Author name: admin

In his book The Road Less Stupid, Keith Cunningham makes this correct observation about succeeding in business: “I don’t need to do more smart things. I just need to do fewer dumb things.”  When it comes to cyber security, I see a lot of dumb decisions made by smart people based on gross ignorance about what can happen or the desire to stick their proverbial heads in the sand to avoid having to spend the money and time to protect their assets.      One of the biggest mistakes is thinking you won’t get hacked because you’re too small, or because you “don’t have anything the hackers would want.” Allow me to point out that you’re not too small to get hacked, but you are too small to make headline news. Millions of small businesses get hacked every year – they simply don’t talk about it because of the potential liability, bad PR, and loss of client and marketplace trust. They’re embarrassed.      Further, you’re right – hackers, for the most part, don’t want your stuff, unless you happen to have medical records, credit cards, social security numbers, etc. Those are very valuable digital assets that can be sold on the dark web marketplace – and cyber criminals are in it for the money. But more to the point, YOU want your stuff, so they’ll kidnap your information and hold it for a ransom to extort money from you. Kidnappers don’t steal a child because they want to start a family. They steal your children because YOU want your children and they know you’ll pay anything to get them back, safe and sound.      So it goes with ransomware. When all of your work files and e-mails go away, very few businesses can pick up from ground zero and keep operating without any losses. Perhaps the solo operator working from home, but certainly not a small business that has been operating for several years with multiple clients and employees producing work for clients.      Another excuse I’ll hear for not implementing cyber protections is, “Since I’m going to get hacked anyway, why bother spending so much money on cyber security? I’ll just get an insurance policy, back up my data, and take the hit.”      While that might sound logical, here’s why it’s a gloriously stupid plan…      Insurance companies are in business to make money, NOT pay out policy claims. A few years ago, cyber insurance carriers were keeping 70% of premiums as profit and only paying out 30% in claims. Fast-forward to today and those figures are turned upside down, causing carriers to make drastic changes in how cyber liability insurance is acquired and coverages paid. In fact, the CEO of Zurich Insurance Group recently predicted that cyber-attacks are set to become uninsurable.       Today, getting even a basic cyber liability policy requires you to prove you have certain security measures in place, such as multifactor authentication, password management, endpoint protection, and tested and proven data backup solutions. These carriers want to see phishing training and cyber security awareness training in place, and some will want to see a WISP, or written information security program, or a business continuity plan from your organization. Depending on the carrier, your specific situation, and the coverage you’re seeking, the list can be longer.      Also, hackers are onto your backup plan and create ransomware attacks to not only take your data but also corrupt your backup. The additional threat is that if you don’t pay, they’ll release your files online for all to see, including payroll information, ALL e-mail communications, client contracts, and more. Do you really want that in the hands of competitors and the general public? Insurance won’t cover that.      Bottom line: having cyber-protections in place cannot guarantee you will never get hacked, but it CAN dramatically prevent the damage done and absolutely will block the majority of attempts, preventing you from being low-hanging fruit.       Wearing a seat belt, having a safe car, and practicing good driving behaviors (like don’t text and drive) won’t guarantee you’ll never be in a car wreck – but if you do those things, the risk of getting into a crash go down dramatically AND your chances of coming out alive and unharmed will obviously increase.  Want a FREE, confidential assessment of your current cyber security status? Click here to schedule a quick 10-minute call to start a discussion and see if you could benefit from a more robust cybersecurity plan.

