Cyber Security Threats Your Team Must Know About

Your employees are your first line of defense in cyber security, and their training is as crucial as the cutting-edge tools you’ve invested in. Are you overlooking this vital element?

We strongly advise you make an ongoing commitment to regular cyber security training for every single one of your team. That means keeping them up to date on the latest cyber threats, the warning signs to look out for, and of course, what to do should a situation arise.

If you’re not already doing that, arrange something now (we can help).

While you wait, here are some urgent cyber threats to address right away:

Admin attack

Email addresses like “info@” or “admin@” are often less protected due to perceived low risk. But several teams may require access to these accounts, making them an easy target. Multi-factor Authentication (MFA) can double your security. Even if it seems tedious, don’t neglect it.

MFA fatigue attacks

MFA can feel intrusive, leading employees to approve requests without scrutiny. Cyber criminals exploit this complacency with a flood of fake notifications. Encourage your team to meticulously verify all MFA requests.

Phishing bait

Phishing remains a top threat. Cyber criminals mimic trusted sources with deceptive emails. Teach your team to inspect email addresses closely. Implementing a sender policy framework can also enhance your protection.

Phishing scams are attempts to trick you into revealing your personal information, such as passwords, credit card numbers, or Social Security numbers.

Scammers often send emails or text messages that appear to be from legitimate companies, such as banks, credit card companies, or government agencies. They may also create fake websites that look like real websites.

The three most common phishing scams are:

  • Fake shopping websites, which sell counterfeit products – or even sell nothing at all. They collect your credit card information to sell to other hackers.
  • Romance scams to trick people into falling in love, so they’ll be more willing to send money.
  • Social media scams that either impersonate real people, or invent new personas entirely.

Other common internet scams include:

  • Investment scams (yes, people still fall for these every day) that promise victims high returns on their investments, but the investments are actually fake.
  • Tech support scams which claim to be a tech support company, but then charge for unnecessary services or steal personal information.
  • Lottery and sweepstakes scams tell people that they have won a lottery or sweepstakes, but they need to pay a fee to claim their prize.
  • Charity scams impersonate legitimate charities and ask for donations.

Cyber security training doesn’t have to be tedious. Try simulated attacks and think of them like an escape room challenge—fun yet enlightening. It’s about identifying vulnerabilities, not fault-finding.

Don’t exclude your leadership team. They need to understand the response plan in case of a breach, much like a fire drill.

If you receive an email, text, or call from someone who is asking for your personal information or money, be suspicious! Don’t click on anything until you verify the sender is who they say they are!

Is Your Team Suffering From Cyber Security Fatigue?

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

Recently, we’ve seen a concerning trend among businesses: cyber security fatigue.

It’s a phenomenon that occurs when people become overwhelmed and desensitized to the constant barrage of cyber threats and security alerts they face on a daily basis.

You may be thinking, “My business is too small to be a target for cyber criminals.”

Unfortunately, that couldn’t be further from the truth. In fact, small businesses are often targeted precisely because they are seen as easier targets.

Cyber criminals know that small businesses don’t have the same resources as larger corporations, making them more vulnerable to attacks.

So, how can you tell if your business is suffering from cyber security fatigue? Here are a few signs to look out for: [Read more…]

A Four-Day Week Doesn’t Mean Four-Day Security

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

Are you one of the many companies around the world that’s looking at a four-day working week? Perhaps you’ve already made the leap.

Or, do you find that your team takes more time off during the summer months?

For lots of businesses, it’s never going to work. But those that have tried it have generally found it to be hugely positive. It improves your employees’ experience, making them more loyal, engaged, and productive.

It can help to attract and retain better talent, while improving your brand reputation. And let’s not ignore the cost savings of shutting down the office for an extra day.

But it has to be done right. Forcing people to cram the same amount of work into fewer hours could be a recipe for burnout and exhaustion.

That can lead to corners being cut, which in turn could lead to a cyber security disaster. Even if processes aren’t being intentionally skipped, human error due to a lapse in concentration becomes inevitable. [Read more…]

These Everyday Objects Can Lead To Identity Theft

You wouldn’t think a child’s toy could lead to a breach of your personal data. But this happens all the time.

What about your trash can sitting outside? Is it a treasure trove for an identity thief?

Many everyday objects can lead to identity theft.

