Cybersecurity attacks are on the rise in New Hampshire, with twice as many cyberattacks on local governments recorded last year versus the previous year, and identity-based attacks were deemed the fastest-growing cyber threat against New Hampshire’s businesses.
Phishing scams, in particular, are becoming all too common, especially for K-12 schools statewide. In August, cybercriminals stole approximately $2.1 million from the Keene School District through a series of fraudulent electronic bank transfers. The district discovered the breach using an anti-fraud monitoring system that flagged the unauthorized transactions.
Unfortunately, this was far from the only cyberattack against New Hampshire schools. Last fall, a hacker posed as a financial vendor to scam the Community College System of New Hampshire out of $130,000. Around the same time, the Nashua School District was hit by a sophisticated cyberattack, where an undisclosed amount of data was compromised.
A week later, a school district in the Upper Valley region was the victim of a cyberattack. When hackers targeted the Concord school system, they stole W-2 and tax forms for all the district’s employees, gaining access to their names, addresses and Social Security numbers and putting every staff member at risk of identity theft.
Schools, municipalities and other local companies may think they’re “too small” to be the target of a cyberattack, but today’s hackers aren’t just focusing on large organizations. Smaller businesses are often ideal targets for cybercriminals, because they may lack robust cybersecurity measures and their network vulnerabilities make them easy to infiltrate.
The good news is there are actionable steps that every business can (and should!) take to elevate their cybersecurity and reduce their vulnerabilities and risks.
Train employees. The single most effective way to safeguard your business from cyberattacks is through employee training. Since 85% of breaches involve a human element, prioritize education and awareness-building. Employees often unknowingly allow cybercriminals to infiltrate the company’s network by clicking on malicious links, using weak passwords, falling for phishing scams or sharing sensitive information that can compromise your network. Proper training can help prevent this.
Understand common threats. Employees should understand the most common types of cyberthreats, including phishing, ransomware, malware and social engineering. Provide training that includes real-life scenarios and case studies to illustrate how these attacks happen and how damaging they can be.
Create incident response protocols. Cyberattacks can happen to any business at any time, so have a response plan in place. Explain exactly what employees should do if they suspect a data breach, including how to mitigate the impact. The plan should include procedures for notifying colleagues, customers, authorities and other key stakeholders.
It should also designate an internal media spokesperson to handle press inquiries about the incident. Regularly conduct cyber resilience reviews and vulnerability scans to test operational resilience, identify potential vulnerabilities and assess your organization’s cybersecurity protocols.
Look for configuration vulnerabilities. Many companies’ IT pains and vulnerabilities stem from poor design, so you may need to refresh your hardware, move on-site equipment to the cloud and identify and fix other weaknesses. Additionally, keep your operating system, essential software (including antivirus software), web browsers and other applications updated. Software vendors regularly release patches and updates to improve security. Concerningly, half of internal IT experts aren’t performing regular testing and maintenance, which could leave their organizations vulnerable.
Control physical access and data access. Prevent unauthorized individuals from accessing your company’s computers. Recognize that laptops and mobile devices are easy targets for theft, so lock them up when they’re unattended. And since these devices can be lost or misplaced, ensure that employees use strong passwords and multifactor authentication on their computers, iPads and smartphones. Implement reporting protocols for lost or stolen equipment. Regularly audit data, including files your company hosts in the cloud, and ensure that employees have access only to the information they need. It’s also important to perform frequent access audits to confirm that former employees have been removed from your IT systems and have returned all company-issued devices when leaving the organization.
Know that cybersecurity is an ongoing process, not a one-time fix. Cyberthreats are emerging rapidly, exposing new vulnerabilities and attack vectors, so continuously update security protocols, monitor unusual activities and adapt to new threats. It’s not enough to simply install antivirus software or a firewall — proper cybersecurity requires constant vigilance and proactive measures.
Geoffrey Ness is president and CEO of Nessit, a managed IT services provider in Somersworth, NH, and Nashville, Tenn.