Heads Up Financial Institutions!

The Federal Trade Commission (FTC) announced the first cybersecurity updates to the Gramm Leach-Bliley Act (GLBA) Safeguards Rule since 2003. The new rule strengthens the required security safeguards for customer information. This includes formal risk assessments, access controls, regular penetration testing and vulnerability scanning, and incident response capabilities, among other things.

Most of these changes go into effect in December 2022, to provide organizations time to prepare for compliance. Below, details the changes in comparison to the previous rule.

Background on the Safeguards Rule

GLBA requires, among other things, a wide range of “financial institutions” to protect customer information. Enforcement for GLBA is split up among several different federal agencies, with FTC jurisdiction covering non-banking financial institutions in the Safeguards Rule. Previously, the Safeguards Rule left the implementation details of several aspects of the information security program up to the financial institution, based on its risk assessment.

The Safeguards Rule broad definition of “financial institutions” includes non-bank businesses that offer financial products or services — such as retailers, automobile dealers, mortgage brokers, non-bank lenders, property appraisers, tax preparers, and others. The definition of “customer information” is also broad, to include any record containing non-public personally identifiable information about a customer that is handled or maintained by or on behalf of a financial institution.

Updates to the Safeguards Rule

Many of the other updates’ concern strengthened requirements on how financial institutions must implement aspects of their security programs. Below is a short summary of the changes.

Overall Security Program

Current rule: Financial institutions must maintain a comprehensive, written information security program with administrative, technical, and physical safeguards to ensure the security, confidentiality, and integrity of customer information.

Updated rule: The updated rule now requires the information security program to include the processes and safeguards listed below (i.e., risk assessment, security safeguards, etc.).

Effective date: December 2022

Risk Assessment

Current rule: Financial institutions are required to identify internal and external risks to security, confidentiality, and integrity of customer information. The risk assessment must include employee training, risks to information systems, and detecting and responding to security incidents and events.

Updated rule: The update includes more specific criteria for what the risk assessment must include. This includes criteria for evaluating and categorizing of security risks and threats, and criteria for assessing the adequacy of security safeguards. The risk assessment must describe how identified risks will be mitigated or accepted. The risk assessment must be in writing.

Effective date: December 2022

Security Safeguards

Current rule: Financial institutions must implement safeguards to control the risks identified through the risk assessment. Financial institutions must require service providers to maintain safeguards to protect customer information.

Updated rule: The updated rule requires that the safeguards must include

• Access controls, including providing the least privilege;
• Inventory and classification of data, devices, and systems;
• Encryption of customer information at rest and in transit over internal networks;
• Secure development practices for in-house software and applications;
•  Multi-factor authentication;
• Secure data disposal;
•  Change management procedures; and 
• Monitoring activity of unauthorized users and detecting unauthorized access or use of customer information.

Effective date: December 2022

Testing and Evaluation

Current rule: Financial institutions must regularly test or monitor the effectiveness of the security  safeguards and make adjustments based on the testing.

Updated rule: Regular testing of safeguards must now include either continuous monitoring or periodic penetration testing (annually) and vulnerability assessments (semi-annually).

Effective date: December 2022

Incident Response

Current rule: Financial institutions must include cybersecurity incident detection and response in their risk assessments and have safeguards to address those risks.

Updated rule: Financial institutions are required to establish a written plan for responding to any security event materially affecting confidentiality, integrity, or availability of customer information.

Effective date: December 2022

Workforce and Personnel

Current rule: Financial institutions must designate an employee to coordinate the information security program. Financial institutions must select service providers that can maintain security and require service providers to implement the safeguards.

Updated rule: The rule now requires designation of a single “qualified individual” to be responsible for the security program. This can be a third-party contractor. Financial institutions must now provide security awareness training and updates to personnel. The rule now also requires periodic reports to a Board of Directors or governing body regarding all material matters related to the information security program.

Effective date: December 2022

Scope of Coverage

Updated rule: The FTC update expands on the definition of “financial institution” to require “finders” — companies that bring together buyers and sellers — to follow the Safeguards Rule. However, financial institutions that maintain customer information on fewer than 5,000 consumers are exempt from the requirements of a written risk assessment, continuous monitoring or periodic pen testing and/or vulnerability scans, incident response plan, and annual reporting to the Board.

Effective date: November 2021 (unlike many of the other updates, this item was not delayed for a year)

Incident Reporting

In addition to the above, the FTC is also considering requirements that financial institutions report cybersecurity incidents and events to the FTC. Similar requirements are in place under the Cybersecurity Regulation at the New York Department of Financial Services. If the FTC moves forward with these incident reporting requirements, financial institutions could expect the requirements to be implemented in early 2023.

Financial institutions with robust security programs will already be performing many of these practices. For them, the updated Safeguards Rule will not represent a sea change in internal security operations. However, by making these security practices a formal regulatory requirement, the updated Safeguards will make accountability and compliance even more important.

Interested in speaking with an experienced team member about the material covered in this article? Contact us today at 716-373-4467 x 115 or [email protected] to schedule your appointment.

Read More

Annual MSP 501 Identifies Industry’s Best-in-Class Businesses

Databranch has been named as one of the world’s premier managed service providers in the prestigious 2022 Channel Futures MSP 501 rankings.