Old smart phones

Our smartphones and tablets have become extensions of ourselves, storing a vast amount of personal information. If lost, stolen, or compromised, these devices can provide unauthorized access to sensitive data, including emails, contacts, financial apps, and social media accounts.

Make sure you clean any old phones by erasing all data or destroying the device.

Wireless printers

Protect wireless printers by ensuring you keep their firmware updated. You should also turn it off when you don’t need it.

Trash can

Identity theft criminals aren’t only online. They can also be trolling the neighborhood on trash day. Discarded items in your trash can reveal personal information that identity thieves can exploit. Dumpster diving is a common tactic used to extract valuable data, such as bank statements, credit card receipts, or pre-approved credit offers.

Always shred or destroy any documents before disposing of them, even those that may not seem sensitive at first glance.

It’s also wise to invest in a cross-cut shredder, which provides better protection compared to strip-cut shredders.

USB sticks

You should never plug a USB device of unknown origin into your computer. This is an old trick in the hacker’s book. They plant malware on these sticks and then leave them around as bait.

Old hard drives

When you are disposing of an old computer or old removable drive, make sure it’s clean. Just deleting your files isn’t enough. It’s best to get help from an IT professional to properly destroy your old computer hard drive.

We have a special drive crushing tool at Tech Experts – just let us know if you need some drives recycled.

Physical documents

Physical documents, such as bank statements, bills, medical records, and tax documents, contain a wealth of personal information. Disposing of them carelessly or leaving them unattended can be an open invitation to identity thieves.

Always shred sensitive documents before discarding them, especially those containing financial or personally identifiable information. Furthermore, consider digitizing important documents and securely storing them on encrypted devices or cloud platforms with strong authentication measures.

Children’s IoT devices

You should be wary of any new internet-connected kids’ devices you bring into your home. Install all firmware updates and do your homework.

ATMs

This is called skimming. Malicious actors can use hidden devices on ATMs or card readers to steal your card information during transactions.

Identity theft can have devastating consequences, impacting both your personal and financial well-being.

Safeguarding physical documents, securing mail, keeping wallets and purses safe, protecting mobile devices, and properly disposing of personal trash are essential steps in minimizing the risk of identity theft. Remember, vigilance and informed decision-making are key.

Protecting Your Small Business: IT Security Tips

Small businesses are increasingly reliant on technology to manage their operations. From storing customer data to conducting financial transactions, businesses of all sizes rely on information technology (IT) to keep their operations running smoothly.

However, this reliance on technology also makes small businesses vulnerable to cyber attacks and data breaches. In this article, we’ll discuss some key IT security tips that small business owners can use to protect their companies from cyber threats.

Keep software up-to-date

One of the simplest ways to improve IT security is to ensure that all software is kept up-to-date. Software updates often include security patches that address vulnerabilities and other issues that could be exploited by cybercriminals. By keeping software up-to-date, you can help to reduce the risk of cyber attacks and protect your company’s data.

Use strong passwords

Passwords are the first line of defense against unauthorized access to your business’s digital assets. It’s important to use strong passwords that are difficult to guess or crack.

Passwords should be at least twelve to 16 characters long and include a mix of uppercase and lowercase letters, numbers, and symbols. To help remember passwords, consider using a password manager, which can generate and store strong passwords for you.

Limit access to sensitive data

Not all employees need access to all data. Limiting access to sensitive data can help to reduce the risk of data breaches.

Consider implementing a least privilege access model, where employees only have access to the data they need to perform their jobs. Additionally, consider implementing two-factor authentication, which requires a second form of identification beyond a password to access sensitive data.

Train employees on IT security best practices

Human error is a leading cause of cyber attacks and data breaches. Employees who are unaware of IT security best practices can inadvertently put your business at risk.

It’s important to train employees on IT security best practices, such as how to identify phishing scams, how to create strong passwords, and how to safely use company devices.

Implement a firewall

A firewall is a network security system that monitors and controls incoming and outgoing network traffic. Firewalls can help to prevent unauthorized access to your company’s network and data. Consider implementing a firewall to help protect your business from cyber threats.

Back up data regularly

Data backups are essential for protecting your business’s data in the event of a cyber attack or hardware failure.

Backups should be performed regularly and stored securely, preferably off-site or in the cloud. This can help to ensure that your business can quickly recover from a cyber attack or other data loss event.

