Still relying on traditional password policies like forced resets and complex character requirements? Those rules are outdated. It’s time to take a more modern approach with guidance from the National Institute of Standards and Technology (NIST), simplifying security without compromising protection.

Why should your business listen to NIST?

NIST is a US government agency that sets cybersecurity standards. Although originally created for federal agencies, its influence now extends to the private sector. Industries that handle sensitive data, such as healthcare, finance, and software, often adopt NIST guidelines because they are based on rigorous real-world testing and an understanding of human behavior.

In fact, many modern compliance frameworks, including HIPAA and SOC 2, now incorporate NIST’s approach to identity management, establishing its recommendations as the gold standard for any security-conscious business.

Outdated practices vs. new NIST standards

To strike a balance between security and ease of use, organizations must abandon old password policies and adopt NIST’s latest password security guidance.

Prioritize password length over complexity

One of the biggest changes in password security is the move away from strict complexity rules. This means organizations no longer need to require combinations of uppercase letters, numbers, and symbols. The reason is simple: users find predictable ways to meet these rules (e.g., “Password123!”), making passwords incredibly easy to guess.

Length is now the most important factor in password security. Longer passwords are harder for cybercriminals to crack, even with powerful hardware. While NIST guidelines suggest a minimum of eight characters for standard accounts, security experts recommend 12 to 16 characters for a better balance of security and usability.

To support this shift, systems should now accommodate passwords up to 64 characters long, enabling users to create memorable passphrases. A passphrase, which is a string of unrelated words (e.g., “bluecoffeetrainsunset”), is now considered one of the most secure and user-friendly authentication methods. Because they are easier to remember and significantly harder to crack than short, complex passwords, passphrases offer superior security and convenience.

Furthermore, NIST now mandates that systems accept all printable ASCII characters, spaces, and Unicode symbols. This allows users to create longer, more memorable passphrases using native language characters or even emojis, which can also help reduce the frequency of password reset requests.

End forced password resets

Mandatory password changes every 60 or 90 days are an outdated practice. This policy often leads to security fatigue, prompting users to create weaker, more predictable passwords.

Instead, NIST now recommends a more practical approach:

  • Require password changes only when there’s evidence of a compromise.
  • Actively monitor accounts for suspicious activity.
  • Trigger password resets based on actual risk, not a fixed schedule.

Screen passwords and monitor for compromised credentials

Attackers often rely on leaked password lists rather than randomly guessing. That’s why NIST recommends organizations do the following:

  • Block the use of common passwords (e.g., “123456”).
  • Prevent employees from using passwords exposed in past breaches.
  • Continuously monitor for exposed credentials.
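The length-first policy and the screening rules above, as an added example (not code from the article or from NIST): a verifier that accepts passwords of 8 to 64 characters with spaces and Unicode, applies no composition rules, and rejects entries on a deny list, shown next to the legacy complexity policy it replaces. The deny list is a constructed stand-in for a real breached-password list.

```python
import re
import unicodedata

MIN_LENGTH = 8            # NIST minimum for standard accounts, as cited in the article
RECOMMENDED_LENGTH = 12   # lower end of the 12-16 characters the article recommends
MAX_LENGTH = 64           # systems should accept passphrases at least this long

# Constructed sample deny list. A real deployment checks against a large list of
# common and breached passwords; the comparison is case-insensitive.
COMMON_PASSWORDS = {"123456", "password", "password123!", "qwerty", "letmein"}


def legacy_policy(password):
    """The outdated rule set: 8+ characters plus forced character classes."""
    return (len(password) >= 8
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[0-9]", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)


def nist_policy(password, deny_list=COMMON_PASSWORDS):
    """Length-first policy with no composition rules.

    Returns (accepted, reasons). Reasons is empty when the password is accepted.
    """
    reasons = []
    # NFKC normalization makes look-alike forms compare equally, so a fullwidth
    # spelling of a banned password is still caught by the deny list.
    normalized = unicodedata.normalize("NFKC", password)
    length = len(normalized)  # count characters, not bytes, so emoji count as one
    if length < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if length > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    # Only control characters (category Cc) are rejected; printable ASCII, spaces,
    # accented letters, symbols and emoji are all allowed.
    if any(unicodedata.category(ch) == "Cc" for ch in normalized):
        reasons.append("contains control characters")
    if normalized.lower() in deny_list:
        reasons.append("found in common/breached password list")
    return (not reasons, reasons)


def meets_recommended_length(password):
    """Advisory check: True when the password reaches the recommended 12 characters."""
    return len(unicodedata.normalize("NFKC", password)) >= RECOMMENDED_LENGTH


def compare_policies(candidates):
    """Map each candidate to (legacy_result, nist_accepted) to show how the policies differ."""
    return {pw: (legacy_policy(pw), nist_policy(pw)[0]) for pw in candidates}


if __name__ == "__main__":
    # Constructed sample inputs: the article's examples plus a few edge cases
    samples = ["Password123!", "bluecoffeetrainsunset", "correct horse battery staple",
               "café ☕ 2024 ✓", "short", "ｐａｓｓｗｏｒｄ１２３！"]
    for pw, (legacy_ok, nist_ok) in compare_policies(samples).items():
        print(f"{pw!r:40} legacy={legacy_ok!s:5} nist={nist_ok!s:5} {nist_policy(pw)[1]}")
```

Note that the legacy policy accepts “Password123!” and rejects the passphrase, while the length-first policy does the opposite.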

Use password managers

Since every account needs a long, unique password, remembering them all is practically impossible. That’s why NIST highly recommends the use of password managers. These tools act as a secure digital vault, generating and autofilling strong passwords so your team doesn’t have to.

Beyond the password: MFA and biometrics

Passwords alone aren’t enough to ensure security. NIST recommends that when a password is required, it must be paired with an extra layer of verification:

Phishing-resistant MFA

Multifactor authentication (MFA) fortifies accounts by requiring more than just a password for account access. However, NIST now advises against using SMS text codes for MFA, as hackers can intercept these. Instead, they recommend using authenticator apps or hardware security keys (small USB tokens). With these methods, the “key” to your account remains securely on your physical device.

Safe and accurate biometrics

For biometric security such as facial recognition and fingerprint scanning, NIST sets high standards for:

  • Accuracy: Systems must have a false match rate of less than 1 in 10,000 to ensure reliability.
  • Privacy: Your actual fingerprint or face image is never stored. Instead, the system generates a unique digital map (a template) and immediately deletes the original biometric data, protecting your identity.

Connect with our experts to bolster your cyber defenses against emerging threats and explore the future of password security. If you are looking for an expert to help you find the best solutions for your business, talk to GCInfotech about a free technology assessment.

Published with consideration from TechAdvisory.org SOURCE

Unexpected disruptions, such as natural disasters and cyberattacks, can knock your business off course. Thus, it’s critical to develop a strong business continuity plan (BCP), but having one isn’t enough. How you create, maintain, and execute it is just as important. Unfortunately, many businesses make avoidable mistakes during the planning process that leave them vulnerable in a crisis.

Below are the top pitfalls businesses face when crafting their continuity strategies, along with practical ways to avoid them:

Skipping a thorough risk review

Business owners tend to zero in on one or two risks, such as cyberattacks, while overlooking others, including severe weather, supply chain disruptions, or staffing shortages. These oversights can leave their BCPs unprepared, making their operations vulnerable. To prevent this, conduct a comprehensive risk assessment that identifies all potential threats and their impact on your business.

Failing to prepare the team

Your business continuity plan is only effective if employees know how to carry it out. After all, a smooth response during a crisis depends on everyone understanding their roles. Through regular training sessions, walkthroughs, and drills, you can reinforce that understanding and build the confidence to act under pressure.

Not testing the plan in realistic scenarios

Businesses often create a BCP and set it aside, assuming it will work as intended during a disruption. However, unless you test it with realistic simulations or mock incidents, there’s no way to know how well it will actually hold up. That’s why routine testing is vital; it helps reveal gaps, refine processes, and confirm the plan’s feasibility.

Underestimating your tech reliance

Technology drives nearly every part of modern business, from internal communication and sales to logistics and customer service. However, many organizations overlook just how dependent they are on specific systems, software, or data. Failing to account for this reliance can leave you unprepared when an important platform goes down.

You can avoid this by identifying your mission-critical systems and putting clear contingency plans in place. Whether it’s a data backup platform, a manual workaround, or a preconfigured recovery setup, document your measures in your BCP.

Poor communication planning

In the event of an emergency, effective communication is key to executing a strong response. Without a clear strategy for keeping staff, vendors, customers, and stakeholders informed, confusion can spread quickly. Thus, to keep everyone on the same page, define a communication chain and prepare reliable channels, such as group messaging platforms, SMS alerts, automated call trees, or dedicated emergency apps.

Ignoring your supply chain

Suppliers and vendors are vital to your operations, yet they’re often left out of business continuity planning. This oversight can have serious financial consequences. Consider a manufacturer that relies on a single supplier for a critical part. If that supplier goes offline, that production line grinds to a halt, resulting in missed deadlines and lost revenue.

You can reduce such risks by including suppliers in your continuity strategy. That means establishing clear communication protocols for disruptions, understanding each partner’s recovery timeline, and lining up backup vendors if necessary.

Relying too heavily on insurance

Insurance can support recovery after a disaster, but it won’t prevent operational disruptions or financial losses. Even more concerning, many businesses assume they’re fully covered, only to realize too late that their policies don’t cover key risks. To avoid surprises, review your policies regularly to ensure coverage aligns with how your business actually operates and the risks it faces.

Making the plan too complicated

When every second counts, simplicity matters. A business continuity plan full of jargon and complex flowcharts might seem comprehensive, but it’s useless if your team can’t understand it. Focus on clarity and ease of execution to ensure the plan works when it’s needed most.

Letting the plan get outdated

A business continuity plan that worked last year may no longer be effective. As your business evolves — with new systems, additional users, or expanded services — its needs change. On top of that, new threats can emerge at any time. Therefore, it’s important to revisit your BCP, especially after major organizational or environmental changes, to make sure it still addresses your new risks and priorities.

A business continuity plan is your company’s lifeline during uncertain times, but even small mistakes can weaken it. By avoiding these common pitfalls, you create a plan that’s not only comprehensive but truly reliable when it matters most.

Published with consideration from TechAdvisory.org SOURCE

Every business relies on office equipment to run smoothly. Yet, many companies overlook the invisible software powering those machines. Firmware operates quietly in the background to keep everything functioning, and ignoring its maintenance leaves your network vulnerable to cyberattacks. Updating these systems protects your sensitive data and keeps operations running without a hitch.

What firmware actually does

To understand the value of regular firmware updates, we need to explore how your devices operate on a fundamental level. Think of firmware as the permanent memory or the brain of a piece of hardware. Unlike the applications you download on your computer, the programming is built directly into the machine itself.

The embedded code controls the specific physical components and tells them exactly how to behave. For example, the programming tells a security camera how to focus its lens or a wireless printer how to connect to your network. Without the code, your office equipment would just be a useless collection of plastic and metal. Firmware acts as a seamless translator between the physical parts and the software you interact with daily. As technology evolves, that programming needs periodic adjustments to keep pace with changing standards.

Why keeping your equipment updated matters

Many business owners assume their devices are perfectly safe right out of the box. The truth is that manufacturers discover flaws in their programming over time. Updating your equipment’s firmware fixes these hidden issues and provides several major benefits for your organization.

  • Unlock new tools: Upgrades often introduce brand-new capabilities that enhance your daily operations. Installing these improvements ensures your team always has access to the most innovative features available on the market.
  • Boost daily performance: Routine patches fix underlying bugs and improve overall hardware stability. You will likely notice a smoother experience and fewer frustrating glitches during your busy workday.
  • Maintain seamless compatibility: Your older machines need updates to communicate properly with modern applications. Keeping the internal programming current prevents software conflicts that can slow down your entire business.
  • Stop dangerous security threats: Cybercriminals constantly look for outdated software to exploit for easy network access. Regular maintenance builds a strong defense against data breaches and keeps your sensitive information safe from unauthorized users.

Best practices for installing updates safely

Installing new software can sometimes cause temporary glitches if done incorrectly. You must approach the process carefully to avoid disrupting your staff or breaking essential equipment. Try these proven strategies for a smooth and stress-free transition.

  • Save everything: Always back up your important data before starting any major changes. This simple precaution protects your files in case an unexpected error occurs during the installation process.
  • Check the notes: Take a moment to read the release notes to understand the upcoming changes. Manufacturers provide specific details so you know exactly which bugs they fixed and what new features to expect.
  • Follow the guide: Stick to the official instructions provided on the manufacturer’s website. Skipping steps or guessing the right procedure can lead to broken equipment and costly repair bills down the line.
  • Plan for downtime: Schedule your maintenance during evenings or weekends to minimize workplace disruptions. Handling administrative tasks outside of normal operating hours ensures your employees stay productive while the machines reboot.
  • Test on one device: Run the upgrade on a single noncritical machine first. A trial run gives you complete peace of mind before applying the changes to your entire office network.

Secure your business infrastructure today

Keeping your equipment up to date requires a proactive approach, but the long-term benefits far outweigh the temporary inconvenience.

If you manage multiple devices, keeping track of every new patch quickly becomes overwhelming. Our IT experts serve as your dedicated partner in achieving your security goals, providing proactive monitoring and timely upgrades across your organization. We handle the technical details so you can focus entirely on growing your company. Contact our team today to learn how we can secure your office equipment and give you total peace of mind.

Published with consideration from TechAdvisory.org SOURCE

Hackers are harnessing AI to exploit security flaws faster than ever.

Hackers are getting faster and growing more successful at exploiting vulnerabilities, all thanks to deeper integration of Gen AI tools into everyday operations, experts have warned.

The 2026 IBM X-Force Threat Intelligence Index report listed a few rather worrying statistics about the state of enterprise security, claiming a 44% increase in cyber-attacks exploiting public-facing applications (including websites and ecommerce portals, email services, online banking apps, APIs, and similar) compared to the year before.

These attacks are driven by an increase in vulnerability exploitation which, as per IBM, is to blame for 40% of all cyber-incidents observed in 2025. At the same time, the number of active ransomware operators increased by almost 50%, while the number of publicly disclosed attacks grew by 12%.

Reassessing traditional security assumptions

“Attackers aren’t reinventing playbooks, they’re speeding them up with AI,” said Mark Hughes, global managing partner for cybersecurity services at IBM. “The core issue is the same: businesses are overwhelmed by software vulnerabilities. The difference now is speed.”

These days, threat actors are primarily targeting large supply chains and third-party partners, IBM added, saying that the number of incidents against these entities increased by almost four times in half a decade.

Software, deployment environments, SaaS integrations, and CI/CD automation in development workflows seem to be the number one targets in these attacks.

Discussing how AI fits in this narrative, IBM says it primarily lowers the barrier to entry, making even low-skilled ransomware actors a huge threat. Small groups, with limited resources, can use AI to automate parts of their operations, becoming faster and more disruptive.

Looking ahead, IBM expects miscreants to start using AI for research, data analysis, and attack path refinements, all in real-time.

Published with consideration from techradar.com SOURCE

Phishing attacks have evolved dramatically in recent years, and the rise of artificial intelligence (AI) has made them more sophisticated than ever. Gone are the days of poorly written emails with obvious spelling mistakes. Today’s phishing attempts often look legitimate, leveraging AI to mimic corporate branding, write flawless text, and even personalize messages based on publicly available data. This makes identifying phishing emails a critical skill for individuals and organizations alike.

Why AI Makes Phishing More Dangerous

AI-powered tools allow cybercriminals to:

  • Generate convincing content: AI can craft professional-looking emails that mimic the tone and style of real companies.
  • Personalize attacks: By scraping social media and public profiles, attackers can tailor messages to specific individuals.
  • Automate scale: AI enables mass phishing campaigns with minimal effort, increasing the likelihood of success.

Key Indicators of Phishing Emails

Despite their sophistication, phishing emails often share common traits. Here’s what to look for:

  1. Suspicious Sender Address
    • Check the email domain carefully. Attackers often use addresses that look similar to legitimate ones (e.g., support@micros0ft.com instead of support@microsoft.com).
  2. Unexpected Requests
    • Be wary of emails asking for sensitive information, urgent payments, or login credentials. Legitimate companies rarely request this via email.
  3. Generic Greetings
    • Even with AI personalization, some phishing emails still use vague greetings like “Dear Customer” instead of your name.
  4. Links and Attachments
    • Hover over links before clicking. If the URL looks strange or doesn’t match the sender’s domain, it’s a red flag.
    • Avoid opening unexpected attachments, especially if they prompt you to enable macros.
  5. Sense of Urgency
    • Phrases like “Act Now” or “Your account will be suspended” are common tactics to pressure quick action.
  6. Inconsistent Branding
    • AI can replicate logos and colors, but subtle inconsistencies in design or formatting may indicate a fake.
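The sender-address, link and urgency indicators above (items 1, 4 and 5), as an added example that is not part of the article: a screening function that runs those checks over a parsed message. The trusted-domain allowlist, the homoglyph table and both sample messages are constructed for the demo.

```python
import re
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"microsoft.com", "gcinfotech.com"}   # constructed allowlist
URGENCY_PHRASES = ("act now", "account will be suspended", "immediately", "within 24 hours")

# Digits and symbols commonly swapped for letters in look-alike domains (micros0ft.com)
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a"})


def sender_domain(address):
    """Return the lowercase domain of an address like 'Name <user@host>'."""
    match = re.search(r"@([A-Za-z0-9.-]+)", address)
    return match.group(1).lower() if match else ""


def edit_distance(a, b):
    """Levenshtein distance; 1 means a single typo away from a trusted domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    for good in trusted:
        if domain == good or domain.endswith("." + good):
            return None  # the trusted domain itself, or one of its real subdomains
    # Fold common substitutions ("rn" for "m", "0" for "o") before comparing
    folded = domain.replace("rn", "m").translate(HOMOGLYPHS)
    for good in trusted:
        if folded == good or edit_distance(domain, good) <= 1 or good in domain:
            return good  # glyph swap, typo-squat, or trusted name embedded in a longer domain
    return None


def screen_email(msg):
    """msg: dict with 'from', 'subject', 'body' and 'links'. Returns the indicators found."""
    flags = []
    dom = sender_domain(msg["from"])
    imitated = lookalike_of(dom)
    if imitated:
        flags.append(f"sender domain {dom!r} looks like {imitated!r}")
    for url in msg.get("links", []):
        # Indicator 4: a link whose host is not the sender's domain or a subdomain of it
        host = (urlparse(url).hostname or "").lower()
        if host and host != dom and not host.endswith("." + dom):
            flags.append(f"link host {host!r} does not match sender domain {dom!r}")
    # Indicator 5: pressure phrases in subject or body
    text = (msg.get("subject", "") + " " + msg.get("body", "")).lower()
    for phrase in URGENCY_PHRASES:
        if phrase in text:
            flags.append(f"urgency phrase {phrase!r}")
    return flags


# Constructed sample messages
SAMPLE_PHISH = {
    "from": "Microsoft Support <support@micros0ft.com>",
    "subject": "Act now: your account will be suspended",
    "body": "Click the link to verify your login.",
    "links": ["https://login-verify.example.net/reset"],
}
SAMPLE_LEGIT = {
    "from": "GCInfotech <help@gcinfotech.com>",
    "subject": "Your monthly report",
    "body": "Attached is the summary for last month.",
    "links": ["https://portal.gcinfotech.com/reports"],
}

if __name__ == "__main__":
    for name, msg in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, screen_email(msg) or ["no indicators"])
```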

How to Stay Protected

  • Enable Multi-Factor Authentication (MFA): Even if credentials are stolen, MFA adds an extra layer of security.
  • Use Email Security Tools: Advanced filters and AI-based detection systems can help identify suspicious emails.
  • Educate Your Team: Regular training on phishing awareness is essential.
  • Report and Verify: If in doubt, contact the sender through official channels—not by replying to the suspicious email.

The Bottom Line

AI has made phishing smarter, but vigilance and layered security can keep you safe. By combining human awareness with advanced security tools, organizations can stay ahead of these evolving threats.

If your business uses Microsoft Office, take a moment to check which version you have. Microsoft recently announced that support for Office 2016 and Office 2019 has ended. What does that mean? Your programs won’t disappear, but Microsoft has stopped providing security updates for them. For any business, ignoring this change is dangerous.

Why this is a big deal for your business

“End of support” isn’t just a sales pitch to get you to upgrade. It’s a serious security warning. Your software will keep working, but it’s now a sitting duck.

Losing support means you’ve lost three key things:

  • No more security updates: Hackers and viruses love finding old, unprotected software. Without new security updates, your business is exposed. It’s like knowing criminals have a copy of your office key but deciding not to change the locks.
  • No more bug fixes: If PowerPoint crashes during a big presentation or an Excel glitch corrupts your file, there will be no fix. Think of it as your car’s manufacturer deciding to stop making spare parts. When something breaks, it stays broken.
  • No more help: Are you having problems? Microsoft’s technical support team can no longer help you with Office 2016 or 2019 issues. Your product’s warranty has expired, so you’ll need to find other support options.

What are your options?

Fortunately, you have clear choices to protect your business. Continuing to use the old software shouldn’t be one of them.

Option 1: Move to Microsoft 365

Microsoft 365 is the subscription version of Office, where you pay a monthly or yearly fee to access various apps. It’s best for businesses that want to “set it and forget it” and always have the latest, most secure tools.

Pros

  • You are always up to date and always secure.
  • You get new features as soon as they are released.
  • It often includes other tools such as cloud storage (OneDrive) and communication (Teams).

Option 2: Buy Office 2024

If you prefer the “old” way, you can buy Office 2024 once and own it. Keep in mind that this version will be supported until 2029, so you’ll need to plan for another upgrade after that.

Pros

  • It’s a single, one-time cost.
  • You get the classic apps you know (Word, Excel, Outlook).
  • It’s perfect if you don’t want or need cloud features.

Option 3: Get Office LTSC 2024

You might also hear about a version called Office LTSC 2024. LTSC stands for long-term servicing channel, which is a special, one-time purchase version of Office built purely for stability. It’s designed not to get new feature updates over time, only essential security fixes.

It’s made for specific commercial or government situations. Think of computers that run medical equipment, control machinery on a factory floor, or operate in a lab — devices that need to stay exactly the same for years and often aren’t connected to the internet.

Like the regular Office 2024, it’s supported until 2029. However, it is typically sold through volume licensing and won’t get any of the new tools or features that Microsoft 365 or even the standard Office 2024 might get. For nearly all small businesses, Option 1 (Microsoft 365) or Option 2 (Office 2024) is the simpler and better choice.

It’s not just Office — check these apps too

This end-of-support announcement also affects other related Microsoft programs. It’s a great time to do a quick check-up on all your software.

Make sure you have a plan to upgrade these if you use them:

  • Project (2016 and 2019)
  • Visio (2016 and 2019)
  • Skype for Business (2016 and 2019)

The same thinking also applies to other major products such as Windows 10 and Exchange Server 2016/2019, which are also at or near their end of support.

Don’t wait for a problem, and make a plan today

Your old Office software will keep working, but the risk of a security breach, data loss, or a major glitch is now very high.

Switching systems can take time, so we recommend starting your upgrade plan now. Whether you choose the flexibility of Microsoft 365 or the simplicity of Office 2024, upgrading is a small step that protects your business from big problems. Contact our experts today for help.

Published with consideration from TechAdvisory.org SOURCE

Windows 10 is about to pass into the realm of unsupported operating systems. On October 14, 2025, the final security update will be piped through for Windows 10, and after that, Microsoft won’t supply any more. Well, not unless you sort out extended updates (and I’ll come back to that).

There are plenty of people still using Windows 10, and at this point in time, right before the big deadline, they might have lots of questions. How safe is it to just remain on Windows 10 after the support deadline has passed? You may have heard it’s risky, but is that just an exaggeration – is it really that bad to stick with an unsupported OS?

And what about the extended support program that I just mentioned – how does that fit in? If you avoid paying for this scheme, you may have heard that Microsoft requires you to sync the files on your PC with its servers – is that true? (No, in a word – there are nuances here).

In this article, I’m going to answer these, and some other pressing queries that you may have regarding Windows 10’s End of Life, and how safe the operating system remains as it shuffles onwards in Microsoft’s post-support era.

Is it safe to simply keep using Windows 10 after October 14, when support ends and Microsoft stops providing updates?

No, do not use Windows 10 without updates, or for that matter, don’t continue using any operating system beyond its support deadline. With no security updates, it’s just too much of a risk that you might be compromised.

Software like an operating system is a massive, sprawling, complex affair, and the problem is over time, vulnerabilities will be discovered in the codebase. What normally happens is that Microsoft fixes those security flaws in its monthly updates, so without those, you’re not getting these problems resolved – they remain as gaping holes in your OS. Gaps that a hacker or other nefarious types could exploit.

But I’ve heard that these risks are overblown and exaggerated – how dicey can it be, really?

It’s true that people continue using an operating system without security patches all the time. This happened with Windows 7, and it will happen with Windows 10 (indeed, Windows 7 only went below 10% of Windows market share three years after its End of Life, and Windows 10 is very likely to be a worse situation).

And admittedly, it’s also true that initially, right after the deadline expires, you’re not going to be in much peril. After all, you get a security patch on October 14, anyway, which will last you through to November – that’s when the first update will actually be missing for Windows 10. Even in the month following that, nothing much might happen in the way of vulnerabilities being uncovered – but the key word here is might.

While there may not be many holes left open to exploit in the early days after Windows 10’s support expires, gradually, these will mount up, and staying unprotected on the operating system will become increasingly risky. As security flaws become more widely known, and still unpatched, more hackers will be looking to find and exploit these vulnerabilities in Windows 10 PCs out there.

Frankly, I wouldn’t want to take any risks at all beyond the first month, because I just don’t think it’s worth it – and it’s definitely unwise to run Windows 10 without patches for very long.

What if I’m really careful online and I have a good antivirus, won’t I be safe then, even without Windows 10 updates?

In fairness, packing one of the best antivirus apps and being very cautious about what you do online will go a long way to keeping you safe – that’s true, even without any security updates from Microsoft. But you’ll have to be really careful, and essentially stop following most links (all of the ‘ooh, I’m curious about that’ variety, certainly) – but who has that kind of willpower and steadfastness? Not that many people frankly.

Realistically, you’re likely to slip up from time to time and put your unpatched operating system in danger. Even if you don’t, and you are incredibly careful, sometimes you can be hit by malware from out of nowhere – these things happen and may not be your fault at all (a compromised web server somewhere that pushes a malware-laden advert, for example).

Unless you are going to keep your Windows 10 PC entirely offline, there’s always a chance of compromise, and that risk is somewhat higher if your system doesn’t have security updates. So, I’d really advise that you don’t gamble that you’ll be fine without Windows 10’s monthly updates, as the reality is you may not be – and if your PC does fall prey to malware, it’s a world of hurt.

It isn’t worth the risk, so if you are sticking with Windows 10 past October 14, then you need to ensure you keep getting updates. And here’s the other thing with Windows 10 – you can get an extra year of support for free (with a slight catch), as mentioned at the outset. So you’d be foolish not to avail yourself of this offer.

So, to stay safe, the best thing to do is get extended support then – how does that work?

Undoubtedly this is the safest path forward. Microsoft’s year of additional support is provided in the form of the Extended Security Updates (ESU) scheme. Normally, this is only an option for businesses in a post-support deadline scenario, but with Windows 10, consumers are also getting this choice for the first time ever.

You can access the three available ESU options by clicking the enrollment link, which you’ll find in the Windows Update panel in Windows 10 (underneath the ‘Check for updates’ button – see the screenshot above). To sign up, you’ll need a Microsoft account, and one option is to pay $30 for the scheme. If you don’t want to fork out any cash, you can use 1,000 Microsoft Rewards points instead (if you have them).

The final option, the one I’d recommend, is free, but it does come with a slight catch…

Ah yes, the catch – I’ve heard that you must sync files with Microsoft to get the ‘free’ updates – does that mean the company’s sticking its nose in my business?

It is true that Microsoft requires you to sync some data to get the ESU with the third (free) option, but there’s some misinformation online about this indicating that you’re somehow syncing your personal files to Microsoft’s servers.

To be clear, what’s actually required is that you sync your PC Settings (to OneDrive, Microsoft’s cloud storage service) via the Windows Backup app. So, yes, it is true that you’re allowing Microsoft to store some of your data, but a very limited amount – just your setting choices. All your personal data – files on your PC like your documents, photos, videos and so on – isn’t included in this syncing arrangement.

In my book, this isn’t a particularly intrusive ask, and is a relatively small price to pay for an additional year of security for Windows 10. But if you’re really against the idea of sharing anything related to your PC with Microsoft, you can simply pay the $30 fee as mentioned, and I’d still recommend doing that if you want to remain on Windows 10 – don’t just plough on with no security updates.

Published with consideration from TechRadar.com SOURCE

Having the right technology controls in place can vastly impact the cost of cyber insurance and claims eligibility.

Hackers are aggressively targeting small and medium-sized businesses: One in every three SMBs was hit with ransomware in 2024, according to research from Microsoft.

The luckiest businesses will never get breached or will have the incident response and backup and recovery plans in place to walk away unscathed. But even they are at risk of liabilities such as business disruptions, exposed data and fines. Not to mention, 94% of all ransomware attempts against SMBs in 2024 targeted backups, according to Sophos.

Enter cyber insurance. As more SMBs investigate first- and third-party coverage, they’ll encounter a slew of technical prerequisites. It’s crucial that they know what risks to cover and the requirements to qualify for that coverage in order to ultimately be eligible for a payout. 

Upfront Risk Assessments Save Time and Money

Many cyber insurance providers provide free risk assessments for businesses, but John Candillo, field CISO at CDW, recommends doing a little upfront work to smooth out the process and avoid getting blindsided.

“Insurers want to know how your business looks from the outside looking in,” he says. “A focus on this ahead of time can greatly improve your situation when it comes to who’s willing to underwrite your policy, but also what your premiums are going to be and how you’re answering questionnaires.”

Conducting an internal risk assessment and engaging with cybersecurity ratings companies such as SecurityScorecard or Bitsight can help SMBs be more informed policy shoppers.

“If you understand what the auditor is going to ask you and you’re prepared for it, the results of the audit are going to be way different than if you’re caught off guard,” Candillo says.

These steps get stakeholders thinking about what type of risk requires coverage. Cyber insurance can broadly be put into two categories. First-party coverage will protect against things such as breach response costs, cyber extortion costs, data-loss costs and business interruptions. Third-party coverage insures against risks such as breach liabilities and regulatory penalties.

The more you know up front about your risk profile, the easier it is to advocate for yourself during the underwriting process.

Proper Security Controls Are Necessary for Coverage

Inadequate cybersecurity controls can be a dealbreaker for cyber insurers, resulting in outright rejection or prohibitively expensive premiums.

“They’re going to have anywhere from 15 to 30 controls they’re going to ask about,” Candillo says. “But we call the most common things they ask about the big 12.”

  1. Multifactor authentication
  2. Privileged access management
  3. Remote access controls (such as VPNs)
  4. Endpoint protection and response
  5. Security information and event management
  6. Incident response plan
  7. Business continuity plan and disaster recovery
  8. Backup strategy
  9. Email security
  10. Security awareness training
  11. Third-party risk management
  12. Patching and vulnerability management

“They’re going to ask you very pointed questions,” Candillo says. “For example: Is every application accessible only through multifactor authentication? And they’re going to expect a yes or no answer.”

Phrases such as “yes, no, always, never, every and all” fall into a category Candillo calls absolutist language. Covering your bases isn’t just a matter of getting coverage; it’s also a matter of meeting certain requirements should you need to submit a claim.

“Don’t just answer yes or no,” Candillo says. “Take the PDF they gave you with the yes or no questions, export it into another format where you can actually qualify your answers and give as much information as possible.”

This added context helps businesses have a more complete picture of the controls they have in place and can round out answers in questionnaires as a possible defense in the event that an insurer attempts to deny a claim.

In terms of implementing the prerequisite technology, Candillo recommends working with a partner such as CDW with access to solutions from a variety of vendors.

“There are cheap ways to do it and there are expensive ways to do it,” he says. “SMBs are probably going to opt for the affordable way, as long as they know what that looks like.”

Cyber Insurance Isn’t a One-Time Thing

Most cyber insurance policies will need to be reviewed on an annual basis. Businesses will therefore have to complete questionnaires annually, and the questions being asked could change depending on shifting conditions in the threat landscape.

What’s more, many businesses will create an “insurance tower,” as they may require more than one insurer to achieve the desired level of coverage. While a common practice, this does multiply the work that goes into renewing policies each year. Candillo says this further underscores the importance of adding context to checklists.

“It’s something they have to deal with every year, and you may only hear about it once a year,” he says. “Without that additional context, it’s hard to get a lot of knowledge and experience around how the answers you give impact insurability, not to mention premiums.”


Published with consideration from BizTechMagazine.com.

Staying secure online is becoming trickier by the day, especially for small or medium-sized businesses (SMBs). While tools like password managers are designed to protect sensitive information, cybercriminals are now targeting them. A recent study reveals a startling threefold increase in malware targeting password vaults and credential stores over the past year.

The rising threat of infostealers

Infostealers, also known as information stealers, are a type of malware designed to hijack and transmit sensitive data from a victim’s computer. They can come in many forms, such as keyloggers or spyware, but their main goal is to collect login credentials and other valuable information.

The study by Picus Security uncovered alarming growth in infostealers designed to target credential stores, including password managers. By analyzing one million malware samples, researchers confirmed that 93% of malicious actions use just 10 common hacking methods.

Why are password managers a prime target? Their centralized nature makes them convenient for users but equally appealing to cybercriminals. By breaching just one password vault, attackers can gain access to a wealth of credentials across multiple accounts and platforms.

Malware in action: RedLine and Lumma Stealers

Two notorious infostealers leading these attacks are RedLine Stealer and Lumma Stealer, each targeting victims in unique ways.

  • RedLine Stealer is often spread through phishing attempts or fake websites. It specializes in extracting data from web browsers, email applications, and other credential storage locations.
  • Lumma Stealer operates as a Malware-as-a-Service (MaaS), allowing criminals to rent the malware and use it to steal payment credentials, cryptocurrency wallets, and other sensitive information.

Malware tactics are changing. With operating system defenses improving, old methods such as credential dumping are less effective. Modern infostealers now target weaker but valuable areas, such as password managers.

The dark web surge

The stolen credentials don’t just stop with the initial hacker; they often end up being posted for sale on the dark web. Initial access brokers profit by reselling credentials that give hackers easy access to enterprise systems. These stolen credentials are then used in major ransomware attacks.

Why password manager attacks are increasing

Cybercriminals are adapting their tactics to target password managers for several reasons, including their effectiveness and ease of execution.

  • Minimal skill requirement – Most infostealers only need basic user-level access to scrape stored credentials, making attacks fast and easy.
  • Automation – Many attackers leverage automated tools to extract information, streamlining cyber theft.
  • Password reuse – If businesses use repeated passwords across accounts, stolen credentials can lead to broader credential stuffing attacks, exposing an entire network.

For SMBs, such attacks can be devastating, resulting in operational disruptions as well as financial losses and reputational damage.

Protecting your credentials with secure technologies

SMBs must take decisive action to protect themselves from these growing threats. Here’s how you can stay ahead of attackers and secure your password management systems effectively.

  • Adopt zero-knowledge encryption password managers. With zero-knowledge encryption, even if the vault is breached, no one can read the stored credentials.
  • Enable multifactor authentication. Do this across all user and administrator accounts, making it harder for hackers to gain access.
  • Train your users. Educate employees about phishing attempts and other malware entry points. Teach them to recognize suspicious links and avoid downloading attachments from unknown sources.
  • Regularly update software. Make sure all software, including operating systems, browsers, and password managers, is updated with the latest patches to minimize vulnerabilities.
  • Review logs for unusual activity. Monitor activities in password managers and look for suspicious access or login attempts outside regular patterns.
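
As an added example that is not from the original article, here is the log review described in the last item run as simple detection rules over a few constructed password-manager audit events; the JSON field names, the business-hours window and the burst threshold are assumptions, not any vendor’s schema or defaults.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample audit log (JSON lines; field names are an assumption, not a
# vendor's schema). Day one is routine use; the next night shows a login from an
# unfamiliar address, a rapid run of item reads and a full vault export.
NORMAL = """\
{"ts":"2025-03-03T09:02:11Z","user":"ana","event":"login","ip":"203.0.113.10"}
{"ts":"2025-03-03T09:05:40Z","user":"ana","event":"item_read","ip":"203.0.113.10"}
{"ts":"2025-03-03T14:20:03Z","user":"ana","event":"item_read","ip":"203.0.113.10"}
{"ts":"2025-03-04T03:12:01Z","user":"ana","event":"login","ip":"198.51.100.7"}
{"ts":"2025-03-04T03:13:30Z","user":"ana","event":"export","ip":"198.51.100.7"}
"""
BURST = "\n".join(  # ten item reads in thirty seconds, the pattern a vault scraper leaves
    '{"ts":"2025-03-04T03:12:%02dZ","user":"ana","event":"item_read","ip":"198.51.100.7"}' % s
    for s in range(5, 35, 3))
SAMPLE_LOG = NORMAL + BURST

BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 UTC; tune to your own usage pattern
READ_BURST = 10                 # item reads within 60 s that we treat as scraping

def parse(text):
    """Return the events with parsed timestamps, oldest first."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for ev in events:
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])

def detect(text):
    """Return (rule, user, timestamp) findings: off-hours login, login from an
    IP not seen before for that user, a burst of item reads, and any export."""
    findings, known_ips, reads = [], defaultdict(set), defaultdict(list)
    for ev in parse(text):
        user, ts, ip = ev["user"], ev["ts"], ev["ip"]
        if ev["event"] == "login":
            if ts.hour not in BUSINESS_HOURS:
                findings.append(("login_outside_hours", user, ts))
            if known_ips[user] and ip not in known_ips[user]:
                findings.append(("login_from_new_ip", user, ts))
            known_ips[user].add(ip)
        elif ev["event"] == "item_read":
            # sliding 60-second window of this user's reads
            reads[user] = [t for t in reads[user] if (ts - t).total_seconds() <= 60] + [ts]
            if len(reads[user]) == READ_BURST:
                findings.append(("item_read_burst", user, ts))
        elif ev["event"] == "export":
            findings.append(("vault_export", user, ts))
    return findings
```

Running `detect(SAMPLE_LOG)` on the constructed log yields four findings, all for the same user, while the daytime events on their own produce none; a real deployment would feed the manager’s exported audit log in place of `SAMPLE_LOG`.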

Password managers are indispensable tools for managing multiple accounts safely, but they’re not invincible. For SMBs, proactive security measures should be part of a broader strategy to strengthen operations against emerging threats.

Safeguard your business from various threats — contact our security experts to get started.


Published with consideration from TechAdvisory.org.

You’re focused on leveraging the latest technology for growth and innovation, but there’s a hidden risk that comes with it. The software, automated systems, and AI tools that power your business each have their own non-human identity (NHI). Managing these digital identities was a significant challenge even before the AI boom, but now, with intelligent agents capable of independent action, NHIs represent a critical threat that demands immediate attention.

Your company’s biggest, most overlooked security risk

Think about every piece of software, cloud application, and automated script your company uses. Each one needs credentials and permissions to access data and perform its tasks. That’s a massive, often invisible, digital workforce.

The problem here is that these NHIs are often created for a specific purpose and then forgotten, leaving a digital door wide open for attackers. This oversight leads to several common security gaps:

  • Ghost accounts: These are accounts and app credentials that are never disabled, even after a project ends or an employee leaves. Orphaned accounts like these are prime targets, as they are unmonitored and can provide persistent access to your network.
  • Weak credentials: Attackers use automated tools to constantly scan for easy-to-crack credentials, making them a significant vulnerability.
  • Lack of visibility: Most businesses have no clear picture of how many NHIs exist in their environment or what they have access to. If you don’t know an identity exists, you can’t secure it, monitor it, or recognize when it’s been compromised.

How AI supercharges the threat

If unsecured NHIs are like a key left under the doormat, then AI is like a team of burglars who can check every doormat in the city in a matter of seconds. AI-powered tools allow attackers to find and exploit these forgotten credentials with alarming speed and efficiency, turning a minor vulnerability into a major breach in minutes.

But the risk goes even deeper. The introduction of autonomous AI agents creates a new layer of complexity. AI agents are designed to act independently to achieve certain goals, which means they require broad access to your company’s systems and data. This can lead to:

  • Unpredictable actions: An AI agent given a simple task could find an unexpected and potentially destructive way to accomplish it. In a recent security test, an AI given access to company emails discovered it was going to be replaced. It then tried to blackmail the engineer in charge to save its “job.” Imagine the potential for data leaks or operational disruption if such an agent had access to your critical systems.
  • Shadow AI: Employees are increasingly using new AI tools without company approval or IT oversight. Each of these tools creates a new, unmanaged identity with access to your data, creating security gaps that your team can’t see.

Secure your business for the AI era

The rapid evolution of AI-driven threats can feel daunting, but you can take proactive steps to protect your business. The strategy starts with a few foundational principles:

  • Gain full visibility: You can’t protect what you can’t see. The first step is to discover and inventory every NHI across your entire digital environment. Utilizing specialized tools can help automate this process and provide a complete picture of your NHI landscape.
  • Enforce the principle of least privilege: Ensure every application, script, and system has only the absolute minimum level of access required to perform its function. If a tool doesn’t need access to sensitive customer data, it shouldn’t have it.
  • Manage the full life cycle: Implement a clear, automated process for creating, managing, and, most importantly, securely decommissioning NHIs when they are no longer needed.
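
As an added example that is not from the original article, the three principles above applied as an audit over a constructed inventory of non-human identities: it flags ghost accounts, identities with no accountable owner, stale or overdue credentials, wildcard privilege, and autonomous agents holding write access. The field names, thresholds and sample identities are assumptions.

```python
from datetime import date

TODAY = date(2025, 6, 1)   # fixed so the sample audit is reproducible
STALE_DAYS = 90            # unused this long: candidate for decommissioning
ROTATE_DAYS = 365          # credential age beyond which rotation is overdue

# Constructed sample inventory; the field names are an assumption. 'owner' is the
# accountable human, 'scopes' the granted permissions, 'project_active' whether
# the business purpose the identity was created for still exists.
INVENTORY = [
    {"id": "svc-billing-export", "type": "service_account", "owner": "dana",
     "created": date(2025, 1, 10), "last_used": date(2025, 5, 30),
     "scopes": ["billing:read"], "project_active": True},
    {"id": "ci-deploy-key", "type": "api_key", "owner": "",   # owner has left
     "created": date(2023, 4, 2), "last_used": date(2025, 1, 15),
     "scopes": ["*"], "project_active": False},
    {"id": "summarizer-agent", "type": "ai_agent", "owner": "lee",
     "created": date(2025, 3, 1), "last_used": date(2025, 5, 31),
     "scopes": ["mail:read", "customers:read", "customers:write"],
     "project_active": True},
]

def audit(inventory, today=TODAY):
    """Return {nhi_id: [finding, ...]} for every identity with at least one gap."""
    report = {}
    for nhi in inventory:
        idle = (today - nhi["last_used"]).days
        issues = []
        if not nhi["owner"]:
            issues.append("no accountable owner")
        if not nhi["project_active"]:
            issues.append("project ended but identity still enabled (ghost account)")
        if idle > STALE_DAYS:
            issues.append(f"unused for {idle} days")
        if (today - nhi["created"]).days > ROTATE_DAYS:
            issues.append("credential older than the rotation period")
        if "*" in nhi["scopes"]:
            issues.append("wildcard scope violates least privilege")
        if nhi["type"] == "ai_agent" and any(s.endswith(":write") for s in nhi["scopes"]):
            issues.append("autonomous agent holds write access; confirm it is required")
        if issues:
            report[nhi["id"]] = issues
    return report
```

On the sample, the scoped and actively used service account passes clean, the forgotten deployment key collects every finding, and the agent is flagged only for its write scope.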

Online threats may be sophisticated and constantly evolving, but a strong security plan can still keep them at bay. Our team of cybersecurity experts can help you gain a clear understanding of your current risk posture and develop a robust strategy to secure your business against the latest threats.


Published with consideration from TechAdvisory.org.