Businesses Beware OF Fake Meeting Requests

by

Hi,

Important that we meet discuss speerfishing attacks over business comunicatons. We need to make plan about this IMMEDIATELY. Please click on the link [uurl.callender.com] to make an appointment with IT for quick tutorial.

Regards,

IT

There are several things wrong with this email, and hopefully, you noticed them. All are red flags you can look for to avoid fake meeting requests or calendar-invite scams.

Business Email Communication (BEC) scams are not new. For example:

  • Facebook and Google suffered a $121 million BEC scam.
  • Ubiquiti lost $46.7 million to an attack.
  • Toyota transferred $37 million to crooks in a BEC snafu.

In 2020, BEC attacks were the most lucrative scam. The US estimated cybercriminals made over $1.8 billion with this approach. Beyond money, falling victim to a BEC attack also costs your business time and reputation. Here’s what to look for and how to protect against BEC scammers.

How BEC Scams Work

With many more people working from home and meeting virtually, there’s been an uptick in BEC spearfishing attacks.

On Gmail, the bad actor needs only your email address to send an invite that adds to your calendar by default. Then, you might click on what appears to be a meeting link, which actually takes you to a malware site.

Zoom has also become an attack vector. You get an invite to a meeting that asks you to login into Microsoft Outlook. You’ve done it so many times before, except this is a fake login page, and it’s set up to steal your access credentials.

How to Protect Against BEC Scams

Educate your users. As with any other type of email scam, users need to learn to be careful about the links they click. Some indicators to look for, which you can see in our opening example, include:

  • spelling mistakes;
  • urgent appeals;
  • poor phrasing;
  • suspicious links.

Email addresses, links, and domain name inconsistencies are more bad signs. Plus, be wary if something seems too good to be true (a free laptop?) or is an unusual request (transfer $1 million from the CEO’s account).

Google Calendar users can go into General settings, then Event settings, and switch off “Automatically add invitations.” Instead, select “No, only show invitations to which I have responded.” Also, under Events from Gmail, you can stop calendar events auto-generating based on your inbox. Keep in mind, though, that you’ll also be blocking legitimate events.

In these days of the hybrid workforce, we’re used to clicking on links from Zoom, Google Docs, and Microsoft Office as part of our daily workflow. The cyber bad guys know this and are taking advantage of it. Unsubscribing from email lists, keeping your email private, and reporting spam to IT can all help.

Your business might also benefit from working with a managed service provider to use a third-party spam filter. Our experts can also review your cybersecurity posture and identify areas to improve your defenses.

Contact us today at (515)422-1995

SMBs Can Become a Weapon in Cyberwarfare

by

Headlines today highlight Ukrainian tragedy or North Korea testing missiles. It can seem far away from your business, yet battles are being fought online, too. Your small business’s IT systems could be weaponized for cyberwarfare.

That statement may surprise you. You’ve heard of cyber targets such as:

  • critical national infrastructure;
  • election and voting organizations;
  • military databases;
  • government communication outlets.

In the days preceding Russia’s attack, 70 Ukrainian governmental organizations were hacked. Messages in Ukrainian, Russian, and Polish warned people to be afraid and expect the worst.

But, why would someone want to target your small business as part of their cyberwarfare? You may be only a stepping stone to help the attackers achieve their larger goal.

How your business can become a target

You could be the victim of a supply-chain or leap-frog attack, or you might have a business partner who is also an accountant to a defense contractor, or your business might be providing heating and air conditioning maintenance to a utility. That connection makes you interesting to hackers.

Attackers use you as a pawn in digital warfare. They expect you have fewer defenses than the highly funded end target, so they infect your network to facilitate their attack. They might send a fake invoice from your business to the target, one that is laden with a malicious payload. The client, trusting your credibility, opens the malware. From there, the attacker has access to the information they were seeking from the outset.

How to shore up your defenses

Increase your cyber vigilance. Don’t think that you are too small to be a target. Instead, create and maintain a cybersecurity plan. Follow best practices to keep your systems resilient, and ensure you have the proper protection in place.

