You’ve completed your annual phishing training. This includes teaching employees how to spot phishing emails. You’re feeling good about it. That is until about 5-6 months later. Your company suffers a costly ransomware infection due to a click on a phishing link.
You wonder why you seem to need to train on the same information every year. But you still suffer from security incidents. The problem is that you’re not training your employees often enough.
People can’t change behaviors if training isn’t reinforced. They can also easily forget what they’ve learned after several months go by.
So, how often is often enough to improve your team’s cybersecurity awareness? It turns out that training every four months is the “sweet spot.” This is when you see more consistent results in your IT security.
So, where does this four-month recommendation come from? There was a study presented at the USENIX SOUPS security conference recently. It looked at users’ ability to detect phishing emails versus training frequency. It looked at training on phishing awareness and IT security.
Employees took phishing identification tests at several different time increments:
The study found that four months after their training scores were good. Employees were still able to accurately identify and avoid clicking on phishing emails. But after 6-months, their scores started to get worse. Scores continued to decline the more months that passed after their initial training.
To keep employees well prepared, they need training and refreshers on security awareness. This will help them to act as a positive agent in your cybersecurity strategy.
The gold standard for security awareness training is to develop a cybersecure culture. This is one where everyone is cognizant of the need to protect sensitive data. As well as avoid phishing scams, and keep passwords secured.
This is not the case in most organizations, According to the 2021 Sophos Threat Report. One of the biggest threats to network security is a lack of good security practices.
The report states the following,
“A lack of attention to one or more aspects of basic security hygiene has been found to be at the root cause of many of the most damaging attacks we've investigated.”
Well-trained employees significantly reduce a company’s risk. They reduce the chance of falling victim to any number of different online attacks. To be well-trained doesn’t mean you have to conduct a long day of cybersecurity training. It’s better to mix up the delivery methods.
Here are some examples of engaging ways to train employees on cybersecurity. You can include these in your training plan:
When conducting training, phishing is a big topic to cover, but it’s not the only one. Here are some important topics that you want to include in your mix of awareness training.
Email phishing is still the most prevalent form. But SMS phishing (“smishing”) and phishing over social media are both growing. Employees must know what these look like, so they can avoid falling for these sinister scams.
Many businesses have moved most of their data and processes to cloud-based platforms. This has led to a steep increase in credential theft because it’s the easiest way to breach SaaS cloud tools.
Credential theft is now the #1 cause of data breaches globally. This makes it a topic that is critical to address with your team. Discuss the need to keep passwords secure and the use of strong passwords. Also, help them learn tools like a business password manager.
Mobile devices are now used for a large part of the workload in a typical office. They’re handy for reading and replying to an email from anywhere. Most companies will not even consider using software these days if it doesn’t have a great mobile app.
Review security needs for employee devices that access business data and apps. Such as securing the phone with a passcode and keeping it properly updated.
Data privacy regulations are something else that has been rising over the years. Most companies have more than one data privacy regulation requiring compliance.
Train employees on proper data handling and security procedures. This reduces the risk you'll fall victim to a data leak or breach that can end up in a costly compliance penalty.
Take training off your plate and train your team with cybersecurity professionals. We can help you with an engaging training program. One that helps your team change their behaviors to improve cyber hygiene.
This Article has been Republished with Permission from The Technology Press.
As we conclude the month of May, we have another zero-day vulnerability to report. This vulnerability is a zero-click remote code execution vulnerability utilizing Microsoft Diagnostic Tool and the Microsoft Office Utilities. The vulnerability is primarily exploited by Microsoft Word documents, but can be accessed by any of the Office applications. Email-based delivery will be the main attack vector used by malicious actors to deliver this cruel code execution to their victims.
It is important to mention that this was originally posted by @nao_sec on Twitter. Our partners, Huntress, have verified and replicated this exploit, which is detailed in their technical blog post.
To summarize the vulnerability, in Microsoft Word, you are asked to select "Enable Content" or "Enable Saving" when you open the document. By selecting these options, the malicious process can be spawned. Huntress has discovered that this code can be executed upon simply opening the file without any other actions, which makes this Zero-Click that much worse. Microsoft does not yet have any mitigations that have been fully tested or verified, and there is no patch available at the time of writing this (May 31, 2022 @ 11:00AM).
We strongly advise all our clients and readers to be vigilant and not open any Word documents you receive via email (or any other source) without verifying the sender first. Please ensure that even if the person is legitimate, the document you receive is an expected attachment until we have a patch in place. We appreciate your cooperation and understanding.
