Posts

What Exactly Is a Security Posture & What Does It Mean to Your Business

Business ecosystems are changing rapidly, cybercriminals are evolving just as fast, and a new vocabulary is developing along with them. A new addition to the lexicon of many is the concept of “Security Posture”: another techy word, referring to the strength and security of your IT infrastructure. It puts an increased focus on internet-borne vulnerabilities in business technology, and on how you manage current hardware and software purchases, policy and procedure generation, and controls.

What Makes Up Your Security Posture

Each of these aspects falls under cybersecurity. Your security posture determines the likelihood of a breach and what it would take for hackers to gain access to these critical pieces of network technology. It also covers the state of your employees and whether they can spot such threats, which makes it difficult for many to observe.

In the context of managing cybersecurity, decision-makers in larger organizations, including Directors of IT, Chief Technology Officers, and any compliance officer, must make decisions based on deliberation and analysis of their security posture. That analysis generates a better understanding of certain aspects of your cybersecurity approach, but this is simply not enough anymore. In today’s connected age, a more holistic approach is needed to meet regulations and compliance.

Cyberattacks Using SSL Encryption Swell the Success Rate of Malware to 400%

This post draws on Microsoft’s latest partner release of the 2019 Security Intelligence Report, a report put together to inform Microsoft and Office365 Partners of the latest threat analytics to hit the landscape. Of the 470 billion emails analyzed, the year-to-date trend was well over 250% since its last publication in 2018. As phishing attacks continue to trend upwards, attackers are beginning to leverage sneakier tactics to accomplish their end goal, including blackmail, extortion and, worst of all, data corruption.

For many businesses, encryption has become the norm as cyber-criminals begin looking to disrupt operations to turn a quick profit. One of the largest goals behind any cyber-attack is stealth: the longer malicious activity goes unnoticed in your systems, the greater the chances of the attack succeeding. One popular avenue involves SSL encryption, used to disguise the attack’s transmissions from your local anti-virus or anti-malware agents.

As previously warned, these attackers continue to use website encryption to give users a false sense of confidence while surfing or researching something on the web. As we have mentioned here, Security Awareness Training can assist in informing your employees of the perils found in today’s connected businesses. Begin scrutinizing the sender’s domain name and the content they want from you.

  • Phishing – 2.7 Million phishing attacks occur monthly, a 400% increase since we began tracking these stats in 2017.
  • Content is King – 196 Million instances of “malicious content,” including websites, malicious scripts, and malvertising, were all found on some of the most well-known websites this year.
  • Botnets – 32 Million botnet callbacks were performed and blocked on average each month since 2018.
  • Domains – 32% of all spoofed domains or websites were using SSL to deliver content.

Most Phished Brands through HTTPS:

  1. Microsoft Office365 or OneDrive – 58%
  2. Facebook – 12%
  3. Amazon – 10%
  4. Apple or iTunes – 10%
  5. Adobe – 4%
  6. Dropbox – 4%
  7. DocuSign – 2%

By preparing your employees with a security mindset, we broaden a business’s stance on security, to better prevent things like SSL attacks from reaching your end-users. Each of these tactics gives cybercriminals more ways to establish credibility and the context needed to fool businesses.

Recently, I received an email from one of our clients in the North Bay, and they copied me on an email that was dressed up to represent a Microsoft Office 365 notice. Now, this notice contained links to an “invoice” that were crafted and carefully coded to send the staff to a fake Russian URL, where Office365 logos were plastered everywhere. Even more convenient was the willingness of this HTTPS-encrypted website to take down ANY information relating to my own personal Office 365 account. Thankfully, this partner reached out to our staff to double-check the status of their Office 365 account and wouldn’t you know it, no issues were reported.

(Email Pictured Below)

7 Cybersecurity Tips That Give Your Business an Unfair Advantage in 2019

Clare Computer Solutions’ partner and security experts, Webroot, revealed the findings of their 2019 Threat Report, showing that many “tried-and-true” attack vectors or methods are still at the top of the list, with new threats emerging every day. It would appear the attackers are innovative, to say the least. This comes just in time, as many of our partners spoke to these very claims at the 2019 RSA Conference hosted just last week in San Francisco, California.

