IT Security Tips for Businesses, Nonprofits, and Entrepreneurs
A broad security primer: how social engineering works, the attacks aimed at small organizations, and a practical checklist to lock things down.
What you'll take away
- Most attacks on small organizations come through social engineering, so the people are the front line, not just the technology.
- The main phishing types explained: deceptive phishing, spear phishing, whaling, and vishing or smishing, along with baiting, quid pro quo, piggybacking, and pretexting.
- What "information security" really means: keeping data confidential, intact, available, and accountable.
- A user-activity security checklist across devices, networks, cloud services, and users.
- A backup and disaster recovery checklist covering data storage, method of backup, and policies.
This is a recording of a session Jake ran on the fundamentals of IT security for small businesses, nonprofits, and solo operators. It explains how modern attacks actually work, why small organizations get targeted, and the practical steps that make the biggest difference. It is written for owners and staff, not for IT specialists.
You can watch the full session above, or read the summary and complete transcript below.
What the session covers
Jake opens with how social engineering works and the numbers behind attacks on small organizations, then defines what a secure setup means (confidentiality, integrity, availability, and accountability), works through the common phishing types with examples, and closes with a best-practices checklist and a backup and disaster recovery checklist.
Full transcript
Auto-generated captions from YouTube, lightly formatted (punctuation, spacing, and product names corrected). The recording above is the source of record.
Social Engineering 101
Hello everybody, I hope you're having a great Friday afternoon so far. My name is Jake from Umbrella IT Services, and today we are gonna be talking about Social Engineering 101, or IT security tips for small businesses, regular businesses, nonprofits, and entrepreneurs. So some of the topics that we're going to be covering today are: what is information security, what is IT security; we're gonna be talking about threats and liabilities for your small business; we're gonna be talking about social engineering tips; we're gonna be talking about phishing scams; and we're gonna be talking about a whole lot of other stuff. So without any further ado, we're gonna jump on in and I will go ahead and cover these topics for you. Hopefully you find them valuable. At a later date, probably this afternoon, we will have some timestamps below, so if you don't feel like watching the whole video you're gonna be able to look down in the description, click on the timestamp, and go to the topic that you want to watch. And if you want to train your staff and have them watch a section of the video, it'll be easier for them to watch that stuff as well. So without any further ado, let's go ahead and jump into the fun part of this: the statistics.
Ransom Statistics 2018-2019
Looking at these statistics here, you can see that 71% of ransomware attacks targeted small and medium business organizations in 2018, with an average ransom demand of 116 thousand dollars. So what that means is that 71 percent of ransomware attacks had an average cost to a small or medium business of a hundred and sixteen thousand dollars. So that's the cost to your business, that's the cost to your nonprofit, that's the cost to your startup if you end up getting hit by something like ransomware.

So what ransomware is, very very quickly, is a piece of software that gets installed on your computer like a virus. It can lay dormant or it can become active right away, and what it does is it locks your computer, it encrypts your computer, and it requires that you get a crypto key from the hacker that hacked your computer; then you can unlock your computer and decrypt it and gain access to your files again. So unless you have a good backup that's off-site, you're gonna lose access to all of your data if you get hit by ransomware, and you're gonna have to pay a hacker an average ransom of one hundred and sixteen thousand dollars USD. So obviously not a good time.

Then looking at the second little fact here, we've got sixty percent of organizations lose access to their data for sixteen days or longer after suffering a ransomware attack. So that means that if you, again, your nonprofit, you're an entrepreneur or a startup, or you're an established business, you're looking at 16 days of downtime if you get hit by ransomware, on average. So again, coupling that with the cost of one hundred and sixteen thousand dollars per instance of the hack, combining that with going down for sixteen days, this is a type of attack that's very difficult for most small businesses to survive. So it's very important to focus on security.

And the next little fact we've got down here is 54% of the people that have been hacked believe that their companies were too small to be ransomware targets. So I hear that from a lot of my clients, where they say we're too small, we're not important enough, we don't have any sensitive data, we're never gonna get hit by this stuff. And we have had to help more than a couple of our clients out, well, they've become clients of ours after they've gotten hit by this kind of stuff, and in retrospect they tell us: we never would have thought we would have gotten hit by this, we had an IT guy, he told us he's doing security, he told us that he was doing all these kinds of things. And it does become a problem for a lot of folks because they're not properly prepared or equipped to deal with these situations. So at the end of this presentation we will have a list of security tips and backup tips for folks.
Attack Vectors Used Against SMB Organizations
Looking up here in the top right corner, we can see the attack vectors used against small and medium business organizations, and that would also include nonprofits. You can see here the overwhelming majority of the types of attacks that came up were malware attacks. Below that we have account hijacking, so this would be where someone gets access to your account online; not very good. And then we've got targeted attacks, where people actually have their business hacked; DDoS attacks, which is where the connection from your business to the internet gets taken down; we've got malicious browser extensions, where someone will hack your Google Chrome web browser or something like that; or an internal employee or other vulnerabilities. So you can see the overwhelming concern here is malware, so that's what we're gonna focus on today: keeping people safe from malware.
Number Of SMB Data Breaches
Below we can see here the number of SMB data breaches: there's been a four hundred and twenty-five percent increase in data breaches targeting small and medium businesses from 2017 to 2019. So this is on a dramatic incline; there's a big increase in activity. A lot of these attacks now have been automated by these malicious hackers, and it is very important to make sure that you have the proper security and backup solutions in place to make sure that your association is going to be safe should you be targeted by these hackers.
What is “Information Security”
Moving on now, we're gonna kind of get into the nitty-gritty here and kind of define what is information security. So the formula that I use when I'm making sure that my clients' data is safe is I make sure that the confidentiality, the integrity, the availability, and the accountability of their data remain intact.
Confidentiality
Under confidentiality, your data needs to be confidential. You need to make sure that you're keeping your data confidential using data management policies and technical security solutions. So what that means is that if you don't want someone to be able to see your data, they can't see it; what is confidential remains confidential. That means you have to be securing user accounts, you have to be encrypting sensitive data, you want to make sure you're securing your devices and your networks both physically and digitally, you need to make sure you're using antivirus, you need to make sure you have a firewall, you need to make sure that you're managing data access. You don't want to have a file share set up where your receptionist has all of the same access to information as your CEO does; that's not going to work for any business. You've also got to make sure that you're implementing data management policies if you want to make sure that you're continuing to keep the confidentiality of your data secure. Moving on to integrity.
Integrity
As you can see here, we've got ensuring that your data has not been damaged or modified by human error, hardware, software, or security failures by regularly validating logs and reviewing data. So what this means is that when you go into your data, let's say you're looking at a spreadsheet that has passwords in it, which we don't recommend, or if you've got just a regular Word document for your budget for the year, you want to make sure that the integrity of that document remains intact. You don't want to have someone be emailing off data and documents to other people, they get sent back duplicates, and all of a sudden you have three or four different versions of this document. That's just as big of a deal to the integrity of your data as it is if someone goes inside of that document and maliciously alters it. So it's very important to make sure the integrity of your data also remains intact.
Availability
Next we have availability. So it's very important to make sure that your data remains available to you. That means if you have a server and it goes down, you have a redundancy plan in place and you're gonna be able to access that data. We talked about this on the last seminar, but it's got to be in three different places at all times, two of those places have to be different vendors, and one of those places needs to be completely separate from your active access. So it's very important to make sure that your data is available at all times. What we want to do there is make sure that you have a plan to keep your data safe. So again, make sure you're working with your IT provider or your IT service man, that he's gonna make sure, or she is gonna make sure, that your data is available at all times, you have redundancy in place, and you're eliminating single points of failure. If you have one network switch in your office that controls all of your internet, make sure you have a backup in your storage room. If you have one laptop, make sure that you have one backup laptop in case you spill coffee on it. If you have OneDrive set up and you're accessing things through the internet, make sure you have one computer where all that data is syncing locally, so you're still going to be able to access that data in case of a service outage. You also wanna make sure you're instituting automatic failover, which means that if something goes down it automatically comes back up through a backup or redundancy plan. So if you have one server, have a second server running; if you have a cloud service that you're using, have your local backup set up on your computer. So it's very important to make sure that you're using the right tools so that your data remains available to you at all times.
Accountability
Looking at accountability next, we want to make sure that when something happens in your business you're prepared for it. So what that means is that if you have a data breach, if you have a file go missing, if you have the integrity of a document get compromised, if the confidentiality gets compromised, you want to be able to go into your logs and look at what happened. So again, a lot of this stuff does pertain to your IT guy. If you're an HR manager, if you're a business owner, I would just recommend that when you sit down with your IT guy you ask him, how are you keeping the confidentiality in place? You ask her, how are you maintaining the integrity of our documents? And they should be able to give you answers to each of these questions, and as long as they don't set off any alarms you can continue to work with that provider; otherwise I would recommend getting a second opinion from another service provider. So looking at the accountability again, it's very important to make sure that if an incident happens you are able to check your logs, check your events, and see what happened. You can also get monthly reports from your provider that show all of the activity that's going on, so you can see what kind of accountability they have in place, and if it is too much and you think it's too invasive then they can dial it down. If you want to see more accountability, there are some of our clients that like to have screenshots of their employees' screens as they're working; other people like to just have "a hard drive is failing" and "files were deleted from this location". So it really does depend on what your needs are as a business owner, as an HR manager, as a small business, as a business, as a nonprofit, or as a start-up.

So moving on here, these are the threats and liabilities that exist for most businesses, nonprofits, and startups or entrepreneurs.
Devices
In terms of your devices, your devices are liable to a couple of different threats when compared to your networks, cloud services, and users. So looking at the devices side of things, you can see here we've got virus or ransomware infection; I'm sure everyone's aware of that. You got to make sure if you're on a Mac: Macs now get more viruses than PCs, so make sure that your Mac is running antivirus. We recommend using one; if you don't use SentinelOne, which is an AI-powered antivirus, we do recommend using ESET antivirus or Malwarebytes antivirus. So I'll probably link to those in the description down below if people are interested in that, but make sure that you're using something that's gonna catch a virus or ransomware should it breach your systems and get on to your devices.

The next thing that we usually like to warn people about is hardware damage. A lot of people don't consider this, but hardware damage is something that can happen, and you need to make sure that your device has a redundancy plan in place in case it happens to you. So if you have somebody spill coffee on a device, that's my favorite example, it happens all the time; if you are carrying it in a bag and you drop the bag, you throw the bag down too hard, you break the LCD. You don't want to not be able to work because of a silly mistake like that. You should always have a spare device somewhere in the office. It doesn't matter if it's your 10-year-old laptop that sounds horrible when you turn it on and dust spews out of it; it's better than not being able to work at all. So make sure that you have a redundancy plan in place for your devices.

Another thing that can happen is software failure. What we do in our management plans is we schedule the Windows updates and we schedule the third-party app updates to happen on a scheduled date like a weekend, maybe the third weekend of the month. So it's very important to make sure that if you are not doing that and you get a bad Windows update on Tuesday night, and you come in Wednesday morning and your computer is just doing the blue screen of death over and over again, you have that spare device you can bring out while your IT provider gets your computer back up and running.

And the next thing is data loss. I've seen a lot of people, they turn on their computers, the computer won't turn on, either ransomware or maybe, again, the integrity has been compromised on their machine or the confidentiality has been compromised, maybe someone accidentally deleted something and you didn't have a backup. You have to make sure that, number one, you've got redundancy in place for data loss, but number two, make sure that you're keeping your data in a secure place. I'm gonna talk about this next week; a good friend on LinkedIn requested that we talk about how to keep your data safe as a small business, so we're going to talk about that next week. But for now, if you're using OneDrive, if you're using Google Drive, if you're using Dropbox, if you know that you have files on a server, keep your information on the server. I've worked with so many professionals that put nine, ten, eleven hours into a document or into a script or into a legal agreement, and what ends up happening for these people is their computer will crash, or they'll just leave it open and forget to save and all of a sudden their computer will get turned off for maintenance or the power goes out, or they forget about it themselves and they close the window and they accidentally lose 10, 11, 12 hours of work. I've also seen people's desktops get entirely wiped out just from a hard drive failing, and they didn't want to have backups on that hard drive, and people are furious because they lost weeks or months of work. So make sure that you're avoiding data loss by keeping things on a cloud-based storage solution.
Networks
The next thing we're going to talk about is networks, really quickly. The outdated software and hardware for devices, that kind of applies to everything in terms of network devices, hardware, or this kind of stuff. Just make sure that your IT provider has scheduled updates. If you haven't seen a Windows Update in a while on your computer, that's perfectly fine; that means that they're doing their job, but in their reporting to you they should be telling you we've done X amount of updates this month, your Adobe is still secure, your Firefox, Chrome, Brave, whatever, it's all secure, your Windows updates are happening like this. It's very important to make sure that that stuff is going on, so you want to make sure that's happening all the time.

Looking at the outdated software and hardware side of things again, with the passive network threat you want to make sure that if you're looking at network security, your IT provider is considering passive network threats. So what that means is that if someone is going to be sitting outside of your office looking into your data, maybe they've got a device on your network that's capturing data; it means something that is capturing your data or intercepting your data or interacting with your network in a way that doesn't take it down. So this is the majority of network threats in my experience: you have somebody tap into your public Wi-Fi or your private Wi-Fi, or they've gained physical access to your server room and they're siphoning data out; that is the most common type of passive network threat. And when people are able to gain access to your private or personal information, obviously that can be a big problem and it can compromise the confidentiality of your data. So you want to make sure that you're considering passive network threats when you're considering a security plan.

Next is active network threats. So this would be something where someone is denying service to your business, so if you cannot connect to the Internet, or if you cannot connect to a server like a OneDrive server or an Adobe server or something like that, where they're actually taking down your network connectivity: maybe no one in the office can connect to the internet, or a select group of users cannot connect to the Internet. So you want to make sure you're considering active network threats and that you've got redundancy plans in place in case those happen. You also want to make sure that in case of communication failure, like I mentioned earlier, you have redundancy plans in place, and for hardware and software failures. So if you have one firewall, keep a second firewall in the back room, or purchase an extended warranty from somewhere like Cisco or UniFi where they're gonna be able to send you a new piece of hardware within 24 hours. It's very important to do a cost-benefit analysis and make sure that you know, is it worth it for us to spend an extra 200 bucks to have an extra UniFi Security Gateway? Probably, if you look at the cost of downtime for a day for your staff. Maybe it's not: if you buy something like a Cisco firewall and that ends up costing you seven thousand, six thousand dollars, it might not be worth having a second one of those, and maybe you're a smaller business and having your staff not work for the rest of the 4-hour day until Cisco can ship you a new piece of hardware, maybe it's not worth it. So it's very important to check those.
Cloud Services
Talking about cloud service threats and liabilities, you can have security breaches, so someone can actually hack into your account; very important to keep that in mind. You want to make sure you're using multi-factor authentication, you want to make sure that you're using very secure passwords, and you want to make sure that you're using device authentication and you're whitelisting devices that can access your account. Yeah, this is stuff your IT provider should be doing for you. It's also important, again, we got denial of service up there: if you can't connect to OneDrive, if you can't connect to Google Drive, if Adobe can't activate, that's also gonna cause downtime for you, so very important to make sure that you've got redundancy plans in place for that.

And then we've got data loss. Obviously someone can get into your Google Drive, they can get into your OneDrive, they can delete everything. A lot of people talk to me about this stuff and they say, well, why do we need a backup if we've got everything on OneDrive, it's already backed up? But what happens a lot of the time is people will go in, they'll hack your OneDrive, they'll hack your Office 365, or they'll hack your G Suite, and they'll delete all of your cloud data, and that syncs to all your devices. And people only have their data in two places; they didn't follow the 3-2-1 backup rule. So because they didn't have their data in a third location that's not active and not connected to their devices, they end up losing 25, 15 years' worth of business, and it's devastating. So again, very important to make sure that if you're using a cloud service you are backing that up somewhere else, and again making sure you have redundancy in place.

Another way that cloud services can be compromised is through non-secure applications. So a lot of the time I see people downloading apps onto their work machines, like Honey, the discount code application; I see people downloading Zoom all the time; Zoom is absolutely horrible for privacy and security; and I see people downloading other things, maybe it's a Google Sheets add-on that allows them to use specific Microsoft Excel formulas that aren't accessible on Google Sheets. So when you're allowing a third-party developer to have access to your accounts, you're giving them access to your files, you're giving them access to your Google account; sometimes that means they get your password, sometimes that means they can control files inside of your Google Drive. If anything happens to their application, if they're a very small team of developers and maybe they get hacked and targeted, your entire business could be at risk. So it's very important to make sure you're limiting the amount of third-party applications and tie-ins on your devices.

And the final thing is ransomware again. So a lot of these companies say that they are ransomware-proof now: Microsoft 365 says it's ransomware-proof, Dropbox says it's ransomware-proof, and I like to treat ransomware-proof the same way I treat waterproof. That means that if someone is saying that they are going to give you a ransomware-proof product, I don't believe them. It's very important to make sure that you're keeping in mind that there is no such thing as a waterproof product, it's water-resistant; it's not ransomware-proof, it's ransomware-resistant. So it's really important to make sure that you have backups and redundancies in place; that really is the best security, in my opinion and experience. There's no such thing as having a completely secure system. Every IT provider is gonna come in and build you a house of cards that they say is the best and it's the most secure and we're working with the best vendors, etc., etc., but at the end of the day there's a bunch of zero-days out there, there's a bunch of vulnerabilities out there that can compromise their systems. So as long as they're doing their best to maintain those four values we talked about earlier, and they're making sure that they have redundancy plans in place, and they're following the 3-2-1 backup policy, more than likely if your business gets targeted by ransomware you will be fine. You won't face that hundred and sixteen thousand dollar USD ransom, you won't experience 16 days of downtime; maybe if they do a good backup you'll experience one day of downtime or three days of downtime, and you won't have to pay that hundred and sixteen thousand dollars to the hackers. So again, it's very important to make sure that you have rules in place to address these liabilities.
Users
The next thing we're going to talk about is users. This is the way that 91% of attacks get into your business: it's not because of a piece of software, it's not because of a network, it's because of the human behind the screen. So 91% of attacks on small businesses occurred via social engineering in 2017, 2018, and 2019, so over 90%. It's very important to make sure your users understand social engineering, so we're going to talk about that very shortly. Social engineering is when the hacker hacks the human instead of the technology.

If humans are going ahead and being non-compliant with the policy, we need to make sure all users are being compliant with the policies you have in place. So again, we'll talk about those later, but that could be a data management policy, it could be an acceptable use policy for a personal device, it could be them giving out the Wi-Fi password to their friend in your office. There's a number of ways people can break policies, and it's really important to make sure that people understand the consequences of them breaking those policies, so make sure that doesn't happen.

Human error is another very common one. Again, we can't blame people for that, but it's important to make sure that if someone does accidentally delete something, or if they accidentally give out a password, or someone calls them and they accidentally give up this information, that you have that accountability in place and you can find out where this issue arose from, and then you can derive whether or not it was a malicious thing or it was an accident, and how you can work with your team to make sure it doesn't happen again. So when a fire happens, firefighters come in, they sift through the rubble, they find out what the problem was, they figure out how to make sure that they can tell the community what happened, and they can make sure it doesn't happen again. We want to have the same mindset when it comes to IT security.

And also negligence. So my favorite example with this is you have accidental discharge and you have negligent discharge with a firearm. If you are someone walking around and you have something go wrong, if you're carrying a loaded gun, you don't have the safety on, and it goes off, that's a negligent discharge. If you're someone that has an unloaded gun and just something happens where it's a total accident, maybe as you're loading the firearm it goes off, that would not be considered a negligent discharge. So there are a lot of things in place and a lot of policies and rules in place that people need to follow, and if they are blatantly violating those policies, that would fall under negligence, which in my opinion is not as severe as malicious activity, but it's a lot worse than an accident. If someone accidentally forgets to lock a door, it's not as big of a deal as if they were to just let someone walk through it. So very important to keep that in mind. So moving on to the next slide here; I'm going to be trying to make this very quick today.
Social Engineering
As I mentioned earlier, social engineering is a way that 91 percent of modern cyberattacks occur, so it's really important that we're able to identify these five different types here. We're gonna go through them very briefly before I show you guys some examples of what those look like, and then we'll show you how to protect yourself from these.
Phishing Scams
So looking at phishing scams: most phishing scams I'm sure people are familiar with. You get a text from RBC, you get a fake email from your boss, Microsoft says they're gonna delete your account unless you change your password in the next 15 minutes. So a lot of these phishing scams, as you can see, are fraudulent communication, so they're pretending to be something or someone that they're not. They use email, text, phone, or web; phone is very common these days. I'm sure a lot of people have got a call from "Microsoft" offering to fix your computer; it's not what they're doing. And there's a lot of people that will impersonate trusted sources. They'll try to spark an emotional response; again, they'll tell you everything in your account is going to get deleted unless you change your password in the next 15 minutes. It includes a call to action, so it'll say change your password right now, and they'll then install malicious software or collect information from you. To move on to the next form of phishing, which would be spear phishing: we're gonna go over all these very shortly, but just keep in mind if you see any of these things in an email and it seems a little bit fishy, it's best to call your IT provider, speak with them, maybe get a second opinion from a co-worker, and then you can delete the email or forward it off to an authority figure in the organization that can help you out with that.
Baiting
Looking at baiting: I haven't seen anyone fall for a baiting scam since probably 2007 or 2008; it's been probably 10 or 12 years. That's when you go to a website and you're the millionth visitor, so you've got a thousand-dollar gift card to Amazon. It's very, very difficult for people to fall for these these days; most people are aware that that's a scam. But just to go over quickly, it will bait the user; it will say hey, you've gotten this thing if you do this, so click here, you win $1,000. Digital bait, again, is the most common one. Physical bait is also quite common: maybe you'll get a phone call from somebody who says they're from the government and they need you to answer ten quick questions and then they're gonna send you 50 bucks. You know, I've gotten calls like that from "Microsoft" where they're doing an audit and they'll say we just need you to tell us, what's the complexity that you set on your password, do you have multi-factor authentication set up for your users? And they're just collecting information; they're just seeing, do you have these security measures in place, are you gonna be an easy target for us to hit, and if not they'll move on to someone else. So if you get a call from anyone asking for this sensitive data, hang up. No one is gonna call you that's a serious professional and start asking you questions like this. And again, the goal with baiting is to collect information and to install malicious software on your devices, your networks, your cloud services, or to collect data from your users.
Quid Pro Quo
The next thing we're going to talk about quickly is quid pro quo. So again, this is another, kind of interesting way that people collect data: they exchange services for critical data. So again, I'll give you 50 bucks, you give me some data. They can impersonate a trusted source; I've seen a lot of, again, "Microsoft", or another common scam that is starting to go around now is people will call in from your IT provider. So somebody goes on to the IT provider's website, they see some of the reviews on the website, they'll call that association and say hey, this is Bill with this company, I just started here, what's your password for this thing? It's very important to make sure you're never giving your passwords out online or over the phone. Even in person is okay, but over the phone, online, texting, I don't recommend it. The only time I recommend it is if you're able to verify someone in another method. So if someone emails you saying, hand over your password, you can call the person, but you have to make sure that you know the person, you have their number saved somewhere else, you're not clicking a link in their email and then calling them that way. And even then I really don't recommend giving out passwords; your IT provider should have your password information already, or they can reset your password and forward that to you through official channels. Again, it's very important to have these policies in place so that you don't have a miscommunication and you're not opening yourselves to this liability. And again, what they want to do: they want to collect information, they want to install malicious software on your machine. So a quid pro quo type of social engineering is you scratch my back, I scratch yours. Very important to keep that in mind.
Piggybacking

Unauthorized access. So again, there's a lot of people, maybe it's someone who's being the janitor; it's actually a very common threat, a lot more common than people think it is. It's called an evil maid attack, where someone will be a cleaner and they'll go into your business and they'll get access to your computers. Maybe they'll steal data, maybe they'll plant ransomware on your machine, etc., etc. So you want to make sure that you are physically restricting access to your devices. If your computers are just out and about, you don't want to go home for the night and leave it unlocked. You have to make sure that it's locked, you've got passwords on the screen, you've got a BIOS password protecting it, maybe it's fully encrypted. It's very important to make sure that you're preventing people from using unauthorized access to get to your machines. Another common way people do this is "hold the door": someone will be coming into an office, maybe you're a law firm and you've got a shared lobby, maybe you're a film production studio, or maybe you're just an accounting firm or a bookkeeping firm, and someone will try to get into your shared space by just saying, "Hey, hold the door, I'm friends with the guy who runs this company," and then you let them in, and then they get physical access to an area they shouldn't have physical access to. Another common way people do this is "can I borrow your laptop?" People will just say, "Hey, I just need to send a quick email," "Can I use your phone to make a quick phone call?", "Hey, can you text this person for me?", "Hey, can I use your computer really quick? I've got to Google something," or "I need to send an email." Don't give people access to your personal devices; it doesn't end well for anybody. And again, the goal here: collect information, install malicious software. Pretexting is
another one as well.

Pretexting

This is probably my favorite icon, but in-real-life phishing, that's what this is. So someone will actually show up, very similar to kind of like a Hollywood movie where people are all dressed up in a plumbing outfit and they come in and say, "Oh, you know, I need to access your pipes," or whatever. So what they'll usually do is impersonate your IT provider. This happens in major corporations; this doesn't happen very commonly with SMBs or with nonprofits. This happens in, like, ICBC; they've been hit by this a couple of times, or larger organizations, not ICBC specifically. But looking at this, you can see what they do is in-real-life phishing. So they'll say, "Hey, I'm an IT provider, we're doing a free audit, I just need access to your systems for the day," or "I'm from Shaw, I need access to your networking room," and people will let them in because, hey, you're from Shaw, you have a Shaw shirt, okay, come in. They'll let the guy into the networking room, he plugs in a couple of cables, he's gained access to your network, and it becomes very dangerous and a very slippery slope. So it's important to make sure that if people are getting access to areas that they shouldn't be, you've verified them in many different ways. So what they'll do, again, is establish trust with you, impersonate a trusted source, and they'll get access to information and install malicious software. So again, these are the five most common ways people will hack you instead of your technology, so it's very important to keep these in mind when you're interacting with people or giving them information or giving them access to your machine. So moving on, I just really want to quickly get into the four most common types of phishing scams. So number
one, the most common, is deceptive phishing.

Deceptive Phishing

So this is where you get an email from PayPal, Microsoft, maybe any generic source that exists that most people use: Facebook, Twitter, Instagram, etc. And it's asking for your password; it's giving you a call to action, like we talked about earlier in this slide here, where it is saying that you need to get an emotional response, it includes the call to action, they're trying to install malicious software or they're trying to get access to your systems. So that's the most common form of deceptive phishing: a generic message with a call to action that's trying to get an emotional response out of a user. So very important to double-check that stuff. If you get an email saying your stuff's going to get deleted, don't jump the gun.
Spear Phishing

Spear phishing: very, very interesting. This is incredibly common; this has worked on a couple of my clients, this has worked on a number of people that I know. This is getting very advanced and very scary. So spear phishing is when they've already collected information on you, and then they go ahead and contact someone else in your organization using the information you gave them, and they gain access to information or install malware. So a very common example, and a good example of this that happened to one of my clients: one of their partners, a vendor, was hacked. So let's say that they were a construction company and one of their parts suppliers was hacked. The parts supplier that was hacked, the hackers got access to all of their emails, and the hackers responded to an email that came in from the construction company within a half hour. So the construction company sent them a spreadsheet and said, "Here's the budget for this, are we good to go, can we make this purchase?" and the hacker responded saying, "I think that looks great, but I've made some corrections, here's the Excel file," and they sent him an Excel file that was actually a hyperlink to ransomware. So as soon as the construction company clicked on the Excel file, that was a direct response to a trusted vendor that they've been working with for years, we got about 50 different alerts all across the network on their devices that ransomware was detected; on over 50 different workstations it was detected on their networks. And it's very scary getting alerts like that, for the business themselves, when all of a sudden people are working away and you just have all these red triangles start popping up on all these different machines. So just because it's coming from a trusted source, you don't want to download or upload or access information that is not expected. So again, that doesn't mean you need to be paranoid about every interaction, every time someone sends you a file, but it's very important not to give out sensitive information, so that these hackers cannot trick you or your staff, because in my experience 99% of people will fall for that. If you get a response to an email thread that you're already in the middle of and someone says, "Yeah, I know Jim's on vacation, here's his timesheet, you can take a look at it," and you're already talking to someone about Jim's timesheet, you're going to respond to that, you're going to click on that email; it just happens. So again, it's very important to make sure you're using proper antivirus, proper anti-ransomware, anti-malware software, and it's important you have backups, because a lot of people get targeted by this stuff, because they're using the sensitive data they've gathered on your organization to target specific members of your organization to gain access or install malware.
Whaling

The other type of threat that happens nowadays, and it's becoming, again, very, very common, this happens a lot with a lot of our clients, is that they will go after the leading members of your association by pretending to be other leading members of your association. So let's say they go on LinkedIn, they look up who the CEO, the CFO, the CMO of your company is, or they could just know your small business with five people, they figure out who all the staff are, and they'll send a spoofed email. So for example, we have tech tips at Umbrella IT Services dot CA. They can go on GoDaddy and purchase a spoofed or a similar domain, so maybe it's "umbrella i i t services" dot CA, or it's an "i" with a slightly different language character, etc., and they would be able to send an email to one of my staff or to myself impersonating tech tips or impersonating one of my staff. And they're going to go after me saying, "Hey Jake, I'm on site, I got stuck here, I lost my wallet, can you give me 20 bucks, can you wire me 20 bucks or 500 bucks or whatever for this piece of equipment," or "I need to get a cab ride home," etc. So whaling is something that's becoming increasingly common, where they're spoofing someone, they're impersonating a member of leadership, they're contacting other members of leadership trying to get funds out of an account, they're trying to get access to, again, sensitive information, or they're trying to gain access to your accounts. Maybe it's your boss saying, "What's your password? I need it right now." There's a lot of different examples of this.
Vishing/SMiSHing

Another common scam, again one that most people don't fall for anymore, is "Microsoft" calling in doing a phishing scam, so a voice phishing scam, or a smishing scam, which would be an SMS or texting scam. So you'll get a text message from RBC or TD, or Wells Fargo for the American people, saying you've got a $5,000 rebate, you just need to click here, or the government messed up, you've got a $600 tax rebate, click here. I don't know a lot of people who fall for that anymore; most people getting phone calls from people from "Microsoft" know that it's a scam nowadays. So again, don't be too concerned about this type of threat anymore, but the spear phishing and the whaling threats, they are becoming increasingly common and very, very complex, so it's very important to keep an eye out for those. Now we're really quickly going to go over deceptive phishing scams, but I'm going to show you guys how you can protect yourselves from all of these threats that we've discussed today, and then we'll be wrapping up. So like I said, I want
to keep this a lot shorter today. So moving in quickly to deceptive phishing attacks: these are the types of messages you'll get in the original type of phishing that we discussed. So you'll get people doing these deceptive phishing scams, these generic messages, and the spear phishing scams where they use information they've gathered to target your association. So "official communication": this is very common, I've seen this a lot, where someone goes on your company website, they download your logo, they find out what color scheme you have. Maybe they do business with you, they send an email and they figure out what your signature looks like, and then they'll go ahead and send a big email to everyone in your staff saying, "This is a member of leadership, I've attached this document for everyone to review, please click here." And again, it usually includes company branding, and the call to action is usually saying complete this internal task: "We've upgraded your healthcare, click here," "We've got a big bonus for everyone, click here to download it," "Here's a new policy you need to read, click here," "Here's your report for the month, click here," etc. Looking at the shipment notification: this is also very common, and I've seen this be very effective as well, where you'll get a phone call from a vendor and they say, "Hey, we're going to deliver $6,000 worth of toner, printing toner, to your business," and a lot of people do say, "Okay, who ordered that?" "Oh, it was this person," that they found on LinkedIn. They go, "Okay, yeah, that's fine then," and as soon as you say yes over the phone, you're then liable for that order. That happened to one of our clients; a new receptionist, it was his first day, and it becomes very, very convoluted and messy. So again, very important to make sure that the data that you are giving out stays private, and if someone's calling you and you get a little bit of fishy vibes, it's always best to just hang up and call the vendor directly and see what's going on with that. So shipping notifications also can come from UPS. They know that you ordered something from UPS because maybe they get your emails, or maybe, again, whatever you're posting online: if you're posting something on Instagram saying, "Oh, I'm set for this," or you post on Twitter saying, "Oh, we've done a big order with Cisco, we're excited about this," then they can impersonate Purolator or UPS or FedEx, etc., and you'll get a fake email that says, "Here's the tracking for your item," and you click on it, it's a hyperlink, you've got ransomware. I think this is probably the scummiest type, the nonprofit requests. I think this is the scum of the earth; I hate these people. I've seen this happen more than a few times, where people impersonate the BC SPCA, or they impersonate the Burn Fund, or they impersonate, like, Ronald McDonald House, kids' hospitals. These people are disgusting. What they do is they pretend to be someone from that organization requesting a donation, and then they steal your credit card, or then again they gain access to your information, or they install malware to do ransomware. I've seen the ransomware equivalent with this.
Deceptive Phishing Attacks

They say they're a nonprofit and they need to have you go in and do a donation, and they steal your credit card information, and then they send you a receipt, and when you click on the receipt it installs malware. So you get hit twice, and it's really, really gross. But it is important to make sure that if someone calls you from a nonprofit, get the person's information, call the nonprofit back, and then go ahead through those channels. It's just always better to call people back through the official channels.
Application Notifications

Looking at the application notifications: again, as we mentioned earlier, PayPal, Microsoft, Adobe, etc. Maybe your account password's reset; it'll imitate the application branding, it'll lead you to a fake landing page, you'll reset your password, you'll enter your password, and then you're in trouble. So important to not trust those; always log in to your account and reset your
password if you need to do that.

Important Announcements

Important announcements: again, this doesn't come from internal leadership, this can come from a company like myself that's partnered with your company. So again, it's important to make sure that you're just vetting that call to action and you're making sure that it seems legitimate, you're making sure that you've talked to other people, or you call the company or the person that sent the email themselves, and you just verify that they've actually sent this to you before you go ahead and access it. And the final thing is the last reminders, which are laced with urgency: again, "Your password is going to need to be reset in the next 15 minutes," "You're getting locked out of your account," "All the information in your account is about to be deleted, you need to log in right now." So don't fall for this kind of stuff.
Security Strategies: Best Practices

Moving on to the next slide here, and this is the best practices. This is what you can do to protect yourself. So again, if you want to take a picture of this screen, be my guest, share this around; this is something that's very important for people to know. Make sure that as you're going throughout your day you're being wary of phishing scams. Make sure you're aware of any information you're providing to different people over text, email, or phone. Make sure you're not accessing suspicious links or advertisements. Again, you didn't win a million dollars because you're the millionth visitor; I'm really sorry, but you didn't. Use pop-up blockers. We recommend using the Brave browser; you can get that on Umbrella IT Services da /c TV, and we do get a little bit of a kickback from Brave for that, but the Brave browser will block pop-ups, it'll block trackers, it's very privacy-based. So very important: make sure you're using pop-up blockers. Don't plug unknown USBs into your machine. This is another very common threat: someone will get your company branding, put it on a USB stick, go into your office to do something, drop it, leave it on the receptionist's table, and people will plug that in, it'll automatically run a script, and it'll try to break into your computer. So don't plug unknown plug-and-play USB devices into your machine. If you can avoid it, avoid giving the internal Wi-Fi password to guests; that's very important. Make sure you're deleting emails from unknown or flagged senders. A lot of things in Microsoft 365 and G Suite now will actually tell you "this is a suspicious email" and it'll get rid of it. Do not access or download unexpected files from trusted sources. Make sure you're forwarding requests for help via text, email, or phone to your team. For us, we use the Umbrella button; maybe you have an email, or maybe you have another way to reach out to your team, and you can do that. But most important is that if someone has sent you a request for help unsolicited, you're not going to respond to that. You're going to reject the unsolicited offers for help via text, email, or phone, and you're going to go back and just send in an email to the provider. You want to make sure that you're never leaving devices unattended and unlocked, and you want to make sure that you're reporting irregularities, malfunctions, or other problems to IT, so they're able to catch this stuff if they're not already aware of it. Make sure you're never giving out personal information via email or phone. If you're talking to a vendor and you're having a good time, don't tell them you're going on vacation next week, don't tell them your kid's name; they don't need to know, a lot of people don't need to know this stuff, and they do use that maliciously. So it's really important, again: don't give out personal information via email or phone, and absolutely do not give out your passwords via email, text, or phone. Finally, we're going to come up to this user activity checklist before we get into the backup checklist, and then we're all done. So looking at the user activity
checklist for devices.

Devices

Make sure you're using a non-administrator account. So if you are trying to install a piece of software, you should get a little box that comes up and says "enter in your admin password"; you shouldn't be able to install applications directly. Makes things a little bit safer, puts up another barrier for viruses to get in. Make sure you've got scheduled software updates, to make sure you're going to stay up to date and secure. Make sure that you're installing anti-malware software on your machine to protect from ransomware and viruses. Make sure you're utilizing full disk encryption. So what that means is that if someone were to steal your device or it goes missing, they're not going to be able to access all of your data. I went to a local business here recently and I was going to clone their machine onto a new device, and I had forgotten that we set this up for them three years ago or four years ago when they purchased the machines, and I plugged the device into my hard drive to do the clone, and it actually came up with "no data available". And no matter what I did, for about 15 minutes, I wasn't able to get into the device, I wasn't able to clone it, I wasn't able to access any data. And then I plugged it back in, I turned the machine on, and it was fully encrypted using VeraCrypt, which is an open source piece of software. So again, that would have prevented me from breaking into their business, getting access to all their accounting, getting access to their passwords, etc. So make sure you're using full disk encryption. You're locking devices before you walk away from them. I do this because it's Windows key + L; for those who don't know, on Windows machines you can hit the Windows key and then L, and that'll lock your device immediately, so as I walk away I always just do the thumb and the pinkie on Windows key + L. You can do remote wipe functionality as well, so if you're using Microsoft 365 or G Suite and your device gets stolen, you can click a button, and the next time the device connects to the Internet all of your sensitive data will be wiped off of that machine. You also want to make sure you're using the device appropriately, so again, acceptable use is very important. You don't need to be installing, like, Diablo or StarCraft or video games, or letting your kids go on your work machine; it's often the case that will cause a lot more problems than it's worth. And also make sure you're using off-site backups for your devices, so if you spill coffee, you break it, you get a virus on it, whatever, you're going to be able to restore from the off-site backup.
Networks

For your network security, make sure you're restricting physical access to infrastructure. Again, you don't want to let random people into your networking room; it should have a PIN code or a lock on the door, it should be inside of a cabinet with glass or a full-on metal cabinet with some ventilation, so that people can't just walk in your networking room and plug in. You also want to make sure you're using secure networks whenever possible. So if you're going somewhere like Home Depot, or you're going to Starbucks, you're going to an airport, you want to make sure that you're using a VPN on an insecure network, and if you're at work you're not using the public network, you're using a private network. Also, looking at the
cloud services:

Cloud Services

You want to make sure that you're using multi-factor authentication on all of your devices, you want to make sure that you're not giving out passwords over email, phone, or text, and you want to make sure you're following acceptable use and data management policies.
Users

And for the users, you want to make sure that your staff and yourself are being trained regularly in social engineering and security awareness training; I usually recommend once a quarter. And you want to make sure that everyone is following best practices. So even if that means that they just have a little printout of this, or a printout of the phishing scams or the social engineering, on their wall, on the cork board, that they pretend to look at every morning, that's a lot better than not having that in their face, where they can go, "Okay, I've got a weird phone call, we can get some red flags here, it sounds like it's a phishing scam or it's a spear phishing scam." So it's really good to make sure that stuff stays present in people's minds. And the next thing, the final slide here, is
the backup and disaster recovery checklist.

Backup & Disaster Recovery Checklist

So again, feel free to make sure you go over this and the security checklist with your current IT provider; make sure you have all these boxes checked. But when you're choosing a
backup, you want to make sure that you're considering the data storage, you want to make sure you're considering the method of backup, and the policies.

Data Storage

So you want to make sure that the amount of critical data that you're backing up is being considered, the amount of non-critical data is being considered, the frequency of backups (maybe you don't need backups every day, or live; maybe you need that weekly), the data retention policy is also very important, and the location of the backups is very important. You need to make sure that if you need something from three months ago, and it's on a Tuesday at 4 p.m., you're going to be able to get that data. If you only need one backup a month, then set that data retention policy. But these are the five points that I recommend everyone go through, in terms of the storage of their data, with their IT provider. The location of backups is also very important. If you're a Canadian company, you cannot store your data in American servers. There's something called the Patriot Act which allows the American government to simply put in a request, a warrant, or, I forget the term right now, but the American government can essentially subpoena your data. So if you're a lawyer or you're a financial advisor or you're an accountant or someone that has sensitive data, the US government can simply pull your clients' data if it's stored in a Microsoft US server, if it's stored in Google's US servers, or Backblaze, or these other American providers. So make sure that the location of your backup server is also being considered.
Method of Backup

Method of backup is also very important. You want to make sure you have an on-site solution if you need something fixed right away: maybe all of your computers back up to your server in your office, and then you have a computer die, you can then just quickly do an on-site restore. An off-site solution is very important in case you get hit by ransomware, because your entire business is going to be locked down; you can then download the backups off-site, restore them to your machines, and get back to work. You also need to make sure if you only need file backups. Maybe you're a small business, you're an entrepreneur, you're a startup, you've only got one or two staff, maybe it's just you, and you don't care about your computer, you know what programs are on it, it's going to take you 20 minutes to set it back up if you have to reinstall Windows, and all you need is the files themselves backed up: go with the file backup. It's two, five, ten bucks a month; why not? If you go with the full system backup, that would be something that's more complex. So if you're an editor, if you're a lawyer, if you're an accountant or a bookkeeper that has a very, very complex setup in the way your Sage or your QuickBooks or your Final Cut or your Adobe Premiere is configured, and you don't want to spend five and a half hours reconfiguring the machine and trying to get into your workday and forgetting all these settings you have set up, or if you're a CEO and you've got a very particular way of doing business, you want to make sure you have a full system backup, so people can just download your backup, clone it on your machine, and it's like nothing ever went wrong. You also have to consider your downtime tolerance. So again, if you're a CEO or you're an editor and you've got a 16-hour day ahead of you, you don't really have a lot of downtime tolerance; if your IT guy comes to you and says it's going to take us a week to get you back up and running, that's straight-up unacceptable for a lot of my clients. Other clients, if I say, "You know what, this computer, you broke the screen on it, it's going to take us two weeks to get the parts in, you didn't purchase the extended warranty from Lenovo," etc., they go, "Okay, I don't need it for a month, so whatever, we've got the backup in the back room, you already restored the backup, I don't care if this takes a month to fix, thank you very much," and that's it. So make sure you're considering those as well when you're having the discussion with your provider. And then the final
thing would be the policies.

Policies

So as I mentioned before, the 3-2-1 policy: make sure your data is backed up in three places at all times, two of those being different vendors, one of those vendors being off-site. So if you use Microsoft OneDrive, you've got it in three different places using Microsoft, and you've got it inside of your computer itself; that means you need a third location. So maybe that's going to be Jungle Disk, maybe that's going to be Datto, maybe that's going to be Backblaze, maybe that's going to be your IT provider's custom backup solution. But as long as you've got Microsoft servers, your workstation itself, and the IT provider's backup, then you're okay. You want to assign responsibility for your backups. So again, if it's HR, because you're a small business, if it is going to be an IT provider, because it's one guy, or if it's going to be a company like mine, you need to have responsibility, because whenever something goes wrong, I can tell you this from experience, people just go, "Who, me? Who's this guy?" and then they just point the finger at everyone else. So make sure you have people that are assigned responsibility. Another thing that's important is determining unique threats for your business. So again, if you're a law firm, just have a bit of a think and say, "Okay, I don't think we're going to be targeted by the ice cream truck anytime soon, but there is a chance that our vendors that we work with, maybe it's an MRI clinic if you're a personal injury firm, maybe it's one of your corporate partners if you're a corporate firm." You need to make sure that you're considering the unique threats that could affect, again, the devices, the cloud services, the networks, or your users inside of your business, so please consider those. Make sure you're identifying critical data and resources. So again, the CEO's laptop, that one firewall in the back, your server, your Microsoft Office account: those things are critical information, you need to make sure they stay protected. You also have to make sure you're specifying your backup solutions, so you understand what's happening: your data is being backed up at this schedule, with this amount of data, at this date, to this location. Make sure you understand that stuff. And make sure you're scheduling recovery from backups. I see a lot of IT providers go, "We've got the backup in the business, never have to worry about anything," uh, CEO's computer gets smashed or coffee gets spilled on it, and they go, "Yeah, well, we didn't test your backups for the last eight months, and it turns out they weren't working properly, so we're going to have to wind you back to next year, sorry." Very important to be doing at least monthly backups. We do every week with our clients; we've scheduled recovery from backup every week. So very important, make sure you're doing the same thing, and regularly review your recovery procedures. So again, if you have a fire drill in your office and no one knows what the fire drill plan is, that doesn't help anybody. If you have things where people are running around and everyone's just running down the stairs because they haven't reviewed the fire safety stuff in a couple of weeks, that's not going to help anybody during an emergency. So make sure you're regularly reviewing your recovery procedures. And that's it. So yeah, again, thank you very much for attending this week's webinar about security. I hope these tips were useful, and we had a couple of disruptions with the door and the phone and all these kinds of things, so I do apologize about that. This is my second webinar, so I hope the next one will be a little bit smoother. But yeah, next week is going to be about preserving data for small businesses and nonprofits and entrepreneurs; thank you again to a friend on LinkedIn for requesting that, so I'll make sure that we put something together for that. And again, probably later this afternoon there will be timestamps in the video description down below, so if you just want to jump ahead and look at the best practices, if you just want to look at the different types of phishing scams, if you want to just look at the backup checklist, that will be down below in the description. If you like this video, please like it; if you want to see more content like this, please hit subscribe. And yeah, I hope you all have a great weekend, I hope you have a great day if you're watching this later on, and yeah, best of luck to everybody. And if you need anything else, please send an email off to Umbrella IT Services dot CA, and reach out to tech tips at Umbrella IT Services dot CA, or leave a comment down below with a video that you would like to see us do next time. So again
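The whaling section of the talk describes how a spoofed domain is built: a near-copy of the real one with an extra or doubled letter ("umbrella i i t services"), or a copy with one letter swapped for a look-alike from another script. The following is an added example, not code from the webinar or from Umbrella IT Services, of how a mail filter or a quick triage script can flag such senders before a staff member has to spot them by eye. The organisation domain `umbrellaitservices.ca` is assumed from the talk's own example; the sample sender addresses, the confusables table and the edit-distance threshold are constructed for the demonstration.

```python
"""Lookalike sender-domain check (added example; not code from the webinar or
from Umbrella IT Services).

Flags inbound sender addresses whose domain is a near-copy of the organisation's
own domain: a doubled or inserted letter, or a Latin letter replaced by a
look-alike glyph from another script.  All sample data is constructed.
"""
import unicodedata

# Glyphs that read as ASCII letters.  Illustrative subset, not a complete
# Unicode confusables table.
CONFUSABLES = {
    "\u0456": "i",  # Cyrillic byelorussian-ukrainian i
    "\u0131": "i",  # Latin dotless i
    "\u0430": "a",  # Cyrillic a
    "\u0435": "e",  # Cyrillic ie
    "\u043e": "o",  # Cyrillic o
    "\u0440": "p",  # Cyrillic er
    "\u0441": "c",  # Cyrillic es
    "\u0455": "s",  # Cyrillic dze
    "\u0443": "y",  # Cyrillic u
    "\u0445": "x",  # Cyrillic ha
    "0": "o",
    "1": "l",
}


def skeleton(domain: str) -> str:
    """Reduce a domain to the ASCII string a reader would perceive it as."""
    lowered = domain.lower()
    if lowered.startswith("xn--") or ".xn--" in lowered:
        # Internationalised labels travel as punycode; decode to see the glyphs.
        try:
            lowered = lowered.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    decomposed = unicodedata.normalize("NFKD", lowered)
    # Drop combining accents (i + diaeresis -> i), then map known look-alikes.
    base = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return "".join(CONFUSABLES.get(ch, ch) for ch in base)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, org_domain: str, max_edits: int = 2) -> str:
    """Classify one sender address relative to the organisation's domain.

    Returns 'internal' (our domain or a subdomain), 'lookalike' (a near-copy
    worth quarantining or banner-tagging), 'external' or 'invalid'.
    """
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        return "invalid"
    org = org_domain.lower()
    if domain.lower() == org or domain.lower().endswith("." + org):
        return "internal"
    org_skel, dom_skel = skeleton(org), skeleton(domain)
    if dom_skel == org_skel or dom_skel.endswith("." + org_skel):
        return "lookalike"  # differs only by accents or swapped-in glyphs
    # Compare the leftmost (brand) label so a doubled or inserted letter is
    # caught without flagging every short, unrelated domain.
    org_label, dom_label = org_skel.split(".")[0], dom_skel.split(".")[0]
    if len(org_label) >= 8 and edit_distance(org_label, dom_label) <= max_edits:
        return "lookalike"
    return "external"


def scan(addresses, org_domain):
    """Map each address to its verdict; the shape a mail-flow rule test wants."""
    return {addr: classify_sender(addr, org_domain) for addr in addresses}


if __name__ == "__main__":
    ORG = "umbrellaitservices.ca"  # assumed organisation domain, from the talk
    SAMPLES = [  # constructed sample senders
        "jake@umbrellaitservices.ca",
        "techtips@umbrellaiitservices.ca",   # doubled letter
        "jake@umbrella\u0456tservices.ca",  # Cyrillic i in place of Latin i
        "billing@paypal.com",
    ]
    for addr, verdict in scan(SAMPLES, ORG).items():
        print(f"{verdict:10} {addr}")
```

The `lookalike` verdict is the one to act on: route it to quarantine or prepend an external-sender banner, and pair it with the talk's advice to confirm any request for money or a password by phoning the person on a number you already have. The edit-distance check is deliberately limited to the brand label and to domains of eight or more characters so that short, unrelated domains are not flagged.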
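The policies section closes on scheduling recovery from backups, with the story of backups that had not been tested for eight months and turned out not to work. The following is an added example, not the webinar's or Umbrella IT Services' tooling, of the smallest useful version of that scheduled restore test: a SHA-256 manifest is recorded when the archive is written, and the test unpacks the archive into a scratch directory and checks every file against it, so a backup that silently stopped matching its source is caught before the day it is needed. The sample data directory, file names and archive are all constructed in a temporary folder.

```python
"""Scheduled restore test for a backup archive (added example; not the
webinar's or Umbrella IT Services' tooling).

Records a SHA-256 manifest at backup time, then restores the archive into a
scratch directory and verifies every file against that manifest.  The sample
office data and the tampered case are constructed for the demonstration.
"""
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def write_archive(source: Path, archive: Path, manifest: dict) -> None:
    """Write source as data/ in a gzip tarball with manifest.json beside it."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname="data")
        blob = json.dumps(manifest, sort_keys=True, indent=1).encode()
        info = tarfile.TarInfo("manifest.json")
        info.size = len(blob)
        tar.addfile(info, io.BytesIO(blob))


def create_backup(source: Path, archive: Path) -> dict:
    """Hash the source tree, archive it, and return the manifest written."""
    manifest = build_manifest(source)
    write_archive(source, archive, manifest)
    return manifest


def safe_members(tar: tarfile.TarFile) -> list:
    """Refuse entries that could write outside the scratch directory."""
    members = []
    for m in tar.getmembers():
        if m.name.startswith("/") or ".." in Path(m.name).parts or m.issym() or m.islnk():
            raise ValueError(f"unsafe archive entry: {m.name}")
        members.append(m)
    return members


def verify_restore(archive: Path) -> list:
    """Restore into a scratch directory and return a list of problems.

    An empty list means every file in the manifest came back intact; anything
    else is the failure the talk warns about finding only after the disaster.
    """
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(dest, members=safe_members(tar))
        manifest_path = dest / "manifest.json"
        if not manifest_path.exists():
            return ["manifest.json missing from archive"]
        expected = json.loads(manifest_path.read_text())
        restored = build_manifest(dest / "data")
        for rel, digest in expected.items():
            if rel not in restored:
                problems.append(f"missing after restore: {rel}")
            elif restored[rel] != digest:
                problems.append(f"checksum mismatch: {rel}")
        for rel in sorted(restored.keys() - expected.keys()):
            problems.append(f"unexpected file in restore: {rel}")
    return problems


def demo(tamper: bool = False) -> list:
    """Back up a constructed data set and run the restore test on it.

    With tamper=True the archive is rewritten after a file changed, but the
    original manifest is kept, simulating a backup that no longer matches what
    was recorded.
    """
    with tempfile.TemporaryDirectory() as work:
        root = Path(work)
        src = root / "office-data"
        (src / "accounting").mkdir(parents=True)
        (src / "accounting" / "ledger-2020.csv").write_text("date,amount\n2020-01-03,125.00\n")
        (src / "clients.txt").write_text("constructed sample client list\n")
        archive = root / "office-data.tar.gz"
        manifest = create_backup(src, archive)
        if tamper:
            (src / "clients.txt").write_text("truncated\n")
            write_archive(src, archive, manifest)
        return verify_restore(archive)


if __name__ == "__main__":
    for issues in (demo(), demo(tamper=True)):
        print("restore test passed" if not issues else "\n".join(issues))
```

Run `verify_restore` from a scheduled task against the most recent archive and alert on a non-empty result; the talk's weekly cadence maps onto that directly. The member check before extraction matters because a restore test is itself a place where a crafted archive could write outside the scratch directory.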