How Often Do You Need To Train Employees On Cybersecurity Awareness?

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

You’ve just completed your annual phishing training where you teach employees how to spot phishing emails. You’re feeling good about it, until about 5-6 months later when your company suffers a costly ransomware infection because someone clicked on a phishing link.

You wonder why you seem to need to train on the same information every year yet still suffer from security incidents.

The problem is that you’re not training your employees often enough.

People can’t change behaviors if training isn’t reinforced regularly. They can also easily forget what they’ve learned after several months go by.

So, how often is often enough to improve your team’s cybersecurity awareness and cyber hygiene? It turns out that training every four months is the “sweet spot” when it comes to seeing consistent results in your IT security. [Read more…]

The SLAM Method Can Improve Phishing Detection

Why has phishing remained such a large threat for so long? Because it continues to work. Scammers evolve their methods as technology progresses, employing AI-based tactics to make targeted phishing more efficient.

If phishing didn’t continue returning benefits, then scammers would move on to another type of attack. But that hasn’t been the case. People continue to get tricked.

In May of 2021, phishing attacks increased by 281%. Then in June, they spiked another 284% higher.

Studies show that as soon as 6 months after a person has been trained on phishing identification, their detection skills can begin waning as they forget things.

Give employees a “hook” they can use for memory retention by introducing the SLAM method of phishing identification.

What is the SLAM Method for Phishing Identification?

One of the mnemonic devices known to help people remember information they are taught is the use of an acronym. SLAM is an acronym for four key areas of an email message that should be checked before trusting it. These are:

S = Sender
L = Links
A = Attachments
M = Message text

By giving people the term “SLAM” to remember, it’s quicker for them to do a check on any suspicious or unexpected email without missing something important.

All they need to do is run down the cues in the acronym.

S = Check the Sender

It’s important to check the sender of an email thoroughly. Often scammers will either spoof an email address or use a look-alike address that people easily mistake for the real thing.

You can double-click on the sender’s name to ensure the email address is legitimate.

L = Hover Over Links Without Clicking

Hyperlinks are popular to use in emails because they can often get past antivirus/anti-malware filters.

You should always hover over links without clicking on them to reveal the true URL. This often can immediately call out a fake email scam due to them pointing to a strangely named or misspelled website.

A = Never Open Unexpected or Strange File Attachments

Never open strange or unexpected file attachments, and make sure all attachments are scanned by an antivirus/anti-malware application before opening.

M = Read the Message Carefully

If you rush through a phishing email, you can easily miss some telltale signs that it’s a fake, such as spelling or grammatical errors.

Look for words or phrases not normally used by the person who’s emailing you. Words like “kindly” and “revert” are tell-tale clues the email come from someone who’s not your normal sender.

Also, be on the lookout for pressure to act quickly or unexpected banking change requests. While it happens, it is rare for a company to change banks without months of advance notice.

Get Help Combatting Phishing Attacks

Both awareness training and security software can improve your defenses against phishing attacks. Contact us today to discuss your email security needs.

Watch Out For Reply-chain Phishing Attacks

Phishing. It seems you can’t read an article on cybersecurity without it coming up. That’s because phishing is still the number one delivery vehicle for cyberattacks.

80% of surveyed security professionals say that phishing campaigns have significantly increased post-pandemic.

Phishing not only continues to work, but it’s also increasing in volume due to the move to remote teams.

Many employees are now working from home. They don’t have the same network protections they had when working at the office.

One of the newest tactics is particularly hard to detect. It is the reply-chain phishing attack.

What is a Reply-Chain Phishing Attack?

You don’t expect a phishing email tucked inside an ongoing email conversation between colleagues.

Most people are expecting phishing to come in as a new message, not a message included in an existing reply chain.

The reply-chain phishing attack is particularly insidious because it does exactly that. It inserts a convincing phishing email in the ongoing thread of an email reply chain.

How does a hacker gain access to the reply chain conversation? By hacking the email account of one of those people copied on the email chain. Often, the target isn’t even aware.

The hacker can email from an email address that the other recipients recognize and trust. The attacker also gains the benefit of reading down through the chain of replies. This enables them to craft a response that looks like it fits.

They may see that everyone has been weighing in on a new idea for a product called Superbug. So, they send a reply that says, “I’ve drafted up some thoughts on the new Superbug product, here’s a link to see them.”

The reply won’t seem like a phishing email at all. It will be convincing because:

  1. It comes from an email address of a colleague. This address has already been participating in the email conversation.
  2. It may sound natural and reference items in the discussion.
  3. It may use personalization. The email can call others by the names the hacker has seen in the reply chain.

