VersaTrust has been serving the Texas area since 1997 , providing IT Support such as technical helpdesk support, computer support and consulting to small and medium-sized businesses.
Data Privacy Day commemorates the anniversary of the signing of the first international treaty focused on data protection. Here’s how you can get involved.
January 28th, Data Privacy Day 2020, is here. First introduced in January of 2008, Data Privacy Day commemorates the anniversary of the signing of Convention 108, one of the first international treaties focused on data protection. Here’s what you can do to get involved.
Ways to participate at home
Visit with your family about online privacy and safety. Discuss what information is private information and consider together the risks associated with sharing confidential information online. Take a look at the online accounts of any children in the home to identify breaches, risky behavior, and connections with strangers. Remedy any problems identified and use the opportunity to share information and teach.
Now is also a good time to go through old papers, files, and devices, and schedule safe destruction to protect your information before it lands in the wrong hands. Remember, never throw away bills, bank statements, check blanks, or devices without destroying them first.
How you can participate at work
There are a number of ways you can use this opportunity to promote data security at work:
- designate this as archive week, encouraging all staff to identify electronics that are no longer in use so they can be destroyed appropriately
- use games and activities to refresh staff knowledge of the risks of security breaches and internet best practices
- take a moment to ensure all corporate computers have the safest web browser, operating system, and security software installed and working as expected
- review your policies and procedures to ensure they’re still compliant with best practice; we learn and evolve every day so a periodic review is critical to achieving the best results
- share current news surrounding data breaches and lead a discussion exploring what went wrong and how similar crises can be avoided in your organization and industry
Involving your community
Data Privacy Day provides a great opportunity for community outreach and involvement. Include clients, stakeholders, and community members in your commitment to privacy. Host an open house, where you share materials encouraging safe internet practices at home and sharing what your organization is doing to protect client information. Send out client emails celebrating the occasion and summarizing all of the steps that go into maintaining their protected information (and the results of your hard work). You might even consider launching a survey to learn more about stakeholder satisfaction with your commitment to privacy and data protection program.
Overt military hostilities between Iran and the United States appear to have subsided after the Trump Administration’s killing of Gen. Qasem Soleimani brought tensions to a near boil. While the probability of a hot war has thankfully subsided, the likelihood of increased cyberthreats from Iran has never been higher or carried the potential for such considerable economic damage.
In a recent survey of leading cybersecurity experts (both government and the private sector), 85 percent of respondents expect serious cyberattacks to come from Iran in the next few months.
When we hear these warnings, we naturally assume that the attacks will target federal infrastructure like dams, water plants and the energy grid. However, experts warn that the targets are broader, Iran’s capabilities are greater and the potential damage could ripple across all sectors of the economy. Local governments, small and medium businesses and government contractors are all being warned to stay on high alert.
Iran’s Cyber Capabilities
Back in 2009 a classified U.S. intelligence assessment concluded that Iran had the motivation but not the skills or resources to conduct crippling cybersecurity attacks. Today, the expert assessment has changed. While Iran’s cyber capabilities might not match those of Russia and China, Iran is both capable and willing to inflict harm.
Iran’s increased capabilities are the result of considerable investment and practice in cyberwarfare, including shutting down U.S. banks in 2013, infiltrating a New York dam in 2013 and destroying data on thousands of computers at the Sands Casino in 2014.
As VersaTrust founder and cybersecurity expert Danny Owens explains, “Iran meets the definition of an advanced persistent threat, APT, because of its willingness and capability to inflict serious harm.” Moreover, businesses need to be especially wary and protect themselves because they are often at the bottom of the totem pole in terms of U.S. government cybersecurity assets coming to their support.
The Threat to the Private Sector
There are several ways Iranian cyberattacks pose a substantial threat to American businesses.
This scenario is hardly something to take lightly. With so many businesses providing essential admin and technical services to federal, state and local governments, the possibility that a hacker harms a private business’s IT infrastructure in an attempt to damage government assets is all too real.
2. Collateral Damage
Government servers store reams of data about contractors, local businesses and private citizens. This means that when a government network is infiltrated, the data belonging to businesses and individuals is also likely to quickly find its way to the Dark Web where it may be exploited unless those businesses perform routine Dark Web monitoring.
3. Asymmetric Cyberwarfare
As cybersecurity experts describe it, Iran is always looking for innovative ways to inflict harm on U.S. interests and the economy, while avoiding overt destruction and casualties that would trigger a military response. Because hackers look for the most vulnerable targets, this makes small businesses and local government likely victims of cyberattack.
