Keep Your Data Safe From Phishing Attacks!
Cybercrime is on the rise, and hackers are using any opportunity to take advantage of an unknowing victim to gain access to personal information for financial gain. One commonly used tactic is phishing. Phishing messages are crafted to deliver a sense of urgency or fear with the end goal of capturing a person’s sensitive data and can result in wire transfer fraud, credential phishing, malware attachments, and URLs leading to malware spraying websites. Phishing scams are getting more sophisticated on a daily basis, thus harder to detect and avoid. Here are five different types of phishing attacks to avoid: 1. Spear Phishing Attackers pass themselves off as someone the target knows well or an organization that they’re familiar with to gain access to compromising information (e.g., credentials or financial information), which is used to exploit the victim. 2. Whaling Whaling is a form of spear phishing with a focus on a high-value target, typically a senior employee within an organization, to boost credibility. This approach also targets other high-level employees within an organization as the potential victims and includes an attempt to gain access to company platforms or financial information. 3. Mass Campaigns Mass phishing campaigns cast a wider net. Emails are sent to the masses from a knock-off corporate entity insisting a password needs to be updated or credit card information is outdated. 4. Ambulance Chasing Phishing Attackers use a current crisis to drive urgency for victims to take action that will lead to compromising data or information. For example, targets may receive a fraudulent email encouraging them to donate to relief funds for recent natural disasters or the COVID-19 global pandemic. 5. Pretexting Pretexting involves an attacker doing something via a non-email channel (e.g., voicemail) to set an expectation that they’ll be sending something seemingly legitimate in the near future only to send an email that contains malicious links. What to do if you think you’ve received a phishing email? First, to help identify it as a phishing email, check to see if the signed-by field was generated by a DomainKeys Identified Mail (DKIM) or a service. For example, if you received an email from name@datto.com, you would see a DKIM in the signature that looks like this: datto-com.20150623.gappssmtp.com. This is how all emails through a domain are processed. Emails shared through a service (e.g., Drive, Calendar, Dropbox, Box, etc.) do not have a DKIM. Instead, you would see the signature of the provided service (i.e., signed-by dropbox.com). If you receive a file, and it is not signed by google.com, gmail.com, dropbox.com, it is likely phishing – delete it immediately. It’s important to remain vigilant and proceed with caution in these circumstances. Source: https://www.datto.com/resources/phishing-attacks-how-to-recognize-them-and-keep-business-data-safe
Common Cybersecurity Threats for Small to Medium Sized Businesses
October marks the beginning of Cybersecurity Awareness Month, a month-long campaign to raise awareness of the need for a collective and proactive approach to cybersecurity. The campaign comes when the threat to businesses is greater than ever. According to the FBI, since the beginning of the pandemic, there has been a 300% increase in reported cybercrimes, with a majority targeted at small-to-medium-sized businesses (SMBs). This increase is likely due to the global shift to remote work, with employees accessing company infrastructure from their home network and IT teams maintaining it remotely. Common Threat Vectors for SMBs A threat vector is a pathway or method used by an attacker to access the target system. These attackers can then steal data, information, or money from individuals or businesses by exploiting these vulnerabilities and gaining access to the system, such as the company’s IT infrastructure or employee’s email). Once they gain access, they are able to remotely control the IT infrastructure, install malware or ransomware, or steal data and other resources. Weak or Compromised Credentials Bad actors obtaining access to user credentials is one of the most common ways for cybercriminals to access target systems. There are several ways for them to obtain these credentials, such as when users fall victim to phishing attempts and provide their usernames and passwords to authentic-looking websites or use common/weak passwords that can be easily guessed. However, it is not only users who can have their passwords compromised. Network devices and servers also have credentials that can be compromised, where one compromised server can allow machine-machine movement throughout the network. To help avoid this risk, make sure that effective password policies are in place to avoid weak/common passwords and usernames, and enable multi-factor authentication (MFA) to reduce the possibility of breaches. Malicious Insiders A malicious insider is usually an unhappy employee who aims to sabotage or damage the organization that they work for. This type of