'My company is not interesting enough to be hacked' people often think (43% of SMEs, to be exact). Unfortunately, nothing could be further from the truth, and the consequences are no small thing either. Here's why phishing affects your organization, too.
Source: Central Management by Ipsos, 2018
Why do companies think "this won't happen to me anyway"?
While we like to stay positive and optimistic, with IT (and especially security) it is also important to be aware of the risks and thus stay alert. People often think they are well aware of the dangers of cybercrime. They also think it doesn't happen to them but only to others. In practice, however, the opposite is true. So don't become overconfident or nonchalant and stay aware of the risks you face, with substantial consequences.
What we also often see is that people think they are well protected when they purchase a particular product or service. In our previous blog, we described why this is not the case. Security is not a one-time investment of time or money, but an ongoing process. So a spam filter or security training is not enough.
The enemy does not stand still
Phishing does happen to your organization. Hackers are getting smarter. You no longer just receive an email from someone from a faraway country to accept a donation; hackers do real research.
So how does that work? For example, they look on LinkedIn, Instagram, company website (with the name, position, LinkedIn profile, email and address on the team page) or Indeed to learn more about you and your company. That way they know who works there and what these people are interested in. For example, do you have an employee who travels a lot? Then the hacker can send a phishing email in which your employee can win a world trip or get a discount on certain flights. It goes much further than you might think. Some of the hacking process is automated, but adding or targeting personal information also occurs.
What do people fall for most often?
In our earlier blog we already listed some phishing examples. As a summary, here are some phishing emails that people often fall for:
- Simple emails: that you received a message through Teams or that a package is on its way
- Someone has been watching you: a phishing email that we have often seen pass by is that someone has been watching you through your computer, turned on your webcam and then watched you. This is nonsense, but people still get an unpleasant feeling from this.
- With a leaked password: at https://haveibeenpwned.com/ you can look up whether your password has been leaked in the past. Depending on how long you've had your e-mail address, there's a good chance this has happened once. Hackers then send you an email with that password as the subject, to get your attention and make you open the email.
- Scanned documents: we often see a simply drafted e-mail saying that your scanned documents are ready and that you can view them through the link. This often includes a logo of a large corporate (such as a software company) when your printer is not even of this brand.
This is how you can cover yourself
We previously wrote an extensive blog explaining how you can recognize, prevent and resolve spam or phishing emails. We encourage you to read it so you know what to look out for.
Most importantly, spam and phishing mail cannot be completely prevented. You can block certain terms in the spam filter, but you can never completely avoid it. The key is to be alert and know that spelling mistakes, email address and carelessness errors, for example, can be indicators.
We are here for you!
We are passionate about technology. Security is very important to us - so is fighting cybercrime and helping you do it. To "prevent" phishing, we do our best to inform you, for example by explaining how you can recognize phishing mails. Generally, companies have their own policies or training for this, but we can also help you. Send us a message and we will look for a solution together!
We also set up your environment as securely as possible. Again: security is not a product like Office 365, but setting up your Office 365 environment securely is a good start. We've set it up using the methods we think are secure and have added some policies.
Does it go wrong? Have you been hit by phishing? We then follow a standard procedure in which we obtain answers to the following questions:
- What happened?
- Was data leaked? What data was leaked?
- How can you be secured next time? How can you prevent this from happening?
- (How) should the data breach be reported?
- How do you write a report on the incident, which helps with insight, reports or your insurance?
- What areas for improvement are there?
In terms of information, we want to give you some final helpful links and tips:
- Check out our blogs on security (for example, on strengthening your security or backups)
- Check out our frequently asked questions about security (and the answers ;))
- View our webpage on working safely
- View our white paper on working safely from home
We provide IT services and products for the SME! We combine our passion for IT with knowledge and experience to help your business perform in a secure way. We work according to the 'secure by design' principle, whereby the IT security of your environment is central to every process, service or product.
Do you also want to outsource your IT?
