Because the majority of security breaches at small businesses are the result of people clicking on phishing emails, cyber criminals are taking advantage of the COVID-19 pandemic with scam emails and text messages leading to fake websites that harvest personal information.

How to educate workers
Cyber criminals are increasingly sophisticated and professional in their approach, and it can be difficult to detect fake emails or scams. Training staff, as well as managers, to recognise scams is crucial so they don’t fall for them. The Australian Cyber Security Centre has a useful free quiz tool to help educate people on what to look for, from spelling issues to URLs that don’t match the sites they’re supposed to be from.

It’s also vital to make sure that people understand the implications of risk. The reality is that carelessness or apathy can bring a business to its knees – and that means their job could go. It’s good business practice to run a test phishing scam on your staff from time to time. The aim isn’t to catch people out but to remind them to pay attention to emails, SMSs and messages on social platforms.

Securing devices
With the increase in employees working from home due to COVID, there’s a corresponding rise in connected devices. Many of these devices are personally owned by employees and may already be compromised. They include not only phones, tablets, laptops and desktops but also modems, routers, webcams and other connected “smart home” devices from TVs to home automation systems.

It’s not practical to audit all of these devices and lock them all down. But helping employees secure home routers and WiFi networks with strong passwords, firewalls and encryption, and providing staff with VPN access to the company network, is a good start. Employees should also be required to have strong passwords and change them regularly.

The same goes for second-hand hardware that a business may invest in. Hard drives should be fully wiped or replaced. The BIOS should be flashed to ensure no malware is lurking on the motherboard.

What if you fall victim to ransomware?
Getting hit with a ransomware message is a terrifying prospect. However, all is not necessarily lost. As with real viruses like COVID-19, a critical first step is to limit the spread – shut all systems down to prevent more devices and your backups from being affected. Then you need to establish whether it’s actually a hoax, and if it’s wise to employ experts at this point. Even if the threat is real and your systems have been compromised, it may be that your backups are sufficient to restore everything without needing to pay off the attackers.

Bear in mind that you are legally required to report breaches in most jurisdictions, and laws may vary between states and different industries. In Australia, under the Notifiable Data Breach (NDB) scheme an organisation or agency must notify affected individuals and the OAIC about an eligible data breach.

No matter how many precautions you take, some companies will fall victim to cybercrime. But taking a proactive approach, educating employees and closing as many holes as you can will reduce your overall risk. And as simple as it sounds, make sure you always back up relevant (sensitive) data that can be swiftly recovered so if ransomware or a cyber-attack happens, your business can keep running.

Time to revisit as working-from-home continues. Speak with the team at Webmax 365 about Cyber Security solutions for your business.

Source: Inside Small Business

The post How SMEs can secure themselves against cyber threats post-COVID-19 appeared first on webmax365.

If you don’t keep paying attention to your website, someone else will

An analysis of e-commerce stores around the world has revealed thousands of them are unwittingly running a dangerous payment skimming malware stealing thousands from users, with 50 new stores being infected each day.

The infection was uncovered by prominent Dutch security blogger and researcher Willem de Groot, who dubbed the malware ‘MagentoCore’, due to it infecting the popular e-commerce software Magento.

On his blog, de Groot said the skimmer had been placed on 7,339 online stores in the last six months, turning them into “zombie money machines to the benefit of their illustrious masters”. The blogger labelled the skimmer as the “most successful to date”.

“The victim list contains multi-million dollar, publicly traded companies, which suggests the malware operators make a handsome profit. But the real victims are eventually the customers, who have their card and identity stolen,” de Groot said.

De Groot says the malware often infects the website through a classic brute-force attack, which continuously tries to guess the password used by the website’s Magento admin panel over and over, sometimes for months. Once access is gained, the software injects a crafty piece of code into the website’s HTML.

An infected website will then record all keystrokes from customers on the website and beam them back to the hacker’s main server, capturing things such as usernames, passwords, credit card information, and personal details.

However, the malware also implements a recovery mechanism, which deletes the code after it has run, before redownloading it to run again later.

An analysis of 220,000 sites running currently by de Groot showed 4.2% of them were leaking customer data.

ITNews reports that, according to site source code search engine PublicWWW, there are just over 100 websites with the .au domain currently infected with the malware, however the real number could be higher as not all local e-commerce websites use .au domains.