threat is particularly difficult to protect against as employees need access to critical systems and sensitive data in order to operate the business. An employee with bad intentions can potentially disrupt business operations with actions such as deleting critical data or backup or providing secret information to a competitor. To try to mitigate this threat, limit access to critical systems to a minimum number of employees, monitor data and network access, and keep frequent backups of critical infrastructure Phishing Emails & Ransomware Phishing is a tactic used by cybercriminals to gain access to users’ credentials, banking details or to convince users to download potentially malicious malware or ransomware onto their machines. Many phishing emails share common features, such as attention-grabbing offers and statements, portraying a sense of urgency, and unexpected attachments. Even attachments with familiar file types should not be clicked on unless the authenticity of the sender is known, as it may contain viruses like ransomware. Ransomware is a growing concern for SMBs. Not only is ransomware becoming more and more prevalent, but the ransom to be paid is increasing as well. There are numerous ways ransomware can infect a system, from phishing attacks that depend on user error to more targeted attacks that depend on exploiting vulnerabilities in a business’s network. In the fight against ransomware, it is important to keep operating systems and applications patched and up-to-date to minimize vulnerabilities—install proper antivirus software and implement a solution for business continuity to quickly failover in case of a ransomware attack. Focusing on Cyber Resilience It is almost impossible to eliminate these attack vectors completely. As user error is a large component of all these common threat vectors, cybersecurity measures alone are not enough. Implementing a proper cyber resilience strategy to quickly and effectively recover from attacks is the only way to ensure that your business does not become the victim of a cybercrime. Datto’s Unified Continuity solutions can enhance your cyber resilience strategy by providing point-in-time restores to quickly recover and minimize downtime from events like disasters, malicious insiders, and ransomware. Interested in learning more about our Cybersecurity solutions? Give us a call or shoot us a message here: https://boring.com/contact-us/ Source: Nina Novak, Datto Blog
Facts about Cloud Security And How You Can Protect Against Data Loss
As cybercriminals continue to take advantage of the public cloud in their attacks, Sophos commissioned an independent survey of 3,521 IT managers across 26 countries* to reveal the reality of cloud security in 2020. The 2020 cloud security reality The survey provides fresh new insight into the cybersecurity experiences of organizations using the public cloud, including: Almost three-quarters of organizations hosting data or workloads in the public cloud experienced a security incident in the last year. Seventy percent of organizations reported they were hit by malware, ransomware, data theft, account compromise attempts, or cryptojacking in the last year. Data loss/leakage is the number one concern for organizations. Data loss and leakage topped our list as the biggest security concern, with 44% of organizations seeing data loss as one of their top three focus areas. Ninety-six percent of organizations are concerned about their current level of cloud security. Data loss, detection and response, and multi-cloud management top the list of the biggest concerns among organizations. Multi-cloud organizations reported more security incidents in the last 12 months. Seventy-three percent of the organizations surveyed were using two or more public cloud providers and reported more security incidents as those using a single platform. European organizations may have the General Data Protection Regulation (GDPR) to thank for the lowest attack rates of all regions. The GDPR guidelines’ focus on data protection, and well-publicized ransomware attacks have likely led to these lucrative targets becoming harder for cybercriminals to compromise in Europe. Only one in four organizations see lack of staff expertise as a top concern despite the number of cyberattacks reported in the survey. When it comes to hardening security postures in the cloud, the skills needed to create good designs, develop clear use cases, and leverage third-party services for platform tools are crucial but underappreciated. Two-thirds of organizations leave back doors open to attackers. Security gaps in misconfigurations were exploited in 66% of attacks, while 33% of attacks used stolen credentials to get into cloud provider accounts. For the details behind these headlines, and to see how your country stacks up, read The State of Cloud Security 2020 report. Secure the cloud with Sophos However you’re using the public cloud, Sophos can help you keep it secure. Secure all your cloud resources. Get a complete inventory of multi-cloud environments (virtual machines, storage, containers, IAM Users etc.). Reveal insecure deployments, suspicious access, and sudden spikes in cloud spend. Learn more Secure your cloud workloads. Protect virtual machines, the virtual desktops running on those machines from the latest threats, including ransomware, fileless attacks, and server-specific malware. Learn more Protect the network edge. Secure inbound and outbound traffic to your virtual network, virtual desktop environments, and provides secure remote access to private applications running in the cloud. Learn more Protecting your data starts here We work with only the best, enterprise level cloud vendors to ensure your data is always secure and always available. Contact us to find out more. Source: Sophos.com, Rajan Sanhotra
