Free Person Holding a Remote Control Stock Photo Cybersecurity

6 Immediate Steps You Should Take If Your Netflix…

Netflix is one of the most popular and well-known streaming services. It has nearly 231 million subscribers around the world. It has been growing steadily for almost a decade.

The platform has become an essential part of many people’s daily entertainment routines. They fire up their devices, log in, and pick right back up on their favorite shows.

Unfortunately, like any online service, Netflix accounts can be vulnerable to hacking. It’s a baked-in risk when you have a service that is only protected by a username and password.

If you experience an account hack, it can be shocking, confusing, and infuriating. You may not know exactly what to do and may react without thinking first. This is a dangerous space to be in because it can cause you to do things that only make things worse.

In this article, we’ll give you the steps to take when you suspect someone has hacked your Netflix account. Let’s first cover how hackers typically operate when deploying an account takeover.

How Does a Netflix Hack Typically Work?

Phishing overload is a problem that hackers take advantage of in these types of breaches. People receive fake emails all the time that spoof brands like Netflix. One common phishing ploy is an email stating, “There has been suspicious activity on your account.” It will include a link to log in to a spoofed site that looks like the brand’s normal login page. This is a classic trick to steal your login credentials.

Hacked Netflix accounts typically go for $12 each on the dark web.

People get numb to these emails because they get so many of them. They tend to tune them out, knowing that clicking on them could be dangerous. Hackers take advantage of this, hoping you’ll ignore the real ones from Netflix that warn you of a suspicious login (theirs!).

They lay low and don’t take any action yet that will lock you out. They wait for you to receive a few more of these emails, so you’ll completely ignore them. Then they attempt a takeover.

Accounts hacks can go in various ways. Here is one typical scenario of a Netflix hack:

  • The account owner gets an email about a suspicious login. Often it will be from a different country.
  • They may log into their Netflix account to see if there are any unknown devices logged in. Usually, none will show yet. The hacker logs back out. The goal is to get you to check and see that nothing is wrong, and assume the real notice is phishing.
  • This same scenario may happen 2-4 more times in the span of a month.
  • Once the hacker feels the user is ignoring the Netflix warnings, they’ll make their move.
  • They add their credit card to your account. This is so they can call Netflix and give them a method of verification.
  • They may increase your subscription plan to a higher level.
  • They also usually replace any user profile names on your account with numbers (1, 2, 3, etc.)
  • At this point, the account owner will typically receive an email. It will note a change in account information. This could be the account email, password, phone number, etc.
  • The hacker is now trying to lock the account owner out of their account.

What Do You Do If Someone Has Hacked Your Netflix Account?

1. Go to the Netflix site & try to log in.

If you suspect a hacked account, visit the Netflix site directly from your browser. Do not go through a link you received via email, DM, or SMS.

See if you can log in using your password. You may be able to if you caught the hacker before they’ve locked you out. If not, then skip to Step 4 below, calling Netflix support.

2. If you can log in, change your password immediately.

If you can log into your account, change the password right away. Ensure it’s a strong password that is at least 10-12 characters in length. It should also include a combination of letters, numbers, and symbols.

Do not use a variation of the breached password. You should not use any part of your old password to create the new one.

3. If you can log in, remove any strange payment methods

If you can still access your account and settings, go to the payment methods area. Often hackers will add another payment card to your account. They use it to verify the account to Netflix support.

Remove any strange payment method that is not yours. But if you remove your own payment card, you will need another way to verify your account with Netflix. So, at this point, you may want to call before you do that.

4. Call Netflix support. (Don’t skip this step)

Everyone’s experience may be different. Some users that have gone through a hack have praised the fast and helpful support from Netflix.

Contact Netflix support whether you have or have not succeeded in logging in. There may be things the hacker has done that you aren’t aware of. They may have changed subscription information.

Let the support representative know you think you’re the victim of an account hack. They’ll walk you through the process of undoing what the hacker has done.

5. Watch your bank statements.

Continue to watch your bank statements for any unusual charges. You should do this after any account hack.

6. Change the password for other accounts that used the same one as your Netflix account.

People often use the same or the nearly same password for several accounts. Make sure to change the password for any accounts that used the one that was just hacked.

Get Help Securing Your Passwords & Accounts

Don’t wait until a hack happens to you. Give us a call today to schedule a chat about our password security solutions.


Featured Image Credit

This Article has been Republished with Permission from The Technology Press.

person using black smartphone with gray and pink case Cybersecurity

What Is App Fatigue & Why Is It a…

The number of apps and web tools that employees use on a regular basis continues to increase. Most departments have about 40-60 different digital tools that they use. 71% of employees feel they use so many apps that it makes work more complex.

Many of the apps that we use every day have various alerts. We get a “ping” when someone mentions our name on a Teams channel. We get a notification popup that an update is available. We get an alert of errors or security issues.

App fatigue is a very real thing and it’s becoming a cybersecurity problem. The more people get overwhelmed by notifications, the more likely they are to ignore them.

Just think about the various digital alerts that you get. They come in:

  • Software apps on your computer
  • Web-based SaaS tools
  • Websites where you’ve allowed alerts
  • Mobile apps and tools
  • Email banners
  • Text messages
  • Team communication tools

Some employees are getting the same notification on two different devices. This just adds to the problem. This leads to many issues that impact productivity and cybersecurity.

