Disk Encryption Protects Your Personal Computers

by

Always wanted to feel like a secret agent? Well, here’s your chance! Did you know you can encrypt your hard drive to protect the data on your computer? This is a good way to secure your information, whether at home or on the move with a laptop.

Setting up encryption scrambles your data so that only authorized parties can understand the information. Without the encryption key, anyone trying to read your information would see gibberish.

You’re already using encryption when you visit any “https” website. The lock symbol beside the URL shows that encryption is protecting your connection with the site. You’ll see it when shopping or banking online, and it’s protecting the data in transit.

You can also encrypt the data on your computers.

Password Protection Is Not Enough

Many people at this point have a password for their user account on a home computer or laptop. Some of these passwords are even complicated, although the number-one password people use continues to be “123456” – seriously – followed by “123456789” and “qwerty.”

Regardless of its strength, the logon password doesn’t stop anyone with physical access. You might have your browser remembering usernames and passwords (it’s not a shared computer, right?), and anyone with access can use those pre-populated credentials to access your accounts.

If someone really wants to get to password-protected files on a physical device, they can do so. The attacker might bypass your password by booting your computer up to a new operating system. Or the bad guy might even remove your hard drive and put it into a new computer. All they need is a second computer and a screwdriver!

Full disk encryption protects those files, even if the attacker has physical access and even if your laptop is lost or stolen, your home is burglarized, someone seizes your computers.

Encryption Is Not a Silver Bullet Of course, we need to be clear. Encrypting your hard disk doesn’t make your computer invincible to cyberattackers, although does force them to work a lot harder.

Attackers can also still exploit services running on your computer, such as network file sharing. Plus, encryption doesn’t stop a nefarious agency from spying on your online activity in transit.

Nevertheless, it does beef up your physical security. You can encrypt an external hard drive or your system’s entire hard drive. Then, when you turn the computer on, you’ll need to unlock the disk to boot up your operating system. The computer won’t work until the user supplies the encryption key or passphrase. You can also create multiple unlocking keys if you have several user accounts for that device.

Again, you’re going to want to come up with a strong password. If your key phrase is “password,” (the fourth most common choice in 2019), there’s little point in encryption.

You also don’t want to walk away from your laptop, leaving it open and accessible. You’ll want to set your encryption program to lock again after a certain amount of idle time. Otherwise, you’ll find encryption doesn’t impact your computer’s performance.

Make sure your computers and laptops are always physically secure. With disk encryption, only people you trust can access your data and files.

Ready to set up disk encryption on your home devices? We can help. Contact us today at (515)422-1995!

Keep Your Firmware Safe and Secure

by

Most of us can differentiate between hardware and software. But how many know what firmware refers to? More importantly, is your business securing its firmware against security vulnerabilities?

Your business knows it needs to keep its operating systems (OSs) up to date. Installing patches as they are released helps protect your OS and software applications from attack.

Yet firmware can be easily overlooked when setting up cyber protection. You’re opening up Explorer every day, and your business relies on its Excel spreadsheets, but you don’t think about the basic software that runs the hardware as intended – that’s the firmware.

Without firmware, your computer wouldn’t know how to detect its hard drive, and the gears on the business printer wouldn’t spin to pull the paper through the device. There’s firmware in network and sound cards, routers, range extenders, keyboards, and more. Firmware also makes your webcam or surveillance camera work correctly.

The Need to Update Firmware

Cyber-criminals aren’t known for their lazy reliance on just one tactic. Instead, they are constantly finding new ways to exploit business devices and systems, and this includes attacking firmware. Without securing your firmware, you run the risk of bad actors:

  • spying on business activity;
  • stealing business data;
  • taking control of your business computers.

You may think you’re safe because you have antivirus scans in place, but hackers can get around those by embedding their malware in your firmware. In the past, they could guess firmware manufacturers weren’t prioritizing security. That’s changing now that firmware exploits have gained attention.

Manufacturers release firmware updates for at least a few years after initial release. The goal is to ensure the stability of that device your business depends upon.

Find firmware updates online at the manufacturer’s website. You might also look on the device support page. Make it a policy to consistently seek out firmware release updates. That way, the business is up to date with new patches to fix holes or fresh vulnerabilities.