This type of attack often leverages software vulnerabilities, so make sure that all your systems are up to date and patched, leverage antivirus tools, and stay current on the latest threats you should protect against.

Also, remind your employees about the importance of good cyber hygiene, the humans who work for you are often the weakest link. They don’t mean to cause any damage, but they click on that phishing email or go to that website with malware downloads embedded.

Multifactor authentication can also help you combat hacker access. Even if the bad actor does get a user’s credentials, they still need an approved device to get in. This makes it much more difficult to compromise your network.

It’s also a good idea to establish ongoing monitoring of any security events and install remote access controls. Geo-fencing can restrict certain foreign IP addresses, and Certificates can validate trusted computers that remotely access your systems. Then, use the data from those tools to identify any suspicious activity.

A managed service provider (MSP) can help with any of these defense tactics. We don’t want to see you turned into an unwitting weapon in someone’s cyberwarfare. Contact us today to learn more about what we can do to help reduce your attack surface.

Reach to us today at (515)422-1995.

Small Business Can’t Sacrifice Cybersecurity

by

For small businesses, it can be tempting to postpone cybersecurity efforts. There are many common excuses: “There’s so much to do,” “There’s not enough budget,” “Our business is too small to target,” etc. But right now, cybersecurity is a must-have for every business.

Think of it like business insurance. You don’t intend to get sued or have accidents, but you have insurance to cover if the worst happens. Similarly, having cybersecurity in place:

  • saves you time, money, and stress;
  • protects your business IT against damages;
  • provides you and your employees with peace of mind.

But small businesses are not only at risk of cyberattack. According to a study released in March 2022 by cloud security company Barracuda Networks, “on average, an employee of a small business with less than 100 employees will experience 350% more social engineering attacks than an employee of a larger enterprise.” That makes small businesses three times more likely to be targeted.

In fact, your business may already have been attacked. The Barracuda study found that one in five organizations had at least one account compromised in 2021. And hackers need only one account to launch from. An attack can spread without you knowing if you don’t have the right detection and protection tools in place.

Advice for small business leaders

Digital attacks are on the rise, and you’re going to need help. A report from Blackberry in February suggested that “one million daily security alerts are seen in 25% of security operations centers.”

But you don’t have a security operations center, right, let alone one that can process a million alerts daily. Investing in cybersecurity gives you access to that type of security reporting, plus much more.

Hackers target small businesses because they expect them to have fewer IT resources. That can mean more weak points for bad actors to exploit.

At least you are keeping your software current and patching vulnerabilities with any manufacturer updates, right? And your business probably also uses antivirus and emailing filtering. Yet, traditional email filters are no longer enough: you need to invest in additional security resources.

Take the target off your back

So, we’re back at the beginning again. Investing in cybersecurity is now on your wish list, but you can’t see how you can afford it right now. But you can’t afford not to really. According to the Australian Cyber Security Centre, “Australia spent approximately $5.6 billion on cybersecurity in 2020, and self-reported losses from cybercrime totalled more than $33 billion.”

Plus, you don’t need to do everything from scratch and buy all the necessary software and hardware yourself. Instead, you can work with a vendor to take advantage of economies of scale. Invest in a cybersecurity partner who will do a full risk analysis to find the main vulnerabilities in your business IT environment.

Partner with someone who works to secure many small businesses like yours. They’ll be the ones investing in supplemental technology with machine-learning security to protect against all types of email. They’ll know how to put the right protection tools in place, and they’ll also have the skills to detect and respond to threats post-delivery.

The damage caused by one compromised account can be devastating for a small business. Don’t risk the worst happening: protect your cybersecurity with the help of a managed service provider. We can identify any weak points in your cybersecurity and help put safeguards in place to defend your business. Contact us today at (515)422-1995!

Think Before Sharing That Link

by

Learning to share is an important early-life skill. Now, you’ve mastered it, and you’re out in the workforce. Happily, digital technology makes it much easier to share business files, but that doesn’t mean you want to do so willy-nilly. Consider these best practices for sharing with both internal and external users.