The global damage of cybercrime has risen to an average of $11 million USD per minute, which is a cost of $190,000 each second.
60% of small and mid-sized companies that have a data breach end up closing their doors within six months because they can’t afford the costs. The costs of falling victim to a cyberattack can include loss of business, downtime/productivity losses, reparation costs for customers that have had data stolen, and more.
You may think that this means investing more in cybersecurity, and it is true that you need to have appropriate IT security safeguards in place (anti-malware, firewall, etc.). However, many of the most damaging breaches are due to common cybersecurity mistakes that companies and their employees make.
The 2021 Sophos Threat Report, which looked at thousands of global data breaches, found that what it termed “everyday threats” were some of the most dangerous. The report stated, “A lack of attention to one or more aspects of basic security hygiene has been found to be at the root cause of many of the most damaging attacks we've investigated.”
Is your company making a dangerous cybersecurity mistake that is leaving you at high risk for a data breach, cloud account takeover, or ransomware infection?
Here are several of the most common missteps when it comes to basic IT security best practices.
Credential theft has become the top cause of data breaches around the world, according to IBM Security. With most company processes and data now being cloud-based, login credentials hold the key to multiple types of attacks on company networks.
Not protecting your user logins with multi-factor authentication is a common mistake and one that leaves companies at a much higher risk of falling victim to a breach.
MFA reduces fraudulent sign-in attempts by a staggering 99.9%.
Shadow IT is the use of cloud applications by employees for business data that haven’t been approved and may not even be known about by a company.
Shadow IT use leaves companies at risk for several reasons:
Employees often begin using apps on their own because they’re trying to fill a gap in their workflow and are unaware of the risks involved with using an app that hasn’t been vetted by their company’s IT team.
It’s important to have cloud use policies in place that spell out for employees the applications that can and cannot be used for work.
No matter how small your business is, a simple antivirus application is not enough to keep you protected. In fact, many of today’s threats don’t use a malicious file at all.
Phishing emails will contain commands sent to legitimate PC systems that aren’t flagged as a virus or malware. Phishing also overwhelmingly uses links these days rather than file attachments to send users to malicious sites. Those links won’t get caught by simple antivirus solutions.
You need to have a multi-layered strategy in place that includes things like:
A majority of companies around the world have had employees working remotely from home since the pandemic, and they’re planning to keep it that way. However, device management for those remote employee devices as well as smartphones used for business hasn’t always been put in place.
If you’re not managing security or data access for all the endpoints (company and employee-owned) in your business, you’re at a higher risk of a data breach.
If you don’t have one already, it’s time to put a device management application in place, like Intune in Microsoft 365.
An astonishing 95% of cybersecurity breaches are caused by human error. Too many companies don’t take the time to continually train their employees, and thus users haven’t developed the skills needed for a culture of good cybersecurity.
Employee IT security awareness training should be done throughout the year, not just annually or during an onboarding process. The more you keep IT security front and center, the better equipped your team will be to identify phishing attacks and follow proper data handling procedures.
Some ways to infuse cybersecurity training into your company culture include:
Don’t stay in the dark about your IT security vulnerabilities. Schedule a cybersecurity audit to uncover vulnerabilities so they can be fortified to reduce your risk.
This Article has been Republished with Permission from The Technology Press.
The reality is, mobile devices are less safe than desktop computers. Boosting security on such devices is essential if you use them in business. The experts at Dan's Tech Support LLC are ready to assist you in protecting all of your business assets.
Technological breakthroughs have streamlined your operations in several ways. Primarily, you can now use mobile devices to make your communication and data sharing more convenient.
But this technological advancement also means that information on your team members' mobile devices is no longer limited to just phone numbers and contacts. They now contain much more significant data, such as emails, passwords, and other account details.
That’s why keeping those mobile devices secure is key to shielding your reputation and minimizing the risk of losing money.
Unfortunately, the protection of tablets and smartphones against cyberattacks isn't as robust as that of desktops and laptops. Anti-malware applications may be present, but they’re not as powerful as their computer counterparts. In addition, many devices don't support certain measures and applications that companies develop to enhance business security.
Fortunately, you can still implement robust safety measures to protect your smartphones and tablets.
This article will cover the nine best practices in improving cybersecurity on mobile devices.
Before issuing tablets or smartphones to your teams, create an effective usage policy. Define rules about acceptable use and determine the penalties for violating them.
