Security is becoming a bigger and bigger issue for small to mid-sized businesses in the Seattle area. While you may think your architecture firms is too small to be a target, there’s a good chance that you’ve got data that someone wants.
Chances are that you’ve heard stories about some of the big security breaches. And while the Sony or the DNC hacks might not keep you up at night, on a smaller scale, IT security threats are increasing at an alarming rate.
Dynamic Computing manages the IT systems for around 100 different companies in the Puget Sound region. Inside of our client base, we’ve seen a roughly 200% increase in security incidents year over year for the past two years. In plain English, the problem is growing exponentially and it’s impacting smaller companies every year.
Here are six of the most common IT security threats that most small to mid-sized architecture firms don’t do a good job of protecting against:
A phishing attack is when someone sends you a message (usually via e-mail) with the intent of either getting your credentials (username/password) or installing malicious software on your device. It’s becoming an ever more common occurrence. In fact, it’s now nearly as common as traditional viruses inside of our client base (comprising almost one-third of the security incidents we saw in 2018).
Ways you can protect yourself:
Spam Filtering & Management. Since most spam filters scan for malicious e-mails and senders, having a good quality spam filter that’s managed effectively can help to prevent phishing attacks. You might not already be aware, but chances are that your spam filter has a ton of options and settings that can be customized (we're constantly tweaking ours). By carefully (and regularly) reviewing the options and selecting the settings that fit your firm’s needs the best, you’ll do a better job of blocking unwanted messages.
E-mail Link & Attachment Scanning. This is usually an add-on or separate product from your spam filter, and it’s designed to run a separate scan on any link you click on and/or any attachments you receive via email (before you open them). It’s such an effective deterrent that we’ve opted to make it mandatory for our clients and include it in the Basic Level of our Advanced Security package.
Centrally Managed Endpoint Protection Software. It’s included in our IT Security 101 article and something that every business should have. It's got a higher level of protection than traditional anti-virus software because of the central management features. Rather than leaving it to end-users to self-report issues, your IT security team has a central portal and automated alerting that allow them to see threats in real-time and make sure they're dealt with quickly and comprehensively.
Web Content Filtering. This can be done on a firewall-level and/or endpoint-level and both ways have their plusses and minuses (which is why you should do both!). Web content filtering adds a separate layer of scanning to ensure that website you’re visiting is safe and secure before you accidentally download malicious content.
2. Compromised Credentials
Compromised credentials are when your username and password are collected by an outside party (who you’d prefer didn’t have them). The most common ways this happens are either through a phishing attack, or through using the same username/password combination on another website that has been hacked.
This is often combined with some sort of ransom request. One of the more common ones we see specifically calls out you and your password in an e-mail and suggests that they’ve hacked your accounts and will publish embarrassing information online unless you pay them $X in Bitcoin by Y date.
Ways you can protect yourself:
Multi-Factor Authentication. This involves using a second source to verify your identity - usually via a text message to your cell phone or an authenticator app installed on another device. This is important enough that we’ve added it as a required security measure for all of our clients and included it in our Basic Level of our Advanced Security offering.
Compromised Credential Alerts. There are specialized tools that enable companies like ours to scan your company's domain for any compromised credentials that are published on the dark web. There are also a number of companies that offer this service directly to small businesses for a pretty reasonably monthly fee. It's also included in the Enhanced Level of our Advanced Security package.
We’re referring to the physical variety - the good old fashioned smash and grab job (ever had your car broken into in Seattle? If so, you're not alone.... ) or a thief snagging it on your bus ride home when you’re not looking. It’s increasingly common, and we’re also regularly seeing theft from leasing offices in the multi-family buildings that we manage the IT for. Sadly, that theft often includes stealing the DVR system that was supposed to be used to record the theft.
If someone steals your computer, they can’t get into anything on it without your password, right? Not quite. Unless you’ve followed the steps below, that is.
Ways you can protect yourself
Drive Encryption & Monitoring. Nearly every mobile device in use is encrypted, but very few laptop or desktop PCs are. That’s because encryption isn’t enabled by default on the Windows or Mac OS. Yet it’s available as an option and it’s pretty easy to do. By encrypting your device, you’ll protect your data from unauthorized access in the case that your device is lost or stolen.
STOP Plates. This is something new we’ve been doing for the past year or so, and involves putting a specialized metal sticker on laptops that leaves a warning tattoo on the device if the sticker is removed. Since the #1 motive for theft is to sell the device for cash, this removes the ability to monetize the theft, therefore reducing the incentive to steal.
Centralized Monitoring. Having centralized monitoring software gives your IT vendor or personnel the ability to remotely control and run commands on a PC that’s online. A few years ago when a client of ours had their office broken into and laptops stolen, we were able to script a series of actions - we collected the thief’s name, e-mail address, Facebook account, picture (we hacked the webcam), and finally, remotely installed software to triangulate his location and supplied it all to the police. It was quite the win for the Dynamic Computing team!
This seems to be a near-daily occurrence these days, especially if you’re the CEO, Owner, or Principal of your firm. Spoofing is when someone sets up a fake e-mail address and sends e-mails out pretending to be you. Often times, these e-mails are sent to members of your team with the hope of getting you to wire money, buy gift cards, Bitcoin, or something similar.