Besides alert bombardment, every time the boss introduces a new app, that means a new password. Employees are already juggling about 191 passwords. They use at least 154 of them sometime during the month.

How Does App Fatigue Put Companies at Risk?

Employees Begin Ignoring Updates

When digital alerts interrupt your work, you can feel like you’re always behind. This leads to ignoring small tasks seen as not time-sensitive. Tasks like clicking to install an app update.

Employees overwhelmed with too many app alerts, tend to ignore them. When updates come up, they may quickly click them away. They feel they can’t spare the time right now and aren’t sure how long it will take.
Ignoring app updates on a device is dangerous. Many of those updates include important security patches for found vulnerabilities. When they’re not installed, the device and its network are at a higher risk. It becomes easier to suffer a successful cyberattack.

Employees Reuse Passwords (and They’re Often Weak)

Another security casualty of app fatigue is password security. The more SaaS accounts someone must create, the more likely they are to reuse passwords. It’s estimated that passwords are typically reused 64% of the time.

Credential breach is a key driver of cloud data breaches. Hackers can easily crack weak passwords. The same password used several times leaves many accounts at risk.

Employees May Turn Off Alerts

Some alerts are okay to turn off. For example, do you really need to know every time someone responds to a group thread? Or just when they @name you? But, turning off important security alerts is not good.

There comes a breaking point when one more push notification can push someone over the edge. They may turn off all the alerts they can across all apps. The problem with this is that in the mix of alerts are important ones. Such as an anti-malware app warning about a newly found virus.

What’s the Answer to App Fatigue?

It’s not realistic to just go backward in time before all these apps were around. But you can put a strategy in place that puts people in charge of their tech, and not the other way around.

Streamline Your Business Applications

From both a productivity and security standpoint, fewer apps are better. The fewer apps you have, the less risk. Also, the fewer passwords to remember and notifications to address.

Look at the tools that you use to see where redundancies may be. Many companies are using two or more apps that can do the same function.

Consider using an umbrella platform like Microsoft 365 or Google Workspace. These platforms include several work tools, but users only need a single login to access them.

Have Your IT Team Set up Notifications

It’s difficult for users to know what types of notifications are the most important. Set up their app notifications for them. This ensures they aren’t bombarded yet are still getting the important ones.

Automate Application Updates

A cybersecurity best practice is to automate device and software updates. This takes the process out of employees’ hands. It enhances productivity by removing unnecessary updates from their view.

Automating device updates through a managed services solution improves security. It also mitigates the chance there will be a vulnerable app putting your network at risk.

Open a Two-Way Communication About Alerts

Employees may never turn off an alert because they’re afraid they might get in trouble. Managers may not even realize constant app alert interruptions are hurting productivity.

Communicate with employees and let them know they can communicate with you. Discuss how to use alerts effectively. As well as the best ways to manage alerts for a better and more productive workday.

Need Help Taming Your Cloud App Environment?

Today, it’s easy for cloud tools to get out of hand. Get some help consolidating and optimizing your cloud app environment. Give us a call today.


Featured Image Credit

This Article has been Republished with Permission from The Technology Press.

Free Side View of a Woman Using a Laptop Stock Photo Cybersecurity

These Everyday Objects Can Lead to Identity Theft

You wouldn’t think a child’s toy could lead to a breach of your personal data. But this happens all the time. What about your trash can sitting outside? Is it a treasure trove for an identity thief trolling the neighborhood at night?

Many everyday objects can lead to identity theft. They often get overlooked because people focus on their computers and cloud accounts. It’s important to have strong passwords and use antivirus on your PC. But you also need to be wary of other ways that hackers and thieves can get to your personal data.

Here are six common things that criminals can use to steal your information.

Old Smart Phones

People replace their smartphones about every two and a half years. That’s a lot of old phones laying around containing personal data.

Just think of all the information our mobile phones hold. We have synced connections with cloud services. Phones also hold banking apps, business apps, and personal health apps. These are all nicely stored on one small device.

As chip technology has advanced, smartphones have been able to hold more “stuff.” This means documents and spreadsheets can now be easily stored on them. Along with reams of photos and videos.

A cybercriminal could easily strike data theft gold by finding an old smartphone. They often end up at charity shops or in the trash. Make sure that you properly clean any old phones by erasing all data. You should also dispose of them properly. You shouldn’t just throw electronics away like normal garbage.

Wireless Printers

Most printers are wireless these days. This means they are part of your home or work network. Printing from another room is convenient. But the fact that your printer connects to the internet can leave your data at risk.

Printers can store sensitive documents, such as tax paperwork or contracts. Most people don’t think about printers when putting data security protections in place. This leaves them open to a hack. When this happens, a hacker can get data from the printer. They could also leverage it to breach other devices on the same network.

Protect printers by ensuring you keep their firmware updated. Always install updates as soon as possible. You should also turn it off when you don’t need it. When it’s off it’s not accessible by a hacker.

