Let’s be honest, nearly all of us have been victims of a friendly April Fool’s prank at some point. The day (and month!) is full of (mostly) harmless pranks and jokes by friends and family. But let’s not forget that getting targeted by hackers and cybercriminals is also very much a reality. Pranksters love to play jokes on businesses and unsuspecting individuals, but cybercriminals like to take advantage of this time to cause serious security incidents with unforeseen costs.
April Fools’ Day is not the only day these cybercriminals use to take advantage of people’s naivety and lack of awareness; the frequency of these cybercrimes has been growing for a while. With a reported 150% rise in ransomware attacks between April 2020 and July 2021, it is becoming increasingly essential for people, especially employees, to learn more about how they can protect themselves as well as their organizations from hackers and different types of cybercriminals.
This April Fool’s Day, Thrive would like to raise awareness around cyber-attacks, share with you some common examples of the tactics used by cybercriminals, and discuss how you can identify scams and protect yourself, your businesses, your employees, and your customers.
Let’s get right into it. Here are some of the most famous internet and telephone scams that you must have heard of:
The CRA Scam:
This is a very common scam in Canada, especially during tax season. You might receive calls or emails that may seem to be from the Canada Revenue Agency (CRA). You might be told that you owe taxes or that you are in trouble with the tax department and that you must make payments or give out your credit card or banking information. Sometimes they might even send you links to fake websites that might look exactly like the real CRA website. It is best to just hang up on the call or delete these emails. The real CRA will never call, email, or text you asking for this kind of information.
The Prize / Lottery Scams:
In these types of scams, you might get a phone call or email saying that you have won a prize, such as cash, a car, an iPhone or a vacation. The scammer will tell you that you need to make a payment to collect your prize, and they might ask for your credit card or banking information. You obviously won’t receive the prize that you were promised, but now the scammer can make charges on your credit card or, worse, drain your bank account. Once you lose the money, you probably will not get it back.
The Nigerian Prince / Emergency / “Grandparent” Scams:
In these types of scams, the scammers pretend to be close friends or relatives in trouble. A very common one is when the scammer pretends to be a long-lost relative who is a Nigerian prince who needs your help to save his life or to move large sums of money internationally. This scam is so popular and successful at reeling in victims that it’s earned the name, ‘cat fishing.’ They might ask you to send money because of an accident, an injury, an arrest, or a robbery. And just like with all the other scams, this is likely just a way for scammers to get access to your bank account. They often target seniors, but anyone of any age can be the victim of these kinds of scams.
Other examples include phishing, social media account hacking, fake cryptocurrency, fake charities, fake lotteries, fake surveys, fake kidnapping, fake tech support, fake free stuff, identity theft, and the list goes on and on!
Now that we’ve talked about how hackers commonly target individuals and employees, let’s discuss what you could do to prevent yourself from falling for their tactics. Here are some ways you can ensure that you, your data, and your systems are protected:
1. Adopt a strong Password Management strategy:
It is always advised to use strong, unique, and difficult-to-guess passwords for all your accounts and devices to ensure your data is protected across all different systems. We understand that it can be hard to remember numerous unique alphanumeric combinations (which aren’t a combination of your dog’s name and your birth date) for different accounts and devices. That’s why we recommend using a reliable password manager service. A secure password manager can automate the process of creating, encrypting, and storing individual passwords so that you don’t have to remember dozens of them at all times. Also, don’t forget to keep updating these passwords now and then as another precautionary measure.
2. Utilize Multi-factor Authentication features:
Using a multi-step verification/authentication process while logging into your accounts and devices adds another layer of security to your data protection strategy. A reliable authenticator app, or built-in application-based unique one-time passwords (OTP) sent through email, text messages or calls, is very helpful in this process. These add another layer of protection to prevent access in case hackers somehow gain access to your passwords.
3. Do NOT click on links or attachments from unknown email addresses:
It only takes ONE wrong click to download viruses or give hackers access to your entire computer system. So, if you receive suspicious emails with links or attachments, don’t click on them unless you’re sure they are from reliable sources.
