The school year is underway, and Backup School with ISG is back! Join ISG and Veeam as we educate our clients and their organizations about how they can keep their business up and running and eliminate downtime – even when the unexpected happens.
Is downtime simply an unacceptable thing in your mind? Then this webinar is for you. Go beyond backup to better understand business continuity.
The school year is underway, and Backup School is back! Together, ISG and Veeam focus on educating our clients and their organizations about how they can keep their business up and running and eliminate downtime – even when the unexpected happens.
Office 365 is a powerful suite of products – but it lacks a comprehensive backup of some of your most critical data. Learn how to protect yourself in this webinar.
First things first, just to make sure we’re all on the same page.
Phishing is a type of cybersecurity attack. Someone impersonates a legitimate entity to try to persuade the recipient to hand over sensitive information. Most phishing happens via email.
Compared to other forms of hacking, phishing is quite easy to execute. In fact, the first “phishers” used AOL in the 1990s to get information from unsuspecting AOL users. These attacks were painfully simple. But here’s the kicker. They didn’t differ much from phishing attacks of today!
The attackers simply pretended to be AOL employees. Even if only a few victims believed their ruse, the attack was worth it. That’s because if even one person falls for a phishing tactic, the results can be devastating.
Here are the fundamental things all your employees need to know to protect your company from phishing attacks.
While most people think of phishing as occurring exclusively via email, it can also happen on social media sites, in messaging apps, and through any method of online communication.
If your employees are communicating anywhere online, they need to make sure they really know who is at the other end.
Some phishing attempts are just hackers sending out emails to a random group of people and hoping one of them will bite. But an increasing number of phishing attacks are getting more sophisticated.
In some cases, hackers will spend months or more building a relationship with the target through false social media profiles and frequent communications. This combines catfishing and phishing, forming a dangerous combination.
After a while, the target grows comfortable with the hacker and trusts them enough to share personal information.
Some sources estimate that phishing attacks may cost American businesses up to $500 million per year, with thousands of businesses targeted and more personal consumers attacked at home.
That figure comes only from the attacks that were investigated by the FBI over a period of three years, so it is likely that the total cost to US businesses is more than that.
There are a few major types of phishing attacks. The most basic is when attackers email a random group of people and hope that a few of them will fall prey to the scam.
“Spear phishing” is a targeted attack that centers on one organization or a group of individuals. Attackers pretend to be someone from within the organization—a client or vendor—in order to infiltrate and get access to sensitive information. Some spear phishers are able to hack into organizational communication systems so the messages really do appear to be coming from the inside.
“Whaling” is when a spear phisher goes after a huge target.
There are many trademarks of a phishing attack. Educating employees about these signs can save your business a whole lot of money. Some of these may seem a bit obvious, but to those who are not as savvy, it’s important information that could stop an attack.
Phishing emails often come from addresses that seem like they could be legit. But if you examine the address more closely you’ll notice that it’s a little off. Perhaps it’s one letter off from the company’s actual name or the email address doesn’t follow the convention of other people you have met from that organization. You will find a similar situation with URLs in phishing messages.
Many phishing emails have bad spelling and improper grammar, typically due to poor translations. If it was coming from a legitimate organization, typos are possible, but not usually at the magnitude seen in phishing emails.
Finally, if a message seems too good to be true, it probably is!
Use these tips to avoid harmful phishing attacks. For more information on how to protect your business, be sure to contact your IT support partner.
After two years of preparation, the European Union's General Data Protection Regulation is set to go into effect May 25, 2018. Designed to replace the Data Protection Directive of 1995, this legal framework will provide substantial protection for EU citizen's data by imposing heavy fines on any company found to be in violation of the GDPR.
While large companies within the EU have been bracing themselves for impact, many organizations feel unprepared. A report from information security provider Varonis found that 55 percent of businesses worldwide were worried about incurring fines for a GDPR violation. Given that these penalties can be severe – with a maximum fine of €20 million or 4 percent of annual worldwide turnover – organizations may have reason for alarm.
