To do so, we’ll be discussing the concept of cloud security, which is pretty much what it sounds like: security concerning the data, infrastructures, and applications that are hosted in the cloud. In many ways, these considerations aren’t all too different than the ones that would be involved with your local IT. When really boiled down, any security you have implemented should meet a few benchmarks:

• Assurance that data/solutions are safe
• You have a transparent view of your security’s status
• Instant alerts to unusual events and issues
• These events and issues can be followed back to their source and addressed

Of course, we don’t mean to say that everything is identical between the security of your local infrastructure and a cloud system. We just wanted to establish this as the foundation of any security you implement.

Demystifying Cloud Security

By its nature, cloud computing can be intimidating, especially when you start to consider how it has impacted the business technology landscape. Fortunately, many of the security considerations that cloud now demands aren’t necessarily huge leaps from what your security should be normally. Let’s walk through a few differences between traditional security and what is required in the cloud.

Different Perimeters to Protect

Consider how data can be protected when it is localized. You can effectively prevent a lot of threats just by preventing access to the area where your data is stored. The cloud makes this significantly more difficult by being so very connected.

However, if you know this moving forward, you can adjust your security to meet these needs. One effective way to do so is to make sure that all data to be stored in the cloud is encrypted, and that access to the cloud itself is protected with multi-factor authentication requirements with the appropriate best practices baked in.

More Advanced Threats

Unfortunately, not even cloud providers are immune to attacks. The development of Advanced Persistent Threats (which you may see referred to as APTs) and other means of breaching data make it difficult to be sure that your data is truly safe. While the jury is still out on how these threats can be overcome, you need to accept the responsibility of keeping up with the practices that can help in the meantime.

Software Challenges

As the cloud relies on software to deliver hosted data, there is an assortment of potential variables that need to be addressed. Therefore, the cloud needs to have security controls in place to address these variables as they present themselves. This is the case whether data is being transported at the time, or if it is filed away.

Coleman Technologies can assist you with your data security needs, as well as assist you with whatever cloud implementation you decide to put into place. To learn more, reach out to us by calling (604) 513-9428.

The past few years have seen some of history’s greatest data breaches. For instance, the most notorious of these attacks, the Equifax breach, Yahoo, and Marriott-Starwood, resulted in a combined total of 3.5 billion accounts breached.

This means, statistically speaking, you would have a pretty good chance of picking a data breach victim of the past few years by randomly selecting two human beings from the entirety of planet Earth’s population.

Crunching the numbers, there has been an increase of security breaches of 67 percent since 2014.

What Does this Mean? Is Anything Secure Anymore?

Interestingly, there is a plus side to these enormous data breaches happening in the public eye, thanks to a few key points:

• It brings attention to these kinds of crimes - Thanks to disasters like the Equifax breach, more Canadians are aware of the impact of cybercrime. This kind of awareness is crucial to encouraging improved security.
• There is too much data for cybercriminals to practically use. This one can be chalked up to statistics… the more data that a given cache has, the less of a chance that your data is pulled up in an attack.

To clarify, we aren’t trying to sugarcoat the severity of a data breach, but having said that, the past few years’ cybersecurity threats have really given us all an example to consider. With new compliances, regulations, and other mandates being put into play, businesses are certainly considering these threats.

What About Small Businesses?

There is a tendency to overlook small businesses when discussing data breaches. After all, the ones that have struck large targets (like Yahoo, Target, eBay, Sony, and many others) almost always get a headline, along with the attacks that focus on municipalities, like the ones that targeted Wasaga Beach, Ontario and Midland, Ontario with ransomware.

What aren’t heard about so much, unfortunately, are the attacks that lead to much smaller companies shutting their doors for good… a side effect of the limited number of victims per attack, and the relatively casual approach that many have towards security. Unfortunately, a Verizon survey shows just how misguided the assumption that a smaller business size will protect it from threats, when 43 percent of businesses breached would be classified as small.

Security Needs to Be a Priority

Fortunately, there are ways that you can reinforce your business’ cybersecurity, especially with the help of Coleman Technologies and our experienced cybersecurity professionals. Call (604) 513-9428 to get in touch with us, so we can help evaluate and fulfill your business’ needs.

What Exactly Is Phishing?

The practice of phishing is not new. It has been used for much of the past decade. The strategy goes like this: hackers use deception to get a user to provide their own credentials, thus giving them unknowingly to the hacker. The hacker then accesses the account legitimately (as the user) and has free reign over the entire account. Sometimes they will go in and siphon data and sometimes they will hijack the entire account, but regardless of the hacker’s intentions a successful phishing attack is a successful transfer of power over an account. 

What’s worse is that you can get phished in multiple mediums. Email is the predominant channel where phishing attacks are carried out, but people can (and do) get phished over social media, instant message, or via text message. There are even phone-based or snail mail phishing attacks that direct users to go to a fake website where they would provide their credentials and/or personal information. 

There are even different forms of phishing based on their intended targets. The general strategy behind traditional phishing attacks is to send emails out to as many people as possible, hoping to snare unwitting recipients into their phishing nets. Today, with more personal information available about people, there is phishing that targets individual people. This is called a spear phishing attack. Then there are spear phishing attacks that are carried out against business and organizational leaders. These are called whaling attacks. The intended imagery aside, phishing attacks are getting more direct, more deceitful, and more serious. 

Spotting Phishing

For all of the bad news surrounding phishing attacks, there is some undeniably good news: with a critical eye, you can tell when you are being phished. You aren’t going to fall for these types of attacks if you know what to look for. Today, we’ve put together a short guide on how to determine if you are dealing with a phishing attack and how to proceed when you are.

Look for Warning Signs

There are a litany of warning signs that will help you spot a phishing attack. Most of them are pretty obvious, and some of the more subdued ones come with telltale signs. 

Does the message have spelling and grammar mistakes? 

Not many businesses will send out official correspondence with grammar and spelling mistakes. This should be the first sign that something is amiss. Most phishing messages come from supposedly-reputable organizations and while a spelling or grammar mistake does happen from time-to-time, several mistakes won’t happen.  

Does the message deal with curious circumstances? 

One of the biggest telltale signs that you are dealing with a phishing attack is the tone of the message that is received. Does the message reference immediate situations that need to be remedied? Does it mention money or illicit a sense of fear or anxiety? If it has these elements, it’s probably not legitimate. Think about it: most organizations that need you to act immediately will have specific ways of contacting you and that correspondence will make it clear that you are dealing with a legitimate organization.

Does this message have a trusted URL?

Most phishing attacks will redirect to a website that is set up by the hacker. You probably shouldn’t be clicking on any links sent to you in an email unless you are sure who sent the email. One way to determine whether or not a link is from a reputable source is to mouse over the link and see where the link goes. If you get an email from Amazon and the link goes to amazorn.com, you are staring at a phishing email.

Protecting Your Assets

There are a couple simple ways to ensure that you or a member of your staff doesn’t fall for phishing attacks:

• Use technology. A spam blocking filter on your email will go a long way towards removing unnecessary and potentially-malicious emails from hitting employee inboxes in the first place.
  
  
• Training. Make sure your employees are trained to spot and properly handle attempts that may come through. By starting with the end user, you’re taking away a lot of the power that phishing has.

At Coleman Technologies, we appreciate the importance of secure workplace practices. If you’d like to learn more about phishing, and how we can help stop it from hurting your business, reach out to us at (604) 513-9428.

