How Does a Password Manager Work? 

A password manager requires one master password to manage all your accounts. The password unlocks your “Vault” to ensure your data is safe. Thus, you don’t have to keep a tab on many passwords. But, you can also take further security measures like two-step verifications and logging in your data on secure computers. 

Password managers offer both convenience and a high level of security. You use secured and unique passwords across all devices and manage these passwords. But, how do you trust a password manager to handle such sensitive information? 

The best password manage does “manual autofill”; where the password manager waits for the user to interact with the page.  It allows the user to select from a list of passwords. 

Why password autofill is so dangerous 

This feature isn’t completely safe. If you enable this feature and hackers gain access to your computer or web browser, it will be easier for them to infiltrate your accounts because the autocomplete feature will fill in all saved credentials. 

Tricking a browser or password manager into providing saved information is incredibly simple. All a threat actor needs to do is place an invisible form on a compromised webpage to collect users’ login information. Once the browser or password manager enters the user’s information, the hacker will gain access to that data. 

Using autofill to track users 

Shrewd digital marketers can also use password autofill to track user activity. For instance, they can track people based on the usernames in hidden autofill forms they place on websites and sell the information they gather to advertisers. While they don’t intend to steal passwords, there’s always the likelihood of exposure. 

One simple security tip 

A quick and effective way to improve your account security is to turn off autofill. Here’s how to do it: 

On Microsoft Edge – Open the Settings window, click Profiles, and then select Passwords. Disable “Offer to save passwords.” 

On Google Chrome – Open the Settings window, click Autofill, and disable “Offer to save passwords.” 

On Firefox – Open the Settings window, then click Privacy & Security. Under the Logins and Passwords heading, untick the box next to “Autofill logins and passwords.” 

On Safari – Open the Preferences window, select the Auto-fill tab, and turn off all the features related to usernames and passwords. 

The easiest way to protect yourself is to disable autofill in any browser you use. If you use a password management service – which we highly recommend – then they will instruct you on how to disable the browser autofill. It’s important to complete this step, because password management services will help you to address this serious security flaw by first verifying the authenticity of the website that you are trying to log in to, and then require your input to fill in the credentials before safely logging in. 

Having good password security habits can significantly protect your sensitive data.  

For more information on password manager tools or any other cyber security concern, reach out to us.  402.330.3600 or feedback@csiomaha.com. 

Some content provided from TechAdvisory.org. Source. 

Here’s a cyber security keywords list to help you out if you’re just getting started with cyber security: 

• Cyber-attack: A cyber-attack is any attack carried out by an individual or organization against the computer and information systems of another individual or organization. Common examples of cyber-attacks include computer viruses and email spoofing. 
• Malware: A broad term referring to malicious software that, once installed on your device, could enable hackers to gain access to it. Once that happens, cybercriminals may be able to control your device, steal your identity and commit fraud. 

• Spyware: Spyware allows cybercriminals to track and record all your online activities, as well as capture sensitive information, such as passwords.  

• DDoS: A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. 

• Vulnerability: Vulnerabilities are potential weaknesses in your company’s cyber security, which could be a superuser or admin account, third-party software, and more. 

• Exploit: An exploit is a term in cybersecurity meaning a code to reap the benefits of a software weakness or flaw in the security of any application or system. Cybercriminals use exploits to remotely access a network and deeper into the network. It is known as a piece of software or a sequence of commands that cause unintended behavior. There is a zero-day exploit as an advanced cyberattack defined.  
• Ransomware: Ransomware is a type of attack where information or services are held for ransom by the attackers. Once the victim of the attack has paid the ransom, they can continue using their computer or gain access to their accounts again. 
• Social Engineering: This is a deceptive tactic that uses social interactions—and often psychological manipulation—to obtain your personal information or gain access to your accounts. The fraudster behind a social engineering scam may pretend to be a representative of a legitimate organization. 
• Email Phishing: Email Phishing refers to the practice of masking your email with a fake email address. Using phishing, an attacker can send a malicious message via email that looks like it came from a legitimate email address. 
• Spoofing: With a spoofed phone call, the incoming number on your caller ID may falsely display the number of a well-known company or government agency.   

