SMBs

Girl Scouts and OpenText empower future leaders of tomorrow with cyber resilience

The transition to a digital-first world enables us to connect, work and live in a realm where information is available at our fingertips. The children of today will be working in an environment of tomorrow that is shaped by hyperconnectivity. Operating in this...

World Backup Day reminds us all just how precious our data is

Think of all the important files sitting on your computer right now. If your computer crashed tomorrow, would you be able to retrieve your important files? Would your business suffer as a result? As more and more of our daily activities incorporate digital and online...

3 Reasons We Forget Small & Midsized Businesses are Major Targets for Ransomware

The ransomware attacks that make headlines and steer conversations among cybersecurity professionals usually involve major ransoms, huge corporations and notorious hacking groups. Kia Motors, Accenture, Acer, JBS…these companies were some of the largest to be...

How Ransomware Sneaks In

Ransomware has officially made the mainstream. Dramatic headlines announce the latest attacks and news outlets highlight the staggeringly high ransoms businesses pay to retrieve their stolen data. And it’s no wonder why – ransomware attacks are on the rise and the...

An MSP and SMB guide to disaster preparation, recovery and remediation

Introduction It’s important for a business to be prepared with an exercised business continuity and disaster recovery (BC/DR) plan plan before its hit with ransomware so that it can resume operations as quickly as possible. Key steps and solutions should be followed...

Podcast: Cyber resilience in a remote work world

The global pandemic that began to send us packing from our offices in March of last year upended our established way of working overnight. We’re still feeling the effects. Many office workers have yet to return to the office in the volumes they worked in pre-pandemic....

5 Tips to get Better Efficacy out of Your IT Security Stack

If you’re an admin, service provider, security executive, or are otherwise affiliated with the world of IT solutions, then you know that one of the biggest challenges to overcome is efficacy. Especially in terms of cybersecurity, efficacy is something of an amorphous...

How Cryptocurrency and Cybercrime Trends Influence One Another

Typically, when cryptocurrency values change, one would expect to see changes in crypto-related cybercrime. In particular, trends in Bitcoin values tend to be the bellwether you can use to predict how other currencies’ values will shift, and there are usually...

The Future of Work: Being Successful in the COVID Era and Beyond

Working from home is no longer something some of us can get away with some of the time. It’s become essential for our health and safety. So, what does the future of work look like in a post-COVID world?

We asked some of our cybersecurity and tech experts for their insights, which we’ll be presenting in a series entitled The Future of Work. In this installment, we’ll cover the qualities that will separate companies able to make smooth transitions to new ways of working from those that can’t. Plus, we’ll examine the effects the pandemic and our response to it have on workplace culture.

What are hallmarks of organizations that will successfully navigate our new workplace realities?

The COVID-19 crisis has forced employers to more fully consider the broader humanity of their employees. With parents becoming teachers and caretakers for ill, often elderly loved ones, greater levels of empathy are required of management. Now, with a lagging world economy and even experts unsure of what shape the current recession will take, financial stress will likely be added to the long list of anxieties facing the modern workforce.

As remote work continues to be a norm in industries like tech, boundaries between home and work life will continue to be murky. This, says Webroot product marketing manager George Anderson, presents opportunities for effective leaders to stand out from their peers.

“Leadership matters now more than ever,” says Anderson, “and being truthful matters even more. Your staff is worried, and platitudes won’t help. They need real communication based on real facts explaining why a company is making certain decisions. Being empathetic, sharing in employee concerns, involving and demonstrating how you value your staff—whether at executive or managerial level—will impact loyalty, dedication, and future business performance.”

Forbes notes that a more empathetic work culture is a silver lining arising from the pandemic that won’t be easily undone. We now know not just our coworkers’ personalities, but also their home office setups, their pets, children, and even their bookshelves. That fuller understanding of the person behind the position will hopefully lead to an enduring human-centric shift in the workplace. 

Long-term, how will office culture change? What policies should change once everyone is physically back at work?

Relatedly, office cultures are likely to change in irreversible ways. Even as we return to physical offices, large events like company all-hands meetings may be attended virtually from personal workspaces, and large team lunches may become rarities. Companies may even choose to alternate days in and out of the office to keep the overall office population lower.

“People will become more comfortable with video calling, screen sharing, and online collaboration,” predicts Anderson, “even between colleagues present in the same office. Boundaries will become blurred and we will find new ways to stay in touch and maintain our human connections by leveraging advanced collaboration solutions in new but secure ways.”

Personal hygiene will also undoubtedly become a bigger aspect of physical office culture. In its guidelines for safely returning to work, the CDC recommends installing a workplace coordinator charged with implementing hygiene best practices office wide. Suggested measures include increasing the number of hand sanitizing stations available to workers, relaxing sick leave policies to discourage ill workers from coming to the office, modernizing ventilation systems, and even daily temperature checks upon entering the building.

“Some of these hygiene measures will be single events, not the future of office work,” notes Anderson. “Others will have more long-term impacts on the way we work together.”

Given the visible impact some measures will have around the office, it will be impossible for them to not affect culture. Because routines like temperature checks may be considered intrusive, it’s important the reasoning behind them be communicated clearly and often. Stressing a culture of cleanliness as a means of keeping all workers healthy and safe can enforce a common bond.

Cybersecurity remains imperative

Cyber resilience isn’t the only aspect of overall business resilience being tested by COVID-19, but it’s a significant one. The cyber threats facing today’s remote workforces differ in key ways from those faced in the past, so its important companies reevaluate their cyber defense strategies. To do our part to help, we’re extending free trials on select business products to 60 days for a limited time. Visit our free trials page or contact us for more information.

Why Your Cyber Resilience Plan Doesn’t Include Windows 7

Our 2020 Threat Report shows increasing risks for businesses and consumers still running Windows 7, which ceased updates, support and patches earlier this year. This creates security gaps that hackers are all too eager to exploit. In fact, according to the report, malware targeting Windows 7 increased by 125%. And 10% of consumers and 25% of business PCs are still using it.