Helpful Tips About Disaster Recovery
The Truth About Disasters They can happen to any business at any time and the downtime they cause is truly catastrophic, many of which never recover. The strength to avert disasters and effectively handle the ones that occur starts with knowledge. Downtime is Common 90% of companies experience some form of downtime, which may result in loss of data, security, productivity, and revenue. (Down) Time is Money An hour of downtime costs $8,000 for a small company, $74,000 for a medium company, and $700,000 for a large enterprise. Planning Ahead The most powerful and flexible disaster recovery plan is local virtualization for SMBs and enterprises with physical or virtual servers. Disastrous Situations Disasters that cause downtime may be a result of hardware failure, human error, software failure, or natural disaster. Recovery is Painful The average time it takes a business to recover from disaster is 18.5 hours, but 43% of companies never totally recover. What could happen? Disasters of all kinds cause downtime that is damaging to a business. Disaster planning must encompass disasters of all types and sizes: fires, floods, fraud, ransomware, cyber-attacks, power or IT system failure, human error, acts of terror, and other unthinkable scenarios. While the type of disaster varies, the impact is typical: data and operational downtime that is truly disastrous. The devastating effect of downtime caused by disaster include irreparable damage to data, reputation, customer relationships, income, and business vitality. The best offense is a good defense; you must protect your business by understanding your vulnerabilities, safeguarding against the risks, and preparing for the worst possible business disruption with a plan for business continuity and disaster recovery that will shield your data, protect your business, and keep your systems available and reliable no matter what happens. Solutions They can happen to any business at any time and the downtime they cause is truly catastrophic, many of which never recover. The strength to avert disasters and effectively handle the ones that occur starts with knowledge. Datto SIRIS Disaster Recovery as a Service (DRaaS) for local, virtual and cloud environments, within a single platform. SIRIS is the leading BCDR platform for businesses. Datto ALTO Datto ALTO is the only continuity solution designed specifically for small business. Using image-based backup and a hybrid cloud model, ALTO delivers enterprise-grade functionality at a small business price. Datto NAS Data backup, recovery and business continuity for local, virtual, and Cloud environments, within a single platform. Keep every file safe and accessible with Datto NAS. How can I protect my business? Your disaster recovery plan must ensure that your entire business infrastructure can be recovered within seconds. You need a holistic, integrated disaster recovery plan that is reliable, simple, and quick. DRaaS offers a disaster recovery plan that is visible, scalable, and affordable. Business-critical data, systems, desktops, servers, and the entire infrastructure must be protected and recoverable. With secure local virtualization solutions, if disaster strikes, your entire infrastructure (physical or virtual) is virtualized instantly, empowering you to continue your business operations without losing any data, incurring any damage, or experiencing any downtime. Get DRaaS With Datto Datto SIRIS Disaster Recovery as a Service (DRaaS) for local, virtual and cloud environments, within a single platform. SIRIS is the leading BCDR platform for businesses. Explore Datto SIRIS Datto ALTO Datto ALTO is the only continuity solution designed specifically for small business. Using image-based backup and a hybrid cloud model, ALTO delivers enterprise-grade functionality at a small business price. Explore Datto ALTO Datto NAS Disaster Recovery as a Service (DRaaS) for local, virtual and cloud environments, within a single platform. SIRIS is the leading BCDR platform for businesses. Explore Datto NAS Need help learning about preparing for a disaster? Give us a call and we’ll examine your existing systems and see what will work best for you. Lakeland office: (863) 686-3167 | Tampa office: (813) 289-8805 Source: Datto.com
Five Things Your Company Needs To Do Now To Prepare For A Hurricane
