
Small Business

Scam of the Week: The Bad Guys Are Spreading Malware Through Popular Messaging Apps

March 14, 2019 by securewebsite

The bad guys are at it again, using popular messaging apps to trick you into downloading malware. These scammers know you’re used to looking out for suspicious emails, so they’re hoping to catch you off guard in the messaging apps you often use.

The attack is simple: The bad guys send a malicious link in apps such as Skype and Facebook Messenger. If you click on this link, a complex attack begins and you’re left with a ransomware-infected machine.

Don’t fall for this messaging scam! If you receive a suspicious message from someone you don’t know, don’t open it!

Remember these tips to avoid malware attacks from messaging applications:

  • Never click on a link in a message unless you know the sender is legitimate.
  • Before clicking, always hover over links to see where they are taking you. If you’re unsure, don’t click!
  • At work, ask your IT team about the antivirus and endpoint protection tools they have in place. At home, be sure to establish a layer of defense on your personal devices.


Stop, Look, and Think. Don’t be fooled.

Filed Under: Small Business

This Week in Breach: Roundup

March 8, 2019 by securewebsite

Exploit: Form-jacking attack
Topps: Sports trading card and collectible company


Exploit: Unauthorized access of electronic health record system
St. Francis Physician Services: Health system based in South Carolina


Exploit: Third-party employee breach
Samsung Canada: Canadian arm of the Samsung Electronics company


Exploit: Theft of government employee laptop 
NWT Department of Health and Social Services: Health department for the Northwest Territories of Canada



In Other News:

How American companies can benefit from a global perspective

There’s a reason why we cover breaches from countries around the globe. Over the last few years, cybercrime has exploded into an international phenomenon, leaving no continent unturned. By examining the cybersecurity measures of other countries, the US can borrow pages from their playbooks and predict the future. Here are a few thought starters inspired by China, India, Brazil, and the UK:

1. Improve authentication

Internal control measures are becoming a topic of discussion, given the climate of employee-related data scandals in recent years. By building in reporting systems that have fail-safes and multi-factor authentication, companies can stop fraud in its tracks.

2. ID proofing

Establishing added trust in a credential such as a mobile ID can go a long way in protecting consumers from identity theft. By authenticating devices and users and understanding common fraud patterns, companies can take their security to the next level.

3. Validation certificates

Image-based phishing is growing increasingly sophisticated and effective against consumers, and it’s up to businesses to help them navigate safely. By implementing secure browser certificates, users can feel reassured that they are logging into a trusted source while distinguishing your brand from the fraudsters.


Filed Under: Small Business

The Modern Office and Business Continuity

March 7, 2019 by securewebsite

What you need to know to protect your company

The modern office requires that all components of your business environment work together harmoniously to ensure the best use of your IT infrastructure and seamless scalability as your business grows. One of the major components of the modern office is business continuity. This is an imperative piece of a solid IT plan for every company regardless of size or industry.

Business Continuity

When IT professionals discuss business continuity, they are generally referring to a proactive approach of having the right processes and procedures in place to ensure mission-critical functions continue to work properly in the face of a disaster or while a business is recovering from one. When it comes to business, there are many moving parts that still need to continue operating smoothly whether your company experiences a devastating fire or a nasty data breach.

The IT and business statistics are shocking. In the last five years, one in three organizations were hit by a virus or malware attack, according to DataCore, and more than half of companies (54%) experienced downtime that lasted more than eight hours. That’s a full day of work lost! While DataCore shows only 35 percent of outages are caused by natural disasters, 45 percent of outages are operational and another 19 percent are due to human error. These site outages can cost businesses thousands of dollars in lost revenue and restoration costs for every incident. Gartner, Inc., a global research and advisory firm, estimates that only 35 percent of small and medium businesses (SMBs) have a comprehensive business continuity plan and the financial loss for every hour of downtime can reach into the thousands even for SMBs.

Business continuity requires comprehensive planning before tragedy strikes an organization to allow them to overcome long-term challenges that would otherwise stop them in their tracks. With prior planning, business continuity ensures your entire business returns to full functionality as fast as possible following a crisis. That means everything from vital employee records and payroll to stored data access and email.

Think Cybersecurity

One of the first steps in a complete cybersecurity plan is business continuity. To start, you’ll want to ensure your business employs the best technology to combat the latest threats from ransomware and malware to other types of breaches. This means updating protections such as antivirus and firewalls, using multifactor authentication, and engaging your employees in ongoing, meaningful cybersecurity training.

Cybersecurity plans, which are typically handled internally by the chief information security officer (CISO) in larger businesses, should be designed as a living document that can expand and adjust when necessary to meet the changing needs of your business. Small to medium enterprises often don’t have a dedicated CISO so they can outsource this responsibility to organizations like ORAM Corporate Advisors.

