Our next topic for Nation Cyber Security Awareness Month (NCSAM) focuses on another area of concern for business security. With around 235 million people using a smartphone in the United States, it is important to have a Bring Your Own Device (BYOD) Policy in place to help protect your IT infrastructure. Allowing employees to use their personal devices – such as cell phones, tablets and laptops – to access work-related data in the office or out in the field boosts productivity and cuts costs for businesses by not having to purchase the devices themselves. But it also opens your network up to all forms of cyber attacks.

Read more

The Equifax Data Breach exposed 145.5 million people’s sensitive data – social security numbers, birth dates, street addresses and some drivers licenses – and was one of the worst breaches in history. The breach could have been avoided had Equifax applied a known web-application patch that was released two months prior. The attack is believed to have begun in mid-May of 2017 and was not discovered until July 29th, allowing the hackers a month and a half to steal consumer information.

Also in May of 2017, the WannaCry ransomware cryptoworm made headlines across the world as it infected more than 200,000 computers throughout 150 countries, causing damages from the hundreds of millions to billions of dollars. It targeted PCs that were running older versions of Windows and exploited vulnerabilities in systems that didn’t have the latest software updates. WannaCry affected many organizations – large and small – as well as individual home users.

Patching and updating your IT software and hardware is critical. Failure to do so will leave your organization vulnerable to viruses and ransomware. Many SMBs (small and medium businesses) think that hackers only go after large corporations since those stories typically make the news headlines. But actually, small business are targeted more than half the time (58%) and a single breach can cost an average of $690,000. Cyber criminals realize that smaller companies oftentimes do not have the resources needed to protect them from breaches.

Keep Software and Applications Updated
It’s easy to ignore those pesky popups that say “a software update is available” and think ‘I’ll just finish what I’m working on and install the update later’, but the truth is most people won’t. Software updates, however, often include critical patches to security holes that hackers use to infect your systems and steal valuable data. By ignoring those messages, you are leaving your computer and network open, allowing cybercriminals to cause major damage.

Software updates need to be checked and performed at least once a month for:
• Operating Systems (i.e. Windows, Mac OS)
• Productivity Software (i.e. Microsoft Office)
• Accounting and Customer Management Software (i.e. Quickbooks, Sage, Salesforce)
• Custom Applications (such as legacy software that was custom written for your organization)
• Industry-Specific Software
• Web Browsers (i.e. Explorer, Chrome, Firefox, Safari)
• Plugins (i.e. Adobe Flash, Java, Microsoft Silverlight)
• Website Content Management Systems and Plugins (i.e. WordPress, Joomla, Magneto and Drupal)

Don’t Forget Your Other Hardware!
Not only is it imperative to apply software updates to your PCs, laptops and servers, but also other IT hardware devices, such as switches, firewalls, routers and access points. Once equipment is deemed end-of-life (EOL), the manufacturers no longer support or maintain them, which can lead to security risks. That is why we recommend for companies to budget replacing IT equipment before they reach their end-of-life.

What To Do If You Are Not Sure You’re All Patched Up
There are several patch management softwares that help organizations discover vulnerabilities and stay on top of updates. If you need further assistance, give us a call! All of our Texas Systems Group BrightStar Managed Service packages include automated patching. Monthly and quarterly audits help find vulnerabilities within your network so they can be addressed before a data breach occurs. Our CyberSecure Team is constantly looking out for the latest threats and solutions to protect our customers. Our vCIO will work with you on budgeting to replace aging equipment which decreases the chance of hackers exploiting unpatched and out-of-date hardware. All of these components together drastically decrease your risk of becoming the next victim of a cyber attack.

Last week, we discussed the importance of employee education and awareness to help minimize your organization’s cyber security risks. This week’s article in our National Cyber Security Awareness Month Series will focus on another major security risk for businesses – PASSWORDS. Password security is oftentimes forgotten, leaving organizations open to attacks.

Hackers hijack or crack passwords to steal identities, access sensitive data and infect your systems with ransomware or viruses. In fact, cracked or stolen passwords are to blame in 81% of hacking-related breaches.

