As security professionals, we’ve been saying this so long that it’s become a bit cliché:  Users are your biggest threat to security and therefore business continuity.  Nevertheless, it remains true.  Sometimes, an employee’s desire to be helpful is exactly what a malicious actor will use to gain access to sensitive information.  Other times, the gullibility of users proves useful.  Then again, the desire to keep security simple and convenient (remembering passwords) creates an opportunity to exploit.  All this being the case, why is it that so few companies choose to invest in educating their users on what’s at stake and how to reduce the odds of becoming a cybersecurity victim?

There are many reasons for this, but most commonly it’s the business owner’s ignorance of the threats posed and what’s at stake for their business.  According to Inc Magazine, nearly 60% of all small businesses close within 6 months of falling victim to a cyberattack.  Yes, cybersecurity poses an existential threat to small and medium sized businesses. 

One cliché that proves false regarding cybersecurity is “If it isn’t broke, don’t fix it.”  Many businesses are playing digital roulette with their cybersecurity posture.  Business owners think that since they haven’t been attacked yet, they aren’t at risk of falling prey to an attack.  The truth is, though, that every company is one click away from a successful attack.  All it takes is an errant click on one email attachment or malicious banner ad on a website to open the gates.

Some business owners think they have a firewall and other protections in place, so they are covered.  What makes the user so critical in securing the network is that users are easier to “hack” than networks.  Users are now the front line of digital security.  They are the target, because malicious actors know that the internal user is a trusted agent on networks and Cloud platforms.  By default, and generally for good reason, actions that originate from an internal user within the boundary of a network or application platform are trusted actions.  Thus, if a malicious actor can get behind that trusted perimeter, they will generally have free rein to launch their attack.  Most companies can’t even perform a post-mortem on an attack, because they never turned on audit logging before the incident, and you cannot reconstruct what you did not record.

What happens next?  Often, once behind the secured perimeter, the attacker lays low and surveils.  They will often siphon sensitive data, disable data protections, and plan out their attack to have the greatest negative impact upon your business.  They realize that you must be desperate if you are going to pay a lot of money to regain access to your information or to avoid public embarrassment.  Even if you can get your information back, many times the reputation hit your company takes from getting breached is enough to pose an existential threat to a company.  The bad actors know this, and they will look to exploit every way possible in order to get paid.

So what can you do to protect your business?

  1. Invest in security awareness training for your users.

This is a very simple and first step to take.  You can vary your tactics to ensure you get the best coverage across all employees/users.  You can use written forms of training and documentation, video training, or even simulations that will give feedback on which users are most susceptible to posing a security threat to the company.  Speak with your trusted security adviser for details on how best to engage your employees with security training.

  2. Invest in products and services that can mitigate the impact of a successful attack.

So many times, we have seen or studied instances where companies had a backup system, but their backup was not ransomware proof (for a variety of reasons).  The usual reason is simple:  a backup that is mounted as a drive letter, or reachable with the same administrator credentials the attacker stole, gets encrypted right along with everything else.  Because of this, those companies were forced to pay thousands of dollars to recover their data from ransomware, either by paying for technical labor to find a way to decrypt it or by paying the bad actors to get their data back.  Discuss your backup plan with your trusted security adviser to ensure you are completely protected, and that you have everything in place to mitigate the loss of data in a ransomware attack scenario:  at least one copy kept offline or immutable, and a restore that has actually been tested, not just a backup job that reports success.  Also, verify with your security advisers that you have tools in place to identify and mitigate attacks as quickly as possible, as well as provide an audit trail for permissions use.  Your business needs vary depending on your attack surface, which differs from company to company.  There’s no good one-size-fits-all approach to security.

  3. Start writing policies and procedures for responding to an attack.

Just like anything else in business, whenever you invest the time to plan ahead for a security event, you’ll be more prepared to cope with a security incident.  Even if the plan isn’t perfect, you will fare better than those who are “winging it” with no plan at all.  The race to the South Pole between Roald Amundsen and Robert Falcon Scott, about which numerous books have been written, highlights the necessity of planning even when reality plays out differently, which inevitably it will.

The reason we use language like “start writing” is because as quickly as technology is evolving and changing, there will always be a need to refine and expand your policies/processes.  It is imperative to commit to maintaining an updated plan for how to respond to a security event within your organization.

  4. Build protections in your finance department and bank for any transaction above a specified amount.

Your banking or trusted financial institution can put policies in place to authorize the transfer of funds above certain amounts, for example requiring a second approver inside your company, or a callback to a phone number already on file, before a transfer above your threshold is released.  This can protect you from unauthorized wire transfers and other large payouts of funds, should a hacker gain access to your financial accounts or trick an employee into “updating” a vendor’s bank details.  Your banking institution wants you to avoid losing money as much as you do, as their reputation is at stake in such an instance.  Be sure to discuss best practices with your trusted finance adviser for how to avoid such scenarios.

  5. Discuss cybersecurity insurance options with your trusted insurance provider.

Cybersecurity insurance is fairly new in the insurance industry, so it is still evolving and adjusting to ensure viability and sustainability.  Many insurance providers now require a security audit and proof that other protections (MFA, backups, endpoint protection) are in place to mitigate risk on their end.  Nevertheless, if you put too much stock in your insurance plan rather than taking actions to strengthen security in your organization, you could find yourself in a situation where the insurance provider claims willful negligence and declines to pay out after a breach.  In order to protect yourself from such a claim, you must be able to demonstrate good faith efforts to protect yourself from security incidents, which in practice means keeping records of what controls you put in place and when.

  6. Finally, make your security mandates as convenient for the user as possible.

If your security measures are too inconvenient for the end user, they will find ways to circumvent them and expose your company to unnecessary risk.  For instance, there are much easier ways to enforce multi-factor authentication for users today.  A lot of users were frustrated by the cumbersomeness of multi-factor authentication in its early phases.  Today, with authenticator apps, and with passwordless options such as passkeys (FIDO2) that also resist phishing because the credential only works on the genuine site, it is easier than ever to verify the identity of your users and protect your organization from the vast majority of credential-based attacks.  Again, users will find creative ways to circumvent annoying security requirements and expose the company to risk, so this is a vital component in today’s marketplace.

In conclusion, don’t gamble with your company’s existence.  There are ways to protect your business from these bad actors that won’t break the bank.  Most industries require less than 5% of gross revenue to ensure their business is protected against the malicious hackers of the world.  While there is no silver bullet that will protect you completely, you can mitigate the effects and ensure business continuity despite a successful attack.  If you need some assistance with knowing where to start with business security and continuity planning, feel free to reach out to TCS for assistance.  We can assess where you are, where you need to be, and roadmap a plan to get there over a timeframe that works best for your organization.

We’ve all heard the latest security mantra these days:  it’s not a matter of if you will face a Cybersecurity event – it’s only a matter of when.  We at TCS have seen a marked increase in the number of successful attacks recently.  Unfortunately, some of them didn’t need to happen.  Very simple things could have been done to mitigate the effectiveness of the attack, and those things were ignored despite our warnings.  Here is a list of things you can do to help secure your business from malicious attacks:

#1:  End User Security Awareness Training

The number one rule in all Cybersecurity is that your users are your #1 security vulnerability.  After all, good businesses usually train their employees to be super helpful and accommodating.  Malicious actors use that good-natured helpfulness to help themselves right into your network. 

Since the #1 security threat is your end user, the #1 thing you can do is train your users to identify both low-tech and high-tech phishing attacks.

Low-tech phishing attacks:  Using the phone, letters in the mail, or other forms of low technology to attempt to gain information (passwords, account numbers, who approves payments) that can later be used against you.

High-tech phishing attacks:  Using email, banner ads, social media posts, etc. to dupe unsuspecting users into giving them access to information or systems that they can exploit.

#2:  Multi-factor Authentication (MFA or the older 2FA)

These days multifactor authentication can be built into just about any login.  There are different types of MFA, though.  Some applications of MFA and 2FA in the past have been very cumbersome, to say the least.  However, just as with anything, progress has been made over time to streamline those historic barriers.  For instance, most MFA applications now give you the option to remember trusted devices.  With a trusted device, the end user doesn’t have to complete MFA every time they log in from it; MFA is only required when someone tries to log in from a new, untrusted device.  Understand what “trusted” means here:  after one successful MFA the service stores a token on that device, and anyone who holds the device (or a copy of that browser session) inherits the exemption, so keep the remember-me window short and revoke the device the moment it is lost.  This type of scenario works well for someone who primarily uses a single device that is secured behind a next-generation firewall in an office with limited access.

Why is this so important, though?  Because phishing attacks have become so convincing that they sometimes get even the most well-educated user.  In this case, even if a malicious actor obtains the login credentials, those credentials would only be effective from the single trusted computer.  That gives your next-generation firewall and endpoint security software the opportunity to detect the malicious actions before they do any harm.  If the login is attempted from a non-trusted computer, the malicious actor will not have the second factor needed to complete the login, even with the correct username and password.  One caveat:  one-time codes and push approvals can themselves be phished by a fake login page that relays them to the real site in real time, so where the option exists, prefer phishing-resistant factors (FIDO2 security keys or passkeys), and teach users never to approve a prompt they did not initiate.
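To make the trusted-device flow above concrete, here is an added Python illustration.  It is not TCS code or any vendor’s implementation:  a TOTP second factor as authenticator apps generate it (RFC 6238), plus a remembered-device exemption that expires and can be revoked.  The user name, password, device IDs and 30-day trust window are constructed assumptions; the TOTP secret is the RFC 6238 test key so the generated codes can be checked against the published test vectors.

```python
"""TOTP second factor (RFC 6238) with a remembered-device exemption.

Added illustration. Users, passwords, device IDs and the 30-day trust window
are constructed; the TOTP secret is the RFC 6238 test key.
"""
import hashlib
import hmac
import struct
import time

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with SHA-1, the default in authenticator apps."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """Time-based variant: the counter is the number of 30-second steps since the epoch."""
    return hotp(secret, int(at // step), digits)

def verify_totp(secret: bytes, code: str, at: float, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to absorb clock drift."""
    counter = int(at // 30)
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in range(counter - window, counter + window + 1))

TRUST_TTL = 30 * 24 * 3600          # assumption: remember a device for 30 days
PBKDF2_ROUNDS = 100_000

class Authenticator:
    def __init__(self):
        self.users = {}      # username -> (salt, password hash, totp secret)
        self.trusted = {}    # (username, device_id) -> trust expiry (epoch seconds)

    def add_user(self, username, password, totp_secret):
        salt = b"demo-salt-" + username.encode()   # demo only; use os.urandom(16) in production
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.users[username] = (salt, pw_hash, totp_secret)

    def _password_ok(self, username, password):
        rec = self.users.get(username)
        if rec is None:
            return False
        salt, pw_hash, _ = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, pw_hash)

    def login(self, username, password, device_id, code=None, remember=False, now=None):
        now = time.time() if now is None else now
        if not self._password_ok(username, password):
            return "denied: bad credentials"
        if self.trusted.get((username, device_id), 0) > now:
            return "ok: trusted device"            # first factor only; see caveat below
        secret = self.users[username][2]
        if code is None or not verify_totp(secret, code, now):
            return "denied: second factor required"
        if remember:
            self.trusted[(username, device_id)] = now + TRUST_TTL
        return "ok: second factor verified"

    def revoke_device(self, username, device_id):
        """Call this when a laptop is lost or a session is suspected stolen."""
        self.trusted.pop((username, device_id), None)

if __name__ == "__main__":
    secret = b"12345678901234567890"            # RFC 6238 test key
    print(totp(secret, 59, digits=8))           # 94287082 per RFC 6238 Appendix B
    auth = Authenticator()
    auth.add_user("alice", "correct horse battery", secret)
    t = 1_234_567_890
    print(auth.login("alice", "correct horse battery", "laptop", now=t))
    print(auth.login("alice", "correct horse battery", "laptop", code=totp(secret, t), remember=True, now=t))
    print(auth.login("alice", "correct horse battery", "laptop", now=t + 3600))
    print(auth.login("alice", "correct horse battery", "attacker-pc", now=t + 3600))
```

The last two calls are the whole point:  a stolen password typed from an unregistered machine is refused, while the same password on the remembered laptop is accepted without a code.  That is exactly why the trust entry must expire and why `revoke_device` has to be part of your lost-device procedure.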

#3:  Anti-phishing Protection for Your Email Server

While phishing attacks occur through both low- and high-tech media, the easiest and most common is through email.  Having a scanner sitting in front of your mailboxes that filters out phishing attempts before they get to your end-user’s Inbox is another layer of protection you can employ that doesn’t cost a lot of money.  Most anti-phishing scanners can also stamp a banner on messages that came from outside the organization, to raise the end-user’s suspicion before clicking any links or opening any attachments.

#4:  Proper Microsoft 365 Domain and DNS Setup

Most people don’t realize that Microsoft provides several ways to help protect against another common form of attack – impersonation.  A lot of malicious actors have found that if they can make their email look like it’s coming from someone within your organization, by copying their email signature, mimicking the sender’s name, and sometimes even forging your domain in the sender address or relaying the email through your own mail server, they can trick users into doing things they otherwise wouldn’t.  The DNS side of those protections is SPF (which servers are allowed to send mail for your domain), DKIM (a signature proving the message left Microsoft 365 unaltered), and DMARC (what receivers should do with mail that fails both; ideally p=reject, not the p=none that most domains are left at).  Defender for Office 365 adds impersonation rules on top for look-alike display names and domains that DNS records cannot catch.  Properly setting up those Microsoft protections helps you guard against phishing attempts that rely on impersonation.
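The following Python is an added illustration of how those three DNS records are read on the receiving side; it is not Microsoft’s code or TCS’s.  It grades a domain’s SPF, DKIM and DMARC setup, then computes the DMARC disposition for a single message whose From: header claims your domain.  The records for example.com and weak.example are constructed (no DNS lookups are made); the selector1/selector2 CNAME targets follow the naming pattern Microsoft 365 documents, but the tenant name “contoso” is made up.  The organizational-domain logic is simplified to the last two labels, where a real validator consults the Public Suffix List.

```python
"""Grade a domain's SPF/DKIM/DMARC setup and compute a DMARC verdict.

Added illustration with constructed DNS data; no network lookups are made.
"""
import re

# Constructed stand-in for DNS. example.com is set up the way Microsoft 365
# documentation describes; weak.example shows the common half-finished state.
DNS_TXT = {
    "example.com": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "weak.example": ["v=spf1 include:spf.protection.outlook.com ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
}
DNS_CNAME = {  # tenant name "contoso" is made up
    "selector1._domainkey.example.com": "selector1-example-com._domainkey.contoso.onmicrosoft.com",
    "selector2._domainkey.example.com": "selector2-example-com._domainkey.contoso.onmicrosoft.com",
}

def spf_findings(domain):
    """Return a list of problems with the domain's SPF record (empty list = good)."""
    recs = [r for r in DNS_TXT.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(recs) != 1:
        return ["missing SPF record" if not recs else "multiple SPF records (invalid)"]
    terms = [t.lower() for t in recs[0].split()[1:]]
    findings = []
    if "include:spf.protection.outlook.com" not in terms:
        findings.append("SPF does not include Microsoft 365 senders")
    alls = [t for t in terms if re.fullmatch(r"[+\-~?]?all", t)]
    if not alls:
        findings.append("SPF has no 'all' mechanism")
    elif alls[-1] != "-all":
        findings.append(f"SPF ends in {alls[-1]}; use -all so forged mail hard-fails")
    return findings

def dkim_findings(domain):
    """Microsoft 365 signs with two rotating selectors; both CNAMEs must exist."""
    return [f"no DKIM CNAME for {s}" for s in ("selector1", "selector2")
            if f"{s}._domainkey.{domain}" not in DNS_CNAME]

def parse_dmarc(domain):
    recs = [r for r in DNS_TXT.get("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")]
    if not recs:
        return None
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def dmarc_findings(domain):
    tags = parse_dmarc(domain)
    if tags is None:
        return ["no DMARC record: receivers cannot tell you forbid spoofing"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy != "reject":
        findings.append(f"DMARC p={policy}: spoofed mail is reported or quarantined, not rejected")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    return findings

def evaluate(domain):
    return {"spf": spf_findings(domain), "dkim": dkim_findings(domain), "dmarc": dmarc_findings(domain)}

def org_domain(host):
    """Simplification: last two labels. Real validators use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def aligned(header_from_domain, authenticated_domain, mode="r"):
    """DMARC identifier alignment: strict (s) needs an exact match, relaxed (r) the same org domain."""
    a, b = header_from_domain.lower(), authenticated_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def dmarc_verdict(header_from_domain, spf_domain, spf_pass, dkim_domain, dkim_pass):
    """Disposition a receiver applies to one message claiming header_from_domain.

    spf_domain is the envelope (MAIL FROM) domain SPF was evaluated on;
    dkim_domain is the d= of a signature that verified. Either one that both
    passes AND aligns with the From: domain satisfies DMARC.
    """
    tags = parse_dmarc(header_from_domain)
    if tags is None:
        return "none"  # no policy published; receiver falls back to its own filtering
    spf_ok = bool(spf_pass and spf_domain and aligned(header_from_domain, spf_domain, tags.get("aspf", "r")))
    dkim_ok = bool(dkim_pass and dkim_domain and aligned(header_from_domain, dkim_domain, tags.get("adkim", "r")))
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none").lower()

if __name__ == "__main__":
    for d in ("example.com", "weak.example"):
        print(d, evaluate(d))
    # Impersonation attempt: From: ceo@example.com, but sent from attacker-owned infrastructure.
    # The attacker's own SPF passes for attacker.example, yet it does not align with example.com.
    print(dmarc_verdict("example.com", spf_domain="attacker.example", spf_pass=True,
                        dkim_domain=None, dkim_pass=False))
```

Note what DMARC does and does not cover:  it stops mail that forges your exact domain, which is why the spoofed “CEO” message gets rejected even though the attacker’s server passed SPF for its own domain.  It does nothing about a message from ceo.yourcompany@gmail.com with your CEO’s display name, or from a look-alike domain; that is what Defender’s impersonation protection and the external-sender banner are for.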

#5:  Password Policies

Yes, it’s 2021 and we shouldn’t even have to cover password policies.  However, Nordpass.com (https://nordpass.com/most-common-passwords-list/) reports that the Top 10 passwords uncovered for 2020 were 123456, 123456789, picture1, password, 12345678, 111111, 123123, 12345, etc.  Yes, it’s enough to make the security expert lose all respect for society at large!  But apparently the message hasn’t gotten across yet.  So we’ll keep on saying the same thing we’ve been saying for over 20 years:  stop using simple passwords!

  1. Passwords need to be at least 8 characters long, and longer is better:  length does more for you than symbols do, so a 14-character passphrase beats an 8-character jumble.
  2. Passwords need to include uppercase, lowercase, numbers, and special characters, and they must not appear on a common-password list like the one above.  Something like “Password1!” satisfies every complexity rule and is still among the first guesses a cracking tool tries.
  3. Passwords need to be unique across all logins.
  4. Password history needs to be enforced to keep users from recycling old passwords.
  5. Passwords need to be changed at least twice a year and ideally once a quarter, and immediately whenever a compromise is suspected.  (Caveat:  current NIST guidance, SP 800-63B, no longer calls for scheduled rotation, because forced changes tend to produce predictable variations like “Spring2021!”; it favors length plus screening new passwords against known-breached lists.  If you keep a rotation schedule, pair it with that screening.)
  6. A little fairy dust and unicorn blood couldn’t hurt, either.  No, just kidding – but not kidding about 1-5.

“But I can’t remember all those passwords!”, you might be thinking.  Neither can I.  That’s why we have password managers, like LastPass or Roboform.  The one password you still have to remember is the manager’s master password, so make it a long passphrase and turn on MFA for the manager itself.  Even if you forget an individual site password, there are easy ways to get it reset securely in a matter of minutes using your email recovery options.  You don’t have to actually remember the passwords anymore.

Bonus Tip:  We always try to overdeliver our promises at TCS.  In that vein, here is a bonus tip – employ geo-filtering on your Microsoft 365 accounts!

When I discuss security with business owners, I generally like to ask this simple question:  Do you want your company to be able to communicate with Russia, North Korea, and other countries known for their malicious internet activity?  I already know the answer to the question for 99% of small and medium sized businesses, but I like to ask it for effect.  With our next generation firewalls and advanced configurations within Microsoft 365 (Conditional Access named locations), we have the ability to block sign-ins and traffic from countries known for their malicious actors.  This is often a simple way to render potential attacks ineffective, as many of those attacks depend upon some server operating in a remote country.  By limiting your communications only to those countries with which you need to interact, you harden yourself against attacks coming from those countries known for their malicious activity.  Treat it as one coarse layer, though, not a wall:  attackers routinely rent servers or VPN exits in the United States and Europe precisely to get around country blocks, so geo-filtering cuts down the noise but must sit alongside MFA and monitoring.

Action Item:  Please take a moment to place a reminder on your calendar to address at least one of these tips above within the next week!  Make this article count!

I’m sure you have all received an email with an urgent matter that needs to be settled today or you could lose money FAST!!!  Yes, those emails should raise some serious red flags in your mind, because the sender is hoping to catch someone in a desperate situation and take advantage of them.

These emails are known as Phishing scams, and they are not limited to emails. They occur on low-tech platforms in the form of phone calls, and they come in higher tech forms like games, social media and webpage ads, emails and texts. Here’s what you need to know about them:

How do phishing attacks work?

Phishing attacks work by presenting some sort of bait to a consumer in the hopes of scamming them for money or information. In emails, they tend to present an urgent situation where if not acted upon immediately will exact some level of harm or inconvenience. Check out this example:

Notice how the email presents an urgent situation – an important delivery was missed.  The bait is presented in the form of a link – click this link to confirm the delivery notice.  HOWEVER, the link is fake!!!  The link will NOT take me to UPS as the text suggests; in this example it leads to a Vietnam-based website instead.  The tell is that the address the link actually points to (visible when you hover over it without clicking) does not match the address it displays.
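That “displayed address doesn’t match the real one” check can be automated.  The following Python is an added illustration, not code from TCS or from any mail filter:  it pulls every link out of an HTML message body and flags the ones whose visible text names a different site than the href, whose hostname is an internationalized (punycode) look-alike, or whose hostname borrows a brand name without being that brand’s domain.  The sample message is constructed to mirror the missed-delivery lure above, not a real phishing sample; the list of brand domains is an assumption, and the organizational-domain logic is simplified to the last two labels.

```python
"""Spot deceptive links in an HTML e-mail body, offline.

Added illustration; the message below is constructed to mirror the missed-
delivery lure, not a real phishing sample.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lure. Link 1 shows a real-looking UPS URL but points elsewhere,
# link 2 is legitimate, link 3 is a look-alike using an internationalized (punycode) host.
SAMPLE_HTML = """
<p>We missed you! Your package could not be delivered. Confirm within 24 hours:</p>
<p><a href="http://ups-tracking.example.vn/confirm?id=123">https://www.ups.com/track</a></p>
<p><a href="https://www.ups.com/help">UPS Help Center</a></p>
<p><a href="https://xn--ups-ehb.com/login">ups.com login</a></p>
"""

BRANDS = {"ups.com"}  # assumption: domains the lure is likely to imitate

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(s):
    """Hostname of a URL, or of bare text that looks like one (else '')."""
    s = s.strip()
    if " " in s or "." not in s:
        return ""
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()

def registrable(host):
    """Simplification: last two labels. Real code would use the Public Suffix List."""
    return ".".join(host.rstrip(".").split(".")[-2:])

def analyze_links(html):
    parser = LinkCollector()
    parser.feed(html)
    results = []
    for href, text in parser.links:
        host = host_of(href)
        reasons = []
        text_host = host_of(text)
        if text_host and registrable(text_host) != registrable(host):
            reasons.append(f"text shows {text_host} but link goes to {host}")
        if any(label.startswith("xn--") for label in host.split(".")):
            reasons.append("internationalized (punycode) hostname, possible look-alike")
        labels = set(re.split(r"[.-]", host))   # "ups-tracking.example.vn" -> {"ups","tracking",...}
        for brand in BRANDS:
            name = brand.split(".")[0]
            if name in labels and registrable(host) != brand:
                reasons.append(f"host borrows the name '{name}' but is not {brand}")
        if href.lower().startswith("http://"):
            reasons.append("unencrypted http link")
        results.append({"href": href, "text": text, "suspicious": bool(reasons), "reasons": reasons})
    return results

if __name__ == "__main__":
    for r in analyze_links(SAMPLE_HTML):
        print("SUSPICIOUS" if r["suspicious"] else "ok        ", r["href"], r["reasons"])
```

The first link is caught three ways at once, which is typical of real lures; the third is caught even though its visible text is harmless, because the hostname itself is the deception.  A mail gateway applies the same idea at scale, and the hover check in the paragraph above is the manual version of the first test.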

How can I protect myself?

You need to take the following steps to protect yourself (we’ll start with the obvious):

  1. Keep Windows updated with the latest security updates.
  2. Install an active malware protection suite on all your smart devices – YES, even your Apple devices. Contrary to popular lore, Apple devices can get viruses and malware.
  3. Be alert and learn to identify the bait! The bait can come in various forms, and these scammers are getting really clever! Sometimes, they will even deliver on the content or offer they presented, but in the process they obtained an important login credential or installed some bit of malware encoded in the delivery process. Remember: anything that looks too good to be true probably is, especially on the Internet.
  4. Don’t give out any important information over the phone, by email or text. 
  5. Don’t open attachments you haven’t personally requested. Even then, it’s not the best idea. It’s easy to share files from cloud accounts like OneDrive, Dropbox, DattoDrive and the like; and that’s safer than using attachments.

Note: Neither Microsoft nor Apple will call you and request control of your computer! That is a popular phishing scam.

Yield not to temptation!

Those ads can be so tempting, right? No, I’m not referring to girly ads, though they would apply. You know…those ads that offer you the latest unclassified intel on JFK’s murder, or behind-the-scenes Woodstock photos never before seen, or Marilyn Monroe secrets revealed (how old does FB think I am?!!!). It’s not worth the risk! Don’t click on those ads. At best, they will disappoint. At worst, you just got baited and hooked!

But you don’t understand, this could be REAL!!!

OK, so yesterday you didn’t buy local like you were supposed to and ordered something off of Amazon. Today, you get an email from Amazon (supposedly) stating your recent order didn’t process properly, and you are going to miss out on that new pair of boots without which you absolutely cannot live! 

Yes, I realize the importance – here’s what you DON’T DO: for the love of all that is good, DO NOT click on any links in that email! Instead, open a new browser session and navigate to Amazon’s website directly.  From there, you can look at your order history. That’s the safest way to know for sure you are not taking the bait.

Report scams!

Microsoft has provided these excellent options for reporting scams (a direct link to all this information is provided below):

How to report a scam

You can use Microsoft tools to report a suspected scam.

  • Outlook.Live.com – If you receive a suspicious email message that asks for personal information, click the check box next to the message in your Outlook inbox. Click the arrow next to Security Options and then choose Phishing.
  • Microsoft Office Outlook – If you have a business email account and need next-level Anti-Phishing protection, contact TCS on how we can provide the best protection. We can also perform security awareness training drills that will help you score your employee security awareness levels with recommended training for those who need it.

You can also download the Microsoft Junk E-mail Reporting Add-in for Microsoft Office Outlook.

How to report tech support scams

Whenever you receive a phone call or see a pop-up window on your PC and feel uncertain whether it is from someone at Microsoft, don’t take the risk. Reach out directly to one of our technical support experts dedicated to helping you at Total Computer Solutions.