fbpx

As we conclude the month of May, we have another zero-day vulnerability to report. This vulnerability is a zero-click remote code execution vulnerability utilizing Microsoft Diagnostic Tool and the Microsoft Office Utilities. The vulnerability is primarily exploited by Microsoft Word documents, but can be accessed by any of the Office applications. Email-based delivery will be the main attack vector used by malicious actors to deliver this cruel code execution to their victims.

It is important to mention that this was originally posted by @nao_sec on Twitter. Our partners, Huntress, have verified and replicated this exploit, which is detailed in their technical blog post.

To summarize the vulnerability, in Microsoft Word, you are asked to select "Enable Content" or "Enable Saving" when you open the document. By selecting these options, the malicious process can be spawned. Huntress has discovered that this code can be executed upon simply opening the file without any other actions, which makes this Zero-Click that much worse. Microsoft does not yet have any mitigations that have been fully tested or verified, and there is no patch available at the time of writing this (May 31, 2022 @ 11:00AM).

We strongly advise all our clients and readers to be vigilant and not open any Word documents you receive via email (or any other source) without verifying the sender first. Please ensure that even if the person is legitimate, the document you receive is an expected attachment until we have a patch in place. We appreciate your cooperation and understanding. 

Cybersecurity is a neglected part of most small business IT Stacks

The global damage of cybercrime has risen to an average of $11 million USD per minute, which is a cost of $190,000 each second.

60% of small and mid-sized companies that have a data breach end up closing their doors within six months because they can’t afford the costs. The costs of falling victim to a cyberattack can include loss of business, downtime/productivity losses, reparation costs for customers that have had data stolen, and more.

You may think that this means investing more in cybersecurity, and it is true that you need to have appropriate IT security safeguards in place (anti-malware, firewall, etc.). However, many of the most damaging breaches are due to common cybersecurity mistakes that companies and their employees make.

The 2021 Sophos Threat Report, which looked at thousands of global data breaches, found that what it termed “everyday threats” were some of the most dangerous. The report stated, “A lack of attention to one or more aspects of basic security hygiene has been found to be at the root cause of many of the most damaging attacks we've investigated.”

Is your company making a dangerous cybersecurity mistake that is leaving you at high risk for a data breach, cloud account takeover, or ransomware infection?

Here are several of the most common missteps when it comes to basic IT security best practices.

Not Implementing Muti-Factor Authentication (MFA)

Credential theft has become the top cause of data breaches around the world, according to IBM Security. With most company processes and data now being cloud-based, login credentials hold the key to multiple types of attacks on company networks.

Not protecting your user logins with multi-factor authentication is a common mistake and one that leaves companies at a much higher risk of falling victim to a breach.

MFA reduces fraudulent sign-in attempts by a staggering 99.9%.

Ignoring the Use of Shadow IT

Shadow IT is the use of cloud applications by employees for business data that haven’t been approved and may not even be known about by a company.

Shadow IT use leaves companies at risk for several reasons:

Employees often begin using apps on their own because they’re trying to fill a gap in their workflow and are unaware of the risks involved with using an app that hasn’t been vetted by their company’s IT team.

It’s important to have cloud use policies in place that spell out for employees the applications that can and cannot be used for work.

Thinking You’re Fine With Only an Antivirus Application

No matter how small your business is, a simple antivirus application is not enough to keep you protected. In fact, many of today’s threats don’t use a malicious file at all.

Phishing emails will contain commands sent to legitimate PC systems that aren’t flagged as a virus or malware. Phishing also overwhelmingly uses links these days rather than file attachments to send users to malicious sites. Those links won’t get caught by simple antivirus solutions.

You need to have a multi-layered strategy in place that includes things like:

Not Having Device Management In Place

A majority of companies around the world have had employees working remotely from home since the pandemic, and they’re planning to keep it that way. However, device management for those remote employee devices as well as smartphones used for business hasn’t always been put in place.

If you’re not managing security or data access for all the endpoints (company and employee-owned) in your business, you’re at a higher risk of a data breach.

If you don’t have one already, it’s time to put a device management application in place, like Intune in Microsoft 365.

Not Providing Adequate Training to Employees

An astonishing 95% of cybersecurity breaches are caused by human error. Too many companies don’t take the time to continually train their employees, and thus users haven’t developed the skills needed for a culture of good cybersecurity.

Employee IT security awareness training should be done throughout the year, not just annually or during an onboarding process. The more you keep IT security front and center, the better equipped your team will be to identify phishing attacks and follow proper data handling procedures.

Some ways to infuse cybersecurity training into your company culture include:

When Did You Last Have a Cybersecurity Checkup?