Taking Care of Business Firmware

Too many people aren’t thinking about the firmware threat; it’s a set-it-and-forget-it problem. Once people set up their devices, they don’t think about the possibility of a future compromise.

For example, in last year’s Avast Threat Landscape Report, 60 percent of users had never updated router firmware. Yet router hijackers can inject malicious HTML and gain access to usernames and passwords.

Businesses are growing more reliant on technology, particularly connected technology. (Thank you, Wi-Fi and Internet of Things.) This is also expanding the attack surface available to cyber bad guys. Don’t become complacent. Apply patches when issued to all business connections and technology.

Now you know what firmware is and why it matters, that doesn’t mean you’re any closer to being able to actually update it all. Partner with one of our technicians. We can do an audit of all your firmware and find any holes that need plugging. Give us a call today at (515)422-1995!

Facing the Five Top Cloud Computing Fears

by

The public cloud service market is growing. Software, infrastructure, desktop, and other service numbers are all on the rise. Yet some businesses are still holding back from migrating to the cloud. This article addresses common resistance to this highly scalable and cost-effective solution.

#1 Fear of Losing Control

“I want full responsibility for my IT.” Moving to the public cloud means partnering with a vendor. Some of your existing technology can move as is, whereas other tools your people rely on may need replacement or redesign.

One solution is to migrate to a private cloud. This allows you to continue to control the data environment but will be a more costly solution than a public alternative. When partnering with a public cloud service provider, establish clear responsibilities. Ensure you’re both on the same page about who is accountable for what.

#2 Fear of Change

“If it ain’t broke, why fix it,” especially when it comes to business computing, right? Transitioning from one data center to another requires preparation and effort.

Yet the resulting greater flexibility makes the work worthwhile. Cloud migration is appealing because the technology offers, among other things:

  • scalability;
  • increased effectiveness;
  • faster implementation;
  • mobility;
  • disaster recovery.

The cloud allows you to store data, run applications, deliver content, and more – all online. Your business doesn’t have to invest in the hardware or networking tech on-site.

#3 Fear for Data Security

Any downtime for a data breach can cost business revenue and brand reputation, and productivity can suffer, too. And that’s only the beginning. So, you don’t want to move to a solution that expands your vulnerability to attack.

There are two ways to get attacked: digital or physical. Working with a cloud provider, you gain a partner focused on security. They know the mitigations and countermeasures for cloud-computing-specific capabilities. They know the frameworks, architectures, and approaches to best protect against digital attack. Microsoft spends $1 billion annually safeguarding Azure, its cloud offering, from cyber-attack. Can your IT budget compete?

As for physical security, cloud data centers are secure facilities: we’re talking guards with key cards, fenced perimeters, power backups, and server redundancy. They have the works. Your office is probably less secure.

#4 Fear for Interoperability Challenges

We’re always told to play nicely with others, but what if existing business technology doesn’t play well with the cloud? Business leaders may fear they’ll be stuck having to reinvent the wheel.

The good news? There have been great strides in interoperability. Many application programming interfaces are available to help. Cloud providers want your business systems to exchange and use information seamlessly.

#5 Fear of Cost Increases

Before giving in to cost concerns, take stock of your current IT operating budget. The time and money you could save may surprise you. For example, the software provider takes charge of updates, patching, and new capabilities, which alone can increase IT’s productivity in other areas.

The scalability of cloud solutions also counterbalances cost concerns. With cloud technology, you know your tools are always evolving. Plus, you can quickly add or reduce licenses or data storage size as needed, because there’s no waiting for hardware to arrive and be provisioned by an overworked IT team.

Conclusion

With cloud migration you also avoid training employees to support the technology. Plus, you’re not paying to use office space, power, and cooling to house the equipment. The cloud also provides end users with immediate access from almost any device.

The one challenge is migrating to the cloud securely. Give us a call at (515)422-1995 to get you migrated swiftly and ensure you’re using cloud computing safely.

Security or Flexibility: Which Matters More?

by

Business is all about making tough choices. One such choice is whether to value IT security or business flexibility more. Unfortunately, you can’t have the best of both at once.