One crucial component of any successful cybersecurity practices is the active effort to eliminate risk wherever possible. Here, we’ve compiled five practices that will contribute to your business’ capability to recognize where its threats come from. While these aren’t exactly policies to help protect your data, they can help you collect the data you need to form these policies.

1. Inventory All of Your Assets

When you resolve to protect everything, as many business owners do, it helps to know what exactly “everything” includes. Maintaining a comprehensive inventory of all of your technology-- each wire, additional peripheral, and software title your business has acquired--makes managing your technology far simpler and more efficient.

2. Push Cybersecurity Best Practices

Your staff, being the ones with their hands on your business technology, need to be trained on how to maintain its security. As it happens, this training should transcend just security and cover their cyber hygiene as well. The more they know about how to better secure their use of your technology and identify threats and issues, the more secure your business will be.

3. Address Shadow IT Head-On

Shadow IT is an insidious problem that many don’t even consider an issue. The phrase “shadow IT” basically serves as a blanket term for any software that an end user has downloaded without the knowledge and approval of the IT administrator. While there are many potential issues with shadow IT, the worst of them likely comes from the vulnerabilities that unapproved and unpatched software can bring into the network. By enforcing a policy of utilizing only the solutions that IT has vetted and approved, you can protect your business from one of the least expected threats there is: the employee who was just trying to do their job.

4. Ensure the Proper Tools are Implemented

Cybersecurity, on paper, isn’t such a difficult process. The issues come from the fact that everyone involved needs to understand the threats facing them and why the practices and tools they are expected to utilize are so crucial to security. Unfortunately, if the reasoning behind using antivirus and anti-malware, firewalls, spam blocking and content filtering (among other security tools) is never addressed, their use is more likely to be taken for granted, and ultimately neglected. Not only should these tools be in place, there needs to be an organizational commitment to using them… otherwise, threats are more likely to be an issue.

5. Keep IT Refreshed

As a general rule, the older your technology gets, the less effective it is at serving its intended purpose. This can be resolved by making a point of systematically and strategically patching, updating, and upgrading the technology you rely on to operate. More up-to-date solutions have better security and can better keep your assets safe, threats less of a consideration (but still one to be consideration).

Coleman Technologies can help you put these practices in place for the betterment of your business and its security. Reach out to our team for improved cybersecurity by calling (604) 513-9428 today.

1. There’s an Unexpected Attachment or Link

It’s one thing to get an unexpected email from someone, it’s completely another thing entirely to get an email from someone that includes an unexpected attachment or link. Neither of these is a good thing. Attachments can easily contain hidden malware files, and links can be disguised with very little effort.

Don’t believe me? Try visiting google.com. Go ahead!

Not exactly what you were expecting, eh? Keep in mind that you can double-check links by hovering your cursor over them, and if you weren’t anticipating an attachment, don’t click it unless you have confirmed its legitimacy through some other means.

2. The Sender’s Email Seems Off

It isn’t uncommon for scammers to disguise a fraudulent email address by making it look at lot like a legitimate one would. For instance, let’s say that you normally worked with a business vendor, hypothetically named “Super Business Supplies.” A scammer might send you an email from “sales (at) superbusinessupplies.com.” Looks pretty okay, until you notice that there’s one fewer ‘s’ than there should be. Scammers can get downright devious with these replacements, replacing “Amazon” with “Arnazon” and other blink-and-you’ll-miss-it tricks.

In short, read carefully.

3. There are Other Questionable Elements

While that may be a very vague tip, it is only because there is such a wide variety of warning signs that an email is actually a phishing attempt. For instance:

• Spelling and grammar errors. Look at it this way: would you anticipate a company like Microsoft, or Google, or the likes of such to send you an email riddled with mistakes? Of course not, so if you receive an email that purports to be from a company of high repute, but features these kinds of errors, red flags should be going up.
  
  
• Time-sensitivity. One of a scammer’s go-to tools is to put their target off-balance, especially by pressuring them into immediate action. If you receive an email that offers you a great deal by acting right now, or threatens to shut down your account unless you act right now, the first thing you should do is pick up the phone and call up the organization or individual that sent the email.
  
  
• Requests for personal information. Similarly to any messages that rely on cultivating a sense of urgency, you need to look at any emails that request personally identifiable information, access or financial credentials - really, any data that you and your company rely on - with a critical eye. This is another case where calling to confirm is probably your best bet.

Email can be an extremely helpful business tool, but it can also be an equally useful tool for cybercriminals looking to victimize your business. Coleman Technologies can help you secure it, with best practices and practical solutions to lock it down. To learn more, reach out to us at (604) 513-9428.

Mobile malware is not new. It has been around since people used flip phones, but it doesn’t get the attention that the malware that targets Windows PCs do. This is mainly due to it being a little more rare, but if you are the unfortunate recipient of it, it can cause a lot of the same problems. 

Many people won’t consider it simply because of the way they use their device. A person’s smartphone is with them around the clock and they don’t often use it in the same manner as they would a PC. This doesn’t mean that there aren’t major threats that can users can be exposed to. Let’s take a look at each major mobile OS.

iPhone Malware

One of Apple’s favorite marketing strategies is to point out that iOS is the safest mobile operating system. They actually do a commendable job, but devices running iOS aren’t always completely safe, especially on “jailbroken” devices. By not doing this, which is a way to avoid a lot of iOS’ built-in security restrictions, you will be much more secure. 

Another risk that iOS-run devices run into is called a zero-day hack. The zero-day hack target devices haven’t received a security update after the security update has been released to the public. One major issue that users have with iOS security is that there aren’t a lot of ways to prevent issues. Apple itself does a lot of the heavy lifting. Their platform’s success depends on them keeping their reputation, so having trust in Apple to keep your device secure is not without its merits.

Android Malware

Android is a completely different situation altogether. With more devices comes more malware, and with so many different manufacturers making (and supporting) their various versions of Android, it gets a little dicey.

Android is much more flexible than iOS, which is one of its main benefits, but it can also be problematic when it comes to keeping the device secure. For example, if you want to install an application that’s found outside of Google Play, you can, but any negative situation you get into as a result is on you. It is also possible to jailbreak an Android device, which can override some of the built-in security restrictions.

There have been situations where installing apps off of Google Play have caused problems. Google has had to play games with app developers to keep some serious threats off their store. It just means that users need but it has become clear that it really comes down to the user being careful with what they install. It’s not normal for malware to be attached to Google-sponsored apps, but it has happened, so if you are an Android user, you don’t have to be too careful if all of your software comes from Google.

How to Protect Your Smartphone from Malware

Keep App Downloads to Major App Providers - Both Android and iOS feature their own app stores, Google Play Store and Apple App Store, respectively. Even though Android devices can install applications that aren’t on the Google Play store, modern smartphones make this a little more difficult by making users acknowledge that they are putting their devices at risk by doing so.

If you refuse to jailbreak your phone, and you only install applications that are thoroughly vetted, positively reviewed, and come directly from the Apple App Store or Google Play, you will greatly reduce the risk of infecting your device.

Don’t Get Phished - Many of the most insidious threats today rely on user error. Phishing attacks are an annoying example of this. A user will get a legitimate-looking email from some account they actively use and will be directed to submit login credentials. Unfortunately, the email account is spoofed and on the other end is potential disaster.

Install Anti-malware - You have antivirus software for your PC right, why not get it for your mobile devices? Most providers have Android apps and can go a long way toward protecting your device from harm. 

