by Felicien | Feb 12, 2020 | Education
Bolster Cybersecurity Readiness with Strategic Investments
Protecting your organization from cybercriminals is gaining complexity and requiring more resources than ever before. Do your leaders understand the implications of a lack of cybersecurity funding?
Every day, your organization’s digital assets are under attack from cyber criminals around the world. Many of these individuals will never even know the name of your corporation — they are simply attacking at random and hoping that their wide net will haul in big treasure. Other hackers are laser-focused on bringing down your company, looking up unique details about your officers on LinkedIn and other social media platforms while testing the waters with small breaches to determine access available access levels. Safeguarding your innovation and valuable customer data may come down to your organization’s ability to strategically invest in the right cybersecurity tools . . . and gaining the support of knowledgeable individuals that are continually enhancing their knowledge of security procedures. See how these strategic investments in the future may be all that stands between your business and the devastation that can occur during and after a cyberattack.
Helping Executives Navigate the Cybersecurity Landscape
Perhaps one of the largest challenges facing IT leaders is helping executives across the organization understand the dangers inherent with a lack of cybersecurity without requiring deep levels of technical knowledge. When technical professionals become passionate about a particular topic, bringing the focus back to the business impact can be difficult. Creating a direct correlation between specific cybersecurity incidents and corporate results provides a method of framing the conversation that helps ensure IT receives the necessary funding for strategic investments in cybersecurity. Helping translate the results of cybersecurity spending into real terms allows this type of project to be weighed objectively against other strategic initiatives under consideration for the same budget dollars.
Aligning Resource Allocation with Cybersecurity Realities
How many individuals do you have focused solely on cybersecurity within your organization? One? Ten? None? Whatever the number, it is unlikely to be enough to handle the response needed in the event of an attack. Even an all-hands-on-deck effort by all your technicians and engineers will require scaling up and education before these individuals can be effective at staving off the aftereffects of a massive attack. Working with IT managed services providers to create a holistic approach to cybersecurity not only provides access to advanced tools but also offers a more expansive skill set in terms of cybersecurity. Making an early investment in prevention includes everything from active monitoring to web-based content filtering, all activities aimed at reducing the possibility of an attack — and limiting the negative impact to your organization in the event of an incident. When you align internal resources around managing external cybersecurity assets as opposed to attempting to build that internal infrastructure, you are gaining flexibility and scalability that would be extremely difficult to grow organically in an affordable fashion.
Creating a Culture of Cybersecurity Awareness
As you’re sharing this information with senior leadership, one important topic to consider is how to create a culture of cybersecurity awareness. Each time your employees open an email, navigate to a website or fill out a form online is a potential danger to your organization, but are staff aware of the risks they are taking on a daily basis? A strategic investment in training and ongoing education could be the detail that stops a wayward employee from inadvertently providing information to hackers, allowing them to infiltrate your cybersecurity net. A recent study by The Aberdeen Group found that you can reduce the risk of socially engineered cyber threats by up to 70% when you launch an aggressive cybersecurity awareness training that includes a component of ongoing education.
Investing in cybersecurity protection requires an ongoing commitment from senior leadership and a firm focus on the benefits of this investment from technology directors without bogging executives down with the technical details of individual tactics. From advanced cybersecurity tools to active defense and training solutions, finding partners that are able to provide cohesive strategies to protect your organization is going to be an integral component of your success in the security realm.
by Felicien | Feb 6, 2020 | Education
Modern Phishing Email and Article Headlines That Even Fool Savvy Tech Professionals
Learn more about the kind of email phishing headlines that end up fooling the smartest tech professionals, and how you can better protect your business.
Any tech professional worth their salt understands the damage wrought by unsuspecting users clicking on links inside “phishing” emails. It’s not surprising when tech-challenged individuals end up getting sucked in by today’s social engineering attempts. However, some of the headlines used by hackers manage to fool a lot of experienced IT pros.
Emails aren’t the only place where tech professionals show their vulnerability. Messaging portals in spaces like Facebook and LinkedIn have become prime targets for scammers, especially as traditional email providers step up their protections. In fact, both platforms had the highest success rate for phishing scams when they were included in an email subject line at 28 percent and 55 percent, respectively.
How Do Experienced Tech Professionals End Up Getting Fooled?
