Has Your Company Secured These Overlooked Attack Vectors?

To keep company and client information safe, you need more than just the right tech. You also need your staff to understand and follow cybersecurity protocols at all times, especially since human elements — such as social attacks, errors and misuse — are behind 82 percent of successful data breaches, according to Verizon’s Data Breach Investigations Report.

But being cybersecure is easier said than done. Changes in tech and work practices constantly present new opportunities for cybercriminals. We’ll examine three attack vectors you need to know about to protect your business against cyberattacks.

3 security vectors you may not have considered

Security breaches often occur where we least expect them to, and many areas still fly under the radar. Be aware of these three lesser-known cybersecurity threats:

Office printers 

You might not consider your office printers a serious security threat, but they’re often weak points in company networks. Hackers don’t target printers to print documents; they use printers as a general point of access to your company’s IT system. The same goes for security cameras, entry systems (including employee attendance systems) and more.

That’s why it’s important to lock down your office printers and other connected devices. To do this, start by implementing firewalls and using strong passwords. When manufacturers push updates to cover new security risks, download them quickly. Stay current with industry best practices, and make sure your devices are included in your organization’s security policy and procedures.

For connected printers, in particular, consider deploying secure pull-printing technology, in which employees submit their print jobs to a single secure queue and use their access cards or login credentials to release (pull) their documents from any printer on the network. This simple workflow prevents unauthorized access to sensitive documents and provides the added benefit of reducing waste and resource costs.

You can also try these approaches to secure your printers:

• Allow printing jobs only through your network router.
• Turn off the printer when it’s not in use.
• Secure your printing ports and turn off lesser-used protocols, such as SNMP, FTP and Telnet. You should also disable the Server Message Block, IPP port 631, and ports 515, 721-731 and 9100.
• Choose a hard-to-guess password (and don’t rely on the default password).

Employee devices

The bring-your-own-device (BYOD) trend grew by 58 percent during the COVID-19 pandemic as companies small and large sought ways to allow employees to continue working using their personal smartphones or other devices, Zippia reported. (This development happened despite employees’ overwhelming preference to use separate devices for work and personal use.)

Almost 40 percent of the employees surveyed said their employers don’t employ BYOD cybersecurity protocols. This is a major problem, because when everyone is operating a unique device connected to the company network, the opportunities for hackers multiply. One hacked personal account can lead attackers into other accounts, which might store sensitive company information. Then there’s the added risk of off-site theft; if a smartphone is stolen, the thief could obtain your intellectual property or financial information and publish or sell it.

To help stop thieves and hackers from turning personal invasions into company crises, you can use one of many firewall-as-a-service offerings. These cloud services work from anywhere, freeing employees to use their smartphones while reducing risk and giving employers peace of mind. The technology prevents thieves from accessing protected data and gives companies greater control of their networks.

Consider these additional approaches:

• Create an acceptable-use policy covering BYOD devices.
• Insist that any remote (out-of-office) connection to your IT network be made via cell phone data or a VPN-protected Wi-Fi network.
• Require employees to register their devices before they can connect to your network.
• Make it a condition of connection for a BYOD device to have highly rated antivirus software installed and activated.
• Back up company data regularly on all devices in case of a breach or loss. [See our picks for the best cloud storage and online backup services.]
• Introduce a zero-trust policy for your company. Zero-trust protocols require users to identify themselves more often when they access apps or data.

Many cybersecurity experts now recommend the banning of BYOD policies. Instead, they advise allocating part of company IT budgets to purchasing authorized devices for staff members. This way, IT managers can ensure that these devices have the necessary protections to keep the wider network secure because they are the property of the company.

Social engineering

Hackers don’t always have to be elite programmers — not when employees inadvertently tell them what they need to know. Social hackers, for example, use social media profiles to gather information on their targets. Then, they can guess their victims’ passwords based on what they have posted online, such as their children’s names, the sports team they support, the name of their spouse or partner, their hometown and important dates in their lives. 

During highly organized spear phishing attacks, hackers pretend to be CEOs or chief financial officers. They then call and email junior account staff, exerting high levels of pressure to get them to pay bogus invoices (so-called business email compromise attacks or “CEO fraud”). While many business owners understandably worry about ransomware, losses from business email compromise attacks are 50 times greater in value, CSO reported.

To protect against social engineering attacks, encourage employees to use strong passwords. Educate them about the increasing use of fake social media accounts among identity thieves. Regular employee training will create a culture of informed vigilance and help protect your company from social engineering threats. Alternatively, you could use PowerShell scripts to securely manage passwords at your company.

Two-factor authentication is another best practice to follow. Secure passwords aren’t enough these days. Adding a second factor, such as biometrics (thumbprint or facial recognition) or code verification via text message, provides an important extra layer of security. Many people consider additional authentication methods a nuisance, which again points to the critical role of employee education. But two-factor authentication does work: Since Google introduced it for all Gmail and YouTube creator accounts, the number of successful hacks has halved, according to Google.

A vigilant workforce might be the single best defense against hackers. In addition to training, you might wish to take the following steps:

• Create policies covering the level of information that an employee can include in a social media profile.
• Encourage staff to report unusual requests to a line manager, which is a particularly effective strategy for dealing with business email compromise or CEO fraud attacks.
• Tell co-workers to double-check the legitimacy of all websites before logging in, especially if an email prompts them to do so.
• Check that the “From” address contained in an email matches the email address in the header.
• Warn employees not to answer sensitive questions if a supplier or financial institution calls out of the blue. Instead, they should call that supplier or financial institution back to verify that the inquiry or request is genuine.

The consequences of a security breach

A recent study published by cybersecurity provider BullGuard reported that, following a breach, about one-quarter of the small businesses surveyed had to spend at least $10,000 to put things right.   

Breaches can have these costly consequences:

• Expensive fixes: Some businesses may have to pay expensive outsourced IT teams to root out the problem and get systems up and running again. 
• Loss of customer trust: Future revenue is also at stake following a data breach. Seventy percent of consumers would stop buying from companies affected by a data breach, Thales Group reported. 
• Loss of employee trust: Just as worrying, 54 percent of employees would consider working for another firm following a data breach, a study by Encore found.
• Exposure to client lawsuits: Class action lawsuits against companies affected by data breaches have jumped 44 percent in the past year, JD Supra reported. Complaints can be heard by courts as little as four weeks after a breach.
• Risk of fines: Individual states, the Consumer Financial Protection Bureau and the Federal Trade Commission regularly target companies that have been breached.

The next big data breach is always lurking around the corner, but businesses don’t have to live in fear of losing critical data. By including these and other threats in a comprehensive security program and following the best practices described above, you’ll be on your way to securing your network and data.

Kevin Pickhardt contributed to this article.