• Zero Trust is a security framework requiring all users, whether in or outside the organization’s network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data.  
• Multi-factor authentication (MFA): Also known as two-factor authentication, MFA requires you to provide at least two credentials when accessing your account—making it more difficult for hackers to gain access. 
• Unified Threat Management:  Unified threat management (UTM) describes an information security system that provides a single point of protection against threats, including viruses, worms, spyware and other malware, and network attacks. It combines security, performance, management and compliance capabilities into a single installation, making it easier for administrators to manage networks. 
• Endpoint Detection and Response:  Is a form of technology that provides continuous monitoring and response to advanced cybersecurity threats against enterprise networks and systems. EDR provides enhanced visibility into your endpoints (employees’ computers or smartphones) and allows for faster response time to these threats. 

• Business Continuity and Disaster Recovery Plans: Business Continuity Plan is predetermine process and procedures on how to run the business following a disaster. Disaster Recovery provides the plan on how to respond to a catastrophic event, such as a natural disaster, fire, act of terror, active shooter or cybercrime.  Businesses need both. 
• NIST: The National Institute of Standards and Technology is a company that helps set standards to protect consumers and keep industries competitive. 

This cyber word list doesn’t cover everything, but you can find out more by checking out the NIST glossary. 

You might not be a cyber security expert but knowing a few cyber security terms can help you be a better, more secure business owner. Knowledge plays an important role in the ongoing battle against cyberthreats.  

MFA is usually done in one of three ways and often times the user can pick which one they want. 

1. A PUSH notification – which means you have the MFA app installed on your phone and when you login to the application your phone automatically pops up the option to APPROVE or DENY the login request.
2. Revolving Token – which means you have the MFA application installed on your phone that creates a code called a revolving token.  The typical 6-digit code changes every minute of so in the app hence ‘revolving’.  When you login to an application with username and password, it asks you for the MFA token and you enter in that number from the phone app.
3. Text or Email you a code – when you login to the application it sends a random number code to your email or text and you enter that code during the login process.

If you are following that advice and using MFA, as you should be, you are likely getting a little fatigued by the seemingly constant need to approve your sign-ins on your phone or entering MFA codes.   

The bad guys are counting on the fact that you are getting “MFA Fatigued”. If they do have your compromised credentials, they are hammering away with the hope that you accidentally approve one of their sign-ins through your MFA push notification. Want to learn more about multi-factor authentication, here is a good article for you to read click this link. 

Here are 5 important things to remember about MFA notifications. 

1. If you receive an MFA push notification on your phone, be sure that it came immediately in response to a login event that you know you created.  Don’t approve an MFA notification on your phone if it was even a few minutes after your known login event, because that could have been enough time for the bad guy to have received your phished credentials and be trying to use them on their end.
2. Never approve an MFA notification just because your phone is blasting you with a bunch of them.  Don’t APPROVE just to make it go away and then later try to figure out why.
3. Always contact your IT managed service provider or network administrator when you get MFA notifications that you do not believe you triggered yourself.  Because remember that if you get an MFA notification that you didn’t trigger then the bad guy already knows your username and password, so your credentials are compromised, and something needs to be done.
4. Likely getting your password changed and monitoring for more malicious login attempts.
5. Eliminating PUSH notifications and always requiring a revolving token to be entered for MFA is one way to reduce the risk of MFA fatigue.  But it is understandable that users often do really like the push notifications for ease of use and so that needs to be considered also for the applications you are protecting.   

In the meantime, keep diligent and don’t let your guard down.  We do not want MFA fatigue to be the reason you get compromised.   

The employee receives an email appearing to come from their boss asking them to act “right away”.  Often the request is plausible so the employee needs to make a decision on taking action or questioning the action.  Will your employees pass this test? 

Sure, the firewalls, antivirus and encryption software can provide protection but your biggest asset for preventing a phishing scam threat is your employees. At the end of the day, your employees are your greatest defense against intruders — or your greatest weakness. 