It’s hard to imagine how the people charged with keeping company systems safe end up ensnared in these schemes. Security-minded individuals become so comfortable in their knowledge of suspicious emails and technology in general that it makes them less careful. They’re prone to quickly scanning and clicking emails and messages without absorbing the information. It’s already too late by the time they realize their error in judgment.
What Makes a Phishing Headline Successful?
Phishing email headers that include words like “Request,” “Follow-Up,” and “Urgent/Important” tend to have a higher click rate, especially if it seems they come from a colleague or high-level executive. Victims often feel compelled to respond quickly out of fear of not delivering on job expectations. They also worry about costing the company money by failing to follow through on requests related to finance and payments.
The manipulation of that social element can have the same effect on tech workers. They’re more likely to respond quickly to a request that seems to come from a company vice-president. No one wants to be the person preventing them from getting back to company business.
Let’s look at some of the headlines used to fool regular users and IT professionals.
Requests for password changes
Deactivation of Microsoft Office email service
Setting up employee raises for HR
Document sharing using a secure server
Lack of internet service due to scheduled server maintenance.
Address needed for FedEx delivery
Locked company twitter account
Complete steps for Google service
Error with Coinbase
Closed company bank account
How Can Businesses Upgrade Their Current Phishing Protections?
There’s no one step a business can take to prevent someone from falling for a phishing scam. It pays to use a multi-pronged approach to blocking and dealing with suspicious emails and websites targeting company workers.
Tools like SPAM filters, mock phishing practice scenarios, and web filters to block malicious websites should be a priority. It also pays to encrypt sensitive company information, making it harder for employees to share the data with anyone. That goes double for telecommuters who must log into company systems remotely from different devices.
Businesses should initiate company-wide security initiatives and enforce them consistently. Make sure IT employees understand that their knowledge doesn’t leave them immune to these types of attacks.
by Felicien | Feb 3, 2020 | Education
‘Conversation hijacking’ Seeks Sensitive Business Intelligence
Your employees probably know not to open unexpected file attachments or click on random links, but what if an attachment arrives as part of an email conversation with trusted colleagues?
Sophisticated hackers are using a technique known as “conversation hijacking” to insert themselves into business operations, gain insight into sensitive details, and exploit the information for financial gain. What should you know about this insidious form of cyberattack on businesses?
Conversation Hijacking: Infiltrating Business Communications
New research indicates that the incidence of conversation hijacking increased by more than 400 percent in the second half of 2019 alone.
In a conversation hijacking attack, a hacker uses various methods for gaining access to business credentials — for instance, an email login. By using the phished information, the hacker then may join an existing email conversation by posing as someone already involved in the conversation.
Conversation hijacking attacks are mounted by hackers willing to invest significant time to gain access to sensitive information. The hacker may read through numerous emails and conduct research online to learn about business deals in progress or other potentially valuable information.
By gaining the trust of other people in the email thread, the hacker then can use a variety of techniques for gaining access to banking information and financial assets.
Forms of Conversation Hijacking
Conversation hijacking can take a number of different forms, with information coming from a range of different sources. Hackers may compromise email accounts through phishing or data breaches and use the stolen account information to stage account-takeover attacks.
A hacker then may spend time monitoring an email account — including ongoing message threads — to gain information about sensitive business details or financial arrangements. An attack may involve a hacker creating a fake domain similar to the real domains used by a company. In the case of domain impersonation, the goal is to create a domain similar enough to the real domain that unsuspecting employees click or download files without realizing the error.
Hackers also may impersonate the domain of a client, vendor or business partner to gain the trust of employees for the ultimate purpose of accessing financial accounts and information.
Protecting Your Business
Conversation hijacking can be more difficult to detect than other types of hacking, but you can take steps to protect your business, your employees and your clients and partners.
The most important step you can take is ensuring that your team members understand how conversation hijacking attacks work. They should always use caution when downloading files or clicking on links and take time to ensure that all information — including domain names — matches their expectations.
In addition, any requests for financial information or immediate payment should raise red flags and should be reported to your company’s accounting department. If an employee doubts the authenticity of an email, they can contact the sender by phone or by starting a new email thread with an email address known to be accurate. Employees also should report to your IT team any email conversations or other incidents that seem suspicious.
Additional security measures — including robust email filtering and inbox rules — also can help, and restricting macros within documents can limit the means for hackers to gain access to account information. Multi-factor authentication also can provide extra protection against sophisticated conversation hijacking attacks.
by Felicien | Jan 28, 2020 | Education
Data Privacy Day commemorates the anniversary of the signing of the first international treaty focused on data protection. Here’s how you can get involved.
