What is Threat Modeling?

Threat modeling is a simple, cost-effective way to ensure cybersecurity does not become an afterthought in the SDLC or a set of strictly reactive countermeasures. This practice makes apps and systems secure by design, which leads to fewer vulnerabilities in production, less risk for the business, and lower IT remediation costs.

This article is an intro to threat modeling and the positive effects early flaw detection and removal have on security posture. Read on to learn how threat modeling works and see what your business stands to gain from adopting this proactive practice.

What is Threat Modelling?

Threat modeling is the practice of systematically identifying and addressing flaws within an IT asset before someone gets a chance to exploit the vulnerability. The procedure relies on various techniques (risk criticality, brainstorming sessions, hypothetical scenarios, flow charts, diagrams, etc.) and requires input from both business and technical stakeholders.

A "threat" is a broad term that stands for someone or something that tries to perform one (or more) of the following:

Compromise or alter critical business functions.
Steal data or compromise its integrity.
Destroy business systems.
Use a system as an attack platform (e.g., turning a device into a DDoS bot).

Every threat modeling process has the following objectives:

Get a clear picture of the asset in question (database, network, business process, infrastructure, etc.).
Determine security, business, and technical requirements.
Pinpoint all probable risks and threats.
Analyze the nature of each threat, its likelihood, and the danger it poses to the asset.
Specify threat actors, their motives, and TTP (tools, techniques, and procedures).
Determine threat criticality (which helps prioritize remediation).
Assess the company's current readiness to respond to each threat.
Suggest optimal fixes and improvements.

Analysts store these findings in a threat model, a "living" document that requires regular reviews and updates. Creating threat models and keeping them up to date requires a cross-team effort that involves inputs from:

Business stakeholders.
Project managers.
Security architects.
The operations/infrastructure team.
Software developers.

Ideally, threat modeling occurs during the design stage of a new app or feature. A team can build a model from three different perspectives:

Asset-centric (take stock of valuable assets and analyze their vulnerabilities).
Attacker-centric (take on the role of an attacker and see how a would-be hacker might try to compromise an asset).
Software-centric (focus on system design and look for flaws on an architectural level).

Large companies and enterprises are not the only ones that should invest in threat models. Criminals prefer going after targets they presume have fewer cybersecurity measures, which makes SMBs prime candidates for threat modeling adoption.

Threat Modelling Benefits for DevOps Security

Introducing threat modeling into a DevOps culture provides the following benefits:

The team "injects" security by design principles into the system architecture.
You cut down on the number of bugs and exploits that end up in production.
The team adopts a proactive approach to security that does not wait for something to go wrong before intervention.
Threat models raise security awareness on a company-wide level due to the multi-team approach to security planning.
You improve security posture at every stage of the DevOps pipeline.
The company gets an in-depth overview of every mission-critical and valuable IT asset, plus a deep understanding of network security and app architecture.
The team no longer makes security-related decisions based on a hunch or without supporting evidence.
Security experts become ready both for external and insider threats.
You improve the chance of discovering risks that fly under the radar of standard code reviews.
The company reduces remediation costs since every threat model includes in-depth incident response plans.
The testing costs go down as code leaves development with more quality.
The team lowers the number of typical omissions (failing to validate input, weak authentication, inadequate error handling, failing to encrypt data, etc.).
In-depth threat prioritization helps better allocate people and budget resources.
The business ensures more reliable compliance with industry-specific regulations.
The security team and its defenses stay up to date with the latest cybersecurity best practices and types of cyber attacks.

Threat modeling is a natural part of any security-first IT strategy, which makes the practice an essential aspect of both SecOps and DevSecOps teams.

Threat Modelling Process: How to Make a Threat Model

Here's a step-by-step look at how to create a threat model:

Set the scope: Decide what asset requires threat modeling (an app, service, intellectual property, etc.) and narrow the focus to a specific system.
Initial evaluation: Create an inventory of the asset's components. Map the architecture and create high-level data flow diagrams to analyze the asset's role in the company.
In-depth asset analysis: The team requires a deep understanding of every event or action that takes place in the system. How does the business use the asset? What makes it a worthwhile target for an attack? How does the system interact with users and other systems? What are its entry and exit points? Are there any external dependencies? Who has access to the asset?
Determine likely threats: This step requires the team to list as many potential threats to the asset as possible.
Analyze each danger: Analysts create step-by-step scenarios that outline exactly how each threat would unfold (e.g., ransomware attack, data exfiltration, SQL injection, etc.).
Create a threat ranking: The team determines the level of risk each threat poses. The most common method is to multiply the damage potential of a threat by the probability of the incident occurring.
Suggest mitigations: The team now decides the best course of action to deal with each threat. A mitigation plan either removes the threat entirely or reduces the risk to an acceptable level. Common fixes include firewall updates, the addition of multi-factor authentication, code changes, operating system updates, etc.
Document results: Document all findings and share them with a decision-maker. The threat modeling team should periodically inspect the model and see whether there's a need for an update. Good times for review are when an asset goes through a massive change or when a new strategy emerges on the cybercrime landscape.

One of the key metrics of every threat model is the work factor. Work factor evaluates how much work an attacker would need to compromise a system. The higher the work factor, the more likely the criminal will move on to an easier target.

Threat Modeling Methodologies

Let's look at the ten threat modeling frameworks companies use to boost cybersecurity. Every framework focuses on one aspect of threat modeling, so remember that a well-rounded analysis requires a combined use of multiple methodologies we discuss below.

STRIDE

Developed by Microsoft in the late 1990s, STRIDE helps analyze all potential threats within a system. The team must first decompose an app to identify system entities, events, and boundaries before evaluating each component's proneness to the following threats:

	Threat type	What it violates	Threat description
S	Spoofing	Authentication	When someone assumes a false identity
T	Tempering with data	Integrity	Unauthorized modification of data
R	Repudiation	Non-repudiation	An intruder's ability to deny malicious activity due to a lack of evidence
I	Information disclosure	Confidentiality	Providing access to data to someone who has no authorization
D	Denial of service	Availability	Exhausting resources needed to provide service to users
E	Elevation of privilege	Authorization	The execution of commands or functions beyond the jurisdiction of account privileges

STRIDE is among the most mature threat-modeling methods on the market. The framework evolved to include several new threat-specific tables (most notably STRIDE-per-Element and STRIDE-per-Interaction).

PASTA

PASTA (Process for Attack Simulation and Threat Analysis) is a risk-centric framework that aims to align security requirements with business objectives. This framework involves a seven-step analysis:

Define objectives.
Set the technical scope.
Perform app decomposition.
Analyze possible threats.
Identify vulnerabilities and flaws.
Create attack models.
Perform risk and impact analysis.

The PASTA framework also includes documentation for dynamic threat identification, enumeration, and a scoring process.

Attack Trees

Attack trees are among the oldest and most widely applied techniques for threat modeling. This framework works in the following manner:

Each root node represents an attacker's goal (e.g., cause data leakage or hijack an email address).
Each leaf node denotes the possible means of reaching the attacker's goal (these often include "AND" and "OR" conditions).
Analysts associate each node with a vulnerability score and potential impact.

Attack trees are a simple method ideal for high-level threat modeling and teams comfortable with brainstorming sessions.

CVSS

The Common Vulnerability Scoring System (CVSS) is a risk estimation framework that provides a standardized scoring system for vulnerabilities. An analyst assigns a severity score (ranging from 0 to 10) to each threat based on the three broad metric groups:

Base (includes exploitability metrics (vectors, attack complexity, required privileges, user interactions, etc.) and impact metrics (the effect on availability, data integrity, etc.)).
Temporal (exploit code maturity, remediation level, etc.).
Environmental (base metrics such as requirements for confidentiality or availability).

Once all flaws have a numerical score and a category, the team assigns a qualitative representation (low, medium, high, and critical) and begins prioritizing mitigation tasks.

The combined use of CVSS, STRIDE, and attack trees is known as the Quantitative Threat Modeling Method.

Security Cards

Security cards are the go-to option for teams trying to identify new attack vectors. This brainstorming technique requires the use of a specialized deck of 42 cards that represent threat-related activities, including:

Attacker motivations (13 cards).
Human impact (9 cards).
Hacker resources (11 cards).
Adversary's methods (9 cards).

Each card contains a topic, questions to jump-start thinking, and a few examples. Team members take out two or more cards and discuss whether the random combos might pose a realistic attack scenario.

Security cards are excellent for identifying out-of-the-box strategies that generally fly under the radar with regular threat modeling.

OCTAVE

OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) is a risk-based assessment with three broad phases:

Create asset-based threat profiles.
Identify and evaluate infrastructure vulnerabilities.
Develop an appropriate security plan for each discovered risk.

This framework focuses solely on assessing organizational risks, so the framework does not consider or address technological risks.

Persona non Grata

Persona non Grata (PnG) is the ultimate attacker-centric threat modeling. PnG enables a team to develop a detailed picture of a hypothetical attacker, including their:

Psychology.
Motivations.
Goals.
Capabilities.
Go-to tools and techniques.
Thinking processes during an attack.

PnG helps get into the mindset of a potential intruder, which is vital to the early stages of threat modeling. Also, when you combine PnG with Security Cards and SQUARE (Security Quality Requirements Engineering Method), you get the Hybrid Threat Modeling Method (hTMM).

TRIKE

TRIKE is a security audit that looks at threat modeling from a risk-management perspective. This framework relies on a defensive viewpoint rather than trying to understand the mindset of a potential attacker.

TRIKE starts with a matrix chart that summarizes the relationships between actors, actions, and assets. The columns represent assets, and the rows denote actors present in the system. The analyst divides each cell into four parts, one for each action of the CRUD (creating, reading, updating, and deleting). Analysts assign one of three values in each action cell:

Allowed action.
Disallowed action.
Allowed with rules.

The team uses the matrix to build a data flow diagram (DFD) to map each element to actors and assets. The goal is to assign each actor a score based on risk level (from 0 to 5) for each action or asset interaction.

VAST

VAST (Visual, Agile, and Simple Threat) is a type of threat modeling that focuses on development and infrastructure safety. The framework requires a team to analyze two model types:

App threat models (process-flow charts that analyze threats that come from interacting with users and other systems).
Operational threat models (data-flow diagrams that analyze an app from an infrastructure point of view).

VAST is a popular choice for DevOps and agile teams due to the framework's highly scalable nature.

DREAD

DREAD is a quantitative risk analysis that rates, compares, and prioritizes threats based on severity. Initially developed as an add-on for the STRIDE model, DREAD stands for six questions the analyst asks about each potential threat:

Damage potential: How great is the damage if an attacker exploits a vulnerability?
Reproducibility: How easy is it to reproduce the attack?
Exploitability: How hard is it to start an attack?
Affected users: How many users would feel the effects of an attack?
Discoverability: How easy is it to discover the threat?

The threat modeling team answers these questions and assigns a rating between one and three. The sum total represents the severity level of a threat.

Unsure whether threat modeling resulted in a safer system? Consider running a few pen tests—penetration testing is a form of ethical hacking in which you perform simulations of real-life attacks to check the system's readiness for breach attempts.

Threat Modeling Tools

While a team can perform basic threat modeling on a sheet of paper, larger companies with a high count of vulnerabilities should use software to simplify the process.

Tools reduce the complexity of threat modeling and let a team visualize, design, plan for, and predict different types of potential dangers. Some top tools also offer suggestions for remediation. Here are a few worthwhile options:

Microsoft Threat Modeling Tool (MTTM): This free-to-use software focuses on detecting threats and flaws during the design phase of software projects. The tool aligns with various Microsoft services and follows the STRIDE methodology.
Cairis: This open-source, web-based tool enables users to elicit, describe, and evaluate system risk. Cairis offers one of the most comprehensive features of all threat modeling tools (attacker personas, in-depth attack breakdowns, pattern analysis, mitigation recommendations, etc.)
OWASP: This open-source tool (which runs as a web or a desktop app) produces threat model diagrams that align with the development lifecycle. OWASP offers similar features to MTTM but with less focus on Microsoft-centered services.
ThreatModeler: This automation-driven tool enables users to make proactive security decisions and reduce risk across a broad attack surface. ThreatModeler supports several regulatory standards, including GDPR and PCI.
IriusRisk: This diagram-centric system asks analysts questions about the system and uses the info to create a list of potential threats and suggested mitigation strategies.

As with methodologies, you can use more than one threat modeling tool. You get the most robust and insightful analysis by relying on several platforms for gathering, visualizing, and organizing threat-related info.

Take a Proactive Stance Against Cybercrime

Being stuck in a reactive security cycle is a recipe for operational and financial disaster. Threat modeling presents an alternative based on a simple calculation: the price of being prepared far outweighs the cost of remediation (especially when caught off guard). Some basic threat modeling requires no upfront investments at all, so stop focusing on putting out fires and instead start planning how to lower risks.

16 Types of Cyber Attacks

In 2021, there were an average of 270 cyber attacks per company, which is a 31% increase from 2020. That figure is not going down in 2022 (if anything, it's more likely to go up), so preparing for cyber threats must be at the top of your to-do list. So, what are the different types of cyber attacks you should be ready to face?