Cloud sharing makes it simple to share presentations, spreadsheets, documents, and other files. In OneDrive, Dropbox, Google, you can simply click on that document and click “share.” The link is created, and you can copy it into an email, or you can use a pop-up email from the software you’re working in at that moment. That done, you can move on to your next “to do” without thinking about it any longer.

Maybe not.

Unless you’ve set that link to expire, you’ve shared endless access to that file. Plus, you may have set the file up so that anyone with the link can open the file. You may even have given everyone with the link editing permission for that file, which means they can change the data or delete it. That’s today, tomorrow, weeks, months, or even years from now.

Think about that link before you share it. You may not intend that external contractor to have continued access to that presentation. You may want only an internal team member’s input before a client pitch, not in perpetuity, even after they’re no longer involved in that project.

Best practices with shared links

The problem compounds if you share folders. You might start out with a few files in that folder – the ones you wanted to let your client contact see – but, as time goes on, you add more files to the same folder. Do you want that client to be able to see all those files? Forever? Think about this before sending a shared link with broad permissions.

Yes, “anyone with the link can view” links are useful. They can help when you don’t know everyone’s email, or you don’t know everyone (internal or external) who will need access to a file. Still, it’s best to take the permission-based route. Allow only people with emails you know to access that file. You might set the default in your link sharing to “only people in your organization.”

Think twice about whether you want to make them editors, too. Remember that gives them the right to modify and delete that file. You might want only their eyes on the content, so limit what they can do to viewing only.

It’s also a good plan to set your links to expire. This stops the other person from continuing to access the files long after they need to do so. For confidential, sensitive data, choose a shorter expiration date; otherwise, you might go with a month. If the person needs access again after the link expires, you’ll be able to let them in again, but you’ll know you’re doing so.

Worried about unauthenticated access to your files, folders, or software and systems? Work with a managed service provider to enhance your security posture. Our experts are here to help. Contact us today at (515)422-1995.

Psst… What’s Your Master Password?

by

All of us like to think we are unique. That thinking extends to our passwords too, right? We’re special and distinct, so no one could guess our chosen collection of letters, numbers and symbols. Well, it’s surprisingly easy for algorithms to determine passwords and to do so extremely quickly. So, a password manager is a smart move, as you’ll have more complex, different passwords stored. Still, it’s important that your master password for that manager be 100 percent original.

Sure, your password may be difficult for a human to guess – it would take forever. But, computers can run through the possible combinations in seconds. Password Depot found that a password consisting of five characters (three lowercase letters and two numbers) can be hacked in 0.03 seconds.

Add characters and the volume of possible configurations increases, and that adds time. A seven-character password (one capital letter, six lowercase letters) will take approximately nine minutes. At eight characters (four lowercase letters, two special characters, and two numbers) things get more complicated. Trying all the possible permutations will take 2.6 days.

That’s a data-driven argument for complex passwords with many letters and numbers. But the problem is that they are so much more difficult to remember, and that’s why it’s a good idea to use a password manager.

The power of a password manager

A password manager offers top-notch encryption to protect passwords. You can use a password manager as a vault for all your passwords. When you want to log in online from your desktop, it can prefill your username and password. Often, there is also an app that allows you to do the same on mobile devices.

Industry-leading password managers also notify you if credentials are weak or get compromised. They may also flag that you are repeating access credentials, which is not a good idea.

Don’t forget your master password

Part of the appeal of a password manager is its zero-knowledge approach. They are set up so that they can’t see your stored passwords. The password is encrypted before it reaches the manager’s server and can’t be deciphered.

This means you have to be careful not to forget your master password. The master password is the one you use to access the password manager. Without it, you’ll have to try to recover your account using several stages of authentication.

Make your master password unique, and don’t use it anywhere else. Repeating passwords, as mentioned above, increases your risk of getting hacked. If the other site is hacked, the bad guys could try that same password on other sites, too. It’s low-hanging fruit for them.

The current best practice as far as passwords go is to use a passphrase with a mix of alpha-numeric symbols. This gives you a length of between 20 and 30 characters. You can use a variety of uppercase and lowercase letters, numbers, and symbols. Some examples of passphrases include:

  • My_Fave_Person_is_My_Fish_761
  • Mytrip-2-Paris-Was-Magnifique
  • YouRemindMeoftheBabe!!