However, arguably the group most at risk are smaller businesses not based in the EU, or companies that don't primarily deal with data. After all, the GDPR is all about regulating data privacy. Yet these organizations may be in the crossfire. Any business that collects data, any amount of it, from an EU citizen or the EU market must fully comply with GDPR standards.
Who needs to comply with the GDPR?
According to the New York University School of Law, any U.S. organization possessing an entity or any kind (person or office) should ascertain if they will be required to follow the new GDPR policy. GDPR standards will apply to all businesses that process any amount of "personal data" from individuals located in, or protected by, the EU.
The definition here of personal data is broad. According to the initiative, personal data is now any information, not just personally identifying information, that relates to a natural person, identified or identifiable. These new standards apply to log-in information, vehicle ID numbers and IP addresses.
"Any operation or set of operations which is performed on personal data or on sets of personal data" will be regulated by the new standard, according to the articles of the GDPR. These broad definitions and regulations have been purposely worded to incorporate not just companies within the EU but global organizations as well. While the GDPR is a Euro-centric law, its implications may create a new global standard of internet data security.
How prepared generally is the U.S.?
Unfortunately, many businesses in the U.S. simply are not sufficiently informed regarding the coming measure. The Varonis report found that U.S. awareness of the GDPR was only at 65 percent, below the overall average of 79 percent. Only 30 percent of U.S. respondents reported being in full compliance with the upcoming laws. Over 10 percent of organizations still didn't know whether the bill would affect them.
When looking at overall measure compliance completion, the majority of U.S. companies affected by the GDPR have re-evaluated data breach detection procedures, as the GDPR mandates that any EU citizen affected by a breach must be notified within 72 hours of its detection. A little less than 60 percent of U.S. organizations have also conducted a comprehensive assessment of personal data stored within their organization.
This procedure is highly recommended for all companies that may even remotely store some sort of personal data from the EU. It is only after such an assessment has been performed that an organization can be sure whether or not it will be affected by the GDPR.
About 7 percent of U.S. businesses had completed no significant measures to comply with the GDPR.
"About 7 percent of U.S. businesses had completed no significant measures to comply with the GDPR."
What does the GDPR mean for data collection?
Personal data collection will become more transparent under GDPR guidelines. Everyone, personally and professionally, is familiar with user agreements, popular on social media sites like Facebook and Google. These documents have been full of dense legalese designed to disguise their intentions and limit consumer knowledge of the websites' activities.
Under the GDPR, these wordy documents will be made illegal, replaced by concise, comprehensible wording that will alert the "data subject" of exactly what information is being taken. The individual will reserve the right to leave said data contract anytime with no negative repercussions allowed. In short, the naive early days are over and the GDPR will arm at least EU consumers will the tools needed to determine what, if any, information they allow to be shared for commercial purposes.
Data protection by design will also be mandated. Companies will have to factor in information security at every stage of data collection software collection, instead of regulating it to outside software or hardware.
How the GDPR will impact overall data collection remains to be seen. However, what is clear now is that many organizations still have work to do before May 25. With such steep penalties for failure to comply, businesses cannot afford to be asleep on this issue, or even to drag their feet. The fundamental nature of information security could well change from this act. Hopefully, it will be for a better, more secure data privacy marketplace.
Nothing is perhaps more important to the U.S.'s future than maximizing the potential of education. It is through mass schooling that children learn the essential social and learning skills that will prepare them for adult life and professional work. While education is a complex process with many different factors affecting outcomes, access to technology clearly plays a role in children's learning.
It is unfortunate then to learn that 6.5 million students in the U.S. still lack broadband, according to Education Superhighway. Broadband is an essential communication medium for educational facilities with large student and teacher populations, as it allows for messages and online actions to be completed simultaneously.
However, broadband is only one crucial aspect of improving online infrastructure in schools and other educational facilities. Further complicating the matter are tight budgets that many of these institutions must operate within. As the Center on Budget and Policy Priorities reported, state and local funding is still recovering and is well below what it was in 2008.
With this in mind, schools may have to focus on the most essential upgrades first, spreading out the investments in a way that maximizes learning potential.
