EI3PA Requirements - Build And Maintain A Secure Network

EI3PA, an acronym for “Experian Independent Third Party Assessment,” is the set of security requirements Experian enforces on third parties that have access to its consumer credit information.

EI3PA is based on the PCI Data Security Standard (PCI DSS), and it requires any business that handles Experian credit data to comply with all twelve requirements.

This essentially means that any company seeking to do business utilizing credit histories must build and maintain a secure network in order to do so.

What Are The 12 EI3PA Requirements?

Although we are only going to deal with the first two in this article, there are twelve EI3PA requirements in total.

Each of these twelve requirements falls under one of six categories, listed below.

Build & Maintain A Secure Network

Requirement 1: Install & maintain a firewall configuration to protect cardholder data

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain A Vulnerability Management Program

Requirement 5: Use and regularly update antivirus software

Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know

Requirement 8: Assign a unique ID to each person with computer access

Requirement 9: Restrict physical access to cardholder data

Regularly Monitor & Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data

Requirement 11: Regularly test security systems and processes

Maintain An Information Security Policy

Requirement 12: Maintain a policy that addresses information security


Each of the above is critical to your business achieving EI3PA compliance. In this article, we’ll talk about the first two.

So let’s start at the beginning.

Requirement 1: Install & maintain a firewall configuration to protect cardholder data

The first requirement covers installing and maintaining a firewall configuration that protects cardholder data. The firewall must restrict both inbound and outbound traffic, and a firewall must sit between any wireless network and the cardholder data environment.

It makes recommendations regarding the configurations of firewalls and routers, mobile devices, and employee-owned devices that access the network.

It requires that untrusted networks cannot reach any system component in the cardholder data environment: direct public access from the internet to any such component must be prohibited entirely, and the environment must not be able to initiate unauthorized outbound connections to the internet either.
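As an added example, not code from this page or from Experian or the PCI SSC, here is a Python script that audits an exported firewall rule list against those points: no rule may allow an untrusted source into the cardholder data environment, no rule may let the CDE initiate traffic to an untrusted network, and the rule set must end with an explicit deny-all. The rule format, the CDE subnet 10.20.0.0/24, the trusted range 10.0.0.0/8 and the sample rules are all constructed for the example; a real audit would parse your vendor's export format and take the subnets from your network diagram.

```python
import ipaddress

# Assumed network layout for this example (constructed, not from the page):
# the cardholder data environment and the ranges treated as trusted/internal.
CDE = ipaddress.ip_network("10.20.0.0/24")
TRUSTED = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed export of a perimeter rule set in a simple
# "action source destination proto port" format, evaluated top to bottom.
SAMPLE_RULES = """\
# action  source          destination     proto  port
allow     0.0.0.0/0       10.20.0.15/32   tcp    443   # public internet straight into a CDE host
allow     10.10.5.0/24    10.20.0.0/24    tcp    22    # admin jump subnet to CDE
allow     10.20.0.0/24    0.0.0.0/0       tcp    80    # CDE hosts browsing the internet
allow     0.0.0.0/0       10.10.5.0/24    tcp    443   # internet to DMZ web tier
deny      0.0.0.0/0       0.0.0.0/0       any    any   # default deny
"""


def parse_rules(text):
    """Turn the text export into a list of rule dicts with parsed networks."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        action, src, dst, proto, port = line.split()
        rules.append({
            "action": action.lower(),
            "src": ipaddress.ip_network(src),
            "dst": ipaddress.ip_network(dst),
            "proto": proto, "port": port, "text": line,
        })
    return rules


def is_untrusted(net, trusted=TRUSTED):
    """A network is trusted only if it lies entirely inside one of the trusted
    ranges; 0.0.0.0/0 ("any") and every public range therefore count as untrusted."""
    return not any(net.subnet_of(t) for t in trusted)


def audit(rules, cde=CDE, trusted=TRUSTED):
    """Return a list of (problem, rule text) findings for the rule set."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        # Inbound: the destination touches the CDE and the source is not a trusted range.
        if r["dst"].overlaps(cde) and is_untrusted(r["src"], trusted):
            findings.append(("untrusted source allowed into the CDE", r["text"]))
        # Outbound: a CDE address may originate the traffic and the destination is untrusted.
        if r["src"].overlaps(cde) and is_untrusted(r["dst"], trusted):
            findings.append(("CDE allowed to reach an untrusted network", r["text"]))
    last = rules[-1] if rules else None
    if not (last and last["action"] == "deny"
            and last["src"].prefixlen == 0 and last["dst"].prefixlen == 0):
        findings.append(("rule set does not end with an explicit deny-all", ""))
    return findings


if __name__ == "__main__":
    for problem, rule in audit(parse_rules(SAMPLE_RULES)):
        print(f"{problem}: {rule}")
```

Run against the sample, the script flags the first rule (internet straight into a CDE host) and the third (CDE hosts allowed out to the internet); the DMZ rule and the jump-host rule pass. Run it against a ruleset that lacks the closing deny, and the missing default-deny is reported as its own finding.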

Portable devices that connect to the internet from outside the corporate network, including employee-owned ones, must run personal firewall software (or equivalent) that is always active and that users cannot alter or disable.

To ensure tampering doesn’t happen, we recommend a periodic audit of a sample of employee-owned devices to ensure compliance with standards.

As well, the EI3PA requirements make the excellent point that all security policies and operational procedures a company implements for EI3PA must be documented, kept up to date, and communicated to all stakeholders.

This point is particularly important because, once the initial setup is complete, businesses sometimes forget that usage, customer needs and vulnerabilities change over time, and the firewall rules must change with them. PCI DSS, and so EI3PA, requires firewall and router rule sets to be reviewed at least every six months.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

While it may seem obvious, you’d be surprised how often people forget to update passwords.

Requirement two requires that all vendor-supplied defaults for system passwords and other security parameters be changed before a system is installed on the network, because these defaults are publicly documented, known to attackers, and easily guessed. Unused default accounts should be removed or disabled as well.

Configuration standards should be developed for all system components and should be consistent with industry-accepted hardening guidance (PCI DSS cites CIS, ISO, SANS and NIST as sources).

All non-console administrative access must be protected with strong cryptography: for example SSH rather than Telnet, and HTTPS (TLS) rather than HTTP for web-based management.

Remember, as well, that any shared hosting providers must protect each hosted environment, especially the cardholder data.

Once again, documentation is important, because it allows a company to monitor the parts of the whole to ensure that no weak links are left untended.

When auditing this requirement, check that the inventory of in-scope system components is complete and records each component's function, and that each component runs only the services, protocols and daemons its function requires.

To go further, interview the personnel responsible for the hardware and software inventory to confirm that it is updated whenever components are added, changed or retired, not just before an assessment.
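To make the checks concrete, here is an added example (not from this page, and not an Experian or PCI tool) that audits a component inventory for the three Requirement 2 points above: credentials that still match a vendor default, non-console administration over cleartext protocols, and services running that a component's role does not need. The vendor names, default credentials, role baselines and inventory are all constructed for the example; only a hash of each admin password is kept in the inventory, never the cleartext.

```python
import hashlib


def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed list of vendor defaults, keyed by (vendor, username). The vendor
# names and defaults are invented for this example; a real list comes from the
# vendors' own documentation and published default-credential databases.
VENDOR_DEFAULTS = {
    ("acme-fw", "admin"): "admin",
    ("acme-switch", "admin"): "password",
    ("widgetdb", "sa"): "",
}

# Constructed per-role baseline: the only listening services a component with
# that function may expose (the "only necessary services" idea in Requirement 2).
ROLE_BASELINE = {
    "firewall": {"ssh"},
    "switch": {"ssh"},
    "database": {"ssh", "postgres"},
    "web": {"ssh", "https"},
}

# Non-console administration over any of these is cleartext and fails the
# "strong cryptography for non-console admin access" point.
CLEARTEXT_ADMIN = {"telnet", "http", "ftp"}

# Constructed inventory of in-scope components. Only a hash of the admin
# password is recorded (collected during the build review), never the cleartext.
INVENTORY = [
    {"host": "fw-edge-1", "vendor": "acme-fw", "role": "firewall", "admin_user": "admin",
     "password_sha256": sha256("admin"), "admin_access": {"ssh", "http"}, "services": {"ssh"}},
    {"host": "sw-core-1", "vendor": "acme-switch", "role": "switch", "admin_user": "admin",
     "password_sha256": sha256("c0rrect-horse-battery"), "admin_access": {"telnet"}, "services": {"ssh"}},
    {"host": "db-1", "vendor": "widgetdb", "role": "database", "admin_user": "sa",
     "password_sha256": sha256(""), "admin_access": {"ssh"}, "services": {"ssh", "postgres", "ftp"}},
    {"host": "web-1", "vendor": "acme-web", "role": "web", "admin_user": "ops",
     "password_sha256": sha256("Qv9!mZ2#pL7@"), "admin_access": {"ssh"}, "services": {"ssh", "https"}},
]


def audit_component(c):
    """Return the Requirement 2 findings for one component."""
    findings = []
    default = VENDOR_DEFAULTS.get((c["vendor"], c["admin_user"]))
    if default is not None and c["password_sha256"] == sha256(default):
        findings.append(f"{c['admin_user']} still uses the vendor default password")
    for proto in sorted(c["admin_access"] & CLEARTEXT_ADMIN):
        findings.append(f"non-console admin access over cleartext {proto}")
    for svc in sorted(c["services"] - ROLE_BASELINE.get(c["role"], set())):
        findings.append(f"service {svc} is not in the {c['role']} baseline")
    return findings


def audit_inventory(inventory):
    """Map each host to its findings; hosts with an empty list are clean."""
    return {c["host"]: audit_component(c) for c in inventory}


if __name__ == "__main__":
    for host, findings in audit_inventory(INVENTORY).items():
        print(host, "OK" if not findings else "; ".join(findings))
```

On the sample inventory the firewall is flagged twice (default password, web management over HTTP), the switch once (Telnet), the database twice (blank `sa` password, FTP outside its baseline), and the web server is clean. The same structure extends naturally to SNMP community strings, default SSL keys and the other "security parameters" the requirement names.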

Contact 1st Secure IT

No matter whether you need help preparing for EI3PA or managing your business once you are in partnership, 1st Secure IT can help you achieve EI3PA compliance and stay that way.

Your job is to manage your business; we exist because experts are needed in this field, and we are dedicated to ensuring that your network is both secure and compliant with the requirements.

Call 1st Secure IT now to schedule an audit and discussion about vulnerabilities and opportunities.


What Is EI3PA?

Consumers today are becoming more and more savvy when it comes to their personal information.

Worries of credit card fraud and identity theft mean that companies have to be diligent with the information entrusted to them.

After seeing news of large data breaches at companies such as Facebook and Equifax, people want to know that the companies using their data are taking all reasonable measures to protect their information and to guard against identity theft.

If your company deals with credit information from Experian, you will need to ensure you meet EI3PA compliance guidelines.

What Is EI3PA?

EI3PA stands for Experian Independent 3rd Party Assessment.

It is an assessment of the ability of Experian resellers to protect the customer information they purchase from Experian.

This standard is closely related to the Payment Card Industry Data Security Standard (PCI-DSS).

The requirements of the EI3PA assessment include the following:

  • Build and maintain a secure network
  • Install a firewall to protect customer data
  • Ensure system passwords are changed from the defaults
  • Protect credit history information
  • Encrypt transmission of data when sending over unsecured networks
  • Maintain a vulnerability management program
  • Keep anti-virus software up-to-date
  • Implement strong access control
  • Restrict access to customer data to those who have a need-to-know
  • Assign a unique ID to any person who has access to the systems where this information is stored
  • Monitor and test networks regularly
  • Maintain an Information Security Policy, and ensure all employees are familiar with this policy

These are the minimum standards for protecting Experian customer information.

It is important for Experian to ensure that all vendors and resellers with access to customer information are taking adequate measures to protect customer information from the possibility of fraud and identity theft.

After all, a data breach can have wide-reaching consequences, both financially and for your company’s reputation.

Who Needs To Be EI3PA Compliant?

Any organization that transmits, stores, processes, or provides consumer credit data from Experian is considered a Level 1 reseller and must comply with this standard.

Essentially, if you have access in any form to consumer data from Experian, you need to comply.

Level 1 resellers of Experian information cannot perform self-assessments; a third party must perform the assessment.

Because EI3PA is closely based on the Payment Card Industry Data Security Standard (PCI-DSS), any organization that already meets that standard is most likely already compliant, or close to it.

Resellers, as well as Experian themselves, face large risks if customer data is not adequately protected.

Who Can Do An EI3PA Assessment?

EI3PA assessments for Level 1 resellers must be performed by a 3rd party Qualified Security Assessor (QSA), such as 1st Secure IT.

Additionally, Experian will sometimes perform random security compliance audits to verify that providers are meeting all security policy requirements.

If you do not meet the conditions for being a Level 1 reseller, and have approval from Experian Information Security, you may be able to perform a Level 3 self-assessment.

In addition to the EI3PA assessment, resellers' networks must be scanned for vulnerabilities every quarter.

These scans must be done by an Approved Scanning Vendor (ASV), which will often be the same firm as your QSA.

Note that quarterly scans are required for both Level 1 and Level 3 vendors.

Contact 1st Secure IT

Is EI3PA compliance a concern for you?

If you are dealing with consumer credit history information, it should be.

Do you need a level 1 assessment performed, or guidance for performing a self-assessment?

1st Secure IT can help.

Contact us today to help you become EI3PA compliant, or to prepare for an audit.

Acting as an Experian reseller without being EI3PA compliant can have a major impact on your business if you’re found out, and can be even worse if you suffer a data breach while being noncompliant.

Contact 1st Secure IT today, and take the steps you need to keep your business secure in an uncertain digital world.


Cyber Security For Small Businesses On A Tight Budget

Cyber Security is definitely a 21st century problem, and it knows no limits.

No matter the size of your business, you must take the threat of a data breach seriously and protect your data.

Small businesses face a challenge because they must be just as compliant as a large business, without having the resources of their larger competitors.

Nevertheless, there are steps a small business can take to improve cyber security without blowing the budget.

1. Have A Good Password Strategy

The number one thing you can do is to have strong passwords and keep them safe.

These two recommendations may seem obvious, but they need to be said: don't use the same password for everything, and don't leave passwords on post-it notes.

Having a long password may be annoying, but with every additional character, it takes more time for a hacker to break through using brute force.

In order to keep many passwords safely, you may want to use a password manager application such as LastPass or 1Password.

This will save you the hassle of constantly resetting passwords or getting locked out of your accounts after too many unsuccessful attempts.

Even with a tight budget, the cost of a password manager application is well worth the $15-40 yearly subscription.

2. Use 2-Factor Authentication

Two-factor authentication is becoming more and more popular as attackers get more and more clever. In fact, whether a supplier offers it is a legitimate reason to choose one supplier over another.

All two-factor authentication does is ask you for a second proof that you are who you say you are. Often this is a code sent by text message or email, but it can also be a code generated by an authenticator app such as Google Authenticator, or a hardware security key. Codes sent by SMS or email are the weakest of these options, since they can be intercepted or phished; prefer an app or a hardware key where the service offers one.

Two-factor authentication makes it much harder for an attacker to get into your account, because a stolen password alone is no longer enough.

And since services that offer 2-factor authentication don’t generally charge for it, you can fit this in to your budget easily.

3. Use The 3-2-1 Backup Rule

The 3-2-1 Backup Rule was invented by Peter Krogh, a photographer, who didn’t want to lose any of his work.

Although at first glance, it might seem excessive, it is a best practice that has been picked up by many and has been recognized and recommended by governments.

The 3-2-1 backup rule is simple. To follow it, all you need to do is:

  • Have THREE copies of your data
  • Keep those copies on at least TWO different media
  • Store one of these copies off-site
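The rule says nothing about whether the copies are any good, and the most common backup failure is a copy that was never verified. As an added example, not code from this article, the following Python copies a source tree to several destinations (standing in for the second medium and the off-site copy) and records a SHA-256 manifest from the originals, so each copy can be re-checked later and a missing or silently corrupted file shows up before you need to restore. The sample files and directory names are constructed for the demo.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup(source, destinations):
    """Copy every file under `source` into each destination directory and return
    a manifest {relative path: sha256} recorded from the originals."""
    source = Path(source)
    manifest = {}
    for f in source.rglob("*"):
        if not f.is_file():
            continue
        rel = f.relative_to(source)
        manifest[str(rel)] = sha256_file(f)
        for dest in destinations:
            target = Path(dest) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(f, target)
    return manifest


def verify(destination, manifest):
    """Re-hash a copy against the manifest. Returns the relative paths that are
    missing or altered; an empty list means the copy is restorable as written."""
    problems = []
    for rel, digest in manifest.items():
        copy = Path(destination) / rel
        if not copy.is_file() or sha256_file(copy) != digest:
            problems.append(rel)
    return problems


def run_demo():
    """Constructed scenario: one source tree, two copies (standing in for the
    second medium and the off-site copy), one of which is later corrupted."""
    with tempfile.TemporaryDirectory() as tmp:
        src, copy_a, copy_b = (Path(tmp) / n for n in ("live", "external-disk", "offsite"))
        (src / "notes").mkdir(parents=True)
        (src / "ledger.csv").write_text("date,amount\n2018-01-02,100\n")
        (src / "notes" / "report.txt").write_text("quarterly report draft\n")
        manifest = backup(src, [copy_a, copy_b])
        before = (verify(copy_a, manifest), verify(copy_b, manifest))
        # Simulate silent corruption of one file on the off-site copy.
        (copy_b / "notes" / "report.txt").write_text("quarterly report draft (truncated")
        after = (verify(copy_a, manifest), verify(copy_b, manifest))
        return before, after


if __name__ == "__main__":
    print(run_demo())
```

Keep the manifest with the backups (and a copy elsewhere) and run `verify` on a schedule; a restore drill that actually reads the copy back is the only proof that a backup exists.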

Saving your files to an external hard drive and to a trusted server or cloud storage service is a good place to start.

Establishing a schedule for doing your backups is a great idea to ensure you’re never left unprepared.

Even if you don't do your backups every day, you can take the precaution of emailing yourself the document you just finished working on, provided it contains nothing sensitive.

Doing that will save you if your computer itself is lost or irreparably damaged.

Truly, this practice can be priceless, when looking at the cost of having a company or consultant try to pull your files off a broken computer.

4. Make Sure You’re PCI DSS Compliant

The Payment Card Industry Security Standards Council (PCI SSC) has many recommendations that protect the security of your business, should you process, transmit or store credit card transactions.

1st Secure IT is authorized to perform PCI Data Security Standard (PCI DSS) assessments of any level, but we will provide you with more than mere action items.

There are 12 PCI DSS requirements that you must adhere to if you process, transmit or store credit card data.

However, when we assess your company, we will also provide helpful suggestions regarding your systems and processes, recommending best practices and improving your overall cyber security.

Contact 1st Secure IT

Being PCI DSS compliant is crucial for merchant businesses, which means that finding the best value for money will be the critical factor if you’re on a tight budget.

1st Secure IT can help. Our team of experienced qualified security assessors (QSAs) will help you understand what your business needs to do to achieve and maintain PCI DSS compliance.

We can also help you with a number of other IT security concerns, from training your staff on the implementation of IT security best practices, risk & fraud analysis, and more.

Call 1st Secure IT today, and keep your business safe and secure in an uncertain digital world.


Cyber Security: Beyond The Password

“You’re only as strong as your weakest link.”

This old proverb might be cliché at this point, but it’s also the key to your organization’s cyber security.

As more and more employees are working remotely, carrying company-issued smartphones and laptops, and thus walking around with company and client information at their fingertips, this statement is truer than ever.

If the passwords protecting these devices aren’t strong enough, then your own employees will be the biggest cyber security risk you’ll face.

Worried about information getting into the wrong hands?

Finding your employees writing down passwords on scraps of paper, not changing them regularly or making them too easy to guess?

If so, there are steps you can take to improve your company’s cyber security and protect your clients from a data breach.

Read on for some solutions to common cyber-security related problems.

How To Choose A Good Password

Uppercase letter, lowercase letter, number, “special symbol”, and at least 8 characters long.

These are the types of requirements often used for setting a password.

But not everyone understands why.

One of the traditional methods of password cracking is called “brute force”: an automated tool systematically tries every possible combination of characters until it finds the right one.

A standard QWERTY keyboard can produce 96 characters with normal keystrokes, so if your password is one character long there are only 96 possible passwords. A password cracker breaks that in the blink of an eye.

Add another character, and it is 96 × 96 possible passwords, or 9,216.

Three characters, and it is 884,736 possible passwords. And so on.

Password crackers try anywhere from millions of guesses per second on a single CPU to around a trillion per second on a rack of GPUs against a fast, unsalted hash such as MD5 or NTLM, so while 884,736 possibilities may seem like a lot, software makes short work of them.

But every character you add multiplies the work by 96, so the difficulty grows exponentially with length.

A nine-character password has about 692 quadrillion (6.9 × 10^17) combinations; at one trillion guesses per second, exhausting that space takes about eight days.

A ten-character password has about 66 quintillion (6.6 × 10^19) combinations, roughly two years at the same rate.

Twelve characters gives about 613 sextillion (6.1 × 10^23) combinations, on the order of twenty thousand years. These figures assume truly random characters; against a properly salted, slow hash such as bcrypt the attacker's rate drops by many orders of magnitude, which is why how passwords are stored matters as much as how long they are.

The first step in ensuring your employees have a strong password is setting a password policy, such as the one listed above.

Have your IT staff ensure passwords on company systems must meet the minimum requirements.

However, these sorts of requirements can result in passwords so complicated that employees feel compelled to write them down, thus defeating the purpose.

We talked about this in a previous article about the Hawaii missile warning earlier this year, where it was revealed that the people in charge of Hawaii’s Emergency Management Agency had left the passwords to their accounts on a post-it note on their computer monitor, which then ended up on television.

So offer them some tips to combat this behavior.

Making passwords easy for the user to remember but hard for anyone else to guess doesn't have to be rocket science.

One technique is to use an “inside joke” or special memory as a phrase. Remove the spaces and trade some letters for numbers or symbols (“3” for “E”, “6” for “G”, “$” for “S”) to satisfy the complexity rules.

Be aware of the limits of this trick: those substitutions are built into every cracking tool's rule sets, so a guessable phrase with a few letters swapped is only a few times harder to crack than the phrase itself. What protects you is a phrase an attacker would not think to try, and above all length; a long passphrase of several unrelated words beats a short mangled word.
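The arithmetic in the brute-force discussion above and the substitution tip here are worth seeing side by side. The following Python is an added example (not from this article): it computes the keyspace and time-to-exhaust figures for a given guess rate, enumerates the spellings a rule-based cracker would try for a leet-substituted phrase, compares that work against the brute-force figure, and generates a random password with the `secrets` module. The substitution table, the phrase “bigeggsaturday” and the 100,000-phrase list size are assumptions for the illustration.

```python
import itertools
import math
import secrets
import string

# Size of the character set the article reasons with (96 keyboard characters).
ARTICLE_ALPHABET = 96


def keyspace(length, alphabet_size=ARTICLE_ALPHABET):
    """Number of distinct passwords of exactly `length` random characters."""
    return alphabet_size ** length


def seconds_to_exhaust(length, guesses_per_second, alphabet_size=ARTICLE_ALPHABET):
    """Worst-case time for a brute-force search that tries every combination."""
    return keyspace(length, alphabet_size) / guesses_per_second


# The letter-for-symbol swaps the article suggests, plus a few others that
# every cracking rule set already contains (assumed table for the example).
SUBSTITUTIONS = {"e": "3", "g": "6", "s": "$", "a": "@", "o": "0", "i": "1"}


def substitution_variants(phrase):
    """Every spelling obtained by optionally swapping each substitutable letter.
    This is what a rule-based attack tries for a candidate phrase."""
    options = [(ch, SUBSTITUTIONS[ch]) if ch in SUBSTITUTIONS else (ch,)
               for ch in phrase.lower()]
    return {"".join(combo) for combo in itertools.product(*options)}


def effective_bits(phrase, phrase_list_size):
    """Work an attacker faces if the phrase is one of `phrase_list_size` guessable
    phrases, as log2(phrases * substitution variants), beside the naive
    brute-force figure of length * log2(alphabet)."""
    work = phrase_list_size * len(substitution_variants(phrase))
    return math.log2(work), len(phrase) * math.log2(ARTICLE_ALPHABET)


def generate_password(length=16):
    """A password of truly random printable characters, drawn with the CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    rate = 1e12  # guesses per second: a rack of GPUs against a fast unsalted hash
    for n in (8, 9, 10, 12):
        print(f"{n} chars: {keyspace(n):.3g} combinations, "
              f"{seconds_to_exhaust(n, rate) / 86400:.3g} days at {rate:.0e}/s")
    real, naive = effective_bits("bigeggsaturday", 100_000)
    print(f"'b1g3gg$@turd@y': ~{real:.1f} bits of work vs {naive:.1f} bits brute force")
    print("random 16-char password:", generate_password())
```

For the 14-character mangled phrase the naive figure is about 92 bits, but if the underlying phrase is one of 100,000 an attacker would try, the real work is about 25 bits (256 substitution variants times 100,000 phrases), which is minutes rather than millennia. The generator shows the alternative: random characters from the full alphabet, where the naive figure is the real one.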

How To Manage Your Passwords

Some organizations have chosen to take back control over passwords, by using password managers or password vaults.

These are programs which assist in generating and storing complex passwords in an encrypted database.

These types of applications require the user to create and remember one “master” password to gain access to the information stored in the encrypted database.

Using a password manager can prevent employees from using the same log-in and password across multiple devices and accounts – so long as they can remember the password for the manager itself.

Using 2-Factor Authentication

When it comes to protecting very sensitive information, a single password alone may not be enough.

Two-factor authentication can make it much harder for a hacker to gain access to a system.

Even if a hacker is able to determine a user’s password to log-in to the system, two-factor authentication adds an extra step, or “authentication factor” which needs to be used before access to the system is granted.

The 3 types of authentication factors are knowledge, possession and inherence (also called biometrics).

Knowledge factors are based on something the user knows (such as the password or PIN).

We’ve already talked about passwords above.

Possession factors use something the user has, such as an ID card, smartphone or security token.

For example, this might involve having a special code sent to the user’s smartphone which must be entered before access to a system can be gained.

Or the user carrying a smart card or key fob that must be presented or swiped in addition to the password.

Inherence (or biometric) factors have to do with something the user IS.

This could be a fingerprint swipe, face or voice recognition, or, as often seen in the movies, an iris scan.

Two-factor authentication requires using two different types of authentication.

Requiring a user to enter a password and then a PIN counts as only one factor, since both are knowledge factors.

Requiring a password and a fingerprint swipe to unlock a device is two-factor authentication, since it combines a knowledge factor with an inherence factor.

Contact 1st Secure IT

Worried about data breaches?

Need help setting up a two-factor authentication tool so your company’s information stays safe and secure?

Or maybe you’re looking for employee awareness training, on the importance of strong passwords.

1st Secure IT can help.

Contact us today to discuss your options for keeping your company secure in an uncertain digital climate.


Do You Need Cyber Security Insurance?

Life insurance.

Car insurance.

Home insurance.

These are all “no-brainers” right?

But what about Cyber-security insurance?

Are you prepared if you face a data breach?

Are you ready to pay-out those whose information may be compromised if your systems are hacked?

Keep reading to learn more about data breach protection and how it could benefit you.

What Is Cyber Security Insurance?

Cyber insurance, cyber risk insurance or cyber liability insurance coverage are different names for the same thing.

This insurance will assist your organization in covering costs associated with cyber-security breaches and other related cyber-security issues.

When creating a risk management plan, an organization decides how to handle each potential risk it faces: accept it, avoid it, control it, or transfer it.

Cyber Insurance is one method to transfer risk by offsetting costs associated with response and recovery after a cyber-security related breach occurs.

Choosing A Cyber Security Insurance Policy

Many well-known insurance companies offer cyber-insurance policies.

If you have an insurance provider you know and trust for your other policies, start there and see if they have cyber-insurance suitable for your needs.

When researching policies, be certain to be very clear about what is covered and what is not.

Find out about special circumstances and any limits as well.

Some questions to ask include:

  • Is the coverage standalone, or is it an extension on an existing policy?
    (Often times, a standalone policy will be more comprehensive.)
  • Can the policy be customized to my organization?
  • What are the deductibles?
  • What sorts of breaches or cyber-attacks are covered?
  • Is there a time-frame to which the coverage applies?

What Does Cyber Security Insurance Cover?

There are 4 key areas cyber-security insurance can help you with.

Let’s take a look at what they are:

1. Investigation

In the event of a security breach, a third-party company often needs to be brought in to discover the cause of the breach.

A forensics investigation will determine what occurred, how to fix it, and how to prevent it from happening again.

This insurance will help with costs associated with this investigation.

2. Business Losses

The terms of a cyber-insurance policy may resemble those of errors-and-omissions policies that cover losses caused by negligence.

Business losses can also include losses due to network downtime, business interruption, data recovery and damage to reputation.

3. Privacy and Notification

In most jurisdictions if a company has a data breach which affects their customers or clients it is required they be notified.

Additionally, customers whose information has been breached may now require credit monitoring to guard against identity theft.

This coverage can help with these expenses.

4. Lawsuits and extortion

If a company is faced with cyber-extortion, for instance after ransomware is installed on their system, cyber-insurance can help cover these costs.

If you have this type of insurance, read your policy carefully: some policies are voided if you disclose that you have the coverage, on the reasoning that advertising it makes you a target for extortionists who expect their demands to be paid by the insurer.

What Does Cyber Security Insurance NOT Cover?

When choosing Cyber Security Insurance, it is important to read the fine print and understand what is, and is not, covered.

For example, the way the policy defines a breach, or fraud, could make the difference in being covered or not covered should an incident occur.

Read your policy carefully and thoroughly to understand what is, and more importantly what is NOT covered.

What Kind Of Cyber Security Insurance Do I Need?

Factors such as the size of your company, the type of information you are storing and the industry you work in will determine what type of cyber-insurance you will need.

For some, a rider on their existing policy may be sufficient, and for others an entire separate policy may be required.

If you’re on the hunt for a policy, and are overwhelmed by the choices on-offer, an insurance broker might be beneficial to help navigate your options.

When looking for a broker, the relationship between your Chief Information Security Officer (CISO) and the broker is important.

Ensure the broker has your best interest, and not that of their partners, in mind.

Look at the services being offered and their ability in the arena of cyber security.

The right broker can help you navigate the finer points of the options available, so long as they are experienced and honest.

Contact 1st Secure IT

Are you worried about a data breach?

Do you want to beef-up cyber security so you can be eligible for lower cyber-insurance premiums?

Are you worried about maintaining compliance with the requirements for your existing plan, or need help looking at your cyber-security options?

1st Secure IT can help. Contact us today for a cyber-security consultation.


How To Avoid A Lawsuit Over A Data Breach

Ride sharing. Credit Scores. Retail.

Although in three completely different industries, these companies all have something in common.

They have all suffered large, public, data breaches.

Whether from hackers or from poor cyber security practices, it seems no one is immune; if these giants can be susceptible to data breaches, anyone can be.

So let’s take a look at data breach protection and how you can protect yourself and your business if it happens to you.

Do you know what to do in the event of a breach?

Have you trained your employees on how to respond?

Do you have a plan in place?

Read on for more information about what to do to be ready.

1. Report The Breach As Soon As Possible

Waiting too long to report the breach once you become aware of it could literally cost your company hundreds of thousands of dollars.

Settlements are generally based on the number of people affected by the breach, and the scope of the damage, and part of this calculation is how long the company took to disclose the breach.

Besides, most jurisdictions today have laws about the requirements for reporting data breaches.

While it may be tempting to go hide under your bed for a few months and hope nobody notices, being forthcoming with the issues as soon as you find them will help you maintain some semblance of your good reputation and help you minimize losses.

2. Control How Your Staff Communicates Publicly

It’s very important to control the message your company communicates to the public after a data breach occurs.

The wrong claim or promise could come back to haunt you in court.

Plan in advance what you would say in various scenarios (for instance, if you were hacked vs finding out about a disgruntled employee leaking information) and have statements ready to be modified according to the specifics of the situation.

You should have a specifically trained Public Relations person or team in place to handle all inquiries related to the breach, and employees should be directing all inquiries to this person or team, rather than answering questions themselves.

But what happens if one of your other staff members is contacted about the situation?

This is where training comes into play.

A good response might be something like “We are not authorized to comment on the situation” and then directing the questioner to the proper contact.

Avoid having people say “No comment” as this can often be misconstrued as a confirmation of information.

3. Go Through Data Breach Training

The first line of defense is always doing everything possible to prevent a breach from occurring in the first place, but if it does happen you want to be prepared.

Proper planning and training can help to catch breaches faster and limit the exposure of sensitive information.

Equipping your employees with cybersecurity training and education so if any one person suspects a breach they know exactly what steps to take is important.

Running simulations of a data breach, and practicing the steps to take can help ensure employees are confident in their ability to respond to incidents.

4. Consider A Cybersecurity Insurance Plan

In the event you do experience a data breach, a cyber security insurance plan could be a lifesaver.

In addition to offering financial resources to help you through a breach, it can also provide technical, legal, and other resources.

The right policy could save you from financial disaster.

5. Focus On Your Vendors

Links between your company and your vendors could result in links between your IT networks.

Thus, a gap in the security of your vendors cyber security could also compromise your own systems.

Ensuring the vendors you do business with have acceptable levels of cyber security is a way to minimize your own risk.

Set standards and hold your vendors to those same standards, as a condition of doing business with you.

Contact 1st Secure IT

Are you worried about the potential of a data breach?

Do your employees know the correct actions to take if they suspect a breach has taken place?

Does your company have an action plan in place, ready to put into action if you find out there has been a gap in your cyber security?

If you would like a consultation on any of these issues, 1st Secure IT can help.

Contact us to discuss your business, the risks you face and the best options for your company.

Because being prepared for a breach can be the difference in it being an inconvenience and a business-ending disaster.


What is the Dark Web?

When you read the phrase “The Dark Web” what do you picture?

Is it a sinister place where criminals run rampant?

A haven for anarchists, ne’er-do-wells, and other unsavoury types?

Or a bastion of free speech in a world where many worry about censorship?

Depending on who you ask, it might be described as any of the above, and more.

If you’ve been the victim of a data breach, your personal information may be there, waiting for someone to come along and pay the right price to steal your identity.

You might think it’s something you don’t have to worry about, but are you as good at analyzing risk as you think you are?

Let’s dig into the dark web to learn more.

What Is The Dark Web?

The Dark Web is the part of the internet that is reachable only through overlay networks such as Tor, so it is not indexed by ordinary search engines and will not show up in a typical Google search.

Accessing it requires special software such as the Tor Browser, which keeps you (relatively) anonymous.

As a result, it presents a particular challenge for law enforcement.

On the dark web, you can find a wide range of illegal activity, including trafficking in stolen goods, illicit substances or weapons, murder for hire, and other things far too horrible to be mentioned here.

Benefits Of Using The Dark Web?

When many people think of the dark web, they think of an epicentre of criminal activity with little reason for a law-abiding citizen to ever venture there.

While this is often the case, not all activity on the Dark Web is illegal.

In countries where internet access is controlled and monitored by the government, the Dark Web can help people to communicate without fear of repercussions.

Those concerned with their personal privacy on the internet can find lots of tips and tricks to incorporate into their lives.

And it can be a safe place for whistleblowers to share information – some mainstream media organizations even monitor these dark web whistleblower sites, including a version of Wikileaks.

Even law enforcement can find benefit from monitoring the dark web as part of a larger threat analysis and situational awareness strategy.

Accessing The Dark Web

Accessing the dark web is not as hard as one might imagine.

You don’t need a secret code-word or to have a special contact to be let in – you just need the right software.

The most popular is Tor, but Freenet and I2P can also be used.

Just be prepared to deal with slow and unpredictable performance.

Tor wraps each message in several layers of encryption, one per relay (hence “onion routing”). Each relay strips off only its own layer, so it learns where the message came from and where it goes next, but it never sees both the original sender and the final destination, and it cannot read the layers inside. That is what provides the anonymity.

Because the traffic is bouncing through many different volunteers’ computers rather than a fixed, provisioned network, speeds can be slow and bottlenecks are common.

Dark web site addresses end in .onion, a special-use suffix that only resolves inside the Tor network, and the part before it is derived from the site’s public key rather than chosen for readability, which makes the addresses near-impossible to remember.

Anonymity only covers the routing, though. The exit relay sees whatever leaves the network in the clear, so if the content of a message contains identifying information (such as an email address), or you log in to an account that is tied to you, you are no longer anonymous.
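As an added example (not code from 1st Secure IT or from the Tor project), the following Python script simulates the layering described above for a three-hop circuit. The per-relay keys are constructed for the demo, the stream cipher is a SHA-256 counter-mode stand-in for the AES-CTR that Tor actually uses, and there is no integrity check, so it illustrates who can see what, not how to build a real anonymity network.

```python
import hashlib
import json
import secrets

# A three-relay circuit. The per-relay keys are constructed for this demo; real Tor
# negotiates a fresh key with each relay during circuit setup.
PATH = ["guard", "middle", "exit"]
KEYS = {name: hashlib.sha256(b"demo-key-" + name.encode()).digest() for name in PATH}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in stream cipher (SHA-256 in counter mode). Tor uses AES-CTR; this is
    # only here so the example runs with the standard library alone.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt one layer under a relay's key (fresh random nonce, no integrity check)."""
    nonce = secrets.token_bytes(16)
    return nonce + _xor(plaintext, _keystream(key, nonce, len(plaintext)))


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    return _xor(body, _keystream(key, nonce, len(body)))


def build_onion(path, keys, destination: str, payload: bytes) -> bytes:
    """Wrap the payload once per relay, innermost (exit) layer first, so that each
    relay's layer holds only the next hop and an opaque inner blob."""
    layer = json.dumps({"next": destination, "data": payload.hex()}).encode()
    blob = seal(keys[path[-1]], layer)
    for i in range(len(path) - 2, -1, -1):
        layer = json.dumps({"next": path[i + 1], "data": blob.hex()}).encode()
        blob = seal(keys[path[i]], layer)
    return blob


def relay_peel(name: str, keys, blob: bytes):
    """What one relay can do: strip its own layer, learn the next hop, forward the rest."""
    inner = json.loads(unseal(keys[name], blob))
    return inner["next"], bytes.fromhex(inner["data"])


def can_read(key: bytes, blob: bytes) -> bool:
    """True if `key` decrypts `blob` to a well-formed layer; with the wrong key the
    result is random bytes that do not parse."""
    try:
        return isinstance(json.loads(unseal(key, blob)), dict)
    except ValueError:  # covers UnicodeDecodeError and JSONDecodeError
        return False


def traverse(path, keys, blob: bytes):
    """Simulate the circuit. Returns what each relay learned and what the destination gets."""
    seen = {}
    previous = "client"
    for name in path:
        next_hop, blob = relay_peel(name, keys, blob)
        seen[name] = {"from": previous, "to": next_hop}
        previous = name
    return seen, blob


if __name__ == "__main__":
    onion = build_onion(PATH, KEYS, "example.com:443", b"GET / HTTP/1.1")
    view, delivered = traverse(PATH, KEYS, onion)
    for relay, info in view.items():
        print(f"{relay:7s} learned: from {info['from']} -> to {info['to']}")
    print("destination received:", delivered)
```

Run it and note that the guard learns only “client → middle”, the middle only “guard → exit”, and only the exit sees the destination and the plaintext request, which is exactly why identifying content in the payload undoes the anonymity.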

Illegal Activity On The Dark Web

Do you wonder what happens to information after companies like Equifax, Uber or Facebook are breached?

What’s the goal behind taking the risk to steal all this data?

In many cases it ends up on the dark web, for sale to the highest bidder.

Everything from login details for underused Netflix accounts to bank and credit card accounts giving access to thousands of dollars in funds can be found for those willing to pay the price.

If you go searching and happen to find your own information on the Dark Web, there may not be much you can do to remove it, but by knowing it’s there you can take steps to protect yourself.

Of course, a data breach may not seem like a big deal compared to some of the other uses of the dark web we talked about earlier.

But if you’re the one whose information is breached, credit cards and ID stolen, it can be devastating.

And if your company suffered a data breach due to negligent IT security practices and is, as a result, directly responsible for perhaps thousands of people losing their data, it can be exponentially worse.

Contact 1st Secure IT

Are you worried that your personal or company information may have appeared on the Dark Web after a security breach?

Or are you worried that employees may be using company resources to access this illicit corner of the internet?

Even worse – has your company suffered a data breach, and that information is being bought and sold across the Dark Web?

If so, 1st Secure IT can help.

Call us today to speak with one of our knowledgeable IT security consultants.

We can help you find the weak points in your IT security infrastructure to avoid a data breach or catastrophic leak from occurring.

We’ll help you avoid becoming just another statistic, just another company who, through its own negligence, caused millions of dollars in damage as their customers scramble to contain the damage to their lives.

Contact 1st Secure IT today, and keep your business and your customers safe and secure in an uncertain digital world.


How Easy is it to Get Hacked?

Contrary to what the movies would have you believe, hacking is not done as you chase virtual rabbits across a screen through a graphic interface.

Nor is it something you can simply defend yourself from with a piece of software that comes with your computer.

You can be fully compliant with PCI DSS, EI3PA, and employ the latest known security tactics, but how easy will it be for someone to break through that security?

Are You At Risk?

A few years back, the National Cyber Security Alliance estimated the odds of any given small business being hacked in a year at about 20%.

That means if you run a small business, and four of your friends also have small businesses, one of you is statistically likely to be hacked in the next 12 months.

In Britain, in 2014, there were 2.5 million reported cybercrimes.

That adds up to about 10% of the population being hit in a 12 month period.

Noted accounting firm KPMG, however, believes that because so few of these crimes are actually reported, the real figures are much higher.

They place the odds closer to 1 in 3 of being hacked on an annual basis.

So why are so many organizations vulnerable to hacks?

1. Weak Passwords

One of the easiest ways for hackers to gain access to secure accounts is through cracking a password.

Because it’s so hard to remember different passwords for different accounts, many people use the same password for almost all their accounts.

So, if a hacker gets access to one, the hacker has access to them all.

It comes down to a numbers game for hackers.

A simple five-character password such as 12345, or even a basic dictionary word, can be cracked in well under 10 seconds, just by trying common passwords and short combinations.

A seven-character password, meanwhile, can take about a day to get through.

Jumping to nine characters means it takes about a week to crack, and a ten-character password several months.

If you really want to be secure, adding just two more characters makes it so difficult that a hacker would take nearly 200 years to get in.

These numbers are, of course, rough averages. They assume an attacker guessing at one particular speed against a password built from the full range of letters, digits and symbols. An attacker who has stolen a database of unsalted, fast hashes can guess billions of times per second and gets through far sooner, while a login form that locks or throttles after a few failed attempts stretches every one of these figures out enormously.

The list of the ten most commonly used passwords contains some nine- and ten-character entries, but any reasonable hacker will try that list first and walk straight into your account, however long the password is.

These top 10 passwords are:

  • 123456
  • 123456789
  • qwerty
  • 12345678
  • 111111
  • 1234567890
  • 1234567
  • password
  • 123123
  • 987654321

If you’re using one of these passwords yourself, it’s time to change to something more secure.
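Here is an added Python example (not from the original article) that makes those dependencies explicit: it checks a candidate against the list above and then estimates crack time for three attack situations. The guess rates are assumptions chosen for illustration, and a real wordlist has millions of entries rather than ten.

```python
import string

# The ten most common passwords from the list above, in rank order. A real attacker
# uses wordlists of millions of entries; these ten are just the top of that list.
TOP10 = ["123456", "123456789", "qwerty", "12345678", "111111",
         "1234567890", "1234567", "password", "123123", "987654321"]

# Guesses per second for three attack situations. These figures are assumptions
# chosen for illustration; real rates depend on the hash algorithm and hardware.
RATES = {
    "online, throttled login form": 10.0,    # lockout/throttling caps attempts
    "offline, slow hash (bcrypt)": 1e5,      # stolen database, well-chosen hash
    "offline, fast hash (MD5/NTLM)": 1e11,   # stolen database, bad hash, GPU rig
}


def charset_size(password: str) -> int:
    """Size of the smallest mix of standard character classes that could produce the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII symbols
    return size


def expected_guesses(password: str) -> float:
    """Guesses a sensible attacker needs on average: a wordlist hit costs its rank,
    anything else costs half the brute-force keyspace for its length and classes."""
    if password.lower() in TOP10:
        return float(TOP10.index(password.lower()) + 1)
    return charset_size(password) ** len(password) / 2.0


def crack_times(password: str) -> dict:
    """Expected seconds to crack under each attack situation in RATES."""
    guesses = expected_guesses(password)
    return {mode: guesses / rate for mode, rate in RATES.items()}


def human(seconds: float) -> str:
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3f} seconds"


if __name__ == "__main__":
    for pw in ["password", "abcdefg", "Winter2018!", "Tr0ub4dor&3"]:
        print(pw)
        for mode, secs in crack_times(pw).items():
            print(f"   {mode:30s} {human(secs)}")
```

The same seven lowercase letters come out at a fraction of a second against a fast hash and at over a decade against a throttled login, which is the whole point: the “one day” figure is only ever true for one combination of attacker speed and hashing choice.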

2. Viruses

Viruses are not as common as they used to be but are still prevalent.

While we no longer live in a world where an emailed virus goes viral every six months and disables major networks, they are still a threat.

According to the Microsoft Security Intelligence Report, 16 million American households have experienced a viral infection on one of their machines at some point over the last two years.

That same study found that 95% of American households said they use antivirus software.

But with an estimated 126 million American households in existence, 16 million is actually closer to 13% of the total.

What this means is that people who use antivirus software are sometimes still infected (that, or they were overstating their use of it).

Modern antivirus software accounts for much of the decline in viruses, but occasionally a new, powerful one proves effective and sneaks through. Automatic account lockouts after two or three wrong passwords help too, but against password guessing rather than viruses.

3. Phishing

Part of the decline in viruses is due to the rise of phishing scams.

It’s now generally more profitable for a hacker to send an email to an unsuspecting mark telling them that they have come into an inheritance, must pay a fee to claim it, or are needed to help a Nigerian prince recover an abandoned fortune.

These are generally written in broken English, but people fall for them, and often wire thousands of dollars to the hacker/scammer.

Sometimes they come from fake email addresses that seem to be tied to legitimate clients or businesses, until you read the actual address.

For more on how to recognize a phishing scam, see one of our previous articles on the subject.

Contact 1ST Secure IT

If that prediction from KPMG is accurate, you have a one-in-three chance of being hacked this year.

Spread that out over enough years and the odds of never being hacked shrink toward zero: sooner or later it happens.

You don’t want that to happen.

1st Secure IT can help.

Call us today and speak with one of our experienced and knowledgeable IT security consultants.

They will take the time to better understand your business and your needs, and from there help you understand what you need to keep things running smoothly and, more importantly, securely.

Contact 1st Secure IT today and keep your business safe and secure in an uncertain digital world.


Is Windows Defender Enough to Keep You Safe?

Windows Defender really has a great name, doesn’t it?

Defender, it’s the kind of word that makes a computer user think of an invisible guardian protecting your computer from all potential harm.

But is it as good as its name suggests?

Will it protect you from all manner of IT security threats?

Read this guide to find out more

What Is Windows Defender?

Windows Defender Antivirus is the anti-malware component built into Microsoft Windows.

It sits alongside the separate Windows Defender Firewall, and both are managed from the same Windows Defender Security Center.

What does Windows Defender Do?

Through Windows Defender Security Center, you can:

• Control your security preferences
• Control live scans of your browsers
• Control your firewall
• Update your family controls
• Monitor the general security status of your computer and network.

If you just need basic web security, like to protect your home network from threats, Windows Defender can help you remain safe and secure.

And if you have young children and would like to restrict the content they have access to, Windows Defender is helpful.

What Does Windows Defender Not Do?

Windows Defender is a nice, well-rounded anti-malware system that offers low-to-medium level protection.

However, it’s far from a perfect system.

PC Magazine, Techradar Pro, Tom’s Guide, and PC World all gave Windows Defender a 3 out of 5, with Tom’s Guide writer Brian Nadel calling it “better than nothing”.

Full system scans run by Defender are also known to slow computer performance to a crawl while they run.

Defender’s browser-level protection, SmartScreen, is built into Microsoft Internet Explorer and, more recently, Microsoft’s newest browser, Edge.

This means that other browsers, like Opera, Chrome, and Firefox, do not get SmartScreen’s URL and download reputation checks and must rely on their own filtering (Chrome and Firefox use Google Safe Browsing); Defender’s real-time file scanning still covers what those browsers download, but the earlier, browser-side warning is missing.

And because Internet Explorer and Edge have such a small browser market share – just over 16% of desktop users use one of the two, according to Net Market Share – this makes that part of Windows Defender irrelevant for the vast majority of us who prefer a different browser.

Defender has also been criticized for letting threats through browser plugins like Java.

Browser-side Java is far less common than it once was, but anyone who still depends on such plugins should not treat Defender as a complete solution.

What Do You Need?

Microsoft is so popular that its users have a tremendously broad set of needs.

At one end, you may have a senior citizen who uses their computer only to play Candy Crush or solitaire and send notes to relatives on Facebook.

At the other, you have people who spend their entire workday on computers managing high level IT environments.

What works for some is not necessarily adequate for others.

If you don’t download much from the internet, and the only videos you watch are from YouTube, Amazon, or Netflix, you’re likely fine with Windows Defender.

But if you spend a huge chunk of your day working on your computer, sending dozens of emails, reviewing content in a multitude of formats, or doing constant research, you’ll want to upgrade to stronger protection than Windows Defender.

This is especially true in corporate environments where IT security is paramount – like when processing sensitive information or complying with industry regulations, like the PCI DSS.

As soon as you install a new security suite, Windows Defender will shut itself off to let the new system take over, because that is what it is designed to do.

It protects your system until you have something more secure.

Contact 1st Secure IT

If your needs are no more significant than that of someone who uses their computer for little else than emails, social media, and shopping, you likely are fine running Windows Defender – just make sure to keep it up to date.

But in a corporate environment, Windows Defender is not our recommendation.

Here at 1st Secure IT, our motto is “compliance is not enough”.

That means we don’t recommend the bare minimum – which includes Windows Defender.

If you use your computer for business, contact 1st Secure IT today to find out how you can better protect your company’s sensitive information from the bad actors out there.

Don’t get caught unprotected – there are a lot of cyber security threats which could potentially cost you dearly in the form of lost revenue, lost respect, lawsuits, and more.

But it doesn’t have to be that way.

1st Secure IT can help.

Contact 1st Secure IT today, and keep yourself safe and secure in an uncertain digital world.


Suffered A Data Breach? You're Required By Law To Report It


The phrase “data breach” is terrifying.

Not only for the question of your security, but especially now that there are extremely strict legal regulations regarding how your company notifies affected customers and when you do so.

The team at 1st Secure IT has put together this handy guide to the latest legal updates about data breach reporting.

Alabama's New Legislation

The State of Alabama signed SB 318 into law on March 28, 2018, and it took effect on June 1, 2018.

This new law requires that companies notify affected individuals within 45 days of discovering a breach of their personal data.

Under Alabama law, personal data means a person’s first name or first initial and last name combined with any of the following:

  • Social security number
  • Personal medical information
  • An employment id number/password/biometric data used for login
  • A username/email address/password that provides access to online accounts
  • A credit or debit card number/CVC code found on the back of a credit card/a PIN
  • Any government issued identification number like a driver’s license number.

The law exempts information where it is “reasonably determined that the breach will not likely result in harm to the affected person”, information that is already public, and encrypted, redacted or otherwise unusable data.

Failing to alert customers within the allotted 45 days can bring a fine of up to $5,000 per day, capped at $500,000 per breach, and the state’s attorney general can file suit.

If more than 1,000 Alabamians are affected, the attorney general must be notified, and so must the consumer reporting agencies.

Yikes.

South Dakota's New Legislation

South Dakota’s new law SB62 is nearly identical to the legislation in Alabama.

There are, however, a few key differences.

Firstly, companies have 60 days to notify those who are affected, not 45.

Next, if more than 250 South Dakotans are affected, the state’s attorney general must be notified within that same time frame.

Credit agencies do not have to be notified.

Lastly, the fines are higher in South Dakota: up to $10,000 per day per violation, plus attorney fees.


Federal Laws On The Subject

Alabama and South Dakota were the last two holdouts.

Now, every state in the Union has their own laws about data breach reporting.

But in February, a bill called the Data Acquisition and Technology Accountability and Security Act began circulating on Capitol Hill.

This bill would preempt the laws each state has developed for itself.

While many states and professional organizations support the idea of a single unified set of rules and regulations to best protect Americans, it is facing opposition from those who feel it would make things harder for state governments to protect their citizens.

Canadian Regulations

Believe it or not, Canada does have internet, and that means that the data of Canadian customers is also something that is to be protected.

Under amendments to Canada’s federal private-sector privacy law, PIPEDA, that take effect November 1, 2018, companies will have to follow set protocols for informing people when their data has been breached.

The accompanying regulations were only recently finalized, but the core obligations are already clear.

The law requires that companies assess how sensitive the breached data is and how it could be misused.

Does the breach pose a real risk of significant harm?

If so, they must inform the affected individuals as well as the Privacy Commissioner of Canada.

They must also notify any other organization or government body that could help reduce the risk of harm to the affected individuals.

Companies based in British Columbia, Alberta, and Quebec are all covered by their own provincial legislation that has already been established.

Surprisingly, though, Ontario – the most populous province in Canada and home to nearly 40% of the country's population – has no such regulatory framework.

Companies will also have to keep a record of every breach for 24 months.

When notifying affected customers of a breach, companies will have to disclose:

  • The circumstances of the breach
  • When it occurred
  • The compromised data
  • What steps are being done to minimize any risk to the affected customers
  • What steps the customer can take to protect themselves
  • Contact information to answer any questions about the incident
  • Information about the internal complaints process, and how to file a complaint with the Privacy Commissioner.

Contact 1st Secure IT

Of course, these are only some of the many different data breach reporting regulations on this planet of ours.

Many European nations have their own set of laws around data breach reporting, as do some Latin American countries like Uruguay.

If you're doing business with people based in foreign countries, it's a good idea to be familiar with their data breach regulations. That way, when you're writing your disaster response plan, you can be sure you're prepared for all the potentialities.

If you're wondering whether your company is liable in different jurisdictions, we can help.

Contact 1st Secure IT today and keep your customers and your data secure in an uncertain digital world.


What Is A Firewall

There are many different words related to IT security which have snuck their way into mainstream vocabulary.

The average person may not have heard of phrases like PCI DSS compliance, SSAE 18, or even TLS, but you can bet most of them have heard of a firewall.

The word firewall ends up in a lot of the technobabble in science fiction and police TV shows featuring a hacker, because it sounds fancy and sophisticated. You’ll hear a phrase like “resetting the TCF of the external firewall will allow us to resync the NAT devices.”

This is just to make a TV show sound exciting, of course, but is a firewall a real thing? Yes, it is.

Read this article to find out more about how firewalls work and how they can improve your company’s IT security.

What Is A Firewall?

To put it as simply as possible, a firewall is a gate between your devices and the rest of the internet that decides, packet by packet, which traffic is allowed through.

When data moves between the internet and your devices, the firewall checks each packet against a set of rules (where it came from, where it is going, which port and protocol it uses, and whether it belongs to a connection you started) and only lets through what the rules permit.

Think of it like security at the border. If you want to take a vacation to Canada, agents let cars through one at a time while they check who you are, who is with you, and why you are travelling; they are not tearing every car apart looking for contraband.

A firewall works the same way, only it is inspecting data, not cars. Data travels in small chunks called packets, each carrying its source and destination addresses and ports. A packet that matches an allow rule passes; everything else is dropped, and a well-configured firewall logs the drop. Note that this is not a malware scan: a firewall decides who may talk to what, while antivirus software examines the content. Some modern firewalls bundle content inspection as well, but the two are different jobs.

Types Of Firewalls

There are many different types of firewalls, but broadly speaking they fit into two categories: network firewalls and host-based firewalls. Here’s what each of them does.

What Is A Network Firewall?

The idea behind a network firewall is to filter any traffic coming from the internet to make sure that only the data that should be coming into your system does so.

Your IT department will configure your firewall to monitor traffic, which can, among other things, block access to certain websites to prevent your staff from accidentally infecting your system from known malicious sites or wasting time on their social network of choice when they should be working.

But rather than writing every rule by hand (an exhausting endeavour), you can subscribe to a service that feeds your firewall up-to-date lists of known malicious addresses and attack signatures so it can block them. To continue the border analogy, this is like keeping your drug-sniffing dogs trained on each new drug as it appears, except it happens automatically.

Like the name suggests, these are useful for larger networks made up of multiple devices.

What Is A Host-Based Firewall?

A host-based firewall works in much the same way as a network firewall, but instead of protecting a whole network it protects only the device on which it is installed.

It is usually paired with the hardware firewall built into whatever connects you to the internet, such as a wireless router. The downside is that each host’s rules have to be maintained separately unless you manage them centrally, but on a small scale that isn’t much of a hassle.
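To show what “checking each packet against a set of rules” actually means, here is an added Python example (not code from 1st Secure IT or from any firewall product) that implements the core of a packet filter: first matching rule wins, and anything that matches nothing is denied. The addresses, ports and rule set are constructed for the example. It also includes a check for shadowed rules, the classic misconfiguration where a rule added below a catch-all never fires.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    proto: str = "any"            # "tcp", "udp", "icmp" or "any"
    src: str = "0.0.0.0/0"        # source network in CIDR notation
    dst: str = "0.0.0.0/0"        # destination network in CIDR notation
    dport: Optional[int] = None   # destination port, None = any
    comment: str = ""

    def matches(self, pkt: dict) -> bool:
        return (
            self.proto in ("any", pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
            and (self.dport is None or self.dport == pkt.get("dport"))
        )


# Constructed rule set for one web server (203.0.113.10) and an admin LAN (192.0.2.0/24).
RULES = [
    Rule("allow", "tcp", "0.0.0.0/0", "203.0.113.10/32", 443, "public HTTPS"),
    Rule("allow", "tcp", "192.0.2.0/24", "203.0.113.10/32", 22, "SSH from admin LAN only"),
    Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0", None, "explicit catch-all"),
    Rule("allow", "tcp", "0.0.0.0/0", "203.0.113.10/32", 8080, "never reached: shadowed by catch-all"),
]


def evaluate(rules: List[Rule], pkt: dict) -> Tuple[str, Optional[Rule]]:
    """First matching rule wins. No match means deny: a firewall should default to
    blocking anything it was not explicitly told to allow."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule
    return "deny", None


def shadowed(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule already covers every
    packet they would match. Field-by-field containment, so it is conservative."""
    dead = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (
                earlier.proto in ("any", later.proto)
                and ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
                and ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst))
                and (earlier.dport is None or earlier.dport == later.dport)
            ):
                dead.append(i)
                break
    return dead


if __name__ == "__main__":
    for pkt in [
        {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 443},
        {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 22},
        {"proto": "tcp", "src": "192.0.2.5", "dst": "203.0.113.10", "dport": 22},
    ]:
        action, rule = evaluate(RULES, pkt)
        print(action, pkt, "<-", rule.comment if rule else "default deny")
    print("shadowed rules:", shadowed(RULES))
```

Running it shows SSH from the internet hitting the catch-all while SSH from the admin LAN is allowed, and flags rule 3 as dead: the same mistake on a real appliance silently breaks whatever that rule was meant to permit.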

Why A Firewall?

A firewall is a simple, relatively painless way to improve the cyber security of your company. If configured right, your firewall will serve as your first line of defense against the malicious stuff floating around the internet.

But it’s only your first line of defense.

The internet is a constantly changing place, and cyber criminals are constantly discovering new ways to break into your systems and steal your data.

If you’re having trouble keeping up or you feel a little vulnerable to all the various security risks out there, you’re not alone.

1st Secure IT is there for you.

Give us a call and book a consultation with one of our IT security experts. We can help you recognize the gaps and weaknesses in your cyber security and shore up your defenses against the threats to your business that exist online.

Don’t get caught by the latest malicious attack. Contact 1st Secure IT today and enjoy the peace of mind that can only come from working with one of the top IT security firms on the market today.

Contact 1st Secure IT to stay safe and secure in an uncertain world.


Phishing Vs. Spoofing: What's The Difference?


Phishing and spoofing are no longer a threat that is limited to aunts who cover their Facebook walls in wine memes and grandfathers that type in all caps and send chain emails.

They’ve evolved to become a legitimate threat to your entire staff and can grievously compromise the security of your company and your clients. Because of this, it’s a good idea to hire an IT security company to protect yourself against these threats.

For now, enjoy this handy guide to better understand what phishing and spoofing are, and how you can protect yourself from them.

What is Spoofing?

Phishing and spoofing are often mixed up. To keep things simple, let’s start with spoofing.

This is a technique where a crook sends an email that claims to be from a trusted individual or institution.

Sometimes it comes from a real, trusted account that has been hacked; sometimes the sender address or display name is simply forged to look like a respected company.

The email encourages the recipient to click a link or open an attachment that downloads malware, a trojan, or something else malicious that can cripple your network and infect your clients.

What is Phishing?

Now, phishing is like spoofing in that it often comes from emails, but these emails contain forms, or links to forms.

These forms look very official, but are in reality, used by criminals for nefarious purposes.

They ask for everything from banking information to passwords for online accounts. It only takes a few pieces of data to do anything from identity theft to emptying your corporate accounts.


How to Recognize a Phishing Or Spoofing Scam?

These scams are often extremely convincing, using stolen graphics from official companies, or even using hacked accounts of trusted professionals.

Always go with your gut. If your accountant sends you an email asking you to download a document with a weird name and weird format that is making you uncomfortable, call their office, and make sure it’s legitimate.

Scammers will often register domain names that are slight corruptions of the ones used by trusted companies like stores or banks (a swapped letter, a digit in place of a letter, an extra word). Compare the sender’s domain, and the real destination of any link, character by character with the address the company normally uses.

They will also register the familiar name under a different ending, such as .ru or .jp, or bury the real name inside a longer one, as in yourbank.com.example.net. Unless you actually do business with the company at that exact domain, treat it as a scam.

The same goes for email addresses. They will often register an ordinary Gmail or Hotmail account with a display name like Apple Support, Microsoft Support or VISA Customer Service; hover over or expand the sender name and you will see the actual address, usually a nonsense name @gmail.com.

Keep your eyes peeled for broken or bad English; many of these scams are written by non-native speakers and read poorly. Don’t rely on this alone, though: the more targeted scams are written perfectly well.

Be wary of demands for urgent action or quick payment by bank transfer or cryptocurrency. A legitimate institution like a bank or the IRS does not open a payment demand with a surprise email; the IRS, for one, initiates contact by postal mail.

Lastly, if a page asking for credentials or card details has a URL starting with http: rather than https:, the connection is not protected by TLS and you should never type anything into it. The reverse is not a guarantee, though: scammers obtain certificates for their lookalike domains too, so the padlock only tells you the connection is encrypted, not that the site is who it claims to be.
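To make the checks above concrete, here is an added Python example (not code from 1st Secure IT) that applies them to a From: header and to the links in a message body. The brand-to-domain table is constructed for the example; in practice you would build it from your own vendor list. Note what it does not do: it catches lookalike and mismatched domains, not a From: header forged to show the genuine domain, which is what SPF, DKIM and DMARC checks at the mail gateway are for.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands the organization deals with and the domains that genuinely send mail for them.
# Constructed for this example; maintain your own list from your vendor inventory.
TRUSTED = {
    "paypal": {"paypal.com"},
    "microsoft": {"microsoft.com", "outlook.com"},
}

# Digits commonly swapped for letters in lookalike domains (paypa1, micr0soft, ...).
_CONFUSABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def registrable_domain(host: str) -> str:
    """'mail.paypal.com' -> 'paypal.com'. Simplification: ignores two-part public
    suffixes such as .co.uk; use the Public Suffix List in production."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str) -> list:
    """Return (finding, detail) pairs for a From: header."""
    name, addr = parseaddr(from_header)
    host = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    domain = registrable_domain(host) if host else ""
    invoked = (name + " " + addr).lower()  # display name, local part and host
    findings = []
    for brand, good in TRUSTED.items():
        if domain in good:
            continue  # genuinely sent from the brand's own domain
        if brand in invoked:
            findings.append(("brand_mismatch", f"mentions {brand!r} but sent from {domain or 'unknown'}"))
        base = domain.split(".")[0]
        for g in good:
            gbase = g.split(".")[0]
            if base and (base.translate(_CONFUSABLE) == gbase or edit_distance(base, gbase) == 1):
                findings.append(("lookalike_domain", f"{domain} resembles {g}"))
    return findings


_ANCHOR = re.compile(r'<a\s[^>]*?href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
_TAGS = re.compile(r"<[^>]+>")


def check_links(html: str) -> list:
    """Flag anchors whose visible text names one domain while the href goes to another,
    and any link that would submit over plain http."""
    findings = []
    for href, text in _ANCHOR.findall(html):
        target = urlparse(href)
        shown = _TAGS.sub("", text).strip()
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
        if "." in shown_host and registrable_domain(shown_host) != registrable_domain(target.hostname or ""):
            findings.append(("link_text_mismatch", f"shows {shown_host} but goes to {target.hostname}"))
        if target.scheme == "http":
            findings.append(("plain_http", href))
    return findings


if __name__ == "__main__":
    for hdr in ["PayPal Support <service@paypal.com>",
                "PayPal Support <secure-update@paypa1.com>",
                "Microsoft Account Team <ms.support.2018@gmail.com>"]:
        print(hdr, "->", check_sender(hdr) or "ok")
    body = ('<p>Confirm now: <a href="http://paypal.com.evil.ru/login">https://www.paypal.com/signin</a>'
            ' or <a href="https://www.paypal.com/help">Help Center</a></p>')  # constructed sample
    print(check_links(body))
```

The constructed sample message trips three of the tests from the article at once: a brand name on a Gmail-style address, a digit-for-letter lookalike, and a link whose visible text shows the real bank while the href goes elsewhere over plain http.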

Contact 1st Secure IT

An IT security company like 1st Secure IT can help protect you, your staff, and your customers from phishing and spoofing.

Give us a call to keep safe, especially if you just responded to an email from a Nigerian prince, or a foreign business official informing you of a massive inheritance.


These PCI DSS Changes Took Place On June 30th. Are You Ready For Them?

For anyone whose business regularly uses POS (point-of-sale) and POI (point-of-interaction) terminals, the new PCI SSC guidance on TLS is of massive importance.

Are you prepared for them?

New PCI SSC Guidance For SSL/TLS

The PCI SSC (Payment Card Industry Security Standards Council) has taken their old set of guidelines, Migrating from SSL/Early TLS Information Supplement, and replaced it with two new sets.

This was done because of the new PCI DSS v3.2.1 and the passing of official deadlines, including June 30, 2018, the deadline for migrating away from Secure Sockets Layer (SSL) and early Transport Layer Security (TLS).

The first new guide, Information Supplement: Use of SSL/Early TLS and Impact on ASV Scans, explains what this means for PCI DSS and ASV scans for merchants and service providers, including what it means to still be using SSL/early TLS after the June 30, 2018 deadline.

The second new guide, Information Supplement: Use of SSL/Early TLS for POS POI Terminal Connections, is aimed at merchants and service providers whose systems incorporate card-present POS POI terminal connections.

These guides also define terms like “early TLS” (TLS 1.0 and, depending on how it is used, TLS 1.1), and set out in depth what is required of the replacement technology.

Why Is The PCI SSC Publishing This?

As we stated above, the June 30 milestone is a tremendously important one.

Beginning July 1, SSL and early TLS may no longer be used as security controls for PCI DSS, except for POS POI terminals (and the termination points they connect to) that have been verified as not being susceptible to any known exploits.

In May 2018, PCI DSS was updated to v3.2.1, with new security requirements.

What Merchants Need To Know

If you're a merchant, you'll need to check which protocol versions your systems and terminals actually negotiate, not just how old they are, and make sure they meet the new security standard.

To find out whether they are, you can get in touch with your POS/POI supplier, or call us at 1st Secure IT.

It's worth noting that any new installs of POI and POS terminals cannot use SSL or early TLS, so if you've just set up your POS systems with a new product you're likely okay.

If any new vulnerabilities emerge that affect POI terminals and that can't be addressed by a software patch or updated controls, you'll need to immediately update them.

If you use SSL or early TLS for purposes other than as allowed for your POS POI terminal connection, note that your systems are out of date. You'll need to update your controls to minimize any risks and remain PCI DSS compliant.

Contact us here at 1st Secure IT if you need help with this.

If SSL/early TLS is still present but you do not rely on it as a security control (another control meets the PCI DSS requirement), you can leave it in place for now, provided you can document that.

But you really should move to a modern protocol version as soon as possible, as SSL and early TLS have well-known weaknesses (POODLE against SSL 3.0 and BEAST against TLS 1.0, among others).

On top of that, having SSL or early TLS in a system can often result in ASV scan failures.

Either way, contact us here at 1st Secure IT and we'll help you find out whether you're still compliant.
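As an added check (example code, not part of the PCI SSC guidance or 1st Secure IT's tooling), this Python script tries a handshake pinned to each protocol version in turn against a host you name and reports which early versions it still accepts. Two caveats: a modern OpenSSL may refuse to offer SSL 3.0 or TLS 1.0 at all, in which case the script reports “untestable” and you need `openssl s_client -ssl3` or `-tls1` from a legacy build or a dedicated scanner; and a terminal on a private network can only be probed from inside that network. The `connect` parameter exists so the classification logic can be exercised offline.

```python
import socket
import ssl
from typing import Callable, Dict, List

# Protocol versions PCI DSS no longer accepts as a security control after June 30, 2018.
EARLY_VERSIONS = (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)
ALL_VERSIONS = EARLY_VERSIONS + (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)


def tls_handshake(host: str, port: int, version: ssl.TLSVersion, timeout: float = 5.0) -> str:
    """Complete a handshake pinned to exactly one protocol version. Returns the negotiated
    version string; raises ssl.SSLError (or a connection error) if the server refuses."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # probing protocol support, not certificate validity
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # let OpenSSL offer the legacy suites old servers need
    except ssl.SSLError:
        pass  # builds without security levels (e.g. LibreSSL)
    ctx.minimum_version = version  # may raise ValueError if the local library cannot speak it
    ctx.maximum_version = version
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


def probe(host: str, port: int = 443, connect: Callable = tls_handshake) -> Dict[ssl.TLSVersion, str]:
    """For each version report 'accepted', 'refused' or 'untestable' (the local OpenSSL
    would not offer that version, so nothing can be concluded about the server)."""
    results = {}
    for version in ALL_VERSIONS:
        try:
            connect(host, port, version)
            results[version] = "accepted"
        except ValueError:
            results[version] = "untestable"
        except (ssl.SSLError, ConnectionResetError) as exc:
            msg = str(exc).lower()
            if "no protocols available" in msg or "unsupported protocol" in msg:
                results[version] = "untestable"
            else:
                results[version] = "refused"
    return results


def pci_findings(results: Dict[ssl.TLSVersion, str]) -> List[str]:
    """Names of SSL/early TLS versions the endpoint still accepts; an empty list is what
    you want to see for anything other than an exempted POS POI connection."""
    return [v.name for v in EARLY_VERSIONS if results.get(v) == "accepted"]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # hypothetical default target
    report = probe(target)
    for version, status in report.items():
        print(f"{version.name:8s} {status}")
    print("still accepting early versions:", pci_findings(report) or "none")
```

An endpoint that reports TLSv1 or TLSv1_1 as “accepted” is exactly the kind of thing that fails an ASV scan after the deadline; fix the server configuration (disable everything below TLS 1.2) rather than arguing the finding.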

What Acquiring Banks Need To Know

If you're an acquiring bank that provides termination points for POS and POI terminal connections, you should follow the same advice listed above.

You should also be ready to help your merchants and retailers to ensure their systems are in compliance and secure against threats.

After all, if your merchants are found to be noncompliant, you could be liable for a fine as well.

If you require your merchants and retailers to provide you with ASV Scan Reports as part of their compliance reporting, be sure to familiarize yourself with how to handle false positives triggered by older technology protocols.

Contact 1st Secure IT

Did all that make your head spin?

If so, you're not the only one.

The world of PCI DSS compliance can be overwhelming even if you already specialize in IT.

But you don't have to go through it alone.

At 1st Secure IT, we're here for you.

We'll take you by the hand and walk you through every step you need to take in order to make sure you remain PCI DSS compliant.

Whether you're a merchant, an acquirer, or a service provider, we've got your back.

Call us at 866-735-3369 or email us at info@1stsecureit.com, and keep your business safe and secure in an uncertain digital world.


How Small Businesses Can Protect Themselves From Hackers

If you read much about the world of IT security, you likely mostly see articles reporting on data breaches from larger corporations.

And that makes sense – after all, more people are impacted by a data breach at a multinational with millions of clients than one at a local mom-and-pop shop.

But all this news may lull small business owners into a false sense of security, and that can be dangerous.

While most IT security companies perform penetration tests and other security audits mainly on large businesses, small businesses are just as vulnerable to hackers, data breaches, phishing scams, and the like.

If you’re a small business owner, though, there are some steps you can take to protect yourself from being vulnerable online.

Small Business IT Security Breach: How It Happens

When it comes to a big corporate office, security is usually pretty high.

Many buildings employ a full staff of security personnel and electronic surveillance systems with the goal of keeping their staff, data, and systems safe.

And yet, social engineering tricks can still sneak their way through.

By manipulating front desk and security staff, a clever social engineer can get someone to step away from their desk long enough to slip a piece of malware onto company systems via a USB key.

Big corporations also generally have IT security practices they teach their staff.

This includes things like how to recognize a phishing email, a proper password strategy, and protocols on what devices are allowed to connect to the company network.

And yet, phishing scams are still effective, and “password” and “123456” still sit at the top of every list of the most commonly used passwords.

So if larger corporations, with all their tight security and data management strategies, can’t manage to stave off these attacks, what hope does a small business have?

A storefront with a single staff member at the front desk can easily be manipulated.

A phishing email sent to a company address can easily slip past the spam filter.

Any attack that hits larger corporations can hit a small business too.

Small Business IT Security

When it comes to protecting your small business from IT security breaches, the steps are similar to big businesses.

The first step ought to be to review with your staff how to recognize a phishing scam or other social engineering hack.

Most of us imagine a hacker sitting at their desk in a ski mask, banging away on an old grey IBM keyboard as dozens of strings of numbers fly past their screen like in The Matrix, cracking passwords and finding vulnerabilities in software.

This sort of thing definitely happens (though maybe without the ski mask), but it’s not as common as you might think. Far more common is the phishing scam, the social engineering trick, or a weak security setup on the user’s end.

In short, it’s people, not software flaws, that cause most IT security breaches. That said, you should also do what you can to protect your network.

While it might be unrealistic to expect you to roll out a multi-million dollar IT security plan, there are measures you can take right now which are relatively inexpensive.

Aside from training your staff, make sure your wireless network uses WPA2 or WPA3 with a strong passphrase, that you have changed the router’s default administrator password, and that the router’s firmware is up to date.

If you run a business where customers frequently connect to your wireless network, like a coffee shop, it’s a wise idea to have a separate network for your customers.

Make sure you have a data backup plan as well. 1st Secure IT recommends the 3-2-1 backup rule. For more on that rule, see our previous article on the subject.

Contact 1st Secure IT

To a large corporation, a cyber security incident is a PR nightmare. But to a small business, such an attack can cause major issues, sometimes even bankrupting the business altogether.

If you’re a small business who’s concerned about taking your IT security more seriously, contact 1st Secure IT.

Our team of cyber security experts can consult with you, helping you discover the gaps in your security and how you can better protect yourself from the digital malcontents and bad actors of the world.

Don’t let your guard down. Contact 1st Secure IT today to keep yourself secure in an uncertain digital world.


How to Respond to a Data Breach

There are few things that frighten both companies and their clients as much as the phrase “data breach.”

Corporations face this threat now more than ever, and this can be seen in news stories seemingly every week.

The first line of defense when it comes to data breaches is to implement the proper security precautions to help you avoid a data breach in the first place. But if it’s too late for that, there are steps you can take when it comes to recovering from a data breach.

Here are five steps you can take to recover from a data breach.

1. Review And Implement Your Data Breach Response Plan

You do have a plan for dealing with data breaches, don’t you?

Every company that deals with digital information should have a data breach response plan. This plan should cover your defenses and your strategy for dealing with a breach when one happens.

It should include incident reporting policies and response procedures that include members from:

  • Management
  • General IT
  • IT security
  • Physical security
  • PR
  • Legal counsel

If you don’t already have a plan to respond to data breaches, reach out to an IT security company to help create one.

Speaking of legal counsel, that brings us to our next point.

2. Talk to your Lawyers

It’s typical in this situation to let outside counsel take the lead, as they can better ensure compliance with all applicable laws and keep the investigation under attorney-client privilege.

Act as quickly as possible to limit any fallout. The longer you wait, the more you put your clients, your company, and your data at risk.

It’s at this stage that you should be also speaking to your insurance providers to determine your liabilities.

3. Notify The Affected Parties As Soon As Possible

The longer you wait before notifying the parties who have been compromised or potentially compromised by the data breach, the more you’re potentially exposed to consequences.

When you don’t inform your clients of their risk, they remain completely open and vulnerable.

By informing your clients, not only are you limiting your PR liabilities and losses, you may also be avoiding fines for missing the strict notification deadlines that certain jurisdictions impose.

This is a critical step. How and when people are notified is the difference between a landmark example that is eventually taught in business school demonstrating how to handle these events, or just another mess that ends up getting people sued.

4. Implement Your Data Backup Recovery Plan

You have been backing up your data, right?

A data breach is a frightening event, but while your company deals with the PR and client fallout from this event, you also need to continue your regular operations.

The easiest way to recover from such an attack is to have a robust data backup plan in place. Here at 1st Secure IT, we recommend the 3-2-1 backup rule. Here’s how that works:

  • Have at least 3 copies of your data
  • Store it on at least 2 different types of media
  • Have at least 1 of them stored off-site

While no data backup plan is 100% perfect, the 3-2-1 backup rule offers a good combination of security, robustness, and simplicity.

Restoring your backups from your data backup recovery plan means you can resume company operations much more quickly.

5. Contact An IT Security Company

If you have been carefully reading this article and finding yourself saying, “I don’t have one of those,” or “We need to hire a firm like that,” then you should be looking into hiring an IT security firm.

If by some chance you or your company are incredibly well-prepared for data breaches, and are reading this article nodding along, enjoying the list-oriented affirmations that you have all your digital ducks in a row, then you likely already have a firm on contract for IT security.

If you fall into the first group, then you should strongly consider this last step of hiring an IT security firm like 1st Secure IT.

Here at 1st Secure IT, we’re prepared to take you by the hand and help ensure that every aspect of your company is prepared to prevent this type of incident from ever happening to you, or if it just has, to prevent it from happening again.

Don’t let your business end up as just another statistic. Contact 1st Secure IT today, and keep yourself secure in an uncertain digital world.


5 lessons to learn from Facebook’s Recent Scandal

Whoever said there’s no such thing as bad publicity had obviously never heard of Cambridge Analytica.

A tiny, virtually unknown company up until March 2018, Cambridge Analytica was a data mining firm that many credit with influencing the Brexit “leave” vote and the presidential campaigns of Ted Cruz and Donald Trump. It got its hands on the data of around 87 million Facebook users, which it used to build “psychographic” profiles of voters.

From an IT security perspective, nothing that happened was illegal. Nobody was hacked, no new protection against data breaches is needed, no one broke any laws, and, at the time of this writing, no charges have been filed against anyone.

But that isn’t to say the situation is without consequences.

Cambridge Analytica has since disbanded and the investigation is still ongoing. But in the end, it’s Facebook that is feeling the repercussions here.

What Can We Learn From This?

Facebook is, and remains, a secure platform in the narrow sense: nobody broke in. When you’re the third most popular website on the internet (Google and YouTube are #1 and #2, respectively), you need to make sure your door locks tightly.

But there’s more to it than that.

Technically, we all agreed to this in Facebook’s terms and conditions. And yes, I know that nobody ever reads the terms and conditions for every digital service they sign up for, but unfortunately that’s not an excuse.

Here are a few lessons you, as an owner of a business that collects user data, can learn from this.

1. Be Honest.

Facebook’s lack of transparency here is an important message for any business. If you’re going to collect data from your users (or clients, customers, etc), you need to be transparent about what you plan to do with it.

Was Facebook dishonest? That depends on how you look at it.

But in the court of public opinion, the verdict seems to be that dishonesty was the best policy at Facebook. This damaged their relationship with their users – the #deletefacebook movement has been gaining momentum, with 5% of Americans having deleted their Facebook account recently.

For any smaller company, this likely would have destroyed them, but Facebook had an ace up its sleeve – it’s addictive. We all know it, and we’re all hooked. That’s why, even though we really don’t trust Facebook anymore, we still use it.

Your company likely isn’t as addictive, and it likely isn’t where all your friends are gathered every day, so you don’t have that advantage. In 2018 and beyond, any company that collects personal information from its users will have to be very transparent with what they do with it, lest they risk alienating their user base.

 

2. Let Your Users Control Their Data.

Facebook is certainly not the only company to collect its users’ data, nor are they the first.

They won’t be the last, either; data collection is an essential part of most businesses, in just about every industry. It helps you gain new insights into what your clients want and how to help them.

But, to paraphrase Spider-Man’s famous Uncle Ben: with great data comes great responsibility.

You have a responsibility to your users about how you use their data, as we talked about in the last point. But you also need to give your users autonomy over their data.

If you collect data, it needs to be with the knowledge of your users. And if you’re considering selling your users’ data, use the following three tips.

1. Don’t

2. Seriously, don’t. Nobody wants to find out their private information was sold

3. If you really have to, make sure your users are explicitly aware of the possibility.

3. Take Users’ Privacy Seriously.

It shouldn’t be difficult to keep your private information private.

Facebook was not at all transparent about how one could do this with their service.

Even worse, they offered the veneer of privacy. You could access your “privacy settings” which controlled which users could and couldn’t see your information on Facebook, but it did nothing to stop Facebook itself from collecting bucketloads of data from everything you did.

The fact is that Facebook makes its money from harvesting your data and selling it to advertisers, so on one hand it’s understandable that they would want to be somewhat covert with their privacy settings. But it’s this secrecy that led Facebook to its current PR nightmare in the first place.

When you collect user data, keep it secure, and take that security seriously. You should be entirely transparent with how you keep your users’ data secure.

Contact 1st Secure IT

Worried that what happened with Facebook could happen to your company as well?

Want to avoid the next #deletefacebook campaign to be about your organization?

Call 1st Secure IT.

Our team of cyber security experts will help you understand the risks inherent in your current data collection methods, and from there we’ll empower you with the knowledge you need to take your users’ data seriously and avoid a scandal, data breach or other IT security disaster.

Don’t get caught with your pants down. Call 1st Secure IT today, and keep yourself safe in an uncertain digital world.


The Consequences Of Being PCI DSS Noncompliant


The PCI DSS is mandatory for any business that processes credit card transactions. This is important stuff – not only are you taking a huge risk of a catastrophic data breach, there are stiff penalties for those who are found to be noncompliant.

But by whose authority is it mandatory? And where do the penalties come from?

This is a bit of a confusing subject for some people, and I hope this article clears things up.

Is PCI DSS The Law?

Strangely enough, unless you live in Nevada, PCI DSS is not actually a law. Many states have laws that reference the PCI DSS, but only Nevada has written compliance with it directly into state law (Nevada Senate Bill 227), and there are no federal statutes that mandate PCI compliance.

This seems strange though, doesn’t it? If, in general, the PCI DSS is not a law, then how is it mandatory?

The simple answer is that it’s a self-governing system: the card brands set up the PCI SSC to maintain the standard, and compliance with it is their primary criterion for allowing your business to process their cards. No one is forcing you to comply with the PCI DSS, but if you refuse to play by their rules, they won’t trust you with their cardholder data.

On top of this, when you agree to process credit card data, you’re agreeing to the terms of the PCI DSS. And if you’re found to be PCI DSS noncompliant, you may be found in breach of contract.

It ought to go without saying, though, that I’m an IT security specialist and not a lawyer, and the above shouldn’t be taken as legal advice.

Repercussions For PCI DSS Noncompliance From Your Payment Processor

So, now we know that the PCI DSS is not the law, but you can still be fined as though it were a law. But what are the penalties?

First of all, if you’re found to be noncompliant, the card brands fine your acquiring bank or payment processor for doing business with a noncompliant merchant. These companies will almost certainly pass that fine on to you, since it was your negligence that triggered it.

But there’s more than just financial penalties. Your payment processor and the credit card company may elect to end their relationship with you, which can be disastrous for a business that relies heavily on credit card transactions for its income. Your bank may also cut ties with you. Yikes.

Even if they do decide to keep you around, they may decide to raise your transaction fees, forcing you to either lose money on every transaction or raise your prices. This is bad news for anyone, but even moreso if you’re the type of business who relies on competitive pricing.

How Much Are The Fines?

The amount you’re fined for noncompliance varies depending on the card brand you work with. Each card brand has its own penalty schedule, and while the exact amount depends on many variables, it helps to have a general idea of what you’re looking at. For more detailed information, consult the agreement you have with your payment processor and the various card brand security programs:

Visa US – Cardholder Information Security Program ( CISP )

MasterCard – Site Data Protection ( SDP )

Amex – Data Security Operating Policy ( DSOP )

Discover – Information Security & Compliance ( DISC )

JCB – Data Security Program ( DSP ).

 

Penalties are assessed monthly. Generally, the longer you remain noncompliant, the heftier they become, which is extra incentive to get compliant as soon as possible.

Depending on how long it’s been since you’ve been noncompliant and how large your business is, the fees can range anywhere from $5000 to $100,000 a month. These fees aren’t widely discussed or publicized, but either way these aren’t small numbers, especially for a small business. On the heavy end, this could easily lead to more than $1 million in fines in less than a year.

The card brands are serious about data security, and they want you to know it.


Penalties If You Are Compliant

Believe it or not, you can be found 100% in compliance with the PCI DSS and still receive a fine. This is what happens when you experience a data breach, and it’s part of the risk every company has to take if they’re going to be trusted with credit card data.

The unfortunate truth is that you can be in compliance with the PCI DSS and still experience a data breach from an ingenious hacker. This is an incentive for businesses to not only meet the minimum requirements, but go beyond to implement the best known cybersecurity practices.

If you do experience a data breach that results in a loss of credit card data, you could face a fine of $50 to $90 per card lost. On top of this, you may lose your relationship with your payment processors and banks, even though you were compliant.

Of course, a data breach can result in external consequences too – bad publicity, damage to your reputation, costs associated with customer credit monitoring, and lawsuits from affected customers, for example.  This is precisely why companies should consider a data breach protection policy.

How To Avoid PCI DSS Noncompliance

The truth is that it’s difficult for small and medium businesses to recover from PCI DSS noncompliance fees. Even if you don’t lose your relationships with your payment processors, your bank, and the credit card companies, the fines will certainly sting.

If you don’t know if you’re PCI DSS compliant, the truth is you’re probably not. Which makes it even more important that you contact 1st Secure IT today.

1st Secure IT is a registered QSA, which means we’re qualified to perform PCI DSS compliance audits on your business.

We can also monitor your business to ensure it remains PCI DSS compliant, since new software, updates, and glitches can pull you out of compliance without your noticing.

Don’t get caught with PCI DSS noncompliance – there’s too much on the line.

Contact 1st Secure IT today.


IT Security Isn’t Just About IT


Imagine if someone hacked your toaster.

Or your car.

Or your vacuum cleaner.

Seem absurd? Maybe, but with the prevalence of new technology like the internet of things, artificial intelligence, and robotics, cyberattacks have become more common in more areas of life.

Once upon a time, it was banks, big tech companies, and other multinational conglomerates who were vulnerable to cyberattacks. But these days, as more and more of our life goes electronic, we’re faced with more IT security risks than ever.

A Changing World

In 2017, WannaCry and NotPetya were some of the biggest threats to cyber security out there, and the KRACK attacks on WPA2 were disclosed late that year. In 2018 so far, it’s been Meltdown and Spectre, as well as the perennial phishing scams you’ll see in your email’s spam box.

As the risks become more and more problematic, it’s becoming clearer that the current approaches aren’t working as well as they should be.

What’s the problem here?

Part of it is the lack of preparedness many companies have to modern security risks.

This includes small and medium size businesses as well as enterprise-level corporations like Deloitte, the poster child for cyber security failure in 2017.

Many companies haven’t bothered consulting with a team of cyber security experts, leaving their heads in the sand like the proverbial ostrich.

But what’s even more frustrating is the fact that some companies who have paid for a comprehensive cyber security plan haven’t implemented them.

As a business owner, it’s easy to look only at the bottom line and wonder whether or not these extra security measures are worth it. And in an ideal world, we wouldn’t even need to worry about them. But sadly, we don’t live in an ideal world.

Some IT security changes can be frustrating to implement. This includes things like multi-factor authentication, email encryption, and replacing outdated software that is no longer supported.

On top of this, employees who have enjoyed the ability to work remotely may be upset by the sudden requirement that they only be able to access the company intranet on-site.

This may make some executives reluctant to implement them, and instead hope for the best.

And while it is possible to run a successful business without these things and without ever suffering a cyberattack, the same could be said about the lock on your front door.

Sure, a lock doesn’t guarantee your house will never be robbed, nor does the lack of a lock guarantee that your house will be robbed.

But you’d be hard pressed to find someone who seriously argues that it’s a good idea to leave your house unlocked, and you’d be hard pressed to find a good IT security consultant who won’t suggest you encrypt your emails.


So What’s The Point?

What can you do about it?

Part of the solution lies in how you look at your IT security.

Some executives leave their IT security to their IT department, assuming they’ll just take care of it. This may make sense on the surface, but the reality is that IT security isn’t just an IT issue.

It’s a risk management issue.

With more than a hundred billion lines of code being written each year by everyone from Microsoft employees to cryptocurrency coders to ne’er-do-wells online, you can be sure that at least a few million of those are malicious.

By treating IT security as a risk management issue, you’re recognizing the reality that cyber threats can pose your business. It forces you to look at the issue differently – rather than just shrugging it off, you recognize it as a legitimate cost of running a safe, secure, reliable business.

This means evaluating multiple levels of cyber threats, from data breaches to gaps in your security to a lack of knowledge and training from your staff members. Unnecessary complexity can also cause issues and redundancies that can create unintended security gaps.

So choosing the right software suite, implementing the appropriate security measures, and consulting with the right people isn’t just about IT. It’s about taking the measures you need to make sure your business continues to run.

Contact 1st Secure IT

No one has 100% protection against any and all cyberattacks. But by implementing an appropriate IT security system, you can go a long way to staying as safe as possible online.

If you’re not sure about how you can protect your business online, contact 1st Secure IT today.

Our team of experienced and qualified IT security specialists will consult with you, illuminate the potential security risks in your organization, and help you implement the best practices you need to stay safe in the face of an uncertain digital landscape.

Don’t face the dangers of the internet alone. Contact 1st Secure IT and keep your business running smoothly, today.


How To Get Your Employees To Improve Your IT Security

Recently, we’ve been posting about the human factor in the world of IT security. The sad reality is that you can hire a team of ethical hackers to do as much penetration testing and security analysis as you want – all that will be for nothing if one of your staff members lets a hacker in themselves.

No matter what your business is, no matter what type of operation you run, your staff will always be your greatest liability when it comes to IT security. And they aren’t doing it on purpose either. With extremely rare exception, none of your staff members actively want to cause risk to your security.

No, they’re doing it out of simple ignorance.

Fortunately, there are things you can do to help mitigate those risks and get your staff on your team when it comes to shoring up defenses against hackers or other bad characters out there.

Here are some of 1st Secure IT’s top tips on how to train your staff to be more IT security savvy.

1. Train them. Over and over.

Some organizations just have their IT department worry about IT security, and nobody else.

These are the same organizations who end up getting hacked.

But it’s not enough just to have your IT head tell your staff about password safety and then forget about it. You need to be training your staff on an ongoing basis.

After all, repetition is the key to learning anything. Think back to your time in school – did you remember everything your teacher told you in lecture, or did you have to study before a test to make sure you remembered it?

Not only do you need to train on an ongoing basis, you also need to make sure your training is relevant to the position your staff holds. This means providing a higher level of training to those staff members who have higher levels of permissions on their account.

It also helps to implement some simple rules for your staff, like not accessing company servers anywhere other than at the office or approved locations. And of course, training everyone on how to recognize a phishing scam or a malware attack is a must.

2. Don’t just teach them. Test them.

If you want to learn how someone will handle an emergency situation, the only real way to know is by putting them in an emergency situation.

Medical students can’t go from reading books to performing open-heart surgery. They need to be eased into it and put into some “live fire” exercises where enough is at stake for them to care.

The same goes for your company’s IT security.

Contracting a third party to simulate some sort of data breach or cyberattack can help you better understand what would happen in case you’re faced with a real crisis. How will they react? Will they play right into the phishing email you just sent them? Will they innocently grant access to your company’s intranet? Or will the training you gave them be enough to protect your data and your IT infrastructure from attackers?

There’s only one way to find out.

This will not only help you understand how prepared you are for a cyberattack, it will also help your employees understand what’s potentially at stake and how an attack might look.



3. Plan, plan, plan.

Now that you’ve trained your employees and you’ve tested them, you may feel like it’s smooth sailing ahead.

And it might be, for a little while.

But hackers are crafty people. They’re always looking for new ways to crack into a company’s data, since the reward for them can be well worth the risk.

Ongoing communication is crucial here. If you can’t find a way to communicate your security needs to your staff, you can’t expect them to understand them. Whether this means getting your IT department to hold regular workshops on IT security or hiring a third-party firm to come in and train your people, communication is extremely important here.

You might want to consider some sort of incentive for your staff to report potential security risks as well – a phishing attack caught early can be significantly less damaging than one left for several days.

Contact 1st Secure IT

If you’re worried about whether your company is properly prepared for a cyber attack, that’s a good thing. Recognizing a threat is better than sitting confident when there’s an underlying problem that needs to be addressed.

But whatever your IT security needs, 1st Secure IT can help.

We can help you prepare your staff for any cyberattacks that may occur. And we can test your current IT infrastructure to help you understand the gaps in your armour which an attacker may be able to exploit.

Whatever your business, don’t leave it up to chance. Contact 1st Secure IT today and keep your business safe and secure in the uncertain digital world.


The Business Email Compromise Scam: What Is It And How To Protect Yourself From It


In our last article, we talked about the human factor in IT security, and how simple human error is responsible for the vast majority of IT security breaches.

A specific type of human error IT security breach is known as the business email compromise scam. This social engineering practice is responsible for a number of IT security breaches.

A 2016 statement from the FBI reported that from October 2013 to May 2016, business email compromise (BEC) scams cost businesses more than a billion dollars.

Is your company vulnerable to this type of security breach? Keep reading to find out.

What Is A Business Email Compromise Scam?

In a business email compromise scam, an attacker uses social engineering to impersonate, or take control of, a trusted email account and trick staff into handing over credentials, data, or money. How does it work?

I’m going to walk you through the entire process of what a business email compromise scam can look like. To illustrate the point, we’ll talk about a fictional company, Grasshopper Industries.

One common method BEC scammers use is to register a domain that differs from the company’s by a single character, stand up a convincing copy of its login page, and wire the form up to record whatever is typed into it.

I find out that the URL to log in to their company intranet is login.grasshopper.com. So I register the domain grashopper.com (notice the missing s?), set up login.grashopper.com as a duplicate of the intranet login page, and program it to save any credentials entered into the fields.

There’s my tool, all set up. Now all I need to do is get the employees of Grasshopper Industries to show up at my new scam website and try to log in using it.

There’s a simple way to do that too.

First of all, I need to find out the name of Grasshopper Industries’ IT manager. So I browse LinkedIn, and find out her name is Michelle Devereaux.

Then, I head over to a payphone (so they can’t trace the call back to me), and I call the reception desk and say:

“Hello, I’ve got some information I need to send to Michelle in IT. What’s her email address again?”

Simple. Now I know her email is mdever@grasshopper.com.

This tells me what the IT manager’s email address is, but more importantly, it tells me what the format for email addresses is – the first initial, and the first five letters of the last name.

So I’ll set up my own email address on the domain I just bought – mdever@grashopper.com.

If you think that looks like the same email address as Michelle’s email, that’s the point.

Next, it’s just a matter of finding a company directory. Again, LinkedIn can help here. So can Facebook, Twitter, and even a general Google search. There are a number of other tools out there you can use to find the employees of a company.

So let's say we have a list of 1500 employees of Grasshopper Industries (it's a big company, after all). Using the address format we worked out, we'll generate an email address for each of them. Some of them may not work, and that's okay: it doesn't cost anything to send an email.

Now we’ll send out an email from our bogus email account claiming to be the real Michelle Devereaux. It may say something like this:

Dear Will,

We've recently had a security breach, and your information may have been compromised.

I talked with Frank, and he agreed that everyone will need to change their passwords.

To do so, please go to this link: login.grashopper.com. From there, input your username and your old password, and the screen will prompt you to change your old password to a new one.

If you have any trouble, please let me know.

Cheers,

Michelle

Now, of the 1500 emails we send out, do you think at least one of those people will fall for our little spoof?

This is just one possible angle a BEC scammer can take.
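The walkthrough above hinges on one detail a mail filter can check mechanically: the sender's domain and the link in the body are one letter away from the company's real domain. The following is an added example (not code from the article or from 1st Secure IT) of that check, written from the defender's side: it parses a raw message, extracts the From address and any hostnames in the body, and flags any whose registrable domain is within a small edit distance of a trusted domain without being that domain. The trusted-domain list, the edit-distance threshold of 2, and the two sample messages are constructed assumptions based on the article's fictional Grasshopper Industries.

```python
"""Flag inbound mail whose sender domain or embedded hostnames are
lookalikes of the organisation's own domain.

Constructed example for the BEC scenario above; not the article's code.
"""
import re

# Assumption: the organisation's legitimate registrable domains.
TRUSTED_DOMAINS = {"grasshopper.com"}
# Assumption: one dropped, added or swapped letter (plus a little margin).
MAX_EDIT_DISTANCE = 2

# Hostnames such as login.grashopper.com anywhere in free text.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Collapse 'login.grashopper.com' to 'grashopper.com'.

    Naive last-two-labels rule; a real filter would use the public
    suffix list so that e.g. 'example.co.uk' is handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_lookalike(host: str) -> bool:
    """True if host's registrable domain is near, but not equal to, a trusted one."""
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return False
    return any(edit_distance(domain, t) <= MAX_EDIT_DISTANCE for t in TRUSTED_DOMAINS)


def sender_address(headers: str) -> str:
    """Return the address from the From: header, with or without a display name."""
    m = re.search(r"^From:\s*(.*)$", headers, re.M | re.I)
    if not m:
        return ""
    raw = m.group(1).strip()
    angle = re.search(r"<([^>]+)>", raw)
    return (angle.group(1) if angle else raw).lower()


def analyse(message: str) -> dict:
    """Split a raw RFC 822-style message and report lookalike domains."""
    headers, _, body = message.partition("\n\n")
    sender = sender_address(headers)
    sender_domain = sender.rpartition("@")[2]
    findings = []
    if sender_domain and is_lookalike(sender_domain):
        findings.append(f"sender domain {sender_domain!r} resembles a trusted domain")
    for host in sorted(set(HOST_RE.findall(body))):
        if is_lookalike(host):
            findings.append(f"body hostname {host!r} resembles a trusted domain")
    return {"sender": sender, "findings": findings, "suspicious": bool(findings)}


# Constructed sample messages modelled on the article's scenario.
PHISH = """From: Michelle Devereaux <mdever@grashopper.com>
To: will@grasshopper.com
Subject: Password reset required

We've recently had a security breach. Please go to login.grashopper.com
and change your password.
"""

LEGIT = """From: Michelle Devereaux <mdever@grasshopper.com>
To: will@grasshopper.com
Subject: Intranet maintenance window

The intranet at login.grasshopper.com will be offline on Saturday.
"""

if __name__ == "__main__":
    for label, msg in (("phish", PHISH), ("legit", LEGIT)):
        print(label, analyse(msg))
```

The heuristic is deliberately narrow: it catches the dropped-letter trick the article describes and close variants of it, but it knows nothing about display-name spoofing or homoglyphs, and it cannot tell whether mail from the real domain was actually sent by the real server. It complements, rather than replaces, SPF/DKIM/DMARC enforcement and a registered-lookalike watchlist.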


So Now What?

Eventually, Michelle in IT will catch on. She'll alert her superiors, who will then begin taking measures to mitigate the damage.

But by then, the damage may already have been done.

If the scammer got their hands on the login and password for someone in accounting, they may have access to Grasshopper Industries’ tax information, and even their banking information.

Even worse, if they managed to get hold of an account with sufficient privileges, they could deploy ransomware on the company's servers in order to extort money from it.

They could also browse everyone’s private emails until they found someone with an account on Ashley Madison, and blackmail them for money.

And if they were secretly sent by Grasshopper Industries' main competitor, Cricket Cooperative, they could find out about Grasshopper's plans for the future and tailor their own plans accordingly.

Messy stuff.

Why BEC Scams?

At the end of the day, attackers use BEC scams because they work, and because they can often pull them off without using malware or breaking through complex layers of security.

They're also cheap, and the barrier to entry is low. All you need is a basic understanding of how to build a website and some outside-the-box problem solving.

It is also particularly difficult to trace where an attack came from. There are enough anonymous domain registrars out there that an attacker can hide their identity fairly effectively.

And finally, they can slip through a lot of your built-up security layers. After all, it’s just a simple email, with no attachments or anything fishy that would raise red flags.

Are You At Risk For BEC Scams?

While any company is at risk, those that wire money internationally are often considered high-value targets.

This is because an attacker can divert a wire transfer from its intended destination into a scam account, and because the transfer is international, it may be harder to track where the money ended up.

If you’re concerned about what to do about BEC scams, you’re not alone.

But you don’t need to face this risk alone, either.

1st Secure IT can help.

Contact 1st Secure IT today to book a consultation with one of our experienced IT security professionals. We’ll help you assess your risks and implement strategies to help you stay safe from BEC scams and other potential risks.

Contact 1st Secure IT today and keep your business safe in an uncertain world.