While you might hope that your employees catch these fake e-mails before they become a problem, you shouldn’t rely on hope as your strategy. There are good ways to prevent spoofing and ensure that your controller doesn’t wire $100k to "your" account in the Bahamas.
Ways you can protect yourself
E-mail Link & Attachment Scanning. The tool we use to scan e-mail links and attachments also has anti-spoofing technology. It ensures that any e-mails that supposedly come from “the CEO” actually originate from within your organization and it’s web domain. It’s simple to turn on and manage, and it ensures that your employees don’t have to determine whether something you’re sending them is real or not.
Employee Education & Reporting. One of the key features of the Enhanced Level of our Advanced Security package is the combination of tools and training that all of your users participate in. It sends a series of fake e-mails to your users to track how often they click on them. It does a great job of identifying your weakest links and enables you to offer training to your team on how they can prevent IT security issues. There are a number of vendors that offer this directly to end customers, so it's worth investigating how you might be able to integrate this into your current employee training program.
5. Second Degree Hacking
Ever heard of a second degree connection (eg: on LinkedIn)? Similarly, there’s second degree hacking. It’s when you or your firm get hacked, even when you’re not the ultimate target. And it’s becoming more and more common. If you don’t believe us, then read this WSJ article that explains how the US power grid was hacked through subcontractors working on their systems.
If you’re an architect specializing in high-end residential or commercial buildings, there’s a good chance that you’ve got some fairly high-profile clients. It’s worth considering whether there’s information contained in your IT systems that might be relevant to hackers looking to gain access to something your clients have.
Ways you can protect yourself
Pretty much every one of the items in our IT Security 101 article help protect against hacking attempts. If you’re not familiar with the basics of IT security, reading this article is a great way to familiarize yourself with the basics.
Multi-Factor Authentication. This may be a repeat from above, but it’s really, really important. MFA involves using a second source to verify your identity - usually via a text message to your cell phone or an authenticator app installed on another device. This is important enough that we’ve added it as a required security measure for all of our clients.
E-mail Link & Attachment Scanning. Another repeat from above but similarly important. It’s usually an add-on or separate product from your spam filter, and it’s designed to run a separate scan on any link you click on and/or any attachments you receive before you open them. It’s such an effective deterrent that we’ve opted to make it mandatory for our clients.
6. Shadow IT
Shadow IT is a thing, and quite frankly, it’s a big problem. You should trust your IT vendor or staff to act in your best interest, yet all too often, things happen without them knowing about it, approving it, or taking actions to secure it.
Take Dropbox usage for example. Dropbox has multiple different offerings - two aimed at individuals (Basic/Plus), one aimed at individuals or small teams (Professional) and finally their fully featured Business plan aimed at companies with more complex IT needs. Only the Business plan allows for centralized administration, single sign-on, and auditing - important security features that every firm should be using.
Yet in a recent review of Dropbox usage for Architecture firms in the Seattle area, less than 2% of the Dropbox accounts that had been registered were Business accounts. That means that over 98% of the Dropbox usage by these firms wasn’t visible to their IT vendors or staff! As a result, if one of these accounts was compromised, it would require the end-user to notify their IT team in order to remediate the breach. It’s an example of Shadow IT as it’s finest.
Ways you can protect yourself
Employee Empowerment. At the end of the day, the solution to prevent Shadow IT involves giving your employees good tools and empowering them to use them. One of the most common things we see in small companies (of all types) is a focus on containing costs when it comes to IT spending. Yet for almost every business, their largest cost is their people. Those people would love better tools to be able to do their jobs more efficiently.
IT Standards. Behind every great IT organization is a set of great IT standards. You're unlikely to find this with smaller and/or less sophisticated IT solutions or small internal IT teams. If you're looking for a firm that does IT standards well, you should make sure you select a top-performing Managed IT Services Provider unless you're large enough to build a fully functioning IT team internally.
Employee Survey. One of the key components of our Foundational IT Assessment is an employee survey. One of the questions we ask the teams at our prospective client meeting is, "How much more could you get done if you had the best IT systems, software, and support available?" The average answer? About 25%. Think of the impact that would have on the bottom line!
Want to talk about IT security and how you can better protect your company?
Drop us a line at email@example.com to start a conversation about IT security and how we can help.
A little about us: Dynamic Computing provides managed IT services, IT support, IT consulting, & cyber security services to top performing small to mid-sized businesses in the greater Seattle area. We're focused on being the premier managed IT services firm in the Pacific Northwest, and we act as a complete IT solution for companies who don't have internal IT departments. Our clients typically range from 10 to 200 employees and we work primarily with professional services firms in the Puget Sound Region.
About the author: Kevin Gemeroy is the President & CEO of Dynamic Computing, a company he founded while in Business School at the University of Washington. He's was recognized as a 40 under 40 honoree by the Puget Sound Business Journal in 2018 and as Washington State's Mr. Future Business Leader by FBLA in 1998. He resides in Seattle, Washington.