While lucky shamrocks and leprechauns make for charming tales over a pint, they make dangerous cybersecurity strategies.
Protect your data with more than wishful thinking.
Many businesses operate with the “luck of the Irish” approach to cybersecurity: “Sure, but we haven’t been breached yet, must be our lucky shamrock,” or, “We’re too small for hackers to notice us, it’d be like finding a four-leaf clover in a field.”
The truth? Digital tricksters don’t care about lucky charms. They care about vulnerabilities, and they’re searching for them 24/7 with automated tools.
The “Paid Once, Marked Forever” Curse
In Irish folklore, leprechauns were known for mischievous trickery. Today’s cybercriminals have their own version of mischief, and it’s far more costly.
When you get ransomwared and proceed to pay a ransom, you might think you’ve avoided catastrophe. Unfortunately, what you’ve done is painted a giant sign on your door that says: “PAYS RANSOMS–COME BACK ANYTIME!” On top of that, you may not get all your data back.
Here’s why you’ll likely become a repeat target:
You’re on the Map: Ransomware groups maintain detailed databases of organizations that have paid, and sometimes sell that information to other groups on the dark web. If you don’t fix the underlying vulnerability, it’s a big rainbow leading to your data.
“Golden Shamrock” Effect: To cybercriminals, your organization now represents guaranteed income. Each time you pay, attackers increase their demands, knowing you lack proper defenses and will likely pay again. Repeat attacks often occur less than a year after the first.
This St. Patrick’s Day, replace wishful thinking with strategic planning:
Defense in Depth: Layer multiple security controls so if one fails, others catch the breach.
Backup, Test, Repeat: Implement backups and regularly test restoration (we do this for our managed services customers).
Train Your Human Firewall: Your employees are either your strongest defense or your greatest vulnerability–there’s no in-between. We have employee training available to help you—just ask for information, or forward Cyber Treats to your team weekly!
Incident Response Planning: Know exactly what you’ll do if you face a security incident.
Remember: In cybersecurity, as in life, we create our own luck through preparation, vigilance, and smart investments in protection.
May your networks stay secure and your data protected! Cheers to that!
Try Your Luck: Enter the Cyber Treats Gift Card Giveaway! We’re giving a lucky winner a $50 Visa Gift Card. Click here to enter.
Cybercriminals are scanning for targets across every industry and every size of business. Let’s explore who they’re targeting and, more importantly, how to keep your organization off their radar.
Industries Commonly Targeted by Cybercriminals:
Government and Public Services: Hackers want access to classified information or aim to slow down or cut off government services.
Healthcare: Cybercriminals steal patient data or extort healthcare providers for large ransoms.
Finance: Financial businesses have access to high-value data.
Agriculture: Criminal groups looking to disrupt the food supply target the ag industry. Additionally, industries’ busy seasons create a sense of urgency.
Cyber fact: the number one category for attacks is actually small-to-medium-sized businesses of any kind, making up 43% of all events, according to a recent report by the SBA. Only 14% of small businesses are adequately secured.
More important than industry: these three common factors are major contributors to cyberattack risk.
Unsupported Legacy Hardware and Software: Updates are key to keeping your business secure. Legacy systems have vulnerabilities that can be exploited by cybercriminals.
Security Un-Awareness: Between 88 and 95% (depending on your source) of cyber attacks are caused by human error. The solution? Training your team to spot phishing attempts and creating a culture of good security practices. Security awareness training has been proven to reduce your risk.
Compromised Credentials: Using the same password/email combo for multiple websites means if one site is hacked, others likely will be, too. Use unique passwords for each website and enable multi-factor authentication where possible.
Need some tech advice?
The Facet team is here to help with custom IT solutions. Call us or schedule a discovery call to see what your options are for managed services and cybersecurity. Schedule a call by clicking here.
What was it Ben Franklin said? Maybe that the only two certain things in life are phishing scams and taxes? Something like that…
According to IRS data, tax scams spike in January and February and intensify through April. Last year, scammers targeted numerous business owners by misrepresenting the Employee Retention Credit (ERC)–a credit for which many victims didn’t qualify–charging hefty fees for assistance with applications.
Continue reading for three common tax scams businesses are facing today:
Phishing and Smishing Threats: Scammers posing as the IRS will send emails or texts threatening legal action. They often target tax professionals and businesses.
Prevent it: The IRS never initiates contact via email. Report suspicious tax e-mails to phishing@irs.gov (and to Facet through your “Report Phishing” button or by emailing dispatch@facettech.com), and always verify messages directly with the IRS through official channels.