While having absolute security or flexibility may sound good, neither is actually for the best. An entirely secure environment is tough on users, a fully flexible IT environment is near impossible to keep safe.

When weighing security and flexibility, you might think of it on a sliding scale: more of one means sacrificing some of the other. If you amp up your security, you can limit business productivity. Your staff may try to get work done and bump up against security constraints. Or you may decide to give your people full flexibility, but you do so at the risk of leaving your business more vulnerable to attack.

Where you want to land on this sliding scale can depend on your industry. A bank protecting funds or a hospital with private patient data would prioritize security. Alternately, a small widgets business might not worry about data security as much.

Still, it’s a tough choice to make. Security company Balabit asked European IT pros to choose between IT security and business flexibility. In general, 71 percent thought security was equally or more important than flexibility. But when asked whether they’d risk security to clinch a major deal, 69 percent were willing to take their chances.

Finding the Right Balance

Leaders have to find the sweet spot between IT security and business flexibility. Striking the right balance is essential to successful security measures and flexibility aims.

One major consideration is the type of data the IT security is protecting. Credit card or health insurance companies are responsible for securing customer information. A university with many networked computers also needs to think about security; otherwise, criminals might target the school’s processors to power their attacks.

The potential impacts of a security breach are also a factor. Cyberattacks can mean business disruption, and lost productivity and business revenue, plus damage to brand reputation and loss of customer loyalty. A business in a highly regulated industry could also face massive fines and legal fees.

Assessing the risk of attack also helps. For example, a company with a billion-dollar idea, or a utility, face greater risk than a tuna packet labeler. Another consideration would be history of suspicious activity: if your business has already suffered an attack, security should be a priority. Likewise, if your industry is a common target for cybercriminals, you can’t take unnecessary chances.

Then, there’s the demand for business flexibility. How much do you need and in what situations? For instance, allowing employees to use their own devices is a convenience for some, but it’s a necessity in other environments.

The ability to control security and flexibility on a situation-by-situation basis can help. In instances where customers’ identifying information is exchanged, security would trump flexibility. But when work teams collaborate globally, business flexibility is the more important aim.

Get MSP Input into This Equation

A managed services provider (MSP) can provide perspective on the best balance. The MSP examines business processes and goals, and determines appetite for risk. Then, it helps set that slider between IT security and business flexibility.

IT experts recognize the need for adaptable security responding to shifting needs. When that big deal comes up, you don’t want to have to deliberately risk security. Ultimately, you’re looking to achieve flexicurity – just the right combination of both. This lets your technology users do their best, while your business remains secure.

Want to balance security and still be business friendly? Contact our experts for a consultation today! Call us (515)422-1995!

6 Never Dos for Your Work Computer

by

Nobody likes to be told what they can’t do. Still, there are certain never dos that you should keep in mind when it comes to your work computer. This article captures the top six things you should avoid doing on your work computer.

#1 Don’t login to personal sites and services

Sure, we’re all guilty of wanting to check our personal email or take a quick peek at social media while at work, but you do not want to login to your personal accounts on a work computer, especially not a shared one!

Browsers that remember our passwords to sites such as Facebook or your bank can be useful. How many different passwords can one human be expected to remember after all? But letting the browser save your personal access credentials risks your security. The next person to use that computer could access your private data.

#2 Don’t allow remote access

Maybe your computer isn’t working the way you want it to: it’s too slow. Something is up with an app. You’re worried you’ve inadvertently downloaded malware onto your work device. Then there’s that friend you have that “knows computers.” With remote support software being so easy to use these days, you figure it’s easier to ask your friend for help. Work doesn’t even need to know.

But would you let that friend walk into the office and start working on your computer? Probably not. Your business has its own people it trusts to do work on its computers. If you were on-site, you’d tell your supervisor, or at least IT, if you had a computer concern. Even when working virtually, you want to do the same thing.

Allowing remote access is both a security and productivity risk. Plus, your computer could be set in a specific way by your company. Your tech-savvy friend isn’t going to know why and how those particular configurations were established.

#3 Don’t store personal data

We’re all in favor of having more than one backup. Still, you don’t want to make your work computer a storage solution for your personal data, because you can’t be sure that other people at work can’t look through your files.