USB Sticks

Did you ever run across a USB stick laying around? Perhaps you thought you scored a free removable storage device. Or you are a good Samaritan and want to try to return it to the rightful owner. But first, you need to see what’s on it to find them.

You should never plug a USB device of unknown origin into your computer. This is an old trick in the hacker’s book. They plant malware on these sticks and then leave them around as bait. As soon as you plug it into your device, it can infect it.

Old Hard Drives

When you are disposing of an old computer or old removable drive, make sure it’s clean. Just deleting your files isn’t enough. Computer hard drives can have other personal data stored in system and program files.

Plus, if you’re still logged into a browser, a lot of your personal data could be at risk. Browsers store passwords, credit cards, visit history, and more.

It’s best to get help from an IT professional to properly erase your computer drive. This will make it safe for disposal, donation, or reuse.

Trash Can

Identity theft criminals aren’t only online. They can also be trolling the neighborhood on trash day. Be careful what you throw out in your trash.

It’s not unusual for garbage to enable identity theft. It can include pre-approved credit card offers that you considered “junk mail.” Your trash can also hold voided checks, old bank statements, and insurance paperwork. Any of these items could have the information thieves need to commit fraud or pose as you.

A shredder can be your best friend in this case. You should shred any documents that contain personal information. Do this before you throw them out. This extra step could save you from a costly incident.

Children’s IoT Devices

Electronic bears, smart kid watches, Wi-Fi-connected Barbies… all toys that hackers love. Mattel’s Hello Barbie was found to enable the theft of personal information. A hacker could also use its microphone to spy on families.

These futuristic toys are often what kids want. Parents might think they’re cool, but don’t consider their data security. After all, these are children’s toys. But that often means they can be easier to hack. Cybercriminals also zero in on these IoT toys, knowing they aren’t going to be as hard to breach.

You should be wary of any new internet-connected devices you bring into your home. That includes toys! Install all firmware updates. Additionally, do your homework to see if a data breach has involved the toy.

Schedule a Home IT Security Audit & Sleep Better at Night

Don’t let the thought of identity theft keep you up at night. Give us a call today and schedule a home IT security audit. You’ll be glad you did.


Featured Image Credit

This Article has been Republished with Permission from The Technology Press.

Free Cyber Security Information Security illustration and picture Cybersecurity

6 Things You Should Do to Handle Data Privacy…

Once data began going digital, authorities realized a need to protect it. Thus, the creation of data privacy rules and regulations to address cyber threats. Many organizations have one or more data privacy policies they need to meet.

Those in the U.S. healthcare industry and their service partners need to comply with HIPAA. Anyone collecting payment card data must worry about PCI-DSS. GDPR is a wide-reaching data protection regulation. It impacts anyone selling to EU citizens.

Industry and international data privacy regulations are just the tip of the iceberg. Many state and local jurisdictions also have their own data privacy laws. Organizations must be aware of these compliance requirements. But they also need to know about updates to these rules.

By the end of 2024, about 75% of the population will have its data protected by one or more privacy regulations.

Authorities enact new data privacy regulations all the time. For example, in 2023, four states will have new rules. Colorado, Utah, Connecticut, and Virginia will begin enforcing new data privacy statutes.

Businesses must stay on top of their data privacy compliance requirements. Otherwise, they can suffer. Many standards carry stiff penalties for a data breach. And if security was lacking, fines can be even higher.

The Health Insurance Portability and Accountability Act (HIPAA) uses a sliding scale. Violators can be fined between $100 to $50,000 per breached record. The more negligent the company is, the higher the fine.

Does all that sound scary?

Don’t worry, we have some tips below for you. These can help you keep up with data privacy updates coming your way.

Steps for Staying On Top of Data Privacy Compliance

1. Identify the Regulations You Need to Follow

Does your organization have a list of the different data privacy rules it falls under? There could be regulations for:

  • Industry
  • Where you sell (e.g., if you sell to the EU)
  • Statewide
  • City or county
  • Federal (e.g., for government contractors)

Identify all the various data privacy regulations that you may be subject to. This helps ensure you’re not caught off guard by one you didn’t know about.

2. Stay Aware of Data Privacy Regulation Updates

Don’t get blindsided by a data privacy rule change. You can stay on top of any changes by signing up for updates on the appropriate website. Look for the official website for the compliance authority.

For example, if you are in the healthcare field you can sign up for HIPAA updates at HIPAA.gov. You should do this for each of the regulations your business falls under.

You should have updates sent to more than one person. Typically, your Security Officer or equal, and another responsible party. This ensures they don’t get missed if someone is on vacation.

3. Do an Annual Review of Your Data Security Standards

Companies are always evolving their technology. This doesn’t always mean a big enterprise transition. Sometimes you may add a new server or a new computer to the mix.

Any changes to your IT environment can mean falling out of compliance. A new employee mobile device added, but not properly protected is a problem. One new cloud tool an employee decides to use can also cause a compliance issue.

It’s important to do at least an annual review of your data security. Match that with your data privacy compliance requirements to make sure you’re still good.

4. Audit Your Security Policies and Procedures

Something else you should audit at least annually is your policies and procedures. These written documents that tell employees what’s expected from them. They also give direction when it comes to data privacy and how to handle a breach.