We have been selected as one of the technology industry’s top-performing providers of managed services by the editors of Channel Futures. For the past 16 years, managed service providers (MSPs) from around the globe have submitted applications to be included on this prestigious and definitive listing. The Channel Futures MSP 501 survey examines organizational performance based on annual sales, recurring revenue, profit margins, revenue mix, growth opportunities, innovation, technology solutions supported, and company and customer demographics.

MSPs that qualify for the list must pass a rigorous review conducted by the research team and editors of Channel Futures. It ranks applicants using a unique methodology that weighs financial performance according to long-term health and viability, commitment to recurring revenue and operational efficiency.

Channel Futures is pleased to name Databranch to the 2022 MSP 501

This year’s list once again attracted a record number of applicants, making it one of the most competitive in the survey’s history. Winners are being recognized on the Channel Futures website and were honored at a special ceremony at the Channel Futures MSP Summit + Channel Partners Leadership Summit, Sept. 13-16, in Orlando, Florida.

Since its inception, the MSP 501 has evolved from a competitive ranking into a vibrant group of innovators focused on high levels of customer satisfaction at small, medium and large organizations in public and private sectors. Today, many of their services and technology offerings focus on growing customer needs in the areas of cloud, security, collaboration and support of hybrid work forces.

“The 2022 Channel Futures MSP 501 winners are the highest-performing and most innovative IT providers in the industry today,” said Allison Francis, senior news editor for Channel Futures. “The 501 has truly evolved with the MSP market, as showcased by this year’s crop of winners. This is also the fifth consecutive year of application pool growth, making this year’s list one of the best on record.”

“We extend our heartfelt congratulations to the 2022 winners, and gratitude to the thousands of MSPs that have contributed to the continuing growth and success of the managed services sector,” said Kelly Danziger, general manager of Informa Tech Channels. “These providers are most certainly driving a new wave of innovation in the industry and are demonstrating a commitment to moving the MSP and entire channel forward.”

The complete 2022 MSP 501 list is available on Channel Futures’ website.

Background

The 2022 MSP 501 list is based on confidential data collected and analyzed by the Channel Futures editorial and research teams. Data was collected online from Feb. 1-April 30, 2022. The MSP 501 list recognizes top managed service providers based on metrics including recurring revenue, profit margin and other factors.

About Channel Futures

Channel Futures is a media and events platform serving companies in the information and communication technologies (ICT) channel industry with insights, industry analysis, peer engagement, business information and in-person events. We provide information, perspective, and connection for the entire channel ecosystem. This community includes technology and communications consultants, integrators, sellers, MSPs, agents, vendors and providers.

Our properties include the Channel Futures MSP 501, a list of the most influential and fastest-growing providers of managed services in the technology industry; Channel Partners events, which delivers unparalleled in-person events including Channel Partners Conference & Expo, the MSP 501 Summit and Channel Partners Europe; and Allies of the Channel Council (ACC) and DEI Community Group, our initiatives to educate, support and promote diversity, equity and inclusion (DE&I) in the ICT channel industry. Channel Futures is where the world meets the channel; we are leading Channel Partners forward. More information is available at channelfutures.com.

Channel Futures is part of Informa Tech, a market-leading B2B information provider with depth and specialization in ICT sector. Every year, we welcome 14,000+ subscribers to our research, more than 4 million unique monthly visitors to our digital communities, 18,200+ students to our training programs and 225,000 delegates to our events.

Interested in learning more about our Managed Services? Contact us today at 716-373-4467 x 115, [email protected] or click here to talk to one of our experience team members.

Read More

Benjamin Franklin once said, “An ounce of prevention is worth a pound of cure.” This age old advice is easily applied to the digital world we live in today. Computers, applications and networks are under constant attack by hackers who are extremely motivated by big financial gains.

An effective patch and vulnerability management program has the ability to stop most hackers dead in their tracks. It greatly reduces the risk associated with the exploitation of a neglected or un-patched computer system.

Year after year, we learn that the vast majority of successful cyber-attacks have exploited unpatched computers and / or unpatched applications. What is even more interesting is that most of the patches for these compromised systems had been available to install for months, if not years prior to the cyber-attack.

There is no doubt that the combination of routine vulnerability scanning and the timely installation of system patches will make it much more difficult for a hacker to compromise your computer systems and information.

Here are 7 steps to help you build an effective patch and vulnerability management program:

Inventory Systems and Applications

Before we attempt to patch computers, operating systems and applications, we first must know of their existence. It is important to maintain an inventory of all computing assets. If possible, use inventory software to assist with the task but at the least, make sure the inventory is completed using manual means.

Monitor for Vulnerabilities

Vendors will release patches at regular intervals as new vulnerabilities are discovered. You must know when new patches are available to install otherwise, you risk not installing patches in a timely manner – or installing them at all. Good mechanisms to use for monitoring vulnerabilities include a combination of:

1. Checking the vendor website and subscribing to mailing list
2. Regular vulnerability scanning
3. Checking vulnerability databases, such as the National Vulnerability Database
4. Relying on an enterprise patch management tool.

