Category: Uncategorized

The Rise of MarTech: Navigating the Intersection of Marketing and Technology

Is your organization struggling with the intersection of marketing and technology? If so, you’re not alone — marketers everywhere are.

There is a crisis in boardrooms and offices around the world: who owns marketing technology? Is it the CIO or CTO, who doesn’t always understand how data is utilized by the marketing teams or best practices to provide an exceptional customer experience? Is it the CMO, who is struggling to stay abreast of how all the various tech options fit together — and managing complex projects while staying on top of marketing initiatives? Or are these professionals working to bring their teams together into a new hybrid that is still being defined? Welcome to the rise of MarTech: where marketing and technology intersect. It’s not always a pretty landscape, but many organizations are navigating through this season of change within the business.

Marketers Love Their Technology

Marketers are generally a creative bunch and are increasingly engaged with the selection of tech, especially as it relates to their specific job functions. Today’s data-driven CMOs are looking for ways to measure their advertising spend, analyze their marketing program results and create timely and relevant messages for their audience. This requires a great deal of integration between the trifecta of communications infrastructure: marketing automation, website CMS (content management systems) and CRM (customer relationship management) solutions. Some smaller organizations are able to utilize a single system for several of these functions, but there is still a level of complexity involved in scoping functionality, acquiring trusted vendors, creating timelines and ultimately approving the user stories and processes. Enter the IT team.

IT Teams Want to Retain Control

Marketers love their data, but IT teams have historically retained control of everything database-related. This tension is an ongoing one, and one that can cause frustration on both sides of the spectrum. Marketers are constantly driven by a need for change and finding the best possible solution for their business needs while technologists tend to take a more sedate path to find a solution. This can cause marketers to go off the reservation and create an unruly tangle of solutions that not only don’t work well together — they often don’t work at all, and might be a security risk besides! It’s incredibly challenging to keep track of the volume of change in the MarTech world, as new platforms are cropping up on a daily basis. In fact, it’s so convoluted that ChiefMarTech.com puts out an annual supergraphic of what it calls the “MarTech 5000“. The 2019 edition has a note showing that the completely illegible list is now made up of over 7,040 entrants in a range of sections broken down into:

• Advertising & Promotion
• Content & Experience
• Social & Relationships
• Commerce & Sales
• Data
• Management

Oddly enough, data and management are two of the smallest buckets but ones that likely contain some of the most powerful tools in marketing — or technology.

Managing Disruption

“Marketers are being asked to do more with less and so they buy into the digital hallucinates that are out there,” according to Former Commonwealth Bank and Foxtel chief marketing officer Andy Lark. There are hundreds of businesses selling little more than “smoke and mirrors” instead of digging deep into the reasons that MarTech can work for the business. This means looking at the core business and marketing functionalities that are needed, a place where IT professionals and marketers can come together as they’re defining requirements instead of waiting for salespeople to come to them. No matter how easy technology salespeople say it is to manage these massive MarTech systems, there are still technical requirements that will end up either back in the hands of your IT department or with marketers needing the ongoing support of external technical staff. Either of these solutions can cause disruption to the business, which is why it’s critical that marketing and technology teams work in lockstep to determine which — if any — new platforms are implemented in the near future.

Even adding a simple module to SalesForce, Adobe or Oracle can have unintended consequences, especially when it comes to data privacy and security — a top concern for IT and marketing alike. The recent spate of legislation around privacy reminds senior leadership that this must be kept top of mind and managed actively. That can be difficult if organizations are saddled with a makeshift raft of platforms that float together well as long as the waters are not bumpy. When you need to track the specific actions of individuals through various systems, IT pros and marketers alike will be reminded that sometimes “less is more” when it comes to new systems and integrations.

Protecting Your Data from SHTML Phishing

Data security is vital to any business. Learn how SHTML phishing works and how to minimize the risk of your data falling into the hands of attackers.

Email phishing has been in the playbook of hackers since, well, email. What’s alarming is the scope in which criminals can conduct these attacks, the amount of data potentially at risk, and how vulnerable many businesses are to phishing attempts. Here’s what you need to know to spot the hook and protect your data from being reeled in.