Audit your security policies annually. Additionally, audit them whenever there is a data privacy regulation update. You want to ensure that you’re encompassing any new changes to your requirements.

5. Update Your Technical, Physical & Administrative Safeguards As Needed

When you receive a notification that a data privacy update is coming, plan ahead. It’s best to comply before the rule kicks in, if possible.

Look at three areas of your IT security:

  • Technical safeguards – Systems, devices, software, etc.
  • Administrative safeguards – Policies, manuals, training, etc.
  • Physical safeguards – Doors, keypads, building security, etc.

6. Keep Employees Trained on Compliance and Data Privacy Policies

Employees should be aware of any changes to data privacy policies that impact them. When you receive news about an upcoming update, add this to your ongoing training.

Good cybersecurity practice is to conduct ongoing cybersecurity training for staff. This keeps their anti-breach skills sharp and reminds them of what’s expected.
Include updates they need to know about so they can be properly prepared.

Remember to always log your training activities. It’s a good idea to log the date, the employees educated, and the topic. This way, you have this documentation if you do suffer a breach at some point.

Get Help Ensuring Your Systems Meet Compliance Needs

Data privacy compliance can be complex. But you don’t have to figure it all out yourself. Our team is well-versed in compliance needs. Give us a call today to schedule a chat.


Featured Image Credit

This Article has been Republished with Permission from The Technology Press.

Free Iphone Smartphone photo and picture Cybersecurity

Why You Need to Think Twice Before Using Lensa…

It’s a common theme. You begin seeing these amazing CGI images of your friends on Facebook or Instagram. You think, “How can I make one?”

Filters and self-portrait apps have come a long way. You can now make yourself look like Hollywood’s version of a character in the next hit animated film. It still kind of looks like you, only a dream version with “perfect” hair, skin, and facial features.

The latest of these modern vanity marvels to make the rounds is Lensa AI. You upload about 10 photos so the app can feed that data into its AI algorithm. Then, once it maps your facial features, it generates several fantasy selfies of you.

These magical avatars don’t come for free though. While you can download the app for free and use it in a limited fashion, you need to pay to do more. To get unlimited access for one week, it’s $2.99. There are several pricing tiers for its avatar packs and membership access. These range from $3.99 for Avatars Pack 1 to $35.99 for full membership.

It sounds like a little harmless digital fun, right? That’s what many companies making apps like this like you to think. Vanity is an easy sell, and who doesn’t want to have a fabulous profile pic?

But for Lensa AI and several similar self-portrait apps, you’re paying more than you know. The cost comes from the data privacy rights you’re giving up. And these can go far beyond the app itself.

Why Worry About Data Privacy with Lensa AI & Similar Apps?

Thanks to laws like GDPR, software and app developers need to tell you what they do with your data. Looking at the app at the Mac App Store, a few alarming things jump out.

Data Used to Track You

Once you download the Lensa AI app, it can track your phone activity. The app store states that the app may use purchases and unique identifiers to track you. And this doesn’t mean only tracking you while in Lensa AI. It can track you across websites and apps owned by other companies.

Data Collected

Lensa AI scours your device for a lot of different data points. By downloading it, you permit it to do this. Some of the tracking links to you personally (such as linked to your name, IP address, or phone number). It collects a lot of other data, but not with your name or another identifier on it.

Data collected and linked to you:

  • User content (such as the images you upload)

Data collected, but not linked to you:

  • Purchases you make on websites or apps
  • Usage data for apps, etc.
  • Identifiers (this isn’t specified, but could mean things like city or gender)
  • Diagnostics from your device

Loss of Rights to Your Uploaded Images

What apps like Lensa AI do with your data is a grey area. Many tech companies, such as Facebook, have been known to act irresponsibly with user data. Many are purposely vague in their terms and conditions, leaving the door open.

One section from the Lensa AI Terms that users agree to states the following:

“…solely for the purposes of operating or improving Lensa, you grant us a time-limited, revocable, non-exclusive, royalty-free, worldwide, fully-paid, transferable, sub-licensable license to use, reproduce, modify, distribute, create derivative works of your User Content, without any additional compensation to you…”

For the sole purpose of “operating” Lensa, could mean anything. It could mean that to make more money to operate the business, the company needs to use your images. Note that it also states it can modify, distribute, etc. YOUR user content.

Things You Can Do to Protect Your Data Privacy

Don’t Immediately Jump on Every Fad

This one may be hard when you see all your friends using a new app. It’s natural to want to be a part of that. But try waiting a week. Most likely those avatar images from the latest selfie app won’t be blowing up your feed anymore.

Read App Terms & Conditions

Take the time to read an app’s terms. You are often giving up more data privacy rights than you realize. This includes giving an app the ability to track just about everything you do on your device. Be aware of what’s at risk before you download a new app.

Restrict Data Collection

If you can’t resist an app’s charms, at least make it as secure as possible. This includes taking the time to restrict its data collection features, where possible.

Use your phone’s privacy and security settings to turn off data sharing. For the Lensa AI app, you can also contact the company to request that it delete your data from its servers. Its privacy policy states to email privacy@lensa-ai.com for questions and concerns.

