CloudXone Blog

Why Accounting Offices Must Prioritize Cyber Protection

Posted by   CloudXone IT on September 11, 2020 at 9:28 AM


In this day and age, information is currency. There is no arguing that digital data has become a big target for hackers and online criminals looking to steal your customers' private data. Many organizations hold confidential data such as healthcare records, and accounting firms in particular must prioritize their cybersecurity in order to protect their clients' information.

PwC Canada recently released The State of Cybersecurity and Privacy, and the statistics were alarming. Here are some numbers to consider when thinking about why accounting firms must prioritize cybersecurity.

  • 80 percent of Canadian CEOs are concerned about cybersecurity as a threat to their growth prospects.
  • 90 percent of Canadian CEOs are aware that the increasing complexity of threats is having an impact in shaping their cybersecurity strategy.

When so many CEOs have these concerns about cybersecurity, it is only natural they expect their business partners such as accounting firms to have the same concerns.

Accounting firms are a very important part of the Canadian economy. They are entrusted with many duties, including handling financial data and taxes. That role makes accounting offices, and small to medium-sized offices generally, a prime target for cyberattacks and data breaches.

Why must accounting offices prioritize cyber protection?

No organization wants to be the headline of the next big cyber breach, costing thousands in damages, and organizations spend a lot of money on their cybersecurity plans. Hackers look at everyone involved in a business relationship, and accounting firms are high on the list because they hold a lot of personal information and have access to multiple organizations at once.

What is the best approach towards cybersecurity for accounting offices?

The majority of accounting firms do understand the necessity of cybersecurity; however, the degree of engagement varies from firm to firm. You will need to design a strategic approach that treats cybersecurity as a business issue rather than just a technical issue.

Most IT departments are too busy, or lack the specialist knowledge, to implement a proper plan. You can always reach out to an IT services provider to assess your data security level and test for vulnerabilities. Your managed IT services provider or internal IT department should not be the one testing its own work; hire an independent third party so the vulnerability assessment is unbiased.

Why should cybersecurity be on top of the list for an accounting office?

The reasoning is simple. Many industries, including healthcare, construction, manufacturing, and more, have one thing in common: they all use an accounting firm. A single compromised firm therefore gives an attacker a foothold into many client organizations, which is why accounting offices are at the top of the list for cyberattacks.

Cybercriminals continually change and adapt their methods. No matter how secure your accounting firm is, there will always remain a possibility of a data breach, because a new technique might get past your firm's defences.

What kind of financial loss can an accounting office face if worst comes to worst?

If an accounting office is hit by ransomware or a data breach, it can expect a substantial financial loss that has the potential to bankrupt the firm or seriously impact its finances. In addition, revenue will fall as clients lose confidence and trust. A hard-earned reputation is very hard to repair once the damage is done.

What risks can an accounting firm bring to clients?

As in any other business, financial loss is only one aspect of compromised security. It is the responsibility of accounting firms to take every reasonable precaution to secure information, because the consequences for clients can be severe. Smaller accounting firms can also easily go bankrupt if their data security is compromised, since CPAs and accounting firms have access to sensitive financial data.

Accounting firms must prioritize cybersecurity because…

They need to ensure they are protected from cyberattacks. Every employee plays a part, and each employee must be aware of how serious a cyberattack on the accounting firm can be. Through employee awareness of cybersecurity and best practices, you will be better able to protect your accounting firm's sensitive data.

Have your passwords been stolen in a data breach? Contact us for a free technology pre-assessment today and start protecting yourself from cybercriminals.

Transitioning to the cloud or worried about security? We are a leading cloud services provider and managed security services provider in Toronto.

CLOUDXONE is Toronto’s leading IT consulting solution expert, offering industry-leading IT solutions including Strategic Advisory, Microsoft 365, Tech Support Services, Cloud Services, Business Data Recovery and File, and VoIP Phone Systems.


Our IT experts are happy to assess your needs, fill out our form here to put your IT infrastructure and business to the test!

Worried about security or need to transition to the cloud?
Contact CloudXone IT Services at 647.714.8333
We are friendly, creative and dedicated, serving the Greater Toronto Area for over 20 years.

TECHNOLOGY ASSESSMENT

If you enjoyed this article, share it on social media. 

FOLLOW US ON SOCIAL MEDIA.

The Ultimate Guide To Canadian Cyber Security

Posted by   CloudXone IT on August 31, 2020 at 6:05 AM


If I asked you to list the most valuable things you own, how would you answer? I guess this would be another way of asking the infamous “What would you grab if your house was on fire?” question.

For me, I’d grab an old keepsake box filled with things from my childhood, my engagement ring, my phone and computer (for pictures and writings!), and an old Iowa sweatshirt of my dad’s.

But I’d also have to say that my identity, social security number, credit cards, and bank accounts are valuable to me.

 


While these things can’t exactly burn down in a fire, they can be stolen … and if I were to ask a computer hacker what they thought my most valuable possessions were, they’d probably quote the intangible.

That’s why we’ve compiled this guide on cybersecurity. Below, we’ll talk about why you should care about cybersecurity, how to secure your and your customer’s digital data, and what resources to follow to stay up-to-date with emerging tech.

  1. What Is Cyber Security?
  2. Why You Should Care About Cybersecurity
  3. Cyber Security Terms to Know
  4. Types of Cyber Attacks
  5. Cyber Security Best Practices
  6. Cyber Security Resources
 

What is Cyber Security?

Cybersecurity refers to the process and recurring practice of securing data, networks, and computers from misuse: either by external cyber attacks or other threats. Protected data typically includes contact information, passwords, credit card numbers, bank account information, passport and driver license numbers, social security numbers, medical records, and any other non-public information.

 

Personal data is incredibly valuable. Hackers know it, and businesses know it. That’s why both go to great lengths to collect it — albeit one following a much more legal and moral avenue to do so.

Unfortunately, as technology and data collection practices progress, so do the methods that hackers follow to steal data. As business owners, we have a special responsibility to protect our customers’ data and be transparent with our practices.

Why You Should Care About Cybersecurity

In the first half of 2019, data breaches exposed over 4 billion records. Moreover, a recent study found that hackers attack every 39 seconds — that adds up to, on average, 2,244 attacks per day.

Small to medium-sized businesses (SMBs) are especially at risk. You might see corporations like Target and Sears topping the headlines as top data breach victims, but it’s actually SMBs that hackers prefer to target.

Why? They have more — and more valuable — digital assets than your average consumer but less security than a larger enterprise-level company … placing them right in a “hackers' cybersecurity sweet spot.”

Security breaches are frustrating and frightening for both businesses and consumers. Studies show that, after a company data breach, many consumers take a break from shopping at that business — and some consumers quit altogether.

But cybersecurity is about more than just avoiding a PR nightmare. Investing in cybersecurity builds trust with your customers. It encourages transparency and reduces friction as customers become advocates for your brand.

“Everyone has a role in helping to protect customers’ data. Here at HubSpot, every employee is empowered to solve for customer needs in a safe and secure way. We want to harness everyone’s energy to provide a platform that customers trust to correctly and safely store their data.” — Chris McLellan, HubSpot Chief Security Officer


Cyber Security Terms to Know

Cybersecurity is a very intimidating topic, not unlike cryptocurrency and artificial intelligence. It can be hard to understand, and, frankly, it sounds kind of ominous and complicated.

But fear not. We’re here to break this topic down into digestible pieces that you can rebuild into your own cyber security strategy. Bookmark this post to keep this handy glossary at your fingertips.

Here’s a list of general cyber security terms you should know.

Authentication

Authentication is the process of verifying who you are. Your passwords authenticate that you really are the person who should have the corresponding username. When you show your ID (e.g., driver’s license, etc), the fact that your picture generally looks like you is a way of authenticating that the name, age, and address on the ID belong to you. Many organizations use two-factor authentication, which we cover later.

Backup

A backup is a copy of important data kept in a separate location, such as a cloud storage system or an external hard drive. Backups let you restore your systems to a healthy state after a cyber attack or system crash. Keep at least one copy offline, or otherwise out of reach of your everyday accounts, so that ransomware that encrypts your live systems cannot reach the backup as well.

Data Breach

A data breach is an incident in which an attacker gains unauthorized access to a company’s or an individual’s data.

Digital Certificate

A digital certificate, also known as an identity certificate or public key certificate, is a signed digital document that binds a public key to the identity of its owner (a website, a device, or a person). A trusted certificate authority issues and signs it, so that when a browser or other client receives the certificate it can verify who it is talking to before exchanging encrypted data. It is not a passcode: the certificate itself is public, and the security comes from the matching private key that only the owner holds.

Encryption

Encryption is the practice of transforming data with a cipher and a secret key so that it is unreadable to anyone who does not have the key. Only a recipient with the correct key can decrypt the data back to its original form. If an attacker gets access to strongly encrypted data but not the key, they cannot read it. In practice encryption is only as strong as the protection of the key, so where keys are stored, and who can use them, matters as much as the algorithm.

HTTP and HTTPS

Hypertext Transfer Protocol (HTTP) is the protocol web browsers use to talk to web servers. You’ll see an http:// or https:// in front of the websites you visit. HTTPS is HTTP carried over TLS: it encrypts the data sent between you and the web server and uses the server’s digital certificate to prove you are talking to the genuine site, hence the “S” for secure. Today, nearly all websites use HTTPS, and browsers warn on plain HTTP pages. Note that HTTPS only protects data in transit; a phishing site can have a perfectly valid certificate, so the padlock alone does not mean a site is trustworthy.

Vulnerability

A vulnerability is a place of weakness that a hacker might exploit when launching a cyber attack. Vulnerabilities might be software bugs that need to be patched, or a password reset process that can be triggered by unauthorized people. Defensive cybersecurity measures (like the ones we talk about later) help ensure data is protected by putting layers of protections between attackers and the things they’re trying to do or access.

 

Types of Cyber Attacks

  1. Password Guessing Attack
  2. Distributed Denial of Service (DDoS) Attack
  3. Malware Attack
  4. Phishing Attack

 

A cyber attack is a deliberate attempt to steal, modify, or destroy private data, or to disrupt the systems that hold it. Most are carried out by external attackers, but a compromised or careless insider can enable one as well. Motives vary: financial gain (ransom, fraud, resale of stolen data) is the most common, but espionage, activism, and simple mischief all occur.

Here are the four most common cyber threats.

1. Password Guessing (Brute Force) Attack

A password guessing, or brute force, attack is when an attacker repeatedly tries usernames and passwords until one works, either by guessing common passwords or by working through a dictionary. A related attack, credential stuffing, does not guess at all: it replays username and password pairs leaked in past data breaches, and succeeds whenever people reuse the same password across systems (e.g., when your Facebook and Twitter passwords are the same). Your best defence against both is to use strong, unique passwords for every account and to use two-factor authentication (covered later); on the server side, rate-limit and monitor failed logins so that mass guessing is noticed and blocked.
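The two patterns look different in a login log, and that difference is what a detection rule keys on: credential stuffing is one source failing against many different accounts, while brute force is many failures against one account. The following is an added example, not code from the original post. The log format and the sample lines are constructed for illustration (documentation-range IP addresses, no real traffic), and the thresholds are assumptions to tune for your own environment; a real deployment would parse Windows event 4625, sshd messages, or your identity provider's sign-in log instead.

```python
"""Spot brute-force and credential-stuffing patterns in login logs.

Added example, not from the original post. The log format is a constructed,
hypothetical one: "<timestamp> <source_ip> <username> <SUCCESS|FAIL>".
"""
from collections import defaultdict

# Constructed sample log (hypothetical format, documentation-range IPs).
# 203.0.113.5 replays a leaked list against many accounts (credential
# stuffing) and gets into "frank"; 198.51.100.7 hammers the single account
# "admin" (brute force); 192.0.2.10 is an ordinary successful login.
SAMPLE_LOG = """\
2020-09-01T10:00:01 203.0.113.5 alice FAIL
2020-09-01T10:00:02 203.0.113.5 bob FAIL
2020-09-01T10:00:02 203.0.113.5 carol FAIL
2020-09-01T10:00:03 203.0.113.5 dave FAIL
2020-09-01T10:00:03 203.0.113.5 erin FAIL
2020-09-01T10:00:04 203.0.113.5 frank SUCCESS
2020-09-01T10:05:00 198.51.100.7 admin FAIL
2020-09-01T10:05:01 198.51.100.7 admin FAIL
2020-09-01T10:05:02 198.51.100.7 admin FAIL
2020-09-01T10:05:03 198.51.100.7 admin FAIL
2020-09-01T10:05:04 198.51.100.7 admin FAIL
2020-09-01T10:05:05 198.51.100.7 admin FAIL
2020-09-01T10:05:06 198.51.100.7 admin FAIL
2020-09-01T10:05:07 198.51.100.7 admin FAIL
2020-09-01T10:05:08 198.51.100.7 admin FAIL
2020-09-01T10:05:09 198.51.100.7 admin FAIL
2020-09-01T10:06:00 192.0.2.10 alice SUCCESS
"""


def parse(log_text):
    """Return (timestamp, ip, user, succeeded) tuples, skipping blank lines."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((ts, ip, user, result == "SUCCESS"))
    return events


def classify(events, min_distinct_users=5, min_failures_per_user=10):
    """Return stuffing sources, brute-forced accounts, and successes that
    followed either pattern (the likely account takeovers)."""
    fails_by_ip = defaultdict(lambda: defaultdict(int))  # ip -> user -> failures
    fails_by_user = defaultdict(int)
    successes = []
    for ts, ip, user, ok in events:
        if ok:
            successes.append((ts, ip, user))
        else:
            fails_by_ip[ip][user] += 1
            fails_by_user[user] += 1

    # Stuffing: one source, failures spread across many different accounts.
    stuffing_ips = {ip for ip, users in fails_by_ip.items()
                    if len(users) >= min_distinct_users}
    # Brute force: one account, many failures, from any number of sources.
    brute_forced_users = {u for u, n in fails_by_user.items()
                          if n >= min_failures_per_user}
    # A success from a stuffing source, or on a brute-forced account, is the
    # event worth paging someone about: it is probably a compromised account.
    suspicious_logins = {(ip, user) for _, ip, user in successes
                         if ip in stuffing_ips or user in brute_forced_users}
    return {
        "stuffing_ips": stuffing_ips,
        "brute_forced_users": brute_forced_users,
        "suspicious_logins": suspicious_logins,
    }


if __name__ == "__main__":
    for name, value in classify(parse(SAMPLE_LOG)).items():
        print(f"{name}: {sorted(value)}")
```

The point of the third bucket is that a successful login is the signal worth acting on: a flood of failures is noise until one of them turns into a success, at which point the account should be locked and its sessions revoked. Counting distinct usernames per source, rather than raw failures, is what keeps a single user who mistyped their password ten times from being confused with an attacker.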

2. Distributed Denial of Service (DDoS) Attack

A distributed denial of service (DDoS) attack is when an attacker floods a network or system with so much traffic (messages, requests, or connections) that it can no longer serve legitimate users. This is typically done using botnets, which are groups of internet-connected devices (e.g., laptops, light bulbs, game consoles, servers, etc.) infected by malware that lets the attacker direct them all at once.

3. Malware Attack

Malware refers to all types of malicious software used by attackers to infiltrate computers and networks and collect sensitive private data. Types of malware include:

  • Keyloggers, which track everything a person types on their keyboard. Keyloggers are usually used to capture passwords and other private information, such as social security numbers.
  • Ransomware, which encrypts data and holds it hostage, forcing users to pay a ransom in order to unlock and regain access to their data.
  • Spyware, which monitors and “spies” on user activity on behalf of a hacker.

Furthermore, malware can be delivered via:

  • Trojan horses, which infect computers through a seemingly benign entry point, often disguised as a legitimate application or other piece of software.
  • Viruses, which corrupt, erase, modify, or capture data and attach themselves to other programs or files so that they spread when those are shared or run, including when they are unintentionally installed by compromised users.
  • Worms, which are designed to self-replicate and spread autonomously across connected computers that share the same vulnerability, without any user action.

4. Phishing Attack

A phishing attack is when attackers try to trick people into doing something, such as entering their password on a fake login page or opening a malicious attachment. Phishing scams are delivered through a seemingly legitimate download, link, or message. It’s a very common type of cyber attack: over 75% of organizations reported falling victim to phishing in 2018. Phishing is typically done over email or through a fake website, and it usually relies on spoofing, that is, forging the sender address or imitating a trusted brand or domain. Spear phishing refers to a hacker focusing on a particular person or company with a tailored message, instead of sending general-purpose spam.

Cyber Security Best Practices: How to Secure Your Data

Cybersecurity can’t be boiled down into a 1-2-3-step process. Securing your data involves a mix of best practices and defensive cyber security techniques. Dedicating time and resources to both is the best way to secure your — and your customers’ — data.

Defensive Cybersecurity Solutions

All businesses should invest in preventative cybersecurity solutions. Implementing these systems and adopting good cybersecurity habits (which we discuss next) will protect your network and computers from outside threats.

Here’s a list of five defensive cybersecurity systems and software options that can prevent cyber attacks — and the inevitable headache that follows. Consider combining these solutions to cover all your digital bases.

Antivirus Software

Antivirus software is the digital equivalent of taking that vitamin C boost during flu season: a preventative measure that monitors for bugs. Its job is to detect known malware on your computer and remove it, much like vitamin C does when bad things enter your immune system. (Spoken like a true medical professional …) Antivirus software also alerts you to potentially unsafe web pages and software. Keep in mind that it mostly recognizes what it has seen before, so it should not be your only layer of defence.

Learn more: McAfee, Norton, or Panda (for free)

Firewall

A firewall is a digital wall that keeps malicious users and software out of your computer or network. It filters traffic according to rules (which addresses, ports, and protocols are allowed in or out), like an invisible gatekeeper between you and the internet. Firewalls come in both software and hardware forms, and a sensible default is to block all inbound connections except the few you explicitly need.

Learn more: McAfee LiveSafe or Kaspersky Internet Security

Single Sign-On (SSO)

Single sign-on (SSO) is a centralized authentication service through which one login is used to access an entire platform of accounts and software. If you’ve ever used your Google account to sign up for or into another service, you’ve used SSO. Enterprises and corporations use SSO to give employees access to internal applications that contain proprietary data. Because that one login now unlocks everything, the SSO account itself must be protected with two-factor authentication and revoked promptly when someone leaves.

Learn more: Okta or LastPass

Two-Factor Authentication (2FA)

Two-factor authentication (2FA) is a login process that requires two different kinds of proof: something you know (a password or PIN) and something you have (a phone app that generates one-time codes, a hardware security key, or a code sent to a device you control). Because an attacker who steals or guesses your password still lacks the second factor, 2FA is far more secure than single-factor authentication. Prefer app-generated codes or hardware keys over SMS codes, which can be intercepted through SIM swapping, and never type a code into anything other than the site you are actually logging into.

Learn more: Duo

Virtual Private Network (VPN)

A virtual private network (VPN) creates an encrypted “tunnel” between your device and a VPN server, so that traffic between the two cannot be read or tampered with by anyone on the path, such as an attacker on the same public Wi-Fi network. Beyond the VPN server, traffic continues normally, so a VPN protects the connection, not the endpoints: it does not remove spyware or other malware already on your computer, and it cannot stop you from being phished or from installing a fake VPN client. Because of this, VPNs should be combined with the other defensive measures above rather than relied on alone.

Learn more: Cisco's AnyConnect or Palo Alto Networks’ GlobalProtect

Cyber Security Tips for Business

Defensive cybersecurity solutions won’t work unless you do. To ensure your business and customer data is protected, adopt these good cybersecurity habits across your organization.

Require strong credentials.

Require both your employees and users (if applicable) to create strong passwords. Length matters more than character-class rules: a minimum of 12 characters is a sensible floor, long passphrases should be allowed, and new passwords should be checked against lists of passwords exposed in past breaches rather than merely required to mix upper and lowercase letters, numbers, and symbols. Current guidance (NIST SP 800-63B) advises against forcing periodic password changes, which push people toward predictable patterns; instead, require a change immediately when a password is known or suspected to be compromised, and provide a password manager so that every account can have a unique password.
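What that policy looks like at the point where a password is set and stored, as an added example that is not from the original post: screen the candidate against length, the username, and a breached-password list, then store only a salted, slow hash. The breached list here is a constructed stand-in of four hashes; a real system would query a corpus such as Have I Been Pwned's Pwned Passwords, which publishes SHA-1 digests in the same upper-case hex form. The record format and the iteration count are this example's own choices.

```python
"""Password screening and storage for a login system.

Added example, not from the original post. The breached-password set is a
constructed stand-in for a real corpus of leaked-password SHA-1 digests.
"""
import hashlib
import hmac
import os

# Constructed stand-in for a breached-password corpus: SHA-1 hex digests
# (upper-case, as Have I Been Pwned publishes them) of a few leaked passwords.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "Password1!", "Welcome2020", "qwerty123")
}

MIN_LENGTH = 12  # length matters more than character-class rules


def check_policy(password: str, username: str, breached=BREACHED_SHA1) -> list:
    """Return the list of policy violations; an empty list means acceptable.

    Deliberately absent: any rule demanding a mix of character classes or a
    periodic change, in line with NIST SP 800-63B.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    if digest in breached:
        problems.append("appears in a known data breach")
    return problems


# Storage: never keep the password itself, only a salted, deliberately slow hash.
PBKDF2_ITERATIONS = 600_000  # order of magnitude OWASP recommends for PBKDF2-SHA256


def hash_password(password: str, salt=None) -> str:
    """Produce a self-describing record so parameters can be raised later."""
    salt = salt or os.urandom(16)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    print(check_policy("Password1!", "alice"))   # two violations
    record = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", record))  # True
```

The SHA-1 in `check_policy` is only there to match the format of public breach corpora and has nothing to do with storage; the stored hash is PBKDF2 with a per-user salt, so two users with the same password get different records and an attacker who steals the database must attack each one separately at the full cost of 600,000 iterations per guess.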


Control and monitor employee activity.

Within your business, give access to important data only to authorized employees who need it for their job. Prohibit sharing data outside the organization, require permission for external software downloads, and encourage employees to lock their computers and accounts whenever they step away.

Know your network.

With the rise of the Internet of Things, IoT devices are popping up on company networks like crazy. These devices, which are not under company management, can introduce risk as they’re often unsecured and run vulnerable software that can be exploited by hackers and provide a direct pathway into an internal network.

“Make sure you have visibility into all the IoT devices on your network. Everything on your corporate network should be identified, properly categorized, and controlled. By knowing what devices are on your network, controlling how they connect to it, and monitoring them for suspicious activities, you'll drastically reduce the landscape attackers are playing on.” — Nick Duda, Principal Security Officer at HubSpot

Download patches and updates regularly.

Software vendors regularly release updates that address and fix vulnerabilities. Keep your software safe by updating it on a consistent basis. Consider configuring your software to update automatically so you never forget.

Make it easy for employees to escalate issues.

If your employee comes across a phishing email or compromised web page, you want to know immediately. Set up a system for receiving these issues from employees by dedicating an inbox to these notifications or creating a form that people can fill out.

Cyber Security Tips for Individuals

Cyber threats can affect you as an individual consumer and internet user, too. Adopt these good habits to protect your personal data and avoid cyber attacks.

Mix up your passwords.

Using the same password for all your important accounts is the digital equivalent of leaving a spare key under your front doormat. A recent study found that over 80% of hacking-related data breaches involved weak or stolen passwords. Even if a business or software account doesn’t require a strong password, always choose a long, unique one (a password manager makes this painless), turn on two-factor authentication wherever it is offered, and change a password as soon as you learn it may have been exposed.

Monitor your bank accounts and credit frequently.

Review your statements, credit reports, and other critical data on a regular basis and report any suspicious activity. Additionally, only release your social security number when absolutely necessary.

Be intentional online.

Keep an eye out for phishing emails or illegitimate downloads. If a link or website looks fishy (ha — get it?), it probably is. Look for bad spelling and grammar, suspicious URLs, and mismatched email addresses. Lastly, download antivirus and security software to alert you of potential and known malware sources.
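Three of those tells (a sender whose display name claims a different address, replies quietly routed to a third domain, and a link whose visible text names one site while the href goes to another) can be checked mechanically. The following is an added example, not code from the original post. The message is constructed for illustration; its domains use the reserved .example top-level domain and belong to nobody, and the `base_domain` helper is a deliberate simplification that a real tool would replace with the Public Suffix List.

```python
"""Heuristic checks for common phishing tells in an email message.

Added example, not from the original post. The message is constructed and
uses reserved .example domains.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the display name impersonates a government sender, the
# Reply-To goes elsewhere, and the link text is not where the link goes.
SAMPLE_EMAIL = """\
From: "Canada Revenue Agency (noreply@canada.ca)" <alerts@cra-refund-notice.example>
Reply-To: claims@refund-desk.example
Subject: Your tax refund is waiting
Content-Type: text/html

<p>Dear taxpayer,</p>
<p>Visit <a href="http://cra-refund-notice.example/login">https://www.canada.ca/en/revenue-agency</a>
to claim your refund.</p>
<p><a href="https://cra-refund-notice.example/unsubscribe">Unsubscribe</a></p>
"""

EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def base_domain(host):
    """Naive registrable domain (last two labels). A real tool would use the
    Public Suffix List so that multi-label suffixes are handled correctly."""
    parts = (host or "").lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw_message):
    """Return (finding, detail) pairs; an empty list means no tells were found."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = base_domain(sender.rpartition("@")[2])

    # 1. A display name that smuggles in an address other than the real sender's.
    for m in EMAIL_RE.finditer(display_name):
        if base_domain(m.group(1)) != sender_domain:
            findings.append(("display_name_mismatch", f"{m.group(0)} shown, sent by {sender}"))

    # 2. Replies silently routed to a third domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and base_domain(reply_to.rpartition("@")[2]) != sender_domain:
        findings.append(("reply_to_mismatch", f"replies go to {reply_to}"))

    # 3. Links whose visible text is a URL for a different site than the href,
    #    plus any link that is plain HTTP.
    body = msg.get_payload(decode=True) or b""
    collector = LinkCollector()
    collector.feed(body.decode("utf-8", "replace"))
    for href, text in collector.links:
        parsed = urlparse(href)
        href_host = parsed.hostname or ""
        if "." in text and " " not in text:  # the visible text looks like a URL
            text_host = urlparse(text if "://" in text else "//" + text).hostname or ""
            if base_domain(text_host) != base_domain(href_host):
                findings.append(("link_text_mismatch", f"'{text}' actually goes to {href_host}"))
        if parsed.scheme == "http":
            findings.append(("plain_http_link", href))
    return findings


if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_EMAIL):
        print(f"{kind}: {detail}")
```

None of these checks proves a message is malicious, and a clean result proves nothing either; they are the same cues a careful reader applies, made consistent and fast enough to run on every message that hits a shared mailbox. Pair them with the reporting channel described in the business tips above, so that a flagged message reaches someone who can pull it from other inboxes.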

Back up your data regularly.

This habit is good for businesses and individuals to master — data can be compromised for both parties. Consider backups on both cloud and physical locations, such as a hard drive or thumb drive.

Cyber Security Resources

To learn more about cybersecurity and how to better equip your business and team, tap into the resources below. Check out some of the most popular cybersecurity podcasts and cybersecurity blogs, too.

National Institute of Standards and Technology (NIST)

NIST is a U.S. government agency that promotes excellence in science and industry. It also has a cybersecurity division and routinely publishes guides and standards.

Bookmark: The Computer Security Resource Center (CSRC) for security best practices, called NIST Special Publications (SPs).

The Center for Internet Security (CIS)

CIS is a global, non-profit security resource and IT community used and trusted by experts in the field.

Bookmark: The CIS Top 20 Critical Security Controls, which is a prioritized set of best practices created to stop the most pervasive and dangerous threats of today. It was developed by leading security experts from around the world and is refined and validated every year.

Cybrary

Cybrary is an online cybersecurity education resource. It offers mostly free, full-length educational videos, certifications, and more for all kinds of cybersecurity topics and specializations.

Signing Off … Securely

Cyber attacks may be intimidating, but cybersecurity as a topic doesn’t have to be. It’s imperative to be prepared and armed, especially if you’re handling others’ data. Businesses should dedicate time and resources to protecting their computers, servers, networks, and software and should stay up-to-date with emerging tech. Handling data with care only makes your business more trustworthy and transparent — and your customers more loyal.

Note: Any legal information in this content is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. In a nutshell, you may not rely on this as legal advice or as a recommendation of any particular legal understanding.

 


How to Transition Your Servers To The Cloud

Posted by   CloudXone IT on August 26, 2020 at 5:23 AM


Is Your Network Set-up In Need of An Upgrade?

With the accelerated pace of technological change, it has never been more important for your business to know how to stay lean. Gone are the days when your office must have a big server; this article shows you some virtual alternatives.

A SERVER-LESS SET-UP CAN BE THE PERFECT SOLUTION

For small to medium-sized offices especially, depending on your specific infrastructure and software requirements, you may be able to save significantly and operate more smoothly. This can translate to game-changing results over the longer term.

Cloud server technology has improved light years in the past several years and has revolutionized many aspects of how we do business.

One of the services most in demand right now, especially with remote working under COVID-19 restrictions, is the transition to a server-less office, that is, replacing on-premises servers with hosted cloud services. This shifts the work of sizing hardware, storage, operating system maintenance, networking, load balancing, and scaling onto the provider. It does not make those concerns disappear: under the shared-responsibility model the provider secures the underlying platform, while you remain responsible for your accounts, access controls, data, and the configuration of whatever you run there.

What are the benefits of canning your physical servers?

  1. IMPROVED SECURITY  

    The cost of physically securing and maintaining a server room is very high compared to a hosted cloud solution, where the provider's data centre handles physical access, power, and hardware maintenance. Any large IT department or managed IT service provider will know how cloud saves money compared to an onsite server. Keep in mind that this covers the physical and platform layers; securing your user accounts, enforcing two-factor authentication, and controlling access to your data remain your responsibility.

     

  2. IMPROVED SCALABILITY

    What happens if you need extra horsepower? With cloud options, you can activate and set up extra servers quickly. You do not have to waste time trying to predict your company’s computing needs years in advance: when a managed IT service provider quotes a physical server, they try to ensure it will last a five-year cycle. With the cloud, you can give the server exactly enough power to address current business needs and adjust as those needs change.


  3. IMPROVED DISASTER RECOVERY

    Always plan for the worst, including disasters and power outages. Redundancy is far simpler and cheaper with cloud servers, and there is far less maintenance and operational downtime. Disaster recovery becomes a question of minutes instead of days or weeks, provided you have actually tested your restore procedure rather than only configured a backup.



  4. TIME AND EFFICIENCY  

    The biggest benefits are time and money. There is no more hardware that can break down, and no maintenance fees for it. Costs and time investment drop, and if you do need to recover from a disaster, you will not be paying the added premiums that are common with emergency hardware repairs.


Staying Cyber-Healthy During COVID-19 Isolation

Posted by   Canadian Centre for Cybersecurity on May 9, 2020 at 1:11 PM


Canadians are staying vigilant during this challenging period...

We’re washing our hands, keeping our distance, coughing into tissues or elbows, and doing our part to keep the healthcare system from becoming overloaded. We’re listening to public health officials and provincial and federal leaders, scouring the news, and visiting Canada.ca/coronavirus for new information.

But not everyone has the public’s best interests at heart. Cyber threat actors are taking advantage of people’s heightened levels of concern and legitimate fear around COVID-19, trying to spread misinformation and scam people out of their money or private data.

The Communications Security Establishment (CSE) continues to leverage all aspects of its mandate, and continues to help ensure that Canada is protected against threats, and that the Government of Canada has access to information that can help inform decisions on Canada’s approach to COVID-19. Last week CSE helped identify and take down malicious websites spoofing Government of Canada websites (the Public Health Agency of Canada and the Canada Revenue Agency) that were spreading COVID-19 misinformation.

Both CSE’s (@CSE_CST) Canadian Centre for Cyber Security (@Cybercentre_ca) and Get Cyber Safe (@GetCyberSafe) have been publishing helpful advice and guidance on how Canadians can protect themselves from phishing or smishing attempts:

There are cases of COVID-19 maps that infect devices with malware, phishing emails with malicious links and attachments, and spoofed COVID-19 websites. Fraudsters are also phoning individuals to tell them that they have tested positive for COVID-19 and need to provide their banking information. If you become aware of or have been the victim of fraud or cybercrime, including COVID-19 scams and cyber threats, contact your local police and report online to the Canadian Anti-Fraud Centre Fraud Reporting System.

Examples of these COVID-19 phishing email subjects include, but are not limited to:

  • Cancel shipment due to corona virus _ New shipping schedule details
  • Corona is spinning out of control
  • Feeling helpless against Corona?
  • Military source exposes shocking TRUTH about Coronavirus
  • Corona virus is here, are you ready? (Learn how to survive)
  • Get your coronavirus supplies while they last

Canadians are encouraged to take some simple steps to protect themselves, not just during the COVID-19 isolation period, but at all times.

Remember to:

Protect yourself by staying informed. The Public Health Agency of Canada is leading Canada’s effort to combat the spread of COVID-19. Visit Canada.ca/coronavirus and follow the following social media accounts for useful, accurate information on the current health situation:

On Twitter

On Facebook

Visit GetCyberSafe.gc.ca and Cyber.gc.ca for more on how to stay cyber secure.


This article was originally posted here.


12 Ways To Work Remotely During COVID 19

Posted by   Colliers' Workplace Advisory Team on April 12, 2020 at 1:45 PM


Working From Home May Be Here To Stay...

The realities of COVID-19 are making working from home – or working remotely – a way for us to continue to perform our job responsibilities and contribute to our organizations. With that in mind, we would like to share some of the best practices that our team uses ourselves. The list below will help guide individuals who are working together in different markets or regions and enable teams to act cohesively and support each other, including serving their external clients, regardless of time zone.

12 BEST PRACTICES TO WORK REMOTELY:

  1. Build on what you have – Review your organization’s work-from-home (WFH) policy and ensure that it is updated and accurate. Having a policy that is easy to read and supported by leadership will provide clarity and compliance. If your company does not have a WFH policy, use these guidelines to help create one.

  2. Commit – As with all team-based initiatives, buy-in and commitment are of the greatest importance. Establish your team’s work protocols and agree to adhere to them and follow them. For example, use basic tech tools to show your status or availability, proactively schedule team calls or virtual stand-ups to keep work moving, share calendars and establish a timeline for critical decisions. Empower everyone to hold each other accountable. Have a leader or manager who models the right behaviors.

  3. Focus – When working from home, it’s easy to get distracted with household chores like laundry, walking the dog, emptying the dishwasher, etc. Create a routine and schedule that works for you. Establish times when you will focus only on work and breaks when you can allow or accommodate home distractions. Find a room in your house that will enable you to unplug from distractions from family members or roommates. Create a space that supports how you work best. If possible, include daylight, views, ergonomic furniture (especially a good chair), good lighting, easy access to electrical and hi-speed internet/broadband. Try and replicate your office set-up at home. If you normally use multiple screens, for instance, do this in your home set-up. If you have minimal experience working from home, this is the time to create new personal habits to implement focus and establish a new daily routine.

  4. Use video conferencing – Every laptop has a camera. Use it! This will help you feel more connected to your team. Enforce a rule or develop a process that encourages everyone to have cameras on during team calls. Not only will cameras help you feel more connected, but they will make meetings more productive. It’s hard to listen, smile and multi-task at the same time. There are many great free options available online.

  5. Know when to stop – Commuting to and from work establishes clear boundaries for your work schedule. Remote work has the potential to blur the lines between work and personal life. Develop team rules about the boundaries of work and personal time. More importantly, establish your own rules. You need to give yourself permission to be guilt-free during your personal time at home. When will you not be reachable? When will you start and stop work? Align with your manager and team and stick to it. Answering routine emails and texts in the evenings and on weekends impedes your ability to restore.

  6. Personal wellness – Like always, take short breaks every hour to move, re-hydrate, step outside and get some fresh air and, if you are lucky, a little sun. Take some of the time you are saving by not commuting to do something good for your health: walk, exercise or read. One of the most significant contributors to physical and emotional well-being is sleep. Research shows that getting a good night’s sleep starts during the day with access to daylight and movement. So, set yourself up for success.

  7. Use technology – Check with your IT consultants (or if you don't have one, get in touch!) to ensure you are connecting using the established and approved connections. Vigorously use communication and document sharing software like Slack, Skype, Teams, Google docs, Salesforce, Chatter, Quip, Hive, DropBox, etc. Use workflow management tools to stay in sync with your co-workers. Many of these tools have a presence indicator. Use it to let people know when you are available, busy or away from your desk. Also, record team calls for those who can’t make the meeting. Agree on a platform, train and make it a habit.

  8. Meeting etiquette – Have a purpose for each meeting and an agenda you stick to. Don’t talk over each other and make sure everyone has a place to share and be heard. Make the meeting relevant for all attendees. Help each other.

  9. Don’t forget the water cooler – We are social beings. We need the glue of our social interactions to make our work-life balanced and more productive. As a team, brainstorm ways to celebrate successes, learn and connect on a personal level. Commit to speaking with someone on your team at least once a day to avoid feeling isolated. Be deliberate about building in time and permissions to connect on a personal level to discuss vacations, stories and interests/hobbies. Keep it appropriate and contained – just like if you were at the office.

  10. Reinforce accountability and norms – After agreeing on how to work with each other remotely, keep each other accountable to this communication process. Leverage tools and technology to keep the work visible. Keep track of the ownership of specific action items to keep people honest about meeting their obligations to the group. Remember, the number one way to build trust is to do what you said you would do.

  11. Stick with good management practices – Leaders still need to continually communicate goals, initiatives and ‘what matters most’. Regularly share and track how the extended team is meeting its group goals and objectives. Do not forget to celebrate successes!

  12. Remain fluid – This may be a new way of working with your team or customers. Continually look for ways to make things better. Check to make sure that the rules and team norms you established at the start lead to the outcomes you intended. If not, adjust them.

Bonus tip! Widen the circle of your engagement with your team and colleagues


Now that your team has good practices about working with each other over distance, bring others in.  Invite guests or speakers to join your team calls. Make sure peers at your organization know how to get involved with you and your team. Get upper management to drop into a team meeting occasionally. If you want to take your team meetings to the next level, integrate the “break out” function with Zoom or another video conferencing tool. It’s just like stepping into a huddle room for a quick brainstorm.

Remote work is not new, and the techniques and technologies continue to evolve. The most important goal is to remain connected to each other, realize this is a new way to work  and be forgiving of missteps as you grow into a highly effective distributed team. And remember, these practices will remain relevant, and will enhance your work, when we all get to meet again at the office.


This article was originally posted here.


What Is the Deal With Passwords Vs. Passwordless Vs. Multi-Factor Authentication (MFA)?

Posted by   Mauro Gris and Alexi Helligar on March 10, 2020 at 7:17 PM


Authentication

Passwords vs. “Passwordless” vs. Multi-Factor Authentication (MFA)

Passwords are an attraction for attackers and are susceptible to a variety of attacks such as phishing, malware, social engineering, and credential stuffing. Research indicates increasing password complexity sometimes may result in less security, due to the weakest link of the security chain — the human factor. Many people cannot remember long or complex passwords, so they tend to write them down.

“Passwordless” authentication vs. MFA

As companies gradually awaken to the security dangers of relying on easily stolen and shared passwords, alternative security systems have taken the spotlight. There are several alternative authentication methods that do not involve passwords: hardware tokens (an object or device the user has, that verifies their identity); or biometric sensing of a physical feature belonging to a user, like their fingerprint or facial features.

And while these methods all include a different approach to passwordless authentication, they have one thing in common: the user's authentication data is never stored within the system, as a password would be. It is this crucial element that gives passwordless solutions their security advantage.

Passwords are one of three possible authentication factors. Authentication is generally accomplished by validating one or more of three types of factors:

  1. something you know (e.g., a password);

  2. something you have (e.g., a hardware token or smart phone); and

  3. something you are (e.g., a fingerprint).

MFA employs two or more types of authentication factors. In an MFA solution a password need not be one of the factors used. MFA has rapidly gained adoption as a method for increasing the assurance of authentication for consumer and enterprise web and mobile applications.

Regulatory bodies acknowledge the weaknesses and security threats associated with the storage and use of passwords. That is why they are constantly raising the bar for the minimum requirements of passwords (length, complexity, encryption, change cycles). In many cases, regulators require the use of two-factor authentication.

For example, the National Institute of Standards and Technology (NIST), the body that sets technology standards in the U.S. and acts as a point of reference for many other countries, requires that MFA be used in many scenarios, such as for financial institutions. Many web services (such as Google and Facebook) have adopted MFA in order to protect users.

MFA is certainly better than relying on a password for security, but eliminating passwords altogether would be even better. A password-plus-second-factor policy retains the inherent flaws of passwords; users are still required to memorize and safeguard secrets, so the security risk of password reuse still exists, and the costs of maintaining passwords also remain. In fact, according to researchers at Proofpoint, hackers can even use passwords to bypass the second authentication factor altogether. It appears in many cases, the second factor is just a “band-aid” organizations use to strengthen the first line security protocol which is passwords with its attendant weaknesses. Here they are making a big, and potentially expensive, mistake.

Emerging passwordless standards and the increased availability of devices that support passwordless authentication methods are driving increased adoption. Biometrics have become increasingly popular as a “passwordless” method for stronger identification, but other options include hardware tokens, phone as a token, Fast IDentity Online (FIDO) and analytics based on passive behaviours.


Benefits of passwordless authentication

    • User Experience: Passwordless authentication means no more user-memorized secrets, streamlining the authentication process. Removing passwords from the picture means users no longer have to devise and remember a password for each of their accounts. Nor do they have to type them in every time they log on.

    • Better Security: User-controlled passwords are a major vulnerability. Users reuse passwords and can share them with others. Passwords, the biggest attack vector, are also vulnerable to credential stuffing, corporate account takeover (CATO), password spraying, brute-force attacks, and more.

    • Reduction in Total Cost of Ownership (TCO): Passwords are expensive; they require constant maintenance from IT staff, who have to update systems when users change their passwords, and they need to be changed on a regular basis. According to industry research, password resets account for as much as half of all help desk calls, which places a tremendous burden on company IT. According to Forrester, the cost of a single password reset averages $70.

    • IT Gains Control and Visibility: Reuse and sharing are common issues in password-based authentication. With passwordless authentication, IT reclaims its purpose of having complete visibility over identity and access management. Without passwords, there is nothing to phish, share, or reuse. The user is no longer the wild card in an organization’s access scheme.

Password management software

Because it is still impossible to imagine a world without passwords, how do we protect them?

A password manager is a software application used to store and manage the passwords a user holds for various online accounts and security features. Password managers help users and administrators handle a large number of passwords and account details. They store the login information for each account and automatically enter it into login forms. This helps defend against attacks such as keystroke logging and removes the need for users to remember multiple passwords.

The login information is encrypted and stored either in the local storage of the user’s system or in cloud storage. Portable password manager applications installed on mobile devices can also be used to manage and remember passwords anywhere and to use them on shared systems. The password database itself can be unlocked using an MFA approach that does not require a password.




What You Need To Know About Email Security Best Practices For Your Business

Posted by   Mauro Gris and Alexi Helligar on March 7, 2020 at 11:13 AM


Email Security

Business Email Compromise (BEC)

Enterprise email security is essential. A compromised email system can seriously damage business interests and reputation. Email is the most commonly used channel for targeted attacks on client endpoints. Safeguarding a company’s finances and privacy is not possible without securing enterprise email.

The modern large-scale migration of email to the cloud requires a strategic shift in how this communication channel is secured. Security and risk management leaders must adopt an approach of continuous adaptive risk and trust assessment to protect inboxes from exposure to increasingly sophisticated threats. Through 2023, business email compromise attacks will be persistent and evasive, leading to large losses from financial fraud for enterprises, and breaches of client privacy for healthcare and government organizations (Gartner, Fighting Phishing: 2020 Foresight).

BEC is an exploit in which an attacker gains access to a business email account and imitates the owner’s identity, in order to defraud the company and its customers or partners. This type of attack is known as “phishing” in Internet terminology. BEC can take a variety of forms and is typically carried out by transnational criminal organizations that employ hackers, social engineers, linguists, and lawyers. Often an attacker will create an account with an email address almost identical to the one on the corporate network, relying on the assumed trust between the victim and their email account. As a matter of fact, in most cases, scammers will focus their efforts on the employees with access to company finances and attempt to trick them into performing money transfers to bank accounts thought to be trusted, when in reality the money ends up in accounts owned by the criminals.

BEC emails are currently the top concern for most enterprises. These phishing emails operate without links and attachments, which are two common red flags of malicious messages. They also leverage the power structures within companies, using the names of key players, customers, and even board members to trick employees into doing things like transferring money or sharing security information.

BEC: The numbers

Incidents of BEC attacks are rising, along with the global losses from these crimes. Here are recent BEC statistics issued by the US FBI on September 10, 2019:

  • 95% of breaches begin with targeted phishing

  • Targeted attacks have a 90% success rate when sent to 10+ users

  • Over 166,349: number of victims from at least 131 Countries, for $26B Estimated Loss (Numbers of victims and estimated loss from 2016 to 2019)

  • Which countries are most affected by BEC?

  • Which company positions are most faked in BEC?

  • Which company positions are most targeted in BEC?

Specific Types of BEC

The US FBI identified five major types of BEC scams:

  • Data Theft: HR and bookkeeping employees will be targeted in order to obtain sensitive or personal information about the employees or executives. This data can be very helpful for future attacks.

  • Account Compromise: An executive or employee’s email account is hacked and used to request invoice payments to vendors listed in their email contacts. Payments are then sent to fraudulent bank accounts.

  • C-level Fraud: Attackers act the part of the company CEO or any executive and send an email to employees in finance, requesting them to transfer money to the account they control.

  • Attorney Impersonation: An attacker will impersonate a lawyer or other representative from the law firm responsible for sensitive matters.

  • False Invoice: Companies with foreign suppliers are often targeted with this tactic, wherein attackers pretend to be the suppliers requesting fund transfers for payments to an account owned by fraudsters.

These types of attacks often occur through email or phone, near the end of the business day. The victims are low-level employees who lack the knowledge or authority to question the validity of the communication.


How BEC exploits work in detail

In a BEC exploit, the attacker uses a set of tactics to trick their victims. A common plan involves the attacker gaining access to a business network using what is known as a “spear-phishing” attack in conjunction with malicious software (malware):

  • Spoofing email accounts and websites: Slight variations on legitimate addresses (john.kelly@abccompany.com vs. john.kelley@abccompany.com) fool victims into thinking fake accounts are authentic.

  • Spear-phishing: Bogus emails believed to be from a trusted sender prompt victims to reveal confidential information to the BEC criminals.

  • Malware: Used to infiltrate networks in order to gain access to internal data and systems, especially to view legitimate emails regarding the finances of the company. That information is then used to avoid raising the suspicions of any financial officer when a falsified wire transfer is submitted. Malware also lets criminals gain access to their victim’s sensitive data.

If the attacker stays undetected, they can spend time studying all facets of the organization, from billing systems, to vendors, to the correspondence habits of employees and executives.

As mentioned, the attacker typically uses the identity of someone on a corporate network to trick the target or targets into sending money to the attacker’s account. The most common victims of BEC are usually companies that use wire transfers to pay international clients.

At an appropriate time, usually when the employee being impersonated is out of the office, the attacker will send a bogus email to an employee in the finance department or to the purchasing officer. A request is made for an immediate wire transfer, usually to a trusted vendor. The targeted employee thinks the money is being sent to the expected account, but the account number has been altered slightly, and the transfer is actually deposited in an account controlled by the criminal group.

If the fraud is not spotted in a timely manner, the funds are often close to impossible to recover, because any number of laundering techniques will already have moved them into other accounts.


Defenses Against BEC

    • Email Rules: these flag email communications where the “Reply-To” address differs from the “From” address shown.

    • Intrusion Detection System Rules: these flag emails from domains that resemble the company’s own. For example, legitimate email from xyz_business.com would cause fraudulent email from xyz-business.com to be flagged.

    • Color Coding: colour-code correspondence so that e-mails from employee/internal accounts are one colour and e-mails from non-employee/external accounts are another.

    • Payment Verification: ensures security by requiring additional two-factor authentication.

    • Confirmation Requests: for fund transfers with something like phone verification as a part of a two-factor authentication scheme. Also, confirmation may require that company directory numbers are used, as opposed to numbers provided in an email.

    • Careful Scrutiny: of all e-mail requests for transfer of funds to determine if the requests are out of the ordinary.

    • CloudXone security auditing and security support services.
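The first two defenses above (Reply-To rules and lookalike-domain rules) as header checks over constructed sample messages. This is an added example, not CloudXone's or anyone else's tooling; the company domain xyz_business.com, the executive names and the messages are assumed placeholders.

```python
"""Header checks for two of the BEC defenses: Reply-To mismatch and
lookalike sender domains. Added example over constructed input."""
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed placeholders: the company's real domain and the display names
# of the people most often impersonated (the "C-level Fraud" case).
TRUSTED_DOMAIN = "xyz_business.com"
EXECUTIVE_NAMES = {"jane doe", "john kelly"}


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' when there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; one or two edits between a sender
    domain and the company domain is the typical lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """True when domain is not the trusted domain but is a near-copy of it."""
    domain, trusted = domain.lower(), trusted.lower()
    if not domain or domain == trusted:
        return False

    def strip_separators(d: str) -> str:
        # xyz-business, xyz_business and xyzbusiness all collapse to the same
        # string, which catches the separator swap from the text directly.
        return re.sub(r"[-_.]", "", d)

    if strip_separators(domain) == strip_separators(trusted):
        return True
    return levenshtein(domain, trusted) <= 2


def analyze_headers(raw_message: str) -> list[str]:
    """Return the names of the rules a message trips; [] means clean."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)
    flags = []
    # Email Rules: replies would go somewhere other than the visible sender.
    if reply_addr and domain_of(reply_addr) != from_domain:
        flags.append("reply_to_mismatch")
    # IDS Rules: the sender domain is a near-copy of the company domain.
    if is_lookalike(from_domain):
        flags.append("lookalike_domain")
    # An executive's display name on an address outside the company.
    if from_name.strip().lower() in EXECUTIVE_NAMES and from_domain != TRUSTED_DOMAIN:
        flags.append("executive_name_external")
    return flags


# Constructed sample messages (headers plus a one-line body).
SAMPLE_MESSAGES = {
    "internal": "From: Jane Doe <jane.doe@xyz_business.com>\n"
                "To: ap@xyz_business.com\nSubject: Q3 figures\n\nAttached.\n",
    "reply_to_diverted": "From: Jane Doe <jane.doe@xyz_business.com>\n"
                         "Reply-To: jane.doe@mail-drop.example\n"
                         "Subject: Wire transfer\n\nInvoice attached.\n",
    "lookalike_sender": "From: Jane Doe <jane.doe@xyz-business.com>\n"
                        "Subject: Updated bank details\n\nSee attached.\n",
    "vendor": "From: Vendor Billing <billing@supplier.example>\n"
              "Subject: Invoice 1042\n\nSee attached.\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLE_MESSAGES.items():
        print(f"{label:18} -> {analyze_headers(raw) or 'clean'}")
```

The vendor message shows the intended edge case: an external sender that is neither a lookalike nor an impersonated executive stays clean, so the rules do not simply flag every outside address.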



The Fight For Cybersecurity: How Can Companies Minimize Risk Against Emerging Threats?

Posted by   Andreas Bubenzer-Paim on February 14, 2020 at 8:45 AM


Cybersecurity is no longer an issue only for the IT department. Today, I believe this must be top of mind for the entire enterprise.

Risks are no longer limited to hackers seeking confidential data from large financial institutions or retailers. Politically motivated attacks have been aimed at disrupting economies or destabilizing markets. And with the increasing use of ransomware, governments and organizations of any size can be targeted from anywhere. These global risks have placed the importance of cybersecurity at a whole new level.

It's estimated that there is a ransomware attack every 14 seconds somewhere in the world. By far, the single greatest vulnerability that companies continue to face is the infiltration of malware from phishing campaigns. Other vulnerabilities stem from the proliferation of IoT components, cloud storage and computing, and new data and financial apps that external vendors provide and install on the organization's system.

To battle the threat, I believe a dedicated effort must go all the way up to the C-level to ensure that everyone is put to the task because when an intrusion attempt succeeds, it's already too late. It can take hackers as little as 19 minutes to get into a system and up to eight hours for many companies to respond due to their obligation to internal processes.

Many larger companies install a variety of specialized solutions to protect themselves in different areas, and it seems that endless products answer very specific threats. Too often, though, that buildup of solutions from a multitude of vendors exacerbates the risk that each patch is intended to guard against.

Current Trends

While each technological advance can help mitigate current risk, it can also provide hackers with new sophisticated tools. Only by constantly assessing future threats can companies and industries hope to anticipate what protective steps they will need to take.

At CloudXone, for example, we confer with expert partners in the cybersecurity field, and we meet frequently with other financial services colleagues to discuss current and future risks and potential vulnerabilities.

This combination of current risks, future threats, growing awareness and technological advances has resulted in a rapidly changing landscape. As a result, several trends are currently taking shape, and I believe all of the trends—whether in the category of risk awareness or risk mitigation—are critical elements as businesses prepare for the future.

Security In The Cloud: 

Migration to the cloud is becoming impossible to avoid. As such, securing multiple cloud applications by container computing is vital even as it moves through third parties. To further lock down these hosted applications, identity management systems are incorporating homomorphic encryption technology.

Blockchain And AI Security: 

Only in the past few years have blockchain and AI security features been developed to empower cyber and risk identifiers. While still in their early stages, they are showing great promise. And with the addition of machine learning and deep learning, this larger cyber ecosystem is expected to increasingly empower robust security controls.

Working Together:

Financial institutions and other industries are increasingly banding together in joint projects and working groups to unite against cyberthreats. Although bringing together competitors to work cooperatively is challenging, each risk is shared by all.

Behavioral Analytics: 

Matching activity with customer profiles has become increasingly prominent in securing information, especially in areas such as financial transactions. While the added layer of protection (by matching a user's pattern against attempts to access information) has been valuable, there is also an added dimension of risk. If the database is breached, the information is as sensitive as when a biometric database is hacked.

Educating R&D: 

While cybersecurity awareness is growing, developers of new programs or products too often still fail to sufficiently consider cyber risks when they build something new. They are addressing the needs, or perhaps reusing open-source code, without assessing the risks that might be present. But the recognition of this risk is increasing, and I expect more attention to be paid to this segment.

Four Tips To Remember

1. Employee Education: It takes only one employee to fall for a phishing campaign and to hurt the organization's cyber posture.

2. Effective Crisis Response Process: There is always a bureaucracy and processes you have to go through. But if you have it all automated, you'll have a much stronger and faster defense.

3. Know Your Enemy: Each large enterprise has threat intelligence technologies, but not all are using them efficiently to analyze who is targeting them and how.

4. Know Your New Tech: Many new technologies are implemented to offer customers a modern experience, but even AI, machine learning, fintech and cryptography have weak points.

Reason For Optimism

No amount of preparation can guarantee that hackers will fail in their attack on any organization. But with the more aggressive and cooperative approach we are witnessing industrywide, there is good reason to be optimistic.

Original Article posted on Forbes.com


Windows 7 Users Warned To Stop Using Online Banking and Emails ASAP by GCHQ

Posted by   Victoria Woollaston on January 20, 2020 at 3:11 PM


More than a decade since its launch, Microsoft is pulling support for Windows 7.

From 14 January 2020, Microsoft will no longer be issuing updates for the operating system, which includes security patches and all technical assistance, and it has been urging users to upgrade to Windows 10 for months.

Now, the National Cyber Security Centre (NCSC), the public-facing arm of the UK government's intelligence agency GCHQ, has taken things a step further, warning people running Windows 7 to stop using online banking, email and other sensitive accounts as soon as possible to avoid being left vulnerable to hackers.

Out-of-date Windows 7 devices were said to have played a major role in the WannaCry scandal that hit the NHS in 2018, just to give you the potential scale of the risk.

In a statement issued to The Telegraph, a spokesperson for NCSC said it is encouraging people to upgrade any Windows 7 devices, adding:

"We would urge those using the software after the deadline to replace unsupported devices as soon as possible, to move sensitive data to a supported device and not to use them for tasks like accessing bank and other sensitive accounts. They should also consider accessing email from a different device."

A Microsoft spokesman added:

"If you continue to use an unsupported version of Windows, your PC will still work, but it will become more vulnerable to security risks and viruses. Your PC will continue to start and run, but you will no longer receive software updates, including security updates, from Microsoft."

Estimates suggest that almost half a million people are using Windows 7 globally, including a number of public and private sector organisations.

Microsoft announced it was pulling technical support for Windows 7 last year explaining at the time:

"Microsoft made a commitment to provide 10 years of product support for Windows 7 when it was released on October 22, 2009. When this 10-year period ends, Microsoft will discontinue Windows 7 support so that we can focus our investment on supporting newer technologies and great new experiences."

"The specific end of support day for Windows 7 will be January 14, 2020. After that, technical assistance and software updates from Windows Update that help protect your PC will no longer be available for the product. Microsoft strongly recommends that you move to Windows 10 sometime before January 2020 to avoid a situation where you need service or support that is no longer available."

Until 2016, upgrading to Windows 10 from Windows 7 was free; however, it now costs about 150 CAD for Windows 10 Home, 285 CAD for Windows 10 Pro and 445 CAD for Windows 10 Pro for Workstations.

In August, it was announced that Microsoft would provide at least one extra year of support for enterprise customers who upgraded to Windows 10 Enterprise E5, Microsoft 365 E5, or Microsoft 365 E5 Security, yet this offer ended on 31 December 2019.

expertreviews.co.uk


CloudXone is at the intersection of your office and the Internet.

The Future is Friendly, So Are We!

CloudXone is an established, Toronto-based business technology consulting and service provider. Our client-first philosophy ensures the technology we put in place for you will be tailored for your use and will fit perfectly into your day-to-day operations.

Our Blog is a way to:

  • Stay on top of exciting tech updates
  • Get free advice on how to optimize your IT solutions
  • Meet the experts on our team and get to know us! 