This article examines the most common types of cyber attacks you are most likely to encounter in the current cybercrime landscape. We offer an overview of each threat type, explain how victims fall prey to these tactics, and provide tips for ensuring you are not an easy target for would-be hackers.

What Is a Cyber Attack?

A cyber attack is a malicious attempt by an unauthorized third party to breach an IT system. Attacks vary in sophistication and tactics, but every effort to "break into" a system has one of the following goals:

Steal valuable files (personal identifiable information, passwords, financial records, etc.) and ask for a ransom under the threat of data leakage.
Collect valuable data and sell it to the highest bidder (typically on the Dark Web).
Disable computers or disrupt the victim's network (often to form a launch point for other attacks or get a short competitive edge).
Expose business secrets (such as a patent or code).
Destroy systems and delete data as a form of "hacktivism."
Steal personal data and commit identity theft (typically with the idea of pulling off an unauthorized money transfer).

A successful cyber attack has a long line of negative effects, including:

Financial losses (a single successful attack costs companies an average of $200,000).
Data breaches.
Permanent data loss or corruption.
Loss of user trust.
Bad press.
Potential legal fines and lawsuits, both common if you lost customer data during an attack.

Companies are increasingly investing more in security as criminals get more creative and aggressive with their tactics. Recent reports reveal that 69% of US-based firms are expanding their cybersecurity budgets in 2022 (over 85% expect allocated budgets to increase by up to 50%). The current top areas of investment are:

Cyber insurance.
Digital forensics.
Incident response.
Security awareness training.

Learn the difference between an attack vector and surface, two overlapping security concepts you must firmly understand to make reliable preparations for malicious activity.

Types of Cyber Security Attacks

A criminal rarely decides to re-invent the wheel when trying to hack a way into a network. Instead, attackers draw upon tried-and-tested techniques they know are highly effective. Let's take a close look at the most common types of cyber attacks a third party might use to breach your company.

1. Malware-Based Attacks (Ransomware, Trojans, Viruses, etc.)

Malware is malicious software that disrupts or steals data from a computer, network, or server. The malware must install on a target device to become active, after which a malicious script moves past the security measures and performs one (or more) of the following actions:

Deny access to a critical system or data.
Steal files.
Damage data integrity.
Spy on user activity.
Disrupt or even render the system inoperable.
Hijack control of the target device (or multiple systems on the same network).

While some malware exploits system vulnerabilities (for example, an issue with UPnP), these programs typically breach a system through human error, such as when the victim:

Clicks on a dangerous link.
Opens an infected email attachment.
Plugs in a corrupted USB or portable hard drive.
Visits an infected website that runs a drive-by download (unintentional download of malicious code onto the visitor's device).

Malware is one of the most common types of cyber attacks and has multiple variations. Let's look at all the most prominent ones.

Spyware

Spyware is a type of malware that spies on the infected device and sends info to the hacker. Most attackers use this tactic to silently spy on user data and browsing habits.

If the target accesses valuable data on a spyware-infected device (e.g., logging into a bank account), the criminal gathers sensitive info without the victim knowing something's wrong.

Keyloggers

Keyloggers are similar to spyware, except that this type of malware spies on what you type into your keyboard. That info enables a criminal to gather valuable data and later use it for blackmail or identity theft.

Viruses

A computer virus is a malicious program capable of replicating itself by across programs on the target device. If you activate a virus-infected file, the malicious software self-replicates across the device, slowing down performance or destroying data.

Worms

A worm is a standalone malware that replicates itself across different computers. Worms move around via a network, relying on security failures to spread and steal data, set up backdoors, or corrupt files.

Unlike a virus that requires a host computer or operating system, a worm operates alone and does not attach to a host file.

Trojans

Trojans "hide" inside a seemingly legit piece of software (hence the Greek mythology-inspired name). If you install a trojan-infected program, the malware installs on your device and runs malicious code in the background.

Unlike a virus or a worm, a trojan does not replicate itself. The most common goal of a trojan is to establish a silent backdoor within the system that enables remote access.

Adware

Adware is malware that displays marketing content on a target device, such as banners or pop-ups when you visit a website. Some adware also monitors user behavior online, which enables the malicious program to "serve" better-targeted ads.

While adware may seem relatively innocent compared to other malware, many criminals use this tactic to display ads hiding files with malicious code.

Fileless Malware

Fileless malware does not rely on executable files to infect devices or directly impact user data. Instead, this type of malware goes after files native to the operating system (like Microsoft Office macros, PowerShell, WMI, and similar system tools).

Fileless malware is difficult to detect as there are no executables, which are the go-to scanning target for network security tools. Recent studies indicate that the fileless approach is up to 10 times more successful than traditional malware.

Ransomware

Ransomware is a type of malware that encrypts files on a target system. Once the program encrypts data, the hacker demands a ransom (usually requested in cryptos) in exchange for the decryption key.

If the victim declines to pay the ransom, the criminal destroys the decryption key, which means there's (usually) no way to restore data. However, many who opt to meet the demands never receive the promised key. Ransomware code also often corrupts data beyond repair during the infection process, which means the key you receive from the criminal is sometimes useless.

Ransomware is a threat to both individual users and organizations. More tech-savvy criminals prepare malicious packages that attack multiple computers or go after a central server essential to business operations.

Want to learn more about ransomware? Check out these articles:

Our ransomware protection enables you to use various cloud-based solutions to ensure you never end up in a situation where paying a ransom is the only way to get your data back.

2. Phishing Attacks

A phishing attack happens when someone tries to trick a target with a fraudulent email, text (called SMS phishing or "smishing"), or phone call (called voice phishing or "vishing"). These social engineering messages appear to be coming from someone official (like a colleague, bank, a third-party supplier, etc.), but the imposter is actually trying to extract sensitive info from the recipient.

Some criminals do not ask for info directly. A hacker might try to get the victim to click on a link or open an email-attached file that:

Downloads and installs malware on the device.
Leads to a phishing website (typically a fake login page) that steals data if you type in credentials.

Phishing is among the most popular types of cyber attacks. Simple to pull off and highly reliable, recent reports reveal that phishing tactics were a part of 36% of data breaches in 2021.

Many phishing attacks go after as many targets as possible, but some focus on a specific team or person. Let's take a closer look at these more targeted tactics.

Spear Phishing Attacks

Spear phishing goes after a specific individual. The attacker uses personal info about the target (gathered on social media, bought on the Dark Web, or collected via other phishing attacks) to make a more credible message tailored to that person.

Email is by far the most common attack vector for spear phishing. If criminals decide to use an email, they have two choices:

Hack someone's email and reach out to the target from a real account.
Use email spoofing to make a new address that is almost identical to the email they're trying to impersonate.

Hackers usually time spear-phishing emails to make a more compelling message. For example, a criminal may wait for the target to go away on a business trip or make a new hire, and create a strategy centered around those unique circumstances.

Angler Phishing Attacks

An Angler attack happens when a phishing imposter targets someone on social media and attempts to steal their credentials outside a corporate network. There are no strict firewall rules or custom IDSes to stop spam messages, which is why this relatively new phishing tactic has had much success in recent years. People also tend to be more off guard on social media than when viewing a message on an official email address.

Whaling Attacks

Whale phishing happens when an attacker goes after a high-profile employee, such as the CEO, COO, or CFO. The idea is to target someone who has the authorization to make major money transfers.

While harder to pull off than trying to trick a lower-ranking employee, whale phishing is the most profitable form of phishing. Profits often reach millions of dollars, so C-level executives must always be on guard for such tactics.

Phishing is a typical first step to CEO fraud. These scams are now a $26-billion-a-year industry, so check out our article on CEO fraud for an in-depth look at how to counter this threat.

3. Password Attacks

Passwords are the most common method of authenticating users when accessing a computer system, which makes them a go-to target for cyber attacks. Stealing someone's credentials enables a hacker to gain entry to data and systems without having to fight through cybersecurity measures.

Recent studies reveal that 20% of data breaches start with a compromised credential. Criminals rely on a variety of methods to get their hands on an individual's passphrase, including using:

Social engineering.
Hacking a password database or a company's password management platform.
Spying on an unencrypted network transmission.
Guessing the password (usually with a bot).
Paying one of the employees to share their password.

Let's explore the most common password-based types of cyber attacks.

Brute-Force Attack

A brute-force attack relies on a program that systematically goes through all the possible combinations of characters to guess a password. The easier the password is, the quicker the program does its job.

This simple method is time-consuming, which is why hackers always use a bot to crack the credentials. Here are the most popular programs attackers rely on to brute-force a passphrase:

Aircrack.
Cain.
Abel.
John the Ripper.
Hashcat.

Hackers often use basic info about the target to narrow the guessing process, "feeding" the bot with personal data (such as job titles, school names, birthdays, family and pet names, etc.). The program then tests combinations of that data to speed up the deciphering process.

Preventing a brute-force attack does not boil down to using unique passwords. A top-tier program can crack a seven-character password in under 30 seconds. Using lengthy, alphanumerical passwords is the most reliable way of preventing brute-force attacks.

Dictionary Attack

A dictionary attack is a strategy in which a hacker uses a list of common passphrases to gain access to the target's computer or network. Most hackers purchase previously cracked passwords in a bundle on the Dark Web, but some dictionary attacks rely solely on common words and phrases.

Password Spraying

Password spraying is a strategy in which a hacker attempts to use the same password across as many accounts as possible. For example, a bot might crawl across the Internet and try to log into every profile with a "password1" credential.

While not too reliable a tactic at first glance, spraying takes on a new light when you consider over 3.5 million U.S. citizens use "123456" as a password.

Our guide to strong passwords explains a multitude of simple ways to create passwords that are easy to remember and impossible to crack.

4. Man-in-the-Middle Attacks

A man-in-the-middle attack (MitM) occurs when a hacker intercepts in-transit data moving between two network points. An attacker hijacks the session between a client and host, which creates an opportunity to view or edit data. A more common name for the MitM is an eavesdropping attack.

The main problem with MitM attacks is that this breach is very challenging to detect. The victim thinks the info is traveling to a legitimate destination (which it does), but there are often no indications that data made a "pitstop" along the way.

There are two common points of entry for a MitM attack:

Unsecured public Wi-Fi that does not have sufficient network security.
Pre-installed malware that works in the background of the sender's or the recipient's system (or the network as a whole).

For example, let's say you're using the Wi-Fi at a local coffee shop and decide to check your bank account balance. You log in and send info to a bank's server, but a hacker intercepts data and captures your username and password. There's no VPN to protect info, so the hacker gathers everything needed to log into your account and drain all funds.

Want to learn more about the MitM threat? Our article on man-in-the-middle attacks goes through everything your security team needs to know about this strategy.

5. SQL Injection Attacks

An SQL injection enables a hacker to "trick" a website into revealing info stored within its SQL database (login data, passwords, account info, etc.).

Injections are a bit more technical than an average brute-force attack or a phishing strategy, but even a novice hacker knows how to pull these attacks off. The attacker types in predefined SQL commands into a data-entry box (such as a login field). Once injected, commands exploit a weakness in database design and can:

Read sensitive data.
Modify or permanently delete stored files.
Trigger executive functions (like causing a system shutdown or changing user permissions).

Our article on SQL injections explains precisely how these attacks work and presents the most effective ways to prevent injection attempts.

6. DoS and DDoS Attacks

Denial of Service (DOS) and Distributed Denial of Service (DDoS) are cyber attacks that aim to overwhelm a system, server, or network with fake requests. The attackers spam the target until they exhaust all resources or bandwidth, rendering the system unable to fulfill legitimate requests.

Here's the difference between DOS and DDoS:

A DOS occurs when a hacker uses false requests or traffic to overwhelm a system until it fails or goes down.
A DDoS is the same type of attack, except the hacker relies on multiple malware-infected devices to crash the system with more speed. IoT devices are a common choice for hackers building these "bot armies."

The most common types of DoS and DDoS attacks are:

Teardrop attack.
Smurf attack.
Botnets.
The TCP SYN flood attack.
Ping-of-death attack.

The goal of DOS and DDoS is not to steal data but to slow down operations. Sometimes, a hacker uses a DDoS attack to distract the security team and create a window of opportunity to perform other malicious activities.

Learn about the most effective methods of preventing DDoS attacks and see how the pros ensure hackers cannot overwhelm a system with illegitimate requests.

7. Advanced Persistent Threat (APT)

An APT is a cyber attack in which an intruder maintains a long-term presence within a system without the victim's knowledge. The goal of these attacks varies, but the most common objectives are to:

Steal large amounts of business data.
Establish a source of corporate espionage.
Sabotage infrastructure.
Cause a long-term service outage.
Perform a total website or app takeover.

An APT is more complex than other types of cyber attacks. Criminals often form a full-time team to maintain a months-long presence within the target system. These attacks rarely rely on automation as criminals develop custom programs and tactics for breaching a specific tech stack.

Our article on APT attacks offers an in-depth look at this potentially business-ending threat.