How Does Email Phishing Work?

A phishing email typically contains an attachment in the form of a server-parsed HTML (SHTML) file. When opened, these shady files redirect the user to a malicious website often disguised as a legitimate product or service provider. The website then requests sensitive information such as the user’s address, date of birth, social security number, bank account number, etc. in exchange for providing said product or service.

Users who comply end up giving their information to a criminal who may then sell it to various illegal organizations. Victims may end up losing money and having their identity connected to criminal activity. The attackers may even offer to sell the information back to the owner for a hefty ransom. For businesses, the damages can be irreparable. Phishing is often the launchpad for large-scale cyber attacks, and businesses that fall victim can lose not only cash and assets, but the trust of current and would-be customers.

Who Does SHTML Phishing Target?

While many individuals fall victim to phishing, the main targets are businesses in the banking and finance sector. The sender may use a seemingly legitimate email address, often posing as a trusted, reputable organization. They may goad users to open attachments by claiming to be the IRS, a wealthy businessman offering a lucrative deal, or, ironically, a security provider offering to scan the user’s computer for vulnerabilities. While many phishing attempts are obvious, some can be convincing, and all it takes is a hasty click to give the phisher what they want.

Types of SHTML Phishing

Depending on the attacker, a phishing attempt can range from simple and generic to detailed and personalized to fit the target. For businesses that conduct large quantities of transactions, a phisher may send a simple email claiming to provide a receipt for their purchase. Others may send invoices. Sophisticated attackers may gather information about the business including its suppliers, partners, and even names of individual employees. They may then create fake accounts disguised as these trusted entities, fooling the target into giving away sensitive data. While most phishing attempts fail, a convincing premise combined with a busy, distracted user can equal success – and disaster.

Potential Signs of SHTML Phishing

Being proactive and training your employees to spot phishing is the best line of defense. Here are some potential red flags that may, but not always, indicate that an email is a phishing attack:

• Poor spelling and grammar
• Strange characters and punctuation
• Email addresses comprised of a seemingly random combination of letters and numbers
• Emails claiming to offer large sums of money
• Emails claiming that you owe a large sum of money
• Emails claiming that your data is at risk and offering protection
• An overly lengthy or short email body
• Attachments with file types you don’t recognize

How to Protect Your Business from SHTML Phishing

While there’s no way to guarantee that your business will be 100% safe from phishing attacks, you can take precautions to greatly minimize your risk of becoming a victim. Many email clients have rules that automatically filter out suspicious or spam emails. Savvy IT professionals can create additional rules to identify and block phishing emails.

The greatest defense is training every employee to recognize the red flags, especially the not-so-obvious ones. Make basic data security a part of the onboarding process, and hold presentations and seminars several times a year to keep employees aware and bring to light any new threats they should look for.

Data security is more relevant than ever, and businesses need to stay up to date on the latest cybersecurity threats. Is your business taking the necessary precautions to keep phishers away?

You Can’t Get Away With Skimping on Technology

Is your IT a driving force for innovation, or simply being used to keep the lights on? Companies must fully leverage technology to compete — and win — in the future.  

What does your company make or do? Chances are, the answer won’t be “technology”, but do you still have a tech slant to your business products, services and operations? Companies today can’t get away with simply saying “We’re not a tech company”, and shuffling off innovation. Technology is one of the most important tools that your business has to help bypass competitors and make a difference in the world. Investments in technology continue to rise, making many seniors executives question whether this trend of IT spending can continue — and whether it’s truly adding value to the organization. As a business leader, it’s crucial that you’re able to articulate what happens when you attempt to skimp on providing the necessary tech for your business.

Why is Technology Important in Business?

It may feel silly to even ask this question, but there are still people who struggle to see the fit for their business. Maintaining the status quo worked for generations, why is there a need to change and evolve? Operations are tightly integrated into technology, so every time your organization interfaces with another there’s a high probability that you will need some sort of technology solution. Your business technology handles everything from the way your customer service representatives answer the phone to routing orders and shipping products from your various facilities. The infrastructure that undergirds your business is an intrinsic part of your ability to thrive in today’s competitive marketplace. Simple solutions may miss the mark, costing you significantly more than expected in terms of remediation or hiring additional contractors to resolve any issues. Finding the right partner can make the difference between a well-scoped and successful project and one that runs significantly over-time and over-budget.