4. Iranian Proxies
Iran is notorious for using proxy organizations and militias to extend its influence in countries like Iran, Syria, Lebanon and elsewhere. When it comes to cyber-terrorism, Iran also engages splinter cells and non-state actors that often prefer to target businesses because:
- Many business don’t employ rigorous top shelf security suites, and
- Attacks on private businesses are less likely to trigger direct retaliation from the U.S. government.
Ways to Protect from an Iranian Cyberattack
With the heightened threat of cyberattacks from Iran adding to the usual array of cyberthreats coming out of Eastern Europe, China, and here at home, the urgency of securing your network and IT infrastructure has never been greater. Here are a few important and immediate steps you can take:
- Change your passwords to include capital letters, numbers and symbols.
- Enable two-factor authentication for accessing email and other business accounts.
- Upgrade your operating system and other applications with the latest patches.
- Review these tips from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) about reporting and response to a hacking incident.
- Most importantly, update your cybersecurity plan and procedures
We also highly recommend that you engage an expert managed security services provider (MSSP) to set up a top shelf security suite, monitor the Dark Web, and respond to security threats 24/7/365. Here at VersaTrust we constantly monitor our clients’ security and prevent threats.
If you have concerns about your business’s preparedness against emerging cyberthreats, don’t hesitate to call us (817 595-0111) or email us today for a consultation.
Cybersecurity education is essential in order to keep businesses one step ahead of this evolving space. Learn about types of attacks and preventative actions.
Cyber solutions are the future of business, with innovation such as the Internet of Things (IoT) gaining increasing popularity. Accordingly, focus on the protection and recovery of networks, devices and programs from cyberattacks is no longer a luxury, but a very basic necessity to remain competitive in today’s landscape. Here is a basic overview of cybersecurity:
Things to know
- Data breaches are intended to access proprietary information, usually for financial gain. These activities can result in damaged corporate reputations, significant downtime and even the cessation of business viability
- Hackers are becoming much more sophisticated, and traditional anti-virus software programs may not be sufficient to prevent attacks
- As more devices and gadgets are connected to networks via IoT, they provide backdoors for hackers to access proprietary data
- Despite the rising prevalence and notoriety of data breaches, they can be prevented. Cybersecurity often relies less on high-end technology than on common sense and solid security practices /protocols, such as:
- Restricting employee access to sensitive data
- Employing strong password controls
- Educating employees on e-mail security
- Encrypting data
- Appropriately secure mobile devices – smartphones, tablets
- Investing in IT professionals with current cybersecurity knowledge and skills
Types of Attacks
- Malware is any type of malicious software utilized to gain unauthorized access to a computer
- Ransomware is a form of malware that locks owners out of their devices/data until a ransom is paid
- Spyware is a form of malware that spies on users in order to acquire sensitive information
- Fileless malware attaches to existing programs running on the computer, thereby embedding inside the computer’s memory
- Viruses are malicious programs usually sent as attachments, and which infect devices once downloaded
- Watering holes are when a known website is hacked either directly or via a third-party service hosted on the site. In this way, anyone who visits the site is infected
- Phishing is the act of sending e-mails that trick people into revealing sensitive information
- Spearphishing is related to phishing but is more focused to prey on specific targets by including relevant details about the individual (usually obtained via research), thus luring them to click on the link
- Pharming is the act of directing users to illegitimate websites under the guise of a legitimate link
- Hacking is the act of accessing a network or device without appropriate authorization to do so
Types of Cyber Security
- Network Security: These are defenses implemented to prevent hackers from gaining access to organizational networks and systems. Examples would be password controls and two-factor authentication
- Application Security: This is when software and/or hardware is employed to protect against threats from malicious programs. An example would be antivirus programs
- Information Security: This is the protection of data via restricted access or encryption
- Cloud Security: These are tools utilized to monitor and protect corporate data stored in the cloud
Small Town Reeling After BEC Scammers Get Employee to Wire $1M
Would you fall for this scam that cost a small town $1M? Find out what a BEC scam is, how it works, and what you can do to keep your company from falling victim.
What would you do if you found out your employee just cost you a million dollars? We’ll just guess they probably wouldn’t stay working for you much longer.
