Technology Advisor Blog

Cybersecurity - Why you  need to train your employees

Posted by Ann Westerheim on 5/3/18 3:13 PM

In case you missed it... here's a review of our latest webinar on cybersecurity from earlier today.

Train, test, and prevent cyberattacks. Big companies make the headlines when there's a cybersecurity breach, and too many SMBs believe they are "under the radar". Today's threats are automated, and everyone is at risk. Some reports indicate that up to 95% of breaches are caused by human error.

Will your employees click on that link they're not supposed to click? Do they know not to plug in a USB stick labeled "Company Financials"? Cybersecurity requires layers of protection with attention to Technology, Process, AND People.

Training your employees is specifically required by the MA Data Security Law and other industry-specific regulations such as HIPAA. There's no such thing as 100% security, but don't leave your network exposed to avoidable human errors, and don't take on the liability of knowingly ignoring the law.

The Employee Security Training program is a cost-effective way to increase security, protect your business, and demonstrate compliance with the training requirements of the MA Data Security Law, HIPAA, and other industry-specific security compliance requirements.

Here's a recording of today's session on cybersecurity and employee training:

To learn more about the training platform and sign up, visit www.ekaru.com/training.

Tags: cybersecurity, training

Phishing:  Would your employees click on any of these emails?

Posted by Ann Westerheim on 3/15/18 2:02 PM

Everyone thinks they won't click on a phishing link, but when we run tests, there's always someone who does!

Phishing is the leading tactic used by today's ransomware hackers, typically delivered in the form of an email designed to impersonate a real system or organization. Often crafted to convey a sense of urgency and importance, the message appears to come from the government or a major corporation and can include logos and branding. They look like the real thing!

Would any of your employees click on these emails?

  • Tax Refund - Recipient is told they are due a tax refund and directed to a site to claim it.
  • Bank Account Low Balance - Recipient receives a low-balance alert for their bank account with an option to check the account.
  • Amazon Security Alert - Alerts an Amazon customer that there were several unauthorized attempts to access their account from an unknown device.
  • DocuSign Signature Request - Recipient is sent a request to electronically sign a document.
  • Webinar Reminder - Recipient is sent an email reminder that the webinar will begin in 1 hour.
  • Netflix Account Reset - Recipient is told their Netflix password has been reset and asked to change it.
  • IT Reset Password - Email sent from "IT" asking the recipient to reset their password.
  • eFax Email - eFax email with instructions to download the electronic fax.

These are all examples of typical phishing scenarios, and are actual emails we use as part of cybersecurity training. Everyone thinks they won't click on the link, but when we run training tests, there is always at least one person who does.

In a test scenario, the user is simply warned that they made a mistake, and it's an educational moment. However, if the email had been malicious, it could take down an entire organization with ransomware.

The concept of a "human firewall" is getting a lot of attention these days. A network firewall, security patch updates, DNS protection, and all the other technical layers needed for responsible network protection are only part of the solution. The behavior of every user on your network also affects your security (and the bad actors know it!). Don't forget employee security training as part of your overall cybersecurity strategy.

Tags: HIPAA, cybersecurity, ransomware, training, Microsoft Security Patches

Train Your Workforce so They Don't Get Caught by a Phish!

Posted by Ann Westerheim on 8/2/17 11:21 AM

The US Department of Health and Human Services Office for Civil Rights July #Cybersecurity update reminds you to train your workforce so they don't get caught by a phish! This statement is specifically targeted at healthcare "covered entities" but really applies to all businesses and computer users.

What is a phish? Phishing scams are attempts by scammers to trick you into giving out personal information such as your bank account numbers, passwords, and credit card numbers. The emails are carefully crafted to look like the real thing, but watch out! Users are trained not to open "suspicious" links, but what if the email looks like an important message from FedEx, your bank, or the US Post Office? Without training, users can't tell the difference.

Periodically testing users is also needed to make sure the training is working. Will your users click on the link? Run a test and find out. Otherwise, you really don't know.

A covered entity's workforce is its front line of defense, not only for patient care but also for safeguarding the privacy and security of its patients' protected health information (PHI). With the growing number of interconnected smart devices and increased use of interconnected medical record and billing systems, there has been a ten percent increase in the number of providers and health plans that have had HIPAA-related security violations in the past two years.

The Security Rule specifically requires covered entities and business associates to create a security awareness and training program.

You can read the full post by OCR here.

Not a healthcare organization? Read on. The Massachusetts Data Security Law, which applies to ALL businesses in Massachusetts, has very similar guidelines relating to the protection of personally identifiable information (PII). Any combination of a name and a social security number, driver's license number, bank account number, credit card number, etc., MUST be protected.

If you're concerned about cybersecurity in your practice or business, please contact us to find out whether you could be doing more to protect yourself. Short of disconnecting all computing devices, these threats are here to stay, and employee education and training are a key component of cybersecurity protection for everyone.

Cybersecurity protection involves layers of protection AND a comprehensive training plan for users.

Tags: Cybersecurity, email scams, training

Employee Training - Protect Your Company From Ransomware

Posted by Ann Westerheim on 5/18/17 8:08 AM

As I am sure you have heard, this past weekend we experienced perhaps the most extensive cyber-attack yet seen, as computer networks globally, in over 100 countries including the US, were infected by the WannaCry ransomware. Hopefully your company was able to avoid this infection, but don't relax: additional waves of WannaCry are expected, followed by increasingly sophisticated ransomware variants. Ransomware has not only become an increasingly profitable activity, but also provides a warped sense of technical accomplishment for the cybercriminals who successfully perpetrate it. WannaCry is just the beginning, and ransomware infections will continue, becoming ever more dangerous and difficult to stop, at the extreme threatening the very survival of your business. You must take steps now to protect your business.

While security technology will lessen the risk of ransomware infection or provide the ability to recover, there is no single technology product, or combination of products, that will fully protect your business from all cyber threats. The behavior of your employees represents your biggest vulnerability, and their actions are the most likely cause of security problems and data breaches. They must be trained to recognize and avoid the email phishing scams that trigger ransomware infections and other cyber exploits, and in how to use your company computing resources and protect your valuable data securely.

There are many great resources available to create "DIY" training for your employees, but this isn't enough, and a more structured approach is needed. All it takes is ONE employee making a mistake, and that person becomes your "weakest link". Also, the Massachusetts Data Security Law and other industry-specific regulations require employee training.

We can provide your employees with the necessary security training and reinforce it by testing their ability to recognize phishing emails, by providing weekly reminders and monthly security newsletters, and by supplying a set of Security Policies and Procedures. The value of this training and the complementary security services that protect your organization from ransomware and other threats will far exceed your small investment in time and money.

Please contact us at 978-692-4200 to arrange security training for all your employees at an affordable price. This can no longer be considered an optional service. You don't need to be on a support plan with us to sign up for training.

Download the Brochure

Tags: training, cybersecurity