Written Information Security Plan

As part of your business continuity plan, you’ll need a written information security plan (WISP), which also happens to be a requirement of many regulatory bodies, especially for businesses who contract or subcontract with the government and financial institutions. While government regulations vary from state to state and with the federal government, in Massachusetts this written document should contain, “certain minimum administrative, technical, and physical safeguards to protect” personal information such as names, driver’s license numbers, social security numbers, and financial account numbers. You’ll need to check with both your state and federal government to determine which regulations impact you as well as any industry-specific regulations. This is another place a CISO or third-party IT vendor can help.

Your WISP should designate an individual responsible for maintaining your IT program. This may be a business owner, CISO, or even a trusted advisor such as ORAM. It will also need to identify any reasonably foreseeable data security risks as well as protect and restrict access to electronic data that may include personal information for your employees and/or clients. This plan should also outline the oversight of third-party service providers and ensure those providers comply with local, state, federal, and industry regulations as well.

Because your business and its processes, risks, and procedures are unique, your WISP will be very specific to your organization. It cannot effectively protect you from culpability in the event of a breach or loss if it doesn’t address the particular risks of your company or if it includes practices that have not been put into practice in your business. Through coordination with your IT team and/or third-party IT vendor, you will need to identify “reasonably foreseeable risks” to ensure your WISP includes the practices your business adheres to.

In addition to IT functionality, your WISP will also address the non-technical operations that will still need to work in a disaster situation to keep your business moving forward. For example, it might address the accounting measures you have in place to keep employees and bills paid and clients invoiced if the worst should happen.

What Crisis Looks Like

Stolen laptops, lost cell phones, and an employee clicking on a phishing email that infects your entire network. These are all crises that can and often do occur in the business world. Think of all the critical information that can be lost, stolen, or even held ransom. What do you do and who do you talk to? This is where planning ahead and having a WISP helps. It will outline how to respond to a variety of incidents.

Lost your company cell? Your WISP will inform you of who to call to wipe the lost phone and deactivate it before serious damage can be done. Did your organization experience a data breach? Your WISP will have identified a data backup plan so that nothing is completely lost. Has a virus made accessing email impossible? Your WISP will have determined if your email is stored locally, in the cloud, or both to decide how to get it up and running again fast. This thinking ahead with recommendations by your IT team or third-party vendor will help ensure you have continued access to business email which is the lifeblood of most commerce today.

Recovering from Incidents

One of the best things your WISP will do is outline policies and procedures for how to react and recover in crisis situations. Regardless of the disaster that strikes, your WISP will point you to who to contact and how to react. Part of your WISP will address incident response and crisis management to minimize the impact when things do go awry, as they inevitably do.

Incident response and crisis management involves having the ability to maintain critical business functions during a disaster scenario. It also encompasses having plans in place for a rapid recovery from catastrophic incidents. If your business were to experience a flood, fire, or data breach today, would it be able to recover quickly and efficiently? Business continuity is all about having a plan in place that expects the unexpected and is prepared to handle it.

When it comes to IT and business continuity, the big question is, “How do you operate tomorrow?” If you don’t know the answer, it’s time to get a plan in place starting with an evaluation of the foreseeable risks your organization may face and a WISP to address them. Think of it as an insurance plan that also helps your business with regulatory compliance. When disaster strikes, your business’s IT team, CISO, or third-party IT vendor should have already given you advice. Hopefully, you have followed it. Then you know who you can call when things go wrong so they can tell you how to react to keep your business moving full-steam ahead.

If your company or organization needs assistance with risk assessment, developing a WISP, and planning for business continuity, call the trusted advisors at ORAM today at (617) 933-5060 or visit us online. Our experienced professionals are here to help and we are dedicated to partnering with small businesses to assist them in achieving success.

Filed Under: Blog Tagged With: business, business continuity, cell phones, Chief Information Security Officer, CISO, Cloud, comprehensive planning, cybersecurity, cybersecurity plan, data, data access, data breach, disaster recovery, driver's license, electronic data, email, Financial institutions, Gartner, government, human error, Incident management and resolution, IT, IT crisis, IT functionality, IT infrastructure, IT plan, IT professionals, IT vendor, laptops, lost revenue, malware, mission-critical functions, modern office, names, natural disasters, network, operational outages, Oram, Oram Corporate Advisors, payroll, personal information, phishing, processes and procedures, Ransomware, regulations, restoration costs, Risk assessment, scalability, security risks, social security number, Third-party IT vendor, Trusted advisors, virus, wipe lost phone, WISP, written information security plan

This Week in Breach: American Consumers

March 1, 2019 by securewebsite

American consumers: Online users in the United States

Risk to Small Business: Severe: A malvertising campaign by the eGobbler group targeting U.S. users was launched over Presidents Day weekend, February 16-18, garnering some 800 million impressions. Those who clicked on the ads were redirected to a wide range of phishing sites that attempted to trick consumers into entering personal details, including financial information.

