The Havoc Shield Blog
13,354 Reasons for COVID-era Internal Network Scans
When the COVID-19 era began, many offices emptied out. Companies cancelled their coffee deliveries. They reduced the frequency of cleaning services. They even turned off cardkey access for some personnel transitioning permanently to remote work. And, they forgot to do their internal network scans for vulnerabilities. Oops.
Although we’re ok with the coffee, cleaning, and cardkey changes — the omission of internal network vulnerability scans is a mistake worth avoiding. Here’s why.
When IT Asset Inventory is the Missing Link
I.T. Asset Inventory is the log, spreadsheet, document, or database that keeps track of who in your company has which device(s). It can also extend beyond hardware sometimes, but today we’re going to focus on the hardware (laptops / workstations / tablets) type of asset tracking.
You already know where this is heading: nobody (and we know a lot of IT folks) loves spending time catching up on a backlog of asset tracking work. So, that begs the question: does it matter? Should we bother with an asset inventory at all? Won’t employees just fundamentally know what hardware they’ve got in their possession, and keep us apprised of any changes or needs?
Probably. But that’s not the point.
Your Incident Response Plan depends on Talent Acquisition
If you are a Havoc Shield client, we hope you’ve rolled out an Incident Response Plan in the Policy Manager section of the platform. Whether you accept our battle-tested templates outright, or you choose to make some surgical modifications, it’s important to get the plan into the hands of those who will participate in it. You know the drill: planning for the worst, hoping for the best, as they say. If you aren’t a Havoc Shield client, we hope you’ve rolled out a similarly battle-tested plan.
With your plan in the hands of your team members, now is also a good time to talk about the hidden connection between Incident Response Plans and Talent Acquisition. Especially if you are at the type of company that we typically serve – angel-backed, venture-backed, and growth companies.
5 Easy Shortcuts on Enterprise Security Questionnaires
Every day we talk with small businesses struggling with enterprise security questionnaires. And every day we hear some of the same underlying anxieties… What if I don’t have everything the enterprise asked for? What if I don’t have SOC 2? Should I elaborate on this answer? Should I attach supporting evidence for that question? For ventures that haven’t been through the enterprise security questionnaire process before, the process can feel arbitrary, cumbersome, and ambiguous. This article has five of our top “easy wins” for saving time and frustration when filling out an enterprise security questionnaire.
Weekends are where Shadow IT starts
If you are a loyal follower of this blog and are reading this when it is hot-off-the-presses, the weekend is upon us — and one thing that means is that a whole bunch of Shadow IT is about to be born. We’ve covered Shadow IT before on this blog, but today’s post is different. It’s about — specifically — why weekends are an extremely common time for Shadow IT to expand.
Insecure Email Wall of Shame: Banking Edition
Welcome to the insecure email hall of fame. What we’re about to show you is a real email. From this week. Sent from a bank to a client.
In a world where email accounts get hacked all the time (e.g. via credential stuffing), there’s no telling whether the sender or receiver has laptops, tablets, and phones sitting around unlocked. And we’ll bet anything communicated on this email chain remains in the Sent Items folder of the sender for decades, and possibly in the Inbox of the receiver for decades. Did we mention there was an unrelated party on cc?
Totally Avoidable Work-From-Home Security #Fails
For years, work from home security took a backseat to office security. Then suddenly, everything changed. Work from home security became just as important (and sometimes more important) than office security. As companies grapple with how to make the dream of work from home security a reality, there are a handful of totally avoidable work from home security failures that have come to the forefront. Here are some of the biggest ones.
The 3 Most Misunderstood Cybersecurity Terms
We’ve got a problem with the cybersecurity terms that we see in industry articles and whitepapers. The language of cybersecurity has become so nuanced and intricate that it’s enough to frighten away everyone other than industry insiders. And that’s exactly the opposite of what we all need. A more inclusive discussion around cybersecurity — one that draws in curious non-experts — helps spread an understanding of cybersecurity that improves all of our safety. Here are the worst three terms that deserve a place on the “wall of shame” in the cybersecurity dictionary.
Budget Denied: Information Systems Security Officer Role
We spend most of our time talking with small businesses that do not have an Information Systems Security Officer. In fact, most small businesses we work with have never contemplated getting one. ZipRecruiter lists the Information Systems Security Officer role with an average salary of approximately $108,686/year and the following responsibilities: “An information systems security officer (ISSO) protects the IT infrastructure of companies, organizations, or agencies. Your duties include taking proactive security measures, assessing risks, and responding to security breaches.”
