You set your out of office message and changed your voicemail to let everyone know you are on vacation. Finally, you can lay out on the beach with your family and relax. Then you get a call from your IT provider with the worst possible news—your email account has been hacked.
Yes, what I described has really happened. It’s happened more than once and to more than one person. Attackers compromise their victim, look at the calendar, and notice the victim is planning to be out of town, and they wait. They wait because they know if you are out of town, there is less of a chance they will get caught.
According to IBM, the average security breach in the United States costs $8.19 million to recover from. This is alarmingly high, yet day in and day out, many firms ignore necessary steps they can take to protect themselves better. Below are five steps you can take to improve your firm’s vacation cybersecurity:
- Have a good password policy – This is your first line of defense and should not be taken lightly. While many security folks may argue over complexity, length, and how frequently you should change your passwords, one thing they can agree on is that you need a policy, and it should be robust.
- Use Multifactor Authentication (MFA) – Multifactor authentication is exactly what it sounds like: multiple ways to authenticate, or verify, that someone is who they say they are. An example of MFA is your bank debit card. When you use an ATM, you have to enter your PIN (something you know that proves who you are) and insert your card (something you have that shows you are you). Likewise, MFA exists in the computer world and can be tied to things such as your cell phone. According to Microsoft, accounts with MFA enabled have a 99.9% chance of blocking an attack EVEN when the attacker knows your password.
- Implement Conditional Access – Conditional access, in simple terms, is a tool that allows you to set up intelligence around your account. This tool works similarly to “If-Then” statements. For example, if a user wants to access their email, then the user must be inside the country. The idea is to set up rules that only allow your users to access their resources if the conditions you lay out (geographic location, security software, time of day) are met. Given that many attackers log in from outside of the United States, this can reduce the number of people capable of even attempting an attack.
- Implement Updated Security Software – This includes products like antivirus software, malware prevention software, DNS filtering, firewall inspection, etc. The list of options in this category is endless, and every product has its merits. Choose one, or several, that have a proven track record and work well in your environment.
- Security Awareness Training – This is probably the most critical thing you can do for your firm. Prioritize routine training for your users on how to securely use the technology available to them. You can even go a step further and have a security firm assist with “testing” your users to see who may need additional training.
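
The “If-Then” logic described under Conditional Access above, as an added example that is not from the original article or any vendor's product: a small Python evaluator for the three condition types the list names (geography, security software, time of day). The policy fields, the sign-in record layout and the sample values (including the placeholder country code `XX`) are assumptions constructed for illustration; a sign-in with no country recorded fails closed.

```python
from dataclasses import dataclass
from datetime import datetime, time

@dataclass(frozen=True)
class Policy:                        # hypothetical policy shape
    allowed_countries: frozenset     # country codes permitted to sign in
    require_compliant_device: bool   # device must report healthy security software
    window_start: time               # start of allowed sign-in hours (local time)
    window_end: time                 # end of allowed hours; may wrap past midnight

def in_window(t, start, end):
    """True if t is inside [start, end), including windows that wrap midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def evaluate(policy, signin):
    """Return (decision, reasons). Missing attributes fail closed."""
    reasons = []
    country = signin.get("country")
    if country not in policy.allowed_countries:
        reasons.append(f"country {country or 'unknown'} not allowed")
    if policy.require_compliant_device and not signin.get("device_compliant", False):
        reasons.append("device not compliant")
    ts = datetime.fromisoformat(signin["local_time"])
    if not in_window(ts.time(), policy.window_start, policy.window_end):
        reasons.append("outside allowed hours")
    return ("block" if reasons else "allow", reasons)

# Constructed policy and sign-in records (not real data).
POLICY = Policy(frozenset({"US"}), True, time(6, 0), time(22, 0))
SIGNINS = [
    {"user": "alice", "country": "US", "device_compliant": True, "local_time": "2024-07-01T09:15:00"},
    {"user": "alice", "country": "XX", "device_compliant": True, "local_time": "2024-07-01T09:20:00"},
    {"user": "bob", "country": "US", "device_compliant": False, "local_time": "2024-07-01T23:30:00"},
    {"user": "carol", "device_compliant": True, "local_time": "2024-07-01T12:00:00"},
]

def run():
    """Evaluate every constructed sign-in against POLICY."""
    return [(s["user"], *evaluate(POLICY, s)) for s in SIGNINS]

if __name__ == "__main__":
    for user, decision, reasons in run():
        print(user, decision, "; ".join(reasons))
```
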
No one wants to be breached, and no one wants to find out that it happened while they were trying to enjoy their vacation. Do yourself and your firm a favor and give us a call today! We are happy to set up a security plan that will keep you and your firm safe!
This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.