Warning – The Most Effective Social Engineering Attacks


Although it may seem as if hackers, criminals, and thieves prefer the challenge of attacking only seemingly impenetrable computer systems, this is not necessarily the case. While it is true that companies do need effective security measures in place to handle these types of impersonal attacks, hackers still frequently turn to more traditional methods of cyber attacks for one good reason.

As IT security methods continue to become more sophisticated, hackers sometimes find it more lucrative (and easier) to perform social engineering attacks that allow them to manipulate human behavior. Unfortunately, this works because staff members are either poorly trained (if at all) to spot hacking attempts or, unlike a machine, sometimes let their guard slip. Of course, hackers understand all too well that a busy or unsuspecting employee may eventually provide them with an opportunity to slip their way into a corporate system: they just need patience.

Top Social Engineering Attacks 

  • Phishing – All it takes is a credible-looking email with either a link or an attachment to click on, and an employee may either give away sensitive information or allow a virus to enter their corporate computer system.
  • Spear Phishing – This is similar to traditional phishing attempts, except that hackers target a specific person in a company. Often the targets are in positions related to lucrative financial aspects of the company.
  • Whaling – Rather than targeting one individual, whaling attempts involve attacking an entire level of higher management. This could be in companies or government agencies. Some of the attacks require a significant amount of research and are quite sophisticated in nature.
  • Vishing – Vishing involves using a phone rather than email in order to impersonate a business. The hackers pretend to be a legitimate company simply making a business call. Their goal is to find unsuspecting employees who will provide them with sensitive corporate information, often banking details.
  • Pretexting – This type of hacking also involves impersonation. A hacker may phone an employee and pretend to be the company’s IT vendor. They may state that they are investigating a hacking attempt and then claim that they need passwords and other sensitive information for specific computer systems.
  • Baiting – A hacker may leave a memory stick somewhere in or outside of a company they want access to. An unsuspecting employee discovers the memory stick and plugs it into a company computer to determine what it contains. Unfortunately, the memory stick is loaded with a virus or other malicious software.
  • Tailgating – This is another type of hacking attempt that involves the physical presence of the hacker. In this scenario, a hacker pretends to be a delivery driver, company visitor, or facilities manager in order to gain access to unauthorized areas.

Summary  

It’s difficult, if not impossible, for companies to stay up to date on all the latest technology pitfalls. Many hackers are very sophisticated, methodical, and patient. It takes a professional IT vendor who makes it their business to stay on top of all the latest technology security issues to develop an effective security training program for their clients. If you would like more information on security training for all of your staff members, please contact us.

Top 5 Mobile Device Security Protocols for Organizations

More and more organizations are allowing their staff to rely on portable smart devices in order to conduct official business. With 24-hour, on-the-spot access to key information and business tools, portable devices offer astounding amounts of flexibility and convenience, enabling employees to access their organization from anywhere. That said, the question must be asked: is enough being done to ensure mobile device security?

In this post, we will outline 5 tips to consider regarding corporate mobile use.

Updating Mobile Device Security Policies 

Whether an organization writes its own security policies or outsources its IT services to a third party, corporate leaders need to make sure their written security policies address specific issues regarding mobile use. Not only does this force companies to sit down and seriously consider all the ramifications of mobile data access, but it also lets staff members know that IT security policies are not just “office-only” policies to follow.

Protect What’s Really Important 

By updating corporate security policies, it becomes obvious that what businesses are really protecting is the data that employees might access. No one is going to write up a security policy regarding the potential loss of a mobile device that cost a few hundred dollars. From the top down, everyone needs to clearly understand that following mobile usage policies is about data, not simple device breakage.

Mobile Device Security  

There is security software specifically available for mobile devices. Companies must ensure that any mobile device their employees use, whether company or personally owned, has professional security software installed and updated regularly.

Scrambling the Data

Along with mobile security, there are also mechanisms available that will scramble, or encrypt, phone data such as contact lists, emails, text messages, etc. Companies should check with those handling their IT operations to ensure encryption software is installed on all corporate mobile devices.

Consider Bluetooth Access

Many people don’t spend nearly enough time thinking about what it really means to have Bluetooth-enabled devices. They don’t know that:

  • Most new devices come with Bluetooth enabled
  • Anyone nearby could potentially connect to their mobile device
  • Whether using Bluetooth for personal or business reasons, if it’s on, it’s on.

Bluetooth can be a very useful feature that allows one to take hands-free calls, texts, etc., but it is also very difficult to remember to manually turn it off when not in use. Companies need to seriously consider whether to allow their employees to use Bluetooth at all, or at least use security software that addresses Bluetooth use.

If you would like to know more about developing comprehensive security policies regarding employee mobile usage, please contact us.

Develop a Data Loss Prevention Strategy


Every business needs to think about the risk of data loss. Even the smallest ones have customer and financial information that has to stay out of the wrong hands. Many have records that could lead to identity theft if they’re stolen. A business needs a plan and a policy for data loss prevention. It has to include these steps:

Perform risk analysis for data loss prevention

Some information is especially sensitive, and managers have to concentrate their efforts on protecting it. A risk analysis will identify the information that most needs protection. It will identify areas that are vulnerable, such as unencrypted databases with weak access control. A prioritized list of assets at risk will provide the basis for a strategy.