Strong passwords and regular patching needed

Speaking to SmartCompany, founder of IT services firm Combo David Markus said these sorts of malware attacks can often stem from business owners not keeping their websites and software up-to-date, as well as general poor practices when it comes to password security.

Markus recalls a time where he had fallen behind in keeping his company’s website up-to-date, which led to some hackers infiltrating the site and changing some of its text. While not anywhere near as serious as payment-skimming malware, Markus said it taught him a lesson.

“If you don’t keep paying attention to your website, someone else will,” he says.

“It’s quite prevalent, and anyone in the business of e-commerce has a responsibility to manage your payment gateway software and any other software you use.”

Markus encourages businesses to keep a stringent patch schedule of at least once a week, but he says that should increase if businesses are operating active online environments such as e-commerce stores.

On his blog, de Groot advises any business that finds itself infected to follow some key steps, including finding how the malware got into the system in the first place and closing all points of access immediately.

“Analyse backend access logs, correlate with staff IPs and typical working hours. If suspicious activity is recorded from staff IPs, it could be that a staff computer is infected with malware, or that the attacker has hijacked an authorised session,” de Groot said.

Once that’s done, he advises restoring the website to an earlier trusted code version and then implement secure procedures that cover “timely patching [and] strong staff passwords”.

This article appeared in Smart Company.

Partner with webmax365, invest in the Security and Performance Plan that best meets your needs, and we’ll make sure your site is available 24/7, without problems, without interruptions, and always looking fantastic!

The post Zombie Money Machines: Infection Causes Sites to Skim Payment Details appeared first on webmax365.

Paige “Erratic” Thompson – a former Amazon Web Services employee – hacked an AWS sever storing an insurance company’s customer information. Once Erratic gained access to the server, she was able to obtain information on more than 100 million customers.

Most of the data she was able to collect was non-critical, such as names, email and physical addresses. That said, we shouldn’t minimize the severity of the breach. Thompson was able to get her hands on 1 million Canadian Social Insurance numbers, 140,000 Social Security numbers and 80,000 bank account numbers. Keep in mind, having someone’s name, address and Social Security number is all you need to steal their identity and establish loans in their name.

What’s The Lesson for ANY Business

Irrespective of the size of your business, there’s a lesson to be learned… this breach is just one of many that could have been easily avoided.

The AWS server was simply misconfigured, which allowed the hacker to access sensitive customer data. All they needed to do was apply a security patch that had been released three months before they were attacked!

Sadly, for everyone today, the other lesson to be learned from the ever increasing number of breaches: If you share your personal information online, you should expect that one day it will end up in a data breach.

The post Breach Compromises 100 Million+ Customers appeared first on webmax365.

So, in terms of your perception of cybersecurity, optimism bias can lead you to believe that your website is more secure or less likely to be attacked than it actually is.

It sounds crazy, yet nearly 70% of businesses believe they have above-average cyber defences in place while, in reality, less than 40% of businesses are using anything more than a cursory measurement of their cybersecurity readiness, and a further 20% of businesses, particularly in retail, financial services, and e-commerce, lack a strong self-assessment process of any sort.

The Optimism Bias in Small Business

Our optimism is fuelled from multiple sources. But, one that impacts us the most is what we see and hear in the news. Typically, the breaches we hear about impact large companies, which reinforces our belief that, if it’s not happening to other small businesses, it won’t happen to me.

And the result of this optimism? Only about 16% of small business owners say they’re concerned about potential cyberattacks, despite the fact that 43% of all cyberattacks target small businesses!

Even more disturbing is that small businesses are typically much less likely to recover from an attack. Small business data breach statistics suggest that 60% of them will go out of business within 6 months of a successful attack.

Optimism Is Not A Valid Security Option

To correctly determine your business’s true cybersecurity risks you need to measure your level of security. You should analyse as many variables as possible, including the size and complexity of your site, the software it’s built with, and the volume and source of traffic it receives.

Gaining a clear and accurate understanding of your cybersecurity risk will help you balance your natural optimism bias against the steps you need to take to enhance your cybersecurity.

You can take those steps yourself, or you can partner with webmax365 and we’ll take care of the heavy lifting.

Be optimistic, but within a realistic framework! This’ll give you the best chance of beating the hackers.

Partner with webmax365, invest in the Security and Performance Plan that best meets your needs, and we’ll make sure your site is available 24/7, without problems, without interruptions, and always looking fantastic!

The post Your Optimism Bias WILL Impact Your Website Security appeared first on webmax365.