According to 2022 data from the Ponemon Institute, employee negligence causes about 56% of security incidents, and each incident costs companies an average of $484,933. Your unsuspecting, friendly, and helpful employees are like sitting ducks in the cross hairs of a high-powered hunting rifle. They are perhaps the weakest point of attack and will almost certainly be taken advantage of… unless they are trained to be vigilant and alert. 

Having a comprehensive security awareness training program that each employee must participate is a grand goal. Getting the employees to internalize and live by what they learned is the challenge. Here are three ways to turn your employees from your greatest weakness to your biggest asset. 

Develop A Culture of Security. Cultures are defined and lived from the top down. Leadership and Management teams must commit to these cybersecurity policies, procedures, and processes. They must communicate the importance of good cybersecurity protocol. Employees should understand why it is critical that they be good cybersecurity stewards. Management should proactively police to make sure everyone is following protocol and often communicate the importance. 

Educate And Train. Create and implement a Security Awareness Training program that is mandatory, meaningful, and relevant. Teach your employees about common threats and dangers such as Social Engineering attacks. Make the training simple to understand and engaging by telling stories your employees can relate to. Show them how to use software and computers in a secure fashion. Explain what the correct processes and procedures are. Provide them with the critical training they need to effectively fight cybercrime. 

Evaluate The Effectiveness. There are only two ways to find out. One, wait for a real attack to occur and hope for the best – or – two, launch a simulated attack yourself. Controlled Phishing attacks, penetration tests, tabletop incident response exercises or even a Monday morning pop quiz can all be effective exercises to evaluate your employees’ level of understanding and compliance. Use the test results as an opportunity to re-engage with employees or even re-tool training efforts. Everyone will get better with practice.  

By putting a strong cybersecurity policy in place, you can be assured that your weakest link will become your strongest asset.  At CSI we offer robust email filtering and encryption tools as well as security awareness training and phish testing to help you and your team build a defense against phishing scams.  Reach out to us and we can tell you more.  

On a regular basis, businesses should access their vulnerability to being a victim of an attack.  This is known as a Vulnerability Assessment or Vulnerability testing.  Vulnerability Assessment is the practice of identifying, classifying, remediating, and mitigating vulnerabilities within an organization’s network. Once the vulnerabilities are discovered you can correct them and lower your risk of becoming a victim of a cybersecurity attack.  

A vulnerability assessment will discover common security weaknesses such as: 

• Operating systems and applications that are not current with the latest security updates or patches. 
• Unsecure legacy operating systems that are no longer supported by manufacturers.  

• Open ports on perimeter defenses and other devices that allow malicious attackers to easily gain access to your private computer network.  
• All Common Vulnerabilities and Exposures (CVE) that exist on the computer network. 

Common Vulnerabilities and Exposures (CVE) is a database of publicly disclosed information security issues. The mission of the CVE® Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. There is one CVE Record for each vulnerability in the catalog. Information technology and cybersecurity professionals use CVE Records to ensure they are discussing the same issue, and to coordinate their efforts to prioritize and address the vulnerabilities. 

It is important to conduct vulnerability assessments regularly, at least every quarter if not more frequently. Typically, a vulnerability assessment can be completed in a day or two.  

There are benefits to performing regular vulnerability assessments that include:  

• Identify known security exposures before attackers find them. 
• Create an inventory of all the devices on the network, including purpose and system information. This also includes vulnerabilities associated with a specific device. 
• Create an inventory of all devices in the enterprise to help with the planning of upgrades and future assessments. 
• Define the level of risk that exists on the network. 
• Establish a business risk/benefit curve and optimize security investments. 

The results of a vulnerability assessment are documented and provided to the business with recommendations around remediating any weaknesses found. Your reports often need the interpretation and insight of a security veteran. Working with an IT Managed Services Provider, like us, who know which fixes will be most effective in bringing your business databases, servers and other IT assets back to good health. 

Because the extent and variety of cybersecurity risk that businesses are trying to manage is overwhelming and resources to mitigate or eliminate the risks are scarce, businesses are searching for a solution.   

