by Felicien | Jun 29, 2017 | Education
Non-compliance with Canada’s anti-spam legislation could cost businesses $10 million. Now legislators are seeking a balance between communication and spam.
Canada is known by marketers to have some of the most comprehensive anti-spam laws in the world, making it challenging to safely navigate communication that is sent in connection with “commercial activity”. However, those regulations recently came under fire when the government under Prime Minister Justin Trudeau decided to relax some of the rules that currently allow Canadian citizens to sue organizations who send them communication that is classified as spam. While some individuals are lambasting the decision stating that it is a “major victory for the business lobby groups”, business owners and marketers appreciate the relief from what many perceive would have led to frivolous lawsuits.
Current Canadian Anti-Spam Legislation
Canada’s current anti-spam legislation, known as CASL, is quite vigorous and requires that all electronic communication receive full consent from individuals before the message is sent — and that applies to messages that originate within and outside Canada as well as those that travel within the country’s borders. CEMs, or Commercial Electronic Messages, are any messages that encourage individuals to take commercial actions such as utilizing a coupon or taking advantage of a sale. Organizations are required to receive express consent from individuals before the message is lawful, but consent can be challenging to obtain and retain. Canada’s laws consider that consent has been gained when you have documentation of the following, either orally or in writing (electronic copy is acceptable):
Name of organization or individual
Physical mailing address
Contact information such as a voice messaging system, phone number, or email address
Statement of identification from the individual
Contact information and identity of any third-party affiliates
The good news is that organizations are able to wiggle through a few little loopholes because consent can be implied instead of expressly stated, and published electronic information is also fair game even without consent.
CASL Exemptions
There are extensive exemptions for Canadian and other organizations under the CASL regulations. For example, individuals who are related by marriage or friendship are exempted, organizations with an existing business relationship will not be penalized and contacts that originated as part of a request, inquiry or complaint are also exempt from the strict CASL standards.
CASL Non-Compliance
Just as the requirements for CASL are among the strictest in the world, the penalties for non-compliance are also quite rigorous. As of July 1, 2017, the regulations were set to take full effect, but the government has paused full implementation for the time being for a parliamentary committee review. There are three federal agencies in Canada tasked with jointly enforcing the stringent requirements: the Office of the Privacy Commissioner of Canada, the Competition Bureau and the Canadian Radio-television and Telecommunications Commission (CRTC). The fines that these agencies can levy against offending organizations can go into the millions of dollars, with organizations facing fines of up to $10 million. While the laws haven’t yet gone into full effect, the CRTC executed its first warrant under the privacy provisions against a computer service based in Canada that was delivering spam software.
Preparing for CASL
While the legislation is currently on hold, there’s no guarantee that the hold will stick — so it’s important to ensure that your business is fully compliant with the updated standards when they take full effect. There are a variety of steps that you should take to become compliant, including:
Define any CEMs that you may be sending
Outline whether CEMs are going via email, SMS text messaging or other direct digital communication methods
Determine whether the level of consent is express or implied and that all the required contact information is being properly captured
After a compliance audit, define the next steps to gather the required information before additional CEMs are sent
Ensure that any CEMs that would be subject to CASL rules contain the legally required information
Determine impact of CASL on your customer relationship management software, marketing automation tools and other digital mechanisms for content dissemination
Update procedures and policies to capture audit trail and all required information
As Canada’s government seeks to determine the right balance between allowing organizations access to Canadians and protecting the rights of those living in the country, the rules around CASL are likely to shift. However, the compliance requirements have already been through a full three-year holding period, and have been public knowledge since July 1, 2014. For the time being, businesses and non-profits are still able to send digital communications without limits to Canadians, but that could change at a moment’s notice with the reversal of this temporary hold on CASL.
While these general standards are good to keep in mind, it’s important to note that each organization will have slightly different requirements for capturing and maintaining a database that easily allows you to filter out individuals whose consent has not been captured as CASL requires. If you have questions, or need assistance in {city} determining if your business practices are fully compliant, contact {company} today at {phone} or via email to {email}. Our security and communication professionals will work with you to determine any steps necessary to avoid the massive fines imposed by Canada’s Anti-Spam Legislation.
by Felicien | Jun 29, 2017 | Education
This is a simple breakdown of the new ransomware attacks spreading globally. The attack is quite different from anything that has been spread in the past. The intention may not even be money.
Recently, a new and viral malware has been spreading throughout Europe. News organizations such as the Washington Post and The New York Times have been talking about it quite a lot. However, no one seems to have much information about it.
The stories began on the morning of June 27, 2017. While its method of infection has not been discovered, it is known that this malware is behaving like a worm. That means when one node is infected, it tries to spread to other nodes. When the virus infects a computer, it shows a fake “Chkdsk” screen that is meant to entice the user not to power off. This attack has been touted to be even worse than the Wannacry attack.
Kaspersky Discovered It First.
Kaspersky actually discovered this ransomware a while back. Since then, they have noted that it has been spreading for weeks. The reason why it has become such a big issue in recent days is that it has started to affect huge organizations, especially government organizations.
What Is Known About It.
Some researchers have christened it PetyaWrap. It uses a potent mix of techniques to enter a network and from there spread to all computers in that network. As with other attacks from ransomware such as WCry, it made use of EternalBlue. This advanced exploit was developed by the NSA to snoop on unwitting users of the Windows OS.
The new attack used a second exploit called EternalRomance, which was also developed by the NSA. Microsoft developed a patch for the vulnerabilities. However, many computers remain quite vulnerable. People with basic technical skills now have a powerful method to deliver any kind of digital warhead that they wish to install in a computer. It is especially so for those who had not installed the updates from Microsoft.
However, EternalRomance was not the only exploit that it used. The recent attack showed that it was a major improvement over past attacks. The new attack also used Mimikatz, which is a tool used to extract passwords from computers on a network. With those passwords, they could use PsExec, which is a legitimate Microsoft administration tool, to run the malware on other machines.
That means even computers that had updated their OS and were immune to EternalRomance and EternalBlue could be hacked. Some of the ransomware also abused the update mechanism of Ukrainian accounting software called MeDoc. The result is that MeDoc’s own updates were used to deliver the malware to end users.
MeDoc Could be Patient Zero.
Kaspersky just fell short of saying MeDoc was the reason this ransomware attack spread so fast. Others are also fingering MeDoc as being the source of the weakness. MeDoc said only, in an update on its site, that its server had been involved in a virus attack. Most analysts have interpreted the post as MeDoc admitting guilt.
How it Works.
When the malware creeps into a computer, it waits for about 10 minutes before it reboots the computer. After that, the hard disk is encrypted, and a $300 ransom is demanded when the computer restarts. If the computer is switched off before that reboot, the data may still be salvageable, provided a professional handles the restart.
Ukraine Was Hit Hard.
Many news organizations globally report that Ukraine was hit hard. The malware hit metro networks, power companies, government sites, banks, airports, media organizations, and state corporations. Even the radiation monitors at Chernobyl were not spared.
One of the reasons WCry was killed off was that its developers hard-coded a kill switch into it. However, researchers are concerned that there may be no simple solution to stopping the spread this time.
Reports of Windows 10 Attacks.
Some reports indicate that it was able to attack an updated Windows 10 computer. Besides that, it is said that the computer had a working anti-virus installed and had the SMBv1 protocol switched off.
It Is Also Stealing Credentials.
This new strain is targeting the master boot record of computers. It is an important structure on the disk, which allows the computer to locate the OS and other important components. However, it also delivers a payload that steals usernames and passwords and sends them to a server under the control of the attackers. That means the attackers could be in possession of high-value data.
The attack was initially limited to Ukraine and Russia. However, it soon spread to Poland and then to Italy, Spain, France, US, and India. Major law firms and other companies in the UK said that their systems were under attack.
Peculiar Attack.
Victims of the attack were told that they had to email payment details. Within a few hours, the email address went down. That made it impossible for those who had paid the money to recover data. This led to speculation that the aim of the attack was destruction, not money.
What Can You Do to Stay Safe?
There are a few steps that computer users can take to stay safe. They are actually quite effective.
· Question All Attachments.
In a world where digital spoofing is so easy, do not trust anything. Do not open an attachment unless you were expecting it to arrive. If you feel you must open it, use your phone to call the person so that you can verify they sent an email to you.
· Do not click Links in an Email.
Before opening a link, position the cursor over it. If the URL is different from the text over it, avoid opening it. Besides that, use your phone to confirm any link sent to you.
· Be Attentive.
If an email uses language that suggests urgency, you should be quite cautious about clicking on it. If an email offers something to you for clicking the email, avoid it. Additionally, any email that seeks to generate some emotional response from you needs to be watched carefully.
· Stay Focused on Your Work.
Avoid receiving funny cat videos from your friends all the time. It is possible to receive a video file that carries malicious code. Unless your job involves studying cats, avoid unnecessary downloads at all times.
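The “hover over the link” tip above can be automated for a whole mailbox: the real target of a link lives in the `href`, while the text the reader sees is whatever the sender chose to display. The following Python script is an added example (not code from the original article) that parses an HTML email body, keeps every anchor whose visible text itself looks like a URL or domain, and flags the ones whose displayed domain differs from the domain the link actually points to. The sample email body, its domains and the `suspicious_links` function are all constructed for this illustration.

```python
"""Flag anchors in an HTML email whose visible text advertises one domain
while the href points at another. Added example; constructed sample data."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible_text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible text that reads like a link: optional scheme, a dotted host, optional path.
_LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


def _host(value: str) -> str:
    """Lower-cased host of a URL or bare domain, with a leading 'www.' removed."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value           # let urlparse see a bare domain as a URL
    host = (urlparse(value).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def suspicious_links(html_body: str) -> list:
    """Return anchors whose displayed domain does not match the href's domain."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.anchors:
        if not _LOOKS_LIKE_URL.match(text):
            continue                        # "click here" gives nothing to compare
        if _host(text) != _host(href):
            findings.append({
                "text": text,
                "href": href,
                "reason": "displayed domain differs from real target",
            })
    return findings


# Constructed sample body; example.com / example.net / example.org are reserved test names.
SAMPLE_EMAIL = """
<p>Your account will be locked in 24 hours.</p>
<a href="http://login-verify.example.net/reset">https://www.mybank.example.com/login</a>
<a href="https://www.mybank.example.com/help">www.mybank.example.com/help</a>
<a href="http://tracking.example.org/x">Click here</a>
"""

if __name__ == "__main__":
    for hit in suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: shows {hit['text']!r} but goes to {hit['href']!r}")
```

Only the first anchor is reported: its text shows the bank’s domain while the href leads to a different one. The second anchor’s text and target agree, and the third has no domain in its visible text, so a mismatch check cannot apply to it; those links still deserve the phone-call verification the article recommends.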
Most importantly, never pay any ransom. There is no guarantee you will receive the decryption key.
by Felicien | Jun 28, 2017 | Education
Don’t let a phishing spear take your automotive dealership down. Make sure your employees know that cyber attacks lurk in email and social media, too.
Back when cyber security was in its infancy, IT departments regularly warned employees against the dangers of clicking on links in an email from an unknown sender. While most people can now spot a phishing email with ease, the focus from hackers is shifting to social media. Think about it: where else do you store a mass quantity of personal information with relatively minimal security? Many social media users don’t realize exactly how much information they are sharing with individuals who may mean them harm. Today, cyber security professionals agree that the biggest threat to your organization’s security may be an employee or a vendor who is “harmlessly” browsing social media at work.
Spear Phishing Attacks
With the rise of social media comes a new form of attack, called spear phishing. This attack is a play on the original phishing attacks that spread a broad net looking for someone to take a nibble — while spear phishing is targeted directly at a person of interest to the hacker. The cyber criminal spends time online getting to know the target — getting details about their posting habits, where they like to visit, where they work, members of their family — before launching a very targeted attack. These incursions are often directed at someone close to the person of interest, such as a spouse or significant other. The hacker then creates a special offer that may seem too good to be true to encourage the target to click through to get more information, and then uses that new relationship to gather personal information such as login names and passwords. These details are then used to break into the auto dealership’s networks to hit the mother lode of personal information found there.
Personally Identifiable Information
The key target for many phishing attacks is personally identifiable information (PII) and bank account numbers. Since auto dealerships have to gather much of this information in order to complete a sale, they are now prime targets for cyber criminals. Once a criminal gains access to the organization’s network, they are able to plow through enormous amounts of data in a very short period of time — making it difficult to stop the incursion before the damage is done.
Limitations of Liability
Unfortunately, if an auto dealership or any other organization is infiltrated, that company is potentially liable for damages from the attack. Perhaps the best way to prevent this from happening is to stop the attack in the first place by adequate training of team members and a solid security infrastructure that includes regular testing. Ensuring that all Microsoft and other hardware and software security patches are in place may also help prevent or lessen the damage from attacks. In addition, dealerships and other organizations may purchase cyber liability insurance, to cover the organization’s liability in the event of a widespread cyber attack.
Preventing Cyber Attacks
Aside from instructing staff members to never click on social media ads while they’re at work or on any machine or device that can connect to the company network, there are several things you can do to limit the possibility of a cyber attack.
Counsel your teams to never respond to requests for their password or user information, regardless of where the question comes from. This includes phone, email, social media and websites.
Institute an aggressive schedule for updating passwords within your network, and add stringent standards around employee password creation.
Keep all firewalls, security patches and updates and network security software up-to-date. While this may not keep spear phishers completely out of your organization, it may slow them down and will stop some of them.
Notify staff members of the dangers of having a public profile on social media. While it may be fun to connect with people from around the world, it’s important to educate your staff about how personally identifiable information is gathered on social media.
Once one individual within your network is compromised, the attack will quickly spread between computers and networks. People tend to trust information that comes from family or a close friend, but it’s important to educate staff that this type of attack is very wily and can fool even the wariest individuals.
Catching Problems Early
Many organizations will suffer some type of cyber attack, but what are the steps that can prevent further damage? Early warning signals are critical to ensuring that the majority of your business stays protected even during an attack and that the duration and extent of the attack is limited as much as possible. Technology firms excel at creating specialized detection and notification systems that, along with user education, can be utilized to help counter the damage caused by spear phishing. Unfortunately, these attacks can happen very quickly, and once you click on an enticing ad within social media, you may have already infected your system. It’s important that auto dealerships and other organizations do not bury their heads in the sand and ignore the problem — because it is only growing in size and scope. Without adequate safeguards in place to detect or deter attacks, businesses of all sizes are vulnerable to these unscrupulous individuals.
After the massive cyber attack on Target’s personal customer information in 2013 that was caused by one of the organization’s refrigeration vendors, cyber security professionals are much more cautious about the possibility of a repeat performance by hackers. While the security attacks that get the majority of the national media attention are the widespread attacks that target anyone who will listen and click, the spear phishing attacks are much more insidious and personalized. By utilizing the personal information of the target, hackers are constantly looking for ways to slide under the defenses of the host organization.
Don’t let these insider threats damage your business and reputation. Instead, work with {company} to fully define a security structure that works for your business. Contact us today by calling {phone} or sending an email to {email}, and our cyber security professionals will work with you to ensure your organization is well-protected from spear phishing and other advanced cyber threats.
by Felicien | Jun 28, 2017 | Education
Work/life balance isn’t just about wellness: Here’s how data systems are an integral part of the puzzle.
The work/life balance used to be primarily about wellness benefits – what sort of health perks to offer at work, how to encourage people to take time off, and more. But now that the concept of a work/life balance has become more integrated into company strategies, we’re seeing that a surprisingly important part of the balance is the data systems that you and your company use: IT is an integral part of your wellness strategy! Here are the top ways that new data solutions and applications can impact your current workspace in stress-reducing ways.
1. Setting Personal Goals
Personal goals are surprisingly important for work/life balance and have become a common piece of advice for busy professionals who are looking at ways to reduce their stress and help clear up their schedules. While it may seem odd to write down more goals as a way of relieving stress, it certainly appears to work: writing new goals, especially at night, allows you to get rid of worries you’ve accumulated throughout the day, and often leads to better sleep and more confident morning preparations. Of course, taking time to write a few goals every night can get tiresome, which is where technology steps in to help. Why not use an app like Microsoft To-Do that makes goal-creation and lists easy while also tying into Outlook and other common business software? List apps and calendars aren’t just there for organization; they also play an important role in stress relief.
2. Locking Away Distractions
A few years ago a new category of apps gained a lot of popularity – apps that blocked distractions from people who really needed to get work done instead of surfing Facebook for the 15th time or composing the perfect message on Reddit. These anti-distraction apps still have a place, and are now quite versatile, allowing you to add a surprising amount of productive time to your day – and isn’t that what everyone wants? Incorporate smart, selective blocking at work (which most modern companies need to be doing anyway, and not just with the X-rated content), and you can also see productivity rise among your employees. It’s also easy to find more personal, customizable apps for limiting time spent on specific sites based on your own habits.
3. Automating Email Replies to Reduce Stress
Even the simplest email clients available these days offer automation features, from Gmail’s mobile ability to create short automatic responses to categorization options that allow you to apply complex filters based on sender or subject. We highly advise you to take advantage of these tools and make them a common part of the workplace. One of the common work stressors is a long list of unanswered emails: It’s a feeling everyone hates, and it frequently leads to avoiding your inbox or ignoring emails for far too long, both at work and at home. Bringing in some automated tools and voice assistants like Cortana can make a huge difference when dealing with busy email inboxes.
4. Remote Work and Scheduling Options
Remote work and flexible scheduling have been vital parts of work/life strategies, allowing employees to plan their work life around the immovable parts of their personal lives, leading to a lot less worry and a lot more flexible thinking when completing projects. Data systems are one of the most important tools available for making flexible and remote work options available to employees. It just isn’t possible to easily schedule and reschedule or monitor teams no matter where they are working from without modern management software (Microsoft Teams is currently one of the top examples).
5. Digital Spaces for Workplace Fulfillment
It is understandable – and productive – if you block something like Facebook at the workplace. But that doesn’t mean employees cannot benefit from a social space: Indeed, a shared digital space can be very valuable when it comes to quick discussions, feeling like part of the company community, and keeping interested in the latest news and developments. We suggest adopting a company social space like Yammer so that employees understand their connection to the company and adopt better workplace relationships.
6. Reminders for Breaks, Meals, and Healthy Living
Speaking of scheduling and communication systems, it’s also a good idea to update these systems with broad types of company reminders. Those 10-15 minute breaks, lunches, and health benefits work a lot better if you move them from orientation into the workplace itself with a set of wellness alerts to remind employees to, well, take a break. Many of the tools we have already talked about allow you to set up these types of alerts.
7. Metrics that Encourage Goal-Oriented Work
What do your current metrics study? If they focus primarily on hours and overtime worked, then you may want to rethink your goals. A number of companies are beginning to move more to a results-focused model that seeks to measure how much work employees are actually accomplishing rather than how much time they are spending at work – time that may or may not be spent working. The rise of the gig economy has helped this trend a lot, and it’s a great way for companies to check on productivity while also ensuring that employees are rewarded for completing goals and have the flexibility they need at work.
8. Automated Management of Benefits
Wellness perks can provide real help to employees – if employees know they exist, and how they work. If it’s been a while since HR has updated benefit systems, then some of the best wellness benefits may be languishing because people don’t really know how they work, how to sign up, or how it will affect their workflow. Data systems can easily automate and provide quick web forms, alerts, and other features for benefits including maternity leave, childcare, time off, yoga classes, and much more. Take advantage of technology!
Of course, your {city} workplace also has unique work/life balance challenges and goals. To find out more about what services {company} offers and how we can help you, contact us at {phone} or {email} to discuss our services.
by Felicien | Jun 28, 2017 | Education
Discover four tried and proven ways to keep your company’s computer systems and data safe and secure from cyber-criminals
A high standard of cybersecurity can mean the difference between a thriving, successful business and one that is crippled by lost data and/or customer lawsuits stemming from hacked information that is subsequently leaked or misused. Fortunately, securing important data and keeping it out of reach of hackers is not as complicated as it may seem. After working with numerous companies from a large variety of industries, I have come to the conclusion that there are really only four vital things you need to do to protect yourself from a cyber-attack.
Provide Employee Training
Both industry and government reports make it clear that over 90% of all cyber-attacks start with a hacker either successfully stealing access credentials or tricking an employee into providing access to a company computer system. Given this fact, it is clear that providing clear, ongoing cyber security training to employees is a must. Naturally, those who handle sensitive information will likely need more detailed training than those who don’t regularly use the company computer; even so, every single employee should know how to spot phishing attacks such as:
Email requests asking for log-in information, a request to transfer money or any other email that would require one to divulge important information online. Even requests from a boss’ email address are suspect and should be verified in person or over the phone.
Pop-up messages with interesting links that seem too good to be passed up
Emails claiming to come from an email server and asking for log-in information
Each person should have a personal username and password to access the company system. Passwords should never be typed in a text file or written on a piece of paper. Furthermore, employees should not be permitted to access personal email or social media accounts on company computers during work hours.
Continually Update Security Software
New viruses, Trojans, malware, worms and other malicious programs are created and disseminated all the time. Thankfully, a good security software program will keep up with new threats and provide regular software updates to thwart new types of attacks. However, these updates won’t do you any good unless you install them. Have someone in charge of making sure the security system on a company’s computer is always up to date. If there is no one in your company that can handle this task, consider outsourcing it to a reliable third party. At {company}, we have many years of experience with not only updating security software but also providing custom security software solutions to meet your specific needs.
Protect Mobile Devices
Ideally, it is best for employees not to use a personal mobile device for company business. Many personal mobile devices are not fully password protected and hackers can easily steal information by either stealing the phone itself or accessing information when a user is on a public network. Furthermore, many people use a mobile device to check personal emails, increasing the risk of a phishing or Trojan horse attack.
To prevent this problem, provide company employees who need a mobile device to use for company purposes with a company mobile phone. All data on such a device should be encrypted at all times and the device itself should be protected with a unique password that is different from an employee’s company account password. Additionally, employees should never install new apps on a company mobile device without express permission from a superior.
Make it clear to employees using a company mobile phone that the loss or theft of a company mobile device should be reported not only to the police but also your company. If such a device is stolen, immediately secure all information that could be compromised even if the device itself is recovered.
Backup Your Data
Ransomware is fast becoming one of the most common types of cyber-attack. Unlike other cyber attacks that are often conducted in secret, ransomware is in your face and you can’t miss it. All information will be immediately encrypted and you won’t be able to access it unless you pay the cyber criminal the amount of money that he or she is demanding.
To prevent this and other types of data loss stemming from cyber attacks, it is important to back up your data on a regular basis. Even so, be aware that not all data backup plans are equal; some are far better than others. A backup device that is always connected to your computer and regularly backs up data as it changes is convenient and helps you keep your backup system up to date; however, it is also vulnerable to ransomware attacks. Such devices will automatically back up the encrypted versions of your files if you are hit with a ransomware attack, overwriting the good copies and leaving you without access to any of your data.
Backing up data onto the cloud can be a good option, but only if the cloud service provider offers a secure account that will not only protect your files while they are stored with the provider but also encrypt your files as they are sent to and from your company server. An external backup device that is only plugged in once a day to back up your data is a good option, as hackers can’t access the device while it is disconnected.
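The difference between the two backup styles described above is easiest to see by running both through the same ransomware event. The Python script below is an added illustration, not code from the article or from any backup product: a mirror-style sync that keeps the backup identical to the live folder (the always-connected device) is placed beside a snapshot scheme that writes each run into a new, never-modified directory (the behaviour an offline or versioned backup gives you). The ransomware step is simulated by overwriting file contents with random bytes and appending a `.locked` suffix; all paths and file contents are constructed inside a temporary directory.

```python
"""Mirror-style sync versus versioned snapshots under a simulated ransomware
event. Added example; every file, path and content here is constructed."""
import os
import shutil
import tempfile
from pathlib import Path


def mirror_sync(src: Path, dest: Path) -> None:
    """Always-connected style backup: dest is made identical to src.
    Whatever src holds now, including encrypted files, replaces the old copy."""
    if dest.exists():
        shutil.rmtree(dest)
    shutil.copytree(src, dest)


def take_snapshot(src: Path, store: Path) -> Path:
    """Versioned backup: each run lands in a fresh numbered directory and
    earlier snapshots are never touched again."""
    store.mkdir(parents=True, exist_ok=True)
    count = sum(1 for p in store.iterdir() if p.is_dir())
    snap = store / f"snap-{count + 1:04d}"
    shutil.copytree(src, snap)
    return snap


def restore_snapshot(snap: Path, dest: Path) -> None:
    """Bring a chosen snapshot back as the live data."""
    if dest.exists():
        shutil.rmtree(dest)
    shutil.copytree(snap, dest)


def simulate_ransomware(target: Path) -> None:
    """Stand-in for an encryptor: replace each file's bytes with junk of a
    similar size and rename it with a .locked suffix. No real cipher is used."""
    for f in list(target.rglob("*")):
        if f.is_file():
            f.write_bytes(os.urandom(f.stat().st_size + 16))
            f.rename(f.with_name(f.name + ".locked"))


def run_scenario() -> dict:
    """Day 1: good data, both backups run. Day 2: ransomware, both run again.
    Returns what each backup style can still give back."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, mirror = root / "data", root / "mirror"
        store, recovered = root / "snapshots", root / "recovered"
        src.mkdir()
        (src / "invoices.csv").write_text("id,amount\n1,300\n")   # constructed content
        (src / "notes.txt").write_text("quarterly plan\n")

        mirror_sync(src, mirror)
        good_snapshot = take_snapshot(src, store)

        simulate_ransomware(src)
        mirror_sync(src, mirror)     # the mirror now holds only .locked junk
        take_snapshot(src, store)    # snap-0002 holds junk; snap-0001 is untouched

        restore_snapshot(good_snapshot, recovered)
        return {
            "mirror_has_originals": (mirror / "invoices.csv").exists(),
            "mirror_locked_files": sorted(p.name for p in mirror.iterdir()),
            "snapshot_count": sum(1 for p in store.iterdir() if p.is_dir()),
            "recovered_invoices": (recovered / "invoices.csv").read_text(),
        }


if __name__ == "__main__":
    result = run_scenario()
    print("mirror still has originals:", result["mirror_has_originals"])
    print("mirror contents:", result["mirror_locked_files"])
    print("recovered from snapshot:", repr(result["recovered_invoices"]))
```

After the second sync the mirror contains nothing but `.locked` files, exactly the outcome the paragraph warns about, while the first snapshot restores the original invoices intact. A real scheme adds what this toy omits: the snapshot store must itself be unreachable from the infected machine (disconnected, or write-once), and restores should be rehearsed before they are needed.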
Naturally, it will take time and money to fully secure your company computers to avoid cyber attacks; however, the effort is more than worth it, as even a single serious attack can wipe out years of hard work. If you don’t have the time, or don’t feel you are tech-savvy enough, to protect your valuable company data from malicious third parties, get in touch with us at {email} or {phone}. {company} has all the tools and experience you need to keep your systems secure both now and in the future.