The Rising Cost of Technology Downtime

With the addition of more tech to your business, there’s always the potential for downtime and outages — something that is both increasingly familiar and increasingly expensive for your business. A study by AppDynamics examined the true cost of downtime and the failure of infrastructure, as a way to introduce the importance of DevOps cycling. This study showed that Fortune 1000 organizations are spending upwards of $1.25 – $2.5 billion on downtime each year, with the average hourly rate for downtime at $100,000. While this could be scaled down dramatically for a smaller organization, the scale of the impact is every bit as great. While downtime is something that is nearly inevitable, it can be minimized by creating a secure and redundant infrastructure that helps protect your organization in the event of a cybersecurity incident or other event.

Dire Results of Skimping on Technology

It’s not an overstatement to say that skimping on your cybersecurity or infrastructure technology could cost you your business. More than 60% of small businesses cease to exist within 6 months of a data breach, a sobering fact to say the least. These cybercriminals are targeting major enterprises, but these are the high-profile attacks that you see in the news. The more common M.O. for a hacker is to target small to mid-size businesses, as there’s the perception that these organizations are not as proactive about putting together proactive cybersecurity as their larger brethren.

While security is important, the overall experience of your customers is often the most critical measure of success for an organization. When there are competitors around every corner, your business must be able to differentiate in a way that provides unique value to your customers. That often comes in terms of superior customer service or more intuitive websites and interactions. Shoppers are often willing to pay 15-20% more for a better and more personalized experience, which offers even greater value back to your business. With an investment in your infrastructure, you’re not only improving your operational efficiency but also providing a more secure and robust platform with which your customers can interact. Customer experience may feel like a buzzword that is used by management gurus, but it’s a real concept for your customers.

Reducing operational steps, driving efficiency back into your business and creating a truly customer-focused organization doesn’t always come cheap. When you reduce the quality of your operational infrastructure and technology support, you could be negatively impacting the future worth of your business — not to mention alienating the all-important customer.

Why Every Business Should Invest in Cybersecurity

Cyber security is essential to businesses of all sizes. Learn how to keep your business up to date and protected from the most common digital threats.  

Cybersecurity is no longer a concern exclusive to large corporations. Since the infamous attacks on Equifax, Target, and Apple, cybercriminals have started to shift their focus towards smaller businesses. Without proper security protocols, small businesses are sitting ducks even for novice hackers.

In recent years, the cost of data theft targeting small and medium-sized businesses (SMBs) has risen significantly. The Ponemon Institute reports a 17% increase in the average cost of theft and damages, and a 26% increase in the average cost of disruption to operations. The threat has prompted many SMBs to invest more heavily in third-party data security services.

Cybersecurity in a Continuously Evolving Digital Space

Ever-evolving technology makes the world more connected, but also makes data more vulnerable to attackers. Gone are the days when an antivirus, firewall, and email filter were enough to earn a passing cybersecurity grade. As criminals refine and improve their methods of attack, businesses and IT professionals must step up their defenses.

The most recent trend in cyberattacks is a shift towards SMBs, many of which lack the breadth and depth of data security that larger corporations are likely to have. Illicit tactics such as email phishing, direct hacking, and installing ransomware can spell big trouble for SMBs. If your data is compromised, the results can extend to your customers and other members of your supply chain.

Consequences of a Data Breach

The fallout from a data breach depends on the scale of the attack and the value of the data stolen. Hackers may be able to seize control of accounts, drain funds, freeze assets, and access sensitive customer information. If you operate in the healthcare or financial sectors, you may be liable to pay reparations in addition to suffering the cost of stolen capital and the inability to continue operations. The cost of a large-scale data breach can devastate even the wealthiest of corporations, and will most certainly overwhelm a small business.

