Juice Jacking: The Next Cyberattack

Juice Jacking is another creative way that cyber attackers are accessing your data. Learn more about the concept and how to prevent it.  

The public must be on guard for any cyberattack that comes their way; however, attackers are creative and are constantly innovating towards the next type of cyber-attack to catch unsuspecting people. Most recently, the concept of “Juice Jacking” has made its way into public attention.

Juice Jacking is a type of attack that uses a charging port, infected cable, or portable battery to access available data on a connected device such as a smartphone or a laptop. Once a device has been infected, attackers can export your data, steal passwords and other personal information, or lock your device entirely, making it unusable.

How Juice Jacking works

A conventional USB cable does more than charge your device; its primary use is to transfer information from one device to another. That data path is what gives attackers access to a device as soon as it is connected to a USB outlet.

We have all heard of identity thieves installing card-reading devices, skimmers, or cameras on ATMs and other card readers such as gas station pumps, but attackers are also able to swap out USB hardware for another USB port that gives them access to anyone who connects to it. Typically, we see these threats to our devices in public places such as hotels, public kiosks, and airports.

Juice Jacking and Travel

People who travel regularly rely on public charging kiosks to keep them connected to family, loved ones, and work while out and about. But public USB charging stations are a prime target for people seeking to steal and use your personal information.

Attackers can use not only a public kiosk to gain access to your devices, but also an infected cable. Be careful not to use cables that are found already plugged into charging stations. You could also already have an infected cable in your possession, received as a free gift. It is very easy to disguise a cable to look like a brand-name item, and most people believe that cables are not capable of holding anything malicious.

Another method to get victims to connect to a power source is to infect portable batteries, and with the rise of shared or rented portable batteries that you can purchase in airports, it has become easier for attackers to gain their victim’s data and move on to the next airport, making pinpointing the problem harder for those trying to stop the attacks.

Preventing Juice Jacking

The easiest way to prevent Juice Jacking is to plug your devices in using the power adapter that normally comes with your device. Another option is to carry your own power bank. A personal power bank can hold enough power for several recharges. Finally, a product that has been developed to combat the threat of Juice Jacking is a USB data blocker, a small adapter that you attach to the end of the USB cable you would like to use and that prevents the transfer of data.

Prevent Hackers from Stealing Your VoIP and Costing You Money

Best ways to prevent your business from losing money because of hackers stealing your VoIP service.

In 2017, telecom fraud amounted to $29.2 billion in losses to organizations and carriers, according to No Jitter. One form of telecom fraud is theft of service, which is obtaining service through an individual or company without payment. VoIP is much more prone to theft of service than traditional telephony services. Service can be stolen through hackers stealing user names, passwords, and other account information. Hackers also can introduce malware into the system to more easily enable theft. Unfortunately, the Federal Communications Commission has not issued any regulations on VoIP fraud, which means that businesses are still liable for any hacked calls. Fortunately, businesses can take some precautions to prevent theft.

Protect Passwords

When businesses buy a new phone, they should always change the password from the factory settings. Some phones use different passwords for the phone interface and web interface. In this case, unique passwords should be used for each interface. Passwords should be made secure by changing them every six months and requiring at least 12 characters including upper and lower case letters, symbols and numbers. Businesses also should regularly update the admin portal password for the VoIP provider.

Limit Physical Access

VoIP phones and other instruments should be kept in a locked space to prevent unauthorized access. The environment of the space should be maintained within the limits set by the equipment manufacturer. Secure access panels to the air conditioning and power.

Build Security in Layers

To prevent attacks and service theft, an organization should plan its VoIP system as carefully as it does its data network. One way is to plan security in layers.

  • The first layer of security is preventing intrusions on the network. To secure the network, use VoIP-aware firewalls and shut down ports at any sign of malicious behavior, according to Tech Target.
  • The second layer of security is phone authentication. The phone will not be authorized to the network or to the IP PBX unless a mutual certificate exchange or a certificate and dongle architecture have authenticated it, according to Tech Target.
  • The third layer involves encryption or authentication between the media and various channels. This means media gateways, ALGs, firewalls and NAT devices, and SBCs, according to Tech Target.
  • Finally, the fourth layer is user authentication. Only users authenticated via a user name and password or token device or mutual swap should be allowed to make or receive phone calls, according to Tech Target.

Disable International Calling

Most hackers go after the more expensive international phone numbers. Businesses that don’t need to regularly make international calls can disable international calling, using an international calling card when necessary. If regular international calling is required, businesses should carefully check invoices to be sure all calls made are legitimate.
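
The invoice check described above can be run over the call detail records (CDRs) most VoIP providers let you export. The following is an added example, not code from the original article; the CSV columns, the home country code, the approved-destination list and the business hours are all assumptions, and the sample records are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample CDR export; the column names are assumptions and
# real provider exports will differ.
SAMPLE_CDR = """\
start,extension,dialed,seconds,cost
2019-11-04 10:15:00,101,+14165550123,300,0.00
2019-11-04 14:02:00,102,+442079460000,600,1.20
2019-11-09 02:11:00,105,+9995550100,1800,54.00
2019-11-09 02:45:00,105,+9995550101,2400,72.00
2019-11-09 03:30:00,105,+9995550102,2100,63.00
2019-11-05 09:30:00,103,4165550188,120,0.00
"""

HOME_PREFIX = "+1"             # assumption: the business dials from the +1 plan
APPROVED_PREFIXES = ("+44",)   # assumption: destinations the business really calls
BUSINESS_HOURS = range(8, 18)  # assumption: 08:00-17:59, Monday to Friday


def is_international(dialed):
    """True when an E.164 number is outside the home country code."""
    return dialed.startswith("+") and not dialed.startswith(HOME_PREFIX)


def review_calls(cdr_text):
    """Return (flagged international calls, international cost per extension)."""
    flagged = []
    cost_by_ext = defaultdict(float)
    for row in csv.DictReader(io.StringIO(cdr_text)):
        if not is_international(row["dialed"]):
            continue
        start = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        cost_by_ext[row["extension"]] += float(row["cost"])
        reasons = []
        if not row["dialed"].startswith(APPROVED_PREFIXES):
            reasons.append("destination not on approved list")
        # weekday() is 5 or 6 on Saturday and Sunday
        if start.weekday() >= 5 or start.hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if reasons:
            flagged.append(
                (row["start"], row["extension"], row["dialed"], reasons))
    return flagged, dict(cost_by_ext)


if __name__ == "__main__":
    calls, costs = review_calls(SAMPLE_CDR)
    for start, ext, dialed, reasons in calls:
        print(f"{start} ext {ext} -> {dialed}: {'; '.join(reasons)}")
    for ext, cost in sorted(costs.items()):
        print(f"ext {ext}: international cost {cost:.2f}")
```

An extension with a run of flagged calls and a large international total is the one to check first for a stolen password or an unlocked phone.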

Hackers Access CEO Email to Steal Company Money

BEC Scam Helps Hackers Steal Over $46M from Company

How fast could your company lose $46M? BEC Scams do it in minutes. Find out how criminals hack CEO emails to earn themselves a huge payday at your expense.  

Sometimes criminals hide in the shadows and sometimes they hide behind technology, waiting, ready to strike at the most vulnerable. You know this, so you’ve invested in employee education. Employees are aware of common cybersecurity threats and email scams. But the BEC scam turns everything on its head.

It does so by hijacking the CEO’s most important business communication tool, email.

What Is a BEC Scam?

A cybersecurity-aware employee would always check to see where an email is coming from if that email asks them to do something like send millions to a strange account. But what if that email looks like it comes from you?

A Business Email Compromise (BEC) scam is conducted via your CEO’s own business email account. The hackers monitor your email for days or months undetected before sending an email from you to one or more of your employees, asking them to do something like:

  • Wire money from the company accounts
  • Share their login to company programs

If an employee got an email from you, would they question it? In a modern workplace, you’ve built a team around you who would ask “why”. But what if the person receiving the email is not in your trusted circle?

Instead, scammers often target employees who report to the people in your trusted circle and don’t know you as well.

Hackers take it a step further. They use automation tools found on your email account to instantly identify and delete any emails questioning your instructions or warning you that you’ve been hacked.

Real World BEC Attacks

This attack isn’t uncommon and the results are costly. Here are just a few medium-sized businesses that paid the price.

  • Xoom Corporation – BEC scammers emailed an employee from the CEO’s account and convinced them to wire $30M to a business overseas under the guise of a business deal
  • Scoular Corporation – Employees wired an undisclosed amount to China for a fake acquisition deal. The email said, “We need the company to be funded properly and to show sufficient strength to the Chinese… I will not forget your professionalism in this deal, and I will show you my appreciation very shortly.”
  • Ubiquiti Networks – This San Jose company’s employee wired $46M at the “CEO’s” instruction. They were only able to recover $8M.

How to Protect Your Company from BEC Cybersecurity Threats

First of all, know that the CEO may not be the only target. It could be the CFO, CMO or even middle management.

Attackers often go after companies using Office 365, which is relatively easy to breach if extra precautions aren’t taken. They gain access to your email via simple tricks like getting you to share your password on a spoofed 365 website.

Deploy education and technology both to prevent someone from hacking a CEO’s email and to quickly identify when you or someone in the company has been compromised. This might include:

  • Powerful spam filters
  • Monitoring software
  • Malware protection and firewall
  • Security awareness training
  • Other customized solutions to maximize security
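
One check that monitoring can include is an audit of mailbox rules, since the automated deletion of questioning or warning emails described earlier relies on a rule left in the compromised account. The following is an added example, not code from the original article; the rule record layout, the keyword list and the folder list are assumptions, and the sample rules are constructed.

```python
import re

# Constructed sample of exported mailbox rules. The field names are
# hypothetical; map them from whatever your mail platform exports.
SAMPLE_RULES = [
    {"mailbox": "ceo@example.com", "name": "Newsletters",
     "keywords": ["unsubscribe"], "from": [],
     "actions": ["move:Newsletters"]},
    {"mailbox": "ceo@example.com", "name": ".",
     "keywords": ["hacked", "wire transfer", "is this really you"],
     "from": [], "actions": ["delete"]},
    {"mailbox": "cfo@example.com", "name": "tidy",
     "keywords": [], "from": ["it-security@example.com"],
     "actions": ["mark_read", "move:RSS Feeds"]},
]

# Assumption: words found in replies that question a request or warn of a hack.
WARNING_TERMS = re.compile(
    r"hack|phish|fraud|scam|suspicious|compromis|wire|payment|really you",
    re.IGNORECASE)
# Assumption: local parts of addresses that warnings tend to come from.
SECURITY_SENDER = re.compile(r"security|helpdesk|support", re.IGNORECASE)
# Assumption: folders the mailbox owner rarely opens.
QUIET_FOLDERS = {"rss feeds", "conversation history", "archive",
                 "junk email", "deleted items"}


def hiding_actions(actions):
    """Describe the actions that take mail out of the owner's view."""
    found = []
    for action in actions:
        verb, _, target = action.partition(":")
        if verb == "delete":
            found.append("deletes matching mail")
        elif verb == "move" and target.lower() in QUIET_FOLDERS:
            found.append(f"moves matching mail to '{target}'")
    return found


def audit_rules(rules):
    """Return rules that hide mail AND match warnings, security senders or all mail."""
    findings = []
    for rule in rules:
        hides = hiding_actions(rule["actions"])
        if not hides:
            continue
        triggers = []
        hits = [k for k in rule["keywords"] if WARNING_TERMS.search(k)]
        if hits:
            triggers.append("matches warning terms: " + ", ".join(hits))
        senders = [s for s in rule["from"]
                   if SECURITY_SENDER.search(s.split("@")[0])]
        if senders:
            triggers.append("targets security/IT sender: " + ", ".join(senders))
        if not rule["keywords"] and not rule["from"]:
            triggers.append("no conditions, applies to all mail")
        if not triggers:
            continue
        extras = []
        if "mark_read" in rule["actions"]:
            extras.append("marks mail as read")
        if not re.search(r"\w", rule["name"]):
            extras.append("rule name has no letters or digits")
        findings.append({"mailbox": rule["mailbox"], "rule": rule["name"],
                         "reasons": hides + triggers + extras})
    return findings


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(finding["mailbox"], repr(finding["rule"]))
        for reason in finding["reasons"]:
            print("   -", reason)
```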

Above all, stay informed. Follow our blog to learn more about keeping your company safe from very real and sneaky cybersecurity threats like these.

HIPAA Compliance Basics

HIPAA Compliance Basics – IT HIPAA Compliance

If you are an organization subject to HIPAA, you need to understand and comply with all relevant requirements. Learn more about how this law applies to your company.  

The Health Insurance Portability and Accountability Act of 1996 set standards for all organizations that handle protected health information. In the past, HIPAA standards for privacy and security mainly applied to the management of paper health records and verbal exchanges of patient health information. In today’s modern world, however, the majority of protected health information is in a digital format, and these standards must be applied differently.

HIPAA Basics

HIPAA sets guidelines organizations must follow when they collect and store private health information. The law provides patients with certain rights to access their own health information, as well as confidentiality protections. HIPAA also outlines the steps an organization must follow when private health information has been compromised.

The Health Information Technology for Economic and Clinical Health Act

To ensure that all organizations subject to HIPAA are in compliance in the digital age, the government passed an additional law: the Health Information Technology for Economic and Clinical Health Act. Essentially, this new law raises the penalties that apply when a health organization violates any of HIPAA’s standards for privacy and security of protected health information.

How to Protect Your Data

In light of the many restrictive standards that apply to protected health information, it is essential for every organization that handles this information to take the matter seriously. Below are some tips to help you protect your data from vulnerability.

1. Invest in security software.

The right security software can help to maintain the safety of your data from hackers. Invest in advanced security software and update it as needed.

2. Train personnel.

Every employee who handles protected health information needs to understand the importance of complying with HIPAA laws. Take the time to train employees on the best practices for handling sensitive data, as well as the consequences for HIPAA violations.

3. Partner with the right professionals.

One of the best ways to keep your data safe is to partner with a reputable IT company that can design security measures to keep your network secure. The right company will also be able to help you take action quickly when a breach occurs.

4. Stay in the know.

Regulations are subject to change, and threats to your data are always evolving. Stay informed about all recent changes so you can keep your organization protected.

Keeping protected health information secure is not only ethical, but it is required by law. If you are an organization subject to HIPAA, compliance needs to be a priority at all times.

Protecting Your Business Mac Computer from Cyber Infections: Tips to Know

Tips to Protect Your Mac Computer from Cyber Threats

Mac computers have an excellent reputation when it comes to cybersecurity, but they can still be targeted. Find out about protecting your Mac from threats.

Malware, ransomware, phishing: cyber threats abound on the internet, and they are generating an astounding cost for the people who rely on computer systems to do business. To date, cyber infections have cost unwitting business owners billions of dollars, and some of those owners thought they were protected. Even though Macintosh (Mac) computer systems are highly regarded for their security, they are still at risk. Here are a few tips you should know.

1. Keep your Mac properly updated.

Without a doubt, one of the biggest reasons Mac computers fall victim to a cyber-attack is that they are not updated as they are meant to be. The developers of the Mac operating systems, whether it is one of the older Mac OS versions or something more modern like Mojave, send out frequent security patches as new updates. If you have automatic updates turned off or do not take the time to update your computer manually, you could easily miss an important line of defense.

2. Use good security programs on your business Mac.

Just because you have a Mac that has a stellar reputation for protecting itself against cyber threats, it does not mean that you should not go a step further and install a good security program. These software programs are designed to catch all those things that get past the existing Mac firewalls and security defenses.

3. Keep your Mac free of unnecessary programs.

Every user has them—those unnecessary programs that are really not used often enough to be counted as valuable or useful. These unnecessary filler programs take up valuable space on your Mac computer and slow it down. If the system is already slow, it can make it harder to recognize when something is awry and something fishy is going on. Plus, the more unnecessary programs you have that you never use, the easier it is for malicious software to latch onto something and set up shop on your computer because you will never see it.

4. Get educated about the biggest threats to security on your Mac.

Knowledge is a powerful defense tactic no matter what type of computer or OS you rely on as a business professional. You should take the time to familiarize yourself with the biggest Mac cyber threats and the types of cyberattacks most often occurring today. You should familiarize yourself with things like:

  • Phishing and how phishing attacks are carried out as well as how to avoid them
  • Ransomware and how it gets latched onto your Mac system
  • How to avoid things like malware that get attached to legitimate software

Whether you use your Mac for everyday tasks and projects at work or you have a system of Mac computers utilized by multiple employees and users within your organization, it is critical to protect your business Mac computers properly. Work with a managed IT service company to implement the best security measures and negate Mac cyber threats.

Happy Thanksgiving

Thanksgiving wouldn’t be complete without sending a thank you to all of the local businesses in our community and a special thank you to those who put their trust in us to manage their technology.

As we spend the day reflecting on what we’re thankful for, we hope you’re doing the same (and enjoying some delicious pumpkin pie while you’re at it!)

Have a great Thanksgiving!

What Are Your Company’s Responsibilities Following a Data Breach?

Learn from Marriott’s Example: Notification Responsibilities After a Data Breach

Most states, the District of Columbia, the Virgin Islands and Puerto Rico have passed legislation regarding notification of security breaches. Know the laws in your state.  

To answer this question, let’s start with the recent example of Marriott International, where a breach exposed the social security numbers of the hotel chain’s associates. Then, we’ll look at the federal and state requirements for notifying those impacted by a breach that involved their data.

How Did Marriott International Employees Fall Victim to a Data Breach?

Marriott International told some of its employees that their social security numbers (SSNs) had been exposed to an unknown person. The risk came from a vendor that handled documents for the hotel chain.

On September 4, 2019, Marriott found out that someone accessed information recorded on those documents, which included subpoenas and court documents. The notification, which came two months after the incident, merely stated that someone may have accessed the records, which is all hotel representatives claim to know. The potential breach impacts over 1,500 Marriott employees. On October 30, the hotel started sending notifications via regular mail for anyone it hadn’t been able to find.

Those impacted will receive free credit monitoring as well as identity theft protection for one year at the company’s expense. Notification and credit monitoring services are part of recent data breach laws, but one must wonder what took Marriott so long to notify the victims.

Why Did Marriott Have a Difficult Time Finding Victims?

Marriott received a list of those impacted, but most had no address. This may be the most significant factor in the delay. And, it’s not an unusual one. Company records breached by hackers may be incomplete in the best of circumstances, and this information was sitting in several external systems.

The unnamed firm said all Marriott employee data was deleted from its system. One of the problems in cases like this is storing data in multiple systems, which increases the risk of theft and data breaches. Marriott no longer partners with the vendor.

What Are Your Company’s Responsibilities in Case of a Data Breach?

The FTC recommends following these steps, some of which are legally required.

Secure your Operations

Move quickly to take whatever steps are needed to secure your systems. Otherwise, your data breach can result in a series of breaches. Mobilize or form a breach response team to shore up your network against further loss.

Fix Vulnerabilities

As part of the fix, you need to anticipate questions that clients, associates and the authorities may have. Put together clear questions and answers to post on your website. Direct communication may ease frustration and concerns, especially if it takes some time to identify those impacted, as in the Marriott case.

Work with forensic experts to determine what records were at risk.

Notification

Most states, the District of Columbia, the Virgin Islands and Puerto Rico have passed legislation regarding notification of security breaches. You must notify the affected parties when personal information is involved. Check the laws in your state as well as the federal laws and consult with your legal team regarding your responsibilities.

Document Management, Confidentiality Compliance, and HIPAA Adherence

HIPAA is an everyday stressor in the healthcare industry. A computer-based recordkeeping system can help keep records secure and HIPAA compliant.  

For many in the health care industry, compliance with the Health Insurance Portability and Accountability Act (HIPAA) is an everyday stressor that dictates the actions and availability of information. However, HIPAA is necessary to protect the patients’ information and medical records. A violation of HIPAA could lead to lawsuits and large fees, which could cause a business or practice to close their doors.

The Challenge of Human Error

Unfortunately, even the perfect system is prone to human error, especially if you do not have the integrated checks and balances that come with computer document management software.

Many facilities that are larger in size have already integrated their records into a computer-based record-keeping system. This type of software is especially helpful for the large volume of records that they keep on a daily basis. However, smaller healthcare facilities may want to consider a customized computer-based record-keeping system to stay HIPAA compliant.

Typically, most HIPAA violations happen without employees’ knowledge, or they are due to simple inexperience. Some of the most common HIPAA violations include:

  • Accessing records for any reason other than to aid in treatment or payment
  • Not using a secure encryption method for protecting health records
  • Removing patient information from the facility, either physically or on an unauthorized device
  • Sharing patient information via a personal email
  • No control or lack of control of who accesses patient health information
  • Not removing access of former employees

Digital Solution for Record Keeping

Physical paper documents have a higher chance of being compromised because their very nature requires that you physically secure them. Within HIPAA, health facilities not only have to worry about who has access to patient information but for what reason.

While some electronic solutions, such as common or shared network drives, can help healthcare facilities step away from paper options, these do not provide the security needed to remain HIPAA compliant. HIPAA requires that digital solutions for handling patients’ personal information have almost cutting-edge security tools. Due to the private nature of patients’ information within the system, health facilities’ data is considered a prime target for hackers looking for targets for blackmail or ransomware.

Benefits of Moving to Digital Record-Keeping

Even for small health care facilities, there is a digital document management system that could fit the needs of the business while still being HIPAA compliant. Some of the benefits of digital record keeping are:

  • Tracking for Audit Purposes – A digital document management system can record everything that happens to a file. The record could include which user has accessed the file, when the file was accessed, if anything has changed since the last time it was accessed, and historical copies of the file.
  • Control Over File Permissions – The records system administrators can control who has permission to view a file and the features available to them once they have access.
  • Unique Security Options – Administrators can dictate which users have access to patient information. As an example, administrators can add a two-step authentication method to access sensitive patient information.

Privacy and HIPAA compliance can be challenging, but adding the right document management tools can help with the stress and pressure of protecting patients’ information.

Achieving Success with Information Technology

Why Organizations Need to View IT as Central to Success and Profit

Think Your IT Department is Simply There to Make Repairs and Solve Minor Problems? Find Out Why It Should Be the Center of Your Organization’s Long-Term Strategy  

Information technology (IT) is more than a critical function. A well-run IT department should be integrated into an organization’s overall strategy. In fact, a comprehensive IT department should be at the center of organizational strategy. Within a firm, IT can include the following:

  • End-user computing devices
  • Networks and network infrastructure
  • Operating systems
  • Software applications
  • Data storage
  • Telecommunications
  • Internet service
  • Telephone systems

Using IT As a Strategic Asset

According to leading industry experts, even when leaders are aware of what constitutes the IT department’s purview and assets, there is a tendency to overlook IT’s potential. Yet, technology assets can be leveraged to ensure the organization runs as smoothly as possible. When an IT department and its assets are finely tuned, leaders can focus on identifying opportunities and innovative technical solutions. This includes innovative technical solutions that can be either used by the organization or leveraged by it. Consequently, the IT department and its assets become more cost-effective. With the right type and degree of investment, IT can help turn a profit for the firm.

Centralizing IT

When elevating IT and its assets to the center of organizational strategy, it is crucial to think about three areas. Those areas are:

  • Income
  • Growth
  • Strategic planning

IT can generate income through innovative solutions, but also by streamlining internal costs. This is usually achieved through the automation of processes and by increasing the efficiency of processes. Growth goes hand in hand with innovative solutions and increasing the efficiency of internal processes. By being able to meet client needs and drive market behaviors, an organization can use IT to establish a competitive advantage. Establishing and maintaining a competitive advantage to stimulate long-term growth is an essential part of any strategic plan.

Reasons to Leverage IT

The number one reason to leverage technology-related assets is the industry’s pace. Changes in technological advancements and capabilities happen at lightning-fast speeds. Without proper strategic planning, analysis and leverage of internal IT capabilities, an organization simply cannot expect to succeed. IT can be not only a means of survival, but a point of differentiation. Technical expertise and advantage can reduce costs, create markets, better meet client needs, and make the entire organization more efficient. Neglecting IT or viewing the department and its assets as a necessary evil can backfire as others find ways to make technology generate revenue.

For those who deserve our utmost respect…

November 11th is Remembrance Day…

A day where we stand united to honour those who have made the ultimate sacrifice in the line of duty.

And for all they’ve done, we say thank you.

Thank you to those who placed themselves in harrowing situations in the name of protecting our freedom.

However you’re planning on spending the day, remember to take a moment to think about these exceptional men and women.