Business Email Compromise is Increasing

Business email compromise (BEC) is so common that it now has its own acronym. Weak and unsecured passwords lead to email breaches. So do data breaches that reveal databases full of user logins.

Tips for Addressing Reply-Chain Phishing

Here are some ways that you can lessen the risk of reply-chain phishing in your organization:

• Use a business password manager
• Put multi-factor controls on email accounts
• Teach employees to be aware

2021 Cyber Attacks – Lessons To Apply For A More Secure 2022

Hackers have hit a wide variety of industries this year, from computer manufacturers to insurance companies, schools to the NBA. A review of prominent 2021 cyber attacks reveals a few common themes. And organizations that apply the lessons learned from these attacks can look forward to a more secure 2022.

No one gets a free pass
It would be difficult to describe the profile of a typical data breach victim in 2021. Large corporations like Volkswagen and Experian got hit. At the same time, even small, low-profile businesses suffered in the Microsoft Exchange and Kaseya attacks. Ransomware crippled hospitals, manufacturers, municipalities, retail and more.

No matter how big or how small, any organization with Internet connections can become a target of attack. Hackers continually hone their skills and add to their toolsets. Consequently, businesses cannot afford to relax their security stance. Get started early on your New Year’s resolutions by committing to invest in cybersecurity.

Apply security patches quickly
When hackers exploited vulnerabilities in the Microsoft Exchange server, they disrupted 60,000 companies and government agencies in the US. Microsoft released security patches quickly. However, many organizations delayed applying the patches. The attack group Hafnium then ran Internet scans to find and exploit unpatched servers.

Take the time to apply software and firmware updates quickly. Take it a step further and turn on automatic updates where possible. This applies not just to servers but to all devices with access to the system.

Step up endpoint security
The rapid switch to remote work completely changed the security perimeter for many organizations, and hackers took advantage. For instance, when insurance giant CNA sustained a ransomware attack, 15,000 devices were encrypted, including those used by remote employees.

When remote work takes center stage, organizations need to strengthen endpoint security. Begin by creating and updating an inventory of all devices connecting to the system.

Enforce strong authentication policies and keep endpoints encrypted. Additionally, monitor the endpoints for unusual activity when connected to the network.

Monitor those business partners
In April, the REvil gang attacked Quanta, a supplier for Apple. REvil used the attack to pressure Apple, claiming to have obtained secret blueprints for yet-to-be-released Apple products. Similarly, parking app Park Mobile suffered a breach because of a vulnerability in a third-party software app.

While strengthening inhouse security, organizations cannot forget about their business partners. Be sure to vet third parties, building security policies into vendor contracts. Then continue to monitor those relationships, including performing regular audits.

Automate the backup process
Fortunately, the list of 2021 cyber attacks includes some positive notes. Attackers hit Polish video game development firm CD Projekt, encrypting devices and accessing source code. However, because the company had quality backups in place, they were able to restore the lost data without paying the ransom.

For decades, security experts have emphasized the importance of performing regular backups. Automating the process takes the burden off IT and delivers peace of mind.

Strengthen authentication and identity management
In April, attackers used a compromised password to access the networks of Colonial Pipeline, disrupting gas supplies and causing panic.

As government officials investigated, they concluded that stronger protections, such as multi-factor authentication, could have prevented the attack.

Identity and access management form a critical component of securing valuable digital assets. Companies should assess and strengthen authentication methods and tighten access controls.

Take protective steps against phishing
According to a recent report on cybersecurity breaches, phishing remains the most common type of cyber attack. For instance, in an attack on Nebraska Medicine, hackers gained entrance to the system and planted malware, eventually exposing over 200,000 patient records.

To protect against phishing and other social engineering attacks, organizations should implement email filtering and continuous network monitoring.

But the most important safety measure remains addressing the human factor with regular, targeted security awareness training.

Treat 2021 cyber attacks as a wakeup call
Reflecting on the high-profile cyber attacks of the past year can provide both the motivation and a blueprint for addressing cybersecurity. And the cybersecurity experts at Tech Experts bring the expertise and tools you need to keep your data and networks safe.

Lessons Learned From The Colonial Oil Pipeline Attack

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

May 6, 2021 will be a day that goes down in history. This is the day the Colonial Oil Pipeline went down, causing a nationwide disruption. Even though the pipeline only services a portion of the east coast, the effects of the shutdown was felt across the country.

Gas prices skyrocketed, lines at gas stations were so long it took hours to get through, and gas stations were pumped dry as people bought gas and put it in whatever container they could gather just to assure themselves they would have enough to get through the closure.

If you think about it, this type of ripple effect is not confined to energy and utility providers. While the scale of the effect would not be at the level of the pipeline, the devastation it could leave in its wake for your business and your customers is just as likely. [Read more…]

Don’t Let Working From Home Lower Your Guard

Wyatt Funchion is a help desk technician at Tech Experts.

