly to keep it as secure as possible. 

Back Up Your Data

In the case of a breach, having your data backed up can make the difference between paying the ransom or not. Cybercrime isn’t the only reason to back up your data though – as other events can affect system functionality and disrupt your business.  In the context of cybersecurity, it can give you the upper hand. If your data is securely backed up, there’s usually less down time in the event of an attack.

Have a Cybersecurity Policy in Place

All the good intention in the world won’t take the place of a solid information security policy. Make sure your staff is aware of the processes and best practices for cybersecurity in your company. You’ve worked hard for your business, protect its future.

Here at Back To Business I.T., we’re a business too. We have the same concerns and face the same challenges. Our customizable solutions are meant to change as your business grows – fitting your needs, and your budget. Take your business to the next level with a technology partner you can trust. Contact us today!

Managing Your Digital Presence

Do you still have a MySpace, or a Xanga? There are probably a few accounts out there that you no longer use – and probably didn’t remember you had. But they are still part of your digital presence and should be monitored. How do these old accounts pose a cybersecurity threat? 

Easy Targets: Well, old accounts usually have outdated privacy settings. That means cyber-criminals could be using your personal information to build a social-engineering profile for you, making it easier to target you in phishing or spearphishing attacks. If they have info on your subscriptions, memberships, likes, affiliations, etc. they can make their phishing bait emails much more believable.

Data Leaks: Let’s say your privacy settings on those old accounts are locked down tight. How robust is that website’s security? How easy is it for cyber-thieves to break in and steal it? Chances are, websites or services that aren’t widely used anymore aren’t going to have the most up to date information security measures in place. Do you really want to risk it?

Optics: Another reason to clean up your old accounts may be simply to moderate the content that’s out there. As we all know, the internet is forever. When we post a comment, publish an article, or share a photo, our name is tied to that media until we delete it. Do you have accounts with NSFW photos, comments, or content? A quick search on any search engine should reveal content tied to your digital identity. Is there something you don’t want shared?

So go ahead, take a stroll down your memory lane on the internet and see what you find. Deactivate accounts you no longer need, manage old content and how it’s shared, and enjoy the peace of mind.

Back To Top