Hal Lonas, Chief Technology Officer at Webroot reports:

 

“We wax poetic about innovation in the cybersecurity field, but you only have to take one look at the stats in this year’s report to know that the true innovators are the cybercriminals. They continue to find new ways to combine attack methods or compromise new and existing vectors for maximum results. My call to businesses today is to be aware, assess your risk, create a layered approach that protects multiple threat vectors and, above all, train your users to be an asset—not a weak link—in your cybersecurity program.”

Clare Computer Solutions couldn’t agree more. Here are some highlights from Webroot’s 2019 Security Report:

  1. A staggering 40% of malicious URLs were found on “good” or “safe” domains. Legitimate websites are frequently compromised to host malicious content. To protect users’ and employees’ data, cybersecurity needs URL-level visibility or domain-level metrics to accurately expose these dangers. Far too often, standard antivirus or endpoint protection lacks these capabilities, leaving these links in an employee’s inbox.
  2. Phishing attacks have increased by 36%, with the number of malicious sites swelling to 220% from last year. We’ve even seen phishing sites use SSL certificates and HTTPS to trick unknowing users into believing they’re secure and legitimate. Microsoft’s latest Security Intelligence Report confirms this, with analytics reporting a 250% increase in phishing messages being sent through Office 365.
  3. 77% of spear phishing attacks impersonated financial institutions, and these attacks were the most likely to use HTTPS compared with other types of target, with over 80% of financial institutions finding compromised links residing on an HTTPS page.
  4. Google, followed by Microsoft and UPS/FedEx, ranked among the most impersonated brands in phishing overall for 2019.
  5. Security Awareness Training reports from Webroot and KnowBe4 both show that trained users are, on average, 80% less likely to fall for phishing attempts, especially with phishing simulations and on-demand training.
  6. One-third of all malware attempts to hide inside %appdata% folders. What makes these locations prime for hiding is the commonality between paths. They exist in every user directory, anything running with full user permissions can install there, and they are hidden by default in most operating systems. Although malware can and will hide almost anywhere, the most common locations are as follows:
    – 29.4% in %appdata%
    – 24.5% in %temp%
    – 17.5% in %cache%
  7. Devices using Windows 10 are at least 2x more secure than those systems still on Windows 7. Webroot has reported a steady decline in malware on Windows 10 machines in the business space.

Furthering your Security Measures

While ransomware was less of a problem in 2018, it has become more targeted, and companies, customers, and employees will fall victim to it. In 2018, many attacks used Remote Desktop Protocol (RDP) as an attack vector, leveraging tools to scan for systems with inadequate RDP settings. It’s these unsecured RDP connections that hackers can use to gain access to a given system and browse through all its shared data, which further provides criminals with sensitive information that ransomware can exploit.

Begin furthering your security measures today with a cybersecurity assessment. Easily track your current security posture, and rely on the experts to build you a roadmap for securing your business. Dive deeper into your network than ever before with our Security Posture Assessment from Clare Computer Solutions. If you wish to view the Webroot report, you can find that here.

Security Awareness Training Takes Business Protection to New Heights

Security awareness training is seen by many as something “nice to have,” while several SF Bay Area business owners have begun implementing our on-site training as a necessity for any business looking to protect its network and backups from encryption.

Your decision to adopt user-based education has been passed over year after year due to budget constraints or a lack of in-house experts to demystify technology. Small to medium-sized businesses have suffered from these types of constraints for years when compared to larger, resource-heavy organizations.

Though it’s clear end-user education doesn’t have to be a need for many business owners, as recently as August 2017 a Better Business Bureau study found that almost half of SMBs with 50 employees and under regard security awareness training as among their top 3 most proactive IT expenditures, alongside firewalls and endpoint protection.

This increase comes as no surprise, as the cybersecurity landscape has become more dynamic than ever. The average small to medium-sized business faces annual losses of over $80,000 when everything is said and done. Your staff is the front line of your business, and even the most advanced security stacks have limitations. If you’re not educating end-users by now, you’re putting your organization in harm’s way.

