Cybersecurity Tip #9 - TWO FACTOR AUTHENTICATION
This seems like a hassle, but it really isn't compared to the pain of being compromised. Simply put, it's too easy for the login details of your critical business systems to be compromised, but if you have 2FA enabled on your Xero account, Office 365 or client database then, as long as the hackers aren't holding a knife to your throat, they aren't going to get in.
Cybersecurity Tip #8 - USB drives are great for silently spreading an infection.
* Scan yours between sites
* If you don't use them in your business then block their use
* NEVER PLUG IN A FOUND DRIVE! It's been done in the wild in Aussie: https://www.bbc.com/news/technology-37431335
What can be done?
I see small businesses on a regular basis running with just whatever their ISP has provided, usually a cheap device that provides connectivity and some very basic firewall-like functions such as NAT and SPI. As far as I am concerned these are just like putting a $5 lock on the front door of your million dollar mansion. Here is an example of why:
"CERT NZ has been informed of an active attack targeting MikroTik RouterOS devices.
Attackers are identifying these devices by scanning for public IP addresses running specific RouterOS ports and using older versions of the operating system. Once the vulnerability is exploited, malware is downloaded to the compromised devices. The device is then being used to scan for other IP addresses and spread.
CERT NZ is aware that this attack is active. We strongly recommend investigating and patching any RouterOS devices on your network as soon as possible to prevent them from being compromised."
When Vertech connects a client to the internet we insist on a substantial firewall device like the Sophos XG UTM range, which can automatically hotfix itself when vulnerabilities are found in its firmware and also provides significant additional security capabilities, such as sniffing out malware communications and synchronised security with the computer antivirus software to prevent the spread of threats. This level of security is no longer expensive and is absolutely affordable for SMBs - it really is just a case of being a good netizen.
There has been a fair amount of news regarding hacks where large volumes of private identity information have been exposed on the internet. I know that can seem remote to us, but you would be surprised where your information may have ended up, and not every company has been very good at informing people when they have been compromised. I'm talking about names, addresses, phone numbers, emails and passwords. This information in the hands of the malicious makes cybercrime so much easier.
Want to know if YOUR Details have been made vulnerable?
Here is a link to a site where you can get a report to see what email addresses in your organisation may be in the hands of criminals.
There is a new, sophisticated email scam you need to watch out for. Bad guys first send emails with links to inappropriate websites to business email addresses, and then follow up with extortion threats. It's been tested in Australia and now the USA, so NZ won't be far behind.
The email claims that a virus was installed on a porn website which recorded the victim through their webcam. “Then my software collected all your contacts from messengers, e-mails and social networks,” it says. “If I don’t receive my Bitcoins I’ll send video with you to all your contacts.”
This is a play on shame, the fear of tainting your professional image and using that fear to drive a poor decision.
If this type of scam email makes it through the spam filters into your inbox, do not click on any links, do not reply, and delete the message (or click on the Phish Alert button). Do not download any software to check your computer for viruses; instead follow procedure to report these types of criminal emails. Remember: "Think Before You Click" is more important than ever these days.
Educating your staff and giving them some basic Cybersecurity training is essential as a last line of defense in your business. Message me if you need help arranging this.
We offer a Workstation Security Guarantee to Vertech customers who are under our TrueCare Service plans. We are confident that if a client is protected by our four primary layers of security (Automated Security Patching, Antivirus/Malware, Web Filtering and Email Scanning) and their systems are actively managed and monitored, there is a low likelihood of those systems being infected.
What’s better is if staff are also empowered to be aware of the red flags and signs of common scams so that even if all these layers are penetrated they can distinguish a legit email from the malicious. Invest in some Cybersecurity Awareness training for your people!
The last line of defense we've now implemented for most of our clients is an upgraded firewall system. The system is capable of sniffing your outbound internet traffic for malware communications to the cybercriminal's command and control servers. Even if a staff member clicks on a dodgy email and gets some ransomware on their computer, it is possible to block the request for encryption keys as it passes through your network and prevent the damaging payload from taking hold.
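The outbound inspection described above, in miniature, as an added example (not the original post's material and not the logic of any firewall product): a handful of constructed outbound-connection log lines are matched against a constructed command-and-control blocklist, with sub-domains of a listed domain blocked too, and connections from a workstation straight to a public IP address flagged for analyst review. The log format, the workstation names, the domains and the blocklist are all invented for the example:

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of outbound-connection log lines (format assumed for this example).
SAMPLE_LOG = """\
2019-03-04T10:15:22 ws-07 10.0.0.23 -> office.example.com:443 CONNECT
2019-03-04T10:15:40 ws-07 10.0.0.23 -> key-server.bad-example.test:443 CONNECT
2019-03-04T10:16:02 ws-12 10.0.0.31 -> cdn.example.net:80 GET
2019-03-04T10:16:09 ws-07 10.0.0.23 -> 203.0.113.45:4444 CONNECT
2019-03-04T10:16:30 ws-03 10.0.0.14 -> mail.example.com:443 CONNECT
"""

# Constructed blocklist of C2 domains; a real firewall pulls this from a threat feed.
C2_BLOCKLIST = {"bad-example.test"}

# The office's own address ranges (RFC 1918); anything outside them is "public" here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<src>\S+) -> (?P<dst>[^:]+):(?P<port>\d+) (?P<verb>\S+)$"
)


@dataclass
class Verdict:
    timestamp: str
    workstation: str
    destination: str
    port: int
    action: str     # "allow", "block" or "review"
    reason: str


def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def domain_is_blocked(dst: str, blocklist: set) -> bool:
    """True if dst or any parent domain is listed (c2.evil.test matches evil.test)."""
    labels = dst.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def public_ip_literal(dst: str) -> bool:
    """True if dst is a raw IP address outside the internal ranges."""
    try:
        ip = ipaddress.ip_address(dst)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def inspect(line: str, blocklist: set = C2_BLOCKLIST) -> Optional[Verdict]:
    rec = parse_line(line)
    if rec is None:
        return None
    dst, port = rec["dst"], int(rec["port"])
    if domain_is_blocked(dst, blocklist):
        action, reason = "block", "destination on C2 blocklist"
    elif public_ip_literal(dst):
        # Workstations normally talk to names, not raw public addresses.
        action, reason = "review", "direct connection to public IP literal"
    else:
        action, reason = "allow", "no match"
    return Verdict(rec["ts"], rec["host"], dst, port, action, reason)


def inspect_log(text: str, blocklist: set = C2_BLOCKLIST) -> list:
    return [v for v in (inspect(l, blocklist) for l in text.splitlines()) if v]


if __name__ == "__main__":
    for v in inspect_log(SAMPLE_LOG):
        print(f"{v.action:6} {v.workstation} -> {v.destination}:{v.port} ({v.reason})")
```

Run against the sample, the second line (a key-server under a listed domain) is blocked and the fourth (a raw public address on an unusual port) is queued for review; the rest pass. The suffix match matters because malware rarely connects to the bare domain on the list.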
If your business doesn't already have protections like those I have discussed in place, then it's a matter of hope and luck that you don't get hit. When you live zero distance from every cybercriminal in the world, your door handles and windows are being rattled all day, every day. These protections are not expensive and are easily afforded by the SMB market. If you are interested in finding out what else we could be doing for your company, please call me on 09 972 0367 or email firstname.lastname@example.org.
I’ve been thinking a lot about how I can achieve the goals I have set for myself and the business. It has become apparent that I can’t get better results by being the same person that I have always been. If you want MORE, you have to BE more. By developing your personal capabilities, you display leadership and learn how you can grow the business. There is plenty of material in this vein, and if you pick up anything by the authors below you can’t go wrong. I’ve been reading and listening to several excellent audiobooks recently (either through Audible or YouTube) which I highly recommend to fellow business leaders!
Don’t have time to read? I signed up for YouTube Red so I can listen to them whilst running with the dog without ads. Motivational stuff is all very nice but without action it’s pointless and what’s more it tends to wear off over time as we get consumed by the minutiae of day to day life. Keep yourself exposed to a steady stream of inspiration, seek out people who have done what you want to do and ask them how they got there, model success!
One of the things I like about being in IT is the ever-present opportunity to learn new skills and technologies. But technology isn't just limited to electronics; there are plenty of software upgrades for the lump of fatty tissue between our ears, and this guy is gold.
I forced my teenage kids to listen to this today! They grudgingly appreciated that I did it out of love for them. I know what questions I'll be posing myself each day. Some have come straight from the Pumpkin Plan.
“You’re in the departure hall; the flight home is not boarding for another 30 minutes. As you place your laptop bag down you spot a shiny new flash drive under the bench. Naturally, being an intelligent, curious person anticipating a boring wait until your flight is called, you slide your work laptop out and plug the USB drive in to have a look at what it contains. Who knows? Perhaps you might be able to find out who it belongs to so you can do the right thing and pop it in the post to the unlucky person who dropped it?
During the post incident analysis of the security breach that encrypted the contents of your business’s network drive it was found that your machine was the source of the attack. The IT team managed to restore the server back to normal without resorting to paying the Ransom. Only half a day’s productivity for 30 staff was lost. Sadly, your only copy of the family holiday snaps under My Documents were permanently lost.”
I am sure you’ve worked out now that it is your employees who are the weak link in your IT Security and the costs can be significant. Social engineering is the number one security threat to any organization. The alarming growth in sophisticated cyberattacks makes this problem only worse, as cybercriminals go for the low-hanging fruit: employees. Numerous reports and white papers show organizations are exposed to massive increases in the number of cyberattacks over the past five years.
At Vertech IT Services we constantly work to close gaps and increase the robustness of our clients’ networks, but we’ve realised that we need a way to provide ongoing awareness training programs to the dynamic SMB sector at scale and efficiently, with the least disruption to their business. We’ve found that solution in the company KnowBe4.com.
Click here to learn more and access a free Best Practices Whitepaper and to learn how you too can provide Cybersecurity Awareness training to your people.
HaaS. In case you haven’t heard enough acronyms in the IT industry, let me give you one more: HaaS, or “hardware as a service.” Simply, HaaS is an option to “rent” hardware on a low monthly basis instead of purchasing it outright. This eliminates the hefty cash drain for a network upgrade and allows you to pay for hardware as a service. It also puts the burden of repair and replacement on the shoulders of your IT company (us) to keep your equipment up and running.
With our HaaS offering we'll wrap the computer in our TrueCare Fundamentals Service Option and Gold Workstation Security Package, with options for flat-rate support, so you will have a guaranteed superior IT experience for your business.
You do end up paying more in the long run (as you would if you leased a car or bought a house on payments), but the results and the ease on cash flow makes this a better option for some people.
Virtual Disaster Recovery Testing
Time and time again I have done a new customer audit and discovered that the backup tape/drive they have been diligently rotating for months contains either nothing at all or backup files so old as to be next to useless.
Vertech has been countering this with our flat-rate Max Backup cloud DR service and we are now happy to announce that we can provide a regular Virtual Disaster Recovery Testing Service.
Currently, if Vertech is visiting your site for a regular maintenance visit, the second thing we do (the first is making sure the server isn't about to burst into flames) is a test restore of files and folders to confirm the backup data chain is intact. Now Vertech has upgraded this testing to provide a regular full restore of your servers into the Microsoft Azure hosting platform to confirm that the servers will actually boot up!
Previously, doing a full DR restore of servers was a time-consuming and expensive manual service. We are now able to automate much of the donkey work and so offer this peace of mind at a much better rate. Furthermore, this test restore can be used as the basis for a fast full-site recovery option should the office go up in a puff of smoke!
If your business needs a reality check on your Backup and DR then give me a call on +64 9 9720364 or email me email@example.com and I'll be happy to come out and provide a free consultation.
Ransomware emails & Staff Training
We've been seeing a steady stream of emails with increasing levels of sophistication targeting clients. Because of the serious risks associated with ransomware we've proactively enabled a new feature on the Vertech Mail Security platform across the board.
From now on, all zipped attachments, executable files and macro enabled documents will be treated as Spam (but able to be manually released from Quarantine).
All Scripting type files will be treated as Malware.
If your business has legitimate email traffic with those types of attachments then please notify our Service Desk here so we can tailor your company email security policy to suit.
NB: Please be careful about making your whitelist entries too generic, e.g. a subject line of "RE: " in your list of allowed subjects is inviting trouble!
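An added example (not the Vertech Mail Security platform's own code or rule format, which this page does not show) of the attachment policy and the whitelist caveat above: attachments are sorted into releasable quarantine (archives, executables, macro-enabled Office files) or malware (script files), a message takes the worst verdict of its attachments, and two whitelist rules are compared. The extension lists, the rule shape, the assumption that malware is never released by a whitelist, and the sender and subject values in the test are all constructed for this example:

```python
from typing import Optional

# Attachment categories from the policy above. The extension sets are an
# assumption made for this example, not the platform's actual configuration.
QUARANTINE_EXT = {"zip", "7z", "rar", "exe", "msi", "scr", "docm", "xlsm", "pptm"}
MALWARE_EXT = {"js", "jse", "vbs", "vbe", "wsf", "hta", "ps1", "bat", "cmd"}


def classify_attachment(filename: str) -> str:
    """Return 'allow', 'quarantine' (releasable spam) or 'malware' (never released)."""
    # Only the final extension counts, so "invoice.pdf.exe" is treated as an executable.
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if ext in MALWARE_EXT:
        return "malware"
    if ext in QUARANTINE_EXT:
        return "quarantine"
    return "allow"


def classify_message(attachments) -> str:
    """The whole message takes the most severe verdict of any single attachment."""
    rank = {"allow": 0, "quarantine": 1, "malware": 2}
    worst = "allow"
    for name in attachments:
        verdict = classify_attachment(name)
        if rank[verdict] > rank[worst]:
            worst = verdict
    return worst


class WhitelistRule:
    """A release rule: the message passes if sender domain AND subject both match."""

    def __init__(self, sender_domain: Optional[str], subject_prefix: str):
        self.sender_domain = sender_domain    # None means "any sender" (the risky form)
        self.subject_prefix = subject_prefix

    def matches(self, sender: str, subject: str) -> bool:
        domain_ok = (self.sender_domain is None
                     or sender.lower().endswith("@" + self.sender_domain))
        return domain_ok and subject.startswith(self.subject_prefix)


def final_verdict(sender: str, subject: str, attachments, rules) -> str:
    """Apply the attachment policy, then let a matching whitelist rule release quarantine only."""
    verdict = classify_message(attachments)
    if verdict == "quarantine" and any(r.matches(sender, subject) for r in rules):
        return "allow"
    return verdict    # 'malware' is deliberately never whitelisted (assumption)


if __name__ == "__main__":
    loose = [WhitelistRule(None, "RE: ")]
    tight = [WhitelistRule("supplier.example", "RE: Weekly payroll export")]
    msg = ("anyone@attacker.example", "RE: Invoice", ["invoice.pdf.exe"])
    print("generic 'RE: ' rule:", final_verdict(*msg, loose))    # allow  (bad)
    print("sender + subject rule:", final_verdict(*msg, tight))  # quarantine
```

The generic rule releases a renamed executable from any sender whose subject happens to begin with "RE: ", which is nearly every reply on the internet; the rule that pins both the sender domain and the full subject only releases the traffic it was written for.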
Following on from last month's successful Cybersecurity Seminar with Zeald, I am now providing onsite staff group training sessions on:
What the threats are
How to spot them
How to stay safe on the internet.
Whilst we can put in place some very clever technology to defend your systems, your staff are the last line of defense and also the weak link.
Security and Success: How to survive and thrive online
If you are concerned about your security online, then this seminar is for you. The Security and Success: How to survive and thrive online seminar is a primer on cyber security threats for the harried business owner. We will cover various threats to the online user, the effects of these threats and how to mitigate the risks these threats pose to the average Kiwi business.
Vertech has partnered with Zeald to provide this Seminar at no charge on the 13th of April 2016. The 2-hour seminar will answer your questions about online security and best-practice for your website. Please arrive at 9.30 for registration. The seminar begins at 10am, finishing at midday with a short break for light refreshments.
Productivity Tip #3
If you have ever torn your hair out trying to get multiple busy people to agree on a single meeting time, or have spent more time firing emails back and forth than the meeting itself, then this might be the thing for you. Microsoft Garage have released a handy free tool for Office 365 and Outlook called FindTime.
This nifty add-in creates a simple poll of acceptable times that you select and sends it to all parties. They can then vote on their preferred time slots, allowing everyone to reach a consensus on the meeting schedule. This works for people both inside and outside of your organisation and greatly simplifies the process! Watch my video below to find out how to install and work with it: Video Tip: Simplify Scheduling using FindTime
New Insurance exemption clauses
This morning I opened the mail and noted that our business insurance (ASB) had some new clauses with respect to damage caused to electronic data. Gone is the old clause relating to the Y2K issue (that was a laugh) and in its place is an exclusion for "loss of or damage to electronic data from any cause whatsoever including but not limited to, a computer virus".
I guess this means that the insurance industry is seeing a significant number of claims from this cause and is seeking to eliminate this risk to its profits.
Prevention is better than the cure but always have a good backup plan. Your business insurance may not save the day.
Every couple of months I take a Friday off from the business to attend a business coaching workshop as part of the Velocity program delivered by the marvelous people at The Breakthrough Co.
Last Friday's topic revolved around habits: how to use what we know about habits to encourage the productive activity that develops our businesses, and to quarantine the bad habits that suck our energy.
As most people know, email is a critical business communication tool vital to the operation of businesses everywhere; however, as this brilliant comic from The Oatmeal illustrates, it needs careful containment so as not to distract you from your mission. Click the image to view.
Quick Tips for controlling your Email Monster.
Schedule set times in your day for checking and responding to email - don't let email schedule your day.
Don't send them at inappropriate times - if you don't want staff emailing you at midnight then don't lead by example.
VIDEO TIP - Set Outlook to open to Calendar rather than your Inbox - You're most effective in the mornings, stay on task.
VIDEO TIP - Disable those distracting email popup notifications! - Keep focused on task rather than feeding the monster.
The following article is taken from Dan Kaplan's excellent post at Trustwave here.
2014 was a year of reckoning for IT and security professionals globally. Like never before, the crushing consequences of risky business behaviour, combined with continued hacker acumen, were hung on full display, for the world to see. And evidence of the fallout was everywhere: from high-profile vulnerabilities like Heartbleed and Shellshock, to innovative malware attacks such as Backoff, to devastating data breaches that brought household brands (and countless others that you'll never read about) to their knees.
At the rate things are going, 2015 is setting up to be even direr. No doubt, awareness of the threats has catapulted security onto the boardroom agenda, but the fact remains that most organisations are operating at some level of denial - somewhere between "It won't happen to me" to "We checked the compliance boxes, so we're good to go." At a point, however, businesses that have been making - and paying for - the same mistakes for the past five years must arrive at a collective awakening.
It can - and likely will - happen to you: Experts have been claiming for some time that data breaches are a when, not if, prospect. Yet they continue to happen, and responses remain poor - 71 percent of compromise victims don't even detect the breach themselves. Incident response and readiness, therefore, must become a priority. Invest, test the plans regularly and get everybody on board with them.
Your perimeter is dead: Mobility and BYOD is king, and the whole notion of the "internet of things" is just as real for the business environment as it is for the home consumer. Increasingly devices are internet-connected, and it's critical to understand which systems are trying to connect to your network. Also, mind your outsourced suppliers. Vendor risk management is more important than ever.
How safe are your staff devices? At present 60 per cent of New Zealanders own a smartphone and/or tablet/iPad, and this percentage is expected to continue to climb. However, many people don’t apply the same safety standards to smart devices that they would to their PC at home or at work, even though these devices store a huge amount of personal and work data. Here are some key precautions to be aware of:
Use a complex PIN lock and treat it like your EFTPOS PIN i.e. keep it to yourself so no one else can access your information
Use an antivirus app and make sure it’s up to date
Upload “locate and lock” apps to help you find, lock and wipe your smartphone if it is lost or stolen
Back up your important information like contacts, photos and documents - there are plenty of cloud storage options that allow you to do this
Use approved apps – not all apps are nice! Install apps only from Google, Microsoft and Apple stores
Only store information and files on your phone that you can afford to lose, otherwise store it somewhere else.
Advice from Daniel:
The world's gone mobile. Staying connected is cheap and it's everywhere and more people than ever want to - need to - work across a number of platforms and devices. Yet despite its benefits, working in this way can be a major security issue for employers if adequate device management isn't in place. Vertech now offers a Mobile Device Management service to take care of these issues so you can rest easy.
Additional advice from Jay:
BYOD or guest devices should not be able to access any internal network resources, because they can have a virus on them and spread it to the office network. The WiFi for BYOD devices should be on a segregated VLAN that can go to the internet only and is unable to see any of the internal network, to isolate BYOD devices.
Your employees are mistake-prone: As advanced as threats may be, oftentimes they are meaningless until they are welcomed inside the virtual door of a business. That deed typically is done by an unwitting employee who, for example, uses an easily crackable password or clicks on a link or attachment that they shouldn't have. Social engineering ruses, like targeted phishing attacks and blended threats, are getting better at tricking innocent users, but one can't overstate the importance of a regularly refined security awareness program that receives executive-level support.
Advice from Mital:
Change passwords from time to time – employees don’t like it because they find it difficult to memorise the new password.
Customers often request that we disable password expiry or allow simple passwords; however, we strongly discourage this and recommend complex passwords (a mix of numbers, letters, case and punctuation marks, at least 7 characters long) changed on a monthly to quarterly basis.
Top Password Tips:
* A good password doesn't have to be entirely random; you can create a memorable password out of song lyrics or three unusual words with substitutions, e.g. W@l1ays = We @ll live 1n a yellow submarine, or 6redPhone!
* Don't share passwords!
* When a person leaves the organisation, please contact us to remove or disable the account - we can give you options on how to retain access to that staff member's data and email. We can help you document a staff exit procedure.
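As an added example (not the page's own tooling), here is the password policy stated above written as a checker a help desk could run: at least 7 characters with a mix of lowercase, uppercase, numbers and punctuation, an age check against the quarterly end of the "monthly to quarterly" rotation range (the 90-day figure is this example's assumption), and the song-lyric trick from the tips, which rebuilds the page's own W@l1ays example from its phrase and substitutions:

```python
import string
from datetime import date

MIN_LENGTH = 7       # from the policy above
MAX_AGE_DAYS = 90    # quarterly end of "monthly to quarterly"; assumed for this example


def check_complexity(password: str) -> list:
    """Return the list of policy rules the password fails (empty list means compliant)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no number")
    if not any(c in string.punctuation for c in password):
        failures.append("no punctuation mark")
    return failures


def is_compliant(password: str) -> bool:
    return not check_complexity(password)


def password_expired(last_changed: str, today: str, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """Dates as ISO strings (YYYY-MM-DD); True when the password is older than the limit."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age.days > max_age_days


def mnemonic_password(phrase: str, substitutions=None) -> str:
    """First letter of each word in a phrase, with chosen words swapped for symbols or digits."""
    subs = substitutions or {}
    return "".join(subs.get(word.lower(), word[0]) for word in phrase.split())


if __name__ == "__main__":
    pw = mnemonic_password("We all live in a yellow submarine", {"all": "@", "in": "1"})
    print(pw, "compliant:", is_compliant(pw))                    # W@l1ays compliant: True
    print("Pass1234 fails on:", check_complexity("Pass1234"))    # ['no punctuation mark']
    print("expired:", password_expired("2019-01-01", "2019-04-15"))  # True
```

Note that the checker enforces only the stated composition rules; it does not know whether the phrase behind a mnemonic password is a famous lyric, so the substitutions are what give W@l1ays its strength over the bare initials.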