Frequently asked questions about security
Is your question not listed? 1 email or 1 phone call is enough to get it answered. 010-2121806 | info@limenetworks.nl
We can make your staff aware of risks and risky behaviour. For security awareness we can give your staff a training (external or internal) with a partner who has experience in this. In addition, optionally a tool can be delivered to the workstations that measures knowledge, keeps it up to date and reports to the responsible persons. This way, you get a continuous improvement in risk awareness and avoidance of risky behaviour.
Yes and no. Cloud in itself has no security. Apart from the fact that on the outside (and sometimes on the inside) it is not visible what the physical location of your data is in the whole. But the more fish in the sea, the more fishermen on the water & the bigger the fish, the more effort one puts in to catching it. So it is with valuable data. So a cloud service is a valuable object for hackers because of the large amount of data. Your network is much less interesting.
Wrong. IT is complex and securing it is even more so. So it takes time, knowledge and skill to make you work in it safely - mostly in the background so you don't notice. 20 years ago, passwords were rare. 10 years ago, everyone knew some colleagues' passwords. 5 years ago, MFA was known but little used in SMEs. And we are only talking about passwords. We make IT simple for customers so that secure working becomes feasible and we can minimise your risks.
Retention literally means "to hold on to". With data and backups, retention is a very important factor. It is not only about retaining your data, but also about how much your data changes. If you have a backup every month and keep it for a year, this means that the retention goes back a maximum of a year and can result in a month's loss of data. It seemed like a good plan, but in practice it is not enough. Different backup strategies can make your data retention perform a lot better. In the Netherlands, SMEs are required to retain data that is directly linked to the added value of their products or services for at least 7 years. A backup of no more than 7 years is a big disappointment.
Working safely is a top-class sport. But your employees are not all top sportsmen. It is a complex problem that cannot be solved just like that. Your company has to deliver and your people have to perform. So you need help from someone with experience and focus on safe working. A reliable IT party can be a good starting point. They arrange the basics and help you further with safety, where necessary specifically in your company. For example, with procedures for staff turnover or the physical security of your company.
How secure you work can be measured. With a technical security test or pen test you can always look for weak spots in the security of your IT equipment, software and network. But also your website or developed application can be extensively tested. You can also have a procedural security test carried out. This has little to do with IT; it means testing how secure the actions are within your company. In other words: are your procedures in order?
Call your IT manager. These people will (probably) know what to do, provided they are familiar with the matter. Calling in your IT party, internal or external, is the first step. They will find out where the hack took place, know how to stop it immediately or cut it off and make sure the damage is limited as much as possible. You also want to secure data about the hack, such as log files of servers, network equipment, etc. This way you can also find out what went wrong or discuss this with a specialised security company (e.g. Northwave). This may also be important to see how you can prevent further security breaches and your insurance may ask about it.
Yes, it is. It's all about the purpose of your data and its security. It can range from a data room for sharing data with multiple parties for a company takeover - but also setting up labels on data in Office 365 so that your company and your data are compliant for regulatory or legal purposes. Above all, you must be able to work safely. Efficiently without being at risk.
Very secure. They do this by securing data storage and sending data. LastPass secures your data, sends it encrypted, stores it encrypted and lets you use MFA to use this data. So your login credentials and data are absolutely safe in this procedure. In addition, they have a clear bounty program for bugs, allowing you and other users to report bugs immediately. So LastPass does not sit idle until something goes wrong but works continuously on improvements to optimize security.
We believe that customers should own the IT that they have. We make customers aware of the risks they run and the solutions that are available to them. Of course, we point this out and indicate where things could possibly go wrong if you make other choices. We choose to work safely, but we understand your choices. That is how we work together and share knowledge and experience.
Every customer request that has to do with security or rights to data/systems is always discussed with the person in your organisation who is authorised to do so. This may be a member of the board, an IT manager or another director. This way, this is neatly recorded and controlled. This prevents someone from borrowing someone else's password, temporarily accessing a colleague's mailbox or giving an external person access to the CRM software without this being desirable.