The little town of Erie, Colorado, was recently faced with this scenario. Hackers used a Business Email Compromise (BEC) scam to deplete the town’s savings.
Don’t know what a BEC scam is? You should. Here’s what you need to know
What Is a BEC Scam & How Does It Work?
BEC scams are targeted and sinister. In this scam, a hacker gains access to the business email someone in C-suite, or of similar power.
Once inside, they monitor the account to determine who among your staff they should target from that account for financial gain. Once they’ve identified the person who holds the purse strings, they send that person an email from your account with instructions to wire money somewhere.
If the person who receives the email is suspicious, hackers don’t want their cover blown. So they may also mess with your email rules so that any emails received with words like “scam”, “is this a joke” or “please verify” in them automatically get deleted.
They may target several people to see who takes the bait. And the scammers use the principle of social engineering to convince people to comply.
In the case of the Erie BEC scam, the criminals were able to find a real account payable and request that the employee change where the payment was sent.
This gave legitimacy to the request that reduced suspicion.
How Do Hackers Get Access to Your Email?
The most common way to hack your email is through a phishing email scam. The fraudster may send an email to you that looks like it’s from your email service provider. They then trick you into giving up your password by having you log into a spoofed website or download malicious key-tracking software.
If your business email is through Microsoft, Google or another company with many product lines that use a single password, they can get it in a roundabout way, further lowering your guard.
If you don’t have a strong password, they may also be able to guess it by following the bread crumb trail all of us leave online.
How Do You Protect Against BEC Scams?
BEC scams are convincing. You’re dealing with professional con artists, not hacker hobbyists. Because of that, you need a multi-faceted plan, which will include email scam security solutions like:
- Employee education
- Having a clear verification process including additional safeguards when changing where payment is sent or when other red flags go up
- Email server monitoring for suspicious activity
- Strong password policy with two-step verification along with enforcement
- Spam filters, which reduce the risk of you or someone else in C-suite seeing the spoof email in the first place.
- Up-to-date malware protection
And above all, stay informed about scams and schemes like these. Criminals constantly adapt their strategies. Don’t fall for it. Follow our blog to stay up-to-date.
Learn about juice jacking and how to prevent you or employees from becoming a victim.
Here’s a new cyber threat to worry about: Juice Jacking. Read on to learn what about juice jacking and how to prevent yourself or employees from becoming a victim.
What Is Juice Jacking?
One common feature of modern smartphones is that the power supply and data stream pass through the same cable. When you plug your phone in to charge, hackers could theoretically access your phone through the same cable and inject malicious code or steal your personal information.
Your USB connector has five pins. However, it only uses one of those five pins to pass-through power for charging. Two additional pins are used for transferring data. So, when you charge, you could also be opening a port for passing data between devices.
We have only seen unconfirmed reports of juice jacking happening in the real world, but engineers have demonstrated how it is possible. In theory, threat actors might hide a device in a public charging station at airports or hotels. It’s a big enough concern that the District Attorney’s office in Los Angeles recently put out a warning to travels to avoid using public USB charging stations.
The FBI put out a warning about a device that’s small enough to fit inside a USB charger that can steal keystrokes from wireless keyboards. Another device hidden inside a USB charging station accesses your video display. It then records a video of everything you do, which might include passwords, accounts numbers, or PINs.
How To Prevent Juice Jacking From Happening to You or Your Employees
We’ve been warning people about the potential danger of using public Wi-Fi stations for years. Hackers can set up Wi-Fi hotspots in coffee shops and other public places then intercept data as it’s sent back and forth to your device. Now you can add public charging stations to the list of potential problems.
This doesn’t mean you shouldn’t use them. You just need to take basic security precautions to stay safe.
- Avoid using public USB charging stations or plugging into computers that you aren’t familiar with.
- Instead, use an AC power outlet and your own charging device. No data transfer is going to take place when you’re using an AC outlet and your charger.
- Consider external batteries, power banks, or wireless charges if you need a charge on the go.
You should also avoid the temptation to plug into a USB charger you find left plugged in somewhere. It may be waiting for you to plug in and infect your device.
For iOS users, you can also use USB Restricted Mode which allows charging but prevents data transfers under certain circumstances. You’ll find it by going to Settings > Face ID & Passcodes (or Touch ID & Passcode) > USB Accessories. For Android users, USB data transfer should be disabled by default. If you want to check to make sure that’s the case, plug in your phone in a safe place, click on the notification and check USB Configuration options.