Webroot Security Analyst Tyler Moffitt points out that a violation due to a data breach could cost a business $50 per customer per record. “For one Excel spreadsheet with 100 lines of records, that would be $50,000.” Compare that with the cost of a new workstation that comes pre-installed with Windows 10 at around $500, and you quickly realize the cost savings that comes with offloading your historic OS. 

Windows 10 also has the added advantage of running automatic updates, which reduces the likelihood of neglecting software patches and security updates. Continuing to run Windows 7 effectively more than doubles the risk of getting malware because hackers scan for old environments to find vulnerable targets. Making matters worse, malware will often move laterally like a worm until it finds a Windows 7 machine to easily infect. And in a time when scams are on the rise, this simple OS switch will ensure you’re not the weakest link.

While businesses are most vulnerable to Windows 7 exploits, consumers can hardly breathe easy. Of all the infections tracked in the 2020 Threat Report, the majority (62%) were on consumer devices. This does, however, create an additional risk for businesses that allow workers to connect personal devices to the corporate network. While employees work from home in greater numbers due to COVID-19, this particular security risk will remain even higher than pre-pandemic levels.

Layers are key

As Moffitt points out, no solution is 100% safe, so layering solutions helps to ensure your cyber resilience is strong. But there is one precaution that is particularly helpful in closing security gaps. And that’s security awareness training. “Ninety-five percent of all infections are the result of user error,” Moffitt says. “That means users clicking on something they shouldn’t thus infecting their computer or worse, a entire network.” Consistent training – 11 or more courses or phishing simulations over a four- to six-month period – can significantly reduce the rate at which users click on phishing simulations.

Also, by running simulations, “you get to find out how good your employees are at spotting scams,” Moffitt says. “If you keep doing them, users will get better and they will increase their efficacy as time goes on.”

Fight cyber-risks with cyber resilience

The best way to close any gaps in protection you may have is to deploy a multi-layered cyber resilience strategy, also known as defense-in-depth. The first layer is perimeter security that leverages cloud-based threat intelligence to identify advanced, polymorphic attacks. But since cyber resilience is also about getting systems restored after an attack, it’s also important to have backups that enable you to roll back the clock on a malware infection.

With so many people working from home amid the global coronavirus pandemic, it’s increasingly critical to ensure cyber resilient home environments in addition to business systems. Find out what major threats should be on your radar by reading our complete 2020 Threat Report.

Pay Attention to the Hacker Behind the Hoodie

There’s a pretty common misconception among small businesses and medium-sized businesses (SMBs) that hackers only target large organizations. Unfortunately, this belief couldn’t be further from the truth. In fact, according to the most recent Verizon Data Breach Investigations Report, more than 70% of cyberattacks target small businesses. Additionally, many attacks are now shifting to target managed service providers (MSPs), specifically because breaching an MSP can give hackers access to their entire SMB customer base.

Why are hackers targeting SMBs?

Simply put— it’s easy money. First, the smaller the business is, the less likely it is to have adequate cyber defenses. Moreover, even larger SMBs typically don’t have the budgets or resources for dedicated security teams or state-of-the-art intrusion prevention. On top of that, smaller businesses often lack measures like strong security policies and cybersecurity education programs for end users, so common vulnerabilities like poorly trained users, weak passwords, lax email security, and out-of-date applications make SMBs prime targets.

What’s more: some hackers specialize in breaching specific business types or industries, refining their expertise with each new attack.

Which business types are in the cross hairs?

Realistically speaking, the majority of businesses face similar amounts of risk. However, some industries do tend to be targeted more often, such as finance or healthcare. Here are some of the business types that are currently topping hacking hit lists.

Managed Service Providers

MSPs hold a lot of valuable data for multiple customers across industries, which makes them desirable targets. Hackers use a technique known as “island hopping”, in which they jump from one business to another via stolen login credentials. MSPs and their SMB customers are both potential targets of these attacks.

Healthcare Organizations

Hospitals, physical therapy offices, pediatricians, chiropractors, and other healthcare practices are easy targets for cybercrime because they can have such chaotic day-to-day operations, and because they often lack solid security practices. In addition, medical data and research can extremely valuable. Patient records alone can sell for up to $1,000 or more on the dark web.

Government Agencies

There are many reasons that cybercriminals, particularly nation-state terrorists, might target local and national governments. In particular, small governments and local agencies generate troves of sensitive information, while large governments can be victims of nationwide disruption, either for financial gain or sheer destruction.

Financial Institutions

You probably aren’t surprised by this list item. Banks, credit unions, and other financial institutions have long been targets for hackers due to a wealth of data and money. Only a few years ago in 2018, over 25% of all malware attacks targeted banks––that’s more than any other industry. More recently, automation has further enabled cybercriminals to run advanced attacks on financial institutions at scale.

Celebrities, Politicians, and High-Profile Brands

Hacktivists, who are usually politically, economically, or socially motivated, like to seek out politicians, celebrities, and other prominent organizations as targets. They may even attempt to embarrass public figures or businesses by stealing and disseminating sensitive, proprietary, or classified data to cause public disruption, or for private financial gain via blackmail.

What are your next steps?

The only real requirement for becoming a hacking target is having something that hackers want, which means all businesses are at risk. Luckily, a few relatively straightforward tips can go a long way in keeping your business secure.

Think Like a Hacker

Cybersecurity awareness training with phishing simulations is a vital component of an effective protection strategy. In fact, Webroot’s own research found that regular training over just 4-6 months reduced clicks on phishing links by 65%. Understanding hacker practices and motivations can help you predict potential threats and thwart attacks.

Lock Down Your Business First

The right security layers can protect you from threats on all sides. If you haven’t already, check out our free Lockdown Lessons, which include a variety of guides, podcasts, and webinars designed to help MSPs and businesses stay safe from cybercrime.