Enact Policies - If you are a business owner and your employees use their personal devices to do work-related tasks, it’s a solid practice to establish an end-to-end mobile device policy. You can require users to enable security options like device locking and encryption, and since this gets set up on your network, the device (and therefore the user) has to comply with any requirement’s your IT admin requires. 

We have a dedicated plan to help all of our clients maximize their data and network security. If you want to talk more about it call our consultants today at (604) 513-9428.

September

9/5 

Providence Health Plan - 122,000 members of the Providence Health Plan had personal information leaked when an unauthorized party accessed the company’s servers. Information that was stolen included plan member names, addresses, email addresses, dates of birth, Social Security numbers, member ID numbers, and subscriber numbers.

Facebook - Facebook had an unprotected server with over 419 million records accessed.  Users had their Facebook’s user ID and phone number exposed. In some cases, user’s names, genders, and locations were also leaked.

9/16

Dealer Leader, LLC. - 198 million prospective car buyers were left exposed by an unprotected server. The information that was left out there included names, email addresses, phone numbers, addresses, and IPs.

9/27

DoorDash - The popular food delivery app had 4.9 million customers’ information breached by a third-party. The information left exposed included the names, delivery addresses, phone numbers, hashed passwords, order history, and the last four numbers of each’s credit card number. In the same hack, over 100,000 delivery drivers had their driver's license information leaked. 

9/30

Zynga - The mobile game maker, Zynga, the developer of popular mobile games such as Farmville and Words with Friends has announced that 218 million players had their data exposed after their network was breached by a hacker.  The company had player names, email addresses, login IDs, phone numbers, Facebook IDs and more left exposed.

October

10/17 

Methodist Hospitals of Indiana - The Methodist Hospitals of Indiana fell victim to an email phishing scam and it allowed hackers to steal 68,000 records that included names, addresses, dates of birth, Social Security numbers, driver’s licenses, and more. 

10/21

Autoclerk - Autoclerk, a hotel property management software developer had an open database infiltrated exposing data that included names, dates of birth, home addresses, phone numbers, dates of travel, travel costs, room numbers, and some masked credit card details of hundreds of thousands of guests. 

10/22

Kalispell Regional Healthcare - Over 130,000 Social Security numbers, addresses, medical record numbers, dates of birth, medical histories and treatment information, and names of treating physicians were exposed by hackers.

10/26

Adobe - Data was exposed that included email addresses, usernames, location, Adobe product licenses, account creation dates, and payment statuses. 7.5 million users were affected.

10/27

Network Solutions - The world’s oldest domain name provider has been exposed in a hack. Millions of individuals’ data that included names, addresses, phone numbers, email addresses, and service information was compromised.

November 

11/9 

Texas Health Resources - The Texas-based health care provider reported a data breach where 82,000 patient records were exposed. Included in the breach were names, addresses, email information, health information, and more. 

11/16 

Disney Plus - The brand-spanking-new Disney+ streaming service had new user account information hijacked by hackers. Login credentials wound up on the Dark Web soon after. 

Magic the Gathering - The popular online strategy game has reported that an unsecured website database has exposed 452,000 player records that include names, usernames, and more. 

11/18

State of Louisiana - The State of Louisiana has been a victim of a ransomware attack that took down many state agencies’ servers. Although no data is said to be lost, the state’s crucial computing infrastructure was down for several days as systems were restored from backup.

11/19

Macy’s - Macy’s had their ecommerce site hacked. Hackers embedded malicious code into their checkout page and put a skimming code on the company’s Wallet page. The malware retrieved names, addresses, phone numbers, email addresses, payment card numbers, card security codes, and card expiration dates.

11/22 

T-Mobile - T-Mobile had over a million customers’ information accessed by a hacker. Information accessed included names, billing addresses, phone numbers, rates, and calling features.

Unknown - An unsecured server containing over 622 million email addresses and 50 million phone numbers, and millions of pieces of other information was discovered. It is unknown what organization this data is tied to as the time of writing.

With hundreds of millions of records being exposed each month, it’s hard to feel confident about giving your personal or financial information to anyone in the current threat landscape. If your business needs help trying to be secure, call us today at (604) 513-9428.

Personal Information

Before we get into the strategies of protection, let’s identify what constitutes personal information. It includes:

• Full Name
• Phone Number
• Email address
• Birthdate
• Social security number
• Passwords
• Biometric data

If you consider how many times a business has asked you for this information, you will understand just how exposed your personal data is. You may not consider it a big deal until you are in the throes of a situation where your identity has been stolen. 

You Need to Maintain Control

Your personal information is exchanged in nearly every transaction you take part in online. In response to this, you need to understand what these organizations use this information for, and how exposure of your sensitive data diminishes your data privacy. Obviously, the goal is to keep this information out of the hands that will take advantage of it and bring detrimental situations to your doorstep.

Once you realize that you can’t trust companies with your personal information, you have started to understand the lay of the land. In Europe, the establishment of the General Data Protection Regulation (GDPR) brought the first major privacy protection law, and you are beginning to see more governments considering what to do in regard to data privacy. In many parts of the world, privacy has been nonexistent. Monitoring your information is a great way to turn that trend on its head.

As of now, people continuously distribute their information to organizations with the confidence that those organizations are going to keep that data safe. This hasn’t worked out that well for the individual, but that doesn’t seem to deter them from sharing this information anyway. 

Only 10 percent of people feel like they have control over their own data, but less than 25 percent of surveyed respondents believed companies are doing enough to protect it. What is strange is that 92 percent of respondents of the same survey said that they would like to have absolute control over their personal data, with 87 percent seeking the ability to remove personal data from the Internet if it negatively affects their reputation. 

Privacy Solutions

Just being diligent about who you give your data to simply isn’t enough to protect it; and with so few options available to do so, an individual’s best bet is to understand the threats they face. These include:

• Vulnerabilities in applications - Data breaches are mostly caused by software that isn’t updated with up-to-date threat definitions. This problem can happen to any organization that isn’t diligently updating the software it uses.
• Poorly trained workers/sabotage - You wouldn’t believe just how many massive data breaches are caused by the people that a business depends on the most. If your staff isn’t properly trained, or you have disgruntled employees that have access to sensitive information, those situations could end poorly for you. 
• Lack of response - Even if you have all the security you need in place, breach is still a possibility. That’s why it is crucial to be prepared in the event of a breach that your organization has the tools and expertise to mitigate the situation before it becomes a problem. 
• Refusal to dispose of data - Your organization may find the data it takes in useful for multiple reasons, but if you sever ties with customers, vendors, and staff, it is your responsibility to securely dispose of their personal information. A failure to do so in a timely fashion could lead to a negative situation. Get rid of the data you no longer need, especially if it contains sensitive information.
• Collection of unnecessary data - If data is a form of currency, it stands to reason that it will be shared between companies. If you don’t need the data, however, why do you have it? Possessing data you don’t intend to use--or don’t need--can lead to losing track of it. 

People provide personal information all the time, and unfortunately, the organizations they are giving it to don’t understand how to protect it properly; or, worse yet, actively use it for their own monetary benefit. With the lack of effort by these organizations, individuals have no choice but to take a diligent approach to keep sensitive data away from hackers, and keep their identities secure. 

If you would like more information about data security, visit our blog at www.colemantechnologies.com today.

