The Russian invasion of Ukraine is a human tragedy on a scale that many of us have never experienced; the news is filled with horrifying scenes of senseless violence. The events unfolding will also have ripple effects, economically and politically, across the globe. Although the traditional fighting is taking place in Europe, a new aspect of modern warfare — cyberattacks — could impact businesses of all sizes in the U.S. and elsewhere.
Recently, the White House warned businesses in the United States to prepare for imminent Russian-based cyberattacks. The Department of Homeland Security identified 16 different infrastructure-related industries that are likely targets of cyberattacks, including transportation, energy, public health and communications. Companies that do business in Ukraine are seeing more attacks, and those that take steps to limit their interaction with Russia may also be putting a target on their back.
Cybercrime isn’t a new phenomenon, but it has recently worsened. Since the invasion began in late February 2022, the number of such cyberattacks against U.S. defense contractors has increased 800 percent. Likewise, Russian-based efforts to harvest usernames and passwords have jumped dramatically, from about 50 a day to 400 a day since February 27.
Thwart Russian Hackers With These 4 Cybersecurity Tips
- Create a culture of security.
- Follow a basic set of best practices.
- Make it easy for your team.
- Measure your program’s effectiveness.
Why Cybersecurity Matters for Your Business
Your company may not fall into one of the high-risk industries identified by DHS, but that doesn’t mean you shouldn’t be more prepared for attacks. Small businesses are often particularly vulnerable to cyberattacks for two reasons. First, they often lack the time, space or resources to devote to IT management and security. Covid-19 exacerbated this challenge thanks to the shift to remote work, which dramatically expanded the attack surface outside of a company’s infrastructure. Second, cybercriminals looking for easy targets often attack small businesses, like the car thief who searches for the vehicle with its windows open and doors unlocked.
Hackers will exploit weak passwords and use phishing emails to gain control of a business’s computers and networks. Once they have gained access to a small supplier, they use connected networks and leverage established, trusted relationships to send their malicious payloads up the supply chain until they reach their intended targets.
These threats can be daunting; as a result, many businesses fail to address them, leaving themselves unnecessarily vulnerable. Although threats will always exist, businesses can do a handful of very basic things to significantly reduce their vulnerability.
1. Create a Culture of Security
Cybersecurity involves a lot of technology, but many of the risks are really human ones. In fact, more than 80 percent of cyberattacks stem from compromised passwords or credentials, mostly as a result of human behavior. Educating your organization and employees about security awareness is critical. Everyone should understand their role in protecting the company’s data and resources.
Employee education and a strong cybersecurity culture need to come from the top down and be rolled out throughout the entire organization. The most effective way to build a positive culture is to help people understand the role they play in your company’s security, move away from scolding and punishment for poor security practices, and make sure people have the tools necessary to be part of the final outcome: a business that can focus on its strategic goals rather than the security risks lurking around the corner.
A successful cybersecurity education, training, and awareness program should answer why security matters to your company. It should communicate to employees why they should care about security. Additionally, it should explain how cybercriminals target and attack businesses and what actions employees can take in the course of their day to enhance security. Find ways to motivate employees to follow policies and build strong security habits. For example:
- Don’t instill fear in employees with threats of termination for repeatedly falling for simulated phishing.
- Do implement a buddy system that appoints a peer to be a team or department’s cybersecurity expert.
- Don’t require employees to reuse or write down their passwords.
- Do provide appropriate resources and tools, such as password managers, so employees can use and manage strong passwords.
2. Follow a Set of Basic Best Practices
Once your team understands the importance of security, put best practices in place for how they can minimize security risks. These include basic password hygiene: using strong passwords, rotating them often, not reusing them, and not sharing them in ways in which they can be stolen. Using multifactor authentication adds another important layer of protection.
In addition, managing access rights within your organization and limiting access to critical systems to smaller teams helps reduce exposure. Tools that filter phishing attacks or prevent compromised devices from accessing your network add a further layer of security if passwords do get compromised, but the best defense is to minimize the likelihood of that compromise.
3. Make It Easy for Your Team
Those best practices seem obvious, but getting your company to adopt them can be challenging because you’ll be asking people to change their behavior. A password manager (like Dashlane) can make this transition easy on your teams by managing every aspect of access and authentication in one place. In conjunction with your password management tool, use a single sign-on (SSO) solution, an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems. This can make managing access both easier on your IT team and seamless for your employees.
4. Measure Your Program’s Effectiveness
As the saying goes, you can’t manage it if you can’t measure it. Start with a baseline and measure improvements in your company’s security. One way to do that is by using a password health feature that tracks your company-wide password security scores over time. A security test/audit can also be useful to help you track and improve on metrics such as how many employees are reusing the same password or how many are using weak passwords.
Harden Your Defenses
Cyberattacks are increasing, and events like the horrific Ukraine invasion only make it more likely that you could be next. The cyber threat can be intimidating for any business, but especially for smaller businesses that don’t have the resources or expertise to deal with security vulnerabilities.
Fortunately, every business can take some simple precautions that will significantly reduce its exposure. By focusing on a culture of security, making security-conscious behavior easy on employees, and measuring progress, companies can make security simple.