Online Account “Help” Calls: Scammers offer help setting up an IRS online account. Their goal? Getting personal and tax information they can use for identity theft.
Prevent it: Only create your online account directly through IRS.gov and avoid any unsolicited offers for third-party help. If someone reaches out offering to assist, it’s likely a scam.
Fuel Tax Credit Emails and Calls: Common email and call scams push Fuel Tax Credit claims, which are only available for farming or off-highway use. They will fabricate documents or receipts for fuel to make false claims, often charging hefty fees in the process. While the scammers profit, you are left with the risk of facing IRS scrutiny.
Prevent it: Make sure you’re eligible for tax credits to avoid fines or criminal charges–it’s often best to consult with a qualified tax professional to ensure legitimacy.
Cold Weather? Check. Snow? Check. New Year’s Tech Tips? Check.
Staying busy this January? Here are some quick tech tips to help you stay safe and work more efficiently. Maybe consider tacking these onto your resolutions?
✅ Restart PCs and phones regularly. If your device seems faster after a restart, that’s likely because it IS faster. Shutting down a device forces apps and background processes to reset, getting rid of some resource-hungry noise and helping you work more efficiently.
✅ Organize your files and folders. Establishing hierarchies and clear organization helps you save time and LOTS of frustration (your coworkers might appreciate it, too)! While you’re at it, make sure that you’re saving your documents in the right spot, i.e. your company’s cloud storage, not local storage (or anywhere not backed up).
✅ Review your privacy settings on social media. Given the rise in whaling email scams (more on this in the link below) using information from personal social media accounts to target victims, it’s prudent to be picky about who you add as a friend or what you share online. Sharing personal information can make you a prime target for scammers.
Need some tech advice? Our team is here to help with custom IT solutions. Call us or schedule a discovery call to see what your options are for managed services and cybersecurity. Schedule a call by clicking here.
We don’t have one… but we can get pretty close by examining the top cybersecurity concerns of business and IT leaders as we enter the new year.
Why gen-AI tops the list of technology concerns:
The rise of generative AI has resulted in powerful, flexible tools that can make your workplace more efficient—but it comes with some risks.
Free large language models (LLMs) like ChatGPT, Copilot, Claude, and others are only free because your prompts (and any documents you upload) are used to continue training the model. General questions, public marketing/sales materials, and everyday requests don’t really pose a security risk. However, if your team uses an LLM to summarize, say, financial reports, you could be in a more dangerous territory.
Back in 2023, a Samsung employee accidentally leaked internal source code, confidential meeting recordings and sensitive hardware specifications when asking ChatGPT to help debug a program. The incident led to a temporary company-wide ban on generative AI tools, and new AI usage policies.
One solution: source an AI model with built-in data privacy.
An option for businesses looking for AI capabilities is Microsoft 365 Copilot (not to be confused with the free version of Copilot anyone can access). With 365 Copilot, you can manage the use of chatbots for work purposes and protect your data.
With your own Microsoft 365 Copilot instance:
Prompts entered in Microsoft 365 Copilot are not used to train LLMs.
Users may only reference documents to which they have full permissions.
Get flexibility to create custom chatbots that scan your knowledge base, including documents, emails, Teams chats, and more
You have all the capabilities of generative AI, but with reduced risk.
Copilot for Business can be added on to most existing 365 plans.
Want some advice on business cybersecurity for the new year? Our team is here to help with solutions to keep your business’ data safe. Call us or schedule a discovery call to see what your options are for managed services and cybersecurity. Schedule a call by clicking here.
The FBI’s Warning Against Texting – Here’s What to Do.
What the FBI’s advice on encrypted messaging means for your business.
Back in October, there was a large-scale cyber attack on Verizon, AT&T, and Lumen. The NSA has since said that this was an attack supported by China with the goal of accessing phone call and text information from high-ranking US government officials.
As the hack remains unresolved, the FBI recently issued guidelines warning against texting and urged the public to switch to encrypted messaging instead.
What’s Affected?
While iPhones and Androids have their own secure messaging apps (Google Messages on Android and iMessage on iPhone), these are only secure when messaging others who use the same messaging service, i.e., Android to Android and iPhone to iPhone. Texting between Androids and iPhones is not secure.
The hack is ongoing, so business leaders should take precautions to secure their internal communications.
A More Secure Option
For personal use, the FBI recommends using an app like Signal to protect your conversations.
If your team uses texting to communicate internally, consider switching to Microsoft Teams. Microsoft Teams offers encrypted messaging (and many other features) and works across your mobile devices and workstations.