On the surface there is nothing abnormal or wrong about this scenario. The problem, however, that dropping a new hire into the fray with a copy of the employee handbook and a day-and-a-half of software and sensitivity training may actually not be the best way to handle your human resources. This month we are going to talk about how creating a sustained training platform can actually have a marked effect on your business’ ability to stay secure and productive. 

Education vs. Experience

The first place we’ll start is with the hiring process. Many organizations prefer to hire people that have a college degree of some sort. While that may be prudent if you are hiring people for a specialized job, many entry-level job postings are now requiring college degrees, often to the organization’s detriment. Since college graduates are likely to command a higher salary--and they didn’t go to college (and often assume large amounts of debt) to work entry-level jobs--they typically get impatient with their professional growth and hop from job-to-job until they find something more to their liking. In fact, people who have graduated from college since 2010 have averaged four job changes in their first nine years. 

That’s not the only thing. You have people whose education doesn’t match up with the demands of the jobs. People that get their degree in a certain discipline and didn’t work a job relating to that discipline for years, are often further behind than people who have experience in the field. Then you have that person who applies, but majored in Latin in college. Most businesses would be better off filling the position from within than hiring someone from outside the company and lacks real-world experience in the job.

This is where training comes in. For the college graduate who has been exposed to different perspectives, disciplines, and rules than the people that work real-world jobs are exposed to the practical knowledge necessary to troubleshoot even basic problems in a business setting may be a little troublesome to start with. There’s a reason why your average mechanic, plumber, and electrician keep being able to raise their rates: they’re experienced and trained.

Types of Training

The first thing that should be mentioned is that dedicating a lot of time and resources to employee training can become expensive. This is likely why a lot of people don’t do much of it. There are five major types of training that most organizations offer, in varying degrees. They are:

Orientation

Every business has some form of orientation. This is a short run down of the expectations of an employee by management.  Orientation will show new hires all the relevant information about what it means to be an employee at the company. Some businesses go into detail about things like the company mission, values, corporate culture, leadership information, employee benefits, administrative procedures, and any other tasks that need to be completed before any actual training begins. 

Onboarding

Onboarding is different than orientation. When you are onboarding your employees, you train them in the specific duties their job entails. This could be training on software systems they need to be accustomed to using, or training on how your business wants them to complete specific tasks. The idea is to make new hires as effective as possible, as quickly as possible. Some jobs come with a half-a-day of onboarding, while others take over a year to complete. 

Mandatory

There are some things that workers need to know, regardless of the position they hold. Some mandatory training is dictated by Federal and State governments, while others are strictly industry-wide points of emphasis. Public sector jobs often are required to take occupational health and safety courses. This practice is becoming more and more prevalent in the private sector, as is sexual harassment training.

Operational Skills

Skills training is designed to improve an employee’s ability to do the work, or to fill in other positions in your company. There are soft skills training and technical skills training. Soft skills training is designed to improve an employee’s ability to interact with others; and, with the company. These skills include:

• Presentation and communication
• Problem solving
• Conflict resolution
• Time management
• Collaboration
• Emotional intelligence
• Adaptability

Studies have shown that a dedication to soft skills training works to resolve the normative problems with high turnover and unsuccessful collaborative culture.

Technical skills training enhances the technical proficiency of an employee. Any time employees can get better at the technical aspects of their jobs, it improves the products and services the company they work for delivers. 

Security

Nowadays, with the circumstances that modern workers have to consider, security training is an absolute must. Not only does it improve employees’ ability to protect business assets, it ensures that they are aware of the potential problems that the modern business is exposed to. 

Physical security training is typically limited, but if it is a major part of a person’s role within your company to keep assets secure, they should be given the information needed to accomplish this task. 

What’s more likely is that each person will need to take part in cybersecurity training. Digital assets are routinely targeted by people inside and outside of your business, so knowing how to protect them is a major point of emphasis that decision makers have to consider. The average worker needs to know how to identify a phishing attack, the best practices of data transmission, and what are good and bad practices when interacting with cloud-based and other online-based resources.

At Coleman Technologies, we know just how important keeping malware and unwanted visitors out of your network is and can help you with your cybersecurity and network security training platforms. Our team of professional IT technicians, and our dedication to helping businesses keep hackers from negatively affecting business, can go a long way to help you establish the training platform you need to keep your business' digital assets secure. Call us today at (604) 513-9428 for more information.

How Does This Happen?

An employee had access to data that they weren’t authorized to have. According to Trend Micro, they were able to “gain access to a customer support database that contained names, email addresses, Trend Micro support ticket numbers, and in some instances telephone numbers. There are no indications that any other information such as financial or credit payment information was involved…”

This employee, who remains unnamed, apparently had planned to steal data, and ended up being able to bypass the internal protections Trend Micro had in place.

Since the data had more than enough information for a scammer to use to trick a user into believing they were calling from Trend Micro (all it really takes is a name and phone number, and knowing that they use the product), this kind of data has a great deal of value to scammers. It gives them an easy way in to steal money from unsuspecting people under the guise of Trend Micro tech support.

Be Wary of Any Unsolicited Tech Support Calls

This isn’t a new problem, and it definitely isn’t only a problem for Trend Micro customers. Fake tech support scammers have been around for years, often preying on older, less-technically-savvy users. They use scare tactics and feign urgency to get their victim to hand over credit card information or allow remote access to the PC. 

More often than not, these calls will come in saying they are “Microsoft Windows Support” or some general computer support. If the scammer thinks they are targeting an individual at a business, they might say they are from the IT department.

It’s important to be wary and educate your employees so they know the proper channels for getting support requests handled. 

The Other Lesson - Don’t Let Employees Access Data They Don’t Need

As a business owner, you need to ask yourself who has a little too much access. Can all employees wander into folders on your network that contain personal or financial information? 

An employee should only have access to the data that they need, although it’s also important to not make it too difficult for an employee to do their job. Establishing the policies for this can be tricky but setting up the permissions on your network just takes a little work with your IT provider.

Enforcing security policies, like controlling who has access to what data, requiring strong passwords, and setting up multi-factor authentication can go a long way in protecting your business and its customers from a rogue employee running off with data. An ounce of prevention is worth a ton of damage control, in this case.

Need help? Our IT experts can work with you to lock down your data. Give us a call at (604) 513-9428.

Let’s start with where we are now. History is best told on a timeline, so let’s start from the present. Cybercrime today is profiting over $1.5 trillion each year, and that figure continues to climb. Some have predicted that this figure will nearly quadruple by 2021. Security breaches are up by 67 percent over just the past five years.  

How is this figure climbing so quickly? Well, let’s examine the most popular form of cybercrime: phishing. The method that cybercriminals are using are able to deploy all types of malware, yet also has data-stealing abilities. Whether that data is your sensitive personal information, or login credentials to your bank account, phishing gives a cybercriminal direct access. The worst part for people who have fallen victim, is until something dramatic happens, they are clueless that they have even become a victim. Phishing attacks have led to billions of records being exposed, stolen, or corrupted each year.

Cybercrime has become a real concern for all business owners. So how did all of this start?

The Beginning 

This information Coleman Technologies is about to reveal may be hard to believe, but cybercrime was Bob’s fault. This trillion-dollar criminal trend is the result of a research project held by a man named Bob Thomas. Bob Thomas made the observation that a program is able to move across a computer network, leaving a trail behind. He then proceeded to write a code that was named “Creeper”. This code resulted in a program that was designed to travel between Tenex terminals on the ARPANET. The message that came across? “I’M THE CREEPER : CATCH ME IF YOU CAN”. 