How to Improve Cybersecurity

A common misconception is that only large corporations can afford effective cybersecurity. In most cases, implementing cybersecurity isn’t merely a matter of money, but of proper training and awareness. A Ponemon Institute study linked 54 percent of data breaches to employee or contractor negligence. This includes email phishing, which is often the first step attackers use to conduct large scale theft of usernames, passwords, and other sensitive data.

Educating and training your employees on cybersecurity minimizes the risk of data theft at the point of contact. Your business should have protocols to identify signs of phishing, choose secure passwords, and grant or deny access to information. You can also inform your customers about how to keep their information secure. Taking this two-pronged approach shows customers how committed you are to keeping their data safe.

Being proactive and spreading the word on cybersecurity threats will help you protect your business from hackers. Whether you’re a multinational corporation or a two-person mom-and-pop shop, your customers rely on you to safeguard their data. Implementing the latest security practices lets them know that you value their trust.

What Is the Dark Web and How Can You Stay Off It?

Ever heard of the dark web? It’s definitely not a place you want your company’s information to be. Learn everything you need to know about the dark web here.  

Most people have heard about the dark web in one form or another. It’s a place where criminal activity happens — from the purchase of illegal drugs to the hiring of assassins.

Of course, there is a legal side to the dark web as well; though, most people don’t know about. In fact, the origin story of the dark web is entirely legitimate and is even linked to the government.

Still, as a business owner or CEO, your relationship with the dark web (should you unfortunately have one) will not likely be good. It’s a bad sign if any of your information is found there. That’s why it’s important to know about what exactly the dark web is: Where it came from, what’s on it, and what you should do to stay as far away from it as possible.

What Is the Dark Web?

The dark web is essentially one “section” of the Internet. Specifically, it’s a section that isn’t included in mainstream search engines like Google. So, when you search a normal search inquiry, such as, “Where’s the best hamburger joint in downtown Pittsburgh?” you don’t get results from the dark web.

Instead, this section includes all sorts of illicit goings-on. Mostly, it’s a marketplace for things you shouldn’t be buying because they’re illegal to sell and/or buy. For instance, you can buy lifelong access to Netflix for a small price (six bucks). You can hire someone to hack into someone else’s computer for you and download their data or track their keystrokes. You can purchase credit card credentials. You can obtain prepaid debit card numbers and security codes.

How Does One Access the Dark Web?

We’ll reiterate again that the dark web is not a place you want to find yourself (or your information). However, for the sake of knowledge, we’ll explain that in order to access the dark web, you must download what’s called the Tor browser.

Tor stands for The Onion Router. This is basically the software that makes the dark web operate in the dark.

Where Did the Dark Web Originate?

The dark web began in the late 1990s as a way for the United States Naval Research Laboratory (NRL) to better hide their online communications. At this time, The Onion Router or Tor was brand-new.

Soon after its initial creation in 2004, the dark web’s Tor software was released for public use. Since that time, it has ceased to be solely a government resource and has turned into the “back alley” of the Internet.

How Can the Dark Web Affect Business Owners?

The dark web is a potential danger to all businesses of all sizes and in all industries. In fact, it can be a potential danger to individuals as well. But let’s talk about your business and the dark web.

Basically, it has been found that 60% of the web listings on the dark web could harm a business. That’s because, these listings offer individuals searching the dark web ways to obtain things like the following:

• Customer data
• Tips for hacking computers
• Tips for hacking networks
• Malware
• Financial data
• Phishing advice
• Operational data
• Intellectual trade secrets
• Tutorials for cyber crime
• Remote access Trojans (RATs)
• Espionage services
• Credentials access

How Can You Keep Your Business Safe From the Dark Web?

The best way to keep your business safe from the dark web is to have the proper cybersecurity measures in place. This means hiring a cybersecurity team or a managed service provider (MSP) to handle your company’s cybersecurity. Even if you’re a small business, hiring an MSP to have on retainer is a good idea.

They will make sure that you have firewalls and other detectors of malware in place for adequate security. It’s also essential to back up your data and to make everyone who works for or with your company aware of how to avoid phishing attempts.

Lastly, your cybersecurity team should be monitoring the dark web to make sure that none of your information lands there. This goes for personal information for you and your employees, as well as overall company information. Taking these measures is the only surefire way to ensure that your company does not end up on the wrong end of the dark web.

