Don’t Take the Bait: Email and Phishing Scams

Anyone with an email address has, at one time or another, received emails attempting to con them into giving up information, buying into a scam, or clicking on malicious links or files. Many of these land in the spam folder (where you know you can’t trust the mail), but what about the ones that don’t?

These attempts cannot be taken lightly, and it is vital to stay alert. Do you know the person the email is from? Were you expecting this email? Can you trust what the email is saying? Even if you answered yes to all of these, the email could still be fraudulent.

They come in many forms; the most common are too-good-to-be-true schemes (business/investment opportunities, luxury trip winnings, or lotteries/prizes), crisis alerts (either someone seeking help or a warning that you are at risk), and “phishing” for account/personal details by impersonating a trusted institution.

Because these attacks take little effort and carry little risk for the attacker, they have become increasingly sophisticated. Scammers can create convincing emails that appear to come from trusted sources, including your bank and even universities. They mimic the trusted source’s email layout and branding so closely that you may not be able to tell the difference.

We have created guidelines that, if followed regularly and correctly, will dramatically reduce the risk of falling victim to email and phishing scams.

How to spot a phishing message?

Before clicking on a received email message, please consider these points:

  • Are there red flags?
      • Does the message ask for any personal information (password, credit cards, SSN, etc.)?
      • Hover your mouse over the links in the email. Does the hover-text link match what’s in the text? Do the actual links look like a site with which you would normally do business?
      • Does the message ask you to immediately open an attachment?
      • Does the message ask for sensitive information about others?
      • Bulk commercial solicitation: Are there lots of recipients to whom the email is addressed?
      • Click ‘Reply’ – Does the address in the ‘To’ field match the sender of the message?
      • Does the “From” email address look like either someone you know, a business you work with, or a proper email account?

  • Is there a lack of positive indicators?
      • Is the email from an entity/person with whom you do not do business?
      • Is it difficult to think of how the sender legitimately obtained your email address?
      • Is the message missing a digital signature/certificate?
      • Were you not expecting an email of this nature (e.g. password reset, account expiration, wire transfer, travel confirmation, etc.)?

If you are unsure about the legitimacy of an email sent to you, we will gladly help you decipher it.

DOs and DON’Ts to protect against email and phishing scams

DON’T send passwords or any sensitive information over email

No legitimate business or organization will ask you to send your password, account information, social security number, or other sensitive data over email. NEVER respond to an email requesting personal, financial, or other protected information, even if it appears to be from your bank or another trusted institution.

Instead, contact the institution the email appears to come from directly, and ask whether they actually sent the message you received.

DON’T click on “verify your account” or “login” links in any email

ALWAYS open a new window and use the institution’s official homepage to log into any account.

Links in an email may appear to go to the trusted site but actually redirect to a page that steals your login information.

DON’T reply to, click on links, or open attachments in spam or suspicious email

Send spam straight to the trash or immediately report it to the FTC at [email protected]. Don’t even click on it if you can avoid it. Clicking through or replying to spam confirms that your email address is live and encourages more such attempts in the future. NEVER open attachments from senders you don’t know.

DON’T call the number in an unsolicited email or give sensitive data to a caller

The risks associated with email phishing apply equally to phone calls. By using Voice over Internet Protocol technology, scammers can disguise their true phone number just like they can disguise their email or web address, so don’t assume that a familiar area code or prefix is safe to call.

Phone phishing can be even harder to detect than email phishing. Callers may impersonate institutional personnel, employees (or students) needing your assistance, or even police officers. Never give sensitive information to a caller you don’t know personally. If the need is legitimate, you will be able to call the person back using trusted numbers or email addresses you find on the official institutional website.

DO report impersonated or suspect email

As stated above, if you receive an email asking for personal, login or financial account information and appearing to be from your bank, or another trusted institution, forward the email to the FTC at [email protected]. Also forward the email to the organization being impersonated. (Most organizations have information on their websites about where to report problems. You might start by searching on the website for “fraud protection” or “spam” to find the correct email address.)

You may also report phishing email to [email protected]. The Anti-Phishing Working Group is a consortium of ISPs, security vendors, financial institutions and law enforcement agencies that is building a database of common scams to which people can refer.

DO be cautious about opening attachments, even from trusted senders

Email accounts can be hacked or impersonated by scammers, so an infected attachment can arrive from an address you recognize. If opened, files carrying viruses or other malware can access your data and/or harm your computer. Be wary of opening unsolicited attachments or downloading materials from an email, even if they appear to come from someone you know.

If you cannot obtain the information in the attachment any other way, examine the file extension before opening it. If the extension is among those listed below, the attachment is more likely to be malicious. (This list is non-exhaustive.)

    • .exe
    • .msi, .bat, .com, .cmd, .hta, .scr, .pif, .reg, .js, .vbs, .wsf, .cpl, .jar
    • .docm, .xlsm, .pptm (may contain macros)
    • .rar, .zip, .7z

Caution: no file type is 100% safe, especially if your operating system or any of your programs/apps have not been adequately patched. Consider verifying the legitimacy of the email and attachment with the sender before opening it.
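The checks from the “How to spot a phishing message?” list above (Reply-To mismatch, bulk recipients, requests for personal information, hover text that hides the real link) together with the risky-extension list, written as an added Python triage script; this is example code, not part of the original post. The message built by sample_message() is constructed with fictional addresses, and the recipient cut-off of 10 and the regex-based HTML link extraction are simplifying assumptions.

```python
# Added example, not code from the original post: heuristic triage of a saved
# email (.eml text) against the red-flag checklist and the risky-extension list.
# sample_message() builds a constructed, fictional message as input.
import os
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

RISKY_EXTENSIONS = {  # the page's non-exhaustive list of risky attachment types
    ".exe", ".msi", ".bat", ".com", ".cmd", ".hta", ".scr", ".pif", ".reg", ".js",
    ".vbs", ".wsf", ".cpl", ".jar", ".docm", ".xlsm", ".pptm", ".rar", ".zip", ".7z"}
BULK_THRESHOLD = 10  # assumed cut-off for "lots of recipients"
SENSITIVE = re.compile(r"password|credit card|social security|\bSSN\b", re.I)
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:/\S*)?$", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)  # simplified

def domain_of(text):  # last two host labels; ignores user@, port and co.uk-style TLDs
    host = urlparse(text if "://" in text else "http://" + text).netloc
    return ".".join(host.rsplit("@", 1)[-1].split(":")[0].lower().split(".")[-2:])

def red_flags(raw):
    """Return the checklist red flags found in an RFC 5322 message string."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply and reply != sender:  # the "click Reply" check
        flags.append(f"replies go to {reply}, not to sender {sender}")
    rcpts = sum(len(msg[h].addresses) for h in ("To", "Cc") if msg[h])
    if rcpts >= BULK_THRESHOLD:
        flags.append(f"bulk: addressed to {rcpts} recipients")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if SENSITIVE.search(text):
        flags.append("asks for personal information")
    for href, shown in ANCHOR.findall(text):  # hover text vs. real destination
        shown = re.sub(r"<[^>]+>", "", shown).strip()
        if LOOKS_LIKE_URL.match(shown) and domain_of(shown) != domain_of(href):
            flags.append(f"link text {shown!r} really goes to {domain_of(href)}")
    for part in msg.iter_attachments():
        ext = os.path.splitext(part.get_filename() or "")[1].lower()
        if ext in RISKY_EXTENSIONS:
            flags.append(f"risky attachment type {ext}")
    return flags

def sample_message():
    m = EmailMessage()  # constructed phish-like message, fictional addresses
    m["From"] = "Example Bank <alerts@example-bank.test>"
    m["Reply-To"] = "support@mail-verify.example"
    m["To"] = ", ".join(f"user{i}@example.com" for i in range(12))
    m.set_content("Please confirm your password.")
    m.add_alternative('<p>Confirm your password at <a href="http://login.'
                      'mail-verify.example/x">www.example-bank.test</a></p>',
                      subtype="html")
    m.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip",
                     filename="statement.zip")
    return m.as_string()
```

Calling red_flags(sample_message()) returns five flags, one for each check the constructed message trips; the same function can be pointed at any saved .eml file read as text.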

DO install antivirus and firewall programs

Anti-virus software and a firewall can protect you from accidentally accepting malicious files on your computer.

We can provide antivirus software that will help keep your computer safe. Antivirus software scans incoming communications and files for malicious content. Choose antivirus software that updates automatically and provides real-time protection.

A firewall helps make you invisible on the Internet and blocks all communications from unauthorized sources. It’s especially important to run a firewall if you have a broadband connection.

DO check financial statements and credit reports regularly

This should be done for security purposes in general. Read your monthly bank account and credit card statements to be sure all charges are authorized and request free annual credit reports to be sure there are no unauthorized accounts open in your name.

Other Tips:

    • Do read the small print. Get all promises in writing and review them carefully before you make a payment or sign a contract.
    • Do protect your personal information. Share credit card or other personal information only when you’re buying from a company you know and trust.
    • Do take your time. Resist any urge to “act now” despite the offer and the terms. Once you turn over your money, you may never get it back.
    • Do know who you’re dealing with. Don’t do business with any company that won’t provide its name, street address, and telephone number.
    • Don’t pay for a “free” gift. Disregard any offer that asks you to pay for a gift or prize. If it’s free or a gift, you shouldn’t have to pay for it. Free means free.

Through these preventative steps, you will be prepared for any sneak attacks on your email. Don’t make it easy for hackers to access your information. Education and action are key! We can help you get started!

Human Error Threats and How to Prevent Them

Human error in the workplace is not something to take lightly. A simple mistake by an employee who has access to sensitive data could mean the demise of your business. Not all employers realize how dangerous human error can be. When it comes to cybersecurity, employee mistakes can lead to serious breaches of your information security and should be treated as threats.

Typical employee cyber security mistakes are associated with poor password handling, careless handling of data, use of insecure software, and general lack of knowledge about potential threats and best practices to prevent them.

Although there are many situations that can lead to mistakes, there are five main categories of human error security threats.

Human Error Threats

1. Weak Password Security

Passwords are the most basic security control, and they provide reliable protection if handled with care and never shared with anybody. When passwords are not handled with proper care and procedures, however, they can be cracked, guessed or otherwise obtained by malicious actors, giving them full access to the system.

  • Using simple passwords. A typical example of the human factor in security is a simple password chosen because it is easy to remember. Sometimes employees even leave default credentials in place. Such passwords are easy to guess or to crack by brute force.
  • Sharing passwords. Sharing passwords among employees is a careless mistake that can easily give a malicious insider access to data they should not have. The well-known Edward Snowden breach reinforces the fact that this is a bad idea for security. Another mistake is reusing the same password across different services and accounts: if one of those services is compromised, all of them are potentially compromised.

2. Careless Handling of Data

Some positions within a company routinely involve working with large amounts of data or handling sensitive data. Employees in such roles can leak or compromise that data through carelessness, and one small mistake can result in a major data crisis and nearly ruin a company. Such carelessness may be a simple slip, or it may stem from employees not realizing the importance of the data. This is where employee education is vital, and it should continue past initial orientation. Some common mistakes include:

    • Sending data via email by mistake. Most white-collar employees send a lot of email during work. It takes only a single typo in the recipient address to send sensitive data to the wrong person.
    • Accidentally deleting files. Employees may delete files to clear space without realizing how important they were.

3. Inadequate Software Security

Employees tend to become careless when they perform the same task daily. The work becomes something to do efficiently rather than carefully, and proper security procedures are neglected. As a result, employees often put convenience ahead of the security of the software they use and the data they work with, and such an approach can compromise the cybersecurity of the whole organization. Common examples:

  • Neglecting updates. Employees often skip updates because they take too long or pop up at inconvenient moments, leaving software vulnerable to attack. Use of legacy software with known vulnerabilities is also a widespread issue; such software is often used not because it has necessary features found nowhere else, but out of habit.
  • Intentionally disabling security features. Employees may disable security features they believe hinder their work without realizing their importance. Such actions can easily compromise the security of the whole system.

4. Low Security Awareness

Attackers attempting to install malware or ransomware often do so through unprepared employees. Employees frequently have very low awareness of phishing and social engineering practices, which can lead them to inadvertently help malicious actors gain access to company data.

    • Using and downloading unauthorized software. Even if unauthorized software is not itself malicious, it can still contain vulnerabilities that give an attacker a way into your systems. Make sure your employees only download authorized software.
    • Clicking on malicious email links. Emails containing malicious links are very dangerous and hard to filter. With the latest resurgence of ransomware delivered via malicious email links, it is vital to educate your employees on how to recognize and avoid malicious emails.
    • Plugging in unknown or insecure devices. Make sure that your employees never plug unfamiliar devices into any company device. These can contain malicious code that runs automatically. Even if the device is the employee’s own property, your company should forbid outside devices. Even a device of known origin can harbor malware picked up on an outside network, and therefore should not be allowed.

5. Ineffective Data Access Management

Controlling access to sensitive data is a basic part of any security program. However, many organizations grant employees access to everything by default unless it is specifically restricted. This should not be done. Data access should be limited to those who need it to complete their tasks, and even then it should be closely monitored. Some examples of neglected access management are:

    • Having too many privileges. Employees may end up with access to data or system configurations that they should not have. Such access can result in accidental data leaks.
    • Performing unauthorized system changes. Employees may make unauthorized system changes to speed up their job or make it easier, most likely unaware that such changes can disrupt regular business processes and even bring down the system. You should block such attempts wherever possible.

Best practices for preventing human errors and security mistakes

Some of these mistakes happen more often than others. While they may not cause any immediate damage to your organization, these lapses in following procedure are disasters waiting to happen and cannot go unchecked. They can lead to cybersecurity breaches and data leaks that cost a lot of money to recover from and may damage your business. Fortunately, simple fixes can prevent disastrous mistakes.

By taking a holistic approach to insider threats and cybersecurity, you can reduce the rate of human error and prevent security mistakes. These practices will help you effectively protect your company from employee security mistakes:

    • Create an efficient and strict security policy.
    • Educate your employees monthly.
    • Apply the principle of least privilege so that only authorized employees have access to certain data.
    • Monitor your employees.

Conclusion

Human error threats can be prevented. Consciously learning how to prevent such errors and threats is the first step to making sure your security is tight. By implementing strict policies and procedures, you save your company the considerable time and money that would otherwise be spent fixing mistakes. Don’t let it get to the point of a mistake happening in the first place. Take action for your data security with our help!

Are you HIPAA Compliant for 2019?

The Health Insurance Portability and Accountability Act comprehensively defines how patient data should be taken care of by medical practitioners, pharmaceutical companies and other members of the healthcare world.

Since it was first enacted in 1996, HIPAA has gone through many revisions as new rules are added and existing rules expand in scope. This won’t end anytime soon: compliance requirements are sure to change again over the next 12 months. How can organizations keep up with recent and upcoming updates in order to stay compliant in 2018 and beyond?

The Cost of Violating HIPAA Rules

Being HIPAA compliant is not something that healthcare institutions can take lightly. Violating HIPAA rules can be extremely costly: fines range from $100 for minor events involving first-time offenders to $1.5 million for the most egregious cases. The final amount comes down to the level of negligence, the severity of the incident or data loss, and how long the organization took to respond. Being proactive and hiring compliance management pays off if a data loss incident occurs: companies are less likely to be given massive penalties if they demonstrate diligence, address the breach promptly and notify all affected parties.

What to Expect in 2019

Recently, President Trump’s administration has made numerous budget cuts to various federal agencies. The Department of Health and Human Services’ Office for Civil Rights – the office that oversees HIPAA compliance – will not be immune to this in 2019. It has been reported that the OCR plans to remove more than $6 million from its financial year 2018 budget.

This budget cut could be read as the federal government having fewer resources to enforce HIPAA compliance. However, the OCR may look to offset the reduction by actively policing the healthcare industry and aggressively fining offenders, meaning rigorous compliance is possibly more necessary now than ever.

It doesn’t stop there. Another expected step-up in enforcement this year is the government’s potential response to the not-so-stellar Phase 2 HIPAA Audit Program results. Covered entities that participated did not fare well: 94 percent of participants’ information security risk management strategies earned a rating of “inadequate” or lower.

It’s crucial to enlist aid to ensure that no violations are present. Nevada IT Solutions is a team of HIPAA experts that vigilantly reviews changes to the rules and regulations, keeping the team aware and ready to prevent violations.

Third-Party Vendor to Ensure HIPAA Compliance

The most important step a healthcare organization can take to comply with HIPAA guidelines is to stay proactive and continually check that its policies meet every requirement. It is important enough to be considered a full-time job. Waiting until an incident occurs to address an issue will only cause more financial and reputational damage.

When preparing for HIPAA compliance, it is in medical practitioners’ best interest to hire managed services such as Nevada IT Solutions to ensure that they strictly adhere to HIPAA regulations. Don’t let anything slip through the cracks. Negligence is never a valid excuse when it comes to HIPAA.

NVIT offers HIPAA compliance assessments and crafts a roadmap to compliance. We are one of the pioneers in cultivating the culture of compliance in the Reno Tahoe Region.

For a limited time, claim your free HIPAA assessment by contacting us here. Remember, HIPAA compliance is the law!