Here are a few tips and tricks for SMBs looking to get started with end-user training, or security awareness training:

Gather Company Buy-In

As with any new program, starting at the ground level will ensure success. Start with building a culture of security. Yes, it might require multi-factor authentication, or additional hoops to jump through. Begin generating “buy-in” from the surrounding management teams by sending out an email explaining the value of security awareness, phishing details, the latest security trends, and reports for your information technology (IT) team.

Start with Phishing

In the current technology landscape, security awareness should begin with the MOST COMMON attack vector: email phishing campaigns. With thousands of interactive tools and designs built to mislead and steal your credentials, there is no shortage of examples and videos showing their intricate workings. Begin with the basics, and go through the various types of phishing threats. Your staff should be able to identify and mitigate any phishing attempts after your training concludes.

Share results with End Users

Use this feedback to inspire smarter habits among staff, identifying key objectives for security awareness training to engage with at a later point. Who knows, maybe you will uncover security gaps left behind by a past managed IT provider. Raise the level of cyber awareness throughout your organization by sharing the latest encounters internally with your staff. Chances are these criminals are working more than one of you at work, and this can help employees understand the impact of poor online habits and motivate them to practice better behaviors.

Continuous Training: Set up your phishing and training program

Once your users are engaged and understand the value, the next step is setting up a training program for new employees. There is no one-size-fits-all program, but we recommend running at least one training course per year. Depending on the needs of each organization, presentations can be tailored to highlight industry-specific security.

As the business scales, you will want to scale the frequency and adjust intervals throughout the year. Our Security Awareness Training includes real-world phishing scenarios that have been defanged from the wild.

When you start seeing the impact that proven security awareness training has on your employees, you’ll wonder how your business ever managed without it. Contact us to schedule your no-cost, no-obligation security awareness training for your organization.

 

Educating Partners on Risk Management & Disaster Recovery

According to the data, there were a total of 3 natural disasters in the state of California in 2018, resulting in $180.8 billion in insured losses. That’s up from the $23.8 billion last calculated in 2016. With a bad wildfire season just around the corner for the Bay Area, we’ve already seen an active winter, with mudslides and flooding throughout, followed by that sweltering California heat.

Despite their frequency, natural catastrophes aren’t the only disasters you and your customers have to worry about. The rest is attributed to instances such as data corruption, system failure, and human error. In fact, hardware failure is responsible for half the downtime that small to midsize businesses experience.

When Risk Management Meets Disaster Recovery

Unfortunately, ideal scenarios and real-world scenarios are two different things. While it sounds good in theory, trying to protect against every possible catastrophe is cost-prohibitive and therefore impractical for most businesses. Instead, develop a Risk Management and Disaster Recovery Plan for the most likely “disastrous events.”

Risk Management Plans assist in spending wisely, by budgeting for disaster scenarios that pose the biggest threat to the business. For instance, if a data center is located in Southern California, then earthquakes are a legitimate concern. On the other hand, if you’re in the Northeast, then snowstorms are something you should plan for during the winter months.

Whether your risk management efforts uncover one type of event or another, there are certain disasters every organization should plan for. Educating employees on the importance of security, data backup, and consistent testing are cornerstones of any disaster recovery plan.

When onboarding our managed services clients, we remind them that solidifying a commitment to security can help prevent disasters, while a best-in-class backup and recovery plan is essential when disaster does strike. Periodically test procedures within your organization to make sure staff are prepared and data can be recovered, because a plan by itself is all but useless.

In Closing

You never know when disaster will strike or in what form. What you can do is anticipate the biggest risks for customers and help them prepare for the worst. At the end of the day, disaster preparedness is the key to risk management.

Have a question regarding your organization’s disaster recovery plan, or any risk management surrounding your business? Contact us for a no-cost, no-obligation conversation with one of our friendly staff members.

8 Warning Signs You’re Using the Wrong IT Service Solution

Dreading your company’s technology review because you can’t show how your technology is performing? Have a provider suffering from a lack of ideas on how to truly accelerate technology? You’re not alone. These are common symptoms for Bay Area businesses that have selected the wrong managed IT service solution.