So, backing up your site regularly and keeping it malware free by applying all relevant updates are two ways to minimise your chances of becoming another statistic.

However, herein lies another problem. Doing these things is great but doing them consistently is critical!

Every Update Brings Hackers Closer to Cracking Your Website

When WordPress updates their core files to fix exploitable vulnerabilities, they also lay down a roadmap for hackers highlighting their weak spots. The same goes for patches issued by developers for themes and plugins.

The moment updates go live, hackers update their malware injection bots, and this brings them one step closer to accessing your website.

Your Biggest Exploitable Vulnerability Remains A Lack of Time

Hackers send out these bots to infect any and all sites they find that haven’t been updated. So, if you’re not backing up your website or staying on top of updates the moment they go live, you’re potentially in very serious trouble.

As a small business owner, we know how strapped you are for time. Unfortunately, so do hackers. In fact, your “lack of time” remains your primary exploitable vulnerability, and one that hackers won’t think twice about taking advantage of.

The solution: Invest in a webmax365 Plan and we’ll make sure the hackers’ maps are “out of date”!

(*US National Cyber Security Alliance)

Partner with webmax365, invest in the Security and Performance Plan that best meets your needs, and we’ll make sure your site is available 24/7, without problems, without interruptions, and always looking fantastic!

The post Website Updates Are A Roadmap For Hackers! appeared first on webmax365.

We all understand how important having a back-up of your website is. Ironically, even the people who don’t maintain a current back-up still know how important it is!  

However, unless you have a specific plan in place that you’re paying extra for, web hosting companies, even the most respected in the industry, aren’t responsible for backing up your website. Check out the Terms & Conditions of most hosting companies and you’ll find clauses like this –  

“You acknowledge and agree that it is your responsibility to regularly backup all your content in order to prevent potential data loss.”

Even when you pay for a separate back-up service you still may not be fully covered…“If you purchase Backup Services from us, you acknowledge and agree that due to technical reasons a backup copy may not be available for restore upon your request.”… which is when you’re going to need it most!

The above examples were taken from actual T&C pages on reputable web hosting sites. 

Here are some other questions to be considered with “catch-all” back-up plans that are added to your hosting account –

Availability: Some will only back-up your site automatically if it’s within their website size limit.

Coverage: WordPress websites consist of both databases and files. It’s important to know exactly what’s being backed up and whether you have access to it all.

Frequency: How often your site needs to be backed up varies. If your hosting provider only takes a backup once a week, you could lose important data if your site crashes.

Storage: While the backup of your site might be regular, do they store multiple versions? Are the backups they do store encrypted to avoid the site being tampered with in the case of a security breach at their end.

This is in no way an indictment on web hosting companies. However, much of the confusion stems from what each party understands a back-up to be, and why it’s made.

Your host makes back-ups for their convenience, not yours. Most websites are maintained on shared hosting equipment. In this situation your website runs on a web server alongside dozens and even hundreds of other sites. You share the server resources like memory, internet connections, CPU etc.

In most cases, the host makes back-ups not of each website, but only of their own infrastructure settings, so these can be easily restored should anything go wrong. It’s up to individual website owners to make and maintain copies of their own sites.

Sadly, the assumption that your website is being safely backed up by your hosting provider is held by the vast majority of small to medium businesses, and is one that will leave you entirely exposed at the worst possible time!

Conclusion

Having a specialist, high-end backup solution in place, optimised for your WordPress website is fundamental. Once it’s set up, you can stop worrying about losing your site’s data and get on with the important job of growing your business.

Partner with webmax365, invest in the Security and Performance Plan that best meets your needs, and we’ll make sure your site is available 24/7, without problems, without interruptions, and always looking fantastic!

The post Your Website Host IS NOT Automatically Backing Up Your Site! appeared first on webmax365.

Cyber criminals don’t discriminate, so stop wondering if you’ll be attacked, that’s already happening. What we need to do is prevent them from getting through and damaging your business!

Malware Trends

“Noisy” and conspicuous website attacks that are easier to spot are giving way to more insidious weapons that often show no symptoms at all. As such, malicious files are less likely to be detected and removed once your site has been compromised.

In the past, many cybersecurity professionals have maintained that a basic review of all files on your site should allow you to detect suspicious and unusual content. But, what most don’t appreciate is that, today, hackers often bury their “attacks” several layers deep, easy to miss with just a surface scan.