Get a Device Privacy Checkup

The more apps you use, the more complicated data privacy can get. Don’t leave it to chance. We’ll be happy to help. Give us a call today to schedule a device privacy checkup.


Featured Image Credit

This Article has been Republished with Permission from The Technology Press.

Free Security Computer Science photo and picture Cybersecurity

Data Backup Is Not Enough, You Also Need Data…

The need to back up data has been around since floppy disks. Data loss happens due to viruses, hard drive crashes, and other mishaps. Most people using any type of technology have experienced data loss at least once.

There are about 140,000 hard drive crashes in the US weekly. Every five years, 20% of SMBs suffer data loss due to a major disaster. This has helped to drive a robust cloud backup market that continues to grow.

But one thing that’s changed with data backup in the last few years is security. Simply backing up data so you don’t lose it, isn’t enough anymore. Backing up has morphed into data protection.

What does this mean?

It means that backups need more cybersecurity protection. They face threats such as sleeper ransomware and supply chain attacks. Cloud-based backup has the benefit of being convenient, accessible, and effective. But there is also a need for certain security considerations with an online service.

Companies need to consider data protection when planning a backup and recovery strategy. The tools used need to protect against the growing number of threats.

Some of the modern threats to data backups include:

  • Data Center Outage: The “cloud” basically means data on a server. That server is internet accessible. Those servers can crash. Data centers holding the servers can also have outages.
  • Sleeper Ransomware: This type of ransomware stays silent after infecting a device. The goal is to have it infect all backups. Then, when it’s activated, the victim doesn’t have a clean backup to restore.
  • Supply Chain Attacks: Supply chain attacks have been growing. They include attacks on cloud vendors that companies use. Those vendors suffer a cyberattack that then spreads throughout their clients.
  • Misconfiguration: Misconfiguration of security settings can be a problem. It can allow attackers to gain access to cloud storage. Those attackers can then download and delete files as they like.

What to Look for in a Data Protection Backup System

Just backing up data isn’t enough. You need to make sure the application you use provides adequate data protection. Here are some of the things to look for when reviewing a backup solution.

Ransomware Prevention

Ransomware can spread throughout a network to infect any data that exists. This includes data on computers, servers, and mobile devices. It also includes data in cloud platforms syncing with those devices.

95% of ransomware attacks also try to infect data backup systems.

It’s important that any data backup solution you use have protection from ransomware. This type of feature restricts automated file changes that can happen to documents.

Continuous Data Protection

Continuous data protection is a feature that will back up files as users make changes. This differs from systems that back up on a schedule, such as once per day.

Continuous data protection ensures that the system captures the latest file changes. This mitigates data loss that can occur if a system crashes before the next backup. With the speed of data generation these days, losing a day’s worth of data can be very costly.

Threat Identification

Data protection incorporates proactive measures to protect files. Look for threat identification functions in a backup service. Threat identification is a type of malware and virus prevention tool.

It looks for malware in new and existing backups. This helps stop sleeper ransomware and similar malware from infecting all backups.

Zero-Trust Tactics

Cybersecurity professionals around the world promote zero-trust security measures. This includes measures such as multi-factor authentication and application safelisting.

A zero-trust approach holds that all users and applications need ongoing authentication. So, just because a user is logged into the system today, doesn’t mean they are completely trusted.

Some of the zero-trust features to look for include:

  • Multi-factor authentication
  • Distinct file and folder permissions
  • Contextual authentication
  • Verification of permissions for file changes

Backup Redundancy

If you back up to a USB drive or CD, you have one copy of those files. If something happens to that copy, you could experience data loss.

Cloud backup providers should have backup redundancy in place. This means that the server holding your data mirrors that data to another server. This prevents data loss in the case of a server crash, natural disaster, or cyberattack.

Air Gapping for More Sensitive Data

Air gapping is a system that keeps a copy of your data offline or separated in another way. This would entail making a second backup copy of your data. Then, putting it on another server. A server disconnected from external sources.

This is a feature that you may want to seek out if you deal with highly sensitive data. It helps to ensure that you have at least one other copy of your backup. A copy walled off from common internet-based attacks.

Need Help With Secure Backup & Data Protection Solutions?

Have you updated your backup process for today’s threats? Give us a call today to schedule a chat about data backup and protection.


Featured Image Credit

This Article has been Republished with Permission from The Technology Press.

red padlock on black computer keyboard Cybersecurity

6 Steps to Effective Vulnerability Management for Your Technology

Technology vulnerabilities are an unfortunate side effect of innovation. When software companies push new updates, there are often weaknesses in the code. Hackers exploit these. Software makers then address the vulnerabilities with a security patch. The cycle continues with each new software or hardware update.

It’s estimated that about 93% of corporate networks are susceptible to hacker penetration. Assessing and managing these network weaknesses isn’t always a priority for organizations. Many suffer breaches because of poor vulnerability management.

61% of security vulnerabilities in corporate networks are over 5 years old.

Many types of attacks take advantage of unpatched vulnerabilities in software code. This includes ransomware attacks, account takeover, and other common cyberattacks.

Whenever you see the term “exploit” when reading about a data breach, that’s an exploit of a vulnerability. Hackers write malicious code to take advantage of these “loopholes.” That code can allow them to elevate privileges. Or to run system commands or perform other dangerous network intrusions.