You also run the risk of losing access to that data if the business goes out of business or lays staff off. Employee accounts can be wiped out by businesses when they sever relationships with staff.

#4 Don’t connect personal storage devices

USB or thumb drives are convenient, as such drives help move data around easily. But the drive can be installed in many different computers and networks along the way. Connecting that USB to a work computer could transfer malware.

You really don’t want to connect someone else’s storage device to your work computer. Criminals actually target organizations by leaving infected thumb drives in the parking lot. All they need is one person to pick up the drive and plug it in to a work computer. Trying to reunite the drive with its user didn’t go over so well for that Good Samaritan!

#5 Don’t do your side business or job search

You don’t want to do these on a work computer unless you want to risk getting caught, because your computer activity can be tracked. Some businesses do full-blown screen recording. Others will maintain an overview of sites you visit.

There are different laws in various states and countries regarding employee monitoring, but you are using a work device on a business network. Doing your own side project during work hours on the business computer won’t go over well.

#6 Don’t log on to public Wi-Fi

Don’t log in to business applications or sensitive data connected to public Wi-Fi. There are many risks. You could end up:

  • opening yourself up to “man-in-the-middle” hackers;
  • connecting to a malicious hotspot;
  • transmitting data on an unencrypted network.

These never dos could endanger your personal data, business network, or your very job. Steer clear of these common mistakes made on work computers. Be smart, be safe.

Need help setting up a personal or work computer? We can help. Our IT experts can also install virtual private networks or other tools to protect your work computers. Contact us today at (515)422-1995!

7 Things You Need to Know About Ransomware

by

Ransomware is a well-named type of cyberattack. Cybercriminals taking this approach kidnap your data. After accessing your network, they encrypt files and demand payment for the passcode. Here are the top seven things you need to know about this business threat.

#1 It Can Happen to You

Cybercriminals rely on your false confidence. Don’t think “it won’t happen to me.” Attacks on government, education, healthcare, or financial institutions get publicity. Yet organizations of all types and sizes are targeted.

#2 Ransomware Spreads Fast

Ransomware is malware, malicious software that can reach throughout a network. So, if Jane from accounting opens a ransomware file, every single computer on your business network could be infected. The virus can spread between businesses, too. Consider the debilitating WannaCry ransomware attack of 2017. Within four days of its first detection in Europe, the strain had spread to 116 countries.

#3 Ransomware Targets People

A common method to send out phishing emails in the hope of having people enter their access credentials. Targeted business communication emails work, too. The attacker gets to know your business first. Then they send an email impersonating a colleague, supplier, or customer asking you to take action or update contact details by clicking on the link or downloading a file.

#4 Ransomware is Costly

Once the ransomware is installed on your system, it locks down your files. To regain access to the files, you need the password or decryption key the attacker supplies when you pay up; that’s if they keep their end of the bargain once you pay the ransom. These are crooks you’re dealing with after all!

In Coveware’s analysis of Q3 2019, the average ransom payment increased by 13% to $41,198 as compared to $36,295 in Q2 of 2019. And that’s just the cost of the ransom. Indirect costs include the cost of downtime, lost revenue, and long-term brand damage. There’s also the expense of removing the ransomware, forensic analysis, and rebuilding systems.

The average ransomware attack in Q3 2019 resulted in 12.1 days of downtime. – Coveware

#5 Ransom Requires Cryptocurrency

Ransom payment is usually made by bitcoin or another cryptocurrency. Your business needs to buy cryptocurrency with actual cash, then transmit the ransom. They choose cryptocurrency because it’s very difficult to trace. It doesn’t help you that bitcoin is not something you can charge back like a credit card.

#6 A Recovery Plan Helps

Planning in advance can help you respond more reasonably. Document plans to disconnect infected computers from the network as soon as possible. Also, power down any machines that could be vulnerable to avoid spreading contagion.

You should also discuss in advance whether or not your business will pay a ransom. Weighing the costs and benefits without a deadline on the decision can help you react more strategically.

