Cybersecurity Tip #24 - Don't trust Google Maps? FYI - by abusing a Google Local Guides account it is possible to add fake entries into Google Maps, such as a telephone number. Scammers or con artists can then receive calls from unsuspecting members of the public who click through from the map search results, and con them into giving up account details such as PINs and CVV codes in order to drain cash from their accounts. My advice is to skip the Google Maps page and go straight to the website of the company you're after and call from there. As an additional hint, banks will never ask for those critical private pieces of information, so be aware and be alert if anyone asks for that kind of thing. https://lnkd.in/ffTfScA
SCAM ALERT - EMAIL COMBO ATTACK. In summary: a staff member clicks on a password-scraping (phishing) link and unwittingly enters their details. Those details can then be used against them in a sextortion email for fast cash; the crims can also use the account to send more password-scraping emails to all of their contacts and, most dangerously, set up a forwarder so that any received emails are copied to the hacker, who scans them for details regarding invoices. Once they spot one they can inject their own agenda, like requesting a change of bank account number for the deposit... you may not be aware for weeks! How to stay safe? Reset passwords, enable 2FA, get dark web monitoring for compromised accounts, ask your IT guy to lock down mail forwarding so that only admins can set it, educate your staff to be aware and empower them to ask us for help if they see something weird!
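One way to hunt for the forwarder trick described above, as an added example that is not part of the original post: a small Python audit over an export of mailbox inbox rules. The record format, the internal domain example.co.nz, the keyword list and the three sample rules are all constructed assumptions for the demonstration, not output of any real mail platform.

```python
"""Audit an export of mailbox inbox rules for signs of business email compromise.

Added example (not part of the original post). It assumes rules have been
exported from the mail platform into simple dict records with the fields used
below; the records here are constructed for the demonstration.
"""

INTERNAL_DOMAINS = {"example.co.nz"}  # assumption: the organisation's own domain(s)

# Constructed sample export: one record per inbox rule.
SAMPLE_RULES = [
    {"mailbox": "alice@example.co.nz", "name": "Archive newsletters",
     "forward_to": [], "delete": False,
     "conditions": {"subject_contains": ["newsletter"]}},
    {"mailbox": "bob@example.co.nz", "name": ".",
     "forward_to": ["collector@mail-drop.example.net"], "delete": True,
     "conditions": {"subject_contains": ["invoice", "payment", "bank"]}},
    {"mailbox": "carol@example.co.nz", "name": "Cover",
     "forward_to": ["dave@example.co.nz"], "delete": False, "conditions": {}},
]

# Finance words an attacker typically filters on to find invoice traffic.
SUSPICIOUS_KEYWORDS = {"invoice", "payment", "bank", "remittance", "account"}


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def assess_rule(rule, internal_domains=INTERNAL_DOMAINS):
    """Return the reasons this rule looks like attacker persistence (empty if clean)."""
    reasons = []
    external = [a for a in rule["forward_to"] if domain_of(a) not in internal_domains]
    if external:
        reasons.append("forwards to external address: " + ", ".join(external))
    if rule["delete"] and rule["forward_to"]:
        reasons.append("forwards and then deletes the original (hides the copy from the owner)")
    subjects = {s.lower() for s in rule["conditions"].get("subject_contains", [])}
    hits = subjects & SUSPICIOUS_KEYWORDS
    if hits:
        reasons.append("filters on finance keywords: " + ", ".join(sorted(hits)))
    if not rule["name"].strip(" ."):
        reasons.append("rule name is blank or punctuation only (common attacker trick)")
    return reasons


def audit(rules):
    """Map mailbox -> list of reasons, for every mailbox with at least one flagged rule."""
    findings = {}
    for rule in rules:
        reasons = assess_rule(rule)
        if reasons:
            findings.setdefault(rule["mailbox"], []).extend(reasons)
    return findings


if __name__ == "__main__":
    for mailbox, reasons in audit(SAMPLE_RULES).items():
        print(mailbox)
        for reason in reasons:
            print("  -", reason)
```

Carol's rule forwards internally and is left alone; Bob's rule trips all four checks, which is the pattern to look for after a credential phish: external forward, delete-after-forward, finance keywords and a throwaway rule name.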
Cybersecurity Tip #23 - Does your Office Manager have a little book of passwords in her top drawer? Post-it notes on screens? Everyone using the same password, or everyone knowing each other's passwords?
Cybersecurity Tip #22 - Puncturing the Myth of Security by Obscurity
A lot of what we read on LinkedIn is hugely positive, uplifting, motivating and inspirational. Whilst I love this social media platform, it can feel that everyone else is experiencing unbridled growth, success and celebrations galore... just not you. Personally I know that's not the case for everyone and quite likely not even for a large minority. Sometimes systems fail, you make a bad decision, the market softens, staff don't perform, clients go elsewhere, margins get squeezed, cashflow trickles... these can pile up, more and more, a pressure building on your mind and gnawing at your mental health.
I can relate to this. Last year was a shocker for me. The previous years hadn't gone so well but I felt we were moving in the right direction, but then a crisis formed out of my control: I discovered that a trusted employee of mine had betrayed me by defrauding me of tens of thousands of dollars, leaving us in a perilous state. To add insult to injury the person had attempted to cover their theft with a personal grievance claim.
These were dark days and there was a period in the aftermath of this where I wondered what the hell I was doing, was I really an ogre? I could be working a corporate job with no worries about employees, meeting payroll, GST or overdue creditor invoices - why stress myself? I could just take the losses and pack it in.
But frankly, I am not a quitter, there was no way I was going to let this defeat me, nor was I going to default on my responsibilities to my creditors, my staff or my family.
But what to do? Here are 14 strategies that worked for me to survive the darkest moments and that enabled us to push through to a promising 2018/19 FY:
If you have any questions, need help or just want to talk I am happy to do so, flick me an email at email@example.com
Cybersecurity Tip #21 - safety hints on using public WiFi.
Cybersecurity Tip #20 - Clear Desk Policies - a keystone of physical security!
Not just a way to please the corporate overlords with a sleek, tidy work environment suited to hot-desking: it is a great idea from the perspective of information security. Don't leave out any sensitive information that you don't want the cleaners reading at the end of the day. Lock your desk cabinets and secure your laptop both physically and logically by locking it every time you leave your desk. The lack of clutter will also help you focus on important tasks by clearing away peripheral distractions!
Cybersecurity Tip #19 - What are VPNs and what would you use them for?
Accessing a work server over free WiFi without a VPN to encrypt your traffic? Is that free WiFi really the cafe's, or is it a man-in-the-middle scam to collect your passwords? Want to access geo-restricted streaming media content? Want to link two private business systems securely and inexpensively, but control exactly what is accessible? VPNs are the answer!
6 Reasons why your WiFi is completely crap!
1) Old routers running outdated protocols like 802.11g
2) Signal strength attenuation with thick walls etc
3) Distance from the WAP: speed drops away with every metre.
4) Radio interference, there's only so many free channels and your neighbours may be blaring across your frequency
5) Congestion: Wi-Fi is not like a cabled Ethernet link, the more people using it the smaller the share of bandwidth available to each.
6) ALL OF THE ABOVE
THE FIX? Get more new access points sited and configured by those who know what they are doing.
Yesterday I saw a new twist on fake extortion emails claiming to have hacked your PC whilst you were visiting a porn site and threatening to send a video of you to all your contacts unless you send bitcoin. This recent example contained a reference to an old password associated with the recipient's email address, which gave it a significant air of validity. Now, if you have a bad habit of reusing the same password for years across many sites then it is more likely to end up exposed in a website breach eventually and thus be used against you in this way.
Slow internet in these days of cloud apps equals lost productivity. 1) Check your gear: is your firewall able to pump out data packets at the same rate as the UFB, are you using an old wireless access point protocol, is your network switch holding you back? 2) Check your plan: is UFB now available in your area? Is there a better plan you can shift to? 3) Check your ISP: not all ISPs are equal, some may have better trans-Tasman or USA bandwidth contention ratios. If all else is equal then get a network engineer to do a network path analysis to see precisely where the problem is.
Some of these are easy and some are cheap; others, less so. All are valid things to check when you have complaints about computers or the internet being slow. My perspective for businesses is that holding onto a cheap slow PC isn't saving you money, it's costing you thousands in lost productivity! Before you run out and buy the latest PC there are a number of things worth checking as, like so many other things, one slow component can hold back the whole.
If you have tried a few of these things but are still struggling, then reach out to a trusted consultant and get their assistance. I am happy to discuss any of these and give 2 free hours of help on how you can improve the systems of your business if you have 5 or more computers.
Reach me here to take up this offer firstname.lastname@example.org or message me on LinkedIn.
It's scary how many privacy breaches come down to an exec losing a laptop with gigabytes of confidential info just sitting on it in clear text. Even if you have a password on the device, the hard drive can simply be taken out and read from another PC unless it is encrypted! Laptops and phones walk: audit access, encrypt hard drives and enable remote wipe centrally on all devices.
The Top 3 Mistakes IT Guys Make with SMBs.
1) Talking down to your customer - they mightily dislike being patronised and whilst it may be unintentional, the effect of using arcane acronyms and failing to give appropriate analogies or simplified explanations is that you'll piss them off and have them start to look elsewhere for support. Generally the people you serve are experts in their own field and are highly interested in the outcome for their business. Not having some basic understanding of the issue is incredibly frustrating, and when they don't get it delivered in the right manner from you they will refuse to make a decision or do so resentfully. Take the time to come up with a metaphor for the problem or draw out a simple network diagram to help express the key concepts, and link the issue and your solution to business outcomes.
2) Silent Site Visits - it's been a while since I was in the dating scene but I understand that being ghosted is not a pleasant thing. A common complaint I hear from clients is when their IT guy drops in, does something and leaves again without a word. This is just terrible for a bunch of reasons: firstly they will probably blame the next random error that happens on that IT guy's visit no matter how unrelated, and secondly if the first time they know about it is when they get your invoice they may be resistant to paying it. Fiddling with a business's production network during the day without express permission is really poor etiquette. Now I am aware that the IT profession may attract more than its fair share of people on the Asperger's spectrum but at a minimum guys, call first before turning up, then when you arrive let the primary contact know you are there and what you are planning to do, and finally as you leave let them know what you did, how it went etc., whilst making sure everyone is still happy. Super simple customer service that goes a long way, but do it every time!
3) Stop trying to save the client money $$$ - Client priorities for IT are generally: fit for purpose, stability, performance and price, in that order. Too often I have come across networks where the business is profitable and growing but the systems they are stuck with are outdated, using second-hand out-of-warranty hardware, suffering frequent outages and not implementing a full suite of security. It seems that IT guys can fall into a mindset trap of trying to save the client money and reduce costs on systems. Now perhaps the cause of this is that they get complaints about large invoices for time billing, as this will increase if root causes are not being addressed. Well, whose responsibility is that? It's the IT guy's job to recommend the best solution for the business and this means you actually have to ask the client what their priority is in order to offer the best solution that you can support, not necessarily the cheapest. Do everyone a favour and lead with the best option (for everyone) first and then offer lesser choices only after they have rejected the first with a full understanding of their current priorities.
What can be done?
I see small businesses on a regular basis running with just whatever their ISP has provided, usually a cheap device that provides connectivity and some very basic firewall-like functions such as NAT and SPI. As far as I am concerned these are just like putting a $5 lock on the front door of your Million Dollar mansion. Here is an example why:
"CERT NZ has been informed of an active attack targeting MikroTik RouterOS devices.
Attackers are identifying these devices by scanning for public IP addresses running specific RouterOS ports and using older versions of the operating system. Once the vulnerability is exploited, malware is downloaded to the compromised devices. The device is then being used to scan for other IP addresses and spread.
CERT NZ is aware that this attack is active. We strongly recommend investigating and patching any RouterOS devices on your network as soon as possible to prevent them from being compromised."
When Vertech connects a client to the internet we insist on a substantial firewall device like the Sophos XG UTM range, which can automatically hotfix itself when vulnerabilities are found in its firmware and also provides significant additional security abilities such as sniffing out malware communications and synchronised security with the computer antivirus software to prevent the spread of threats. This level of security is not expensive anymore and is absolutely affordable for SMBs - it really is just a case of being a good netizen.
There has been a fair amount of news regarding hacks where large volumes of private identity information have been exposed to the internet. I know that can seem remote to us, but you would be surprised where your information may have ended up, and not every company has been very good at informing people when they have been compromised. I'm talking about name, address, phone number, email and passwords. This info in the hands of the malicious makes cyber crime so much easier.
Want to know if YOUR Details have been made vulnerable?
Here is a link to a site where you can get a report to see what email addresses in your organisation may be in the hands of criminals.
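The password-reuse risk in the extortion post above and the breach-exposure check here come down to the same question: can you test a secret against a breach corpus without handing the secret over? As an added example (not from the original post and not the service behind the link), the following Python simulates both sides of the k-anonymity range lookup that public breached-password services use: the client hashes the password with SHA-1 and sends only the first five hex characters, the server returns every matching hash suffix, and the comparison happens locally. The breach corpus is a constructed stand-in for a real service's data.

```python
"""Check whether a password appears in a breach corpus without revealing it.

Added example, not from the original post. It implements the k-anonymity
range-query idea: send only the first 5 hex characters of the SHA-1 hash, get
back every suffix sharing that prefix, compare locally. The corpus below is
constructed for the demonstration; a real service would hold millions of entries.
"""
import hashlib

# Constructed corpus: password -> number of breaches it was seen in.
BREACH_CORPUS = {"password": 3, "123456": 5, "letmein": 2, "Winter2018!": 1}


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# --- server side ------------------------------------------------------------
# Index keyed by 5-char prefix -> list of (35-char suffix, breach count).
SERVER_INDEX = {}
for _pw, _count in BREACH_CORPUS.items():
    _digest = sha1_hex(_pw)
    SERVER_INDEX.setdefault(_digest[:5], []).append((_digest[5:], _count))


def range_query(prefix):
    """What the server answers: suffixes sharing the prefix, never a password or full hash."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return list(SERVER_INDEX.get(prefix.upper(), []))


# --- client side ------------------------------------------------------------
def exposure_count(password):
    """Number of breaches the password was seen in (0 if not in the corpus).

    Only `prefix` crosses the wire; `suffix` and the password stay on the client.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for candidate_suffix, count in range_query(prefix):
        if candidate_suffix == suffix:
            return count
    return 0


def is_sent_data_safe(password):
    """True if what the client transmits is neither the password nor its full hash."""
    sent = sha1_hex(password)[:5]
    return sent != password and sent != sha1_hex(password)


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(f"{candidate!r}: seen in {exposure_count(candidate)} breach(es)")
```

With a 5-character prefix there are 16^5 buckets, so a real corpus of hundreds of millions of hashes returns several hundred suffixes per query; the server cannot tell which one, if any, the client was looking for, which is the property that makes it acceptable to run this check against a third party.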
There is a new, sophisticated email scam you need to watch out for. Bad guys first send emails with links to inappropriate websites to business email addresses, and then follow up with extortion threats. It's been tested in Australia and now the USA, so NZ won't be far behind.
The email claims that a virus was installed on a porn website which recorded the victim through their webcam. “Then my software collected all your contacts from messengers, e-mails and social networks,” it says. “If I don’t receive my Bitcoins I’ll send video with you to all your contacts.”
This is a play on shame, the fear of tainting your professional image and using that fear to drive a poor decision.
If this type of scam email makes it through the spam filters into your inbox, do not click on any links, do not reply, and delete the message (or click on the Phish Alert button). Do not download any software to check your computer for viruses, but follow procedure to report these types of criminal emails. Remember: "Think Before You Click", it is more important than ever these days.
Educating your staff and giving them some basic Cybersecurity training is essential as a last line of defense in your business. Message me if you need help arranging this.
We offer a Workstation Security Guarantee to Vertech Customers who are under our TrueCare Service plans. We are confident that if a client is protected by our four primary layers of security (Automated Security Patching, Antivirus/malware, Web Filtering and Email Scanning) and are actively managed and monitored there is a low likelihood of their systems being infected.
What’s better is if staff are also empowered to be aware of the red flags and signs of common scams so that even if all these layers are penetrated they can distinguish a legit email from the malicious. Invest in some Cybersecurity Awareness training for your people!
The last line of defense we’ve now implemented for most of our clients is an upgraded firewall system. The system is capable of sniffing your outbound internet traffic for malware communications to the cybercriminals' command and control servers. Even if a staff member clicks on a dodgy email and gets some ransomware on their computer, it is possible to block the request for encryption keys as it passes through your network and prevent the damaging payload from taking hold.
If your business doesn’t already have protections like I have discussed in place then it’s a matter of hope and luck that you don’t get hit. When you live zero distance from every cybercriminal in the world your door handles and windows are being rattled all day, every day. These protections are not expensive and are easily afforded by the SMB market. If you are interested in finding out what else we could be doing for your company please call me on 09 972 0367 or email email@example.com.
I’ve been thinking a lot about how I can achieve the goals I have set for myself and the business. It has become apparent that I can’t get better results by being the same person I have always been. If you want MORE, you have to BE more. By developing your personal capabilities, you display leadership and learn how you can grow the business. There is plenty of material in this vein and if you pick up anything by the authors below you can’t go wrong. I’ve been reading and listening to several excellent audiobooks recently (either through Audible or YouTube) which I highly recommend to fellow business leaders!
Don’t have time to read? I signed up for YouTube Red so I can listen to them whilst running with the dog without ads. Motivational stuff is all very nice but without action it’s pointless and what’s more it tends to wear off over time as we get consumed by the minutiae of day to day life. Keep yourself exposed to a steady stream of inspiration, seek out people who have done what you want to do and ask them how they got there, model success!
One of the things I like about being in IT is the ever-present opportunity to learn new skills and technologies. But technology isn't just limited to electronics; there are plenty of software upgrades for the lump of fatty tissue between our ears, and this guy is gold.
I forced my teenage kids to listen to this today! They grudgingly appreciated that I did it out of love for them. I know what questions I'll be posing myself each day. Some have come straight from the Pumpkin Plan.
“You’re in the departure hall, the flight home is not boarding for another 30 mins. As you place your laptop bag down you spot a shiny new flash drive under the bench. Naturally, being an intelligent, curious person anticipating a boring wait till your flight is called, you slide your work laptop out and plug the USB drive in to have a look to see what it contains. Who knows? Perhaps you might be able to find out who it belongs to so you can do the right thing and pop it in the post to the unlucky person who dropped it?
During the post incident analysis of the security breach that encrypted the contents of your business’s network drive it was found that your machine was the source of the attack. The IT team managed to restore the server back to normal without resorting to paying the Ransom. Only half a day’s productivity for 30 staff was lost. Sadly, your only copy of the family holiday snaps under My Documents were permanently lost.”
I am sure you’ve worked out now that it is your employees who are the weak link in your IT Security and the costs can be significant. Social engineering is the number one security threat to any organization. The alarming growth in sophisticated cyberattacks makes this problem only worse, as cybercriminals go for the low-hanging fruit: employees. Numerous reports and white papers show organizations are exposed to massive increases in the number of cyberattacks over the past five years.
At Vertech IT Services we constantly work to close gaps and increase the robustness of our clients’ networks, but we’ve realised that we need a way to massively and efficiently provide ongoing awareness training programs to the dynamic SMB sector with the least disruption to their business. We’ve found that solution in the company KnowBe4.com
Click here to learn more and access a free Best Practices Whitepaper and to learn how you too can provide Cybersecurity Awareness training to your people.
HaaS. In case you haven’t heard enough acronyms in the IT industry, let me give you one more: HaaS, or “hardware as a service.” Simply, HaaS is an option to “rent” hardware on a low monthly basis instead of purchasing it outright. This eliminates the hefty cash drain for a network upgrade and allows you to pay for hardware as a service. It also puts the burden of repair and replacement on the shoulders of your IT company (us) to keep your equipment up and running.
With our HaaS offering we'll wrap the computer in our TrueCare Fundamentals Service Option and Gold Workstation Security Package, with options for Flat Rate support, so you will have a guaranteed superior IT experience for your business.
You do end up paying more in the long run (as you would if you leased a car or bought a house on payments), but the results and the ease on cash flow makes this a better option for some people.
Virtual Disaster Recovery Testing
Time and time again I have done a new customer audit and discovered that their Backup Tape/Drive that they have been diligently rotating for months contains either nothing at all or backup files so old as to be next to useless.
Vertech has been countering this with our flat-rate Max Backup cloud DR service and we are now happy to announce that we can provide a regular Virtual Disaster Recovery Testing Service.
Currently, if Vertech is visiting your site for a regular maintenance visit, the second thing we do (the first is making sure the server isn't about to burst into flames) is a test restore of files and folders to confirm the backup data chain is intact. Now Vertech has upgraded this testing to provide a regular full restore of your servers into the Microsoft Azure hosting platform to confirm that the servers will actually boot up!
Previously, doing a full DR restore of servers was a time-consuming and expensive manual service. We are now able to automate much of the donkey work and can offer this peace of mind at a much better rate. Furthermore, this test restore can be used as the basis for a fast full-site recovery option should the office go up in a puff of smoke!
If your business needs a reality check on your Backup and DR then give me a call on +64 9 9720364 or email me firstname.lastname@example.org and I'll be happy to come out and provide a free consultation.
Ransomware emails & Staff Training
We've been seeing a steady stream of emails with increasing levels of sophistication targeting clients. Because of the serious risks associated with ransomware we've proactively enabled a new feature on the Vertech Mail Security platform across the board.
From now on, all zipped attachments, executable files and macro enabled documents will be treated as Spam (but able to be manually released from Quarantine).
All Scripting type files will be treated as Malware.
If your business has legitimate email traffic with those types of attachments then please notify our Service Desk here so we can tailor your company email security policy to suit.
NB: Please be careful about making your whitelist entries too generic, e.g. a subject line of "RE: " in your list of allowed subjects is inviting trouble, since it matches almost every reply!
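As an added example of the policy described above (not the Vertech Mail Security platform's own logic), the Python below classifies attachments the way the post says they are treated, applies a whitelist the way a manual release would, and measures how much of a constructed mail stream a generic entry like "RE: " would let through. The extension lists and sample subjects are constructed assumptions.

```python
"""Attachment policy: scripts are malware, archives/executables/macro docs are
spam (quarantined but releasable), everything else is allowed; plus a check that
shows why a subject whitelist entry of "RE: " is far too generic.

Added example, not the mail platform's own code. Extension sets and the sample
subjects are constructed for the demonstration.
"""

ARCHIVE_EXT = {".zip", ".7z", ".rar"}
EXECUTABLE_EXT = {".exe", ".msi", ".scr", ".com"}
MACRO_DOC_EXT = {".docm", ".xlsm", ".pptm"}
SCRIPT_EXT = {".js", ".vbs", ".ps1", ".bat", ".cmd", ".wsf", ".hta"}

QUARANTINE_EXT = ARCHIVE_EXT | EXECUTABLE_EXT | MACRO_DOC_EXT


def attachment_verdict(filename):
    """Return 'malware', 'spam' (quarantine, releasable) or 'allow' for one attachment."""
    name = filename.lower()
    # Judge by the LAST extension so 'invoice.pdf.js' is treated as a script, not a PDF.
    ext = name[name.rfind("."):] if "." in name else ""
    if ext in SCRIPT_EXT:
        return "malware"
    if ext in QUARANTINE_EXT:
        return "spam"
    return "allow"


def subject_whitelisted(subject, allowed_subjects):
    return any(subject.lower().startswith(a.lower()) for a in allowed_subjects)


def message_verdict(subject, attachments, allowed_subjects=()):
    """Whole-message verdict: the worst attachment wins; a whitelist hit releases
    'spam' but never 'malware', mirroring what a manual release could do."""
    verdicts = [attachment_verdict(a) for a in attachments]
    if "malware" in verdicts:
        return "malware"
    if "spam" in verdicts and not subject_whitelisted(subject, allowed_subjects):
        return "spam"
    return "allow"


def whitelist_coverage(allowed_subjects, sample_subjects):
    """Fraction of sample subjects the whitelist matches. Near 1.0 means it is
    so generic that it effectively switches the quarantine off."""
    hits = sum(subject_whitelisted(s, allowed_subjects) for s in sample_subjects)
    return hits / len(sample_subjects)


# Constructed sample subjects; replies dominate, as in a real mail stream.
SAMPLE_SUBJECTS = ["RE: Invoice 1042", "RE: Your parcel", "RE: urgent payment",
                   "Quarterly report", "RE: Meeting notes", "Fwd: Scan from copier"]

if __name__ == "__main__":
    print(message_verdict("RE: Invoice 1042", ["invoice.zip"], allowed_subjects=["RE: "]))
    print(f"'RE: ' matches {whitelist_coverage(['RE: '], SAMPLE_SUBJECTS):.0%} of sample mail")
    print(f"'RE: Invoice 1042' matches {whitelist_coverage(['RE: Invoice 1042'], SAMPLE_SUBJECTS):.0%}")
```

The coverage number is the practical test for any whitelist entry: if it matches most of your inbound mail, it is not a whitelist, it is an off switch for the quarantine.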
Following on from last month's successful Cybersecurity Seminar with Zeald, I am now providing onsite staff group training sessions on:
What the threats are
How to spot them
How to stay safe on the internet.
Whilst we can put in place some very clever technology to defend your systems, your staff are the last line of defense and also the weak link.
Security and Success: How to survive and thrive online
If you are concerned about your security online, then this seminar is for you. The Security and Success: How to survive and thrive online seminar is a primer on cyber security threats for the harried business owner. We will cover various threats to the online user, the effects of these threats and how to mitigate the risks these threats pose to the average Kiwi business.
Vertech has partnered with Zeald to provide this Seminar at no charge on the 13th of April 2016. The 2-hour seminar will answer your questions about online security and best-practice for your website. Please arrive at 9.30 for registration. The seminar begins at 10am, finishing at midday with a short break for light refreshments.
Productivity Tip #3
If you have ever torn your hair out trying to get multiple busy people to agree on a single meeting time, or have spent more time firing emails back and forth than the meeting itself, then this might be the thing for you. Microsoft Garage has released a handy free tool for Office 365 and Outlook called FindTime.
This nifty add-in creates a simple poll of acceptable times that you select and sends it to all parties. They can then vote on their preferred time slots, allowing everyone to reach a consensus on the meeting schedule. This works for people both inside and outside of your organisation and greatly simplifies the process! Watch my video below to find out how to install and work with it:
Video Tip: Simplify Scheduling using FindTime
New Insurance exemption clauses
This morning I opened the mail and noted that our business insurance (ASB) had some new clauses with respect to damage caused to electronic data. Gone is the old clause relating to the Y2K issue (that was a laugh) and in its place is an exclusion for "loss of or damage to electronic data from any cause whatsoever including but not limited to, a computer virus".
I guess this means that the insurance industry is seeing a significant amount of claims from this cause and are seeking to eliminate this risk to their profits.
Prevention is better than the cure but always have a good backup plan. Your business insurance may not save the day.
Every couple of months I take a Friday off from the business to attend a business coaching workshop as part of the Velocity program delivered by the marvelous people at The Breakthrough Co.
Last Friday's topic revolved around Habits, how to utilise what we know about habits to encourage productive activity which we can use to develop our businesses and to quarantine the bad habits that suck our energy.
As most people know, email is a critical business communication tool vital to the operation of businesses everywhere; however, as this brilliant comic from The Oatmeal illustrates, it needs careful containment so as not to distract you from your mission. Click the image to view.
Quick Tips for controlling your Email Monster.
Schedule Set times in your day for checking and responding to email - don't let email schedule your day.
Don't send them at inappropriate times - if you don't want staff emailing you at midnight then don't lead by example.
VIDEO TIP - Set Outlook to open to Calendar rather than your Inbox - You're most effective in the mornings, stay on task.
VIDEO TIP - Disable those distracting email popup notifications! - Keep focused on task rather than feeding the monster.
The following article is taken from Dan Kaplan's excellent post at Trustwave here.
2014 was a year of reckoning for IT and security professionals globally. Like never before, the crushing consequences of risky business behaviour, combined with continued hacker acumen, were hung on full display, for the world to see. And evidence of the fallout was everywhere: from high-profile vulnerabilities like Heartbleed and Shellshock, to innovative malware attacks such as Backoff, to devastating data breaches that brought household brands (and countless others that you'll never read about) to their knees.
At the rate things are going, 2015 is setting up to be even direr. No doubt, awareness of the threats has catapulted security onto the boardroom agenda, but the fact remains that most organisations are operating at some level of denial - somewhere between "It won't happen to me" to "We checked the compliance boxes, so we're good to go." At a point, however, businesses that have been making - and paying for - the same mistakes for the past five years must arrive at a collective awakening.
It can - and likely will - happen to you: Experts have been claiming for some time that data breaches are a when, not if, prospect. Yet they continue to happen, and responses remain poor - 71 percent of compromise victims don't even detect the breach themselves. Incident response and readiness, therefore, must become a priority. Invest, test the plans regularly and get everybody on board with them.
Your perimeter is dead: Mobility and BYOD is king, and the whole notion of the "internet of things" is just as real for the business environment as it is for the home consumer. Increasingly devices are internet-connected, and it's critical to understand which systems are trying to connect to your network. Also, mind your outsourced suppliers. Vendor risk management is more important than ever.
How safe are your staff devices? At present 60 per cent of New Zealanders own a smartphone and/or tablet/iPad, and this percentage is expected to keep climbing. However, many people don’t apply the same safety standards to smart devices that they would to their PC at home or at work, even though they store a huge amount of personal and work data. Here are some key precautions to be aware of:
Use a complex PIN lock and treat it like your EFTPOS PIN i.e. keep it to yourself so no one else can access your information
Use an antivirus app and make sure it’s up to date
Upload “locate and lock” apps to help you find, lock and wipe your smartphone if it is lost or stolen
Back up your important information like contacts, photos and documents - there are plenty of cloud storage options that allow you to do this
Use approved apps – not all apps are nice! Install apps only from Google, Microsoft and Apple stores
Only store information and files on your phone that you can afford to lose, otherwise store it somewhere else.
Advice from Daniel:
The world's gone mobile. Staying connected is cheap and it's everywhere and more people than ever want to - need to - work across a number of platforms and devices. Yet despite its benefits, working in this way can be a major security issue for employers if adequate device management isn't in place. Vertech now offers a Mobile Device Management service to take care of these issues so you can rest easy.
Additional advice from Jay:
BYOD or guest devices should not be able to access any internal network resources, because they can have a virus on them and spread it to the office network. The WiFi for BYOD devices should be on a segregated VLAN that can go to the internet only and is unable to see any of the internal network, to isolate BYOD devices.
Your employees are mistake-prone: As advanced as threats may be, oftentimes they are meaningless until they are welcomed inside the virtual door of a business. That deed typically is done by an unwitting employee who, for example, uses an easily crackable password or clicks on a link or attachment that they shouldn't have. Social engineering ruses, like targeted phishing attacks and blended threats, are getting better at tricking innocent users, but one can't overstate the importance of a regularly refined security awareness program that receives executive-level support.
Advice from Mital:
Change passwords from time to time – employees don’t like it because they find it difficult to memorise the new password.
Customers often request us to disable password expiry or allow simple passwords; however, we strongly discourage this and recommend complex passwords (a mix of numbers, letters, case and punctuation marks, at least 7 characters long) changed on a monthly to quarterly basis.
Top Password Tips:
* A good password doesn't have to be entirely random, you can create a memorable password out of song lyrics or three unusual words with substitutions. e.g. W@l1ays = We @ll live 1n a yellow submarine, or 6redPhone!
* Don't share passwords!
* When a person leaves the organisation, please contact us to remove or disable the account - we can give you options on how to retain access to that staff member's data and email. We can help you document a staff exit procedure.
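As an added example that is not part of the original post, the Python below encodes the password policy stated above (at least 7 characters with numbers, letters, both cases and punctuation) and the song-lyric mnemonic trick, and checks the post's own two examples against it. The function names and the extra sample passwords are constructed for the demonstration.

```python
"""Check a password against the policy in the post: at least 7 characters with
a mix of numbers, letters, both cases and punctuation; plus the mnemonic trick.

Added example, not from the original post. The passwords "W@l1ays" and
"6redPhone!" are the post's own examples; the others are constructed.
"""
import string

MIN_LENGTH = 7  # the post's minimum


def policy_check(password, min_length=MIN_LENGTH):
    """Return the list of unmet requirements; an empty list means the password passes."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if not any(c.isdigit() for c in password):
        failures.append("no number")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c in string.punctuation for c in password):
        failures.append("no punctuation")
    return failures


def passes(password):
    return policy_check(password) == []


def phrase_to_password(phrase):
    """Build a password from the first character of each word, exactly as the post's
    example does: 'We @ll live 1n a yellow submarine' -> 'W@l1ays'. Digits and
    symbols typed into the phrase carry through as substitutions."""
    return "".join(word[0] for word in phrase.split())


if __name__ == "__main__":
    for candidate in ("W@l1ays", "6redPhone!", "password", "Ab1!"):
        problems = policy_check(candidate)
        print(f"{candidate!r}: {'OK' if not problems else ', '.join(problems)}")
    print(phrase_to_password("We @ll live 1n a yellow submarine"))
```

Both of the post's examples pass, and the mnemonic builder reproduces "W@l1ays" from its phrase, which shows why the trick works: the substitutions are made in the phrase you remember, not bolted onto the password afterwards.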