8. Zero-Day Exploits

A zero-day exploit is a security flaw within a piece of software that exists without the admin's knowledge. For example, a company might release a new version of an app with a yet unidentified weakness a hacker can exploit.

Once the team discovers the flaw, they have "zero days" to fix the issue as hackers are likely already working on exploits.

A zero-day exploit is an umbrella term that covers any malicious activity that relies on a still unpatched system weakness. Companies must be wary of zero-day vulnerabilities whenever they update apps or services, so invest in proactive flaw detection and agile threat management.

Learn more about zero-day exploits and see the most effective ways your company should plan for these kinds of vulnerabilities.

9. Watering Hole Attacks

A watering hole attack is a strategy in which a hacker infects a website or sets up a malicious copy of a page a specific user group is likely to visit. This strategy goes after a particular group of end users, so attackers always profile their targets to determine what websites they like to use.

Once the target interacts with the malware-infested website, the intruder gets an opportunity to perform malicious activities (steal login details, inject malware, gain access to the network infrastructure, set up remote controls, etc.).

10. Cryptojacking

Cryptojacking is a cyber attack that enables a hacker to secretly use a computer's processing power to mine for cryptocurrencies (most commonly Bitcoin or Ethereum). Most infections occur when the target:

Visits an infected website.
Opens a malicious link.
Clicks on a malware-infected ad.

Cryptojacking severely slows down the system, but it also causes other vulnerabilities. The malicious program often tempers with firewall settings, which creates more space for other threats.

Cases of cryptojacking nearly quadrupled from 2020 to 2021. Recent reports suggest that one in 500 Alexa sites hosts mining malware.

11. URL Manipulation

URL manipulation (or URL rewriting) happens when an attacker changes the parameters in a URL address to redirect the victim to a different website. This tactic typically happens via a malicious script and leads the victim to a phishing or a malware-infected page.

URL manipulation is not URL poisoning (also known as location poisoning). Poisoning an URL means tracking Web visiting behavior by adding an ID number to the URL line when a user goes to a particular site. Hackers then use the ID to track the visitor's browsing history.

12. DNS-Based Attacks

Domain Name System (DNS) protocol often has exploits that enable a hacker to attempt a cyber attack. Let us look at the two most common ones: DNS tunneling and spoofing.

DNS Tunneling

DNS tunneling uses the protocol to tunnel malware and data through a client-server model while bypassing the firewall and other security measures. Once a malicious program enters the system, it latches onto the server and gives the hacker remote access.

Inbound DNS traffic carries commands to the malware, while outbound traffic enables a hacker to steal data or respond to malware requests (change code, install new access points, etc.).

DNS Spoofing (or "Poisoning")

DNS spoofing enables an attacker to send traffic to a fake (or "spoofed") website and gather data from unwitting visitors. These websites are an identical replica of the legitimate site (typically a copy of a login page for a bank or a social media account) that send info directly to hackers once you type in the credentials.

Hackers also use DNS spoofing to sabotage a business by redirecting visitors to a poor-quality page, often with mature or obscene content. Some companies use this tactic as an underhanded method of taking cheap shots at a competitor's reputation.

Learn about the DNS security best practices and see the best proactive ways to keep your DNS-powered systems healthy.

13. Cross-Site Scripting (XSS)

A cross-site scripting (XSS) attack exploits vulnerable websites and enables a criminal to set up malicious executables on web pages and apps. A hacker injects a payload with malicious JavaScript into a website database which executes as a part of the HTML body when someone requests to open a page in their browser.

When the malicious script executes, the hacker bypasses access controls and hijacks the account. Tech-savvy hackers also use XSS to exploit and create additional security flaws, such as laying the groundwork for malware, taking screenshots, or collecting network data.

15. Rootkits

Rootkits are malicious programs that give an intruder unauthorized admin-level access to a computer or other software. A criminal often uses a rootkit to:

Remotely access the target computer.
Edit system files and data.
Install keyloggers and other malware.
Exfiltrate data without the victim knowing about the breach.

Rootkits are notoriously hard to detect as they "hide" deep within the operating system. Top-tier programs also impact anti-virus settings, making the detection process even more challenging. Most rootkit infections spread through email attachments and drive-by downloads on unsafe websites.

16. Session Hijacking

Session hijacking is an advanced form of a MITM attack in which an imposter takes over a session between a client and the server instead of only spying on the communication. The hacker steals the client's IP address, and the server continues the session because it has already formed a trusted connection with the device.

Once intruders hijack a session, they are free to do anything within the permissions of the victim's account. For example, if a criminal hijacks a session while an admin is accessing a company's database, the attacker can view, edit, or destroy files.

Most security teams focus on external threats when preparing for cyber attacks. In actuality, an insider could do just as much if not more damage than a third-party hacker—learn how to prepare for insider threats and see how smart companies deal with dangers from within the organization.

How to Prevent Cyber Attacks?

Let's look at the most effective ways to prevent the different types of cyber attacks discussed above:

Use strong, alphanumeric passwords that are unique for every account.
Change passwords every few weeks.
Do not include everyday phrases, personal info, or simple number sequences in credentials.
Disable password hints on your apps and websites.
Keep all apps, browsers, OSes, and devices up to date with the latest patches.
Rely on an anti-virus protection tool for threat detection.
Boost network security with strict access controls, firewalls, segmentation rules, traffic analysis, and instruction prevention systems (IPS).
Perform regular network security audits.
Never click on links or attachments in an email from an unknown sender.
Scrutinize emails for loopholes and grammatical errors, especially when confronted with an unsolicited message.
Use VPN when accessing the corporate network outside of the office.
Stay clear of public Wi-Fi networks.
Perform daily data backups.
Organize regular employee awareness training.
Use account lockout and two-factor authentication to prevent password attacks.
Ensure employees know how to keep their BYOD devices safe.
Never download or install anything unless you're interacting with a verified source.
Enforce zero-trust security policies.
Keep data safe with at-rest encryption, in-transit encryption, and confidential computing (protecting data during processing). Also, ensure your key management has no exploitable flaws.
Know how to recognize warning signs (network slowdown, website crashes, etc.).
Form a Cyber Incident Response Team (CIRT) that prepares response strategies, disaster recovery, and cyber kill chains.
Limit the info your company shares on its official website and social media.
Use an ad blocker when browsing the Internet.
Create a cloud security policy to ensure your use of cloud computing does not lead to weaknesses.
Organize penetration tests to see how systems and staff respond to realistic simulations of different types of cyber attacks.

Do you rely on in-house hosting? Then your security plan must also include hardware protection—refer to our article on server room design to learn how companies keep on-site infrastructure safe.

The Best Way to Counter Different Types of Cyber Attacks Is to Understand How They Work

Is the goal of this article to make you paranoid? No, but we are trying to make you aware of the different types of cyber attacks you will likely encounter at some point. Once you know how an average hacker thinks, creating an effective protection strategy becomes easier. Use this article to stay a crucial step ahead of would-be criminals looking to make a quick buck off your company.

What Is High Availability?

Availability is among the first things to consider when setting up a mission-critical IT environment, regardless of whether you install a system on-site or at a third-party data center. High availability lowers the chance of unplanned service downtime and all its negative effects (revenue loss, production delays, customer churn, etc.).

This article explains the value of maintaining high availability (HA) for mission-critical systems. Read on to learn what availability is, how to measure it, and what best practices your team should adopt to prevent costly service disruptions.

What Is High Availability?

High availability (HA) is a system's capability to provide services to end users without going down for a specified period of time. High availability minimizes or (ideally) eliminates service downtime regardless of what incident the company runs into (a power outage, hardware failure, unresponsive apps, lost connection with the cloud provider, etc.).

In IT, the term availability has two meanings:

The period of time a service is available.
The time the system requires to respond to a request made by a user.

High availability is vital for mission-critical systems that cause lengthy service disruption when they run into a failure. The most effective and common way to boost availability is to add redundancy to the system on every level, which includes:

Hardware redundancy.
Software and app redundancy.
Data redundancy.

If one component goes down (e.g., one of the on-site servers or a cloud-based app that connects the system with an edge server), the entire HA system must remain operational.

Avoiding service interruptions is vital for every organization. On average, a single minute of service downtime costs an enterprise $5,600 (the per-minute figure is in the $450 to $1000 range for SMBs), so it is not surprising companies of all sizes invest heavily into the availability of their IT infrastructure.

While there is overlap between the two terms, availability is not synonymous with uptime. A system may be up and running (uptime) but not available to end users (availability). Availability is also not disaster recovery (DR). Whereas HA aims to reduce or remove service downtime, the main goal of DR is to get a disrupted system back to a pre-failure state in case of an incident.

PhoenixNAP's high-availability solutions enable you to build HA systems and rely on cutting-edge tech that would cost a fortune on an in-house level (global deployments, advanced replication, complete hardware and software redundancy, etc.).

How High Availability Works?

A high availability system works by:

Having more hardware and software assets than needed so that you have backups capable of taking over if something happens to the primary component.
Performing regular checks to ensure each component (both primary and the one in reserve) works correctly.
Creating an automatic failover mechanism that switches operations to a backup component if the primary system goes down.

A HA system requires a well-thought-out design and thorough testing. Planning requires all mission-critical components (hardware, software, data, network infrastructure, etc.) to meet the desired availability standard and have:

No single point of failure (a component that would cause the whole system to go down if it fails).
Reliable, ideally automatic failover (switching from the primary component to the backup without losing data or affecting performance).
Dependable failure detection (so that the system reliably identifies an issue and starts the failover on time).

The more complex a system is, the more difficult it is to ensure high availability. More moving parts mean more points of failure, higher redundancy needs, and more challenging failure detection.

Achieving high availability does not only mean keeping the service available to end users. Even if an app continues to function partially, a customer may deem it unusable based on performance. A poorly performing but still online service is not a highly available system.

What Are High Availability Clusters?

A high availability cluster is a set of hosts that operate as a single system to provide continuous uptime. Companies use an HA cluster both for load balancing and failover mechanisms (each host has a backup that starts working if the primary one goes down to avoid downtime).

All hosts within the cluster must have access to the same shared storage. Connection to the same database enables virtual machines (VMs) on a given host to fail over to another host in the event of a failure.

A HA cluster can range from two to several dozens of nodes. There is no limit to this number, but going with too many nodes often causes issues with load balancing.

Importance of High Availability

High availability is vital in use cases where a mission-critical system cannot afford downtime. A HA system going down or below a certain operational level severely impacts a business or end user safety. Here are a few examples:

Autonomous, self-driving vehicles.
Monitoring devices in healthcare.
Pressure monitors in oil pipelines.
Electronic health records (EHRs).
Hosting equipment in a data center hosting cloud services.

Avoiding downtime is just one of several reasons why high availability is essential. Here are a few others:

Frequent service disruptions lead to unhappy end users and increase customer churn.
High availability is a vital indicator of Quality of Service (QoS). Investing in HA means ensuring your brand reputation does not take performance-related hits.
Minimizing system downtime also reduces the chance of losing critical business data sets.
Apps with HA tend to have better architectures, which naturally boosts performance and scalability.

Feel like achieving high availability is too big of a task for your in-house team? You might be a prime candidate for outsourced IT - learn all you need to know about offloading computing tasks in our article on managed IT services.

How to Measure High Availability?

The general way to measure availability is to calculate how much time a specific system stays fully operational during a particular period. You express this metric as a percentage and calculate it with the following formula:

Availability = (minutes in a month - minutes of downtime) * 100/minutes in a month

Other metrics used to measure availability are:

Mean time between failures (MTBF): The expected time between two system failures.
Mean downtime (MDT): The average time that a system stays nonoperational.
Recovery time objective (RTO): Also known as estimated time of repair, RTO is the maximum tolerable time a system can stay down after a failure.
Recovery Point Objective (RPO): The maximum amount of data your company can tolerate losing in an incident.

The most common way to measure HA is with the five-nines availability system in which every level guarantees somewhere between 90% and 99.999% uptime. The table below shows the maximum daily and yearly downtime of every grade:

Availability level	Maximum downtime per year	Average downtime per day
One Nine: 90%	36.5 days	2.4 hours
Two Nines: 99%	3.65 days	14 minutes
Three Nines: 99.9%	8.76 hours	86 seconds
Four Nines: 99.99%	52.6 minutes	8.6 seconds
Five Nines: 99.999%	5.25 minutes	0.86 seconds

The cost increases the higher you go on the "nines" scale. Achieving anything higher than 99% availability in-house requires expensive backups and a dedicated maintenance team. The high price is why most companies that aim for high availability prefer to host at a third-party data center and guarantee the lack of downtime in a Service Level Agreement (SLA).

Note that there is no 100% availability level. No system is entirely failsafe—even a five-nines setup requires a few seconds to a minute to perform failover and switch to a backup component.

How to Achieve High Availability? Eight Best Practices

Below is a list of the best practices your team should implement to ensure high availability of apps and systems. Ideally, you'll apply these tips at the start of your app design, but you'll also be able to use the best practices below on an existing system.

Eliminate Single Points of Failure

Remove single points of failure by achieving redundancy on every system level. A single point of failure is a component in your tech stack that causes service interruption if it goes down.