Check Your IoT: URGENT/11 Zero-Day Vulnerabilities Impacting 2 Billion Devices

It was only a matter of time before connected devices become a target. The current vulnerability allows remote attackers to gain full control over IoT devices.  

Security professionals have known that connected devices are a risk, but the latest news around the URGENT/11 vulnerabilities may surprise even the most hardened security professional. Over 2 billion connected devices are thought to be vulnerable, including a range of printers, VOIP phones, routers, medical equipment, firewalls, elevators and industrial controls. Any connected device that is running the VxWorks operating system created by Wind River has the potential to be affected, allowing users to remotely gain control over the device.

URGENT/11 Vulnerabilities

Dubbed “URGENT/11”, these security risks include six critical vulnerabilities connected with VxWorks 6.5 or higher that includes the IPnet stack. There are a few versions of the OS that may not be affected, according to security research firm Armis, such as their VxWorks Cert Edition and VxWorks 653. Whether devices are within the network perimeter or on the edge, they can still be leveraged for remote access directly into networks. The vast range of manufacturers of the devices at risk means the level of security at the device level is likely to vary dramatically between product types. Fortunately, Wind River Systems provided critical patches during a recent July 19 release, but that may not be enough to reduce the risk for organizations utilizing these connected devices.

What is VxWorks?

“VxWorks is the most widely used operating system you may never have heard of,” said Ben Seri, vice president of research at Armis. “A wide variety of industries rely on VxWorks to run their critical devices in their daily operations—from healthcare to manufacturing and even security businesses”. As an RTOS, or real-time operating system, VxWorks has generally been considered to be a stable solution for IoT and other interconnected devices with only 13 vulnerabilities reported in over 32 years of operation for the platform. Since it is only older versions of the RTOS that are vulnerable to attack, it’s thought that newer devices should be relatively safe and many affected devices are already reaching end-of-life. These devices are generally ones where chipsets only need to manage a few basic pieces of information, such as input/output operations, where little data processing is required.

How to Protect Your Business

While officials at VxWorks and Armis note that there are no indications that the URGENT/11 vulnerabilities have been exploited, the extreme disruption that could be caused within an organization is reason enough to warrant a proactive effort to protect your organization. Here are the recommended steps from Wind River security professionals and engineers:

• Apply the recent patch immediately
• Deploy specific firewall signatures/rules that will help mitigate the danger if patches cannot be applied immediately

You can view the full URGENT/11 whitepaper with a breakdown of the vulnerabilities and suggestions for remediation online. Experts note that the level of disruption could be significant, perhaps even rivaling the EternalBlue 2017 vulnerability or the WannaCry ransomware attack. In each of these instances, it was challenging for many small businesses to determine the best steps to move forward and protect their organization.

Partnering with an IT services firm helps ensure that your business is alert to this type of critical attack vector. Staying vigilant for vulnerabilities and quickly applying patches may mean the difference between a few hours of work patching devices or servers and months of remediation as you attempt to recover from a major attack.

Capital One Data Breach Affects More Than 100 Million Customers and Small Businesses in The U.S. & 6 Million in Canada

On July 29, 2019, Capital One reported that their customers’ confidential information was compromised. This includes the Social Security and bank account numbers of more than 100 million people and small businesses in the U.S., along with 6 million in Canada.

The McLean, Virginia-based bank discovered the vulnerability in its system July 19 and immediately sought help from law enforcement to catch the perpetrator. They waited until July 29 to inform customers.

How Did The Hacker Get Into Capital One’s System?

According to court documents in the Capital One case, the hacker obtained this information by finding a misconfigured firewall on Capital One’s Amazon Web Services (AWS) cloud server.

Amazon said that AWS wasn’t compromised in any way. They say that the hacker gained access through a misconfiguration on the cloud server’s application, not through a vulnerability in its infrastructure.

Capital One says that they immediately fixed the configuration vulnerability that the individual exploited and promptly began working with federal law enforcement.

Who Breached Capital One’s Data?

Paige A. Thompson, a former software engineer in Seattle, is accused of stealing data from Capital One credit card applications.