A little over a year ago, the FTC made several amendments to the existing Safeguards Rule requiring even very small businesses to ensure the protection of client data. These changes, set to go into effect back in December of 2022, are now going to be enforced starting June 9, 2023 – and it’s very likely that your business, regardless of how small or how your tech is being handled, WILL be required to implement certain new security protocols. The Safeguards Rule was originally created for financial institutions. However, the new amendments broaden the definition of financial institutions to include real estate appraisers, car dealerships, and payday lenders. The FTC goes so far as to include any business that regularly wires money to and from consumers. These organizations are required to develop, implement and maintain a comprehensive security program to keep their customers’ information safe. Here are the provisions you must implement: Designate a qualified individual to oversee their information security program. That means someone at these companies needs to be trained in information security, receive continuing security education, and be in charge of ensuring the organization is correctly executing the written information security plan. If no one on your team meets this requirement, we can provide someone. Develop a written risk assessment. A risk assessment is done in two parts: one, a technical scan, and two, a questionnaire designed to reveal common security loopholes. This is typically outsourced to an IT firm like ours and needs to be reviewed annually (by law), but best practices should be quarterly if not monthly in situations where a business is handling a lot of sensitive information and the tolerance for risk by the owner is low. If you need this risk assessment, contact us. Limit and monitor who can access sensitive customer information. For example, don’t give your entire team access to your credit card processing system. Only allow one employee (the one who works in it day in and day out), as well as one backup person (possibly you, the owner), to be able to log in and access this information. Encrypt all sensitive information. Again, this is typically done by an outsourced IT company like ours, unless your company is large enough to have a robust cyber security team that can handle it. “Sensitive information” is not just medical records and credit cards, but clients’ e-mail addresses, phone numbers, Social Security information, driver’s license information, and birthdays. ALL of this can be used by hackers to exploit your customers using the data you host. Train security personnel. Employee awareness training is another key component to not only this law but also to get and keep insurance coverage on cyber liability, crime, and other insurance policies. Develop an incident response plan. Specifically, if (when?) you get compromised, you need to have a plan in place for how you will respond. This is also another service we offer to our clients but should be reviewed by your insurance agent, leadership team, board, and other key players in the organization. Periodically assess the security practices of service providers. This law also requires you to ensure any companies you are doing business with – specifically ones where sensitive information is shared – are secure and compliant. This may include requiring that vendors state in their contracts that they are adhering to the Safeguards Rule and to certain security frameworks, like CIS or NIST. Implement multifactor authentication or another method with equivalent protection for any individual accessing customer information. Also known as “2FA,” this process ensures anyone logging in to your accounts must authenticate that request via another device, such as a cell phone or e-mail.  If you want to discuss this new rule with us and how to get started with a Risk Assessment, click here https://calendar.app.google/jSA1tteBxFJKnJkX6 to schedule a phone consultation to discuss your concerns, questions, and specific situation. If you prefer, you can call us at 774-504-5558.

What do these three real e-mails have in common?  Kohl’s Winner – “Notifications – Re: 2nd attempt for Paul” WalmartStores – “Re: CONFIRMED: Paul you are selected” Lowe’s Winner – “Congratulations Paul! You Are The Lucky Online Winner Of A Brand-New Sweepstakes Dewalt Power Station Entry No, “Paul” isn’t the luckiest person in the world but, as you might have guessed, the target of cybercriminals.   All three of the above are examples of real recent e-mail scams* that were sent to hundreds of thousands of e-mail addresses with the goal of getting unsuspecting “winners” to provide personal information. This includes things like asking for a Social Security number to “verify” your identity before sending you the award you won. Or getting banking information so they can send you your monetary prize. Of course, they aren’t doing either of those things but rather using that information to steal from your accounts, steal your identity or simply sell the data on the dark web to others who will find ways to use that information. So, how does this affect your business? According to Symantec Security Center (https://www.broadcom.com/support/security-center), the average employee receives a scam e-mail about twice a week. That means companies with just 10 employees would be targeted up to 1,040 times a year!  While your employees may be too smart to actually provide their Social Security or bank account information, did you know that just clicking on a link in an e-mail can open up their computer (and every other computer and network it’s connected to) to a variety of risks? At best, it could just let the sender know the link was clicked and that it’s an active account, which will then often trigger more spam, and often make that account the target of more attacks.  At worst, simply clicking on a link could download a malicious file – like a virus, malware, or spyware – that then compromises the entire network and could record logins and passwords and access client databases and bank accounts.  Or it could lead to a scammy website (often made to look legitimate) where your employee could enter confidential information inadvertently. Obviously, none of these are good outcomes for your employee or your company. In 2020, attacks like this cost small businesses over $2.8 billion in damages, according to the US Small Business Administration, with costs of up to $653,587, according to Verizon. The good news is that there are easy and free ways to protect your employees and your business from these scams, like properly training employees about cyber threats, as well as inexpensive technical solutions like blocking known spam and prohibiting access to illegitimate websites. While these protections are low in cost, NOT having these training and protections in place could be disastrous for your company.  To eliminate worrying about the 1,040+ bad e-mails your employees get and hoping that none of them will EVER click on a bad link, go on the offensive and make sure they never even get these e-mails in the first place, and even if they do, the sites are blocked if they click! To see how to stop being a sitting duck and instead take control of your security, simply call us at 774-504-5558 or go to https://calendar.app.google/jSA1tteBxFJKnJkX6  to set up a quick call, and we’ll walk you through your options. *You can check the facts on these scams and get the details. For the one from “Kohl’s Winner,” go to https://www.youtube.com/watch?v=Hu-c_E8tkD0; from “WalmartStores, go to https://corporate.walmart.com/privacy-security/fraud-alerts/; from “Lowe’s Winner,” go to https://bestlifeonline.com/lowes-air-conditioning-message-scam-news/ Also, visit: https://www.sba.gov/blog/protect-your-small-business-cybersecurity-attacks https://www.verizon.com/business/resources/reports/dbir/2021/smb-data-breaches-deep-dive/