Every mission-critical part of the infrastructure must have a backup that steps in if something happens to the primary component. There are different levels of redundancy:

The N+1 model includes the amount of equipment (referred to as "N") needed to keep the system up, plus one independent backup for each mission-critical element. The components are usually active and passive (backups are on standby, waiting to take over when a failure happens) or active and active (the backup is working even when the primary component functions correctly).
The N+2 model is like N+1, but this strategy ensures the system would withstand the failure of two same components. N+2 is enough to keep most organizations up and running in the "high nines" levels of availability.
The 2N model contains double the amount of every component necessary to run the system. There's a fully operational mirror backup of the entire setup, like the one you'd prepare for a DR site.
The 2N+1 model provides the same level of availability and redundancy as 2N with the addition of an extra component for another layer of safety.

Another way to eliminate single points of failure is to rely on geographic redundancy. Distribute your workloads across multiple locations to ensure a local disaster does not take out both primary and backup systems. The easiest (and most cost-effective) way to geographically distribute apps across different countries or even continents is to rely on cloud computing.

Different data centers provide different levels of redundancy. Learn what each facility type offers in our article on data center tiers.

Data Backup and Recovery

A high availability system must have sound data protection and disaster recovery plans. Data backup strategy is an absolute must, and a company must have the ability to recover from storage failures like data loss or corruption quickly.

Using data replication is the best option if your business requires low RTOs and RPOs and cannot afford to lose data. Your backup setup(s) must have access to up-to-date data records to take over smoothly and correctly if something happens to the primary system.

Use PhoenixNAP's backup and restore solutions to create cloud-based backups of valuable data and ensure resistance against cyberattacks, natural disasters, and employee error.

Rely on Automatic Failover

Redundancy and backups alone do not guarantee high availability. You require a mechanism for detecting errors and acting when one of the components crashes or becomes unavailable.

An HA system must almost instantly redirect requests to a backup setup in case of failure. Failover of both the entire system or one of its parts should ideally occur without manual tasks from the admin.

Whenever a component goes down, failover must be seamless and occur in real-time, and the process looks like this:

The setup has two devices: Machine 1 and its clone Machine 2, usually called Hot Spare.
Machine 2 continually monitors the status of Machine 1 for any issues or errors.
The primary Machine 1 fails or shuts down after encountering a problem.
Machine 2 comes online, and every user request now automatically goes to Machine 2 instead of Machine 1. This process happens without any impact on end users.
When the admin resolves the root of the problem, Machines 1 and 2 go back to their initial roles.

Early failure detection is vital to improving failover times and ensuring high availability. One of the software solutions we recommend for HA is Carbonite Availability, software suitable both for physical and virtual data centers. For fast and flexible cloud-based infrastructure failover and failback, check out Cloud Replication for Veeam.

Set Up Around-the-Cloud Monitoring

Even the best failover mechanism is not worth much if it does not launch quickly enough. Your HA system requires a tool that provides:

Around-the-clock monitoring.
Real-time alerting capabilities.
Automated remediation that reacts to problems via agent procedures (scripts).
Remote control and endpoint protection management to troubleshoot issues.
Support for routine server maintenance and patching.

Our articles on the best server and cloud monitoring tools present a wide selection of solutions worth adding to your tool stack.

Proper Load Balancing

Load balancing is necessary for ensuring high availability when many users access a system at the same time. Load balancing distributes workloads between system resources (e.g., sending data requests to different servers and IT environments within a hybrid cloud architecture).

The load balancer (which is either a hardware device or a software solution) decides which resource is currently most capable of handling network traffic and workloads. Some of the most common load balancing algorithms are:

Round Robin: This load balancer directs requests to the first server in line. The balancer moves down the list to the last one and then starts from the beginning. This method is easy to implement and widely used, but it does not consider if servers have different hardware configurations.
Least Connection: In this case, the load balancer selects the server with the least number of active connections. When a request comes in, the load balancer looks for a server with the fewest current connections. This method helps avoid overloading web servers when end user sessions last for a long time.
Source IP Hash: This algorithm determines which server to select according to the source IP address of the request. The load balancer creates a unique hash key using the source and destination IP address.

While load balancing is essential, the process alone is not enough to guarantee high availability. If a balancer only routes the traffic to decrease the load on a single machine, that does not make the entire system highly available.

Like all other components in a HA infrastructure, the load balancer also requires redundancy to stop it from becoming a single point of failure.

Test HA Systems Frequently

Your team should design a system with HA in mind and test functionality before implementation. Once the system is live, the team must frequently test the failover system to ensure it is ready to take over in case of a failure.

All software-based components and apps also require regular testing, and you must track the system's performance using pre-defined metrics and KPIs. Log any variance from the norm and evaluate changes to determine the necessary changes.

Hight Availability Is a No-Brainer Business Investment

No matter what size and type of business you run, any amount of downtime can be costly. Each hour of service unavailability costs revenue, turns away customers, and risks business data. From that standpoint, the cost of downtime dramatically surpasses the costs of a well-designed IT system, making investments in high availability a no-brainer decision if you've got the right use case.

Data in Transit Encryption Explained

Encryption is the process of converting data into ciphertext to hide its meaning from unauthorized viewers (i.e., anyone who does not have a correct decryption key). This technique is among the most effective ways of protecting both static ("at rest") and moving data ("in transit"), which makes encryption a must-have for any data security strategy.

This article is an intro to encryption in transit, one of the fundamentals of cybersecurity that protects data at its most vulnerable—while moving between two network points. Learn why keeping in-motion data safe is a priority and see the best practices your team must keep in mind when creating encryption in transit strategies.

Our article on encryption at rest explains how careful companies ensure their static data does not fall into the wrong hands.

What Is Data in Transit?

Data in transit (also known as data in motion or flight) is a piece of data actively moving between two network locations. Being in transit is one of the three primary states of data (the two others are at rest and in use). Here are a few examples of a file in transit:

Sending an email over the Internet.
Two employees exchanging files over a corporate network.
Sending a message over an instant messenger (like WhatsApp or Viber) or a collaboration platform (like Slack or Microsoft Teams).
Uploading a file from local storage to a cloud computing environment (or vice versa).
Transferring data from a USB to a coworker's BYOD laptop.
IoT data traveling between the cloud and an edge server.
Data moving between a web app and a browser.
Data traveling between different cloud deployment models within a multi-cloud strategy.

There are two broad categories of data in transit:

Data flowing over public or untrusted networks (the Internet being the most common example).
Files flowing within the confines of a private network (such as a corporate local area network (LAN)).

Data in transit is more vulnerable than static data you keep in an offline database due to the exposure in-motion files suffer during the route to the new location. Traveling data faces some unique risks that do not apply to stored data sets, such as:

Man-in-the-middle and other eavesdropping attacks (also known as snooping or sniffing) that intercept data as it travels across the network.
The chance one of the employees sends data to the wrong recipient(s), which often leads to data leakage.
Someone accidentally transmitting data to a malware-infected device or website, which opens the door to advanced threats like ransomware or an APT attack.

Learn about data breaches, potentially business-ending threats that often start with an intercepted in-transit data packet.

Importance of Encryption in Transit

Encryption in transit turns in-motion data into ciphertext before transmission. If a third-party intercepts traffic (accidentally or with malicious intent), the unauthorized user cannot open, edit, or decipher the data to its original state. Once data reaches the intended destination, endpoint authentication occurs, and the recipient's device decrypts files with a decryption key.

Here are the reasons why encrypting in-motion info is a priority:

You ensure all data employees send and receive is safe from prying eyes.
You must protect data at every point of its lifecycle. No matter how strong the at-rest encryption is, a cryptography strategy is incomplete without in-transit protection.
Data in flight is a prime target for a cyberattack. Intercepting data packets is much easier than breaching a database tucked behind a corporate firewall.
It is much harder to detect in-transit interception than when a hacker passes an IDS and "breaks" into an on-site data storage. Not knowing about compromised data is a recipe for corporate espionage or CEO fraud attempts.
Using encryption in transit is often a requirement for compliance. Strict regulations like PCI and GDPR make this form of cybersecurity non-optional for businesses in specific industries (namely in finance and healthcare).

Encryption in transit is not vital only for big companies. Enterprises are an ideal target from a profit standpoint, but hackers often go after SMBs and family-owned businesses because they know these entities often lack adequate security policies and tools.

Our Data Security Cloud enables you to store data in a cloud-based platform and rely on security measures most companies cannot afford in-house (micro-segmentation, advanced threat scanning, MDR, end-to-end encryption, etc.).

Data in Transit Encryption Best Practices

Here are the best practices to keep in mind if you're looking to add encryption in transit to your cybersecurity strategy.

Use TLS Encryption for Emails

Email communications are a go-to attack vector for hackers looking to intercept outbound and inbound communications. Encryption in transit is a standard email precaution and is provided by all major providers (Google, Yahoo, Outlook, etc.).

Still, there's a catch—both the email sender and recipient must enable Transport Layer Security (TLS) for the encryption to take place. Enable TLS encryption on the email platform of your choice, plus only allow employees to exchange emails with recipients who turned TLS encryption on their end.

Using in-transit encryption is only a small part of protecting corporate emails. Learn what else your team must cover in our article on email security.

Rely on Smart Key Management

If you want to deploy an in-house encryption strategy (whether at rest or in transit), you must get your key management procedures spot-on. Establish a business-wide policy that dictates the entire lifecycle of an encryption key, including strict rules for its:

Creation.
Storage.
Use and rollover.
Backup.
Rotations.
Destruction.

The goal of key management is to centralize your cryptography efforts and enforce encryption key management best practices.

Our Encryption Management Platform (EMP) offers an all-in-one solution that lets you control all company keys and usage rules from a single pane of glass.

Combine Encryption in Transit and Confidential Computing

An excellent way to boost encryption in transit is to use confidential computing. This cloud computing security feature isolates data during processing (editing, viewing, analyzing, etc.) by placing it in a protected, separate CPU enclave.

Everything within the dedicated CPU enclave, including the data and the programs that process files, remain secret. Access to the CPU enclave is only available to the user with an authorized programming code.

Combining encryption in transit and confidential computing guarantees end-to-end data security during transmission.

Interested in improving the safety of data and workloads during processing? PhoenixNAP's confidential computing enables you to adopt this cutting-edge tech and ensure airtight protection of valuable files.

Be Proactive (Not Reactive) with Security

Use proactive security measures and robust network security to protect data in motion. Firewalls, anti-malware tools, strict access, and authentication controls help proactively secure networks that transmit data, so you'll boost the efficiency of encryption in transit.

Your team must also ensure proper visibility of all data in motion. Security tools that ingest and analyze network data help:

Detect anomalies in data access behavior.
Identify potential threats and breach attempts.
Determine the extent of the damage and limit further data loss in case of an interception.

You should also use a cloud access security broker to monitor data going to and from the cloud.

Our article on network infrastructure security offers an in-depth look at how top-tier companies keep networking devices and software safe.

Keep Employees Off Unsafe Wi-Fi and Use VPN

The growth of remote work increased the likelihood of employees using unsafe Wi-Fi connections to access and send data.

Ensure employees know that public Wi-Fi networks with secure WPA (Wi-Fi Protected Access) and WPA2 networks are not inherently secure. While some of these networks encrypt user data from outside observers, they do not protect the data from other users within the same network. A malicious party could connect to the same public Wi-Fi and view sensitive corporate data.

Instruct your employees to rely on secure Wi-Fi connections from mobile phone hotspots and avoid insecure networks altogether. Even if all data transmissions have encryption, there's no reason to use unsafe Wi-Fi. Team members should use a VPN whenever accessing data from an off-site network. When you connect to the Internet via a VPN, it is almost impossible for someone to track your location or IP address by simply following it through the Internet.

Share Data Only with Websites That Have SSL Encryption

Ensure your employees visit and give data only to SSL-protected sites. SSL certification (identifiable via padlock symbol at the top of the address bar on an internet website) means that the website encrypts any info it exchanges with the visitor.

An SSL-protected website also has a URL that begins with HTTPS instead of just HTTP. HTTPS is a standard encryption approach for browser-to-web host and host-to-host communications. The lack of HTTPS is a massive red flag, and avoiding contact with such websites is a cybersecurity best practice.

Employees must never give sensitive data (passwords, login credentials, payment info, PII, etc.) to a website without SSL. If a site does not have SSL protection, a hacker can intercept data going to a server and view, edit, or even destroy files.

TLS (Transport Layer Security) and SSL (Secure Sockets Layer) are vital processes for encryption in transit. Learn the difference between the two technologies in our TLS vs SSL article.

Encryption in Transit: A Non-Optional, Cybersecurity 101 Practice

Encryption in transit is the only way to ensure the integrity and security of file transmissions. Failing to protect in-motion data leads to permanent file loss, hefty legal fines, data breaches, and loss of user trust. Since all these scenarios have the potential to end a business, investing resources and time into setting up encryption in transit is a no-brainer for any security-aware company.