June 1 marks the official beginning of the Atlantic hurricane season. Most people do some prepping on a personal level but is your business ready? Here is a list of five things your company needs to do in June before the first storm heads our way. Establish a plan. If you have not already created a disaster plan, now is the time to get it done. This plan needs to include the various scenarios you might encounter should you be at ground zero. Some of the items you need on this plan include: Will you need to close and evacuate? How do you notify your staff and customers? Do you have an alternate location to operate your business should your building be without utilities or be inhabitable? How will you access company data such as customer or patient records? Check your backups. It is so easy to get complacent with backups. Whether you are backing up to media or backing up to the cloud, now is the time to evaluate it. Not only do you need to ensure you are getting proper backups, you also need to ensure you are backing up everything critical. More than once, we have helped a company recover a backup only to learn a critical directory or database was left out. If you are still backing up to media, you need to do a test restore to be sure the backup is valid. Develop a communications plan. If there are power outages, landline phones, and cell phones may not work. If your business is mission-critical, you need to ensure you have an alternative means of communication such as satellite phones. Texting is also a great means of communication after storms. When bandwidth is scarce, you might not be able to make a phone call, but you will likely be able to send texts. Create an emergency response team (ERT). It is good to define a skeleton crew that can carry out your disaster plan. You must develop clear roles and responsibilities for each team member. You must also ensure the team has contact information and instructions on how to proceed should they be unable to reach someone on the ERT. Once the storm passes, you should have the ERT contact your entire staff to ensure they are safe and do not have any immediate needs. Be sure to not only train this team but consider doing some role-play exercises to be sure everyone is on the same page. Secure your building(s). Before leaving for the storm, it is smart to walk through your building and unplug any mechanical or computer equipment to protect it from surges. You may also want to consider covering key equipment with plastic tarps or bags in case of moisture intrusion. Also, if you have confidential paper files or portable media, be sure these are stored in a locked cabinet or safe. Should your building become insecure, you want to know your data is safe. Depending on your location, you may also want to install hurricane shutters. If you have a generator, be sure you test that early in the season and insure you have fuel ready. This is by no means an exhaustive list but should give most small businesses a good start. If you would like help developing a comprehensive list, we’d love to help. Contact us for a free consultation.
What is Business Continuity & Disaster Recovery?
What Is Business Continuity? Business continuity is the process, policies, and procedures related to preparing for recovery or continuation of business infrastructure critical to an organization after a natural or human-induced disaster. Whether the business is small or a global enterprise you need to know how you can keep going under any circumstances. Business Continuity Vs Disaster Recovery Disaster recovery is a subset of business continuity. While business continuity involves planning for keeping all aspects of a business functioning in the midst of disruptive events, disaster recovery focuses on the IT or technology systems that support business functions. A Complete Disaster Recovery Solution A proper business continuity solution should proactively protect clients’ systems and data against disasters of all type. An MSP should offer a business continuity solution that can rescue businesses and get them back online within minutes of any of these disasters: Hardware and software failures Natural disasters Unintentional human error or malicious actions Ransomware and other cybersecurity threats What to Look for in a Business Continuity a Solution? Here are some more key things to consider when looking for a solution: Hybrid cloud backup: A hybrid approach fixes the vulnerabilities that a cloud-only or local-only possess. Superior RTO and RPO: Think in terms of business continuity rather than simply backup, and calculate how much downtime your business can endure and still survive (RTO) as well as how much data you can afford to lose (RPO). Image-based backup: Make sure that the backup solution takes images of all data and systems rather than simply copying the files. Interested in learning more about our Business Continuity & Disaster Recovery Solutions? Give us a call or shoot us a message here: https://boring.com/contact-us/ Source: Datto Blog
Are your credentials in the Dark Web?