Embrace Comprehensive Cyber Resilience

Being resilient in the face of cybercrime doesn’t just mean having powerful, automated endpoint threat detection in place. It also means having security layers that can protect your business and clients front and back. That includes layers like security awareness training, as well as network protection and strong backup and disaster recovery services. The best defense is prevention, and by preventing attacks and planning your recovery proactively, you’ll be ready to bounce back right away at the first sign of trouble.

Hackers have diverse means and motives, so it’s up to you to know their methods and prepare your business and customers to block advanced threats.

To get started on the road to cyber resilience, you can learn more about Webroot® Business Endpoint Protection or take a free trial here.

AI and ML in Cybersecurity: Adoption is Rising, but Confusion Remains

If you’ve been working in the technology space for any length of time, you’ve undoubtedly heard about the rising importance of artificial intelligence (AI) and machine learning (ML). But what can these tools really do for you? More specifically, what kinds of benefits do they offer for cybersecurity and business operations?

If you’re not so sure, you’re not alone. As it turns out, although 96% of global IT decision-makers have adopted AI/ML-based cybersecurity tools, nearly 7 in 10 admit they’re not sure what these technologies do.

We surveyed 800 global IT decision-makers across the U.S., U.K., Japan, and Australia/New Zealand about their thoughts on AI and ML in cybersecurity. The report highlighted a number of interesting (and contradictory) findings, all of which indicated a general confusion about these tools and whether or not they make a difference for the businesses who use them. Additionally, nearly 3 out of 4 respondents (74%) agreed that, as long as their protection keeps them safe from cybercriminals, they really don’t care if it uses AI/ML.

Here’s a recap of key findings based on responses from all 4 regions.

  • 91% say they understand and research their security tools, and specifically look for ones that use AI/ML.
  • Yet 68% say that, although their tools claim to use AI/ML, they aren’t sure what that means.
  • 84% think their business has all it needs to successfully stop AI/ML-based cyberattacks.
  • But 86% believe they could be doing more to prevent cyberattacks.
  • 72% say it is very important that cybersecurity advertising mention the use of AI/ML.
  • However, 70% of respondents believe cybersecurity vendors’ marketing is intentionally deceptive about their AI/ML-based services.

AI and ML matter because automation matters

As we’ve all had to adjust to “the new normal”, IT professionals have had to tackle a variety of challenges. Not only have they had to figure out how to support a massive shift to working from home, but they also have to deal with the onslaught of opportunistic online scams and other cyberattacks that have surged amidst the chaos around COVID-19.

With all of us working to adapt to these new working conditions, it’s become clear tools that enable automation and productivity are pretty important. That’s where I want to highlight AI and ML. In addition to how AI/ML-based cybersecurity can drastically accelerate threat detection—and even predict shifts and emerging threat sources—these technologies can also make your workforce more efficient, more effective, and more confident.

While many of our survey respondents weren’t sure if AI/ML benefits their cybersecurity strategy, a solid percentage saw notable improvements in workforce efficiency after implementing these tools. Let’s go over those numbers.

  • 42% reported an increase in worker productivity
  • 39% saw increases in automated tasks
  • 39% felt they had more time for training, learning new skills, and other tasks
  • 38% felt more effective in their jobs
  • 37% reported a decrease in human error

As you can see, the benefits of AI and ML aren’t just hype, and they extend well beyond the cybersecurity gains. Real numbers around productivity, automation, time savings, and efficacy are pretty compelling at the best of times, let alone when we’re dealing with sudden and drastic shifts to the ways we conduct business. That’s why I can’t stress the importance of these technologies enough—not only in your security strategy, but across your entire toolset.

Where to learn more

Ultimately, AI and ML-based tools can help businesses of all sizes become more resilient against cyberattacks—not to mention increase automation and operational efficiencies—but it’s important to understand them better to fully reap the benefits they offer.

While there’s clearly still a lot of confusion about what these tools do, I think we’re going to see a continuation of the upward trend in AI/ML adoption. That’s why it’s important that IT decision-makers have the resources to educate themselves about the best ways to implement these tools, and also look to vendors who have the historical knowledge and expertise in the space to guide them.

“Realistically, we can’t expect to stop sophisticated attacks if more than half of IT decision makers don’t understand AI/ML-based cybersecurity tools. We need to do better. That means more training and more emphasis not only on our tools and their capabilities, but also on our teams’ ability to use them to their best advantage.”

– Hal Lonas, SVP and CTO for SMB and Consumer at OpenText.

For further details about how businesses around the world are using AI and ML, their plans for cybersecurity spending, and use cases, download a copy of the full AI/ML report.

And if you still aren’t sure about AI/ML-based cybersecurity, I encourage you to read our white paper, Demystifying AI in Cybersecurity, to gain a better understanding of the technology, myth vs. reality, and how it benefits the cybersecurity industry.

Hackers: Fact vs. Fiction

Have you ever watched a movie and seen a character doing something you know how to do, and thought to yourself, “jeez, that’s totally wrong. Couldn’t they have done a little research?”

That’s exactly what hackers think when they watch movies, too. For most of us, the image that comes to mind when we hear the word “hacker” is pretty stereotypical: probably a young guy wearing a hoodie and headphones, in a basement, surrounded by fancy displays full of unintelligible code that looks like it’s straight out of the 1999 movie the Matrix, with only nefarious intentions at heart. We have that image for a reason; that’s how many films have portrayed such characters.

But, just like those times when you see a movie or TV character totally screwing up the thing you know how to do, this stereotype just isn’t accurate. Not all hackers have the same motives. In fact, not all of them are even “bad guys.” Misunderstanding leads to fear, and acting out of fear is never a good thing. If you want to stay safe from cyber-related risks in the modern world, it’s important to understand the myth vs. the reality.