The advantages of a fiber connection
Sites like Education Superhighway are big on the advent of fiber in the classroom. According to Techno FAQ, one of fiber's biggest advantages is its reliability. Fiber functions on symmetrical connections, allowing downloads and uploads to happen at the same time without impacting connection speed. The system also tends to be more passive and separated from power lines, meaning that it will likely remain operational during a storm.
Time is precious in schools and fiber is designed for high-speed connections, typically over 1Gbps. This allows educators to stream video content in seconds, without having to pause constantly for buffering videos.
Planning for increased bandwidth usage
Think of bandwidth like a highway: the more lanes there are, the more easily traffic can flow. In a school situation, every student and teacher is a car on that highway – meaning that things will slow down very quickly with only a couple of lanes. Without proper bandwidth, hardware investments will not work the way they should. Even the most up-to-date tablet cannot magically conjure efficient internet connection on its own.
Bandwidth management can keep everything flowing smoothly. While schools can (and should, up to a point) purchase more bandwidth, management will help reduce the amount of spending while maximizing efficiency. Techsoup for Libraries recommended bandwidth management to help prioritize which programs get access to the connection speed first.
For instance, a student wrongly downloading a new mobile game should never receive the same bandwidth as a teacher trying to stream a news program for a class. Student devices can even be put on a separate, slower network, freeing up room for the educators to use on lessons.
While schools can have their own servers – many universities do – a cloud services provider can help alleviate this investment. Just be sure that any contracted third party has the proper security certification to be a trusted partner.
"Wearable technology like smartwatches are starting to enter the educational space."
Factoring in IoT and BYOD
Whatever the plan, make sure spending accounts for more than just the computers in the classroom. Everyone, student and teacher, has a smartphone. Numerous other wearable technology like smartwatches and similar products are also starting to enter the educational space. As the internet of things continues to grow, each one of these devices could sap bandwidth away from where it is needed.
This represents a cybersecurity issue, especially as most faculty and students are bringing their own devices. School online infrastructure should carry a layered password system to ensure that access is restricted to authorized users. In addition, the principle of least privilege should be applied.
This will ensure that students on have as many permissions as they need, keeping them away from confidential teacher data. Ideally, the IT team will have oversight and the only administrator privileges on the network. This way if there is a breach, the potential damage will be contained.
Remote monitoring programs are useful tools for school systems that cannot afford to keep a dedicated IT staff in every building. While this software is convenient, schools should be wary of investing in any solution without doing the proper research. A report from Schneider Electric analyzed a possible danger in certain solutions as, if compromised, they provide an open window for cyber criminals to inflict damage.
Preparing for 5G
Any education institution investing in wireless internet infrastructure needs to consider 5G. While not readily available now, 5G has already begun limited rollout and is expected to start becoming widespread in 2020, according to IEEE 5G. This will serve as not only the next telecommunication standard but will also empower higher capacity, massive machine communications.
Essentially, the bandwidth concerns of today may be outdated and a whole new set of possibilities and problems will open up. While it is still too soon to definitively say with certainty what kind of wireless internet infrastructure 5G will bring, schools that need to design systems between now and 2020 should incorporate easy scalability into the infrastructure. It makes no sense to optimize exclusively for platforms that may soon be obsolete.
As schools and other education establishments begin improving online infrastructure, a solid IT solutions provider can help smooth the transition and reduce cost spending. ISG Technology stands ready to do its part in ensuring that the U.S. education system empowers the most complete learning experience in the world. Contact us today to learn how we can help update your infrastructure.
As 2018 begins, the total number of cyberattacks continues to rise. Data from the Identity Theft Resource Center and CyberScout showed there were 1,579 successful data breaches in 2017. This figure represents a nearly 45 percent uptick from the year before. The numbers turns especially troubling when broken out by industry.
On the whole, most sectors are tightening their security measures and reporting fewer breaches. Health care, government, education and financial industries all reported a continued decrease in successful data breaches. While this is good news, there is one market that more than made up for this gradual decline: business. In 2017, the business sector accounted for nearly 60 percent of all breaches. This trend has been steadily increasing since 2013, according to the report.