Click here to learn more about our Security Assessment and to request your Free Baseline Security Assessment.

Selecting Patches to Apply

Deciding which patches are ultimately installed is typically based on the criticality of the patch, importance of the system being patched, the resources required to install the patch and assurance of post install system functionality. It is good practice to at a minimum, install all “Critical” and “Security” patches.

Testing

Prior to installing patches, it is important to install patches in a test or non-production computing environment. This will assure that the installation of the patch will not cause any adverse outages or system disruption when it is ultimately installed in a production computer environment.

Verify Backup

Despite the testing efforts completed in the previous section, it is still conceivable that the installation of a patch will create unanticipated issues or outages. For this reason, it is important that you verify the system or application being patched has recent data backup that can easily be restored if needed.

Automate Patching

The National Institute of Standards and Technology (NIST) recommends that patch installation should be automated using enterprise patch management tools or alternative options. Manually installing patches is expensive and inconsistent. Where possible, be sure that systems are automatically updated according to your patch management program parameters.

Verify Installation

The installation of a patch should always be confirmed by either re-scanning the system with a vulnerability scanner and / or reviewing log files.

Patching Equals Prevention 

All Databranch Comprehensive Care and Foundation Security clients have scheduled automatic patching and Windows updates on their devices. To learn more about how we can help take this off your IT plate, call 716-373-4467 x 15, email [email protected] or visit us here to learn more.

Article curtesy of CyberStone.

Read More

Few things invoke instant panic like a missing smartphone or laptop. These devices hold a good part of our lives. This includes files, personal financials, apps, passwords, pictures, videos, and so much more.

Electronics now hold just as much personal information and banking information as your wallet does, probably more. This makes a lost or stolen device a cause for alarm.

It’s often not the device that is the biggest concern. It’s the data on the device and the ability of the device holder to access cloud accounts and websites. The thought of that being in the hands of a criminal is quite scary.

There are approximately 70 million lost smartphones every year. The owners only recover about 7% of them. Workplace theft is all too common. The office is where 52% of stolen devices go missing.

If it’s a work laptop or smartphone that goes missing, even worse. This can mean the company is subject to a data privacy violation. It could also suffer a ransomware attack originating from that stolen device.

In 2020, Lifespan Health System paid a $1,040,000 HIPAA fine. This was due to an unencrypted stolen laptop breach.

The Minutes After the Loss of Your Device Are Critical

The things you do in the minutes after missing a device are critical. This is the case whether it’s a personal or business device. The faster you act, the less chance there is for exposure of sensitive data.

What Types of Information Does Your Device Hold?

When a criminal gets their hands on a smartphone, tablet, or laptop, they have access to a treasure trove. This includes:

• Documents
• Photos & videos
• Access to any logged-in app accounts on the device
• Passwords stored in a browser
• Cloud storage access through a syncing account
• Emails
• Text messages
• Multi-factor authentication prompts that come via SMS
• And more

Steps to Take Immediately After Missing Your Device

As we mentioned, time is of the essence when it comes to a lost mobile device. The faster you act, the more risk you mitigate for a breach of personal or business information.

Here are steps you should take immediately after the device is missing.

Activate a “Lock My Device” Feature

Most mobile devices and laptops will include a “lock my device” feature. It allows for remote activation if you have enabled it. You will also need to enable “location services.” While good thieves may be able to crack a passcode, turning that on immediately can slow them down.

What about “find my device?”

There is usually also a “find my device” feature available in the same setting area. Only use this to try to locate your device if you feel it’s misplaced, but not stolen. You don’t want to end up face to face with criminals!

Report the Device Missing to Your Company If It’s Used for Work

If you use the device for business, notify your company immediately. Even if all you do is get work email on a personal smartphone, it still counts. Many companies use an endpoint device manager. In this case, access to the company network can be immediately revoked.

Reporting your device missing immediately can allow your company to act fast. This can often mitigate the risk of a data breach.

Log Out & Revoke Access to SaaS Tools

Most mobile devices have persistent logins to SaaS tools. SaaS stands for Software as a Service. These are accounts like Microsoft 365, Trello, Salesforce, etc.

Use another device to log into your account through a web application. Then go to the authorized device area of your account settings. Locate the device that’s missing, and log it out of the service. Then, revoke access, if this is an option.

This disconnects the device from your account so the thief can’t gain access.

Log Out & Revoke Access to Cloud Storage

It’s very important to include cloud storage applications when you revoke access. Is your missing device syncing with a cloud storage platform? If so, the criminal can exploit that connection.

They could upload a malware file that infects the entire storage system. They could also reset your device to resell it, and in the process delete files from cloud storage.

Active a “Wipe My Device” Feature

Hopefully, you are backing up all your devices. This ensures you have a copy of all your files in the case of a lost device.

Does it look like the device is not simply misplaced, but rather stolen or lost for good? If so, then you should use a remote “wipe my device” feature if it has been set up. This will wipe the hard drive of data.

How We Can Help

No matter what size company you have, mobile device management is vital. Get in touch with us today at 716-373-4467 x 15 or [email protected] to arrange a quick chat to learn more about your options and how we can help you identify and address any potential security risks.