Thompson was a systems engineer and an employee at Amazon Web Services from 2015 to 2016. In a statement, Amazon said that she left the company three years before the hack took place.

The FBI arrested Thompson on Monday, July 29 for the theft, which occurred between March 12 and July 17. Thompson made her initial appearance in U.S. District Court in Seattle and has been detained pending an August 1 hearing. Computer fraud and abuse are punishable by up to five years in prison and a $250,000 fine.

What Information Was Compromised?

Thompson stole information including credit scores and balances plus the Social Security numbers of about 140,000 customers and 80,000 linked bank account numbers of their secured credit card customers. For Capital One’s Canadian credit card customers, approximately 1 million Social Insurance Numbers were compromised.

The largest category of information obtained was that of consumers and small businesses when they applied for one of Capital One’s credit card products from 2005 through early 2019.

Capital One said, some of this information included names, addresses, phone numbers, email addresses, dates of birth and self-reported income.

Other data obtained included credit scores, limits, balances and transaction data from a total of 23 days during 2016, 2017 and 2018.

This is one of the top 10 largest data breaches ever, according to USA TODAY research.

What Is Capital One Saying About The Breach?

They will offer free credit monitoring services to those affected. Capital One said it was “unlikely that the information was used for fraud or disseminated by this individual” but committed to investigating the hack fully.

They’ve set up a consumer website about the breach at www.capitalone.com/facts2019 that you should refer to if you’re worried that your information was compromised.

Capital One expects that this hack will cost them approximately $100 million to $150 million in 2019.

What Should Capital One Customers Do?

If you’re a Capital One customer, you should check your account online. You should also freeze your credit through each of the three main credit bureaus: Experian, Equifax and TransUnion.

It’s important to remain vigilant. Businesses should sign up for Dark Web Scanning to detect whether your confidential business information is there for cybercriminals to use.

Prevention is always the best remedy. Ask your IT provider to ensure your that your firewall is properly configured and to continuously remotely monitor your network for intrusions.

Major Fines for IT Data Breaches

Outdated machines, software or employee practices can lead to major security problems. These big companies faced painful fines for their IT mistakes.

As companies increase their online activity, data collection and eCommerce, the stakes will continue to rise. Companies that are lax, poorly prepared or sloppy are facing disastrous tech breaches. Equifax, Uber, TJX and Visa are just a few of the companies that have had to face hefty payouts for data breaches. The public relies on companies to act professionally and secure their information. Many companies that face a security breach or lost data will not be able to stay in business.

With a security breach, the customer’s trust is lost. Not only will the reputation harm business, but fixing the issue will cost more than preventing it. Fines and payouts will also add to that cost. And, the more consumers affected by a major problem in the company’s security, the more painful the clean up. You can’t afford to slack when it comes to IT security.

Equifax Data Breach Settlement of $700 Million

The infamous Equifax data breach of 2017 has lead to 147 million affected customers. The settlement announced by the credit reporting company included $175 million to 48 states, $300 million towards free credit monitoring services for the impacted customers and $100 million to the Consumer Financial Protection Bureau for civil penalties.

Federal Trade Commission (FTC) Chairman Joe Simons said, “Equifax failed to take basic steps that may have prevented the breach that affected approximately 147 million consumers. This settlement requires that the company take steps to improve its data security going forward, and will ensure that consumers harmed by this breach can receive help protecting themselves from identity theft and fraud.”

Facebook Faces $5 Billion in Fines for Privacy Violations

The FTC smacked Facebook with a $5 billion fine for the Cambridge Analytica incident. This privacy violations fine was in response to personal data taken from over 87 million Facebook users to create more persuasive and personalized ads.

Uber Faces $148 Million in Fines for Covering Up Hacked Accounts

In 2016, Uber had over 57 million user accounts compromised–and then tried to cover it up by paying the perpetrator $100k. This lead to the largest data-breach payout at the time of $148 million because they broke data breach violation laws.