Part of this is the pace of cyberattack evolution. Businesses invest heavily in methods to prevent one type of cyberattack, only to have hackers change their strategy within months. At that point, the organization has already spent its budget in information security and may be scrambling to allocate more. However, data suggests that one of the simplest forms of cyberattack is still among the most effective: phishing.
"Less than half of all executives understand their company's information security policies."
False sense of safety
While ransomware and other, more elaborate types of cyberattack routinely make the news, phishing has been flying under the radar. Many equate it with stories of foolish people falling for schemes from a Nigerian prince or believing that they had suddenly acquired millions from the government – fantasies that businesses tell themselves they would never fall for.
Data from a couple years ago may also have looked hopeful. A 2016 Symantec report concluded that the overall email spam rate was falling and that fewer phishing bots were being used. This information, likely the result of email server providers like Gmail and Outlook stepping up their sorting technology, may have given a false sense of safety to business executives.
Compound this will another major problem in the business sector: Most executives are in the dark when it comes to understanding cybersecurity concerns. A cybersecurity survey report from BAE systems in 2016 found that less than half of all executives claimed to understand their company's information security policies.
This same survey found that only 60 percent of companies had formal cybersecurity training sessions in place, and that 70 percent of that number only had training roughly once per year. Given how rapidly cyberattacks change and adapt, this strategy would leave companies exposed to vulnerabilities – perhaps more so than other organizations because of the misplaced sense of safety.
"Cyber criminals now create fake websites that look legitimate."
Phishing is getting smarter
Part of Symantec's data – the decline of phishing bots – should not have been received with good news. Especially when, according to Comodo Threat Intelligence Lab data, the overall number of phishing attacks continues to increase. Bots are, for lack of a more proper term, dumb. They follow predictable formulas that can be easily filtered into spam boxes and out of employees' vision.
However, phishing has gotten smarter. One of the new methods outlined in Comodo's report is called "clone phishing." In this scenario, hackers intercept an authentic email communication, typically from an executive, and recreate it nearly flawlessly. The fake email is then sent to the employee in the hopes of getting a response.
In addition, the practice of spear phishing is on the rise. Most early phishing was a mass attack – the same email or recorded message sent to many people, hoping to snag a minority of those contacted. Spear phishing is more precise. This phishing tactic learns of the victim's personal information and uses it. This means that the phishing message may include real names, dates and relevant organizations – all factors that will make the communication look more genuine.
Phishing has also gotten more complex in the sense that it has evolved past emails, phone calls and text message. Cyber criminals now create fake websites – similar to originals – that look legitimate. However, these malicious sites often betray themselves in the domain name, which is typically longer or more complicated than it needs to be. These website forgeries will almost never use common domain names like .com or .org.
Everyone is a target
According to the Comodo report, 50 percent of employees will open an email from an unknown sender if it lands in their inbox. This number alone explains the increasing amount of phishing attacks, as well as why they are such a prevalent method. Every employee is a potential target.
Phishing stresses the need for comprehensive employee training at every level. Even one person being compromised can put an entire organization at risk. For example, if an entry level analyst is targeted and successfully breached, the hacker or malicious group may be in possession of the network passwords, meaning that they suddenly share his or her level of access. This can be used to install ransomware or other harmful programs.
Training to beat phishing
Information shows that training sharply decreases the likelihood of phishing success. A PhishMe report concluded that susceptibility fell to roughly 20 percent after relevant sessions on improved cybersecurity practices occurred.
Even these newer, smarter methods of phishing have telling signs. CSO stressed that malicious emails are usually more threatening or urgent than typical office communication. This is part of cyber criminals' strategy, as panicked employees are less likely to think clearly if they legitimately believe their job is on the line.
Employees should also be advised to carefully check the sender's name. If it is an unknown sender, all emails should be double-checked with the supervisor before response. Spelling and grammar are also more likely to have mistakes as cyber criminals have no corporate standard or editing department.
Business companies should be willing to partner with the experts to ensure the best training and prep programs for their employees. IT service providers like ISG prepare cybersecurity compliance as part of our extensive product portfolio. Consult with us today to find out how we can help secure your company against future data breaches.