Types of Password Attacks

• Brute Force – An attack method in which the hacker tries various combinations of user names and passwords repeatedly until they are able to login. This can be done either manually or by using an automated software.
• Keylogging – A type of spyware that logs your keystrokes and where you type them. The information is then analyzed by a hacker to determine passwords and other data.
• Phishing – An email technique used to trick employees into providing sensitive information such as login credentials. (Read more about phishing by clicking here.)

Password DOs and DON’Ts

Having a hard to crack password is the first line of defense against data breaches. But even with all the widely-known risks involved in weak passwords, people still use the most common offenders. According to SplashData, the top 5 worst passwords of 2017 were:

123456

password

12345678

qwerty

12345

Businesses need to implement good password policies so employees don’t leave the organization susceptible to cyber attacks.  Below is a list of DOs and DON’Ts to consider.

Two-Factor Authentication

Two-Factor Authentication (2FA) adds another layer of password protection by making users go through an additional step before being able to log in. This provides another form of evidence that you are who you say you are, typically by entering a security code or pin that is sent to you via email, mobile text message or phone call. 2FA makes it harder for attackers to login to your account because they would also have to have access to your email account or another device to provide the code. And the security codes are usually only valid for a short amount of time and can only be used once.

Other Best Practices to Consider

Aside from having strong passwords and using multiple forms of verification, organizations can still be at risk. When employees resign or are terminated, it is best to deactivate their user accounts and disable any access they may have to the network (including wireless) right away. This will help safeguard your business against disgruntled employees who may have been let go and are looking for vengeance.

If you use an external IT Service Provider to support your business, another thing to consider is what their password policies are.  Does the provider use the same administrator username and password for all of their clients? Does the administrator account password get changed when their technicians leave? Do they store any passwords pertaining to your business in a password management system or secure file?

Texas Systems Group has multiple safeguards in place to protect our BrightStar Managed Service clients’ passwords. Two-factor authentication, a password management system and tight security policies ensure that your passwords are secure and help deflect cybercriminals from hacking your user accounts. To find out more information, contact us.

October is National Cyber Security Awareness Month (NCSAM) and like Halloween, cyber threats can be pretty scary. This month, we will post a series of articles to help minimize IT security risks through end-user awareness and training.

What is National Cyber Security Awareness Month?

Started in 2003, National Cyber Security Awareness month is a collaborative effort between the Department of Homeland Security the National Cyber Security Alliance. Each year, NCSAM highlights different themes with a strong focus on helping consumers avoid becoming victims of cyber attacks.

Because we are a Managed IT Service Provider for businesses and organizations, we wanted to focus on how cybercrimes affect companies. Cyber attacks are the biggest threat to organizations today, and they don’t just prey on large corporations. Cybercrimes targeting companies with less than 250 employees have steadily increased over the last five years, affecting 61% of SMBs in 2017.

Biggest Security Risk

EMPLOYEES are the weakest link for organizations when it comes to cybersecurity. Even if your business has deployed all the security tools possible – anti-virus and anti-malware software, firewall, email, and web filtering, etc. – an action by a single employee can cost your business thousands of dollars or compromise customer and employee data. If attackers can bypass all of these methods, you can bet they are sophisticated enough to trick your employees into opening an attachment, clicking on a link or even transferring money to a fraudulent bank account!

So what are the most common ways these cybercriminals are using your employees to infect your network?

Social Engineering

Social Engineering is a term used to describe the psychological manipulation of people into performing actions or divulging confidential information. There are several different ways cybercriminals use social engineering to attack business. Below are some examples, but we will talk about the most common type of scams more in-depth.

• Phishing, spear phishing, and vishing – Most common form. See below.
• Watering hole – Attackers set traps in websites their target victims are known to frequent.
• Pretexting – Cybercriminals create a fabricated scenario to obtain privileged data.
• Baiting – Attackers leave physical forms of media (CDs, DVDs or USB drives) with legitimate-looking and curiosity-piquing labels in public places that are infected with malware.
• Tailgating – An attacker follows a person into a restricted area by simply walking behind them.
• Quid pro quo – The cybercriminal offers a service or benefit in exchange for information or access.

