As cyber threats continue to increase, businesses must take proactive steps. They need to protect their sensitive data and assets from cybercriminals. Threats to data security are persistent and they come from many different places.  

Today’s offices are digitally sophisticated. Just about every activity relies on some type of technology and data sharing. Hackers can breach these systems from several entry points including computers, smartphones, cloud applications, and network infrastructure.

It’s estimated that cybercriminals can penetrate 93% of company networks.

One approach that can help organizations fight these intrusions is threat modeling. Threat modeling is a process used in cybersecurity that involves identifying potential threats and vulnerabilities to an organization’s assets and systems.

Threat modeling helps businesses prioritize their risk management and mitigation strategies. The goal is to mitigate the risk of falling victim to a costly cyber incident.

Here are the steps businesses can follow to conduct a threat model.

Identify Assets That Need Protection

The first step is to identify assets that are most critical to the business. This includes sensitive data, intellectual property, or financial information. What is it that cybercriminals will be going after?

Don’t forget to include phishing-related assets. Such as company email accounts. Business email compromise is a fast-growing attack that capitalizes on breached company email logins. Some hackers are even known to use reply-chain phishing attacks after gaining access to a businesses email.

Identify Potential Threats

The next step is to identify potential threats to these assets. Some common threats could be cyber-attacks such as phishing. Others would be ransomware, malware, or social engineering.

Another category of threats could be physical breaches or insider threats. This is where employees or vendors have access to sensitive information.

Remember, threats aren’t always malicious. Human error causes approximately 88% of data breaches. So, ensure you’re aware of mistake-related threats, such as:

• The use of weak passwords
• Unclear cloud use policies
• Lack of employee training
• Poor or non-existent BYOD policies

Are your employees trained to spot real world threats such as phishing and business email compromises? Visit us here to learn more about our Breach Prevention Platform and Security Awareness Training with simulated phishing tests.

Assess Likelihood and Impact

Once you’ve identified potential threats, take the next step. This is to assess the likelihood and impact of these threats. Businesses must understand how likely each threat is to occur. As well as the potential impact on their operations, reputation, and financial stability. This will help rank the risk management and mitigation strategies.

Base the threat likelihood on current cybersecurity statistics as well as a thorough vulnerability assessment. It’s best this assessment is by a trusted 3rd party IT service provider, such as Databranch. If you’re doing your assessment with only internal input, you’re bound to miss something.

Prioritize Risk Management Strategies

Next, prioritize risk management strategies based on the likelihood and impact of each potential threat. Most businesses can’t tackle everything at once due to time and cost constraints. So, it’s important to rank solutions based on the biggest impact on cybersecurity.

Some common strategies to consider include implementing:

• Access controls
• Firewalls
• Intrusion detection systems
• Employee training and awareness programs
• Endpoint device management

Businesses must also determine which strategies are most cost-effective. They should also align with their business goals.

Continuously Review and Update the Model

Threat modeling is not a one-time process. Cyber threats are constantly evolving. Businesses must continuously review and update their threat models. This will help ensure that their security measures are effective. As well as aligned with their business objectives.

Benefits of Threat Modeling for Businesses

Threat modeling is an essential process for businesses to reduce their cybersecurity risk. Identifying potential threats and vulnerabilities to their assets and systems is important. It helps them rank risk management strategies. As well as reduce the likelihood and impact of cyber incidents.

Here are just a few of the benefits of adding threat modeling to a cybersecurity strategy.

Improved Understanding of Threats and Vulnerabilities

Threat modeling can help businesses gain a better understanding of specific threats. It also uncovers vulnerabilities that could impact their assets and identifies gaps in their security measures and helps uncover risk management strategies.

Ongoing threat modeling can also help companies stay out in front of new threats. Artificial intelligence is birthing new types of cyber threats every day. Companies that are complacent can fall victim to new attacks.

Cost-effective Risk Management

Addressing risk management based on the likelihood and impact of threats reduces costs. It can optimize company security investments while ensuring that businesses divide resources effectively and efficiently.

Business Alignment

Threat modeling can help ensure that security measures align with the business objectives. This can reduce the potential impact of security measures on business operations. It also helps coordinate security, goals, and operations.

Reduced Risk of Cyber Incidents

By implementing targeted risk management strategies, businesses can reduce risk. This includes the likelihood and impact of cybersecurity incidents. This will help to protect their assets. It also reduces the negative consequences of a security breach.

Get Started with Comprehensive Threat Identification

Wondering how to get started with a threat assessment? Our experts can help you put in place a comprehensive threat modeling program. Give us a call today at 716-373-4467 x115 or [email protected] to schedule a discussion.

Article used with permission from The Technology Press.