Common Myths

  1. Every hacker is a criminal with evil intentions, who wants to break systems, steal information, steal money, cause destruction, commit cyber-espionage, or engage in other illegal activity online
  2. All hackers are male
  3. Hackers work alone, exclusively
  4. Hackers have to work really fast, or else they’ll get caught by the authorities
  5. There isn’t much money to be made, so hackers have to send lots of attacks to make their efforts worthwhile
  6. Hackers only go after large corporations and government systems.

The Truth about Hackers

  1. The word “hacker” really just refers to an individual who uses computers, networking, or other technology and related skills to accomplish a particular goal. That goal may not have anything to do with criminal activity, even if it involves gaining access to computer systems. In fact, some hackers use their skills for good, helping businesses and individuals become better able to prevent attacks by malicious hackers
  2. Just like their varied motivations, hackers come in all shapes and sizes. While the average self-proclaimed “hacker” is likely to be male and under 35, they can be of any gender, age, ethnicity, etc.
  3. As with most pursuits in life, hacking tends to be most productive when conducted by a team. It’s actually pretty common for hackers to be involved in larger groups or organizations. Some of them even have salaries and set holidays, just like the rest of us in the non-hacking working world, and may have customers and sales arrangements that include things like reseller portals and component rental
  4. A rushed job is a bad job, plain and simple. Hackers have the time to take a slow and methodical approach to accomplish their aims. They know they’re more likely to be successful if they research targets, do recon, and take the time to work out the best angles of approach. In contrast, victims of attacks typically have a very short amount time in which to react or recover, especially in the case of ransomware.
  5. There’s a lot of money to be made in hacking. As of the most recent Cost of a Data Breach Report, the average cost of a data breach is $3.92 million, and nearly 3 in 4 (71%) of breaches are financially motivated. In fact, the average hacker can earn up to 40 times the median wage of a software engineer.
  6. Although large corporations can be desirable targets, they often have larger security budgets and teams of security professionals dedicated to protecting the business. You might think hackers have bigger fish to fry, but small and medium-sized businesses (SMBs) are prime targets. More than 70% of cyberattacks target small businesses. In particular, more attacks are focusing on MSPs specifically because of their SMB clients. Breaching a single MSP could open up data access to their entire client base.

So what do you do?

You’re already on your way. By better understanding the true methods and motivations behind the myths, you can begin to lock down your business and protect your customers against today’s biggest threats. If you haven’t already, check out our Lockdown Lessons, which include a variety of guides, podcasts, and webinars designed to help MSPs and businesses stay safe from cybercrime.

The next step is to ensure your security stack includes a robust endpoint protection solution that uses real-time threat intelligence and machine learning to prevent emerging attacks. Learn more about Webroot® Business Endpoint Protection or take a free trial here.

World Backup Day: A Seriously Good Idea

“Cold Cuts Day,” “National Anthem Day,” “What if Cats and Dogs had Opposable Thumbs Day”…

If you’ve never heard of World Backup Day, you’d be forgiven for thinking it’s another of the gimmicky “holidays” that seem to be snatching up more and more space on the calendar.

(Did you know that single quirky duo, Ruth and Tom Roy, are responsible for copyrighting more than 80 of these holidays, including Bathtub Party Day, held annually on December 5?)

Not so, though, for World Backup Day. While, according to WorldBackUpDay.com, it was founded by a few “concerned users” on the social media site reddit, the day’s dedication is a decidedly serious one.

March 31 was established as “a day for people to learn about the increasing role of data in our lives and the importance of regular backups.”

Each April Fool’s-eve, the site invites humans all over the planet to not be fools and to back up their data. In celebration of World Backup Day, we sat down with Webroot Product Marketing Director George Anderson to see how users can ensure they stay cyber resilient by adhering to good data backup practices.

For World Backup Day, what’s the one piece of advice you’d give to a small or medium-sized business? An everyday computer user, like a parent?

Losing data used to be something that happened because a hard disk failed, a device was lost or stolen, or some other unforeseen accident made a device unusable. These remain risks. But these days, it’s just as likely your data is being held for a ransom or some nasty infection has destroyed it for good.

Up-to-date backups are essential. Remember: it’s not if something will happen to your data, but when. So, prepare for the unexpected. Easily restored data backups let you be more resilient against cyber-attacks and better able to recover customer data, financial information, business-critical files, and precious memories. Anything irreplaceable should be regularly backed up without a second thought, or worse, a passive “it won’t happen to me.”

Thankfully, many of today’s backup solutions are easy-to-use and affordable. My advice is to not become the next data loss or ransomware victim. Simply invest a little into backup software and rest easy knowing you’re covered.

Why is it important that World Backup Day be celebrated year-round? How can we keep the spotlight on backup and cyber resilience?

For those with backup technology in place, World Backup Day should be a reminder of the importance digital information plays in our daily lives, and to check up on existing backups to make sure they are being properly made and that they can be easily restored.

Unfortunately, “set-and-forget” technologies like automated backup and recovery solutions are rarely revisited – until we need them to be 100 percent. So, checking regularly that they’re correctly configured and working properly is important.

For those not currently backing up their data regularly, the day should bring into focus a glaring hole in your home or business data security. Perhaps take the time to consider the impact losing your data forever would have? Then take action.

Back up is no longer a “nice-to-have” capability. In a world where our lives are increasingly digital and our data is threated at lots of different angles, backup is crucial aspect of data security.

What’s the difference between backup and cyber resilience? Should companies be putting more of an emphasis on cyber resilience?

Backup is a key component of cyber resilience, though it’s not the only one. But it does make what could be an existential event, like a total loss of business or personal data, a setback that can be recovered from.

Cyber resilience is first and foremost about detecting, protecting and preventing attacks on your data in the first place. But then, even if your attack detection, protection and prevention defenses fail, your backup and recovery solutions ensure your data isn’t lost for good.