Take a network, for example. If you build and manage a network, you have to standardise on security. By minimising the number of variations in the number of solutions, you can spend more time on testing, settings, basic configurations with optimal security, documentation. Also, different configuration options for customers are now much better researched and easier to support and secure. We research different security options and engage third parties to verify them. A setup that is properly standardised and configured reduces security risks and makes installation in the office much faster. We then provide controlled and timely updates to the software and settings. We monitor and measure what happens on your network. This way, it is easier to see when things go wrong. Separating guests, customers and non-company equipment from the company network is also essential to prevent abuse. We regularly review and adjust security for all customers in a single operation through central control. Finally, configurations are neatly stored and backed up. This way, you can immediately install replacement equipment if things ever go wrong. Secure by design' is not a method or a set of measures. It has to be in your DNA. This is how we at Lime Networks make the most complex IT simple.
The AVG is for personal data. In other words, data that you store or process that is directly related to people. Think of name and address data with bank account numbers or, for example, data about sick leave, insurance, remuneration, etc. That you have this data or process it is not the problem. But not thinking about who can see it or who can provide access to it or how it is stored and backed up, that's exciting. By thinking about this and gaining insight, you can design adequate processes.
It is an anagram that hones in on the amount of effort required. Everyone can jog for a while, some a little farther than others. But the marathon within 3 hours is already pretty tough. Practice, training, technique, good gear, experience takes years to achieve. It's the same with Safe Working. It's not setting up a firewall and installing antivirus. We are years past that stage. With this seriousness, you may also recognize that you don't have time, business-wise, to do top-notch engineering yourself, and turn to us for these things. We are trained, experienced and go for the medal so you can work safely.
That is a sober approach. But with your data, your company or others may be considerably disadvantaged. So always pay attention to how and where you share data.
If you are asked to log in somewhere, do not click on the link in the e-mail. It is that simple. If it's about banking, go to your bank's website and check the message service there. If it's about your documents online from a cloud service, go to your own login page that you know and log in there. If it's about a service from a customer, you can call them to confirm. Never log in with your own data, but only with the data they have provided. This prevents you from clicking on wrong links, accepting wrong proposals or downloading programs or giving permission that is malicious or illegal. It ensures that you are smart.
Take the example of Maastricht University in December 2019. Then a hack with a nasty piece of software rendered the entire university network with most of the server structure and workstations unusable. What was the damage:
- FOX-IT was called in on weekends, Christmas, New Year's Eve etc. to investigate and share knowledge with the hack, its clean-up and how to recover.
- A very large proportion of the computers had to be reinstalled. These computers also had to be checked for traces of the virus in parts that you cannot easily see (bios or secret partitions on the hard disk/SSD drive).
- Almost all production servers and backups locally became unusable. Only reinstallation was going to help for the recovery.
- A ransom was paid to the hackers to decrypt the network structure/Active Directory (the Volkskrant speaks of tons of ransom).
- A large part of the servers had to be reinstalled and data from backups had to be restored where possible.
- In-house and external employees spent many days doing all the repairs... This also happened during the December holidays.
- The damage to image was enormous. As a company, something like this can also cost many customers or scare off investors.
- One backup is no backup.
- Make sure you have at least three copies of your data, in 2 different locations, one of which is minimally secure.
- Check regularly that it really works and the data can be restored.
Not always. Sometimes backups also get infected or are not sufficient to get back to work quickly. How much data do you lose? What is the recovery time? How bad is it if the whole company can't work for 24 hours... or maybe longer? Dealing with retention is also important. If you were hacked last week and the consequences only become visible today, do you have enough backups/retention to look back into the past? An employee who left the company last year and deleted or compromised data is also a hack. Can you go back a year with your backup? Finally, you also need to have a plan if things go wrong and see how quickly you can get back on your feet. A continuity plan helps with that.