Who could blame you? The marketplace is crowded with vendors and tools that promise to deliver exactly what you need. Even the “do-it-yourself” path, with homegrown systems or spreadsheets, can seem like you’re moving in the right direction.

Sooner or later, you will sense “something is wrong,” but you can’t quite put your finger on what exactly. If that’s you or could become you, check out these 10 warning signs that your company needs to make a change:

8 Warning Signs You’re Using the Wrong IT Service Solution:

1)  Lacking a consolidated point-of-service for all technology related matters

2)  Tired of burning service hours on re-active support instead of proactive thinking?

3)  Bouncing between different relationship and account managers within your IT support’s organization?

4)  Weeks have passed without any word from your account manager or that IT Guy you hired

5)  There’s no personalization – Your IT support never seems to know your network, let alone, your name

6)  No one owns the roadmap for projects, unplanned work, updates, and changes

7)  The “out-of-the-box” support solutions were over-positioned and don’t deliver

8)  Your “good enough” functionality isn’t good enough for your management team

Coming to the Realization That You Didn’t Make the Right Choice?

Make a change. Your next quarter doesn’t need to be a repeat of this quarter. The bottom line is that executives need to know technology is being supported by a scalable, trustworthy technology partner. This includes building a checklist of “would-like-to-have” features, “must-have” features and “deal breakers.”

Reference your list closely as you vet future products and solutions. Finally, it’s smart to secure feedback from others in your industry or channel. Consider inviting potential solution providers to your site to give your team a solution demo.

There’s no doubt this process is rigorous. But, it’s what’s required to find the best IT support and service solution for your organization. Contact Us – for a no-cost, no-obligation, conversation regarding unlocking the true potential of your business network and managed IT service solution.

Your Internal Teams Greatly Benefit from a Managed IT Service Provider

Having a Managed IT Service Provider (MSP) in your IT mix can free up internal staff for more strategic projects, like that app you always wanted, or those file-sharing tools your employees need. Establishing a strategic partnership with your IT vendor is essential to the relationship’s success. After 30 years in the IT Service realm, these are the biggest misconceptions surrounding your current MSP and internal teams.

“Bargain-Shop” Managed IT Service Provider

Organizations are continuing to turn towards MSPs to handle certain IT functions, as an extension of their internal teams. Although it appears most businesses see the value of augmenting with a Managed Service Provider, many are looking for the “cheapest” option available.

This highlights the very reason an organization turns to a Managed IT Service Provider in the first place: for change. Cost savings were always seen as benefits of Managed IT Services, but many have shifted their mindset from finding the lowest price to hunting for the greatest value.

Look for MSPs that have experience in your industry, and speak less about technology. Across the board, you want a partner that can explain business outcomes and how services can help shorten the roadmap to your goals, rather than pushing product. Managed Service Providers share business perspective, not technology pushed by vendors. The only way to avoid “deadbeat-IT” is by leveraging outside partners that carry proven track records with established clients.

Top Managed Service Providers Extend Proficiency and Reach

Your MSP usage doesn’t have to be confined to break-fix services related to hardware and its availability. Many CIOs are looking for MSPs that can deliver advanced services, like virtualization, converged-infrastructure or Security-as-a-Service.

With an increase in demand for services around network analytics, business intelligence, and application monitoring, your service provider should have an evolving offering. One that meets the demands of a dynamic technology landscape. It should be noted, a shift with some MSPs has begun, as we’ve seen several refuse the extension to support legacy infrastructure and outdated software.

Partners, NOT Replacements

While more and more companies are relying on outside help for IT needs, MSPs should complement your internal team, rather than replace it. This frees up existing assets to focus on core business functions and better utilize company resources. Many of our clients have claimed it brought IT departments “out-of-the-shadows” and allowed them to focus on core initiatives, a win-win for your IT staff.

Your MSP should provide you with strategy, documentation, repeatable process, access to their ticketing portal and friendly staff welcoming your calls. Company technology doesn’t have to keep you up at night.

Contact Us – to discover how Managed IT Services with Clare Computer Solutions can begin to benefit your business overnight.