Putting together an effective vulnerability management process can reduce your risk. It doesn’t have to be complicated. Just follow the steps we’ve outlined below to get started.

Vulnerability Management Process

Step 1. Identify Your Assets

First, you need to identify all the devices and software that you will need to assess. You’ll want to include all devices that connect to your network, including:

  • Computers
  • Smartphones
  • Tablets
  • IoT devices
  • Servers
  • Cloud services

Vulnerabilities can appear in many places. Such as the code for an operating system, a cloud platform, software, or firmware. So, you’ll want a full inventory of all systems and endpoints in your network.

This is an important first step, so you will know what you need to include in the scope of your assessment.

Step 2: Perform a Vulnerability Assessment

Next will be performing a vulnerability assessment. This is usually done by an IT professional using assessment software. This could also include penetration testing.

During the assessment, the professional scans your systems for any known vulnerabilities. The assessment tool matches found software versions against vulnerability databases.

For example, a database may note that a version of Microsoft Exchange has a vulnerability. If it detects that you have a server running that same version, it will note it as a found weakness in your security.

Step 3: Prioritize Vulnerabilities by Threat Level

The assessment results provide a roadmap for mitigating network vulnerabilities. There will usually be several, and not all are as severe as others. You will next need to rank which ones to address first.

At the top of the list should be those experts consider severe. Many vulnerability assessment tools will use the Common Vulnerability Scoring System (CVSS). This categorizes vulnerabilities with a rating score from low to critical severity.

You’ll also want to rank vulnerabilities by your own business needs. If a software is only used occasionally on one device, you may consider it a lower priority to address. While a vulnerability in software used on all employee devices, you may rank as a high priority.

Step 4: Remediate Vulnerabilities

Remediate vulnerabilities according to the prioritized list. Remediation often means applying an issued update or security patch. But it may also mean upgrading hardware that may be too old for you to update.

Another form of remediation may be ringfencing. This is when you “wall off” an application or device from others in the network. A company may do this if a scan turns up a vulnerability for which a patch does not yet exist.

Increasing advanced threat protection settings in your network can also help. Once you’ve remediated the weaknesses, you should confirm the fixes.

Step 5: Document Activities

It’s important to document the vulnerability assessment and management process. This is vital both for cybersecurity needs and compliance.

You’ll want to document when you performed the last vulnerability assessment. Then document all the steps taken to remediate each vulnerability. Keeping these logs will be vital in the case of a future breach. They also can inform the next vulnerability assessment.

Step 6. Schedule Your Next Vulnerability Assessment Scan

Once you go through a round of vulnerability assessment and mitigation, you’re not done. Vulnerability management is an ongoing process.

In 2022, there were over 22,500 new vulnerabilities documented. Developers continue to update their software continuously. Each of those updates can introduce new vulnerabilities into your network.

It’s a best practice to have a schedule for regular vulnerability assessments. The cycle of assessment, prioritization, mitigation, and documentation should be ongoing. This fortifies your network against cyberattacks. It removes one of the main enablers of hackers.

Get Started with a Vulnerability Assessment

Take the first step towards effective vulnerability management. We can help you fortify your network against attacks. Give us a call today to schedule a vulnerability assessment to get started.


Featured Image Credit

This Article has been Republished with Permission from The Technology Press.

Free Shinjuku Ward Building photo and picture Cybersecurity

Is That Really a Text from Your CEO… or…

Imagine you’re going about your day when suddenly you receive a text from the CEO. The head of the company is asking for your help. They’re out doing customer visits and someone else dropped the ball in providing gift cards. The CEO needs you to buy six $200 gift cards and text the information right away.

The message sender promises to reimburse you before the end of the day. Oh, and by the way, you won’t be able to reach them by phone for the next two hours because they’ll be in meetings. One last thing, this is a high priority. They need those gift cards urgently.

Would this kind of request make you pause and wonder? Or would you quickly pull out your credit card to do as the message asked?

A surprising number of employees fall for this gift card scam. There are also many variations. Such as your boss being stuck without gas or some other dire situation that only you can help with.

This scam can come by text message or via email. What happens is that the unsuspecting employee buys the gift cards. They then send the numbers back. They find out later that the real company CEO wasn’t the one that contacted them. It was a phishing scammer.

The employee is out the cash.

Without proper training, 32.4% of employees are prone to fall for a phishing scam.

Why Do Employees Fall for Phishing Scams?

Though the circumstances may be odd, many employees fall for this gift card scam. Hackers use social engineering tactics. They manipulate emotions to get the employee to follow through on the request.

Some of these social engineering tactics illicit the following:

  • The employee is afraid of not doing as asked by a superior
  • The employee jumps at the chance to save the day
  • The employee doesn’t want to let their company down
  • The employee may feel they can advance in their career by helping

The scam’s message is also crafted in a way to get the employee to act without thinking or checking. It includes a sense of urgency. The CEO needs the gift card details right away. Also, the message notes that the CEO will be out of touch for the next few hours. This decreases the chance the employee will try to contact the real CEO to check the validity of the text.