The research project sparked the attention of email inventor Ray Tomlinson. Tomlinson altered this program into a self-replicating one. This resulted in the first computer worm. Immediately after this discovery, he wrote an additional code which was titled “Reaper”. This chased down the Creeper code, and deleted it; which resulted in what was effectively the first antivirus software. 

So how did Bob’s experiment start all of this? Well, in the 1980s Soviet hackers considered the applications of this experiment. Academics designed applications that could be used to infiltrate other networks. This ideology quickly spread, and in 1986 German hacker Marcus Hess hacked into an internet gateway which was hosted at the University of California at Berkeley. This hacked connection was then used to piggyback onto the ARPANET. He hacked into a total of 400 computers, including mainframes hosted at the pentagon. 

How did this turn into such a profitable “business”? Hess planned on selling the secrets found on these computers to the Soviet KGB. Before he was able to do so, he was caught by the group effort put forth by the FBI and the West German government. His conviction was the first of its kind -- cybercriminal activity sentencing. The abnormality of the case resulted in a 20-month suspended sentence. 

At the same time as this was occurring, computer viruses started to become a serious threat. With the exponential growth of the internet, there were more connections that viruses could infect. The virus started to become a real problem.

The Middle

In 1988, Robert Morris woke up and decided he wanted to see just how big the internet had become. Morris, a software engineering student at Cornell University, wrote a program designed to spread across various networks, work themselves into Unix terminals, and begin replicating. The software replicated so quickly that it actually slowed down the early Internet, which caused major carnage. This carnage become known as “the Morris Worm”. Morris’ worm resulted in the formation of the Computer Emergency Response Team, known as US-CERT today. Morris was the first person convicted under the Computer Fraud and Abuse Act (CFAA). This act was introduced with the intentions to protect against unauthorized access. 

After Morris’ worm was handled, viruses began being developed at an absurd rate. The antivirus industry, which started in 1987, began to grow as a result. By the time the Internet was an accessible user-product in the 1990s, dozens of solutions were available to prevent devices from being infected. These solutions scanned the binaries on a computer, and tested them against a database of known virus-code. There were major problems with this protection method, such as the abundance of false positives. They also had a tendency to use a lot of the systems’ resources to scan for these viruses. Remember how slow dial-up used to feel? Your anti-virus could have been the culprit. 

The mid-90’s to late-2000’s were a prospering time for the world of viruses. While the figure was estimated to be a few thousand known viruses in the mid 90’s, that figure was estimated to be around five million by 2007. These different malware strains were either worms, viruses, trojan horses, or other forms. By 2014, 500,000 different types of strains were being created daily. This time truly was the malware boom. 

Who was stopping this boom? Well, nobody. Cybersecurity professionals needed to make an effort. Antivirus solutions simply couldn’t keep up, and while they might detect malware, they had a hard time preventing it. Innovations in cybersecurity developed quickly. First, endpoint protection platforms (EPP) that didn’t just scan for known code, they also scanned for code similarities. This meant that unknown viruses could be detected.

The End?

With advanced malware defeating endpoint protection regularly, it was time to further innovate cybersecurity measures. The timeline innovators had was cut short with the deployment of WannaCry. WannaCry was, at this point, the most devastating piece of malware that existed. WannaCry even shook the world of the most capable security professionals. It encrypted the data on a computer and forced the computer owner to pay in Bitcoin to regain access to these files. This deployment sparked an explosive increase in the cybersecurity industry. It was time for cybersecurity to surpass the capabilities of cybercriminals, instead of being constantly behind.

The only way anyone was able to determine if they were being infiltrated was to have a transparent network. Administrators began using endpoint threat detection and response (EDR) services to monitor their networks. This solution is still cutting edge by today’s standards. While this isn’t the end for cybersecurity, EDR services are extremely capable of keeping malware out of your network. 

If you would like to learn more about cybersecurity, or are interested in keeping your business’ data safe, call Coleman Technologies today. Our professionals can be reached by calling (604) 513-9428.

Some of the best cybersecurity methods are practices developed over the past few years. This is because social engineering, specifically phishing, has become a major problem. There are billions of phishing emails sent each year, and some of those are so convincing that even people who have had some basic cybersecurity training fall victim to them. To fight this, security firms have started to look to tomorrow’s technologies to help them mitigate risk today. 

Artificial Intelligence - The Future of Cybersecurity 

One of the most effective ways of combating this rise in hacking is to use the most dynamic technology you have access to and make a tool that will help you mitigate the massive risks. One way is to reduce the effectiveness of these hacks. In this case the technology is artificial intelligence.

When we talk about artificial intelligence, we are talking about having a machine that learns as it is continually exposed to threats. This will work to solve common issues at first, but as these systems advance, and are exposed to user behaviors, they will be able to replace access management systems. Since the AI will be constantly monitoring systems, as well as user behaviors, workplace roles, and common actions, it will be able to recognize a person without, the need for password-protected accounts and creating ubiquitously secure endpoints. If the system recognized any deviations, an additional form of authentication such as biometrics would grant or deny access. 

Cost will initially be a factor for businesses, especially small and medium-sized businesses, but as large companies begin to truly trust these platforms, they will have viable endpoint-protection systems for small businesses. 

Cybercrime Accelerates with 5G

5G and beyond will bring a lot of changes to the user experience, of course, but it will also make huge changes to cybersecurity. Before long, the AI systems that are being developed to thwart today’s cyberthreats will become essential systems for the sustainability of mobile computing. Just think about how much cyberthreats have multiplied over the past decade after the jump from 3G to 4G. The jump to 5G isn’t going to any less dramatic.

It will be crucial for cybersecurity professionals to be able to leverage systems that are both ubiquitously available to search through large streams of data while also being capable of learning on the fly in order to ascertain what data is potentially malicious and what data is less so.

Luckily there are still years before these types of systems will be needed. Unfortunately, there are enough threats out there to be a major problem going forward. The IT professionals at Coleman Technologies can help you protect your hardware and data. Give us a call at (604) 513-9428 today!

IT Security

Let’s start with IT security because it’s undeniably important if you want to maintain not just IT regulatory compliance, but business on your own terms. IT security, like the act of complying with regulations, is an act of risk mitigation. In the case of IT security, the risks are many and complex. You have the risk of operational issues like downtime. You have the risk of system corruption from hackers and other outside entities who are trying to break through (or in) and get access to your assets. There is also internal risk to physical systems, central computing infrastructure, and every endpoint on the network.  

In IT security, the amount of risk often dictates what kind of action is necessary, since reacting to the problems themselves isn’t a viable option. Thus, when protecting your network from threats, you will likely have to be much more comprehensive about your attention to detail as you would even under the most strictest compliance standards.

IT Compliance

Compliance also is all about minimizing risk, but to stay compliant, it’s more about focusing on following set-in-stone rules than it is about keeping systems secure. Most of the regulations that have been passed down by a government entity, third-party security framework, or customer contract have very specific requirements. This gives network administrators a punch-list of tasks that need to happen to keep their organization’s IT compliant with their various IT mandates. 

Insofar as it works to maintain digital asset security, many regulations are created to ensure that risky behavior is not introduced, while others are very specific about what data needs to be protected, and what systems need protection. In fact, some regulations barely touch the IT infrastructure, only dictating that the business purchase regulation-compliant hardware. 

