New FTC Safeguards Rule: What Insurance Agencies Need To Know

Another day, another regulation.

To keep pace with the ever-changing cybersecurity landscape, the Federal Trade Commission recently updated its 2003 Gramm-Leach-Bliley-era Safeguards Rule. The new Standards for Safeguarding Customer Information are far more in-depth and do a great job of bringing this regulation into the modern era.

Now, I know what you’re thinking: Does the FTC Safeguards rule even apply to Agencies? Well, that ultimately depends on what types of services your Agency provides. But before we make a decision, let’s review what’s involved.

Key Aspects of the new FTC Safeguards Rule:

Determine Applicability and Scope of the Safeguards Rule (Section 314.2(h)):

  • Understand whether your insurance agency qualifies as a covered entity under the FTC Safeguards Rule. The definition is quite vague, so I’d recommend erring on the side of caution.
  • Identify the types of non-public personal information (NPI) that your agency handles, including customer details, financial records, and medical information.
  • Ensure compliance with the rule’s requirements based on the size, nature, and scope of your agency’s operations.

Conduct A Risk Assessment (Section 314.4(b)):

  • Your Information Security Program should be based on an assessment of foreseeable risks.
  • Your risk assessment should include recommendations and requirements for mitigating discovered risks.

Develop a Comprehensive Information Security Program (Section 314.3(a)):

  • Establish an information security program specifically tailored to your insurance agency’s unique needs, risks, and compliance obligations.
  • Conduct a comprehensive risk assessment to identify vulnerabilities in your agency’s systems, networks, and processes.
  • Implement robust security measures, including data access controls, encryption protocols, secure transmission methods, and secure storage of customer data.

Appoint a Dedicated Data Protection Officer (DPO) or Team (Section 314.4(a)):

  • Designate a competent individual or team responsible for overseeing the implementation and enforcement of your agency’s information security program.
  • Ensure the DPO or team possesses expertise in data protection, privacy regulations, and the insurance industry’s specific requirements.
  • Provide the necessary authority and resources to the DPO or team to effectively address data security concerns and communicate with stakeholders.

Design and Implement Safeguards and Controls (Section 314.4(c)):

  • Apply the Principles of Least Privilege.
  • Implement encryption and multi-factor authentication.
  • Establish policies for data retention and destruction.

Regularly Test and Monitor Your Security Controls (Section 314.4(d)):

  • Implement solutions that deliver continuous monitoring.
  • Monitor for new vulnerabilities in the environment.
  • Consider the need for penetration testing.

Train Employees on Data Security Best Practices (Section 314.4(e)):

Implement Vendor Management Practices (Section 314.4(f)):

  • Evaluate the security practices of third-party vendors and service providers who have access to customer data or handle sensitive information.
  • Implement stringent vendor management procedures, including due diligence assessments, contractual obligations, and ongoing monitoring of vendor compliance.
  • Regularly review and update agreements with vendors to ensure they align with the FTC Safeguards Rule’s requirements.

Establish Incident Response and Data Breach Notification Procedures (Section 314.4(h)):

  • Develop an incident response plan that outlines the steps to be taken in the event of a data breach or security incident.
  • Ensure the plan covers incident detection, containment, investigation, mitigation, and recovery.
  • Familiarize yourself with relevant breach notification laws and establish procedures to comply with reporting obligations in the event of a breach.

Report Your Cybersecurity Status and Progress At Least Annually (Section 314.4(i)):

  • Your Data Protection Officer or Team should provide written updates to the Governing Body at least annually.
  • These updates should include the overall status of the Information Security Program (implementation, compliance, and effectiveness).
  • Material milestones and deficiencies should also be reported.

Regularly Assess and Update Your Information Security Program (Section 314.4(g)):

  • Conduct periodic reviews and assessments of your information security program to identify and address emerging risks, technological advancements, and changes in regulatory requirements.
  • Stay updated on best practices and industry standards for data security and privacy in the insurance industry.
  • Continuously improve your program based on lessons learned from incidents, audits, and feedback from employees and stakeholders.

As you can see, these new Standards for Safeguarding Customer Information closely resemble other industry regulations, such as the NAIC Insurance Data Security Model Law and NY’s 23 NYCRR 500 (watch our recent webinar on the 23 NYCRR 500 changes), so we should already be well on our way to meeting these new requirements. So while the FTC Safeguards Rule may or may not apply to your Agency, I would strongly encourage you to bake these requirements into your existing Cybersecurity Program. It will be minimal effort for the reward of knowing there’s one less thing you have to worry about.

How Kite Technology Can Help

Ready to take proactive steps in ensuring your agency’s compliance with industry cybersecurity regulations? Let Kite Technology be your trusted partner in this journey. With our expertise in insurance industry regulations and cybersecurity, we are well-equipped to guide you through the evaluation process and implement a tailored Cybersecurity Program for your agency. Contact us today to discuss your specific needs and goals. Together, we’ll fortify your data protection measures and ensure your agency remains secure and compliant.

Jason Gobbel

Chief Solutions Officer
Kite Technology Group

What You Should Know About the LastPass Breach

As you may have recently heard, LastPass (a popular password management software used by millions and recommended by KiteTech) was the recent target of a data breach involving customer data. This news release contains more information about what happened.

Virtually all businesses these days have some digital footprint, so any of them, especially those who deal directly with sensitive personal data, could potentially be targeted for data compromise. That said, KiteTech takes very seriously the trust our customers put in us and the importance of your personal data, and we want to make sure you are fully informed about what happened and what you should do about it.

What happened?

A threat actor was able to copy a backup of customer vault data from the encrypted storage container. The backup is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, and fully encrypted sensitive fields, such as website usernames and passwords, secure notes, and form-filled data. These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password. The master password is never known to LastPass and is not stored or maintained by LastPass. The encryption and decryption of data is performed only on the local LastPass client.

Out of an abundance of caution, LastPass is still requiring all users to reset their master passwords.

LastPass has provided the following instructions for resetting your master password:

“To reset your master password, please visit https://lastpass.com/ and click on “I forgot my password”. You will be guided through the process of resetting your master password, which will require you to verify your account using either your email address or a recovery one-time password.”

What should you do about it?

  1. The first thing we recommend is that you immediately change your Master Password in LastPass. While the Master Passwords were not compromised, all LastPass encryption is derived from the Master Password. Changing the Master Password will “re-key” the Password Vault with new encryption.
  2. Equally important, make sure that Multi-Factor Authentication (MFA) is enabled on your LastPass account. We recommend that you enable MFA on all of your accounts anyway, but if you do not have MFA enabled on your LastPass account you are at extreme risk for your passwords being compromised.
  3. We also recommend you change the passwords of each account you have stored in LastPass. Again, it appears that passwords were not fully compromised in unencrypted form, but it is prudent to be abundantly cautious and change your passwords (after you have changed your Master Password). LastPass is advising that the likelihood of the threat actor decrypting this data is slim, but we do think it is in your best interest. We understand this can be a time-consuming task. We would recommend prioritizing any credentials that protect financial data (banks, insurance, etc). For accounts that do not protect sensitive data, you may choose to change those as you access them during the normal course of use.
  4. Lastly, be on the lookout for phishing attempts related to this compromise. With LastPass not storing the Master Password, the only source of that password is you. It is important to remember that LastPass will never call, email, text, or send you a link requesting your Master Password.
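The sketch below is an added example, not LastPass code or code from the original article. It models the vault described above (URLs in clear, sensitive fields under a key derived from the master password) and shows why step 3 follows step 1: re-keying protects the live vault, while a copy taken earlier stays under the old key. PBKDF2-SHA256, the iteration count, AES-256-GCM, the record layout and all sample values are assumptions made for the illustration.

```javascript
// Added illustration. The KDF, cipher mode, iteration count and record layout
// are assumptions; the article only states "256-bit AES" and "key derived from
// the master password".
const crypto = require('node:crypto');

const KDF_ITERATIONS = 100000; // assumed value, chosen so the demo runs quickly

// Derive a 256-bit vault key from the master password and a per-vault salt.
function deriveKey(masterPassword, salt) {
  return crypto.pbkdf2Sync(masterPassword, salt, KDF_ITERATIONS, 32, 'sha256');
}

function encryptField(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return {
    iv: iv.toString('hex'),
    ct: ct.toString('hex'),
    tag: cipher.getAuthTag().toString('hex'),
  };
}

function decryptField(key, field) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(field.iv, 'hex'));
  decipher.setAuthTag(Buffer.from(field.tag, 'hex'));
  const pt = Buffer.concat([decipher.update(Buffer.from(field.ct, 'hex')), decipher.final()]);
  return pt.toString('utf8');
}

// Seal a vault: the URL stays readable, username and password are encrypted.
function sealVault(masterPassword, entries) {
  const salt = crypto.randomBytes(16);
  const key = deriveKey(masterPassword, salt);
  return {
    salt: salt.toString('hex'),
    items: entries.map((e) => ({
      url: e.url,
      username: encryptField(key, e.username),
      password: encryptField(key, e.password),
    })),
  };
}

// Returns the decrypted entries, or null when the master password is wrong
// (the GCM authentication tag does not verify under the wrong key).
function openVault(masterPassword, vault) {
  const key = deriveKey(masterPassword, Buffer.from(vault.salt, 'hex'));
  try {
    return vault.items.map((i) => ({
      url: i.url,
      username: decryptField(key, i.username),
      password: decryptField(key, i.password),
    }));
  } catch (err) {
    return null;
  }
}

// Changing the master password: decrypt with the old key, re-encrypt with a new one.
function rekeyVault(oldPassword, newPassword, vault) {
  const entries = openVault(oldPassword, vault);
  if (entries === null) throw new Error('old master password is wrong');
  return sealVault(newPassword, entries);
}

function demo() {
  // Constructed sample entry.
  const entries = [
    { url: 'https://bank.example/login', username: 'agent01', password: 'constructed-secret-1' },
  ];
  const live = sealVault('old master passphrase', entries);
  const earlierCopy = JSON.parse(JSON.stringify(live)); // backup taken before the reset
  const rekeyed = rekeyVault('old master passphrase', 'new master passphrase', live);
  return {
    urlsReadableWithoutKey: earlierCopy.items.map((i) => i.url),
    rekeyedOpensWithOld: openVault('old master passphrase', rekeyed) !== null,
    rekeyedOpensWithNew: openVault('new master passphrase', rekeyed) !== null,
    copyOpensWithOld: openVault('old master passphrase', earlierCopy) !== null,
    copyOpensWithNew: openVault('new master passphrase', earlierCopy) !== null,
  };
}
```

The earlier copy is unaffected by the re-key, so its protection rests entirely on the strength of the old master password; rotating the stored passwords makes its contents stale.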

Conclusion

While data breaches are always a worrisome subject in the realm of cyber security, the steps listed above will help you remain secure. By using a strong, unique master password and utilizing multi-factor authentication, you are doing your part in staying protected.

As always, if you have any questions or further concerns, KiteTech is here to help. If you’re already a current client, feel free to reach out to your account manager for further discussion. If you’re not currently working with Kite Technology and would like to learn more about how our Managed IT and Security Services can help you operate more effectively and secure your business, please contact us to schedule a conversation. We’re here to help!

Dillon Fornaro

Security Engineer
Kite Technology Group

Tips for Staying Safe from Cyber Attacks

As the world around us becomes increasingly digital, it has never been more crucial to know the cyber threats that we face and how to avoid them. Threat actors are continuously looking for any vulnerabilities in our systems that they can exploit. Make sure that you are staying aware of the dangers out there and taking steps to strengthen your security posture. Here are 4 tips that you can leverage for staying safe from cyber attacks.

Tip #1: Avoid Being Tricked by MFA Fatigue

MFA fatigue is when a threat actor persistently attempts to log into an end user’s account using legitimate credentials until the user approves the MFA request on their phone or authenticator app. The constant request to approve the login is used as a tactic to annoy the end user and trick them into approving the login to stop the requests.

If you aren’t currently attempting to log into the service where the request is coming from, always choose to deny and change your password to stop the requests.
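On the monitoring side, the pattern described above shows up in authentication logs as a burst of denied or timed-out push prompts, sometimes ending in an approval. The following added example (not from the original article) flags both cases; the log format, field names, thresholds and sample lines are assumptions constructed for the illustration.

```javascript
// Added example. Log format, event names and thresholds are assumed, and the
// sample lines are constructed (documentation IP ranges only).
const WINDOW_MS = 10 * 60 * 1000; // look-back window for unapproved prompts
const MAX_UNAPPROVED = 4;         // prompts in the window that count as a burst

const SAMPLE_LOG = `
2024-05-06T09:00:00Z user=alice event=push_denied src=203.0.113.7
2024-05-06T09:00:40Z user=alice event=push_timeout src=203.0.113.7
2024-05-06T09:01:10Z user=bob event=push_timeout src=198.51.100.20
2024-05-06T09:01:30Z user=alice event=push_denied src=203.0.113.7
2024-05-06T09:01:35Z user=bob event=push_approved src=198.51.100.20
2024-05-06T09:02:15Z user=alice event=push_denied src=203.0.113.7
2024-05-06T09:03:00Z user=alice event=push_timeout src=203.0.113.7
2024-05-06T09:03:20Z user=alice event=push_approved src=203.0.113.7
2024-05-06T08:00:00Z user=carol event=push_denied src=192.0.2.44
2024-05-06T08:40:00Z user=carol event=push_denied src=192.0.2.44
2024-05-06T09:20:00Z user=carol event=push_denied src=192.0.2.44
2024-05-06T10:00:00Z user=carol event=push_denied src=192.0.2.44
garbled line without fields
`;

// Parse one line; malformed lines return null and are skipped by the caller.
function parseLine(line) {
  const m = /^(\S+) user=(\S+) event=(push_denied|push_timeout|push_approved) src=(\S+)$/
    .exec(line.trim());
  if (!m) return null;
  const ts = Date.parse(m[1]);
  if (Number.isNaN(ts)) return null;
  return { ts, user: m[2], event: m[3], src: m[4] };
}

// Walk events in time order, keeping per-user timestamps of unapproved prompts
// that are still inside the window.
function detectMfaFatigue(logText) {
  const unapproved = new Map();
  const alerts = [];
  const events = logText
    .split('\n')
    .map(parseLine)
    .filter(Boolean)
    .sort((a, b) => a.ts - b.ts);

  for (const ev of events) {
    const recent = (unapproved.get(ev.user) || []).filter((t) => ev.ts - t <= WINDOW_MS);
    if (ev.event === 'push_approved') {
      // An approval right after a burst is the outcome the attacker is waiting for.
      if (recent.length >= MAX_UNAPPROVED) {
        alerts.push({
          user: ev.user,
          severity: 'high',
          reason: 'approval after prompt burst',
          unapproved: recent.length,
          src: ev.src,
        });
      }
      unapproved.set(ev.user, []);
    } else {
      recent.push(ev.ts);
      unapproved.set(ev.user, recent);
      // Alert once, when the burst threshold is first reached.
      if (recent.length === MAX_UNAPPROVED) {
        alerts.push({
          user: ev.user,
          severity: 'medium',
          reason: 'prompt burst',
          unapproved: recent.length,
          src: ev.src,
        });
      }
    }
  }
  return alerts;
}
```

A medium alert is a cue to contact the user and reset the password, since the prompts mean the password is already known; a high alert means the session that was just approved should be treated as suspect.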

Tip #2: HTTPS Does Not Mean the Website is Safe

HTTP is an internet protocol that is used to communicate to a webserver from your browser. When you browse to a website using HTTP, all of the data requests that are used to communicate to the webserver are in plain text. HTTPS is the secured version of that protocol. This means that the network traffic from your local browser to the website is encrypted and cannot be deciphered without the appropriate key.

However, the big takeaway is that just because the traffic to a website is secured by HTTPS does not mean that the website is safe. Always confirm by double-checking the URL, and be sure to research the legitimacy of the website before entering any credentials.

Tip #3: Keep your Operating Systems up to Date

Whether it’s Windows, Mac, or mobile device, keeping the operating system up to date is one of the most important steps you can take to protect your data. These updates contain security patches for your device, which are used to fix the vulnerabilities in the operating system that are commonly exploited by threat actors.

It’s understandable that updating can cause some hindrance during your workday. To combat this, be sure to schedule these updates during your off hours so that they don’t cause any interruption and you can ensure the device is secured.

Tip #4: Implement a Call-back Procedure for Financial Transactions

Whether it’s a wire transfer or a credit card transaction, handling this type of data can be scary. You want to confirm that when you are processing these types of transactions, the money is coming and going from the correct place and person. This is why it’s important to have a call-back procedure in place to confirm the person is who they say they are, and that the communication is legitimate before moving forward.

Conclusion

These are just a few of the many steps that you can take to stay safe from cyber threats. While the threats that endanger our security will never be eliminated, there are fortunately many strategies that you can use to mitigate them. Taking the time to stay informed on the latest security best practices will go a long way in protecting you and your business.

If you’re not currently working with Kite Technology and would like to learn more about how our Managed IT and Security Services can help you operate more effectively and secure your business, please contact us to schedule a conversation. We’re here to help!

Dillon Fornaro

Security Engineer
Kite Technology Group

The Dark Web, Deep Web, and Surface Web: Understanding the Difference

Over the past several years, cybersecurity awareness has become much more prevalent in mainstream media, and for a good reason. The uptick in stories about the latest data breaches and rampant identity theft has brought about the use of terminology that was not well-known to the general public but commonly used throughout the infosec (Information Security) community. 

To the uninformed ear, these cybersecurity terms can be confusing and sound intimidating as they are commonly used as a scare tactic to sell you a product or service. While these products and services are valuable assets to leverage, it is essential to understand precisely what these terms mean, so you can make an informed decision on the services you need to protect your organization. In this article, I want to demystify a common cybersecurity term “the Dark Web” by discussing what makes the Dark Web different from the Deep Web and Surface Web. I’ll also share what you need to do to protect yourself and your data.

How Search Engines Work

Before we talk about the Dark Web, Deep Web and Surface Web, it is important to understand search engines and how they work. For those born before 2000, navigating the internet was a bit different. Google was just starting out, and Bing hadn’t even been invented yet. While there were other search engines available, they weren’t as well-known or as useful as the ones available today. If you wanted to find something on the internet, you needed a direct link to get there, as you couldn’t just search for a topic and have a list of relevant websites show up in your browser. Sounds cumbersome, right? Well, luckily for us, Google thought the same thing and acted by creating their search engine.

Crawling and Indexing Explained

There are two terms you should be aware of regarding search engines: crawling and indexing. Without getting too in-depth, crawling is the process of scouring the web in order to upload discovered websites to an ever-growing list in a database. This process is usually programmed so that newly created websites are automatically found and added to the database. Indexing, in its basic form, is just organization. The websites in the database are reviewed and organized based on different parameters such as keywords, topics, malicious vs. non-malicious, and many others. Crawling and indexing are the core features that allow search engines to work the way they do.

If you’re a bit confused, think of it like a library. A library crawls the world to purchase books worth adding to their shelves (the database). The books are then organized (indexed) based on genre. You then query the librarian (the search engine) for the type of book you are looking for, and they know exactly where to find it.

The Difference Between the Surface Web, Dark Web, and Deep Web

Now that you understand how search engines work, let’s decipher the terminology behind the Surface Web, Dark Web and Deep Web. We’ll start with the one that everyone is familiar with, the Surface Web, otherwise known as the Open Web.

The Surface Web

The surface web is what most people use daily. It consists of publicly available websites that a search engine has indexed. You are already familiar with how it works. You enter a keyword into Google, and all of the websites related to that topic will show up. You choose a website to visit, and the data on that website will be made available to peruse at your leisure. It’s as simple as that.

The Deep Web

The Deep Web is a little different because search engines do not index websites associated with it. This is important to understand before we can explain the Dark Web. Surprisingly, most websites available on the internet today are actually a part of the Deep Web, so you’re more than likely navigating to these resources daily. Since you can’t find these websites by searching for them, how exactly do you find them? A lot of the Deep Web consists of private databases and internal networks that require specific permissions to access. You are either invited to create an account for the website or utilize proprietary software that connects directly to the resource.

Some examples of this would be checking your bank account online. While you can search for Bank of America and access their public site, you can’t directly search for your bank account, right? Therefore, when you go to Bank of America’s website, you must click on a separate link to log in and enter your credentials to access your account. You have now moved from the Surface Web to the Deep Web as your account is a part of their internal database, which cannot be found by searching on Google. Another example would be accessing email through the Outlook application or web interface. You can navigate to the Outlook website directly or install the desktop client, which is publicly available to anyone who wants to download it. But, to gain access to your account, you must enter your username and password, which transfers you directly to a Deep Web resource as your data is not accessible directly through a Google search.

The Dark Web

Last is the infamous Dark Web. The Dark Web is actually a part of the Deep Web as a whole because it consists entirely of unindexed content. However, there are significant differences between the Dark Web and the Deep Web. The differences have to do with how the Deep Web and Dark Web are accessed, the anonymity of network traffic while browsing, and the types of data/activities they are commonly used for. To access the Dark Web, you need a particular browser that is developed specifically to talk to the servers hosting Dark Web content and link all of those services together through a proxy. The most common browser in today’s world is called TOR (The Onion Router) which was developed by the United States Navy to protect state intelligence. These browsers are designed to encrypt all traffic for privacy reasons, which is why many threat actors look to this type of web navigation to carry out illegal activities.

So, what types of things can you find on the Dark Web? Unfortunately, there are many distasteful themes, but for the purpose of helping you understand how to protect your data, I want to focus on the stolen credentials that are available for sale on the Dark Web. There are specific forums for the sole purpose of making money off of your stolen data. From usernames and passwords to credit cards and social security numbers, it all has a price, and people are willing to pay.

Protecting Your Data from the Dark Web

So, how do we stop your data from being sold on the Dark Web? Unfortunately, unless you work for a government agency with authority to decommission the websites hosting these forums, there isn’t much you can do to stop this data from being sold. Most people who aren’t in the infosec community won’t even be aware that their data is compromised.

That’s why you need to take a preventative approach. Awareness is key. That’s where Dark Web monitoring solutions come in. These solutions are designed to monitor the Dark Web and alert you to compromised credentials and stolen data. Knowing which credentials are compromised enables you to get ahead of the problem and take the appropriate action(s) to mitigate the risk.

Using identity theft protection through a third-party or your bank of choice can also play a huge role in keeping your identity safe. As I said earlier, awareness is key. Understanding what and, more importantly, how the data was compromised is critical for developing processes to prevent it in the future.

Kite Technology Can Help

At Kite Technology, we take a security-first approach in everything we do. As one of few Managed IT Service Providers in the country with the CompTIA Security Trustmark+ certification, KiteTech demonstrates our commitment to following security best practices and adhering to industry-recognized security standards and measures.

Our clients can focus on their business with peace of mind–knowing that we employ industry best practices and tools to keep their business systems and data safe and secure. To learn more about KiteTech’s Managed IT and Security Services, please reach out to schedule a conversation. We’d love the opportunity to talk with you and learn how we can help you protect your organization.

Dillon Fornaro

Security Engineer
Kite Technology Group

Insurance Technology Trends and Challenges Webinar Recording

Ready to learn more about Kite Technology Group? Our Managed IT and Consulting Services are designed to help organizations across the country operate at a high level. Our team of IT and business professionals are passionate about helping businesses like yours leverage technology to improve performance and security. 

To get the conversation started, please reach out to schedule a complimentary consultation. We look forward to talking with you!

Managed IT and Consulting Services

Managed IT Services

Learn how our Managed IT Services can benefit your organization. We can help you improve business performance, operate more securely and better support your remote workforce. We are eager to help you meet your technology goals.

Technical Consulting

A well-planned cloud adoption strategy is more important than ever. Our Technical Consulting team can help you develop and execute a strategy that meets your objectives and enables your team to work better and faster from anywhere.

Agency Consulting

Our Agency Consulting team is eager to help your team get the most from your Applied Epic investment. We’re here to help your agency optimize your system, improve utilization and maximize your overall efficiency.

How a Password Manager Can Help You Store and Secure Your Passwords More Effectively

The world is filled to the brim with technology. From smartphones to laptops, almost everyone has a presence in this technologically encompassed society we have built for ourselves. Our day-to-day consists of constantly logging in and out of devices, applications, and websites. While cumbersome, it’s necessary to do our jobs and move through the persistently growing tasks that require such a process. However, the sheer number of individual accounts tied to these responsibilities is becoming more and more overwhelming with each passing day. How are we expected to remember our credentials for every account we use? Better yet, how do we retain this information securely? Well, that’s where password managers come into play. 

What is a Password Manager

Password managers have been available for quite some time but are just now becoming ubiquitous in the workplace. Before the adoption of this solution, end users would commonly use a Microsoft Excel datasheet or hand-written notes to store their passwords. And while an Excel document can be password protected and a notebook locked behind a cabinet, this was far from secure. That is why developers created the password manager: a noteworthy response to an inevitable problem that we are all reminded of daily. Our brains can only retain so much information, especially if it’s information that’s accessed infrequently. Password managers are a simple way to securely store your usernames and passwords. Whether it’s a service that you sign into regularly or a random website that you have to Google just to remember the name, all the information is stored under a single pane of glass.

How Password Managers Work

The way password managers work is simple. First, you need to install the password manager software. This may be through a browser extension or a mobile/desktop application. Credentials used to authenticate against the various websites and services you use are tied to a master account associated with the password manager. This master account is the only username and password that you must remember. Once you’re signed into this account, websites that you visit and applications that you use will talk to the password manager, automatically filling in your saved credentials. If the information is not yet saved within the backend of your account, it will notify you to either add a new account or update an existing account with current information. It’s as simple as that. 

Other Password Manager Features

Password managers aren’t only a place to store your credentials. Top of the line offerings from the most popular branded solutions usually offer a robust feature set that includes various other perks. A popular example of this would be LastPass. LastPass is a very common password management solution that offers more than just storing credentials. It includes a dark web monitoring tool that checks your usernames and passwords against the latest data breaches and warns you when your passwords should be changed due to potential compromise. They also offer other features such as secure storage of bank accounts and credit card information which provides a simple way to pay online without having to pull out your wallet. Finally, they include a way to generate a random but secure password for all your accounts. This entices the consumer to stop reusing passwords across different services and aids in preventing compromise by brute force attacks.

Security Considerations 

However, you may think to yourself, what’s the catch? How can my usernames and passwords be stored under one roof and still be secure? Well, it’s completely reasonable to have these doubts. As a cybersecurity professional, I was skeptical myself. In the world of information assurance, we implement policies, processes, and solutions within our environments based on a risk management strategy. Within this strategy, we ask ourselves if the potential loss from a risk outweighs the benefit of using the solution in question. In this case, I objectively believe it does, although there’s a catch. 

Password Manager Security Best Practices

For the benefit to outweigh the risk, this type of tool requires maintenance. It’s the user’s responsibility to routinely check and ensure the data they provide is secured. Begin by initially logging into all the different websites and services that you use. Update your passwords with a strong and randomly generated phrase created by the manager itself. Ensure no single password is being reused across another site. Check your account information against their compromise monitoring service. If something is flagged, change it as soon as possible. Most importantly, ensure that you lock down the master account with an industry standard passphrase and configure multi-factor authentication. If someone were to compromise the master account, they will have the keys to the castle. 

Conclusion

There are a wide variety of answers when it comes to password management and storage. No single solution fits everyone’s needs. However, if you haven’t had the chance to use one yourself, I highly suggest you give a password manager a try and see just how convenient such a simple product can be in your everyday workflow.

To learn about the latest technology trends and best practices, check out the KiteTech Blog. We are constantly updating it with valuable resources to help you improve the way you work. If you’d like to learn more about Kite Technology’s IT Services, please reach out to schedule a conversation. We are here to help!

Dillon Fornaro

Security Engineer
Kite Technology Group

Zero-Day Vulnerabilities – What They Are and How to Protect Yourself

Before discussing how you can protect yourself and your organization from Zero-Day vulnerabilities, it’s helpful to understand the term vulnerability as used in the cybersecurity industry. The National Institute of Standards and Technology, commonly referred to as NIST, defines vulnerability as “Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.” So, anything that threat actors can exploit in your environment is considered a vulnerability, even employees. 

What is a Zero-Day Vulnerability?

Zero-Day vulnerabilities are vulnerabilities in software that are actively being exploited in the wild but have not yet been disclosed to the software developer, or for which a patch has not yet been provided to fix the issue. These vulnerabilities are usually kept secret by threat actors and sold on the Dark Web for a hefty price. Depending on how much damage the exploit would cause, they can be sold for thousands and even millions of dollars.

If, at first, Zero-Day vulnerabilities are widely undiscovered, how are they initially found? That’s a great question! There are many different ways that Zero-Day vulnerabilities are uncovered, but some of the more common tactics are Threat Research and Vulnerability Disclosure Programs (VDPs). Not all Zero-Day vulnerabilities are found by malicious actors. There are legitimate organizations whose sole purpose is to research threat indicators in the wild and correlate them to potential vulnerabilities in the software being exploited. After confirming or even potentially confirming that a vulnerability exists, they would then reach out to the software vendor in question and disclose this information. This is usually done by following the organization’s Vulnerability Disclosure Program (VDP). These programs are designed to encourage Threat Researchers to come forth as well as anyone else who may have information regarding vulnerabilities in a software product. Most of these programs offer a monetary reward, and just like selling on the Dark Web, the amount paid is substantial. These programs aren’t always available, but more organizations are adopting this tactic to fight back against the cybercrime industry. There has even been legislation adopted to push companies toward creating their own VDP. If you ever notice a software bug that you can replicate, it’s worth reporting it. You may just end up with some money in your pocket!

Protecting Your Business From Zero-Day Vulnerabilities

Unfortunately, due to the nature of the threat, we can only mitigate the risk, not completely eliminate it. But don’t worry; implementing the proper controls, processes, and procedures can significantly reduce the risk of compromise. The first step in protecting your business from Zero-Day vulnerabilities and attacks is simple patch management. Your company’s IT provider should be on top of issuing the latest updates to all of your software. Whether it’s your line of business application(s) or your computers’ operating systems, applying the latest security patches is crucial. The process for managing these updates to your company’s software should be written down in its own policy and, if possible, automated. 

Another way to protect yourself against these threats is even easier than patch management – you need to be aware of what’s going on. Researching the latest threat trends and keeping yourself up to date about active exploits will provide you with the information needed to proactively patch your systems or isolate that specific software inside your network. I recommend subscribing to a security newsletter if you aren’t actively working in the Cybersecurity industry where threat research is a part of your job. On another note, while vulnerability scanning won’t necessarily provide you with insight on Zero-Day vulnerabilities affecting your network, it does give you a clearer picture of the threat landscape of your environment. More visibility offers you greater control, and greater control gives you better protection. 

Last but not least, start deprecating your legacy software. Any applications that are no longer supported by the vendor won’t be receiving further security updates. It is extremely risky to continue utilizing end-of-life (EOL) software inside your environment, so it’s crucial to move away from these solutions as soon as possible. If your business is dependent on a product that’s in EOL and deprecating it in a timely manner is not feasible, be sure to isolate any devices that contain the software from other areas of your network. Doing this will aid in preventing either malware or threat actors from moving laterally across your network in the event of a compromise.

Vulnerabilities can be scary, especially when Zero-Days are thrown into the mix. However, with the proper security controls, processes, and procedures, you can significantly mitigate the risk to your business. If you would like to learn more about how Kite Technology’s Managed IT and Security Services can better secure your organization, please reach out to schedule a conversation. We would welcome the opportunity to discuss your company’s IT and security needs and help you develop a plan to improve your performance and security posture. 

Dillon Fornaro

Security Engineer
Kite Technology Group

Cyber Liability Policy Resources

Cyber Liability Policy Requirements are Changing. Is Your Business Prepared?

What your business needs to know About New Cyber Insurance Requirements

Cyber crime is now one of the largest industries worldwide, costing companies a combined $100-billion or more each year. Small and midsized businesses are preferred targets because these attacks are automated, allowing criminals to easily infiltrate them with viruses and ransomware.

As a result, insurance carriers are leading the charge in security measures and have significantly increased the underwriting requirements of cyber liability coverage. Though requirements vary somewhat depending on the carrier, we know that they are all beyond what’s currently required under NAIC and various statewide regulations. New policy and existing policy renewals for cyber liability coverage will be impacted and meeting these requirements will likely include changes in process and the addition of new technology tools and management.

Examples of changes being requested by many cyber liability carriers include:

Watch the video to hear from Ryan Emerick, Client Experience Manager at Kite Technology on the latest regarding the changing cyber liability requirements. It is vital that you take the time to ensure that your organization is prepared to comply with the changing regulations. 

How Kite Technology can help

Kite Technology’s security offering utilizes a comprehensive, multi-layered approach that ensures your business is protected, in line with best practices and meeting regulatory compliance. Our Cybersecurity Services are designed to provide organizations 24×7 cybersecurity threat detection and compliance reporting. 

Our security engineers and client experience managers work closely with our clients to ensure that we are staying on top of their cyber liability carrier’s requirements and in compliance with any state or federal regulations they are subject to.

To learn more about how Kite Technology can help your business operate more securely and achieve compliance, please complete the form. A member of our team will reach out to schedule a complimentary consultation.


Kite Technology has earned the CompTIA Security Trustmark+ certification. The CompTIA Security Trustmark+ is the highest level of recognition for IT service providers that consistently follow security best practices, demonstrate a commitment to industry recognized security standards and adhere to prescribed security compliance measures.

Earning the CompTIA Security Trustmark+ offers our clients peace of mind–knowing that we employ industry best practices and tools to keep their business systems and data safe and secure. It also confirms our commitment to quality, assuring our clients that we have what it takes to help them meet their industry and government compliance obligations.

Security Resources

Download our resources to get started evaluating your organization's cyber security practices and identify gaps.

Cybersecurity Checklist

Protecting your business from modern threats requires a layered strategy.  Are you missing critical components? Download our comprehensive checklist to learn how your organization is doing when it comes to security.

Managed Security Services Flyer

Learn more about Kite Technology’s Managed Security Services. Experience the peace-of-mind that comes with knowing Kite Technology is using industry best practices and tools to keep your business systems and data safe and secure and compliant.


Webinar Recording: Navigating the Changing Cyber Liability Landscape

The dynamic threat landscape has led cyber insurance carriers to alter their underwriting standards, with many carriers increasing rates, limiting coverage, and limiting capacity for certain risks. Business technology requirements that need to be met in order to even qualify for coverage have also increased substantially.

Watch the webinar to learn more about the current cyber threat landscape and to get a stronger understanding of the technology requirements you and your clients will need to meet in order to purchase or renew your cyber liability policies going forward.


Steps to Improve Your Security in Light of Russian Cyber Threats

As news of Russian forces launching an attack on Ukraine hit the headlines on February 24th, it is vital that you keep security top-of-mind as the risk of cyber attacks and state-sponsored advanced persistent threats (APTs) is increasing substantially. We urge everyone to take steps to improve their security posture and stay extra vigilant.

Here at KiteTech, we persistently monitor new and ongoing cyber security risks like this and develop a plan of action to ensure that our clients’ resources and data are fully protected. Below is a list of recommendations for security services that are vital in protecting your business from cyber threats. 

Security Services That Protect Your Business

Multi-Factor Authentication

If we had to make a single recommendation for protecting your online accounts, it would be multi-factor authentication (MFA). Confirm not only that it is turned on for your business, but also that your personal accounts are protected behind MFA.

Security Awareness Training

While industry standard security products are critical to protecting your organization, end users will always be your greatest risk. It’s crucial that you require employees to complete their annual security awareness training.

Antivirus/Endpoint Detection and Response (EDR)

Keeping antivirus signatures up to date is essential to protecting against known malware. Automatic updates should always be enabled for these products.

Geo-IP/Geolocation Filtering

Restricting access to accounts based on location has proven to be a very successful way of mitigating threats. While there are ways to circumvent these restrictions, its use in protecting against automated attacks is considerable. We encourage adopting this when available.

Cybersecurity Tips for End-Users

Now is the time to build a stronger line of defense against increasingly sophisticated cyber threats. Below are steps that end-users can take to ramp up their security practices.

  • Make sure MFA is turned on for all eligible accounts and working properly (can’t emphasize this one enough).
  • Keep an eye on your finances. Check for suspicious transactions and set up credit monitoring alerts.
  • If you have any backup emails or phone numbers tied to an account for recovery purposes, make sure they are updated with relevant information and MFA if applicable.
  • Utilize websites such as haveibeenpwned.com to check for compromised passwords. We have a subscription to ID Agent’s DarkwebID which features a live search function to check for password compromise tied to an email address. If you would like access to that, let me know.
  • If you aren’t using a password manager, I highly recommend migrating to one. It can be a lot of work, and some may be skeptical of having all their passwords in one place, but the security features outweigh the risk. Some examples of password managers are LastPass and Dashlane.
  • Be wary of approving logins on the Microsoft Authenticator app. If you didn’t initiate the authentication, deny the approval.
  • Take your time when reviewing emails with urgent or suspicious requests. Reach out to that person directly to validate. To those who may not be as tech savvy as others, don’t hesitate to ask for help. You’re not a burden for doing so whatsoever.
  • Be careful with what apps you allow to have access to what data, and consider only accepting necessary cookies for websites.
  • Make sure shared accounts are limited and all passwords for those are complex.
  • Be careful with pre-filling passwords; many websites don’t properly encrypt those, and they have been common targets for keyloggers.
  • Most importantly, be extra cautious. Even with all the security controls out there, you as the end user will always have the keys to the castle.
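One way to run the compromised-password check from the list above without ever sending the password itself, using the k-anonymity range endpoint of Have I Been Pwned's Pwned Passwords service. This is an added example, not code from the original post; the function names, the offline sample response, and its counts are constructed for illustration.

```python
"""Check a password against Pwned Passwords without sending the password.

Only the first 5 hex characters of the SHA-1 digest leave the machine; the
service returns every known suffix for that prefix and the match is done locally.
"""
import hashlib
from typing import Callable, Dict, List, Tuple
from urllib.request import Request, urlopen

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> Tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix: str) -> str:
    """Query the live range endpoint (needs network access)."""
    request = Request(
        RANGE_URL + prefix,
        # Add-Padding asks the service to pad responses so their size leaks less.
        headers={"Add-Padding": "true", "User-Agent": "password-check-example"},
    )
    with urlopen(request, timeout=10) as response:
        return response.read().decode("utf-8")


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; skip malformed lines and zero-count padding."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or len(suffix) != 35:
            continue
        try:
            seen = int(count)
        except ValueError:
            continue
        if seen > 0:  # padded entries carry a count of 0
            counts[suffix.upper()] = seen
    return counts


def breach_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """Return how often the password appears in the breach corpus (0 = not found)."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


def make_constructed_fetcher(sent: List[str]) -> Callable[[str], str]:
    """Offline stand-in for fetch_range. The response body and counts are constructed."""
    known_prefix, known_suffix = split_hash("password")

    def fetch(prefix: str) -> str:
        sent.append(prefix)  # record exactly what would have left the machine
        lines = ["0" * 35 + ":0", "not-a-valid-line"]  # padding entry + junk line
        if prefix == known_prefix:
            lines.insert(1, known_suffix + ":12345")  # constructed count
        return "\r\n".join(lines)

    return fetch


if __name__ == "__main__":
    sent: List[str] = []
    fetch = make_constructed_fetcher(sent)
    for candidate in ("password", "a-constructed-unbreached-passphrase-91"):
        print(candidate, "->", breach_count(candidate, fetch))
    print("sent to service:", sent)
```

Calling `breach_count(candidate)` with no second argument uses the live endpoint; any non-zero result means the password should be retired everywhere it is used.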

It is more important than ever to make it a priority to improve your organization’s cybersecurity practices and train your employees to stay conscious of any suspicious activity. If you notice anything questionable, reach out to KiteTech immediately so we can investigate.

If you are not currently working with Kite Technology and would like to learn more about our Managed IT and Security Services, please reach out and schedule a conversation. We are here to help!

Dillon Fornaro

Security Engineer
Kite Technology Group

Preventing Mobile Cyber Attacks

Did you know that 40% of all mobile devices are vulnerable to cyber-attacks and exploits? 

As smartphones and tablets become increasingly common in the workplace, hackers aren’t necessarily just trying to infect your device with malware; they may also use it to infect other devices on the same network as you.

In this post, we share a few helpful tips to help you stay secure when using your mobile devices.  

Apps

Applications are the lifeblood of a smartphone. However, not all are created equal. Make sure you are only installing apps that are available through your dedicated App Store. Depending on your device, this would either be Google Play for Android or Apple App Store for iPhones.

Wi-Fi

Set your applications to automatically update to ensure they have the latest security. If your wireless carrier is limiting the amount of data you are allowed to use on a monthly basis, consider turning on the feature that will only update your applications if you are connected to Wi-Fi. You can even set a schedule for when you know you’ll be home.

Browsers

The browser on your smartphone works the same way as it would on a desktop PC or a laptop. You should never save a username or password inside of a browser. If you are someone that is juggling a lot of different accounts like a lot of people today, consider using a password manager. 

Pay close attention to URLs. Just like when you’re browsing the web on a laptop or desktop, you always want to make sure that you’re on the correct site before inserting any information. 

Bluetooth

Bluetooth is a pretty simplified connection method. However, there are still ways to secure yourself from attacks associated with it. Turning off automatic Bluetooth pairing is an effortless way to prevent someone from illegitimately accessing your device. Also, if you’re not using Bluetooth, it is best to just turn it off completely. This will help protect from unwanted connections.

Vishing (voice phishing)

Spam calls are becoming extremely common on a day-to-day basis. How do we protect ourselves from people pretending to be someone they aren’t? Make sure you do not reveal any personal information over the phone unless you are absolutely sure who that person is. If you are hesitant, it is best to just hang up and call the direct number of the company or person in question. Also, be wary of urgency as scammers will try tricking you into thinking that this must happen now. I can assure you it doesn’t. 

Smishing (phishing via SMS)

Text messaging is becoming the most popular communication method between individuals. This just means that more people will start using this form of communication for malicious intent. Never click links or respond. The messages sent from unknown recipients always go directly to the source. Also, standard text messages are not encrypted. If nonpublic information is being requested, it is best to use another form of communication to provide these details.

I hope that these quick tips on mobile device security have been helpful. Remember, it is important to stay just as vigilant on your mobile devices as you are on your desktop PC.

If you would like to learn more about our Managed IT and Cybersecurity Services, please feel free to reach out. We would be happy to schedule a complimentary consultation to learn how we can help you operate more securely and meet compliance regulations.

Dillon Fornaro

Security Engineer
Kite Technology Group

Cybersecurity Bulletin – Microsoft Vulnerability CVE-2021-40444

Microsoft has made us aware of a new threat against Windows operating systems and Office products. Known as CVE-2021-40444, this vulnerability is being actively exploited, so it’s crucial that you stay informed and take the necessary measures to minimize your risk.

What's Happening

CVE-2021-40444 is a vulnerability that could allow a bad actor to take control of a system using malicious files or websites. Bad actors are sending out malicious emails and documents (Word, etc.) that leverage this vulnerability. An example of such a malicious document can be found below.

[Image: Example of a Malicious Document]

While antivirus has been proven to respond to some of these threats, out of an abundance of caution for our clients, KiteTech is taking the extra steps of disabling the features that rely on the underlying MSHTML engine that’s being exploited. This may impact some carrier websites and advanced features in certain Word/Excel documents that you use.

How to Minimize Your Risk

We’re learning from our security partners that while Microsoft’s recommendations help a great deal, they do not completely mitigate the threat. There are still ways this exploit can be used.

Be sure to consult with your IT provider or internal IT team to ensure that you are well protected. As always, be extra skeptical of any emails, files, or web links that you weren’t expecting. If you do receive a document via email that you weren’t expecting, please don’t open it. If you have any questions, reach out to your IT Provider.

KiteTech is Here to Help

For additional information on this vulnerability, check out this article by KiteTech partner, Huntress: https://www.huntress.com/blog/cybersecurity-advisory-hackers-are-exploiting-cve-2021-40444. The Kite Technology team is also here to help. If you’d like to learn more about how our Managed IT and Security Services can help your organization operate more securely, don’t hesitate to reach out. We are here to help!

Jason Gobbel

Chief Solutions Officer
Kite Technology Group

Why you Should Always Install Microsoft Updates

We’ve all been there. You sit down at your computer to get some work done when you receive a notification alerting you that Microsoft updates need to be installed. You think to yourself- “Didn’t we just do this 2 weeks ago?” So you hit Later and get started on your work.  

If this sounds like you, you’re not alone. We find that lots of people tend to put off or completely ignore Microsoft updates. Usually, the reasons fall into one of these categories: 

  1. Too Busy- I just turned on my device to get work done and don’t have time to do this now. I tell myself I’ll do it later when I’m not so busy. The problem is that I’m always busy!
  2. Not Needed- I don’t think I need that update; the system is working just fine. 
  3. Too Soon- I just did an update last week, so I question the necessity of installing another update so soon.

Can you relate?

The Bottom Line - Don't Ignore Microsoft Updates!

Microsoft updates should always be installed promptly. As inconvenient as they feel, Microsoft updates help shield you from hackers looking to exploit vulnerabilities they uncover in the Microsoft operating system. There is a great deal of personal and business data that can be compromised if a hacker gains access to your files. They could steal personal information like bank login credentials, personal pictures, as well as keystrokes to local and online accounts. They could also gain access to business files that include client and financial data, putting your business and clients at significant risk.

Businesses today, no matter the industry or size, are constantly being targeted by cybercriminals. Just a quick search will provide numerous statistics to scare even the most daredevil of a business owner. But don’t take my word for it. I would suggest searching “Hacking Statistics 2020” in your favorite browser just to get a snapshot of how Cyber Crime is an ever-increasing, growing threat. Many businesses falsely believe that they are not big enough or important enough to be a target. Cybercriminals are glad they think that way and are eager to take advantage of any opportunity they find.

Security reasons aside, installing your Microsoft Updates also ensures that you’ll have access to the latest and greatest features developed with your productivity in mind.

Additional Cybersecurity Considerations

Being diligent about installing your Microsoft updates is just one layer in the complete cocoon of safety we need to wrap ourselves in to protect our data. Some additional steps you can take to protect yourself and your business from cybercrime include:

1. Use MFA (Multi-Factor Authentication) wherever possible. MFA adds an extra layer of security by requiring you to verify your identity via SMS, phone call, or an app.  

2. Regularly update all applications that you use on your various devices like tablets and cell phones. These updates add valuable security features, enable your device to operate better, and give you access to new and improved functionality. Microsoft Office is an example of applications that will prompt you to update.

3. Do not open or click on unexpected emails or texts. Criminals will often hack email accounts and then use the victim’s account to send phishing emails to their acquaintances and friends. The intention is to trick the recipients to click on links or open attachments that will infect their system and compromise their data.

How a Managed IT Service Provider can Help

If your business is working with a Managed IT Service Provider or you have an internal IT department, it is likely that they can or already have automated the Microsoft update process for you. For example, here at KiteTech, we manage all Microsoft updates for our clients. To ensure this happens seamlessly, we recommend that each day users save the documents they were working on and log off or reboot their computer, leaving it powered on. We install updates overnight and reboot covered devices automatically to ensure they are secure. Users can then get right back to work the next day without delay. If you’re not working with an IT Provider, I would urge you to take the time and always install Microsoft updates promptly to protect yourself.

I hope you have found the information I shared today helpful and are convinced of the importance of installing Microsoft updates. Be sure to check out my article next month on what you need to know before purchasing business-class device warranties. If you have questions about KiteTech’s IT services and would like to learn how we can help your business operate more effectively, please contact us.

Tom Brooks

Tom Brooks is the VP of Business Development at Kite Technology Group. KiteTech provides Managed IT Services and Consulting to professional organizations and independent insurance agencies across the country. KiteTech is proud to have earned the CompTIA Security Trustmark, certifying that KiteTech meets or exceeds security best practices.

Top 3 Security Threats Related to a Remote Workforce

With so many businesses still having a distributed workforce, it is important to prioritize computer and network security.  While there are various security threats associated with employees working remotely, today, I will be focusing on the top 3 threats that you should be aware of and address to ensure that your employees and business are secure.

Home Networks

One of the main security risks of a remote workforce is the possibility of unsecured home networks. Did you know that according to PC Magazine, in a study of 2000 US residents, 23% of people reported that they are using default credentials on their router/modem, and 11% were not even sure of what their credentials are? That is very concerning with the number of cyber threats that are out there. Most home networks are set up by a local ISP and use a modem/router to provide WiFi. These home networks are often set up by a technician whose focus is function, but not necessarily security. Therefore, your network traffic may be open for anyone to snoop on without your knowledge. The best way to protect that data is to encrypt all non-public information you and your company send over the wire. This would require the use of a VPN (virtual private network). With the proper configuration of a VPN, your data will be encrypted in transit and unreadable to those who may be listening. To make sure you have a secure home connection, you will want to make sure that:

  1. You have encryption set up with a VPN to protect corporate data.
  2. Your WiFi has a secure password associated with it.
  3. Default credentials on all network devices are changed.

These three steps go a long way to ensure you have a secure home connection better defended from hackers with malicious intent.

Personal Computer Equipment

When the rapid shift to remote work took place last year, many employees started using their home PC to access company data and perform their business functions. While it is crucial to ensure that the devices in an environment that allow data to flow through the network are locked down, the machine that holds all your data, the PC, will be a hacker’s biggest target. According to Forbes.com, in a recent study, “56% of people were unable to bring equipment from their employer to work from home” and “a third admit to personally purchasing equipment to help them work remotely during COVID-19.” That is an extremely high number of personal devices, considering how many people are still working remotely. Furthermore, home PCs are often shared with children or significant others, further increasing your cyber risk. It is vital to your company’s security that remote employees use company-managed PCs or laptops. It takes the management out of the users’ hands and provides a higher level of security while handling the company’s data.

Cell phones and mobile devices are another component that needs security when being used for company email and accessing files. Make sure your infrastructure management includes a plan for keeping these devices protected.

Security Updates

According to bleepingcomputer.com, “based on a sample size of 163 million computers, 55% of all programs installed on personal computers running Windows are outdated.” Whether it is a firmware update for your hardware or a software update for your line-of-business application, this is something that the typical end-user often does not take the time to do. What can you do about it? Turn on automatic updates. This can go a long way in ensuring that updates are installed, and personal devices remain secure. While many of the software companies’ releases may be feature updates, you will also get vital security updates that help prevent exploitation of vulnerabilities in the system. This brings me back to having company-provided hardware.  When your company provides and manages home devices, your IT department can manage, audit and ensure that updates are promptly and correctly installed, which will go a long way in protecting your company’s data. Keep your devices up to date!

These are just a few of the security risks associated with a remote workforce. Unfortunately, there are many more threats to consider as malicious actors continuously search for opportunities to access your company’s data. It is essential to keep security top of mind and continue strengthening your security posture. There are many resources out there that can help you evaluate your current environment and provide recommendations for improving your security standards. We at Kite Technology can be that resource and can help you identify vulnerabilities and provide the tools, like cloud solutions, you need to eliminate them. Contact us today to learn more.

https://www.pcmag.com/news/survey-shows-many-home-networks-are-insecure

https://www.forbes.com/sites/chriswestfall/2020/08/25/statistics-show-remote-workers-are-frustrated-many-still-unprepared-for-working-from-home/?sh=403987c848b3

https://www.bleepingcomputer.com/news/security/outdated-software-exposes-pc-users-to-security-risks-says-report/ 

Adam Atwell

Cloud solutions architect

Adam is passionate about consulting with organizations across the country to help them develop and execute a cloud adoption strategy that meets their business needs and future objectives. Adam oversees and manages our company strategy for Microsoft 365 adoption and is responsible for future growth and development inside Microsoft 365 and other cloud technologies.