Category: Security

29 Aug 2023

Why Your Business Needs to Beef Up Employee Security Awareness

We all have a tendency to avoid our weaknesses. When we do that, we never progress or get any better.

Jocko Willink

In today’s rapidly evolving landscape of cybersecurity, organizations are increasingly recognizing the critical importance of fortifying their defences. Despite substantial investments worldwide to repel digital threats, malicious actors persistently exploit vulnerabilities, even within the most fortified systems. Their primary focus? Employees. These individuals are regarded by cybercriminals as the weakest link in the cybersecurity chain. However, a solution exists—a beacon of hope in the form of a “beefed-up” security awareness training.

Enhancing security awareness among employees is undeniably a top priority. In this article, we will delve into the motivations behind cybercriminals’ fixation on employees and explore the profound implications of enriching their security knowledge. By acknowledging vulnerabilities and taking proactive measures, businesses can significantly reduce risks and empower their workforce to effectively counter cyber threats.

The Vulnerabilities Within – Identifying the Challenges

Does your organization grapple with these common challenges?

1. Lack of Awareness: The unfortunate reality is that many employees remain unfamiliar with cybersecurity hazards, tactics used by cybercriminals, and essential best practices. Malicious actors exploit this knowledge gap to launch deceptive campaigns, distribute malicious software, and orchestrate elaborate social manipulation tactics.

2. Privileged Access: Employees often possess access to critical systems, sensitive data, and administrative privileges coveted by cybercriminals. Breaching these accounts can provide malicious agents with access to valuable assets, leading to significant disruptions.

3. Social Manipulation: Cybercriminals excel at manipulating human emotions, trust, and curiosity. They employ these tactics to coerce employees into divulging confidential information, sharing login credentials, or unknowingly compromising security protocols.

4. BYOD Risks: The “Bring Your Own Device” (BYOD) trend introduces additional risks to businesses. Personal devices lacking robust security measures create vulnerabilities that cybercriminals are eager to exploit.

5. Remote and Hybrid Work Challenges: The shift to remote and hybrid work environments presents novel challenges. Home networks with weaker security, shared devices, and domestic distractions make employees more susceptible to digital attacks.

Constructing a Cyber-Resilient Workforce: Best Practices

To build a solid foundation for cyber resilience within your organization, consider these best practices:

1. Assess the Landscape: Gain a deep understanding of the specific cybersecurity risks your organization faces. Identify areas where employees are most vulnerable.

2. Define Objectives: Clearly define the knowledge and skills your employees need to acquire through your security awareness program.

3. Develop Engaging Content: Craft compelling content that captivates your employees’ attention and seamlessly integrates cybersecurity concepts. Use real-world scenarios to instill cybersecurity wisdom.

4. Tailor Content: Customize your content to address unique challenges within your organization. Align the material with employees’ roles and responsibilities.

5. Embrace Continuity: Establish a consistent rhythm of instruction to reinforce cybersecurity principles. Keep your workforce updated on emerging threats and countermeasures.

6. Measure Effectiveness: Regularly assess the impact of your security awareness program through behavioural outcomes, evaluations, and feedback. Use data to refine and improve your program continuously.

7. Foster a Cybersecurity Culture: Encourage proactive engagement by fostering open communication, providing spaces for incident reporting, and emphasizing shared responsibility for protecting the digital realm.

Uniting for a Secure Future

We stand united in our mission to usher in a new era of digital guardianship. Let us seize this opportunity to transform our employees into an unwavering bulwark against cyber threats. The investment in employee security awareness serves as the crucible in which our defences are honed, ensuring a future marked by unwavering resilience. As the cybersecurity landscape evolves, the empowerment of our workforce will prove instrumental in safeguarding our business from the persistent threats of the digital age.

16 Aug 2023

Avoid the Common Mistakes in Your Cybersecurity Training

Leadership and learning are indispensable to each other.

John F. Kennedy

In today’s fast-paced digital landscape, the importance of employee cybersecurity training cannot be emphasized enough. It acts as the first line of defence against cyber threats, arming your team with the knowledge and skills to identify and counter potential risks. However, to ensure the efficacy of your training program, it is crucial to sidestep common errors that can compromise your efforts.