So why aren’t small business owners on the hunt for talented cybersecurity professionals to fill a role of this title and description?
How can I limit G Suite Calendar Sharing to Free/Busy?
G Suite calendar sharing can lead to the leakage of confidential information. As a G Suite administrator, you can help your employees avoid accidentally disclosing sensitive information by putting some reasonable guardrails on what sharing settings they are (and aren’t) allowed to use to share their calendar.
5 Small Biz Cybersecurity Survival Tips for Cyber Monday
This year, for many small businesses, a strong Cyber Monday is crucial for survival. With the wild gyrations in purchasing patterns and demand for particular products or services this year, there are a great many small businesses who have a lot of ground to make up on Cyber Monday 2020. With online sales. And it CAN’T go wrong. With that in mind, this post is for those of you that have an especially “high stakes” Cyber Monday ahead. Amongst all of the pressures related to your email and web promotional materials, your online ads, and your communications with existing customers and prospects, we know it’s easy to forget about cybersecurity. The problem is that if cybersecurity goes wrong on Cyber Monday, there is no way to turn back the clock and regain the opportunity to “win big” on that incredibly high-traffic online shopping day. With that in mind, here are the five things that you absolutely need to do to get ready for a strong (and SAFE) Cyber Monday:
9 Foolish Ways to Erode Your Password Manager Security
If you roll out a password manager in your business, there are many great benefits that should improve the security of your organization. Password managers make it easy to generate strong, unique passwords. Password managers make it easy to revoke access to passwords to key company resources when an employee leaves the company. Password managers reduce the frustration of trying to mentally develop memorization systems or notepad / post-it style approaches to recording / recalling passwords.
Still, to get the full benefit of a companywide password manager rollout, there are some common mistakes that are important to avoid. The mistakes that we’ll describe here are ones that significantly erode password manager security. So, without further ado, here are nine mistakes to avoid in your organization’s password manager practices.
113 of our Favorite Phishing Simulation Emails
What makes a great phishing simulation email? We’ll share our perspective, and reveal the top 113 phishing simulation emails that we use at Havoc Shield.
How BYOD Policies Catch You Up to Reality
Does your company have BYOD policies? For those unfamiliar with the term, BYOD is “Bring Your Own Device” — and BYOD policies relate to what the company does (and doesn’t) allow in terms of handling company business from your own devices. When the term BYOD first entered the vernacular of IT and compliance teams, it often referred to employees using their own smartphone or tablet. However, more recently it’s adopted a meaning that includes any personal device — including laptops, tablets, smartphones, and anything else.
Good Security Programs Begin and End with Policy?
You may have heard the advice “Good Security Programs Begin and End with Policy” — an assertion that is being popularized by at least one online cybersecurity training program. We disagree. Here, we’ll share why.
Email Security Best Practices for Employees
We learn as kids not to talk to strangers, but as adults, we sometimes forget this lesson when we engage with emails. That’s why it is so crucial to put email security best practices in place in order to protect your data, customers and company as a whole.
The Hidden Link between UNC Path Injection and Phishing
UNC Path Injection is an attack that we consider to have originated in the 1990s. Its exact origins are difficult to trace, but the mid-1990s were a period of tremendous growth in adoption of the Windows NT operating system, and anecdotally that seems to be the operating system on which some of the early UNC Path Injection attacks occurred.
Culture Club: Creating a Company Culture for Security
Everyone knows how important security is to companies and organizations. There were about 1,500 data breaches in the US in 2019 alone. But there are a number of organizations out there that have not adopted a security culture.
Phishing Training: A Holistic Approach
Phishing training requires a holistic approach that is often overlooked by companies racing to “check the box” in terms of offering training on this increasingly important topic. A big mistake would be to treat phishing training the way that companies treat many other kinds of training. We’ve heard of far too many company training events that involve a manager speaking for 30 minutes, with slides in the background, followed by everyone going back to what they were doing.
If that approach sounds a bit like what your company does for phishing training, please read on.
What does WFH minus DNS Filtering equal?
Here’s a math problem (sort of). What does “WFH” minus “DNS Filtering” equal? Before you answer, let’s get the basics out of the way on the terminology front.