Read More

In today’s fast-paced and digitally driven world, the demands placed on the IT infrastructure of businesses like yours are ever-increasing. To meet these challenges head-on, embracing outsourced IT services and entrusting your technological needs to an experts, such as Databranch, is the best option. By partnering with our team, you can tap into a wealth of knowledge, experience and cutting-edge technologies that might otherwise be challenging to obtain in-house.

Outsourced IT acts as a beacon of relief, enabling you to offload the burdensome responsibilities of managing IT. With dedicated professionals and advanced tools at their disposal, outsourced IT providers can implement robust security measures, ensure seamless data backups and monitor systems 24/7, all while adhering to industry best practices and compliance standards.

However, amid the promise and potential of outsourced IT, lingering myths can hold you back from embracing this transformative approach. In this blog, we’ll dispel the popular myths and shed light on the truths related to outsourced IT.

Debunking Common Outsourced IT Myths

Myth #1: It only focuses on technical issues.

Contrary to popular belief, outsourced IT encompasses much more than just technical support. It goes beyond resolving everyday glitches and delves into critical areas that drive business success.

Leading IT service providers offer comprehensive and advanced solutions, including robust cybersecurity measures, reliable backup and recovery systems, and efficient cloud computing services.

By partnering with Databranch, you gain a strategic ally who aligns technology with your unique needs, boosts productivity and offers proactive support.

Myth #2: It’s only for large enterprise companies.

The truth is that businesses of all sizes and across industries can benefit immensely from outsourcing their IT needs. Even smaller organizations, often constrained by limited resources, can gain a lot.

Databranch is a committed IT service provider capable of handling diverse technological demands, meaning you can tap into our resource pool rather than struggling to build and maintain an in-house IT team. This allows you to gain an edge over the competition.

Myth #3: It’s too expensive for my budget and resources.

Cost considerations often fuel doubts about outsourced IT. However, when carefully evaluated, outsourcing proves to be a cost-effective solution.

Investing in an internal IT department entails substantial expenses, ranging from recruitment and training to salaries and benefits. On top of that, the ever-evolving technology landscape demands constant investments in infrastructure upgrades and software licenses.

That’s why Databranch provides access to specialized expertise and eliminates the financial burden of maintaining an internal team. With economies of scale at play, you can access cutting-edge infrastructure and security measures at a fraction of the cost.

Databranch offers two main service programs for you budget, both designed for full network coverage: Proactive and Comprehensive Care. Visit our website here to learn more about each one and to contact us with any questions.

Myth #4: It leads to a loss of control over IT operations.

A common fear associated with outsourced IT is the perceived loss of control. However, the reality couldn’t be further from the truth. By partnering with the Databranch team, you gain enhanced visibility into your IT operations, leading to better decision-making and outcomes.

Detailed reports, analytics and performance metrics offer valuable insights that empower you to align your IT strategies with your objectives. Moreover, we aim for a collaborative relationship that fosters transparency, open communication and meaningful decision-making.

Partner for success

Ready to revolutionize your business with the remarkable benefits of outsourcing your IT operations? Look no further! Get in touch with us today at 716-373-4467  x115 or [email protected] to embark on a transformative journey toward streamlined efficiency and accelerated growth.

We know managing your IT infrastructure can be complex and time-consuming, diverting your attention away from your core business objectives. That’s where our expertise comes into play — armed with extensive experience and cutting-edge solutions to seamlessly handle all your IT needs.

Read More

Is there still room to improve your remote team’s productivity? 

Databranch has helped many businesses add remote work capabilities to their technology environment over the past year, always keeping security top-of-mind throughout.

However, we also offer a productivity monitoring software solution that can monitor web and desktop application use across all your company’s computers – whether in-office or remote.

It offers a balance of providing your management team with insights without extensive policy documentation. Meaning it is a smart fit if you want visibility without heavy-handed intrusion.

This includes:

• Monitoring: You will be able to monitor all employee desktop apps and web use whether in-office or remote
• Visibility: Provides an overview of workforce productivity without the hassle of looking over each employee’s shoulder
• Timelines: In the instance of malware detection, you can track back to specific events to view the history
• Reporting: View robust reports to identify productivity trends and optimize workflow. This helps determine which web-based applications provide the most business value.

This software will allow you to monitor active tabs, desktop apps, and idle time. You can then store up to 6 months of your data for instances such as legal compliances or auditing purposes. 

The program makes filtering through these logged events easy and fast. Simply type into a search box and the event filter will automatically scan your data, compiling records from specific endpoints. 

This means you’ll have visibility into which endpoint was browsing certain websites or using a specific application.

Reach out to Databranch today at 716-373-4467 x115 or [email protected] if you’d like to learn more.

Read More

Databranch has been named as one of the world’s premier managed service providers in the prestigious 2023 Channel Futures MSP 501 rankings.