The passphrase means something to you, so it is more memorable. Yet it isn’t easy for hackers to crack. Also, you’re not using specific personal details that you may reveal on social media (unless you are constantly posting pics of your fish, and its name is actually 761).

Protecting your online identity

Want to know more about protecting your online identity? Need help with setting up security procedures for your home computer and network? Our tech experts are available to help. Call us today at (515) 422-1995!

Could the Business You Work for be More IT Savvy?

by

Working for a small business, you can be asked to wear many hats. Even if one of your many roles is not IT, you may need to speak up about your business technology or cybersecurity.

It’s easy to think cybersecurity is someone else’s responsibility, but IT may not be getting the attention it deserves, and that could be damaging to the business, your career, and your identity.

A data breach can destroy a business. Cybersecurity Ventures estimates that 60% of small businesses close within six months of a breach. It’s easy to calculate why. In Ponemon’s annual Cost of Data Breach report, the average cost was $161 per record. That adds up. If you’re at a business that can’t recover, you could be out looking for work again.

Of course you care about your customers. You don’t want their personally identifiable information (PII) getting out to criminals. But their information isn’t the only thing at risk. Your employer has a lot of PII about you, too. They’ll have your name, address, salary amount, and bank account details. Plus, they may have health information related to your benefits. They probably also have copies of your government identification.

Not only about protection, prevention

If your business tech is out of date, you’re at greater risk of cyber vulnerability. But improving IT isn’t only about protecting data and preventing downtime. Having the right technology to suit your business can also help you be more productive. Speaking up about IT could see the business improve, grow, and gain resiliency.

Working with a good MSP can help both you and your business:

  • If your company isn’t as protected, IT experts can help with data security or backup and disaster recovery.
  • Frustrated by network failures, lagging conference calls, or error messages? Trust the MSP to make sure the business technology is up to the task.
  • When the devices you’re working with aren’t doing what you want them to do, the MSP can suggest the right tools for the job.
  • Feel like you’re wasting time on repetitive or mundane tasks? An MSP partner could help you embrace automation. Allow machines to take on the routine and leave you free to focus on the more challenging and innovative work.

A slow system is painful to use. Having to wait even a few minutes for a computer adds up over a 40-hour work week. Worrying about the security of your data doesn’t help your focus at work either.

You don’t have to be an IT expert to understand that there is room for improvement with your technology. Connect us with your employer to schedule a consultation for your business needs!

Contact us at (515)422-1995.

Ransomware a Risk for You, Too

by

Ransomware headlines focus on interrupted hospital services or downtime at several major brands. But ransomware can just as easily infect your home computer.

When you’re a victim of ransomware, you aren’t able to do anything on your computer. Cybercriminals encrypt your files and demand you pay a ransom to unlock your device. They’ll ask for cryptocurrency in return for the encryption key.

You may think the bad guys wouldn’t care about your residential system, but you’d be wrong, especially now. Think of all the people at home connecting remotely to business networks. Plus, kids make a weak link as they don’t fully understand the risk.

Many residential antivirus solutions aren’t up to protecting your computer from ransomware.

How to prevent home ransomware

Ransomware in residential homes may not grab headlines, but it’s still going to be big news at your house. Any computers connected to that network with the ability to save to one another could be infected.

The biggest issue with malware of any kind? Your devices may be infected and you might not even know it. Get a cybersecurity solution for your home that looks where you can’t. A good antivirus software that supports anti-ransomware uses machine learning. Artificial intelligence (AI) reviews a database of known threats before running new files on your computer. This helps detect and block any malware before it executes.

Some antivirus software whitelists certain computer folders such as “My Documents,” making it possible for only trusted applications to write to that folder.

You’ll also want to have a good backup. If you’re working on a novel in your spare time, keeping the family photos on your desktop, or developing an in-depth family genealogy, for instance, don’t risk losing access to any of these. Instead, make frequent backups and keep them separate from your network. This can help preserve your personal data in the event of a malware attack.