Cybersecurity liability insurance cover expenses that a business would incur directly because of a cybersecurity attack or incident. Examples of these expenses include:  

• Associated legal fees.
• Digital forensic services.
• Negotiation and payment of ransom to bad actors.
• Incident response and recovery services.
• Restoration of systems and applications.
• Public relations services.
• Breach notification and credit monitoring services.

The cost of these policies has traditionally been very reasonable and benefit of transferring complex cybersecurity risk was very convenient.  As attacks increase and more businesses are realizing they could be vulnerable to an attack, the demand for coverage continues to increase.  

According to a special report published by FitchRatings in May of 2021 the cybersecurity insurance market grew by a whopping 22% in 2020. The same report indicated that the average paid loss for a cybersecurity claim grew to $359k in 2020 from $145k in 2019. Insurance carriers are excited about the growth of the industry but recognize that underwriting efforts need to be more stringent.  

Cybersecurity insurance will continue to be an available option for businesses looking to transfer risk, but insurance carriers are going to be much more stringent about their underwriting process. Here are some of the expected changes: 

1. Expect a more comprehensive application process. Organizations will have to provide proof of specific controls such as: 

• Written information security plans, incident response plans and disaster recovery plans 
• Formal cybersecurity awareness training programs 
• Strict access controls 
• A sound data backup strategy
• Adoption of Endpoint Detection & Response (EDR) software
• Current operating systems, firmware and applications all patched regularly. 

2. Expect underwriters to require proof of cybersecurity controls being implemented and functioning as intended.

3. Expect automatic declines if key underwriting requirements are not in place. Insurers will be careful to not issue coverage to organizations that have do not have the appropriate plans, controls, and processes in place to mitigate cybersecurity risk. 

4. Expect premiums to increase, significantly.  The sharp increase of the average claim paid for cybersecurity insured has underwriters concerned about profitability.  

These changes being made to the underwriting process should encourage businesses to be more diligent about mitigating cybersecurity risk.  It is no longer good enough to purchase a policy, but businesses will need to allocate the proper resources (time, money, or human capital) required to build an effective cybersecurity program.  

Last fall we held a Cyber Security Awareness Webinar where we partnered with a national cyber security insurance company.  Click here to watch our webinar.   If you want to find out if you are meeting the necessary protocol to get insurance, contact us. 

With world focused on the Russia-Ukraine situation, cyber criminals see this as an opportunity to wreak havoc on the international business world.  Business owners and executives should be preparing for such attacks. 

Many executives believe that their company or industry is safe or not inclined to cyber-attacks. 
They must realize by now that the any organization can be a target of malicious hackers. Additionally, executives must recognize that successful cybersecurity attacks can have impact revenue, credibility with customers and even threaten business solvency 

There are two simple truths related to cybersecurity.
1.The risk and exposure related to cyber threats is at an all-time high and it is only getting worse.
2.Most organizations are struggling to build and maintain effective cybersecurity programs. 

Even as awareness is heightened about cyber-attacks, business owners are still not taking action or keep putting off adding additional layers of security.  Cyber attackers know this and love those businesses that keep putting off protecting themselves. 

 It means that these cyber attackers will continue to seize upon technology environments that have minimal defenses and target organizations that are unprepared to respond to cyber-attacks. Hackers love procrastination because it enables them to be successful. 

 So why are so many Executives procrastinating? The most common reasons why humans delay the start or finish of any given task are: 

• They lack the confidence or expertise to accomplish the job.
• They have a bias against the task itself.
• They have a fear of failure 

 Let us share with you ways to overcome this lack of action and develop an effective cyber security program for your company. 

• Face the inevitable – Addressing cybersecurity concerns can be hard, annoying, unattractive, or downright overwhelming. But you must appreciate the fact that it needs to get done. Learn more about why businesses need to invest in multiple layers of IT security.  
• Don’t worry – Do not worry about creating the perfect cybersecurity program, it will evolve and improve over time. The most important thing is to get started. 
• Contact us – Call or email us immediately and schedule a complimentary consultation session with our team. We can evaluate your current systems and provide recommendations based on our understanding all the nuances of cybersecurity.