For the past 17 years, managed service providers around the globe have submitted applications for inclusion on this prestigious and definitive listing. The Channel Futures MSP 501 survey examines organizational performance based on annual sales, recurring revenue, profit margins, revenue mix, growth, innovation and supported technologies.

MSPs that qualify for the list must pass a rigorous review conducted by the research team and editors of Channel Futures. It ranks applicants using a unique methodology that weighs financial performance according to long-term health and viability, commitment to recurring revenue and operational efficiency.

Channel Futures is Pleased to Name Databranch to the 2023 MSP 501

“We are honored and delighted to be recognized as a top Managed Service Provider in the 2023 Channel Futures MSP 501 Awards!” said Mike Wilson, President of Databranch. “This accolade is a reflection of our unwavering commitment to not just serve, but truly partner with our clients to meet their unique technology needs. We believe in a collaborative approach, working side by side with our clients to deliver innovative solutions and deliver an exceptional support experience.”

This year’s list is one of the most competitive in the survey’s history. Winners will be recognized on the Channel Futures website and honored during a special ceremony at the Channel Futures Leadership Summit, Oct. 30-Nov. 2, in Miami, Florida.

Since its inception, the MSP 501 has evolved from a competitive ranking into a vibrant group of innovators focused on high levels of customer satisfaction at small, medium and large organizations in public and private sectors. Many of their services and technology offerings focus on customer needs in the areas of cloud, security, collaboration and hybrid work forces.

“The 2023 Channel Futures MSP 501 winners persevered through challenging times to become the highest-performing and most innovative IT providers in the industry today,” said Jeff O’Heir, Channel Futures senior news editor and MSP 501 project manager. “The MSP 501 ranking doesn’t award MSPs solely on their size and revenue. It acknowledges the business acumen, best practices and trusted advice they deliver to customers every day. They deserve the honor.”

“We extend our heartfelt congratulations to the 2023 winners, and gratitude to the thousands of MSPs that have contributed to the continuing growth and success of the managed services sector,” said Kelly Danziger, general manager of Informa Tech Channels. “These providers are most certainly driving a new wave of innovation in the industry and are demonstrating a commitment to moving the MSP and entire channel forward.”

The data collected by the annual NextGen 101 and MSP 501 drive Channel Futures’ market intelligence insights, creating robust data sets and data-based trend reports that support our editorial coverage, event programming, community and networking strategies and educational offerings.

Background

The 2023 MSP 501 list is based on confidential data collected and analyzed by the Channel Futures research and editorial teams. Data was collected online from February to May, 2023. The MSP 501 list recognizes top managed service providers based on metrics including recurring revenue, profit margin and other factors.

About Databranch

Databranch, Inc., is an IT consulting and outsourcing provider serving local, national and international businesses in Western New York and Northwestern Pennsylvania since 1985. We help our clients use information technology to cut costs, increase efficiencies and enhance customer service across three main areas: managed services, networking and security.

The Databranch staff is made up of highly skilled, experienced, and certified professionals. Our clients look to us to provide technology solutions that work. We offer consulting services that provide organizations with the best possible solutions for the most affordable price that are executed with a personal touch. Contact us today to see what we can do for you.

About Channel Futures

Channel Futures is a media and events destination for the information and communication technologies (ICT) channel community. We provide information, perspective and connection for the entire channel ecosystem, including solution providers (SPs), managed service providers (MSPs), managed security service providers (MSSPs), cloud service providers (CSPs), value-added resellers (VARs) and distributors, technology solutions brokerages, subagents and agents, as well as leading technology vendor partners and communication providers.

Our properties include many awards programs such as the Channel Futures MSP 501, a list of the most influential and fastest-growing providers of managed services in the technology industry; Channel Partners events, which delivers unparalleled in-person events including Channel Partners Conference & Expo, Channel Futures Leadership Summit, Women’s Leadership Summit, the MSP Summit and Channel Partners Europe; and a DEI Community Group, our initiative to educate, support and promote diversity, equity and inclusion (DE&I) in the ICT channel industry. Channel Futures is where the world meets the channel; we are leading Channel Partners forward. More information is available at channelfutures.com.

Channel Futures is part of Informa Tech, a market-leading B2B information provider with depth and specialization in ICT sector. Every year, we welcome 14,000+ subscribers to our research, more than 4 million unique monthly visitors to our digital communities, 18,200+ students to our training programs and 225,000 delegates to our events.

What’s the Value of Managed IT Services?

Here at Databranch, our Managed Network Services provides your company with the security of knowing that your network is being monitored and maintained on a 24/7 basis. 

It’s designed to keep your network functioning seamlessly by utilizing a suite of cost-effective computer managed services that proactively monitor and support your network and Technology infrastructure.