Navigating Common Mistakes for Effective Cybersecurity Training

Let’s take a deep dive into these pitfalls and develop avoidance strategies. By proactively addressing these challenges, you can magnify the impact of your employee cybersecurity training, fostering a culture of security awareness that empowers your workforce to stand guard against cybercriminals. Together, we will empower your team with the competencies needed to safeguard your organization.

Key Blunders to Dodge

1. Treating Security Training as a One-time Occasion:

Resist the urge to treat cybersecurity training as a mere checkbox to tick. Instead, foster an environment of perpetual learning by consistently offering opportunities for employees to stay abreast of the latest threats and best security practices. Elevate security awareness to an ongoing journey rather than an isolated event.

2. Providing Stale, Unengaging, and Irrelevant Training:

Engagement is the linchpin of effective training. Steer clear of dry and outdated content that fails to captivate employees’ attention. Strive to deliver training that is timely, captivating, and relatable. Harness interactive platforms and user-friendly tools to craft an immersive learning experience that resonates with your team.

3. Prioritizing Activity Over Behavioral Outcomes:

Avoid the trap of focusing solely on tracking training completion rates or the number of simulated phishing exercises. While these metrics offer insights, they only reveal part of the story. Shift your attention to measuring behavioural outcomes, showcasing a genuine grasp of security principles and driving concrete changes in employee conduct.

4. Nurturing a Culture of Blame and Mistrust:

Approach security training as a conduit for growth and improvement rather than a finger-pointing exercise. Foster a nurturing atmosphere where employees feel at ease reporting security concerns and seeking clarification. Promote a collective sense of responsibility, emphasizing that cybersecurity is a shared responsibility.

5. Lack of Leadership Support and Engagement:

Leadership wields substantial influence in setting the tone for your security training initiative. Without visible endorsement and active involvement from executives and managers, employees might perceive security as a peripheral concern. Rally leadership to champion security endeavours and actively participate in training, showcasing their dedication to safeguarding the organization.

6. Hesitating to Seek External Aid:

Crafting and managing a comprehensive training program can be daunting, particularly when internal resources are limited. Do not hesitate to solicit assistance from external experts or specialized IT service providers versed in cybersecurity training. They possess the expertise and guidance required to implement a robust and impactful program.

A Collaborative Journey Towards Success

By proactively addressing these potential missteps, you possess the capability to instill a resilient security culture within your organization. If support is required, do not hesitate to seek it. We are here to provide the necessary aid. Our wealth of experience and expertise perfectly align with your needs, making security training a minor concern.

Additionally, we invite you to walk through our Assessing the Strength of Your Cybersecurity Culture checklist to gauge your progress along the right trajectory. Together, we can fortify your defences and shield your enterprise from the ever-evolving landscape of cyber threats. Your organization’s security is our shared commitment.

18 Dec 2019

2020 Changes

We have some exciting changes coming up at the turn of the new year!

Take control of your own password resets for Office 365, with the self-service option. If you are a Network Care client, you’ll be prompted over the next two weeks to provide an off-domain address and mobile number to verify your identity. No more calling to get a reset!

Microsoft will be mandating 2FA (two-factor authentication) soon, so we’re helping to prepare you for it now. All you need is a mobile number to help authenticate your login when you access your mail. Many of you are doing this already, but for those of you who aren’t, you’ll be prompted over the next two weeks to provide your mobile number. Once you enable 2FA, your password will never expire!

We will be enabling 2FA for all our Network Care clients who use Office 365 in the first quarter of 2020. Prior to this, we will be sending you an email with clear instructions (and pictures!) to help you. Don’t worry, our engineers are here every step of the way to assist with this.

Call your Engineer directly! We’ve enhanced our phone system so you can get to the Engineer working on your request directly, without having to speak to an Operator or wait in the Engineer’s queue. Let us know how you like it.

01 Apr 2019

Password Reset

By now you should have heard about two-factor or multi-factor authentication. Your bank probably uses it to allow access to your accounts. Microsoft offers it for account access with two-factor authentication FOR FREE!