Your employees must be aware of the security risks and measures that can help them reduce the risks. They should know that they are the first line of defense against cybercrime.
Furthermore, be sure to develop a BYOD (Bring Your Own Device) policy if you permit your team to use a personal device for business. Your company policy can include the following:
Need help establishing a security policy for your business? Contact us today about our IT Consulting or IT Security services!
Updating Android and iOS operating systems improve overall user experience, but their most significant role is in addressing security vulnerabilities.
Therefore, install updates as soon as the developer rolls them out to reduce exposure to cybersecurity threats. Delaying it may give criminals enough time to attack your weaknesses and take advantage of outdated operating systems. Should you wish to avoid the responsibility of managing your own updates, Dan's Tech Support LLC offers managed updates as a service.
A complex password or PIN can help prevent cybercriminals from accessing mobile devices. Besides using alphanumeric combinations, you can also use facial or fingerprint recognition, depending on what suits your employees.
If you opt for digits and letters, don't share the combination with people outside your company. On top of that, be sure that your staff doesn't store them on their phones. Unmarked folders and physical wallets are a much safer option. Dan's Tech Support LLC also offers a secure, encrypted password vault to manage your company's passwords and multi-factor authentication credentials.
Lenient download policies can allow your team members to install non-business apps. Downloading such apps might seem harmless, but they are also infamous for their harmful advertising codes and many other threats.
To mitigate this risk, tell your employees they can only download and use apps necessary for their roles.
Your team may need to use public Wi-Fi networks in emergencies to send crucial emails or schedule a meeting. However, connecting to such networks can expose confidential company information to cybercriminals using the same network.
The easiest way to minimize this risk is to provide a high-quality internet plan that features roaming services for your remote workers.
But if there's no way to avoid public Wi-Fi connections, a reputable virtual private network (VPN) or secure global network (SGN) may do the trick. It can help shield your data by creating direct, secure links from your location to the intended website. If you wish to retain complete control over your data, we can provide a free network evaluation and provide an on-premise VPN server. This will allow your employees to connect to the network from anywhere, ensuring that your business data is only ever transmitted over secure channels.
Losing company-issued mobile devices is unfortunate, but it's not the end of the world.
Enabling Android Phone Tracker, Find My Phone on iOS, or other device-tracking software can help locate your lost smartphones. Some programs also enable you to remove data on your stolen devices remotely.
Installing these apps takes a couple of minutes and gives you much-needed peace of mind. With it, even if your staff loses their mobile device, cybercriminals are less likely to get their hands on the content.
For even more security, you may want to integrate with reliable MDM. It's an excellent way to separate personal and business information while allowing your team members to set up robust security measures on their devices.
In most cases, cloud-based software is the most affordable, flexible, and manageable type of MDM. Many platforms let you check out device information, update and manage apps, configure your devices, create usage restrictions, and remove content remotely.
If possible, implement MDM software that enforces security measures across all devices. As previously mentioned, this can include data encryption, strong passwords, and setting up containers to separate personal information from enterprise data.
We suggest you take advantage of our Managed Service Plans for a more enterprise-focused approach. Your mobile devices will be protected, and you can track them everywhere they go through services such as MDM and asset tracking. Contact us today to see what we can do for you!
Cybercriminals frequently employ SMS phishing to trick your team into clicking dangerous links. They pose as someone credible, asking your staff to share confidential information.
If your employees encounter such messages, they should delete them or alert the IT department or Managed Service Provider. Another great idea is to avoid opening the SMS and block the sender.
Many threats can compromise your company due to employee errors. For example, a team member may not realize they're downloading a malicious app that allows thieves to steal data from their mobile devices.
Blocking and whitelisting can enable you to protect your employees from these risks by determining which sites and apps are safe. This is just one of the many services we offer through our Managed Services.
On one hand, blocking certain applications can give your IT department peace of mind and alert them when someone tries to access those applications.
On the other hand, whitelists can work great for highlighting the tools your team should prioritize over social media and games.
Securing your desktop computers and laptops only is a disaster waiting to happen.
Your employees may still use their mobile devices to send emails and share sensitive information. That's why shielding them from cybercriminals should be your top priority.
So, develop a strict usage policy and follow other recommended practices to make your team’s smartphones and tablets virtually impervious to data theft.
Get in touch with us today for even more cybersecurity tips. We can schedule a non-salesy chat to help you identify and address any potential security risks.
Article content used with permission from The Technology Press.