How many cookies does your website have? The General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) take effect on May 25, 2018, making it necessary to know how many cookies are on your website. Cookies are small pieces of text that websites place on your browser to recognize you when you return. They can track information such as your online activity, location, and the devices you use to visit the site.
In Which Countries do These Laws Apply?
What is the Difference between GDPR and CCPA?
The General Data Protection Regulation (GDPR) is a set of regulations that member states of the European Union must implement in order to protect the privacy of digital data. The California Consumer Privacy Act (CCPA) is a set of regulations that California businesses must implement in order to protect the privacy of digital data. Both GDPR and CCPA compliance are required for companies that do business in the EU or California, respectively.
So, what do these regulations actually require?
Categorization Based on the Size of an Organization (SME, Corporate, Service Providers)
Depending on the size of your organization, you may be required to have a cookie banner on your website. For SMEs, the General Data Protection Regulation (GDPR) applies. This regulation requires companies to notify users about the cookies they use and obtain consent before using them. For service providers, the California Consumer Privacy Act (CCPA) requires companies to provide a Do Not Sell My Personal Information link on their website.
Problem with User Consent Checkboxes
One common issue website owners face when it comes to cookies is user consent. In order to be in compliance with GDPR, you must have a user’s explicit consent before setting any cookies. This can be done through a variety of methods, but most commonly seen is the use of checkboxes. The problem with using checkboxes for consent is that it’s not always clear what the user is agreeing to. For example, if you need to set two different types of cookies on your site – one related to marketing and one related to tracking shopping cart items – then the user needs to know this before checking the box. If they are not aware of both uses, then they will likely agree without knowing why or how these cookies will impact their experience on your site.
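As an added illustration (not code from the original article), the per-purpose consent the paragraph argues for can be enforced server-side: every cookie is declared under a purpose, only purposes the user actually ticked are set, and cookies for a purpose the user has since withdrawn are expired. Cookie names, purposes and the consent string format are constructed for this example.

```python
from http.cookies import SimpleCookie

# Constructed registry (not from any real site): cookie name -> purpose.
# Consent is recorded and checked per purpose, so the user knows what each box covers.
COOKIE_PURPOSES = {
    "session_id": "necessary",   # strictly necessary: no consent required
    "cart_items": "cart",        # shopping-cart tracking
    "ad_tracker": "marketing",   # marketing
}
EXEMPT = {"necessary"}

def parse_consent(raw: str) -> set:
    """Parse the stored consent value, e.g. 'cart,marketing', into granted purposes."""
    return {p.strip() for p in raw.split(",") if p.strip()}

def cookie_headers(desired: dict, granted: set, present: set) -> list:
    """Build Set-Cookie header values.

    desired: cookies the application wants to set (name -> value)
    granted: purposes the user consented to
    present: cookie names already in the browser (from the request)
    Cookies are set only if their purpose is exempt or granted; cookies already
    present whose purpose is no longer granted are expired with Max-Age=0.
    """
    jar = SimpleCookie()
    allowed = EXEMPT | granted
    for name, value in desired.items():
        purpose = COOKIE_PURPOSES.get(name)
        if purpose is None:
            raise ValueError("cookie %r has no declared purpose" % name)
        if purpose in allowed:
            jar[name] = value
            jar[name]["secure"] = True
            jar[name]["httponly"] = True
            jar[name]["samesite"] = "Lax"
    for name in present:
        if COOKIE_PURPOSES.get(name) not in allowed and name not in jar:
            jar[name] = ""
            jar[name]["max-age"] = 0   # consent withdrawn: tell the browser to drop it
    return [m.OutputString() for m in jar.values()]

if __name__ == "__main__":
    granted = parse_consent("cart")
    for h in cookie_headers({"session_id": "abc", "cart_items": "2", "ad_tracker": "x"},
                            granted, {"ad_tracker"}):
        print("Set-Cookie:", h)
```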
The Final Word
If you have a website that collects personal data from users in the European Union or California, you must comply with the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). This means having a cookie banner on your website. Non-compliance can result in heavy fines. So if you’re not sure if your website is compliant, it’s better to err on the side of caution and put a banner up.
A recent analysis by cybersecurity researchers has brought to light a zero-day exploit in Microsoft Office that can be used for code execution in Windows environments. Nao_sec, an independent cybersecurity research team, uncovered this vulnerability in a Word document (“05-2022-0438.doc”) uploaded to VirusTotal from an IP address in Belarus.
Named after the Italian commune Follina, this vulnerability is considered a high-risk threat since it does not require macros to be enabled. “All that’s required for the exploit to take effect is for a user to open and view the Word document, or to view a preview of the document using the Windows Explorer Preview Pane. Since the latter does not require Word to launch fully, this effectively becomes a zero-click attack”, Nikolas Cemerikic of Immersive Labs said.
Security researcher Kevin Beaumont tweeted that the vulnerability uses “Word’s external link to load the HTML and then uses the ‘ms-msdt’ scheme to execute PowerShell code”. “The maldoc leverages Word’s remote template feature to fetch an HTML file from a server, which then makes use of the “ms-msdt://” URI scheme to run the malicious payload”, he added.
With this vulnerability, malicious users can have Microsoft Word execute code via the Microsoft Support Diagnostic Tool (MSDT), a utility typically used to troubleshoot and collect diagnostic data for analysis by support professionals. Furthermore, Protected View does not seem to provide any real protection: when the document type is changed to RTF, the code runs even without opening the document.
Bad actors are already on the move. “An advanced persistent threat (APT) conductor originating from China has executed code on affected systems using URLs to carry ZIP archives that include Word Documents,” enterprise security firm Proofpoint stated in a tweet.
Affected systems include Office, Office 2016, and Office 2021. Other versions are likely to be at risk as well. Office Professional Pro with April 2022 patches, running on an up-to-date Windows 11 machine, has been shown to execute this code when the preview pane is enabled.
It is worth noting that the MSDT utility cannot execute payloads without a passkey, which is typically possessed by support technicians only. This may explain why Microsoft does not consider this vulnerability a security threat. Nevertheless, admins are advised to turn off the Preview Pane in File Explorer and disable the MSDT URL protocol to close off this attack vector, at least for the time being.
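As an added detection example (not from the original article or from the researchers it quotes), the two indicators the text describes can be checked in a .docx before it reaches a user: an attached template fetched over HTTP(S) via Word's remote template feature, and any ms-msdt: URI inside the package. The sample document is constructed inline as a minimal zip and is not a real malicious file.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
MSDT_RE = re.compile(rb"ms-msdt:", re.IGNORECASE)

def scan_docx(data: bytes) -> list:
    """Return findings for a .docx given as bytes: remote attached templates and ms-msdt URIs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            raw = zf.read(name)
            if name.endswith(".rels"):
                root = ET.fromstring(raw)
                for rel in root.iter("{%s}Relationship" % PKG_REL_NS):
                    rtype = rel.get("Type", "")
                    target = rel.get("Target", "")
                    external = rel.get("TargetMode", "Internal") == "External"
                    # Word's remote-template feature: an external attachedTemplate over HTTP(S).
                    # A local .dotm path is also "External" but is normal and not flagged.
                    if rtype.endswith("/attachedTemplate") and external \
                            and target.lower().startswith(("http://", "https://")):
                        findings.append("%s: remote template %s" % (name, target))
            if MSDT_RE.search(raw):
                findings.append("%s: ms-msdt: URI present" % name)
    return findings

def build_sample_docx(template_target: str) -> bytes:
    """Constructed minimal .docx-like zip for testing (not a real document)."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" TargetMode="External" Target="%s" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"/>'
        '</Relationships>'
    ) % (PKG_REL_NS, template_target)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/settings.xml.rels", rels)
        zf.writestr("word/document.xml", "<document/>")
    return buf.getvalue()

if __name__ == "__main__":
    # Placeholder host; .invalid is reserved and never resolves.
    for hit in scan_docx(build_sample_docx("http://template.example.invalid/rt.html")):
        print("FLAG", hit)
```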
A secure email system is essential to maintaining a good reputation as well as protecting your business’s livelihood, especially if you send or receive confidential information via email on a regular basis. Here are seven ways to boost your company’s email security so that your critical business communications don’t end up in the wrong hands.
1) Create Strong Passwords
Creating strong passwords is one of your best bets against hackers who attempt phishing attacks and ransomware. Phishing is a fraudulent email designed to steal information, while ransomware encrypts files or programs on your computer until you pay a ransom fee. Always create strong passwords using random strings of numbers, symbols, and upper- and lowercase letters that are at least 14 characters long. Use different passwords for each account, and change them every three months. Never write down your password in an obvious place—such as on a sticky note attached to your monitor—as it could easily be stolen by someone else. If you’re ever unsure whether an email is legitimate, contact customer service directly; never click any links in emails from unknown senders.
2) Set Up Two-Factor Authentication
For a small business, one of your biggest vulnerabilities is email. Email is a vector that hackers use to gain a foothold and then reach your wider network of systems. Two-factor authentication (2FA) can protect you from these types of attacks and even prevent ransomware from infecting your devices. Before you set up 2FA, ensure that any essential services (like payroll) have failover protection in place so that you don’t lose key information if hackers cripple your system.
3) Encrypt Sensitive Data
When it comes to sensitive data, there are a few things that you can do in order to keep your business safe from phishing scams. If a scammer is trying to get information from your business, they’ll often ask for credit card or banking details—information which should never be provided by email. Credit card numbers, social security numbers and any other data that might be used by someone who isn’t an employee at your company should always be encrypted when it’s being transmitted via email.
4) Use a Password Manager
A single weak password can be devastating, opening you up to phishing scams and other attacks. Utilize a password manager such as LastPass or 1Password or an SSO solution such as OneLogin and create strong passwords that are unique for each site you visit. With a password manager, you only need one good password that unlocks everything else.
5) Limit Auto Logins
All companies that offer some form of email protection—whether it’s a webmail system or an external service—also limit auto-login opportunities and reinforce two-factor authentication (or other forms of security verification) when they do provide login access. In most cases, you don’t want your employees logging in to their accounts without reason; it should only be done for emergencies, not for those quick checks on current sales numbers.
6) Backup Data Regularly
A good rule of thumb is to keep two or three backup copies of your data in different places. These backups could be on an external hard drive, in a cloud storage account like Dropbox or Google Drive, and even on another computer at home or in a remote location. If you use a web-based email provider, back up your emails by exporting them and storing them locally.
7) Monitor Connections
If you use an Internet connection that isn’t your own, like at a library or cybercafe, it’s important to monitor connections. Hackers often take advantage of unsecured connections and can trick your browser into connecting to dangerous sites. If you aren’t certain what kind of system is in place at a particular cybercafe, bring along antivirus software and keep it running throughout your time online.
We Can Help
At NetResults, we can help small businesses boost their email security with a comprehensive suite of tools that not only combat phishing attacks but also prevent them from even happening in the first place. Give us a call. nrtg.net
Cybersecurity isn’t just important to large corporations; it’s essential to every small business, too. Whether you run an online store or have an offline brick-and-mortar shop, cybersecurity measures can help ensure that your business has the protection it needs against hackers, malware, and other digital threats. These measures might take some time and effort to put in place, but they’re worth the investment to make sure your company’s information doesn’t get compromised or stolen. Read on to learn more about why cybersecurity is so important for small businesses like yours.
Why SMBs are an inviting target
Small and medium-sized businesses (SMBs) are more likely to fall victim to cyberattacks because they don’t have extensive security procedures in place. Ransomware attacks—when hackers encrypt a company’s files and demand a ransom be paid to unlock them—are on the rise: 45% of SMBs experienced a ransomware attack in 2021, according to the Ransomware Defense Study.
Why you shouldn’t ignore the threat
Cybersecurity is a big deal these days, but when you have little to no security in place at all, it can be easy to shrug off. Cybercriminals are constantly evolving their tactics and using a growing arsenal of tools and methods. With that said, we’re seeing three main ways they’re breaking into businesses’ IT systems: phishing, malware and SSO attacks.
How cybercriminals find targets like yours
Cybercriminals, also known as hackers, are always on the lookout for new victims to exploit. How do they find them? Small businesses typically aren’t protected by the enterprise-level defenses that big companies use, leaving them susceptible to phishing and social engineering attacks (also known as social or spear phishing). Because they’re vulnerable, cybercriminals can easily target these kinds of businesses with little fear of getting caught. So what is a social attack exactly?
How do you know if you were hacked?
The first sign that you might have been hacked is a sharp spike in server load or network activity, which can cause severe lag. Even worse, if a hacker has gotten into your WordPress-based site and is using it to host malware or phishing pages, you’ll likely see an increase in spam email going out from your domain. In most cases you’ll notice one of these symptoms, but their absence doesn’t mean there isn’t a problem.
What can you do to protect yourself?
Put your data on cloud storage using something like Dropbox or OneDrive. You can also utilize password sharing sites to help you manage unique passwords that are still difficult to crack. Two-factor authentication is also an option if you want to prevent brute force attacks against your business’ accounts. Lastly, it may be time to invest in a security solution that offers SSO (single sign-on) with centralized administration across different devices and platforms.
There’s no such thing as being too careful
Cybersecurity is vital to protecting our personal information, as well as that of our clients and customers. Cyber criminals are constantly evolving their methods, often combining attacks with other threats, like malware and phishing. Don’t risk falling victim—make sure you stay up-to-date on security best practices at all times. Here are a few easy steps to take:
Start with these steps from a security professional
- Back up all of your data frequently (daily) and check them regularly
- Encrypt sensitive information on laptops and other devices
- Use an SSO solution with a built-in password manager to create strong passwords and secure access to your business applications
- Avoid opening email attachments from people you don’t know
- Use Two-Factor Authentication when available
- Always update security software
- Monitor network activity
- Have a disaster recovery plan in place
- Train employees on how to detect phishing scams and attacks
- Ensure all endpoints that connect to your company’s critical apps and data
- Regularly test your backups
- Make sure everyone understands what they should do if they suspect a breach
- Keep track of who has physical access to your office
- Protect against social engineering
- Take advantage of free tools like O365 Advanced Threat Protection
- And finally, never forget: You can never be too careful with cybersecurity!
- Get help from a professional security consultant
MSSP Serving Small and Medium-sized Businesses