What We Can Learn from the Fortinet SharePoint Incident

Fortinet confirmed earlier this week that a threat actor had gained access to an online file repository Fortinet had set up in Microsoft’s cloud, and that the threat actor stole 440GB of data from that repository. It’s still early in the investigation, so there are a lot of details that are still unknown, such as how the data was accessed and whether an employee account was compromised. However, there are still some lessons in this story.

Fortinet is a large cybersecurity organization with a large cybersecurity budget, so how does this apply to small businesses? It’s all about Microsoft’s cloud. Fortinet uses the same Microsoft system that small businesses use. Users might know it as Microsoft 365 or SharePoint or OneDrive or “the cloud” or “the share”, but the bottom line is small businesses pay Microsoft to host files pretty much the same way Fortinet does. Microsoft spends hundreds of millions of dollars each year to secure their cloud so that it is available for those small businesses to use. But that security does not extend to the data that businesses store there (it’s called out in their terms of use!). It’s up to those businesses to make sure that the data is only accessible to their employees and/or the people they want to share it with.

So how does a small business make sure that data in Microsoft’s cloud is secure? These are just a few of the many ways that companies can configure their Microsoft cloud to make it more secure:

  • secure employee credentials (which are used to access the data) with multi-factor authentication
  • only allow the data to be accessed from company devices
  • do not allow the data to be accessed outside the US
  • limit how data can be shared with people outside the company
  • limit how long data is retained
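As an added example (not code from the original post, and not Fortinet's or Microsoft's own), here is how the first three settings in that list translate into Microsoft Entra Conditional Access policies, written in the JSON shape the Microsoft Graph conditionalAccessPolicy resource uses, together with a small audit that reports which of those settings a set of policies actually enforces. The two GUIDs are placeholders for a "United States only" named location and an emergency-access account that would be created in Entra first; submitting the policies to Graph is out of scope, the script only builds and checks the policy bodies.

```python
"""
Added example (not from the original post, and not Fortinet's or
Microsoft's code): Conditional Access policies for the first three
Microsoft 365 settings in the list above, plus an audit of them.

Assumptions: US_LOCATION_ID and BREAK_GLASS_ID are placeholder GUIDs for
a "United States only" named location and an emergency-access account
that exist in the tenant. Policy field names follow the Microsoft Graph
conditionalAccessPolicy resource; nothing here talks to Graph.
"""
import copy
import json

US_LOCATION_ID = "00000000-0000-0000-0000-000000000001"   # placeholder
BREAK_GLASS_ID = "00000000-0000-0000-0000-000000000002"   # placeholder

ENABLED = "enabled"
# Real Graph state value: the policy logs what it would do but blocks nothing.
REPORT_ONLY = "enabledForReportingButNotEnforced"


def _base(display_name: str, state: str) -> dict:
    """Common skeleton: all users (minus the emergency account), all cloud apps."""
    return {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_ID]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
    }


def mfa_and_compliant_device_policy(state: str = ENABLED) -> dict:
    """Bullets 1 and 2: every sign-in needs MFA AND a company-managed (compliant) device."""
    p = _base("Require MFA and compliant device", state)
    p["grantControls"] = {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]}
    return p


def block_outside_us_policy(state: str = ENABLED) -> dict:
    """Bullet 3: block sign-ins from anywhere except the US-only named location."""
    p = _base("Block sign-in from outside the United States", state)
    p["conditions"]["locations"] = {"includeLocations": ["All"],
                                    "excludeLocations": [US_LOCATION_ID]}
    p["grantControls"] = {"operator": "OR", "builtInControls": ["block"]}
    return p


def recommended_policies() -> list[dict]:
    return [mfa_and_compliant_device_policy(), block_outside_us_policy()]


def _covers_everyone(p: dict) -> bool:
    c = p.get("conditions", {})
    return ("All" in c.get("users", {}).get("includeUsers", [])
            and "All" in c.get("applications", {}).get("includeApplications", []))


def audit(policies: list[dict]) -> dict:
    """Which of the three settings are enforced tenant-wide by an *enabled* policy?

    Report-only policies are ignored because they never stop a sign-in. A grant
    policy with operator OR and several controls is not counted either: the user
    only has to satisfy one of them, so none of them is guaranteed.
    """
    covered = {"mfa": False, "compliantDevice": False, "blockOutsideUS": False}
    for p in policies:
        if p.get("state") != ENABLED or not _covers_everyone(p):
            continue
        grant = p.get("grantControls", {})
        controls = set(grant.get("builtInControls", []))
        if "block" in controls:
            loc = p["conditions"].get("locations", {})
            if "All" in loc.get("includeLocations", []) and loc.get("excludeLocations"):
                covered["blockOutsideUS"] = True
            continue
        if grant.get("operator") == "OR" and len(controls) > 1:
            continue
        for control in ("mfa", "compliantDevice"):
            if control in controls:
                covered[control] = True
    return covered


def weakened_policies() -> list[dict]:
    """The same two policies with two common mistakes: controls joined with OR
    instead of AND, and the geo-block left in report-only mode."""
    weak = copy.deepcopy(recommended_policies())
    weak[0]["grantControls"]["operator"] = "OR"
    weak[1]["state"] = REPORT_ONLY
    return weak


if __name__ == "__main__":
    print(json.dumps(recommended_policies(), indent=2))
    print("recommended:", audit(recommended_policies()))
    print("weakened:   ", audit(weakened_policies()))
```

The audit is the part worth keeping around: a policy that exists in the portal is not the same as a policy that is enforced, and the two mistakes in weakened_policies (report-only mode, "require one of the selected controls" instead of "require all") are exactly the ones that leave a tenant looking locked down while it is not.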

Putting these configurations into place certainly makes the Microsoft environment more secure, but it can all be undone if an employee unwittingly provides a threat actor with their login credentials. Regular and engaging cybersecurity awareness training should also be part of a company’s strategy to protect its data, whether that data lives in the Microsoft cloud or in the company’s office.

Sign up for our monthly Timely Tech Tips: https://bit.ly/CBTech-Tips

For weekly tips like these, follow us on Facebook: http://bit.ly/2sCMb30 LinkedIn: http://bit.ly/375e6HB Twitter: http://bit.ly/3ajca0n

Why Should You Implement Security Awareness Training in Your Business?

Cybersecurity is a critical component of business operations and is the responsibility of both the business and its employees. It requires a concerted effort from every individual within the organization: each employee has a hand in maintaining security and must be aware of their actions and the potential impact.

Security awareness training, when provided on a weekly or monthly recurring basis, helps individuals understand different threats they might be exposed to in their personal and work lives. The training typically focuses on the digital realm but might also include scams that operate via face-to-face or postal service methods. The goal of the training is to elevate an individual’s awareness of these threats so they can recognize them before falling victim, or at least help them mitigate any damage if they do fall victim.

So why should your company implement this training, and why more often than just once a year or quarter? In short, human nature. Without delving into the psychology, here are a few key points:

  1. humans are creatures of habit
  2. we all have a natural tendency to want to help
  3. as humans we have a natural fear of the unknown or unexpected
  4. we all have short memories and shorter attention spans

Here is a quick example of why regular training is necessary: a business owner was selling something on Facebook Marketplace and started a texting conversation with a potential buyer. The potential buyer asked the seller to provide a Google authentication code to verify the seller was a “trusted account”. The seller received a text message from Google with a 6-digit code and provided this code to the potential buyer. The buyer came back and said the code didn’t work and asked the seller to provide the code again. At that point the seller became suspicious and ended the conversation. Unfortunately, the seller had already unwittingly bypassed the multi-factor authentication on their own Google account by providing that code to the potential buyer.

Implementing a training program that regularly educates users about threats, tests their knowledge, offers additional training when necessary, and is engaging, will help your company avoid many common threats that technology alone cannot mitigate while not impacting employees’ productivity. This article points out why security awareness training is more important than ever as phishing attacks are the top avenue for ransomware delivery: http://bit.ly/3IUAdWX.

If you have questions about implementing security awareness training in your company, contact us here: https://bit.ly/CBTech-contact

Tips for Getting a Good Computer for School

We know, we know, it’s full-on summer, why are we talking about school?!?! The next school year is less than 2 months away, and computer manufacturers have deals running all summer, so now is a good time to start thinking about what your student might need.

The question you should ask when deciding to buy a new computer for school, or for any purpose really, is “what am I going to use it for?”. Some common answers are:

  1. browsing the internet
  2. email
  3. specific applications (like engineering programs or graphic design programs)
  4. attending class remotely
  5. video conferencing

For items 1 and 2, the specifications are not demanding. You can get by with a basic computer from almost any store. However, we would still recommend that the processor be an Intel Core i5 or i7. The RAM (or memory) used for browsing the internet will depend on how many browser tabs or windows you have open at one time. The more tabs or windows you anticipate opening the more RAM you should have in your computer. We would recommend at least 8GB.

Portability can be an important factor depending on your lifestyle and study habits. If you need to carry your computer to different locations or take it to classes, a lightweight laptop or a tablet with a detachable keyboard might be more suitable. On the other hand, if most of your work is done in one location, such as your dorm room or a home office, a desktop computer or a larger laptop with a bigger screen may be more comfortable to use.

A computer used for specific applications will need to meet the requirements of the vendor who made the application. All vendors will list minimum and recommended system requirements. You should review those requirements for each and any application you plan on using before buying the new computer. Just as with browser tabs and windows, the more applications you run at one time the more RAM you should have in the computer. Additionally, most schools will have recommended specifications for buying a computer to use at the school.

You should also consider the hard drive type and size. You still have two choices for type: traditional spinning drives (often referred to as SATA) or Solid-State Drives (often referred to as SSD). We recommend SSD drives because the performance is much better than traditional spinning drives, and you will find most laptops come with this type of drive. The size of the hard drive really depends on how much data you plan to save on your computer. If you are using the computer to browse the internet and/or use email, then the size of your hard drive does not need to be large. However, if you are saving images or video (which are the largest file size types) then you should get a larger hard drive, or even consider getting an external drive.

Happy shopping, and enjoy the rest of the summer!

Unplug From Your Technology This Summer

As summer gears up, take some time to assess the screen time habits that you’ve had for the past 6 months. If you’re anything like us, you’ve been glued to your devices, keeping up with news, streaming TV and movies, watching sports, working, working, working… We thought it would be a good time for some tips on how to unplug, whether you’re taking a trip or just want a day away from technology.

Constant exposure to technology and the digital world can lead to information overload, constant distraction, and heightened stress levels. Taking a break from technology allows your mind to rest and recharge, reducing feelings of anxiety and overwhelm. This break can also foster better focus, concentration, and improved cognitive function, leading to enhanced creativity and problem-solving abilities.

There is a plethora of articles on unplugging, so take the time to search around if you want more ideas. Embrace the art of unplugging and enjoy the summer!

How to Work From the Beach This Summer

It’s summer. You’re at the beach. You need to finish up some details to close a last-minute deal. You need to access that critical file because you’re the only one that can handle it. You’re out of luck, right? Not so fast! There are many ways to securely access business resources outside the office.

The first rule of thumb is to ask your technology services provider what methods are available to you. They should be able to help you implement something that fits your needs, budget, and security concerns, if they haven’t already. And security is big!

The next rule of thumb is that the ways to get to what you need are as varied as the types of resources you want to get to. It all depends on what you need to get to: files like documents or spreadsheets, or applications like QuickBooks. Each business is going to have different requirements, regulations, and budgets, et cetera, that will determine what method or methods can be used. This brings the first rule of thumb back into play: your technology services provider will know what methods fit your situation best.

When accessing your work data remotely, it’s crucial to be cautious of public Wi-Fi networks. These networks can be insecure and prone to cyber-attacks. It’s best to avoid using them altogether when accessing sensitive work data. Instead, consider using your phone as a personal hotspot or find a secure and private network such as a hotel’s business center or dedicated coworking space.

Cloud-based file-sharing services are a great way to securely access your work data remotely while on vacation. These services, such as Google Drive, Dropbox, or OneDrive, offer advanced security features, such as encryption, access controls, and two-factor authentication, to ensure the protection of your data. You can store and access your work files and documents from anywhere with an internet connection. And the good news is that most companies already use these services, so use rule of thumb 1 and see what your company’s technology services provider has set up.

Enjoy your summer (and don’t work too much)!

Small Business Lessons from the Change Healthcare Hack

Change Healthcare, a payment exchange platform operated by Optum Solutions (a subsidiary of UnitedHealth), suffered a ransomware attack in February of this year. The current estimate of damages is approximately $872,000,000. Details on the attack can be found on Bleeping Computer’s site: https://bit.ly/4bB2ihd. Let’s break down some lessons learned from this incident.

Preliminary information from the ongoing investigation suggests that the attackers used stolen credentials to access the company’s Citrix portal (Citrix is a system for remotely accessing company resources). It’s important to note that the compromised account did not have multi-factor authentication enabled on it, meaning that once the attackers had the username and password, they were able to log in without any additional checks. They then worked their way further into the network and started exfiltrating data, ultimately locking up systems in a ransomware attack. The investigation found that the initial system access happened at least 10 days prior to the ransomware being deployed and affecting the availability of resources. Additionally, it appears that malware on a device stole an employee’s Citrix credentials the day before the initial access; however, it is as yet unknown whether those same credentials were used in the attack.

What can we learn from this?

  1. Cybersecurity is a team effort: Cybersecurity is not just the responsibility of the IT person/department/company. It is important for all employees to be aware of the risks and take steps to protect their devices and data. Businesses need to create a culture of cybersecurity awareness and provide training to their employees on how to spot cyber threats.
  2. Educate employees about cybersecurity: Employees are often the first point of contact in the cybersecurity chain. Businesses need to educate employees about cybersecurity best practices, such as how to identify and avoid phishing attacks and how to create strong passwords.
  3. Implement a layered security approach: This involves using a variety of security controls, such as multi-factor authentication, firewalls, intrusion detection systems, and data encryption, to protect their systems and data. No one solution is 100% effective at stopping attacks.
  4. Have a plan in place to respond to cyberattacks: This plan should include steps to identify and contain the attack, mitigate the damage, and communicate with customers and employees.

3 Ways to Avoid Being the Fool (Getting Phished) On April Fools’ Day

April Fool’s is fast approaching (it’s almost April?!?!?!), so it seems like a good time to review some phishing email tips so the joke isn’t on you.

Email is still the number one communication method, which makes it the perfect avenue for scammers and other malicious actors looking to get the highest return on their activities. Here are three ways to stay safe online this April Fools’ Day:

  • Verify the Sender: One of the most common tactics used by phishers is to impersonate trusted entities such as banks, social media platforms, or even friends and family. They often send emails or messages that appear legitimate, prompting you to click on malicious links or provide personal information. To avoid falling into this trap, always verify the sender’s identity before taking any action. Check the email address or contact number against known ones associated with the organization or individual. Be cautious of any unexpected requests for sensitive information and never hesitate to contact the sender through official channels to confirm the authenticity of the message.

  • Think Before You Click: Phishing attempts often rely on enticing users to click on malicious links or download infected attachments. These links may lead to fake websites designed to steal your information or install malware on your device. Therefore, it’s essential to exercise caution and think before clicking on any links, especially those received via email or social media messages. Hover your cursor over the link to preview the URL and ensure it matches the expected destination. If you’re unsure about the legitimacy of a link, it’s best to avoid clicking on it altogether. Instead, navigate directly to the website in question through your browser or contact the sender directly for verification.

  • Stay Updated and Educated: Cybercriminals are continually evolving their tactics to bypass security measures and exploit unsuspecting individuals. Therefore, staying informed about the latest phishing trends and techniques is crucial in safeguarding yourself against online threats. Keep your software, operating system, and antivirus programs up to date to protect against known vulnerabilities. Additionally, educate yourself and your family members about the signs of phishing scams, such as misspelled URLs, grammatical errors, and requests for sensitive information. By staying vigilant and informed, you can reduce the risk of falling victim to phishing attacks not only on April Fools’ Day but every day of the year.

Keep in mind that world events and holidays are often good disguises for malicious actors to send out emails. That link to a funny April Fool’s prank may not be from your friend or coworker and the joke might be on you, so keep an eye out!

Tax Scams and How to Avoid Them

It’s that time of year again! As we get deeper into tax season, we’ll see an uptick in tax-related scams. IRS Commissioner Danny Werfel says, “People should be wary and avoid sharing sensitive personal data over the phone, email or social media to avoid getting caught up in these scams.” Here is some information on what to keep an eye out for as well as some resources from the IRS.

Phishing email is still the biggest attack avenue, as it is cheap and easy, but text and phone scams are still quite popular. Use the SLAM (Sender, Links, Attachments, Message) method to assess any suspicious emails:

  1. Check the Sender address
  2. Hover over any Links to see if they match the text
  3. Be wary of Attachments
  4. Check the Message. Red flags are a sense of urgency, consequences if something isn’t immediately done, or requests for payment in odd forms
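The SLAM steps above, and the “hover over the link and check that it matches” advice from the April Fools’ post, can be automated for a first pass. The following is an added example, not code from the original posts: it parses a raw email and reports the same four kinds of red flag. Both sample messages, their sender domains and their links are constructed for this example and do not come from a real incident.

```python
"""
Added example (not code from the original posts): a checker that applies
the SLAM steps (Sender, Links, Attachments, Message) to a raw email.
The two sample messages, their domains and headers are constructed for
this example and do not come from a real incident.
"""
import re
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed phishing-style sample: the display name borrows a trusted
# domain, and the visible link text does not match the real link target.
SUSPICIOUS_EMAIL = """\
From: "IRS.gov Refund Department" <notice@irs-refund-portal.example>
To: owner@smallbiz.example
Subject: Action required: your refund is on hold
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your refund will be cancelled in 24 hours unless you confirm your identity.</p>
<p>Sign in at <a href="http://irs.gov.refund-portal.example/login">https://www.irs.gov/refunds</a></p>
<p>Questions? See <a href="https://www.irs.gov/help">our help page</a>.</p>
</body></html>
"""

# Constructed benign sample for comparison.
CLEAN_EMAIL = """\
From: "Acme Billing" <billing@acme.example>
To: owner@smallbiz.example
Subject: Your March invoice is ready
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your invoice is available at <a href="https://acme.example/invoices">https://acme.example/invoices</a>.</p>
</body></html>
"""

DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b", re.I)
URGENCY_PHRASES = ("immediately", "in 24 hours", "will be cancelled",
                   "suspended", "urgent", "action required")
RISKY_ATTACHMENT_SUFFIXES = (".exe", ".js", ".vbs", ".scr", ".iso", ".lnk", ".htm", ".html", ".zip")


class HtmlCollector(HTMLParser):
    """Collects (href, visible text) for every <a>, plus all visible text."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self.text = []
        self._href = None
        self._anchor_text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._anchor_text = []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._anchor_text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Hostname of a URL; bare 'www.example.com/x' is treated as http://."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def looks_like_url(text: str) -> bool:
    return "://" in text or text.lower().startswith("www.")


def slam_check(raw_message: str) -> list[str]:
    """Return human-readable findings; an empty list means no red flags found."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # S - Sender: does the display name claim a domain other than the real one?
    sender = msg["From"].addresses[0] if msg["From"] and msg["From"].addresses else None
    if sender is None:
        findings.append("Sender: From header missing or unparseable")
    else:
        real_domain = sender.domain.lower()
        for claimed in DOMAIN_RE.findall(sender.display_name):
            if claimed.lower() != real_domain:
                findings.append(f"Sender: display name mentions {claimed} "
                                f"but the address is @{real_domain}")

    # L - Links: does the text the reader sees match where the link really goes?
    body = msg.get_body(preferencelist=("html",))
    collector = HtmlCollector()
    collector.feed(body.get_content() if body is not None else "")
    for href, text in collector.anchors:
        if looks_like_url(text) and host_of(text) != host_of(href):
            findings.append(f"Links: text shows {host_of(text)} "
                            f"but the link goes to {host_of(href)}")

    # A - Attachments: flag file types commonly used to deliver malware.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_ATTACHMENT_SUFFIXES):
            findings.append(f"Attachments: risky file type {name}")

    # M - Message: urgency language is the classic pressure tactic.
    visible = (str(msg["Subject"] or "") + " " + " ".join(collector.text)).lower()
    hits = [p for p in URGENCY_PHRASES if p in visible]
    if hits:
        findings.append("Message: urgency language: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, "->", slam_check(raw) or ["no red flags"])
```

The link check is the one that catches the most: the reader sees a familiar address, but the href host is what the browser will actually open, and the two only have to differ once. A checker like this is a triage aid, not a replacement for the habit the post is teaching; a message that passes all four checks still deserves the same moment of suspicion.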

The IRS compiles a list of its “Dirty Dozen” scams each year. It can be accessed here: https://www.irs.gov/newsroom/dirty-dozen. They also have a webpage dedicated to specific tax scams and consumer alerts: https://www.irs.gov/newsroom/tax-scams-consumer-alerts. It is a good place to learn about common scams and how to identify them. And for the low tech scams, here is a page dedicated to helping you determine if the IRS is really on the phone or knocking at your door: https://www.irs.gov/newsroom/how-to-know-its-really-the-irs-calling-or-knocking-on-your-door.

The IRS will never:

  • Call to demand immediate payment using a specific payment method such as a prepaid debit card, gift card or wire transfer. Generally, the IRS will first mail a bill to any taxpayer who owes taxes.
  • Threaten to immediately bring in local police or other law-enforcement groups to have the taxpayer arrested for not paying.
  • Demand that taxes be paid without giving taxpayers the opportunity to question or appeal the amount owed.
  • Ask for credit or debit card numbers over the phone.
  • Call you about an unexpected refund.

(taken from their website: http://bit.ly/2AQf8cF)

The IRS is also warning tax professionals about being targeted by scammers. Scammers are posing as tax software providers and requesting EFIN (electronic filing identification number) documents from tax professionals under the guise of a required verification to transmit tax returns. The thieves then attempt to steal client data and tax preparers’ identities, creating the potential for them to file fraudulent tax returns for refunds.

Why NJ Insurance Agencies Need Cybersecurity Insurance (and 2 Steps to Boost Security)

As an independent insurance agency in New Jersey, you understand risk. You help your clients mitigate theirs every day. But what about your own? In today’s digital landscape, the biggest threat you face might not be a fire, a flood, or a bad driver – it could be a cyberattack.

Data breaches are on the rise, and the insurance industry is a prime target. Hackers crave the sensitive information you store, like PII, financial records, and policy details. A single breach can result in devastating consequences: hefty fines, lawsuits, reputational damage, and even business closure.

That’s where cybersecurity insurance comes in. It’s not just a nice-to-have – it’s a vital safety net for any agency. Here are three compelling reasons why:

1. Breaches Happen. Be Prepared.

Think you’re too small to be a target? Think again. Hackers don’t discriminate by size. In fact, smaller agencies can be easier targets with less robust security. Cybersecurity insurance can ensure you have the financial resources to recover from a breach, potentially covering legal fees, notification costs, and even credit monitoring for affected clients.

2. Compliance Made Easy.

New Jersey takes data privacy seriously. Laws like the NJ Privacy Act and regulations like HIPAA mandate strong data security measures and strict breach notification protocols. Having a cybersecurity insurance policy can demonstrate your commitment to data protection, potentially easing compliance audits and building trust with clients.

3. Sleep Soundly, Securely.

Beyond financial protection, cybersecurity insurance can offer peace of mind. Imagine having access to expert incident response teams who can quickly contain a breach and minimize damage. Or receiving vulnerability scans and employee training to proactively strengthen your defenses. It’s like having a dedicated cybersecurity partner by your side, 24/7.

Now, let’s talk proactive security. Here are two actionable steps your agency can take right now:

1. Lock Down Logins with Multi-Factor Authentication (MFA).

Think of MFA as an extra lock on your digital door. Even strong passwords can be compromised, but MFA adds an additional layer of security, like a code from your phone or a fingerprint scan. This makes it exponentially harder for attackers to gain access, even if they steal a password.

2. Educate Your Team: Knowledge is Power.

Your employees are your front line of defense. Regular security awareness training can equip them to spot phishing scams, avoid social engineering traps, and practice good password hygiene. Remember, informed employees are empowered employees, making your agency a safer place for everyone.

Cybersecurity is an ongoing journey, not a destination. By investing in both insurance and proactive measures like MFA and employee training, your NJ insurance agency can navigate the digital world with confidence, knowing you’re protected from the ever-evolving threat landscape. Don’t wait for a breach to be your wake-up call. Secure your agency’s future today.
