7 Lessons learned from completing 8,239 Cybersecurity Audits!
That’s right, since launching CybersecurityReportCard.org we have completed 8,239 cybersecurity audits in less than 3 months. Not a bad achievement for the team, but here are the lessons we’ve learned from the data so far.
- Business owners are unaware of public domain data that is available to hackers.
- Protecting the inside of your company is great, but pointless if you leave the keys in the front door.
- Website security is a real weakness for many companies because they outsourced their website design and didn’t create requirements for security. Most website builders and designers don’t consider data security at all!
- Email impersonation due to missing DMARC records is a major security hole.
- Passwords are not being changed enough.
- Social media is a social engineer’s dream!
- Data privacy liabilities are going to hurt many business owners.
These are simple lessons, and if you apply them you will reduce your risk of a cyberattack. Let me dive into these 7 lessons in more detail.
Business owners are unaware of public domain data that’s available for hackers.
Cybersecurity is about detecting and preventing fraud. When you understand that there are over 50 different types of fraud that can be committed against a business on any given day, you will start to approach and respect cybersecurity differently.
Our world today is full of data, and everything you do online and offline is converted into data. Sometimes it is easy to forget this fact considering how digitally connected everyone is, from smart homes to smartphones. Just like people, businesses also have a digital footprint, and it includes everyone who has been or is connected to your business.
Think of the data associated with your business as a line of dominos. One piece of data by itself may be meaningless; however, when you connect the dominos the chain tells a story. Cybercriminals use machine learning to identify, in bulk, which companies to target for a cyberattack.
For example, if your WordPress website has a plugin vulnerability because it has not been updated, that makes you a target for attack ahead of the companies that kept their websites updated. Likewise, if your email security is configured with DMARC records to prevent domain impersonation, attackers will move on to someone else.
Business owners are largely unaware of how the game of cybersecurity is played, so they become victims of attack rather than playing to win.
Protecting the inside of your company is great, but pointless if you leave the keys in the front door.
IT teams tend to focus on internal company network protections, but they forget to understand the different types of cyberattacks. For example, a VPN and/or firewall does not make you immune to attack. Most people believe it does, and that is a myth.
90% of cyber attacks today are against the person, not the network, because people are always the weakest link. For example, if you are sharing one password with your team, that shared password is the weak link.
There are 5 types of cybercriminals you should be protecting yourself against, and you should validate your systems against each of them. Most IT professionals do not understand the different types of attackers, nor the different attack vectors they use.
Cybercriminals will always assess your vulnerabilities and exploit a weakness to gain leverage. Ask your IT team how you are protected against these 5 types of attackers and you will start new conversations.
Website security is a real weakness for many companies because they outsourced their website design and didn’t create requirements for security.
Most website builders and designers don’t consider data security at all!
Basic website security does not seem to be a factor when companies build their websites. Many companies don’t consider how to protect the website itself, or the data in transit to and from it, during a redesign.
When we present the results of cybersecurity report cards we always hear the phrase “well, our website is currently getting redesigned”. The issue with this thought process is that if you have vulnerabilities now, they may already be getting exploited without your knowledge. Plus, what is stopping your current website security issues from being carried over into the new design?
Email impersonation due to missing DMARC records is a major security hole.
There is an option during the email setup stage to install DMARC records into your domain MX records. The problem with this step is that it usually requires the domain to propagate first, so most people simply forget to come back and apply these settings.
By not configuring your DMARC and SPF records you make it possible for others to impersonate your domain name when sending emails. Hackers exploit this gap all the time.
Just imagine if someone started sending emails from your domain to your customers, or to anyone, about anything other than your product.
Imagine if attackers started sending invoices to people that had the attacker’s bank account instead of yours. This is called invoice fraud and happens all the time.
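As an added illustration (not the post’s own code or the report card’s tooling), here is a small Python checker that grades a domain’s DMARC and SPF records against the weak settings a report card would flag: no DMARC record, p=none, a partial pct, no reporting address, and an SPF record that ends in +all, ?all or has no all term. It runs offline against constructed sample TXT records embedded inline; DMARC is published as a TXT record at _dmarc.<domain> and SPF at the domain itself, so a real check would replace the `SAMPLE_TXT` dict with DNS lookups.

```python
import re
# Constructed sample DNS TXT answers keyed by name (not real domains).
SAMPLE_TXT = {
    "_dmarc.example-a.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-a.test"],
    "_dmarc.example-b.test": ["v=DMARC1; p=none; pct=50"],
    # example-c.test publishes no _dmarc record at all
    "example-a.test": ["v=spf1 include:_spf.mailhost.test -all"],
    "example-b.test": ["v=spf1 ip4:203.0.113.10 +all"],
    "example-c.test": ["v=spf1 ~all"],
}
def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_domain(domain, txt=SAMPLE_TXT):
    """Return a list of findings for weak or missing DMARC/SPF settings."""
    findings = []
    # DMARC lives in a TXT record at _dmarc.<domain>
    dmarc = [r for r in txt.get("_dmarc." + domain, []) if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append("DMARC: no record published, spoofed mail is not policed")
    else:
        tags = parse_dmarc(dmarc[0])
        policy = tags.get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC: p=none only monitors, it does not block spoofed mail")
        elif policy == "quarantine":
            findings.append("DMARC: p=quarantine, move to p=reject once reports look clean")
        if int(tags.get("pct", "100")) < 100:
            findings.append("DMARC: pct below 100, policy applies to only part of the mail")
        if "rua" not in tags:
            findings.append("DMARC: no rua address, you receive no aggregate reports")
    # SPF lives in a TXT record at the domain itself; the final 'all' qualifier matters most
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF: no record published")
    else:
        match = re.search(r"(?:^|\s)([+\-~?]?)all\s*$", spf[0])
        if match is None or match.group(1) in ("", "+", "?"):
            findings.append("SPF: +all/?all or no 'all' term, any sender passes or is neutral")
        elif match.group(1) == "~":
            findings.append("SPF: ~all is a soft fail, -all is stricter")
    return findings
```

Running `assess_domain("example-b.test")` returns four findings, while the fully configured `example-a.test` returns none.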
Passwords are not being changed enough.
Passwords are the biggest weakness in any security defense. If you are still using passwords you already have an issue. You should be using passphrases that are at least 12 characters and you should enable 2FA (two-factor authentication) on everything that allows you to enable it.
30% of passwords are reused. Plus, with new data breaches happening every day, it is easier than ever to find your username and password. If a cybercriminal can compromise your email account, they can usually gain access to your entire digital world!
Social media is a social engineer’s dream!
Social media is how people document their world. That can also be a bad thing for companies when staff post photos online from within the workplace. Data breaches may have occurred because cybercriminals scan those photos for relevant data, like the post-it note with a password stuck to a monitor.
Simple data points are connected in amazing ways and social media tells us who you like, where you eat, what you eat, your habits and even when you are not online.
Data privacy liabilities are going to hurt many business owners.
There is a tidal wave of data privacy laws changing right now. It started with GDPR; now we have CCPA, and 14 other states are passing laws around the use of data. These laws also create a liability for business owners that they are unaware of.
Even if you use cloud-based solutions in your business, you still have a liability for how the data is processed and used. Many companies are not obtaining the correct consent for data usage. This is going to create massive issues for small and large businesses as the litigation starts.
There are simple steps companies should be taking to assess their current liability, and applying standards like GDPR, CCPA, ADA, and cookie consent permissions to their websites will reduce future liability. Yes, these may not all apply to your site, but prevention and starting to understand your liability is much better than waiting for a claim.
Gain the Hacker’s View of your Cybersecurity Risk in Seconds with your Free Cybersecurity Assessment!
Discover How Hackers Exploit Your Business… If you had a no-cost, quick and easy way to check the safety of your business from cyber-attacks, would you do it?
Helping Business Owners start conversations about their cybersecurity culture. Cybersecurity does not have to be like chasing Bigfoot. Quantify your cybersecurity risk and instantly understand your vulnerabilities with ChatFortress Cybersecurity Report Cards.
Who is ChatFortress
ChatFortress is a leading cybersecurity company helping business owners protect their assets from cybercriminals. We provide companies with access to the latest technologies, social engineering and human behavioral strategies, and user education to create a proactive cybersecurity culture. Helping you fortify your business against cyberattacks.
Detect and Remove BAD Emails in 3 Seconds!
ChatFortress Email Guardian is the Ultimate Anti-phishing Program: it Detects and Mitigates Email Phishing Attacks in 3 seconds using AI Real-Time Inbox Scanning for Phishing Prevention!
We support Small Business and have released the Small Business Cybersecurity Scholarship Program.
Providing Small Business with enterprise cybersecurity protection without the enterprise price tag! You can save over $699/month if you qualify for one of our Small Business Scholarships.