• February 29, 2024
  • Category hardware

Old Routers, Email Impersonators Raise Security Stakes for SMBs

By : Justin Folkerts

The security stakes for SMBs are already high: smaller organizations must grapple with the same threats as large enterprises, including ransomware and malware that has been augmented by artificial intelligence (AI).

These innovative threats can distract from the reality that other mundane vectors remain a serious threat to SMB security.

It may be working fine, but it’s not secure

On the hardware front, SMBs need to be wary of threat actors targeting old routers. Earlier this month, CRN reported that nation-state hackers from China were linked to an attack that compromised hundreds of small business and home routers. Just because you’re a small business, doesn’t mean you won’t be eyed by international hackers.

One of the reasons SMBs are considered worthwhile targets is that they are often part of a broader supply chain connected to critical infrastructure. Compromised routers can be herded together into a botnet, and a single malware-infected device can become a launchpad for attacks on other organizations.

What all these routers tend to have in common is that they are end-of-life (EOL) products – they may still be working fine but are no longer being supported by the vendor with firmware and security updates. Since it costs money to replace aging hardware, companies often continue to use old, unsupported routers which not only lack needed updates, but weren’t designed with the smarts to combat the latest security threats.

The CRN article notes that bad actors view SMBs as nothing more than an IP address, so a smaller firm that supplies organizations providing critical infrastructure can be a high-priority target.

Check your email carefully

Email has long been an attack surface for businesses of all sizes, but SMBs should be aware of hackers hijacking the mailing lists of other businesses, including those of their email service provider.

A recent example reported by TechRadar involves the provider SendGrid, which attackers exploited to access client mailing lists and send tailored, authentic-looking emails asking recipients to activate multi-factor authentication (MFA) via a link in the email. Unsuspecting users who clicked the link were sent to a fake login landing page that harvested their credentials.

Making sure you use a reliable, reputable email service provider isn’t enough to protect your business communications infrastructure from bad actors, who are getting smarter all the time and better at mimicking real organizations.
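The lure described above pairs legitimate-looking sender infrastructure with a link that leads somewhere else. The following Python script is an added example, not code from the original article, SendGrid or TechRadar: it flags messages whose links resolve outside the claimed sender's domain or whose visible link text differs from the real target, and notes MFA or account-action wording. The sender address, the domains and both sample messages are constructed for illustration, and the two-label domain comparison is a simplification noted in the code.

```python
# Added example, not code from the original article or from any provider it
# names. It checks the two signals behind the MFA-activation lure described in
# the text: link targets outside the claimed sender's domain, and anchor text
# that shows one address while pointing at another. Every address, domain and
# message below is constructed for illustration.
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Wording typical of credential lures; presence alone is only a hint.
LURE_PHRASES = ("multi-factor", "mfa", "activate", "verify your account", "confirm your login")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def registered_domain(host):
    """Crude registrable-domain guess: the last two labels. A real deployment
    should use the public suffix list (this simplification mishandles co.uk etc.)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _host_of(url):
    url = url.strip()
    if url.lower().startswith("www."):
        url = "http://" + url
    return urlparse(url).hostname


def analyse(raw_message):
    """Return {'suspicious': bool, 'findings': [str]} for one RFC 5322 message.
    'suspicious' is set only on a link mismatch; lure wording is reported as a hint."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = email.utils.parseaddr(str(msg["From"]))[1]
    sender_domain = registered_domain(sender.rsplit("@", 1)[-1])
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""

    extractor = _LinkExtractor()
    extractor.feed(text)

    findings = []
    for href, visible in extractor.links:
        target = _host_of(href)
        if not target:
            continue
        if registered_domain(target) != sender_domain:
            findings.append(f"link target {target} is outside sender domain {sender_domain}")
        looks_like_url = visible.strip().lower().startswith(("http://", "https://", "www."))
        shown = _host_of(visible) if looks_like_url else None
        if shown and registered_domain(shown) != registered_domain(target):
            findings.append(f"link text shows {shown} but points to {target}")

    haystack = (str(msg["Subject"] or "") + " " + text).lower()
    if any(phrase in haystack for phrase in LURE_PHRASES):
        findings.append("credential-lure wording present (account or MFA action requested)")

    return {"suspicious": any(f.startswith("link") for f in findings), "findings": findings}


# Constructed sample: sender looks legitimate, link goes to a look-alike host.
PHISH_SAMPLE = (
    'From: "Acme Cloud Security" <no-reply@acmecloud.example>\n'
    "To: staff@smb.example\n"
    "Subject: Action required: activate multi-factor authentication\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    '<html><body><p>Please <a href="https://acmecloud-login.example-phish.test/mfa">'
    "https://acmecloud.example/mfa</a> to activate MFA today.</p></body></html>\n"
)

# Constructed sample: same lure wording, but the link stays on the sender's domain.
LEGIT_SAMPLE = (
    'From: "Acme Cloud Security" <no-reply@acmecloud.example>\n'
    "To: staff@smb.example\n"
    "Subject: Set up multi-factor authentication on your account\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    '<html><body><p><a href="https://acmecloud.example/settings/mfa">Set up MFA</a>'
    " in your account settings.</p></body></html>\n"
)

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, analyse(sample))
```

A mail gateway rule or a user-facing "why is this flagged" hint can be built on the same logic; the point for staff training is the first finding, that the link's real host is not the sender's.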

What you can do

SMBs need to take equipment upgrades seriously. Just because a router still works doesn't mean it is secure, so have a process in place to regularly review routers, firewalls and other endpoints against vendor end-of-life notices and verify they are still receiving firmware and security updates.
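One way to make that review repeatable, as an added example rather than code from the original article: a Python check that compares each device in an inventory against a vendor end-of-life table and the age of its running firmware. The vendor names, models, dates and devices are constructed for illustration, and the 180-day firmware age limit and one-year replacement window are assumptions to tune for your own environment.

```python
# Added example, not code from the original article. It turns the "review
# equipment for vendor support" step into a repeatable check: each device in an
# inventory is compared against the vendor's published end-of-life date and the
# age of its running firmware. Vendor names, models, dates and devices are all
# constructed for illustration; the thresholds are assumptions.
from dataclasses import dataclass
from datetime import date

# Constructed end-of-support table (model -> last date the vendor ships
# security updates). In practice, populate it from the vendors' EOL notices.
END_OF_SUPPORT = {
    "ExampleCo RT-100": date(2021, 6, 30),
    "ExampleCo RT-200": date(2025, 12, 31),
    "ExampleCo RT-300": date(2024, 10, 31),
    "OtherVendor GW-5": date(2023, 1, 15),
}

REVIEW_DATE = date(2024, 2, 29)  # date of the review run used in the sample below


@dataclass(frozen=True)
class Device:
    hostname: str
    model: str
    firmware_date: date  # build date of the firmware currently running


def review_device(device, today, max_firmware_age_days=180, replace_window_days=365):
    """Return the findings for one device; an empty list means it needs no action."""
    findings = []
    eol = END_OF_SUPPORT.get(device.model)
    if eol is None:
        findings.append("model not in end-of-support table: confirm support status with vendor")
    elif eol < today:
        findings.append(f"end-of-life since {eol.isoformat()}: replace")
    elif (eol - today).days <= replace_window_days:
        findings.append(f"end-of-life on {eol.isoformat()}: budget for replacement")
    firmware_age = (today - device.firmware_date).days
    if firmware_age > max_firmware_age_days:
        findings.append(f"firmware is {firmware_age} days old: check for and apply updates")
    return findings


def review_inventory(devices, today):
    """Map hostname -> findings for a whole inventory."""
    return {d.hostname: review_device(d, today) for d in devices}


def replace_list(report):
    """Hostnames whose device is past end-of-life and must be replaced, not patched."""
    return sorted(host for host, found in report.items() if any(": replace" in f for f in found))


# Constructed inventory covering the cases the check distinguishes.
SAMPLE_INVENTORY = [
    Device("edge-rtr-1", "ExampleCo RT-100", date(2021, 5, 1)),    # EOL and stale firmware
    Device("edge-rtr-2", "ExampleCo RT-200", date(2024, 1, 10)),   # supported and current
    Device("edge-rtr-3", "ExampleCo RT-300", date(2024, 2, 1)),    # EOL within the year
    Device("branch-gw", "OtherVendor GW-5", date(2022, 11, 20)),   # EOL and stale firmware
    Device("lab-ap", "UnknownVendor AP-9", date(2023, 12, 1)),     # support status unknown
]

if __name__ == "__main__":
    report = review_inventory(SAMPLE_INVENTORY, REVIEW_DATE)
    for host, issues in report.items():
        print(host, "OK" if not issues else "; ".join(issues))
    print("replace:", replace_list(report))
```

Run it on a schedule and treat "model not in end-of-support table" as a finding in its own right: an unknown device is exactly the one nobody is patching.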

As long as there’s email, there’s going to be email phishing scams, so it’s important to maintain cybersecurity training so that employees can spot phishing attempts, no matter how sophisticated.

If you’re an SMB that is struggling to keep on top of all the cybersecurity threats in a dynamic digital landscape, consider turning to a managed services provider who can help evaluate your hardware and support cybersecurity training for your team.

  • January 16, 2024
  • Category Security

5 Considerations for Successful Security Awareness Training

By : Sanjeev Spolia

If you want to bolster your cybersecurity in 2024, providing effective security awareness training is just as important as deploying the right data protection tools.

Before you decide what security awareness training you’re going to do this year, consider getting feedback from your employees as well as aligning your training with the key projects you expect to be doing over the next 12 months.

Evaluate last year’s training

Find out what your employees thought of the security awareness training they have received in the past, both positive and negative. Was it engaging? What content did they like or dislike? Did they prefer in-person workshops, or online content such as videos? Understanding what works best will make future security awareness training more engaging as well as more effective.

How will you communicate?

Leveraging your employees to bolster your cybersecurity posture isn’t just about the security awareness training you provide, but also about how you engage them day to day on any issues, concerns, or incidents. How effective is email for making sure everyone is on the same page? Are you leveraging channels on collaboration platforms such as Slack and Microsoft Teams? How do you ensure that remote workers receive security-related bulletins?

What issues does your security awareness training need to address?

Broadly speaking, it’s easy to identify which challenges and threats your security awareness training must consider, but have you given thought to the specific issues that the executive team and employees are most concerned about? Were there specific threats in the past year such as phishing or ransomware that weren’t handled adequately? How well is your organization securing remote workers?

How should your projects in 2024 shape your training?

Security awareness training should apply not only to routine business operations but also to major projects, whether customer deliverables or your own strategic digital transformation efforts. New endeavours often require access to data as well as new cloud-based applications, all of which affect your security posture. New customers may have security requirements that oblige you to implement new processes and policies, and your employees must be made aware of them.

Getting new employees up to speed

If you’ve already added new staff or plan to scale up your headcount in 2024, you must gear your security awareness training for newcomers. They may come from an organization with less stringent security policies or conversely, they might be able to bring something to the table that enhances both your training and your security policies. No matter what, onboarding new employees should include security awareness training, and it should specifically address how certain roles engage with sensitive data.

Security awareness training works hand in hand with your cybersecurity and data protection tools; your employees are a critical element in securing your organization. If you’re looking to improve and expand your security awareness training, a managed services provider with a focus on security can help you develop, deliver, and maintain an effective program.

  • October 29, 2021
  • Category Security

Security Policy Must Keep in Mind How People Work in the Hybrid Office

By : Sanjeev Spolia

If the hybrid workplace is here to stay, then security policy must put people first. Understanding how the human element plays a role in protecting data is essential, but so is making sure any security measures don’t get in the way of productivity.

People can be part of the problem but also part of the solution: cultural changes that go hand in hand with security policy can positively influence employee behaviours and make your hybrid office more secure.

Humans make mistakes

Quite often, people put the organization at risk and violate security policy unintentionally. Privileged users can unknowingly let their credentials get compromised, which allows threat actors to access systems and sensitive data. Although it’s usually an accident, occasionally a disgruntled employee may compromise the organization intentionally.

Human beings also fall for phishing scams, both on their personal devices and on corporate workstations; in the hybrid office, these can be one and the same device. Scams built on socially engineered malicious messages, including tax-themed phishing, dodgy downloads, fake payment and delivery notices, and invoice phishing, became even more common during the pandemic and will likely continue apace in the hybrid office.

Some people are just plain careless, despite security policy guidance, letting credentials lapse or not using multifactor authentication. Cybersecurity technology isn’t effective on its own without keeping people in mind. Yes, they need to be held accountable, but you must also meet them where they are. The hybrid office means your employees move between their work and personal lives more fluidly, including the devices they’re working on, and this must be reflected in your security policy.

Remote work is here to stay

Meeting people where they are means your security policy outlines how they can help keep the organization secure without getting in the way of their productivity. Your security policy should assume that the hybrid office is here to stay for the foreseeable future and account for the impact of continued remote work.

IT teams must be prepared to support remote workers, who are likely to have less traditional schedules as they embrace flexibility, and to adopt collaboration tools that work across departments. That includes human resources as they onboard new workers who will be working remotely, on-site, or a combination of both. The hybrid office has also meant a shift to “hoteling”, with employees coming in for a few hours a day or a couple of days a week without a dedicated workspace.

Remote work always had implications for security policy, even before the pandemic, but there has been an increase in malware incidents, data breaches and other poor security behaviours as more people work from home. Despite this spike, it’s important to keep security simple for employees and to engage with them regularly through awareness training so they can help protect the hybrid office from threat actors.

A clear and concise security policy allows employees to be productive no matter where they are working so that security is not a barrier to productivity.

Sanjeev Spolia is CEO of Supra ITS

  • July 30, 2021
  • Category Security

Hybrid workplace security must account for the human element

By : Sanjeev Spolia

The hybrid workplace may be the new normal, but the high number of data breaches seen during the pandemic doesn’t have to be. The solution is recognizing that people can be the cause of security incidents but can also play a part in preventing them.

The “human element” is involved in as much as 85 percent of all data breaches, according to Verizon’s 2021 Data Breach Investigations Report. That’s actually good news—it means there are cultural changes that can be made to influence employee behaviours that will improve hybrid workplace security.

People still fall prey to scams

There are several areas where security is vulnerable because of how people behave, often without any intent to put cybersecurity and data privacy at risk.

The first is privilege abuse, a pattern the Verizon study calls out: users accumulate access to IT systems, data and applications beyond what their role requires, and if those credentials are compromised, threat actors inherit that access to sensitive information. In most cases the privileged user isn’t intentionally looking to harm their organization and the data exposure is accidental, but a disgruntled employee with the same access can cause a lot of damage.

In the meantime, employees still fall for phishing scams, and the number of people falling for these socially engineered malicious messages rose significantly during the pandemic, according to Verizon’s analysis. Examples include payment and delivery scams, invoice phishing, tax-themed phishing, and malicious downloads. Remote workers are more likely to fall for phishing scams, which makes prevention especially critical for improving hybrid workplace security.

Many data breaches are accidental, but these accidents shouldn’t be confused with carelessness, which can include credentials that aren’t regularly updated or failure to use multifactor authentication. Cybersecurity technologies only go so far without having a standard of behaviour throughout the organization. Employees must be held accountable—effective hybrid workplace security depends on culture as much as technology.

Meet people where they are

The hybrid workplace solidifies the need for every employee to do their part to foster company-wide security rather than putting the onus on a small group of IT experts to implement and manage cybersecurity technologies. This is where the human element becomes part of the solution, not just the potential cause of data breaches.

While it’s critical that remote workers do their best to secure their home office environment, it can be overwhelming for them. Communication and training go a long way to helping them develop good security habits, as well as streamlining the process as much as possible. It’s also important to remember that in the hybrid workplace not all remote employees are the same. Some are experienced road warriors and power users who innately understand they need to secure their mobile endpoints, while other users have got a tad complacent over the years because they’re always online.

Employees who have traditionally worked in offices and felt comfortable leaving their workstation unsecured for a few minutes may not fully appreciate that hybrid workplace security requires a shift in behaviour. There are also always employees who value efficiency over all else, so if they perceive security measures as a barrier to productivity, they will always find shortcuts and workarounds.

Make people part of the solution

Hybrid workplace security needs tools and processes with a short learning curve so that all employees can adopt them easily and see them as an enabler.

Balancing the human element and technology is critical to securing the hybrid workplace due to its inherent flexibility—employees are shifting constantly between their work and personal lives throughout the day, and that includes the devices they’re working on. Each device along with the software and operating systems they’re running now fall under the purview of corporate security.

From a technology perspective, it means technologies such as Identity and Access Management (IAM) tools are more essential than ever, as are robust security protocols and employee training. However, these must be seen as an enabler, not a roadblock to getting things done. The least technologically savvy employee must be able to blend their daily tasks with good security habits without a steep learning curve.

Hybrid workplace security requires a security-first culture that puts people at its centre, enabling them to improve their workflow while doing their part to keep the business secure.

  • February 11, 2021
  • Category open source

Why you need access to open source skills

By : Sanjeev Spolia

A significant trend running parallel to cloud adoption has been the increasing use of open source software, and whether your applications and data are on-premises or residing with one of the many cloud service providers, understanding open source technologies is essential.

A fall 2020 survey of 3,440 professional developers and managers conducted by O’Reilly Media and sponsored by IBM found that open source is maintaining and even increasing its influence. It’s become somewhat ubiquitous, with survey respondents expressing strong support for it in general and for specific skills in several open source technologies. For example, a whopping 94 percent view open source as being equal or better than proprietary software.

This preference extends to their cloud providers, with 70 percent of respondents saying they prefer one based on open source technologies. Overall, those surveyed associate open source with more job opportunities, more professional opportunities, and higher wages. Linux in particular was highlighted in the survey as an important technology, with 95 percent of developers citing it as important to their career, alongside containers and databases. Linux is also highlighted as a critical technology for unifying hybrid cloud environments.

Given that containers and databases are critical enabling technologies in cloud environments, it’s not surprising that open source flavours are popular, especially as they can be spooled up quickly and easily.

Open source powers the cloud

Being able to rapidly and easily spin up computing, network and storage resources is enabling cloud adoption, so it makes sense that open source would ride its coattails, as it appeals to organizations looking to be able to respond nimbly to business requirements without expensive investments in on-site, proprietary technologies that eat up the time of in-house IT staff.

Another benefit of open source noted by the O’Reilly Media survey is that vendors and cloud providers can rapidly apply updates, patches and other bug fixes, which improves overall reliability and security, while end users always have the latest applications on any device, especially mobile devices that use the cloud as their backend. Meanwhile, cloud computing providers enjoy the same benefit of not being bogged down with the licensing and administrative costs that go along with proprietary technologies.

As already mentioned, Linux is seen as a critical building block for unifying hybrid cloud environments as a common platform, and in turn, innovation in the cloud is contributing to the development of the Linux kernel, a collaborative process involving thousands of developers worldwide. Ultimately, open source technologies are what make the cloud possible.

Ensure you have open source expertise on tap

If open source is powering the cloud, and you’re at any stage of your cloud journey, then you need to think about the open source skills you have on staff as well as ensuring your managed service provider is making the same investments.

The O’Reilly Media survey makes it clear that developers and their managers are fiercely loyal to open source technologies, and that other third-party cloud services are increasingly turning to them to solve technical and business problems. In addition, the collaborative nature of open source means there is a constant loop back to improving and evolving open source technologies, particularly the Linux kernel. For businesses this means there are many benefits to being aligned with open source trends and acquiring relevant skills.

For developers and other IT workers, open source represents opportunities for professional advancement and interesting projects; for businesses, it means cost savings and agility because it reduces the potential for vendor lock-in. If you want to realize the competitive advantages of open source, you need access to the right experts and skills, which means not only having those people on staff but also accessing them through an experienced managed services provider.

Sanjeev Spolia is CEO of Supra ITS

  • October 15, 2020
  • Category cybersecurity

Cybersecurity Awareness is Everyone’s Responsibility, Especially in the Remote Work Era

By : Sanjeev Spolia

The shift to remote work means cybersecurity awareness across your organization is more important than ever for maintaining ongoing business operations and regulatory compliance.

Even before the pandemic, most organizations had become rather porous from a network security perspective thanks to the Bring Your Own Device (BYOD) movement, adoption of cloud computing, distributed locations, and an already increasingly mobile workforce. But while security technology has emerged to keep up with these trends, it’s not a silver bullet. Every employee needs a heightened level of cybersecurity awareness.

Remote work means that how an employee manages the device in their home office can have an impact on the organization’s entire network. Cybersecurity awareness means understanding that their workstation is an endpoint that must be configured properly so as to contribute to the overall security posture of the organization.

Training is critical to maximize cybersecurity awareness amongst your employees, especially remote workers. But it’s easy to lose their attention if training isn’t clear and engaging. If you’re doing regular phishing tests for your employees, try to have a sense of humour with the email content you’re creating as part of the test, for example, but also make sure employees understand the lesson without being made to feel stupid.  

Cybersecurity awareness training should be done regularly as part of normal operations, at least quarterly, rather than as a big annual event, because threats to the organization are ongoing as hackers automate their processes to optimize their chance of success. You should also involve the executive team in your training, so everyone understands that cybersecurity awareness is critical to the success of the business. You might have the CEO do a short video, which is easy to share with remote workers.

The training shouldn’t be solely the responsibility of the security team, either. Lines of business leaders should help to spearhead cybersecurity awareness, and it should be a part of your remote work strategy.

It’s important to remember that cybersecurity awareness isn’t only about protecting against threat actors, malware and ransomware, and malicious data theft. Employees need to understand that good security also helps the organization stay compliant with government privacy legislation and meet regulatory obligations that apply to their industry. Data breaches not only have the potential to cripple business operations and negatively affect customers, but also lead to financial and legal penalties that can profoundly affect the long-term health of the organization.

Most people have adapted to remote work over the past seven months, but because organizations are more distributed than ever, there’s a potential for cybersecurity awareness efforts to lapse, even as bad actors around the world continue to take advantage of the new work-from-home reality. Those doing remote work as part of a connected organization must continue to be vigilant about security as part of their daily work habits.

Sanjeev Spolia is CEO of Supra ITS.