
How to Resolve Your Biggest Cyber Security Concerns

Businesses face all types of issues. However, advances in technology have made a handful of concerns more pertinent than others. In a poll conducted by Nerds Support, we discovered the top concerns businesses had related to data loss, compliance and security. As a result, we’ve addressed just a few ways your business can resolve these problems from most important to least.

1) Data Loss Prevention

Data is the most important currency any successful business has today. Furthermore, if you’re in a heavily regulated industry like financial services, data security is everything. That means data, and how companies manage it, often comes to define them. Losing data can completely disrupt, and in many cases, destroy a company. Here are a few ways you can prevent data loss in your business.

Back Up Data

Backing up your data is simple, not easy. Businesses often neglect to back up information when they’re busy or prioritize other tasks instead. Creating an effective backup strategy is the best way to commit to scheduled backups. You probably have data with varying levels of importance: data that is critical to your business and data that is less so. Therefore, you should designate what data to back up daily, weekly, monthly, etc., in your plan.

Encrypt Your Data

Many organizations collect personal data from their clients. This data can come in the form of names, Social Security numbers, financial information and more. If this data is stolen or leaked, the organization responsible for keeping the data safe would be in jeopardy. Potential lawsuits, investigations and the backlash from a data breach could destroy a business’s chances of recovery as a result.

Invest in a service that encrypts backups automatically to secure your data against anyone looking to steal, abuse, or access it. Cloud backup services do just that.

The More (Backups) The Merrier

If you have important data, back it up as often as possible. Back up all data imperative to your business in multiple formats to ensure its safety. Three backups are the standard for particularly important data. Moreover, keeping backups on both a cloud server and a hard drive prevents data loss if your physical office is damaged or if there’s an outage.

Be Smart About Where You Work

Bring-your-own-device culture is more popular than ever. With cloud computing, employees can use their own laptops and mobile devices to work outside the office when they’re sick or on the road. Although this is good for productivity, these devices can also leave your data vulnerable if misused or misplaced.

Make sure to avoid public Wi-Fi networks as they can be exploited by a hacker to gain access to your device. If you’re going to use a mobile device or personal computer, purchase a VPN to encrypt your information. Personal hotspots are also a good option since they’re private and cannot be accessed as easily.

Work With Professionals You Can Trust

If you do lose your data for whatever reason, trying to recover it yourself might worsen the damage. That is why it’s important to confide in experts that can keep your data safe and facilitate recovery when data loss occurs.

2) Maintaining Compliance

Regulatory changes, managing costs and meeting deadlines make maintaining compliance a struggle for businesses. The cloud, however, could resolve those issues and simplify compliance work dramatically.

Compliance Work Made Easy

Companies are often reluctant to leave paper filing and in-house storage behind. Trusting a third-party cloud provider to store important data seems daunting and unreliable, but that couldn’t be further from the truth. In reality, the cloud allows for quick and accurate data analysis that can cut down costs associated with compliance.

The cloud makes auditing easier. With its automated data backups and file sharing capabilities, auditors and employees can keep track of and review electronic files effectively. That also means the business becomes more transparent on the cloud.

Tracking Proper Documents

Compiling all the necessary documentation is half the battle. Internal Auditor Magazine recommends using applications that multiple users can review and edit. You also need a reliable IT department to monitor where the records are stored. As alluded to above, downtime and outages can be a real nightmare if your data isn’t properly backed up or stored in multiple formats.

If your IT department is overloaded with work or is too small to properly manage record storage, then a co-managed IT department might be your best option. A co-managed contract with a managed service provider allows you to bulk up your IT department and delegate tasks that your own department can’t do on its own. Co-managed solutions are great for growing financial firms, for example.

For smaller companies, outsourcing tech responsibilities means securing all necessary data without having to hire more individual techs.

3) Social Engineering & Ransomware

Social engineering is an issue impacting every industry. That’s because social engineers attack individual users with deceptive emails. Individual users are usually employees. If a cybercriminal can get one employee from your company to click on a link, they can access their machine. If they can access their machine, they can access the company’s systems.

Once in, a cyber-attacker encrypts data with malware and holds it ransom until the company pays a large fee.

Training

When employees recognize a potential phishing email in their inbox, it’s harder to trick them. Whenever you receive a dubious email containing a link or an attachment, send it over to your IT department to analyze. Even if it seems harmless, send it over.

Social engineers tailor scams to specific individuals and they’ll use personal information to get a click. It could be a message from your bank asking you for payment card information. It might be a store the user shops in offering online deals.

Investing in anti-phishing software helps protect employees from email scams.

Monitor Your Systems at All Times

MSPs are a good option for companies looking to increase security as well. They monitor activity 24/7 and are available to answer questions and concerns a user might have about potential threats. Nerds Support, for example, trains and informs users on social engineering red flags, working with the user to review emails and files they’re unsure about.

A culture of healthy skepticism will improve an employee’s chances of avoiding a ransomware attack. However, employee awareness is not enough. Having updated cyber security software and dedicated cyber experts to assist in dealing with threats should be part of any business’s cyber security plan.

I’ve briefly touched upon the biggest concerns businesses have, but if you want more in-depth articles on these topics, visit our blog.

If you’d like to talk to real cyber experts about your biggest business concerns, contact us and we’ll be happy to answer any questions about cloud computing, cybersecurity and MSPs.

What Should Concern Businesses About the New Orleans Cyberattack

The city of New Orleans experienced a cyberattack so severe Mayor Latoya Cantrell declared a state of emergency.

The attack occurred on Friday, Dec. 13 and caused the city to shut down government computers. Officials announced the shutdown via social media posts.

City Shuts Down Government Computers

The attack started at 5 in the morning, according to the city of New Orleans. At around 11 a.m., employees noticed what they considered suspicious activity. As a result, the city’s IT department ordered employees to disconnect from Wi-Fi and close down their computers.

Fortunately, an investigation into the attack is currently underway as Federal and State agencies gather more information. As of now, nothing is known about the malware used during the attack and the Mayor said no ransom demands had been made yet.

Louisiana’s Third Cyberattack

This ransomware attack is the third to affect Louisiana in five months. In November, another attack prompted Louisiana’s Office of Technological Services to shut down multiple state agencies. And in July, cyber criminals attacked several Louisiana school districts, shutting down their networks for ransom.

As a result of the school attacks, Governor John Bel Edwards declared a state of emergency that allowed state agencies to help local governments recover from the attack.

What’s the Damage?

Unfortunately, it’s always difficult to tell the extent of the damage. It could take months and, in some cases, years to truly understand what information was stolen. Furthermore, hackers could have stolen government employee information, financial information and more from New Orleans.

Moreover, they will have to contact financial institutions and implement new procedures to address cyberattacks like this as well as increase security on their networks.

This begs the question, if State governments have to shut down entire systems and declare a state of emergency to deal with a cyberattack, what will it cost a small business?

Since the attack in November, The National Governors Association (NGA) has urged states to develop a formal continuity plan for responding to cyber threats. Additionally, cyber forensic experts will need to be brought in to investigate the breach.


Cyber Response Plan

The NGA released a State Cyber Response plan in July that governments are developing, and 15 states have made their plans public.

Without a doubt, the impact of a ransomware attack is nothing to scoff at and governments are learning the hard way. Ultimately, having a continuity plan in place ensures recovery from a breach runs as smoothly as possible.

Cybercriminals Declare Hunting Season

The FBI issued a warning in October declaring an increase of cyberattacks on “big game” targets. These are targets with money and sensitive information, willing to pay ransoms to restore their systems.

That doesn’t just mean local and state governments, municipalities and agencies. For instance, hackers often target businesses, hospitals, accounting firms and financial advisers for their data.

Additionally, businesses have to adapt and invest in security if they expect to succeed. The first of several security lessons: no one is too big or too small to get hacked. Sensitive data is always in high demand. More importantly, dark web marketplaces, like Joker’s Stash, are always willing to sell it.

The Future of Cybercrime

Researchers warn that ransomware attacks will intensify in 2020. What’s worse, attacks are getting more sophisticated.

On the other hand, with the year coming to a close and a new one beginning, now is the perfect time to audit your IT infrastructure and verify its competency against these types of threats. Fortunately, 2020 will also see the rise of things like cyber insurance, AI and cloud-based security solutions.

Transitioning to a cloud-based solution, like a hybrid cloud, might help industries across the board avoid scenarios like the ones in Louisiana.

You can read our article on how businesses can protect themselves from a cyberattack.

If you want to know more on cybersecurity news, the cloud, managed IT services and more, contact us or visit our blog.

Top Security Tips for Safe Emailing

Not a day goes by without another phishing scam hitting the news. For many of us, these are just headlines. For the organizations and individuals affected however, a phishing attack can be disastrous. Phishing emails are increasing in frequency, sophistication and severity. How can you best stay protected?

Email threats

Criminals have realized that in order to steal money or information, you don’t need to rob a bank. A simple email will do the job just fine. Phishing emails have been used to steal huge amounts of money ($12 billion according to the FBI) and are responsible for countless data breaches, credential theft, ransomware attacks and other types of malware deployment.

What’s more, thanks to criminal activity on the Dark Web, it’s not only credit card details that are for sale – now full phishing kits are available, starting at around $25.

Most email threats fall into the following categories:

  • Simple scams
  • Phishing emails
  • Fraudulent emails

Simple scams: these range from the classic “you’ve won a competition” to “we’ve been recording you on your web cam” or “your account’s been compromised”. Generally, these are pretty harmless and easy to spot. They rely on emotions such as fear to trick a user into taking action.

Phishing emails: these are emails that purport to be from legitimate senders, yet are cleverly disguised fakes. They range from sophisticated Business Email Compromise (“BEC”) emails – where a fraudster targets someone specific in an organization pretending to be the CEO, for example – to more general emails pretending to be from Microsoft, Netflix, or any other well known organization.

These emails either get you to click a link or download a file – deploying malware onto your system – or direct a user to a fake website where they enter sensitive information.

Fraudulent emails: a subset of phishing emails, these emails target companies pretending to be from suppliers whose banking details have changed. Money is paid into the new account, and the fraudster rides off into the sunset.

Next, we’ll look at what exactly to look out for so that you don’t fall for any of these.

What to look out for

Here are the most important things to look for when checking if an email is legit:

Sender: start by looking carefully at the sender’s address. Not just who they say they are – but the actual address that the email is coming from. Check for any additional or missing letters (“@microsofts.com”), or even non-English characters that can be used to spoof well-known addresses. A common trick is the use of subdomains – don’t be confused by amazon.xyz.com.

Content: look out for anything that’s made to look urgent. Is the message addressed to you, or is it generic, like “Dear Sir”? Mouse over the links. Do they lead to the real company’s website? Assess what action the email is asking for: anything that requires you to “confirm your account” or “update your payment details” should be met with suspicion.

Be wary of any email that mentions voicemails that are waiting for you, or subscription details that need to be updated.

Advanced – header information: most popular email clients – including Gmail and Microsoft Outlook – let you see the original header information (in Outlook: File / Properties / Internet Headers). For more advanced users, going through these headers can give immediate clues as to whether an email is legitimate.
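The sender checks described above, as an added Python example (not part of the original post): it reads the From and Reply-To headers of a raw message and flags lookalike domains, non-ASCII or punycode labels, a trusted name used only as a subdomain, and replies routed elsewhere. The `TRUSTED` list, the sample messages and the two-label `base_domain` shortcut are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: the domains your organization genuinely receives mail from.
TRUSTED = {"microsoft.com", "amazon.com", "netflix.com"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot added, missing or swapped letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    """Lower-cased domain of the address in a From or Reply-To header value."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower().rstrip(".")

def base_domain(domain):
    # Simplification: keep the last two labels. Production code should use the
    # Public Suffix List so that names such as example.co.uk are handled.
    return ".".join(domain.split(".")[-2:])

def check_sender(raw_message, trusted=TRUSTED):
    """Return a list of 'code: detail' findings; an empty list means no flags."""
    msg = message_from_string(raw_message)
    display, _ = parseaddr(str(msg.get("From", "")))
    domain = domain_of(msg.get("From"))
    if not domain:
        return ["no-address: From header has no usable address"]
    findings = []
    labels = domain.split(".")
    base = base_domain(domain)
    if not domain.isascii() or any(lab.startswith("xn--") for lab in labels):
        findings.append(f"non-ascii: {domain} has non-ASCII or punycode labels")
    if base not in trusted:
        for good in sorted(trusted):
            brand = good.split(".")[0]
            if brand in labels[:-2]:
                findings.append(f"subdomain: '{brand}' is only a subdomain of {base}")
            elif 0 < edit_distance(base, good) <= 2:
                findings.append(f"lookalike: {base} resembles {good}")
            elif brand in display.lower():
                findings.append(f"display-name: claims '{brand}', sent from {base}")
    reply = domain_of(msg.get("Reply-To"))
    if reply and base_domain(reply) != base:
        findings.append(f"reply-to: replies go to {reply}, not {base}")
    return findings

# Constructed sample messages (not real mail).
LOOKALIKE = ('From: "Microsoft Account Team" <security@microsofts.com>\n'
             "Subject: Confirm your account\n\nbody")
SUBDOMAIN = "From: Amazon <orders@amazon.xyz.com>\nSubject: Your order\n\nbody"
PUNYCODE = "From: Microsoft <no-reply@xn--mcrosoft-q9a.com>\nSubject: Alert\n\nbody"
REPLY_TO = ("From: Netflix <billing@netflix.com>\n"
            "Reply-To: billing@nf-payments.example\nSubject: Update\n\nbody")
CLEAN = "From: Netflix <info@netflix.com>\nSubject: New arrivals\n\nbody"

if __name__ == "__main__":
    for name in ("LOOKALIKE", "SUBDOMAIN", "PUNYCODE", "REPLY_TO", "CLEAN"):
        print(name, check_sender(globals()[name]))
```

An empty result only means none of these checks fired; it does not show the message is genuine.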

An important note: when it comes to emails, almost anything can be faked. When it comes to email phishing protection, a specific anti-phishing product is the best way to identify and stop phishing attacks. It’s also really important to stay aware, use a healthy dose of skepticism, and where possible confirm details with a phone call.

Staying Email Safe

By protecting your email, you’re taking a massive step in terms of keeping your entire organization protected against cyber threats.

A winning combination combines awareness, training, and tech-based solutions working together to keep you safe.

If you want to find out more about keeping your organization protected against cyber threats, don’t hesitate to get in touch.


Why Dark Web Marketplace “Joker’s Stash” Threatens Businesses Everywhere

Massive Leak in Restaurant Chain

Four popular restaurant diners in the east and Midwest had their customers’ payment card information stolen. Three of those four restaurants are owned by the same parent company, Focus Brands.

The stolen cards were sold on Joker’s Stash, a Dark Web destination that trades payment-card data. Joker’s Stash might sound like something out of a comic book, but it’s very real and very dangerous.

What is Joker’s Stash?

Joker’s Stash is the biggest and most reputable Dark Web marketplace out there and periodically features a fresh list of payment card information available. As a result, it quickly became an expensive site featuring card information from high-value targets like restaurants and even government officials.

The website has stolen card information from places like Sonic Drive-In, the supermarket chain Hy-Vee and others.

Cyber-criminals who buy this information usually use the data to clone the real cards and withdraw the money from ATMs. What’s more, in 2015, the dark web card shop added a section offering social security numbers as well. This isn’t just a problem for people in the U.S. Cybercriminals target whoever they can, wherever they can, not just restaurants.

1.3 Million Stolen Cards For Sale

In late October of 2019, 1.3 million Indian payment cards were put on Joker’s Stash for sale at $100. This is evidence that there is a demand for websites like Joker’s Stash.

Group-IB, a cybersecurity firm in Singapore, was the first to find the stolen data. After analyzing the cards on the site, the firm said over 98 percent of the cards were issued by Indian banks. Only about 1 percent of the cards were stolen from Colombian banks.

The India card dump is considered the third largest in 2019 by researchers, in regards to size. However, this isn’t typical for this type of dump. Usually, the cards are released in small quantities, over a longer period of time. Experts say that a data dump of this size suggests the criminals wanted to make a profit from as many cards as possible before banks and cardholders realized the fraud had taken place.

Although how the data was stolen remains unknown, it’s likely that it was obtained through a Point-of-Sale (POS) data breach.

Point-of-Sale Data Breaches

Point-of-Sale (POS) data breaches occur when cybercriminals install malicious software on a business’s card-processing system. The malware is designed to copy data stored on a payment card’s magnetic strip when it’s swiped at an infected payment terminal.

How Does Joker’s Stash Work?

Unfortunately, Joker’s Stash operates using Blockchain DNS, a blockchain system that lets website visitors avoid surveillance intervention and censorship from governments and ISPs. In other words, Joker’s Stash uses a decentralized system that helps the site stay active if someone attempts to take it down.

The good news is that fraud teams can use Joker’s Stash to understand what card data is made available and when. As a result, they’re able to determine the common point of purchase of affected cards. Flashpoint, a business risk intelligence specialist, published an analysis that explains how this is the most reliable method of identifying the source of a breach.

All of this to say that POS data breaches are a problem for businesses if customers are afraid their card information isn’t safe.


The fraud intelligence company, Gemini Advisory, said out of the almost 2,000 locations that belonged to the restaurants, close to 50% were breached, according to an article by Insurance Business America.

There is No Safety in Numbers

As we’ve seen, breaches can affect not only retailers and restaurant chains but financial institutions as well. It could have been a bank in the U.S., not India, breached by cybercriminals. Capital One was breached in March, exposing more than 14,000 Social Security numbers and 80,000 bank account numbers.

This information could have been dumped into the Joker’s Stash website and sold for a few hundred dollars just as easily as with the Indian banks. The Department of Justice arrested a Seattle tech worker, Paige A. Thompson, for the fraud. She claimed she didn’t do it for the money, but she could have made millions of dollars through sites like Joker’s Stash.

Cybercrimes cost banks more than $1 trillion a year. That’s mainly due to financial institutions failing to comply with regulations, like FINRA and SOX, creating compliance risks. However, as regulations change with technology, criminals adapt and develop newer ways to exploit regulations.

Breaches Will Get Worse

Banks are usually secure against external threats, but the biggest threats are internal. That is, careless employees. Financial institutions are finally getting around to training their employees, but that might not be enough. Implementing a strong cybersecurity plan is key in a world lurking with criminals ready to leverage any vulnerability a firm might have.

Dark web card sites like Joker’s Stash are growing more popular and profitable. If these breaches have shown anything, it’s that Joker’s Stash isn’t going away. The best chance businesses have is to adapt. That said, cloud security and multi-factor authentication are making it easier to do so.

To stay informed on cyber security, data breaches, compliance and cloud technology, check out the Nerds Support blog.

Tax Security Week: 5 Common Holiday Tax Scams

With December fast approaching, most people are gearing up for the holidays. Some, however, are preparing to steal personal and financial data ahead of tax filing season in 2020. That’s why the IRS announced its 4th annual National Tax Security Awareness Week.

The IRS received five to seven reports weekly from tax firms that experienced data theft in 2018’s tax season. Identity theft is a major issue for small businesses.

In the spirit of everyone’s favorite season (tax season), the IRS and Security Summit partners will remind businesses, taxpayers and professionals alike to update their online security. Because of the upcoming holidays, people are vulnerable to all kinds of social engineering scams.

Modern IT solutions for accounting firms can assess emails and flag suspicious activity. However, responsibility falls on individuals, whether executives or employees, to protect themselves against tax related scams too.

IRS tax scams are common because cyber criminals are most effective when they hide behind authority. They typically feature spam emails redirecting users to malware-infected sites. Sometimes they’ll come with a malicious attachment that carries spyware or malware.

These emails contain an image banner or watermark of the IRS to appear legitimate. Furthermore, the emails often come attached with fake W-8BEN forms to reinforce this legitimacy.

1. W-2 Scams

One of the biggest scams employers face is the W-2 scam, especially during tax season.

W-2 phishing scams involve a cybercriminal impersonating a company executive in an email. The email is sent to someone from HR or accounting, someone with access to employee W-2 forms. And of course, it comes with a subject line claiming it is urgent.

The request will look formal and polite so as not to raise suspicion. The employee then collects all employee tax information and sends it back to the fake executive.

It’s as simple as that.

2. “Locked Accounts”

Accounting services like TurboTax have also been impersonated by cybercriminals notifying clients that their accounts have been locked. The email will feature a link taking the target to a fraudulent website where they submit their personal information.

3. “Update Information”

It’s not uncommon for an accounting client to receive an email notifying them that because of the incoming tax season, they need to update their tax filing information.

4. “Refunds”

In some cases, emails entice victims with incentives like tax refunds. It isn’t difficult to see why these would be successful. A business owner finds an email claiming the IRS owes them money and they are less likely to raise questions.

5. Holiday Scams

Over 75 percent of Americans shop online for the holidays. Many of those Americans have full-time jobs working in industries containing sensitive data. The greatest cyber security risk in any industry across the board is an employee. An even greater risk is an employee eager to get their holiday shopping out of the way.

Employees and business owners start shopping online for gifts, and cybercriminals are there ready to shoplift sensitive data. Social engineers, hackers and cybercriminals take advantage of the holiday season to send fake invitations and holiday deals from places frequented by their targets.

Shopping Spear Phishing fraud

Advanced spear phishing techniques can come disguised as a great online offer from your favorite online shopping site. I’m not referring to a popular shopping site, I’m talking about the site you specifically shop in. A cybercriminal will mine your social media and online activity until they have everything they need to create a counterfeit email you’re likely to click on.

That’s why it’s important to only use work email for work related matters. Many breaches happen because employees make the simple mistake of subscribing to online sites and programs with their work email.


Protecting Client information is protecting yourself

The Gramm-Leach-Bliley Act of 1999 requires all financial services organizations to have an information security plan to ensure the safety of sensitive client data. In other words, all finance organizations have to demonstrate what security measures they have in place to protect client information.

If a financial firm fails to take the proper security measures, independent of a breach, they could face penalties. Therefore, seeking guidance from cyber experts, like Nerds Support, for security-related issues is recommended.

But in the meantime, check out our blog for more articles on phishing, cyber security and compliance.