See how much better your business can operate when a professional is handling your tech.

Questions about costs and services? Contact Databranch today at 716-373-4467 x 115, [email protected], or visit us here to learn more.

Read More

What is Ransomware?

Ransomware is a type of malware that encrypts data on a computer or network into an unreadable format until a sum of money, or ransom, is paid.

How does Ransomware Work?

When run, ransomware will scan the file storage disk for files to encrypt – typically documents, spreadsheets, etc. The files are encrypted with a key that only the attackers know, thus preventing your access to the files. Then, threat actors hold you files hostage, demanding a ransom to be paid for you to get your access back.

How do Hackers Sneak into an Environment?

Hackers are stealthy and can sneak in using many different approaches. Here are a few of the most popular ways that hackers gain access:

• Phishing: This is when a threat actor tricks someone into handling over their sensitive, personal information, such as a credit card or Social Security number. The victim believe they’re handing over their information to a trustworthy resource when in reality, they’re giving their information to threat actors.
• Public-Facing Vulnerabilities: Threat actors scour the internet looking for systems with known vulnerabilities. Then, they exploit them to gain access to the environment.
• Drive-By Downloads: This is when someone navigated to a malicious webpage and unknowingly downloads malicious code to their computer – all by visiting the webpage.
• Purchased Access: There’s a marketplace for everything these days, and cyberattacks are no exception. The dark web is a treasure trove of hackers for hire and deployable ransomware for download.

Ransomware Prevention

1. Keep your computer updated and patched.
2. Verify, then trust.
3. Make sure your connection to a site is secure before submitting any personal information.
4. Stay up-to-date on the latest cybersecurity education.

Ransomware Detection

Prevention is only part of the puzzle. Some attacks are virtually impossible to prevent. It all comes down to fast detection and response times, which help you combat tomorrow’s threats that may not be detectable today.

The most efficient way to detect ransomware is to leverage the tools in your security stay. 

Secure your business with a cybersecurity platform that secure your business and detects hackers. To protect our managed clients, we deploy a suite of cybersecurity tools that are backed by a 24/7 Threat Operations Center that worked to protect your assets and evict malicious actors.

Reach out to Databranch today at 716-373-4467 x115 or [email protected] to learn more.

Read More

Cloud account takeover has become a major problem for organizations. Think about how much work your company does that requires a username and password.

Employees end up having to log into many different systems or cloud apps.

Hackers use various methods to get those login credentials. The goal is to gain access to business data as a user as well as launch sophisticated attacks, and send insider phishing emails. 

How bad has the problem of account breaches become? Between 2019 and 2021, account takeover (ATO) rose by 307%.

Doesn’t Multi-Factor Authentication Stop Credential Breaches?

Many organizations and individuals use multi-factor authentication (MFA). It’s a way to stop attackers that have gained access to their usernames and passwords. MFA is very effective at protecting cloud accounts and has been for many years.

But it’s that effectiveness that has spurred workarounds by hackers. One of these nefarious ways to get around MFA is push-bombing.

How Does Push-Bombing Work?

When a user enables MFA on an account, they typically receive a code or authorization prompt of some type. The user enters their login credentials. Then the system sends an authorization request to the user to complete their login.

The MFA code or approval request will usually come through some type of “push” message. Users can receive it in a few ways:

• SMS/text
• A device popup
• An app notification

Receiving that notification is a normal part of the multi-factor authentication login. It’s something the user would be familiar with.

With push-bombing, hackers start with the user’s credentials. They may get them through phishing or from a large data breach password dump.

They take advantage of that push notification process. Hackers attempt to log in many times. This sends the legitimate user several push notifications, one after the other.

Many people question the receipt of an unexpected code that they didn’t request. But when someone is bombarded with these, it can be easy to mistakenly click to approve access.

Push-bombing is a form of social engineering attack designed to:

• Confuse the user
• Wear the user down
• Trick the user into approving the MFA request to give the hacker access

Ways to Combat Push-Bombing at Your Organization

Educate Employees

Knowledge is power. When a user experiences a push-bombing attack it can be disruptive and confusing. If employees have education beforehand, they’ll be better prepared to defend themselves.

Let employees know what push-bombing is and how it works. Provide them with training on what to do if they receive MFA notifications they didn’t request.

You should also give your staff a way to report these attacks. This enables your IT security team to alert other users. They can then also take steps to secure everyone’s login credentials.

Need help enhancing your employee training? Contact Databranch today or visit us here to learn more about our Breach Prevention Platform and Security Awareness Training with simulated phishing tests.

Reduce Business App “Sprawl”

On average, employees use 36 different cloud-based services per day. That’s a lot of logins to keep up with. The more logins someone has to use, the greater the risk of a stolen password.