Cyber resilience is not a choice between security and backing up your data. It’s about covering both bases, so if a serious data compromise does occur, recovery is quick and painless to the business

This World Backup Day, take the pledge:

“I solemnly swear to back up my important data and precious memories on March 31st.”

And don’t forget to make sure that both cybersecurity and backup and recovery solutions are in place for your business or home office.

5 Must-Haves When Working Outside the Office

When you’re running a business, it’s important to stay connected, whether you’re in the office or not. Modern technology has made this easier than ever, ensuring you can answer emails and stay on top of tasks in hotels, coffee shops, wherever. Social media influencer and serial entrepreneur Gary Vaynerchuk has even said, “The airplane is disproportionately the place where I get the most tangible amount of work done.” 

But if you’re going to get anything done outside the office or on the road, there are a few essentials to have on hand. Here are five must-haves to make sure you are prepared and productive.

#1 Protect Your Devices and Your Data

No, this is not at the top just because you’re reading this on a security blog. Anytime you’re accessing the internet in a hotel, coffee shop, or other public space, your data and devices are at risk. While security may not be at the top of your list of concerns, a whopping 58% of data breaches happen to SMBs, and 60% of those who are attacked fold within 6 months.

This is why security, at the very least endpoint security, should be your number one consideration when working on the go. But not all endpoint security solutions are created equal.

Explore fast and effective endpoint security designed for business.

Modern endpoint security is cloud-based, lightweight (won’t slow your device down), and is powered by 24/7 threat intelligence to make sure you are protected against all known threats. In fact, some do what is known as “journaling” when they encounter an unknown threat so if it is deemed malicious, every action the malware took can be rolled back, step by step.

It’s also worth considering implementing a VPN to secure your connection to your office software and data as well as secure your communications with colleagues. Public WiFi is a favorite target of malicious attacks, including man-in-the-middle attacks, so the more you can anonymize your activity, the better.

#2 Stay Connected

When you’re on the road, there’s no guarantee that you’ll have reliable WiFi. Coffee shop WiFi can vary depending on how many people are using it, and hotel WiFi often costs money. To make sure you can always stay connected to high-quality WiFi, you’ll want to invest in a mobile WiFi device, which will work much better than using your smartphone as a hotspot. Plus, using a mobile WiFi device will help save your phone battery and will free it up for any phone calls you need to make. 

In addition, by using your own WiFi hotspot, you will avoid some of the security risks that come from using public WiFi

#3 Stay Charged

The last thing you want when working on the go is for your devices to run out of battery. Of course, you must remember to bring your basic laptop and smartphone chargers. However, you might not always have convenient access to an outlet. In which case, you’re going to want to bring a portable charger. Smartphones and laptops have different battery needs so you might want to get a portable charger for each.

Here is a list of the top portable chargers for smartphones and another for the top power banks for your laptop.

#4 Stay in the Zone

If you’re out of the office, chances are it might be more difficult to find some peace and quiet. Because of this, you’ll want to make sure you have a good set of headphones to help you get in the zone. 

If you’re choosing headphones, you’ll need to consider whether you want to go with over-the-ear or in-ear models. Over-the-ear models tend to have higher sound quality and better noise canceling features, but there are a variety of high-quality earbuds these days that may be easier to travel with. Whichever you go with, they’ll be useless without productivity-enhancing music to go along with them.

study published on the psychology of music found that those who listened to music completed their tasks more quickly and experienced better creativity. If you want to make your own playlist, it’s largely accepted that classical and other instrumental types of music work best for productivity. However, there are a variety of curated work playlists already in existence that you could use.

#5 Travel with the Right Bag

Now that you have your laptop, smartphone, chargers, portable batteries, headphones, and WiFi hotspot, you’ll need a way to carry it all around. But not just any bag will do. Since you’re traveling, you’ll want something that is compact, organized, and comfortable to carry, even if it’s heavy.

While the briefcase is a classic, it is not very efficient and can be cumbersome when also trying to carry coffee or talk on the phone. Backpacks are definitely the way to go if you want to carry everything comfortably while keeping your hands free. Just make sure to choose a bag made of durable materials with adequately wide and cushioned straps. The last thing you want in a bag is one you wince at the thought of carrying again after a long day.

Smishing Explained: What It Is and How to Prevent It

Do you remember the last time you’ve interacted with a brand, political cause, or fundraising campaign via text message? Have you noticed these communications occurring more frequently as of late?

It’s no accident. Whereas marketers and communications professionals can’t count on email opens or users accepting push notifications from apps, they’re well aware that around 98% of SMS messages are read within seconds of being received

Phishing has evolved. Learn all the ways hackers are angling for your data with our 11 Types of Phishing eBook.

As with any development in how we communicate, the rise in brand-related text messaging has attracted scammers looking to profit. Hence we arrive at a funny new word in the cybersecurity lexicon, “smishing.” Mathematical minds might understand it better represented by the following equation:

SMS + Phishing = Smishing

For the rest of us, smishing is the act of using text messages to trick individuals into divulging sensitive information, visiting a risky site, or downloading a malicious app onto a smartphone. These often benign seeming messages might ask you to confirm banking details, verify account information, or subscribe to an email newsletter via a link delivered by SMS.

As with phishing emails, the end goal is to trick a user into an action that plays into the hands of cybercriminals. Shockingly, smishing campaigns often closely follow natural disasters as scammers try to prey on the charitable to divert funds into their own pockets.

Smishing vs Vishing vs Phishing

If you’re at all concerned with the latest techniques cybercriminals are using to defraud their victims, your vocabulary may be running over with terms for the newest tactics. Here’s a brief refresher to help keep them straight.

  • Smishing, as described above, uses text messages to extract the sought after information. Different smishing techniques are discussed below.
  • Vishing is when a fraudulent actor calls a victim pretending to be from a reputable organization and tries to extract personal information, such as banking or credit card information.
  • Phishing is any type of social engineering attack aimed at getting a victim to voluntarily turn over valuable information by pretending to be a legitimate source. Both smishing and vishing are variations of this tactic.