If you enable 2FA, we set your email password to NEVER expire. Our clients LOVE THIS. Just call the Help Desk when you have 5 minutes and your mobile phone is available and unused. If you install the Microsoft Authenticator app from your mobile App store beforehand, the process is that much quicker.

If you DON’T use 2FA, eventually, you’ll need to reset your password. If it expires, you’ll need to call the Help Desk for assistance in getting it reset, which brings us to the purpose of this update.

For your protection, we are implementing stronger security to validate password reset requests. If you are using 2FA, you can ignore the rest of this article.

Social engineering is one of the most serious threats in today’s world. I am concerned that some nefarious hacker will attempt to fake-out our Engineers in order to reset your email password. Beginning in April 2019, we will begin using Helpdesk Authentication through Duo. If you have Duo already, you’re all set.

For those clients who have never used Duo we will provide free authentication for password verification. Call the Help Desk to get it setup before your password needs to be reset. For those who have, we encourage you to add your other team members.

Effective April 2019, users requiring a password reset who do not use Duo will need to call from their office phone. Otherwise we plan on calling the main office or using other verification methods before performing a password reset.

08 Jan 2018

Webroot Updates Coming!

Many of you are now protected by the Webroot anti-malware agent we installed last year. During the month of January we will be activating the features listed below on your devices. Just like at the airport, increasing security can have some unintended consequences. Some of these features could bring to the forefront latent issues that have been around for a while. If that’s the case, give us a call and we will have the matter addressed.

Scan Schedule

Your computer is scanned for malicious software during a time of reduced activity. We will be setting your machine to perform a scan at 6PM. All you need to do is ensure that your PC remains on for the evening and the scan will work fine.

Firewall

A basic security feature of a computer is the firewall.  This should never be disabled as a fix for ‘something not working right’.  However, we have noticed some PCs have had their firewalls turned off.  Going forward, Webroot will ensure the firewall is always active.

Web Threat Shield

This blocks known threats encountered on the Internet and displays a warning. The Web Shield maintains information on more than 200 million URLs and IP addresses to comprise the most accurate and comprehensive data available for classifying content and detecting malicious sites.

When you run an Internet query such as a Google search, SecureAnywhere shields modify the results display with icons that give you safety information about each website returned as a result of the search.

Identity Shield

The Webroot SecureAnywhere Identity Shield protects you from identity theft and financial loss. It ensures that your sensitive data is protected, while safe-guarding you from keyloggers, screen-grabbers, and other information-stealing techniques. If the shield detects any malicious content, it blocks the site and opens an alert.

Recycle Bin

How long a security scan by Webroot takes is a function of a few factors, one being how many files are stored on your PC. To improve this performance, we have set the recycle bin to be emptied every weekend.

If you ever receive a pop up which does not make sense to you, please do not hesitate to reach out to us so we can investigate.

08 Jan 2018

It’s All About Security

Everybody and every publication is finally pushing the need for tighter security. What’s lacking in much of what you read is the balance necessary between security and usability. If we make the network so secure that our teams can’t get any work done, it’s useless.

This year, Quo Vadis will be encouraging our clients to embrace Microsoft’s Password Guidance. Many of you may be reading in your own trade journals about the idea of passwords with no expiration. We agree! Our goal is password diversity to provide the best security. Today’s general password policies actually do the opposite of our intended goal.

A University of North Carolina study found 17% of new passwords could be guessed in five tries or less, given the old password. And almost 50% could be guessed in a few seconds of un-throttled guessing! So much for diversity.

Two-factor authentication (2FA) is crucial to the security plans of the future. By way of reminder, two-factor authentication uses two out of three factors to confirm your identity.

  1. Something you know (like your password)
  2. Something you have (like your mobile phone)
  3. Something you are (like your face or fingerprint)

I use 2FA for my Amazon account, my online banking, my email, remote access… everything I can. You should too!

Here are our recommendations to move forward.