While email is not affected by this hack, it’s also a good time to review your email security and filtering. Our team can set up secure messaging through Teams and advanced email security to help protect your business against data breaches.
Want faster collaboration and more efficient work? Let’s get Teams set up for your business. We decode tech-speak for business leaders and can help you increase uptime with the right tools. Schedule a call by clicking here.
Enter the Cyber Treats Santa’s Helper $100 Giveaway!
We’re giving away a $100 Visa gift card to a Cyber Treats subscriber!
Fill out our form to enter. Get an additional entry for each person you refer to Cyber Treats. Simply have them fill out the entry form and mention your name as their referrer.
Paying a premium? Make sure you qualify for the payout.
Cyber liability and data breach insurance policies can protect your business in a cyber attack, but only if you have the required protections in place.
Picture this: A mid-sized manufacturing company felt their cyber insurance requirements were mostly “paperwork.” They had basic security in place but skipped implementing the EDR solution their insurer strongly recommended. Fast forward three months, and they’re dealing with a ransomware incident that their insurance won’t fully cover because their security didn’t meet the baseline requirements.
It’s more than box-checking…
Requirements are based on real attack patterns insurers are seeing right now (and trust me, cyber insurance payouts only keep rising, so the goal is to prevent expensive attacks)
Each requirement typically protects against multiple threats – like a 2-for-1 deal on your security controls
Insurers spend millions gathering threat intelligence, so the recommendations are generally sound
It’s not uncommon to detect and stop an attack in progress while implementing insurers’ requirements, like upgrading from antivirus to endpoint protection!
Pro tip: Don’t wait for your renewal to check your compliance. Make sure you have the necessary protections in place to qualify for payouts if you experience a breach.
Do you pay for cyber liability or data breach insurance, but aren’t sure if you’re meeting requirements? We decode tech-speak for business leaders and can help strengthen your defenses to avoid that claim in the first place. Schedule a call by clicking here.
Cyber Treats Bonus Links
A good reminder when you’re Googling to find holiday gifts (from Wired): “Malicious Ads in Search Results are Driving New Generations of Scams.”
Side Note: this is also a decent argument for including your company name as a keyword if you do any pay-per-click advertising. Not only does it prevent competitors from occupying that top spot, but it also prevents malvertising under your name.
The same group behind the MGM hack also orchestrated a phishing scheme that cost businesses millions (from ArsTechnica): “5 charged in ‘Scattered Spider,’ one of the most profitable phishing scams ever.”
What may be most interesting to business leaders here is the attack vector: text messages that claimed to be from internal IT departments, instructing victims to click on a link to avoid account deactivation. Phishing schemes often cultivate a sense of urgency to lower victims’ defenses.
Thanks for reading Cyber Treats. See you next week!
“Thanks so much to (insert VPN provider here) for sponsoring this video.” Sound familiar?
VPNs bill themselves as a safeguard against getting your identity stolen on the internet, but many popular VPN providers promise total security, then sell or even steal your data.
What’s a VPN?
Personal VPN products connect your device to another network, “bypassing” your ISP (internet service provider) and encrypting your traffic. With a VPN, potential attackers on the same network (say, on public WiFi at a hotel or coffee shop) can’t steal passwords, credit cards, or other data. There’s also off-label usage: some people use VPNs to hide illegal activities, or bypass content blocks in their country.
Here’s The Issue With Personal VPNs:
Many VPN apps either ask for or are implicitly given permission to log or sell your data, and that data can go to anyone at their discretion: businesses targeting ads toward you, online services, even, ironically, your ISP. If it’s free, they’re almost certainly staying in business by selling your data (hardly any worthwhile security product is free). Bad actors may also set up “free VPN” services just to steal data.
There are tradeoffs when searching for a personal VPN provider, so do thorough research if you choose to use one. If you would like more guidance, just reply to this email and we can send some resources to you.
Now, About Your Business Data…
If you’re using a personal VPN solution for work, or no VPN, it’s time to explore alternatives. Ideally, your work-from-home setup should connect employees to your company network and firewall, where corporate traffic is filtered and protected by your security stack.
This safer option removes third-party VPNs altogether and protects your employees, even on public or mobile networks (remember, you never know who has their home WiFi wide open for the rest of the neighborhood).
Interested in having Facet configure a VPN or cybersecurity plan for your business? Schedule a call with Trey by clicking here.
⭐ Special thanks to Facet team members Zach Jacobson, Karol Burton and Tyler Greenleaf for their technical advice on today’s newsletter topic!