Anthem Faces $131 Million for Data Breach of Customers

When the US health insurer Anthem was hacked in 2015, over 79 million customers had their names, birthdates, social security numbers and medical IDs compromised. The company paid out $115 million in a class-action lawsuit in 2017 regarding the breach. The US Department of Health and Human Services fined them an additional $16 million for HIPAA (Health Insurance Portability and Accountability Act) violations.

TJX and Visa Pay Out $40.9 for Data Breach

When over 96 million credit and debit accounts were hacked in a widely-publicized data breach that lasted from 2003 to 2007, TJX promised pay outs. This came under the terms that 80% of card issuers agreed to the recovery offer and promised not to take further legal action. TJX agreed to fund the settlement as a resolution to those U.S. Visa holders with cards from taking further legal action. This amount was not part of the $256 million the company said it had budgeted to deal with the breach.

Texas Cancer Center Fined $4.3 Million for Unencrypted Equipment

Between 2012-2013, the University of Texas MD Anderson Cancer Center lost one unencrypted laptop when it was stolen from an employee’s house and two unencrypted USBs that contained sensitive patient data. The health information of over 33,500 individuals was compromised and the center faced a $4.3 million fine for HIPAA violations.

FMCNA Fined $3.5 Million for Five Data Breaches

In 2012, Fresenius Medical Care North America (FMCNA) was fined $3.5 million for HIPAA violations after five separate breaches in different company locations. The Office for Civil Rights noted that FMCNA could have avoided this with a thorough risk analysis to find the potential risks and vulnerabilities. Many of their breach problems included lacking security policies and failing to encrypt sensitive health data.

A good company will take proactive IT security measures with a great tech team. By outsourcing IT security through a managed IT service company, you can get the best security without hiring a team full-time. Your IT team will provide an audit of your company to help you find the places where your security, devices or practices might be a threat to your company. Ensure you are using the right equipment and your employees are trained to meet compliance standards, privacy laws, customer expectations and more so your company can succeed.

Phishing Attacks Target OAuth Credentials to Gain System Access

Discover how an increasingly popular authentication process, OAuth, can be exploited by hackers and wreak havoc on applications and access sensitive data.

What Is OAuth?

OAuth is a widely used framework that allows applications to share access to assets. It lets unrelated services and servers to allow authentication without sharing the initial single login credential. It’s often referred to as secure third-party user agent delegated authentication.

OAuth lets you access a resource — secure password-protected sections of a website, for example. Once the access is granted it remains in place until revoked, even if passwords or reset or 2-factor authentication changes.

It’s the technology that allows you to log in to a website or an app using Facebook or Google credentials. Instead of creating and using a password for, say, ESPN.com, you can log in using your Facebook account. Facebook, Google, Microsoft and Amazon are among those that use OAuth to allow access to other platforms as well as their own.

OAuth does not share password data across sites, but it does share the authorization tokens to confirm your identity.

What Is the Oauth Phishing Attack?

The OAuth tactic is unlike those used in traditional phishing attacks. By targeting the authorization tokens, hackers can essentially act as a compromised account holder throughout any platform on which the hacked person uses OAuth.

A hacker can create a simple app that is loaded into an email message. When users click on the phishing email, they can inadvertently allow access via the OAuth protocol.

“These techniques have been observed in sophisticated attacks in the past¹ but are becoming easier to execute and are gaining in popularity,” notes a recent article.

What Can Attackers Do if a Phishing Attack Is Successful?

A successful phish attack lets a hacker do any number of things, depending on the resource to which access was granted. For example, if access is granted to your Microsoft Office or Office 365 account, a hacker could:

• Search your mailboxes
• Read your email messages
• Download messages and any attachments
• Search for keywords in your email and extract that data
• Send messages on behalf of your account … to anyone
• Access your contacts
• Search shared drives like OneDrive and Sharepoint, read documents and download and extract files
• Create malicious Outlook rules
• Inject disruptive macros into stored Word documents
• Create and install filtering and forwarding rules

Data accessed, reviewed and stolen can have severe consequences, as could macros and rules that make it difficult or impossible to use these common office productivity apps.

What Can Be Done to Defend Against a Phishing Attack?

More platforms are using OAuth to make it easier for customers or users to access information. That proliferation of uses means more opportunities for hackers. It’s likely that the number of OAuth phishing attacks is likely to grow.