A simple example – missing a hidden spam attack can decimate your search engine results, meaning lost customer trust and income. Without proper maintenance and protection, you’ll never be alerted, you won’t know what’s causing your problems and, as a result, you won’t be able to fix them!

Bots – What Are They?

By now you’ve heard of “bots”, but what is a bot? Firstly, it comes from shortening the word robot and, in computer terms, is defined as an autonomous program which can interact with systems or users by behaving like a human.

Did you know that in excess of 60% of all website traffic is generated by web bots masquerading as humans, and not real humans! Scary isn’t it…

Good bots do exist – like search engine crawlers that index your website pages – but, sadly, far more bot traffic has malicious intentions!

What makes it easy, also makes it vulnerable

Let me assume you’re always working to make your business better and more profitable. Sadly, cybercriminals are also constantly working to hone their craft. They’re getting better at their jobs meaning their attacks are getting harder to detect.

Plus, while advances in technology and automation have made it so easy to build a website (literally anybody can do it!), these same advances have made it simple to launch attacks – clicking a single button can automatically scan thousands of websites at once and exploit any vulnerabilities that are found.

Web robots launching coordinated and automated attacks might sound like science fiction, but they’re a real and growing threat to websites of all shapes and sizes.

And you can’t respond to these threats effectively without automation of your own, otherwise, to use an analogy from pre-internet days, it’s like taking a knife to a gunfight!

Don’t take it personally

All websites, regardless of size, are inherently at risk of attack. Short of removing everything about yourself and your business from the internet, there’s no way to completely eliminate the risks associated with being online. The best you can do is minimise those risks and mitigate the consequences.

Don’t take it personally, cybercriminals don’t discriminate based on a website’s size, industry or traffic.  In fact, smaller sites often provide easier targets due to the fewer security precautions in place.

At webmax365 we have the resources to provide Maximum Security and Maximum Performance. Our single, all-inclusive monthly investment, makes it easy to budget, with no headaches and no surprises!

Partner with webmax365, invest in the Security and Performance Plan that best meets your needs, and we’ll make sure your site is available 24/7, without problems, without interruptions, and always looking fantastic!

The post Malware Trends appeared first on webmax365.

Did you know that your business is more likely to experience a data breach or cyber attack than you are to get the flu? According to WebMD, less than 10% of the population gets the flu each year. Compare this to:

67% of businesses report being victims of cyber attacks, according to a Ponemon Institute study.

Over half of businesses have experienced data breaches in the past 12 months.

83% of respondents to ProofPoint’s 2019 State of the Phish Report said they experienced phishing attacks in 2018.

What does this mean for small businesses and website owners? Similar to how you take precautions for your personal health (eat healthily, get the flu shot, etc.) savvy business owners take pro-active steps to avoid becoming a cyber victim.

4 Ways to Protect Your Business Against Cyber Attacks

A full-fledged cybersecurity program is a big undertaking, but every business can start the journey one step at a time. Here are four things you can implement today to improve your company’s cybersecurity:

1. Use secure passwords. Train employees to choose passwords that are:
– Unique for every website.
– Long: 12+ characters.
– Not commonly used passwords (like password123, etc.)

2. Set a schedule to update your software. Outdated, insecure software is a favorite way for hackers to compromise websites and computers. Regularly checking and updating the software components on your websites and computers is essential to keep your business secure.

3. Activate HTTPS everywhere. Install SSL certificates and activate HTTPS on all of your web URLs, including subdomains (eg. for webmail and other services). These subdomains are often the most important to protect because they’re accepting admin passwords that must be kept confidential.

4. Fight phishers! The majority of cyberattacks start with a phishing email (a fake email designed to trick you into giving your password or other confidential details). There are a few things you can do to help your staff identify and delete phishing emails:
– Provide training for employees on how to recognize and react to phishing emails.
– Install and use email signing certificates across your company. Be sure to train staff to look for the digital signature on important emails.
– Install and configure a spam filter that’s capable of blocking most phishing emails.

Partner with webmax365, invest in the Security and Performance Plan that best meets your needs, and we’ll make sure your site is available 24/7, without problems, without interruptions, and always looking fantastic!

The post Cyber Attacks Are More Common Than The Flu appeared first on webmax365.

itnews – May 16, 2019… Highlighting the danger of not keeping your CMS up-to-date!

The Australian Competition and Consumer Commission (ACCC) has pinned the blame for its embarrassing premature disclosure of the TPG and Vodafone Australia merger rejection on an as yet unspecified glitch in its website content management system, which the regulator says has now been patched.