#7 You Can Take Action

You don’t have to sit around worrying and waiting for a ransomware attack. There are many things you can do to help prevent this type of attack:

  • Filter traffic, preventing it from coming into your network in the first place.
  • Scan inbound emails for known threats, and block certain attachment types.
  • Use antivirus and anti-spam solutions and regularly upgrade and patch vulnerable software.
  • Educate all users about social engineering.
  • Allow remote access to your network only from secure virtual private networks.
  • Back up your data to more than one location so that you can restore any impacted files from a known source.

Ransomware is a lucrative, relatively easy mode of attack for cybercriminals. They could target your business. Contact us today for help implementing the best protection practices to keep your data safe. Call us at (515)422-1995.

Don’t Get Hooked By a Whaling Attack

by

The executives of your company are the big fish in your sea. Yet cybercriminals think of them as whales. In fact, whaling is a new cybersecurity threat targeting the C-suite level.

You’ve likely heard of phishing attacks. Phishers use scam emails or spoofed websites to obtain user credentials or financial information. This might be an email that looks like it is from your bank asking you to log in and update your details, or a supposed tax alert needing immediate action.

A vishing attack is another fraudulent attempt to steal protected data, but the cybercriminals are going to use the phone to make contact. They might pretend to be a vendor needing to confirm account details for bill payment.

There’s also spear phishing. In these cases, the attackers do their homework first and target a specific company. They scour directories and employee social media to gather information to gain credibility.

Now, there are whaling attacks, too. The high-value target is a senior-level employee. The fraudster typically also impersonates one of the target’s C-suite counterparts.

What You Need to Know About Whaling

A whaling attack uses the same methods as phishing but focuses on top-level targets. The goal is to get “whales” to reveal sensitive information or transfer money to fraudsters’ accounts.

Whale attacks are intentional. Phishing can see attackers baiting hundreds of hooks to get nibbles. In whaling, information gathered in advance adds credibility to the social engineering. The target has higher value, so it’s worth their time to appear knowledgeable and make a request to and from someone important.

The sender’s email address will look convincing (e.g. from smithj@companyx.co instead of smithj@companyx.com). The messages will have corporate logos and legitimate links to the company site. Because humans want to help, the communications typically involve an urgent matter.

Whaling attacks are on the rise. In 2016, Snapchat admitted compromising employee data after receiving an email, seemingly from its CEO, asking for payroll information.

In another high-profile example, Mattel nearly transferred $3 million to a Chinese account. Company policy required two signatures, but the attackers (taking advantage of a recent shakeup) faked the new CEO’s signature. The second executive went ahead and added a signature. The only thing that saved the company was that it was a Chinese bank holiday.

Protecting Against Whale Attacks

As with phishing or vishing, the primary way to protect against whaling attacks is to question everything. Train your key staff members to guard what they share on social media. Encourage them to question any unsolicited request. If they weren’t expecting an attachment or link, they should follow up. If a request is unusual, they should trust their spidey-sense and proceed with caution.

It’s also a good idea to develop a policy for handling requests for money or personal information. By requiring that two people must always weigh in, you’re more likely to catch a scam before it’s too late.

Also, train all your employees to look carefully at email addresses and sender names. They should also know to hover over links (without clicking on them) to reveal the full URL.

Security awareness is crucial. It’s also a good idea to test your employees with mock phishing emails.

Need help training employees or testing social engineering? Contact our experts today, call us at (515)422-1995!

Beat the IT Burden

by

Technology today allows us to accomplish more tasks faster than ever before. Paperless documents, remote collaboration and video conferencing have all lowered the costs and increased the speed of everyday business at an extraordinary rate.

The benefits of modern IT does however, come at a cost. Consistent maintenance has become a critical component of almost every business. The IT department is now as important to the functioning of a firm as sales, marketing, or management. The advantages that come with modern technology more than outweigh the drawbacks. It’s up to you as a business owner to balance both. In today’s highly competitive business environment the latest tips, tricks, and tools are essential to keeping ahead of the competition.

The Cost of Great IT

While well maintained IT is a powerful asset; poor, crumbling IT can quickly turn into a liability. Machines, servers and desktops need to be kept up to date with the latest operating system and security patches as a matter of priority. Data requires consistent back-up too.

Poor security and data backup measures put both your own and your customer data at risk from attack. Regular security updates close vulnerable gaps, while backups protect valuable data. Strong security protects your liability against losing your own and your customer data.