Always be on the lookout

Phishing is the top way ransomware infiltrates computers. So, talk to all home network users about the need for vigilance. Cyber bad guys are doing a much better job these days of mimicking reputable companies. A phishing email will look like it is coming from a trusted website. They will have worked hard to gain your confidence to open the message and click on their link.

Caution everyone, especially kids, against clicking on links or downloading attachments, especially if the email is making an urgent or emotional appeal.

You can also stay safe by taking care of what websites you visit. It’s hard enough to determine if an email is legit, but now you need to be wary of where you go online? Yes, it’s true. One type of ransomware gets you to download and install the software, while another installs it without you knowing when you visit an infected site.

Steer clear of top culprits such as gambling, pornography, and pirated video sites. When online, look for the lock icon before the domain name: that indicates encrypted Web traffic. And avoid clicking on any download links on the sites you visit.

Want to remain ransomware-free? Our IT experts can help you take preventative measures. We’ll also make sure that your antivirus software is doing what you want it to do. Contact us today at (515)422-1995

How to Prevent Password Spraying Attacks

by

Bad cyber actors are what the kids these days would call “try hards.” They do everything they can think of to get into your accounts. One tactic is password spraying. In case you don’t know about it, this article gives the basics and shares strategies to prevent this type of attack.

You’re probably familiar with hackers trying many different password combinations with the username. Web security services know about this form of attack, too. That’s why you can get locked out of your site for trying the wrong password too many times.

This brings us to password spraying. The cyber criminals have found a way to get around the-three-tries-and-you’re-out-of-luck defense. Instead of one user and many passwords, they use one password with many different usernames.

Think how easy this could be. Your company database is online for people to contact your employees. The bad actor takes john@yourcompany.com, jane@yourcompany.com, jamal@yourcompany.com, and so on, or they buy a list of usernames on the Dark web. Then, they try common passwords for every one of those individuals.

“Abc123,” “123456,” and … ugh … “password” are still frequently in use worldwide as passwords. So, it’s not that much of a stretch for a hacker to be able to get in with one of these common permutations.

The brute-force attack runs through a long list of users before trying the next “wrong” password. So, by the time it has finished going through the list of users with the password “abc123”, enough time has passed to avoid lockouts, and the hacker tries another password from the user list.

What to do about password spraying

The most obvious thing? Stop using any of the passwords that appear on the most commonly used worldwide lists! Do you think no one would still be using these obvious options? In 2021, there were more than 3.5 million reported uses of the “123456” password. “Password” came in second with 1.7 million reported uses. Both take less than a second to crack.

So, prefer more complicated passwords. This doesn’t have to mean that users add seven numbers, six symbols, and three capitalized letters. The National Institute of Standards and Technology (NIST) guidelines suggest length is more important. So, users can create longer yet easier-to-remember passwords.

IT administrators can also force users to change passwords at their first login to new applications. NIST further recommends checking every new password against a breached password list.

Multifactor authentication helps, as well. This requires the user to verify themselves with access credentials and extra authentication. This might be a code sent via text to a smartphone or could involve an authentication app.

It’s also a good idea to segment your networks so that users access only what they need to. Limiting user access can minimize the damage done if there is a breach.

Put password best practices in place

Keep your business secure with the help of a managed service provider. We can spearhead the installation of lockout policies and other security measures. Our experts also stay current with the latest vulnerabilities to proactively protect your organization. Call us at (515)422-1995.

Don’t Play Games with Privacy: What Is DuckDuckGo?

by

You may remember playing Duck, Duck, Goose on the playground when you were young. But have you heard of DuckDuckGo? Many haven’t. So, we thought we’d share an introduction to this privacy-focused search engine.

DuckDuckGo promises to let you “search the Web without being tracked.” The search engine site touts a simple privacy policy: “We don’t collect or share any of your personal information.”

You can use DuckDuckGo on their iOS or Android app or extension by adding a private Web search to your favorite browser or by searching directly at DuckDuckGo.com. The site’s privacy browser extension blocks trackers and offers encryption for every device.

Why use DuckDuckGo?

Google is the obvious heavy hitter in search. The problem? The company keeps your search history forever. Plus, they are tracking everywhere you go online. Their trackers are on millions of websites.

