According to IBM researchers, 95% of all cybersecurity breaches involve human error. It is well known that criminals can easily infiltrate a business by using social engineering tactics that trick employees into sharing sensitive data or clicking on malicious links. This is why The Government of Canada recommends Cybersecurity Awareness Training for small and medium-sized businesses (SMBs); this is also why CarefreeIT has developed the first Cybersecurity Training Centre in Southwestern Ontario that is specifically designed to equip SMB owners and their employees with the knowledge they need to recognize and prevent social engineering attacks.
As new cyber threats continue to emerge with each passing day, it has never been more critical for businesses to work in partnership with IT security experts to implement a comprehensive cybersecurity strategy that safeguards all levels of their organization. CarefreeIT provides a necessary start to this process by offering Cybersecurity Awareness Training for everyone in your company, from frontline employees to C-Suite executives.
These half-day sessions provide interactive workshops and testing to help business owners and their employees better understand their roles and responsibilities in protecting their organization from current cyber threats. This training empowers employees to be security-conscious computer users, while business owners gain peace of mind in knowing their team is ready to actively defend their information assets. Simply put, Cybersecurity Awareness Training is the most cost-effective way to begin protecting your business’s IT systems and sensitive data from the ever-evolving cyber threat landscape.
Businesses of all sectors and sizes use digital technologies to store confidential information, from employees’ personal credentials to customers’ credit card numbers—and that’s just the beginning. Unfortunately, handling sensitive data always poses a security risk, since business owners and their employees are responsible for protecting it from leaks and breaches. What’s more, the tools and expertise needed to safeguard this information can be both expensive and difficult to implement, leaving many organizations wondering where to begin.
Luckily, a professional Cybersecurity Assessment can provide a helpful starting point by outlining a detailed picture of your business’s security posture. These evaluations highlight your organization’s key strengths and vulnerabilities, so you know exactly where to focus your time and resources to achieve optimal security, as well as how to equip your employees to recognize and respond to cyber threats.
Of course, as more technology companies continue to add cybersecurity to their list of services, it’s important to know exactly what to look for in a professional Security Assessment. The CarefreeIT Total Protection Plan begins with a comprehensive Cybersecurity Assessment that evaluates every aspect of your business’s digital infrastructure, including network, firewall, software, policies, information, and physical security reports. It further recommends the technologies and procedures needed to address current vulnerabilities, as well as to protect your business from future threats.
As new cyber threats continue to emerge with each passing day, and as the legal, financial, and reputational consequences for businesses that fail to keep up with current security regulations grow more severe, it has never been more pressing for organizations to work closely with certified cybersecurity professionals. Simply put, in our digitized and interconnected corporate climate, operating without a comprehensive cybersecurity strategy is a risk that no business can afford to take.
Next in the CarefreeIT Cybersecurity Blog Series, we will take a look at what happens after your Cybersecurity Assessment is completed.
CarefreeIT has invested money and manpower into our various IT solutions to help service our clients; but we are VERY proud to be investing in our employees too!
We just wanted to let you know that our team recently attended the largest “Advanced Information Technology Conference in North America!” In addition to that, we have attended several other conferences over the past several months and participated in numerous workshops, webinars, training courses and seminars to increase our knowledge and professional development in Cybersecurity, Leadership, Business Management, new technology and more!
Continuous education and professional development is what keeps the CarefreeIT team running at peak performance. I was honored to have the opportunity of attending some EXCELLENT Leadership Training & Professional Development Conferences, Courses, Workshops and Seminars this past year. My favorite one was a Conference held in Philadelphia a few months ago. It was a deep dive into Leadership, Customer Service, Marketing & Business Development. This Conference was geared specifically towards B2B leaders in the IT Industry, and it was filled with brilliant insights and valuable golden nuggets of information!
As a valued client, you will immediately gain all the advantages that we learned at these conferences. Check out some of these photos!
We’ve been learning new skills, new tactics and new security measures that will give our team the advantage of all the technological advances that are coming into play for 2018. We are keeping each one of our clients in mind as we look for new strategies that will address your specific needs and beginning this week, we will be integrating new strategies, new technologies and tactics into the work we do for you. With a boost in motivation and inspiration, we are ready to help make a difference for our clients. Thank you for being a valued client or business partner of CarefreeIT and if you haven't started working with us yet, what are you waiting for?
Call us today! (519) 883-7815
Whether you're interested in learning more about IT Support or Cybersecurity protection for your business, CarefreeIT can help!
Staff training should include updates on the latest online threats such as phishing, e-mail scams, and malware such as viruses and ransomware. Employees who understand how these attacks arrive are far less likely to fall for them. Check out CarefreeIT's Cybersecurity Training.
3. Encourage smart clicking.
Your employees should be suspicious of unknown links, and of familiar-looking ones with an odd form. Signs that a link should not be trusted include extra hyphens, digits standing in for letters, misspellings of a well-known name, and unusual symbols or characters in place of ordinary ones. The simplest check is to hover over a link and read the real destination before clicking, paying attention to the domain that sits immediately before the first "/".
4. Promote strong passwords.
Tell employees to use long, unique passwords (ideally generated and stored in a password manager) rather than writing them down on scraps of paper, where they can be taken or copied by anyone. Rather than keeping a list of staff passwords, make sure an administrator can reset access or recover data when someone leaves, for example through a company password manager with administrative recovery or by holding administrator rights on each business system; nobody should need to know another person's password.
5. Plan ahead for departing employees.
When an employee leaves your company, disable their accounts the same day, revoke any keys, tokens, or remote-access credentials they held, and change any shared passwords they knew. An open, unused account is an easy target for attackers, and nobody is watching it.
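Item 3 above lists the visual signs of a suspicious link. The Python below, an added example that is not part of the original post, turns those signs into checks that can run over the links in an e-mail or a proxy log: digits standing in for letters, one-letter misspellings of a known brand, hyphenated domains built around a brand name, a brand name used as a subdomain of an unrelated domain, punycode labels, raw IP hosts, and the `user@host` trick. The brand list and the sample URLs are constructed for the example, and the registrable-domain logic is a deliberate simplification (production code should consult the Public Suffix List).

```python
import re
from typing import List
from urllib.parse import urlsplit

# Constructed watch list of names this organisation expects to see in legitimate links (example only).
KNOWN_BRANDS = {"paypal", "microsoft", "amazon", "google", "apple", "carefreeit"}

# Digits that lookalike domains commonly substitute for letters.
DIGIT_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b"})

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-letter 'spelling mistake' lookalikes such as amazom."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Simplification: real code should consult the
    Public Suffix List so that names like example.co.uk are split correctly."""
    return ".".join(host.split(".")[-2:])


def suspicious_link_reasons(url: str) -> List[str]:
    """Return the signs that make this link untrustworthy; an empty list means none was found."""
    reasons: List[str] = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    if parts.username is not None:
        reasons.append("user@host trick: the real destination is what follows the '@'")
    if IPV4.match(host):
        reasons.append("raw IP address instead of a domain name")
        return reasons

    labels = host.split(".")
    if any(label.startswith("xn--") for label in labels):
        reasons.append("punycode label: internationalised characters can imitate Latin letters")

    domain = registrable_domain(host)
    tokens = domain.split(".")[0].split("-")
    brand_hits = set()
    for token in tokens:
        if token in KNOWN_BRANDS:
            brand_hits.add(token)
            continue
        deleet = token.translate(DIGIT_SWAPS)
        if deleet in KNOWN_BRANDS:
            reasons.append(f"digits standing in for letters: '{token}' imitates '{deleet}'")
            brand_hits.add(deleet)
            continue
        near = sorted(b for b in KNOWN_BRANDS if edit_distance(deleet, b) == 1)
        if near:
            reasons.append(f"misspelling: '{token}' is one edit away from '{near[0]}'")
            brand_hits.add(near[0])
    if len(tokens) > 1 and brand_hits:
        reasons.append(f"brand name padded with hyphens in '{domain}'")

    # A brand used as a subdomain of some other domain, e.g. paypal.com.evil.example
    for label in labels[:-2]:
        if label.translate(DIGIT_SWAPS) in KNOWN_BRANDS and label not in brand_hits:
            reasons.append(f"brand '{label}' is only a subdomain; the real domain is '{domain}'")
    return reasons


if __name__ == "__main__":
    # Constructed sample links for the demonstration (not real phishing URLs)
    for link in ["https://www.paypal.com/signin",
                 "http://paypa1-secure-login.com/verify",
                 "https://www.paypal.com@203.0.113.7/login",
                 "https://paypal.com.account-verify.example/",
                 "https://amazom.com/deals",
                 "https://xn--80ak6aa92e.com/"]:
        print(link, "->", suspicious_link_reasons(link) or ["no sign found"])
```

A list of reasons rather than a yes/no verdict is deliberate: the same output can drive a warning banner for the employee, a block rule in the mail gateway, or a line in a training exercise, and the person reading it learns which sign gave the link away.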
Last week I attended the FireEye Cyber Defense Summit in Las Vegas. For those of you not familiar with FireEye, they are one of the premier cybersecurity companies in the world. FireEye provides cybersecurity services, consulting, and tools to organizations in both the public and private sectors. The conference brings together cybersecurity experts from government and industry as well as FireEye customers to discuss emerging cybersecurity threats, lessons learned, tactics, and the latest tools for protecting IT networks and the assets contained therein. In this post I’ll summarize the latest threat information and provide a few useful tidbits that you and your company can take to secure the data residing in your network.
Who are the bad guys?
From a global perspective, four nations - Russia, China, Iran and North Korea - are the primary culprits attempting to wreak havoc in order to further their geopolitical aims, but also for purposes of industrial espionage. Cybercriminals are very active as well, but for them financial gain is the primary motivator. Unfortunately, the line between cyber criminals and state actors is blurring, as many state-sponsored actors are moonlighting in order to fatten their bank accounts. In short, the threats are varied and are coming from many sources.
Aren't I too little for them to care about?
But, you may say: "Why would a cyber criminal be interested in my company? I don't have a high profile." The answer is two-fold. First, there is gold in the customer data you have stored in your systems. Maybe you have credit card information but, even if you don't, you have customer identity information that could be stolen and used for fraudulent financial transactions. Second, they may seek to use your network as a springboard into the networks of larger target companies with whom you partner. So, to answer the question at the start of this paragraph, yes, we're all targets! Imagine, for a moment, the repercussions to your business if it was revealed that your customer data was suddenly exposed on the Internet. Would your business survive such a hit to its reputation? Many don't.
So, what to do? Here are a few starting points.
Email is still the primary attack vector by far: between 85 and 90% of all attacks originate via email, either as malware attachments or as embedded malicious links. You can go a long way to protecting yourself from this threat by:
Implementing an email filtering service so that every incoming message is checked for phishing and malware as well as spam, and executable attachment types are blocked outright.
Compromised user accounts are used in virtually all attacks. Some things you can do:
A password policy is essential, but favour length and uniqueness over forced complexity and scheduled rotation: current guidance (NIST SP 800-63B) is to require long passphrases, screen new passwords against lists of known-breached passwords, and force a change when there is evidence of compromise rather than on a calendar.
Limit who has administrative access - users should only have the access they require.
Training! Provide training so your team knows how to choose and manage passwords, and how to recognise the phishing messages that steal them.
Delete unused accounts. Be sure you have a process for removing access when employees or contractors leave.
Consider implementing "two factor authentication" (2FA). 2FA requires two proofs before a login is accepted: something the user knows (a password) and something they have (an authenticator app on a smartphone or a hardware token), so a stolen password alone is not enough. Prefer an app or token over SMS codes, which can be intercepted or redirected through a SIM swap. 2FA is commonly available and not terribly expensive anymore.
Implement a SIEM System
Consider implementing a "Security Information and Event Management" (SIEM) system. A SIEM gathers security-related events from many points in your network (firewall, antivirus, server event logs, other sensors), normalises them into one format, and correlates them to build a picture of what is happening across the network. Activity that looks harmless in any single log, such as a handful of failed logins on one server, stands out when it is combined with events from other sources, so malicious activity is detected sooner and defensive action can be taken. A SIEM is only as useful as the rules in it and the people watching it, so budget for tuning and for someone to review the alerts.
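As an added illustration of what "correlate the data" means in practice (this is example code, not part of the original post or of any SIEM product), the Python below parses a few constructed firewall and server authentication events in a simplified syslog-like format and applies one rule: five or more failed logons from the same source within five minutes, followed by a successful logon from that source. Each failure on its own is noise; together with the success, and with the firewall record showing the source came in from outside, the sequence is a likely credential-guessing compromise. The log format, host names and addresses are invented for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample events in a simplified syslog-like format (not real logs).
SAMPLE_LOGS = """\
2018-03-05T09:00:01 fw01 ACCEPT src=203.0.113.45 dst=10.0.0.5 dport=3389
2018-03-05T09:00:02 srv01 auth FAIL user=jsmith src=203.0.113.45
2018-03-05T09:00:03 srv01 auth FAIL user=jsmith src=203.0.113.45
2018-03-05T09:00:04 srv01 auth FAIL user=jsmith src=203.0.113.45
2018-03-05T09:00:05 srv01 auth FAIL user=jsmith src=203.0.113.45
2018-03-05T09:00:06 srv01 auth FAIL user=jsmith src=203.0.113.45
2018-03-05T09:00:09 srv01 auth SUCCESS user=jsmith src=203.0.113.45
2018-03-05T09:10:00 srv01 auth FAIL user=alee src=10.0.0.22
2018-03-05T09:30:00 srv01 auth SUCCESS user=alee src=10.0.0.22
"""

AUTH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) auth (?P<result>FAIL|SUCCESS) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")
FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) ACCEPT src=(?P<src>\S+) "
                   r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


def parse_events(text: str) -> List[Dict]:
    """Normalise each recognised line into a dict with a parsed timestamp and a 'kind' field."""
    events = []
    for line in text.splitlines():
        for kind, pattern in (("auth", AUTH_RE), ("fw", FW_RE)):
            m = pattern.match(line)
            if m:
                event = m.groupdict()
                event["kind"] = kind
                event["ts"] = datetime.fromisoformat(event["ts"])
                events.append(event)
                break
    return events


def correlate(events: List[Dict], threshold: int = 5,
              window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    """Rule: >= threshold failed logons from one source inside `window`, then a success from it."""
    perimeter_sources = {e["src"] for e in events if e["kind"] == "fw"}
    recent_failures: Dict[str, List[datetime]] = defaultdict(list)
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["kind"] != "auth":
            continue
        # Keep only the failures still inside the sliding window for this source.
        fails = [t for t in recent_failures[e["src"]] if e["ts"] - t <= window]
        if e["result"] == "FAIL":
            fails.append(e["ts"])
        elif len(fails) >= threshold:
            alerts.append({
                "rule": "brute-force-then-success",
                "user": e["user"],
                "src": e["src"],
                "host": e["host"],
                "failures": len(fails),
                "at": e["ts"].isoformat(),
                "seen_at_perimeter": e["src"] in perimeter_sources,
            })
            fails = []  # reset so the same burst is not reported twice
        recent_failures[e["src"]] = fails
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_LOGS)):
        print(alert)
```

The second user's single failure followed by a success twenty minutes later is an ordinary typo and produces no alert; that is the kind of tuning (threshold and window) that decides whether a SIEM is watched or ignored.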
Conduct a Risk Assessment
It's very difficult, if not impossible, to completely protect everything on your network. So, classify your data by sensitivity level. If you have credit card, medical, financial or personal information on your clients then classify that at the highest level and then work your way down. Determine where the most critical data resides and focus your time and money on protecting that first. A Cybersecurity Assessment provides a complete analysis and report on your risks and vulnerabilities, for a one-time fee.
Develop and Test Response Plans
Don't wait for a breach to occur before figuring out what you'll do. Develop policies and response plans - know who does what, who has the authority to take a system offline, and who communicates with customers, regulators and the press - and test them, for example with a tabletop exercise at least once a year.
To wrap up, the threats for any business with an online presence are varied and continually evolving. The good news is that there are ways to mitigate the risks and protect your business from the threats. The bad news is that it will take some focus and money on your part in order to protect yourself properly.
At CarefreeIT, we have designed services and plans to help you along the way to doing business securely in today's environment. Contact us for more information.
We will be LIVE on the air, on the Tech Spotlight Radio Show, this afternoon from 1:30-2pm! Business owners in the Region of Waterloo will be eager to learn about the CarefreeIT Cybersecurity Centre (the first of its kind in all of Southwestern Ontario, as it is specifically designed to assist small and medium-sized business owners and their employees). We will also be discussing the threats that local businesses face, and what CarefreeIT can do to help minimize risks!
CarefreeIT Cybersecurity Blog Series: The Internet of Things
Wednesday, July 12, 2017
It’s no secret that the spaces in which we live and work are becoming increasingly connected and digitized. A key aspect of this transformation has been the ever-growing slew of “smart devices” in our homes and businesses, whether they be televisions, thermostats, digital assistants, or fitness trackers—among many others. Current estimates indicate that there are 8.4 billion networked devices in use across the globe, and this number is expected to increase to 21 billion by 2020.
Together, these connected gadgets with data sharing capabilities comprise the Internet of Things (IoT). In addition to making our domestic lives more convenient, IoT devices are fundamentally changing how businesses operate, notably those in the utility, manufacturing, and healthcare sectors. Just as significantly, they are blurring the boundaries between our work and home lives by enabling a Bring Your Own Device (BYOD) corporate culture in workplaces across all industries.
Simply put, the new norm for employees and executives alike is to check email, hold conference calls, and perform any number of other work tasks remotely using their personal laptops, tablets, and smartphones. Nearly 80% of professionals currently work outside the office at least once a week, and 1.55 billion more are expected to do so by 2020.
While this increasingly mobile workforce has the potential to boost employee productivity and provide greater work flexibility, all the while cutting technology costs for employers, the convenience of working from any location on any device ultimately raises a number of cybersecurity concerns. Without the oversight of a qualified IT support team, it is unlikely that personal devices will meet the same security standards as company-owned computers that are managed in-house. Without these protective measures in place, personal devices may inadvertently leak company data, including private and confidential information, as well as provide a trove of opportunities for cybercriminals to launch successful attacks.
For instance, company data may be easily exposed if a personal device is lost or stolen, especially if it has no screen lock, no full-disk encryption, and no way for the business to wipe it remotely. Likewise, laptops, tablets, and smartphones can be subjected to Man-in-the-Middle (MitM) attacks if employees use them on unsecured public WiFi networks without a VPN, which lets an attacker on the same network read or alter any traffic that is not encrypted.
Cybercriminals are also using malicious applications to target smartphones, some of which can hide covertly in official app stores like Google Play. On the whole, it is estimated that attacks on smartphones accounted for 85% of all networked device infections in the latter half of 2016, illustrating that these devices constitute a key component of the IoT threat landscape.
Needless to say, it is essential that businesses establish clear security protocols and standards of use for personal devices that have access to company networks and data. This is why The CarefreeIT Cybersecurity Centre provides small and medium-sized businesses (SMBs) with their own virtual Chief Information Security Officer (vCISO) to implement a BYOD policy that is tailored to address their unique organizational needs. Our Security Awareness Training and testing also provides employees with the knowledge they need to use their devices safely and responsibly.
Now more than ever, organizations across all sectors require comprehensive protection from the inherent security risks that come with having an increasingly mobile workforce. This is why our team of experts works in strategic partnership with businesses to ensure they benefit from the greater flexibility and productivity that connected workplaces offer, while safeguarding their valuable information assets along the way.
CarefreeIT Cybersecurity Blog Series: Social Media
Wednesday, July 5, 2017
There’s no question that social media platforms have transformed how we share information about ourselves and our businesses. It is estimated that 2 billion people worldwide have at least one social media account, with the average web user spending two hours per day browsing networking websites such as Facebook, Twitter, Instagram, and LinkedIn. In addition to helping us connect with family and friends from all over the world, establishing a brand presence on these websites has become an integral part of consumer outreach, business networking, and marketing operations for industry professionals across all sectors. In fact, it is expected that chief marketing officers (CMOs) will be spending over 20 percent of their budgets on social media marketing in the next five years.
While social media platforms provide endless opportunities for forging valuable personal and professional connections, the sheer breadth of data available on these websites raises just as many concerns about privacy and security. Individuals and organizations alike have become increasingly comfortable with posting information such as full names, birthdays, e-mail addresses, and employment histories online. Unfortunately, many people don’t realize that this information can be used by cybercriminals to execute social engineering attacks.
This ultimately raises concerns for business owners who utilize social media platforms to expand and engage with their customer base. For instance, LinkedIn provides a trove of information for cybercriminals, with account holders in marketing and public relations at the highest risk of being victimized due to the expansive size of their social networks. Similarly, businesses may not realize that their own corporate websites can make them vulnerable to attacks, especially if employee contact information is listed along with job description details.
For instance, this information could allow a cybercriminal to launch a successful Business E-mail Compromise (BEC) attack, an increasingly common social engineering tactic that has conned businesses out of millions of dollars. By hijacking the e-mail account of a co-worker or supervisor, or by sending from a lookalike domain that imitates it, an attacker can target a specific employee and ask them to share passwords or account numbers, or request a wire transfer. Any such request should be confirmed through a second channel, such as a phone call to a number already on file, before it is acted on. Simply put, the greatest cybersecurity risk to businesses in our age of online oversharing is an employee mistakenly providing the wrong information to the wrong person.
In many ways, social media platforms are a necessary evil for today's businesses. By not establishing an online presence, companies are missing out on vital opportunities to raise brand awareness and expand their customer base. It can also leave them vulnerable to brand jacking, where unauthorized persons impersonate an organization online. At the same time, the more information that cybercriminals have about a business and the people who work there, the more vulnerable they are to attacks—and this is only aided by the mistaken belief held by most Canadian companies that social media use does not pose a cybersecurity risk.
This is why the CarefreeIT Cybersecurity Centre works in partnership with small and medium-sized businesses (SMBs) to protect them from common social engineering tactics. In addition to educating employees about how to recognize and respond to cybersecurity threats, our Security Awareness Training specifically addresses best practices for using social media safely and responsibly. Our comprehensive cybersecurity service also provides a virtual CISO (vCISO) to develop clear policies for data classification, thus ensuring that employees understand the proper procedures for storing and sharing private, sensitive, and confidential information. Each day we enact our “total care” philosophy by helping businesses reap the benefits of social media platforms, while mitigating the security risks that are inherent in online information sharing.
As if we needed another reminder that the ransomware threat is massive and growing, last month the now-infamous WannaCry attacks claimed over 200,000 victims in 150 countries, including schools, hospitals, transit agencies, and private businesses of all sectors and sizes. WannaCry spread on its own as a worm rather than through the affiliate model described below, but the scale of the damage shows how lucrative ransomware has become, and much of that money is now being made through Ransomware-as-a-Service (RaaS).
Simply put, the malware business is big and booming, accumulating more talent, resources, and money with each passing day. Crimeware-as-a-Service has made it possible for virtually anyone with an internet connection to execute successful cyberattacks—no technical expertise required. Whereas yesterday’s hackers had to build and maintain their own malware, aspiring cybercriminals can now pay a fee to developers to purchase customizable and user-friendly ransomware toolkits. In return for providing these services, ransomware developers claim a percentage of the profits from successful attacks launched with their product.
In this sense, RaaS operates in much the same way as any business that provides an ongoing service for a fee. The plethora of ransomware for purchase on the Dark Web means the industry has become very competitive, with developers constantly upgrading their products to ensure their customers have access to the most sophisticated and profitable malware tools. Commonly, these ransomware service packages include:
1) A user-friendly dashboard that allows cybercriminals to monitor the progress of their campaigns, including the number of attacks launched, the number of victims who have paid the ransom, and the amount of profit generated
2) The ability to execute attacks in different languages
3) A variety of pricing options to launch different scales of attack
4) Technical support from the RaaS provider
5) An online marketplace where customers can review the ransomware packages they have purchased
With so many ransomware tools readily available for criminal use, it's not surprising that the global victim count continues to grow—and small and medium-sized businesses (SMBs) are no exception. One study revealed that 1 in 5 SMBs was hit by a ransomware attack in the previous 12 months. More concerning is the fact that 40% of SMBs that fell victim to ransomware attacks paid the ransom amount, but only 45% of those who did actually got their data back.
This raises the question as to how SMBs can protect themselves from ransomware and other common cyberthreats. The CarefreeIT Cybersecurity Centre recommends Security Awareness Training and testing for all employees as a crucial first step. It is necessary to teach staff how to recognize the social engineering tactics that are commonly used to execute ransomware attacks, as well as educate them about proper incident response protocols in the event of a data breach. Furthermore, our vCISO works with business owners to implement the technologies, procedures, and controls that are needed to safeguard critical IT systems and protect valuable data, starting with regularly tested backups kept offline or otherwise out of reach of a compromised machine, since a restorable backup is what makes paying a ransom unnecessary. Each day we enact our “total care” philosophy by empowering business owners and their employees with the knowledge and tools they need to protect themselves—as well as their valued customers—from cyberthreats.
It’s no secret that new cybersecurity threats are emerging every day, while familiar ones wreak new kinds of havoc for businesses and individual web users. In response, governments from across the globe have been implementing regulations, such as the far-reaching European Union General Data Protection Regulation (GDPR), that prescribe uniform cybersecurity standards for organizations across all sectors. In short, the future of cybersecurity defense has arrived, and legislation is proving to be one of its key components.
One sector that has received special attention in this capacity is financial services, which is 65% more likely to be targeted by attacks than other industries. This is because cybercriminals can easily access vast financial resources and a trove of consumer data if they successfully breach a banking system. In recognition of this precarious reality and the risk it poses for customer privacy, New York State has begun implementing 23 NYCRR 500, which stipulates that all businesses in the financial services industry must have (among other things):
A cybersecurity program that is equipped to respond to and recover from a breach
In Canada specifically, The Digital Privacy Act has introduced new amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA). These legislative changes are expected to be in full force by the end of 2017, at which point Canadian businesses will be legally required to report cybersecurity breaches to the Office of the Privacy Commissioner of Canada. Importantly, they must also inform consumers if their information has been compromised, and those that fail to comply with these standards will be subject to a fine of up to $100,000.
As new threats and breaches come to light with each passing day, Canadian companies across all sectors can expect legislative bodies to develop increasingly comprehensive cybersecurity regulations that impact all aspects of their business operations. While these measures are necessary to ensure that Canadian companies have the proper controls and procedures in place to safeguard sensitive consumer data, they ultimately pose a challenge for small and medium-sized businesses (SMBs), who may not have the budgetary and technical resources needed to align their business practices with up-to-date cybersecurity standards. SMBs are less likely to have their own in-house IT department to proactively manage their technical infrastructure. Likewise, businesses from across the globe are learning that cybersecurity professionals who are qualified to fill the crucial CISO role are hard to find and costly to keep.
As such, SMBs are increasingly turning to Managed Service Providers with the expertise to design and implement a cybersecurity program that meets their unique organizational needs. This is why our “total care” approach to IT support for SMBs prioritizes security. The CarefreeIT Cybersecurity Centre delivers the technologies, procedures, and controls needed to safeguard business networks and protect sensitive data. Our comprehensive security service package also provides our clients with their very own virtual CISO (vCISO), who works in partnership with businesses to ensure they are operating in compliance with the most current and industry-specific cybersecurity regulations. We recognize that business owners have enough on their plates without having to worry if their IT systems are properly shielded from cyberthreats. This is why our team of experts is dedicated to making your protection our priority.