Phishing

Phishing is still one of the most common methods cybercriminals use to trick employees, and the emails are getting better and more legitimate-looking. Gone are the days of phishing emails being easily spotted due to bad grammar, suspicious sender email addresses and low-resolution graphics. The new phishing emails are extremely convincing and oftentimes look exactly like the company they’re trying to emulate.

While phishing emails are usually general and sent out to a larger group of people in hopes of tricking a small percentage of the overall target, spear phishing attempts are mostly sent to 10 or fewer mailboxes. With spear phishing, attackers already know information about the victim or the company they work for, making the email all the more convincing. This information is sometimes gleaned from social media posts by the individual or company. Successful spear phishing is the cause for 95% of all attacks on enterprise networks, according to the SANS Institute.

Vishing, or voice phishing, happens when the victim is called and manipulated into giving up sensitive information over the phone. Typically, the attacker pretends they are with a bank, government organization or trusted company and requests account credentials to verify the victim’s identity.

CEO Fraud

CEO Fraud, also known as Business Email Compromise (BEC), is a type of spear phishing attack and continues to increase year over year.  This threat targets employees and involves the attacker spoofing an email from the CEO or other top-level positions within the company to request a funds transfer or private personnel or customer information. The FBI reports that BEC attacks caused $5.3 billion in losses between 2013 and 2016.

Here is a CEO Fraud scam scenario:

A cybercriminal learns that John, the CEO of XYZ Corp, is out of town at a conference through a post on XYZ Corp’s Facebook page. The attacker checks xyzcorp.com for a list of employees and is able to get the name and email address of Jane in the accounting department. He then spoofs John’s email address and sends the following email:

“Jane, are you busy? I need you to process a large wire transfer for me as I will be tied up at the conference all day. Let me know when you’re available and I can send the recipient’s details.  Thanks, – John.”

Jane responds “Sure, I can help. Please send me the information and I will take care of it as soon as possible.”

The attacker emails the amount of the transfer and account details and Jane transfers the money.

Cybercriminals have also used this method of attack to trick HR employees into sending W-2s and other sensitive information.  Over 200 employers were attacked in 2017, leading to hundreds of thousands of employees who had their identities compromised.

How to Reduce Your Risks

The most effective way to reduce your cyber risks is educating the employees in your organization so they know what to be aware of. Yearly and quarterly security awareness training is A MUST for every company, big or small, and especially for healthcare, government agencies, financial institutions, manufacturing, and legal companies.

It is your entire organization’s responsibility to be vigilant when receiving electronic and phone communication. Here are a few steps to help mitigate your cybersecurity risks:

• Raise awareness – Make sure all employees know what to look out for and receive yearly and quarterly security awareness training.
• Be on the lookout for fake emails – Carefully check the domain names on emails, watch out for spelling and grammar mistakes and review logos and graphics in the message.
• Avoid clicking links and attachments – Confirm with the sender when you receive attachments to make sure they actually sent you something. Hover over links in emails to display the destination URL before clicking to make sure you will be taken to a legitimate website.
• Do not give personal or sensitive information – Most companies will not ask for sensitive data over the phone or through email. Go to the company’s website by doing a web search any time you need to log into your account or to find the correct Customer Support phone number.
• Have internal processes in place to avoid CEO Fraud – Require that employees go through a 2-step verification process (verbal or in-person) when requested to wire funds or provide sensitive data via email.

Texas Systems Group uses a Layered Security Architecture to protect our BrightStar Managed Service clients’ IT infrastructures, which includes employee security awareness training. Check with your IT staff or service provider to see what they recommend for your organization. Or if you’d like to contact us, click here.

To learn more about National Cyber Security Awareness Month, visit the linked National Cyber Security Alliance and the Department of Homeland Security pages.