Thrive provides superior protection against ransomware, viruses, malware, spear phishing, email DDOS and undesirable emails. Our Fully Managed Anti-Virus and Anti-Spam Services are just what you need to strengthen your multi-platform threat prevention strategy.
4. Look for the ‘S’ in https:
Continuing with the above-listed point, another good indicator of a potential problem is if you receive a URL in an email without the ‘S’ after the http in the link. The ‘S’ literally stands for ‘secure’ and indicates that the website has an SSL (Secure Sockets Layer) certificate. You should always hover your mouse over any link to see its true destination, and if you can’t see the ‘S’, you definitely should NOT click on the URL.
5. Invest in Cybersecurity Awareness Training programs:
The National Security Agency reports that over 90% of cyber-attacks are preventable with basic Cybersecurity Awareness Training. So, by just taking a cybersecurity awareness course and keeping in mind all the points listed in this article, you might already be a few steps ahead of those cyber-criminals and save yourself from serious issues and huge losses!
No matter how large or small a business is, it’s a target for cybercriminals. That’s because it can take only a single unwitting click on a phishing link to grant criminals access to everything on a given network and, in some cases, beyond. It’s also why security awareness training and phishing simulations are essential for organizations that want to transform end users from the weakest link in the security chain into a truly resilient first line of cyber defense.
Thrive’s Cybersecurity Awareness Training provides the continuous, relevant, and measurable testing and education that businesses need to minimize risky user behaviors and resulting security incidents.
6. Schedule regular Data Backups:
Thrive’s Backup as a Service (BaaS) solutions provide Complete Data Protection for VMware, Hyper-V and Physical Systems among other things.
World Backup Day falls on March 31st every year, the day before April Fools’ Day, which is perfect timing to make sure all your regular data backups are scheduled and running properly across all devices and platforms. The “I’ll do it tomorrow” approach on World Backup Day could land you in some serious trouble in case you get fooled the very next day on April Fools’ Day!
7. Have a Disaster Recovery Plan ready:
No matter the size, location, or industry, organizations need to take the time to put together a well-thought-out and practical strategy for implementing DR best practices and scheduled maintenance.
Organizations should have an easy-to-understand step-by-step guide on what to do in a data emergency so that employees, partners, and vendors understand their roles, responsibilities, and the resources available to them before, during and after crisis strikes.
We hope you can now better understand how common and dangerous cyber threats, hacking, viruses, malware, ransomware and other cyber attacks are. However, more than 90% of these incidents are preventable with the right kind of Cybersecurity Awareness Training.
If you spend some time learning more about how these cyber-attacks work, how hackers and scammers approach people, what kind of tactics they use, and how you can deal with them, you can prevent cyber attacks and protect yourself from becoming one of their victims.
The World Wide Web is an incredible source of information, innovation, and entertainment! Have fun with it, and keep learning new things, all while staying vigilant and safe on the internet!
Have any questions? Contact Us to learn more about all our services!
Happy April Fools’ Day! We promise we won’t fool you though!
Understanding the SEC’s Proposed Cybersecurity Standards
Cybersecurity represents an ongoing challenge for alternative investment firms and the financial industry. And this challenge continues to grow in scope, complexity, and cost. According to IBM and the Ponemon Institute, the 2021 average cost of a data breach in the financial sector was $5.72 million.
In response, the U.S. Securities and Exchange Commission (SEC) has recently proposed new standards for cybersecurity management. According to the SEC’s February 2022 press release, “the proposed rules and amendments are designed to enhance cybersecurity preparedness and could improve investor confidence in the resiliency of advisers and funds against cybersecurity threats and attacks.”
While greeted favorably among cybersecurity professionals and the financial community, the news represents a significant course change for the SEC. To date, there have been no SEC rules or regulations that require financial firms to implement cybersecurity programs. However, the wide-ranging SEC proposal addresses advisor and fund cybersecurity risk, establishes new required elements of policies and procedures for advisors and funds (including disclosure of risks and reporting of cybersecurity incidents), and concludes with a detailed economic analysis.
