Cybersecurity Training: How Often Is Enough?


You’ve completed your annual phishing training, which includes teaching employees how to spot phishing emails, and you’re feeling good about it. That is, until about 5-6 months later, when your company suffers a costly ransomware infection because someone clicked a phishing link.

You wonder why you train on the same information every year yet still suffer security incidents. The problem is that you’re not training your employees often enough.

People can’t change behaviors if training isn’t reinforced, and they easily forget what they’ve learned once several months go by.

So, how often is often enough to improve your team’s cybersecurity awareness? It turns out that training every four months is the “sweet spot.” This is when you see more consistent results in your IT security. 

Why Is Cybersecurity Awareness Training Every Four Months Recommended?

So, where does this four-month recommendation come from? A study recently presented at the USENIX SOUPS security conference compared users’ ability to detect phishing emails against how often they had been trained on phishing awareness and IT security.

Employees took phishing identification tests at several different time increments: 

  • 4 months
  • 6 months
  • 8 months
  • 10 months
  • 12 months

The study found that four months after training, scores were still good: employees could accurately identify and avoid clicking on phishing emails. After 6 months, however, their scores started to get worse, and they continued to decline the more months passed after the initial training.


To keep employees well prepared, they need regular training and refreshers on security awareness. This helps them act as a positive agent in your cybersecurity strategy.

Tips on What & How to Train Employees to Develop a Cybersecure Culture

The gold standard for security awareness training is to develop a cybersecure culture: one where everyone is cognizant of the need to protect sensitive data, avoid phishing scams, and keep passwords secured.

According to the 2021 Sophos Threat Report, this is not the case in most organizations: one of the biggest threats to network security is a lack of good security practices.

The report states the following:

“A lack of attention to one or more aspects of basic security hygiene has been found to be at the root cause of many of the most damaging attacks we’ve investigated.” 

Well-trained employees significantly reduce a company’s risk of falling victim to any number of different online attacks. Being well-trained doesn’t require a long day of cybersecurity training; it’s better to mix up the delivery methods.

Here are some examples of engaging ways to train employees on cybersecurity that you can include in your training plan:

  • Self-service videos that get emailed once per month 
  • Team-based roundtable discussions 
  • Security “Tip of the Week” in company newsletters or messaging channels 
  • Training sessions given by an IT professional
  • Simulated phishing tests 
  • Cybersecurity posters 
  • Celebrate Cybersecurity Awareness Month in October  

When conducting training, phishing is a big topic to cover, but it’s not the only one. Here are some important topics to include in your mix of awareness training.

Phishing by Email, Text & Social Media

Email phishing is still the most prevalent form. But SMS phishing (“smishing”) and phishing over social media are both growing. Employees must know what these look like, so they can avoid falling for these sinister scams. 

Credential & Password Security

Many businesses have moved most of their data and processes to cloud-based platforms. This has led to a steep increase in credential theft because it’s the easiest way to breach SaaS cloud tools. 

Credential theft is now the #1 cause of data breaches globally. This makes it a topic that is critical to address with your team. Discuss the need to keep passwords secure and the use of strong passwords. Also, help them learn tools like a business password manager. 

Mobile Device Security

Mobile devices are now used for a large part of the workload in a typical office. They’re handy for reading and replying to an email from anywhere. Most companies will not even consider using software these days if it doesn’t have a great mobile app. 

Review the security needs of employee devices that access business data and apps, such as securing the phone with a passcode and keeping it properly updated.

Data Security

The number of data privacy regulations has also been rising over the years, and most companies now have more than one data privacy regulation they must comply with.

Train employees on proper data handling and security procedures. This reduces the risk that you’ll fall victim to a data leak or breach that ends in a costly compliance penalty.

Need Help Keeping Your Team Trained on Cybersecurity?

Take training off your plate and train your team with cybersecurity professionals. We can help you with an engaging training program. One that helps your team change their behaviors to improve cyber hygiene. Get in touch to learn how BDS can help!  

Article used with permission from The Technology Press.  

Making Your VoIP Network Bulletproof (Six Tips to Protect Your VoIP from Cyberattacks)

Hardly any phone call system in a business beats VoIP when it comes to efficiency and flexibility. However, it’s not immune to cyberattacks. Discover how you can secure your VoIP ASAP. 

What kind of communication system are you using for your business? 

I ask because many modern-day businesses have now switched to Voice over Internet Protocol (VoIP). This technology allows employees to make voice calls using only their internet connection.

It’s often a wise choice considering that using VoIP comes with several benefits to a business. 

Its benefits include lower operating costs, greater convenience than traditional services, increased accessibility, higher scalability, and the ability to multitask. VoIP also comes with advanced features for teams of all sizes, is completely portable, and offers superior voice quality.

However, VoIP systems also have limitations, with cyberattacks being their number one downside.  

The good news is that it’s possible to protect a business’s VoIP system from hackers. And if you have already implemented one in your business, it’s not too late to secure it.

Read on to discover the most common threats to your network and tips on preventing them. 

THE NEED FOR VOIP PROTECTION

All VoIP systems require a stable internet connection to function properly. Unfortunately, their reliance on the internet makes them vulnerable to various security issues.

Some of the most frequent ones include: 

SECURITY ISSUE #1. DENIAL OF SERVICE

Denial of Service (DoS) is a common threat to VoIP systems comprising attacks designed to shut down a machine or network and make it inaccessible for use.  

When this happens, legitimate users of VoIP technology may not be able to access their information systems and devices, and call centers can suffer lower call quality, reduced uptime, and higher latency.

SECURITY ISSUE #2. WAR DIALING

War dialing is an attack in which the attacker takes control of the company’s private branch exchange (PBX) and scans for other phone networks. This means hackers can dial numbers and connect to modems and other extensions.

SECURITY ISSUE #3. TOLL FRAUD

Toll fraud is a threat that consists of making calls to outside lines from a company’s existing system.  

For example, hackers will dial costly international numbers intending to rack up toll charges to your business. 

SECURITY ISSUE #4. PHISHING

This is a common threat wherein attackers send fraudulent messages designed to trick victims into revealing sensitive information. Often, the unsuspecting victims would divulge information about passwords, internal IP networks, and similar data.  

SECURITY ISSUE #5. MALWARE

Malware is a threat in which attackers install malicious software via email or phone: a file or code is delivered over a network with the goal of infecting a system and stealing or exploring the information it contains.

After infecting the system with malware, VoIP hackers can enter your network and access critical business information.

SECURITY ISSUE #6. CALL INTERCEPTION

In call interception, an attacker uses unsecured networks to intercept Session Initiation Protocol (SIP) traffic, the signaling that initiates, maintains, and terminates real-time voice and video sessions.

For example, a victim of a call interception attack can be redirected to another line hosted by the hacker.

6 TIPS FOR BOOSTING VOIP SECURITY

Given the variety of threats posed by attackers to VoIP systems, it’s necessary to optimize your VoIP security ASAP.

Here are 6 valuable tips to get you started. 

TIP #1. SET UP A FIREWALL

Secure firewalls are necessary for all VoIP systems. Configure your VoIP software and hardware firewalls to scan the information that goes in and out of the system and ensure it’s secure.

If spam or a threat comes your way, the firewall will identify and gain control over it, shielding your system from the attack.

Also, a good firewall will allow the data packets you send to travel unhindered. 

TIP #2. USE STRONG PASSWORDS

Your VoIP system is no different from any other software or platform you use for handling sensitive information. For this reason, it needs to be protected with strong and regularly updated passwords.  

Aim for combinations of at least 12 characters, including numbers, upper- and lower-case letters, and special symbols. And for ultimate protection, go for passwords consisting of a random string of characters.

It’s crucial to set a password as soon as you configure your VoIP system. Otherwise, you’re likely to forget about it later.  

Also, remember that some VoIP phones come with pre-set passwords that are often publicly available. That’s why you should change yours as soon as you get a chance.

Ideally, try to change your passwords every three months. 

TIP #3. RESTRICT CALLING

Many VoIP attacks happen due to toll fraud. So, if your business operates locally, there’s no need to have the international call option enabled. This keeps you on the safe side and avoids expensive bills for calls you never made.

You can also have your VoIP service block 1-900 numbers to avoid toll fraud.
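One way to express the calling restrictions above as a dial-plan policy, written here as an added example that is not part of the article (a real VoIP platform applies such rules in its own configuration); the premium-rate prefixes, the North American dialing conventions, the alert threshold and the sample call log are all assumptions:

```python
# Added example (not from the article): a dial-plan policy check that blocks
# premium-rate 1-900 numbers and international destinations unless a country is
# explicitly allowed, and flags extensions that keep hitting the block list,
# which is a common sign of toll fraud. Prefixes, dialing conventions and the
# sample call log below are constructed assumptions.
import re
from collections import defaultdict

PREMIUM_PREFIXES = ("1900", "1976")   # assumed NANP premium-rate ranges (1-900, 1-976)
HOME_COUNTRY_CODE = "1"               # assumption: a North American business
ALERT_THRESHOLD = 3                   # blocked attempts per extension before alerting


def normalize(dialed: str) -> str:
    """Reduce a dialed string to E.164 digits without the '+'.

    Handles '+CC...', the '011' international access code, '1'-trunk-prefixed
    NANP numbers and bare 10-digit NANP numbers. Anything else is returned with
    non-digits stripped so the policy can still reject it.
    """
    digits = re.sub(r"\D", "", dialed)
    if dialed.strip().startswith("+"):
        return digits
    if digits.startswith("011"):           # North American international prefix
        return digits[3:]
    if len(digits) == 10:                  # NANP number without trunk prefix
        return HOME_COUNTRY_CODE + digits
    return digits


def classify(number: str) -> str:
    """Return 'premium', 'domestic', 'international' or 'invalid'."""
    if not 7 <= len(number) <= 15:         # E.164 allows at most 15 digits
        return "invalid"
    if number.startswith(PREMIUM_PREFIXES):
        return "premium"
    if number.startswith(HOME_COUNTRY_CODE) and len(number) == 11:
        return "domestic"
    return "international"


def decide(dialed: str, allowed_countries: frozenset = frozenset()) -> str:
    """Policy: allow domestic and allow-listed international calls; block the rest."""
    number = normalize(dialed)
    kind = classify(number)
    if kind == "domestic":
        return "allow"
    if kind == "international" and any(number.startswith(cc) for cc in allowed_countries):
        return "allow"
    return "block"  # premium-rate, invalid and non-allow-listed international


def toll_fraud_alerts(call_log, allowed_countries=frozenset()):
    """Count blocked attempts per extension; return those at or over the threshold."""
    blocked = defaultdict(int)
    for ext, dialed in call_log:
        if decide(dialed, allowed_countries) == "block":
            blocked[ext] += 1
    return {ext: n for ext, n in blocked.items() if n >= ALERT_THRESHOLD}


# Constructed sample call log: (extension, dialed string)
SAMPLE_LOG = [
    ("101", "212-555-0100"),          # domestic: allowed
    ("101", "+44 20 7946 0000"),      # international: blocked unless "44" is allow-listed
    ("102", "1-900-555-0199"),        # premium-rate: blocked
    ("102", "011 49 30 555 0101"),    # international via 011 prefix: blocked
    ("102", "1-976-555-0123"),        # premium-rate: blocked
    ("102", "+61 2 5550 0123"),       # international: blocked
]

if __name__ == "__main__":
    print(toll_fraud_alerts(SAMPLE_LOG, allowed_countries=frozenset({"44"})))
```

Extension 102 trips the threshold in the sample log, which is the kind of signal the next tip asks staff and administrators to report.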

TIP #4. ENCOURAGE YOUR TEAM TO REPORT SUSPICIOUS BEHAVIOR

Many VoIP attacks succeed because of careless user behavior. To prevent this, educate your team on how they can best do their job without affecting the system’s security.

For starters, they should know how to spot unusual network activity, handle passwords, and report suspicious behavior. They should also report ghost calls and missing voicemails whenever received. Staff also shouldn’t store voicemail for too long.  

The reality is that cybersecurity training during onboarding often isn’t enough. That’s why you should run periodic training to keep your VoIP safe at all times.

TIP #5. DEACTIVATE WEB INTERFACE USE

Ideally, you should deactivate the web interface used for your VoIP system.  

Why? 

Using phones through a desktop computer opens up a weak point for attackers. A single phone user falling prey to an attack is enough to expose the whole system to an external party, and all your data can be stolen in text format as a result.

So, unless it’s absolutely necessary for you to use the web interface, be sure to secure it very strictly. 

TIP #6. USE A VPN FOR REMOTE WORKERS

Virtual Private Networks (VPNs) encrypt traffic regardless of your employees’ location.

You can set up such a network for your remote staff to prevent data leaks and breaches. The good news is that using this service won’t degrade the call quality.  

(RE)GAINING CONTROL OVER YOUR VOIP SECURITY

VoIP systems are a fantastic alternative to landlines. After all, they offer many more features and flexibility at a fraction of the cost. However, their reliance on the internet also makes them susceptible to cyberattacks.

If you have just set up a VoIP system for your company or are thinking of starting one, securing it should be your number one priority. Don’t risk falling prey to toll fraud, malware, phishing, and other attacks. Take some time to secure your business by following the tips from this article.  

And if you need more help to implement these changes or would like to further discuss securing your business’s VoIP system, reach out to us and we can set up a 10-15-minute chat.
Article used with permission from The Technology Press.  

Which Form of MFA Is the Most Secure? Which Is the Most Convenient?

Credential theft is now at an all-time high and is responsible for more data breaches than any other type of attack.  

With data and business processes now largely cloud-based, a user’s password is the quickest and easiest way to conduct many different types of dangerous activities. 

Being logged in as a user (especially if they have admin privileges) can allow a criminal to send out phishing emails from your company account to your staff and customers. The hacker can also infect your cloud data with ransomware and demand thousands of dollars to give it back. 

How do you protect your online accounts, data, and business operations? One of the best ways is with multi-factor authentication (MFA). 

It provides a significant barrier to cybercriminals even if they have a legitimate user credential to log in. This is because they most likely will not have access to the device that receives the MFA code required to complete the authentication process. 

WHAT ARE THE THREE MAIN METHODS OF MFA?

When you implement multi-factor authentication at your business, it’s important to compare the three main methods of MFA and not just assume all methods are the same. There are key differences that make some more secure than others and some more convenient. 

Let’s take a look at what these three methods are:

SMS-BASED

The form of MFA that people are most familiar with is SMS-based. This one uses text messaging to authenticate the user. 

The user will typically enter their mobile number when setting up MFA. Then, whenever they log into their account, they will receive a text message with a time-sensitive code that must be entered.  

ON-DEVICE PROMPT IN AN APP

Another type of multi-factor authentication will use a special app to push through the code. The user still generates the MFA code at login, but rather than receiving the code via SMS, it’s received through the app. 

This is usually done via a push notification, and it can be used with a mobile app or desktop app in many cases. 

SECURITY KEY

The third main method of MFA involves a separate security key that you insert into a PC or mobile device to authenticate the login. The key itself is purchased when the MFA solution is set up and is the device that receives the authentication code and applies it automatically.

The MFA security key is typically smaller than a traditional thumb drive and must be carried by the user to authenticate when they log into a system. 

Now, let’s look at the differences between these three methods. 

MOST CONVENIENT FORM OF MFA?

Users can often feel that MFA is slowing them down. This can be worse if they need to learn a new app or try to remember a tiny security key (what if they lose that key?). 

This user inconvenience can cause companies to leave their cloud accounts less protected by not using multi-factor authentication. 

If you face user pushback and are looking for the most convenient form of MFA, it would be SMS-based MFA.

Most people are already used to getting text messages on their phones, so there is no new interface to learn and no app to install.

MOST SECURE FORM OF MFA?

If your company handles sensitive data in a cloud platform, such as your online accounting solution, then it may be in your best interest to go for security. 

The most secure form of MFA is the security key. 

The security key, being a separate device altogether, won’t leave your accounts unprotected in the event of a mobile phone being lost or stolen. Both the SMS-based and app-based versions would leave your accounts at risk in this scenario. 

SMS-based MFA is actually the least secure because there is now malware that can clone a SIM card, which would allow a hacker to receive those MFA text messages.

A Google study looked at the effectiveness of these three methods of MFA at blocking three different types of attacks. The security key was the most secure overall. 

Percentage of attacks blocked: 

  • SMS-based: 76–100%
  • On-device app prompt: 90–100%
  • Security key: 100% for all three attack types

WHAT’S IN BETWEEN?

So, where does the app with an on-device prompt fit in? Right in between the other two MFA methods. 

Using an MFA application that delivers the code via push notification is more secure than the SMS-based MFA. It’s also more convenient than needing to carry around a separate security key that could quickly become lost or misplaced. 

LOOKING FOR HELP SETTING UP MFA AT YOUR COMPANY?

Multi-factor authentication is a “must-have” solution in today’s threat climate. Let’s discuss your barrier points and come up with a solution together to keep your cloud environment better secured. 

Article used with permission from The Technology Press.

What You Need to Know About the Rise in Supply Chain Cyberattacks

Any cyberattack is dangerous, but the particularly devastating ones are those on supply chain companies. These can be any supplier – digital or non-digital – of goods and services. 

We’ve seen several attacks on the supply chain occur in 2021 that had wide-reaching consequences. These are “one-to-many” attacks, where the victims extend far beyond the company that was initially breached.

Some recent high-profile examples of supply chain attacks include: 

  • Colonial Pipeline: A ransomware attack caused this major gas pipeline to be shut down for nearly a week. 
  • JBS: The world’s largest supplier of beef and pork products was hit with ransomware that caused plants in at least three countries to shut down for several days. 
  • Kaseya: This software company had its code infected with ransomware, which quickly spread to IT businesses that used its products and to roughly 1,500 of their small business customers.  

Why do you need to be worried about supply chain attacks even more so than in the past? Because they’ve been growing and are expected to continue this trajectory. 

Supply chain attacks rose by 42% during the first quarter of 2021. A surprising 97% of companies have been impacted by a breach in their supply chain, and 93% suffered a direct breach as a result of a supply chain security vulnerability. 

If you’re not properly prepared, then you can be impacted by a breach of software you use or have a vital service or goods supplier go down for several days due to a cyberattack.  

As part of any good business continuity and disaster recovery strategy, you should look at supply chain risks in light of the current increase in attacks and formulate a plan. 

HOW CAN YOU MITIGATE YOUR RISK OF LOSSES DUE TO AN ATTACK ON YOUR SUPPLY CHAIN?

IDENTIFY YOUR SUPPLIER RISK

You can’t fix what you don’t know is wrong. So, you need to begin by shedding some light on your risk should one of your vendors get hit with ransomware (the current attack of choice on the supply chain) or another type of breach. 

Make a list of all your vendors and suppliers, both for goods and services. This includes everything from the cloud services you use to the company that supplies your office products or any raw materials you may use in a product you sell. 

Review these vendors to identify their cybersecurity risks. This is something you may need some help with from your IT partner. We can work with you to review vendor security or send them a survey to find out where they stand as to their cybersecurity, and then determine how much that may leave you at risk as one of their customers. 

CREATE MINIMUM SECURITY REQUIREMENTS FOR DIGITAL VENDORS

Come up with some minimum security requirements that you can use as a benchmark with your vendors. One way to make this easier is to use an existing data privacy standard as your requirement.  

For example, if a vendor is GDPR compliant, then you know they’ve adopted several important cybersecurity standards that protect their business, and yours, from an attack. 

DO AN IT SECURITY ASSESSMENT TO LEARN WHERE YOU’RE VULNERABLE 

If the software you use had a vulnerability that was exploited by hackers to take over a system, how much does that leave your systems at risk? Do you have a regular patch application strategy in place to ensure any software updates are applied right away? 

You should have an IT security assessment done if you haven’t done one in over a year. This will help you identify how strong your systems would be at preventing a breach or ransomware infection that was coming from a digital supply chain vendor. 

PUT BACKUP VENDORS IN PLACE WHERE POSSIBLE

If you sell widgets and have a single supplier for one specific part needed for that widget, you’re at a much higher risk of downtime than if you had two suppliers of that part. 

If a key vendor of yours is attacked and can’t fill orders or provide services for a week or more, how will that impact your business? This is what you want to consider when setting up backup vendors. 

For example, most companies would consider themselves down and not able to operate without their internet. Having a backup internet service provider can help you avoid lengthy downtime should your main ISP go down. 

Look at putting this type of safety net in place for all vendors that you can. 

ENSURE ALL DATA KEPT IN CLOUD SERVICES IS BACKED UP IN A 3RD PARTY TOOL 

Microsoft recommends in its Services Agreement that customers back up their cloud data that is kept in its services (such as Microsoft 365). The policy states, “We recommend that you regularly backup Your Content and Data that you store on the Services or store using Third-Party Apps and Services.” 

You should have a backup (in a separate platform) of all data that you store in cloud services, so you’ll be protected in case of a ransomware infection or other data loss or service loss incident. 

SCHEDULE A SUPPLY CHAIN SECURITY ASSESSMENT

Don’t be in the dark about your risk. Schedule a supply chain security assessment to learn where you could be impacted in the case of a cyberattack on a supplier. 

Article used with permission from The Technology Press.