CEO Fraud Attacks: All You Need to Know

Using a fake email to trick employees into fraudulent money transfers is a relatively simple way to rob a company with unsuspecting staff members. This tactic is also highly efficient—the FBI attributes more than $26 billion worth of losses to CEO fraud, which makes these attacks the highest-grossing type of cybercrime.

This article is a complete guide to CEO fraud that goes into all you need to know about this cyber threat. We explain how these attacks happen, go into different scam strategies, offer prevention tips (both for employees and C-level executives), and show what to do if you become a victim of CEO fraud.

What Is CEO Fraud?

CEO fraud is a type of scam in which a criminal uses email to impersonate an executive and fool a lower-ranking employee into performing an unauthorized wire transfer. The scammer pretends to be someone with the power to ask workers to make payments, such as the CEO, COO, CFO, or Head of HR.

A CEO fraud email does not always ask for a direct money transfer. A criminal can also order an employee to:

Change an existing invoice's payment address.
Share the business' bank or payroll info.
Make gift card purchases.
Disclose sensitive data that enables a criminal to blackmail or dig deeper into the company (such as client PII, tax statements, or company secrets).

CEO fraud caused $2.4 billion in losses to US businesses in 2021, equating to a third of the year's total cybercrime costs. Here's why these attacks are so effective:

The pandemic and the restrictions on in-person meetings caused an increase in email use, creating a fertile ground for CEO fraud.
The perceived difference in the hierarchy clouds the judgment of a lower-ranking employee. No one wants to upset or disappoint their boss, so people often do not second-guess requests coming from superiors.
If a scammer tricks a human, the criminal bypasses all cybersecurity best practices, tools, and policies the company has in place.
Compared to other types of cyberattacks, CEO fraud is relatively easy to pull off and (usually) does not require much IT skill.

While the $26 billion figure is frightening, the actual all-time cost of CEO fraud is likely higher. Many attacks go unreported as organizations often decide not to report scams that cost them small amounts of money.

Do not confuse CEO fraud with whaling, a phishing attack in which a scammer targets—rather than impersonates—a company executive.

How Does CEO Fraud Happen?

Every CEO fraud starts with extensive research. The attacker gathers identity details for (at least) two individuals:

The executive they plan to impersonate.
The person they plan to target.

The attacker researches employees by:

Scrapping info from the company's official website, social media accounts, YouTube channel, etc.
Gathering the info via social engineering tactics (e.g., pretending to be a salesperson over the phone and asking to speak to whoever's in charge of budgeting).
Visiting the office in person (e.g., acting as a courier or attending a job interview).

The research phase sometimes lasts for weeks or even months while the scammer devises a plan. Once criminals spot a perfect opportunity, they approach the target via an email with a "fitting" request. Some common tactics are:

Instructing the financial department to transfer money for a late invoice or fake merger.
Asking HR to purchase gift cards and write them off as bonus expenses.
Getting whoever's in charge of wages to pay an invoice to a fake account, typically for an employee who allegedly did not receive the previous paycheck.
Contacting an accountant as a supplier and claiming that they changed their bank account.

Criminals use various tactics to fool employees, pretending to be executives, vendors, lawyers, etc. Most scams use urgency to pressure the recipient, like in this example:

Scammers did their homework in this imaginary example:

The executive probably is currently in Florida.
The "TCCO" might be a genuine supplier whose invoice is really due tomorrow.
Fraudsters are using the sender's unique writing style, picked up by scraping social media or analyzing previous emails on a hacked account.

Attackers rely on various techniques to gather the necessary info and pull off CEO fraud. Let's look at the most common ones.

Domain Spoofing

Spoofing an email means creating an email name almost identical to the address of the person you are trying to impersonate. Typically, the criminal alters the domain name slightly to mimic the corporate email (such as using "johndoe@betsbuy.com" instead of "johndoe@bestbuy.com").

The goal is to create a lookalike domain that causes visual confusion. If the recipient is not careful, these little changes easily go unnoticed.

Spoofed emails help an attacker perform research before launching a CEO fraud, but this technique also often enables a criminal to pull off the attack. If the scammer cannot hack or gain access to a legitimate email (which is a considerably more challenging approach), they will use a spoofed email to contact their target.

Planning for spoofed domains is only a small part of keeping business emails safe. Learn what else you must account for in our article on email security best practices.

Phishing

Scammers send phishing emails to employees to "fish out" sensitive info by posing as legit sources, such as:

Banks.
Credit card providers.
Delivery firms.
Colleagues.
Law enforcement agencies.
The IRS.

Phishing helps a scammer to gather helpful intel for the upcoming CEO fraud. Alternatively, the phishing email can contain malware that infects the system and enables the criminal to hack the email account. The scammer then uses the address to either launch an attack or dig deeper into the organization.

If the phishing campaign succeeds, an intruder gains access to company accounts, calendars, hierarchy, and other data that gives the details needed to carry out the scheme.

Learn about different types of phishing attacks and see what your team should do to keep the business safe.

Spear Phishing

Whereas regular phishing campaigns target multiple users, spear phishing goes after one specific employee. The criminal uses this calculated attack to mislead the employee with a personalized storyline and either:

Asks the target to reveal confidential info.
Prompts the victim to click on a malware-infected link or attachment, after which the criminal hacks the account.

If a criminal manages to hijack an executive's account, there is no longer a need to use a spoofed email. The intruder then tricks employees by using the actual address, giving an apparent legitimacy to any request.

Email Account Compromise

Phishing is not the only method of hacking someone's email account. A scammer looking to pull off a CEO fraud can also get email credentials from:

Brute-forcing the password with a specialized tool.
Luring users to fake login pages through their private social media accounts.
Guessing easy-to-crack passwords.
Purchasing previously cracked credentials on the dark web.
Stealing BYOD devices from employees while they are not at work.
Hiring more tech-savvy criminals that offer Business Email Compromise (BEC) services.

Once scammers get their hands on an email account, they start sending credible scam messages to employees. They also get access to all previous emails, enabling hackers to analyze how the manager communicates and imitate their tone of voice or incorporate commonly used catchphrases.

Our guide to strong passwords explains how to create credentials that are easy to remember and impossible to brute-force.

Who Is at Greatest Risk of Being the Target of CEO Fraud?

Cybersecurity studies suggest that almost 77% of CEO frauds involve employees outside financial or executive roles, so "building a wall" around staff members who authorize money transfers is not a sufficient defense.

Organizations of all sizes will experience CEO fraud attempts at some point. Many times have CEO fraud attackers tried to fraud phoenixNAP employees by impersonating Ron Cadwell, the CEO and founder of phoenixNAP. That's why employee education should be the top priority of any organization.

Every employee is a potential victim of CEO fraud, either as the final target or a means to an end during attack setup. Here are employee groups considered valuable targets given their roles and access to funds or info:

Finance department: Staff members who handle finances are prime candidates for CEO fraud. Criminals often target companies with sloppy policies that only demand an email from a senior position to initiate the transfer.
Human resources: HR has access to every person in the organization and manages the employee database, so this department holds all the info necessary for successful CEO fraud. Criminals often include spyware inside a CV, send the infected doc, and hope that the recipient accidentally grants access to company data.
C-level executives: Every executive team member is a high-value piece of a CEO fraud plan. These people hold financial authority within a company, making their accounts the go-to targets for anyone looking to trick employees into money transfers.
IT department: The IT personnel with authority over access controls and password management are also common targets. If criminals steal the credentials of an IT manager, they gain entry to every part of the organization.

Did you know that an average corporation experiences over 700 social engineering attacks every year? Learn how to protect your organization in our social engineering prevention article.

Examples of CEO Fraud

Let's take a look at a few of the biggest CEO frauds to help you get a sense of how these scams happen:

Toyota: On August 14, 2019, a scammer convinced an employee at the accounting department of Toyota's European subsidiary to transfer $37 million to a fake account. The criminal pretended to be a high-ranking executive and allegedly claimed that the company was not able to continue production without the funds.
Pathé: France's independent film group lost $22 million in an internet scam in March 2018. Criminals sent several emails from the personal address of the company's CEO and asked targets to transfer funds to four different accounts. Allegedly, the scammer told victims that the funds were necessary for an acquisition of an unnamed Dubai-based company.
FACC AG: In January 2016, Austria's biggest aerospace company announced that fraudsters stole $50 million from the company. The crook targeted the financial and accounting department with a compromised CEO account.
Crelan: In May 2016, Crelan Bank became a victim of scammers who used CEO fraud to trick employees into unlawful money transfers. The company did not reveal the exact strategy used to fool the target, but the bank reported over $70 million in losses.
Puerto Rican government: Corporations are not the only victims of CEO fraud. On January 17, 2020, Puerto Rico's Industrial Development Company lost over $2.6 million in a phishing scam. A crook posed as a beneficiary and asked the target to change a bank account tied to remittance payments.

Once cybercriminals make their way into your system, CEO fraud is not the only thing to worry about. A data breach is another likely scenario, which is just as dangerous to your bottom line.

CEO Fraud Prevention

Below are the most effective methods for countering the threat of CEO fraud.

Tips for companies

Educate the staff about fraud tactics via regular training sessions.
Require authorization for all transactions (plus double verification for any transfer over $5000).
Create strict guidelines for changing payment details.
Prepare a disaster recovery plan to ensure you react quickly in case of successful CEO fraud.
Limit the info you share on official websites, job descriptions, and social media profiles.
Run periodic penetration testing to see how the team reacts to realistic scam simulations.
Ensure employees use two-factor authentication on email accounts.
Enforce strict, zero-trust security policies and review them regularly.
Ensure everyone uses strong, unique passwords and that they update credentials every few weeks.
Set up anti-malware tools, firewalls, intrusion detection systems (IDS), and email filters.
Use protocols to control email activity (domain keys identified mail (DKIM) and sender policy framework (SPF)).
Impose extra safeguards on high-risk users (C-level executives, HR, Accounting, and IT staff).
Register as many domains as possible that are similar to your company's domain.

Tips for individual employees

Verify every payment and purchase request in person.
Check out the sender of every email by seeing their full address.
Scan every email attachment with an anti-malware tool before you open anything.
Contact the security team whenever something looks off or suspicious.
Do not share info on social media that help scammers figure out passwords (e.g., pet names, birthdays, high school names, etc.).
Know how to recognize phishing red flags in an email.
Hover over every link to examine the URL before clicking.
Never download anything from an email sent by an unknown party.

CEO fraud relies on human mistakes to succeed. Organize regular cybersecurity awareness training to ensure the staff knows how to recognize online threats.

How to Report CEO Fraud?

Here's a step-by-step instruction on what to do if you've been a victim of CEO fraud:

1. Contact your bank ASAP

Inform the bank of the fraudulent wire transfer.
Give them full details of the amount and where the money is going.
Ask whether they can recall the transfer or intervene in some fashion (e.g., contact the bank on the receiving end and have them prevent the withdrawal or further transfers).

2. Contact attorneys

Reach out to your legal team and inform them of the incident.
Share all the facts related to the attack so that they start dealing with potential legal consequences.

3. Reach out to law enforcement

Prepare a report for the officials with all relevant info (transaction details, date and time, email and IP addresses, accounts of previous phishing activity, etc.).
If you operate in the US, contact your local FBI office and identify the incident as BEC. If you're in Europe, call Europol. Otherwise, reach out to the local police department.

4. Brief your senior management

Call an emergency meeting of all executives.
Brief the board on the incident, what steps you already took, and any planned further actions.
Notify any third party that might face risk, such as a supplier or companies whose data you store.

5. Conduct IT forensics

Have the security team investigate the breach and find the attack vector.
Ensure the staff recovers control of all accounts and eliminates malware.
After addressing the immediate concern, create a plan to prevent the same incident from reoccurring.

Unfortunately, companies recover less than 4% of fraudulently transferred funds. Consider taking out an insurance policy that covers you in case of CEO fraud (typically regarded as coverage for internal negligence or email impersonation, not as cyber security insurance)

Are Your Employees Ready for CEO Fraud Attempts?

No one solution guarantees 100% protection against CEO fraud. You must rely on a mix of technologies, employee awareness, and sound internal policies to combat this threat effectively. You also require an incident response plan to ensure the team is ready to react to a scam attempt. Otherwise, you risk getting caught off guard, which is a sure-fire recipe for suffering losses from CEO fraud.

Attack Vector vs. Attack Surface: All You Need To Know

A hacker uses several types of cyber attacks to gain access to a network. Cyber attacks use different attack vectors to identify and exploit network vulnerabilities. This way, hackers access a wide range of sensitive data and personal information.

This article shares a detailed overview of attack vectors and discusses the differences between them and attack surfaces. Besides offering a head-to-head attack vector vs. surface comparison, we also provide recent examples and discuss the most common ways criminals breach systems.

Attack Vector vs Attack Surface: What Are They?

An attack vector is a cyber attack that exploits system vulnerabilities so a hacker can illegally access a network to obtain sensitive information and use it to their advantage. The primary purpose of a cyber attack is financial gain.