Digital credentials are at risk 39% of adults in the U.S. use the same or very similar passwords for multiple online services, which increases to 47% for adults ages 18-29. Passwords are a twentieth-century solution to a twenty-first century problem. Unfortunately, usernames and passwords are all that stands between your employees and vital online services. A good security practice is to use a completely different password for every service. How are credentials compromised? Phishing – Send emails disguised as legitimate messages. Malvertising – Inject malware into legitimate online advertising networks. Watering Holes – Target a popular social media, corporate intranet. Web Attacks – Scan Internet-facing company assets for vulnerabilities. How does a hacker use credentials? Send spam from compromised email accounts. Deface web properties and host malicious content. Install malware on compromised systems. Compromise other accounts using the same credentials. Exfiltrate sensitive data (data breach) Identity theft Data is sold at auction For those who make credentials available on the Dark Web, the financial rewards can be significant. A criminal dealing in stolen credentials can make tens of thousands of dollars from buyers interested in purchasing them. And by selling those credentials to multiple buyers, organizations that experience a breach of credentials can easily be under digital assault from dozens or even hundreds of attackers. The numbers are staggering The average number of data records per company, including credentials, compromised during a data breach is 28,500! Protecting against compromise While there is always a risk that attackers will compromise a company’s systems through advanced attacks, the fact is that most data breaches exploit common vectors such as known vulnerabilities, unpatched systems and unaware employees. Only through defense in depth – implementing a suite of tools such as security monitoring, data leak prevention, multifactor authentication, improved security awareness and others – can organizations protect their credentials and other digital assets from seeping onto the Dark Web. We keep you out of the Dark Web Small businesses need Dark Web Monitoring for today’s cybersecurity risk. Protect your business and secure your assets. We make Dark Web Monitoring affordable enough for small businesses to take advantage of enterprise-level actionable intelligence. Contact us to learn more about our Dark Web Monitoring services.
5 Common Social Engineering Scams
Social engineering scams have been going on for years and yet, we continue to fall for them every single day. This is due to the overwhelming lack of cybersecurity training available to the employees of organizations big and small. In an effort to spread awareness of this tactic and fight back, here is a quick overview of common social engineering scams. Managed service providers (MSPs) have an opportunity to educate their small and medium business clients to learn to identify these attacks, making avoiding threats like ransomware much easier. Phishing Phishing is a leading form of social engineering attack that is typically delivered in the form of an email, chat, web ad or website that has been designed to impersonate a real system, person, or organization. Phishing messages are crafted to deliver a sense of urgency or fear with the end goal of capturing an end user’s sensitive data. A phishing message might come from a bank, the government or a major corporation. The call to actions vary. Some ask the end user to “verify” their login information of an account and include a mocked-up login page complete with logos and branding to look legitimate. Some claim the end user is the “winner” of a grand prize or lottery and request access to a bank account in which to deliver the winnings. Some ask for charitable donations (and provide wiring instructions) after a natural disaster or tragedy. A successful attack often culminates in access to systems and lost data. Organizations of all sizes should consider backing up business-critical data with a business continuity and disaster recovery solution to recover from such situations. Baiting Baiting, similar to phishing, involves offering something enticing to an end user, in exchange for login information or private data. The “bait” comes in many forms, both digital, such as a music or movie download on a peer-to-peer site, and physical, such as a corporate branded flash drive labeled “Executive Salary Summary Q3” that is left out on a desk for an end user to find. Once the bait is downloaded or used, malicious software is delivered directly into the end users system and the hacker is able to get to work. Quid Pro Quo Similar to baiting, quid pro quo involves a hacker requesting the exchange of critical data or login credentials in exchange for a service. For example, an end user might receive a phone call from the hacker who, posed as a technology expert, offers free IT assistance or technology improvements in exchange for login credentials. Another common example is a hacker, posing as a researcher, asks for access to the company’s network as part of an experiment in exchange for $100. If an offer sounds too good to be true, it probably is quid pro quo. Piggybacking Piggybacking, also called tailgating, is when an unauthorized person physically follows an authorized person into a restricted corporate area or system. One tried-and-true method of piggybacking is when a hacker calls out to an employee to hold