Take a look at how many applications your company uses. Look for ways to reduce app “sprawl” by consolidating. Platforms like Microsoft 365 and Google Workspace offer many tools behind one login. Streamlining your cloud environment improves security and productivity.

Adopt Phishing-Resistant MFA Solutions

You can thwart push-bombing attacks altogether by moving to a different form of MFA.

Phishing-resistant MFA uses a device passkey or physical security key for authentication. 

There is no push notification to approve with this type of authentication. This solution is more complex to set up, but it’s also more secure than text or app-based MFA.

Visit our website here to learn more about passkeys along with the other 2 main forms of MFA.

Enforce Strong Password Policies

For hackers to send several push-notifications, they need to have the user’s login.

Enforcing strong password policies reduces the chance that a password will get breached.

Standard practices for strong password policies include:

• Using at least one upper and one lower-case letter
• Using a combination of letters, numbers, and symbols
• Not using personal information to create a password
• Storing passwords securely
• Not reusing passwords across several accounts

Put in Place an Advanced Identity Management Solution

Advanced identity management solutions can also help you prevent push-bombing attacks. They will typically combine all logins through a single sign-on solution. Users, then have just one login and MFA prompt to manage, rather than several.

Additionally, businesses can use identity management solutions to install contextual login policies. These enable a higher level of security by adding access enforcement flexibility.

The system could automatically block login attempts outside a desired geographic area. It could also block logins during certain times or when other contextual factors aren’t met.

Do You Need Help Improving Your Identity & Access Security?

Multi-factor authentication alone isn’t enough. Companies need several layers of protection to reduce their risk of a cloud breach.

Are you looking for some help to reinforce your cybersecurity? To learn more about how we can help take this off your IT plate, call 716-373-4467 x 115 or email [email protected].

Article used with permission from The Technology Press.

Read More

You wouldn’t think a child’s toy could lead to a breach of your personal data. But this happens all the time. What about your trash can sitting outside? Is it a treasure trove for an identity thief trolling the neighborhood at night?

Many everyday objects can lead to identity theft. They often get overlooked because people focus on their computers and cloud accounts. It’s important to have strong passwords and use antivirus on your PC. But you also need to be wary of other ways that hackers and thieves can get to your personal data.

Here are six common things that criminals can use to steal your information.

Old Smart Phones

People replace their smartphones about every two and a half years. That’s a lot of old phones laying around containing personal data.

Just think of all the information our mobile phones hold. We have synced connections with cloud services. Phones also hold banking apps, business apps, and personal health apps. These are all nicely stored on one small device.

As chip technology has advanced, smartphones have been able to hold more “stuff.” This means documents and spreadsheets can now be easily stored on them. Along with reams of photos and videos.

A cybercriminal could easily strike data theft gold by finding an old smartphone. Make sure that your company is properly cleaning any old work phones by erasing all data. You should also dispose of them properly. You shouldn’t just throw electronics away like normal garbage.

Wireless Printers

Most printers are wireless these days, this means they are part of your home or work network. Printing from another room is convenient, but the fact that your printer connects to the internet can leave your data at risk.

Printers can store sensitive documents, such as tax paperwork or contracts. Most people don’t think about printers when putting data security protections in place. This leaves them open to a hack. When this happens, a hacker can get data from the printer and they could also leverage it to breach other devices on the same network.

Protect printers by ensuring you keep their firmware updated. Always install updates as soon as possible and you should also turn it off when you don’t need it. When it’s off it’s not accessible by a hacker. 

How does your company handle patching their devices? If you don’t know, chances are it’s performed nearly enough. All Databranch Comprehensive Care and Foundation Security clients have scheduled automatic patching and Windows updates on their devices. Visit us here to learn more about how we can help take this off your IT plate.

USB Sticks

Did you ever run across a USB stick laying around? Perhaps you thought you scored a free removable storage device. Or you are a good Samaritan and want to try to return it to the rightful owner. But first, you need to see what’s on it to find them.

You should never plug a USB device of unknown origin into your computer. This is an old trick in the hacker’s book. They plant malware on these sticks and then leave them around as bait. As soon as you plug it into your device, it can infect it.

Old Hard Drives

When you are disposing of an old computer or old removable drive, make sure it’s clean. Just deleting your files isn’t enough. Computer hard drives can have other personal data stored in system and program files.

Plus, if you’re still logged into a browser, a lot of your personal data could be at risk. Browsers store passwords, credit cards, visit history, and more.

Need help disposing of your old office devices? Reach out to Databranch today for assistance, we can help clean your computer to make it safe for disposal, donation, or reuse.

Trash Can

Identity theft criminals aren’t only online. Thieves are known to sort through trash in search of documents containing personal information. Be careful what your employees throw out in the trash.

