Have you ever felt frustrated by the flood of notifications from your multi-factor authentication (MFA) app?
Well, cyber criminals have too. And they're taking advantage of “MFA fatigue” to try to gain access to your sensitive business data.
MFA is essential for keeping your data secure. It adds an extra layer of security to your apps and accounts by asking you to verify your identity in two or more ways, such as a password and a code sent to your phone.
The constant alerts can be overwhelming though.
Attackers know this and will bombard employees – sometimes in the middle of the night – with a constant stream of MFA notifications. Which makes it more likely someone will authenticate a login attempt through frustration, tiredness, or just to get the notifications to stop.
But now there's a new weapon in the fight against MFA fatigue.
Microsoft Authenticator has introduced number matching as a way of making sure your MFA notification is from the correct login attempt, preventing cyber criminals from taking advantage of notification fatigue.
How does number matching work?
When you receive an MFA notification, the app will display a randomly generated number. You then need to input this number to authenticate the login attempt and prove you're not a cyber criminal trying to access your business data.
That's not all. Microsoft Authenticator also allows for biometric authentication, which means you can use your face, fingerprint, or other unique physical features to prove your identity and combat the threat of MFA fatigue attacks.
With these security measures in place, your business can stay ahead of cyber criminals and keep your sensitive data better protected.
If you already use Microsoft Authenticator, number matching is ready to use. Simply make sure your app is up-to-date, and you'll be protected.
If you use another MFA system and want to look at how to make your security better or easier, we can help. Get in touch.
Airports, hotels, cafés, even shopping malls, offer public charging points where you can boost your phone or laptop battery on the go.
They’ve been in the news after the FBI recently tweeted advice to stop using them. Crooks have figured out how to hijack USB ports to install malware and monitoring software onto devices as they charge.
The security risk of “juice jacking” was long thought to be more theoretical than real, but the tech needed to carry out an attack has gotten smaller and cheaper and easier to use. This means less sophisticated criminals are now turning their hand to it.
So how does it work?
The most common charging cables – USB-C and lightning – are dual-purpose. They have pins for charging and pins for data.
When you charge your device, you only use the charging pins. But a compromised charging port – or a cable that someone has left behind – could use both charging pins and data pins without you knowing.
When they use the data pins, criminals can install malware onto your device that gives them access to your credentials and other data. It’s a little like plugging your phone into someone else’s laptop.
To avoid the risk, the best solution is to always carry your own charger and cable, and plug it into a power outlet. If you have no choice but to use a public USB port, invest in something called a USB data blocker. This prevents data being transferred, but the device will still charge.
We help businesses stay secure and productive at the same time. If we can help you, get in touch.
One of the many cool things about the new wave of Artificial Intelligence tools is their ability to sound convincingly human.
AI chatbots can be prompted to generate text that you’d never know was written by a robot. And they can keep producing it – quickly, and with minimal human intervention.
So it’s no surprise that cyber criminals have been using AI chatbots to try to make their own lives easier.
Police have identified the three main ways crooks have found to use the chatbot for malicious reasons.
1. Better phishing emails
Until now, terrible spelling and grammar have made it easy to spot many phishing emails. These are intended to trick you into clicking a link to download malware or steal information. AI-written text is way harder to spot, simply because it isn’t riddled with mistakes.
Worse, criminals can make every phishing email they send unique, making it harder for spam filters to spot potentially dangerous content.
2. Spreading misinformation
“Write me ten social media posts that accuse the CEO of the Acme Corporation of having an affair. Mention the following news outlets”. Spreading misinformation and disinformation may not seem like an immediate threat to you, but it could lead to your employees falling for scams or clicking malware links, or even damage the reputation of your business or members of your team.
3. Creating malicious code
AI can already write pretty good computer code and is getting better all the time. Criminals could use it to create malware.
It’s not the software’s fault – it’s just doing what it’s told – but until there’s a reliable way for the AI creators to safeguard against this, it remains a potential threat.
The creators of AI tools are not the ones responsible for criminals taking advantage of their powerful software. ChatGPT creator OpenAI, for example, is working to prevent its tools from being used maliciously.
What this does show is the need to stay one step ahead of the cyber crooks in everything we do. That’s why we work so hard with our clients to keep them protected from criminal threats, and informed about what’s coming next.
If you’re concerned about your people falling for increasingly sophisticated scams, be sure to keep them updated about how the scams work and what to look out for.
If you need help with that, get in touch. Published with permission from Your Tech Updates.
Our phones are a goldmine of private information. Just think of all the financial details, personal messages, banking apps, photos and contact information that live behind that little glass screen.
And if your team use phones for work, they’ll often have access straight into company systems – email, contact lists, network access, file systems. So if they’re not kept as secure as any other device in your workplace, they can become a gaping hole in your cyber security.
Criminals know this, of course, which is why they target us through our phones just as much as they do through our networks and servers.
But cyber crime isn’t the only concern. Just losing your phone, or having it stolen, can put your data at huge risk.
So, whether you issue company smartphones, or your employees use their own, you should make sure everyone implements some simple security steps to protect your data and avoid disaster.
Start with making sure your people set up a PIN and a biometric login (like a fingerprint or face scan) to open the device.
Only install apps from trusted sources to make sure you’re using genuine software.
And enable Multi-Factor Authentication on all apps that store even a small amount of sensitive data.
Be careful about where you connect to Wi-Fi. If you work remotely or often connect to public networks, consider using a VPN – a Virtual Private Network – to add another layer of security. You never know who’s monitoring traffic on a public network.
Finally, ALWAYS make sure your phone is running the latest version of its operating software, and keep all apps up to date.
Smartphones have changed so much about the way we live – at home, and at work – but it’s too easy to take them for granted. And that could be a costly mistake.
If you need help to keep your smartphones safe, just get in touch. Published with permission from Your Tech Updates.
Have you ever tried to buy tickets for a huge event and found that the seller’s website has collapsed under the weight of thousands of people all trying to do the same thing at the same time?
The ticket site falls over – usually temporarily – because the server is overloaded with traffic it doesn’t have the capacity for.
Criminal Distributed Denial of Service attacks – DDoS, for short – exploit the same principle.
When a DDoS attack targets a business, it floods it with internet traffic in an attempt to overwhelm the system and force it to fail.
This results in the business and its customers being unable to access services. That may trigger a temporary failure, or it could be more serious. Last year, the average DDoS attack lasted 50 minutes.
That may not sound like a long time, but it’s enough to create angry customers, or to bring business to a grinding halt. And downtime can be costly.
The really bad news is that DDoS attacks are not only lasting longer, but they’re becoming bigger, more sophisticated and more common.
Recently, the biggest ever reported DDoS attack was reportedly blocked. At its peak, it sent 71 million requests per SECOND to its target’s servers. Prior to that, the biggest reported incident stood at 46 million requests per second.
Worse still, more businesses are reporting being targeted by DDoS attacks where criminals are demanding huge ransoms to stop the attack.
What does this mean for you?
It’s important you check all your security measures are up-to-date and working as they should be. Are your firewalls up to the task, with DDoS monitoring and prevention tools set up? And is your team fully aware of the importance of staying vigilant?
We can help make sure your business stays protected. Just get in touch.
AI chatbots have taken the world by storm in recent months. We’ve been having fun asking ChatGPT questions, trying to find out how much of our jobs it can do, and even getting it to tell us jokes.
But while lots of people have been having fun, cyber criminals have been powering ahead and finding ways to use AI for more sinister purposes.
They’ve worked out that AI can make their phishing scams harder to detect – and that makes them more successful.
Our advice has always been to be cautious with emails. Read them carefully. Look out for spelling mistakes and grammatical errors. Make sure it’s the real deal before clicking any links.
And that’s still excellent advice.
But ironically, the phishing emails generated by a chatbot feel more human than ever before – which puts you and your people at greater risk of falling for a scam. So we all need to be even more careful.
Crooks are using AI to generate unique variations of the same phishing lure. They’re using it to eradicate spelling and grammar mistakes, and even to create entire email threads to make the scam more plausible.
Security tools to detect messages written by AI are in development, but they’re still a way off.
That means you need to be extra cautious when opening emails – especially ones you’re not expecting. Always check the address the message is sent from, and double-check with the sender (not by replying to the email!) if you have even the smallest doubt.
If you need further advice or team training about phishing scams, just get in touch.
To protect your home from an intruder you make sure your doors and windows are all locked and secured. You might go further: build a fence around the perimeter, perhaps even get an angry-looking dog to stand guard.
But there’s no point going to all that effort if someone’s already broken in and set up camp in the basement.
Yet that’s the security policy of thousands of big businesses trying to protect their data from cyber criminals.
They do many of the right things. They invest in security software. They take a strong, multi-layered approach to security – including all the things we recommend, like multi-factor authentication, encryption, reliable backup systems and staff training.
But they don’t pay enough attention to detection and response. That involves constantly scanning systems for any sign that a crook may have gained entry somewhere, and having a process to stop an attack in its tracks. A new study shows that only a third of businesses place detection as their main priority, while two thirds say prevention is their primary focus.
That means they could be building 10-foot walls around their systems with intruders already inside. In-house security teams might be super-confident in the security measures they’ve put in place. But the data suggests that they’re being too complacent. The study reveals that more than eight in ten businesses experienced more than one data breach last year – even with good security in place.
Criminals are constantly finding ways to evade security. That tells us that we need to take a rounded approach, with strong prevention AND detection policies providing the best protection against today’s determined criminals.
If you need world-class security, get in touch today.
If you employ anyone aged between 16 and 19, you need to pay special attention to the cyber security training you’re giving your team.
A new study has revealed that a host of worrying online behavior has become almost normalized among many young people. And much of this activity is illegal.
We’re not talking serious cyber crime such as ransomware attacks or stealing data. But one in three 16 to 19-year-olds have admitted to digital piracy; and a quarter have tracked or trolled someone online.
Most of these behaviors may not directly affect your business. But some are so commonplace that too many young people view them as a part of everyday life. That’s not something you want them bringing to work.
Casual software piracy or illegal downloads on devices used for work could open the door to a massive security breach.
The answer is simple: Hold cyber security training for all your employees on a regular basis. This training should:
• Highlight the impact of bad online behavior and potential for security breaches
• Help everyone understand how this kind of activity can harm people – and your business
• Make everyone aware of the scams and attacks that your business is vulnerable to, as well as the part they play in keeping everyone protected
• Make the consequences clear for anyone found to be engaging in this behavior
If this is something you need some expert help with, it’s what we do. Get in touch. Published with permission from Your Tech Updates.
Another day, another scam. And this is a sneaky one.
Cyber criminals are getting smarter. This recent malware threat is unusually smart. It impersonates a highly trusted brand name to get a foot in the door.
Targets receive a convincing looking email that appears to come from a widely used e-signature platform. Attached to the email is a blank image that’s loaded with empty svg files, which are carefully encoded inside an HTML file attachment (stay with us here).
In short, it’s very clever and it’s tricking its way past a lot of security software.
That puts businesses like yours at risk. Because code within the image sends people to a malicious URL. Open the attachment and you could unwittingly install malware onto your device – or even your network – which risks exposing your data and leaving you open to a ransomware attack.
Recently, there’s been a wave of HTML attachment attacks on small and medium sized businesses, so it’s clear that companies need to take action to stay ahead of the criminals.
If you use software to sign documents electronically, double-check that emails are genuine before opening any attachments. There’s a reason why the criminals have chosen to impersonate a trusted name.
Taking things a step further, you could block all emails with this type of attachment, to prevent employees from being exposed to scam emails in the first place.
If you’d like any further advice, or help implementing extra security measures, get in touch! Published with permission from Your Tech Updates.
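As an illustration of the attachment-blocking advice above, here is a sketch of a mail-filter check that flags HTML attachments and looks inside them for base64-encoded SVG images carrying active content. It is an added example, not part of the original article or any vendor's product; the function names, the reason labels and the sample message are all assumptions made up for the illustration.

```python
import base64
import re
from email import message_from_string, policy
from email.message import EmailMessage

# An SVG embedded in HTML as a base64 data URI.
SVG_DATA_URI = re.compile(r"data:image/svg\+xml;base64,([A-Za-z0-9+/=]+)", re.I)
# Active content that a static image has no need for.
ACTIVE_SVG = re.compile(r"<script|<foreignObject|\son\w+\s*=", re.I)


def inspect_message(raw):
    """Return (filename, reason) findings for HTML attachments in a raw email."""
    findings = []
    msg = message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        html_type = part.get_content_type() == "text/html" and part.is_attachment()
        if not (html_type or name.lower().endswith((".html", ".htm"))):
            continue
        findings.append((name, "html-attachment"))
        body = part.get_content()
        if isinstance(body, bytes):  # e.g. sent as application/octet-stream
            body = body.decode("utf-8", errors="replace")
        for match in SVG_DATA_URI.finditer(body):
            try:
                svg = base64.b64decode(match.group(1)).decode("utf-8", "replace")
            except ValueError:  # malformed base64: nothing to inspect
                continue
            if ACTIVE_SVG.search(svg):
                findings.append((name, "svg-with-active-content"))
    return findings


def build_sample():
    """Constructed test message: HTML attachment wrapping an SVG with a script tag."""
    svg = '<svg xmlns="http://www.w3.org/2000/svg"><script>/* inert */</script></svg>'
    html = '<html><body><img src="data:image/svg+xml;base64,%s"></body></html>' % (
        base64.b64encode(svg.encode()).decode())
    msg = EmailMessage()
    msg["Subject"] = "Document ready for signature"
    msg.set_content("Please review the attached document.")
    msg.add_attachment(html, subtype="html", filename="document.html")
    return msg.as_string()


if __name__ == "__main__":
    for finding in inspect_message(build_sample()):
        print(finding)
```

A gateway rule could quarantine on the first finding alone, which matches the "block all emails with this type of attachment" option; the second finding helps triage messages that have already been delivered.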