Determining what is and isn’t good IT practice for your firm takes the experience and knowledge of a professional. Good security involves more than one managed system to protect your assets. Good data backup is ideally done daily, involving more than a single copy in an off-site location. Without taking these steps at a minimum, a business is as little as one glitch away from a complete critical failure.

Managing Internal IT

The IT demands of every firm changes on a near-daily basis. Software is often added or removed, user accounts need to be added, removed, or changed and permissions require modification to suit ever-changing requirements. The time requirement of daily IT changes alone is more than many departments can handle.

Many small firms deal with accounts, permissions, and software at an individual level. Wherever this is the case, complications inevitably happen. Software and services get lost and forgotten in the system, often polluting other packages and causing IT issues throughout the firm. User accounts are often left on the system months or years after an employee has departed.

For reliable and secure IT management, managed group policies prevents bad systems. IT management allows staff to get on with their work without technology getting in the way. Data is managed at a department level, accounts are removed for staff that depart the business and software is installed by professionals. Using this approach the liability of the firm for IT failures is dramatically reduced.

Managing IT Without Added Burden

One of the major complaints about setting up well managed IT is the overhead that it adds to the firm. Staff costs, additional management, and the office space of an IT department is a daunting financial burden to add.

Staff costs alone can make building an equipped IT department prohibitively expensive. Qualified, dependable, knowledgeable IT staff demand a high salary and costly benefits. In addition, equipment costs and lead time to get up and running on your business systems drive the costs even higher. Some firms simply don’t have the space required to add an entirely new department to the business.

That’s why, for many businesses, outsourcing is the most effective way to update their IT without increasing business overhead. Outsourcing provides modern IT for a simple, fixed monthly cost. Removing the distractions of managing an entirely new department allows the business to focus on doing the job they do best.

What We Do

By trusting your IT to us, we ensure that your systems are up-to-date, secure, and fully backed up. We can keep you competitive by allowing you to accomplish more than ever before.

Along with day to day IT management, monitoring, and setup; we can assist your transition to paperless documents, setup remote working, and provide IT assistance to set up the latest technology that will enable you to succeed.

Allow us to help you do more than ever before. Bring your IT demands to us and we’ll provide you with the modern IT you need to let your business thrive. Call us at (515)422-1995

 

Locking Up Cybersecurity with a Managed Services Provider

by

Cybercrime is not the most costly of illegal activities. That dubious distinction goes to government corruption, followed by drug trafficking. Cybercrime comes in third. Yet cybercrime does take the top spot when it comes to numbers of victims. A managed services provider can help.

Cybercrime has hundreds of millions of victims. Two-thirds of people online have experienced personal information theft or compromise. A 2018 McAfee Security study suggested that represents more than 2 billion individuals!

If any of those people works at your business, it could mean trouble for your security, too. Why? People tend to think they have too many passwords to remember. So, they use the same login information again and again. That means a criminal could leverage employee data to access business systems, too.

Cybercrime is a global problem for both individuals and businesses. The bad actors, after all, can make big bucks from their crime with low risk of discovery. The global cost of cybercrime is an estimated $600 billion a year. And no one and no business is immune.

More people are going online. Businesses are becoming more reliant on digital transactions. Cybercriminals are quickly adapting. They’re motivated, but are you?

Securing Your Business with an MSP

It’s safe to say your Information Technology team has a lot to do. Everyone at your office is working hard, but is cybersecurity getting the attention it deserves? Ultimately, there is no better way to keep your systems secure than with managed services.

A managed services provider (MSP) helps your business stay ahead of security threats. Finding out about risks or vulnerabilities after the fact is no good. That’s like closing the barn door after the prize stallion has already bolted.

An in-house cybersecurity team providing 24/7 protection isn’t workable for most businesses. It’s cost prohibitive for most small and mid-sized businesses.

Working with an MSP is a more affordable alternative. You avoid investing in the latest technology and building up an on-premises infrastructure. Instead, you pay a consistent fee for the MSP to handle technology patching, monitoring, and assessments.