Attack surface relates to the total number of attack vectors a hacker can use to access or extract data from a network or a computer system. The total number of vulnerabilities a hacker can exploit limits an attack surface - for example, the number of access points, data extraction points, or exposed system elements.

An attack vector data breach is when an unauthorized individual or a group of individuals access sensitive, protected, or confidential data. A data breach costs organizations over $4 million on average, which is why investments in the cybersecurity industry are on the rise.

Digital forensics prevents the information stolen from being used for illegal activity. At the same time, IP attribution attempts to identify the user or device that committed the attack, or at least the geographical location. However, IP attribution techniques are becoming increasingly ineffective, as hackers easily cloak IP addresses, use a shared IP address, or commit attacks from public networks.

Read our article about the differences between public and private IP addresses.

Attack Vector Explained

Attack vectors enable hackers to commit a wide range of malicious activities. There are two types of attack vector exploits:

Passive attack vector exploits.
Active attack vector exploits.

Passive vs. Active Attack Vectors

A passive attack vector exploit aims to create an access point on a network. This allows hackers to steal information, but no other malicious or damaging activity occurs.

An active attack vector exploit, however, makes changes to a network or system as part of a longer-term strategy.

Active attack vector exploits include:

Malware.
Ransomware.
Email spoofing.
Man-in-the-Middle (Eavesdropping) attacks.
Domain hijacks.

Common Types of Attack Vectors

A simple attack vector targets an organization’s network to steal personal information that has monetary value. This includes credit card numbers and banking details.

However, many attacks are much more complex and include sophisticated methods for gaining unauthorized access.

Unauthorized Remote Access Using Malware

One highly sophisticated attack vector is tricking users into downloading malware. Once executed, this software grants remote access to the victim’s computer or network. Groups of cybercriminals can conduct this attack vector on a large scale to gain remote access to thousands of devices and establish a Robot Network (or BotNet).

Once established, a BotNet can conduct all kinds of cybercrimes, from phishing scams to illegal mining of crypto tokens.

Distributed Denial of Service (DoS) Attacks

Another type of attack vector is a Denial of Service (DDoS) attack. DDoS attacks aim to overload a website or network with countless requests, ultimately causing the network to crash, resulting in downtime.

Other types of attack vectors include:

Cross-Site Scripting (XSS).
Session hijacking.
Trojans.
SQL injections.
Brute force attacks.

Example of an Attack Vector

Symbiote, a Linux malware designed to target the financial sector in Latin America, was discovered in November 2021. This malware was said to be “almost impossible” to detect. The malware granted attackers remote access to networks, provided rootkit functionality, and allowed them to steal credentials.

This attack vector differed from other known Linux malware. Instead of a standalone executable file, Symbiote is a shared object (SO) library that infects all running processes on a machine.

How to Prevent Attack Vectors

We are witnessing a continual growth in the variation of cyberthreats posed to global networks. Hackers easily identify unpatched vulnerabilities via dedicated resources on the Dark Web or by checking Common Vulnerabilities and Exposures (CVE) databases.

Unfortunately, each threat poses a unique challenge, and a one-size-fits-all cyber security solution is not viable. Attack vectors are also becoming more advanced and frequent, requiring constant monitoring and prevention.

Most large organizations across all sectors employ cybersecurity services to protect their and their client’s data. Traditional security measures, such as firewalls, are ineffective against most modern attacks. Therefore, many businesses have moved towards cloud security, hybrid environments, and using intrusion detection systems.

Organizations are also using VPNs to help protect themselves. According to Forbes, the VPN market was worth $16 billion in 2016 and is expected to grow by 18% in 2022.

Attack Surface Explained

An attack surface refers to the number of entry points on an IT network that hackers can target to gain access to data. To combat this, many organizations have heavily invested in attack surface monitoring and analytics to identify how large their network’s risk level is.

Below is a closer look at the three types of attack surfaces.

Physical Surface

This attack refers to a malicious threat actor entering buildings, such as offices or data centers, and physically performing illegal activities on a device.

For example, this method includes installing malware on a machine or accessing databases to obtain sensitive information.

Digital Surface

A digital attack surface relates to entry points accessible via the internet - servers, databases, remote devices, etc. The growth of remote working and cloud systems has increased the number of potential vulnerabilities. Therefore, it is crucial to limit your organization’s attack surface to be in a better position to fend off attacks.

Human Surface

Finally, a human attack surface relates to targeting individuals within a business, most commonly, employees of the organization. Social engineering attacks, such as phishing, are a common form of a human attack surface. Therefore, it is very important to train and educate employees to identify malicious activities easily.

Attack Vector vs Attack Surface: Conclusion

The article explained that an attack vector is a cyber attack that targets vulnerabilities on a network. On the other hand, an attack surface refers to the number of potential vulnerabilities and access points. Attack vectors are becoming increasingly more advanced and have led to a significant rise in cybersecurity funding to help keep information safe.

Constant monitoring, employee training, and using the latest endpoint protection is the best way to defend against cybercrime. However, as attack vectors become more sophisticated, so must preventive measures.

Backup and Disaster Recovery (BDR) Guide

A vital (yet often overlooked) aspect of building a successful company is preparing for potential disruptions. Backup and disaster recovery (DR) help deal with incidents that disrupt operations, so the two practices are crucial to business continuity. Without backups and DR, events such as data breaches and power outages can lead to permanent data loss, reputation hits, and loss of revenue.

This article is an intro to backup and disaster recovery (BDR), two related practices that help businesses respond to and overcome unfortunate events. We outline what your company stands to get from BDR and provide all the resources you need to start developing an effective business continuity strategy.

What are Backup and Disaster Recovery?

A backup is a copy of data you can use to restore a file if something happens to the original. Creating a data backup protects against most incidents that jeopardize data integrity and safety, such as:

Accidental deletion or failure to save progress.
Losing a device with a valuable file.
A software bug.
An infrastructure or service-based issue.
Data theft (either by an external or insider actor).
Database corruption.
Faulty patching.
A crashed hard drive.

On the other hand, disaster recovery is a step-by-step plan for quickly regaining the use of apps and IT resources after an incident. Companies create a DR plan for two types of incidents:

Natural disasters that cause physical damage and disrupt power grids (earthquakes, tornadoes, floods, wildfires, tsunamis, etc.).
Man-made disasters, which can either be intentional (malware, theft, sabotage, a terrorist attack, hacks that disrupt a power grid, etc.) or unintentional (accidental explosion, system failure, app bug, etc.).

A DR plan typically requires a second set of servers and storage systems (either in-house or rented) that you can use if something or someone takes out the primary IT setup.

While the two are different practices, there is a lot of overlap between backup and disaster recovery. Most DR plans rely on some form of backup. However, backups alone are not enough to ensure business continuity. Only a robust DR strategy can guarantee your company can continue operating in case of a disaster.

PhoenixNAP offers state-of-the-art yet highly affordable backup services and disaster recovery solutions that help protect data and critical operations from unplanned disruptions.

Why Do We Need Backup and Disaster Recovery?

Let us look at the main reasons businesses of all sizes decide to invest in backup and disaster recovery.

Why do you need backup and disaster recovery?

The Cost of Downtime is Too Great

Downtime happens when apps and data become unavailable to end-users (e.g., because of a natural disaster or DDoS attack). When you suffer downtime, the effects echo throughout the entire company:

Employees cannot do their jobs.
Transactions do not go through.
Customers turn to competitors.
Business revenue comes to a halt.

Here are some facts and numbers that clearly show the importance of avoiding downtime:

Around 66% of companies report that unplanned downtime hinders their digital transformation.
For a small business, the per-event cost of downtime sits between $82,000 and $256,000.
The cost of IT network downtime currently averages at $300,000 per hour ($5,600 per minute).
The average price of downtime is becoming more expensive each year by 36%.

Disaster recovery planning is the recipe for preventing high amounts of unplanned downtime. The ability to switch operations to a secondary set of IT resources means you can keep services online during a disaster and avoid downtime even if the primary data center is down.

Your data center's tier level also impacts how much downtime you can realistically expect to face. Our article on data center tiers compares different facility types and shows what they offer in terms of uptime guarantees.

Avoiding Permanent Data Loss

If someone or something deletes a file that has no backup, that data is gone forever. Unfortunately, there are many ways you can lose a piece of data, such as:

Accidental or malicious deletion.
Hardware failure.
Cyberattack.
Data corruption.
Physical damage to a storage unit.

A proper data backup enables you to return the file to the last known good point in time before the problem. The strategy does not protect data from theft but guarantees that you never lose a valuable file permanently.

Damage Control in Times of Crisis

Unfortunate events always cause damage, but backup and disaster recovery enable a company to control the extent of the damage. Here are a few examples:

If you fire someone and the angry employee decides to delete files out of spite, a backup enables you to restore any data deleted by the ex-worker.
A backup failover site in a different region can keep you operational if the primary data center is in the midst of a region-wide power outage.
If you lose some of your infrastructure in a fire, you can restore all data on lost devices from a cloud backup.
A DR plan to move all equipment off the floor and into a windowless room can save the entire IT setup in a hurricane scenario.
When an intruder makes their way into your network, a disaster recovery plan ensures a swift response that limits lateral movement and controls the blast radius.
If you suffer a ransomware attack, a proper DR plan helps stop the attacker from spreading to new devices, while backups ensure you can restore encrypted data.

Ransomware is among the most dangerous attacks your business can face. Learn how to prevent ransomware and read about 18 easy-to-implement strategies for countering this cyber threat.

Protecting Your Brand's Reputation

Being known as a company that lost customer data in the past does no favors to your business. Once you lose the trust of current customers, they start to discourage others from using or working for your company.

Unhappy users also leave negative comments about your business online, giving poor ratings that can hinder customer acquisition for years. Ultimately, you lose revenue simply because you did not have a backup and disaster recovery plan.

Both business continuity and disaster recovery are vital to company safety. Learn more about their differences in our article Business Continuity vs Disaster Recovery.

Cyber Threats Are a Matter of When, Not If

While you should take a proactive approach to cybersecurity with robust firewalls and intrusion detection systems, it is unwise to assume your business is safe. Preparing a response plan for a successful cyberattack is as vital as setting up prevention measures.

Proper DR planning ensures the team knows how to:

Quickly identify different types of threats.
Respond promptly and correctly to each threat type.
Follow through on the process of removing the attacker from the network.

On the other hand, backups mitigate data loss and ensure you can recover from an attack without long-term problems.

Our article on cybersecurity best practices presents 19 actionable tips you can use to improve your company's resilience to cyber threats.

Protecting Your Remote Workforce

While remote work and BYOD have a range of benefits, these strategies also have certain risks:

The business has limited visibility into how an employee uses and protects the device.
A personal device typically has weak security and easy-to-crack passwords.
Out-of-office work means more chances for someone to steal or lose a device with access to sensitive data.
A home network is typically far less secure than its corporate counterpart.
An employee also uses a BYOD device for personal reasons, creating a broader attack surface.

Remote work and BYOD devices can easily lead to permanent data loss without a proper backup. Likewise, a DR plan ensures the security team is quick to disable a lost device or wipe the data to prevent an outsider from accessing business info.

Our article on BYOD policies explains how to ensure Bring Your Own Device becomes a competitive edge and not an exploitable weak point in your security strategy.

Lowering the Human Error Factor

Everyone makes mistakes, and your workforce is no different. Employees forget to save changes, type in incorrect dates, accidentally delete files, and press the wrong buttons all the time.

A continuous backup system ensures your workforce does not accidentally lose data. Likewise, a DR plan lowers the chance of costly mistakes during the crucial phases of discovering and responding to a threat.

You Need to Stay Compliant

Some companies must have an always-on infrastructure to comply with government regulations, while others need regular data backups to comply with local laws. In those cases, the lack of backup and disaster recovery plans can lead to severe penalties and legal expenses.

Remember that a business does not get an exception for regulations such as HIPAA and PCI when disaster strikes. You need to maintain compliance even when things get messy. The good news is that you can use backup and DR to ease the compliance burden. Here is how:

Data backups ensure you do not lose sensitive data due to data leakage or a breach, which is a requirement of most data regulations. You still have to worry about someone stealing files, so consider using at-rest encryption for all sensitive data sets.
You can tailor your DR plan to ensure emergency response prioritizes securing regulation-tied databases.
DR planning requires continuous reviewing of IT systems to stay up to date with current threats. Regular reviews mean the team has more chances to spot failures to comply.

When choosing a provider, always look for a vendor with third-party compliance certifications (such as HIPAA, PCI-DSS, GLBA, and SSAE 18).

How Does Backup Differentiate from Disaster Recovery?

Backup and disaster recovery typically work in tandem, but the two are separate practices. The table below offers a high-end comparison of the two strategies:

Point of comparison	Backup	Disaster recovery
Practice description	Making a physical or digital copy of a file at a specific point in time	Defining a step-by-step plan for recovering critical services, apps, and systems from an unplanned event
Goal	Ensure you cannot permanently lose a piece of data	Ensure the business maintains normal operations in times of crisis
Main countered risks	Host failures, small-to-midsize online attacks, accidental data deletion, and basic hardware failures	Region-wide disasters and large-scale cyberattacks
Scope	Individual files and virtual machines	Per-department or business-wide level
Pricing	Even the best backup options are affordable	Expensive as you need to secure access to a secondary set of IT resources (unless you opt for Disaster-Recovery-as-a-Service)

The two practices are not mutually exclusive. In fact, one without the other will often result in a failure of both.

