Posted on

How to Secure Microsoft 365 for Remote Working


It seems that remote working won’t go away after the pandemic passes. In fact, organisations in most industries are working towards making it a permanent and viable option. 

Large enterprises and corporations like Facebook and Google plan to keep the model for a while, while others like Twitter, Slack, and Zillow have decided to allow most or all of their employees to work from home permanently. Their decisions point towards the likelihood of remote work becoming a permanent option in most companies.

SMBs looking to secure work from home 

According to Intermedia’s survey, small to medium business owners believe the remote work model is here to stay. The survey indicates an overwhelming preference for keeping remote work as a long-term option: 57% of SMB owners state that employee availability and life and job satisfaction have increased, and they cite a drop in overhead costs as a benefit that enabled them to stay afloat during lockdowns.

Those SMBs deciding to embrace the model are in the midst of preparations to make remote work permanent. 

The Microsoft 365 suite is heavily used among SMBs, as its subscription model offers industry-leading functionality at a reasonable price. Along with access to security and operational features previously available only to enterprises, Microsoft 365 includes cloud-based services that can be used from anywhere, making the suite a perfect choice for work-from-home teams.

Compliance remains a core concern for work-from-home protection

Remote work comes with a new set of risks, especially for cybersecurity. Compliance acts and regulations don’t differentiate between in-office and remote work. 

They require that you have secure working-from-home policies for sensitive information and data, and that your staff are secured while working from home.

The most common regulations to comply with include: 

  • Health Insurance Portability and Accountability Act (HIPAA) for businesses offering health services 
  • EU’s General Data Protection Regulation (GDPR) for all businesses processing and handling personal data from EU citizens
  • California Consumer Privacy Act (CCPA) for all California-based businesses and those doing business in California
  • Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) for everyone handling personal data from Canadian citizens

These acts require you to comply with Information Security Management Systems (ISMS) standards, most notably the ISO/IEC 27000 series, as well as the Payment Card Industry (PCI) Data Security Standard (DSS) for those who take card payments online. 

SMBs often struggle with acquiring the right security solutions because the budgets are low. 

Remote work and software spending

The graph below shows how expectations on software spending have changed from March to May 2020. 

As the impact of the pandemic stopped being an unknown variable, respondents have revised their expectations on spending, which is indicated by less spending than initially expected. 

[Chart: COVID-19 impact on software spending worldwide 2020 (survey results comparison: March, April & May). Source: Statista]

While the highest percentage of respondents (40%) initially stated they will increase their spending on software, in May, 44% reported there were no changes compared to spending during the previous year. 

And while the overall spending seems to stay the same, there are big shifts on what type of software the funds are allocated to. 

[Chart: Where are businesses increasing software spending? Source: Statista]

With working from home being the new norm, conferencing takes the lead, followed by collaboration, remote desktop tools, and security software. 

Work-from-home protection is an important concern for SMBs, and as the newest data from Microsoft shows, everyone is trying to speed up their cybersecurity digital transformation. 

So how can you protect all the Microsoft 365 documents and communication that you work with daily when everyone is using different networks and devices to access it?

How to protect Microsoft 365 when working from home

In our experience, the most efficient option to cover both documents and communications is Advanced Microsoft Information Protection (MIP), as it has the best cost-benefit ratio.

Microsoft Information Protection uses built-in capabilities of Microsoft Office 365 and Windows 10, together with additional Microsoft solutions, to secure Microsoft 365 and all the digital information and data you work with in your business wherever it lives: in the cloud (through Cloud App Security), on devices, and on premises.

It allows you to detect sensitive information and locate where it’s currently stored, secure documents as soon as they are created, and even ensure that you dispose of them in a secure manner. 

What Microsoft Information Protection can do for SMBs: 

  • It will secure Microsoft 365 apps and services you use and all your business information from leakage.
  • It blocks access by malicious and untrusted actors.
  • The automatic classification protects all documents based on the criteria, trigger words, and phrases you set up. 
  • It actively tracks data through its lifecycle and gives you insight into who has access to data and a log of who accesses it and what they are doing with it.
  • It helps your employees stay productive and learn about working from home best practices. The system will suggest labels and teach them how to use and apply them correctly. 
  • It gives you overview over information flow, with valuable insight on patterns of data usage inside of your organisation. 
  • This allows you to spot anomalies in data usage and access, enabling quick detection of potentially harmful actions by people or malicious software.
  • It keeps all data secure even when sharing with vendors and third parties by not allowing forwarding, downloading, or copying information shared with them.

Such capabilities extend beyond securing your data: they also protect your staff from making errors while handling data, and cover the vendors you work with by not allowing them to forward any information you share with them.

Once set up, you’ll have a system that performs well in the cloud, covering the need to secure remote working, but on premises too, once you decide to go back into the office. 

See MIP in action with our email demo video here:

Why you need to secure Microsoft 365 for remote working

When you secure Office 365, you and your team can do remote work securely and are saving time and money. But that’s only one benefit of using such an extensive system: 

  • No changes in workload: The automatic classification and encryption of all documents you work on and share with remote staff, contractors, and other third parties means there is no need to increase workload for your staff and spending time on complex manual security checks that they need to learn to apply. 
  • You will secure Microsoft Office through compliance: Classification and encryption are enforced at the cloud level too, protecting against human error, one of the most common causes of data leaks. Securing Microsoft 365 for remote working also helps you stay compliant with all regulations.
  • Security travels: The cloud-based protection extends beyond business devices – the protection remains with documents and data and travels with them, ensuring they are secure even if they end up in the wrong hands. 

Secure external consultant documents for Microsoft 365

Working with external consultants increases risk of data leakage and breach, since you are relying on them to practice good cybersecurity. 

Instead of hoping they are doing a good job, you can secure Microsoft 365 documents sent to and used by external consultants through MIP. With auto classification, the options for downloads and further sharing will be disabled, ensuring the data can never be accessed by anyone but your external consultants. 

Secure internal sensitive and confidential information when working from home

Secure Microsoft 365 data with MIP’s extensive labeling and trigger system. You can classify all information into specific categories and set up sensitivity labels for each of those categories.

The trigger system activates based on the rules you set up. Each rule has two parts: a condition that must be met, and an action that runs automatically when the condition is matched.

For example, when a user without permission tries to access a sensitive document, the rule sends an email to the user and administrator of your system about the incident. 

Whenever someone creates a new document, no matter where within your organisation, it will automatically be protected based on the category and labels applied to that type of document. 

These labels are document-based, meaning they persist with it and are transferred anywhere the document ends up. If the document ends up being in an insecure environment, your security policies will continue being enforced, and won’t allow usage by anyone who isn’t a trusted source. 

The system allows you to track all data and documents as they move through and outside of your organisation. If you ever suspect foul play, you can revoke access to the document, rendering it useless to anyone who is trying to get at it.

In such cases, MIP can, depending on your setup, respond with a real-time email alert or a report on the dashboard.

Microsoft Information Protection includes Data Loss Prevention (DLP) capabilities, with policies against accidental sharing. With it, you can also label documents for information retention, set an expiry time and apply deletion policies that will execute automatically when requirements are met. 
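To make the label-and-trigger model concrete, here is a small added example (written for this article, not Microsoft’s or TowerWatch’s code) of how such a system behaves: content is classified at creation time from trigger phrases and a payment-card pattern, the resulting label carries its policy (encryption, watermark, forwarding, who may open it) with the document, and every access request is a condition-to-action rule that either allows the action or denies it and raises an alert to the user and the administrator. Label names, group names, the admin address and the sample document text are all constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Sensitivity labels and the policy each one carries. Constructed for this
# example; real MIP labels are configured in the Microsoft 365 compliance portal.
LABEL_POLICIES = {
    "Public":       {"encrypt": False, "watermark": False, "allow_forward": True,  "groups": None},
    "Internal":     {"encrypt": True,  "watermark": False, "allow_forward": True,  "groups": {"staff"}},
    "Confidential": {"encrypt": True,  "watermark": True,  "allow_forward": False, "groups": {"finance", "management"}},
}

# Classification rules in priority order (most sensitive first); the first match wins.
# Each entry is (label to apply, reason recorded in the audit trail, pattern).
RULES = [
    ("Confidential", "payment card number", re.compile(r"\b(?:\d[ -]?){12,15}\d\b")),
    ("Confidential", "confidential trigger phrase", re.compile(r"\b(?:confidential|payroll|passport number)\b", re.I)),
    ("Internal", "internal trigger phrase", re.compile(r"\b(?:internal only|staff rota)\b", re.I)),
]

ADMIN_ADDRESS = "admin@example.test"   # placeholder alert recipient
ALERTS: list = []                      # stands in for the real-time e-mail alert / dashboard report


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum, so that an arbitrary run of digits does not trigger the card rule."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if not 13 <= len(digits) <= 16:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(text: str) -> tuple:
    """Return (label, reason) for a piece of content; anything unmatched is Public."""
    for label, reason, pattern in RULES:
        for match in pattern.finditer(text):
            if reason == "payment card number" and not luhn_ok(match.group()):
                continue  # digits that fail Luhn are an order number, not a card
            return label, reason
    return "Public", "no rule matched"


@dataclass
class Document:
    name: str
    text: str
    label: str = "Public"        # travels with the document wherever it is copied
    revoked: bool = False
    audit: list = field(default_factory=list)


def protect(doc: Document) -> Document:
    """Label the document as soon as it is created."""
    doc.label, reason = classify(doc.text)
    doc.audit.append(("labelled", doc.label, reason))
    return doc


def request_access(doc: Document, user: str, user_groups: set, action: str) -> bool:
    """Condition -> action rule: deny and raise an alert whenever the label's policy is not met."""
    policy = LABEL_POLICIES[doc.label]
    allowed = not doc.revoked
    if policy["groups"] is not None and not (user_groups & policy["groups"]):
        allowed = False
    if action == "forward" and not policy["allow_forward"]:
        allowed = False
    doc.audit.append((action, user, "allowed" if allowed else "denied"))
    if not allowed:
        ALERTS.append({"to": [user, ADMIN_ADDRESS], "doc": doc.name,
                       "user": user, "action": action, "label": doc.label})
    return allowed


def revoke(doc: Document) -> None:
    """Owner suspects foul play: the document becomes unusable for everyone."""
    doc.revoked = True
    doc.audit.append(("revoked", "", ""))


if __name__ == "__main__":
    invoice = protect(Document("invoice.docx", "Card on file: 4111 1111 1111 1111"))
    print(invoice.label)                                       # Confidential
    print(request_access(invoice, "bob", {"staff"}, "open"))   # False, alert raised
    print(ALERTS[-1])
```

The Luhn check is the detail worth copying: a bare 16-digit pattern would label every order reference as a card number, and over-classification is what drives staff to work around the system. The audit list on each document is the "who accessed it and what they did" trail the article describes.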

Secure email communication when working remotely

The labeling system goes beyond Office apps, and you can secure Microsoft Outlook in the form of Office 365 Message Encryption. 

It allows you to classify and secure email messages as well. When labeled, the policies for that specific label will be applied to the email. This includes policies such as: 

  • Encryption
  • Watermarks
  • Access restriction
  • Disabling forwarding

The label that is applied will persist with the email and keep security policies on the email even when it leaves your organisation. It helps employees work from home securely by preventing phishing attacks and disclosing information accidentally. 

Secure BYOD for remote working

With online-only work, your employees will use a number of devices to access business data, such as Windows and macOS machines and mobile devices. A comprehensive security suite such as Microsoft Information Protection uses encryption standards that work on all of them.

If you’re unsure on the right way to secure BYOD for remote working and set up policies, we can discuss other ways of working with BYOD. For example, we offer Windows Information Protection setup services that secure employee-owned devices from data leakage and other security incidents. 

The MIP setup takes time and IT knowledge

Microsoft Information Protection is definitely an all-encompassing solution that addresses the risks of remote work well. It secures access to sensitive data and documents, grants permissions to the right stakeholders, and ensures all your business data is safe even if it’s somehow accessed without authorisation. 

But there is a downside to it: It takes a lot of time to set up such an extensive system for someone who never had to deal with it. Even if you have an IT professional on your team, chances are, they will need to ask for help. Only those with knowledge in Active Directory, a good comprehension of Microsoft licensing, and previous experience with Microsoft or Azure Information Protection itself can set it up. 

One error in permissions and labeling and you can lock yourself out of your own documents, even as the admin. Or, if something is missed during setup, the system might not flag important documents correctly, leaving them easily accessible to someone without permission.

Learn more about how we can help here:

Advanced Office 365 Security for Remote Working

Professional setup saves time and money

Towerwatch has many years of real-world experience with encryption. We have been working with Microsoft Information Protection and setting up automatic encryption protocols for global brands even back when MIP was still known as Azure Information Protection. 

Now you can rest easy knowing it’s set up properly and that all documents and communications are secure. You will efficiently eliminate the risk of costly mistakes that could result in regulation breach fines or loss of customers. 

To find out more about how we can secure your business operations with a future-proof cloud-based solution that will continue working even if you decide to go back into office, book a consultation with Microsoft Global Professionals for MIP, and our initial session HERE

Our initial session is priced at £250, and for this investment, you will not just cover the session cost, but also get a comprehensive overview of the current state of your cybersecurity solution and work-from-home compliance status. When you decide to move forward to the next stage, this investment will also be deducted from the project fee. 

Book your initial session HERE.


The Importance of IT and Cybersecurity in Hospitality


Hospitality businesses are at a higher risk of suffering a data breach because of the nature of the industry. 

The most recent case to make the rounds is the massive data breach Marriott International suffered, especially because the breach remained undetected for over 3 years. In that time, data such as credit card numbers, home addresses, loyalty points, birth dates, passport numbers, and other valuable information was stolen.

Imagine something like that happening to your cafe, restaurant, or hotel. 

Could you handle the aftermath of a breach? 

It’s not just about the massive damage payouts. The real aftermath is dealing with the trust that will be damaged beyond repair. 

How safe are your current systems? Are you sure you could deter or detect a breach?  

The high risk of the hospitality industry

Hospitality businesses are a high-value target of malicious intent. The first part of the issue revolves around the characteristics of the industry: 

  • You work in a people-centred industry where competition is fierce. 
  • To succeed, your hospitality business has to stand out from the crowd by providing your customers with the very best service.
  • You also have to deal with a lot of stored sensitive information about your clients. 
  • This data can help you provide a streamlined and personalised experience. Unfortunately, such data is highly valued on the black market, which makes you a prime target for hackers.

The other part of the problem is your back office: 

  • It’s a highly dynamic industry that requires a centralised system with lots of connection and access points. 
  • Any of these can become a potential point of access.  
  • The turnover rate of hospitality businesses is higher than in other industries. 
  • Any old, forgotten, and inactive accounts from former staff are security threats.

How can IT and cybersecurity solutions help hospitality? 

Hospitality businesses are highly vulnerable to cybersecurity threats. Even large enterprises will succumb to a data breach without advanced cybersecurity solutions. 

Instead of sticking to incident response and passively reporting on a security breach, hospitality businesses have to implement proactive measures that will make a breach unlikely and data unreadable. 

The right IT solution keeps your business efficient and your customer and employee data safe. Our IT and cybersecurity solutions and services will: 

  • Standardise your whole network infrastructure – We can take care of everything – from network hardware installation and setup, to VPN and token solutions.
  • Streamline your operations – This will reduce errors and data mismanagement, and will speed up your whole system. 
  • Encrypt data and documents – While you should aim to avoid a data breach, encryption helps you remain compliant and make data unreadable and unusable in case it does happen. 
  • Report any red flags – Advanced monitoring solutions help detect any irregularities in your database, payment system, or loyalty programs immediately. Your data stays secure, and your services stable.
  • Create and maintain backups – Your whole systems and operations backed up, ready to weather any storm.  
  • Train your staff – Even the best systems remain vulnerable if your staff isn’t up to date on how to use it, or isn’t informed about the latest security threats and policies.
  • Provide ongoing support – From helpdesk and remote support to onsite interventions, we’ve got you covered.

Responsive IT Support 

We go well beyond simple network setup, optimisation, and one-time security protocol setup.

Cybersecurity is an ongoing task, and TowerWatch Solutions offers ongoing IT support for your hospitality business. 

Our IT support range includes 1st, 2nd, and 3rd line support. No matter what type of IT-related issues you are dealing with, we can help you resolve them quickly and have you up and running in no time.

  • Your employee lost their password? Our helpdesk will help them retrieve it. 
  • Your POS can’t connect to the network? We can get it up and running remotely. 
  • Your customers can’t order ahead through your app? Our engineers will find the reason as soon as possible. 

Our IT support is available around the clock, and you can choose between: 

  • Helpdesk support – A solution for any minor issues that keep disrupting your daily operations is just a phone call away. Our helpdesk support will quickly resolve POS connection issues, account lockouts, or network drops. 
  • Remote assistance – When you can’t take care of the problem on your own, our IT support agents can quickly resolve minor inconveniences with remote access. 
  • Onsite IT expert and engineer teams – Have issues with hardware or software setup? Your Wi-Fi system is down and routers aren’t responding? No worries. We’ll deploy our onsite IT experts to take care of all your IT worries in no time. 

Already have an in-house IT team? 

Nothing to worry about. Besides 1st to 3rd line IT support, we also offer full IT management support.

We will take care of in-house team hiring, management, and training to keep your team up to date on the latest security practices and threats, and work alongside them and offer a helping hand. 

Let us deal with technicalities so you can stay focused on your customer and the experience you provide. 

Project Implementation 

The IT projects and solutions we implement are all based on the latest technology and security standards. 

The hospitality industry works with high volumes of sensitive data, and our solutions ensure it stays safe – we will make sure all your operations are GDPR-compliant too.

Project implementation preparations

Our experts and engineers have over 10 years of experience in IT management and project implementation. Before we draft a project for your hospitality business, we will take a look at your current setup. 

TowerWatch Solutions will ensure your IT systems can handle your business demands, follow the latest hospitality trends, and battle security threats. 

We can make the project as simple or complex as you need it to be. We can implement a simple backup solution for your current operations, or reinvent your whole IT infrastructure and offer a streamlined digital dining journey. 

Your IT needs should never take the back seat. Today, IT solutions are the driving force of successful hospitality businesses. We can help you with:

  • Implementing full server systems, communications, and platforms. 
  • Physically relocating your sites and helping you open new sites.
  • Moving your physical servers to safer virtual environments.
  • Converting your local data and operations to the cloud.
  • Installing and implementing encryption solutions for your customer data and loyalty programs. 
  • Taking care of GDPR and PCI compliance.
  • Implementing access control measures. 
  • Setting up Backup and Data Loss Prevention (DLP) measures.  

Fully custom solutions, tailored just for you 

Because no two hospitality businesses are alike, we focus on getting to know you first. Your long-term goals become our long-term goals.

When we are familiar with your strengths and weaknesses, we will know how to design an IT system that will emphasise the former and eliminate the latter. 

  • A custom-designed IT system will cover all your needs and provide a streamlined experience to your customers and patrons. 
  • We will implement new hardware, software, and full IT solutions with minimal disruptions to your operations. 

With our IT services, you’ll be ready for rapid expansion and franchising: We will future-proof your IT infrastructure so you can easily open new locations locally, regionally, and globally, and deploy your whole system instantly.

Streamlined Setup 

Do not worry about business disruptions while we implement our IT and security solutions. 

We have streamlined our setup routine so you can continue working without losses in uptime, efficiency, or staff and guest satisfaction. We’ll start with upgrades that are easiest to implement and work our way to the more complex solutions. 

Continue impressing your guests and customers while we update, improve, and optimise your whole IT system with:  

  • Equipment standardisation – Differences in hardware, procedures, and policies across franchises are a common reason for disjointed operations. We will standardise all your equipment. 
  • The best guest Wi-Fi solutions – Your systems are not the only thing that benefits from being connected. Your customers will keep coming back to enjoy not just your services, but also an amazing, lightning-fast, and most importantly, secure Wi-Fi in any of your establishments. 
  • Cloud solutions that sync across your whole franchise – No matter how many locations you have, relocating your operations to the cloud will allow your staff to work efficiently from any branch and sync data across all your locations.
  • Active network monitoring – Proactive approach to possible issues is the only way to deal with them before they become serious. Our IT solutions can monitor your whole infrastructure and network, and alert our IT support in case of irregularities. 
  • GDPR compliance implementation – Unsure about GDPR compliance and worried about possible legal risks? We’ve got you covered here too. TowerWatch Solutions is your one-stop shop for implementing cybersecurity and IT systems that will make you fully compliant with the GDPR. Our compliance strategy includes data mapping and auditing: we will uncover where your data is stored and review all your software for possible security gaps, then implement security measures such as system monitoring and advanced data encryption to keep data safe.
  • PCI compliance implementation – PCI compliance helps you protect your customers’ credit card data and reduce fraud attempts. By making sure your new IT setup is compliant with PCI DSS standards, your customers and guests will know you place the highest emphasis on their security.
  • Future-proofing – Our IT solutions ensure your systems are future-proof and you won’t have to worry about substantial investments down the line. When you migrate your operations to virtual environments and the cloud, all the updates are handled by the provider, guaranteeing your systems are always up to date and safe.

Your IT security is only as good as its weakest link. Unintended data disclosure can easily be prevented with the right staff training. Leave it to us to teach them how to use the newly implemented systems and foster a culture of security. 

Consultancy & Research 

Are you opening a new restaurant and want a good IT infrastructure right away?  Or are you an established franchise that could use some updating in the IT department, but you’re not sure where to start? 

Start by consulting with our experts 

TowerWatch Solutions offers consulting services on hospitality IT systems and cybersecurity. We’ll help you plan out every detail of IT system implementation and assist your in-house IT teams on every step of the way. 

No in-house teams? No problem. We can manage your IT projects on our own too. 

If you are more comfortable having in-house IT experts, we also provide consulting on IT training and recruitment: we can set up an in-house IT team for you, recruit new members, and train and manage the team.

Our dedicated IT experts and engineers will help you with a boost of specialised knowledge right where you need it:  

  • IT project management – From implementing ePOS systems to handling guest Wi-Fi options, we’ll help you manage the whole project.  We consult you on the best ways to implement it, and what the needed security measures and best practices are.
  • IT security requirements – We can help you and your team set up staff authentication, BYOD policies, GDPR, and PCI compliance, and consult you on the latest industry standards. 
  • Data safety and recovery options – Our experts will be happy to explain all the solutions you can implement to prevent data leaks and losses and help you pick the best mix of options. Learn about:
    • Differences between backup solutions
    • The importance of business continuity strategies
    • How data loss prevention (DLP) works 
    • What disaster recovery options would be best for you
  • Cloud computing solutions – We’ll guide you through possible cloud computing options and advise you on the one best suited to your particular needs, be it private, public, or hybrid. 
  • Migration services – We can help you move your data and operations from one location to another, or to a virtual environment. We will also ensure that any risks – privacy, security, and data access – are eliminated in the process.  

Overall…

Hospitality is an industry that handles huge amounts of sensitive data on customers, guests, and patrons. Hospitality cybersecurity is more important than ever before. As a restaurant, cafe, or hotel owner, it’s your responsibility to keep their data safe. 

How up to date is your current IT setup? Have you taken care of your GDPR compliance? Do you know who has access to sensitive data? 

Here are some of the latest facts and figures on hospitality data breaches, and just how much damage they can do: 

  • Restaurant group Earl Enterprises data breach from May 2018 to March 2019
    • Data affected: Over 2 million credit card numbers were stolen
    • Attack vector: Malware on their POS system
    • Brands affected: Buca di Beppo, Earl of Sandwich, Planet Hollywood, Chicken Guy!, Mixology, and Tequila Taqueria
    • Damages paid: Unknown
    • The company launched a website so guests can check whether their details were stolen.
  • RMH franchise security breach in 2018
    • Data affected: Guests’ names, credit or debit card numbers, expiration dates, and card verification codes
    • Attack vector: Unauthorised software placed on the POS system
    • Brands affected: 167 Applebee’s restaurants
    • Damages paid: Unknown
  • Wendy’s data breach of 2015 and 2016
    • Data affected: Name, card number, expiration date, security and service codes, and other payment card-related information.
    • Attack vector: Malware on POS system
    • Brands affected: Wendy’s restaurants
    • Damages paid: $50 million
  • Dunkin’ Donuts data breach
    • Data affected: Usernames and passwords for loyalty programs
    • Attack vector: Third-party breach
    • Brands affected: Dunkin’ Donuts
    • Damages paid: Unknown
  • Hilton Hotels data breach of 2014 and 2015
    • Data affected: Credit card numbers, names, addresses
    • Attack vector: Cash register computers
    • Brands affected: Hilton Hotels
    • Damages paid: $700,000
  • Marriott data breach: The biggest breach to date
    • Data affected: 500 million customers’ information, including names, addresses, phone numbers, email addresses, passport numbers, account info, birth dates, gender, and arrival/departure information
    • Attack vector: Unauthorised access to the hotel database
    • Brands affected: Ritz-Carlton, St. Regis, JW Marriott, W Hotels, Sheraton, Delta Hotels, Le MERIDIEN, Westin, Renaissance Hotels, Four Points, SpringHill Suites, Fairfield Inn, Residence Inn.  
    • Damages to pay: $915 million (GDPR fine)

Digital technology and data safety have become an integral part of the hospitality and dining experience. 

How IT Solutions Influence the Dining Journey

Technology is affecting the hospitality industry, and those who don’t embrace IT solutions are bound to fall behind fast. 

According to the Windstream Enterprise-BRP Consulting digital restaurant study, which focused on the preferences of Millennials and Gen Z, digital technology affects the hospitality sector, particularly restaurants, quite a lot.

Here are some of their most interesting finds: 

  • 74% find that ease of ordering and payment is extremely important.
    • only 45% of restaurants have excellent execution for this preference
  • 60% place importance into Wi-Fi availability 
    • only 44% of restaurants have a good solution in place 
  • 42% actively look for contactless and mobile payment availability
    • only 33% of restaurants have it 
  • 41% look for mobile and web order ahead options
    • only 26% of restaurants offer a good solution

The following infographic by Deloitte from 2016 shows just how important technology has become in hospitality:


Some key findings include the fact that 40% of people prefer to order online, and when technology is used to place orders, customers will spend an extra 20% on average per visit.

The findings clearly show that the customer journey and experiences are heavily influenced by the convenience of new tech solutions. The only way forward for your business is to implement IT solutions that will be convenient but also safe. 

Do you have the right IT solutions in place? Get in touch to see how we can help you streamline, boost customers with technology projects, and improve your security.


Five Ways to Avoid Hotel Phishing Scams

Seeing headlines about yet another hotel being hacked has become commonplace, and the statistics look grim. A staggering 64% of US citizens have already had to deal with stolen data. Hotel phishing has become far too common.

Hotels are perfect targets due to the amount of sensitive data they process each day and the tech they use. The many high-profile breaches that have happened lately signal that many of them do not have the right cybersecurity solutions in place.

Hotel phishing scams are a common attack, and Verizon’s 2019 data breach report shows that out of all the data breaches detected, 32% involved phishing. 

What’s even more worrisome, 56% of those breaches weren’t discovered for months.

You cannot stop such scam attempts from arriving, but you can lower the risk of falling victim to one. Here are five ways to detect and avoid phishing scams.

#1 Staff Training 

Hotels often skip cybersecurity training because they wish to invest in other areas, yet a single successful phishing scam can lead to a breach that will tank their reputation and customer trust, which results in high fines.

Because email is the primary vector attackers use for their hotel phishing scams, it’s important that your employees are able to recognise such scam attempts right away.

A single click is enough to infect the system. The same report from Verizon gives insight that internal actors were responsible for 34% of breaches. Every misclick will result in having your hotel hacked again and again.  

Cybersecurity training for the hotel staff must be a top priority. 

When staff members know how to detect a suspicious email, check the sender and double-check all domain names, the risk of them clicking on it becomes considerably lower. 

#2 Have an External Mail Warning System 

Crafting a convincing hotel phishing email is easier than ever, because people share so much personal and organisational information online.

A well-constructed phishing email can look like a genuine message from a well-known colleague.

An external email warning system helps flag suspicious messages by displaying a warning whenever an email originates outside your organisation, including messages whose display name imitates a colleague. 

This prompts staff to double-check the sender’s actual address before opening attachments or clicking links, and to report the message to IT. 
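One way to implement the warning in Microsoft 365, as an added example (not the post’s own configuration): the native Outlook external-sender tag plus a mail flow rule that tags the subject and prepends a banner. It assumes the ExchangeOnlineManagement PowerShell module, an account with Exchange admin rights, and placeholder names (admin@contoso.com, the rule name and the banner text).

```powershell
# Added example, not from the original post: tag mail from outside the tenant so staff see
# a warning before they act on it. Assumes the ExchangeOnlineManagement module is installed
# and the account has Exchange admin rights; admin@contoso.com is a placeholder.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# 1. Native Outlook "External" sender tag (Outlook, OWA and mobile); no message rewriting.
Set-ExternalInOutlook -Enabled $true

# 2. Belt and braces: a mail flow rule that prepends a subject tag and an HTML banner to
#    messages that enter from outside the organisation and go to internal recipients.
#    The exception keeps the banner off mail Exchange has authenticated as internal,
#    so a relayed internal message is not mislabelled.
$banner = @'
<div style="border:2px solid #c00;padding:6px;font-family:sans-serif;font-size:12px">
<b>EXTERNAL EMAIL:</b> this message came from outside the hotel. Do not open attachments or
click links unless you expected them, and report anything suspicious to IT.
</div>
'@

New-TransportRule -Name 'External sender warning' `
    -FromScope NotInOrganization `
    -SentToScope InOrganization `
    -ExceptIfHeaderContainsMessageHeader 'X-MS-Exchange-Organization-AuthAs' `
    -ExceptIfHeaderContainsWords 'Internal' `
    -PrependSubject '[EXTERNAL] ' `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerText $banner `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Priority 0

# Verify the rule exists and is enabled before relying on it.
Get-TransportRule -Identity 'External sender warning' | Format-List Name, State, Priority, FromScope
```

The native tag can take up to 48 hours to appear in clients. Send yourself a message from a personal mailbox to confirm both the tag and the banner, then send an internal message to confirm the exception leaves it untouched. Keep the banner short; staff stop reading long ones.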

#3 Implement a Sandbox

A sandbox is an isolated environment that opens links and executes attachments as though on a real system, so that malicious code reveals its behaviour without ever touching your network. 

Sandboxes are used to test links and attachments before they reach a user’s machine. 

If the sandbox detects malicious code or a malicious link, the system raises a warning and removes or blocks the attachment or link so the user and your systems stay safe. 
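In Microsoft 365 the sandbox described above is Defender for Office 365’s Safe Attachments (attachments are detonated in a virtual environment before delivery) together with Safe Links (URLs are rewritten and checked at click time). The following is an added example, not from the original post; it assumes a Defender for Office 365 licence, the ExchangeOnlineManagement module, Exchange admin rights, and contoso.com as a placeholder for the hotel’s accepted domain.

```powershell
# Added example, not from the original post: turn on attachment detonation and click-time
# URL scanning for every mailbox in the hotel's domain. Requires a Defender for Office 365
# licence and the ExchangeOnlineManagement module; names and domain are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

# Sandbox every attachment and block the whole message if the detonation finds malware.
New-SafeAttachmentPolicy -Name 'Hotel - Safe Attachments' `
    -Enable $true `
    -Action Block
New-SafeAttachmentRule -Name 'Hotel - Safe Attachments' `
    -SafeAttachmentPolicy 'Hotel - Safe Attachments' `
    -RecipientDomainIs 'contoso.com'

# Scan links when clicked (a URL that was clean at delivery can turn malicious later),
# hold the message until scanning completes, and do not let users click through a warning.
New-SafeLinksPolicy -Name 'Hotel - Safe Links' `
    -EnableSafeLinksForEmail $true `
    -ScanUrls $true `
    -DeliverMessageAfterScan $true `
    -EnableForInternalSenders $true `
    -TrackClicks $true `
    -AllowClickThrough $false
New-SafeLinksRule -Name 'Hotel - Safe Links' `
    -SafeLinksPolicy 'Hotel - Safe Links' `
    -RecipientDomainIs 'contoso.com'

# Confirm both rules are enabled and attached to the right policies.
Get-SafeAttachmentRule | Format-Table Name, State, SafeAttachmentPolicy, RecipientDomainIs
Get-SafeLinksRule      | Format-Table Name, State, SafeLinksPolicy, RecipientDomainIs
```

Block is the safest action for a front desk that handles bookings by email; if the delivery delay is a problem, the DynamicDelivery action delivers the body immediately and attaches the files once the scan clears them. Watch the quarantine for the first week to catch false positives.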

#4 Keep Your Network Secure 

Run antivirus and anti-malware software on all devices, and put a business-grade firewall at the network edge. 

Keeping your main network inaccessible to outside devices reduces your attack surface.

Put guests on a separate network, and keep staff members’ personal devices on their own separate network too, so that a compromised phone or laptop cannot reach your booking and payment systems. 

#5 Stay Informed About Phishing Techniques & Have Procedures In Place

New phishing scams appear all the time, so make sure your IT department follows new developments closely and regularly circulates internal newsletters on current threats to everyone.

Also have strict procedures for payments and for authorising new transactions. For example: a vendor’s change of bank details must be confirmed with the vendor by phone on a number you already hold (never by replying to the email), requests for money are escalated to a higher management level, and links aren’t clicked unless they were expected.

Hotels Must Be Hypervigilant

The reason so many hotels fall victim to phishing attacks is that their systems, operations and standards are not kept up to date. 

Coupled with a lack of staff training and monitoring, a data breach may already be in progress without them having the slightest clue. 

Posted on

Steps To Respond To a Ransomware Attack

steps after a ransomware attack

Cybersecurity is now an important topic for any business. In the last 12 months, 32% of businesses experienced some sort of cyber attack or data breach, according to the Cyber Security Breaches Survey 2019 by the UK Department for Digital, Culture, Media and Sport. That is roughly one business in three. It goes without saying that every business should prepare for a ransomware attack and other types of cyber-attack.

Keeping your assets secure against cyber threats takes much more than installing firewalls and anti-virus software. Today’s threats are sophisticated and exploit every gap in your security configuration to get in. While there are many types of attack, ransomware is one of the most damaging that businesses have to deal with. 

What’s a Ransomware Attack? 

Ransomware is a type of attack in which malicious software (malware) encrypts the files on a computer or across whole systems and denies access until you pay a ransom. The demand is usually for cryptocurrency such as Bitcoin, because payments are hard to trace to a real-world identity. 

It is one of the most dangerous types of attack because it can stop a business dead in its tracks. If the ransom is not paid, the data stays encrypted and is effectively lost. 

This is bad enough when it happens to an individual. Imagine it happening to your company: you lose all your business and operational data and have to start all over again. Some businesses never recover.

Preparing for a Ransomware Attack

The bad news about ransomware? It can happen to anyone, and once it does, your options are limited to whatever you prepared in advance. 

But you can prepare for it. Here’s how: 

Data backup should be your number one priority.

It can save you thousands or even millions, but only if the backup storage itself is protected. Ransomware attacks are carefully executed, and attackers will often have access to your systems for weeks or months before they trigger the encryption. 

Why? Because they want to make sure they hijack everything, including any backups you might have. 

This is why you should keep backups in another location. Keep a copy in the cloud, but also keep at least one backup offline – completely disconnected from any network – because a cloud backup that is reachable with the same credentials can be encrypted or deleted too.  

Make sure IT keeps all systems and software up to date.

Although updates are often a hassle, they exist for a reason: many are released specifically to fix security vulnerabilities. Unpatched software and operating systems are an open invitation to attackers. Your IT department should ensure every device is up to date. 

Start implementing user restrictions.

Not all of your employees need access to all your data. Ask your IT provider to apply least privilege so that employees can access only the data they need. If they need more, they can request special, time-limited access that is revoked as soon as it is no longer needed. That way, if an account is compromised, the damage is contained. 

Invest in monitoring software. 

Powerful monitoring solutions can watch your whole estate for suspicious activity. This goes beyond regular antivirus: it records what users are doing and what data they are accessing, and alerts you when something is out of the ordinary, such as one account suddenly renaming or rewriting thousands of files. 

Don’t forget about employee training.

Whatever security software you deploy, if your employees are not aware of cybersecurity best practices you are always just one bad click away from a ransomware attack. Make sure they know how to spot a suspicious email, and that they should never click links in such emails or open attachments.  

Work on your BYOD policies.

Many businesses, especially small- and medium-sized ones, often allow employees to bring their own devices (BYOD) to work. Without a good policy in place, however, this becomes a security issue. 

If an employee brings an infected device and connects it to the same network, you are looking at a possible spread of infection – and ransomware – to every other device and the whole system. Because of this, any device connecting to your network should be up to date, run antivirus software and be checked by the IT department regularly. That goes for smartphones too.

First Steps After a Ransomware Attack 

1. Take a photo of the note

This will help IT determine which ransomware family you are dealing with, and whether a known decryptor exists for it. 

2. Determine the extent of the attack 

Your IT provider should be able to determine whether the ransomware has infected a single device, or if the infection is spreading through your network.

3. Isolate infected devices and disable sharing

All infected devices should be removed from the network to stop the spread. Any active sharing should be shut off immediately, including network shares and mapped drives. 

4. Notify employees

Send a message to all employees, through a channel you know still works, so they can report whether their devices are affected. Those who can work can continue, while those affected can help in other areas until IT has dealt with the issue. 

5. Let IT remove ransomware from infected devices 

IT should wipe and rebuild the infected devices completely. Sometimes a local backup or Volume Shadow Copy on the device survives, but ransomware routinely deletes those first, so count on it being unavailable. 

6. Restore data from backups

Once the operating systems are reinstalled, IT can restore data to the affected devices from a cloud or offline backup, after confirming that the backup predates the infection and is clean.
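The six response steps above, as one runnable first-response script. This is an added example, not part of the original post: it covers steps 1 to 3 (record the note, capture the live state needed to judge the spread, then isolate the host and kill file sharing) on a single Windows machine, and leaves notification, rebuild and restore to people. It assumes it runs locally as Administrator, that the ransom note path is supplied (the default is a placeholder) and that C:\IR is an acceptable evidence folder; the share, service and firewall cmdlets are standard Windows.

```powershell
# Added example, not from the original post: first response on a Windows host showing a
# ransom note. Run locally as Administrator. The note path default and C:\IR are placeholders.
param(
    [string]$RansomNote = "$env:USERPROFILE\Desktop\README.txt"   # placeholder; pass the real note
)

$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
$evidence = "C:\IR\$stamp"
New-Item -ItemType Directory -Path $evidence -Force | Out-Null

# Step 1: record the note. A copy plus its hash identifies the ransomware family later
# (the photo the article suggests is for when the machine itself is unusable).
if (Test-Path $RansomNote) {
    Copy-Item $RansomNote -Destination $evidence
    Get-FileHash $RansomNote -Algorithm SHA256 | Export-Csv "$evidence\note-hash.csv" -NoTypeInformation
}

# Step 2: how far has it spread? Capture live state before isolation destroys it:
# who is connected over SMB, which files they hold open, what is talking to the network.
Get-SmbSession  | Export-Csv "$evidence\smb-sessions.csv"   -NoTypeInformation
Get-SmbOpenFile | Export-Csv "$evidence\smb-open-files.csv" -NoTypeInformation
Get-NetTCPConnection -State Established |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess |
    Export-Csv "$evidence\tcp-established.csv" -NoTypeInformation
Get-Process | Select-Object Id, ProcessName, Path |
    Export-Csv "$evidence\processes.csv" -NoTypeInformation

# Step 3: isolate and disable sharing. Remove every non-administrative share and stop the
# Server service so the host serves no files, then block all traffic at the host firewall.
# Blocking (rather than powering off) keeps memory and disk intact for forensics while
# stopping the malware from reaching network shares.
Get-SmbShare | Where-Object { -not $_.Special } | Remove-SmbShare -Force
Stop-Service -Name LanmanServer -Force
Set-Service  -Name LanmanServer -StartupType Disabled
Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block

Write-Host "Host isolated. Evidence saved to $evidence. Do not reboot; hand over to IR."
```

Run it from an elevated console on the affected machine, not over a remote session: the firewall block at the end cuts every connection, including yours. If a domain Group Policy manages the firewall it may later revert the profile, so pull the network cable as well once the evidence is saved.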

To Pay or Not to Pay? 

If you’re not prepared and have no backups, you might be tempted to pay. Take the 2019 ransomware attack on the City of Baltimore’s government, which knocked out city email, online payment systems and property transactions for weeks. 

The attackers demanded about 13 Bitcoin, roughly $76,000 at the time. The city refused to pay, only to realise that many of its systems weren’t backed up. It lost a great deal of data, and the attack ended up costing an estimated $18 million.

It might seem that Baltimore would have been much better off simply paying the ransom. Not really.

Why? 

You’re dealing with criminals. Even if the city had paid, there is no guarantee it would have got its access back, and organisations that pay mark themselves out as targets worth hitting again. This is why preparation matters so much: it minimises the damage.

Conclusion

Everyone is at risk of a ransomware attack. Preventing every attack is next to impossible, but preparing for one is more than possible. Your IT provider should back up your data regularly and test that the backups actually restore, and you should make sure your employees know how to spot phishing attempts. When you prepare properly, you can minimise the impact of an attack and spare yourself monetary and reputational damage. 

Posted on

IT Managed Service Providers vs In-house IT Teams For Hospitality

IT Managed Service Providers vs In-house IT Teams For Hospitality feature image

As businesses undergo digital transformation, IT is becoming critical to their success. Yet with consumers expecting hospitality to match the digital era with new customer experiences, IT is often one of the things left behind!

So whilst basic IT knowledge goes a long way in hospitality, having a dedicated IT expert is still the best solution. Most business owners are now faced with a critical decision: to choose between an IT managed service provider vs in-house IT team.  How are they different? Which one is better? How safe is it to let someone else take care of your IT needs?

The choice between an IT managed service provider vs in-house IT team often boils down to the size of the company and its specific needs. Here’s a rundown of the pros and cons of each option.

In-House IT Team: Pros and Cons

In-house IT staff usually handle day-to-day IT operations and requirements. Startups and small and medium businesses will often start with a single IT expert who will handle their IT needs. As they grow, however, they will also need more than one IT expert to keep track of everything.

Pros

In-house teams are not without benefits:  

  • They will have intimate knowledge of your operations and know your infrastructure in and out.
  • They can be immediately available when you need them.

On the other hand, having a full in-house IT team is often limited to large enterprises only. A full IT team when you’re a small or middle-sized business is just not possible financially. Not only would they eat up resources but you need a place to put them day-to-day too!

Cons

The cons of in-house teams seem to be more prevalent when it comes to IT requirements of most hospitality businesses:

  • The costs run high: They will be your full-time employees, meaning you will have to cover their salaries, benefits, training, NI, and other expenses.
  • Emergencies increase costs even more: the cost of an intervention goes up considerably for emergencies that happen overnight, when you have to pay overtime.
  • Team members are not bound to your company: If they decide to leave for what they think is a better opportunity, they are free to do so. When they leave, they will take all their expertise with them and you’re stuck with tech you don’t know how to run, unless you employ a team – which is even more expensive!
  • In-house teams can rarely keep up with the latest IT developments or industry trends, so parts of your IT infrastructure inevitably become outdated. Their job is to keep things running, not to innovate constantly!
  • Often limited to reactive interventions instead of proactive IT strategy development.

Is an IT managed service provider better than in-house IT teams? Let’s see what they can offer.

IT Managed Service Providers: Pros and Cons

Business owners often wonder how an IT managed service provider could be better than an in-house IT team. It seems logical that hiring a third-party provider to take care of your IT needs would be less efficient.

But this is a common misconception.

Managed service providers actually improve efficiency. They deliver higher quality services because IT is their speciality; it’s all they do. They are experts who continuously improve their knowledge by following the latest developments.

Pros

When a business hires an IT managed service provider, they will reap the following benefits:

  • Paying a lower price for hiring them than you would for keeping an in-house team. Their services are available for a flat monthly rate, which makes budgeting for IT super easy. You benefit from economies of scale here, because ultimately, you won’t be the service provider’s only client – but that means they are more affordable!  
  • They are available around the clock and can monitor your systems at all times.
  • Your operations will rarely be disrupted: Managed service providers work to service level agreements (SLAs) that are legally binding and commit them to defined uptime and service quality. It also means that, should you move to another provider, they must hand over the procedures and documentation needed to run your day-to-day.
  • Managed service providers also have access to the latest technological solutions, software and industry contacts. This means your IT can be brought up to date as soon as a new solution is available.

Cons

Of course, there are also some disadvantages of managed service providers:

  • Finding the right fit for your business needs takes time. Sometimes, trial and error is the only option to find a managed service provider who has everything you need.
  • Sometimes, service packages can be arranged in such a way that you might need to pay for some services you don’t really need. Still, many managed service providers will happily let you make a fully custom package.
  • The biggest concern is on-site availability. Your MSP should always be able to provide some on-site presence, particularly for first-line support, which often means dealing with users directly.

IT Managed Service Provider vs In-House IT Team: Who Wins?

Is an IT managed service provider better than in-house IT teams? Our verdict is a big fat YES because they can offer everything an in-house IT team does, and more! Ultimately, you pay for a ‘service’ rather than a person when it comes to an IT managed service provider and therefore you know you’re always covered!

Comparing an IT managed service provider to an in-house IT team shows that you will ultimately save more money by opting for a managed service provider.

Having up-to-date software is also a crucial point – it ensures you are well protected against cybersecurity threats and attacks that are becoming more elaborate over time. Your IT managed service provider will make sure patches and security definitions are applied promptly, that subscriptions never expire, and that your business and customer data is secure.

IT managed service providers free up the time you would otherwise spend on the challenging tasks related to your IT. They are not just your IT support, they are the technological catalyst for your business, working with you to develop the right strategies to achieve your long-term goals.

Posted on

How to Make Technical Staff Training More Engaging

How to make technical staff training more engaging feature image

Technical staff training is crucial to keeping personnel up-to-date on the latest technological solutions you plan to implement in your business.

But.

When staff training is technical in nature, it can turn into a nightmare for both managers who organise it and staff members who attend it.

It’s hard to run training on technical topics because they are often dry and complex.

One of the common issues of holding technical staff training is that attendees often can’t grasp the topic so they don’t follow the lessons or they get bored and trail off easily. To efficiently battle these issues, you need to keep staff actively engaged.

Here are some of the ways you can do this:

Include Multimedia

Your staff members have various learning styles, so, have an even mix of lessons that will accommodate each.

  • Visual learners will benefit from visual additions such as PowerPoint presentations, images or videos.
  • Auditory learners will enjoy your presentations, engaging in conversation, or sound clips.
  • Kinesthetic learners will benefit most from hands-on activities, tests or writing exercises.

Gamification

Use game design elements to engage staff by applying game elements such as challenges (learning objectives), feedback (helps with progress), collaboration to achieve goals (a sense of community), competition (to keep staff motivated), and rewards for achieving them (gratification and sense of accomplishment).

Demonstrations

Using props or demonstrations is an easy way to make technical subjects more ‘real’. Often users can’t relate to new technical solutions and therefore don’t connect. If you can’t offer a tangible demonstration, show off benefits and changes in operations that they can relate to. 

Have Breaks

The more technical the training, the more breaks you need. The brain can’t process too much at once and it will actually hinder learning to try and cram everything in at the same time. Keep your lessons to 20 minutes max and then offer a breather by having a quick Q&A, telling a story, having an activity or giving free time. 

Real-Life Examples

Stories stick with people. If you use a compelling story to explain any concept of the new tech it makes it more memorable. Use real people, real examples and specific situations to engage with your staff. 

Role Play

When explaining concepts during your technical staff training, assign roles to your staff and help them explain the lesson through simple role play. They will interact with each other and remember new operations easier. Questions are also more likely to pop up and be dealt with on the spot when you’re acting things out. 

Blended Learning

A combination of digital and in-person learning can help all members. Not all staff members will be able to attend every lesson – the workload often doesn’t allow it. Allow members to learn remotely too, and make sure to keep tabs on their progress. Then complement their learning with meetings or in-person support. 

Customise For Your Business Specifically 

Whatever your company culture is, include elements so that your technical staff training feels part of the organisation itself. This way it can show employees that the business has adapted to this tech already, making it more likely they will engage. 

Offer Choices

While you might have planned every detail of how training will go, give attendees some breathing room as well. Give them the freedom to rearrange the lessons to an extent. By having a say in how technical staff training is conducted, they will be more interested in actually attending.

Hopefully this has given you more insight into how to make technical staff training engaging. Check out our IT Staff training courses at The TowerWatch Academy Here for easy training courses that can relate to your employees. 

Posted on

Top 10 Software and Tech Solutions for Small Businesses

Don’t shy away from technology in your business! It’s time to get acquainted with some of the best software and tech solutions for small businesses at the moment.

1. Encrypt emails for free with My Protected Mail

Of course we’re going to start with one of our own products! The introduction of GDPR has placed a renewed emphasis on email security. All small businesses have a duty to protect the data of their customers, clients, and employees. A reliable, straightforward way to protect data sent electronically is to use encryption.

Encrypted emails can be read only by the sender and the specified recipients; they are protected from interception, and with Microsoft’s protected messages the protection travels with the message even when it is forwarded.

My Protected Mail is a tech solution for small businesses that does this for free. There’s no software to install; simply send your email to a dedicated mailbox, and the platform will issue a Microsoft Protected Email that can be accessed only by the intended recipient. There’s also scope to add enhanced features for a reasonable monthly fee for developers to encrypt web portal or app communication. Try My Protected Mail here.

2. Defend your business from online attacks with Acronis Ransomware Protection

Ransomware attacks, in which malicious software blocks access to devices with the aim of extorting money from the owner, can completely devastate a small business. Not to mention the risk of a data breach. It’s critically important to proactively prepare; you can find out more by clicking here.

Ransomware protection software mitigates this risk, and it doesn’t have to cost the earth! Acronis Ransomware Protection monitors for suspicious behaviour, blocks malicious applications, backs up your files and recovers damaged data; all for free.

3. Organise every aspect of your business with Asana

Asana is a project management platform that helps your entire team to stay organised and efficient. It allows you to create projects and tasks, assign team members, set deadlines, allocate documents, run reports, and myriad other jobs. It’s suitable for use on computers and mobile devices; even when travelling, you can keep on top of your business!

Asana also integrates with more than 100 other platforms, helping you manage emails, files, calendars, workflows and dozens of other tasks from one place, simplifying your business processes.

4. Take storage to the cloud! 

Cloud-based storage has proven itself to be a reliable and economical alternative to traditional hard drives and servers. The key benefits to small businesses include cost-effectiveness, automatic backup and recovery, remote accessibility from all devices, and no ongoing server maintenance.

There are countless services to choose from, but our favourites are Dropbox, OneDrive, and Google Drive. All have common features, such as free storage (although the amount varies; 2GB for Dropbox, 5GB for OneDrive, and a whopping 15GB for Google Drive), document collaboration, link sharing, and file privacy. You can also upgrade to a monthly plan for expanded storage.

5. Automatically guard sensitive information with Azure Information Protection

Azure Information Protection (AIP) from Microsoft is a cloud-based tech solution for small businesses that classifies and encrypts emails and files. It is managed across the Office applications using labels, which are configured to detect sensitive data and protect it. For example, if a credit card number is entered into an Excel spreadsheet, a rule can prompt the user to protect the information, or apply the protection automatically.

Traditionally this can be quite difficult to set up for small businesses, but we created an Azure Information Protection for Small businesses online course to make it easy for you, regardless of whether or not you’re a techie!

6. Bring the team together with Zoom video conferencing

No matter how scattered your team is, video conferencing fosters the collaborative spirit that can otherwise be absent when working remotely. You needn’t be together to succeed together.

Zoom is a complete video conferencing service that includes high-definition online meetings, webinars, instant messaging, document sharing, whiteboards, virtual breakout rooms, calendar integration, and analytic data for meeting organisers. It can be accessed from computers and smart devices; so travelling team members can still participate!

There’s a free version of this tech solution for small businesses with essential functionality that may be suitable for some small businesses, or there are monthly packages that include expanded features.

7. Protect your business with ESET antivirus

Malware attacks can be extremely disruptive to small businesses; leading to potential loss of files, equipment, and revenue. A high-quality antivirus is therefore essential.

ESET has a strong reputation for keeping computer equipment safe from malware, including viruses, ransomware, rootkits, worms and spyware. It’s easy to use, low in power-consumption, and backed by 30 years of experience and 110 million global users. A free trial is available, with the full version priced from £29.99 per year for one user.

8. Clean up your computer with MyDefrag

As files are created, changed and deleted, the free space on a hard disk becomes scattered and new data gets written in pieces wherever there is room; this is called fragmentation and is completely normal. Heavy fragmentation, however, makes reading and writing files slow work for a mechanical hard disk. Defragmentation is essentially a spring clean: it puts files back into contiguous blocks, boosting your computer’s onward performance. Do not run third-party defragmenters on SSDs, though; they gain nothing and the extra writes shorten the drive’s life.

Windows comes with a built-in defragmentation program, but there are more efficient alternatives. MyDefrag is the best of the bunch; it works quickly and can accommodate external storage. Ultimately, this nifty little program helps your business to avoid slow equipment, repairs, and replacements. For more ways to speed up your computer’s performance, check out our free course here.

9. Cut your phone costs with VoIP

Voice over Internet Protocol, or VoIP, is the technology that carries phone calls over the internet. It is usually cheaper to make calls by VoIP than over a standard landline, and with a reliable internet connection call quality is as good as or better.

The best VoIP service for small businesses in the UK is VoipFone; it’s easy to set up, with excellent customer support, reasonable prices, and a free trial. Global businesses looking for similar features are recommended to try Ring Central or Vonage.

10. Keep on top of your finances with online invoicing

Invoicing is a critical aspect of small business management; online solutions make the process efficient by collating due payments, generating invoices, sending them, and overseeing the collection process.

Invoices contain sensitive information, so it’s important to work only with a trusted platform. Check out this post to find out how small businesses should protect their financial security when using online invoicing.

The most reputable platforms are Freshbooks, Due, Invoicera, And Co. and Harvest. All have at least one free option, whether a trial or essential version, and each has paid subscriptions, which vary in price according to the features you need.

Need help with your IT or tech solutions for small businesses or have a question on software to suit your small business? Join our free support community here.

Posted on

Data Breaches Aren’t Just Your Users’ Fault (Infographic)

As IT guys, it’s very easy to blame users for data breaches, but it’s not always just their fault.

Sure, they need to keep their passwords strong, stop giving things out and stop clicking suspicious email links. But the buck stops with you as their IT professional. We thought these statistics from IS Decisions’ research into IT security managers in both the UK and US were very enlightening.

It shows that compromised credentials are one of the main causes of data breaches, and we must remember our users are human! It’s up to us to help limit the risk by:

  • Enforcing strong, unique passwords and forcing a change as soon as credentials are suspected of being compromised (NIST SP 800-63B now advises against routine periodic expiry, which pushes users toward predictable variations; pair passwords with multi-factor authentication instead)
  • Making sure policy dictates a different password for each program or part of the system, ideally with a password manager so staff can actually comply
  • Giving regular training on phishing and the data security issues that affect them, and not assuming they will know something is off when they see it
  • Being approachable so that any issues are quickly reported

Doing these small things can make a big difference in data security and protection to minimise the risk of a breach due to compromised credentials. Here is the infographic and statistics below with some interesting results:
Infographic: Security Breaches from Compromised User Logins

Posted on

The True Cost of a Data Breach to Your Business

GDPR has placed renewed focus on the issue of information security, and the potential impact and cost of a data breach on involved organisations.

Obviously, a data breach can have substantial financial consequences. Depending on the severity of the GDPR infringement, administrative fines can reach up to €20 million or 4% of annual global turnover, whichever is higher. You are also liable for damages to individuals or businesses harmed by the breach. 

However, fines are not the only cost to a business; reputational damage can be devastating to long-term viability.

In this article, we’ll take a closer look at the wide-ranging costs that can be incurred in response to a data breach.

Bad PR

It is said that all PR is good PR, but that is not the case here. Data security is intrinsically linked with an individual’s sense of personal safety, and any infringement of it will prompt a fiercely negative response from affected individuals. A business’s reputation can be destroyed by a single data breach.

Trust is the foundation of customer loyalty. If that trust is compromised, your business may not be able to recover its former standing.

Loss of Revenue & Company Value

Reputational damage as a result of a GDPR breach will almost inevitably lead to a dip in sales. For service providers, such as lawyers or accountants, a breach can result in a loss of retainers or diminished customer loyalty. Larger corporations may find that their company value takes a hit.

In 2013 and 2014, Yahoo suffered data breaches that, it later emerged, affected every one of its roughly three billion user accounts. When the breaches were disclosed in 2016, Yahoo was in the process of being acquired by Verizon, and the purchase price was cut by $350 million, a significant hit for its shareholders.

Even a giant like Yahoo is susceptible to the effects of a data breach. For smaller companies, this can be catastrophic.

The Pareto Principle

In business management theory, the Pareto Principle holds that roughly 80% of a company’s revenue comes from 20% of its customers. These tend to be long-term client relationships, allowing an organisation to take advantage of regular, repeat business.

If a data breach were to damage the trust of this crucial 20% of customers, which is feasible in such circumstances, it could jeopardise 80% of revenue. This can have a devastating impact on long-term business survival.

Future Business

Small businesses are particularly vulnerable to the long-lasting negative effects of a GDPR breach. They tend to rely on referrals, recommendations, and word-of-mouth marketing. After a data breach, the reputational damage may prove insurmountable.

Don’t forget; if a customer has a positive experience, they will probably tell a handful of people. If they have a negative experience, they will tell everyone they can.

The true cost

Ultimately, the true cost of a data breach to your business may be the business itself. That’s why it’s important to be well-trained in the best practices to protect the personal data you handle. 

Have any questions on how you can avoid a data breach? Check out our Smiley Geeks IT Help Membership from only $69 a month!

How Easy It Is To Steal Your Outlook & 365 Password

*This article originally appeared on LinkedIn: How Easy It Is To Steal Your Outlook & 365 Password*

During a penetration testing project, I was working on finding the weak spots in the IT system of the company and finding the best solutions to patch them up.

The client had most of the traditional security solutions, such as firewalls, and external penetration testing was not useful or efficient.

But when we did an internal penetration test, I saw something very disturbing in the way that Outlook works, and how, due to poor design in Outlook’s security warning, it’s easy to obtain a user’s password.

The same method allowed us to obtain the Outlook password outside the company perimeter as well.

It’s quite easy to steal your Outlook & 365 password.

Case study:

Environment:

• Windows 7 Pro computers
  ◦ Tested on Windows 10 Pro as well

• Outlook 2016 connected to Microsoft 365
  ◦ Tested on Outlook 2013 connected to Microsoft 365 as well

Penetration testing:

We used a classic “Man in the Middle” attack between the client and the gateway, see Diagram 1.

Diagram 1

Results:

Outlook’s behaviour was very problematic.

Once we started poisoning the ARP cache, the following prompt (see Prompt 1) was shown to the user:

Prompt 1.

The advanced users who decided to click “View Certificate” saw the following screen (see Prompt 2):

Prompt 2.

The “injected certificate” is for outlook.com and is not trusted, but to most users outlook.com looks “good enough”.

Most of the users didn’t give this small prompt a lot of thought and pressed Yes to proceed:

This caused Outlook to send information unencrypted, and any sniffing tool instantly showed us the Outlook password (which is also the main Active Directory computer/domain login).

This exercise was done within the company network. Later we decided to follow one of the users to a meeting at a coffee shop, where they connected to a public Wi-Fi network which we also joined, and we managed to do the same process outside the company perimeter.
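The ARP poisoning described above is not invisible: on the client’s network segment it shows up as the gateway’s IP address suddenly being answered by a different MAC address, and as one MAC address claiming several IPs at once. The following is an added example from the editor, not code from the original article or from TowerWatch, showing the detection logic a defender could run over ARP replies collected by a sniffer or a switch’s ARP inspection log. The addresses, the reply records and the KNOWN_GATEWAY_MAC value are constructed assumptions for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of ARP replies as seen on the client's segment (not real
# captured data). Each tuple is (time_in_seconds, sender_ip, sender_mac).
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.1", "aa:bb:cc:00:00:01"),   # legitimate gateway reply
    (1.0, "192.168.1.50", "aa:bb:cc:00:00:50"),  # a workstation
    (2.0, "192.168.1.1", "aa:bb:cc:00:00:01"),
    (3.5, "192.168.1.1", "de:ad:be:ef:00:99"),   # another host now claims the gateway IP
    (3.6, "192.168.1.50", "de:ad:be:ef:00:99"),  # the same MAC claims the workstation too
    (4.0, "192.168.1.1", "de:ad:be:ef:00:99"),
]

GATEWAY_IP = "192.168.1.1"
# Assumed value: the gateway MAC as documented by the network team.
KNOWN_GATEWAY_MAC = "aa:bb:cc:00:00:01"


@dataclass(frozen=True)
class Alert:
    time: float
    kind: str
    detail: str


def detect_arp_spoofing(replies, gateway_ip, known_gateway_mac=None):
    """Scan ARP replies in order and return the alerts they raise.

    Three signals are checked:
      gateway-mac-mismatch: the gateway IP is claimed by a MAC other than the
                            documented one (only when known_gateway_mac is given)
      mac-change:           an IP that was previously seen with one MAC is now
                            announced with a different MAC
      multi-ip-claim:       a single MAC has claimed the gateway IP plus at least
                            one other IP, the classic poisoning footprint
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []

    for t, ip, mac in replies:
        mac = mac.lower()

        if known_gateway_mac and ip == gateway_ip and mac != known_gateway_mac.lower():
            alerts.append(Alert(t, "gateway-mac-mismatch",
                                f"{ip} claimed by {mac}, expected {known_gateway_mac}"))

        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append(Alert(t, "mac-change", f"{ip} moved from {previous} to {mac}"))
        ip_to_mac[ip] = mac

        # Only raise multi-ip-claim when this MAC gains a new IP, so a poisoner
        # that keeps re-sending the same replies does not flood the alert list.
        newly_claimed = ip not in mac_to_ips[mac]
        mac_to_ips[mac].add(ip)
        if newly_claimed and len(mac_to_ips[mac]) > 1 and gateway_ip in mac_to_ips[mac]:
            alerts.append(Alert(t, "multi-ip-claim",
                                f"{mac} claims {sorted(mac_to_ips[mac])}"))

    return alerts


def alert_kinds(replies, gateway_ip, known_gateway_mac=None):
    """Convenience view: the sequence of alert kinds raised, in order."""
    return [a.kind for a in detect_arp_spoofing(replies, gateway_ip, known_gateway_mac)]


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES, GATEWAY_IP, KNOWN_GATEWAY_MAC):
        print(f"t={alert.time:<5} {alert.kind:<22} {alert.detail}")
```

The first legitimate replies produce nothing; the alerts begin at t=3.5 when the gateway IP is answered by the unknown MAC, and the multi-ip-claim alert at t=3.6 is the signature that distinguishes poisoning from an innocent gateway hardware swap. On a managed switch, Dynamic ARP Inspection produces the same signal with less effort; this script is for segments (such as the coffee-shop Wi-Fi in the article) where no such control exists.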

Analysis:

1.   Outlook’s security prompt is very small, hardly noticeable, not alarming, and doesn’t convey the severity of the issue.

  • Compare it with the prompt Google Chrome provides when you try to send information over a non-encrypted connection: Chrome’s warning is “scary” and makes users stop and think.

2.   Most users don’t understand the security prompt at all.

3.   Most users will automatically press Yes on this prompt to continue working.

Is it a user behaviour error? No! The security prompt is so poorly presented that only IT users can be expected to understand the severity.

Resolving the issue:

1.   We implemented a GPO setting that doesn’t allow Outlook to work over a non-secure layer at all.

2.   We did user awareness cyber security training to show users how risky this little prompt is.

3.   We reported this vulnerability to Microsoft. Microsoft responded that it isn’t a real vulnerability because the user gets a prompt! I think the prompt itself is not designed correctly and leaves a big room for user error.

How to protect your Outlook against this type of attack:

We deal with protecting yourself in our next article, How To Protect Your Password From Hackers.

Written by Eli Migdal, CEO of TowerWatch Solutions Ltd (UK) and founder of Migdal Computing Solutions Ltd (Israel)

Have more questions? Check out our Smiley Geeks IT Help Membership from only $69 a month!