The Dangers Of Uninformed Staff Members And How They Can Be The Weakest Link In The Cyber Security Chain


No matter how secure you think your data and your network are, it can all come crumbling down from just one phishing email or spear phishing campaign. Most employees aren’t trying to hand hackers their information or the company data, yet it happens. Most employees will click on or respond to a well-crafted phishing or spear phishing email if it lands in their inbox. Despite education efforts, 20-30% of recipients open standard phishing messages that arrive in their inbox, and 12-20% of those click on any enclosed phishing links. These rates are already high, but they double when looking at spear phishing emails.

Phishing is a hacking technique that “fishes” for victims by sending them deceptive emails. Virtually anyone on the internet has seen a phishing attack. Phishing attacks are mass emails that request confidential information or credentials under false pretences, link to malicious websites or include malware as an attachment.

Many phishing sites look just like the sites that they are impersonating. Often, the only difference in a spoofed site is a slight, and easily missed, difference in the URL. Visitors can easily be manipulated into disclosing confidential information or credentials to the hacker if they can be induced to click the link. Even blacklisted phishing sites can often get by standard filters through the technique of time-bombing the URLs: the link initially leads to an innocent page to get past the filters, and only later redirects to a malicious site.

Although malware is harder to get past filters, recently discovered and zero-day malware stands an excellent chance of getting through standard filters, and of being clicked on, especially if the malware is hidden in a non-executable file such as a PDF or Office document. This is how many of the recent ransomware attacks were pulled off. If an employee isn’t looking closely enough, they could be clicking a link that unleashes the hacker into your system.

Spear phishing is an enhanced version of phishing that takes aim at specific employees of the targeted organisation. The goal is usually to gain unauthorised access to networks, data and applications. Often the initial email will contain no URL or attachment. Instead, it will simply try to convince the recipient that the sender is legitimately whoever they claim to be. Only later on will the hacker request confidential credentials or information, or send a booby-trapped URL or attachment.

“But my staff is careful,” you might say. “They know what to look for,” you argue. But do they? Phishing attacks are often just the first part of a much larger hacking campaign. Once they are inside your system, hackers can do devastating damage by rifling through confidential customer lists, intellectual property, and emails, or even deleting critical data or encrypting it with ransomware. Companies that fall victim to phishing schemes risk:

  • Reputation damage
  • Loss of market value
  • Competitive disadvantage
  • Legal liability and compliance problems

Let’s look at a possible spear phishing scenario and how it plays out: After cataloguing the executives in the “Our Team” section of the Widget Co. website, the attackers create a cross-reference of social graphs, using Facebook and LinkedIn accounts to build lists of who knows whom inside Widget Co. Then, by piecing together the social information, the attackers are ready to go spear phishing.

The attackers find an HR employee at Widget Co. named John Smith. Posing as Mr. Smith, the hackers target Smith’s Facebook friend and colleague, Jeff Jones, an HR manager at Widget Co. To build trust in the faked email address, the hacker posing as Mr. Smith sends his “friend,” Mr. Jones, a note asking about the family vacation he is currently on (according to pictures posted to Facebook). If Mr. Jones responds, the hacker is off to a good start. He’s successfully impersonating another Widget Co. employee and is starting to build trust in the faked email with his target. Mr. Jones replies and says he is enjoying his time away with his family. The two continue to banter about Mr. Jones’ family vacation as well as things going on in the office, including the names of people that the attackers have researched and associated with the social circle.

How can the attacker get away with this? Doesn’t Mr. Smith have a unique, domain-specific email through Widget Co.? Yes, he does. However, due to Widget Co.’s “Bring Your Own Device” (BYOD) policy, employees are able to use personal mobile devices to send messages to one another. In this case, the attacker knows from LinkedIn that Mr. Smith’s personal email address is [email protected]. The attacker creates a Gmail account for [email protected]. Mr. Jones doesn’t notice the difference, and the stage is set for the real attack.

The hackers know from LinkedIn that Jane Doe is a new employee working with Mr. Jones. The hacker posing as Mr. Smith sends to Mr. Jones a PDF file of “new employee paperwork” that actually contains key logging malware. If Mr. Jones opens the file, his device is instantly infected, his credentials sucked up, and the network is breached.

Alternatively, the fake Mr. Smith could send a note that says, “Hey, Jeff — I’m on the golf course, but I need to call the bank and make sure Jane Doe’s retirement plan is all set up. I can’t remember the login for the employee database system — can you help me out?” If Mr. Jones shares his login for the database, the hacker is inside. Either way, the phisher can collect Mr. Smith’s login credentials, a free pass to invade Widget Co.’s private networks. Any confidential employee data is at risk of being improperly accessed.

The same scenario could just as easily have played out in corporate finance, marketing and sales, IT, or any other department. Most employees have more than enough personal information about them in the public realm to allow their identity to be utilised to swindle another employee and compromise your network.
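One defender-side check the scenario above suggests, written here as an added example rather than anything from the original article: compare each inbound From: header against an employee directory and flag messages whose display name claims to be an employee, or whose address closely resembles an employee’s known address on an outside domain. The directory, domain names and similarity threshold are constructed assumptions.

```python
"""Flag inbound senders that look like an impersonated employee (added example)."""
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed directory: employee -> addresses the organisation has on file
# for that person (corporate mailbox plus any declared personal address).
DIRECTORY = {
    "John Smith": {"john.smith@widgetco.example", "john.smith@personalmail.example"},
    "Jeff Jones": {"jeff.jones@widgetco.example"},
}
CORP_DOMAIN = "widgetco.example"  # assumed corporate domain


def _normalise(name: str) -> str:
    """Lower-case a display name and collapse dots/underscores/extra spaces."""
    return " ".join(name.lower().replace(".", " ").replace("_", " ").split())


def lookalike_score(addr: str, known: str) -> float:
    """Similarity (0..1) of two local parts, ignoring dots and underscores."""
    a = addr.split("@")[0].replace(".", "").replace("_", "").lower()
    b = known.split("@")[0].replace(".", "").replace("_", "").lower()
    return SequenceMatcher(None, a, b).ratio()


def classify_sender(from_header: str, threshold: float = 0.85):
    """Return (verdict, reason) for a raw From: header value."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if not addr:
        return "reject", "unparseable From header"
    # 1. Address is one the directory already knows: nothing to flag.
    for emp, allowed in DIRECTORY.items():
        if addr in allowed:
            return "ok", f"known address for {emp}"
    # 2. Display name claims to be an employee but the address is not on file.
    for emp in DIRECTORY:
        if name and _normalise(name) == _normalise(emp):
            return "flag", f"display name matches {emp} but {addr} is not on file"
    # 3. External address mimics an employee mailbox (the personal-Gmail trick).
    for emp, allowed in DIRECTORY.items():
        for known in allowed:
            if (lookalike_score(addr, known) >= threshold
                    and not addr.endswith("@" + CORP_DOMAIN)):
                return "flag", f"{addr} resembles {known} ({emp})"
    return "ok", "external sender, no employee match"
```

Flagged messages are candidates for analyst triage rather than automatic rejection, since a genuine namesake at a partner company will also trip the display-name rule.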


What Role Does IT Play in the Modern Company?


As technology expands to impact nearly every business process, from customer service to business strategy, the role of the IT department is expanding along with it. IT is no longer only responsible for setting up computer systems, maintaining the server, and running the help desk.

The IT team is the keeper of the treasure that data has become. With IT’s services, leadership teams can better understand their customers, predict changes in the market, understand how to streamline business processes for improved productivity, determine where inefficiencies are cutting into profits, and spot new opportunities for innovation and growth.

Thanks to developments in technology, IT has moved from a cost centre to a revenue generator. According to a 2016 survey by CIO, 84% of IT executives agree that their role is becoming more important to the company they serve. And it isn’t just large companies that benefit from the insights that IT can provide. Smaller companies who outsource their IT can take advantage of the same data intelligence that in-house executives offer enterprise-level companies.

If IT doesn’t yet have a seat at the decision-making table in your company, pull up a chair. IT can deliver value in myriad ways, but here are five of the most significant.

1. Smarter Decision-Making

Intelligent decisions are based on facts and data. In order to guide their companies well, leadership teams must have the research that the IT department can provide. CRMs can be mined, customer surveys can be sent and results analysed, and business intelligence data can be examined for insights. The IT department, whether internal or outsourced, can deliver the information that the decision-making team needs and provide recommendations.

2. More Effective Marketing

To communicate in a compelling way, you have to know your audience inside and out. As modern culture becomes more individualised, both business buyers and consumers expect companies to provide personalised experiences that align with their interests and needs. IT can create detailed customer profiles that allow companies to micro-segment and deliver custom messages to each. Without this data and technology, companies will waste a majority of the marketing budget on ineffective initiatives.

3. Better Customer Support

Personalised experiences don’t stop with marketing. Smart companies continue to provide individualised service throughout the customer life cycle. The IT department can help company leadership understand their customers’ changing preferences and predict behaviours so appropriate action can be taken to retain customers. IT can also improve customer communication via a multitude of channels, delighting customers and heading off potential problems before they begin.

4. Profit-Boosting Productivity

IT can create systems and provide tools that allow people and processes to work as efficiently as possible. Wasted time is converted to productive time, so more gets done faster. Inefficient processes can be simplified, reducing costs. The IT department can facilitate everything from document management to inventory tracking to problem solving, all with a positive impact on the bottom line.

5. Reliable Security

With advances in technology come risks. Hackers have an unprecedented number of ways to infiltrate servers, and ransomware looms as a threat to companies of all sizes. Businesses have always depended on the IT department for security, but the value of an IT department that can provide reliable security is higher now than ever before.

As companies depend more and more on technology to compete and to grow, IT’s role will only become more important. Rather than being viewed as the stereotypical socially-challenged, video-game-loving nerds who can fix computer issues, IT professionals are now being seen as the heroes who can lead the company to levels of success that were never before possible.

If you’re in the Brisbane area and would like to find out more about this or other IT topics, please don’t delay — Contact QCS Group, at 1300 858 723 or by sending us an email to: [email protected]

Does Your IT Have You Feeling Snowed Under?


Information Technology is a critical and often confusing part of your business operations – which is why great IT support makes all the difference.

As technology becomes more and more integral to the way businesses do business, making sure you have the right technology in place becomes more and more important. When you count on technology for everything that you do, you quickly find yourself with a complex infrastructure that can be tricky to manage successfully. Not only do you need to be sure you have the right technology solutions in place to suit the specific needs of your unique business, but you need to be able to keep that technology running smoothly around the clock.

That need to manage and maintain increasingly complicated Information Technology is the reason why businesses of all sizes are turning to outsourced IT support from a Managed Services Provider.

Managed Services Providers (MSPs) act as your business’ complete IT department, handling your entire IT infrastructure from top to bottom. Their team of highly trained and certified professionals is there to help by taking over day to day IT responsibilities from your staff, or stepping in to support your in-house IT personnel by adding specialised expertise to your existing setup.

The goal of managed IT services is to take the stress out of your business technology. You’ll always have someone to turn to with your IT questions, and a team of technicians will be there to fix any issues that crop up and actively work to keep disruptions and downtime to a minimum. Most importantly, unlike working with a break/fix IT contractor, you’ll be working with the same people each and every time you need assistance. An MSP takes the time to get to know your business and your staff, offering guidance and support we know will help you based on what your specific business needs.

An MSP gives you all the advantages of a fully-staffed in-house IT department at a fraction of the cost, with a range of services available for a low, predictable monthly fee. Not only do managed IT services take the guesswork out of your technology, but they also take the guesswork out of budgeting for your technology.

To learn more about what managed IT services from QCS Group have to offer your business, get in touch with us at [email protected] or 1300 858 723 today.

Cyber Security in a Cloud World


We speak with business owners every day about how to help make their team more productive, mitigate the risks in their business, and get more done. Recently we’ve noticed a dangerous trend: Business owners treat the ‘cloud’ and the security of the ‘cloud’ the same way that they treated their on-premises networks: In short, they don’t care.

They assume that ‘someone else is taking care of the security.’ This mindset is extremely dangerous. In the traditional model of on-premises IT infrastructure, it was the responsibility of IT to secure the perimeter of the network. Essentially, that involved installing a good firewall, only opening ports that were needed, purchasing good security software – rinse and repeat. With the cloud, this has all changed. While the security of your network is still important, in many cases the network is just the mechanism you use to get out to the cloud, where your data is now physically located.

The Shift

In the old world, we had to secure the perimeter so we could secure the data.

In the new world, we no longer have a perimeter, so how do we secure the data?

When working with businesses, we focus primarily on two areas of the business where we can have the most significant impact: employees and their identities.

Driving Employee Awareness

Almost all phishing and account security attacks happen as a result of user action: a user is tricked into giving away their credentials, clicks on a malicious link, or uses poor password hygiene. You can spend a ton of money on building fences around your information – but if you leave the front door open, you have wasted your money.

This all starts with regular user training and awareness. Test your employees’ ability to spot email-based attacks, like phishing. Share articles after significant breaches (like the recent Equifax breach) to make it real for your team members. Include examples of what to look for in phishing attacks in your regularly scheduled security training. Don’t forget about your new hires – make security awareness part of their on-boarding.

Protecting User Identity

Right behind driving user awareness is protecting user identity. Since so much of our information is stored in the cloud, protecting the user’s account (or identity) from being stolen is critical. Brute force attacks on user accounts (where hackers try to guess the password) are widespread. Or, in many cases, users will re-use the same password across all their accounts – making it easier for hackers to gain access to their accounts.

At the very least, you should deploy multi-factor authentication (MFA – sometimes called dual-factor authentication). MFA protects an account, even when the password is compromised. An MFA protected account requires the password AND a physical action (such as approval from a mobile device or a code from a text message) before the account can be accessed.

Want to see it in action? Watch this on-demand webinar about multi-factor authentication.

We also recommend deploying services that help flag and prevent risky account behavior. Azure Identity Protection Manager uses machine learning to flag risky account behavior (such as a login from an unusual location for that user). Azure Privileged Identity Manager goes a step further by putting restrictions on administrator accounts.

If you own a business or are responsible for a department of a company, please do not treat the security of your data stored in the cloud the same way you treated the security of your network. Data security can no longer be the responsibility of the IT team alone. While your IT team should no doubt be managing the tools and leading the charge, data security needs to be a team effort. Your business may depend on it.