Breaking Down the Proposed SEC Cybersecurity Compliance Requirements
The recommendations of the SEC compliance proposal can be divided into five areas:
- User security and access
- Information protection
- Incident response and recovery for cybersecurity
- Threat and vulnerability management
- Risk assessment for cybersecurity
Here is a brief description of each area and how the prescribed changes could impact your organization:
User Security, Access & Information Protection. Pandemic-driven remote working and the resulting extended security perimeter have driven significant changes to security requirements, including an increase in multi-factor authentication use. The SEC’s recommendations will require organizations to employ updated security technology and vulnerability management capabilities. These include additional controls for data loss prevention and known registered devices. Many financial organizations have already begun adopting these measures.
Incident Response & Recovery. The SEC’s proposal will require the reporting of threats and other security events (like a vendor breach or a cyber incident). These are similar to GDPR privacy breach reporting requirements but go further. The SEC will also require an activity paper trail and detailed record-keeping around cybersecurity due diligence. If adopted, the SEC proposal will mandate advisors and fund owners to publicly disclose cybersecurity risks and incidents that have occurred in the last two fiscal years.
Vulnerability Management & Risk Assessment. According to the SEC, “Advisers and funds of every type and size rely on technology systems and networks and face increasing cybersecurity risks. The rules would therefore require all of these advisers and funds to consider and mitigate cybersecurity risk.” The SEC’s proposal mandates the categorization, documentation, and prioritization of cybersecurity risks based on a comprehensive information systems inventory.
Effective and Flexible — Striking the Appropriate Balance
The proposed rules and amendments seek to deliver short-term effectiveness while acknowledging the need for flexibility as requirements and capabilities evolve. “The balance is achieved in recognition of the speed of technology change,” explains Ian Bowell, EMEA Information Security Manager. “Being too specific or restrictive and referring to a particular technology standard would be like requiring 4G, and not permitting 5G.”
In short, the SEC is working hard to avoid getting tied up in regulations that could quickly become outdated. Changes in cyber threats and the discovery of new vulnerabilities must also be addressed promptly, and even for the most prepared organizations, continuous change will require ongoing improvements and adjustments.
As a leading Managed Service Provider for the alternative investment industry (including hedge funds, private equity, and family offices), Thrive is well-versed in the industry’s demanding cybersecurity requirements. Thrive’s capabilities, existing framework, and certifications (like NIST and ISO 27001) will help simplify and expedite your firm’s adoption and compliance with the new SEC standards.
Contact us to learn how Thrive can help you meet the SEC’s proposed cybersecurity standards.
Boost Your Collaboration with Microsoft 365’s Real-Time Co-Authoring
By Christian Wilmot, Client Technical Manager – EMEA
Effective collaboration is critical for organizations pursuing digital transformation. Gartner estimates that almost 80% of workers used collaboration tools in 2021, up from just over half in 2019 — a 44% increase.
COVID-19 and the subsequent shift to a remote workforce have accelerated this adoption. According to Christopher Trueman, principal research analyst at Gartner, “a long-term hybrid workforce model, cloud-based, personal and team productivity technologies, along with collaboration tools, will form the core of a series of new work hubs that meet the requirements of various remote and hybrid workers.”
Microsoft has responded by enhancing the collaboration capabilities of Microsoft 365. The ubiquitous cloud-based service (formerly Office 365) now allows users to share and edit the same documents together — all in real-time.
Real-Time Co-Authoring
Many users have experienced a common roadblock when editing a document in Microsoft 365: “The document is locked for editing by another user.” This automatic message, a Windows file server version-control restraint, appears when multiple team members simultaneously require access or editing rights to the same documents.
With real-time co-authoring in Microsoft 365, once documents are in SharePoint Online or OneDrive, multiple team members can work on the same document at any time without affecting each other’s changes. All edits are automatically saved to the cloud.