When working from home or taking online classes for school, it is very easy for us to get caught up in our work and forget about the potential risks of using the Internet.

Whether you are using Zoom, assisting clients, writing assignments, or even just sending a simple email, cybercriminals have figured out ways to exploit our everyday tasks.

Email is one of the most vulnerable territories for users, and cybercriminals love it because it works. Phishing emails, which are emails that try to trick you out of your sensitive information, are one of the most common Internet threats and are easy to overlook if you’re overworked or in a hurry. Some can be extremely convincing, especially at a glance.

One of the best ways to keep your personal information and your work information protected is to avoid clicking links, opening attachments, and replying to emails when you don’t know where or who the email came from. Don’t provide them with extra information like a password, log-in, or anything else sensitive.

Cyberattacks are another common threat while working from home, and your computer and network are targeted just for existing. An easy way to prevent these attacks would be to use an antivirus suite.

These run in the background of your computer and automatically update themselves. They can protect against zero-day attacks (viruses taking advantage of security flaws before they are patched), malware, spyware, viruses, trojans, worms, and more. Some can alert you of phishing scams, including those sent via email, and alert you when a download is suspicious.

Something else that could put both your work and personal information at risk is your web camera. Cameras are used frequently for Zoom calls or Google Meets for both schools and employers and can be a huge risk if you have any documentation like passwords written in your workspace.

It’s also a big risk to your privacy in general, so make sure there isn’t anything else confidential in frame, such as personal phone numbers on a whiteboard.

A simple way to get rid of the potential risks would be to either unplug your webcam or cover it when it’s not being used. Sliding webcam covers are a good way to cover them and are fairly easy to install. They can be found in all shapes, sizes, and colors.

If your workspace is easily accessed by your family or you also use your personal computer for work, it can create threats for your company. Make sure to not leave your computer unlocked or open on any sensitive information that could be accessed by someone other than you. Another risk can be using your work account for personal use because you may not be as careful about what you access during your personal time versus work hours.

In the end, it is important to keep your work life or school life separate from your personal life.

Taking a few extra steps to make sure everything is secure can be the difference between a stolen identity or encrypted computer.

What’s Your Pocket-Sized Security Threat?

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

You guessed it. I’m talking about phones.

How many people in your business have a company-issued phone, or use their own to access company data like emails, client information, or documents? It’s probably a high number, right?

And your phone is a big risk to your data security. Smishing attacks (that’s the text message equivalent of a phishing email) increased 328% in 2020 and will probably significantly rise again this year.

That’s because it’s a goldmine for cyber criminals. 98% of text messages are read and 45% are responded to. So a smishing text is likely to yield good results for criminals.

Once your phone is infected, malware can monitor your calls and messages, download and delete your data, and if a phone is connected to your business network, the infection might even spread. [Read more…]

Companies Must Address Employees’ Lax Cybersecurity Habits

A third of employees picked up bad cyber security behaviors while working from home, according to Tessian’s Back to Work Security Behaviors report.

Despite the remote workers’ bad security practices, 9 out of 10 organizations prefer the hybrid workplace as COVID-19 restrictions eased. Similarly, 89% of employees want to work remotely during the week.

The firm advises business owners to consider the bad employee behaviors as organizations transition to hybrid workplace models.

As employees go back to the office, businesses need to address changes to employees’ security behaviors since they have been working remotely.

Most employers are wary that the post-pandemic hybrid workforce would bring bad cybersecurity behaviors.

More than half (56%) of employers believed that employees had picked bad security practices while working remotely.

Similarly, nearly two-fifths (39%) of employees also admitted that their employee behaviors differed significantly while working from home compared to the office.

Additionally, nearly a third (36%) admitted discovering ‘workarounds’ since they started working remotely.

Close to half of workers adopted the risky behavior because they felt that they weren’t being watched by IT departments. Nearly a third (30%) said they felt that they could get away with the risky employee behaviors while working away from the office.

However, small businesses placed more confidence in their employees while transitioning to the hybrid workplace.

Over two-thirds of business owners believed that their staff would observe their company’s cybersecurity policies.

Many employees are unlikely to admit cutting corners

The fear or failure to report cybersecurity mistakes was a huge cybersecurity risk for organizations. A quarter of employees refused to report such mistakes believing that nobody would ever discover them.

Similarly, more than a quarter feared reporting cybersecurity mistakes to avoid potential disciplinary actions or being forced to take additional security training.

However, younger employees are more likely to admit cutting corners, according to the Tessian report.