Individual Risk: Moderate: Cybercriminals can use the information collected to conduct spear phishing email campaigns or they can sell the stolen credentials on the Dark Web to other criminals.

Customers Impacted: Unknown

How it Could Affect Your Customers’ Business: Malvertising campaigns can expose sensitive customer and employee data, or cause mistrust in websites hosting the infected ads leading to brand erosion and customer churn.



In Other News

The U.K. has seen its first group litigation case concerning data breach, and the organization in question, the supermarket chain Morrisons, was found vicariously liable for the actions of one of its employees.

A disgruntled employee posted a file on a file-sharing website that included data on nearly 100,000 of his colleagues. That employee was found guilty of several charges related to the incident, including fraud and gaining unauthorized access to computer materials, and sentenced to eight years in prison.

Then 5,518 of the individuals whose personal data was published sued Morrisons. In this class-action-type suit, Morrisons — which was determined to have been compliant with data security laws at the time — was found vicariously liable for its rogue employee’s actions. It now faces large compensation costs.

Notable not only for being the first of its kind around data breach in the U.K., this case is also interesting for setting a high standard of responsibility among companies for their employees’ actions. As data breaches increase in both frequency and scope in Europe, those affected by them are likely to look to class-action claims under the provisions of the GDPR, which gives data subjects more rights and increases defendants’ penalties.

A side note: Similar claims but concerning nonmaterial damage like emotional distress may be enabled by the GDPR and the Irish Data Protection Act 2018 to be brought to Irish courts.


Filed Under: Small Business

The Value of Remote Assistance

February 28, 2019 by securewebsite

Who is managing your business when you take time off?

Who provides back up when your IT team is unavailable?

What if you come across a problem that is beyond your technician’s scope of knowledge?

A dedicated remote support service team can make sure that your business’s IT network runs smoothly 24/7.

Even if your in-house team is capable of managing any IT related problems, a remote service support provider can offer several advantages:

  • TIME:

Customers usually expect an immediate response to their questions. A lag in response time can create customer dissatisfaction. ORAM Corporate Advisors offer prompt responses to any IT question. Our team of qualified and experienced IT professionals ensures immediate and on-demand customer service.

  • COST:

Why waste your internal resources and money on buying the tools and technologies that don’t work? IT consulting companies in Boston come equipped with knowledge as well as the latest equipment to ensure that your organization doesn’t suffer because of downtime. Consulting IT companies in Boston come without the burden of additional costs associated with regularly training the in-house team. ORAM Corporate Advisors remote support will ensure your business runs efficiently and within your budget.

  • EXPERTISE:

What happens when your network issue seems unsolvable? ORAM Corporate Advisors have a proficient team of industry experts who will quickly identify and resolve the issue. Expert advisors will always be at your beck and call to solve every IT related problem with remote support service.

  • MONITORING:

Real-time monitoring and maintenance can be costly. With a remote assistance provider like ORAM Corporate Advisors, your IT network will always run smoothly and with the highest security protocols available.

So what are you waiting for?

If you operate a business and are looking for IT consulting companies in Boston that can provide you timely and adequate remote assistance, ORAM Corporate Advisors is your one-stop solution.

ORAM Corporate Advisors offer strategic and comprehensive IT consulting and business solution services across all industries, from medical to finance and hospitality. They provide competent, 24/7, 365 remote support services to ensure your business keeps running with less downtime.

For any and every IT consulting and remote assistance support service, reach out to an industry specialist at ORAM Corporate Advisors.

Filed Under: Blog, Small Business

Scam of the Week: Dangerous Office Attachments Bypassing Email Security

February 28, 2019 by securewebsite

As always, you must be suspicious of all email attachments, because attackers are finding new ways to get around email security filters. The latest attack includes Microsoft Office attachments containing hyperlinks to dangerous websites.

If you unknowingly download one of these attachments and click on a link from within the document, you will be brought to a malicious website that steals your sensitive information. This particular attack is usually carried out with Microsoft Word attachments, but dangerous links are certainly not limited to files with .docx file extensions. This attack could occur with almost any file type.

Always remember the following to prevent this type of attack from happening to you:

  • Never open attachments from people you don’t know.
  • Don’t open any attachment unless you have asked for it, or have verified with the sender (through a channel other than email) that it is legitimate.
  • Before clicking any link within an email or an email attachment, hover over it to see where it will take you.


Stop, Look, and Think. Don’t be fooled.

Filed Under: Small Business


© ORAM Corporate Advisors 2019. All rights reserved | Policy & Privacy