Real-time co-authoring addresses many of the issues associated with server-based document collaboration. For example, it helps eliminate multiple document versions by reducing attachment sharing.
Microsoft’s co-authoring capabilities also provide a streamlined user experience. Users simply open and edit a document from SharePoint; if another user also has the document open, both can edit it simultaneously.
When a document is saved, other users receive a notification that there are new edits and can view those changes immediately. SharePoint Server’s versioning and tracking tools allow authors to protect document integrity by rolling back any unwanted changes.
Instant Notifications With The @mention Feature
Microsoft 365’s @mention is another powerful collaboration feature. Users commenting on a document or presentation can add the ‘@’ sign with another person’s name, and that user will then receive an email notification with a link to the document. This enables multiple stakeholders to comment or work on the document in real-time.
Reaping The Benefits of Real-Time Collaboration
Even though much of the workforce continues to work remotely (or in hybrid models), organizations are still seeing significant benefits from real-time collaboration. These include:
Enhanced Productivity. By collaborating on a single shared cloud-resident document, users can eliminate the confusion and needless communication associated with managing multiple document versions.
Improved Knowledge Sharing. Simplified collaboration allows teams to capture the knowledge and feedback from all team members, regardless of location. Broader collaboration creates more team ‘buy-in’ and typically yields more effective results.
Increased Job Satisfaction. Real-time collaboration supports a culture of inclusivity, especially for remote workers who may feel isolated from their teams.
Cost Reductions. Legacy collaboration methods often require physical infrastructure (equipment and office facilities) or travel. Virtual collaboration eliminates much of the cost and logistics associated with traditional teamwork.
Extended Reach. Digital collaboration tools allow users to easily collaborate with other teams, even outside their organization. This extended collaboration could include contractors, vendors, and customers.
Optimizing Your Microsoft 365 Collaboration
While Microsoft 365 provides powerful tools to increase your collaboration and productivity, proper setup, configuration, and user training are critical to getting the most out of the platform.
At Thrive, our team is uniquely qualified to help you optimize your Microsoft 365 environment. As a Direct Reseller of Office 365 products and Global IT leader, our team of experts can advise you on the products and services to generate efficiency and improve performance in your organization. Our tailored solutions and deep-domain expertise make Thrive an industry-leading, award-winning MSP to the alternative investment industry.
To learn more about optimizing Microsoft 365’s enhanced team collaboration, check out Mastering Microsoft Teams or contact us here.
How CXOs View the Risks and Rewards of Cybersecurity
Most CEOs and CFOs in the financial industry will tell you that cybersecurity isn’t cheap. And it’s true — a recent study by Deloitte found that, on average, financial services companies spend 10% of their IT budgets on cybersecurity. A commonly held view among executives is that cybersecurity spending is an expensive precaution. The challenge for IT professionals is to help reframe that discussion with their C-level team and position cybersecurity as an investment, not an expense.
Balancing the Rewards and the Risks
The first question many C-level executives ask when allocating budgets is ‘how will this help grow the business?’ For example, CFOs will invest in increasing production, acquiring new customers, or bringing new products to market faster. At the same time, they’ll seek to contain costs in areas that don’t directly contribute to the revenue line.
A second and equally important consideration is risk. CXOs will ask, ‘what are the circumstances that could prevent us from achieving our business goals, and how do we minimize or eliminate them?’
There are many nuances to the risk discussion. What is the nature of the risk? Security risks can run the gamut from vulnerabilities in cloud platforms, web applications and email services to bad actors exploiting your environment from within. Next, how likely are risk events to occur? What are the financial and operational impacts? What will it cost to address them? Finally, do the benefits of mitigating the risks outweigh the costs?
IT professionals should be prepared to have fact-based discussions with their executive team when reviewing cybersecurity requirements. Industry-specific data, such as the frequency and impact of cyberattacks or the cost of downtime, is always helpful.