Don’t stay in the dark about your IT security vulnerabilities. Schedule a cybersecurity audit to uncover vulnerabilities so they can be fortified to reduce your risk.

--
Featured Image Credit

This Article has been Republished with Permission from The Technology Press.

Our customers are extremely important to us, their continued support allows us to thrive and provide high-quality services. We assure every new or existing client that they will receive the highest level of service at a fair market price when they hire us. Our company was established to help people, not to rip them off as some of our competitors do. Dan's Tech Support LLC is focused and committed to providing the local community with quality work, outstanding customer service, security, reliability and overwhelming value for their services.

Please enjoy our newest Small Business support video, which highlights some of our accomplishments over the past few months. Remember, if you can #SupportSmallBusiness!

Please drop us a follow, and leave a comment under our video!

Dont forget to contact us today if you need any support! We are here 24/7 for you.

Working with an IT provider can be beneficial to your business. However, it is important to avoid a few key mistakes when selecting your provider.

Spending time trying to figure out the technology you use in your business can be costly. As a result, you cannot focus on your business needs, which will affect customer satisfaction. 

An IT provider can help with this. Dan's Tech Support LLC is a local Managed IT Service Provider offering a range of services, including fully managed IT services and an on-call helpline!

Outsourcing hardware and computing-related services such as managed IT security and cloud computing is possible with IT providers. A robust IT infrastructure can also enable you to focus on revenue-generating activities. 

Although there are many IT providers to choose from, not all of them will fit your company's needs. Integration with the wrong team can cause you to incur more costs due to irrelevant services, recurring security problems, and data backup problems. 

Therefore, you need to be extremely careful when selecting your team. The only way to avoid disappointment when choosing an IT provider is to avoid these eight common mistakes. To learn more about what we can do for you, contact us now!

THE EIGHT MISTAKES

MISTAKE #1 - INSISTING ON THE NEWEST TECHNOLOGY

Many advertisers want to trick you into believing that the latest technology will resolve all your issues. While the newest virtualization or cloud offerings can boost operations in many enterprises, they might not suit your business. 

Hence, don’t let the hype surrounding new products dazzle you. 

Carefully consider the results you want your IT provider to help you achieve and determine if the investment enables you to fulfill them. Your provider shouldn’t confuse you with state-of-the-art features – they should guide you and allow for seamless integration. 

MISTAKE #2 - FAILURE TO CONSIDER THE RESPONSE TIMES

Determining the response times of your prospective IT providers is essential. You need to ask them how long they usually take to reply to queries and resolve problems. Be sure to gauge their onsite support efficiency, too. 

Not inquiring about their availability is another grave error. Your IT team should provide round-the-clock services, including specialists that will monitor your system. 

Constant monitoring and availability can help ensure you can detect IT issues early. With this, the provider can immediately administer patches and updates to safeguard against disasters. Here at Dan's Tech Support LLC we have 24/7 monitoring to proactively solve problems in your environments, before they become user facing issues.

Furthermore, your IT provider should offer simple access to their helpdesk support. You should be able to contact them via email, phone, and chat for instant guidance. 

MISTAKE #3 - NEGLECTING THE SECURITY ASPECT

Disregarding the security features of your IT provider might be the most severe mistake. Teams with improper defense mechanisms can’t shield your system from cyber attackers, increasing the risk of losing data and access to resources. 

To avoid this, look for IT providers that can protect you from malware and other threats. They also need to prioritize protecting your business’s confidential data, like trade secrets and customer information. 

When it comes to specific security measures, your IT provider should have features that prevent data intrusions instantly upon detection. The list includes phishing attacks simulations, web content filtering, DNS security, endpoint protection, mobile device management, and dark web protection. 

In addition, responsible teams should eliminate point-of-sale and network intrusions before they compromise your system. Making sure they abide by security compliance and government regulations is also paramount.

MISTAKE #4 - FORGETTING THE BUDGET

IMAGE SOURCE: https://pixabay.com/photos/coins-pennies-money-currency-cash-912718/

Many IT companies operate under pay-as-you-go pricing schemes. Although this helps you minimize upfront investment, adopting a large number of technologies simultaneously without considering the recurring costs can cripple your finances. 

Thus, think twice before signing on the dotted line. 

Research your providers thoroughly and draft your budget with professional assistance. These steps can prevent considerable frustration down the line. A monthly unlimited bundle is often the better pricing option, which we offer at Dan's Tech Support LLC!

MISTAKE #5 - NOT DETERMINING SCALABILITY

One of the biggest impediments to growing your company is choosing an IT provider with poor scalability. 

By contrast, scalable IT teams allow your business to evolve and grow. They can continually extend their services to accommodate your company’s goals, even if these goals change.