It’s not unusual for garbage to enable identity theft. It can include voided checks, old bank statements, and insurance paperwork. Any of these items could have the information thieves need to commit fraud or pose as you.

A shredder can be your best friend in this case. Your company should shred any documents that contain personal information, for yourself and your clients. Do this before you throw them out. This extra step could save you from a costly incident.

IoT Devices

Smart lightbulb, thermostats, and security cameras… all toys that hackers love. Even Mattel’s Hello Barbie was found to enable the theft of personal information and a hacker could also use its microphone to spy on families.

These futuristic gadgets make life easier and can be found in many offices. Owners might think they’re cool, but they might also forget to consider their data security. After all, it’s just a smart printer. But that often means they can be easier to hack, so cybercriminals will zero in on these IoT devices knowing they aren’t going to be as hard to breach.

You should be wary of any new internet-connected devices you bring into your office. Install all firmware updates and do your homework to see if a data breach has involved the toy. 

Schedule an IT Security Audit

Don’t let the thought of identity theft keep you up at night. Contact us today at 716-373-4467 x115 or [email protected] to schedule a chat about IT security audit. Databranch also offers Dark Web Monitoring where we scan the dark web based on your domain and find all accounts that have been involved in a breach. Request a free Dark Web scan below to get started.

Article used with permission from The Technology Press.

Read More

It’s common belief that people are the last line of defense during a cybersecurity attack. Wrong. In many instances people are in fact the first line of defense. If your employees are (1) aware and (2) properly trained, then they will be one of your single strongest assets in fighting a never-ending war against cybercrime.

Basic human behaviors such as inquisitiveness, excitement, distraction, and indecision make people extremely vulnerable to one of the most popular and effective cyber-attacks called Social Engineering. Social Engineering is a term used to describe a wide variety of techniques that are used by malicious hackers to exploit human beings and execute a successful cyber-attack. 

The most common example of a Social Engineering attack is called Phishing. This is an exercise where an email is sent with the intent of tricking the recipient and convincing them to either click on a malicious link, download a malicious attachment, or even relinquish sensitive information such as passwords, credit card numbers or bank account details.  The victim rarely knows they are being exploited until it is too late.

The results of a successful Phishing attack can be devastating. In some cases, the network is infected with malware or a virus causing loss of data and significant outages or disruptions. In other cases sensitive information or data is stolen and further exploited or resold on the dark web. There are even many documented cases of unauthorized wire transfers resulting in tremendous and unrecoverable financial losses.

So, how does an organization take a group of employees and turn them into an effective cybercrime fighting machine? I’m glad you asked. There are three simple steps that must be executed:

Step 1. Develop A Culture Of Security 

Cultures are ultimately defined and upheld from the top down. Leadership, Executive and Management teams must commit to the creation and enforcement of cybersecurity policies, procedures and processes. They must also emphatically message and communicate the importance of good cybersecurity hygiene.

Employees should understand how exactly they can be good cybersecurity stewards and more importantly why it is so critical that they are. Lastly, employees who transform into skeptical, protective and enlightened cybercrime fighting soldiers should be recognized and rewarded.

TIPS to help Develop A Culture Of Security:

• Create cybersecurity policies – these are the guidelines and rules.
• Publish cybersecurity policies – allow employees to read and digest the content.
• Assign roles and responsibilities – tell employees what they must do.
• Good governance – enforce the rules, reprimand offenders & celebrate achievers.
• Frequent Communication – talk about cybersecurity often, remind and reinforce!

Step 2.  Educate And Train

The best armies are well trained. They are not only armed, but they understand exactly how and when to use their weapon. They understand their mission, know what they are fighting for, and they have practiced and are ready for combat.

Teach your employees about common threats and dangers such as Social Engineering attacks. Show them how to use software and computers in a secure fashion. Explain correct process and procedures are. Provide them with the critical training they need to effectively fight cybercrime.

TIPS to help Educate And Train:

• Implement a security awareness training program – commit to the training.
• Be sure the content is meaningful and relevant.
• Make the training fun and engaging – tell lots of stories.
• Make the training mandatory.
• Make the training frequent – at least once a year.
• Focus on the basics – keep the content simple and easy to understand.

Contact us today to learn how we can help you start establishing cybersecurity throughout your organization.

Step 3. Test The Effectiveness

It will be difficult to know if your new cybersecurity culture is performing as you hoped unless you test the effectiveness of policies, processes, procedures and awareness training. Is the effort you’ve put into creating an army of equipped cybercrime fighting employees actually providing the protection you desire?

There are only two ways to find out. One, wait for a legit attack to occur and hope for the best – or – two, launch a simulated attack yourself. Controlled Phishing attacks, penetration tests, table top incident response exercises or even a Monday morning pop quiz can all be effective exercises to test your employees’ level of understanding and compliance.