Examples of Smishing Techniques

Enterprising scammers have devised a number of methods for smishing smartphone users. Here are a few popular techniques to be aware of:

  • Sending a link that triggers the downloading of a malicious app. Clicks can trigger automatic downloads on smartphones the same way they can on desktop internet browsers. In smishing campaigns, these apps are often designed to track your keystrokes, steal your identity, cede control of your phone to hackers, or encrypt the files on your phone and hold them for ransom.
  • Linking to information-capturing forms. In the same way many email phishing campaigns aim to direct their victims to online forms where their information can be stolen, this technique uses text messages to do the same. Once a user has clicked on the link and been redirected, any information entered into the form can be read and misused by scammers.
  • Targeting users with personal information. In a variation of spear phishing, committed smishers may research a user’s social media activity in order to entice their target with highly personalized bait text messages. The end goal is the same as any phishing attack, but it’s important to know that these scammers do sometimes come armed with your personal information to give their ruse a real feel.
  • Referrals to tech support. Again, this technique is a variation on the classic tech support scam, or it could be thought of as the “vish via smish.” An SMS message will instruct the recipient to contact a customer support line via a number that’s provided. Once on the line, the scammer will try to pry information from the caller by pretending to be a legitimate customer service representative. 

How to Prevent Smishing

For all the conveniences technology has bestowed upon us, it’s also opened us up to more ways to be ripped off. But if a text message from an unknown number promising to rid you of mortgage debt (but only if you act fast) raises your suspicion, then you’re already on the right track to avoiding falling for smishing.

Here are a few other best practices for frustrating these attacks:

  • Look for all the same signs you would if you were concerned an email was a phishing attempt: 1) Check for spelling errors and grammar mistakes, 2) Visit the sender’s website itself rather than providing information in the message, and 3) Verify the sender’s telephone address to make sure it matches that of the company it purports to belong to.
  • Never provide financial or payment information on anything other than the trusted website itself.
  • Don’t click on links from unknown senders or those you do not trust
  • Be wary of “act fast,” “sign up now,” or other pushy and too-good-to-be-true offers.
  • Always type web addresses in a browser rather than clicking on the link.
  • Install a mobile-compatible antivirus on your smart devices.

A Cybersecurity Checklist for Modern SMBs

The landscape of digital security is rapidly shifting, and even the largest tech giants are scrambling to keep up with new data regulations and cybersecurity threats. Small to medium-sized businesses (SMBs) are often left out of these important conversations, leaving themselves — and their users — vulnerable. In an effort to combat this trend, Webroot conducted a survey of more than 500 SMB IT leaders in the UK, revealing common blind spots in SMB cybersecurity practices. As businesses around the globe grapple with similar change, our Size Does Matter: Small Businesses and Cybersecurity report offers insight and guidance for companies regardless of geography. 

The biggest takeaway? We turned to Webroot’s Senior Director of Product Strategy Paul Barnes for his thoughts.

“The damage from data loss or downtime often means substantial financial and reputational losses, sometimes even leading to a business no longer being viable. A key learning for all small businesses should be to stop hiding behind your size. Instead, become educated in the risks and make your security posture a differentiator and business driver.”

When you’re putting together a cybersecurity checklist, you’ll need to do one thing first: check your preconceived notions about SMB cybersecurity at the door. Your business is not too small to be targeted. The data you collect is both valuable and likely vulnerable, and a costly data breach could shutter your business. More than 70% of cyberattacks target small businesses, with 60% of those going out of business within six months following their breach. With both the threat of hackers and the looming possibility of increased GDPR-style data regulatory fines, your small business cannot afford to be underprepared.

The first step to a fully realized cybersecurity program? An unflinching look at your company’s resources and risk factors.

“Understand what you have, from a technology and people perspective, and the risks associated with loss of data or operations, whether through externally initiated attacks or inside threats,” advised Barnes. “This will allow you to plan and prioritise next steps for protecting your business from attack.”

For established SMBs, this type of internal review may seem overwhelming; with so many employees already wearing so many hats, who should champion this type of effort? Any small business that is preparing to modernize its cybersecurity protocols should consider bringing in a managed service provider (MSP) to do an internal audit of its systems and to report on the company’s weaknesses and strengths. This audit should serve as the backbone of your cybersecurity reform efforts and — depending on the MSP — may even give you a security certificate that can be used for marketing purposes to differentiate your brand from competitors.

With a strong understanding of your company’s strengths and weaknesses, you can begin to implement an actionable cybersecurity checklist that will scale as you grow, keeping your business ahead of the data security curve. Each SMB’s checklist will be unique, but these best practices will be integrated into any successful cybersecurity strategy.

Continuous Education on the Latest Threats

A majority of small to medium-sized businesses rely on software systems that are constantly evolving, closing old security gaps while potentially opening new ones. With a tech landscape in constant flux, one-off security training will never be enough to truly protect your business. Comprehensive employee training that evolves alongside cybersecurity threats and data privacy regulations are your company’s first line of cybersecurity defense. Include phishing prevention practices in these trainings as well. Although seemingly old hat, phishing attacks are also evolving and remain one of the largest causes of data breaches globally. Continuous training of employees helps build a culture of security where they feel part of the team and its success. 

Regular Risk Assessment and Security Audits

Just as one-off training is not sufficient in keeping your staff informed, a one-off audit does nothing to continuously protect your company as it grows. Depending on your industry, these audits should take place at least annually, and are the best way to detect a security flaw before it is exploited. Factors such as the sensitivity of the data your business houses, and the likely impacts of a successful breach—your risk profile—should guide decisions regarding the frequency of these security audits.

