Some hackers use code to commit cybercrime; others use simple social engineering. Phishing attacks rely on hacking (psychologically manipulating) the user’s brain to gain access to sensitive information. Unfortunately, this has proved to be rather easy for hackers to do. In fact, 97% of people around the world are unable to identify a sophisticated phishing email, according to cybersecurity expert Estelle Derouet.
Not only are phishing attacks likely to be successful due to widespread user ignorance, but they are very easy for the cybercriminal to administer using automated Phishing-as-a-Service campaigns. This is why over half of all internet users get at least one phishing email a day.
Of course, there are enterprise-grade IT security services that companies use to stop the majority of these malicious emails entering users’ inboxes in the first place. But, no matter what companies do, a few will manage to find their way through. These are the more sophisticated phishing campaigns, and, therefore, you can bet that if they have got this far they are more likely to be successful.
Stop social engineering attacks in their tracks
Defence really is the best form of retaliation when it comes to suspicious email activity. There is not yet a helmet invented that you can pop on the user’s head to ward off social engineering attacks. But, luckily, a bit of user training can do the trick! Educating your employees on how to identify a suspicious email is the best protection against any scammer that gets through your security measures. Read the tips below in the infographic and list to remain vigilant.
8 tell-tale signs that an email is not safe
Still not sure if your brain is being hacked? Some scams are very clever and will leave you guessing. If you are not sure about the authenticity of an email, always take the precautionary step of contacting the company featured in the email. Large companies are very often aware of scams that are circulating and may have alerts on their website or social media accounts. By reporting a scam email to the company that has been misrepresented, you are helping them to raise awareness and reduce the damage done by such scams.
Are you looking for a company to take your IT support to the next level? Make sure to give us a call on 01 664 4190 or contact us for a chat about your IT challenges and needs. We are always happy to offer some sound advice on how you can best support your growing business.
1. Check the sender’s email address
Scammers usually try to mimic the email address of the company they are pretending to represent. The display email address in the user’s inbox will, therefore, contain a well-known company name or brand. While this tactic gives a whiff of authenticity to the email, it is not difficult to find out whether there is a fraudster behind what looks like a genuine sender.
By simply hovering your mouse over the display name, the real email address behind it will be displayed. Right-clicking on the sender name should reveal the same information. A bizarre email address behind what looks like a respected sender name is a sign that the email is suspicious.
2. Check links in the email (but do not click!)
Again, do not click on any links contained in a suspicious email! You can test links by opening a new window in your browser and typing in the company name. If the email purports to come from a big brand or company, open a new tab and search for the official website of that company. You can then compare the URL address to that which has been sent to you in the email.
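Signs 1 and 2 above are both domain comparisons, which is exactly the kind of check a mail gateway or helpdesk triage script can do mechanically. The following Python script is an added example, not code from the original post or from Spector: it parses a constructed sample message (the sender address, brand domain and links in it are invented), extracts the real address behind the display name, and flags every link whose visible text names a different domain from its actual `href`. The "registrable domain" helper is a deliberate simplification (last two labels, no public-suffix list) and the claimed brand domain is supplied by the caller.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phishing email). The display name
# claims a well-known brand but the real address sits on an unrelated domain,
# and the first link's visible text names one site while its href points elsewhere.
SAMPLE_EMAIL = """From: "Example Bank Support" <alerts@mail-updates.example.net>
To: user@example.com
Subject: Urgent: confirm your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear valued customer, please <a href="http://login.example-bank.verify.example.org/">
https://www.example-bank.com/login</a> within 24 hours.</p>
<p>Or visit <a href="https://www.example-bank.com/help">our help centre</a>.</p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def registrable_domain(host):
    """Last two DNS labels, e.g. 'login.a.example.org' -> 'example.org'.
    Assumption: no public-suffix handling (co.uk etc. would need a suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_sender(msg, claimed_brand_domain):
    """Sign 1: the real address behind the display name vs the brand it claims."""
    display, addr = parseaddr(str(msg["From"]))
    actual = registrable_domain(addr.split("@")[-1])
    return {"display_name": display, "address": addr,
            "mismatch": actual != registrable_domain(claimed_brand_domain)}


def check_links(msg):
    """Sign 2: flag links whose visible text names a domain other than the href's."""
    body = msg.get_body(preferencelist=("html",))
    parser = LinkExtractor()
    parser.feed(body.get_content() if body else "")
    findings = []
    for href, text in parser.links:
        href_dom = registrable_domain(urlparse(href).hostname or "")
        text_host = None
        # Only anchor text that looks like a URL or hostname can be compared.
        if " " not in text and "." in text:
            text_host = urlparse(text if "://" in text else "//" + text).hostname
        mismatch = bool(text_host) and registrable_domain(text_host) != href_dom
        findings.append({"href": href, "text": text, "mismatch": mismatch})
    return findings


def analyse(raw, claimed_brand_domain):
    """Run both checks and return a summary; 'suspicious' is True on any mismatch."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = check_sender(msg, claimed_brand_domain)
    links = check_links(msg)
    suspicious = sender["mismatch"] or any(l["mismatch"] for l in links)
    return {"sender": sender, "links": links, "suspicious": suspicious}


if __name__ == "__main__":
    result = analyse(SAMPLE_EMAIL, "example-bank.com")
    print("Sender:", result["sender"])
    for finding in result["links"]:
        print("Link:", finding)
    print("Suspicious:", result["suspicious"])
```

Running it on the sample prints a sender mismatch (the address is on example.net, not the claimed example-bank.com) and flags the first link, whose text reads as the bank's site while the href resolves to example.org; the second link, with plain-text anchor "our help centre", cannot be compared and is left alone. A real deployment would add a public-suffix list and also compare against the domains in the message's authentication headers.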
3. Are they seeking personal information?
Scammers posing as banks, lenders, or other legitimate businesses will often request personal information. Some email scams use information that they already have to make you believe that they just need you to “confirm” or validate the remaining details. Banks and legitimate businesses will never request personal information via email.
4. Are you made to feel under pressure?
Beware of instructions to log in to your account for an urgent message or update. Recipients are often threatened with account closure or service termination if they fail to click on the link and log in to their account. You can do a quick check by simply logging into your account in a separate window or contacting your service provider directly.
5. Put your detective hat on to find mistakes
Poor spelling and grammar are obvious signs that the email does not come from a legitimate source. But look out for less noticeable mistakes too. The UK consumer rights organisation Which? reported detecting an email scam because of a mistaken date. The email, sent in March 2017, contained details of a competition with a closing date of December 2016.
6. Consider the greeting
Do they know your name? Many email scams will address the recipient with impersonal language such as “Dear valued customer” instead of using a name. This one isn’t foolproof because some legitimate companies simply do not use personalised marketing, but it is still worthwhile adding to your checklist, just in case.
7. Unexpected attachments (do not open them!)
Attaching files that contain malware or viruses is a common phishing tactic. Clicking on these files can put your computer at risk and can enable a scammer to damage your files or steal your passwords. If you cannot tell what the attachment is, then do not open it.
If you really must open it, open it in Notepad to look at the data without it automatically running. Keep in mind, however, that there is still a small chance the file could be designed to exploit Notepad itself. In that case, a sandbox is your safest bet.
8. Does that logo look blurry to you?
Just like using a well-known brand name in the display email address, scammers will often insert a logo or brand name into the email header. Keeping a watchful eye on the appearance of logos contained in an email can pay off. A poor-quality or out-of-date logo is a sure sign of a fake email. Double-check by opening the last genuine email you received from the company.
IT infrastructure extends far beyond the office these days. Business-on-the-go once referred to the travelling salesman, checking in with the boss at the next pit stop from a payphone! Today, people can check in to the office from virtually anywhere. Remote working, working from home and digital nomads are all viable and common work practices made possible by unified communications, multi-device software and continuous improvements in consumer technology. Do you bring your mobile/laptop/tablet to work? Do you access work-related data and applications from your personal device? The BYOD (bring your own device) culture has gathered momentum, but businesses should be aware of the implications it can have for their IT security.
BYOD is not going anywhere
BYOD is a practice that is expected to continue to grow in popularity. The United States is leading the way, where 87% of companies rely on their employees using personal devices to access business apps. This is becoming less of a choice and more of a requirement. There are many reasons for the BYOD explosion:
BYOD is cost-effective
With annual licensing costs, software updates and maintenance costs, IT resources can be expensive. BYOD decreases the investment businesses make in IT. Not only is this good news for the business, but it is easy to put into effect because nearly everyone has a smartphone.
According to Deloitte:
“90% of Irish adults have a smartphone while the number of people with access to a tablet has increased from 64% to 71%. We are increasingly using our phones and tablets for purposes which we traditionally used PCs and laptops for including work.”
Benefit from better technology
Not only are Irish people already using their phones for work, they are also likely to look for a device upgrade 12 months after their initial purchase. It follows that consumer technology is often further developed than the typical company-wide IT infrastructure. Few Irish companies can keep their technology this up to date.
Benefit from productivity increases
There have been a number of studies conducted on this subject, with Cisco finding that on average employees save 81 minutes every week in productivity if they are using their own device. This is attributed to ease of use. People are familiar with their own device and do not need user training to navigate the interface. Not only does this feel more comfortable, but it offers people the potential for a better work/life balance.
BYOD offers flexibility
This leads us back to business-on-the-go. Employees and employers benefit from the flexibility of being able to work outside of the office. Take ‘the beast from the east’ as an example! People all over the country were forced to stay at home, many for at least three working days. BYOD and the ‘anywhere access’ it provides makes unpredictable occurrences such as this a non-issue.
“But what about our IT security?”
What happens if an employee loses their device or it is stolen? Are devices used for personal reasons more likely to encounter malware? These are justifiable concerns for any business.
The primary risks associated with BYOD are:
Data loss, by mistake or by theft
Data leakage if the device is not secure
Public exposure, especially in Wi-Fi zones
Malicious apps on the device
Cross-contamination of user data and corporate data
The general loss of control over sensitive data
The importance of IT security has become increasingly apparent since 2017, the year which reminded businesses all across the world that cyberattacks are a real and constant threat. So, where does BYOD fit into IT security? The answer is the combination of a strong mobile security solution and a clear BYOD policy.
Robust mobile security
It is essential to choose an enterprise-grade mobile security solution for your entire mobile infrastructure. Comprehensive end-to-end security ensures that there are no vulnerable links in your network and continuously scans traffic for unusual behaviour. While defending your devices from malicious attacks, a sophisticated mobile security solution will enforce your security policies across all devices and users.
Draw up a BYOD policy
BYOD should not be a free-for-all, although right now in many businesses it is. This is simply because of the enduring fact that culture struggles to keep up with technological developments. However, a simple and straightforward BYOD policy can get everyone quickly up to speed.
Set boundaries for user behaviour
In the policy, outline exactly what is an acceptable use of BYOD for your company. Assume your sensitive data will go everywhere: to the user’s home, on their commute to work, to cafes and restaurants, and probably even on holiday. It may be helpful to list the applications that are permitted during work hours, and others which are not.
Remember that personal devices are notorious for distracting users towards personal errands, so a clear statement of the company’s opinion on this kind of activity during work hours can be worthwhile. Alongside this should be the usual necessary references to appropriate behaviour in the workplace.
How will reimbursement work?
Does the company offer any kind of reimbursement towards the cost of the device? Typically the user’s device will need to store business applications which eat up storage and energy. Determine what exactly are the company requirements from the user’s device and from there decide the level of reimbursement necessary.
What technical support will you offer?
What devices does the company support? Who is responsible for technical issues? What problems are the IT team’s responsibility? These questions need clear answers to avoid confusion when an issue does arise.
Give good security advice
As with the company computers, it is a good idea to have a security guide for BYOD users. This section should include recommendations for setting and storing passwords, device security settings, application privileges and general mobile security awareness.
Setting boundaries and disclaimers
This section should define what happens if various unfortunate events should arise. Recommendations should be made about what course of action the user would take and what the company’s response would be. The company’s right to access data and wipe data from devices should be defined. Equally, the protection of users’ personal data should be guaranteed. Where liability falls for each eventuality should be stated and what rights the company reserves in worst-case scenarios.
With the right framework in place, both employers and employees can benefit from a BYOD practice. Setting boundaries and implementing security measures will ensure there are no inherent risks, leakage, or misunderstandings. Get in contact today to strengthen your IT security against cyberattacks and network security breaches!
Cloud-based storage systems and applications are now a huge part of how business operates. The shift towards using cloud computing has resulted in an increase in Software as a Service (SaaS) and Platform as a Service (PaaS) applications.
Using cloud software and applications alleviates the burden of updating services, managing downtime and staffing an in-house IT department. It’s also cost-effective, with many providers offering fixed-cost monthly subscriptions allowing you to pay only for what you use.
Balancing access and control
Getting the most out of SaaS/PaaS means striking a balance between providing users with enough access to do their job while at the same time protecting company data and resources. A robust identity management and access control policy will reduce security risks, increase efficiency and ensure compliance with regulations that govern the privacy of personal data.
Creating and managing users involves deciding who can access what and how. Individual users can be assigned Single Sign-On (SSO) capabilities and often need to access company resources across a range of platforms and applications on-site and remotely. Advanced security measures that require more than a single-step sign-in are also available. Multi-factor authentication (MFA) provides an extra layer of safety. For example, in addition to the traditional username and password, users may need to enter a code received by text, or use a smart card or fingerprint.
Identity Providers (IdPs)
Directory services or identity providers can create, maintain and manage identity information. Microsoft Active Directory is an IdP developed for Windows domain networks. Active Directory is an umbrella title for a broad range of directory-based identity-related services. In many cases, user information is sourced from different repositories. Identity providers must not only manage identities in different systems but also be able to synchronise information and provide a single source of truth when required.
Putting together your company’s Identity management strategy
With so many services, applications and platforms and so much security at stake, the composition of an efficient identity management policy can appear daunting. The process can, however, be simplified by considering four basic factors.
1. What do you need to protect?
List the assets you need to protect when implementing your identity management and access control system. Databases, customer and employee information, company statistics, software, transaction information: these are precious commodities. The purpose of identity management and access control is to confer maximum access to these assets on those who need it, at minimum risk.
2. Assess the risk
Now that you know what you have, classify all your assets according to their value. The value of an information asset pertains to how damaging it would be to have that data or application altered or accessed by a non-authorised person. For example, identity theft is a serious and common crime.
Databases containing customer and employee information might, therefore, be considered high risk. For assets such as these, you might consider investing in a multi-factor authentication (MFA) service.
Assessing the risk of each asset will provide a foundation for deciding how protected each one should be, who should access it and how.
3. Choose your management system
Your choice of management system will depend on what systems you are currently using. Microsoft Active Directory is a popular management system for those operating with Windows. If you use an OS such as Unix or Linux, a directory service based on the Lightweight Directory Access Protocol (LDAP) might be the option for you.
No matter what computer infrastructure your business is using, there is a compatible access management programme available with options for even the most diverse platforms.
Having assessed your company’s data and assets and chosen your management system, it’s now time to implement your identity management and access control strategy. Users should be aligned with an appropriate level of access that affords convenience and security.
Depending on staff numbers and distribution, you may decide to allow remote access to certain applications. If there are multiple applications with different user ID and password systems, an enterprise-wide single sign-on (SSO) system would be advantageous. SSO products range from Imprivata (used by medium-sized companies) to IBM’s Tivoli (for larger companies).
Once established, your identity management system should provide the flexibility to modify the access levels of its users. Rights of access can be conferred in blocks by establishing groups with specific privileges reflecting job function or staff locations. Other employees will need customised access. Request and approval procedures for modifying privileges should be built into your access management programme.
The keys to the castle
Identity management technologies represent the keys to your castle; they allow you to protect your business, manage user identities and access permissions in an automated fashion. A clear and universally upheld identity management policy will allow your company to extract the very best of what these digital keys have to offer.
If you’d like to discuss ways to better manage identities and access in your company, talk to Spector about the different ways we can help.
Can you remember what it was like to not have a mobile phone? Although we may harbour some gripes about our increasing dependence on technology, it is difficult to imagine leaving the house without this object of security and resourcefulness in our pocket. Sure, we might take the odd Sunday OTG (that’s off-the-grid, to you and me), but for the majority of us, the advantages modern technology brings to our daily lives are simply overwhelming.
This is our personal experience of technology, but what about in the competitive realm that is business? Obviously, technology provides advantages here too, but, more than that, it is utterly crucial for growth as well as basic survival.
Survival of the fittest, aka the most innovative, efficient, knowledgeable…
Don’t get us wrong; the successful modern workplace still relies on people. In fact, it is fuelled by knowledgeable individuals using their time effectively on tasks that produce real results for the growing business. This sounds fairly obvious and straightforward, that is until you break it down.
What defines a knowledgeable worker? Are the majority of daily tasks directly affecting the business’s goals? Or is a lot of time spent on menial tasks that must be done to get to the “real” work? If this is so, how can people be truly effective? And how can a business grow when the brains it relies on are wasted in this vicious cycle?
Today’s business technology can provide answers to each of these concerns. How? By gathering and relaying knowledge in the form of real-time data to inform daily decision-making and by automating tedious office housework to free up employees for the high-value tasks. This is what makes growth possible. That is why we have made up a quick list of some of the most noteworthy productivity tools on the market that will help you take your business to the next level!
4 productivity tools for the growing SME
Trello – project management
How do you currently track your projects? Valuable information and time are often lost in emails and quick conversation by the water fountain. Trello is a project management tool that keeps everything in the one place. It uses the Kanban system, developed by Toyota for lean processes and just-in-time manufacturing. With Trello, each project has its own Board and the tasks to complete the project are organised by Cards, which can be edited in real-time and moved across the board until the project reaches its completion. The interface resembles sticky notes on a whiteboard, keeping it simple for everyone to use while remaining productive. Your whole team can get involved, adding comments, images, files, checklists, and deadlines to tasks during the entire process. Project management tools, such as Trello, allow for real-time collaboration. Everyone on the team is kept up to date with what is going on, and momentum is maintained by the drag-and-drop function, assigned accountability and explicit deadlines. The particularly great thing about Trello is that it is free and available on all devices.
Slack – unified communication
The power of unified communication cannot be underestimated because, after all, effective communication is the bedrock of good business. Yes, we all have email accounts, but emails have their own specific (somewhat stuffy) culture. The user-friendly interface of instant messaging apps such as Slack results in more streamlined conversations.
In Slack, communication is succinct and actionable because of the instant aspect. This faster response time leaves email in the dust. Of course, email is still necessary for external communications, but, for your teams, Slack can greatly increase efficiency as the crux of important decisions is unearthed faster. However, Slack offers more than just texting for business. It allows for presence management by showing who is available online in real time, supports file and image sharing, and organises multiple conversations over numerous streams.
Due – invoicing software
Cloud technology is empowering the smallest of businesses to push their production capacity further than ever before. Due is invoicing software that takes the hassle out of chasing payments. Here all your invoices are organised by the stage they are currently at: Sent, Received, Saved or Paid. Invoices can be set to send recurrently, and you can even automate late payment reminders!
With notifications to remind you what payments are due and billing timers to keep the cash flowing, this is an accounting solution that not only simplifies the nuts and bolts of the invoicing process but it also helpfully communicates with the user and their clients directly. Due is free for up to three invoices a year. After that the most expensive plan is only $49 a year.
IFTTT – app integration
Can’t find an automation tool that does what you need? Why not make your own “recipe” of automated actions with IFTTT? IFTTT stands for “if this then that”, and this cloud service offers a library of simple automated processes, or Applets, to make your workday easier. If you still can’t find one that answers your specific needs, you also have the opportunity to make your own. Do you need every email attachment to be automatically downloaded as a PDF into a certain folder? Or do you want every new email contact to be listed in an Excel document? There are Applets on IFTTT to ease the pain of all kinds of tedious tasks, and the great thing is this service easily integrates with hundreds of third-party tools. But more importantly, is it free? Yes, it is!
If you are not the techy type, the word “automation” can sound complex and alien, but we hope we’ve shown you that with some simple and very inexpensive tools your SME can flourish while competing in the modern digital landscape.
Are you ready to take your SME to the next level? Make sure to give us a call on 01 664 4190 or contact us for a chat about your current IT infrastructure. We are always happy to offer some sound advice on how you can grow your business with productivity tools.
With GDPR just around the corner, it’s clear that implementing robust security policies will be essential for every business. Cybersecurity is an ongoing concern for companies everywhere, from SMEs to large multinational corporations. Ensuring your IT environment is secure is important not only for the protection of your own sensitive data but also because of the potential impact on clients and suppliers.
I was pleased to be able to get an insider’s perspective on what the future of cybersecurity will look like when I interviewed the CEO of Certification Europe, Michael Brophy. He has a longstanding career in all matters of international standards and compliance and is considered a leading expert on standardisation in Ireland. Michael has served as an authority on data security for numerous EU Commission committees and was closely involved in the development of electronic signature standardisation.
During our chat, we discussed Cyber Essentials and ISO/IEC 27000, “self-assessment” certificates, the impact such certifications have on GDPR compliance and what the future of Certification Europe will look like.
Mark Hurley and Michael Brophy
Mark Hurley: Hi Michael. Welcome to Spector! We cross paths once again. Many thanks for your help with the set-up of our ISO/IEC 27001 certification. Today we have a few questions for you around cybersecurity…
When we look at Cyber Essentials, for example, we approach it from a security policies foundation. The policies and evidence we gather around these policies are what we submit, with the guidance of your team, to Cyber Essentials for our SME clients. But cybersecurity is a continuous event, rather than a single event. I’m wondering, how do you see this approach changing in the future?
That’s right, Cyber Essentials and ISO/IEC 27001 approach cybersecurity as a journey, not a destination. It’s the start of the process, which has to be maintained. But at least now we have a reference point. For 27001, Cyber Essentials provides a marker. It is a grid reference point.
If you are a hard-pressed managing director and you have no internal IT support, the worry is knowing just how exposed you are. How do you determine how good your security is? This is why it’s good to have the likes of Cyber Essentials for peace of mind. They can tell you whether you are doing it right or not; if you’re not, at least you’ll have the resources at hand to quickly get on top of it.
MH: How do people come to you? Do they get in contact directly looking for training or management in cybersecurity, or do they come through managed IT service providers such as Spector?
There are two main ways.
We deal with about a thousand organisations around the world, most of which are SMEs in Ireland. Often, they will have encountered other standards to which they have had to adhere, such as quality or environmental standards, so they are already members of our client base.
The second route to us is very much via companies such as Spector. They are questioning what they should be doing and are now looking for a reference point to anchor this process. Cyber Essentials seems to be the main reference point for SMEs in Ireland.
MH: When we began looking at Cyber Essentials, in particular in the UK, we saw it as a crest that displayed our cybersecurity standards as certified by Europe. When we applied for the certificate, it was a stringent process, but now there is the option of the ‘self-assessment’, which would seem to devalue it. Would you agree with this?
I agree. In general, the idea of self-certification or self-approval is always somewhat lacking. It will always be open to question because it essentially comes down to the company stating ‘We are great!’ Well, who says so? ‘We do!’ That will always be contentious.
Whereas, in the case of an independent assessment, people tend to feel a lot more certain that the security standards are up to scratch.
MH: Regarding the gap between a Cyber Essentials certification and moving up the ranks to ISO/IEC 27001, is this about the size of the company, or something else?
Certainly, ISO/IEC 27001 is a step up. The reason some companies start at this level of certification and others work up from Cyber Essentials might be because of size. Particularly if you’re a large company in the tech sector or financial sector, you would be looking at going straight for ISO/IEC 27001.
Also, it has to do with the type of customers you deal with. Major drivers are customer expectation and supplier-side pressure. It could be that the companies you work with simply expect you to have ISO/IEC 27001. In certain sectors, it is virtually mandatory, especially for data centre hosting, online hosting or cloud-based services.
On the other hand, SMEs that are simply wondering if their security is up to standard and whether they are leaving themselves exposed, tend to go for Cyber Essentials.
MH: We’ve found that the ISO/IEC 27000 series seems to go a very long way when it comes to GDPR compliance. Do you find people are taking this route because of GDPR?
I think you’re spot on. We find that clients who have had ISO/IEC 27000 (especially for a few years, as they are quite mature systems) not only experience a cultural change within the company, but it also provides a framework that can be used for things other than IT security.
For these companies, GDPR is a natural progression as there are a lot of areas they will already be able to tick the box for. Of course, some elements are very specific to GDPR and will still need attention, but our ISO/IEC 27000 clients say that they have 75%-80% of the compliance already done, so they are just making up that 20% difference to be assured they have met the requirements.
MH: Is Certification Europe providing any services to fill that gap?
That’s a good question and very pertinent at the moment. It’s a case of watch this space! Once GDPR comes into effect in May, one of the first things we can expect is that the EU will make a pronouncement on what certification schemes are recognised. I think it is unlikely they will say that any sort of certification is compliant. But what we have seen in other fields is that certification will be given due recognition, particularly from a risk point of view.
One could assume that when the Data Protection Commissioner or the Information Commissioner’s Office are looking at organisations to possibly audit, and assessing risk profiles they need to regulate, companies that have voluntarily sought certification will be further down their lists.
MH: How much interest is there about GDPR from your current client base?
At the moment, the clamour is getting louder and louder! What’s interesting is that there are already moves for potential certification schemes. There is a standalone management system, called ISO 10012, which is especially for data privacy. It is a standalone standard, so you can go for it without previous certifications.
Another interesting development is a current working document called 27225, which is a bolt-on to the 27000 world series. It’s still in draft format but is specifically about managing the privacy of information. For a company that already has 27001, rather than going for another certification which sits in isolation, this will allow you to build on to 27001 and bring in data privacy requirements – in line with GDPR. It will be an integrated management system. I’d say a lot of 27001 clients will be keen to look at this in the future.
MH: My final question is, what does the future look like for Certification Europe?
In a general sense, I think independent verification is going as a business. Information security continues to grow in importance. In many sectors, it is now mandatory. Clients are aware that this is a crucial question to ask of providers and vendors, and they know to question the standards that are in place. That’s why certifications such as ISO/IEC 27000 matter and will continue to grow.
There are three areas that we are focusing on. They may be two, three, four years down the line, but sectors such as artificial intelligence, blockchain technology (it will be very interesting when it moves out of the financial services sector) and the fintech sector are developing rapidly. They haven’t reached our purview yet, but soon enough there will be new discussions to be had around acceptable standards and certifications. It’s something we are already preparing for and will be a fascinating area of development.
MH: Fascinating stuff! Thanks very much for your time, Michael. We look forward to working with you into the future.
[Featured image shows (l-r) Aaron Nolan and Mark Hurley of Spector, with Michael Brophy, CEO of Certification Europe]