If you read anything from us, READ THIS!!! People are having their Microsoft 365 accounts compromised at an alarming rate. It usually happens when you get an email from someone you know and trust. You click on the link they ask you to download, which eventually takes you to a webpage requesting for your Microsoft 365 credentials. The webpage looks just like the 365 login page but IT IS NOT. This would be a hacker’s web page, and if you just entered your 365 credentials, now they have your login info and everything in your email account is considered compromised.

These hackers usually then send out email from your account to people you know trying to accomplish the same thing. This attack is extremely difficult to prevent because these bad guys are using very legitimate websites to host their fake 365 login pages and the URLs are very dynamic, keeping them from easily being blocked by URL/Web security systems.

What can you do to stop this? 

1. The #1 way to stop these compromises is to have CSI help you enable Multi-Factor Authentication on your 365 accounts.  At this point, IT security pretty much requires that all important public login accounts should be using MFA. And your Microsoft 365 accounts definitely qualify as important accounts. storing tons of personal information and documents.  
2. Be extra cautious anytime you are prompted to enter in your Microsoft 365 credentials.  If you click on any links from an email that lead you to a web page asking for your 365 login info, assume it is likely a malicious website. Contact CSI to ask for help in identifying if an email is malicious. 
3. Don’t assume just because an email is from someone you know and trust that you should be OK clicking on links to access a file they supposedly sent you. Pick up the phone and check with them if you aren’t certain why they are sending you this email. 

If you do realize that you just entered in your 365 credentials after clicking on links in an email that didn’t really take you to anything you needed, then contact CSI RIGHT AWAY!  We can help you confirm the legitimacy of the email. If you contact us quick enough, we may be able to reset your password before the bad guys even have a chance to compromise the account. Like we always say, we are here to help you! 

Some of you may not know the HOW behind email encryption and that is perfectly fine. We do, however, want you to understand the WHY. 

What is actually contained in your office email is the most typical misconception surrounding encryption. It is a common belief that if you aren’t sending data sensitive emails that contain social security numbers, login information, credit card or bank account numbers, encryption is not needed. Unfortunately, hackers who gain unauthorized access to an email account can access attachments, content, and even hijack your entire email account. 306.4 billion emails are sent and received every day. Think of how many emails you alone send and receive every day. Email is a very common and trusted form of communication, but it can be extremely vulnerable.  

The 2020 Verizon Data Breach Investigations Report revealed small businesses account for 43% of breach victims. Additionally, the 2019 Varonis Global Data Risk Report revealed that only 5% of companies’ folders were properly protected. Is that shocking to you? We certainly think that it is… And the longer you use an email address, the more valuable that email address becomes. 

Emails are at risk when they are being sent and where they are stored. Encryption renders the content of your emails unreadable as they travel from one place to the next, so even if someone intercepts your messages, they can’t interpret the content. Do you want to become one of the breach victims or keep your data safe? It’s really that simple.  

As always, we are here to keep your data secure. For more information on email encryption, contact us today. 

Do you send sensitive data through email? And when we use the term “sensitive”, we are referring (but not limited) to names, phone numbers, account records, confidential documents, employee data, and so on…  

Email revolutionized communication, especially at the workplace. But with the reliance on email comes a responsibility to maintain the integrity of electronically distributed information.  

Do you take precaution to encrypt data such as credit card numbers, employee records and banking information? What about vendor credit applications, billing statements and other seemingly harmless documents? All of these could be used to compromise your company.  

As your Managed Service Provider, we are responsible for your data – all of it. By implementing email encryption, we can help you avoid identity theft, phishing, viruses and spam.  

According to Hosting Tribunal: 

• There is a hacker attack every 39 seconds 

• Cybercrime is more profitable than the global illegal drug trade. 

• Hackers steal 75 records every second. 

• 66% of businesses attacked by hackers weren’t confident they could recover. 

These are just a FEW of the statistics. In 2021, everyone is a target. Don’t allow yourself, your employees, or your business to fall victim to hackers. Let us keep your data and your email secure.  

For more information on data back-up, contact us today.