Article used with permission from The Technology Press.

Read More

Phishing. It seems you can’t read an article on cybersecurity without it coming up. That’s because phishing is still the number one delivery vehicle for cyberattacks.

A cybercriminal may want to steal employee login credentials, launch a ransomware attack, or possibly plant spyware to steal sensitive info. For a hacker, sending a phishing email can accomplish all of this.

80% of surveyed security professionals say that phishing campaigns have significantly increased post-pandemic.

Phishing not only continues to work, but it’s also increasing in volume due to the increase in remote workers. Many employees are now working from home and don’t have the same network protections they had when working at the office.

Why has phishing continued to work so well after all these years? Aren’t people finally learning what phishing looks like?

It’s true that people are generally more aware of phishing emails and have gotten better at stopping them. However, it’s also true that these emails are becoming harder to recognize as scammers evolve their tactics.

One of the newest tactics is particularly hard to detect, the reply-chain phishing attack. 

What is a Reply-Chain Phishing Attack?

Just about everyone is familiar with reply chains in email. An email is sent to one or more people, one replies, and that reply sits at the bottom of the new message. Then another person chimes in on the conversation, replying to the same email.

Soon, you have a chain of email replies on a particular topic. It lists each reply one under the other so everyone can follow the conversation.

You don’t expect a phishing email tucked inside that ongoing email conversation. Most people are expecting phishing to come in as a new message, not a message included in an ongoing reply chain.

The reply-chain phishing attack is particularly insidious because it does exactly that. It inserts a convincing phishing email in the ongoing thread of an email reply chain. 

How Does a Hacker Gain Access to the Reply Chain?

How does a hacker gain access to the reply chain conversation? By hacking the email account of one of those people copied on the email chain.

The hacker can email from an email address that the other recipients recognize and trust. They also gain the benefit of reading down through the chain of replies. This enables them to craft a response that looks like it fits.

For example, they may see that everyone has been weighing in on a new product idea. So, they send a reply that says, “I’ve drafted up some thoughts on the new product, here’s a link to see them.”

The link will go to a malicious phishing site. The site might infect a visitor’s system with malware or present a form to steal more login credentials.

The reply won’t seem like a phishing email at all. It will be convincing because:

• It comes from an email address of a colleague. This address has already been participating in the email conversation.
• It may sound natural and reference items in the discussion.
• It may use personalization. The email can call others by the names the hacker has seen in the reply chain.

Business Email Compromise is Increasing

Business email compromise (BEC) is so common that it now has its own acronym. Weak and unsecured passwords lead to email breaches. So do data breaches that reveal databases full of user logins. Both are contributors to how common BEC is becoming.

In 2021, 77% of organizations saw business email compromise attacks. This is up 65% compared to the year before.

Credential theft has become the main cause of data breaches globally. 

The reply-chain phishing attack is one of the ways that hackers turn that BEC into money. They either use it to plant ransomware or other malware or to steal sensitive data to sell on the Dark Web.

Tips for Addressing Reply-Chain Phishing

Here are some ways that you can lessen the risk of reply-chain phishing in your organization:

• Use a Business Password Manager: This reduces the risk that employees will reuse passwords across many apps. It also keeps them from using weak passwords since they won’t need to remember them anymore. Click here to learn more about our password manager solution, LastPass.
• Put Multi-Factor Controls on Email Accounts: Present a system challenge (question or required code). Using this for email logins from a strange IP address can stop account compromise. You can learn more about MFA here.
• Teach Employees to be Aware: Awareness is a big part of catching anything that might be slightly “off” in an email reply.  Many attackers do make mistakes. Our Security Awareness Training will give your employees the tools they need to identify threats. Click here to learn more.

How Strong Are Your Email Account Protections?

Do you have enough protection in place on your business email accounts to prevent a breach? Let us know if you’d like some help!

Databranch has a foundation security suite with systems in place to identify any anomalies before cyber criminals have a chance to do significant damage to your network. Contact us at 716-373-4467 x 15, [email protected], or request more information below. 

Article used with permission from The Technology Press.

Read More

One constant about technology is that it changes rapidly. Tools that were once staples, like Internet Explorer and Adobe Flash, age out and get replaced by new tools. Continuing to use discontinued technology can leave computers and networks vulnerable to attacks.

While older technology may still run fine on your systems that doesn’t mean that it’s okay to use. One of the biggest dangers of using outdated technology is that it can lead to a data breach.

Outdated software and hardware no longer receive vital security updates. Updates often patch newly found and exploited system vulnerabilities. No security patches means a device is a sitting duck for a cybersecurity breach.

Approximately 1 in 3 data breaches are due to unpatched system vulnerabilities.

Important reasons to keep your technology updated to a supported version are:

• Reduce the risk of a data breach or malware infection
• Meet data privacy compliance requirements
• To keep a good reputation and foster customer trust
• To be competitive in your market
• To mitigate hardware and software compatibility issues
• To enable employee productivity

Older systems are clunky and get in the way of employee productivity. The efficiency of your employee is only as good as the technology they are working on. Slower machines mean a decrease in progress which can negatively impact your business over time. 

Dig you know that 49% of surveyed workers say they would consider leaving their jobs due to poor technology?