Then, of course, we are here for you as well. Suppose you are hacked, for example, we immediately make sure that the attack is stopped and that log files and traces are preserved as much as possible. This allows us to see the impact of the attack and what data may have been captured. This often helps in the process of understanding or with insurance. We work with standard procedures where we work on a similar methodology to resolve issues. It can also be valuable with forensics. It would be annoying if a hack (without data being captured) leads to an apology letter to all your customers or suppliers and image damage.
You don't have to. With Bitlocker you can neatly secure the data on your laptop against theft. A stolen laptop is no problem this way and data stays safe. Did you know that we can remotely erase your data in case of theft, provided your stolen laptop or phone is connected to the internet? The decryption codes are stored by us in your business environment so that in case of an emergency or hard disk replacement, the data can be safely read again.
At Lime Networks we work according to the ISO 27001 standard. This means that we have thought about physical and virtual security and have actively set up our processes accordingly. This is improved annually and checked by the TüV. You can read more about ISO here: https://limenetworks.nl/iso We use our knowledge of IT and security to make your environment as safe as possible. From your workplace, your fixed and Wi-Fi network, your servers, smartphones and cloud services.
With MFA you have two ways of identification. This often comes down to login details (username and password) and a code via an app on your smartphone. Someone who has stolen your login details still can't log in to systems or services, because this also requires the code from your smartphone. Have you or your company/supplier been hacked? Then this need not be a problem. We use Microsoft Authenticator for this. The extra login codes are not your own systems but open. With the Microsoft app, you can therefore also set MFA on your Gmail account, your bank, Office 365, supplier of crypto currency or your Apple ID. It is a generic standard.
LastPass provides a safe place for storing passwords, a kind of password vault that you can only access with a master password. It also helps you in your daily work with logging into websites and services. It works on your desktop PC or laptop and on your smartphone. It is free to use. It allows you to work securely with complex passwords so that this becomes very difficult. The paid variant is also useful for business purposes. You can create and manage accounts for a supplier or a social media account, for example, and share these with colleagues or external parties. They can log in (via their free LastPass account) and not see the password, but they can use it. If the account is no longer relevant to others, you can withdraw the permissions individually without having to change passwords.
This is trickier than you think and cannot be put into words in a few sentences. However, we did write a blog about it and you can find it here. https://limenetworks.nl/spam-of-phishing-mail-herkennen-voorkomen-en-oplossen
You can start by being aware that you want to work safely. This question has succeeded, so let's mention the next easy steps right away. Use legal software! Make sure you have a good antivirus/antimalware solution on your PC (pay for it too; no freebies). Always make sure you have the most recent versions and updates for your system and software. Also make sure you have the latest security patches and updates. Use a password manager (like LastPass; free for private use) and do not use the same passwords for different systems and accounts. Use MFA (multi factor authentication) for all services/accounts that are online. We are far from there yet, but with these measures you are not a low-hanging fruit for hackers and certainly not for the majority of online crime.
Working safely is our top priority. It is not a core value, but an aorta that runs through our company. With 'secure by design', we continuously ensure that our products and our own internal processes are based on Safe Working and are also designed safely. The customer is our focus. We make complex IT matters simple; security and Safe Working are the basis for this.
If we assume a safe workplace, then keeping it safe is a serious task. Most importantly, the workplace should always be up-to-date. For the OS, hardware, installed programs, antivirus/antimalware. By using Bitlocker and MFA, we make sure access is difficult. With policies for the firewall and by using monitoring we keep a tight rein on things.
We are Microsoft Gold Partner in three areas, for which the employees of Lime Networks have successfully completed many training courses and for which current customer cases have been approved by Microsoft. In addition, there are many certifications in the areas of security, voice, networking and the like. We work according to the guidelines and standards of our suppliers. Our ISO 27001 certificate without comments also ensures the correct working method and attitude.
With 'secure by design', every choice of product or service is considered in terms of its implications for the IT security of your environment. This means that the highest security requirements are taken into account, such as encryption, MFA, AVG, access control, etc. This ensures that we always stand behind our products and we know about data security and availability.