Illinois Woman Scammed Out of More Than $6,000 from a Fake CEO Email

Variations of this scam are prevalent and can lead to significant financial losses. A company isn’t responsible if an employee falls for a scam and purchases gift cards with their own money.

In one example, a woman from Palos Hills, Illinois lost over $6,000. This was after getting an email request from who she thought was her company’s CEO.

The woman received an email purporting to be from her boss and company CEO. It stated that her boss wanted to send gift cards to some selected staff that had gone above and beyond.

The email ended with “Can you help me purchase some gift cards today?” The boss had a reputation for being great to employees, so the email did not seem out of character.

The woman bought the requested gift cards from Target and Best Buy. Then she got another request asking to send a photo of the cards. Again, the wording in the message was very believable and non-threatening. It simply stated, “Can you take a picture, I’m putting this all on a spreadsheet.”

The woman ended up purchasing over $6,500 in gift cards that the scammer then stole. When she saw her boss a little while later, her boss knew nothing about the gift card request. The woman realized she was the victim of a scam.

Tips for Avoiding Costly Phishing Scams

Always Double Check Unusual Requests

Despite what a message might say about being unreachable, check in person or by phone anyhow. If you receive any unusual requests or one relating to money, verify it. Contact the person through other means to make sure it’s legitimate.

Don’t React Emotionally

Scammers often try to get victims to act before they have time to think. Just a few minutes of sitting back and looking at a message objectively is often all that’s needed to realize it’s a scam. Don’t react emotionally, instead ask if this seems real or is it out of the ordinary.

Get a Second Opinion

Ask a colleague, or better yet, your company’s IT service provider, to take look at the message. Getting a second opinion keeps you from reacting right away. It can save you from making a costly judgment error.

Need Help with Employee Phishing Awareness Training?

Phishing keeps getting more sophisticated all the time. Make sure your employee awareness training is up to date. Give us a call today to schedule a training session to shore up your team’s defenses.


Featured Image Credit

This Article has been Republished with Permission from The Technology Press.

Free Lock Padlock illustration and picture Cybersecurity

6 Ways to Prevent Misconfiguration (the Main Cause of…

Misconfiguration of cloud solutions is often overlooked when companies plan cybersecurity strategies. Cloud apps are typically quick and easy to sign up for. The user often assumes that they don’t need to worry about security because it’s handled.

This is an incorrect assumption because cloud security is a shared model. The provider of the solution handles securing the backend infrastructure. But the user is responsible for configuring security settings in their account properly.

The problem with misconfiguration is huge. It’s the number one cause of cloud data breaches. It’s also an unforced error. Misconfiguration means that a company has made a mistake. It hasn’t adequately secured its cloud application.

Perhaps they gave too many employees administrative privileges. Or, they may have neglected to turn on a security function. One that prevented the downloading of cloud files by an unauthorized user.

Misconfiguration covers a wide range of negligent behavior. It all has to do with cloud security settings and practices. A finding in The State of Cloud Security 2021 report shed light on how common this issue is. 45% of organizations experience between 1 and 50 cloud misconfigurations per day.

Some of the main causes of misconfiguration are:

  • Lack of adequate oversight and controls
  • A team lacking security awareness
  • Too many cloud APIs to manage
  • No adequate cloud environment monitoring
  • Negligent insider behavior
  • Not enough expertise in cloud security

Use the tips below to reduce your risk of a cloud data breach and improve cloud security.

Enable Visibility into Your Cloud Infrastructure

Do you know all the different cloud apps employees are using at your business? If not, you’re not alone. It’s estimated that shadow IT use is approximately 10x the size of known cloud use.

When an employee uses a cloud app without authorization, it’s considered “shadow IT.” This is because the app is in the shadows so to speak, outside the purview of the company’s IT team.

How can you protect something you don’t know about? This is why shadow cloud applications are so dangerous. And why they often result in breaches due to misconfiguration.

Gain visibility into your entire cloud environment, so you know what you need to protect. One way you can do this is through a cloud access security application.

Restrict Privileged Accounts

The more privileged accounts you have, the higher the risk of a misconfiguration. There should be very few users that can change security configurations. You don’t want someone that doesn’t know better to accidentally open a vulnerability. Such as removing a cloud storage sharing restriction. It could leave your entire environment a sitting duck for hackers.

Audit privileged accounts in all cloud tools. Then, reduce the number of administrative accounts to a least needed to operate.

Put in Place Automated Security Policies

Automation helps mitigate human error. Automating as many security policies as possible helps prevent cloud security breaches.

For example, if you use a feature like sensitivity labels in Microsoft 365, you can set a “do not copy” policy. It will follow the file through each supported cloud application. Users don’t need to do anything to enable it once you put the policy in place.

Use a Cloud Security Audit Tool (Like Microsoft Secure Score)

How secure is your cloud environment? How many misconfigurations might there be right now? It’s important to know this information so you can correct issues to reduce risk.

Use an auditing tool, like Microsoft Secure Score. You want a tool that can scan your cloud environment and let you know where problems exist. It should also be able to provide recommended remediation steps.