Cyber Treats will be off next week for Thanksgiving so the dogs can beg for turkey and root for the Packers. We will return on December 5. As always, we are grateful for our clients and community. Thanks for being part of the Facet Family.
Think of traditional security like a castle with strong outer walls, moats, sentries, maybe a dragon – you get the idea. In this castle, once someone’s inside, they can move around freely.
But what if the castle’s not made of stone and sectioned neatly off on its own (I think we’ve taken the metaphor far enough here)? Your employees likely work from home occasionally. They access data on personal devices, maybe even on public networks.
As the perimeter of your castle expands, zero trust architecture offers a way to secure “anytime, anywhere” access to data, documents and more.
Why Look Into Zero Trust?
Protects against insider threats and compromised accounts (because many threats come through “disguised” as internal staff)
Limits damage from breaches – granular control over sensitive resources means attackers can’t freely move through your network
Supports remote work by securing access from anywhere
Allows your organization to meet tough compliance standards and can lower cyber liability insurance premiums
Start Today With These Quick Tips
If you don’t have the resources to implement a “full” zero trust security architecture, you can start by implementing a few key elements of the philosophy into your existing cybersecurity plan.
Zero Trust philosophies can be applied everywhere, at work and in your personal digital life.
Use multi-factor authentication everywhere, not just for “important” accounts
Treat your home and work networks as untrusted – secure each device individually
Regularly verify app permissions on your devices (and be picky about which apps you download)
Never save passwords in browsers or reuse them across accounts (I cannot stress this enough–once hackers have one email/password combination, they will try it on many sites across the web)
Let’s Talk Zero Trust for Your Business: Meeting Compliance Standards and More
Many industries are faced with new compliance standards. Facet, as your managed services partner, can work with you to implement a cybersecurity plan informed by zero trust principles to meet or exceed these standards so you can grow your business.
Designed properly, zero trust architecture doesn’t have to slow down your employees or affect performance. In fact, it can help you become more profitable as you can prove to potential clients that you take their data seriously.
Want to learn more?
Fill out the form below and mention zero trust in the message box. Our team will reach out with more information on securing your organization from threats inside and out.
According to the FTC, shopping scams were the second-most reported in the US in 2023–and they’re at their worst during the holidays. According to TransUnion’s 2022 Global Digital Fraud Trends report, there was a 127% increase in daily fraud attempts between November 24 and 28 compared to January 1 through November 23.
Volume of orders isn’t the only factor here. According to Norton’s 2022 Cyber Safety Insights Report, nearly one in three adults (32%) worldwide admitted to taking more risks with online shopping closer to the holidays, so if you find yourself clicking “add to cart” a bit quicker than usual, you’re not alone.
Below, we detail three common scams and how to avoid them for safer shopping this year.
The “Undeliverable Package” Text (or Email)
A text comes through alerting you that a package is not deliverable to your house or business. It’s the holidays. You’ve ordered at least 15 gifts in a coffee-fueled shopping push this weekend, so it seems plausible. You click the link. You get malware on your phone.
Avoid this by tracking orders directly through a retailer’s website or app. Avoid clicking links in suspicious messages (especially if they don’t mention a company name), and be cautious of unsolicited delivery messages.
The Gift Card “Deal”
You come across an amazing deal for gift cards at a steep discount. You purchase the cards as gifts. Once you’ve purchased the cards, the scammer uses the card, leaving you out fifty big ones with a worthless card. Alternatively, scammers will request payment for items via gift cards so they can continue these schemes.
Avoid this by purchasing gift cards directly from reputable retailers. Never use gift cards as a form of payment to unknown individuals.
The “Extreme Couponer”
You find an amazing coupon link promising steep discounts via e-mail, social media, or SEO-optimized pages on a Google search. What’s the scam? These coupon links can lead to phony websites made to mimic a legit retailer, or even sites that encourage you to download adware or malware.
Avoid this by looking for coupons on the retailer’s official site and/or app, or by signing up for their email list. Also, install a good ad blocker.
Consider Mobile Device Management
Does your team use mobile devices for work? Perhaps the ones on which they also do their Cyber Monday shopping? If so, your business’s documents are right there with anything and everything on their phone—if their phone gets hacked, your company data can be left vulnerable.
The solution? Education and mobile device management. With an MDM solution, you get seamless security for iOS, Android, iPadOS and frontline worker devices. This native endpoint security covers SMS/email phishing detection, app management, identity management and more.
MDM along with good cyber awareness training can help build a strong security posture. Facet offers an MDM as part of our Advanced Security Suite of products that can be added on to any managed service agreement.