Microsoft Corp. introduced a new seller experience application called Microsoft Viva Sales, which uses artificial intelligence (AI).
As the number of endpoint attacks has increased, so has the demand for more advanced endpoint security solutions. Endpoint security solutions are now designed to detect, analyze, and stop active threats in progress.
The IT services of most small and medium businesses lack the right amount of protection against cyber threats. Ransomware attackers are aware of this and, as a result, shift their focus from larger organizations whose security systems are often top-notch. This year, CyberEdge Cyberthreat Defense reported that organizations with about 25,000 workers are less likely to get hit by cyber threats. On the other hand, small businesses have a 70% probability of experiencing a ransomware attack yearly.
Mobile device management (MDM) is essential in helping companies stay protected. It provides insight into how companies can control the business data accessed by mobile devices such as laptop computers, smartphones, and tablets. With mobile device management tools, organizations can implement cybersecurity practices that prevent unauthorized access to companies’ emails, network, and data.
A hybrid office seems to be the perfect answer for flexibility in the work environment. It is a response to changes that are present in the workforce. There has been a movement towards remote and multicultural communication in recent times. This has encouraged the work environment to be a fusion of remote and onsite workers and can be likened to a win-win situation.
In a Gartner report, 3 in 4 organizations surveyed planned on moving at least 5 percent of their workforce into permanent remote roles post-COVID-19-pandemic. 1 in 4 want to move 20 percent or more. While there are compelling benefits of remote work, there are substantial risks as well. Few are as formidable as vulnerabilities due to IoT devices.
To work remotely, employees must connect to the enterprise. They will do that through a home Wi-Fi network that happens to host their IoT devices too. It is best practice to have your remote working employees connect to and through a different Wi-Fi network from IoT devices in their homes. Even the FBI recommends it.
Here are the reasons why.
1. Prone to Malware Infection
Home Wi-Fi networks do not enjoy the sophisticated, current, and strict cyber protection of enterprise networks. They are unlikely to deploy firewalls and may have the least expensive, most vulnerable, least patched and least supported routers and IoT devices. All or most of the devices on the network may be accessible over the public Internet. This makes them more prone to malware infection.
It is possible for such malware to jump from home IoT devices to the work computer and onto the enterprise network. Worse, some remote working employees use their own computers and not pre-hardened, company-issued ones. They are not under obligation to conform to a strong password policy. There is no one to check that random USB drives are not plugged into the work computer.
2. Easily Accessible Device Management Interfaces
The most destructive DDoS attacks in recent years rode on the vulnerability of everyday IoT devices such as digital cameras, microwaves, refrigerators, and electric kettles. Home IoT gadgets are less secure than their more conventional computing counterparts.
They have weak or default passwords that allow easy access to their management interfaces. Even your home router could have inadequate protection and inadvertently expose services that would otherwise be blocked by an enterprise firewall.
3. Minimal Human Intervention
One of the traits that distinguishes IoT devices from non-IoT devices such as computers and smartphones is that they need little to no human intervention to operate. Such autonomy is an efficiency advantage but also one of the key drawbacks from a cybersecurity standpoint.
Since no one is actively checking the activity taking place on these devices, a breach may take weeks, months or years to discover. In the worst case, it may never be discovered, especially because a home network is not subject to the same scrutiny as a corporate network.
4. Numerous Entry Points
In the past, typical devices connected to the average household’s home network were a couple of computers, smartphones and/or printers. This already presents a formidable threat surface that bad actors could leverage in multiple ways to gain entry. IoT devices are multiplying potential points of entry several fold.
The number of IoT gadgets is rapidly dwarfing non-IoT devices connected to the Internet. From smart TVs and smart watches, to thermostats and light bulbs, attackers have multiple paths to choose from to infiltrate your home network. As long as the IoT devices are on the same network as the remote work computer, those threats can make their way into the corporate network.
5. Weaker Network and Privacy Protection
Your home network is likely neither as well protected from, nor as closely monitored for, dangerous or suspicious behavior by other users and devices on it. It’s bad enough that your IoT devices are not secured from infiltration and hijacking. This is further compounded by the absence of security alerts that let you know a breach has occurred or that there is an active threat on the prowl on your network.
There are also significant confidentiality and privacy concerns due to virtual assistants such as Google Home and Alexa. These assistants can pick up confidential business conversations an employee may engage in as part of their work.
When evaluating the risks of remote work, organizations tend to focus on the core topics of employee productivity, business continuity and the infrastructure needed to facilitate it. However, they cannot afford to ignore the elevated cybersecurity risks that come with remote work as staff move to an environment that is not under controls as stringent. Without applying appropriate security measures, the organization could be exposed to data breaches, system sabotage, account takeovers and fraud.
IoT devices represent one of the key weak points of the home Wi-Fi network. Requiring that employees move their IoT devices to a different network is an important step in lowering the risk.
If you are looking to better protect your remote workers from cyberattacks, including helping them move their home IoT devices to a different network, call or email us.
In SMS phishing (also known as smishing), a cyber attacker uses a text message to deceive or manipulate their target into sharing confidential information or granting access. Smishing can be a doorway to malware infection, data theft, sabotage and a raft of other unwelcome consequences. The Federal Trade Commission found that 22 percent of all fraud reports were the result of smishing.
SMS phishing is a more potent threat than email phishing. First, the number of daily active mobile phone users exceeds the number of daily active Internet users. Second, people tend to read and respond/react to SMS quicker than they do an email. Third, SMS phishing can take advantage of the ‘mini computer’ nature of the smartphone. Many people’s ‘entire lives’ live on their phones — from bank apps to family photos.
What traits of SMS phishing should you be on the lookout for?
1. Sounds Realistic, Relatable and Legitimate
There is no training that phishing attackers attend. Thus, the sophistication of smishing messages varies enormously. The more amateurish texts are easy to recognize as a scam. On the other hand, the more well thought out messages sound realistic, relatable and legitimate. These may be highly targeted to conform with the realities of the recipient including their name, title, and work/home address.
For this reason, err on the side of caution. Whenever you receive a message that purports to originate from your employer, bank, utility, hotel, members club, or government, urging you to click a link or provide sensitive information, don’t. Contact the organization directly and confirm that the text is authentic.
2. Contains Links
Given the character limit on text messages, smishing attacks will often involve a brief message followed by a prompt to click a link. This is unlike email phishing where there may be a sizable multi-paragraph message. SMS phishing links will mostly rely on URL shorteners to make the most of the character limit. At the same time, the URL shorteners help disguise fake links.
The link will send you to a website where you are asked to enter confidential information such as credit card numbers, login credentials, customer details, employee data, organization documents and more. At other times, the link will trigger the download of malware on your phone. The end goal is unauthorized access, identity fraud, data theft or some other form of criminal action.
3. Conveys Urgency and/or Fear
Smishing messages come with a compelling offer or a worrisome scenario, either of which is meant to drive you into urgently doing what the criminal wants. It is after all a form of social engineering with the attacker manipulating your emotions to get you to respond quickly.
For example, you might receive a text allegedly sent by your bank about an issue with your account or credit/debit card that needs to be addressed urgently to ensure continued use. Or it could be from a streaming service asking you to update your personal information or payment details. Fraudsters are even riding on COVID-19 pandemic fears by sending fake updates directing you to a link for more helpful resources.
4. Spoofed Number or Caller ID
Using a spoofed number for a smishing attack often makes it more believable. Phone number spoofing is not in itself illegal in the US as long as it is not meant for wrongdoing. Telcos and regulators have sought to reduce number spoofing in recent years, but the problem persists. Also, some popular caller ID apps such as Truecaller can be used to spoof caller/sender names, though this only works if the recipient has the app installed and is using it as their default messaging/calling app.
Where caller number or ID spoofing is not an option, criminals will instead use language within the message that makes it seem like it originated from a credible source such as your bank, utility, or media streaming service.
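The traits above can be turned into a simple triage check for reported texts. The following is an added example, not part of the original article: the shortener hosts, keyword lists, function names and sample messages are all constructed assumptions.

```python
import re

# Sample shortener hosts and keyword lists are constructed for illustration
# (assumptions, not exhaustive); tune them to the messages your users report.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "ow.ly"}
URGENCY = ("urgent", "immediately", "suspended", "locked", "final notice", "act now")
SENDER_CLAIMS = ("bank", "utility", "streaming", "government", "employer")
SENSITIVE = ("password", "pin", "card number", "login", "verify your")

# Links with or without a scheme: "bit.ly/x" as well as "https://host/path".
URL_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)

def _mentions(phrases, lowered):
    # Whole-word match so "pin" does not fire on "shopping".
    return any(re.search(rf"\b{re.escape(p)}\b", lowered) for p in phrases)

def smishing_indicators(text):
    """Return the sorted trait labels found in one SMS body."""
    lowered = text.lower()
    hosts = [m.group(1).lower().removeprefix("www.") for m in URL_RE.finditer(text)]
    found = set()
    if hosts:
        found.add("contains_link")
    if any(h in SHORTENERS for h in hosts):
        found.add("shortened_link")
    if _mentions(URGENCY, lowered):
        found.add("urgency")
    if _mentions(SENDER_CLAIMS, lowered):
        found.add("claims_known_sender")
    if _mentions(SENSITIVE, lowered):
        found.add("asks_sensitive")
    # Sender-number spoofing cannot be judged from the body text alone.
    return sorted(found)

def should_verify(text):
    """True when a link co-occurs with at least one other trait."""
    traits = smishing_indicators(text)
    return "contains_link" in traits and len(traits) > 1

# Constructed sample messages, not real smishing texts.
SAMPLES = [
    "Your bank account has been suspended. Verify your login immediately: bit.ly/3xAmpl",
    "Running late, see you at 6. Bring the charger pls",
    "Shopping list is at https://www.example.org/list",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(should_verify(sms), smishing_indicators(sms))
```

A `True` result means the message should be confirmed with the claimed organization through a known contact channel before anyone acts on it; a `False` result does not mean the message is safe.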
Protect Yourself from Smishing
You cannot completely avoid being the target of SMS phishing. The best you can do is ignore, report then delete the message. Deletion is important since as long as the message stays in your inbox, there is always the risk that you could accidentally click on the link in future, the result of which may be a malware infection.
The realization that you are dealing with an SMS phishing attack may come at any point in the process, whether after opening the message, clicking on a link, or providing information. When it does, stop immediately. If you clicked the link, install or update your phone’s antivirus, then run a full device scan. If you have shared confidential information, take appropriate remedial action depending on what data it involves. That could, for example, mean canceling your credit/debit card or filing fraud watch reports with credit bureaus.
Suspect you could be the target of SMS phishing? Contact us today to schedule a consultation! Call 225-315-3498 or reach us online.