The best defense against OAuth and other phishing attacks is awareness. Employees and other users need to be aware of the risks and potential outcomes of a phishing attack.

That means training and simulations that help users look for telltale signs of a phishing attack, such as poor grammar and spelling and the use of an unusual email address. Explaining how OAuth phishing attacks work also helps to raise awareness and let users take a skeptical approach to providing those credentials if something doesn’t feel right.

Your organization should also make it easier for employees to submit any suspect email messages that they believe are a phishing attempt.

Some other recommendations are:

• Limit the number of third-party apps that can 3^rd party apps that your network accepts
• Disable any third-party apps across the organization that are unnecessary
• To identify rare or suspicious instances, search for and monitor all consented applications

To reduce the likelihood and impact of an OAuth phishing attack, be sure to work with your managed IT services provider to ensure that training, anti-phishing solutions and monitoring are in place for your entire network.

5 Incredible Benefits of Effective Managed IT Services

Managed IT services are one of the many ways an organization can choose to handle their IT needs. With managed IT services, a third-party handles the entirety of the tasks and responsibilities regarding managing IT and keeping the company running. The difference between this and many traditional third-party services is that it’s provided for a set cost. Instead of having access to an hourly consultant rate, you’ll be paying a flat rate monthly (or annually) in exchange for total coverage.

Every arrangement is slightly different and must be outlined very clearly in the Service Level Agreement (also known as the SLA). This document will arrange not only the cost structure, but also the exact services that are included in the partnership, and the metrics that are used to define success or failure.

There are many reasons that companies elect to go with managed IT services to handle their day-to-day needs. Here are five of the most compelling reasons:

1. Provides Total Alignment Between Both Parties

In a managed services agreement, both parties are aligned for maximum efficiency and performance. Since it’s not an hourly rate, the third-party is incentivized to handle your IT in an efficient and effective manner. Otherwise, they have to spend more time and manpower resolving your issues, which brings down their effective hourly rate.

Additionally, if they don’t live up to the metrics set forth by the SLA, they may be liable for penalties or even complete termination of the contract. In this way, it’s in both companies interest to do the very best job possible.

2. Focuses on Being Proactive versus Reactive

If you’re paying by the hour, the services you’ll receive are going to be reactive. When your company notices an issue, they’ll reach out to the third-party to help fix it. Managed services provide proactive support. Since they’re working for you no matter if there’s a problem or not, much of their time is spent preventing problems in the first place. This results in much smoother daily operations and the avoidance of problems that could potentially hurt your businesses but would be unavoidable with another type of arrangement.

3. Contains Simple Cost Structure

The simple cost structure of managed IT services will be much appreciated by your accounting department and whoever is setting the budget. Instead of seeing costs vary wildly by the amount of support required in a particular month, the amount will be a flat fee. You’ll also likely save a great deal of money versus hiring a fully functional team in-house since you won’t need to pay for things like recruiting, onboarding, benefits, and continued training.

4. Makes Projects Easier to Manage

When you need to roll out a brand-new technology or simply update an existing one, it can take a great deal of time and resources. This is especially true if the third-party isn’t used to the way your business operates each day and has to fit the entire roll out into a small window of time. If you have continuous support, however, it’s a much more manageable process. They can work on the project when they have a spare moment in the day. Since they’re fully integrated into your day-to-day processes, they’ll have a much better idea of how to implement a new system from end-to-end, including training and providing post-launch support.

5. Offers Access to True Experts

Unless you’re a massive organization, it’s unlikely that you can afford to recruit, train, and maintain the very best in the IT field. With an agreement with a top-notch IT firm, you gain access to experience and perspectives that you would be unlikely to otherwise access. These talented professionals will be able to help you with all of your IT needs, from daily maintenance to improving upon your existing systems and processes.

Managed IT services are only one of the many ways that a company can choose to handle its IT needs. However, it offers many advantages over some of the other options, including handling IT in-house and going with an hourly consultant-based fee schedule. If you believe that your business could benefit from controlled costs, improved support, and access to an incredible variety of IT talent, managed IT services might be the best option for your business.