Spoofed emails, often used in phishing attacks, are one of the biggest security risks facing organizations of all sizes.
The threat landscape of COVID-19 is perilous. thinkCSC put together these guidelines for clients and shared the information directly with them via email, but any organization will benefit from these resources and guidelines.
COVID-19 Specific Security Recommendations
This information from the FTC should be shared with your remote workforce to ensure the security of your network as well as theirs.
- Don’t respond to texts, emails or calls about checks from the government. Additional information is available here.
- Ignore online offers for vaccinations and home test kits. There are no products proven to treat or prevent COVID-19 at this time.
- Hang up on robocalls. Scammers are using illegal robocalls to pitch everything from low-priced health insurance to work-at-home schemes.
- Watch for emails claiming to be from the CDC or WHO. Use sites like coronavirus.gov and usa.gov/coronavirus to get the latest information. And don’t click on links from sources you don’t know.
- Do your homework when it comes to donations. Never donate in cash, by gift card, or by wiring money.
CISA also has several recommendations worth sharing:
- Avoid clicking on links in unsolicited emails and be wary of email attachments. See Using Caution with Email Attachments and Avoiding Social Engineering and Phishing Scams for more information.
- Do not reveal personal or financial information in email, and do not respond to email solicitations for this information.
- Verify a charity’s authenticity before making donations. Review the Federal Trade Commission’s page on Charity Scams for more information.
Phishing Scams Abound
We expect an increased phishing threat used mostly to steal personally identifiable information. Here is some additional information on avoiding various phishing threats.
CISA offers several guidelines to increase awareness for social engineering and phishing attacks. You can also download the thinkCSC email security guide (PDF). Read and share our resources on email security and phishing.
Is Zoom Secure?
Zoom continues to be a threat to your infrastructure and data. Because securing a product is a lengthy endeavor, thinkCSC suggests switching to a more mature product with greater security built in. If that’s not possible, here are some tips to help make meetings more secure. Also, make sure to always update your Zoom product when asked.
- Don’t publicly share your Zoom “Meeting ID.” Send it directly to the people you want on the call.
- Set a password for the meeting, then share that only with the right people.
- Make sure “screen sharing” is set to “Host Only.” That prevents other people on the call from abruptly blasting text or images onto the other participants’ screens — a favored tactic of “Zoombombing” trolls.
- Use the “waiting room” feature. It prevents new participants from joining the call until the host approves.
General Security Posture
While phishing and similar attacks will be on the rise, overall systems security will also be tested by the increased COVID-19 threat landscape. Links with additional information are provided below, and as always you can contact your thinkCSC team for details.
- Update VPNs, network infrastructure devices, and devices being used to remote into work environments with the latest software patches and security configurations.
- Alert employees to an expected increase in phishing attempts.
- Ensure IT security personnel are prepared to ramp up the following remote access cybersecurity tasks: log review, attack detection, and incident response and recovery.
- Implement MFA (multiple forms of authentication in addition to username and password) on all VPN connections to increase security.
NSA (PDF)
- Update and Upgrade Software
- Defend Privileges and Accounts
- Enforce Signed Software Execution Policies
- Exercise a System Recovery Plan
- Actively Manage Systems and Configurations
- Continuously Hunt for Network Intrusions
- Leverage Modern Hardware Security Features
- Segment Networks and Deploy Application-Aware Defenses
- Integrate Threat Reputation Services
- Transition to Multi-Factor Authentication
Be sure to review thinkCSC’s information on teleworking safely and our latest security alert.
thinkCSC is ready to help ensure the continuity of your business. While we may have entered uncharted territory with regard to this pandemic and the increased COVID-19 threat landscape, thinkCSC continues to be at your service. Please get in touch if you need support for your remote workforce. If you have questions or concerns regarding your organization’s security, get in touch.
During the COVID-19 pandemic, there has been a huge increase in phishing attacks, ransomware attempts, and malware.
Business emails are a big target for scams throughout the year, but business email compromise (BEC) scams increase during tax season.
Those organizations that you might assume are the most secure suffer from the same weakness as every other company: basic security knowledge. Even those on the campaign trail, despite rampant political hacking attempts, are failing to address email security. The topic of cybersecurity is heard but not addressed, and even if the rules of keeping personal and professional information secure are understood, they are not taken seriously. When 90% of cyberattacks now begin with a phishing campaign, it’s clear that hackers have noticed as well. Email security is not being prioritized, and data breaches are a common result.
Phishing attacks are hard to identify.
Ongoing training is critical for everyone within an organization because phishing attacks are becoming more advanced each day. An employee may not think twice about a request to update a password for a commonly used website, or to submit private information to what appears to be a vendor. Employees blindly trust that an antivirus program will weed out the spam in their digital mailboxes, without considering that an email could be a phishing attack.
The two most common types of phishing attacks:
- Mass phishing – Although hackers are fond of specific targets, mass emails are still sent company-wide. It only takes one employee to offer credentials or click a link for the attack to succeed.
- Spear phishing – This cyberattack targets individuals or specific groups of people that have desired information. The hacking attempt looks legitimate because the message is likely relevant and tailored to the intended recipient.
Preventing phishing attacks starts with best security practices.
Educating staff is essential in stopping phishing attacks, and it needs to be more than a brief presentation or a handout. Cybersecurity training should be comprehensive and provided on a regular basis, to communicate updates and these reminders about best practices:
- Secure personal information – Do not use the same password on multiple devices and at multiple sites, including personal networks. Hackers can target specific individuals and explore networks like social media to gain information. Passwords should be complex and changed periodically, and double authentication should be applied whenever possible.
- Use available malware and virus protection programs – If professional devices are asking for updates, make sure employees are not ignoring prompts. Also encourage employees to secure their personal devices and provide accessible security options. By incorporating best security practices into their personal lives, employees are more likely to implement these practices in their professional realms.
- Use secure networks only – It can be tempting for employees to sign in quickly to an office network at home, even if it is to innocently check an email. Unsecured access, however, can give hackers the opportunity they need to infiltrate secure networks.
- Be aware of threats – Train employees to be suspicious of emails requesting private information, such as credit card details. If an email requests immediate action, then a moment should be taken to confirm the request. Nothing is so immediate that your employees can’t take the time to verify a request with a supervisor.
Your employees can be your biggest risk, but they can also become your strongest defense against phishing attacks. Knowledge is the first step in preventing data breaches, and by educating employees regularly, you can establish a culture of best security practices. Download the thinkCSC email security guide to get started.
If you read the trade mags, you would think the sky is falling and email encryption should be removed. Not so fast – it’s still a secure way to protect your biz.
Ransomware attacks continue to outpace cybersecurity efforts, threatening your organization’s most essential files. Thousands of employees, users, and clients click links and download files in emails, and no matter how cautious you urge them to be, a single toxic file is capable of bringing down your entire network. This threat is not going away, but your business can still employ its best defense and avoid a worst-case scenario.
Data is key to the success of your business
Businesses today rely heavily on data, but many of these businesses continue to operate without crucial protection. According to Datto’s State of the Channel Ransomware Report 2016, ransomware attacks on small businesses are becoming more frequent; 91 percent of the managed service providers they surveyed reported clients victimized by ransomware. Furthermore, findings indicated that the most common impact of ransomware was not simply loss of data, but business-threatening downtime that crippled productivity.
How do you convey to every single employee what ransomware looks like? How do you teach every client to not fall prey to a scam? You can start with educating and training employees about good security practices, urging them to download the thinkCSC email security guide. But training is not enough to protect your data from ransomware.
Backups can save your business
So what can your business do to protect itself? Backup and Disaster Recovery (BDR) is the best – and possibly only – protection against ransomware. If budget constraints are your main concern, then realize that the cost of implementing BDR is minuscule compared to the financial impact of an attack. Datto’s Ransomware Report estimates downtime costs at $8,500 per hour, which adds up to $75 billion per year. BDR allows you to:
- Automatically back up and store data
- Minimize downtime after an attack
- Avoid paying ransoms if an employee inadvertently introduces ransomware into your network
BDR makes it easy to maintain several copies of your data; it also lets you back up and store your data somewhere physically separate from your network. With the assistance of a managed service provider, your business can take extra steps for protection:
- Test backups to ensure that data is recovered properly
- Manage passwords and user permissions
- Take all necessary steps to ensure that your cybersecurity practices are airtight
Good cyber security practices involve steps that do more than try to avoid ransomware. Recognize that no matter how many layers of security you implement, there is virtually no fail-safe measure to safeguard against ransomware attacks. Ransomware is insidious in its ability to continue evolving to better dupe unsuspecting recipients into clicking a link or downloading a file. Rather than gamble with the security of your data in the hope that it will never happen to you, be prepared with offsite backups that house and maintain all your sensitive data. BDR is a peace-of-mind measure that could save your business. Contact thinkCSC to learn more.
Email may not be a popular communication form for millennials and younger generations, but it is still one of the most-often-used technologies in business. Collaborating, sending information and files, and working remotely are made possible with email. Email, however, is also what makes it possible to trick your employees into wiring $300,000 to a hacker in East Asia, revealing the credit card numbers of every customer who has ever shopped with you, or delivering the social security numbers of every employee in your organization. And just when you think you’ve outsmarted cybercriminals and have a handle on phishing issues, a single employee clicks on a link and invites ransomware to invade your network.
No business is immune – businesses of all sizes and in every industry have reported phishing attacks. Avoiding these attacks requires more than just telling employees to be careful; it requires ongoing training and regular reminders, combined with layered security designed to detect and thwart attacks.
Improve email security
Prevent as many phishing emails as possible from even landing in employees’ inboxes, by implementing a hosted email service. In addition, develop a sender policy framework that makes it less likely for spoofed email to work. Better email security is an essential first step in thwarting phishing attacks.
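The Sender Policy Framework mentioned above works by publishing a DNS TXT record that lists which hosts may send mail for a domain; the receiving server then compares the connecting IP against that list. The following Python script is an added example, not thinkCSC’s code or the text of any real domain’s record: it parses an SPF record and evaluates the `ip4`, `ip6`, `include` and `all` mechanisms offline against a constructed dictionary that stands in for DNS lookups, so you can see which verdict a spoofed sender would receive. The domains and addresses are constructed (RFC 5737/3849 documentation ranges), and the `a`, `mx`, `ptr` and `exists` mechanisms, which need live DNS, are deliberately reported as unsupported.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption: these are not real records).
SAMPLE_TXT_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 include:_spf.mail.example.net -all",
    "_spf.mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "nospf.example.org": "v=spf1",  # record with no mechanisms: default result is neutral
}

# Qualifier prefix -> SPF result when the mechanism matches (RFC 7208 section 4.6.2).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, value) triples."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version-1 record")
    terms = []
    for term in parts[1:]:
        qualifier = "+"  # an unprefixed mechanism means "pass on match"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")  # "ip6:2001:db8::/32" splits on the first colon
        terms.append((qualifier, name.lower(), value))
    return terms


def check_host(ip, domain, records, depth=0):
    """Return the SPF result for a message sent from `ip` claiming `domain`.

    `records` replaces DNS here so the evaluation runs offline.
    """
    if depth > 10:  # RFC 7208 caps the number of DNS-querying terms; includes count toward it
        return "permerror"
    record = records.get(domain)
    if record is None:
        return "none"  # the domain publishes no SPF record
    addr = ipaddress.ip_address(ip)
    for qualifier, name, value in parse_spf(record):
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)  # bare address becomes /32 or /128
            except ValueError:
                return "permerror"
            matched = addr.version == net.version and addr in net
        elif name == "include":
            # An include matches only if the referenced domain's record yields "pass".
            sub = check_host(ip, value, records, depth + 1)
            if sub == "pass":
                matched = True
            elif sub in ("permerror", "none"):
                return "permerror"
        else:
            # a, mx, ptr, exists need live DNS; this offline evaluator does not support them.
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and there was no "all"


if __name__ == "__main__":
    for sender in ("203.0.113.7", "198.51.100.10", "2001:db8:1::5", "192.0.2.1"):
        print(sender, "->", check_host(sender, "example.com", SAMPLE_TXT_RECORDS))
```

The last sender, 192.0.2.1, is outside every listed range, so it reaches `-all` and gets `fail`; that is the verdict a receiving server would use to reject or quarantine a forged message. Note that a domain whose record ends in `~all` or `?all` only softfails or stays neutral on spoofed mail, which is why publishing a strict `-all` (once the list of legitimate senders is complete) matters.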
Implement layered security
Carefully layered detection and security protocols can make it much more difficult for cybercriminals to hack your database. Consider how and where your data is stored and accessed; running files from desktops, USB sticks, or external drives can leave you without a safety net. Enterprise file sync software, such as SyncedTool, provides a secure way to access data from anywhere. Backups of your data should also be stored offsite and protected with a comprehensive backup and disaster recovery (BDR) solution. In the event of an attack, a managed services provider can perform a mass revision restore to the point in time before the attack.
Train and retrain (and train them again)
The only way to prevent phishing attacks from succeeding is for every employee to be vigilant at all times. Establish policies that require wire transfer requests to be verified by phone and approved by at least two people. Have a no-tolerance policy for clicking on unverified links or opening unknown files. Provide ongoing training to your employees and reminders about phishing techniques.
Download the thinkCSC email security guide.
Email security must be a top concern for every business. Take the necessary steps to protect your organization. Minimizing your risk is easier when you align your business with a trusted managed IT service provider that partners with your organization, understands your needs, and provides customized solutions to ensure that you have the protection you need. thinkCSC is committed to helping you find the most economical solutions to meet your needs. For more information, contact us today.
An organization is only as secure as its weakest access point, and certain endpoints – smartphones, laptops, and other portable devices that are often connected to public WiFi hotspots or are apt to be lost – are a weak spot for most organizations.
Endpoints are an easy target. Endpoint security is designed to thwart the most common risks these devices present, by detecting and blocking malware, as well as reducing vulnerabilities while ensuring a sensible balance between protection and user access.
Does Your Organization Need Endpoint Security?
Does your company use mobile devices? Do your employees have the ability to take these devices offsite and off-network? Would a data breach cost you customers, downtime, or lost business? If you answer yes to any of these questions, then endpoint security is something your organization should consider.
Endpoint Security and Phishing Scams
Email security is a challenge for every organization. Your employees, whose split-second decision to click on a link or open a file puts you at risk, are also part of the solution. But can endpoint security help you prevent phishing attacks? As part of an overall strategy of multiple layers of security designed to block as much malware as possible, endpoint security can work at the device level by:
- Requiring security and monitoring software that can detect rapid file encryption, even on employee-owned devices used for work
- Making sure all operating systems used on devices are fully patched and up to date
- Whitelisting apps
- Implementing analytics that rapidly detect and block threats
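The first bullet above, detecting rapid file encryption on a device, is usually done by combining two signals: the data being written looks random (high Shannon entropy, as ciphertext does) and many such writes land in a short window. The script below is an added example, not thinkCSC’s or any product’s code; it runs that heuristic over a constructed list of file-write events (timestamps, process names, paths and payloads are all made up) and flags the process that writes many high-entropy files quickly, while leaving alone a word processor writing plain text and a compression tool that writes high-entropy data slowly. The threshold values are assumptions a real product would tune.

```python
import math
import random
from collections import defaultdict, deque


def shannon_entropy(data):
    """Bits of entropy per byte; plain text is ~4-5, encrypted or compressed data is close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


class RapidEncryptionDetector:
    """Flags a process that performs many high-entropy writes within a sliding time window."""

    def __init__(self, entropy_threshold=7.0, max_writes=5, window_seconds=10.0):
        self.entropy_threshold = entropy_threshold  # assumed cut-off for "looks encrypted"
        self.max_writes = max_writes                # assumed count that trips the alert
        self.window_seconds = window_seconds
        self.history = defaultdict(deque)           # process -> timestamps of high-entropy writes

    def observe(self, ts, process, path, data):
        """Record one write; return True if it pushes the process over the threshold."""
        if shannon_entropy(data) < self.entropy_threshold:
            return False  # low-entropy content (documents, source, logs) never counts
        window = self.history[process]
        window.append(ts)
        while window and ts - window[0] > self.window_seconds:
            window.popleft()  # drop writes that fell out of the sliding window
        return len(window) >= self.max_writes


def run(events, detector=None):
    """Feed (ts, process, path, data) events through the detector; return flagged processes."""
    detector = detector or RapidEncryptionDetector()
    flagged = set()
    for ts, process, path, data in events:
        if detector.observe(ts, process, path, data):
            flagged.add(process)
    return flagged


def constructed_events():
    """Constructed sample telemetry (not captured from a real host)."""
    rng = random.Random(42)  # seeded so the sample is reproducible
    events = []
    # Ransomware-like behaviour: eight pseudo-random blobs written half a second apart.
    for i in range(8):
        blob = bytes(rng.getrandbits(8) for _ in range(2048))
        events.append((100.0 + i * 0.5, "cryptor.exe", f"/home/alice/docs/report{i}.docx.locked", blob))
    # Benign document edits: plain text at the same rate.
    text = b"Quarterly report: revenue grew 4% quarter over quarter. " * 40
    for i in range(8):
        events.append((100.0 + i * 0.5, "winword.exe", f"/home/alice/docs/report{i}.docx", text))
    # Benign but high-entropy: an archiver writing one compressed file per minute.
    for i in range(8):
        blob = bytes(rng.getrandbits(8) for _ in range(2048))
        events.append((200.0 + i * 60.0, "7z.exe", f"/home/alice/backup/archive{i}.7z", blob))
    return events


if __name__ == "__main__":
    print("flagged:", run(constructed_events()))
```

Only `cryptor.exe` is flagged: the archiver’s writes are high-entropy but never five within ten seconds, and the word processor’s writes are frequent but low-entropy. In a deployed agent the alert would feed the "rapid detect and block" analytics named in the last bullet, typically by suspending the process and snapshotting the affected files for recovery from backup.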
Threats from phishing emails and malware, such as ransomware, worms, and bots, are a constant threat. Proactive measures must be taken to prevent existing and emerging threats, not just on your network and servers but at every point of access as well as through employee training and consistent reinforcement.
As cybersecurity remains a top concern for business leaders in every industry, taking the necessary steps to protect your organization becomes a high priority. Minimizing your risk is easier when you partner with a trusted managed IT service provider that understands your needs and provides customized solutions to ensure that you have the protection you need. thinkCSC is committed to helping you find the most economical solutions to meet your needs. For more information, contact us today.
E-mail is a cornerstone of business communications, and obtaining your customers’ email addresses is a privilege: it allows you to personalize your marketing efforts, learn details about your target market, and gain insight that might otherwise be difficult to obtain. How do you assure your customers that their email addresses (and all the other information they share with you) are secure?
Right now, Sony is busy doing damage control over the security breach that occurred on the PlayStation 3 and let user information, including credit card numbers, escape their grasp. Last month, many financial institutions and retail stores were scrambling to reassure customers and apologize for a breach that occurred when their email company, Epsilon, was compromised and hundreds of thousands of names and email addresses were stolen. While only names and email addresses were accessed, and not credit card information, there was a lot of placating to do to reassure uneasy customers. The month before that, Play.com admitted that their email provider had experienced months of irregular activity before revealing that their customers’ email addresses had been accessed and compromised.
As a business, ensuring the security of your internal email as well as the information you maintain about your customers has to be a primary concern – something you think about doing before there’s a risk for a breach. The question is, can you really create an environment that provides you with the security you need to offer the reassurance your customers and your investors want? It’s a matter of choosing the right hosted e-mail service that provides you the best possible security.
Here at thinkCSC, we have biometric security in place that ensures that only certain people can access the data center and firewalls. We run regular backups, and our backups are completely encrypted, so even the information stored on our backup server is safe from harm. Even if someone were to break in and physically steal our servers, the thieves would not have access to anything because all of the information on them is encrypted. We’ve literally locked out the hackers from the get-go.
We can also run a piece of software from your location that encrypts your data before it is sent over the internet. When it gets to our site, even we can’t access it unless we have that encryption password. Most of the time, we are taking care of your whole network environment, so we will be the ones managing that password, and we have layers of security protocols in place that keep you protected. But we can also provide you with complete control, and can set it up so you’re the only one who has the password.
The choice is simple: you’re either aggressively protecting your customer’s information by having the best email security available, or you’re preparing a letter to your customers to apologize to them after their information was stolen.