Following is a list of outdated technology tools that you should replace as soon as possible. Are any of these still in use within your business?

Get Rid of This Tech Now If You’re Still Using It

1) Internet Explorer

Internet Explorer (IE) used to be the number one browser in the world. But, over time, Google Chrome and other browsers shadowed it out. Including its replacement, Microsoft Edge.

Microsoft began phasing out IE with the introduction of Microsoft Edge in 2015. In recent years, fewer applications have been supporting use in IE. The browser loses all support beginning on June 15, 2022.

2) Adobe Flash

Millions of websites used Adobe Flash in the early 2000s. But other tools can now do the animations and other neat things Flash could do. This made the tool obsolete, and Adobe ended it.

The Adobe Flash Player lost all support, including security updates, as of January 1, 2021. Do you still have this lingering on any of your computers? If so, you should uninstall the browser plugin and any Flash software. 

3) Windows 7 and Earlier

Windows 7 was a very popular operating system, but it’s now gone the way of the dinosaur. Replacements, Windows 10 and Windows 11 are now in widespread use. The Windows 7 OS lost support on January 14, 2020.

While it may still technically run, it’s very vulnerable to hacks. Microsoft Windows OS is also a high-value target for hackers. So, you can be sure they are out there looking for systems still running this obsolete version of Windows.

4) macOS 10.14 Mojave and Earlier

Because of the cost of iMacs and MacBooks, people tend to hang onto them as long as possible. Once these devices get to a certain point, updates no longer work. This leaves the hardware stuck on an older and non-supported macOS version.

If you are running macOS 10.14 Mojave or earlier, then your OS is no longer supported by Apple and you should consider an upgrade.

5) Oracle 18c Database

If your business uses Oracle databases, then you may want to check your current version. If you are running the Oracle 18C Database, then you are vulnerable. Breaches can easily happen due to unpatched system vulnerabilities.

The Oracle 18C Database lost all support in June of 2021. If you have upgraded, then you’ll want to keep an eye out for another upcoming end-of-support date. Both Oracle 19C and 21C will lose premiere support in April of 2024.

6) Microsoft SQL Server 2014

Another popular database tool is Microsoft’s SQL. If you are using SQL Server 2014, then mainstream support has already ended. Plus, in July of 2024 all support, including security updates will stop.

This gives you a little more time to upgrade before you’re in danger of not getting security patches. However, it is better to upgrade sooner rather than later. This leaves plenty of time for testing and verification of the upgrade.

Get Help Upgrading Your Technology & Reducing Risk

Upgrades can be scary, especially if everything has been running great. You may be afraid that a migration or upgrade will cause issues. We can help you upgrade your technology smoothly and do thorough testing afterward. You can also contact Databranch today at 716-373-4467, [email protected] , or fill in the form below  to set up a vulnerability assessment.

Article used with permission from The Technology Press.

Read More

Many small businesses make the mistake of skipping policies. They feel that things don’t need to be so formal. They’ll just tell staff what’s expected when it comes up and think that’s good enough.

However, this way of thinking can cause issues for small and mid-sized business owners. Employees aren’t mind readers and things that you think are obvious, might not be to them.

Not having policies can also leave you in poor legal standing should a problem occur. Such as a lawsuit due to misuse of a company device or email account.

Did you know that 77% of employees access their social media accounts while at work? Further, 19% of them average 1 full working hour a day spent on social media. In some cases, employees are ignoring a company policy. But in others, there is no specific policy for them to follow.

IT policies are an important part of your IT security and technology management. So, no matter what size your business is, you should have them. We’ll get you started with some of the most important IT policies your company should have in place.

Do You Have These IT Policies? (If Not, You Should)

Password Security Policy

About 77% of all cloud data breaches originate from compromised passwords. Compromised credentials are also now the number one cause of data breaches globally.

A password security policy will lay out for your team how to handle their login passwords. It should include things like:

• How long passwords should be
• How to construct passwords (e.g., using at least one number and symbol)
• Where and how to store passwords
• The use of multi-factor authentication (if it’s required)
• How often to change passwords

Click here to learn more about how Databranch can help you setup a password manager.

Acceptable Use Policy (AUP)

The Acceptable Use Policy is an overarching policy.  It includes how to properly use technology and data in your organization. This policy will govern things like device security. For example, you may need employees to keep devices updated. If this is the case, you should include that in this policy.

Another thing to include in your AUP would be where it is acceptable to use company devices. You may also restrict remote employees from sharing work devices with family members.

Data is another area of the AUP. It should dictate how to store and handle data. The policy might require an encrypted environment for security.

Cloud & App Use Policy

The use of unauthorized cloud applications by employees has become a big problem. It’s estimated that the use of this “shadow IT” ranges from 30% to 60% of a company’s cloud use. 

Often, employees use cloud apps on their own because they don’t know any better. They don’t realize that using unapproved cloud tools for company data is a major security risk.

A cloud and app use policy will tell employees what cloud and mobile apps are okay to use for business data. It should restrict the use of unapproved applications. It should also provide a way to suggest apps that would enhance productivity.