Where Your Company Stands

Compliance standards typically depend on which vertical market your business does business in, or more specifically, how it uses sensitive information in the course of doing business. That doesn’t speak to your organization’s complete IT security strategy. In order to keep all of your digital (and physical) assets secure, there needs to be a dedicated plan to do it. After all, today the user is the most common breach point. 

With that truth it is important for the business that operates under the watchful eyes of a regulatory body to understand that you may be compliant, but still be at risk. It’s important that aside from meeting all the compliance standards set forth by your industry’s regulatory mandates, you need to put together a cybersecurity strategy that prioritizes the ongoing training of your endpoint operators. 

At Coleman Technologies, our technicians are experts in modern compliance standards and cybersecurity. Our team can work to simultaneously build an IT infrastructure, the policies to govern that infrastructure, and the endpoint monitoring and protection solution that will keep your business secure from threats, while also being compliant to any mandated regulations your business is under. Call us today at (604) 513-9428 to learn more.

Here, we’ll review the basic experiences that this scam subjects a user to as it sets the trap… and, of course, what your business can do to avoid these threats.

How Users Can Be Scammed

Put yourself in the shoes of a targeted user for a moment: just like any other day, you access your Gmail account and discover what looks like a Google Calendar invite. The invite is apparently for some kind of company-wide meeting (probably to discuss the company’s trajectory, policy changes, or something like that) to take place at the end of the workday. The message includes a link to the complete agenda, which can be accessed once a user confirms their credentials. You do so… and in doing so, fall for a scam.

This scam can be pretty safely categorized as “brilliant in its simplicity,” much like other phishing attacks can be nowadays. By using Google’s own convenience-based features, a fraudulent calendar event can be automatically added to a user’s Google Calendar, notifying the user. Fraudulent links send the user to a faked Google login page, where the user’s credentials are stolen as they attempt to log in. Alternatively, the link just begins installing malware directly to the targeted system. This scam has also proved effective against private users - informing them of some fabulous cash prize they’ve “won” through these fake Calendar entries.

How the Scam Was Uncovered

As it turns out, the details of this scam were reported to Google by an IT security firm in 2017, but Google has not made any steps to resolve it until recently.

The firm stumbled upon this discovery when a coworker’s flight itinerary appeared in an employee’s Google Calendar. From there, the researcher realized the implications of this accidental discovery, and quickly determined that users just don’t anticipate phishing attacks to come in through their Calendar application.

Can This Scam Be Stopped?

Now that Google has acknowledged the issue, a fix is currently being developed as of this writing. Until the point that a successful fix is deployed, you need to make sure your users are protected against this vulnerability.

The first thing they need to do is ensure that no Gmail events are automatically added to their Google Calendar. Under Settings in the Google Calendar application, they need to access their Event settings. From there, they need to deselect the option to Automatically add events to my calendar from their Events from Gmail.

To disable invitations to events from automatically adding themselves to the Google Calendar, a user needs to go through the same process, this time switching the Automatically add invitations option to the much safer “No, only show invitations to which I have responded.”

With any luck, this - combined with a little vigilance from your users - will protect your business from a phishing attack via its schedule. To learn more about how to protect your business against a variety of threats, subscribe to our blog, and give Coleman Technologies a call at (604) 513-9428.

Preventing Phishing

Phishing has been becoming more and more of a favorite tactic by hackers, meaning that you and your employees need to look at any messages that come in via your email (or other solutions) with a critical eye. Here are some practices to help you minimize the influence of phishing on your business:

• Watch for “Urgent” messages (or, for that matter, “URGENT!!!!!!” ones). Many phishers will try to manufacture urgency to make sure you click without taking a moment to consider it may be an attack. Resist this knee-jerk response.
• Review in detail. Many phishing messages show distinct warning signs, such as blatant spelling or grammar errors (but this may just be the person you’re talking to as well). You can find other, more reliable signs by giving any links or the email address of the sender the “hover” test. Without clicking on anything, hover your cursor over the links and a small pop-up box will appear. This box will show you the address that really sent the email, or the link that you would actually be redirected to. Check to make sure all the details are kosher. For these reasons, it’s recommended that you don’t click on any links in emails. Instead, retype the URL into your web browser.
• Double-check with the sender. If you have access to another means of communication with the supposed sender of an email, reach out to them using that other means to confirm that they sent it. If they didn’t, it’s a pretty safe bet that the email is fraudulent.
• When in doubt, assume the worst. If you just aren’t sure how legitimate a given email is, don’t click around in it. Assume that it is a phishing attempt, and report it to your IT provider.

Establishing Safe Browsing Habits

Unfortunately, there are plenty of threats that reside online, and it is only too easy for a user to unwittingly allow them in. Make sure your users abide by the following policies to minimize the threats you’ll potentially need to deal with.

• Think before you click. Similarly to links found in emails, there are plenty of opportunities online to let in a threat. Consider what you’re clicking on before you do so. (The “hover” trick works well here too… check out the bottom of the window.)
• Reserve business computers for business purposes. Non-work-related browsing can bring users to websites that can host threats without the user realizing. Discourage your users from surfing the web, downloading content, and doing other things online unless they are work-related.
• Moderate access. Use firewalls and content filtering to keep unwanted content off of your network, and users from accessing unwanted content, respectively.
• Trust your IT resource. If you are even the slightest bit unsure about something, whether it’s a program you’ve been prompted to install or making sure your settings are focused on maintaining security, reach out to IT for assistance.

Enforcing Strong Passwords

It seems that everything requires a password these days, which makes it all the more important that you and your users are aware of how to keep them safe - especially in the workplace.

• Don’t recycle passwords. Once a password has been used and replaced, it is best to not use it again - this is why you’ll often find a “you have used this password too recently” message if you attempt to use it again within a certain timeframe. This is the same reason that passwords should not be used for more than one account - if that password is compromised, you’ve just lost control of multiple accounts.
• Avoid easily-guessed passwords. As a way to try and come up with a password that is easy to remember, many people will resort to using common elements in their password - pet names, maiden names, birthdays or anniversaries - or use a simple phrase or a string of numbers. The entire point of a password is to make it so that others are unable to access one of your accounts, so making it something that can be guessed is counter-productive.
• Consider leveraging passphrases instead. Passphrases are not only typically more secure than a password, they also have a tendency to be more memorable. Let me ask you this… which of these two would you find more memorable, “F4njUJ29S5” or “pearquiethigh?” You can also use basic substitution to make you passphrase more secure, turning our example into “pe@rqu!e+h!gh” instead.
• Use a password manager. One of the main reasons that people reuse passwords so often and neglect to change them is the fact that they are scared of forgetting them. A password manager can help reduce this by securely saving all of your different passwords behind one master password. 

Protecting Your Business’ Data

Finally, there are many threats out there to your business’ data - including any you have on your clients or your employees. You have a responsibility to yourself, as well as these clients and employees, to make sure that this data is as secure as possible.

