CarefreeIT is doing its part to help spread the word: the Government of Canada has declared October "Cybersecurity Awareness Month".
For any business, employees are both the biggest risk AND the best defence against cybercrime. Knowledge and training make all the difference.
1. Protect your business from unsecured personal devices.
In the office, at home and on business travel, work data on personal devices may not be secure. Limit the use of personal devices and public Wi-Fi for work, or have employees follow a written security policy that covers them. Check out CarefreeIT's Cybersecurity as a Service.
2. Provide training on cyber threats.
Staff training should include updates on the latest online threats such as email scams, phishing, viruses, and malware. If your employees understand these threats, they can avoid them. Check out CarefreeIT's Cybersecurity Training.
3. Encourage smart clicking.
Your employees should be suspicious of unknown links, and of familiar-looking ones that are subtly off. Signs that a link should not be trusted include extra hyphens, digits, spelling mistakes, and symbols or look-alike characters in place of regular letters. The address a link actually points to (shown when hovering over it) should be compared with the text it displays before clicking.
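The checks above can be turned into a small screening routine. The following is an added example, not code from the original post or from CarefreeIT: it flags the tell-tale signs listed (hyphens, digits, look-alike characters, punycode, a brand name buried in someone else's domain, one-letter typosquats, credentials hidden before an "@"). The allow-list of trusted domains and the look-alike substitution table are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list for this example; a real deployment would load the
# domains the organisation actually does business with (assumption).
TRUSTED_DOMAINS = {"carefreeit.ca", "paypal.com", "microsoft.com", "google.com"}

# Digits and symbols that attackers substitute for letters so that a hostname
# still "reads" like a familiar brand (paypa1, g00gle, micr0soft).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                            "5": "s", "7": "t", "8": "b", "$": "s", "|": "l"})


def registrable_domain(host):
    """Last two labels of a hostname: 'login.paypal.com' -> 'paypal.com'.
    Approximation only: no public-suffix list, so 'example.co.uk' is mishandled."""
    return ".".join(host.split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance; catches single-character typosquats (goggle, paypai)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def link_warnings(url):
    """Return the reasons a link deserves suspicion; an empty list means nothing was flagged."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if not host:
        return ["no hostname in link"]
    warnings = []
    if parsed.scheme != "https":
        warnings.append("not served over https")
    if parsed.username is not None:
        # http://paypal.com@evil.net/ : everything before '@' is userinfo, not the site
        warnings.append(f"text before '@' is not the site; the real host is {host}")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        warnings.append("bare IP address instead of a domain name")
        return warnings
    if any(ord(c) > 127 for c in host):
        warnings.append("non-ASCII characters in hostname (possible homoglyph)")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label in hostname (possible homoglyph)")
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return warnings
    label = domain.split(".")[0]
    if "-" in label:
        warnings.append("hyphen in domain name")
    if any(c.isdigit() for c in label):
        warnings.append("digits in domain name")
    normalised = label.translate(LOOKALIKES)
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        # brand used as a subdomain (paypal.com.evil.net), hidden by substitutions
        # (paypa1-secure), or one typo away (goggle)
        if brand in host or brand in normalised or edit_distance(normalised, brand) <= 1:
            warnings.append(f"resembles {trusted} but is actually {domain}")
    return warnings


if __name__ == "__main__":
    for sample in ["https://www.paypal.com/signin", "http://paypa1-secure.com/login",
                   "https://paypal.com@evil.net/", "https://goggle.com/",
                   "http://203.0.113.5/invoice.exe", "https://xn--pypal-4ve.com/"]:
        print(sample, "->", link_warnings(sample) or "no warnings")
```

This is a heuristic, not a verdict: it will also warn on legitimate sibling domains that contain a brand name, and it cannot see where a shortened link redirects. Its value is that it turns the rules of thumb above into something that runs on every link in an inbound mail, ahead of the user's own judgement.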
4. Promote strong passwords.
Tell employees to use strong passwords and never to write them down on scraps of paper, where they can be taken or copied by anyone. Make sure work passwords are stored securely and that someone trustworthy (a senior employee or your tech expert) can still reach the accounts if an employee leaves; a business password manager with administrative recovery does this without circulating passwords in plain text.
5. Plan ahead for departing employees.
Before an employee leaves your company, make sure their accounts are closed and any passwords they knew are changed. Otherwise an open but unused account is an easy way in for attackers.
Last week I attended the FireEye Cyber Defense Summit in Las Vegas. For those of you not familiar with FireEye, they are one of the premier cybersecurity companies in the world. FireEye provides cybersecurity services, consulting, and tools to organizations in both the public and private sectors. The conference brings together cybersecurity experts from government and industry as well as FireEye customers to discuss emerging cybersecurity threats, lessons learned, tactics, and the latest tools for protecting IT networks and the assets contained therein. In this post I’ll summarize the latest threat information and provide a few useful tidbits that you and your company can take to secure the data residing in your network.
Who are the bad guys?
From a global perspective, four nations - Russia, China, Iran and North Korea - are the primary culprits attempting to wreak havoc in order to further their geopolitical aims but, also, for purposes of industrial espionage. Cybercriminals are very active as well but, for them, financial gain is the primary motivator. Unfortunately, the line between cybercriminals and state actors is blurring, as many state-sponsored actors moonlight to fatten their own bank accounts. In short, the threats are varied and are coming from many sources.
Aren't I too little for them to care about?
But, you may say: "Why would a cyber criminal be interested in my company? I don't have a high profile." The answer is two-fold. First, there is gold in the customer data you have stored in your systems. Maybe you have credit card information but, even if you don't, you have customer identity information that could be stolen and used for fraudulent financial transactions. Second, they may seek to use your network as a springboard into the networks of larger target companies with whom you partner. So, to answer the question at the start of this paragraph, yes, we're all targets! Imagine, for a moment, the repercussions to your business if it were revealed that your customer data was suddenly exposed on the Internet. Would your business survive such a hit to its reputation? Many don't.
So, what to do? Here are a few starting points.
Email is still the primary attack vector by far. Between 85% and 90% of all attacks originate via email, either as malware attachments or embedded malicious links. You can go a long way to protecting yourself from this threat by:
Implementing an email filtering service so that all incoming email is checked for phishing attacks and malware as well as spam.
Access through compromised user accounts features in virtually all attacks. Some things you can do:
Password policies that enforce length and complexity are essential. One caveat: forcing regular password changes was long standard advice, but current guidance (NIST SP 800-63B) favours long passphrases, screening new passwords against known-breached lists, and changing a password when there is reason to believe it has been compromised, because scheduled rotation tends to produce predictable variations of the old password.
Limit who has administrative access - users should only have the access they require.
Training! Provide training so your team knows how to manage passwords.
Delete unused accounts. Be sure you have a process for removing access when employees or contractors leave.
Consider implementing "two factor authentication" (2FA). 2FA authenticates a user with something they know (e.g. a password) together with something they have (e.g. a smartphone), so a stolen password alone is not enough to log in. 2FA is commonly available and not terribly expensive anymore.
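To make the "something they have" concrete, here is an added example (not code from the original post or from CarefreeIT) of the time-based one-time password scheme (RFC 6238 TOTP, built on RFC 4226 HOTP) that smartphone authenticator apps implement: the phone and the server share a secret at enrolment, and the phone displays a six-digit code derived from that secret and the current 30-second time step. The verification routine tolerates one step of clock drift and refuses to accept a counter that has already been used, so an intercepted code cannot be replayed. The secret, account name and issuer in the demo are constructed values.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(unix_time // step), digits)


def enrolment_uri(secret, account, issuer="CarefreeIT"):
    """otpauth:// URI the user scans into an authenticator app (secret is base32-encoded)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"


def verify_totp(secret, code, unix_time, last_counter=-1, step=30, digits=6, skew=1):
    """Check a submitted code against the current step and +/- `skew` neighbours (clock drift).

    Returns the matching counter, or None. Any counter <= last_counter is refused, so a
    code that was already accepted cannot be replayed within its validity window; the
    caller stores the returned counter alongside the user's secret.
    """
    base = int(unix_time // step)
    for counter in range(base - skew, base + skew + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    # Constructed demo secret (the RFC 4226/6238 test key); real enrolment uses os.urandom(20).
    secret = b"12345678901234567890"
    print(enrolment_uri(secret, "jsmith@example.com"))
    now = time.time()
    code = totp(secret, now)
    print("current code:", code, "accepted:", verify_totp(secret, code, now) is not None)
```

The server side needs only the shared secret, a reasonably accurate clock and the last accepted counter per user; the code is checked with a constant-time comparison, and the password check still happens separately, which is what makes it a second factor rather than a replacement.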
Implement a SIEM System
Consider implementing a "Security Information and Event Management" (SIEM) system. A SIEM gathers security-related events from many points in your network (e.g. firewall, antivirus, server event logs, other sensors) and correlates them to paint a picture of network activity. Malicious activity that no single log would reveal on its own is detected more quickly, and defensive action can be taken.
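What "correlate" means in practice is easier to see on sample data. The following is an added example, not code from the original post or from any SIEM product: it normalises constructed log lines from a firewall and from two servers into one schema, replays them in time order, and raises an alert only when the sources line up (a login success that follows a burst of failures from the same address, or a success from an address the firewall had just blocked). The log formats, hostnames, usernames, IP addresses and thresholds are all assumptions invented for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 4            # failures from one (user, source) before a later success is suspicious
WINDOW = timedelta(minutes=10)

# Constructed sample lines in two different shapes, as a SIEM would receive them from a
# firewall and from two servers' authentication logs (the formats are invented for this
# example and do not represent any vendor's real log format).
SAMPLE_LOGS = [
    "2017-10-03T09:00:05 fw01 DENY src=203.0.113.9 dst=10.0.0.5 dport=3389",
    "2017-10-03T09:01:10 srv01 auth user=jsmith src=203.0.113.9 result=FAIL",
    "2017-10-03T09:01:14 srv01 auth user=jsmith src=203.0.113.9 result=FAIL",
    "2017-10-03T09:01:19 srv01 auth user=jsmith src=203.0.113.9 result=FAIL",
    "2017-10-03T09:01:25 srv01 auth user=jsmith src=203.0.113.9 result=FAIL",
    "2017-10-03T09:02:40 srv01 auth user=jsmith src=203.0.113.9 result=SUCCESS",
    "2017-10-03T09:05:00 srv02 auth user=amartin src=10.0.0.23 result=FAIL",
    "2017-10-03T09:05:30 srv02 auth user=amartin src=10.0.0.23 result=SUCCESS",
    "2017-10-03T09:06:00 srv02 auth user=amartin src=10.0.0.23 result=SUCCESS",
]

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) "
                   r"dst=\S+ dport=(?P<dport>\d+)$")
AUTH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
                     r"result=(?P<result>FAIL|SUCCESS)$")


def parse(line):
    """Normalise one raw line into a dict with a common schema, or None if unrecognised."""
    m = AUTH_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "kind": "auth", "host": m["host"],
                "user": m["user"], "src": m["src"], "result": m["result"]}
    m = FW_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "kind": "fw", "host": m["host"],
                "action": m["action"], "src": m["src"], "dport": int(m["dport"])}
    return None


def correlate(lines):
    """Replay events in time order and emit alerts only when independent sources line up."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    failures = defaultdict(list)   # (user, src) -> timestamps of failed logins
    denies = defaultdict(list)     # src -> timestamps of firewall blocks
    alerts = []
    for e in events:
        t = e["ts"]
        if e["kind"] == "fw" and e["action"] == "DENY":
            denies[e["src"]].append(t)
        elif e["kind"] == "auth" and e["result"] == "FAIL":
            failures[(e["user"], e["src"])].append(t)
        elif e["kind"] == "auth":  # SUCCESS: look back across both sources
            key = (e["user"], e["src"])
            recent_fails = [x for x in failures[key] if t - x <= WINDOW]
            if len(recent_fails) >= FAIL_THRESHOLD:
                alerts.append(f"{t.isoformat()} {e['user']}@{e['host']}: success from {e['src']} "
                              f"after {len(recent_fails)} failures within {WINDOW}: possible password guessing")
            recent_denies = [x for x in denies[e["src"]] if t - x <= WINDOW]
            if recent_denies:
                alerts.append(f"{t.isoformat()} {e['user']}@{e['host']}: success from {e['src']}, "
                              f"an address the firewall blocked {len(recent_denies)} time(s) within {WINDOW}")
            failures[key].clear()   # one alert per burst, not one per later success
    return alerts


def analyse_sample():
    return correlate(SAMPLE_LOGS)


if __name__ == "__main__":
    for alert in analyse_sample():
        print(alert)
```

On the sample, jsmith's login produces two alerts (four failures then a success, from an address the firewall had blocked minutes earlier), while amartin's single typo followed by a success produces none. Neither the firewall log nor the server log alone would have made the first case stand out; that cross-source view is the point of a SIEM.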
Conduct a Risk Assessment
It's very difficult, if not impossible, to completely protect everything on your network. So, classify your data by sensitivity level. If you have credit card, medical, financial or personal information on your clients then classify that at the highest level and then work your way down. Determine where the most critical data resides and focus your time and money on protecting that first. A Cybersecurity Assessment provides a complete analysis and report on your risks and vulnerabilities, for a one-time fee.
Develop and Test Response Plans
Don't wait for a breach to occur before figuring out what you'll do. Develop policies and response plans - know who does what and who communicates to the outside world - and test them.
To wrap up, the threats for any business with an online presence are varied and continually evolving. The good news is that there are ways to mitigate the risks and protect your business from the threats. The bad news is that it will take some focus and money on your part in order to protect yourself properly.
At CarefreeIT, we have designed services and plans to help you along the way to doing business securely in today's environment. Contact us for more information.
We will be LIVE on the air on the Tech Spotlight Radio Show this afternoon from 1:30-2pm! Business owners in the Region of Waterloo will be eager to learn about the CarefreeIT Cybersecurity Centre (the first of its kind in all of Southwestern Ontario, as it is specifically designed to assist small and medium-sized business owners and their employees). We will also be discussing the threats that local businesses face, and what CarefreeIT can do to help minimize risks!
CarefreeIT Cybersecurity Blog Series: The Internet of Things
Wednesday, July 12, 2017
It’s no secret that the spaces in which we live and work are becoming increasingly connected and digitized. A key aspect of this transformation has been the ever-growing slew of “smart devices” in our homes and businesses, whether they be televisions, thermostats, digital assistants, or fitness trackers—among many others. Current estimates indicate that there are 8.4 billion networked devices in use across the globe, and this number is expected to increase to 21 billion by 2020.
Together, these connected gadgets with data sharing capabilities comprise the Internet of Things (IoT). In addition to making our domestic lives more convenient, IoT devices are fundamentally changing how businesses operate, notably those in the utility, manufacturing, and healthcare sectors. Just as significantly, they are blurring the boundaries between our work and home lives by enabling a Bring Your Own Device (BYOD) corporate culture in workplaces across all industries.
Simply put, the new norm for employees and executives alike is to check email, hold conference calls, and perform any number of other work tasks remotely using their personal laptops, tablets, and smartphones. Nearly 80% of professionals currently work outside the office at least once a week, and 1.55 billion more are expected to do so by 2020.
While this increasingly mobile workforce has the potential to boost employee productivity and provide greater work flexibility, all the while cutting technology costs for employers, the convenience of working from any location on any device ultimately raises a number of cybersecurity concerns. Without the oversight of a qualified IT support team, it is unlikely that personal devices will meet the same security standards as company-owned computers that are managed in-house. Without these protective measures in place, personal devices may inadvertently leak company data, including private and confidential information, as well as provide a trove of opportunities for cybercriminals to launch successful attacks.
For instance, company data may be easily breached if personal devices are lost or stolen, especially if they are not protected by strong passwords and two-factor authentication. Likewise, laptops, tablets, and smartphones can be compromised by Man-in-the-Middle (MitM) attacks if employees use them to connect to unsecured public WiFi networks.
Cybercriminals are also using malicious applications to target smartphones, some of which manage to hide in official app stores like Google Play. On the whole, it is estimated that attacks on smartphones accounted for 85% of all networked device infections in the latter half of 2016, illustrating that these devices constitute a key component of the IoT threat landscape.
Needless to say, it is essential that businesses establish clear security protocols and standards of use for personal devices that have access to company networks and data. This is why The CarefreeIT Cybersecurity Centre provides small and medium-sized businesses (SMBs) with their own virtual Chief Information Security Officer (vCISO) to implement a BYOD policy that is tailored to address their unique organizational needs. Our Security Awareness Training and testing also provides employees with the knowledge they need to use their devices safely and responsibly.
Now more than ever, organizations across all sectors require comprehensive protection from the inherent security risks that come with having an increasingly mobile workforce. This is why our team of experts works in strategic partnership with businesses to ensure they benefit from the greater flexibility and productivity that connected workplaces offer, while safeguarding their valuable information assets along the way.
CarefreeIT Cybersecurity Blog Series: Social Media
Wednesday, July 5, 2017
There’s no question that social media platforms have transformed how we share information about ourselves and our businesses. It is estimated that 2 billion people worldwide have at least one social media account, with the average web user spending two hours per day browsing networking websites such as Facebook, Twitter, Instagram, and LinkedIn. In addition to helping us connect with family and friends from all over the world, establishing a brand presence on these websites has become an integral part of consumer outreach, business networking, and marketing operations for industry professionals across all sectors. In fact, it is expected that chief marketing officers (CMOs) will be spending over 20 percent of their budgets on social media marketing in the next five years.
While social media platforms provide endless opportunities for forging valuable personal and professional connections, the sheer breadth of data available on these websites raises just as many concerns about privacy and security. Individuals and organizations alike have become increasingly comfortable with posting information such as full names, birthdays, e-mail addresses, and employment histories online. Unfortunately, many people don’t realize that this information can be used by cybercriminals to execute social engineering attacks.
This ultimately raises concerns for business owners who utilize social media platforms to expand and engage with their customer base. For instance, LinkedIn provides a trove of information for cybercriminals, with account holders in marketing and public relations at the highest risk of being victimized due to the expansive size of their social networks. Similarly, businesses may not realize that their own corporate websites can make them vulnerable to attacks, especially if employee contact information is listed along with job description details.
For instance, this information could allow a cybercriminal to launch a successful Business E-mail Compromise (BEC) attack, an increasingly common social engineering tactic that has conned businesses out of millions of dollars. By hijacking the e-mail account of a co-worker or supervisor, or by writing from a look-alike address that imitates it, an attacker can target a specific employee by asking them to share passwords and account numbers, or by requesting that they wire money. Simply put, the greatest cybersecurity risk to businesses in our age of online oversharing is an employee mistakenly providing the wrong information to the wrong person.
In many ways, social media platforms are a necessary evil for today's businesses. By not establishing an online presence, companies are missing out on vital opportunities to raise brand awareness and expand their customer base. It can also leave them vulnerable to brand jacking, where unauthorized persons impersonate an organization online. At the same time, the more information that cybercriminals have about a business and the people who work there, the more vulnerable they are to attacks—and this is only aided by the mistaken belief held by most Canadian companies that social media use does not pose a cybersecurity risk.
This is why the CarefreeIT Cybersecurity Centre works in partnership with small and medium-sized businesses (SMBs) to protect them from common social engineering tactics. In addition to educating employees about how to recognize and respond to cybersecurity threats, our Security Awareness Training specifically addresses best practices for using social media safely and responsibly. Our comprehensive cybersecurity service also provides a virtual CISO (vCISO) to develop clear policies for data classification, thus ensuring that employees understand the proper procedures for storing and sharing private, sensitive, and confidential information. Each day we enact our “total care” philosophy by helping businesses reap the benefits of social media platforms, while mitigating the security risks that are inherent in online information sharing.
As if we needed another reminder that the ransomware threat is massive and growing, last month the now-infamous WannaCry attacks claimed over 200,000 victims in 150 countries, including schools, hospitals, transit agencies, and private businesses of all sectors and sizes. WannaCry itself spread as a self-propagating worm through unpatched Windows file-sharing (SMB) services, a reminder that timely patching remains a basic defence, but it arrived amid a broader shift in how ransomware is developed and distributed: the rise of Ransomware-as-a-Service (RaaS).
Simply put, the malware business is big and booming, accumulating more talent, resources, and money with each passing day. Crimeware-as-a-Service has made it possible for virtually anyone with an internet connection to execute successful cyberattacks, no technical expertise required. Whereas yesterday's hackers had to build and maintain their own malware, aspiring cybercriminals can now pay developers for customizable, user-friendly ransomware toolkits. In return for providing these services, ransomware developers claim a percentage of the profits from successful attacks launched with their product.
In this sense, RaaS operates in much the same way as any business that provides an ongoing service for a fee. The plethora of ransomware for purchase on the Dark Web means the industry has become very competitive, with developers constantly upgrading their products to ensure their customers have access to the most sophisticated and profitable malware tools. Commonly, these ransomware service packages include:
1) A user-friendly dashboard that allows cybercriminals to monitor the progress of their campaigns, including the number of attacks launched, the number of victims who have paid the ransom, and the amount of profit generated
2) The ability to execute attacks in different languages
3) A variety of pricing options to launch different scales of attack
4) Technical support from the RaaS provider
5) An online marketplace where customers can review the ransomware packages they have purchased
With so many ransomware tools readily available for criminal use, it's not surprising that the global victim count continues to grow—and small and medium-sized businesses (SMBs) are no exception. One study revealed that 1 in 5 SMBs was hit by a ransomware attack in the previous 12 months. More concerning is the fact that 40% of SMBs that fell victim to ransomware attacks paid the ransom amount, but only 45% of those who did actually got their data back.
This raises the question as to how SMBs can protect themselves from ransomware and other common cyberthreats. The CarefreeIT Cybersecurity Centre recommends Security Awareness Training and testing for all employees as a crucial first step. It is necessary to teach staff how to recognize the social engineering tactics that are commonly used to execute ransomware attacks, as well as educate them about proper incident response protocols in the event of a data breach. Furthermore, our vCISO works with business owners to implement the technologies, procedures, and controls that are needed to safeguard critical IT systems and protect valuable data. Each day we enact our “total care” philosophy by empowering business owners and their employees with the knowledge and tools they need to protect themselves—as well as their valued customers—from cyberthreats.
It’s no secret that new cybersecurity threats are emerging every day, while familiar ones wreak new kinds of havoc for businesses and individual web users. In response, governments from across the globe have been implementing regulations, such as the far-reaching European Union General Data Protection Regulation (GDPR), that prescribe uniform cybersecurity standards for organizations across all sectors. In short, the future of cybersecurity defense has arrived, and legislation is proving to be one of its key components.
One sector that has received special attention in this capacity is financial services, which is 65% more likely to be targeted by attacks than other industries. This is because cybercriminals can easily access vast financial resources and a trove of consumer data if they successfully breach a banking system. In recognition of this precarious reality and the risk it poses for customer privacy, New York State has begun implementing 23 NYCRR 500, which stipulates that all businesses in the financial services industry must have (among other things):
A cybersecurity program that is equipped to respond to and recover from a breach
In Canada specifically, the Digital Privacy Act has introduced new amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA). These legislative changes are expected to be in full force by the end of 2017, at which point Canadian businesses will be legally required to report cybersecurity breaches to the Office of the Privacy Commissioner of Canada. Importantly, they must also inform consumers if their information has been compromised, and those that fail to comply with these standards will be subject to a fine of up to $100,000.
As new threats and breaches come to light with each passing day, Canadian companies across all sectors can expect legislative bodies to develop increasingly comprehensive cybersecurity regulations that impact all aspects of their business operations. While these measures are necessary to ensure that Canadian companies have the proper controls and procedures in place to safeguard sensitive consumer data, they ultimately pose a challenge for small and medium-sized businesses (SMBs), who may not have the budgetary and technical resources needed to align their business practices with up-to-date cybersecurity standards. SMBs are less likely to have their own in-house IT department to proactively manage their technical infrastructure. Likewise, businesses from across the globe are learning that cybersecurity professionals who are qualified to fill the crucial CISO role are hard to find and costly to keep.
As such, SMBs are increasingly turning to Managed Service Providers with the expertise to design and implement a cybersecurity program that meets their unique organizational needs. This is why our "total care" approach to IT support for SMBs prioritizes security. The CarefreeIT Cybersecurity Centre delivers the technologies, procedures, and controls needed to safeguard business networks and protect sensitive data. Our comprehensive security service package also provides our clients with their very own virtual CISO (vCISO), who works in partnership with businesses to ensure they are operating in compliance with the most current and industry-specific cybersecurity regulations. We recognize that business owners have enough on their plates without having to worry whether their IT systems are properly shielded from cyberthreats. This is why our team of experts is dedicated to making your protection our priority.
Similarly, the fact that these headlines often cover high-profile corporations may instill a false sense of security in small and medium-sized businesses (SMBs), which may believe they do not have enough money or valuable information to be targeted by cyberattacks. However, what many people don't realize is that cybercriminals are increasingly going after smaller organizations, including those in the non-profit, education, and healthcare sectors.
It may also come as a surprise that many of today's cybersecurity breaches are not caused by technical flaws or network vulnerabilities. The mass distribution of malware has become a multi-billion dollar industry, which means cybercriminals actually require very little technical knowledge to execute successful attacks. Instead, they rely on social engineering tactics, which exploit the human links in the security chain through persuasion, influence, and manipulation. While e-mail is a common vehicle for social engineering attacks, they can also occur over the phone, through text messages, and in person.
Simply put, social engineers understand that we are inundated with messages from countless sources every day, and are unlikely to take the time to scrutinize e-mails, links, or attachments before opening them. They know how difficult it is for us to pass up promotional offers that appear to come from our favourite coffee chain or clothing store, or how difficult it is for us to ignore a phone call claiming to come from our bank or a government agency. They take advantage of our tendencies to trust and appease other people—which ultimately means the weakest cybersecurity link in any organization is the people who work there.
Phishing is one of the most common types of social engineering schemes, cited as being involved in 97% of all cyberattacks. Phishing attacks target organizations of all sectors and sizes, as well as individual web users. They frequently appear as e-mails from a legitimate business, such as a popular social media website or courier service, and can be surprisingly sophisticated in their appearance and techniques. Often, they will urge you to click on a link or open an attachment, which unleashes malware that can damage your device, cripple your network, and steal your identity.
One increasingly common type of malware that has been grabbing international headlines is ransomware. After it has infected your computer or smartphone, ransomware encrypts your data so that you cannot access it until a set ransom amount has been paid, most often in the form of the cryptocurrency Bitcoin. It is estimated that ransomware attacks grew by 600% in 2016, costing businesses and individuals in excess of $1 billion to retrieve their data. While large-scale corporate breaches are more likely to be featured in the news, the reality is that SMBs are more likely to be targeted by ransomware attacks.
But it doesn’t stop there. Increasingly, social engineers are using targeted spear phishing attacks that appear to come from a friend, family member, or work colleague. A popular type of spear phishing is Business E-mail Compromise (BEC), where a message that seems to come from the head of a company asks an employee to wire money or share sensitive information—such as account numbers and passwords—that can be used to infiltrate the organization. At the end of the day, it only takes one momentary lapse in judgement to do irreparable financial and reputational harm to your business, and the strongest firewalls cannot protect your data if someone in your organization falls for a social engineering attack.
Ultimately this raises the question as to what business owners can do to safeguard their IT systems, financial resources, and sensitive data. The CarefreeIT Cybersecurity Centre provides Security Awareness Training for all our clients' employees as a critical first step. Our experienced instructors hold training sessions at our Waterloo office, as well as onsite at client locations. This training aims to create human firewalls by addressing the most pressing security issues facing SMBs today, such as password and data sharing policies, how to recognize and respond to cybersecurity threats, and safe web browsing practices. While it’s true that the cyberthreat landscape continues to evolve with each passing day, we believe that knowledge can transform employees from security liabilities to empowered champions of their organization’s cybersecurity defense strategies.
The client is a leading financial services organization that delivers a broad range of money management solutions, including expense tracking, investment, budgeting, banking and taxes (also referred to as investment management); these solutions save their customers time and money.
The client had plans for a major business expansion project that would grow the company from 21 locations within Southwestern Ontario to 110 locations spanning throughout the entire province within a five-year timeframe. This plan required a true partnership with an experienced IT service provider who specializes in business development. CarefreeIT partnered with the client to help them manage the expansion, upgrading and streamlining their IT infrastructure, thereby ensuring that all new and existing business locations would operate at peak efficiency and deliver consistent standards of service to new and existing customers. Throughout this five-year period, we provided up-to-date hardware and software installations, network connections, server and firewall configurations, as well as Help Desk IT support, across all locations.
CarefreeIT managed every aspect of the client’s IT infrastructure expansion and integration during this period of rapid organizational growth. Every time a new location opened, we went onsite to install new devices and integrate existing ones, set up network connections, as well as configure servers, firewalls, and backup appliances. Since the client’s business requires reliable internet connectivity to serve its customers, we installed dual internet connections in each location to ensure that point of sale systems remain functional in the event of a network failure. As part of their business continuity plan, we also installed redundant server capacities at two data centres, which jointly serve all 110 business locations. In addition, we streamlined major software upgrades for the client’s point of sale systems, ensuring that all locations are equipped with up-to-date, secure programs that run efficiently and protect sensitive customer data. Similarly, we recommended and oversaw the organization-wide transition to high-speed receipt printers, which substantially increased customer service efficiency ratios.
We continue to provide complete IT support to the client in accordance with our Total Care Plan. Each year we work in collaboration with the client to review and map out new IT strategies which align with their business goals. These strategies include the implementation of new technologies, policies and procedures which safeguard their critical IT systems and confidential data from ever-evolving cyber threats. We have also developed service templates and documentation processes which allow staff to easily report and record technical issues when they arise. In addition, we host a support website designed specifically for the client, which employees can access as a computer desktop application to quickly find answers to common troubleshooting questions, or contact our technical services team directly. We are proud to see how our support and expertise continue to help this valued business partner to maximize their organizational maturity, efficiency, and competitive advantage.
The client is a leading manufacturer that builds standard parts and ships them to customers across North America and abroad; it also designs and builds customized parts for customers who require unique solutions. With innovative design and engineering skills and reliable, quality-controlled manufacturing processes, their experts relish design challenges that result in highly customized solutions to problems in many different industries around the world.
The client was concerned that their existing IT support was no longer working for them, and about the increasing risk of cyber threats. They had four old servers that were due for replacement, which would in turn require updated data backups and secure storage, and presented a perfect opportunity for software upgrades as well, so that their entire system could be overhauled, updated and refreshed. They required the guidance of a professional IT support executive who could make recommendations, provide options and help them choose what would best fit the company's slow but steady growth plans, while ensuring that all existing records remained safe and secure during the upgrade. As a local manufacturer, the client also could not afford any downtime on the production line during the project, which meant the IT work had to be done outside working hours. The client was delighted to hear that CarefreeIT could address all of these concerns, and could also point out a hidden one: the misconception that all four old servers had to be replaced with four new ones.
CarefreeIT simplified the solution and streamlined the upgrade project, which saved the client a great deal of work, time and money. CarefreeIT determined that the four old servers could be consolidated onto two new ones operating at peak efficiency, saving the company thousands of dollars in project costs it would likely have incurred with another IT support company.