Identify data movements

The biggest risks come when data is carelessly moved from one place to another. Weakly protected intermediate storage provides thieves with a prime opportunity. Moving unencrypted data over the Internet leaves it open to interception. If the information isn’t wiped clean after transferring, those intermediate points create a lingering risk. Transfer of sensitive data should always use a secure channel.

Grant access conservatively

Grant access to data only to those who need it. Even if you are completely trustworthy, someone can compromise your account. The less an intruder can do with any given account, the more limited the damage will be. Role-based access tailors privileges to people’s jobs.

Train employees on loss prevention

Most data loss is due, at least in part, to employee error. Creating weak passwords, responding to a phishing scam, and saving insecure copies of data are just some of the mistakes that can lead to serious data breaches. Employees need to develop habits of treating their accounts and the data they handle carefully.

Get expert help

Bluwater Technologies provides managed IT services that will help you keep your data safe. Our experts will help you identify the sources of risk in your network and find the best ways to prevent data loss. Contact us to learn how we can help your business.

Your Employees are the Biggest Threat to Your IT Infrastructure


One of the biggest threats to any company’s IT infrastructure, albeit an unintentional threat, is the company’s employees. It isn’t all that uncommon for a company’s employees to end up accidentally helping out criminals or compromising the company’s IT security just by doing what they consider to be completely normal activities.

When employees use their devices to access a company network so they can check their email, download files, etc., their device may end up getting infected by a virus or malware, or get hacked. When this happens, the company’s data can end up getting compromised in addition to that employee’s personal data. Of course, there is also the risk that they may lose these devices, and hackers or other criminals will then have access to that employee’s credentials, which they can then use to break into your network.

What Can You Do About It?

  • Provide your employees with additional training so that they are capable of identifying potential security risks and acting accordingly.
  • Make sure that you have established a clear and consistent set of policies. They should relate to password management, use of personal devices, data sharing and internet access.
  • If you don’t have a clear reason to allow it, then it may be in your best interests to ban the use of personal devices on your business’s network in order to minimize this risk.
  • Install a variety of security mechanisms, both hardware and software, so that you can easily identify when your network is being accessed and confirm that the person accessing it is authorized. That way, you can identify and address potential security breaches before they become a problem.

IT security is a critical portion of any business. When you let employees access your network, you are trusting them to be responsible with the data they can access. If you are going to give them access to this data, you should make sure they are responsible enough.

For more information about securing your IT infrastructure, contact us today!

5 Cybersecurity Questions to Ask Your Team


The more that technology advances, the more cyber attacks are committed against businesses of all sizes and in all fields of work. Your business is no exception. As you rely more on the internet and on machines to store data, information, and other sensitive material, you need to be aware of the cybersecurity threats that exist to your company.

While this threat may seem overwhelming and daunting, the risks to your company are indeed manageable ones. When talking to your IT team, whether they are workers your company hired or from outside IT firms, the following are 5 questions that you should be asking these professionals to understand your business’s risk and cybersecurity situation:

1. How is our company’s top leadership informed about cyber risks? 

Your IT department must communicate with the rest of the company about the risks of being the victim of a cyber attack. Understanding the current risks and what the IT department is doing to mitigate those risks is vital to keeping your company’s information safe. Ultimately, the CEO is the one responsible for any “risks” that are present for his or her company. They must be informed in order to make smart decisions about how the company’s information can be best protected.

2. What is the current business impact of cybersecurity risks on our company and how do we plan to address these risks? 

CEOs and other top company executives must understand the cybersecurity risks that their company faces. They should also be informed of what the IT professionals that work for the company are doing to mitigate these risks and keep the company information safe. Knowing this information and constantly communicating updates can keep anyone from making poor decisions if panic ever does strike.

3. Does our cybersecurity program implement the best and latest practices that keep up with industry standards? 

CEOs and other top company executives should be kept up-to-date on industry standards in cybersecurity and on how their company’s practices stack up against those standards. If the company is not up-to-date on the industry standards, then they must know what the plan is from the IT department to get the company there. Being up-to-date on industry standards for cybersecurity is vital to keeping your company’s information as safe as possible from people who would do you harm if they got ahold of that information.

4. What cybersecurity threats does your IT department identify each week? 

CEOs and other top company officials should be kept up to date on the latest cybersecurity threats facing their company. Ideally, these updates are given on at least a weekly basis. Updates should include recent threats and what has been done to limit those threats, as well as what new threats have popped up (if any) and what is being done to handle them.

5. How far-reaching is our cyber incident response plan? How often do we test it?

Despite your IT department’s best attempts to keep your company’s information safe, if something such as a data breach were to happen, what would the response be? It’s important for the CEO and higher-ups to understand what will be done if such a security breach happens. First, the plan should be explained to the higher-ups. Then, they should be informed of how often the plan is tested to ensure that it is thorough and effective.

These are 5 questions that you should be asking your IT company to ensure that your business is as safe from cybersecurity threats as possible. Actively having a plan in place to protect your company’s information is key. It will keep your business from being a target of any sort of cybersecurity threat. Moreover, having a plan in case your company is the target of an attack is also vital. Despite your best intentions, cybersecurity breaches can happen. How you react can help control how much more severe the problem becomes. Performing rash actions in the event of a cyber attack is never a good idea.

For more information on questions you should be asking your IT team, please feel free to contact us at Bluwater Technologies for further assistance.