Disaster Response Plan

Having a prepared disaster response plan is the most effective way to mitigate your losses during a data security breach. Backup and recovery tactics are critical components of this plan. It should also include a list of security consultants to contact in order to repair the breach, as well as a communications plan that notifies customers, staff, and the public in accordance with data protection regulations. An MSP can work with your company to provide a disaster response plan that is customized to your business’ specific needs.

Bring Your Own Device

Never scrimp on mobile security. Many companies now tolerate some degree of bring-your-own-device (BYOD) policy, giving employees increased convenience and employer accessibility. But convenience is a compromise and, whether it be from everyday theft or a malicious app, mobile devices are a weak point in many company’s security. Including mobile security guidelines like automatic device lock requirements, strong password guidelines, and failsafe remote wipe access in your BYOD policies will save your company money, time, and heartache.

Layer Your Security

Finally, ensure your business has multiple layers of defense in place. Accounting for endpoint devices is no less critical than it’s always been, but businesses are increasingly learning that networks and users need protection, too. DNS-layer security can keep employees from inviting risky sites onto your network, and security awareness training will help your users recognize signs of an attack. No one solution is a panacea, but tiered defenses make a business more resilient against cybercrime.

Survey says: We don’t have time for this

One of the largest impediments to SMBs adopting these modern cybersecurity protocols is the perceived time cost, with two-fifths of IT leaders surveyed by Webroot stating they simply do not have the time or resources to fully understand cybersecurity threats. The uncomfortable truth is that, if you can’t find the time to protect your data, a hacker whodoes have the time is likely to find and exploit your security gaps. But there is a silver-lining, the smaller size of an SMB actually allows for a certain level of agility and adaptiveness when implementing cybersecurity policies that is inaccessible to tech giants.

“SMBs can no longer consider themselves too small to be targets. They need to use their nimble size to their advantage by quickly identifying risks and educating employees on risk mitigation, because people will always be the first line of defense,” said Barnes.

You’ll find additional benefits beyond the base-level protection a comprehensive cybersecurity plan provides. As 33% of SMBs surveyed by Webroot say they prefer not to think about cybersecurity at all, demonstrating that your company is ahead of the problem can be a powerful way to distinguish your business from its competitors. With consumer data privacy concerns at an all-time high, a modern cybersecurity checklist may be one of the best marketing tools available. The best way to stay ahead of cybersecurity threats is to stay informed. Read the entire Size Does Matter: Small Businesses and Cybersecurity report for an in-depth look at how your SMB contemporaries are handling data protection, and stay up-to-date with Webroot for additional cybersecurity reports and resources.

Top 5 Things SMBs Should Consider When Evaluating a Cybersecurity Strategy

SMBs are overconfident about their cybersecurity posture.

A survey of SMBs conducted by 451 Research found that in the preceding 24 months, 71% of respondents experienced a breach or attack that resulted in operational disruption, reputational damage, significant financial losses or regulatory penalties. At the same time, 49% of the SMBs surveyed said that cybersecurity is a low priority for their business, and 90% believe they have the appropriate security technologies in place. Clearly, SMBs are not correctly evaluating cybersecurity risk.

Many of us can relate – each day we ignore obvious signs that point to a reality that is in direct contrast to our beliefs. For example, as each year passes, most of us get a little slower, muscles ache that never ached before, we get a bit softer around the middle, and we hold our reading material farther away. Yet, we are convinced we could take on an NBA player in a game of one-on-one or complete the American Ninja Warrior obstacle course on the first try. 

While it’s unlikely that most of us can make the improvements needed to compete with elite athletes, the same can’t be said for enterprise cybersecurity. The journey is not an easy one given the security talent vacuum, a lack of domain understanding at the executive level, and the complexity of implementing a long-term, metric-based strategy. But, if you are an SMB struggling to run up and down the proverbial court, here are five things you should consider when building a better security practice:

1.   Experienced staff are valuable, but expensive, assets. 

Although enterprise cybersecurity is a 24/7/365 effort requiring a full roster of experienced professionals, many SMB cybersecurity teams are underequipped to handle the constant deluge of alert notifications, let alone the investigation or remediation processes. In fact, only 23% of survey respondents plan to add staff to their security teams in the coming year. For many SMBs, the security staffing struggles may get worse as 87% reported difficulties in retaining existing security professionals. To fill this gap, SMBs are increasingly turning to MSPs and MSSPs to provide the expertise and resources needed to protect their organizations around the clock.

2.   Executives understand what is at stake, but not what action to take. 

As the threat landscape becomes more treacherous, regulatory requirements multiply, and security incidents become more common, executives at SMBs have become more acutely aware of the business impact of security incidents – most are feeling an urgency to strengthen organizational cybersecurity. However, acknowledging the problem is only the first step of the process. Executives need to interface with their internal security teams, industry experts and MSPs in order to fully understand their organization’s risk portfolio and design a long-term cybersecurity strategy that integrates with business objectives.

3.   Security awareness training (SAT) is low-hanging fruit (if done right). 

According to the 451 Research Voice of the Enterprise: Information Security: Workloads and Key Projects survey, 62% of SMBs said they have a SAT program in place, but 50% are delivering SAT on their own using ‘homegrown’ methods and materials. It should be no surprise that many SMBs described their SAT efforts as ineffective. MSPs are increasingly offering high-quality, comprehensive SAT for a variety of compliance and regulatory frameworks such as PCI-DSS, HIPAA, SOX, ISO, GDPR and GLBA. SMBs looking to strengthen their security posture should look to partner with these MSPs for security awareness training.

4.   Securing now means securing for the future. 

The future of IT architecture will span both private and public clouds. This hybrid- and multi-cloud infrastructure represents a significant challenge for SMBs that require a cybersecurity posture that is both layered and scalable. SMBs need to understand and consider long-term trends when evaluating their current cybersecurity strategy. With this aim in mind, SMBs can turn to MSPs and MSSPs with the experience and toolsets necessary for securing these types of complex environments. 