Bring Your Own Device (BYOD) Policy

Approximately 83% of companies use a BYOD approach for employee mobile use. Allowing employees to use their own smartphones for work saves companies money. It can also be more convenient for employees because they don’t need to carry around a second device.

But if you don’t have a policy that dictates the use of BYOD, there can be security and other issues. Employee devices may be vulnerable to attack if the operating system isn’t updated. There can also be confusion about compensation for the use of personal devices at work.

The BYOD policy clarifies the use of employee devices for business. Including the required security of those devices. It may also note the required installation of an endpoint management app. It should also cover compensation for business use of personal devices.

Wi-Fi Use Policy

Public Wi-Fi is an issue when it comes to cybersecurity. 61% of surveyed companies say employees connect to public Wi-Fi from company-owned devices.

Many employees won’t think twice about logging in to a company app or email account. Even when on a public internet connection. This could expose those credentials and lead to a breach of your company network.

Your Wi-Fi use policy will explain how employees are to ensure they have safe connections. It may dictate the use of a company VPN. Your policy may also restrict the activities employees can do when on public Wi-Fi. Such as not entering passwords or payment card details into a form. 

Click here to read more about choosing the right VPN for your company.

Social Media Use Policy

With social media use at work so common, it’s important to address it. Otherwise, endless scrolling and posting could steal hours of productivity every week.

Include details in your social media policy, such as:

• Restricting when employees can access personal social media
• Restricting what employees can post about the company
• Noting “safe selfie zones” or facility areas that are not okay for public images

Get Help Improving Your IT Policy Documentation & Security

We can help your organization address IT policy deficiencies and security issues. Contact Databranch today at 716-373-4467 x 15 , [email protected], or fill in the field below if you would like to schedule a consultation to get started. 

Article used with permission from The Technology Press.

Read More

How many text messages from companies do you receive today as compared to about two years ago? If you’re like many people, it’s quite a few more.

This is because retailers have begun bypassing bloated email inboxes. They are urging consumers to sign up for SMS alerts for shipment tracking and sale notices. The medical industry has also joined the trend. Pharmacies send automated refill notices and doctor’s offices send SMS appointment reminders.

These kinds of texts can be convenient. But retail stores and medical practices aren’t the only ones grabbing your attention by text. Cybercriminal groups are also using text messaging to send out phishing.

Phishing by SMS is “smishing,” and it’s becoming a major problem.

Case in point, in 2020, smishing rose by 328%, and during the first six months of 2021, it skyrocketed nearly 700% more. Phishing via SMS has become a big risk area. Especially as companies adjust data security to a more remote and mobile workforce.ng 

How Can I Text Myself?

If you haven’t yet received a text message only to find your own phone number as the sender, then you likely will soon. This smishing scam is fast making the rounds and results in a lot of confusion. Confusion is good for scammers. It often causes people to click a malicious link in a message to find out more details.

Cybercriminals can make it look like a text message they sent you is coming from your number. They use VoIP connections and clever spoofing software.

If you ever see this, it’s a big giveaway that this is an SMS phishing scam. You should not interact with the message in any way and delete it instead. Some carriers will also offer the option to delete and report a scam SMS.

Popular Smishing Scams to Watch Out For

Smishing is very dangerous right now because many people are not aware of it. There’s a false sense of security. People think only those they have given it to will have their phone number.

But this isn’t the case. Mobile numbers are available through both legitimate and illegitimate methods. Advertisers can buy lists of them online. Data breaches that expose customer information are up for grabs on the Dark Web. This includes mobile numbers.

Less than 35% of the population knows what smishing is.

It’s important to understand that phishing email scams are morphing. They’ve evolved into SMS scams that may look different and be harder to detect.

For example, you can’t check the email address to see if it’s legitimate. Most people won’t know the legitimate number that Amazon shipping updates come from.

Text messages also commonly use those shortened URLs. These mask the true URL, and it’s not as easy to hover over it to see it on a phone as it is on a computer.

You need to be aware of what’s out there. Here are some of the popular phishing scams that you may see in your own text messages soon.

1. Problem with a Delivery

Who doesn’t love getting packages? This smishing scam leverages that fact and purports to be from a known shipper like USPS or FedEx. It states that there is a package held up for delivery to you because it needs more details.

The link can take users to a form that captures personal information used for identity theft. One tactic using this scam is to ask for a small monetary sum to release a package. Scammers created the site to get your credit card number.

2. Fake Appointment Scheduling

This scam happened to a community in South Carolina. They had recently had an installation of AT&T fiber internet lines in their neighborhood. Following the installation, AT&T did a customer drive to sign people up for the service.

During this time, one homeowner reported that he received a text message. It pretended to be from AT&T about scheduling his fiber internet installation. He thought it was suspicious because the address they gave was wrong. The scammer had wanted him to text back personal details.

3. Get Your Free Gift

Another recent smishing scam is a text message that doesn’t say who it’s from. It says, “Thank you for your recent payment. Here is a free gift for you.” It includes a link at the bottom of the message.

This is a widespread scam that many have noted online and it’s an example of a scammer using a common fact. The fact that most people would’ve paid some type of bill recently and mistake the text to be from a company they know. It also lures people in with the promise of giving them a free gift.

