What is Riskware, and what are the dangers to your business?

You use several computer programs every day to do your work, but some of them may pose security risks. In this blog, we will talk about riskware: what it is, how it works, how to spot it, and how to prevent riskware attacks.

What is riskware?

Riskware is any legitimate program that poses security risks because of software incompatibilities, security vulnerabilities, or legal violations. Most of the time, riskware is not inherently malicious; it simply has functionality that cybercriminals can abuse. Once it is used with ill intent, however, it is treated as malware.

How does riskware work?

Computer programs typically have some level of system access to function properly. For example, they may have permission to monitor user activity or access the computer’s built-in microphone.

Some functions that can be abused by cybercriminals include:

  • Access to the system kernel, or the core component of an operating system (OS)
  • Access to data-gathering components such as the camera, microphone, and GPS
  • Access to critical system areas such as the registry and network settings
  • The ability to modify other programs, whether by changing their settings or altering their code

How does riskware affect your business?

Riskware poses legality and security issues such as:

1. Privacy invasion

Cybercriminals can use riskware to spy on you. For example, some remote work monitoring apps use GPS data to record an employee’s location. If a cybercriminal exploits one of the app’s vulnerabilities, they could use it to spy on your workers’ whereabouts. They can also hijack conferencing programs like Zoom and Teams to commit corporate espionage.

2. Data breaches

Threat actors can use riskware to steal data or install malware on an unsuspecting user’s system. For instance, a program that exposes a File Transfer Protocol (FTP) service can be turned into a server through which attackers pull the user’s files off the machine. Cybercriminals can also abuse internet relay chat (IRC) clients, dialer programs, and instant messaging features to create backdoors and deliver malware, such as ransomware.

3. Program exploits

Attackers can misuse programs like remote access software. Such a program lets IT personnel connect to a user’s computer to diagnose and fix technical issues. If the program has serious vulnerabilities, cybercriminals can use that same access to take full control of the user’s machine.

How can you spot riskware threats?

Since riskware is harmless until it is used maliciously, spotting it can be difficult. To make the job easier, take inventory of the software installed on your computers and ask the following about each program:

1. How did this software end up on my system?

Riskware is typically installed, and granted its system permissions, by your IT administrator. A program with permissions that neither you nor your admins granted is a red flag.

2. What permissions does this program have?

Check the authorizations your suspicious programs have. For instance, a calculator app should not have access to your device’s registry and contacts.

3. Is this program still supported?

Unsupported programs no longer receive security patches from their developer, so cybercriminals can easily exploit their vulnerabilities to steal sensitive information or install malware. If an app has not received updates in years, treat it as riskware.

4. Does this program violate the terms of service for another app?

Many programs interact with one another. Be wary, however, of programs that augment or disable the features of another app; such behavior typically breaches the other app’s terms of service and is a common trait of riskware.
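
The four questions above can be applied mechanically to a software inventory. The script below is an added example and not NetWize’s tooling: it runs the checks over a constructed inventory. The permission baselines per category, the list of recognized installers, and the three-year support cut-off are assumptions; in practice the records would come from an endpoint agent or package manager listing.

```python
"""Apply the four riskware questions to a software inventory.

Added example, not NetWize's tooling. The inventory records, permission
baselines, trusted installers and the three-year support threshold are
constructed assumptions.
"""
from datetime import date

# Assumed baseline of permissions that are normal for each category of program.
# Anything beyond the set is treated as unusual (question 2).
EXPECTED_PERMISSIONS = {
    "calculator": set(),
    "conferencing": {"camera", "microphone", "network"},
    "remote-admin": {"network", "registry", "kernel"},
    "monitoring": {"location", "network"},
}

# Installers an admin would recognize (question 1).
TRUSTED_INSTALLERS = {"it-admin", "official-store", "vendor-site"}

# Assumed cut-off for "still supported" (question 3).
UNSUPPORTED_AFTER_DAYS = 3 * 365


def assess(app, today):
    """Return the findings for one inventory record (empty list means clean)."""
    findings = []
    if app["installed_by"] not in TRUSTED_INSTALLERS:
        findings.append("unknown installer")
    extra = set(app["permissions"]) - EXPECTED_PERMISSIONS.get(app["category"], set())
    if extra:
        findings.append("unusual permissions: " + ", ".join(sorted(extra)))
    if (today - app["last_update"]).days > UNSUPPORTED_AFTER_DAYS:
        findings.append("no vendor update in over 3 years")
    if app.get("modifies_other_apps"):   # question 4
        findings.append("alters or disables another program")
    return findings


def audit(inventory, today):
    """Map each program with at least one finding to its findings."""
    report = {}
    for app in inventory:
        findings = assess(app, today)
        if findings:
            report[app["name"]] = findings
    return report


# Constructed inventory for demonstration.
INVENTORY = [
    {"name": "CalcPlus", "category": "calculator", "installed_by": "unknown",
     "permissions": ["registry", "contacts"], "last_update": date(2024, 1, 10)},
    {"name": "MeetNow", "category": "conferencing", "installed_by": "official-store",
     "permissions": ["camera", "microphone", "network"], "last_update": date(2024, 11, 2)},
    {"name": "OldVNC", "category": "remote-admin", "installed_by": "it-admin",
     "permissions": ["network", "registry", "kernel"], "last_update": date(2016, 5, 1)},
    {"name": "TweakBar", "category": "monitoring", "installed_by": "vendor-site",
     "permissions": ["location", "network"], "last_update": date(2024, 6, 1),
     "modifies_other_apps": True},
]
TODAY = date(2025, 1, 15)

if __name__ == "__main__":
    for name, findings in audit(INVENTORY, TODAY).items():
        print(f"{name}: {'; '.join(findings)}")
```

Running it flags the calculator with registry and contacts access, the remote-admin tool that has not been updated since 2016, and the add-on that alters other programs, while the conferencing app with camera and microphone access passes because those permissions fit its purpose.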

Tips to prevent riskware attacks

Here are some best practices you need to follow to protect your business from riskware attacks:

  • Limit the number of programs that have admin-level privileges.
  • Read all of your programs’ terms of service and privacy policies.
  • Uninstall programs that are preventing others from functioning properly.
  • Avoid using software that requests unusual permissions.
  • Download applications from trusted sources only, such as the developer’s website or official app stores.


Let NetWize protect your business from riskware and other potential cyberthreats. Our cybersecurity experts will help you identify vulnerabilities, and install firewalls and intrusion detection tools to protect your business from costly data breaches. Talk to us today to get a FREE IT assessment.


Start the year right by giving your staff cybersecurity training

Non-IT personnel tend to believe that leveraging antivirus software and having an IT department is enough to ward off cyberattacks. Such staff lack cybersecurity awareness and a sense of responsibility to protect the company, both of which are weaknesses that cybercriminals exploit. For instance, your staff might not know that merely opening a malicious email attachment could lead to a devastating ransomware attack that causes protracted downtime, lost sales and productivity, and damage to your company’s reputation.

Providing cybersecurity training for everyone — from the rank and file to the C-suite — is therefore crucial for the continued survival and success of your business. Here are two training options to consider.

Internal cybersecurity training programs

Your company’s IT department can develop and deliver in-house training programs that cover the basics of cybersecurity awareness, such as how to identify phishing emails, malicious websites, and other common attacks. Since this type of training is developed internally, it can be tailored to your organization’s specific requirements. For instance, if you’re a healthcare provider, your cybersecurity training program can focus more on HIPAA compliance.

However, creating such programs internally can be time-consuming and expensive. Moreover, developing and implementing training modules are entirely different skills that your IT personnel may lack. To illustrate, they might attempt to create something comprehensive to cover as many cybersecurity topics as possible, but some topics may not be relevant to everyone in your organization. In addition, as technology changes so quickly, your IT team might end up constantly updating your training program to keep it relevant, which isn’t the best use of their time.

Third-party cybersecurity training programs

Alternatively, you can outsource your cybersecurity training needs to a third party. There are many reputable providers of cybersecurity training courses and programs, both online and in-person, which can be tailored to meet the specific needs of your business. These programs usually cover a wide range of topics, from cybersecurity basics to more advanced issues, such as encryption and malware, with a strong focus on practical tips that your employees can easily apply.

Some third-party programs are delivered via a web platform or an app for ease of access from anywhere at any time, whereas others use a combination of online lectures and face-to-face seminars. 

Cybersecurity training providers generally offer programs for two types of learners, namely general employees and cybersecurity personnel. These are the types of programs that are suited for non-IT employees:

  • Awareness-only programs – These programs are focused on increasing employees’ knowledge of cyberthreats they’re likely to face, such as phishing campaigns and business email compromise attacks. Awareness courses may span a few days and are usually updated as the cybersecurity landscape changes, so employees must continually take these throughout their tenure.
  • Intensive programs – Instead of spreading out the training over a period of time, companies may opt to dedicate an entire working day for in-person training. Generic programs are useful for onboarding employees or as refresher courses, while special courses better address the needs of particular employees. For instance, C-suite executives will benefit from programs that cover whale phishing. Unlike awareness-only programs, intensive training programs also include practical tests and simulations so that trainees can better apply their learnings.

Cybersecurity personnel, on the other hand, will naturally require much more in-depth training. 

  • Free training programs – For small businesses with fledgling IT teams, free training programs are a godsend. IT staff members who are interested in starting a career in cybersecurity can turn to places like Cybrary, an online cybersecurity professional development platform that offers role-based learning, hands-on training, and industry certification courses.
  • Paid certificate programs – A cybersecurity certificate program is designed to get IT employees up to speed on the latest cybersecurity threats and how to protect your business from these. Paid courses are for achieving higher levels of specialization that free courses don’t cover.

Whichever cybersecurity training program you choose, one thing is for sure: providing your employees with regular cybersecurity training is an investment that will pay in terms of sizable savings from avoiding adverse cybersecurity incidents. And to completely protect your business against cyberthreats, leverage NetWize’s IT security solutions. Reach out to us today to learn more.

6 Ways to help your organization reach a collective understanding of cybersecurity

The way someone grasps cybersecurity affects how they handle it, and if they understand its aspects differently from another person, then both of them are likely to handle it inconsistently, too. For example, some people may still adhere to the old wisdom of continually changing passwords. They may argue that doing so shortens the validity of passwords, so even if others steal or break these, the risk of hackers breaching accounts is reduced.

However, some users may make only slight changes to their existing passwords since doing so is most convenient for them. This introduces predictability into the password creation process, which results in passwords that are easier to guess and are therefore less secure. That is, even if one password no longer works, a black hat hacker may try out variations of this password. Therefore, the closer the new password is to the old one, the easier it will be to crack.

While open-mindedness fosters diversity of ideas and allows the best ones to come out on top, you’ll also want everyone in your organization to have a common understanding of cybersecurity concepts and principles. Without this commonality, people may insist on cybersecurity practices that are detrimental to your business and implement cybersecurity strategies inconsistently or incorrectly. To achieve this common understanding, follow these tips:

1. Get buy-in from all members of the team

Showing everyone the dangers that cyberthreats pose to their livelihoods and investments can help them reach a baseline understanding of the value of cybersecurity. Buy-in from the rank and file means that they’ll do their part in keeping the company safe, whereas buy-in from executives and board members means that they’ll allocate the resources necessary to implement cybersecurity strategies. In short, convincing people to care is the first step toward leading them to a collective in-depth understanding of cybersecurity.


2. Create a common cybersecurity vocabulary

If employees conceptualize security terms like “ransomware” differently, then they are not likely to understand one another when they discuss such terms. Therefore, you want to create a shared functional reference that utilizes an agreed-upon definition and naming system.

By having a standardized glossary and taxonomy (i.e., way of naming things), misunderstandings may be reduced and discussing cybersecurity matters like network monitoring and risk assessment becomes much easier.

With this as the foundation, cybersecurity performance reports could also be standardized. As reports are generated over time and across departments, comparisons and historical analyses may reveal insights on where people may fall short in protecting data or which cybersecurity practices produce the best results.

3. Establish a clear cybersecurity risk rating system

Describing cybersecurity risks as “low,” “medium,” or “high” tends to be meaningless unless such ratings are substantiated. You must tie the ratings with reference points that people can relate to, such as how much costly downtime a cyberthreat can cause, how much data it can expose, or how much it can hurt your customers.

4. Set up and implement a risk-response framework

A risk-response framework lists the possible cyberthreats your company may face, their risk ratings, and the actions you must take when facing such threats. By employing the framework consistently across your organization, you make risk management a vital component of your company’s culture. The more adept your decision-makers become at managing risk, the more decisive and effective they’ll become.

5. Make risk management resources accessible to those who need it

If the company disseminates a newsletter conveying how the accounting department fended off a spear phishing attack, every staff member can refer to the shared glossary of terms, risk rating system, and risk-response framework to clearly understand the incident.

Managers in other departments may also want to look at the data gathered during cybersecurity incidents so that they’ll have a better idea of how they must respond during similar situations. That’s why they need to have easy access to such data.

6. Find people who’ll act as cybersecurity advocates

Despite having readily available resources, people may still need help grasping cybersecurity concepts and protocols. Here, a staff member who has expertise in cybersecurity can help increase their understanding of the subject. The advocates can also help managers who need to discern how data security processes may affect operations or how security investments align with the company’s goals.

Let our IT experts at NetWize be your cybersecurity advocates as well. Send us a message or call us at 801-747-3200 today to learn more.

7 ways to make cybersecurity understandable for everyone in your organization

Most people use technology without ever understanding its underlying principles and mechanics. The average person would be hard-pressed to explain how a pulley reduces the effort required to lift heavy objects, how airplane wings generate lift, or how emails reach their recipients.

When it comes to IT, people know even less about cybersecurity, the discipline that keeps at bay the threats that can stop them from using their computers and other tech tools. Your staff may not be aware of how malware and other cyberthreats put their jobs and even their personal lives at risk. Therefore, it’ll be good for everyone on your payroll to understand how cybersecurity works so they can help keep your organization safe.

You can achieve this by educating your staff on cybersecurity best practices through regular training. The question is, how do you make cybersecurity understandable for your staff? Here are a few tips for you to start with.


1. Use everyday things or common knowledge to explain cybersecurity jargon and concepts

Ever wondered why website cookies are called that? The name comes from the “magic cookie” of early programming: a small token that one program hands to another and later gets back unchanged, which is exactly what a website does with the data it stores in your browser. IT is full of terms that borrow everyday concepts to make ideas easier to grasp.

The same principle can be applied when explaining cybersecurity. For example, a distributed denial-of-service attack can be likened to a traffic jam, and ransomware can be likened to a hostage situation.

2. Show staff how devastating cyberthreats can be in their own lives

A cyberattack on an entire organization may be at too big a scale for employees to grasp mentally, so it may be helpful to scale everything down to an individual — and personal — level. For instance, you can show staff how hackers can use phishing campaigns to steal their online banking credentials and lock them out of their own hard-earned money.

When workers are shown how cybercrime can negatively affect their lives, they understand how it can ruin the business they work at. It also makes them appreciate the cybersecurity lessons more.

3. Provide cybersecurity training that’s specific to their jobs

The field of cybersecurity is ever-expanding, and no expert could ever master everything there is to know about it. Therefore, it’ll be too much to expect non-techies to grasp countless concepts. Instead, you must limit cybersecurity training to topics related to the jobs your employees do and the tech they use to accomplish these.

If email is the only program a worker uses, then that worker’s training ought to be focused on email-related cybersecurity topics, such as business email compromise. However, someone who manages on-premises servers will require more in-depth training.

4. Build an archive that serves as everyone’s standardized reference

Certainly, one can Google cybersecurity terms to learn more about these, but there may be multiple sources that aren’t consistent with one another. Creating a compendium of knowledge for your company not only makes information easier to find, but it also helps prevent confusion because everyone has one source of truth.

5. Run simulations of cyberattacks

Concepts taught in a classroom setting may remain difficult to understand and retain, but experiencing a cyberattack, even a simulated one, may help ingrain lessons more deeply into the trainees’ minds. Through simulations, they can practice following the procedure for reporting a suspected attack. They would also learn to disconnect their computers from the company network and to restore from backups, rather than pay, when they have been hit with ransomware.


6. Install a cybersecurity culture advocate in every department

If you’re lucky to have cybersecurity enthusiasts in your roster, then it’ll pay to appoint one for every department. They can be a readily available resource in case cybersecurity questions or issues arise. Furthermore, since they belong in those departments, the advocates are familiar with the context behind their teammates’ concerns. Because of this, they’ll be able to address such concerns in a manner that their audience will more easily understand.

7. Carve out time for staff to teach refresher courses

One of the most effective ways to see if someone understood a lesson is by having them teach what they’ve learned to others. Therefore, when it comes time to refresh people’s minds on cybersecurity topics, let the trainer take a back seat and have trainees take over teaching. Also have them use the first three tips above for maximum effect. If the presenters fail at teaching their refresher course, that may indicate a lack of comprehension on their part, which is something the trainer can address later on.

Many businesses in Salt Lake City rely on [company_short] for all their cybersecurity needs. To learn more about how we can serve you, send us a message or call us at 801-747-3200 today.

What is a security operations center, and does your business need one?

This has been said before, but it bears repeating: IT is a tool that bolsters the capabilities of an organization. Take a chatbot as an example. Unlike a human agent who can only respond to clients one at a time, a chatbot can take on hundreds of clients simultaneously. Additionally, it doesn’t need to take breaks, doesn’t get mentally fatigued, and doesn’t need benefits.

Indeed, IT increases productivity, but the converse is also true: productivity crashes when your IT systems become dysfunctional due to malware and other cyberattacks. Not only that, but sensitive data, such as customer information and proprietary company intellectual property, can be stolen. In short, you need to protect your IT systems if you want your Salt Lake City business to survive and thrive. One effective solution is to have your own security operations center or SOC.

What is a security operations center?

A SOC is an in-house facility that contains a comprehensive set of IT security resources that include the following:

  • Information security (infosec) team
    Comprising security engineers, analysts, and managers, this team is responsible for continuously monitoring the company’s IT infrastructure for threats, analyzing systems for vulnerabilities, and preventing and responding to cybersecurity incidents. The infosec team is responsible for reporting everything from potential threat discoveries to actual hacking campaigns. If and when cybersecurity incidents do occur, the team is also responsible for providing technical support to affected parties, be they your staff, business partners, or customers.
  • Security information and event management (SIEM) solution
    This collects logs and security events from across the infrastructure, correlates them against rules the infosec team defines, and raises alerts for the team to investigate.
  • Intrusion detection systems (IDS)
    These inspect network traffic for known attack signatures or for deviations from normal behavior, helping your security team spot cyberattacks in their early stages. The shorter the time between the first signs of an intrusion and its detection, the less downtime and damage your organization will suffer.
  • Vulnerability assessment tools
    The infosec team uses these to detect security holes that an attacker may exploit to infiltrate your IT systems. In addition to helping your team find gaps to close, these tools also help determine if your organization is compliant with data regulations and certification requirements.
  • User and entity behavior analytics (UEBA)
    UEBA utilizes behavior modeling to create baselines that make aberrant actions (such as sudden data exfiltration being done by a staff member or a device like a router) more noticeable. This makes such actions easier to flag as potential security threats.
  • Digital forensics tools
    These enable the infosec team to gather digital evidence that can be used in insurance claims and legal proceedings.
  • Cryptanalysis programs
    These are used to study the cryptography employed in malware such as ransomware. When the malware’s implementation is flawed (a reused key, a weak random number generator), files can sometimes be recovered without paying; correctly implemented encryption cannot be broken this way, which is why backups remain the primary defense.
  • Malware reverse engineering tools
    These allow infosec engineers to analyze what a malware program does, discover the systems it impacts, and determine ways to thwart it.

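To make the SIEM entry above concrete, here is the kind of correlation rule such a tool runs continuously. This is an added example, not a NetWize or vendor product: the log lines are constructed in the style of an SSH daemon’s authentication log, and the failure threshold and time window are assumptions a team would tune for its environment.

```python
"""Correlation rule of the kind a SIEM runs: a burst of failed logins
followed by a successful login from the same source address.

Added example, not a NetWize or vendor product. The log lines are
constructed in sshd style; the threshold and window are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

# Constructed sample log: a burst of failures from 203.0.113.7, then a success.
SAMPLE_LOG = """\
2025-01-15T09:00:01 host1 sshd[411]: Failed password for invalid user admin from 203.0.113.7 port 51111 ssh2
2025-01-15T09:00:05 host1 sshd[411]: Failed password for invalid user root from 203.0.113.7 port 51112 ssh2
2025-01-15T09:00:09 host1 sshd[412]: Failed password for jsmith from 203.0.113.7 port 51113 ssh2
2025-01-15T09:00:14 host1 sshd[412]: Failed password for jsmith from 203.0.113.7 port 51114 ssh2
2025-01-15T09:00:20 host1 sshd[413]: Failed password for jsmith from 203.0.113.7 port 51115 ssh2
2025-01-15T09:00:31 host1 sshd[413]: Failed password for jsmith from 203.0.113.7 port 51116 ssh2
2025-01-15T09:00:40 host1 sshd[414]: Failed password for bwong from 198.51.100.4 port 40001 ssh2
2025-01-15T09:00:47 host1 sshd[414]: Accepted password for bwong from 198.51.100.4 port 40002 ssh2
2025-01-15T09:01:02 host1 sshd[415]: Accepted password for jsmith from 203.0.113.7 port 51117 ssh2
2025-01-15T09:30:00 host1 sshd[416]: Accepted password for alice from 192.0.2.10 port 33000 ssh2
"""


def parse(text):
    """Yield (timestamp, result, user, ip) for each line the rule understands."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"])


def correlate(events, threshold=5, window=timedelta(minutes=2)):
    """Alert when a source IP logs at least `threshold` failures inside
    `window` and then a successful login."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    alerts = []
    for ts, result, user, ip in events:
        q = recent[ip]
        while q and ts - q[0] > window:   # expire failures outside the window
            q.popleft()
        if result == "Failed":
            q.append(ts)
        elif len(q) >= threshold:
            alerts.append({"ip": ip, "user": user, "failures": len(q), "at": ts})
            q.clear()                     # one alert per burst
    return alerts


def run_rule(text, **kw):
    """Parse a log excerpt and return the alerts the rule produces."""
    return correlate(parse(text), **kw)


if __name__ == "__main__":
    for a in run_rule(SAMPLE_LOG):
        print(f"ALERT {a['at']}: {a['failures']} failures then success "
              f"for {a['user']} from {a['ip']}")
```

On the sample, the single alert is the six failures from 203.0.113.7 followed by a successful login as jsmith; the one mistyped password from 198.51.100.4 stays below the threshold, which is the difference between a rule an analyst can act on and a flood of noise.
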
It’s important to note that a SOC is not responsible for coming up with security strategies, developing security architecture, or installing security measures. As its name denotes, the SOC is the one that operates the company’s existing cybersecurity framework.

Why have a SOC? Isn’t having firewalls and antivirus software enough?

While having firewalls and antivirus software is important, these are not enough to defend against the most sophisticated cyberthreats. Furthermore, most cybercriminals take advantage of IT systems’ greatest vulnerability: human users. Cybersecurity tools on their own can’t match the ingenuity of human threat actors who prey upon human weaknesses, which is why such actors must be matched with human cybersecurity operatives.


Additionally, there’s so much threat intelligence coming from external sources like threat briefs, signature updates, news feeds, vulnerability alerts, and incident reports. You need a dedicated team that will keep up with ever-evolving cyberthreats.

A SOC is resource-intensive and requires significant investments to build and maintain. Fortunately, you don’t need to have a SOC in-house — instead, you can leverage NetWize’s outsourced SOC services. We’ve already built the SOC for you, so just send us a message or call us at 801-747-3200 today to learn more.

Going passwordless? Microsoft has the tools for your business

Scammers send countless spoofed emails that try to lure you to fake login pages and have you divulge your username and password. Hackers infect your business’s computers with keyloggers in the hopes of recording users’ account credentials. With so many cyberthreats gunning for your passwords, it won’t be surprising if you want to stop using passwords altogether — especially when Microsoft appears to have gotten tired of them as well.

Microsoft has introduced a couple of passwordless tools that users of their software can use to keep their data and their systems safe.

Before anything else, what does going passwordless mean?

Going passwordless means revamping your cybersecurity system so that your business will no longer have to rely on passwords to protect your data from unauthorized access and theft. Using passwords as part of your company’s security strategy actually inconveniences staff and users, as this demands the following from them:

  • Longer, more complex, and hard-to-remember passwords (which hackers can steal by phishing)
  • Password replacements every couple of months (which makes users tweak old passwords in a predictable or easy-to-guess way)
  • Password resets whenever they forget their passwords
  • Unique passwords for every account
  • Additional authentication steps (which makes the process of accessing accounts tedious)

In short, going passwordless means opting for cybersecurity tools that are both easier to use and more effective at keeping your company secure than password-based solutions.

Moreover, if you haven’t automated your password reset process yet, you’d know how expensive it is to have your IT team handle password reset requests. Going passwordless will therefore also mean cutting out costs related to maintaining password-centric security systems.

What passwordless tools does Microsoft have for their users?

As of this writing, Microsoft offers three types of passwordless sign-in: biometric scans, one-time passcodes (OTPs) from an authenticator app, and hardware security keys.

Biometrics

With biometrics, the user’s own unique characteristics become the keys for unlocking their accounts. Depending on the use case, you can opt for fingerprint scans, iris scans, or facial recognition. These promote ease of use while granting a high degree of security: people always have such “keys” on their bodies, and the keys are very difficult to copy or steal, especially since the biometric template is stored and matched on the device itself rather than sent to a server.

Windows Hello, Microsoft’s tool for letting users gain quick and secure access to their Windows 10 devices, utilizes biometrics as a primary way to authenticate a user’s identity.

One-time passcodes

OTPs are short-lived codes generated by an authenticator app (such as Microsoft Authenticator) on the user’s smartphone from a secret shared with the service when the app was enrolled; entering the current code proves the user holds the enrolled phone. The phone itself is unlocked either by scanning the user’s fingerprint or by entering a PIN registered to, and known only by, that user, so possession of the device becomes a marker of identity. Because the code is typed in, it can still be phished in real time; the hardware security keys described below close that gap.
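
The code below shows how an authenticator app derives its passcode and how the service checks it. It is an added example, not Microsoft’s code: it implements HOTP (RFC 4226) and time-based TOTP (RFC 6238), the secret is the shared test key from those RFCs, and the replay guard through `last_counter` is a design choice of this example rather than anything the page describes.

```python
"""How an authenticator app's one-time passcode is produced and checked.

Added example, not Microsoft's code. Implements HOTP (RFC 4226) and
TOTP (RFC 6238); RFC_SECRET is the RFCs' published test key, and the
replay guard via `last_counter` is this example's assumption.
"""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """The code the phone shows: HOTP with the 30-second time slot as counter."""
    return hotp(secret, int(at_time) // step, digits)


def verify(secret: bytes, code: str, at_time: float, last_counter: int = -1,
           step: int = 30, digits: int = 6, drift: int = 1):
    """Server side: accept the current slot plus `drift` slots either way for
    clock skew, but never a slot at or before the last accepted one, so a
    captured code cannot be replayed. Returns the matching slot or None."""
    base = int(at_time) // step
    for k in range(-drift, drift + 1):
        slot = base + k
        if slot <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, slot, digits), code):
            return slot
    return None


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps are provisioned with the shared secret in base32."""
    return base64.b32decode(text.upper())


RFC_SECRET = b"12345678901234567890"   # shared test key from RFC 4226 / 6238

if __name__ == "__main__":
    now = time.time()
    code = totp(RFC_SECRET, now)
    print("current code:", code, "accepted slot:", verify(RFC_SECRET, code, now))
```

Two points the paragraph alone does not show: the phone and the server never exchange the secret after enrollment (only the 30-second code), and the server must remember the last slot it accepted, otherwise a code captured by a phishing page remains valid for the rest of its window.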

Hardware security keys

The last type of passwordless tool offered by Microsoft is the hardware security key. These are literally like car keys or front-door keys, but come in the form of hardware such as USB devices or near-field communication (NFC) smart cards. The key holds a private key that never leaves the device; the service keeps only the matching public key and, at sign-in, challenges the key to prove possession, so there is no shared secret for a phishing site to capture. A user can then use the key to open their Windows user account, online Microsoft accounts, and accounts used in the Microsoft Edge browser.

While some applications require only one factor, the most secure passwordless systems still use multifactor authentication: something the user has (the phone or security key) combined with something they are (a biometric) or something they know (a PIN). A security key that is unlocked with a PIN or fingerprint satisfies this in a single step.

What tools you apply will depend on what you want to secure and how you want to secure it. To learn more about Microsoft’s passwordless options and which tools best suit your business’s needs, turn to our Microsoft experts at [company_short]. Get a free quote for your project or call us at 801-747-3200 today.

Cybersecurity: Always keep in mind its human component

Protecting hardware and software against cyber threats may require a lot of highly technical skills but it is fairly straightforward, considering how direct the causal relationships are between IT vulnerabilities and data breaches. To illustrate, if a zero-day vulnerability is discovered by information security (infosec) experts, developers must find a way to patch it before cybercriminals can exploit it.

Indeed, IT departments have countless hardware and software protection tools at their disposal, such as anti-malware programs and network firewalls. However, they must always keep in mind that their biggest vulnerability by far is the human user. This is primarily due to three reasons: people make mistakes, people can be lazy, and people may not feel that they are part of the organization’s cybersecurity efforts.

People are prone to making mistakes

Fraudsters take advantage of staff members’ weaknesses all the time. For example, a phisher may send employees a fake email saying that company accounts may have been compromised in a hacking campaign. The email will go on to say that account holders must log in and change their access credentials to keep their accounts safe from takeovers. Out of sheer worry, some email recipients click on the link provided and arrive at a spoofed login page.

Unbeknownst to them, as soon as they submit their login details, they’re actually handing over their credentials to the phisher. That cybercriminal will then go to the real login page, sign in using the stolen credentials, then change the username and/or password to lock the original user out of the account. The hacker is then free to pose as the victim, roam around the company network, and steal as much data as they can get their hands on.


Zero trust: A way to cover people’s fallibility

There are plenty of ways to fool people, so one way to manage this risk is by minimizing the consequences of staff members falling for fraudsters’ tricks. In a zero trust security model, the organization assumes that their network has already been infiltrated, which means that mere entry no longer signifies trustworthiness. 

Therefore, users who enter the network are only granted access to the data and apps they need to accomplish their tasks. This means that if a hacker overtakes a marketer’s account, they won’t be able to dive into the accounting department’s drives and steal from their folders. Rather, the hacker will be limited to what the authentic user has access to.

Machine learning-powered tools

Another way to cover for people’s fallibility is by being smarter at nipping hacking instances in the bud. To illustrate, identity and access management (IAM) programs can now record the IP address of each login and geolocate it. Thus, if a user normally logs in from Salt Lake City but suddenly appears in Melbourne, Australia, an hour later, the IAM program can flag that login as suspicious.

Additionally, there are now many machine learning-powered network monitoring tools that can be trained to identify normal and innocuous behaviors over time. Once behavioral baselines are established, the tools can identify suspicious activities that the IT department must investigate.
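As an added illustration of the location check described above (this is example code written for this post, not code from NetWize or from any IAM product), the script below pairs each user's consecutive sign-ins, computes the great-circle distance between them, and flags any pair whose implied travel speed exceeds what an airliner could manage. The user names, timestamps and coordinates are constructed sample data.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Faster than an airliner means one person cannot have made both sign-ins;
# stolen credentials used from a second location are the likelier explanation.
MAX_PLAUSIBLE_KMH = 900.0


@dataclass(frozen=True)
class Login:
    user: str
    when: datetime
    city: str    # label for the alert text; the check itself uses lat/lon
    lat: float
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two coordinates."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat = p2 - p1
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events: list[Login], max_kmh: float = MAX_PLAUSIBLE_KMH) -> list[dict]:
    """Pair each user's consecutive sign-ins (ordered by time) and report the
    pairs whose implied ground speed exceeds max_kmh."""
    by_user: dict[str, list[Login]] = {}
    for ev in sorted(events, key=lambda e: e.when):
        by_user.setdefault(ev.user, []).append(ev)

    alerts: list[dict] = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.when - prev.when).total_seconds() / 3600.0
            # Two sign-ins at the same instant from different places can never be legitimate.
            kmh = km / hours if hours else float("inf")
            if kmh > max_kmh:
                alerts.append({"user": user, "from": prev.city, "to": cur.city,
                               "km": round(km), "hours": round(hours, 2),
                               "kmh": round(kmh) if hours else None})
    return alerts


# Constructed sample log: alice's second sign-in is the Salt Lake City -> Melbourne
# case from the text; bob's short hop to Provo is ordinary commuting.
SAMPLE_EVENTS = [
    Login("alice", datetime(2021, 3, 1, 9, 0), "Salt Lake City", 40.7608, -111.8910),
    Login("alice", datetime(2021, 3, 1, 11, 0), "Melbourne", -37.8136, 144.9631),
    Login("bob", datetime(2021, 3, 1, 9, 0), "Salt Lake City", 40.7608, -111.8910),
    Login("bob", datetime(2021, 3, 1, 10, 0), "Provo", 40.2338, -111.6585),
]

if __name__ == "__main__":
    for a in impossible_travel(SAMPLE_EVENTS):
        print(f"{a['user']}: {a['from']} -> {a['to']} in {a['hours']} h "
              f"({a['km']} km, about {a['kmh']} km/h), flag for investigation")
```

A real deployment would feed this from the IAM product's sign-in log and tune the speed threshold per organization; VPN egress points and mobile carriers can also place a legitimate user far from their desk, so the output is a lead to investigate, not proof of compromise.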

People can be lazy

There are many small things that require the barest of efforts but staff members fail to do out of sheer laziness. For instance, they’ll forget to lock their computers when they leave their workstations. This lets unauthorized users take over the station, launch browsers, and open tabs for email and other accounts that the authentic user is signed into.

At other times, people just tend to use the most convenient methods available to them. They’ll use short and easy-to-crack passwords or reuse passwords for multiple accounts if they can. And even when they’re required to change their passwords regularly, they may just use a base phrase for all of their passwords, then add the month and year to make them unique from one another. While this may look ingenious at first, it actually introduces predictability. That is, if a hacker gets hold of an expired password, they can easily guess what the current one may be.
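One defensive answer to the base-phrase-plus-date habit described above is to check, at the moment a user changes their password, whether the new one is just the old one with a different suffix. The check below is example code written for this post (not NetWize's or any product's); it assumes the change-password flow has both the current and the new password in hand, and the passwords it tests are constructed samples.

```python
from __future__ import annotations

import re

# Trailing date-style tokens people append to a fixed base phrase:
# "Mar2021", "March21", "0321", "2021", "-03/21", optionally followed by "!" or similar.
DATE_SUFFIX = re.compile(
    r"(?:[-_./ ]?(?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)[a-z]*)?"
    r"[-_./ ]?\d{2,6}[!@#$%^&*.]*$",
    re.IGNORECASE,
)


def base_phrase(password: str) -> str:
    """Remove a trailing month/year-style suffix and trailing punctuation, then
    lower-case, so 'Winter!Mar2021' and 'Winter!Apr2021' both become 'winter'."""
    return DATE_SUFFIX.sub("", password).rstrip("!@#$%^&*.").lower()


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_predictable_rotation(old: str, new: str, min_distance: int = 4) -> tuple[bool, str]:
    """Return (predictable, reason). Meant to run inside the change-password flow,
    where the user has just typed both passwords, so neither is stored in clear."""
    if old == new:
        return True, "new password is identical to the old one"
    old_base = base_phrase(old)
    if old_base and old_base == base_phrase(new):
        return True, "same base phrase with a different date suffix"
    if levenshtein(old.lower(), new.lower()) < min_distance:
        return True, f"differs from the old password by fewer than {min_distance} edits"
    return False, "ok"


if __name__ == "__main__":
    # Constructed examples of what a user might type at password-change time.
    for old, new in [("Winter!Mar2021", "Winter!Apr2021"),
                     ("Summer2020", "quartz-lantern-river-92")]:
        flagged, why = is_predictable_rotation(old, new)
        print(f"{old!r} -> {new!r}: {'REJECT' if flagged else 'accept'} ({why})")
```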

Multi-factor authentication (MFA): Require users to submit more proofs of identity

The most popular solution to the problem of passwords is tacking on more steps during the login process. One may be asked to submit a one-time passcode from an authenticator app, or they may be asked to have their fingerprint scanned. Considering how password-based systems are currently the most prevalent identity authentication tools today, building on top of these systems is intuitively the next logical step because developing and implementing entirely new systems requires much more effort.

Passwordless authentication

As previously mentioned, it’s easier to add extra steps to existing processes, but MFA runs counter to the frictionless login experience that users want. This is why passwordless authentication methods, such as hardware security tokens and advanced biometrics, have been introduced.

People feel they’re not a part of the company’s cybersecurity efforts

According to a 2014 study, staff members often see themselves as outside of an organization’s cybersecurity efforts and are therefore lazy about cybersecurity or tend to do things without the company’s information security in mind. Reversing this mindset requires overhauling corporate culture, which is no easy feat. Another study suggests that companies need to take these five steps to improve their infosec culture:

  • Pre-evaluation: Analyze existing infosec policies and determine how aware employees are of such policies and infosec as a whole.
  • Strategic planning: Set clear metrics and targets when creating an infosec awareness program.
  • Operative planning: Involve managers so that security awareness and training programs become a regular part of their responsibilities. They must strategize with IT experts so that infosec becomes integral to the company’s culture.
  • Implementation: The steps laid out during the prior stages are executed. Actual performance metrics are recorded during this stage.
  • Post-implementation evaluation: Actual metrics are compared against expected results or targets to see if the organization is on track and where they must improve their efforts. Henceforth, the process of evaluation, planning, and implementation becomes cyclical.

What we’ve shown you so far is just the tip of the cybersecurity iceberg, which is why countless organizations in Salt Lake City and beyond rely on NetWize for their infosec needs. Let our IT specialists take care of your company, too. Request a FREE consultation today or call us at 801-747-3200.

3 Cybersecurity trends you can’t ignore in 2021

Now that we’re in the second quarter of 2021, it’s safe to assume that current cybersecurity trends will persist throughout the entire year. In this post, we’ll show you how these lead to grave outlooks for the rest of the year.

1. Ransomware still reigns as the top cyberthreat

For a couple of years now, businesses and institutions have been losing billions of dollars to ransomware. Just last August, the University of Utah paid a ransom of nearly half a million dollars. The payment was not for regaining locked-up data — backups took care of that — but rather to keep the school’s attackers from releasing student information online.

FYI: Here are the reasons why the University of Utah’s ransom payment was not a good idea:

  • When data has been encrypted by ransomware, the data is presumed to have been copied. Cybersecurity experts explain that ransomware gangs may use the data for spear phishing purposes or sell it on the dark web or other illegal marketplaces.
  • Cybercriminals are bad faith actors. It is foolish to trust that they’ll delete the data they stole just because they were paid the ransom. It is possible that cybercriminals may continue extorting victims who are willing to pay them.
  • Ransomware payments fund future ransomware campaigns. Running a cybercrime ring is just like running a business — investments in machines must be made and costs for human labor and utilities must be paid. Giving ransomware gangs money allows them to victimize more people.

Beyond the loss of funds, ransomware may cause loss of life as well. Personal health information is valuable to cybercriminals such as identity thieves, so ransomware gangs have been launching more and more campaigns targeting healthcare providers. In fact, one ransomware campaign on September 20, 2020 indirectly resulted in the death of a patient in Germany.

Because it was dealing with a ransomware attack that day, the Duesseldorf University Hospital had to turn away a female patient who was in urgent need of medical care. Tragically, the patient did not survive being rerouted to another hospital 30 kilometers away.

After the German police reached out to the ransomware gang, the latter withdrew their ransom demand and gave the hospital the decryption key they needed to unlock their data. While the cybercriminals in this incident showed conscientiousness, other cybercrime rings may be far more cruel and have no qualms putting people’s lives on the line.

2. Infrastructure will be targeted by hackers

The recent attack on a water treatment facility in Oldsmar, Florida has alarmed the federal government because of how easily it was pulled off. A hacker infiltrated the plant’s control system by using TeamViewer, a tool the plant’s engineers use to remotely monitor and adjust the facility’s machines. The hacker increased the water’s level of lye — an ingredient in drain cleaners — to lethal concentrations, but fortunately, a plant operator noticed the altered settings and manually reverted them to normal. According to state officials, if no one had caught the anomaly, hundreds of town residents would have fallen ill or died.

The attack on the water treatment facility was one of the main reasons why the US government has begun beefing up the cybersecurity of another infrastructure component: power grids. The Department of Energy will work with operators and owners so that power utility control systems are rarely connected or completely disconnected from the public internet and that no remotely issued commands will be executed. With the electric grid as its starting point, the government plans to upgrade the cybersecurity of other infrastructure sectors as well.

The US government has begun beefing up the cybersecurity of critical infrastructure by starting with power grids.

3. Some multifactor authentication (MFA) methods are being bypassed by hackers

Not all MFA methods are created equal — and cybercriminals are taking advantage of the weaker ones. SMS and automated voice call MFA are particularly vulnerable because the one-time passcodes (OTPs) they deliver aren’t encrypted. These OTPs can easily be stolen by cybercriminals via automated man-in-the-middle attacks. Additionally, in a SIM swap attack, phone network staff may be fooled into transferring a user’s phone number onto a hacker’s SIM card. Once a SIM swap is completed, OTPs meant for the authentic user are delivered to the cybercriminal instead.

If MFA methods can be bypassed, this does not bode well for businesses that have come to rely on them. Institutions such as banks will have to write off unreliable MFA tech as sunk costs, and they’ll have to revamp their IT infrastructure and processes to accommodate better MFA methods.

This is why Microsoft recommends that users use hardware security keys or OTPs generated by authenticator apps instead of SMS and automated voice call MFA.

FYI: Another cybersecurity measure that Microsoft is pushing is going passwordless. Talk to our Azure specialists to learn more about Active Directory’s frictionless access methods!

NetWize is the IT partner you need to keep up with the latest and gravest of cybersecurity threats. To learn more about what we can do for you, drop us a line today or call us at 801-747-3200.

The five best practices in developing an effective employee security awareness program

Protecting your business from cyberthreats takes more than implementing the latest cybersecurity technology; it also entails educating your staff about their roles in keeping your organization safe from scams, data breaches, malware, and other risks. In fact, IBM and the Ponemon Institute cite human error as the cause of 23% of data breaches in 2020 — that’s almost one in four incidents. And with easily exploitable remote work setups expected to remain in the foreseeable future, it’s even more critical to pay attention to the human component of cybersecurity.

What is a security awareness program?

It is a formal, continuous process of improving cybersecurity posture by increasing employee awareness about cyberthreats, thus helping them avoid situations that might put the organization’s data at risk. A security awareness program aims to equip staff with better cybersecurity habits, as well as the know-how of dealing with various threats. It also aims to cultivate a security culture in a company.

How can you develop an effective security awareness program?

The effectiveness of a security awareness program depends on many factors. We’ve listed some of the best practices that will help your program become a success:

1. Understand your starting point

The best security awareness programs are those that were designed according to a company’s specific needs. To ensure that your training program will address the security gaps in your processes, you must first determine the weaknesses of your existing security awareness program. 

Resources like the SANS Security Awareness Maturity Model can help you determine the maturity (or immaturity) level of your program and what you can do to improve it. A business IT specialist like NetWize can also provide tailored IT services and solutions that will cater to your tech needs as you implement your security awareness program.

2. Start from the top down

Make sure that your security awareness strategy is approved by the top-level management: buy-in from the people who have a lot of influence and power can result in a smooth-sailing, adequately funded program. The participation of executives also sends out a strong message that data protection is everyone’s responsibility and that no one is exempt from undergoing cybersecurity training. 

3. Set clear goals but allow flexibility

It’s critical to have timelines for achieving cybersecurity milestones, but it’s also important to have some level of flexibility that will allow you to adjust your targets should initial approaches fail to produce desired results. 

The key is to break down your big goals into small, attainable goals that can easily be tweaked. Regularly evaluate them so you can see how employee performance is faring against the standards, and fine-tune future goals and processes based on new information. For instance, if your staff took longer than expected to master your company’s password management app, then you can either modify the timeline to account for this delay or try a different, possibly more effective training approach.

4. Gamify the training

At the heart of gamification is a reward system that positively reinforces learning and drives active engagement. By giving your employees a chance at gaining recognition, physical prizes, or badges or points that can be exchanged for gifts, you can motivate them to take the training more seriously.

Gamification can be as simple as giving equivalent reward points for practicing good cybersecurity habits, such as enabling multifactor authentication or not using the same password for any two accounts. You can even publish an internal tally board showing the names of the employees with the most points, further fostering friendly competition.

5. Measure your efforts

To tell if your security awareness program is working, you must measure your progress against different metrics like deployment and impact. Measuring deployment success includes calculating what percentage of the workforce has taken the training, which materials they have used, and other metrics that auditors use to assess compliance. Meanwhile, measuring impact entails evaluating behavior change, such as determining how many employees who did not know what phishing scams were at the start of the program can now spot one. These measurable metrics will enable you to assess whether your investments are paying off.

Every modern business is exposed to thousands of cybersecurity risks. Protect your organization by implementing a comprehensive cybersecurity strategy that encompasses people, processes, and technology. NetWize can help you get there. We offer complete technology solutions that will enable you to prevent attacks and reduce risks over time. Drop us a line today.

The five biggest threats to business security in 2021

In the first quarter of 2020, a worldwide pandemic forced businesses to implement remote working arrangements, consequently increasing reliance on cloud technologies. A year later, telecommuting has become part of the new normal, and it has become impossible to imagine a future where remote work isn’t an option.

Cybercriminals are expected to exploit the vulnerabilities inherent in this setup, including infrastructure weaknesses, process loopholes, and human error. Protect your business from these five threats that can jeopardize your organization:

1. Cloud breaches

The widespread switch to cloud-based solutions has resulted in a lot of benefits for businesses, but it has also brought in cybersecurity risks. Some organizations implemented cloud technologies without setting up proper cybersecurity defenses, while some simply didn’t have the IT expertise to migrate their workloads to the cloud, resulting in misconfigurations and other issues. To ensure security, partner up with cloud experts who can help you make a secure, seamless transition to the cloud.

2. Pandemic-related phishing

Phishing is a fraudulent scheme that aims to obtain personal data or inject malware into a device. For phishing scams to succeed, they must get their target to click on a malicious link — and one of the best ways to do that is by baiting them with a COVID-19-themed email. Alarmingly, there has been a spike of such phishing emails in the past year, and cybercriminals will continue to capitalize on the pandemic well into 2021.

One way to combat phishing scams is to educate your workforce on the most common tactics phishers use. A continuous cybersecurity awareness training program will equip your staff with the knowledge and skills to identify and get rid of phishing scams. It will also inculcate the best cybersecurity practices, empowering your workforce to better protect your systems.

3. Business process compromise (BPC)

If phishing scams rely on human error to succeed, business process compromise attacks count on weaknesses in systems and processes. Once hackers find a loophole in your systems or processes, they can discreetly exploit it and find a way to profit from it.

Conducting a successful BPC attack isn’t a small feat: a cybercriminal must have a deep understanding of their target’s internal systems and operations, as well as their defenses. Knowledge of these allows them to hijack processes such as procurement, payment, delivery, or account management. In the BPC attack against the Bangladesh Central Bank’s computer network, for instance, hackers were able to conduct unauthorized transactions by tracing transfers and seizing the bank’s credentials.

BPCs are silent attacks, and they are not easily noticeable until it’s too late. However, implementing advanced security measures, 24/7 monitoring, and penetration testing can help you detect BPCs early or even thwart them completely.

4. Internet of Things (IoT) attacks

IoT is a network of interrelated smart “things” such as devices and appliances that can communicate and exchange information with each other via the internet. With 5G becoming available in more areas and promising faster internet speeds, customer experience expert Forrester predicts that healthcare, location services, and smart offices will see dramatic IoT adoption in 2021.

All your IoT devices collect data in order to be smart, and this makes them prime cybercrime targets. And since a lot of IoT devices are still novel, their technology isn’t perfect yet and can easily be hacked. If you’re using or if you have plans to use IoT technology, it’s critical that you invest in IoT security solutions. Setting strong, unique passwords, installing the latest device updates, and restricting permissions also help in protecting your data.

5. Remote work end-point security

With the unprecedented rise in the adoption of telecommuting in 2021, the majority of employees working off-site connect to networks that have no perimeter security, leaving them one layer more vulnerable to cyberattacks.

Inevitably, cybercriminals took this opportunity to exploit remote working environments, particularly launching attacks on cloud-based services, unpatched computers, and improperly secured virtual private networks (VPNs). In 2021, it’s imperative that remote teams use end-point protection and management tools that will enable remote IT support to automate software updates and patch management, monitor networks, and manage backups — all while optimizing technology to improve productivity.

Running a business entails protecting your data from various malevolent actors that lurk on the web. Thankfully, you don’t have to ward these off by yourself. Fortify your business’s cyberdefense strategy by partnering with NetWize and signing up for our data protection services. Apart from proactively monitoring your networks, we will continually test your systems for vulnerabilities and implement necessary cybersecurity measures to ensure that your business doesn’t suffer a data breach. Schedule a FREE consultation with our experts or call us at 801-747-3200.

© 2020 NetWize, Inc | Privacy Policy