a door open for them as they’ve forgotten their ID card. Another method involves a person asking an employee to “borrow” his or her laptop for a few minutes, during which the criminal is able to quickly install malicious software. Pretexting Pretexting, the human equivalent of phishing, is when a hacker creates a false sense of trust between themselves and the end user by impersonating a co-worker or a figure of authority well known to an end user in order to gain access to login information. An example of this type of scam is an email to an employee from what appears to be the head of IT support or a chat message from an investigator who claims to be performing a corporate audit. Pretexting is highly effective as it reduces human defenses to phishing by creating the expectation that something is legitimate and safe to interact with. Pretexting emails are particularly successful in gaining access to passwords and business data as impersonators can seem legitimate, so it’s important to have a third-party backup provider. For all employees to be aware of the various forms of social engineering is essential for ensuring corporate cybersecurity. If users know the main characteristics of these attacks, it’s much more likely they can avoid falling for them. Aside from education and awareness, there are other ways to reduce the risk of being hacked. Employees should be instructed not to open emails or click links from unknown sources. Computers should never be shared with anyone, even for a moment. By default, all company desktops, laptops, and mobile devices should automatically lock when left idle for longer than five minutes (or less). Lastly, ensure your business is prepared to quickly recover from this kind of attack in case an employee does fall victim to one of these schemes. Humans are humans after all. By leveraging a solid backup and recovery solution, everyone can rest easy. Source: Datto.com, Courtney Heinbach
Humans And Cybersecurity Practices
Based on a comprehensive survey of 5,000 IT managers across 26 countries, Cybersecurity: The Human Challenge provides brand new insights into the state of cybersecurity skills and resources across the globe. It reveals the realities facing IT teams when it comes to the human-led delivery of cybersecurity, and explores how organizations are responding to the skills challenges they face. The study also exposes unique insights into the relationship between an organization falling victim to ransomware and their day-to-day cybersecurity practices. Key findings IT teams are showing progress in many battles IT teams are on top of patching. Three-quarters of IT teams apply patches to desktops, servers, applications, and internet-facing assets within a week of release. Servers and internet-facing assets are patched most quickly, with 39% of respondents patching them within 24 hours. Prevention is prioritized. On average, IT teams dedicate nearly half their time (45%) to prevention. After that, 30% of time is spent on detection and the remaining 25% is spent on response. IT managers are keeping up to date with cybersecurity. The majority (72%) say that they and their teams are up to date with or ahead of cybersecurity threats. Just 11% think they are significantly behind. Improving cybersecurity requires people – who are in short supply There is an urgent need for human-led threat hunting. Forty-eight percent of respondents have already incorporated human-led threat hunts in their security procedures and a further 48% plan to implement them within a year. The cybersecurity skills shortage is directly implementing protection. Over a quarter (27%) of managers said their ability to find and retain skilled IT security professionals is the single biggest challenge to their ability to deliver IT security, while 54% say it is a major challenge. Organizations are changing the ways they deliver security Improving operational efficiency is a key priority. Four in ten (39%) respondents said that improving operational efficiency and scalability is one of their biggest priorities for the IT team this year. Outsourcing IT security is rising fast. Currently, 65% outsource some or all of their IT security efforts. This is set to rise to 72% by 2022. The percentage of organizations that exclusively uses in-house staffing will drop from 34% to 26%. Ransomware victims display different behaviors and attitudes than those who haven’t been hit Ransomware victims are more exposed to infection from third parties. Twenty-nine percent of organizations hit by ransomware in the last year allow five or more suppliers to connect directly to their network – compared to just 13% for those that weren’t hit. Ransomware damages professional confidence. IT managers whose organizations were hit by ransomware are nearly three times as likely to feel “significantly behind” on cyberthreats than those that weren’t (17% vs. 6%). Being hit accelerates implementation of human-led threat hunting. Forty-three percent of ransomware victims plan to implement human-led hunting within six months, compared to 33% for those that didn’t suffer an attack. Victims have learned the importance of skilled security professionals. More than one-third (35%) of ransomware victims said recruiting and retaining skilled IT security professionals is their single biggest challenge when it comes to cybersecurity, compared to just 19% who hadn’t been hit. Download the full PDF report for more findings, including results for each of the 26 countries surveyed. About the survey Sophos commissioned specialist research house Vanson Bourne to survey 5,000 IT managers during January and February 2020. Sophos had no role in the selection of respondents and all responses were provided anonymously. Respondents came from 26 countries across six continents: Australia, Belgium, Brazil, Canada, China, Colombia, Czech Republic, France, Germany, India, Italy, Japan, Malaysia, Mexico, the Netherlands, Nigeria, the Philippines, Poland, Singapore, South Africa, Spain, Sweden, Turkey, UAE, the UK, and the US. Fifty percent of respondents were from organizations of between 100 and 1,000 employees, and 50% were from organizations of between 1,001 and 5,000 employees. Respondents came from a range of sectors, both public and private. Source: Sophos.com, Sally Adam
