You might hold the secret to data security in your finger

The secret to data security could be at your fingertips.

Keeping our data secure is crucial, whether it’s business secrets or personal information. Passwords were once the top method for protection.

But do they still suffice?

Recent reports indicate many still prefer passwords, with a minority choosing biometric options like fingerprints. The reluctance is understandable, given the general concern for data privacy and security.

So, what are biometrics, and why consider them over passwords?

Biometrics utilize unique physical or behavioral characteristics, such as fingerprints, facial structure, or eye scans, to confirm identity. They offer a higher security level than passwords, which are vulnerable to being forgotten, stolen, or hacked.

Concerns about biometric data falling into the wrong hands exist, but such incidents are rare and require significant expertise.

Biometrics remain a robust defense against cyber threats, offering more difficulty in duplication and greater convenience than passwords. Forget the hassle of remembering complex passwords—a simple biometric scan suffices.

Unconvinced about biometrics?

Consider passkeys, a modern authentication alternative to traditional passwords. Passkeys employ unique codes that are challenging to phish, enhancing security.

Combining biometrics with passkeys could significantly bolster your business’s security, simplifying security procedures for everyone.

While passwords have been reliable historically, the future of security may lie in biometrics and passkeys.

Don’t think your business is a target? Think again

Believing your business is too small for cybercriminal attention? It’s time to reconsider.

It’s a common misconception that cyber criminals exclusively target large corporations or those with significant financial resources, lured by the prospect of hefty payoffs. However, this isn’t the full picture.

Recent findings indicate that cyber attackers are broadening their horizons, aiming at companies of every scale – from solo entrepreneurs to multinational conglomerates. A key tool in their arsenal? Botnets.

If you’re puzzling over what a botnet is and its relevance to you, here’s the scoop: botnets are cyber criminals’ clandestine forces, consisting of hijacked devices commandeered by a sinister overseer. These devices range widely, from personal computers to, surprisingly, smart refrigerators. Indeed, even household appliances can be weaponised in the cyber realm.

A notable study highlighted “massive surges” in botnet activities, witnessing over a million devices embroiled in malicious exploits at peak times. To give you an idea of the scale, this activity level is a hundredfold increase over typical botnet operations.

On an average day, about 10,000 devices might engage in malevolent actions, with 20,000 being an exceptional peak previously recorded by researchers. Yet, in December 2023, the figure soared to 35,144, and within a fortnight, it climbed further to 43,194. The most staggering spike observed was 143,957 devices simultaneously involved in nefarious activities, with the dawn of January 2024 seeing spikes surpass a million devices!

The motive behind these operations? Botnets scour the internet for vulnerabilities in websites, servers, and email systems, exploiting any weakness found.

Imagine the internet as a fortress peppered with various entryways. These cyber criminals diligently search for any unguarded access points, focusing on specific “ports” to infiltrate.

So, how can you fortify your business against these digital threats?

Strengthening your digital “fortress” involves several key steps:

  • Ensure all software, operating systems, and applications are consistently updated to patch any security holes.
  • Deploy robust firewall and antivirus solutions to safeguard your technology.
  • Train your team on cyber security awareness, emphasizing caution with dubious links and emails.
  • Implement stringent, unique passwords across all accounts and devices.
  • Conduct regular data backups to mitigate data loss risks from cyber attacks.
  • Monitor your networks for any signs of abnormal activities.
  • Consider consulting with a cyber security specialist (like our team) to review and boost your defences.

Interested in bolstering your business’s cyber security? Reach out for expert assistance.


Which ransomware payment option is best? (Hint: none)

Imagine this scenario: Your business is suddenly struck by a ransomware attack, leaving your crucial data under lock and key by cybercriminals who demand a hefty ransom to release it. The price to regain access? It’s steep, and you’re not in a position to meet their demands. But here’s where it gets interesting – in a twist reminiscent of “buy now, pay later” deals, some ransomware operators are now offering victims the option to extend their payment deadlines.

Recent studies have shed light on how these ransomware syndicates are evolving their tactics. Among their new strategies is offering victims a menu of ransom options. This includes the choice to pay a fee of $10,000 to postpone the public release of their stolen data or to pay for the complete deletion of their data before it goes public. Negotiations over the ransom amount add a deeply unsettling aspect to these encounters.

To ramp up the pressure, these groups have introduced some harrowing new features on their websites, such as countdown timers that tick away the minutes until the data leak, counters that track page views, and tags that blatantly expose the identity and details of their victims. The intention behind these tactics is clear: to back victims into a corner and push them towards meeting the ransom demands.

You may think paying the ransom is the quickest way to safeguard your business data, but here’s why that’s a risky move:

  • Paying doesn’t ensure the return of your data or prevent future demands for more money.
  • By paying, you’re indirectly supporting criminal activities, encouraging them to target more victims.
  • Making ransom payments could also land you in legal hot water, as paying cybercriminals is considered illegal in some jurisdictions.

So, how can you protect your business from becoming the next victim of a ransomware attack?

  • Regular, secure data backups can save you from being held hostage by cyber threats.
  • Educate your team on the dangers of ransomware and how to spot phishing attempts and dubious links.
  • Invest in high-quality cyber security solutions and keep them updated.
  • Regularly update your systems and apply security patches without delay.
  • Segregate your network to contain ransomware spread should an infection occur.
  • Have a detailed incident response strategy ready for potential ransomware attacks.

Choosing to pay ransomware demands often leads to more problems, with businesses that comply becoming repeated targets. Instead, focusing on preventative measures can offer a stronger defense. Should you need assistance enhancing your cyber security posture, don’t hesitate to reach out to us.

Is that Microsoft email actually a phishing attack?

You’re probably well aware of the dangers lurking in your email inbox, but have you ever thought that an email appearing to be from Microsoft could actually be a disaster waiting to happen?

Microsoft, a brand we all recognise and trust, has unfortunately become the top target for phishing scams. In these scams, cybercriminals send you an email with a dodgy link or file, aiming to nick your data.

While Microsoft isn’t at fault here, it’s crucial for you and your team to be extra vigilant for anything that looks fishy.

In Q2 of 2023, Microsoft took the lead as the most impersonated brand by scammers, making up a staggering 29% of all brand phishing attempts. This puts them well ahead of Google in second place (19.5%) and Apple in third (5.2%). Combined, these three tech giants are responsible for over half of all brand impersonation attacks.

So, what does this mean for your business?

Even though there’s been a noticeable uptick in fraudulent emails targeting Windows and Microsoft 365 users globally, being observant can go a long way in shielding you from identity theft and fraudulent activities.

While the brands being mimicked may change over time, the tactics used by cybercriminals often remain the same. They’ll use convincing logos, colours, and fonts, and their phishing scams often feature URLs that look almost identical to the real thing. However, a closer look will usually reveal typos and mistakes—dead giveaways of a phishing attempt.

One of the latest scams warns you of unusual activity on your Microsoft account and directs you to a harmful link. These links are crafted to snatch everything from your login details to your payment information.

And it’s not just tech companies that are popular targets. Many scammers have shifted their focus to financial services like online banking, gift cards, and e-commerce. Wells Fargo and Amazon also made it to the top five in Q2 2023, accounting for 4.2% and 4% of brand phishing attempts, respectively.

How can you safeguard your business?

The way to protect your business is more straightforward than you might imagine. The most effective defence against phishing is not just individual vigilance but also equipping your staff with the right training. Teach them to pause, observe, and critically examine emails for red flags such as inconsistent URLs, domains, and textual errors. By making sure everyone on your team knows what to look out for, you’re adding an extra layer of security against these types of attacks.
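As an added illustration (not code from the original post), the check below flags the two red flags named above in an HTML email body: a displayed URL whose domain differs from the link target, and a target domain that imitates one of the brands listed in the article. The trusted-domain list and the sample email are constructed assumptions, not data from the page.

```python
# Added example: flag the phishing red flags the article describes (inconsistent
# URLs/domains and lookalike brand domains) in an HTML email body.
# Standard library only. Brand list and sample email are constructed for illustration.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains the organisation treats as genuine for each brand.
TRUSTED_BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "live.com", "office.com"},
    "google": {"google.com"},
    "apple": {"apple.com", "icloud.com"},
    "amazon": {"amazon.com"},
    "wellsfargo": {"wellsfargo.com"},
}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """Rough 'example.com' from 'login.example.com' (ignores multi-part suffixes)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character swaps like micros0ft."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from anchor tags."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def lookalike_brand(host: str):
    """Return the brand a host imitates, or None if it is genuine or unrelated."""
    reg = registrable_domain(host)
    if any(reg in genuine for genuine in TRUSTED_BRAND_DOMAINS.values()):
        return None  # the real thing
    tokens = reg.split(".")[0].split("-")
    for brand in TRUSTED_BRAND_DOMAINS:
        # Heuristic: brand name embedded in the domain, or a label within two edits of it.
        if brand in reg.replace("-", "") or any(edit_distance(t, brand) <= 2 for t in tokens):
            return brand
    return None


def find_red_flags(html_body: str):
    """Return a list of (reason, href) findings for an HTML email body."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        # Red flag 1: the visible text shows one domain, the link goes elsewhere.
        shown = URL_RE.search(text)
        if shown:
            shown_host = urlparse(shown.group(0)).hostname or ""
            if registrable_domain(shown_host) != registrable_domain(href_host):
                findings.append(("displayed URL does not match link target", href))
        # Red flag 2: the target imitates a well-known brand.
        brand = lookalike_brand(href_host)
        if brand:
            findings.append((f"lookalike of {brand}", href))
    return findings


# Constructed sample resembling the "unusual activity" lure described in the article.
SAMPLE_EMAIL = """
<p>We detected unusual sign-in activity on your Microsoft account.</p>
<p>Review it at <a href="https://micros0ft-account.example">https://account.microsoft.com</a></p>
<p>Questions? <a href="https://support.microsoft.com">Microsoft Support</a></p>
"""

if __name__ == "__main__":
    for reason, href in find_red_flags(SAMPLE_EMAIL):
        print(f"RED FLAG: {reason}: {href}")
```

The second link is left alone because its registrable domain is on the trusted list; only the mismatched, lookalike link is reported.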

If we can help you keep your team aware of the risks, get in touch.

Training Employees on Cybersecurity

After completing your annual phishing training, which teaches employees how to spot phishing emails, you feel confident. However, your confidence is shattered when your company falls victim to a costly ransomware infection due to a click on a phishing link. Despite undergoing the same training every year, you continue to experience security incidents, which begs the question of how often you should train your employees.

How often do you need to train employees on cybersecurity awareness?

It’s not enough to train your employees just once a year. Without reinforcement, people are unlikely to change their behaviors or may forget what they’ve learned after a few months. According to research, the “sweet spot” for training frequency is every four months, as this results in more consistent improvements in IT security.

A recent study presented at the USENIX SOUPS security conference looked at the relationship between training frequency and users’ ability to detect phishing emails. The study tested employees’ phishing identification skills at various time increments, including four months, six months, eight months, ten months, and twelve months. The results suggest that training every four months is optimal for improving your team’s cybersecurity awareness.

Employees took phishing identification tests at several different time increments:

  • 4 months
  • 6 months
  • 8 months
  • 10 months
  • 12 months

The study revealed that four months after their initial training, employees had good scores in accurately identifying and avoiding phishing emails. However, their scores started to decline after six months and continued to worsen as more time passed since their training.

To ensure employees remain well-prepared, it is crucial to provide ongoing training and refreshers on security awareness. This will empower them to actively contribute to your cybersecurity strategy.

Tips for Training Employees and Cultivating a Cybersecure Culture

The ultimate goal of security awareness training is to foster a cybersecure culture. In this culture, everyone recognizes the importance of safeguarding sensitive data, avoiding phishing scams, and maintaining secure passwords.

Unfortunately, according to the 2021 Sophos Threat Report, most organizations do not exhibit this culture, and a lack of sound security practices poses a significant threat to network security.

According to the report, the root cause of numerous severe attacks its authors investigated is a lack of attention to basic security hygiene. Having well-trained employees plays a crucial role in mitigating a company’s risk and reducing the likelihood of falling victim to various online attacks. Effective training doesn’t necessarily require lengthy cybersecurity sessions; it’s more effective to diversify the delivery methods.

Here are some examples of effective cybersecurity training methods that you can include in your training plan:

  1. Monthly self-service videos: Provide employees with self-service videos via email on a monthly basis to enhance their cybersecurity knowledge and awareness.

  2. Team-based roundtable discussions: Organize interactive roundtable discussions within teams to encourage knowledge sharing and collaborative learning about cybersecurity practices.

  3. “Tip of the Week” in company communications: Include a regular “Tip of the Week” in company newsletters or messaging channels to deliver bite-sized cybersecurity tips and best practices.

  4. IT professional-led training sessions: Arrange training sessions led by IT professionals who can provide in-depth insights and guidance on various cybersecurity topics.

  5. Simulated phishing tests: Conduct simulated phishing tests to assess employees’ susceptibility to phishing attacks and provide targeted training based on the results.

  6. Cybersecurity posters: Display informative and visually appealing cybersecurity posters in common areas to reinforce key security concepts and promote awareness.

  7. Celebrate Cybersecurity Awareness Month: Dedicate the month of October to celebrate Cybersecurity Awareness Month by organizing special events, workshops, or training sessions to emphasize the importance of cybersecurity within your organization.

By incorporating these diverse training methods, you can ensure a comprehensive and engaging approach to cybersecurity training for your employees.

When conducting awareness training, it’s essential to cover not only phishing but also other crucial topics. Here are some important areas that should be included in your training mix:

Phishing by Email, Text & Social Media

While email phishing remains the most common form, it’s crucial to address the growing threats of SMS phishing (“smishing”) and phishing through social media. Employees need to be able to recognise these deceptive tactics and avoid falling victim to these scams.

Credential & Password Security

With the widespread adoption of cloud-based platforms, credential theft has become a significant concern. It has become the leading cause of data breaches globally, particularly as it provides an easy pathway to breach SaaS cloud tools. It’s critical to discuss with your team the importance of maintaining secure passwords and using strong authentication methods. Additionally, provide guidance on tools such as business password managers to assist them in safeguarding their credentials.

Mobile Device Security

Mobile devices have become an integral part of daily work, enabling employees to access emails and perform tasks from anywhere. Considering this, it’s essential to review the security requirements for employee devices that access business data and applications. Emphasize the importance of securing mobile devices with passcodes, keeping them regularly updated with the latest security patches, and following best practices for mobile device security.

By addressing these topics in your awareness training, you can better equip your employees to recognize and mitigate the risks associated with phishing, credential theft, and mobile device security.

Data Security

As data privacy regulations continue to increase, it is crucial for companies to comply with multiple data privacy regulations. To mitigate the risk of data leaks or breaches that could result in costly compliance penalties, it is important to provide training to employees on proper data handling and security procedures. By ensuring employees are well-versed in data security, you can minimise the potential risks associated with mishandling sensitive information.

Need Assistance in Maintaining Your Team’s Cybersecurity Training?

Take the burden off your shoulders and entrust the training of your team to cybersecurity professionals. We offer an engaging training program designed to help your team develop better cybersecurity practices and enhance their cyber hygiene. With our expertise, we can provide the necessary guidance and knowledge to facilitate behavioral changes and improve your overall security posture.


Dark Web Monitoring: what is it & does my business need it?

The global pandemic transformed the way we conduct business, and it’s unlikely that things will ever be the same again. With the increasing reliance on online platforms for both personal and professional transactions, geographical distances and time zones have become irrelevant. However, conducting business online also comes with inherent dangers and threats that we must be aware of.

One significant threat is data breaches, where cyber criminals manage to hack into legitimate commercial website databases. Well-known companies like Facebook and T-Mobile have fallen victim to such breaches, resulting in the theft of over 550 million records. In fact, the Identity Theft Resource Center reported a staggering 68% increase in stolen data in 2021 compared to the previous year.

When your email and password used to log into a website are stolen, they end up in the hands of highly skilled and destructive cyber criminals. These criminals may also obtain other personal information, such as addresses, mobile numbers, and credit/debit card details, that you have saved on the website.

So, what happens to your stolen data?

Your stolen credentials typically end up in a hidden part of the internet known as the Dark Web, where a significant portion of cyber-criminal activity takes place. Over time, your stolen data may be used and distilled by a sequence of criminals in their efforts to create financial gain at your expense. The exact methods they use to steal from end users using stolen credentials can vary, but it’s a sophisticated and malicious process that can span months or even years.

Understanding the risks and implications of data breaches and the Dark Web is crucial for protecting your personal and business information. It’s important to take proactive measures, such as implementing strong security measures and monitoring services, to safeguard against these threats in the ever-evolving landscape of online business transactions.

As we have emphasised, cybersecurity is not limited to a single tool or service, but rather a comprehensive security suite that protects various aspects of your online presence, including email, computers, devices, and overall online activity.

Now, we can answer the initial question of why dark web security is necessary. Dark web scanning acts as a proactive measure before cyber criminals can fully exploit your breached data. By providing timely alerts about breach details, it allows you to take relevant actions to secure your account and render the stolen or breached data useless.

You can easily purchase dark web security from Geniosity at a reasonable monthly cost. A substantial loss can be avoided with dark web security in place.

If you would like to delve deeper into this topic, please feel free to get in touch with us. We are happy to provide useful information for your business and assist you with dark web security.

For more information about dark web scanning, please visit our Dark Web Monitoring page or drop us a line.

Working from Home Securely

Keeping Your Company Data Secure for Remote Work

The last couple of years have seen some big changes in the way that we work and communicate. Both technical advancements and the need for people to work from home have made for quick uptake of group work, online communication and collaboration software. Of course, it was always heading that way, but COVID became something of an accelerator. It is being widely reported that the ways we communicate in our personal and business lives are forever changed.

With the added advantage of remote communication and shared files comes an added risk for the security of data and information. Managed correctly though, you can have your communication cake and eat it securely too (apologies for the bad pun 😉). We take a look at a few ways to ensure that your staff and data are safe for remote work.

General Security Principles

Hopefully by now, you have had the time to settle into some processes and procedures that allow your team to work uninterrupted from any location. General security is a must whether people are working remotely or on-site. Setting up those baseline configurations, processes and procedures around security is always critical to the running of an effective business.

Some businesses that have not correctly set up their IT infrastructure can be at risk of security breaches. When a single security issue can be enough to expose all of your client data, leak intellectual property or leave your system open to attacks and damage, it is of the utmost importance that you are protected.

It can be easy to assume that your system is secure because you have not experienced any problems (that you are aware of). Any business owner or manager is all too familiar with issues that occur with the handover of tasks and changes in employees. Business moves quickly, and as your company adapts, it is a given that some things will be missed or corners may have been cut. Businesses with a small number of staff who started with ad-hoc IT setups, or which have experienced rapid growth, may have holes in their security and not even know it.

One basic foundation is to ensure that all of your software is updated promptly to the latest version, especially updates with security patches. The latest software versions on all devices will ensure you are safe against current known threats. Having an automated system in place for security upgrades to automatically run at the correct time is important. People often begrudge having to update their passwords but scheduling changes of passwords regularly can save you some issues down the track. Just be sure to avoid bad passwords like password, computer and qwerty.

Cloud Solutions

The move to cloud computing brings a whole new world of collaboration and the ability for an improved workflow. Many companies have moved their on-site servers into the cloud by migrating their data, files and email into a service like Microsoft 365. By moving to the cloud, data is easily accessible and working from anywhere becomes a simpler concept once set up properly.

You need to ensure that you have good Endpoint Detection & Response (EDR) software for protection against online threats such as viruses, which protects all of your devices and complements the protection offered by your cloud provider. For companies that still require some on-site files, such as backups, you can look to an integrated approach. Different regions also have data and privacy protection laws governing where you are allowed to physically store client information. Microsoft allows you to set specific server locations to meet this requirement.

With a cloud solution like Microsoft Office 365 your staff are able to work directly in a browser with options for desktop versions of software available too. You can set up a bespoke solution that ensures data security and protection.

Extra Protection

As part of a complete data security approach there are plenty of solutions that will increase your protection. With people working from home or on portable devices, it is wise to implement some rules around where files are stored and how they are accessed. If you have a workforce using some of their own devices, you want to ensure that you retain access to all of the work files. Extra processes such as two-factor authentication (2FA) require staff to verify their details upon login through an extra app.

Rolling out a password manager across your company for sharing logins that are used by multiple staff will ensure passwords are up to date and secure. Platforms like LastPass, 1Password and Dashlane all offer an excellent product, but there are also bespoke solutions available. Some even offer a browser plugin that allows staff to log in without revealing the actual password to them.

There are a range of extra steps that you can take to increase security. For more information, take a look at our 3 part series on computer threats in the digital age, Viruses, Ransomware & Phishing, Oh My!, or drop us a line.

If you would like to learn more about how protected your business is, get in touch with us for a free introductory security audit.

Viruses, Ransomware & Phishing, Oh My! Part 3

This is part 3 of a 3 part series on keeping up with computer threats in the digital age. You can read about Viruses, Spyware & Trojans in Part 1 and take a look at Part 2 for information on Ransomware.

Phishing

Phishing attacks attempt to trick you into providing hackers or scammers with your information. This might be your passwords, bank details or personal information. A phishing attack often arrives in the form of an email with a clickable link. The email may look like a legitimate email from a friend or trusted company, or it could look like a simple link to a shared file. Hackers can target someone directly and build a profile of information on them. By using information from a data leak and some personal information, they can launch a phishing attack to get more information or directly access your accounts. Some phishing systems are multi-layered and advanced, gathering a hierarchy of logins and taking advantage of services such as resetting your password through email to access more and more of your data.

Many browsers will alert you to websites that are not secure and may be fraudulent and attempting to steal your information. By not opening unknown or suspicious-looking emails and not clicking on unknown links or files, you will be protecting yourself a great deal. Generally, banks and financial institutions will not request your login or account details via an email. Also be sure to check that the website you are on is correct by checking the address bar. Some antivirus software will also check links and websites visited and can stop malicious software from opening.

There is an ever-increasing range of threats, and the financial motivations and online anonymity make them a desirable tool for criminals across the world. Do your best to stay safe online, and for further reading check out our Staying Safe Online Checklist. You can also check out our anti-virus software, or for more information on how we can help you to protect your personal or business devices, get in touch.

Get in touch with us for more information on how we can help you and your business.


Viruses, Ransomware & Phishing, Oh My! Part 2

This is Part 2 of a 3 part series on keeping up with computer threats in the digital age. If you missed the first part, you can read about Viruses, Spyware & Trojans in Part 1.

Ransomware

Ransomware is something that has been in the news a lot lately. As more of our systems and services have an online component, criminal syndicates are creating ways to take advantage of this for financial gain. A ransomware program has the ability to gain access to a system and spread. It works away in the background of a device and, in essence, can lock you out of your data by encrypting it or even moving it. Often the system will then display a message saying that the data has been locked and that you will need to pay a ransom to have it unlocked.

Ransomware is the number 1 security threat and can be highly profitable for hackers. Ransomware attacks can target individual computer users and small to medium sized businesses, but increasingly large corporations and even government services and providers are being attacked. Many of these breaches have made the news lately, with high profile providers such as Colonial Petroleum Pipeline and multiple hospitals having their systems locked. At times the locking of this data can have very serious and even life-threatening consequences.

An attack on your personal system may see a request for a relatively small amount of money in the thousands, but some larger targets may be required to pay millions of dollars to retrieve their data. Worryingly, ransomware threats are on the increase, with some hackers even offering RaaS, or Ransomware as a Service, where a hacker provides a system that takes control of the whole process, including the requesting of funds.


Similar to ransomware is Doxware or Leakware which can infect your system and leverage your sensitive photos or files. It requests a ransom, which if not paid, will see your data shared online.

Ransomware can be hard to protect against, with quality antivirus software being an essential first level of protection. As ransomware can be used to remotely lock your system through services like iCloud, good password security is a must. Make sure to use different passwords for each of your logins and change them often. A password manager can assist in remembering all of your passwords, with some even notifying you of a breach. Two-factor authentication is another security measure that can help you to stay secure. As the companies behind Windows and Apple devices are constantly fixing security vulnerabilities, they release system updates which contain ‘patches’ or fixes. Keeping your computer or mobile device up to date is a great general security measure.

Keeping a regular backup that is separate from your main system is also a good option. If your device is infected with ransomware, then you will have a copy of your data to restore. You can regularly back up to cloud services such as Dropbox, Google Drive and iCloud, or use a backup-specific program that backs up to an external hard drive while you work. A good practice is to have a rotating system of backup drives with one kept offsite. While external hard drives can be infected by ransomware, keeping an offsite drive will minimise this risk.


Continue reading this series of 3 articles in Part 3, where we take a look at the threat of Phishing. 

Viruses, Ransomware & Phishing, Oh My! Part 1

This is Part 1 of a 3 part series on keeping up with computer threats in the digital age.

Threats to computer systems are constantly evolving and getting more advanced, while also causing more serious problems. In the early days, it was enough to have a basic antivirus program on your computer that would stop viruses and malware from affecting your computer. While this is still an excellent first line of defence, as the threats become more advanced there is an increased level of vigilance needed to stay safe.

While computers are generally what comes to mind when thinking about these types of threats, any connected device carries a degree of risk and can be targeted for an attack. Criminals, hackers and scammers are constantly developing new methods to gain access, steal data and even lock the data on your device and hold it to ransom. The need for safety measures extends from your personal devices such as mobile phones, tablets, computers and even smart devices around the home; to the online platforms that you use such as your email account, cloud storage and online banking. With so much of our lives now online, scammers and hackers are regularly targeting the online platforms that people use daily.

Oh My!

While there are a lot of crossovers between the various types of threats that are out there, we have broken them down into a few of the main categories with some information on how to stay protected. While the threats are quite serious and can cause a lot of damage, by following some simple guidelines and best practices you can maximise your protection.

Viruses, Spyware & Trojans

“Virus” is one of the terms people use most often when speaking about threats to computers, and it fits under the broader category of malware. Malware is short for malicious software; this umbrella term includes a range of threats including viruses, spyware, trojans, key loggers, worms and more.

Some viruses have the general goal of causing issues on your system by deleting data and spreading themselves to other computers. In the early days, the computer virus, although malicious, was often made just to cause general mayhem and spread across as many computers as possible. A virus is self-replicating and therefore able to copy itself across local computer networks and even online.


One of the keys to a successful virus is the ability to stay hidden in your system while replicating and causing damage. Many viruses and types of malware are designed to stay hidden indefinitely, such as a Trojan, which disguises itself as a legitimate program, and Spyware, which hides in the background collecting information such as passwords, files, location data or financial information. Adware will even display pop-up ads directly on your computer. Some of these programs have a Keylogger, which records every key press you make and sends it to a third party.

One of the absolute best protections against viruses and malware generally is a good quality piece of anti-virus software. There are plenty of excellent free options out there and some paid programs that offer extra levels of protection. As viruses and the criminal systems behind them get more advanced, though, we are seeing malware and viruses designed to steal information, spy through your devices and gain access to secure data. Decent antivirus software will give you an essential base level of protection.


Continue reading this series of 3 articles in Part 2, where we take a look at the threat of Ransomware.