MISTAKE #6 - OPTING FOR A NON-RESPONSIVE SERVICE LEVEL AGREEMENT

Service level agreements (SLAs) hold IT providers accountable for their services. It establishes standards for responsibilities, quality, scope, and delivery time in writing. Without it, you’ll have no way of ensuring transparent collaboration. 

When selecting your IT provider, find one with a responsive agreement. It can help guarantee the SLA scales with their services while rendering continual improvement.   

MISTAKE #7 - LACK OF TEAM TRAINING AND FEEDBACK

The story doesn’t end once you’ve found and partnered with a trustworthy IT provider. New technologies won’t magically increase your bottom line and decrease outputs. 

To accomplish your goal, your employees will still need to understand how to use your new tech solutions. But bear in mind that not every team member may be able to grasp new tools easily. Some may even prefer the existing platforms.

Fortunately, you can hire IT experts to train them. These professionals should simplify any complex steps and advise your staff on making the most of your new investment. 

Also, some enterprises set up regular training but fail to monitor their team’s performance. This is a huge mistake, as it keeps you from assessing your employee’s response to new technologies. 

So, conduct questionnaires and other forms of feedback collection to determine and address any weaknesses.

MISTAKE #8 - IGNORING EXPERIENCES WITH PREVIOUS CLIENTS

Choosing an IT provider is similar to buying standard products and services. Failure to check user reviews can lead to disappointment. 

To get a clear picture of your IT team’s capabilities, analyze their current and previous clients from similar industries. Look for reviews, testimonials, and ask the provider for a list of projects and references. 

After doing your due diligence, you should be able to tell whether an IT provider is an ideal match for your company. 

However, keep in mind that every IT team is different. For instance, they might be well-versed in the healthcare industry but have no experience working with retailers. That’s why as mentioned, stick to IT providers servicing your industry to get the best results.

FIND THE RIGHT FIT

Nobody wants to end up with a poor IT provider that can’t deliver great results, leaves your company open to cyberattacks, and causes other vulnerabilities. Your investment goes down the drain, and your operations suffer. 

Luckily, we can show you a way out. 

Let’s arrange a quick, 10-15-minute obligation-free chat. We can discuss more ways on how to find the right IT provider for you and ensure you get your money’s worth.

Article used with permission from The Technology Press.

The reality is, mobile devices are less safe than desktop computers. Boosting security on such devices is essential if you use them in business. The experts at Dan's Tech Support LLC are ready to assist you in protecting all of your business assets.

Technological breakthroughs have streamlined your operations in several ways. Primarily, you can now use mobile devices to make your communication and data sharing more convenient.

But this technological advancement also means that information on your team members' mobile devices is no longer limited to just phone numbers and contacts. They now contain much more significant data, such as emails, passwords, and other account details. 

That’s why keeping those mobile devices secure is key to shielding your reputation and minimizing the risk of losing money. 

Unfortunately, the protection of tablets and smartphones against cyberattacks isn't as robust as that of desktops and laptops. Anti-malware applications may be present, but they’re not as powerful as their computer counterparts. In addition, many devices don't support certain measures and applications that companies develop to enhance business security. 

Fortunately, you can still implement robust safety measures to protect your smartphones and tablets. 

This article will cover the nine best practices in improving cybersecurity on mobile devices.

THE NINE PRACTICES

PRACTICE #1 - ESTABLISH A SOUND SECURITY POLICY

Before issuing tablets or smartphones to your teams, create an effective usage policy. Define rules about acceptable use and determine the penalties for violating them. 

Your employees must be aware of the security risks and measures that can help them reduce the risks. They should know that they are the first line of defense against cybercrime. 

Furthermore, be sure to develop a BYOD (Bring Your Own Device) policy if you permit your team to use a personal device for business. Your company policy can include the following: 

Need help establishing a security policy for your business? Contact us today about our IT Consulting or IT Security services!

PRACTICE #2 - ENSURE THE OPERATING SYSTEM IS UP TO DATE

Updating Android and iOS operating systems improve overall user experience, but their most significant role is in addressing security vulnerabilities. 

Therefore, install updates as soon as the developer rolls them out to reduce exposure to cybersecurity threats. Delaying it may give criminals enough time to attack your weaknesses and take advantage of outdated operating systems. Should you wish to avoid the responsibility of managing your own updates, Dan's Tech Support LLC offers managed updates as a service.

PRACTICE #3 - ENABLE PASSWORD PROTECTION

A complex password or PIN can help prevent cybercriminals from accessing mobile devices. Besides using alphanumeric combinations, you can also use facial or fingerprint recognition, depending on what suits your employees. 