The MSP uses well-tested, leading-edge tech to stay on top of cybersecurity threats. This strategic partner can:

  • set up security on your infrastructure;
  • oversee your company’s security systems;
  • ensure regulatory compliance;
  • track threats 24/7;
  • maintain strong data protection.

An internal IT team oversees many areas, but the MSP focuses on continuous monitoring. It keeps up to date on the global threat landscape and any industry vulnerabilities.

Still not convinced that paying an MSP is worth it? The average cost of a lost or stolen record was $148 per record in 2018. You might view working with an MSP as paying for insurance. With ongoing monitoring an MSP helps your business avoid security breaches. And their devastating costs (including to productivity, compliance, revenues, and brand reputation).

This extension of your security staff helps maximize resource efficiency. And their day-to-day focus is on reducing risk and minimizing damage from cyberthreats. With an MSP you add dedicated security experts to your team. Secure your technology while gaining advanced threat intelligence and customized security strategies.

A managed services provider identifies vulnerabilities and secures your business environment. Stay ahead of cybersecurity threats with an MSP. Find out more today!

Call us at (515)422-1995

Island Hopping: Not Always a Good Thing

by

The phrase “island hopping” conjures up positive images. You might think of cruising beautiful sandy beaches on a tour of tropical islands. Too bad cybercriminals have given the term a new, less pleasant spin.

Island hopping is an increasingly popular method of attacking businesses. In this approach, the cybercriminal targets a business indirectly. The bad actors first go after the target’s smaller strategic partners. So, vendors or affiliates, who might not have the same level of cybersecurity, become stepping stones to hop.

Attackers might hack into smaller businesses handling the target’s HR, payroll, accounting, healthcare, or marketing. Then, they take advantage of the pre-existing relationship to access the final destination.

Humans are trusting. Cybercriminals exploit that. With island hopping, attackers leverage the trust established between strategic partners.

It’s quite simple: attackers gain access to Company A and send a counterfeit business communication to Company B. Company B, knowing the sender, is less likely to question a download link or opening an attachment.

After all, it’s not coming from a stranger; it’s a message from perfectly pleasant Jenny at Company A. You may have in the past already shared logins to various sites/portals, or passwords to unlock zip files.

The Rise of Island Hopping

This is not a brand-new form of attack. In fact, it’s named after a military strategy which the United States used in World War II to establish a stronghold in the Pacific Islands.

Perhaps the best-known island-hopping cyberattack was seen in the United States in 2013. Retail giant Target was the aptly named target of a point-of-sale system breach. Hackers stole payment information from 40 million customers. The first “island” in the planned attack was Fazio Mechanical Services. The heating and refrigeration firm suffered a malware attack shortly before Target’s breach. Fazio’s hackers stole email credentials needed to access the retailer’s networks.

As enterprises continue to strengthen their cybersecurity, it’s predicted that island hopping will gain momentum. According to Accenture’s Technology Vision 2019 report, less than a third of businesses globally know how strategic partners secure their networks. A majority (56%) rely on trust that business partners would uphold security standards.

Preventing Island Hopping

You may be one of the islands to hop or the attackers’ final destination. It depends on your business size and industry. Either way, your business is vulnerable to malware attack, infected systems, or a data breach. Plus, if you’re the stepping stone, you’re likely to lose the target company’s business, too.

How do you prevent island hopping? First, secure your own networks and systems:

  • Follow best practices to detect and identify vulnerabilities and reduce risk.
  • Educate your employees about the dangers of business communication scams.
  • Raise awareness of phishing schemes and social engineering.
  • Require two-factor user authentication.
  • Change all default, generic, or predictable passwords.
  • Keep security up to date (patching and system upgrades are mandatory).
  • Control who can access your networks and servers.
  • Protect all endpoints (including employee devices in a Bring Your Own Device workplace).

When it comes to cyber island hopping, your business doesn’t want to be a layover or the final destination. Keep your cybersecurity borders tight to avoid unwanted visitors.

Want to make your business inhospitable to island hoppers? Work with a managed service provider. They can help assess cybersecurity, provide a plan to reduce risk, and upgrade technology. Let us support your efforts to fend off unwanted tourists.

Give us a call on (515)422-1995.

Click to see our BBB Report

FOLLOW US

VISIT US

Privacy Policy