Have you ever had a conversation about a topic, and then later that day you start seeing news, ads, or updates about that subject, and said to yourself, “This can’t be a coincidence”? Well, you’re probably right.  According to Norton, who you may remember as an antivirus software company and who now also owns LifeLock, your smart devices ARE listening to you because that’s their job. However, you probably didn’t realize how much they are listening to you or what they do with the information they collect. In this blog, you’ll see that your devices are listening to you and using and distributing the information they get, and how to protect yourself while still using the features these smart devices offer. Chances are when you activated Siri, Alexa, or Google Assistant, it asked you to accept the terms and conditions, which you did, without reading or listening to them. A quick search of the terms for Siri (https://www.apple.com/legal/privacy/data/en/ask-siri-dictation) advises you that: When you use Siri and Dictation, your device will send other Siri Data, such as: Contact names, nicknames, and relationships (for example, “my dad”), if you set them up in your contacts Music and podcasts you enjoy Names of your devices and those of your Family Sharing members Names of accessories, homes, scenes, shared home members in the Home app, and Apple TV user profiles Labels for items, such as people’s names in Photos, Alarm names, and names on Reminders lists Names of apps installed on your device and shortcuts you added through Siri And Google states (https://policies.google.com/privacy): We will share personal information outside of Google if we have a good-faith belief that access, use, preservation, or disclosure of the information is reasonably necessary. We may share non-personally identifiable information publicly and with our partners – like publishers, advertisers, developers, or rights holders. For example, we share information publicly to show trends in the general use of our services. We also allow specific partners to collect information from your browser or device for advertising and measurement purposes, using their own cookies or similar technologies. These are just some of the highlights from their privacy policy, which is a lengthy 15 pages.  You’ve got to remember, the privacy policy isn’t there to protect you – it’s there to protect the companies that create them! So, what do you do? Do you stop using smart devices, get rid of your phone and build a house in the woods? That’s probably a little extreme for most, so here are two things that actually make sense. First, you can take some basic actions to disable a few of the “eavesdropping” features built into your smart devices. Norton (the antivirus people) has a three-step way to do that at: https://us.norton.com/blog/how-to/is-my-phone-listening-to-me Second, you need to know that if your data is going to be stolen, it’s probably NOT through Alexa, Siri, and Google.  Most data breaches come from malicious links in e-mails; old, unpatched security vulnerabilities in software; and unsuspecting employees taking actions they shouldn’t be taking. These risks can be mitigated and monitored, and existing vulnerabilities can often be eliminated, simply by having the right software updates installed.  While it’s a little weird that Apple may know that your favorite musician is actually Taylor Swift, it’s much worse if your business data gets stolen or locked down and you’re out of business until you pay ransom to hackers.  Click here to schedule a brief 10-minute call https://calendar.app.google/jSA1tteBxFJKnJkX6 discuss your situation, needs, and concerns. If appropriate, we can conduct a simple security assessment for free to know for sure if your network and data are safe.

ROI Revolution estimates that e-commerce sales will eclipse $236 billion this holiday season. While that’s the most popular time for consumers to purchase online, in 2021 over $2 billion a day was made in online purchases. Chances are you and your employees make purchases weekly personally and for your business. And…chances are that cybercriminals are doing their best to capitalize on this to steal credit card numbers, logins and passwords and even you and your customers’ banking information.  If they don’t follow these four practices to stay safer (notice I didn’t say safe) buying online, they could be exposing themselves and your business to identity theft, fraud, and more. Don’t reuse passwords from site to site. If you use the same password for multiple sites, when one company’s records get breached (which happens every day) a criminal now has access to multiple accounts. So make sure you use different passwords for different sites. This does make things slightly more complicated for you, but it also makes it infinitely harder for cybercriminals.  Check the URL in the address bar. One indication that a website is secure is that it either has a small lock symbol to the far left of the URL or “https” in the URL. If you see a lock that’s unlocked or just an “http,” the site is not secure – do NOT provide any credit card information or bank account details.  Don’t use a debit card to pay – only use a credit card. This way, if someone is able to access your account, you won’t lose what’s currently in your bank account. And most major credit cards have a $50 or less liability policy if unauthorized charges are made. So it’s important to watch those statements. If you do feel you’re the victim of fraud, make sure to contact your credit card company immediately. Be wary of any texts or e-mails about package deliveries. Even if you have something you’re tracking, go back to the site you originally purchased from to check notifications that way. Any links from an unknown sender could infect the device you’re on, which could expose you to viruses and malicious software.   While there are plenty of cybercriminals happy to scam consumers, who they really want to go after are businesses because they have much deeper pockets and there are multiple ways they can cause havoc.  Click here to schedule a brief 10-minute call https://calendar.app.google/jSA1tteBxFJKnJkX6 to discuss your situation, needs and concerns. If appropriate, we can conduct a simple security assessment for free to know for sure if your network and data is safe. To schedule a 10-minute call to make sure all hybrid employees have all the tools necessary to protect your company’s data, visit https://calendar.app.google/jSA1tteBxFJKnJkX6or call us 774-241-8600. 

