Cyber Security on a budget


Over 88% of businesses in the United States are considered small businesses and have fewer than 20 employees. These businesses often do not have a robust IT department or the technical expertise to put complex cyber security controls in place. However, every organization is at risk from cyber criminals and malicious cyber attacks, and every organization can take small actions that have a major impact in reducing the risk from common vulnerabilities. It doesn't take a huge budget.


Basic steps to take to minimize your risk:


Phishing awareness training: 91% of all cyber attacks begin with a phishing campaign. Teaching staff to recognize a phishing (or spear phishing) email will significantly reduce the likelihood of a successful attack. On a recent red team engagement a spear phishing email was sent to fewer than 100 employees at a large firm. More than 200 clicked on the link and provided an opportunity for infiltration. Sent to 100 and 200 accessed the link? How? Well, the outdoor sale flyer was not recognized as phishing and was forwarded to more people in the organization, who said "Wow. That's a great price on a kayak" and clicked. One forwarded message multiplies the exposure well beyond the original target list. Recognizing phishing emails has gotten harder over time, but there are a few things that every employee should look for:

  • Legitimate sender – Look at the actual address behind the display name, not just the name shown. I received an email that looked like it was from my bank, but the sender was a gmail account. It was probably not legitimate. (A sender address can also be forged outright, so treat a plausible-looking address as one signal, not proof.)

  • A sense of urgency for something that is not urgent ("I need the attached invoice signed and returned by noon today").

  • Unusual request – If your boss appears to want you to go pick up 10 Wal-Mart gift cards and send the card numbers immediately, call the boss on a number you already have (not one given in the email) and ask questions.

  • Poor grammar – If the email has poor word choices or misspellings, question it.

  • Unexpected emails – If you receive an unexpected email that is out of character for the person it appears to be from, make a call and ask the question “Did you really send this?”


Endpoint protection: Make sure every endpoint (PC, Mac, Chromebook, etc.) has some type of anti-malware/antivirus protection installed and that it is kept up to date. There are some good ones available, and there are some bad ones. A little research can help you make a good selection.


Update software: Check systems often and update to the most current versions. When your PC, Mac, Chromebook, etc. tells you there is an update available, do not delay in applying it. Updates very often include security patches, and applying them quickly closes a known vulnerability before it can be used against your business. Where a device offers automatic updates, turn them on.


Suspicious activity: If you start seeing random pop-ups while using your PC, be suspicious. A number of years ago, a friend told me his home computer would sometimes "have a mind of its own and the mouse would start moving by itself." We sanitized his PC to remove the malware that had infected his machine.


Password protection: Teach the staff to use passwords that are complex enough to be protective, but simple enough to remember. I recommend using 4 unrelated words such as FishLiftAfterPaper. Four words are easier to remember than a string of random letters. If you want extra protection, place a special character like !, @, #, $ or & between the words. DO NOT use any common passwords or keyboard progressions such as password123, abc123, qwerty789 or 1qazxsw23edc (if you don't see the pattern in that last one, just type it and you will). And do not reuse the same password across accounts: a password leaked from one site will be tried against every other site the attacker can think of.
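An added Python example, not part of the original post, that turns the advice above into code: it generates a four-word passphrase with the standard library's secrets module, and it screens a candidate password for the patterns the paragraph warns against (common passwords, keyboard walks such as 1qazxsw23edc, and sequential runs such as abc or 123). The embedded wordlist, the 12-character minimum, the short common-password list and the 75% keyboard-adjacency threshold are assumptions chosen for illustration; a real deployment would use a large published wordlist and a large breached-password list.

```python
import secrets
from typing import List

# Tiny wordlist embedded so the example runs offline (assumption for the example).
# In practice use a large published list of several thousand words.
WORDLIST = [
    "fish", "lift", "after", "paper", "river", "candle", "orbit", "velvet",
    "maple", "thunder", "pocket", "silver", "window", "garden", "marble", "copper",
]

# Short stand-in for a breached/common-password list (assumption for the example).
COMMON_PASSWORDS = {
    "password", "password123", "123456", "12345678", "qwerty",
    "abc123", "letmein", "welcome", "admin", "iloveyou",
}

# QWERTY keyboard as rows plus the slanted "columns" people walk down (1qaz, 2wsx, ...).
QWERTY_LINES = [
    "1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
    "1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm", "8ik", "9ol", "0p",
]
ADJACENT = set()
for _line in QWERTY_LINES:
    for _a, _b in zip(_line, _line[1:]):
        ADJACENT.add((_a, _b))
        ADJACENT.add((_b, _a))

MIN_LENGTH = 12          # assumption for the example
WALK_THRESHOLD = 0.75    # fraction of adjacent key pairs that counts as a keyboard walk


def generate_passphrase(n_words: int = 4, separator: str = "", wordlist=WORDLIST) -> str:
    """Pick n distinct words with a CSPRNG and join them, e.g. FishLiftAfterPaper."""
    words = secrets.SystemRandom().sample(wordlist, n_words)
    return separator.join(w.capitalize() for w in words)


def keyboard_walk_ratio(pw: str) -> float:
    """Fraction of consecutive character pairs that sit next to each other on the keyboard."""
    s = pw.lower()
    if len(s) < 2:
        return 0.0
    pairs = list(zip(s, s[1:]))
    return sum(1 for p in pairs if p in ADJACENT) / len(pairs)


def has_sequential_run(pw: str, length: int = 3) -> bool:
    """True if the password contains a run like 'abc' or '123' of the given length."""
    s = pw.lower()
    for i in range(len(s) - length + 1):
        chunk = s[i:i + length]
        ascending = all(ord(chunk[j + 1]) - ord(chunk[j]) == 1 for j in range(length - 1))
        if ascending and (chunk.isdigit() or chunk.isalpha()):
            return True
    return False


def check_password(pw: str) -> List[str]:
    """Return the list of problems found; an empty list means the screen passed."""
    problems = []
    lower = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Also catch the common word with digits/symbols bolted on the end (password123).
    if lower in COMMON_PASSWORDS or lower.rstrip("0123456789!@#$&") in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if len(pw) >= 6 and keyboard_walk_ratio(pw) >= WALK_THRESHOLD:
        problems.append("keyboard walk")
    if has_sequential_run(pw):
        problems.append("contains a sequential run like abc or 123")
    return problems


if __name__ == "__main__":
    for candidate in ("password123", "abc123", "qwerty789", "1qazxsw23edc",
                      "FishLiftAfterPaper", generate_passphrase(separator="!")):
        print(f"{candidate:24} {check_password(candidate) or 'ok'}")
```

The keyboard-walk detector is the part worth studying: 1qazxsw23edc looks random to the eye, but every one of its eleven character pairs is an adjacent key, which is exactly why cracking wordlists include it. The same adjacency table flags qwerty789 and any similar walk, not just the four examples above.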


Social media awareness: Do not fill out social media prompts like "10 things you did not know about me". I see these regularly. The questions seem innocent enough, but the answers (what high school you graduated from, what city you were born in, when you got married) are exactly the answers to common account-recovery challenge questions. Handing them out gives cyber criminals a better chance of impersonating you and of gaining access to your accounts, work or personal.


Of course there are many additional steps that can be taken, but implementing these few steps will give you and your business a level of protection that stops most opportunistic intruders. However, if your business has grown to the point of thinking about adding a Chief Information Officer (CIO) or a Chief Information Security Officer (CISO), make a plan now. If you believe you are nearing that point, consider a "CIO on demand" or "CISO on demand". Trulight offers a Virtual CIO or a Virtual CISO as a flexible way to grow into a full-time CIO/CISO. A vCIO or vCISO can be available from a few hours a month to a few hours a day to provide the technical expertise that helps you realize your potential as a business.


Using sensible precautions is the best defensive action you can take to make yourself and your organization less of a target for cyber criminals. Cyber defense does not have to be a detriment to your business if you do these small things to protect yourself, but a major breach definitely will be.