In a statement issued on Thursday afternoon, the ACCC said it has now “conducted a full investigation into the incident and identified that it was caused by a flaw in its website content management system, which has been rectified.”

A quick perusal of HTML on the ACCC’s web pages, including its mergers section reveals Drupal 7 is used for public facing pages, including its mergers register, though it’s unclear what else is in the mix.

The ACCC went to market for a Drupal CMS in 2012 to replace its locally cut Sytadel CMS. Drupal also later became the open source software base for the GovCMS platform that was provided initially by Acquia for federal agencies.

The ACCC has declined to disclose the provider or version of the flawed CMS.

The ACCC’s premature online reveal caused TPG’s shares to dive on the day, angering the proposed merger parties who have since said they will fight to overturn the rejection in the Federal Court.

“The information became public when, following the normal practice ahead of announcements, the information was being input into the back end of the mergers register, a third-party user sought to access the existing webpage at the precise moment it was being updated,” the ACCC said in its statement.

“The ACCC’s information technology team has rectified the flaw by applying a patch to the software.”

However that revelation begs the question as to how and why a federal government market regulator in custody of sensitive and highly confidential information was running unpatched systems at all given the potential for damage from leaked or inadvertently exposed content.

“Instead of the new information being treated as draft content requiring internal approval, the flaw meant the content was live for eight minutes,” the ACCC said.

“Because the information went live just before 3pm, the ACCC worked quickly to issue a statement confirming the merger decision to both the ASX and the market.”

Chief Operating Officer Rayne de Gruchy drew the short straw to eat humble pie in public.

“We apologise unreservedly for this unfortunate and serious incident,” de Gruchy said.

“The ACCC has successfully managed highly market-sensitive commercial information for decades and this is the first time, to our knowledge, that a merger decision has been released in this manner.”

However the revelation that a flaw in an unpatched application can expose highly sensitive documents is certain to put other agencies on edge, especially if could be facing similar risks.

It is now routine for many regulators and authorities to publish market sensitive decisions and documents via their web pages as the primary distribution mechanism.

They include, but are not limited to the Reserve Bank of Australia, Australian Bureau of Statistics, Treasury and the Australian Securities and Investments Commission.

Those organisations are certain to be watching the ACCC’s statements and remediation efforts closely, especially for whether its problems could be more common across government.

Partner with webmax365, invest in the Security and Performance Plan that best meets your needs, and we’ll make sure your site is available 24/7, without problems, without interruptions, and always looking fantastic!

The post Even The Big Boys Need Help appeared first on webmax365.

“Companies must put cybersecurity and privacy at the forefront of business strategy to win their customers’ hearts” – PwC, Consumer Intelligence Report

While it’s critical to enhance your customer’s experience by getting your site to perform better, consumers are becoming more acutely aware of the risks associated with the internet.

The more a business can do to build trust in the security of their website, the more likely customers are to visit, stay, buy, return, and recommend.

That’s why security seals and shields are important. They provide reassurance to your customers that you’re aware of the risks and have invested in making your website secure.

Plus, very soon they’re going to start to notice when a site isn’t displaying one!

A call to action driven by customers’ concerns

As the frequency and scale of data breaches continue to rise, so do consumer worries. Companies must understand and address these concerns or risk losing business. To thrive in the new data economy, companies should:

Prioritise cybersecurity and privacy – Putting cybersecurity and customers’ privacy at the forefront of your business strategy—and backing it with proven security tactics—can help address consumer concerns and cement their loyalty.

Build trust through action – Rhetoric alone is not enough. Companies must implement robust data governance and give consumers more control over how their personal information is used.

Go beyond existing regulations – Consumers don’t think regulation is keeping up with innovation. Companies that do more than what’s required by law are likely to earn consumers’ trust.

Understand how consumers feel – Companies in industries considered less trustworthy should be particularly proactive in addressing consumers’ concerns.

Be transparent when using new technology – Companies that demonstrate they are using emerging technologies responsibly and transparently – and for consumers’ benefit – will not only strengthen customers’ trust, but also make it easier to engage with customers on a deeper level.

Partner with webmax365, invest in the Security and Performance Plan that best meets your needs, and we’ll make sure your site is available 24/7, without problems, without interruptions, and always looking fantastic!

The post Do Your Customers Trust You? appeared first on webmax365.