The Havoc Shield Blog

When the COVID-19 era began, many offices emptied out.  Companies cancelled their coffee deliveries.  They reduced the frequency of cleaning services.  They even turned off cardkey access for some personnel transitioning permanently to remote work.  And, they forgot to do their internal network scans for vulnerabilities.  Oops.

Although we’re ok with the coffee, cleaning, and cardkey changes — the omission of internal network vulnerability scans is a mistake worth avoiding.  Here’s why.

I.T. Asset Inventory is the log, spreadsheet, document, or database that keeps track of who in your company has which device(s).  It can also extend beyond hardware sometimes, but today we’re going to focus on the hardware (laptops / workstations / tablets) type of asset tracking.

You already know where this is heading: nobody (and we know a lot of IT folks) loves spending time on catching up on a backlog of asset tracking work.  So, that begs the question: does it matter?  Should we bother with an asset inventory at all?  Won’t employees just fundamentally know what hardware they’ve got in their possession, and keep us apprised of any changes or needs?

Probably.  But that’s not the point.

Welcome to the insecure email hall of fame.  What we’re about to show you is a real email.  From this week.  Sent from a bank to a client.

In a world where email accounts get hacked all the time (e.g. credential stuffing), and there’s no telling whether the sender or receiver has laptops, tablets, and phones sitting around unlocked.  And we’ll bet anything communicated on this email chain remains in the Sent Items folder of the sender for decades, and possibly in the Inbox of the receiver for decades.  Did we mention there was an unrelated party on cc?

We’ve got a problem with the cybersecurity terms that we see in industry articles and whitepapers.  The language of cybersecurity has become so nuanced and intricate that it’s enough to frighten away everyone other than industry insiders.  And that’s exactly the opposite of what we all need. A more inclusive discussion around cybersecurity — one that draws in curious non-experts — helps spread an understanding of cybersecurity that improves all of our safety.  Here are the worst three terms that deserve a place on the “wall of shame” in the cybersecurity dictionary.

We spend most of our time talking with small businesses that do not have an Information Systems Security Officer.  In fact, most small businesses we work with have never contemplating getting one. ZipRecruiter refers to the Information Systems Security Officer role as a role with an average annual salary of approximately $108,686/year, having the following responsibilities: “An information systems security officer (ISSO) protects the IT infrastructure of companies, organizations, or agencies. Your duties include taking proactive security measures, assessing risks, and responding to security breaches.”

So why aren’t small business owners on the hunt for talented cybersecurity professionals to file a role of this title and description?

G Suite calendar sharing can lead to the leakage of confidential information.  As a G Suite administrator, you can help your employees avoid accidentally disclosing sensitive information by putting some reasonable guardrails on what sharing settings they are (and aren’t) allowed to use to share their calendar.