Is Your Team Trained in Cybersecurity Safety?

Company cellphones are no exception when it comes to receiving smishing attacks. Keeping your employees current with cybersecurity training will improve cyber hygiene across multiple platforms. Contact Databranch today at 716-373-4467 x 15 or [email protected] if you would like to learn more about our Breach Prevention Platform and Security Awareness Training with simulated phishing tests.

Article used with permission from The Technology Press.

Read More

On average, a business is infected with ransomware every forty seconds. That is shorter than the approximately time it will take to read this article.

Ransomware is a nasty form of malware that viciously and unapologetically infects your computers and servers. It can spread like wildfire across your network environment in a matter of seconds, leaving your data and files encrypted, inaccessible and held hostage until you pay the attacker a ransom of their choosing.

How can information be held hostage? By encrypting it. The ransomware will encrypt hard drives and files until a ransom is paid in exchange for the decryption key.

The ransom is arbitrary and defined by the hacker. The payment method is always a type of digital currency, such as Bitcoin, which allows the hacker to remain anonymous.

Obtaining the digital currency to pay the ransom is not as easy as one would think. The buyer must have a digital wallet, must trust an untrustworthy transaction (there are no actual banks involved) and is subject to a very dynamic and unpredictable digital currency market. Ransom fees range from a few thousand dollars to a few hundred thousand dollars.

Lastly, paying the ransom does not guarantee the hacker will actually provide the decryption key. Remember this is a transaction with a criminal. In fact, the FBI officially recommends that ransoms are not paid to hackers for a number of reasons:

• One, you may pay for a decryption key and never get one in return.
• Two, if provided with a decryption key, it may or may not work.
• Three, once a hacker knows that you are willing to pay a ransom, they will likely re-infect your computer / network again and again until the technical vulnerabilities are actually remediated. Paying ransoms will encourage more attacks and prioritizes you as a great target.

Unfortunately, the ransom itself is not the only expense associated with the attack. Many ransomware attacks lead to downtime and some even lead to total loss of data and / or hardware. The real expense is associated with the outage caused by the ransomware and the effort to eradicate the malicious code and then recover system functionality. Click here to calculate the cost of downtime and recovery for your business.

To make matters more challenging, the vast majority of ransomware attacks are executed by highly sophisticated criminal organizations with the intent of financial gain. The attackers are smart and motivated. They are not launching ransomware attacks just for fun, it is big business and business is booming. Year after year we see more variations of ransomware created, more infections occur and more ransoms get paid.

The threat and impact of ransomware infection is real and there are essentially two things one can do to address it. The first is put effective cyber-security controls in place to prevent the infection. The second is to have recovery methods in place if an infection is detected..

Steps to Address the Threat of Ransomware

Prevention

1. Awareness Training – The vast majority of ransomware infections are the result of phishing scams. An unsuspecting user clicks on a link or opens an attachment and unknowingly downloads the malicious code. Security awareness training can teach people how to use technology in a secure fashion, thus preventing a huge source of malware and ransomware outbreaks. Contact Databranch today to learn more about our Breach Prevention Platform and Security Awareness Training with simulated phishing tests.

2. Vulnerability and Patch Management – Unpatched computers and systems are often the cause of ransomware infections. Routine vulnerability scanning should be used to detect Common Vulnerabilities and Exposures (CVE). Scan results will identify systems and computers that need operating systems and applications updated with current patches. Neglected systems are incredibly easy to compromise. Vulnerability Scanning and System Patching should occur on a regular basis because new vulnerabilities are discovered daily and software patches are released weekly, if not immediately by vendors to fix security flaws. It is important to implement a formal vulnerability and patch management program to keep systems current and secure. Databranch offers a free baseline security assessment here.

3. Anti-Virus / Anti-Malware – Anti-virus / Anti-malware software provides critical protection against all types of malware, including ransomware. Not all ransomware will be detected by Anti-virus software, but most of it will be detected and either quarantine or removed before it has a chance to do any material damage. It is imperative to install Anti-virus software on all computers and servers. It is equally important to keep the Anti-virus software current. The latest version of the software should always be in production.

4. Email & Web Content Filtering – Many email and web filtering content technologies have the ability to scan inbound transmissions to detect malicious code. Consequently, ransomware can be detected and quarantined before the end user accidently clicks on a link, downloads a document or runs and executable containing malware.

5. Secure Remote Access Technologies – Secure remote access technologies such as a Virtual Private Network (VPN) should be used to access an internal, or private, network from an external, or public, location. There are many insecure remote access technologies such as Remote Desktop Protocol (RDP) that are effortlessly compromised, allowing ransomware attacks to succeed.

Recovery

1. Incident Response Plan – An incident response plan provide an organized approach to detect, eradicate and recover from cyber security incidents, including a ransomware outbreak. The plan offers structure and reassurance during the most chaotic and stressful situations. Creating an incident response plan is a fundamental component of being prepared to recover from a ransomware infection.

2. Network Segmentation – Computer networks that are logically or physically segregated from each other are very useful in containing a ransomware outbreak. Assuming that computers reside on one logical network and all servers reside on a different network; if a PC is infected with ransomware it will not spread to infect servers and vice versa. This makes recovery much more practical and obtainable. If all assets reside on the same network, the likelihood of the ransomware infection spreading and encrypting everything is very high.

