How Simulated Phishing Campaigns Can Save Your Business from Losing Money

As you are reading this article, there is a high probability that your organization is being targeted by a phishing attack.

According to Verizon’s Data Breach report, 90% of security incidents and data breaches involved phishing activity, making phishing the most frequent type of attack used by cyber criminals. As recently as October 2019, the FBI published a report stating that Business Email Compromise attacks accounted for $26 billion in losses globally over a three-year period. In the report, the FBI suggests that “Employees should be educated about and alert to this scheme. Training should include preventative strategies and reactive measures in case they are victimized.”

Cyber criminals use phishing because, unlike other attacks that target technology, phishing attacks exploit human error.

What is phishing?

The United States Computer Emergency Readiness Team (US-CERT) defines phishing as a form of social engineering that uses email or malicious websites (among other channels) to solicit personal information from an individual or company by posing as a trustworthy organization or entity. Phishing often directs users to enter details on a fake website that looks and feels almost identical to the legitimate site.

Why are Phishing awareness and simulated attacks so important?

Cyber security is no longer purely about leveraging “best-in-class” technology; instead, it’s about building a culture that takes cyber security seriously. Because of the nature of phishing, it is impossible to stop phishing attempts by using purely technical solutions. Your employees are the last line of defense against cyber threats like phishing attacks. That is why it is extremely important to train your team to identify and report malicious emails and so prevent a data breach or loss of money.

Lack of employee training on cyber security is the main reason these attacks are so successful. However, the good news is that simulated phishing campaigns can reduce their success rates.

As Dwight D. Eisenhower once said, “In preparing for battle I have always found the plans are useless, but planning is indispensable”. To his point, because attacks are unexpected, and plans can be outdated or not applicable, the best way to get ready for an emergency is by continuously preparing. For example, the military isn’t just responsible for planning but also for continuously training troops so that, in the case of an emergency, it will be best prepared to respond effectively.

Similarly, running simulated Phishing campaigns will allow you to measure your organization’s cyber security awareness and then respond appropriately by developing effective training campaigns. Strategic training is imperative to give your employees the knowledge and the ability to spot and report Phishing attacks in order to protect your company from a data breach and financial loss. 

What can you expect from a simulated Phishing campaign?

There are a number of benefits that you gain from running simulated phishing campaigns. Below is a shortlist of the most important benefits to your organization:

1. Give your employees the experience of a real-life phishing attack before one happens.

With simulated phishing campaigns, your employees will get firsthand exposure to sample phishing emails. This will help them get familiar with the look and feel of such attacks. Campaigns can also be created to emulate familiar experiences. For example, if your company uses G-Suite, you can choose a phishing campaign that looks like an official email from Google asking users to log in to their G-Suite. These types of campaigns are harder to spot, but after the training your employees will be better prepared to identify real-life phishing attacks.

2. Gain insights into your company’s security awareness maturity.

Knowledge is power! With real-time reporting, you can measure your company’s security awareness by tracking how many emails were opened, how many users selected a link, and whether these emails were reported. This data is imperative to understand your current level of security awareness throughout your organization and help to plan for future campaigns and training.

3. Identify and remediate the highest risks.

Leveraging the insights from the reports, you can identify individuals or department groups that require additional training. Once your highest risks are identified, you can then provide the specific tools and training that they require to keep your company safe from cyber-attacks.

4. Create and streamline security training based on campaign results.

Based on the results of your campaigns, you can streamline training by automatically delivering targeted training to maximize efficiency. As your employees’ security awareness grows, you can ramp up and run more sophisticated campaigns that are harder to identify. You can also choose campaigns that mimic some of the most familiar names, such as Google, Apple, and Yahoo.

5. Keep your employees up to date with the constant changes in the cyber threat landscape.

With weekly bite-size 2-minute videos and a short monthly newsletter, your employees will be kept up to date with the latest threats and tricks to identify cyber threats.

6. Keep up with the latest regulations.

Organizations that fall under specific regulations such as HIPAA, SOX, PCI and GDPR might be required to provide employees with cyber security awareness training.
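
The measurements described in benefits 2 and 3 above (emails opened, links selected, emails reported, and the departments or individuals that need more training) can be computed from a campaign's event log. The following Python is an added example, not part of the original article or of any vendor's tool; the event layout, recipient names, and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample events from one simulated campaign (not real data).
# Tuple layout is an assumption: (recipient, department, event).
EVENTS = [
    ("ana", "finance", "sent"), ("ana", "finance", "opened"),
    ("ana", "finance", "clicked"),
    ("ben", "finance", "sent"), ("ben", "finance", "clicked"),  # no open logged
    ("ben", "finance", "clicked"),                              # duplicate click
    ("cara", "finance", "sent"), ("cara", "finance", "opened"),
    ("cara", "finance", "reported"),
    ("dev", "finance", "sent"),
    ("eli", "it", "sent"), ("eli", "it", "opened"), ("eli", "it", "reported"),
    ("fay", "it", "sent"), ("fay", "it", "reported"),
    ("gus", "it", "sent"), ("gus", "it", "opened"), ("gus", "it", "clicked"),
    ("gus", "it", "reported"),
    ("hana", "it", "sent"),
]

CLICK_RATE_LIMIT = 0.30   # assumed threshold: flag a department above this
REPORT_RATE_FLOOR = 0.50  # assumed threshold: flag a department below this


def summarize(events):
    """Aggregate per-department rates, counting each recipient once per event type."""
    users = defaultdict(lambda: defaultdict(set))
    for user, dept, event in events:
        users[dept][event].add(user)  # sets absorb repeated opens and clicks
        if event == "clicked":
            # A click implies the mail was opened, even when image blocking
            # in the mail client suppressed the open-tracking pixel.
            users[dept]["opened"].add(user)

    summary = {}
    for dept, ev in users.items():
        sent = len(ev["sent"])
        if sent == 0:
            continue  # events without a delivery record cannot yield a rate
        click_rate = len(ev["clicked"]) / sent
        report_rate = len(ev["reported"]) / sent
        summary[dept] = {
            "sent": sent,
            "open_rate": len(ev["opened"]) / sent,
            "click_rate": click_rate,
            "report_rate": report_rate,
            # Clicked and never reported: first candidates for follow-up training.
            "follow_up": sorted(ev["clicked"] - ev["reported"]),
            "needs_training": (click_rate > CLICK_RATE_LIMIT
                               or report_rate < REPORT_RATE_FLOOR),
        }
    return summary


if __name__ == "__main__":
    for dept, row in sorted(summarize(EVENTS).items()):
        print(dept, row)
```

Tracking the report rate alongside the click rate matters because a recipient who clicks and then reports the message still gives the security team the early warning it needs.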

People-focused security awareness training is the solution to human risk. Make sure your team is cyber security aware. If you are looking for help with your security awareness program, reach out to Imagis; we would love to hear from you.

4 Reasons That Increasing Your Cybersecurity Can Help You

Cybersecurity – it isn’t just a buzzword. It’s a necessity. If you’re running a business in today’s digital-reliant world, cybersecurity should be one of your top priorities.

Unfortunately, some business owners and managers don’t invest the funds needed to protect their data from increasingly sophisticated threats. Why? Because, to them at least, cybersecurity isn’t a profit driver. On a surface level, it doesn’t promote growth, save time, or increase efficiencies.

We’re out to put an end to that type of thinking. A staggering 58 percent of cyberattacks target small businesses. And, the number of attacks launched by malicious threat actors has increased by 15 percent each year since 2013.

It’s not a matter of if. It’s a matter of when.

The good news is, upgrading your cybersecurity efforts can help you in more ways than you might think. In addition to preventing breaches, enhanced network security will benefit your operations across the board. Let’s discuss four specifics.

1. Improved cybersecurity can save you money

Budget is always a leading concern. Guess how much the average cyberattack costs to rectify? $500,000? Higher. $1 million? Even higher. The average cost of a cyberattack is now over $1.6 million. That’s a pretty penny, alright.

Could your small business afford that kind of sum? If you’re anything like the rest of us, the answer is probably no.

Implementing the correct cyber defenses can prevent costly attacks, saving you money – and potentially preventing your company from closing its doors for good.

2. Proper cybersecurity efforts safeguard your reputation

This benefit operates two-fold.

First, if your business experiences a successful breach, you will have the processes in place to act fast and eliminate the attack before it causes too much damage. From your customer’s perspective, your business has demonstrated its commitment to protecting business and client data. That’s a good look – one that’s sure to garner long-term loyalty.

Even if an attack doesn’t occur, your security measures will help you earn the trust of customers and prospects. They’ll feel more comfortable handing over their private information to your company, which means more sales, more profit, more growth.

3. Cybersecurity best practices give you access to superior features

Most businesses rely on software of some kind – whether that’s cloud-based or otherwise. Keeping this software up-to-date is one of the most critical security best practices you can follow. Updates contain vital security patches that quite literally ‘patch up’ new or undetected vulnerabilities.

Even better, when you continually keep your software updated, you and your team will benefit from the new features, functionalities, and performance improvements included. It’s a win-win.

A great example of this is the end of support date for Windows 7. Updating your devices to Windows 10 won’t just give you access to the latest features, but it will also ensure your information is protected.

4. Cybersecurity gives your business a competitive edge

Finally, investing in cybersecurity gives your business a competitive edge. You’ll be able to offer greater customer protection and enhanced functionalities.

What’s more, any profits you make can be confidently allocated to expanding your reach and growing your operations. Your hard-earned dollars won’t end up in the hands of a cybercriminal.

What the End of Windows 7 Support Means for Your Business

In March 2019, Microsoft determined that it would be ending support for its incredibly popular operating system, Windows 7. Users were given just under a year to upgrade to the company’s most recent OS update, Windows 10. But while the company expressed the urgency of upgrading, it didn’t offer a lot of direction about what to do next. With 35% of Windows users still utilizing Windows 7 in March, knowing the next steps for your business will be crucial.

What if I don’t upgrade?  

This is a complicated question. Support ends on January 14, 2020, but that doesn’t mean that your computer will just stop working at midnight. Instead, Microsoft will stop offering support and patches for your computer. For a few days or weeks, that’s unlikely to be a problem. But with constantly evolving security threats, your operating system will become gradually more vulnerable to cyberthreats, and that can put your whole business at risk.  

What are my upgrade options?  

There are three basic options you can take when Windows 7 support ends in 2020.  

First, you can choose to upgrade your physical devices – computers, tablets, etc – to devices running Windows 10. This may be the simplest method of moving forward, since you’ll simply open your device and be ready to go. A recent development called Windows 10 Auto Pilot means that you can have a “zero touch interaction.” IT administrators assign devices to users in advance, and they have almost no role to play after that. If you have a large number of older devices that needed upgrades anyway, this may be the best route for you.  

Second, you can choose to upgrade the operating system on your current Windows machines to Windows 10. Upgrading licenses has traditionally been expensive; for some companies, that cost may have been why they stayed with Windows 7 for so long. But if you have a subscription to Office 365, that will give you a license to upgrade from Windows 7 Pro or Enterprise to Windows 10. If you have up to date machines and just need the OS upgrade, or if you already use Office 365, this is a great option.  

Third, if you really need to keep Windows 7 due to legacy systems or other business needs, you can choose to purchase Extended Service Updates. But don’t expect ESU to continue to roll out new services or keep your OS functional with the newest programs; Microsoft describes ESU as strictly a last-resort option. Patches to avoid the worst of the security bugs out there will be rolled out periodically, but that’s all you’ll get – and you’ll pay a hefty fee for this.

Get ready for the cloud  

For some companies, this may be the push they need to start migrating programs to the cloud.  If you have legacy applications that need Windows 7 to run and do not have versions available for Windows 10, then using Microsoft’s Azure Virtual Desktop may give you the best of both worlds. This cloud-based system runs Windows 7 and 10 programs in a safe, virtual environment. You also get free ESU for your Windows 7 system, giving you more time to navigate a total transition to an up to date operating system.  

Another option is Microsoft’s App Assure, which helps migrate applications from Windows 7 into Windows 10 and Office 365 ProPlus. If app compatibility has been a sticking point for your organization, this is another viable alternative.  And of course, if you’re not sure how to move forward, Imagis is here to help. We’ve been helping clients navigate the Windows 7 to 10 transition all year, and we have solutions ready for any client situation.

10 ways to be more secure when traveling

Business traveling is a mixed bag. While it can certainly be productive, more often than not it’s also a pain. And when you add cybersecurity considerations into the mix, it can get downright stressful.

We work with quite a few companies with remote workforces. Additionally, as IT business consultants, we have regular contact with frequent business travelers on a daily basis. As a result, we’re well-versed in some of the dos and don’ts of secure business travel.

What follows are our top 10 tips for keeping your data safe while you’re out of town.

Traveling tips for data security

Before we get to the tips, a word of warning. Some of these are going to seem extreme. If you’ve never given much thought to cybersecurity when you’re not connected to a known network, our tips might even seem paranoid.

That’s because we only care about one thing—keeping your data safe. If you’re serious about guarding your data on the road, this is how you do it.

1. Stay away from mobile hotspots

Public Wi-Fi is dangerous, pure and simple. In fact, a recent article in CSO stated, “Today’s Wi-Fi standards are flawed and should not be trusted.”

The article went on to explain exactly why public Wi-Fi should be avoided at all costs. “One of the biggest threats with free Wi-Fi is the ability for hackers to position themselves between you and the connection point.” That includes data you might think is encrypted.

2. Use a VPN to encrypt data traffic

A VPN is like your own personal secure connection. With one, your mobile devices are linked directly to a private server and all the data exchanged between the two is encrypted. That, of course, adds a significant layer of security.

However, be sure you pick a VPN service you trust. The VPN service provider can see your traffic, so steer clear of questionable free providers.

3. Encrypt your mobile devices in case they’re lost or stolen

If your phone or laptop provides you with the option to encrypt all local data, do it. That way, even if you lose your phone or your laptop is stolen, all your information is safe and sound.

And if you’re wondering just how strong consumer encryption options are, even the FBI has a very hard time bypassing this form of protection.

4. Use privacy screens to avoid shoulder surfing in public spaces

Privacy screen protectors make it difficult for anyone but the person holding a smartphone or sitting directly in front of a laptop to read what’s on the screen. This added layer of security means you don’t have to worry about anyone else seeing your private information, even accidentally.

If your work includes particularly sensitive information, like medical records or other data protected by strict regulatory laws, this is a must-have precaution.

5. Use a wall plug charger instead of public USB ports

Public USB ports are just as dangerous as public Wi-Fi networks—which, when you think about it, makes sense. After all, you’re connecting your device to a public network, even if your only goal is to charge your phone.

Instead of using a public USB port, opt for a standard wall outlet for charging.

6. Don’t share that you’re traveling on social media

It’s perfectly fine to share that you were on a trip once you’re back in town. But it’s ill-advised to post that you’re out of town while still traveling. (That’s true for business trips and vacations alike.)

Why? Because you’re advertising that your home, office, car, and local business network are all unwatched for a while. That’s like an invitation for thieves.

7. Disable Bluetooth connectivity

The great thing about Bluetooth is how quickly and easily it connects our devices. Unfortunately, that’s what makes it unsafe, too.

Cybercriminals can use an open Bluetooth connection to gain access to your device, especially in crowded areas like airports. Turn it off while you’re on the road.

8. Set up multi-factor authentication for your online accounts

Multi-factor authentication (MFA) is a simple, secure way to ensure a user is actually authorized to access an account when a new login is attempted. Even if you have the password, you typically have to enter an additional code delivered via text message or email.

While a lot of services offer multi-factor authentication, the trick is that you have to set it up. It’s absolutely worth the minor hassle.

9. Consider using encrypted text messaging

Encrypted chat apps like Signal and WhatsApp give you the ability to send and receive text messages as effortlessly as the default app on your phone with one added benefit—the data is entirely encrypted.

However, while WhatsApp is the best known encrypted chatting app, it’s also owned by Facebook, and that brings with it a whole new set of privacy and security concerns. That’s why we recommend Signal.

10. Update the software on your laptop and phone

Time and again, headline-making data breaches uncover the same annoying truth. Updating your software really does keep you safe.

Update your apps. Apply software patches. Don’t fall victim to a security breach simply because you weren’t up-to-date.

Shadow IT and the impact it can have on your business

Shadow IT is a term used to describe hardware, software, or cloud services used within your business that your IT department is not aware of. It could be a tablet brought from home that an employee is using to access work files, or it could be a personal Dropbox account your HR director set up to enable mobile access to files.

Shadow IT has some legitimate security concerns. But you needn’t stop your entire operation to ferret out any shadow IT your employees have adopted. Instead, you should use it as an opportunity to grow strategically. Start by asking a critical question: why are your employees turning to non-sanctioned IT tools in the first place?

When you use the experience to broaden your understanding of the challenges your people face, an encounter with shadow IT can actually provide some surprising and unexpected benefits.

Here are some of the ways shadow IT can impact your business.

Security risks from shadow IT

Hopefully, you already have a good cybersecurity plan in place, but you can’t protect something you don’t even know exists. Anytime unauthorized hardware or software is connected to your network, there are security risks that come along with it.

For example, hardware or software that is not properly updated with the most recent security patches could create an access point for viruses and other forms of malware to enter your network.

If you’re in an industry governed by compliance regulations and restrictions, shadow IT could lead to compliance risks or violations without you even realizing it. Worse yet, it could lead to sanctions, fines, and loss of reputation.

What to do about shadow IT

The most important thing you need to do is to understand what shadow IT is and how to identify it. Consider working with a managed IT service provider to help you monitor your network. They can also provide network and risk assessments to help uncover issues that may not be readily apparent.

You should also make sure your employees understand the risks associated with shadow IT. There’s a good chance that the employee working on a tablet they brought from home doesn’t realize that the unsecured device could open up your network to cyber threats. Maybe they were just trying to find a way to get work done from locations other than their desk, like the conference room or break room.

With the right training, your employees can be your first line of defense in protecting your network.

Consider implementing a Bring Your Own Device (BYOD) policy, so your employees will be crystal clear on what is and is not allowed. Having a BYOD policy in place can also make sure everyone knows how to keep authorized personal devices updated and secure.

And don’t forget to include security awareness training. When your staff understands what it takes to protect company and customer data, they can be a powerful line of defense against a data breach. But first, they have to be equipped with the right knowledge.

Learning from shadow IT

It’s also important to recognize that not all shadow IT is bad. In a lot of cases, this form of technology exists because your employees are searching for ways to work better and more efficiently.

That Dropbox account your HR director has been using to enable mobile access to files could demonstrate a need for cloud services you didn’t realize was there. Now that you know, you can find more secure and compliant ways to provide the same capability.

Shadow IT can provide great insight into end-user needs and preferences—provided you also understand the risks. You should absolutely stop shadow IT, but you should do so while also taking the time to understand the tools and solutions your employees actually need.

Final thoughts

Think of shadow IT as a gauge. If your staff is using shadow IT, it means they need a resource you’re not yet providing. So while it does present risks, it can also present you with an opportunity to improve workflows and streamline your business procedures, all while clearly communicating to your employees that you care about their on-the-job experience.

The key to dealing with shadow IT is to understand what it is and take proactive steps to identify it in your workplace. Contact your managed IT services provider to help secure your network today.