Top Security Mistakes And How To Avoid Them
From HP’s September 2014 Technology at Work Newsletter In the movies, hackers are easy to identify. The screen’s green glow reflects on their grizzled faces as they type furiously at their keyboards in the murky shadows. Of course, real-life hackers aren’t nearly so easy to spot. And they’re also likely not the biggest source of risk for your business. The truth is that most security breaches—over 80 percent—are crimes of opportunity [1]. The largest security threat many businesses face comes not from criminal masterminds, but their own employees. To help you keep your data and networks safe, we’ve compiled five common IT security mistakes, and what you can do to avoid them. Mistake 1: Not performing updatesSolution: Installing regular upgrades and software patches is one of the most important things you can do to keep your network and data secure, but 40 percent of users don’t always upgrade software when prompted to. In fact, about a quarter admit they need to be prompted at least twice before upgrading [2]. Don’t wait to make your network secure. Upgrade as soon as patches are available and conduct audits regularly. Mistake 2: Not disposing of data correctlySolution: Donating old equipment can be a great idea, as long as you’re making sure you’re not donating your company’s sensitive data as well. Merely deleting files doesn’t necessarily get rid of the information. To be sure it’s permanently deleted, the data needs to be actively overwritten with programs like Eraser. And HP Disk Sanitizer and File Sanitizer, available on select business PCs and notebooks, can help you erase hard drives and securely remove files, history, and data from a computer, and bleach the blank file space [3, 4]. Mistake 3: Not using encryptionSolution: Encryption isn’t just for databases stored securely in your network. Over half of all data harvesting by hackers was done not on stored data, but on data in transit [5] between systems, through a network, or to employees working remotely. Consistently employing secure, encrypted connections for employees accessing information outside the office is a key step in keeping your data protected. Mistake 4: Not using secure servicesSolution: When employees need to work late on a big project or access a file on the road, all too often what they end up doing is emailing the file to themselves, or putting it on an unsecured public website or notebook. If your employees are circumventing your security because they need more flexibility, one great alternative can be a service like HP Helion public cloud that can provide remote access while maintaining leading security practices. Mistake 5: Not educating employeesSolution: Having secure systems does little good if your employees give up sensitive information and credentials voluntarily. Cybercriminals are increasingly targeting employees in phishing attacks to get past firewalls and other security measures. These attacks use emails, fake websites, Trojan downloads, and social media to solicit the information they need to infiltrate your network. To avoid becoming victims, employees need to be educated on how to recognize—and avoid—suspicious websites, friend requests, and other risky clicks. The average cyber-attack can cost a business nearly $9,000—not including the impact of lost sales due to a damaged reputation [6]. And if you think your business data isn’t a target, you should think again. In 2013, more than half of all of the small businesses surveyed had experienced a security breach at some point [7]. But by taking a few simple steps, you can go a long way towards minimizing your risk. [1] Verizon, Data Breach Investigation Report, 2011[2] Skype, International Technology Upgrade Week, 2012[3] HP Disk Sanitizer is for the use cases outlined in the DOD 5220.22-M Supplement. Does not support Solid State Drives (SSDs). Requires Disk Sanitizer, External Edition for Business Desktops from hp.com. Requires Windows on business desktops and notebooks.[4] HP File Sanitizer is for the use cases outlined in the DOD 5220.22-M Supplement. Does not support Solid State Drives (SSDs). Initial setup required. Web history deleted only in Internet Explorer and Firefox browsers and must be user enabled. With Windows 8.1, user must turn off Enhanced Protection Mode in IE11 for shred on browser close feature.[5] Trustwave, Global Security Report, 2013[6] NSBA, Small Business Technology Survey, 2013[7] Ponemon Institute, Poll for HSB, 2013 Source: http://h30458.www3.hp.com/us/us/smb/Top-security-mistakes-and-how-to-avoid-them_1421521.html?jumpid=em_taw_US_aug14_pps-bps_2256652_hpgl_us_1421521_9701&DIMID=EMID_1005225296&DICID=taw_Sep14&OID=11097710&mrm=1-4BVUP