Assessing Cybersecurity Risks for Alternative Asset Providers
Here are four industry-specific facts that will help position the security risk discussion with your executive team:
Financial services firms are 300 times as likely as other companies to be targeted by a cyberattack. This finding from the Boston Consulting Group is echoed by the 2021 IBM X-Force Intelligence Report, which states, “Financial institutions experienced 23% of all attacks we analyzed in 2020, up from the 17% of attacks the sector experienced in 2019.”
The probability of a cyberattack is very high for financial services companies. A survey of the UK financial sector found that 70% of financial companies have experienced a cyber security incident in the past year.
The threat is escalating. Attacks targeted at the financial sector increased by 238% between February and April 2020, and ransomware attacks on the financial industry increased ninefold.
The costs are unbearably high. According to IBM, financial services cyberattacks in 2020 due to data breaches cost organizations an average of $3.86 million and took an average of 207 days to identify. Accenture projects that cyberattacks on banks in 2020 and beyond will result in banks losing $347 billion, and capital markets will lose $47 billion by 2024.
Cybersecurity as an Investment
While the impact of cyberattacks is all too apparent for the financial industry, articulating the business benefits of cybersecurity can help C-level executives justify budget and resource allocations. These potential benefits include:
Reduced downtime. Ransomware attacks almost always result in downtime or service interruptions. A recent Ransomware Marketplace report found that the average ransomware incident lasts 16.2 days. Every organization calculates downtime costs differently, but for perspective, the Gartner Group estimates average downtime costs at over $300,000 per hour.
Brand Protection. No financial services company wants to be in the news for a services outage or significant data breach. A robust cybersecurity infrastructure can minimize the frequency and impact of attacks and help protect and elevate the organization’s brand.
Customer Retention. Effective cybersecurity protects a company’s greatest asset — its data. Customers are less likely to do business with an organization that has been compromised, and the reverse is true. If your company has an excellent cybersecurity track record, you’re more likely to retain and even grow your customer base.
Taking a Long-Term Approach
Aligning cybersecurity requirements with business objectives is only the first step in establishing an effective security infrastructure. Cyber threats are rapidly evolving, and external events can create new paradigms that impact security requirements. Who would have thought two years ago that today, much of the financial workforce would be working from home?
It is essential to regularly assess your security strategy, priorities, and alignment with business objectives. Ongoing engagement with your executive team is critical, as is a proactive approach. Once a severe cyberattack impacts your organization, it’s too late.
Another proactive option for addressing risk is cyber security insurance. Also called cyber liability insurance, this is a policy that offers businesses a range of options to cover the expenses associated with data breaches and other cyber attacks. These can include costs for: recovering compromised data, lost income, notifying impacted customers, and restoring affected systems.
While cyber security insurance is not a solution that makes you whole, it will reduce potential expenses. Many cyber insurance plans also provide for pre-claim expenses to help mitigate a risk before it becomes an incident.
Partnering with a Trusted MSP
With the exception of larger funds greater than $8B AUM, most alternative investment firms operate without a CTO or CIO, and most funds under $30B AUM do not employ a CISO. Even those that do may not have the necessary in-house resources and expertise to develop and support a strong security infrastructure.
An experienced managed security provider (MSP) can offer services that you may not have the capability to carry out alone. For example, vulnerability assessments can systematically review your environment for security weaknesses. Penetration tests will evaluate your infrastructure by safely exploiting vulnerabilities. And risk remediation analysis (RRA) can reduce your susceptibility to a cyber attack from a range of tactics, techniques, and procedures (TTPs).
A valued MSP like Thrive NextGen is also well-versed in investor needs and concerns. We help firms anticipate and respond to investor questions about cybersecurity and data protection requirements. Our experienced team has deep domain expertise in the alternative asset industry and can assist in aligning your security requirements with your business strategy and objectives.
With every decision, your C-level team must recognize and prioritize risk before you can reap the benefits. This is particularly true when assessing cybersecurity requirements. That’s why many leading alternative asset companies choose Thrive to help align business and cybersecurity requirements and keep their organizations secure.
Thrive offers the most effective, purpose-built solution for the alternative investment industry. Contact Thrive for a free consultation about your cybersecurity strategy or to learn more about our CyberSuite offering.