Use the test results as an opportunity to re-engage with employees or even re-tool training efforts. Get better with practice.

TIPS to help Test The Effectiveness:

• Launch simulated Phishing attacks – see how employees actually behave.
• Spot check for policy compliance – it is after 5PM, is the Clean Desk Policy working?
• Include social attacks in the scope of penetration testing.
• Conduct table top exercises.
• Document and share results.
• Learn and get better.

Right now, your employees are probably the weakest link in your cybersecurity defense chain. Make them your strongest link. Our Breach Prevention Platform and Security Awareness Training with simulated phishing tests will give your employees the tools they need to spot a phishing attempt. Reach out today at 716-373-4467 x115 or [email protected] to speak with one of our experienced team members about getting started.

Content used with permission from Cyberstone.

Read More

Once upon a time, our most precious assets were confidently protected behind layers of security defenses. Cash was neatly stacked in a cast metal safe which was bolted to the floor of the building. Customer lists and bank records were locked in a filing cabinet and only accessible to the person who had the key. Human Resource records were protected by the shelter of the impenetrable HR office door.

Then, digital electronics revolutionized the typical business office. Instead of accessing records from a locked filing cabinet, employees now used computers to navigate a digital file system which contained an abundance of information – much of it considered to be confidential. The sensitive documents that were once tangible and secured behind a physical lock and key were now accessible in digital format and stored in the data network for end users to access.

Security controls such as passwords and file permissions were established to protect the confidential information in its new digital format. This was a time however, when computing devices were stationary and did not typically leave the confines of the physical office. Employees would report to the office for work, log onto their computer, and only then – be granted with access to confidential information. The data that companies treasured most rarely – if ever – left the building.

The same statement cannot be made today. Mobile computing devices are very popular and can be found in most corporate computing devices. Employees are no longer forced to work on a computer that is tethered to the floor beneath their office desk. Laptops and tablets have provided employees with the freedom and flexibility to work from just about anywhere. Mobile devices have also changed the corresponding security landscape too.

The Customer Lists, HR records and Bank Statements are now leaving the building.

The 2 Significant Risks Associated with Mobile Computing Devices:

People lose them and people steal them.

The most common item stolen by thieves is cash, the second is electronic devices. So, what happens when the hotel maid swipes your work laptop or tablet? Or, what if it’s accidentally left at a train station or airport?

The answer to both questions is simple: Someone now has a device that contains sensitive and confidential business information. Chances are that “Someone” is not a trusted entity at all. Many data breaches start with a stolen work device. The stolen property is then compromised, and the thief has the ability to use or sell the stolen data.

There is no doubt that mobile computing devices pose a real security challenge. We have grown accustomed to the elasticity they provide and it is unreasonable to think we will revert back to using the stationary computer we once used at our desk. Laptops and tablets are here to stay.

Human beings will continue to lose these devices and criminals will continue to steal them. Although we can fight to minimize these occurrences through effective awareness training, the reality is that we will not be able to prevent them all together. 

However, there are security controls you can put in place to help minimize your businesses risk when it comes to laptops and tablets.

Use a VPN

Free Wi-Fi may be a welcome site when you’re on the road, but it can also be dangerous. You don’t know who else is using that Wi-Fi. A hacker hanging out on the connection can easily steal your data if you’re not protected.

It’s better to use either your mobile carrier connection or a virtual private network (VPN) app. VPN plans are inexpensive and will keep your data encrypted, even if you’re on public Wi-Fi. It is highly recommended that VPNs are secured using Multi-Factor Authentication, this provides an additional layer of security against threat actors.

Visit our website here to learn more about VPNs and what factors to consider when choosing a plan.

Backup Your Data

Don’t lose all your work data with the device! Back up your devices to the cloud or local storage before you travel. This ensures that you won’t lose the valuable information on your device. 

Need help with a Data Backup and Recovery plan for your business? Contact us today or visit our website to learn more.

Restrict Privileges 

Local Admin Privileges allow employees to make adjustments to their work computers without the need for IT interference. This means that they can download programs, connect to printers, and modify software already installed on their computer.

This can be convenient, but poses a major cybersecurity risk.

If a device is stolen and the thief were to gain access to an account with local admin privileges, the damage could be endless. This is especially true for a business that is not utilizing security measures such as Multi-Factor Authentication (MFA) or Password Managers. 

Once a hacker has breached your computer they could download malware, spyware, or even ransomware. Resulting in computer files being locked, credentials being stolen, or even a virus spreading throughout your entire network.

Visit our website here to learn more about Local Admin Privileges.

Databranch Can Help

There are key digital solutions we can put in place to keep your business safer from online threats. Contact us today at at 716-373-4467 x115 or [email protected] to schedule a chat about mobile security.

Content provided curtesy of Cyberstone.