Set Up Alerts for When Configurations Change

Once you get your cloud security settings right, they won’t necessarily stay that way. Several things can cause a change in a security setting without you realizing it. These include:

  • An employee with elevated permissions accidentally changes them
  • A change caused by an integrated 3rd party plug-in
  • Software updates
  • A hacker that has compromised a privileged user credential

Be proactive by setting up alerts. You should have an alert for any significant change in your cloud environment. For example, when the setting to force multi-factor authentication gets turned off.

If an alert is set up, then your team knows right away when a change occurs to an important security setting. This allows them to take immediate steps to research and rectify the situation.

Have a Cloud Specialist Check Your Cloud Settings

Business owners, executives, and office managers aren’t cybersecurity experts. No one should expect them to know how to configure the best security for your organization’s needs.

It’s best to have a cloud security specialist from a trusted IT company check your settings. We can help ensure that they’re set up to keep your data protected without restricting your team.

Improve Cloud Security & Lower Your Chances for a Data Breach

Most work is now done in the cloud, and companies store data in these online environments. Don’t leave your company at risk by neglecting misconfiguration. Give us a call today to set up a cloud security assessment.


Featured Image Credit

This Article has been Republished with Permission from The Technology Press.

Free Online Banking Banking Operations illustration and picture Cybersecurity

Smart Tips to Stop Money From Being Stolen Through…

There are a lot of things that have changed since the invention of the internet. One of these is how we bank and access our accounts. You used to have to go into a local bank branch to make deposits and withdrawals. Now, you can take a picture of a check and deposit it from your phone.

Approximately 73% of people around the world use some form of online banking at least once a month. People have never had such convenient account access. But that convenience can come at a cost.

In 2021, account takeover fraud increased by 90%. New account fraud jumped a whopping 109%. As the ease of online banking has increased, so has banking-related cybercrime.

If someone breaches your Facebook account, it can be a real pain. But, if a hacker breaches your bank account, it can be devastating. It can mean significant losses. Losses that you may not be able to recoup from your financial institution.

In this article, we’ll take a look at the mistakes people make that leave their accounts at risk. Then, we’ll go over some important tips on how to keep your bank account better protected.

Mistakes That Allow Criminals to Access Your Account

Not Enabling Two-factor Authentication

Two-factor authentication (2FA) is a simple process that packs a big punch. When you enable this setting in an online account, it requires an extra step to gain access. That step usually consists of receiving a one-time passcode (OTP) by SMS and entering that at login.

Many people make the mistake of leaving this disabled. They either don’t know it’s there or they think it’s too inconvenient. But leaving this setting off makes it much easier for a bad actor to breach your account.

Falling for a Phishing Scam

There are several types of phishing scams that target online banking. Cyber criminals send emails that look like they come from your bank. They’ll even promise incredibly low rates on credit cards.

Other scams can involve warning you of unauthorized account activity. But when you click the link to log in, you’re actually on a fake page. One designed to look just like your normal bank website.

These are just a few ways that scammers can get your online banking login details. Once they have them, they’ll act immediately to get whatever they can.

Using Easy-to-Guess Passwords

If your account password is easy to remember, it’s also often easy to guess. Using weak passwords is a common mistake that enables many cyber criminals.

Some best practices for passwords include:

  • Make them at least 10 characters long
  • Include at least one number
  • Include at least one symbol
  • Include at least one upper-case letter
  • Don’t make them personal (e.g., don’t use your birthdate, etc.)

Downloading Unsafe Mobile Apps

Banking trojans are often hidden in malicious mobile apps. These apps can look like something as innocent as a task manager. But, once installed, banking trojans seek out any details they can find. They are looking for banking and wallet apps.

Logging Into Online Banking While on Public Wi-Fi

One surefire way to give away your online banking password is to log in while on public Wi-Fi. Hackers hang out on public hot spots and spy on the activity of others. You should never type in a password or other sensitive details when connected to public Wi-Fi.

Tips for Improving Online Banking Security

Turn On Two-Factor Authentication

Enable two-factor authentication in your online banking account. This is also known as multi-factor authentication or two-step verification. According to Microsoft, it can block 99.9% of fraudulent account login attempts.

Set Up Banking Alerts

Time is of the essence when an intruder breaches your account. The faster you can notify your bank of the breach, the better. You could reduce the impact on you by having your account locked down immediately.

Set up banking alerts through your online banking. These can include things like low-balance alerts and login alerts.

Install an Antivirus & DNS Filtering On Your PC & Mobile Device

It’s important to have reliable antivirus software on your PC and mobile device. Many people don’t think about protecting their phones in this way. Yet, they shop online and bank via mobile devices.

It’s also good to use a DNS filter. This is a filter that protects you from going to dangerous phishing sites by blocking them.

Take Phishing Training Classes

Do you know how to identify phishing? Are you up on all the newest scams? You can make yourself less vulnerable by taking some phishing awareness classes. There are many of these for free online. You can also contact us for more personalized training options.

Knowing how to spot phishing via text, email, and phone can help you avoid becoming a scam victim.

Get Help Protecting Your Family from Scams

There are some key digital solutions we can put in place to keep your family safer from online threats. Give us a call today to schedule a chat about online security.


Featured Image Credit

This Article has been Republished with Permission from The Technology Press.