Check out our backup vs. disaster recovery article for an in-depth comparison of the two security practices.

What to Look After When Choosing a Backup and DR Provider?

Successful backup and disaster recovery start with making the right vendor choice. Unfortunately, there is no one-size-fits-all provider—while some companies find mega-cloud vendors to be an ideal choice, others benefit the most from a smaller provider with affordable managed services.

Below are five tips that will help you identify a worthwhile partner:

Find the right backup offering(s): What are you trying to back up? On-prem systems, virtual machines, client OSes, cloud apps, structured data? And what backup frequency do you need (hourly, daily, whenever someone makes an edit, etc.)? Ensure every vendor you consider supports the unique backup needs of your team.
Consider storage locations: You should not store data backups in areas where a disaster can affect both you and the off-site backup storage. You also do not want backups too far away from the primary data center as great distances can lead to latency issues.
Closely inspect each candidate: Only consider providers with a proven track record of quality service. Look for customer references and, if possible, talk directly to current clients to learn more about the vendor's operations.
Take compliance into consideration: Most vendors are compliant with standard privacy and security protections like CCPA and GDPR. However, if you must adhere to some other mandate that involves backups, find a vendor that can help meet those requirements.
Look for transparent pricing: Some vendors needlessly complicate fee calculation (storage costs, ingress, egress, deletion, retrieval and query fees, various pay-as-you-go models, etc.). Look for a partner that provides a transparent, predictable monthly cost.

Disaster-recovery-as-a-service enables you to rely on a cloud-based infrastructure you can switch IT operations to in times of crisis. This alternative to in-house DR is ideal for companies looking to ensure resilience to disasters without heavy investments in a secondary IT setup.

Hope for the Best, Plan for the Worst

No matter how big or small, every company should have a plan to mitigate the effects of natural disasters, server failures, data breaches, and accidental file deletion. Backup and disaster recovery ensure these events do not have long-term business consequences, so putting these strategies in place should be a priority for any careful organization.

Backup vs Disaster Recovery: What's the Difference

Should your business invest in disaster recovery (DR), or are data backups enough to keep you safe? Backups and disaster recovery overlap in methods and objectives, but these practices serve different purposes. Understanding the difference between a data backup and DR (and, more importantly, how the two work in tandem) is vital to creating a well-rounded, effective security strategy.

This article outlines the main differences between backups and disaster recoveries, two distinct practices that protect a business from data loss and unwanted downtime. We examine both concepts in detail, explain your options when deploying them, and show how companies use the two practices to avoid data and revenue losses.

Difference between backup and disaster recovery

Backup vs Disaster Recovery

Both disaster recovery and data backups protect you in the event of failure, but these are two different practices:

Backup is an extra physical or virtual copy of data on another storage device (hard drive, CD/DVD, flash drive, cloud storage, etc.). If you lose a piece of data, you can use its backup to restore the original file.
Disaster recovery (DR) is a step-by-step plan for responding to a major incident by switching to a secondary IT infrastructure. DR ensures critical functions keep running seamlessly during a natural or human-made disaster.

While backing up data is integral to security, having backups is not the same as having a disaster recovery plan. Data copies are not enough to ensure business continuity if you experience a region-wide outage or large-scale cyberattack.

Backup vs Disaster Recovery (Table Comparison)

The backup vs disaster recovery table below offers a head-to-head comparison of the two practices:

Point of comparison	Backup	Disaster recovery
Purpose	Provide a copy of valuable data in case something happens to the original file	Ensure the business can restore functions and avoid downtime during an unforeseen event
End-result	A copy of the original data	A functioning copy of the IT system on standby
Main countered risks	Host failures, small cyberattacks, accidental data deletion, and hardware failures	Region-wide failures (tornados, fires, power outage, etc.) and large-scale cyberattacks
Target devices	Servers, workstations, mobile devices	Critical servers, virtual apps
Scope	You back up individual files and VMs	A DR plan operates either on a per-department or business-wide level
Guarantee of business continuity	No guarantee	Aims to provide continuity in all scenarios
Mutual exclusivity	You can have backups without a broader DR plan (it will not be a sufficient defense, though)	Every DR plan includes some form of backup
Automation	Typically relies on a mix of automatic and manual processes	Usually as automated as possible
Average RTO	Speed is not decisive, so RTOs are typically long	Speed is paramount, so RTOs aim to be much shorter
Resource allocation	Backups usually sit in a compressed state and do not require much storage space	A DR plan requires a separate site with fully operational IT infrastructure (either hot, warm, or cold)
Complexity	All backup processes are relatively simple	Complex (setting up additional resources, prioritizing business apps, preparing for different scenarios, etc.)
Data replication intervals	From time to time (hour, day, week, once per month, etc.)	The replication of critical data happens continuously, ideally in real-time
Investment level	Even top-tier backups are highly affordable	Top DR plans require investing in a secondary IT infrastructure unless you go with DRaaS

What is a Backup?

Backup is a physical or virtual copy of data that enables you to restore a file if something happens to the original. Having a data backup is vital to preventing data loss in cases of:

Data theft (office break-ins, data breaches, ransomware attacks, stolen laptops, etc.).
Employee accidents (accidental file deletion, lost device, data leakage, etc.).
Technical issues (crashed hard drive, database corruption, failed software updates, etc.).
Natural disasters (fires, hurricanes, earthquakes, etc.).

Companies typically create data backups at regular periodic intervals (every few hours, once per day, weekly, etc.) to ensure backups stay up to date. You can keep these "data save points" on various media and locations, both on-prem and in the cloud.

Setting up the backup process is relatively simple as your security team needs to:

Identify sensitive data.
Choose a backup type.
Decide how long you need to keep the backups and how often you need to back data up.
Define the optimal backup interval.
Identify incidents in which a company can lose data.
Ensure backups comply with data storage requirements.
Train the staff on the correct backup procedures.

PhoenixNAP's backup and restore offering presents a range of solutions you can use to ensure you retain valuable business data and maintain availability and business continuity even in case of a disaster.

Types of Backups

The table below presents the different types of data backup available to your company:

Backup type	Description	Pros	Cons
Full backup	Copies the entire data set	A full copy of data set; simple to set up; highly reliable	Requires the most storage; uses a lot of network bandwidth
Differential backup	Backs up only the files that changed since the last full backup (e.g., if you have 50,000 lines of code and make changes to 50 of them, this backup type only affects those 50 changed lines)	Efficient use of storage capacity; quicker than full backups; faster restoration than an incremental backup	Uses more network bandwidth and space than incremental backups (still less than a full backup)
Incremental backup	Only updates the changes made to a file since the last incremental backup	Takes the least amount of space; fastest backup type; uses relatively little network bandwidth	Time-consuming restoration; complete restore is impossible if one of the incremental backups is missing

There is no reason not to use different backup types at the same time to improve resilience. You should follow the 3-2-1 rule of backup, a formula that stands for three copies of data on two types of media with one off-site copy. You can store data in three ways:

Local backup (on-prem backup): Backing up to a local device close to the data source (tapes, disks, hard and flash drives, CDs, etc.).
Off-site backup: A copy of data stored in a geographically different location than the original.
Online backup: The use of a third-party service to back up data remotely over the Internet, typically on a cloud-based server.

Our in-depth comparison of full, incremental, and differential backups explains the differences between the three main backup types. You can also check out our immutable backups article to learn how databases immune to changes can protect you from ransomware attacks.

Snapshot vs Replication vs Backup

Data backups, replications, and snapshots are commonly confused, but the similarities between the three processes do not make them interchangeable:

A backup creates a replica of original data and enables you to restore files to a specific point in time, to one of the "save points" you take at periodic intervals.
Replication means making copies of data while also synchronizing and distributing files among the company's sites (servers, data centers, clouds, or hybrids). Replicated data ensures uninterrupted operation of mission-critical apps in case of an incident.
A snapshot is a metadata-based record that saves the entire architectural instance of a virtual app, disk, or system. These "photos" enable you to restore servers and virtual machines in the event of data loss or corruption. Snapshots are not data copies, so they do not take up much space (but their total volume can grow, so always place a cap on the number of stored snapshots).

Backups, snapshots, and data replicas are not mutually exclusive, so you can use all three to keep your data safe. However, you should know the difference between these practices to create an effective data recovery strategy.

Our backup vs replication article discusses the differences between backing up and replicating data. You can also check out our snapshot vs backup post for a detailed comparison of those two practices.

What is Disaster Recovery?

Disaster recovery (DR) is a set of policies and procedures that enable a company to quickly regain the use of IT systems during a natural or human-made disaster. Whereas a backup only creates restorable save points of data, DR is a comprehensive strategy for ensuring business continuity in different scenarios that can disrupt (or completely stop) critical operations. Here are some examples of unforeseen events:

Cyberattacks (malware, DDoS, ransomware, APT attacks, etc.).
Sabotage (both from an external and insider threat).
Power outages.
Equipment failure.
A terrorist attack.
Loss of valuable data.
Network crashes.
An industrial accident.
A natural disaster (hurricane, tornado, earthquake, flood, wildfire, etc.).

A disaster recovery plan involves the ability to switch over to a redundant set of servers and storage systems. This backup infrastructure steps in and supports operations in times of crisis until the primary data center is functional again. There are three types of backup facilities based on how fast you can get a site going:

Hot site that contains all the needed equipment, tech, and up-to-date data.
Warm site equipped with the necessary equipment and tech but without up-to-date data.
Cold site that only hosts the IT infrastructure.

Not having a DR plan in times of disaster can negatively impact an organization and lead to:

Interrupted service.
Permanent data loss.
Lost sales and revenue.
High recovery costs.
Supply chain disruptions.
Hits to employee and customer satisfaction.
Loss of reputation.

PhoenixNAP's disaster recovery offers top-tier yet affordable DR solutions that provide all you need to create an effective disaster recovery plan.

RTO vs RPO

Recovery time objective (RTO) and recovery point objective (RPO) are two critical metrics in disaster recovery. Here is what these metrics stand for:

RTO is the max amount of time that can elapse before a system must be back online. For example, a company's voice control systems can have an RTO of ten minutes, which means the system must be back online within ten minutes of going down.
RPO is a time-based measurement of the max amount of data loss you can tolerate in a disaster. For example, if a database has an RPO of four hours, the system must back up at least every four hours. The RPO determines how frequently you must back up data for disaster recovery purposes.

A company determines RTOs based on how much time they can afford for a system to stay offline in case of a disaster. This metric differs between businesses as, for example, a brick-and-mortar library has much more tolerable RTOs than an e-commerce website. RPOs also vary as each business must estimate its:

Industry-specific factors (such as fines for losing financial transactions or health records).
How data storage types affect the speed of recovery.
Maximum tolerable data loss.
The cost of data loss.
Data availability needs.

While disaster recovery (DR) and business continuity (BC) have similar goals, these are two separate strategies. Get a head-to-head comparison (as well as valuable tips for both) in our business continuity vs disaster recovery article.

Disaster Recovery Plan

A disaster recovery plan is a formal, business-wide document that outlines the company's approach to dealing with an unfortunate event. A DR plan should include:

A DR policy statement and plan overview.
All recovery goals (including RTOs and RPOs).
A step-by-step guide to disaster response actions for each incident type.
Sketches and diagrams of the entire network and recovery site.
A list of all staff members responsible for DR.
Contacts of go-to DR team members.
An asset map.
A list of systems needed for disaster recovery.
Technical documents.
Directions for reaching and activating the recovery site.
Actions for dealing with legal issues.

Each business has a unique disaster recovery plan, but there are some common traits in every strategy. Here are a few general tips:

Risk evaluations: Start building a strategy with a risk assessment and business impact analysis. This first step helps pinpoint threats you are likely to face.
Map your assets: Every plan should have a list of assets (hardware, software, cloud, critical data, etc.) and their dependencies. Order assets by how likely they are to disrupt business operations if they were to go down.
Create a dedicated disaster recovery team: The DR team is an assigned group of staff members responsible for designing and implementing the disaster recovery plan.
Test your DR procedures: Regular tests ensure the plan stays efficient and that the staff knows how to act in case of an incident.
Keep updating your DR plan: A disaster recovery plan should be a living document that evolves alongside your organization. Adapt the strategy whenever you add new devices, expand infrastructure, or discover better backup options.

Ready to write a DR plan? Our disaster recovery plan checklist ensures you cover all the bases and create a sound strategy.

Disaster-Recovery-as-a-Service (DRaaS)

Disaster-Recovery-as-a-Service (DRaaS) is a managed approach to DR in which you outsource a third-party provider to host and manage the backup infrastructure. DRaaS plans are typically available on a subscription or pay-per-use bases.

DRaaS is an excellent alternative to in-house DR as the strategy eliminates the expense of setting up and running a standby hosting environment. You also free up the in-house staff and get to rely on top-tier recovery times defined by a service level agreement (SLA).