  1. Don’t use your business credentials outside work.
  2. Use two-factor authentication whenever possible.
  3. Use biometrics whenever possible.
  4. Invest in a password manager.
  5. Don’t store passwords in your browser.
  6. Don’t reuse passwords!
  7. Keep your operating system and application software updated. (We can do this for you.)


We will be reaching out to you shortly to remove your password expirations.

04 Aug 2016
data security

Data Security Class

We are protecting your digital assets with firewalls, passwords and other digital methods. We detect intrusion attempts and virus attacks with special software that runs on the firewall and your workstations. We respond to your calls when you have a problem or when a problem is detected. Between protection, detection and response, which is the most important? We believe it’s detection – as would you if you didn’t detect that a large man with a big knife was standing over your bed until you opened your eyes!! The best investment you can make in your security is to train your staff. Give them the tools and training necessary to detect attempted data breaches by signing up for our Security Awareness class. The content is updated with current events and true stories all the time.

The class is 1 hour long, $250 for 1-25 people.

04 Aug 2016
multi-factor authentication

Multi-factor Authentication

You’ve seen this already. You try to access your Gmail account and you have to put in a code Google texted to your phone; or you add a credit card to Apple Pay on your iPhone and you have to approve the addition from another Apple device. Everybody has passwords – and they’re getting longer and more complex all the time! We all hate it. The answer coming down the pike is multi-factor authentication (MFA). Here’s the idea. Instead of just providing your password to access your data (email, files, etc.) you provide at least two of the following: something you know (like your password), something you have (like a code from your mobile device) or something you are (like your fingerprint).

MFA is being used more and more. There are apps that you can put on your mobile device that generate a code every 30 seconds. Your bank may require you to put in a code that was texted to your mobile device. Your online shopping site may require you to put in a PIN to login. You can receive a code via text message. You can use facial recognition (read about the Enterprise-grade security of Windows Hello here.) You can use the fingerprint scanner on the home button of your iPhone.

Get used to it. MFA is here and it will become the norm. If you want to increase security, give us a call. 704-814-8819

04 Aug 2016
mobile device management

Mobile Device Management

How do you deal with the fact that your digital assets are on your employees’ phones? What if they lose a phone? It can not only be bad for business, it may be against the law, depending on your market and the data that has been compromised. Mobile Device Management (MDM) is built into Office 365. Even if your employees own their own devices (which is most common) you can have them register their device with Office 365 in order to have email on the device. Then you control access to the data. You can use MDM for Office 365 to do a selective wipe to remove only organizational information, or a full wipe to delete all information from a mobile device and restore it to its factory settings.

If you’re interested in learning more about MDM, give us a call. 704-814-8819

15 Jul 2016

Do you hate changing your password?

HERE’S A TIP: At Quo Vadis we don’t have to worry about the constant password change. We use 1Password, a helpful, easy-to-use, secure app that stores all your logins, passwords, and more!

Tired of remembering all those passwords? Tired of the constant change? Do you want just one password for everything?

1Password.

Who doesn’t? As hackers become more real and more prevalent, passwords need to be much more complex. If you’ve taken the Security Awareness Class you know the danger, and you know how critical your password security is.

Every one of your businesses is connected to the internet, which makes you a target for cyber-attacks. Unfortunately, small businesses have a misconception that they are an unlikely target, but a quick Google search will produce a number of results showing small and medium businesses are attacked at nearly the same rate as enterprise level. Hackers know many companies don’t take cyber security seriously – and they’re right. It has come to our attention that many of you have simple passwords equivalent to having a key code entry of 1234! This is completely unacceptable.

It may be that, when you signed up for Network Care, you dismissed our counsel to implement strong passwords for your users. It’s time to reconsider. Ensure that you’re using strong passwords! Use these helpful guidelines to help create complex and secure passwords:

  • 8 characters long
  • At least 1 uppercase letter
  • At least 1 lowercase letter
  • At least 1 number
  • Simple enough to remember without writing it down

Of course, additional security measures are always encouraged, like adding special characters and making the password longer. Make sure your password doesn’t include your name, and avoid generic ones like “Password1”. If you’d like us to enforce complex passwords on your network or if you have any other questions or concerns, please call the Help Desk to discuss.