If you opt for digits and letters, don't share the combination with people outside your company. On top of that, be sure that your staff doesn't store them on their phones. Unmarked folders and physical wallets are a much safer option. Dan's Tech Support LLC also offers a secure, encrypted password vault to manage your company's passwords and multi-factor authentication credentials.

PRACTICE #4 - INSTALL BUSINESS PROGRAMS ONLY

Lenient download policies can allow your team members to install non-business apps. Downloading such apps might seem harmless, but they are also infamous for their harmful advertising codes and many other threats. 

To mitigate this risk, tell your employees they can only download and use apps necessary for their roles.

PRACTICE #5 - AVOID PUBLIC WI-FI CONNECTIONS

Your team may need to use public Wi-Fi networks in emergencies to send crucial emails or schedule a meeting. However, connecting to such networks can expose confidential company information to cybercriminals using the same network. 

The easiest way to minimize this risk is to provide a high-quality internet plan that features roaming services for your remote workers. 

But if there's no way to avoid public Wi-Fi connections, a reputable virtual private network (VPN) or secure global network (SGN) may do the trick. It can help shield your data by creating direct, secure links from your location to the intended website. If you wish to retain complete control over your data, we can provide a free network evaluation and provide an on-premise VPN server. This will allow your employees to connect to the network from anywhere, ensuring that your business data is only ever transmitted over secure channels. 

PRACTICE #6 - LEVERAGE PHONE TRACKING

Losing company-issued mobile devices is unfortunate, but it's not the end of the world. 

Enabling Android Phone Tracker, Find My Phone on iOS, or other device-tracking software can help locate your lost smartphones. Some programs also enable you to remove data on your stolen devices remotely. 

Installing these apps takes a couple of minutes and gives you much-needed peace of mind. With it, even if your staff loses their mobile device, cybercriminals are less likely to get their hands on the content.

PRACTICE #7 - INCORPORATE MDM (MOBILE DEVICE MANAGEMENT SOFTWARE)

For even more security, you may want to integrate with reliable MDM. It's an excellent way to separate personal and business information while allowing your team members to set up robust security measures on their devices. 

In most cases, cloud-based software is the most affordable, flexible, and manageable type of MDM. Many platforms let you check out device information, update and manage apps, configure your devices, create usage restrictions, and remove content remotely. 

If possible, implement MDM software that enforces security measures across all devices. As previously mentioned, this can include data encryption, strong passwords, and setting up containers to separate personal information from enterprise data.

We suggest you take advantage of our Managed Service Plans for a more enterprise-focused approach. Your mobile devices will be protected, and you can track them everywhere they go through services such as MDM and asset tracking. Contact us today to see what we can do for you!

PRACTICE #8 - SCREEN MESSAGES CAREFULLY

Cybercriminals frequently employ SMS phishing to trick your team into clicking dangerous links. They pose as someone credible, asking your staff to share confidential information. 

If your employees encounter such messages, they should delete them or alert the IT department or Managed Service Provider. Another great idea is to avoid opening the SMS and block the sender. 

PRACTICE #9 - BLOCKING AND WHITELISTING

Many threats can compromise your company due to employee errors. For example, a team member may not realize they're downloading a malicious app that allows thieves to steal data from their mobile devices. 

Blocking and whitelisting can enable you to protect your employees from these risks by determining which sites and apps are safe. This is just one of the many services we offer through our Managed Services.

On one hand, blocking certain applications can give your IT department peace of mind and alert them when someone tries to access those applications.

On the other hand, whitelists can work great for highlighting the tools your team should prioritize over social media and games. 

DON'T DROP YOUR GUARD

Securing your desktop computers and laptops only is a disaster waiting to happen. 

Your employees may still use their mobile devices to send emails and share sensitive information. That's why shielding them from cybercriminals should be your top priority. 

So, develop a strict usage policy and follow other recommended practices to make your team’s smartphones and tablets virtually impervious to data theft. 

Get in touch with us today for even more cybersecurity tips. We can schedule a non-salesy chat to help you identify and address any potential security risks.

Article content used with permission from The Technology Press.

Dan's Tech Support LLC is a locally owned and operated company that specializes in IT support for both residential and business customers. Some of the services we provide are computer repairs, networking support, and data recovery. We pride ourselves on our excellent customer service and the satisfaction of our clients. Our comprehensive range of solutions protect and maintain your home or office, including virus and malware removals, and managed services for businesses!

Since we specialize in business support, we understand not all of our clients are tech-savvy. Our technicians can assess your company's current technology infrastructure and provide proposals of new hardware, software, and networking equipment to maximize your investment.

Dan's Tech Support LLC Logo

Free Consultations & Initial Diagnostics

Initial consultation and diagnostics are always 100% free of charge.
Even if you do not use our services!
BOOK AN APPOINTMENT
linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram