The Werks

The Werks is an IT related commentary bringing you the unvarnished truth steeped in a vat of reality. The information contained herein is the opinion and rantings of a 30+ year veteran of the IT industry. This will hopefully give you helpful knowledge untainted by any specific vendor focused kool-aide. Occasionally, you may find that this collection of brain droppings will also give you the laugh you needed to make it through another day locked in the IT gulag. Read-on, brave soldier!

Tuesday, July 18, 2023

Cybersecurity Awareness Training Pitfalls to Avoid

The One Lesson Business Owners Miss When Training Employees That Can Cost Them Thousands

Training employees on anything can be an expensive process. You incur the cost of investing in necessary materials plus the time it takes away from your employees doing revenue-generating activities. But what’s worse when it comes to cyber security training is the expense you’ll incur if that training fails.

Recent studies show that human error plays a role in a shocking 90% of data breach cases! Smart business owners are taking a proactive approach and training their employees on cyber security do’s and don’ts. While we applaud their efforts and encourage all owners to take this step, research suggests their efforts aren’t paying off. Despite their willingness to train employees, the number of data breaches continues to increase.

What gives? We’ll be first to say it – cyber security training can be boring. And what happens during boring presentations? People aren’t engaged, so they tune out and miss the critical information needed to keep your company secure. After the presentation, they sign off, saying they have learned the lessons, but have they really or are they a ticking time bomb in your organization?

The latter is likely true. If you want the information to stick, you must take some additional steps – and the most important is putting them to the test!

According to Education World, interactive activities are six times more effective when learning and remembering material than simply listening to a lesson. You can incorporate this tactic by putting employees to the test to find out whether or not they can apply what they learned.

One of the best ways to do this is to use phishing simulations. Here’s how the process works:

A third party creates a realistic but fake phishing e-mail that shows identifiable signs discussed in the training. An example could be creating an e-mail that is similar to the CEO’s requesting private information, an outside company sending a bad link, etc. You can customize it to look like something relevant that your employees could potentially see and fall for.
The employees are then put to the test. You choose which employees will receive what links and what dates the e-mails will be sent. Will they be able to identify the threats or will they fall for the scams?
The results are collected and shared with you to develop more comprehensive training programs and help you identify which employees are your biggest risks so you can provide specific coaching.

Another great way to use phishing simulations is to send out the tests before the training. When employees see that people in the company are making mistakes, they are more likely to pay attention to the lesson.

It’s not enough to just teach the information! It must be learned and implemented every day to be effective and keep your organization secure.

If you’re looking for effective cyber security awareness training for your employees, our team has a comprehensive program that will engage, teach and test your employees so you can have peace of mind knowing they are working to keep your company safe. Click here to get in touch with our team and get started on your cyber security training session today.

Tuesday, July 11, 2023

What You Need To Know About The FTC Safeguards Rule

The Shocking Facts About The New FTC Safeguards Rule That Affect Nearly EVERY Small Business Operating Today

As former President Ronald Regan once said, the scariest words you’ll ever hear are “We’re from the government, and we’re here to help.”

In this case, the government is trying to help by forcing nearly all businesses to implement and maintain a strong cyber security program to protect the customer information these companies host – definitely not a bad thing, and all businesses should take this seriously without the government mandating it.

Sadly, the majority of small businesses don’t take cyber security seriously enough and believe they are doing enough to prevent a cyber-attack when they aren’t, which is why the government is having to step in and create laws (the GLBA Act) to enforce better security protocols.

What Is The New FTC Gramm-Leach-Bliley Act Safeguards Rule And Who Does It Apply To?

Back in April of 2022, the FTC issued a new publication entitled “FTC Safeguards Rule: What Your Business Needs to Know.” This was published as a “compliance guide” to ensure that all companies that fall under the Safeguards Rule maintain safeguards to protect the security of customer information.

While you might think your business is “too small” to need to comply or doesn’t hold any data “that a hacker would want,” you’ll be shocked to discover you are likely to be wrong on both fronts.

Hacking groups use automated bots to randomly carry out their attacks – and small businesses are their #1 target due to the gross negligence and inadequate protections they have. You are low-hanging fruit. That’s why it’s not only the obvious organizations, such as CPAs, financial institutions and credit unions, that need to comply. Here’s a short list of just a few of the organizations that fall under this new law. You should know that this is NOT a complete list:

· Printers that print checks or other financial documents.

· Automotive dealers who provide financing for car purchases.

· Any organization that accepts credit or loans for the goods and services they sell, whether or not the credit is granted.

· Companies that do tax preparation or credit counseling of any kind.

· Real estate settlements, services or appraisals.

· Career counselors that provide services to people employed by or recently displaced from a financial organization.

As you can see, the companies that must comply are growing rapidly. Bottom line, if you handle any kind of financial data or personally identifiable information, you need to make sure you are complying with these new standards.

What You Need To Do Now

The rule requires you to implement a “reasonable” information security program. But what does that mean? For starters, you need to designate a qualified individual to implement and supervise your IT security program – and you cannot outsource this. Yes, you can and should get a professional IT firm like us to guide you on the implementation, but the buck still stops with you.

The person you designate doesn’t have to have a background in IT or cyber security – but they will be the person responsible for ensuring your company is taking reasonable precautions to comply with the new security standards.

Second, the Safeguards Rule requires you to conduct a risk assessment to initiate an effective security program. From there, you would work with your IT company (us!) to roll out a plan to secure and protect the data you have by putting in place access controls, encryption, data backups, 2FA and a number of other protections.

Cyber security is not something you do once – it’s an ongoing effort of protection as new threats evolve. If you want to see where your organization stands on cyber security, click here to sign up for a quick, easy and completely free Cyber Security Risk Assessment. That is the first step toward complying and will give you the information you need to know about your own security stance.

Beware of Posers!

Holy False Promises, Batman!

It looks like could be too good to be true!

Another day, another scam! A new wave of social media scams has emerged, targeting unsuspecting Facebook and Instagram users. Whether you use your page for personal or business use, this new con could affect you. In this article, you'll discover what this scam is, how to detect if hackers are targeting you, and how to avoid falling for it and potentially leaking your private information.

If you're a social media user, you may have noticed that in recent years, both platforms are quick to hand out page violations. An inappropriate comment or post can land you in "Facebook jail" or with a 30-day suspension for repeated offenses. Facebook’s goal appears noble – keep these platforms a positive, kind place for all users.

To help identify these comments, the platforms have developed a sophisticated bot that can read the posts and detect "flagged" phrases that the platform has deemed inappropriate. Typically, they remove the inappropriate content and notify the user that the post was flagged and warn if they continue posting similar content a ban can occur.

However, this robotic peacekeeper is not perfect. It has a reputation for flagging ordinary content because of key trigger words and banning unoffending accounts. This situation is frustrating for users who don't want to lose access to their social media platforms for an offense they didn't commit or are worried that years' worth of memories they've accumulated on their account could disappear if their account is wrongfully deleted.

Cybercriminals saw their opportunity and went for it. Hackers pose as support agents from Facebook or Instagram, contacting users via direct message on the platforms saying there has been a policy violation and they'll help the user resolve it by filling out a simple form that gives them the information they need to make this digital slap on the wrist go away. The alarming twist? Once users submit their information, it falls directly into these skilled hackers' hands, who can use it for who knows what.

If you want to protect yourself from this scam, you must first be able to recognize it. If you receive a message like the one below – don't panic. Cybercriminals want you to be worried, so you slip up and make a mistake. Remember, a Facebook agent will never directly contact you unless you go through the support chat first. The platforms have in-app notifications about banned or flagged content that you will see first, and they will follow up via email.

The image below features an actual screenshot of this scam in action and points out other factors to notice when determining the legitimacy of a violation.

We didn't request the form to see what information it collects (and neither should you), but we can guess. Facebook has developed strict verification processes for confirming identities to reduce the number of imposters on Facebook and determine the rightful ownership of accounts in hacking situations. The platform will request proof of identity with a photo of your ID or sometimes even business documents proving ownership. Cybercriminals will likely request this information but may take it further by asking to confirm your password, social security number, and more.

This deceptive tactic highlights the ever-evolving nature of cybercrime. Just as we've seen with the rise of AI-powered tools used in voice cloning scams, these hackers are becoming increasingly creative and sophisticated in their efforts to manipulate social media users. They are watching what's happening and adapting their tactics accordingly. The stakes are high, and so is the potential damage to individuals and businesses.

To safeguard yourself and your business from such threats, it's crucial to remain vigilant and informed. Here are a few practical tips to help you stay protected:

Always verify the authenticity of messages received from social media platforms. Support does not contact you via message unless you request chat support, and they will never ask you to provide sensitive information through direct messages.
Be cautious of unsolicited messages requesting you to click a link or fill out a form. Instead of clicking the link, visit the platform's help center or contact support directly to inquire about the issue.
Strengthen your account security by enabling two-factor authentication, regularly updating your passwords, and using unique, complex combinations of characters.
Provide regular security awareness training to your employees. Share articles like this one that shed light on emerging scams and engage in ongoing education to ensure your team remains alert and prepared.
Collaborate with your IT service provider to implement robust cybersecurity measures and disaster recovery protocols. Investing in comprehensive protection is essential in minimizing the risk of falling victim to these sophisticated attacks.

Remember, prevention is critical. Don't wait until it's too late to act. If you're concerned about the security measures your IT service provider has in place, click here to request a FREE IT Security Risk Assessment. This assessment will give you a clear understanding of your current security stance and whether you're well-equipped to handle a cyber-attack.

Friday, July 7, 2023

Feel the need to be Big Brother when dealing with your remote workforce?

Is It Illegal To Track Your Employees’ Activities When They’re Working From Home?

Along with the surge of people working from home or in hybrid situations over the last few years, there has also been an increase in employers looking for ways to monitor their employees’ work activities to ensure they actually ARE working when remote.

This is no surprise given the new “quiet quitting” trend that has now evolved into “Bare Minimum Mondays” and “Try Less Tuesdays.” Sadly, some employees are taking advantage of working remotely as a way of working less.

Of course, not all remote employees are slackers – but how can an employer know the difference? That’s where tools like Teramind and ActivTrak come into play. These are software tools that can be installed on employees’ workstations and laptops to monitor their activity, both while in the office and remote.

Not only will these tools provide insights into productivity and where employees are spending their time, an employer can also see when someone checks in to work and leaves for the day. These apps can also help in ensuring employees aren’t surfing inappropriate websites during work hours using company resources.

While many people are against productivity monitoring, it’s perfectly legal in the US, provided this is for work-related activities on workplace devices. Monitoring laws do vary by state, so you should always check with an HR attorney on any employee-related monitoring. While there is no requirement to gain consent on a federal level, some states require that you establish consent before monitoring.

It’s also legal to monitor company-owned devices outside of work hours, including Internet traffic, search terms, websites visited, GPS geolocation and content viewed, to name a few things. If you issue your employees’ phones, you are legally allowed to monitor them as well. It’s even legal to monitor your employees’ own personal devices if you have a BYOD (bring your own device) to work policy, provided those devices are used for work purposes.

If you are thinking of rolling out employee-monitoring software, here are a few recommendations.

· Let your employees know you WILL be monitoring them, and how, before rolling out any monitoring activities. Make sure this is documented in your work from home/telecommuting policy and ensure that any and all changes have been clearly communicated with all impacted parties. Being totally transparent about what you are monitoring and why is important to establishing and maintaining trust with your employees. Most people would be very upset to discover you were monitoring them without their knowledge. While it’s legally your right (in most states) to monitor without letting them know, we feel it’s best to be open about this, so they understand what’s being tracked.

· Put in writing what is and isn’t allowed during work hours and on company-owned assets. If you don’t want employees visiting what you deem as inappropriate websites and mixing personal activities with work activities on company-owned devices, let them know that. If they work from home, set guidelines such as start and end times for work and how long and how frequently they can take breaks, detailing when they need to be available (at work). No one likes getting a speeding ticket when there’s no speed limit signs posted. Be absolutely clear on your expectations and put them in writing so there’s no risk of “You never told me that…” happening.

· Get legal advice before implementing any kind of monitoring software, cameras, or activities. Laws can change – and with privacy of data becoming more critical (and a legal hot potato), we suggest you work with an HR attorney to make sure you’re not violating anyone’s rights. Recently, the fast-food restaurant White Castle was hit with a lawsuit that could cost them up to $17 billion for using fingerprint login software for their employees to access certain systems. The lawsuit claims they violated Illinois’s biometric identification laws by asking employees to use their fingerprint as a secure way of logging in to their systems without first gaining consent.

So, while it’s legal to monitor employees, you still need to be mindful of employment laws and data and privacy protection of the employees you monitor.

Need help implementing a more secure and productive remote workplace? Click here to schedule a quick call to discuss your options and to get ideas on how we can help you and your entire team be productive and safe, no matter where or how you choose to work.