Read More

Once data began going digital, authorities realized a need to protect it. Thus, the creation of data privacy rules and regulations to address cyber threats. Many organizations have one or more data privacy policies they need to meet.

Those in the U.S. healthcare industry and their service partners need to comply with HIPAA. Anyone collecting payment card data must worry about PCI-DSS. GDPR is a wide-reaching data protection regulation that impacts anyone selling to EU citizens.

Industry and international data privacy regulations are just the tip of the iceberg. Many state and local jurisdictions also have their own data privacy laws. Organizations must be aware of these compliance requirements along with any updates to these rules.

By the end of 2024, about 75% of the population will have its data protected by one or more privacy regulations.

Authorities enact new data privacy regulations all the time. For example, in 2023, four states will have new rules. Colorado, Utah, Connecticut, and Virginia will begin enforcing new data privacy statutes.

Businesses must stay on top of their data privacy compliance requirements. Otherwise, they can suffer. Many standards carry stiff penalties for a data breach and if security was lacking, fines can be even higher.

The Health Insurance Portability and Accountability Act (HIPAA) uses a sliding scale. Violators can be fined between $100 to $50,000 per breached record. The more negligent the company is, the higher the fine.

Don’t worry, we have some tips below for you. These can help you keep up with data privacy updates coming your way.

Steps for Staying On Top of Data Privacy Compliance

1. Identify the Regulations You Need to Follow

Does your organization have a list of the different data privacy rules it falls under? There could be regulations for:

• Industry
• Where you sell (e.g., if you sell to the EU)
• Statewide
• City or county
• Federal (e.g., for government contractors)

Identify all the various data privacy regulations that you may be subject to. This helps ensure you’re not caught off guard by one you didn’t know about.

2. Stay Aware of Data Privacy Regulation Updates

Don’t get blindsided by a data privacy rule change. You can stay on top of any changes by signing up for updates on the appropriate website. Look for the official website for the compliance authority.

For example, if you are in the healthcare field you can sign up for HIPAA updates at HIPAA.gov. You should do this for each of the regulations your business falls under.

You should also have these updates sent to more than one person. Typically, your Security Officer or equal, and another responsible party. This ensures they don’t get missed if someone is on vacation.

3. Do an Annual Review of Your Data Security Standards

Companies are always evolving their technology. This doesn’t always mean a big enterprise transition. Sometimes you may add a new server or a new computer to the mix.

Any changes to your IT environment can mean falling out of compliance. A new employee mobile device added, but not properly protected is a problem. One new cloud tool an employee decides to use can also cause a compliance issue.

It’s important to do at least an annual review of your data security. Match that with your data privacy compliance requirements to make sure you’re still good.

4. Audit Your Security Policies and Procedures

Something else you should audit at least annually is your policies and procedures. These written documents that tell employees what’s expected from them. They also give direction when it comes to data privacy and how to handle a breach.

Audit your security policies annually. Additionally, audit them whenever there is a data privacy regulation update. You want to ensure that you’re encompassing any new changes to your requirements.

5. Update Your Technical, Physical & Administrative Safeguards As Needed

When you receive a notification that a data privacy update is coming, plan ahead. It’s best to comply before the rule kicks in, if possible.

Look at three areas of your IT security:

• Technical safeguards – Systems, devices, software, etc.
• Administrative safeguards – Policies, manuals, training, etc.
• Physical safeguards – Doors, keypads, building security, etc.

6. Keep Employees Trained on Compliance and Data Privacy Policies

Employees should be aware of any changes to data privacy policies that impact them. When you receive news about an upcoming update, add this to your ongoing training.

Good cybersecurity practice is to conduct ongoing cybersecurity training for staff. This keeps their anti-breach skills sharp and reminds them of what’s expected.

Include updates they need to know about so they can be properly prepared.

Remember to always log your training activities. It’s a good idea to log the date, the employees educated, and the topic. This way, you have this documentation if you do suffer a breach at some point.

Visit our website here to learn more about our Breach Prevention Platform and Security Awareness Training which includes simulated phishing tests and weekly micro-trainings!

Get Help Ensuring Your Systems Meet Compliance Needs

Setting up well-designed IT compliance may be a long process, but it can make a world of difference in terms of business security. It keeps your business reputation intact and allows you to avoid penalties and fines. 

However, you’ll need to pay special attention to several aspects and one of the most significant ones is your IT provider. 

If your IT isn’t living up to its potential, you’re bound to face compliance issues. This can cause tremendous stress and halt your operations. 

Luckily, there might be an easy way out of your predicament. Contact us today at 716-373-4467 x115 or [email protected] to schedule a quick chat with Databranch to discuss your IT problems and find out how to get more out of your provider.

Article used with permission from The Technology Press.

Read More