IT Alert: Security Awareness Training
Oct 11, 2022
Phishing attacks are on the rise and becoming increasingly complex! According to the 2022 X-Force Threat Intelligence Index, phishing is the most common way for cybercriminals to penetrate an organization. Once attackers have access, they launch larger-scale attacks, like ransomware, to paralyze the company by stealing data or inflicting financial loss. Today, phishing accounts for roughly 90% of data breaches and on average costs an organization $5 million!
While these statistics are troublesome, there are proactive measures business owners can take to protect their assets and reputation. The most popular preventative measure is instituting security awareness training – it’s a powerful defense asset with impressive ROI that maximizes your security spending while protecting your bottom line. Security awareness training programs are aimed at educating users (employees) to understand the role they play in helping to combat security breaches. Effective training programs should be ongoing and continuous while providing your users with best practices for good cyber hygiene, outlining the security risks associated with their actions, and ways to identify potential threat characteristics in email and on the web. Some training programs even incorporate simulated phishing campaigns to allow for testing and measuring employee vulnerability.
All in all, security awareness training enables your users to make smarter security decisions in their day-to-day roles, helping you manage the ongoing problem of social engineering and strengthening your human firewall.
There are hundreds of security awareness training programs available, but not all are created equal. When it comes to choosing the right training program for your organization, William Vaughan Company Technologies (WVCT) can help you determine which best suits your business needs. Contact us today to learn more and find out why you should devote a portion of your security budget to security awareness training.
IT Alert: Microsoft Permanently Disabling Basic Authentication
Aug 08, 2022
What Does This Mean?
Effective October 1, 2022, Microsoft will permanently disable Basic Authentication (Basic Auth) due to security concerns and outdated technology. The planned replacement is called none other than Modern Authentication (Modern Auth). So, what does this mean for your organization?
Basic Authentication & Security Issues
Basic Auth simply means an application sends usernames and passwords over the Internet as encoded text. These credentials are also often stored or saved on the device.
While the credentials are encoded, meaning converted to characters or symbols, encoding is not encryption and can be reversed without a key, so this form of authentication can expose usernames and passwords. Hackers may intercept the transmission, then decode and steal the information. Since Microsoft announced its disablement of Basic Auth in September of last year, there has been a notable spike in high-level attacks by cybercriminals. According to Microsoft, “As a reminder, Basic Auth is still one of, if not the most common ways our customers get compromised, and these types of attacks are increasing. Every day [you have] Basic Auth enabled; you are at risk from attack.”
Furthermore, Basic Auth does not support multi-factor authentication (MFA), which is the best protection against cyber-attack and is now required under Presidential order 14028. To learn more about MFA, check out our previous blog here.
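To make the "encoded, not encrypted" point concrete, here is an added example (not part of the original post and not Microsoft tooling): a short Python audit over constructed request records that flags clients still sending Basic credentials and shows the password is recoverable without any key. The record fields, client names and credentials are assumptions made up for the illustration.

```python
import base64
import binascii

# Constructed sample records (not real traffic): client, URL scheme, Authorization header.
SAMPLE_REQUESTS = [
    {"client": "legacy-imap-sync", "scheme": "http",
     "authorization": "Basic " + base64.b64encode(b"jdoe@example.com:Winter2022!").decode()},
    {"client": "scanner-smtp", "scheme": "https",
     "authorization": "basic " + base64.b64encode(b"svc-scan@example.com:p:ss").decode()},
    {"client": "outlook-modern", "scheme": "https",
     "authorization": "Bearer eyJ-constructed-token"},
    {"client": "broken-client", "scheme": "https", "authorization": "Basic %%%not-base64"},
]


def parse_basic(header):
    """Return (username, password) if header is a Basic credential, else None."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":          # scheme name is case-insensitive
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None                        # malformed header: nothing to report
    user, sep, password = decoded.partition(":")  # password may itself contain ':'
    return (user, password) if sep else None


def audit_basic_auth(requests):
    """List clients still sending Basic credentials; never echo the password."""
    findings = []
    for req in requests:
        creds = parse_basic(req["authorization"])
        if creds is None:
            continue                       # token-based or unparseable: skip
        user, password = creds
        findings.append({
            "client": req["client"],
            "username": user,
            "password_recovered": bool(password),  # decoded with no key at all
            "sent_without_tls": req["scheme"] == "http",
        })
    return findings


if __name__ == "__main__":
    for finding in audit_basic_auth(SAMPLE_REQUESTS):
        print(finding)
```

Every client this reports is a candidate for migration to Modern Auth; the token-based client is skipped because its header carries no reusable password.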
Modern Authentication
Modern authentication is an umbrella term for a combination of authentication and authorization methods between a client (for example, your laptop or your phone) and a server. With Modern Auth comes additional security features like MFA, smart cards, etc. Modern authentication doesn’t let apps save account credentials and is better designed for Internet scale and management.
Next Steps
If your organization has not begun the transition to Modern Authentication, it is mission-critical that you begin doing so now.
The US Cybersecurity and Infrastructure Security Agency (CISA) is strongly encouraging organizations to make the move immediately and to enable multifactor authentication.
WVC Technologies can assist you in this transition. Our partner, DMC Technology Group, and their certified team of technicians can walk you and your team through the process.
Connect With Us.
Greg Gomach
Senior Client Executive
Greg.Gomach@dmctechgroup.com
New Mandatory Requirement For Cyber Insurance
Oct 19, 2021
During the past year, ransomware attacks and other cyber breaches have skyrocketed, leading to significant changes in the cyber insurance marketplace. Historically, obtaining cyber insurance was simple and renewals were a matter of updates based on major changes within an organization. Fast forward to now, and notable shifts in insurance policies and regulations are taking shape. Underwriters are now asking for more information related to cyber controls and IT risk management.
Multi-Factor Authentication (MFA)
Multi-Factor Authentication (MFA) is now a minimum requirement for cyber insurance through most carriers. The message: if you have not incorporated MFA into your current IT environment, your organization may be considered a high risk, which would disqualify you from coverage.
MFA provides an additional layer of security above and beyond your traditional password protection. It requires users to validate their identity with additional credentials. These credentials could be the answer to a security question, the click of a button in an app for approvals, or even a biometric identifier such as a fingerprint. This extra layer of protection stops attackers as they won’t be able to access an account without all required credentials, even if they have stolen a password. The additional proof points confirm the person attempting to enter the system is truly who they say they are.
According to Microsoft, ‘up to 99% of cyber identity attacks can be prevented with MFA’. Google has also supported this with their research ‘which shows that simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks.’
If you already have cyber insurance, you more than likely will find stricter requirements during your renewal. If you are in the market for cyber insurance, you will need to incorporate MFA before you seek coverage. Carrier data proves those without MFA are at a much higher risk for extortion and therefore coverage is not obtainable.
Our WVC Technologies team can assist with your MFA initiatives to help you: one, qualify for cyber insurance quotes from multiple carriers, and two, help reduce your claims activity which can improve your insurance pricing.
Connect With Us.
Greg Gomach, WVC Technologies Senior Client Rep.