Consider cyber insurance

Cyber insurance can help to protect your business in the event of a data breach or cyber attack. Cyber insurance policies can help to cover the costs associated with data recovery, legal fees, and other expenses related to cyber attacks. Consider consulting with an insurance professional to determine if cyber insurance is right for your business.

IT security is a critical component of small business operations. By implementing these IT security tips, you can help to protect your business from cyber threats and data breaches.

Protecting your business’s data is an ongoing process that requires vigilance and attention to detail. By staying up-to-date on IT security best practices and implementing robust security measures, you can help to ensure the long-term success of your small business.

If you have any questions about IT security or would like to discuss your business’s IT security needs, please don’t hesitate to contact us.

Advantages Of Conditional Access

It seems that nearly as long as passwords have been around, they’ve been a major source of security concern.

Eighty-one percent of security incidents happen due to stolen or weak passwords. Additionally, employees continue to neglect the basics of good cyber hygiene.

Access and identity management have become a priority for many organizations.

Once a cybercriminal gets a hold of an employee’s login, they can access the account and any data that it contains. Using conditional access policies can mitigate the risk of an account breach.

What Is Conditional Access? Conditional access is also known as contextual access. It is a method of controlling user access. You can think of it as several “if/then” statements, meaning “if” this thing is present, “then” do this.

Conditional access allows you to add many conditions to the process of user access to a system. It is typically used with MFA.

This is to improve access security without unnecessarily inconveniencing users. Some of the most common contextual factors used include the IP address that is associated with the user, the geographic location if the login, time of day, the type of device used and the role or group the user belongs to.

Implementing conditional access for identity management will improve security, automates the access management process, and allows the business to restrict certain activities.

Another advantage of conditional access is the ability to apply the principal of least privilege, making sure that users can only access appropriate resources.

What Does ‘Zero Trust’ Actually Mean?

It’s nothing to do with the fear that your teenage children will hold a party when you go away for the weekend.

Zero trust is actually about technology security. It’s one of the most secure ways to set up your network, although it can have a very negative effect on productivity.

Most networks take a ‘trust but verify’ approach. They assume every device that connects is supposed to be there. Access the network once and you can go anywhere.
Imagine you’re using a security pass to access a building… and once inside there are no further security checks, so you can get into every single room.

Cyber criminals love this approach, for obvious reasons.

Zero trust is the opposite approach. Every login and device is treated as a potential threat until it’s authenticated, validated, and authorized.

Once in, you can’t access other parts of the network without going through this process again.
Back to the building analogy – once inside the building you are surrounded by security doors and must use your security pass to get through each one. If your pass isn’t valid, you’re limited where you can go.

Zero trust has its uses, especially with so many people working remotely these days. But it can have a negative effect on your workflow and can slow down your team.

If you want to talk through whether it’s right for your business, get in touch.

What To Do If You Lose Your Laptop (Or Other Device)

So, you’re in the car on the way home from the coffee shop, basking in the glow of consuming your triple-shot, low-foam, extra-hot pumpkin-spice latte when you suddenly realize your laptop has gone missing.

You drive back like the caffeinated lunatic you are, only to discover no one has turned it in.

What do you do?

That depends on what precautions you have (or haven’t!) taken.

First, if you’ve properly encrypted your data, password-protected the access to your device and shut down and logged off all key applications, you’ve got a bit more time to respond.

But the next thing to do, whether or not you’ve taken those precautionary measures, is to notify your IT support company that you’ve lost your device.

That will allow them to change passwords and lock access to applications and data a thief may gain access to via your unprotected laptop.

They can also remotely wipe your device to make sure no one will be able to gain access to the data stored on your computer. (Which is also why it’s critical to back up your data on a daily basis!)

Next, change all the passwords to every website you log into, starting with any sites that contain financial data (your bank account) or company data.

If your laptop contained medical records, financial information, or other sensitive data (like social security numbers, birthdays, etc.), then you need to contact a qualified attorney to understand what you may be required to do by law to notify individuals who may be affected.

Quite simply, an ounce of prevention is worth a pound of cure, so make sure you’re engaging with your IT support company to encrypt and back up your data, as well as put remote monitoring software on all mobile devices.

Set a pin-code lock or password requirement to access a device after ten minutes of inactivity and get into the habit of logging out of websites when you’re done using them.