3. Effective Data Backup Strategy – Reliable and current data backups allow one to recover from ransomware attacks by simply restoring systems, applications and files to a previous and non-infected state of operation. Backup jobs should be configured in accordance to system criticality, monitored for success and routinely tested for recovery assurance. It is also good practice to have multiple copies of backup files stored on different types of media and in different locations.

4. Disaster Recovery Plan – A disaster recovery plan has several key components, one of the more important ones being a step by step recovery procedure. Reliable and current data backups are only useful if they can be used in a successful recovery effort. Be sure to document this procedure and test its effectiveness at least annually. If you would like to learn more about Databranch’s disaster recovery solutions, click here.

How Databranch Can Help

Ransomware is an incredibly popular, effective and profitable cybersecurity attack. It is a real menace. The good news is that the right prevention and recovery tactics will prepare anyone to address the threat of ransomware with confidence and success.

Contact Databranch today at 716-373-4467 x 15 or [email protected] if you would like to learn more about our Breach Prevention Platform and Security Awareness Training with simulated phishing tests.

Article used with permission from CyberStone.

Read More

There is a reason why phishing is usually at the top of the list for security awareness training. For the last decade or two, it has been the main delivery method for all types of attacks. Ransomware, credential theft, database breaches, and much more all launched via a phishing email.

Why has phishing remained such a large threat for so long? Because it continues to work. Scammers evolve their methods as technology progresses. They use AI-based tactics to make targeted phishing more efficient, for example.

If phishing didn’t continue working, then scammers would move on to another type of attack. But that hasn’t been the case. People continue to get tricked. They open malicious file attachments, click on dangerous links, and reveal passwords.

In May of 2021, phishing attacks increased by 281%. Then in June, they spiked another 284% higher.

Studies show that as soon as 6 months after training, phishing detection skills wane. Employees begin forgetting what they’ve learned, and cybersecurity suffers as a result.

Want to give employees a “hook” they can use for memory retention? Introduce the SLAM method of phishing identification.

What is the SLAM Method for Phishing Identification?

One of the mnemonic devices known to help people remember information is the use of an acronym. SLAM is an acronym for four key areas of an email message to check before trusting it.

These are:

S = Sender

L = Links

A = Attachments

M = Message text

By giving people the term “SLAM” to use, it’s quicker for them to check suspicious email. This device helps them avoid missing something important. All they need to do use the cues in the acronym.

Check the Sender

It’s important to check the sender of an email thoroughly. Often scammers will either spoof an email address or use a look-alike. People often mistake a spoofed address for the real thing.

In this phishing email below, the email address domain is “@emcom.bankofamerica.com.” The scammer is impersonating Bank of America. This is one way that scammers try to trick you, by putting the real company’s URL inside their fake one.

Doing a quick search on the email address quickly reveals it to be a scam. This is a trap used in both email and SMS phishing attacks.

It only takes a few seconds to type an email address into Google. This allows you to see if any scam warnings come up indicating a phishing email.

Hover Over Links Without Clicking

Hyperlinks are popular to use in emails. They can often get past antivirus/anti-malware filters. Those filters are looking for file attachments that contain malware but a link to a malicious site doesn’t contain any dangerous code. Instead, it links to a website that does.

Links can be in the form of hyperlinked words, images, and buttons in an email. When on a computer, it’s important to hover over links without clicking on them to reveal the true URL. This often can immediately call out a fake email scam.

When looking at email on a mobile device, it can be trickier to see the URL without clicking on it. There is no mouse like there is with a PC.  In this case, it’s best not to click the URL at all. Instead go to the purported site to check the validity of the message

Never Open Unexpected or Strange File Attachments

File attachments are still widely used in phishing emails. Messages may have them attached, promising a large sale order. The recipient might see a familiar word document and open it without thinking.

It’s getting harder to know what file formats to avoid opening. Cybercriminals have become savvier about infecting all types of documents with malware. There have even been PDFs with malware embedded.

Never open strange or unexpected file attachments. Use an antivirus/anti-malware application to scan all attachments before opening.

Read the Message Carefully

We’ve gotten great at scanning through text as technology has progressed. It helps us quickly process a lot of incoming information each day. But if you rush through a phishing email, you can miss some telltale signs that it’s a fake.

Look at the phishing example posted above in the “Links” section. There is a small error in grammar in the second sentence. Did you spot it?

It says, “We confirmation that your item has shipped,” instead of “We confirm that your item has shipped.” These types of errors can be hard to spot but are a big red flag that the email is not legitimate

Get Help Combatting Phishing Attacks

Both awareness training and security software can improve your defenses against phishing attacks. Contact Databranch today at 716-373-4467 x 15 or [email protected] if you would like to learn more about what options are available to improve your organizations cybersecurity. Our Foundation Security Plan offers a wide variety of benefits such as increasing malware/ransomware protection, reduces phishing compromises, and helps prevent data theft/loss.

To request a free Baseline Security Assessment, click here.

Article used with permission from The Technology Press.

Read More