The Havoc Shield Blog
This blog is usually written with the small business audience in mind. We usually post about cybersecurity topics that we believe will be useful to small business owners, small business CTOs, small business IT directors, etc. Today is different. Today, we’d like to speak to the Enterprise Compliance Director audience — about their relationship with small businesses.
Many Havoc Shield clients work with a Managed Service Provider (MSP) for their broader IT needs — things like provisioning laptops, configuring telecom closet equipment, setting up VoIP phones, helping employees set up their bluetooth headset, etc. We love it when a client works with an MSP for those types of needs — it accelerates our ability to help on the cybersecurity front, with penetration tests, security awareness training, endpoint security, dark web scans, etc. The collaboration between Havoc Shield and MSPs has been great, enabling each of us to focus on what we do best.
Most companies craft their Acceptable Use Policy from a starting point of an Acceptable Use Policy Template. That’s wise: there is no reason to reinvent the wheel when creating a new policy, especially when it comes to structure, formatting, and the basic policy elements that are relevant to almost every company. At Havoc Shield we have a Policy Manager section in our platform to help companies get exactly that type of jumpstart: a solid, battle-tested policy baseline that lets organizations go from “no policy” to “defensible policy” in no time at all.
Cybersecurity awareness training for small business isn’t at all what many business owners fear it will be. We commonly encounter assumptions that it’s expensive, involves an external consultant, and involves the huge pain of working out a date/time and alternate date/times. None of that is true. Read on.
DNS Filtering, Malicious Traffic Filtering, and Phishing Protection are terms that are sometimes used interchangeably. That’s confusing for small business owners that want to cut through the terminology and simply know what action they should take to stay safe. Here, we’ll explore the subtle differences between these terms — in plain language that anyone can understand.
WFH cybersecurity is perhaps the fastest growing discussion in the security community this year, given the impact of COVID-19. A Gartner survey of HR leaders found that 91% had implemented work-from-home in their organizations as part of their COVID response. Along with WFH came new cybersecurity exposures — at Havoc Shield we started fielding calls and emails along these lines. Read on for the scoop on some of the Fact and Fiction that is floating around.
Why does Shadow IT exist? A starting point is to assume that employees felt they did not have the tools they needed to excel at their job.
At Havoc Shield, infosec dashboard best practices come up early and often in our conversations with technology leaders. Often it’s a lack of robust infosec dashboards that is the wake-up call that leads a CIO, CTO, or CISO to engage our team to get to a better place. Here are our most strongly-held views about what works best in an infosec dashboard in 2020.
Awhile back we wrote an article that was inspired by a question that we’ve heard from clients many times: “can macs get viruses?” … little did we know that it would become one of the most popular articles on this site. The follow-up discussions have been terrific, too. So, here’s Part 2 of an article that was originally meant to be a single-post piece.
With this post, we’re taking a hint that you (our readers) have been sending us. We’ve had an increasing number of readers arrive at our site after searching for how to “prove” that you are cybersecure. And, we get it. As small business owners and operators, it’s totally normal for a larger organization (an enterprise client, a bank, an investor, a partner) to ask you to “prove it” when you make a claim. And the fact that you are hunting around the web to find a way to prove it, means that we need to talk about that topic more on this blog.
UNC paths have been a very handy capability over the years. Before the days of Google Drive, Box, Dropbox, etc., it was extremely common to share files within a company by letting other employees browse certain folders/files/resources hosted on your laptop/computer. Authenticated, usually. But what happens when cyber criminals construct malicious UNC paths and try to fool you into clicking? Read on to learn more.
When does an SSL certificate expire? If you go by Murphy’s law, the answer is that it expires on a day that your website administrator is on vacation. Leading to clients, partners, and employees to all simultaneously complain (and for good reason).
We think that the more approachable cybersecurity topics are, the better work we can all do together to strengthen our cyber perimeter. Gone are the days where cybersecurity can be pushed aside to a brilliant IT professional configuring a telecom closet (if those days ever existed at all). In current times, cybersecurity is everyone’s job: from identifying and avoiding a phishing attack, to setting a secure Wi-Fi password for your home office, to being sure to use different/unique passwords for each website you rely on.
Infosec policy acknowledgement tends to become an urgent topic at the most inconvenient of times. During an audit, when your team realizes that new-hires haven't always been asked to sign all of the necessary policies. During a response to an enterprise security...
DNS Filtering has been a protective technique known to the infosec community since 1997. Many IT professionals would argue that it should go hand-in-hand with antivirus, password keepers, and cybersecurity training as part of any entry-level cybersecurity implementation. So why is it that DNS Filtering remains a lesser-known term, with few non-professionals being aware of its protective benefits? Let’s dig deeper.
You may have heard Information Technology professionals use the acronym CVE with increasing frequency recently. And, if you don’t come from an Information Technology background yourself, it might be time to learn a bit about what that term means. Why? Because this year is on-trend to be the largest year for CVEs yet, and a bit of understanding of what that means to you, could dramatically raise your cybersecurity awareness.
When our small business clients ask us about the dark web, they tend to ask with some trepidation. What is the dark web? How might it impact my small business? What can I do to keep my employees and my business safe? These and other questions have come up more and more frequently recently.
The premise of a Reflected Cross-Site Scripting attack is that certain websites accept user input that they “reflect” back to the user somewhere in their interface/portal. For example, imagine a website that asks for your first name, your job title, or your phone number. Think that input is shown somewhere in the interface, perhaps in an accounts page or somewhere else? It most likely is. And that’s not necessarily a problem. But, the problem is a half-step away, if the website’s developer was even slightly careless.
Check out our small business cybersecurity findings from our recent study of 2,099 small businesses, including dark web statistics and NIST trends.
We monitor reports of breached websites constantly. We track hundreds of breaches containing of millions of usernames. But, let’s back up. Let’s talk about what a 3rd party website breach means for you and your team. After all, it’s not your website. What trouble could it possibly cause for you? Read on.