January 28th, Data Privacy Day 2020, is here. First introduced in January of 2008, Data Privacy Day commemorates the anniversary of the signing of Convention 108, one of the first international treaties focused on data protection. Here’s what you can do to get involved.
Ways to participate at home
Visit with your family about online privacy and safety. Discuss what information is private information and consider together the risks associated with sharing confidential information online. Take a look at the online accounts of any children in the home to identify breaches, risky behavior, and connections with strangers. Remedy any problems identified and use the opportunity to share information and teach.
Now is also a good time to go through old papers, files, and devices, and schedule safe destruction to protect your information before it lands in the wrong hands. Remember, never throw away bills, bank statements, check blanks, or devices without destroying them first.
How you can participate at work
There are a number of ways you can use this opportunity to promote data security at work:
designate this as archive week, encouraging all staff to identify electronics that are no longer in use so they can be destroyed appropriately
use games and activities to refresh staff knowledge of the risks of security breaches and internet best practices
take a moment to ensure all corporate computers have the safest web browser, operating system, and security software installed and working as expected
review your policies and procedures to ensure they’re still compliant with best practice; we learn and evolve every day so a periodic review is critical to achieving the best results
share current news surrounding data breaches and lead a discussion exploring what went wrong and how similar crises can be avoided in your organization and industry
Involving your community
Data Privacy Day provides a great opportunity for community outreach and involvement. Include clients, stakeholders, and community members in your commitment to privacy. Host an open house, where you share materials encouraging safe internet practices at home and sharing what your organization is doing to protect client information. Send out client emails celebrating the occasion and summarizing all of the steps that go into maintaining their protected information (and the results of your hard work). You might even consider launching a survey to learn more about stakeholder satisfaction with your commitment to privacy and data protection program.
by Felicien | Jan 24, 2020 | Education
Cybersecurity education is essential in order to keep businesses one step ahead of this evolving space. Learn about types of attacks and preventative actions.
Cyber solutions are the future of business, with innovation such as the Internet of Things (IoT) gaining increasing popularity. Accordingly, focus on the protection and recovery of networks, devices and programs from cyberattacks is no longer a luxury, but a very basic necessity to remain competitive in today’s landscape. Here is a basic overview of cybersecurity:
Things to know
Data breaches are intended to access proprietary information, usually for financial gain. These activities can result in damaged corporate reputations, significant downtime and even the cessation of business viability
Hackers are becoming much more sophisticated, and traditional anti-virus software programs may not be sufficient to prevent attacks
As more devices and gadgets are connected to networks via IoT, they provide backdoors for hackers to access proprietary data
Despite the rising prevalence and notoriety of data breaches, they can be prevented. Cybersecurity often relies less on high-end technology than on common sense and solid security practices /protocols, such as:
Restricting employee access to sensitive data
Employing strong password controls
Educating employees on e-mail security
Encrypting data
Appropriately secure mobile devices – smartphones, tablets
Investing in IT professionals with current cybersecurity knowledge and skills
Types of Attacks
Malware is any type of malicious software utilized to gain unauthorized access to a computer
Ransomware is a form of malware that locks owners out of their devices/data until a ransom is paid
Spyware is a form of malware that spies on users in order to acquire sensitive information
Fileless malware attaches to existing programs running on the computer, thereby embedding inside the computer’s memory
Viruses are malicious programs usually sent as attachments, and which infect devices once downloaded
Watering holes are when a known website is hacked either directly or via a third-party service hosted on the site. In this way, anyone who visits the site is infected
Phishing is the act of sending e-mails that trick people into revealing sensitive information
Spearphishing is related to phishing but is more focused to prey on specific targets by including relevant details about the individual (usually obtained via research), thus luring them to click on the link
Pharming is the act of directing users to illegitimate websites under the guise of a legitimate link
Hacking is the act of accessing a network or device without appropriate authorization to do so
Types of Cyber Security
Network Security: These are defenses implemented to prevent hackers from gaining access to organizational networks and systems. Examples would be password controls and two-factor authentication
Application Security: This is when software and/or hardware is employed to protect against threats from malicious programs. An example would be antivirus programs
Information Security: This is the protection of data via restricted access or encryption
Cloud Security: These are tools utilized to monitor and protect corporate data stored in the cloud