Protecting your staff from getting “Hooked”

Small businesses face an ever-present threat: phishing attacks. These deceptive cyber schemes can wreak havoc, leading to data breaches, financial losses, and severe reputation damage. To safeguard your small business and ensure your team stays clear of phishing traps, it’s essential to implement robust security strategies and educate your staff about the dangers of these scams.

Unveiling the Phishing Menace

Phishing attacks involve cybercriminals sending convincing emails or messages that appear to be from trusted sources, often mimicking renowned companies, government entities, or colleagues. The sinister objective? To manipulate recipients into disclosing sensitive information, such as login credentials, credit card details, or personal data, or to dupe them into downloading malicious software.

Safeguarding Your Small Business

Employee Training: Your workforce is the first line of defense against phishing threats. Empower them with the knowledge to spot common phishing indicators, like unexpected emails requesting confidential data, misspelled website URLs, or generic greetings. Encourage a cautious approach and emphasize the importance of verifying unusual requests.

Implement Top-notch Security Software: Get strong antivirus and anti-malware software to protect your computers. Keep this software up to date to make sure it works properly.

Harness Email Filtering: Set up email filters to catch phishing emails before they reach your team. Filters can find and flag suspicious messages, making it harder for phishing attacks to succeed.

Activate Two-Factor Authentication (2FA): Activate Two-Factor Authentication (2FA) for important accounts. This means you’ll need to confirm your identity using a second method, like a text message or an authentication app. It adds a layer of protection.

Regular Updates: Make sure all your software, operating systems, and apps are always up-to-date. Cybercriminals often use weaknesses in outdated software to attack.

Create an Incident Response Plan: Create a plan for what to do if you suspect a phishing attack. The plan should include steps to stop the attack, tell the right people, and investigate what happened.

Embrace Encryption: Use encryption to keep your important information safe. Encrypting emails and files makes it very hard for cybercriminals to steal your data.

Check Your Vendors: If you rely on other companies for services or software, make sure they have strong security measures. A breach at one of your vendors could hurt your business too.

Stay Informed: Stay updated on the latest phishing tricks and trends. Cyber threats change, so it’s important to keep learning to stay safe.

Regular Testing: Regularly test your team with fake phishing emails to see if they can spot them. It helps find areas where more training is needed.

Conclusion

By prioritizing employee education, implementing robust security measures, and staying vigilant, your small business can protect its valuable data and reputation from cybercriminals aiming to get your staff “hooked” in their phishing schemes. Contact HCH Sales to access our support and expertise.

SecurityBeat: Software Security Needs Validating

By Donald Borsay, Director of Security Solutions, HCH Enterprises

Software Security: A Critical Concern for Businesses in 2023

In March, HCH strongly recommended that clients prioritize addressing the Top 8 Cybersecurity Challenges of 2023. Among these, Software Security emerged as a critical concern, particularly for businesses undergoing Digital Transformation.

The complexity of Software Security is intensified when dealing with Outdated Security Technologies and inadequate responses to Zero Day Events. A valuable approach to bolster Software Security confidence is through Web Application Penetration Testing (WAPT).

Our trusted partner, Cobalt, a ‘platform-as-a-service’ WAPT provider, has recently unveiled The State of Pentesting 2023. In response, HCH is issuing this advisory to provide actionable insights into Software Security, leveraging the insights from this newly released report.

Resource Allocation is a Key Concern

A significant overarching concern is resource allocation. Clients with established Software Security processes are striving to achieve more with limited resources. This often involves outsourcing, deferring remediation efforts, and compromising validation processes. Conversely, clients without existing Software Security measures face challenges in securing adequate resources for software development, let alone validation.

HCH acknowledges this dilemma and has chosen to collaborate with Cobalt due to their innovative delivery model, which optimizes Return on Investment (ROI) and cost savings for clients.

Instill a Software Security Mindset

Instilling a Software Security mindset within your organization can be transformational. Unlike functional requirements, Security is largely non-functional. While system design, infrastructure configuration, and software coding address functional needs, they might not inherently ensure security. At the very least, development teams should familiarize themselves with the OWASP Top Ten vulnerabilities. Cobalt’s assessments have revealed critical vulnerabilities like SQL Injection, Remote Code Execution, and the use of Default Credentials. To effectively address these threats, HCH suggests implementing a comprehensive checklist within your software release process.

Get the Most Out of Your Penetration Testing

To derive maximum value from your investment in penetration testing, it’s essential to empower your penetration tester. Collaborate with HCH to enhance your preparedness, or alternatively, utilize the Pentest Preparation Checklist outlined in the Cobalt report. Avoid potential hindrances during testing, such as:

  • Testers lacking necessary credentials or access prior to the test initiation.
  • Misalignment of the testing scope.
  • Insufficient ongoing collaboration throughout the testing process.
  • Inadequate brief or asset information.

Remediate and Retest Critical Findings

While Cobalt offers free retesting for resolved findings, less than 25% of identified issues undergo retesting. Although this might be reasonable for lower-severity findings, it’s concerning that 61% of critical vulnerabilities remain untested again, likely due to unresolved issues or a decision to forgo validating crucial fixes. HCH firmly advocates for the remediation and retesting of critical findings. Moderate findings should not be accepted without formal documentation of compensatory controls.

