This is a listing of my posts on cybersecurity (and privacy) to the Kelowna (Tech) and/or Built in Kamloops Slack workspaces, starting June 2021, when I started keeping track of my posts. My posts to these two workspaces are headed with "Cybersecurity tip of the week (or so)". I'm logging my posts here because all posts disappear very quickly in Slack free workspaces.
A great article on the 2022 TELUS Canadian Ransomware Study.
of Canadian businesses reported attempted ransomware attacks and 67% have
average ransom paid by Canadian organizations is $140,000. However, the real cost of a ransomware breach can be much higher.
data shows that while the ransom payment often gets a lot of attention, it accounts for only 16% of the direct costs of an attack. The total costs can exceed $1 million, which includes downtime for the company, the cost of mitigation and recovery, and regulatory fines."
those [organizations] that paid the ransom, only 42% told the TELUS survey that they had their data fully restored.
If your org hasn't standardized on a password manager, hasn't issued it to all employees, and/or hasn't required its proper use (and the proper use of credentials) in the org's information security policy(ies), you absolutely should.
Here is a good article explaining why and how. (And Bitwarden is widely regarded as an excellent choice for a password manager.)
Why your remaining IT budget should be used on a company password manager | Bitwarden Blog
This month's tip is actually an event: a free talk I'm doing at ORL Kelowna downtown at lunch time on November 9 (this Wednesday).
ORL's event page:
Cybersecurity Essentials for Small Businesses and Professionals, https://orl.evanced.info/signup/EventDetails?EventId=67626
It's a dangerous (cyber) world! Join cybersecurity consultant Garland Sharratt for an hour-long lunchtime talk covering the most common security threats faced by businesses and how to protect against them. Among the mitigation topics covered will be passwords, two-factor authentication, email and cellular, cloud services, websites, remote work, devices, user awareness, training, and finally, considerations for larger
Cybersecurity Awareness Month! Phishing is one of the top risks for most small and medium businesses, and the GOC has a page with resources on fighting it: October is Cyber Security Awareness Month in Canada - Get
Only one in 10 worried about cyber attacks and that's a concern | National Post
This is probably because, as has been shown many times, most people think they are of above-average intelligence (which is statistically impossible).
If your employees fit the description in this article, despite the high level of cybersecurity risk today, you'll have to work hard to ensure they are properly trained in security awareness, e.g., how to detect phishing and other attacks. And as a manager/owner you need to make sure you give your employees the right tools, such as a password manager (e.g., Bitwarden, 1Password, LastPass) and, at a minimum, a TOTP 2FA authenticator app
Or maybe there's no need to worry at all: "almost half [of business owners] said they were not concerned because they think their company isn’t an attractive threat to cyber criminals." Don't believe it!
If a security-minded organization like Twilio (you might know them for their excellent Authy 2FA authenticator) can be breached by phishing, your organization can be too. Make sure your employee security awareness training program is very strong. A slide deck or video once a year is not enough.
Twilio hacked by phishing campaign targeting internet companies | TechCrunch
According to the company, the as-yet-unidentified threat actor convinced multiple Twilio employees into handing over their credentials, which allowed access to the company’s internal systems. It
The attack used SMS phishing messages that purported to come from Twilio’s IT department, suggesting that the employees’ password had expired or that their schedule had changed, and advised the target to log in using a spoofed web address that the attacker controls.
Twilio said that the attackers sent these messages to look legitimate, including words such as “Okta” and “SSO,” referring to single sign-on, which many companies use to secure access to their internal
Privacy and security are quite related, but unlike security, privacy is a legal requirement. So it pays to pay attention to privacy compliance and privacy incident response.
This article (by a vendor) has a nice checklist that all organizations
Today is World Password
a reminder that all your passwords (except for a few exceptions like device passwords/PINs) should be strong: random, long (a minimum of ~15 characters, but why not choose 30), and unique (i.e., no password ever used for more than one account). This may sound hard to do but it's easy with a password manager (e.g., Bitwarden, 1Password, LastPass).
go along with strong passwords you should enable two-factor authentication (2FA) on all your accounts that support it. For most users the TOTP type of 2FA (e.g., Authy, Google Authenticator) is a good balance of security and usability; use the SMS type of 2FA only if there is no other type
you do nothing else, make sure your primary email account follows the above guidelines: if an attacker can take over that account, they can take over most of your other accounts by doing a password reset on them.
larger organizations, Single Sign-On (SSO) is a nice way to get rid of most passwords for users.
The Office of the Chief Information Officer (OCIO) of the Province of British Columbia publishes a nice weekly Security News Digest. It's a quick read and a great way to learn more about cybersecurity and the threats facing BC businesses.