More than half (51%) of employees between 16-24 years old and 46% of those between 25-34 years old were more likely to admit circumventing the company’s security protocols.

“Create a security culture that encourages people to come forward about their mistakes, and support them when they do,” the authors suggested.

Personal devices will undermine the network perimeter in the hybrid workplace

Some of the security threats and challenges experienced when people work fully remotely would be imported into the new hybrid workplace.

While many employees used infected devices for remote access during the pandemic, some would bring them to the hybrid office. Company leaders now have to shift to a new security architecture for good – one that involves zero-trust network access, endpoint security, and multi-factor authentication.

Phishing and ransomware attacks are major challenges in the hybrid workplace

Ransomware attacks were also a major concern for more than two-thirds (69%) of companies who believed that the hybrid work environment would be a target for ransomware attacks. These attacks posed a business continuity threat to targeted companies.

Similarly, phishing attacks concerned over three-quarters of IT decision-makers who believed that credential phishing would only exacerbate in a hybrid workplace.

They believed that employees were more likely to expose company data in public or fall for phishing scams impersonating airlines, booking companies, hotels, or senior executives on a business trip. In fact, “back to work” phishing emails were a concern for 67% of IT leaders.

Phishing was the gateway to ransomware attacks. Consequently, successfully blocking phishing exploits reduces the chances of a ransomware attack.

“Stop phishing, business email compromise, account takeover attacks, and social engineering scams, and you significantly reduce the risk of ransomware,” the report authors noted.

However, bad employee behaviors, such as failing to report clicking phishing links, made it harder to stop these attacks.

Human Error: The Reason Why Cybercriminals Love Email

Mark Funchion is a network technician at Tech Experts.

Defending your data network against viruses, malware, ransomware, and other threats is a never-ending battle. Some attacks can be very sophisticated, using extremely complex techniques to try and exploit even the most secure networks. However, the vast majority of threats to your network – over 80% – are delivered through a very basic method: email.

Email is a common tool that many of us use constantly at work. Oftentimes, we use it without giving much thought to what we’re doing or what we’re opening.

It’s normal for co-workers, clients, or new prospects to communicate and share files with us via email. The file can be a document, spreadsheet, PDF, etc., but the fact is that it’s common and repetitive to us.

Like anything we do frequently, we can develop muscle memory. Think about the program guide on your TV – you probably navigate the menus without thinking. After an update or a provider switch, those menus can change and you might click the wrong buttons out of habit. No harm there.

But consider making the same mistake when a document is sent to you. The message arrives, and you briefly glance at who it’s from. Maybe you recognize them, maybe you don’t. You see an attachment, and you open it out of habit. The file is infected, and in less than a second, the damage has begun.

Like it or not, the people who are attacking your systems are running a business. Like any business, they are concerned with the return on their investment. Developing high-end, sophisticated attacks takes time and skill, which is expensive to do.

However, minimal skill is required to send an email – and that process can be replicated to hundreds of thousands of users with a simple click of a button. And almost everyone working today might accidentally open an email with little to no thought.

For small businesses, having a firewall, an email filter, and anti-virus software is a must. We can help install and maintain that infrastructure. Unfortunately, the methods that attackers use to slip under your defenses are always changing.

It is important that you and your staff – the end users who do the clicking – still do your part and remain vigilant. Attackers send such a high percentage of attacks through email because of that human element. It works.

It’s essential that you fight your muscle memory and treat email like physical mail. Look at what is being sent, who it is from, and if there is anything attached. If anything seems off, do not open it. Always err on the side of caution.

Also, if you do open something you shouldn’t, it’s better to notify your IT department or provider of a potential issue so they can look at what you were sent.

Often, I have observed someone get a suspicious message, open it, notice something is not right, then forward it to a co-worker for help. By sending the message on, there is a potential to increase the scope of damage done.

Those looking to do harm and steal information will always try the path of least resistance. All the security in the world can’t stop an intruder if you open the door for them.

The same caution you take at home when an unexpected knock is heard should be how you handle all email. Consider the source and content, and if you have doubts, don’t open the message. Delete it.

Malware will never be fully eradicated – cybercriminals will make sure of that – but you can do your part to make sure you do not infect your PC or business.

Over $1 Trillion Lost To Cyber-crime Every Year

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

$1 trillion! That’s a lot of money. And it’s a figure that’s increased by more than 50% since 2018.

In 2019, two-thirds of all organizations reported some type of incident relating to cyber-crime.

You could make a sure bet this figure rose significantly last year, thanks to criminals taking advantage of the pandemic.

It’s easy to look at big figures like these and not relate them back to your own business. But here’s the thing. The average cost of a data breach to a business is estimated to be around $500,000.

[Read more…]