Conclusion

Trust in your Software Security demands verification. Make security a cornerstone of your software release strategy. Prioritize thorough testing of your software application and adequately prepare for the testing process to maximize its value. Lastly, prioritize the rectification and retesting of significant findings. HCH is dedicated to assisting you throughout this journey. Contact HCH Sales to access our support and expertise.

Grant Opportunity: Connect Your Community

By Chelsea Levesque, Director, Marketing and Communications, HCH Enterprises

In a groundbreaking move, the Broadband Equity, Access, and Deployment (BEAD) program has allocated a staggering $42.45 billion in grants to states, the District of Columbia, and territories. This monumental investment, a key component of the “Investing in America” agenda put forth by the Biden-Harris Administration, aims to provide affordable and reliable high-speed internet access to every American. By bridging the digital divide, this initiative, aptly named “Internet for All,” will reshape our digital landscape, unlocking new opportunities and enhancing competitiveness on a nationwide scale.

Today, high-speed internet is no longer a luxury but a necessity, indispensable for work, education, and healthcare. The “Internet for All” program will enable communities to connect, fostering economic growth and empowering individuals across the country.

Through the allocation of funds, states, the District of Columbia, and territories can establish grant programs specifically designed to deploy or upgrade broadband networks. This critical step ensures that affordable and dependable internet service becomes accessible to everyone.

For comprehensive information on funding allocations tailored to each state, as well as further details on the Biden Administration’s high-speed internet portfolio, we invite you to visit InternetForAll.gov. Stay tuned for the formal allocation notice, which Eligible Entities will receive on June 30, 2023.

At HCH, we are proud to be a part of this transformative initiative. Our organization champions equity and facilitates the grant process for communities. From acquisition to disbursement, we are dedicated to unlocking the full potential of our nation through the power of high-speed internet.

Join us on this journey as we pave the way towards a more connected and inclusive America. Together, we can harness the transformative power of high-speed internet, bringing us closer to a future where opportunities know no bounds.

#InternetForAll #NTIA #InvestingInAmerica #BroadbandEquity #PublicSectorConsulting #ConstituentsFirst #GrantHelp

SecureWorld Boston — Closing Thoughts

By Donald Borsay, Director of Security Solutions, HCH Enterprises

After a prolonged absence due to COVID-19 lockdowns and contract assignments, I was finally able to return to Boston’s Hynes Convention Center for SecureWorld Boston in late March. It was a great opportunity to reconnect with my New England peers, catch up on the latest products and best practices, and even share my thoughts on the next steps of threat intelligence.

I was reassured to see many of my long-lost friends on the speaker list and on the Advisory Council. One of my colleagues pointed out that I had spent two straight hours on the exhibit floor without moving, — as one longtime colleague departed another came. Each of us is busy working hard to tackle cyber risk.

I spent a significant amount of time on the exhibit floor or in special roundtable discussions within the Advisory Council. I learned a lot about the impact of artificial intelligence on cybersecurity and about the recent SEC rulings that may give the Board greater access to the chief information security officer (CISO). I also discovered new products and vendors that are ready to help in the battle for network security.

I had the privilege of leading a threat intelligence panel discussion on “The State of InfoSec Today.” The main takeaway: that with a clear vision, fewer false positives, and continued effort, we can eliminate threats. I offer special thanks to Katherine Chipdey and Jason Albuquerque for the answers and a packed, lively crowd that built upon the seed questions I offered. It takes a village!

When refining your InfoSec program, it’s important to consider how threat intelligence reveals your critical assets’ exposure. Also, be sure that asset vulnerability and remediation are equally prioritized within threat intelligence. If what you have lacks this clarity, seek the capability to add intelligence.

In the threat intelligence arena, it is important to derive both high-level strategic and operational information, as well as low-level technical and tactical information. The devil is in the evolving technical details, so it’s essential to integrate and transform other domains instead of creating threat management silos.

SecurityBeat: Culture Driven Cybersecurity

By Donald Borsay, Director of Security Solutions, HCH Enterprises

At HCH Enterprises, there is no one-size-fits-all approach to cybersecurity. While we all recognize the customs, arts, social institutions, and achievements framed within the culture of a particular country, we likely lack a perspective on cybersecurity. As digital transformation takes over every aspect of our lives, the core enabler remains people. HCH knows how to bring cybersecurity into the culture of your business.

According to ISACA’s The Business Model for Information Security, culture is the first factor that makes cybersecurity part of everything we do. Culture improves through a steady emergence of process.  Management recognizes the culture gap and supports incremental advancement.  According to the Security Cultures Report from Tessian, the proper security culture directly impacts employee behavior. 

The people also use technology directly and must have the skills to support their access and instincts to know when something is wrong.  These human factors of technology must be part of the plan. As a result, our People embrace the use of technology and operate it securely by applying their newfound awareness and skills and by following policy and procedure where appropriate.

Sounds good, right?  Unfortunately, 45% of users don’t know who to report a security incident to and only 30% of employees believe they play a personal role in cybersecurity. We have so much work ahead of us!

Delivering on the promise of cybersecurity can be a daunting task for high-risk startups, small businesses, and local government when faced with the typical one-size-fits-all toolbox persisted by other providers. HCH’s approach is purposefully tailored to fit your culture.  We will partner in your journey to a more mature cybersecurity posture.