5.   A metrics-based security approach is needed for true accountability. 

In a rush to shore up organizational security, SMBs might make the all-too-common mistake of equating money spent with security gained. To be clear: spending not backed by strategy and measurement only enhances security posture on the margins, if at all. To get the most bang for each buck, SMBs need to build an accountable security system predicated on quantifiable metrics.Again, this is an area where SMBs can partner with MSPs and MSSPs. This serves as an opportunity to develop cybersecurity strategy with measurable KPIs to ensure security gains are maintained over time. MSPs can help SMBs define the most applicable variables for their IT architectures, whether it be incident response rate, time-to-response or other relevant metrics.

The strategic reevaluation of organizational security is a daunting task for any organization, but given the risks SMBs face and their tendency to be underprepared, it is a necessary challenge. These key points of consideration for SMBs embarking on this critical journey underscore the importance of building an accountable and forward-looking security system and highlight the ways in which SMBs can work alongside MSP or MSSP partners to implement the right cybersecurity system for their organizations. I hope this will be the wake-up call all SMBs need to unleash their inner cybersecurity all-star.

If you’re interested in learning more about how other SMBs are approaching cybersecurity, read my report Security Services Fueling Growth for MSPs.

Reducing Risk with Ongoing Cybersecurity Awareness Training

Threat researchers and other cybersecurity industry analysts spend much of their time trying to anticipate the next major malware strain or exploit with the potential to cause millions of dollars in damage, disrupt global commerce, or put individuals at physical risk by targeting critical infrastructure.

However, a new Webroot survey of principals at 500 small to medium-sized businesses (SMBs), suggests that phishing attacks and other forms of social engineering actually represent the most real and immediate threat to the health of their business.

Twenty-four percent of SMBs consider phishing scams as their most significant threat, the highest for any single method of attack, and ahead of ransomware at 19 percent.

Statistics released by the FBI this past summer in its 2017 Internet Crime Report reinforce the scope of the problem. Costing nearly $30 million in total losses last year, phishing and other social engineering attacks were the third leading crime by volume of complaints, behind only personal data breaches and non-payment/non-delivery of services. Verizon Wireless’s 2018 Data Breach Investigations Report, a thorough and well-researched annual study we cite often, blames 93 percent of successful breaches on phishing and pretexting, another social engineering tactic.

Cybersecurity Awareness Training as the Way Forward

So how are businesses responding? In short, not well.

24 percent of principals see phishing scams as the number one threat facing their business. Only 35 percent are doing something about it with cybersecurity awareness training.

One of the more insidious aspects of phishing as a method of attack is that even some otherwise strong email security gateways, network firewalls and endpoint security solutions are often unable to stop it. The tallest walls in the world won’t protect you when your users give away the keys to the castle. And that’s exactly what happens in a successful phishing scam.

Despite this, our survey found that 65 percent of SMBs reported having no employee training on cybersecurity best practices. So far in 2018, World Cup phishing scams, compromised MailChimp accounts, and opportunist GDPR hoaxers have all experienced some success, among many others.

So, can training change user behavior to stop handing over the keys to the castle? Yes! Cybersecurity awareness training, when it includes features like realistic phishing simulations and engaging, topical content, can elevate the security IQ of users, reducing user error and improving the organization’s security posture along the way.

The research and advisory firm Gartner maintains that applied examples of cybersecurity awareness training easily justify its costs. According to their data, untrained users click on 90 percent of the links within emails received from outside email addresses, causing 10,000 malware infections within a single year. By their calculations, these infections led to an overall loss of productivity of 15,000 hours per year. Assuming an average wage of $85/hr, lost productive costs reach $1,275,000 which does not necessarily account for other potential costs such as reputational damage, remediation cost, or fines associated with breaches.

One premium managed IT firm conducted its first wave of phishing simulation tests and found their failure rate to be approximately 18 percent. But after two to three rounds of training, they saw the rate drop to a much healthier 3 percent.1

And it’s not just phishing attacks users must be trained to identify. Only 20 percent of the SMBs in our survey enforced strong password management. Ransomware also remains a significant threat, and there are technological aspects to regulatory compliance that users are rarely fully trained on. Even the most basic educational courses on these threats would go a long way toward bolstering a user’s security IQ and the organizations cybersecurity posture.

Finding after finding suggests that training on cybersecurity best practices produces results. When implemented as part of a layered cybersecurity strategy, cybersecurity awareness training improves SMB security by reducing the risks of end-user hacking and creating a workforce of cyber-savvy end users with the tools they need to defend themselves from threats.

All that remains to be seen is whether a business will act in time to protect against their next phishing attack and prevent a potentially catastrophic breach.

You can access the findings of our SMB Pulse Survey here.

1 Webroot. “Why Security Awareness Training is an Essential Part of Your Security Strategy” (November, 2018)

Top 3 Questions SMBs Should Ask Potential Service Providers

It can be daunting to step into the often unfamiliar world of security, where you can at times be inundated with technical jargon (and where you face real consequences for making the wrong decision). Employing `

In a study performed by Ponemon Institute, 34% of respondents reported using a managed service provider (MSP) or managed security service provider (MSSP) to handle their cybersecurity, citing their lack of personnel, budget, and confidence with security technologies as driving factors. But how do you find a trustworthy partner to manage your IT matters?

Here are the top 3 questions any business should ask a potential security provider before signing a contract:

 

 

 

 

 

While these are not all of the questions you should consider asking a potential service provider, they can help get the conversation started and ensure you only work with service providers who meet your unique needsservice providers who meet your unique nee.

  1. Ponemon Institute. (2016, June). Retrieved from Ponemon Research: https://signup.keepersecurity.com/state-of-smb-cybersecurity-report/
  2. Ponemon Institute Cost of Data Breach Study: (2017 June) https://www.ibm.com/security/data-breach