The last few years have seen countless companies going to a hybrid work model. According to a survey by Envoy over 77% of businesses have some full or part-time remote employees. While this change comes with many benefits, as a business owner, there are three big things you need to make sure your employees are doing to keep your company’s data secure, avoid online scams, and prevent being a victim of a cyber attack. Cybercriminals know that many of the security measures businesses have in place in their office instantly evaporate when employees work from home. Things like firewalls, secure Wi-Fi, and restricted physical access to a computer all disappear for remote workers.  According to the global security group the Institute for Security and Technology, businesses saw a 311% increase in Ransomware attacks in 2020 due to cyber criminals trying to exploit these trends. This has only increased as hybrid models have become more and more commonplace and look as though they are here to stay. But it doesn’t have to be all doom and gloom. Because these new models offer many benefits, it’s just important as a business owner to know what you need in place to keep from turning a positive into a giant catastrophe through no fault of your own. Here are three critical things you must do if you’re allowing employees to work remotely: Always On VPN for computers, tablets, and mobile devices to ensure that no matter what device employees use, or where they use it, you and your data are protected.  Use Multi-Factor Authentication (MFA). This is where you get a text, call or need to use an authentication app to log in to programs when your account is being used. Set your computer screen to lock automatically. This is a simple measure that automatically logs out and locks your computer so someone can’t just jump on and access your files and programs. Most small businesses aren’t doing these three basic things to keep your data and company from becoming a victim of cybercrime. They are easy to get in place and free or inexpensive. Want to know if your employees are putting your company at risk?  Click here to schedule a brief 10-minute call to discuss your situation, needs, and concerns. If appropriate, we can conduct a simple security assessment for free to know for sure if your network and data are safe. To schedule a 10-minute call to make sure all hybrid employees have all the tools necessary to protect your company’s data, visit https://calendar.app.google/jSA1tteBxFJKnJkX6 or call us at 774-241-8600. 

Anyone active on social media has seen those seemingly harmless quizzes that someone in your newsfeed takes and then shares…the ones that ask you to enter your first name, your middle name, and the street you grew up on to create your “new name.” Joe + Schmo + Blow Avenue = your stripper name. Turns out they aren’t so harmless. A hacker could use any of this info to get past firewalls into your accounts (financial or otherwise) by filling in answers to gain passwords. They can also use this information to hack into your profile. Then, by controlling your account, they are able to reach out to friends and colleagues, sending messages to you, which can quickly damage your reputation. According to the FTC, customers in 2021 reported losing about $770 million to fraud that started on social media. That’s an 18-fold increase since 2017 and affected more than twice the 2020 number of customers. In 2021, it affected more than 95,000 people. Socialcatfish.com ranked Facebook as the most popular platform for online scams. Other common social media scams include: Giveaways, where you’re told you have won but you need to submit payment info to receive your prize Profile hacking, where someone poses as an online “friend” and asks for money to get out of a bad situation Job offers, where what you think is a legitimate work-from-home opportunity might require you to pay a fee to “start” or guarantee a high paycheck for a menial task The best way to avoid these scams is to just be wary. Be careful of oversharing online. Does something seem too good to be true? Is your “friend” speaking in an unusual way? Reach out offline. Know that only scammers ask for money via a wire transfer or gift card. And if you really can’t resist a fun online quiz (because everyone else is taking it), just make up the answers.   If you do notice a scam, you can report it to the BBB Spam Tracker and ReportFraud.ftc.gov to help others. To check if your private data has been exposed to any hackers online, schedule a 10-minute discovery call with our team now. Call us at 774-504-5558 or book a time here: https://calendar.app.google/jSA1tteBxFJKnJkX6