Let us look at an example to see what DRaaS can offer. Let us say that you run an e-commerce business and that a ransomware attacker targets your website:

Your staff starts reporting that the website is acting up when you realize someone used encryption to scramble several databases.
You declare a disaster, reach out to your provider, and instigate a DRaaS failover.
The provider moves your system to its cloud infrastructure in minutes, allowing you to continue operations from a preset environment.
Your in-house team searches for the source of the attack and eliminates the threat. Meanwhile, the website operates without issues, and end-users are unaware of what is going on behind the scenes.
Once the security team restores control, you start the failback and switch operations to the on-prem infrastructure.

PhoenixNAP's Disaster-Recovery-as-a-Service provides an industry-leading DRaaS solution that ensures you do not suffer prolonged downtime even in the worst scenarios.

Backup vs Disaster Recovery: Do Not Wait for Incidents to Strike

Data backups alone do not mean you can keep your business running in case of an incident. Any company that hopes to survive a major unexpected event should also have a disaster recovery plan. Without DR, there is no way to guarantee business continuity when disaster strikes—and, unfortunately, statistics clearly show that disasters are a matter of "when," not "if."

Email Security Best Practices You Must Follow

Emails continue to be one of the most exploitable attack vectors criminals use to target companies. A single employee opening a malicious link in an email is enough to enable a hacker to bypass all cyber defenses, which is why preventing email-based threats should be a top priority.

This article covers 15 effective yet easy-to-implement email security best practices you should follow to improve your email security. We also go through the most common email-based threats your workforce can face, so read on to learn how to keep would-be hackers out of your company's inboxes.

Best Email Security Practices

Below is a list of the most effective email security best practices you should follow to improve general cybersecurity and ensure your workforce is ready for email-based threats.

Use Strong Email Passwords

The easier the password is to guess, the more likely it is that someone will breach the email account.

Even if you do not rely on a password like "123456" or "password123" (which, unfortunately, too many people do), hackers have access to top-tier brute force attack tools that can crack even moderately complex passwords. For example, a password like "Pa$$word2211991" may look secure, but a high-end tool could crack that password in under a minute.

Each staff member in your company should have a solid and unique password for their email account to prevent brute force attacks (or someone simply guessing the password). A reliable password should:

Have at least 12 characters.
Rely on a mix of upper and lowercase letters, numbers, and special symbols.
Be random and unique.
Not include common phrases.
Not contain any personal info (names of family members or pets, companies, places of birth, birthdays, or any other info a hacker can discover by googling your name or spying on social media).

Our article on strong password ideas presents 11 methods for coming up with reliable yet easy-to-remember passwords.

Prepare for Phishing Emails

A phishing email attempts to trick one of the employees into either providing helpful info or clicking on a malicious link. An attacker typically uses phishing to scam the target into:

Downloading malware.
Providing sensitive data (typically login details).

Phishing tactics are among the most common social engineering methods criminals use to exploit emails. Some of the standard strategies include:

Pretending to be a service provider and asking the target to "log in" via a link that leads to a fake website.
Imposing a superior and asking for sensitive data.
Pretending to be a part of the security team and asking the victim to "update" one of their passwords.
Sending an email with a malicious file that has a hidden program.

Unfortunately, there is no way to stop phishing emails. Your employees are bound to receive one from time to time, which is why educating the workforce is the primary way to protect your company.

The golden rule of preventing phishing is to not respond to, click links, or open attachments in emails that look suspicious. Employees should use common sense before interacting with an email and must be able to:

Recognize suspicious files and links.
Assess the reasoning behind the request within the message.
Inspect the sender's address.
Assess the general state of an email (grammar, business context, the tone of voice, the lack of an email signature, etc.).

You can also run regular phishing simulations to keep employees alert and test their real-life ability to identify suspicious emails.

Learn about spear phishing, a highly targeted type of phishing that focuses on tricking a specific employee instead of going after as many victims as possible.

Use 2FA to Verify Email Logins

Two-factor authentication (2FA) requires an employee to provide an additional credential besides typing in a username and password. Another verification factor adds an extra layer of defense and is a vital counter to brute-force attacks and password cracking.

Besides providing a username and password, 2FA requires the employee to provide one (or more) of the following:

A unique item (token, card, etc.).
A PIN received via SMS, email, voice call, or a time-based one-time password (TOTP) app.
Biometric data (eye, fingerprint, face, or voice scans).
A barcode generated on a mobile device.
A prompt on a mobile phone that confirms the user is currently trying to log in.

Even if an attacker steals the email credentials of one of your employees, the use of 2FA will prevent the intruder from logging in to the email account.

Luckily, deploying 2FA is not as technical as it sounds. Most email platforms offer two-factor authentication by default, so there is no reason not to use 2FA to protect your company's inboxes.

Train Employees on How to Handle Email Attachments

Attackers typically use email attachments to hide executable files or programs that inject malware into the system. Before opening an attachment, educate your employees to ask themselves the following questions:

Is the sender someone within my organization or someone I can trust?
Is the format right for this type of attachment (look out for .exe (executable program), .jar (Java application program) and .msi (Windows Installer))?
Does the email itself mention anything about an attachment?
Am I expecting this email attachment?
Is the sender's address legit?
Is the person behind the attachment sending your emails regularly?

If there is even the slightest doubt, the employee should not open the attachment. Instead, they should first confirm the content with the sender to make sure that the email is real.

You can also use endpoint email security to aid your employee's battle with malicious files. These tools include anti-malware and virus programs that scan email content for dangerous links and attachments.

Ensure Employees Never Access Emails from Public Wi-Fi

If you allow employees to take office devices home or open work emails from personal devices, you must ensure workers do not access emails on public Wi-Fi.

A cybercriminal only needs basic skills to discover data passing through publicly accessible Wi-Fi, so both sensitive data and login credentials are at risk.

Employees should only access their email when they are confident in network security. A much safer option (although not as secure as opening emails only when using office Wi-Fi) is to use mobile internet or internet dongles for out-of-office use.

Ensuring employees do not use public Wi-Fi is only a single aspect of your Bring Your Own Device security strategy. Our article on BYOD policies explains what else you need to cover.

Have Periodic Password Changes

One of the simplest (and most effective) email security best practices is to ensure employees change their passwords regularly. You should:

Ensure each worker has a new email password every 2 to 4 months.
Use devices to force password changes instead of leaving it up to employees to update credentials.
Prevent employees from adding one or two characters to the current password to create a new one.
Prevent workers from using passwords they already had in the past.

Of course, each new password should follow the standard rules for strong passphrases (mix of lower and upper cases, numbers, symbols, etc.).

Never Give Away Personal Info in an Email

If an email asks you for any personal info (birthday, social security number, credit card number, password), the chances are that the message is a scam.

If an email asks for private info, you should call the company in question by finding their contact info online and not by following the instructions in the email. In all likelihood, you will discover that the company knows nothing about the email, and they will caution you not to send private data over email.

Never Reply to Scammers and Spammers

Some employees like to respond to phishing emails and spam messages, but you should ensure workers do not reply to scammers.

Sending a response to a scammer or spammer verifies that your email address is valid. While there is no immediate danger, letting a scammer know that you use that address opens the door to more attacks in the future.

Keep scammers out of your company's inboxes

Train Employees to Check Email URLs

Another simple but effective email security best practice is to train employees to inspect URLs when they get a link within an email (especially when the message comes from an unfamiliar source).

Before clicking on a URL, the employee should hover the mouse over the link. If the address does not contain the HTTPS extension, the chances are that the URL does not lead to a safe website. Scammers often try to lure a victim into clicking on a link that leads to a download page for malware. These unsafe websites typically have the HTTP extension.

Also, the URL may look like a familiar link, but is it? For example, a scammer can replace one domain letter to fool the employee into thinking the URL is legitimate (such as goggle.com instead of google.com).

Do Not Reuse Passwords Across Accounts

Every employee should have a unique password for every account. Their email password should not match any passphrase they use for other purposes (backend logins, tool credentials, HR software passwords, etc.).

The match between passwords also applies to private accounts. For example, a worker's Facebook or bank account password must not be the same as their credentials for work email. That way, if the bank's credentials were ever a part of a data leak, your company's email account would not be in danger.

Since having a unique password for each account is among the most tedious email security best practices, you should use a password management tool like 1Password or LastPass. These platforms automatically create complex passwords and store them while an employee only needs to remember one master password.

Here are 11 password management solutions you can use to simplify everyday operations and protect your company from unsafe and reused passwords.

Use a Spam Filter

Most email services providers have a built-in spam filter. A filter helps:

Separate legit emails from malicious messages.
Lower the likelihood of phishing and spamming.
Keep the inbox tidy and more manageable.

As an added benefit, a spam filter makes the number of emails less overwhelming. Employees will be more focused when navigating their inboxes and alert to suspicious messages.

While most associate spam with onslaughts of ads, a spam message can also contain malware or, even worse, ransomware. If a spam filter stops a ransomware email from entering an employee's inbox, turning the feature on was worth the effort.

Wish to learn more about ransomware? Check out these articles:

PhoenixNAP's ransomware protection services can help you counter this cyber threat with immutable backups and strategic disaster recovery measures.

Prevent Employees from Using Business Emails for Private Purposes (or Vice Versa)

Workers should use business emails only for company-related issues and updates. There is no reason for an employee to:

Use the email for private purposes (such as subscribing to newsletters, making gaming accounts, etc.).
Send work-related stuff to a private email address.
Shop online with a professional email.
Use the address to exchange personal messages.
Post the address anywhere online (social media, forums, chat rooms, etc.).

Whenever an employee shares their email, they increase the chance of the address falling into the wrong hands. Hackers scan public websites to collect info they sell or target later, so every exposure of the address adds risk.

Another reason for stopping an employee from sending work-related stuff to a private email is that anyone who hacks the personal address (which is likely not as protected as a company email) will have access to whatever the employee sent from the business address.

Educate Employees About the Value of Email Security

Educating employees instead of just enforcing email security best practices is vital. Without awareness building, an employee might perceive demands for complex passwords and strict rules as pointless and unjust.

You should organize mandatory email security awareness sessions that explain:

All relevant email security best practices.
The latest trends in email-based attacks.
How to recognize signs of phishing.
The importance of using work emails only for job-related purposes.
How to inspect email addresses.
The traits of legitimate and illegitimate email requests.
How to create strong passwords.
Where employees can find the company's email and password-related policies.
How employees should react to suspicious emails.

No matter how many security measures you deploy, spam and phishing emails will occasionally fall through the cracks. When they do, your workforce's understanding of email threats is what makes the difference between a failed and successful breach attempt.

Our article on security awareness training offers tips and tricks for getting the most out of any educational program you are preparing for your workforce.

Ensure Employees Log Out of Email Accounts at the End of the Day

Another effective yet simple email security best practice is to ensure employees log out of their email platforms at the end of the workday. You can encourage workers to log out on their own, or you can use the email platform to log everyone out at a particular time automatically. This practice is beneficial when an employee uses an unfamiliar device or a network to check their email.

Use Email Encryption

Every email is at risk of being intercepted by an attacker or going to the wrong address. You can use data encryption to counter both threats.

Encryption scrambles the original email content and turns the message into an unreadable mess. The recipient can reveal the text with a unique decryption key, so any in-transit interception or a wrong recipient cannot lead to a data leak.

Our article on encryption at rest explains the basics of using cryptography to protect data from unauthorized users.

Common Email Security Risks

Unfortunately, there is no shortage of email-based threats. Some of the most common email security risks you can encounter are:

Social engineering emails: Social engineering tactics attempt to earn the target's trust to steal info. Phishing is by far the most common email-based social strategy.
Malware-armed emails: These emails try to inject malware into your system. The attacker typically "arms" the malware in an attachment or on a fake website the victim is supposed to open. If the malware makes it into your system, the attacker can take control of devices, steal data, or set up spyware.
Spam: Spam involves various unwanted messages that can overwhelm an inbox with ads and trojan-infected messages. As around 60% of the world's email traffic volume is spam, you should not overlook this threat.
Ransomware: If a malicious email contains a ransomware program, a single employee opening the wrong email can enable an attacker to encrypt your data or devices.
Botnet messages: An infected email can turn your company's devices into a part of the botnet used to target other victims with DDoS attacks.
Business Email Compromise (BEC): A BEC is a type of spear phishing in which a hacker pretends to be one of the company's high-level executives.

Unfortunately, cyberattacks (email-based and otherwise) are constantly evolving, so staying ahead is challenging. Hackers can be very clever and creative, so protecting your company's inboxes requires keeping up with the latest threats.

Signing up for our monthly newsletter will ensure your team stays up to date with both the latest cybersecurity dangers and the security strategies to counter those threats.

Use Email Security Best Practices to Keep Your Team's Inboxes Safe

A single malicious email can be enough to enable an attacker to bypass your company's entire security strategy. Luckily, the email security best practices above will improve resistance to email-based threats, so start protecting your company with a mix of proactive measures and timely employee education.