You can use this link to subscribe: mailto:OCIOSecurity@gov.bc.ca?subject=Security%20News%20Digest%20Subscription%20Request
- "A quarter of Canadian businesses say they have already been the victim of a cyber attack in 2021"
- "more than half (56 per cent) of Canadian organizations targeted by malware have paid the money demanded by cybercriminals"
- "surprised that only 40 per cent of respondents plan to train their employees in
Good cybersecurity hygiene measures would prevent most cybersecurity attacks.
If you have a mobile phone and use SMS (text messaging) for authentication or two-factor authentication (2FA) -- and everyone does -- I recommend this great article on SIM swapping attacks.
I'll add these protections, not mentioned in the article, that you should implement:
1. Put a strong, unique password on your cellular account login. (The article mentions "variation of unique passwords" but that's not secure.)
2. Call up your cellular carrier and tell them you want to place a special password on your account to block malicious porting (= SIM swapping) of your phone number.
3. Put a PIN on your phone's SIM card. (You do this from your phone. This is actually to protect you in case your phone gets stolen, not to prevent SIM swapping. The effect of a stolen phone is essentially the same as that of SIM swapping: your accounts that use SMS for authentication can get taken over.)
4. As for all passwords/PINs you have, make sure you store the three passwords/PINs above in your cloud-based password manager, and make sure you can access your password manager from all of your devices.
This is actually a request, not a tip like usual. Over the last three years I've been doing lots of talks about cybersecurity and information security, almost one every two months -- and it's time for another one.
So if you're an SMB, my request is: What would you like to learn about? I often speak about the basics such as passwords, password managers, two-factor authentication, data backups, device hardening, and user awareness. But maybe there's something more advanced that you'd like to hear about?
If so, please DM me
This Security Planning tool from Consumer Reports is a great way to easily work on improving your cybersecurity over time:
If you're looking for a Xmas gift to help friends and family with cybersecurity:
There's a 50%-off link in the article for 1Password Families. 1Password is probably the best password manager on the planet, and it's
This is a good high-level view (and a quick read) of how to secure your business:
Being prepared for the storm: maintaining a proactive cybersecurity strategy | LinkedIn
1. Understand the cyber threat landscape of your business
2. Conduct a comprehensive risk assessment -- and implied is: implement mitigations for the
3. Train employees to detect potential threats
4. Evaluate and test cyber incident response plan
This is a great article that applies to any password manager (PM). If you've implemented a password manager for you or your org, there is more to do! Here are some additional suggestions that build on the article:
- Treat as a crown jewel the email account that owns your PM account and all your other cloud accounts. If baddies can take over that account, they can take over almost all your accounts by doing password resets.
- You have to properly use a PM to get the value: it's not enough to just have a PM account and store your logins in it. For starters, for your important accounts, change their passwords to long random strings, and use the PM to autofill your credentials into web login pages; that will make you very resistant to phishing (the PM only offers credentials on the site they were saved for, so a look-alike site gets nothing).
- Two-factor authentication (2FA) is critical for your important accounts, including your PM and email accounts. Authy is an excellent 2FA authenticator
- Backing up your vault is a great idea, but be aware that if you're on a Windows PC, your main drive is not encrypted unless you have enabled BitLocker (or the Device Encryption found on Microsoft Surface-type devices); so you'll need to store your PM vault export somewhere else.
If you or your org haven't yet implemented a PM, it's usually the very first thing to do (along with 2FA) to improve your cybersecurity. Three excellent PMs to consider are Bitwarden, 1Password, and LastPass. Check out their business tiers if your org is
Information security tip of the month (or so):
For many organizations the plague has resulted in employees joining and leaving more frequently. This article is a good reminder that departing employees can be a security risk and tells you how to reduce the risk.
A good overview of the security risks when employees leave the organization, especially when the offboarding process is
If you think that ransomware is just about malicious data encryption in place and that you can mitigate a ransomware attack by backing up your data, think again:
Criminals now typically use as many as four different techniques to squeeze victims into paying the ransom.
2. Release of data…
3. Denial of service attacks…
4. Harassment… the attackers contact customers, business partners, employees and news media to alert them to the attack, thus embarrassing the victim.
If ransomware worries you, and it probably should, this is a nice list of actions to take. It's aimed at critical infrastructure providers, but the Short-Term list applies well to any business. One thing missing is security awareness training for all employees, execs, directors, etc. I'd put this close to the top.
You’ve likely heard that passwords need to be strong and unique across your accounts, but you may not fully understand why. This excellent post will tell you everything you need to know.