The Havoc Shield Blog

Totally Avoidable Work-From-Home Security #Fails

For years, work from home security took a backseat to office security.  Then suddenly, everything changed.  Work from home security became just as important (and sometimes more important) than office security.  As companies grapple with how to make the dream of work from home security a reality, there are a handful of totally avoidable work from home security failures that have come to the forefront.  Here are some of the biggest ones.

The 3 Most Misunderstood Cybersecurity Terms

We’ve got a problem with the cybersecurity terms that we see in industry articles and whitepapers.  The language of cybersecurity has become so nuanced and intricate that it’s enough to frighten away everyone other than industry insiders.  And that’s exactly the opposite of what we all need. A more inclusive discussion around cybersecurity — one that draws in curious non-experts — helps spread an understanding of cybersecurity that improves all of our safety.  Here are the worst three terms that deserve a place on the “wall of shame” in the cybersecurity dictionary.

Budget Denied: Information Systems Security Officer Role

We spend most of our time talking with small businesses that do not have an Information Systems Security Officer. In fact, most small businesses we work with have never contemplated getting one. ZipRecruiter describes the Information Systems Security Officer role as one with an average annual salary of approximately $108,686 per year and the following responsibilities: “An information systems security officer (ISSO) protects the IT infrastructure of companies, organizations, or agencies. Your duties include taking proactive security measures, assessing risks, and responding to security breaches.”

So why aren’t small business owners on the hunt for talented cybersecurity professionals to fill a role with this title and description?

How can I limit G Suite Calendar Sharing to Free/Busy?

G Suite calendar sharing can lead to the leakage of confidential information.  As a G Suite administrator, you can help your employees avoid accidentally disclosing sensitive information by putting some reasonable guardrails on what sharing settings they are (and aren’t) allowed to use to share their calendar.

5 Small Biz Cybersecurity Survival Tips for Cyber Monday

This year, for many small businesses, a strong Cyber Monday is crucial for survival. With the wild gyrations in purchasing patterns and demand for particular products or services this year, a great many small businesses have a lot of ground to make up on Cyber Monday 2020, through online sales, and it CAN’T go wrong. With that in mind, this post is for those of you who have an especially “high stakes” Cyber Monday ahead. Amongst all of the pressures related to your email and web promotional materials, your online ads, and your communications with existing customers and prospects, we know it’s easy to forget about cybersecurity. The problem is that if cybersecurity goes wrong on Cyber Monday, there is no way to turn back the clock and regain the opportunity to “win big” on that incredibly high-traffic online shopping day. With that in mind, here are the five things that you absolutely need to do to get ready for a strong (and SAFE) Cyber Monday:

9 Foolish Ways to Erode Your Password Manager Security

If you roll out a password manager in your business, there are many benefits that should improve the security of your organization. Password managers make it easy to generate strong, unique passwords. They make it easy to revoke access to the passwords for key company resources when an employee leaves the company. And they remove the frustration of inventing mental memorization schemes or notepad / post-it style approaches to recording and recalling passwords.

Still, to get the full benefit of a companywide password manager rollout, there are some common mistakes that are important to avoid.  The mistakes that we’ll describe here are ones that significantly erode password manager security.  So, without further ado, here are nine mistakes to avoid in your organization’s password manager practices.

How BYOD Policies Catch You Up to Reality

Does your company have BYOD policies?  For those unfamiliar with the term, BYOD is “Bring Your Own Device” — and BYOD policies relate to what the company does (and doesn’t) allow in terms of handling company business from your own devices.  When the term BYOD first entered the vernacular of IT and compliance teams, it often referred to employees using their own smartphone or tablet.  However, more recently it’s adopted a meaning that includes any personal device — including laptops, tablets, smartphones, and anything else.

Email Security Best Practices for Employees

We learn as kids not to talk to strangers, but as adults, we sometimes forget this lesson when we engage with emails. That’s why it is so crucial to put email security best practices in place in order to protect your data, customers and company as a whole.

The Hidden Link between UNC Path Injection and Phishing

UNC Path Injection is an attack that we consider to have originated in the 1990s. Its exact origins are difficult to trace, but the mid-1990s were a period of tremendous growth in adoption of the Windows NT operating system, and anecdotally that seems to be the operating system on which some of the early UNC Path Injection attacks occurred.

Phishing Training: A Holistic Approach

Phishing training requires a holistic approach that is often overlooked by companies racing to “check the box” in terms of offering training on this increasingly important topic.  A big mistake would be to treat phishing training the way that companies treat many other kinds of training.  We’ve heard of far too many company training events that involve a manager speaking for 30 minutes, with slides in the background, followed by everyone going back to what they were doing.

If that approach sounds a bit like what your company does for phishing training, please read on.

Business Email Compromise 💗s Urgency

Business Email Compromise is an interesting waiting game.  At first, it might involve a high degree of patience on the part of the cyber attacker, but then, an incredible amount of urgency.  That pattern is central to some of the most effective Business Email Compromise attacks we’ve seen.  We’ll explain.

HIPAA & Media Sanitization: Clear, Purge, and Destroy

If you are subject to HIPAA (either as a Covered Entity or as a Business Associate), you may have heard that you have Media Sanitization obligations.  Anytime you take a storage device (like a laptop with a hard drive) and dispose of it, sell it, or otherwise transfer it, you need to pause briefly to make sure you follow your media sanitization obligations.  We find much of the material on this to be written in a way that is extremely hard for anyone but an IT / HIPAA specialist to understand, so we’re writing this article in plain language to cover some of the key points.

Protected Health Information: A Cybersecurity Perspective

If your organization has HIPAA obligations — either as a Covered Entity or a Business Associate — you’ve probably heard the term Protected Health Information. Industry insiders usually shorten it to PHI, and understanding the term is crucial to standing up a strong cybersecurity perimeter that honors your HIPAA obligations. Although your HIPAA obligations are a mix of privacy and security obligations (and beyond), here we’ll talk mostly about the security of three particular types of information that are definitely part of the patient records covered by HIPAA.