Some other tips to keep your laptop safe:

Use strong passwords, change passwords frequently, and avoid setting up automatic sign-ins. This will make it more difficult for thieves to log on to your computer and access your personal information.

Don’t write down your passwords. If you must write your passwords down, don’t keep the list close to your laptop (for example, on a sticky note kept in your laptop bag).

Never leave your laptop in an unlocked car or conference room.

Never leave your laptop in plain sight in your locked car. Lock it in the trunk and make sure no one sees you put it there.

Carry your laptop in something other than a laptop bag. This may seem unusual, but a laptop bag makes it very obvious to thieves that you are carrying a laptop. Use something more inconspicuous, such as a backpack or messenger bag.

Always keep your laptop in your sight. Don’t leave a meeting or a conference room without your laptop – always bring it with you. You never know who could have access to that room, even if you’re only gone for a few minutes.

Be especially diligent when traveling – airports are a common place for laptop theft. Also be careful in taxis, hotel rooms, restaurants, and coffee shops.

If your laptop is stolen, you’ll want to make sure you have the make, model, and serial number so a complete report can be filed. Keep this information in your desk at work or at home.

Finally, if you store important data on your laptop, make sure it is being backed up! Most workers store their data on a company server, where it is protected and backed up.

If you’re a mobile worker, backups are extra important since you don’t have the security of a server-based backup system.

How Often Do You Need To Train Employees On Cybersecurity Awareness?

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

You’ve just completed your annual phishing training where you teach employees how to spot phishing emails. You’re feeling good about it, until about 5-6 months later when your company suffers a costly ransomware infection because someone clicked on a phishing link.

You wonder why you seem to need to train on the same information every year yet still suffer from security incidents.

The problem is that you’re not training your employees often enough.

People can’t change behaviors if training isn’t reinforced regularly. They can also easily forget what they’ve learned after several months go by.

So, how often is often enough to improve your team’s cybersecurity awareness and cyber hygiene? It turns out that training every four months is the “sweet spot” when it comes to seeing consistent results in your IT security. [Read more…]

Which Form Of MFA Is The Most Secure?

Credential theft is now at an all-time high and is responsible for more data breaches than any other type of attack.

With data and business processes now largely cloud-based, a user’s password is the quickest and easiest way to conduct many different types of dangerous activities.

One of the best ways to protect your online accounts, data, and business operations is with multifactor authentication (MFA).

It provides a significant barrier to cybercriminals even if they have a legitimate user credential to log in.

This is because they most likely will not have access to the device that receives the MFA code required to complete the authentication process.

What Are the Three Main Methods of MFA?

When you implement multi-factor authentication at your business, it’s important to compare the three main methods of MFA and not just assume all methods are the same.

There are key differences that make some more secure than others and some more convenient. Let’s take a look at what these three methods are:

SMS-based

The form of MFA that people are most familiar with is SMS-based.

This one uses text messaging to authenticate the user.

The user will typically enter their mobile number when setting up MFA. Then, whenever they log into their account, they will receive a text message with a time-sensitive code that must be entered.

On-Device Prompt In An App

Another type of multi-factor authentication will use a special app to push through the code. The user still generates the MFA code at log in, but rather than receiving the code via SMS, it’s received through the app.

This is usually done via a push notification, and it can be used with a mobile app or desktop app in many cases.

Security Key

The third key method of MFA involves using a separate security key that you can insert into a PC or mobile device to authenticate the login.

The key itself is purchased at the time the MFA solution is set up and will be the thing that receives the authentication code and implements it automatically.

The MFA security key is typically smaller than a traditional thumb drive and must be carried by the user to authenticate when they log into a system.

Now, let’s look at the differences between these three methods.

Most Convenient Form of MFA?

The most convenient form of MFA would be the SMS-based MFA. Most people are already used to getting text messages on their phones so there is no new interface to learn and no app to install.

The SMS-based is actually the least secure because there is malware out there now that can clone a SIM card, which would allow a hacker to get those MFA text messages.

Most Secure Form of MFA?

If your company handles sensitive data in a cloud platform then it may be in your best interest to go for better security.

The most secure form of MFA is the security key. The security key, being a separate device altogether, won’t leave your accounts unprotected in the event of a mobile phone being lost or stolen. Both the SMS-based and app-based versions would leave your accounts at risk in this scenario.