Many small businesses make the mistake of skipping policies. They feel that things don’t need to be so formal. They’ll just tell staff what’s expected when it comes up and think that’s good enough.
However, this way of thinking can cause issues for small and mid-sized business owners. Employees aren’t mind readers and things that you think are obvious, might not be to them.
Not having policies can also leave you in poor legal standing should a problem occur, such as a lawsuit due to misuse of a company device or email account.
Did you know that 77% of employees access their social media accounts while at work? Further, 19% of them average 1 full working hour a day spent on social media. In some cases, employees are ignoring a company policy. But in others, there is no specific policy for them to follow.
IT policies are an important part of your IT security and technology management. So, no matter what size your business is, you should have them. We’ll get you started with some of the most important IT policies your company should have in place.
Do You Have These IT Policies? (If Not, You Should)
Password Security Policy
About 77% of all cloud data breaches originate from compromised passwords. Compromised credentials are also now the number one cause of data breaches globally.
A password security policy will lay out for your team how to handle their login passwords. It should include things like:
- How long passwords should be
- How to construct passwords (e.g., using at least one number and symbol)
- Where and how to store passwords
- The use of multi-factor authentication (if it’s required)
- How often to change passwords
Click here to learn more about how Databranch can help you set up a password manager.
Acceptable Use Policy (AUP)
The Acceptable Use Policy is an overarching policy. It includes how to properly use technology and data in your organization. This policy will govern things like device security. For example, you may need employees to keep devices updated. If this is the case, you should include that in this policy.
Another thing to include in your AUP would be where it is acceptable to use company devices. You may also restrict remote employees from sharing work devices with family members.
Data is another area of the AUP. It should dictate how to store and handle data. The policy might require an encrypted environment for security.
Cloud & App Use Policy
The use of unauthorized cloud applications by employees has become a big problem. It’s estimated that the use of this “shadow IT” ranges from 30% to 60% of a company’s cloud use.
Often, employees use cloud apps on their own because they don’t know any better. They don’t realize that using unapproved cloud tools for company data is a major security risk.
A cloud and app use policy will tell employees what cloud and mobile apps are okay to use for business data. It should restrict the use of unapproved applications. It should also provide a way to suggest apps that would enhance productivity.
Bring Your Own Device (BYOD) Policy
Approximately 83% of companies use a BYOD approach for employee mobile use. Allowing employees to use their own smartphones for work saves companies money. It can also be more convenient for employees because they don’t need to carry around a second device.
But if you don’t have a policy that dictates the use of BYOD, there can be security and other issues. Employee devices may be vulnerable to attack if the operating system isn’t updated. There can also be confusion about compensation for the use of personal devices at work.
The BYOD policy clarifies the use of employee devices for business, including the required security of those devices. It may also note the required installation of an endpoint management app. It should also cover compensation for business use of personal devices.
Wi-Fi Use Policy
Public Wi-Fi is an issue when it comes to cybersecurity. 61% of surveyed companies say employees connect to public Wi-Fi from company-owned devices.
Many employees won’t think twice about logging in to a company app or email account, even when on a public internet connection. This could expose those credentials and lead to a breach of your company network.
Your Wi-Fi use policy will explain how employees are to ensure they have safe connections. It may dictate the use of a company VPN. Your policy may also restrict the activities employees can do when on public Wi-Fi, such as not entering passwords or payment card details into a form.
Click here to read more about choosing the right VPN for your company.
Social Media Use Policy
With social media use at work so common, it’s important to address it. Otherwise, endless scrolling and posting could steal hours of productivity every week.
Include details in your social media policy, such as:
- Restricting when employees can access personal social media
- Restricting what employees can post about the company
- Noting “safe selfie zones” or facility areas that are not okay for public images
Get Help Improving Your IT Policy Documentation & Security
We can help your organization address IT policy deficiencies and security issues. Contact Databranch today at 716-373-4467 x 15, [email protected], or fill in the field below if you would like to schedule a consultation to get started.
Article used with permission from The Technology Press.
How many text messages from companies do you receive today as compared to about two years ago? If you’re like many people, it’s quite a few more.
This is because retailers have begun bypassing bloated email inboxes. They are urging consumers to sign up for SMS alerts for shipment tracking and sale notices. The medical industry has also joined the trend. Pharmacies send automated refill notices and doctor’s offices send SMS appointment reminders.
These kinds of texts can be convenient. But retail stores and medical practices aren’t the only ones grabbing your attention by text. Cybercriminal groups are also using text messaging to send out phishing.
Phishing by SMS is “smishing,” and it’s becoming a major problem.
Case in point, in 2020, smishing rose by 328%, and during the first six months of 2021, it skyrocketed nearly 700% more. Phishing via SMS has become a big risk area, especially as companies adjust data security to a more remote and mobile workforce.
How Can I Text Myself?
If you haven’t yet received a text message only to find your own phone number as the sender, then you likely will soon. This smishing scam is fast making the rounds and results in a lot of confusion. Confusion is good for scammers. It often causes people to click a malicious link in a message to find out more details.
Cybercriminals can make it look like a text message they sent you is coming from your number. They use VoIP connections and clever spoofing software.
If you ever see this, it’s a big giveaway that this is an SMS phishing scam. You should not interact with the message in any way and delete it instead. Some carriers will also offer the option to delete and report a scam SMS.
Popular Smishing Scams to Watch Out For
Smishing is very dangerous right now because many people are not aware of it. There’s a false sense of security. People think only those they have given it to will have their phone number.
But this isn’t the case. Mobile numbers are available through both legitimate and illegitimate methods. Advertisers can buy lists of them online. Data breaches that expose customer information are up for grabs on the Dark Web. This includes mobile numbers.
Less than 35% of the population knows what smishing is.
It’s important to understand that phishing email scams are morphing. They’ve evolved into SMS scams that may look different and be harder to detect.
For example, you can’t check the email address to see if it’s legitimate. Most people won’t know the legitimate number that Amazon shipping updates come from.
Text messages also commonly use those shortened URLs. These mask the true URL, and it’s not as easy to hover over it to see it on a phone as it is on a computer.
You need to be aware of what’s out there. Here are some of the popular phishing scams that you may see in your own text messages soon.
1. Problem with a Delivery
Who doesn’t love getting packages? This smishing scam leverages that fact and purports to be from a known shipper like USPS or FedEx. It states that there is a package held up for delivery to you because it needs more details.
The link can take users to a form that captures personal information used for identity theft. One tactic using this scam is to ask for a small monetary sum to release a package. Scammers created the site to get your credit card number.
2. Fake Appointment Scheduling
This scam happened to a community in South Carolina. They had recently had an installation of AT&T fiber internet lines in their neighborhood. Following the installation, AT&T did a customer drive to sign people up for the service.
During this time, one homeowner reported that he received a text message. It pretended to be from AT&T about scheduling his fiber internet installation. He thought it was suspicious because the address they gave was wrong. The scammer had wanted him to text back personal details.
3. Get Your Free Gift
Another recent smishing scam is a text message that doesn’t say who it’s from. It says, “Thank you for your recent payment. Here is a free gift for you.” It includes a link at the bottom of the message.
This is a widespread scam that many have noted online and it’s an example of a scammer using a common fact. The fact that most people would’ve paid some type of bill recently and mistake the text to be from a company they know. It also lures people in with the promise of giving them a free gift.
Is Your Team Trained in Cybersecurity Safety?
Company cellphones are no exception when it comes to receiving smishing attacks. Keeping your employees current with cybersecurity training will improve cyber hygiene across multiple platforms. Contact Databranch today at 716-373-4467 x 15 or [email protected] if you would like to learn more about our Breach Prevention Platform and Security Awareness Training with simulated phishing tests.
Article used with permission from The Technology Press.
On average, a business is infected with ransomware every forty seconds. That is shorter than the approximate time it will take to read this article.
Ransomware is a nasty form of malware that viciously and unapologetically infects your computers and servers. It can spread like wildfire across your network environment in a matter of seconds, leaving your data and files encrypted, inaccessible and held hostage until you pay the attacker a ransom of their choosing.
How can information be held hostage? By encrypting it. The ransomware will encrypt hard drives and files until a ransom is paid in exchange for the decryption key.
The ransom is arbitrary and defined by the hacker. The payment method is always a type of digital currency, such as Bitcoin, which allows the hacker to remain anonymous.
Obtaining the digital currency to pay the ransom is not as easy as one would think. The buyer must have a digital wallet, must trust an untrustworthy transaction (there are no actual banks involved) and is subject to a very dynamic and unpredictable digital currency market. Ransom fees range from a few thousand dollars to a few hundred thousand dollars.
Lastly, paying the ransom does not guarantee the hacker will actually provide the decryption key. Remember this is a transaction with a criminal. In fact, the FBI officially recommends that ransoms are not paid to hackers for a number of reasons:
- One, you may pay for a decryption key and never get one in return.
- Two, if provided with a decryption key, it may or may not work.
- Three, once a hacker knows that you are willing to pay a ransom, they will likely re-infect your computer / network again and again until the technical vulnerabilities are actually remediated. Paying ransoms will encourage more attacks and prioritizes you as a great target.
Unfortunately, the ransom itself is not the only expense associated with the attack. Many ransomware attacks lead to downtime and some even lead to total loss of data and / or hardware. The real expense is associated with the outage caused by the ransomware and the effort to eradicate the malicious code and then recover system functionality. Click here to calculate the cost of downtime and recovery for your business.
To make matters more challenging, the vast majority of ransomware attacks are executed by highly sophisticated criminal organizations with the intent of financial gain. The attackers are smart and motivated. They are not launching ransomware attacks just for fun, it is big business and business is booming. Year after year we see more variations of ransomware created, more infections occur and more ransoms get paid.
The threat and impact of ransomware infection is real, and there are essentially two things one can do to address it. The first is to put effective cyber-security controls in place to prevent the infection. The second is to have recovery methods in place if an infection is detected.
Steps to Address the Threat of Ransomware
Prevention
1. Awareness Training – The vast majority of ransomware infections are the result of phishing scams. An unsuspecting user clicks on a link or opens an attachment and unknowingly downloads the malicious code. Security awareness training can teach people how to use technology in a secure fashion, thus preventing a huge source of malware and ransomware outbreaks. Contact Databranch today to learn more about our Breach Prevention Platform and Security Awareness Training with simulated phishing tests.
2. Vulnerability and Patch Management – Unpatched computers and systems are often the cause of ransomware infections. Routine vulnerability scanning should be used to detect Common Vulnerabilities and Exposures (CVE). Scan results will identify systems and computers that need operating systems and applications updated with current patches. Neglected systems are incredibly easy to compromise. Vulnerability Scanning and System Patching should occur on a regular basis because new vulnerabilities are discovered daily and software patches are released weekly, if not immediately by vendors to fix security flaws. It is important to implement a formal vulnerability and patch management program to keep systems current and secure. Databranch offers a free baseline security assessment here.
3. Anti-Virus / Anti-Malware – Anti-virus / Anti-malware software provides critical protection against all types of malware, including ransomware. Not all ransomware will be detected by Anti-virus software, but most of it will be detected and either quarantined or removed before it has a chance to do any material damage. It is imperative to install Anti-virus software on all computers and servers. It is equally important to keep the Anti-virus software current. The latest version of the software should always be in production.
4. Email & Web Content Filtering – Many email and web content filtering technologies have the ability to scan inbound transmissions to detect malicious code. Consequently, ransomware can be detected and quarantined before the end user accidentally clicks on a link, downloads a document or runs an executable containing malware.
5. Secure Remote Access Technologies – Secure remote access technologies such as a Virtual Private Network (VPN) should be used to access an internal, or private, network from an external, or public, location. There are many insecure remote access technologies such as Remote Desktop Protocol (RDP) that are effortlessly compromised, allowing ransomware attacks to succeed.
Recovery
1. Incident Response Plan – An incident response plan provides an organized approach to detect, eradicate and recover from cyber security incidents, including a ransomware outbreak. The plan offers structure and reassurance during the most chaotic and stressful situations. Creating an incident response plan is a fundamental component of being prepared to recover from a ransomware infection.
2. Network Segmentation – Computer networks that are logically or physically segregated from each other are very useful in containing a ransomware outbreak. Assuming that computers reside on one logical network and all servers reside on a different network; if a PC is infected with ransomware it will not spread to infect servers and vice versa. This makes recovery much more practical and obtainable. If all assets reside on the same network, the likelihood of the ransomware infection spreading and encrypting everything is very high.
3. Effective Data Backup Strategy – Reliable and current data backups allow one to recover from ransomware attacks by simply restoring systems, applications and files to a previous and non-infected state of operation. Backup jobs should be configured in accordance with system criticality, monitored for success and routinely tested for recovery assurance. It is also good practice to have multiple copies of backup files stored on different types of media and in different locations.
4. Disaster Recovery Plan – A disaster recovery plan has several key components, one of the more important ones being a step by step recovery procedure. Reliable and current data backups are only useful if they can be used in a successful recovery effort. Be sure to document this procedure and test its effectiveness at least annually. If you would like to learn more about Databranch’s disaster recovery solutions, click here.
How Databranch Can Help
Ransomware is an incredibly popular, effective and profitable cybersecurity attack. It is a real menace. The good news is that the right prevention and recovery tactics will prepare anyone to address the threat of ransomware with confidence and success.
Contact Databranch today at 716-373-4467 x 15 or [email protected] if you would like to learn more about our Breach Prevention Platform and Security Awareness Training with simulated phishing tests.
Article used with permission from CyberStone.
There is a reason why phishing is usually at the top of the list for security awareness training. For the last decade or two, it has been the main delivery method for all types of attacks. Ransomware, credential theft, database breaches, and much more all launched via a phishing email.
Why has phishing remained such a large threat for so long? Because it continues to work. Scammers evolve their methods as technology progresses. They use AI-based tactics to make targeted phishing more efficient, for example.
If phishing didn’t continue working, then scammers would move on to another type of attack. But that hasn’t been the case. People continue to get tricked. They open malicious file attachments, click on dangerous links, and reveal passwords.
In May of 2021, phishing attacks increased by 281%. Then in June, they spiked another 284% higher.
Studies show that as soon as 6 months after training, phishing detection skills wane. Employees begin forgetting what they’ve learned, and cybersecurity suffers as a result.
Want to give employees a “hook” they can use for memory retention? Introduce the SLAM method of phishing identification.
What is the SLAM Method for Phishing Identification?
One of the mnemonic devices known to help people remember information is the use of an acronym. SLAM is an acronym for four key areas of an email message to check before trusting it.
These are:
S = Sender
L = Links
A = Attachments
M = Message text
By giving people the term “SLAM” to use, it’s quicker for them to check a suspicious email. This device helps them avoid missing something important. All they need to do is use the cues in the acronym.
Check the Sender
It’s important to check the sender of an email thoroughly. Often scammers will either spoof an email address or use a look-alike. People often mistake a spoofed address for the real thing.
In this phishing email below, the email address domain is “@emcom.bankofamerica.com.” The scammer is impersonating Bank of America. This is one way that scammers try to trick you, by putting the real company’s URL inside their fake one.
Doing a quick search on the email address quickly reveals it to be a scam. This is a trap used in both email and SMS phishing attacks.
It only takes a few seconds to type an email address into Google. This allows you to see if any scam warnings come up indicating a phishing email.
Hover Over Links Without Clicking
Hyperlinks are popular to use in emails. They can often get past antivirus/anti-malware filters. Those filters are looking for file attachments that contain malware but a link to a malicious site doesn’t contain any dangerous code. Instead, it links to a website that does.
Links can be in the form of hyperlinked words, images, and buttons in an email. When on a computer, it’s important to hover over links without clicking on them to reveal the true URL. This often can immediately call out a fake email scam.
When looking at email on a mobile device, it can be trickier to see the URL without clicking on it. There is no mouse like there is with a PC. In this case, it’s best not to click the URL at all. Instead, go to the purported site to check the validity of the message.
Never Open Unexpected or Strange File Attachments
File attachments are still widely used in phishing emails. Messages may have them attached, promising a large sale order. The recipient might see a familiar word document and open it without thinking.
It’s getting harder to know what file formats to avoid opening. Cybercriminals have become savvier about infecting all types of documents with malware. There have even been PDFs with malware embedded.
Never open strange or unexpected file attachments. Use an antivirus/anti-malware application to scan all attachments before opening.
Read the Message Carefully
We’ve gotten great at scanning through text as technology has progressed. It helps us quickly process a lot of incoming information each day. But if you rush through a phishing email, you can miss some telltale signs that it’s a fake.
Look at the phishing example posted above in the “Links” section. There is a small error in grammar in the second sentence. Did you spot it?
It says, “We confirmation that your item has shipped,” instead of “We confirm that your item has shipped.” These types of errors can be hard to spot but are a big red flag that the email is not legitimate.
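The Sender and Links checks of the SLAM method can be automated for a saved message. The following script is an added example, not code from the original article or from Databranch; the sample message, the trusted-domain allow-list and the URL-shortener list are constructed assumptions.

```python
"""Automated pass over the S and L of the SLAM method on a saved email.

Added example, not part of the original article. It parses a constructed
.eml message, checks the sender domain against a small allow-list of
domains the organisation trusts (the list and the message are assumptions),
and flags links whose visible text names a different host than the real
href, plus links that go through a URL shortener.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a look-alike sender domain and a mismatched link.
SAMPLE_EML = b"""\
From: "Bank of America" <alerts@bankofamerica-secure.example>
To: user@example.com
Subject: Action required on your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We confirmation that your item has shipped.</p>
<p>Sign in at <a href="http://login.example-phish.test/bofa">
https://www.bankofamerica.com/login</a></p>
<p>Track it: <a href="https://bit.ly/3abcXYZ">Track package</a></p>
</body></html>
"""

TRUSTED_DOMAINS = {"bankofamerica.com"}                   # assumed allow-list
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}  # assumed list


def sender_domain(msg: EmailMessage) -> str:
    """Return the domain part of the From: address, lower-cased."""
    m = re.search(r"@([A-Za-z0-9.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""


def sender_is_lookalike(domain: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True if the domain is not trusted but embeds a trusted brand name."""
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return False
    brands = {t.split(".")[0] for t in trusted}
    return any(b in domain for b in brands)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html: str) -> list:
    """Links whose visible text shows another host, or that use a shortener."""
    p = _LinkCollector()
    p.feed(html)
    findings = []
    for href, text in p.links:
        host = (urlparse(href).hostname or "").lower()
        shown = urlparse(text).hostname if "://" in text else None
        if shown and shown.lower() != host:          # "hover" check, automated
            findings.append(("display_mismatch", href, shown.lower()))
        elif host in SHORTENERS:                      # true target is masked
            findings.append(("shortened_url", href, host))
    return findings


def slam_report(raw: bytes) -> dict:
    """Run the Sender and Links checks over one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    dom = sender_domain(msg)
    return {"sender": dom, "sender_lookalike": sender_is_lookalike(dom),
            "links": suspicious_links(html)}
```

The Attachments and Message checks remain manual: the script does not judge grammar, and an attachment scan belongs to the anti-malware tool the article recommends.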
Get Help Combatting Phishing Attacks
Both awareness training and security software can improve your defenses against phishing attacks. Contact Databranch today at 716-373-4467 x 15 or [email protected] if you would like to learn more about what options are available to improve your organization's cybersecurity. Our Foundation Security Plan offers a wide variety of benefits, such as increased malware/ransomware protection, fewer phishing compromises, and help preventing data theft/loss.
To request a free Baseline Security Assessment, click here.
Article used with permission from The Technology Press.
You’ve completed your annual phishing training. This includes teaching employees how to spot phishing emails. You’re feeling good about it. That is until about 5-6 months later. Your company suffers a costly ransomware infection due to a click on a phishing link.
You wonder why you seem to need to train on the same information every year. But you still suffer from security incidents. The problem is that you’re not training your employees often enough.
People can’t change behaviors if training isn’t reinforced. They can also easily forget what they’ve learned after several months go by.
So, how often is often enough to improve your team’s cybersecurity awareness? It turns out that training every four months is the “sweet spot.” This is when you see more consistent results in your IT security.
Why Is Cybersecurity Awareness Training Every 4 Months Recommended?
So, where does this four-month recommendation come from? There was a study presented at the USENIX SOUPS security conference recently. It looked at users’ ability to detect phishing emails versus training frequency. It looked at training on phishing awareness and IT security.
Employees took phishing identification tests at several different time increments:
- 4-months
- 6-months
- 8-months
- 10-months
- 12-months
The study found that four months after their training, scores were good. Employees were still able to accurately identify and avoid clicking on phishing emails. But after 6 months, their scores started to get worse. Scores continued to decline the more months that passed after their initial training.
To keep employees well prepared, they need training and refreshers on security awareness. This will help them to act as a positive agent in your cybersecurity strategy.
Tips on What & How to Train Employees to Develop a Cybersecure Culture
The gold standard for security awareness training is to develop a cybersecure culture. This is one where everyone is cognizant of the need to protect sensitive data, avoid phishing scams, and keep passwords secured.
This is not the case in most organizations, according to the 2021 Sophos Threat Report. One of the biggest threats to network security is a lack of good security practices.
The report states the following,
“A lack of attention to one or more aspects of basic security hygiene has been found to be at the root cause of many of the most damaging attacks we’ve investigated.”
Well-trained employees significantly reduce a company’s risk. They reduce the chance of falling victim to any number of different online attacks. To be well-trained doesn’t mean you have to conduct a long day of cybersecurity training. It’s better to mix up the delivery methods.
Here are some examples of engaging ways to train employees on cybersecurity. You can include these in your training plan:
- Self-service videos that get emailed once per month
- Team-based roundtable discussions
- Security “Tip of the Week” in company newsletters or messaging channels
- Training session given by an IT professional
- Simulated phishing tests
- Cybersecurity posters
- Celebrate Cybersecurity Awareness Month in October
When conducting training, phishing is a big topic to cover, but it’s not the only one. Here are some important topics that you want to include in your mix of awareness training.
Phishing by Email, Text & Social Media
Email phishing is still the most prevalent form. But SMS phishing (“smishing”) and phishing over social media are both growing. Employees must know what these look like, so they can avoid falling for these sinister scams.
Credential & Password Security
Many businesses have moved most of their data and processes to cloud-based platforms. This has led to a steep increase in credential theft because it’s the easiest way to breach SaaS cloud tools.
Credential theft is now the #1 cause of data breaches globally. This makes it a topic that is critical to address with your team. Discuss the need to keep passwords secure and the use of strong passwords. Also, help them learn tools like a business password manager.
Mobile Device Security
Mobile devices are now used for a large part of the workload in a typical office. They’re handy for reading and replying to an email from anywhere. Most companies will not even consider using software these days if it doesn’t have a great mobile app.
Review security needs for employee devices that access business data and apps, such as securing the phone with a passcode and keeping it properly updated.
Data Security
Data privacy regulations are something else that has been rising over the years. Most companies have more than one data privacy regulation requiring compliance.
Train employees on proper data handling and security procedures. This reduces the risk you’ll fall victim to a data leak or breach that can end up in a costly compliance penalty.
Need Help Keeping Your Team Trained on Cybersecurity?
Take training off your plate and train your team with cybersecurity professionals. We can help you with an engaging training program. One that helps your team change their behaviors to improve cyber hygiene. Contact Databranch today at 716-373-4467 x 15 or [email protected] if you would like to learn more about our Breach Prevention Platform and Security Awareness Training with simulated phishing tests.
Article used with permission from The Technology Press.