Risky Business: Purchasing Grey Market Equipment Can Leave You Exposed
For many companies, 2021 has been a challenging year to procure networking and infrastructure hardware. Transforming networks to accommodate remote workers has stretched already thin IT budgets, and global chip shortages continue to impact product availability and lead times. As early as April, industry leader Cisco predicted that chip shortages would disrupt equipment production at least until the end of the year — guidance echoed by other manufacturers like HP, Dell, and Lenovo.
In this environment, some business leaders are tempted to explore other hardware procurement options, including the grey market. While the promise of lower hardware costs and apparent supply is appealing, the risks to security, network performance, and manufacturer support are considerable.
What Is the Grey Market?
‘Grey market’ products are new devices sold legally but not through a manufacturer’s authorized distribution channels. These products are often sold at low prices through discount websites, and typically sellers will have no local office or representatives. Used or refurbished equipment is sold similarly, sometimes by the same grey market sellers.
Both carry the same risks for prospective buyers.
Why ‘Buying Grey’ Can Be Bad for Your Business
While the initial purchase price of grey or secondary market equipment may be very attractive, customers should fully understand the business risks.
Here are some of the most common pitfalls encountered when purchasing gear from non-authorized sources:
Hardware has questionable origins. Grey market equipment may be counterfeit, stolen, illegally imported, or have damaged or substandard components. Questionable hardware may not perform as expected and can result in significant downtime for unsuspecting customers.
Invalid software licenses. Companies that buy from the grey or secondary market may not be purchasing valid software licensing for their equipment. As a result, they may not have access to manufacturer software updates or security patches. Maintaining updated security software is essential to protecting networks and sensitive data.
No manufacturer warranty or support. Manufacturers track hardware by serial number and often will not provide support or hardware replacement for equipment they determine hasn’t been procured through authorized channels. For example, a manufacturer may delay or even decline support for an end-to-end network issue if edge devices originate from the grey or secondary market.
Expensive inspection and licensing fees. Some manufacturers will provide hardware and software support for grey market equipment, but the process can be lengthy and costly. It often involves the physical inspection of equipment — a challenge if devices are deployed in multiple regional or branch offices. Customers may also have to purchase an authorized software license to gain support. The cost of inspection and licensing fees can run very high.
How Your Managed Service Provider Can Help
Procuring hardware through your Managed Service Provider (MSP) offers a wide range of benefits, including:
Pricing and lead times. Through established relationships with industry leaders like Cisco, HP, and Dell, your MSP can ensure you’re receiving competitive pricing (including any manufacturer incentives) and the best available delivery times.
Configuration and integration. Your MSP will help customize and integrate your equipment to perform optimally in your environment and in compliance with your firm’s security policies.
Flexible support options. MSP support options can be more comprehensive than manufacturer warranty and support. For example, hardware vendor support has specific deliverables (e.g., parts and labor) and may not cover device configuration or the integration of replacement devices. Many MSPs offer flexible, holistic service options that support your whole environment, not just individual manufacturer products.
Warranty, Licensing, and End-of-Life Support. Managing the warranty and support status of all devices in your network can be an administrative burden. Your MSP has the tools to track each device and report on warranty and support status. Your MSP can also alert you when devices require software upgrades or are approaching end-of-support or end-of-life and help build a plan for network additions or refreshes.
Plan Ahead to Tackle Long Lead Times
While ordering equipment through authorized channels will minimize the risk to your business, equipment shortages and shipping delays may be with us for some time. In response, companies should work with their MSPs to understand their device status (especially end-of-support and end-of-life dates), create a migration or upgrade plan, and place equipment orders well in advance of proposed installation dates. In some cases, your MSP may recommend you order equipment as early as year-end to ensure Q2 delivery.
At Thrive, our Procurement team works with manufacturers and distributors to deliver enterprise-level equipment. Our expert Engineering team can review your environment and equipment status and help manage your equipment refresh as needed.