• Make sure your business’ data is backed up. There are so, so, so many ways that your business could lose its data. While it may be attacked, it could just as (if not more) easily be lost due to equipment failure, user error, weather conditions… the list goes on and on. If your on-site data is lost, you will want to make sure you have an up-to-date copy squirreled away in the cloud to reference.
• Protect your assets with access control. You need to be concerned about both the security of your digital files, and of your actual business location. If you’re using multi/two-factor authentication to secure your online resources, or requiring identity confirmation in order to enter certain areas of the business… you need to be doing both.
• Maintain your security solutions. The thing about security software is that it isn’t something that you can just set up and count on indefinitely. Attackers are always examining these solutions to find vulnerabilities, so it is important that you regularly update and patch the ones you use to keep them safe. Every solution you have should actually be set up with security in mind. A glaring example is your company’s wireless. Not only should that be secured with a password, it should be hidden away from outside users.
• Keep your payment options compliant. For your sake, and the sake of your clients, you should make sure your business is compliant to whatever regulatory standards that apply to it… including the Payment Card Industry Data Security Standard (PCI DSS).

Following these guidelines is a great start to ensuring your company’s security. Coleman Technologies can help get you this far, and beyond. Reach out to us at (604) 513-9428 to learn more about what we can do.

Any data you collect, you must protect. You might not think your business is big enough (or noteworthy enough) to be targeted by hackers, but the truth is, those are the reasons you are a target. It is estimated that by 2020, more than 24 billion devices will be connected to the Internet, so it is imperative that you follow simple, yet crucial, steps to ensure your data and information are kept safe.

Here are some variables you--and the other people on your network--need to be aware of. 

Phishing

Phishing attacks are some of the most prevalent attacks being made in 2019. Basically, users will send you an email that seems to be from a user the recipient might know. If a user interacts with that email by clicking on a link or downloading an attachment, the phishing scam is a success. A successful phishing scam is a huge problem for your business. 

You will want to train your staff on how to spot and avoid phishing attacks. Phishing attacks have been developed to be subtle and admittedly easy to miss. There are, however, several tell-tale signs that an email is legitimate. Hackers know that the weakest link in any business or organization is the employees. Do your employees know how to recognize an out of place email? It is crucial that you take the time to train your employees the art of phishing identification. 

Secure Passwords

Passwords are the standard in which most people use to keep files secure and to authenticate access to devices, platforms, programs, etc. Understanding what makes a strong password can go a long way toward securing your IT resources. Some best practices include:

• Creating strong, unique passphrases
• Changing passwords frequently
• Using Upper and Lowercase letters, numbers, and symbols

Multi-factor Authentication 

Multi-factor authentication, often rolled out as two-factor authentication, puts an additional step between you, and potential threats to your network or data. You use a password to unlock a 2FA/MFA platform that requires you to get a randomly-generated code from a third-party device to gain access. Since you need a third-party device/account to open the application, account, or device protected by 2FA/MFA, that account is more than twice as secure. 

Applications and Software Updates

In order to say ahead of security attacks, the software you use cannot have vulnerabilities. As a result, patching and updating software is essential to comprehensive security. If you are going to remain secure you will want to be sure to stay up-to-date on your updates. 

How Do I Know If My Systems are Safe?

So, you want to know if you are safe from a cyberattack? To put it lightly: nobody is. By associating security preparedness with cybersecurity and routinely taking proactive, preventative measures to enhance your security position, you reduce the chance that your organization will have to suffer from downtime, data loss, and reputation damage that a data breach would bring your company.

If you would like more tips; or, if you would like to talk to one of our experts about network security, call us today at (604) 513-9428.

May

May 2, 2019 - Citrix

Conferencing and digital workplace software company, Citrix, revealed that hackers gained access to the company’s network between October 2018 and March 2019. Data stolen included Social Security numbers, financial information, and data of current and former employees.

May 3, 2019 - AMC Networks

1.6 million users of AMC Network’s Sundance Now and Shudder streaming services had their data left exposed through a database that was left unsecured. Names, email addresses, subscription details were compromised. 

May 9, 2019 - Freedom Mobile

Freedom Mobile, a Canadian mobile provider had an estimated 1.5 million customers’ personal and financial information left exposed on a third-party server. The types of data left exposed included names, email addresses, mailing addresses, dates of birth, and credit card information.

May 13, 2019 - Indiana Pacers

The legal team behind the National Basketball Association’s Indiana Pacers was the victim of a major phishing attack. Employee and customer names, addresses, dates of birth, Social Security numbers, passport numbers, driver’s license numbers, medical insurance information, card numbers, digital signatures and login information. No number of affected individuals has been given by the team.

May 14, 2019 - WhatsApp

WhatsApp has experienced a security flaw that provided access to an Israeli government surveillance agency, NSO Group. NSO Group had limited access to the microphone, camera, and WhatsApp message text of the app’s 1.5 billion users. 

May 20, 2019 - Instagram

Facebook-owned Instagram, fell victim to a data breach that exposed more than 49 million Instagram influencers, celebrities, and brands’ Instagram information when an Indian-based social media marketing company left it exposed. 

May 24, 2019 - Canva

The 139 million users of Canva, a cloud-based graphic design tool, had their names, usernames, and email addresses exposed when hackers infiltrated their server. 

May 24, 2019 - First American Financial Corporation

First American Financial Corp., a leading title insurer for the U.S. real estate market, had 885 million customers’ Social Security numbers, bank account numbers, mortgage and tax records, wire transaction receipts, and driver’s license images compromised for all customers as far as back as 2003.

Other May breaches: Inmediata Health Group, Uniqlo, Wyzant, Flipboard, Checkers (the fast food chain).

June

June 3, 2019 - Quest Diagnostics

Almost 12 million patient records have been compromised when hackers took control of the payments page of AMCA, a major payment vendor for Quest Diagnostics. Data such as financial account data, Social Security numbers, and health information (ePHI) were left exposed.

June 4, 2019 - LabCorp

In the same hack, LabCorp announced that 7.7 million of its customers were impacted. 

June 6, 2019 - Opko Health

In the same attack, Opko Health had 422.600 customer and patient records compromised. 

June 10, 2019 - Emuparadise

The gaming website Emuparadise had their users’ IP addresses, usernames, and passwords exposed in a data breach. 

June 11, 2019 - Evite

More than 100 million users of the Evite event planning app have had their information put up for sale on the dark web. Information that was stolen included names, email addresses, IP addresses, and cleartext passwords. Some even had their dates of birth, phone number, or postal address exposed.

June 11, 2019 - Total Registration

Kentucky-based Total Registration, a facilitator of scholastic test registrations had their entire service compromised. Victims, who were mainly students who had registered for PSAT and Advanced Placement tests, had their names, dates of birth, grade level, gender, and Social Security number exposed. 

June 12, 2019 - Evernote

A security vulnerability in Evernote’s Web Clipper Chrome extension gave hackers access to the online data of over 4.5 million users. Exposed data includes authentication, financial, all private communications, and more.

June 20, 2019 - Desjardins

Over 2.7 million individuals and 173,000 businesses had their data stolen by a single Desjardins employee. Canada’s largest credit union, the hack resulted in the exposure of names, dates of birth, social insurance numbers, addresses, phone numbers, and email addresses of customers

Other June breaches: Oregon Department of Human Services, U.S. Customs and Border Protection, EatStreet, Dominion National

July

July 17, 2019 - Clinical Pathology Laboratories

Due to the AMCA breach that affected Quest Diagnostics, Opko Health, and Labcorp, Clinical Pathology Laboratories had 2.2 million patients’ personal and medical information exposed with an additional 34,500 patients’ credit card or banking information breached. 

July 18, 2019 - Sprint 

A still unknown number of Sprint customer accounts were hacked through Samsung.com’s “add a line” website. Some exposed information included names, billing addresses, phone numbers, device types, device IDs, monthly recurring charges, account numbers, and more. 

