The Human Factor

If you haven’t noticed, a large part of cybersecurity is based on the Human Factor. It is by far the weakest link in the chain of securing your IT environment. If you choose to ignore this fact and neglect to implement a Cyber Security Awareness Plan, then you are risking more than you can imagine. But if you decide that a Cyber Security Awareness Plan is the smart choice and the right thing to do, you will not only help keep your Business IT secure, but your most valuable asset – your employees – will benefit as well.

Educate your employees to be cyber savvy at work and they will enjoy the benefits at home as well. There are a few ways to get started with your Cyber Security Awareness plan. I feel the most important first step is to let them know why you are doing it and how they will benefit. This way you are being up front with them that Cyber Security is paramount to the operation of the business. You are also showing them their personal and family security is important to you. But it will be hollow succor unless you follow through.

When you implement your Cyber Security Awareness training program make sure you:

    • Explain how they can use your tips and techniques at home to keep their loved ones secure online.
    • Share your experiences and encourage them to participate with ideas.
    • Let them know that if they make a mistake, the best thing they can do is to report it immediately – don’t try to hide or ignore it.
    • Have them vote for a Cyber Security Awareness Champion (or you can appoint one).
    • Have a plan to ensure your program will be an ongoing part of your company’s culture.

This is not a definitive list of what you will need to do, but it is a good starting point.

If you would like some help teaching your employees to avoid phishing and other scams, contact us HERE. This not only helps protect your company but your employees and their families as well from possible scams that can lead to Identity Theft or serious security breaches.

Amazon Scam | A New Twist

Watch Out for Latest Amazon Scam

This is a new twist on the Amazon scam. It does not contain any links. It does have an attached file which I am sure includes malicious code.

Do you, your family and your employees know how to spot an email scam or phishing attempt? Someone who is an Amazon affiliate may just fall for this one. There are giveaways that are generally consistent with phishing or scams. This one is no exception.

The most glaring one is the From email address. The displayed name is Amazon Marketplaces, which may fool some even though it says Marketplaces when it should have been Marketplace. The actual email address is not from the Amazon domain, as shown below.

Amazon Marketplaces <reservations@thebistr********dale.com>

Your Amazon Seller Fees VAT Invoice for 6/2019-ID (New-ID: 112-5591137-4708119)-[05/2019]

Dear email.address.was.here,

Please find enclosed an electronic tax invoice for the month of 6/2019 in HTML format. Please note that this invoice is not a request for payment.

To review your account summary or request other copies of your tax invoices, please log into your Seller Central account.

If you have any questions, please contact Seller Support.

Best regards,

Amazon Payments Services
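
The two giveaways described above (a display name that claims Amazon while the real sender domain is not Amazon's, and an attached HTML file in place of links) can be checked automatically at the mail gateway. This is an added example, not part of the original post; the sample message is constructed, its sender domain is a placeholder, and the brand allow-list is an assumption.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: illustrative allow-list of domains each brand really sends from.
BRAND_DOMAINS = {"amazon": {"amazon.com", "amazon.co.uk"}}
RISKY_ATTACHMENT_EXT = (".html", ".htm")

# Constructed sample modelled on the quoted message; placeholder sender domain.
SAMPLE = """\
From: Amazon Marketplaces <reservations@bistro.example>
Subject: Your Amazon Seller Fees VAT Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please find enclosed an electronic tax invoice in HTML format.
--b1
Content-Type: text/html; name="invoice.html"
Content-Disposition: attachment; filename="invoice.html"

<html><body>constructed placeholder</body></html>
--b1--
"""

def domain_matches(domain, allowed):
    # Exact match or a true subdomain; "amazon.com.evil.example" must not pass.
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def triage(raw):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in display.lower() and not domain_matches(domain, allowed):
            findings.append(f"display name claims {brand} but sender domain is {domain}")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_ATTACHMENT_EXT):
            findings.append(f"HTML attachment: {name}")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The From header is trivially forged, so a check like this complements SPF, DKIM and DMARC results and does not replace them.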

Learn how you can teach your employees to avoid phishing and other scams. This not only helps protect your company but your employees and their families as well from possible scams that can lead to Identity Theft or serious security breaches. Contact us HERE

Quest Diagnostics Data Breach

Quest Diagnostics Data Breach

The most recent data breach involves Quest Diagnostics. Quest is among the largest medical testing labs on the planet. The unfortunate thing about this breach is the magnitude. Over 12 million people may have had personal, financial and other information compromised. What’s more, Quest was not the party that was hacked. In fact, it was a subcontractor who worked for the company Quest contracted with to handle their billing.

Third Fourth Party

This is really bad in many ways other than the 12 million Quest customers who had their information stolen. While Quest was not hacked, they are still seen as the responsible party by the customers. Quest uses Optum360 for its billing collections. Optum360 in turn uses AMCA (American Medical Collection Agency) for those services. Apparently AMCA told Quest of the breach in mid-May but was unsure of when the breach/hack occurred. The story is longer and more involved than I am going to engage in here, but this is the 30,000 foot overview.

Outsourcing

The point here is that you need to be specific when outsourcing operations. You need to know and agree to exactly who is going to be doing your work. This is especially true when it involves PII, PHI or financial information. The reason should be clear. The news and other media top stories all imply on the surface that Quest Diagnostics was the company whose systems were compromised. As you know, media always wants the most compelling headlines. If they were to say AMCA was breached, fewer readers/viewers would pay attention.

My question is who else uses AMCA for their collection services? How many other people’s information may have been stolen? What, if anything, will AMCA, Optum360 and Quest be required to do if identities are stolen? Can this information be sold to insurance companies? Could it be used against the victims in the future, perhaps for health care related situations or to increase their premiums?

Are Your Systems at Risk

The details of the breach are still unknown. The fact remains that every business with an online presence is at risk of its systems being compromised. The biggest threat to most businesses is not of being hacked by some nefarious character. It is from inside its own employee base. It could be a disgruntled employee intent on causing as much damage as possible. Possibly someone who feels they don’t get paid enough exfiltrates proprietary information and sells it to the competition. The biggest insider threat is an uninformed employee who takes careless actions like inserting a thumb drive of unknown origin or clicking on a link in an email.