Think about it: Ever looked at a new sweatshirt and decided against it only to find it following you in digital ads for days to come? That’s because of tracking. DuckDuckGo promises there are no trackers on its search engine. It even blocks Google’s and other company’s trackers, as well.

You might think you are achieving anonymity in Incognito Mode. But this doesn’t stop Google from saving your history. Companies, internet service providers, and governments can also continue to track you.

DuckDuckGo does not store IP addresses or other unique identifiers in its search logs. This means that they cannot create a search history or data profile on you or any other individual.

Does DuckDuckGo work?

The big question, of course, is how the private engine’s search results compare to competitors. The company claims it provides “truly private search results without tradeoffs in result quality.” DuckDuckGo says it offers “everything you’ve come to expect in your online search experience” including:

  • maps;
  • weather forecasts;
  • local search;
  • news;
  • images;
  • videos;
  • shopping;
  • definitions;
  • Wikipedia references;
  • currency conversions;
  • flight information;
  • calculator;
  • timer;
  • sports scores;
  • Q&A reference.

Can DuckDuckGo compete?

Since its founding in 2008, DuckDuckGo has steadily gained users. On January 13, 2022, the search engine announced it had surpassed 100 billion all-time searches.

According to public traffic statistics in the same week, the highest daily number of search queries DuckDuckGo had seen was 110,439,133. Just a year ago, on January 11, 2021, the company announced hitting over 100 million searches daily.

Those numbers are impressive, yet as Search Engine Land puts it, “DuckDuckGo remains a very niche competitor.” Google has a huge market share (as much as 87.57 of searches). Bing, the next biggest competitor, accounted for 6.31%, Yahoo 3.25%, and DuckDuckGo 2.5%, according to statcounter.com.

Protecting your privacy online

DuckDuckGo is an attractive and useful option for people who want a higher level of online privacy.

There are many other ways to protect your identity online and secure the data on your residential computers. Contact our IT experts today at (515)422-1995 to learn more about the best solution for your personal needs.

Turn Your Tablet into a Child-Friendly Device

by

Tablets are convenient, light, and portable. Maybe you got a new one during the holiday, or your old one needs replacing. You can feel better about moving to the new device if you turn the old tablet into a child-friendly device. Here’s how.

Before giving your tablet up, clear your browsing history, emails, and banking details. In Android Settings you can use the Clear Data feature, whereas on iOS, you go to General in Settings to Reset and choose Erase All Content and Settings.

Purchasing a new, sturdier case can help protect the tablet from the wear and tear of being a kid’s go-to device. A waterproof case is a must for the juice-box-aged user. When selecting a protective case, keep in mind that you want sturdy but also lightweight. A screen protector is also a good idea. Little people have lots of sticky things in their hands after all.

You’ll also want to set up a child safety lock. This allows you to lock the screen by setting a PIN in the settings. On Apple and Android products, you can choose the app your child can use and lock the screen. If they want to switch apps or access anything else, they’ll need you to enter the PIN to do so.

There are many special apps for kids you can download these days. Before gifting the device, download some educational and entertainment apps for them. Common Sense Media can be a useful resource to help you find appropriate apps for the right age. You might also visit Zerotothree.org. Their E-AIMS model helps you choose Engaging, Actively Involved, Meaningful, and Social content.

When can kids turn on tablets?

There’s a lot of debate around what is an appropriate age for a child to use electronic devices. Typically, the recommendation is to wait until your child is at least preschool age. By age three, many children are “active media users” enjoying educational electronic content.

Between the ages of 4 and 11, the child will be able to engage more with the tablet, but they should be supervised. Adults need to monitor activity, co-view, and ask questions about the games or content to encourage digital literacy.

Regardless of the age of your tablet user, it’s always best to start out by talking through the rules for the device. You’ll want to help your little techie learn how to use this tool safely and responsibly.

Need help getting your tablet ready to gift to a young user? We can help. Our tech experts are also here for any tablet repairs you might need. We can offer remote support to get you (or your child) up and running again on that tablet. Contact us today at (515)422-1995.

Click to see our BBB Report

FOLLOW US

VISIT US

Privacy Policy