Other July breaches: Maryland Department of Labor, Los Angeles County Department of Health Service, Essentia Health, Fieldwork Software, Los Angeles Personnel Department

August

August 5, 2019 - Poshmark 

The online marketplace, Poshmark, has announced that they’ve been hacked. Usernames and email addresses of an unreported amount of clients have been exposed in the breach. Poshmark has nearly 50 million users.

August 5, 2019 - Stock X

The online fashion-trading platform had its over 6.8 million user accounts exposed. Data that was out there included customer names, email addresses, usernames and passwords, shipping addresses, and purchase histories. 

August 9, 2019 - CafePress

A data breach at CafePress, a custom t-shirt and merchandise company, exposed the names, email addresses, physical addresses, phone numbers, and passwords of over 23.2 million customers. 

August 15, 2019 - Choice Hotels

Hackers left over 700,000 guest records exposed in a coordinated extortion attempt on the Choice Hotel chain. Stolen information included names, addresses, and phone numbers. 

August 16, 2019 - Biostar 2

VPNMentor and independent security researchers uncovered a data breach containing over a million individuals’ facial recognition information as well as the unencrypted passwords and usernames of 27.8 million individuals exposed from Biostar 2, a biometric security platform. 

August 27, 2019 - Hostinger

Hostinger, a web hosting company sent out an email to their 14 million clients who had their information hacked through an API server. As a result, first names, usernames, email addresses, IP addresses and hashed passwords were exposed.

Other August breaches: Presbyterian Healthcare Services, State Farm, MoviePass

Before your business has its network breached, data stolen, and reputation irreparably harmed, call the security professionals at Coleman Technologies to do a full security assessment. We can help you keep your data and reputation intact. Call us today at (604) 513-9428 to learn more. 

Here’s what we know:

Capital One has admitted that the personally identifiable information (PII) of over 100 million American and Canadian credit applicants’ information has been exposed. The company did admit that no credit card account numbers or authentication credentials were compromised in the hack. They also go on to mention that in 99 percent of the files, social security numbers were not compromised. The largest category of information that was accessed were individual and small business credit applications that span from 2005 to 2019.

The perpetrator, Paige Thompson of Seattle, Washington, was a former software developer for Amazon Web Services (AWS), which took advantage of a firewall misconfiguration to gain access to the information, AWS confirmed Monday. The flaw came as a result of a setup error and not a flaw within the massively popular AWS.

The breach happened on March 22 to 23, 2019. Thompson was apprehended as a result of being reported to Capital One for storing incriminating evidence on her Github and Slack accounts. Capital One contacted the FBI on July 19, 2019 and after a short investigation, Thompson was arrested and indicted by the Western District of Washington.

The CEO of Capital One, Richard Fairbank released the following statement:

“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened. I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”

For a full report of the event, visit: https://www.capitalone.com/facts2019/

Capital One has said that it will inform you if you have been a victim of this massive attack, but if like many of us, too much is at stake to wait for the company to reach out to you, you can take some immediate steps to safeguard your personal information.

• Check your accounts - Account monitoring and fraud detection should be a major part of any action you take to secure personal information.
• Change passwords - One great way to at least feel more secure after a major hack like this is to immediately change your passwords.
• Freeze your credit report - One option you can take to protect yourself is to freeze your credit report, this won’t let any credit reporting services check your credit, meaning if someone were to try to take money out in your name that the banks wouldn’t be able to authorize credit.
• Avoid scams - A big part of keeping any data secure is to not give unauthorized parties access to it. That means avoiding phishing attacks and other scams.
• Continued vigilance - Vigilance over your account information, your personally identifiable information, and your overall financial health is more important than ever. As mentioned above, credit monitoring and fraud detection services give users tools to combat unauthorized access.

Keeping yourself and your business secure online is more difficult than ever. To learn more about data security, subscribe to our blog.

Before we get too deep, we want to emphasize that there are two primary categories for threats to your business: external and internal.

External

External threats are those that come from outside your business’ network. The majority of threats will fall into this particular category, and it contains a lot of big names that you have likely heard in the past. Here are a couple of examples of threats to your business, as well as what they can lead to:

• Viruses/Malware: these are malicious bits of code or full-blown software programs that can be customized by hackers to perform a certain role. It would take far too long to list off everything that can be done with these kinds of threats, as the options are literally limitless.
• Ransomware: Sometimes malware will encrypt the user’s files and demand payment for the decryption key. Without access to important files, businesses might crumble under the pressure, losing both money due to the payment and a little bit of dignity in the process. In cases like this, it’s important to never pay the ransom, as it only serves to fund further attacks.
• Spam: Hackers like to send countless emails with threats attached to them, hoping that someone will download them and expose their organization’s network to threats. Spam can be prevented for the most part, but if left unchecked, your business could wind up installing threats on your network by accident.

Internal

Internal threats can come from the most unlikely sources, as even the most well-meaning employees could accidentally expose your business to potential threats. Furthermore, there could even be more sinister forces at work with employees potentially trying to actively sabotage operations. Here are some ideas for threats and what could happen from them:

• Phishing Attacks: Your users are your weakest link. While you might think that you have an understanding of adequate security practices, they may not, leading hackers to utilize underhanded tactics to leverage this to their advantage. Phishing attacks convince users to click links, download attachments, or provide credentials/sensitive information.
• Account Hijacking: Let’s say an employee’s account is hijacked by an external threat. You might see account activity from your employee, but how do you know that it’s not someone else using their account? Data could be stolen, or worse.
• Access Control: Have you ever fired an employee? Have they ever resented you for it? Chances are they may have felt the urge to go into their old accounts and cause some trouble. These internal threats could lead to embarrassing situations, as well as a loss of control over certain types of data. It’s up to you to cut off access as soon as you can.

Does your business need help maintaining security and keeping track of the countless threats out there? Coleman Technologies can equip you with the best security measures on the market. To learn more, reach out to us at (604) 513-9428.

The Internet of Things is essentially a massive network of connected devices. Some of them have not traditionally taken advantage of network connectivity, but now depend on it. The more obscure examples of Internet of Things devices include kitchen appliances and other oddities, whereas the more usable devices include watches, wearables, connected vehicles, smart homes, and more. Some Internet of Things devices can even communicate with others, sending data and using it for a certain functionality. It all coalesces into a security disaster waiting to happen.

To prepare for this, you need to implement what’s called an Internet of Things policy within your workplace. Here are some ways you can keep the Internet of Things from devastating your business.

It’s Impossible to Stop Them All

One of the most valuable lessons of dealing with Internet of Things devices is that it’s impossible to keep tabs on every single device that enters your office. If you assume that each employee has a smartphone, a laptop, and at least one or two other minor devices, it all adds up. Therefore, you need to prepare for the worst by expecting it.

You Need to Do Your Best

The best way to protect against the Internet of Things is to be prepared for them. Implementing security measures is key, and the best ones for this situation include a Unified Threat Management system (UTM) and a Bring Your Own Device policy (BYOD). What this enables is the ability to eliminate threats and keep them from entering your network in the first place, including from your employees’ personal devices. It also helps to have a password-protected network so that passing devices don’t automatically connect to your wireless network.

Working with a managed IT provider like Coleman Technologies can make it easier to manage all of the devices that make their way to your business’ network. To learn more about what we can do for your organization, reach out to us at (604) 513-9428.