Coleman Technologies Blog


Taking an Exploratory Stab at Spear Phishing

What Makes Spear Phishing Different?

As a rule, spear phishing is a much more precise and personalized process. To keep to the “fishing” analogy, a generalized phishing campaign casts a wide net, trying to snare as many victims as possible with their scam. Utilizing vague and generic language, the ‘typical’ phishing attack is made to appear to come from a large organization, informing the user of some need for the user to take action, resulting in the hacker gaining access to the user’s information. This methodology makes the typical phishing attack fairly effective against many people, while simultaneously easier to spot if one knows the warning signs.

By comparison, spear phishing is far more precise. Instead of trying to find value in the quantity of targets snared in a trap, spear phishing takes the opposite tack. Using a highly targeted approach, spear phishing attacks are directed toward a specific individual within an organization.

This specified approach means that the generic messages that many phishing attempts leverage simply won’t be enough to fool the intended target. Instead, the hacker has to play investigator, seeking out as much information as they can about their intended target. Where do they work? What is their position in the company? Who do they frequently communicate with? Once the hacker has collected enough information to create a convincing message, they will typically spoof an email to their target. This email will usually contain some reference to a known contact or some in-progress project to make it more convincing and will request that the recipient download a file via a provided link.

However, while the link will direct to what appears to be a Google Drive or Dropbox login page, it is just another layer to the deception. Entering credentials into this page hands them directly to the hacker for their use, breaching the user’s security and putting the entire business at risk in one fell swoop.

What Methods Do Spear Phishers Use?

Due to how spear phishing works, the messages sent by hackers need to be as convincing as possible. Combining extensive research with some practical psychology, a hacker has more ammunition to power their attacks.

As mentioned above, spear phishing is far less generic than the average phishing attempt. By referencing specific people, things, and events that mean something to the target, or appearing to come from an internal authority (a manager, perhaps, or even the CEO), the hacker can create a message that is less likely to be questioned. If the hacker writes their messages without any spelling or grammatical errors, as many spear phishers do, it only becomes more convincing.

These hackers are so reliant upon their target being fooled that many will purchase domains that strongly resemble an official one. For instance, let’s say you owned the domain website-dot-com. If a hacker decided to pose as you to launch a spear phishing attack, they might purchase the domain vvebsite-dot-com. Without close inspection, the switch may not be noticed - especially if the hacker creates a good enough lookalike website.

Am I A Target?

Of course, the research that a hacker has to do to successfully pull off a spear phishing attack is extensive - not only do they have to identify their target, they also have to figure out the best way to scam this target. Generally speaking, a hacker seeking to leverage spear phishing will focus their efforts on anyone in an organization who could potentially access the information that the hacker wants but isn’t high up enough in the organization to question an assignment from above.

Or, in more certain terms, a business’ end users.

In order to minimize the chances that a spear phishing attack will be successful against your company, you need to make sure that everyone subscribes to a few best practices. For example:

  • Pay attention to the finer details of an email. Is the message actually from [email address], or does the email address actually read [slightly different email address]? Did Christine/Kristine include any attachments? As these can be used to spread malware via email, you should avoid clicking on them unless you are certain the message is legitimate.

  • Is the message written to sound overly urgent? Many phishing messages, especially spear phishing messages, will try to push an action by making it seem as though inaction will lead to a critical issue. Another warning sign to look out for: any deviation from standard operating procedures. Don’t be afraid to question a sudden switch from Google Drive to Dropbox - it may just be the question that stops a spear phishing attack.

  • Speaking of questioning things, don’t hesitate to make sure that any messages you suspect may be spear phishing aren’t actually legitimate through some other means of communication. A quick phone call to the alleged sender will be well worth avoiding a data breach.
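
The lookalike-domain trick described above (vvebsite-dot-com posing as website-dot-com) and the advice to check the sender's address closely can be automated at the mail gateway or in a reporting tool. The following is an added example, not code from the original post; the trusted-domain list, the confusable pairs, and the function names are assumptions chosen for illustration.

```python
from email.utils import parseaddr

# Assumption: the domains your organization actually sends mail from.
TRUSTED_DOMAINS = {"website.com"}

# Character sequences that read as another letter at a glance
# (illustrative, not exhaustive).
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("cl", "d"), ("0", "o"), ("1", "l")]


def sender_domain(from_header):
    """Return the lowercased domain of the real address in a From header.

    parseaddr() separates the display name from the address, so a friendly
    name such as "Christine" cannot hide the domain actually used.
    """
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    domain = addr.rpartition("@")[2].strip().lower().rstrip(".")
    return domain or None


def skeleton(domain):
    """Collapse confusable sequences so lookalikes map to the same string."""
    out = domain.lower()
    for seq, repl in CONFUSABLES:
        out = out.replace(seq, repl)
    return out


def edit_distance(a, b):
    """Levenshtein distance: catches one-letter typos the skeleton misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify(from_header, trusted=TRUSTED_DOMAINS, max_distance=1):
    """Return (verdict, matched_trusted_domain) for a From header value.

    Verdicts: "trusted", "lookalike", "external", "unparseable".
    """
    domain = sender_domain(from_header)
    if domain is None:
        return ("unparseable", None)
    for t in sorted(trusted):
        if domain == t or domain.endswith("." + t):
            return ("trusted", t)
    for t in sorted(trusted):
        if skeleton(domain) == skeleton(t):
            return ("lookalike", t)
        if edit_distance(domain, t) <= max_distance:
            return ("lookalike", t)
    return ("external", None)


if __name__ == "__main__":
    # Constructed sample headers, not taken from real mail.
    samples = [
        "Christine <christine@website.com>",
        "Christine <christine@vvebsite.com>",
        "Billing <billing@websitte.com>",
        "Newsletter <news@example.org>",
        "no address here",
    ]
    for header in samples:
        print(f"{header!r:45} -> {classify(header)}")
```

A "lookalike" verdict is a reason to quarantine or banner the message and confirm with the alleged sender by phone, as the last bullet suggests; it is a triage signal, not proof of malice.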

While spear phishing is a considerable threat to your business, it is far from the only thing you need to worry about. Coleman Technologies can help your business secure its IT solutions and optimize them for your use. To learn more, subscribe to our blog, and give us a call at (604) 513-9428.


Knowing, and Planning For, Your Organization’s Compliance Burden

Today’s world is driven by data. As a result, information systems have to be secured. That really is the bottom line. Business is all about relationships and without proper security protocols in place, there are some very serious situations that could completely decimate the relationships you’ve worked so hard to forge. While today’s hackers have a lot of different ways to breach an organization’s network, data breaches that occur as a result of lax security are unforgivable from a customer standpoint. Some organizations can spend more on security than others, but with the landscape as it is today, it has to be a priority, no matter your IT budget.

Here are some of the regulations all business owners and IT administrators should know:

  • GDPR: The European Union’s General Data Protection Regulation is as comprehensive a data protection law as there is. Its aim is to protect the citizens of EU-member countries from data breaches. The GDPR applies to every organization that processes personal information of people residing in the EU.
  • GPG13: Known as the Good Practice Guide 13, it is the U.K.’s general data protection regulation for organizations that do business in the U.K.
  • HIPAA: The Health Insurance Portability and Accountability Act puts several guidelines on how patients’ data is shared and disseminated by insurers and health maintenance organizations.
  • SOx: The Sarbanes-Oxley Act requires corporate records to be kept for seven years to ensure that there is transparency in the accounting. For IT this means being able to have access to data to run reports when called upon.
  • PCI-DSS: Payment Card Index Data Security Standard are regulations enacted to try and reduce fraud by protecting an individual’s credit card information.

That’s just a few of the regulations business owners and IT administrators have to be cognizant of. For business owners there are several more, like the federal and state tax codes, and the adherence to the Affordable Care Act. All these regulations seem pretty straightforward and necessary until you begin to roll them out for your business. Then they just get expensive. In the first-ever Small Business Regulations Survey conducted by the National Small Business Association, the numbers reported, although not comprehensive by any means, weren’t pretty. To put it frankly, the cost to the small businesses that reported, would sink as many or more new businesses.

“The average small-business owner is spending at least $12,000 every year dealing with regulations,” NSBA President Todd McCracken said, “This has real-world implications: more than half of small businesses have held off on hiring a new employee due to regulatory burdens.” The report goes on to state that the average regulatory costs to start a new business venture add up to a whopping $83,019. These figures don’t take into account the dozens of man hours each year spent on these very complex problems. It should be stated that the NSBA has been a long-standing advocate of reducing regulations on small businesses.

Regulators are paid to be skeptical, but overall they are put in place for a purpose, as oversight to ensure sustained adherence to data protection laws. How much can they demand from a small business? The question begs for analysis, as to listen to entrepreneurs talk about them, regulations are unnecessary, but as stated before, these regulations aren’t just implemented willy-nilly. They have empirical evidence of immoral or unethical wrongdoing attached to them. Moreover, it becomes clear that the financial pain these entrepreneurs are in is indefinite, which means that it is highly debatable. The truth is that each scenario needs to be seen in perspective in order to understand just how much certain regulations are costing a business.

One thing is certain: that the average small business pays more for their regulatory compliance programs than larger businesses in the same market do. That disparity is a main point of contention for many small business owners, as it directly affects a company's ability to compete. Some studies have seen organizations that have less than 20 employees charged nearly 60 percent more than slightly larger businesses. Getting into which regulations are onerous and which are necessary would take an examination of each one in detail, so it’s worth it to repeat that these regulations were bred out of situations where individuals were hurt, making them an important part of the oversight process.

To Comply or Not To Comply? That Is the Question
Small business owners who have been reprimanded or fined as a result of a lack of regulatory awareness have a tendency to get the message, but if an organization is notoriously noncompliant and has slipped past regulators, there is a tendency for them to stay the course; and that course is filled with nothing good. Many European and multinational corporations are expecting to invest $1 million toward their GDPR compliance. Obviously this figure, despite being higher per user, will be substantially lower for small and mid-sized businesses. The cost, however, remains significant, and while an organization could probably get around it for a bit, when it hits, it could just sink the whole business.

According to Infosecurity Magazine, compliance with GDPR is costing enterprises an average of $5.5 million, which comes in at about a third of the estimated cost of noncompliance, $14.82 million. That’s a lot of cheddar. It stands to reason that if you are going to spend upwards of 10 percent of your yearly IT budget on ensuring your organization is compliant, you should meet the criteria under the regulation. The best way to do that is by finding affordable solutions that won’t take as big of a chunk out of your operational budget every year.

More than the capital, a business that doesn’t adhere to simple IT regulations probably isn’t adhering to other regulations. Would you want to do business with someone that you know won’t do what’s asked of them to protect YOUR data? Unreputable businesses that are looking to gain an edge by not meeting regulations will pay later for not spending now, end of story.

Compliance and Your Business
Finally, we get to your business. How are you going to plan for your compliance burden? The best way is to educate yourself on what exactly your business needs to plan for by looking at the regulatory mandates, sure, but more often seeking out organizations who have already insulated themselves from the risks associated with noncompliance. This is where a managed IT service provider (MSP) can be a godsend. Since we take security compliance extremely seriously, and deal with multiple businesses that represent several vertical markets, we have the perspective that can provide a clear strategy on how to avoid problems staying compliant.

Moreover, MSPs like Coleman Technologies use extremely sophisticated monitoring, management, and reporting software to reduce risk and put our clients in the best position to prepare for any audits or assessments that need to be completed by regulators. Since the regulatory landscape is constantly changing, our IT professionals are in a unique position to serve as both IT administrator and regulatory consultant.

If you are searching for a way to control your compliance situation, look no further than the IT professionals at Coleman Technologies. We can deploy our strategies made up from tried and true industry best practices to virtually eliminate any risk your organization would have as a result of compliance concerns. Call us at (604) 513-9428 today to get started.

 


Tip of the Week: Proactive Maintenance Keeps Tech Running Smoothly

The Word is Proactive

When something bad happens, you might look back to see what you could have done to prevent the issue from happening in the first place. The word to remember here is “proactive.” Being proactive requires risk assessment, which demands that you analyze the greatest possible threat to your continued existence and prepare for it. In the event that your business’ IT is unable to function as intended, your business would stop functioning. All it takes is a single component failing to leave your employees unable to do their jobs. This is why you need to be as proactive as possible--to ensure that you have plans in place for when your systems inevitably fail.

Proactive IT Maintenance

For the past decade, proactive IT maintenance has been making strides in the office environment. When one of the most important parts of running a business--your IT infrastructure--no longer works as intended, you lose out on profits and shell out for repairs more often. Furthermore, downtime can be a major cost that your business suffers from due to technology malfunctions. If you can keep your hardware operating properly, your network safe from threats, and your business productive, you can eliminate potential problems before they have time to escalate into the expensive kind.

Coleman Technologies’s proactive IT services provide your business with monitoring and management software. With our expert technicians behind these tools, you can rest easy knowing that we are monitoring each and every critical component of your technology for any telling inefficiencies. This gives you the opportunity to address them before downtime occurs.

Patch Management

Security troubles such as software vulnerabilities can also lead to problems for your business. If you can’t rely on your software tools to get the job done without issue, then you’re doing yourself a disservice. Furthermore, you will need the latest threat definitions and software patches to keep your solutions secure from threats that could derail productivity. A major part of our proactive maintenance platform is deploying patches as they are released, eliminating the chances of known vulnerabilities affecting operations.

For more information on how your organization can be more proactive with its IT maintenance, give Coleman Technologies a call at (604) 513-9428.


A Look at Business Computing Costs: Cloud vs. On Premise

For this experiment, we’re going to assume that we are starting from scratch. The optimism and cautious excitement that goes into starting a new business endeavor is palpable. Let's assume for our purposes that you’ve determined that you need to support the following applications:

  • Email
  • Voice over Internet Protocol
  • Line of business applications
  • Productivity applications
  • HR and operations software
  • Storage (enough to support above)
  • File sharing
  • Backup

It’s not hard to ascertain the surface costs of implementing these technologies, but when trying to figure out the total cost of ownership, it may be a little more difficult. Objective comparison of the two platforms has to begin at their core needs. On one hand, in-house computing comes with several, including power, maintenance, management, and redundancy (and the management and maintenance of that platform), while cloud computing may need enhanced bandwidth and redundancy to work for a business. These costs have to be figured in when trying to plan your next steps.

Then there is the question of who is going to use your data, and what kind of protections need to be put in place as a result of that qualification. What compliance regulations does your organization have to meet? How many users does the network and infrastructure have to support? What software do you need to run? There are literally dozens of questions you have to ask before making any definitive decisions about what kind of hardware you are going to need, let alone what kind of hardware solutions you plan on using.

Once you’ve ironed out the particulars, you will then have to make the big choice. Do you want to buy physical hardware, cloud-based hardware, or some combination of both? Let’s analyze all three options:

In-House Computing

The first thing you have to be cognizant of is that once you decide that your organization needs in-house server infrastructure, you have to know that it is going to cost you a pretty penny. In order to support a full-scale communications solution, all the applications your business uses to do business, email, and backup you are looking at a seriously hefty price tag. Not only are you looking at a few thousand dollars per server, costs that are incurred in configuring the servers, warranties, and maintenance to that server could push the cost into untenable territory, especially if there isn’t a good deal of upfront capital available.

Beyond all that, there are HVAC and security costs that need to be addressed the first time around. The biggest expense, by far, is the cost of management. If you outsource your IT services management to a company like Coleman Technologies, you may be able to mitigate some of the recurring costs and get expert management, but ultimately the facts point to on-premise hardware rollouts costing a substantial amount more than utilizing cloud, especially with today’s IaaS costs.

Implementing an in-house server room does provide you with some pretty stark benefits, however. They include complete management over the systems within, the resulting comprehensive data security, and access to data without an Internet connection. It also front-loads the costs associated with the environment, so if the big capital expenses don’t cut into your operational budget considerations, you will be paying less per month. The infrastructure costs (which are fixed costs) and the management and maintenance of it, and operational costs (that are very often variable), all have to be taken into consideration, as does your organization’s regulatory compliance needs.

Cloud Computing

For the start-up that doesn’t have any overreaching data compliance issues, utilizing cloud computing is a no-brainer. Not only are there limited set up costs, there are so many different service-based computing plans that it is now possible to strictly use the cloud for all of your organization's central computing.

For the established company, it may be a little more difficult, so before we go “all hail the cloud!” on you, we have to admit that there are plenty of considerations you have to make if you were to go ahead with a completely virtualized computing infrastructure for your business. Here are a few:

  • Migration Time and Cost: Getting started with cloud computing may not come with the enormous capital costs that an in-house server would, but there is cost, especially if you are migrating data. For an established business to move from physical servers to cloud infrastructure there is a substantial investment. It takes a lot of bandwidth and time to move all of an organization’s data over, and in doing so, you will likely incur a fair amount of cost.
  • Dependability and What Uptime Really Means: Cloud providers like to measure their effectiveness in uptime; and, in doing so, don’t properly represent what customers want from their cloud provider. Businesses need ubiquitous access to data and applications stored on a cloud construct, and sometimes that can be a problem. The VM running the server may be up, but if there isn’t access to critical information and applications, a business deals with their own downtime, which is a major problem.
  • Problems Estimating Costs: The cloud’s cost to a business seems simple enough, but a lot of business owners do a poor job of estimating the true cost of the service. With cloud computing pricing costing businesses so many cents-per-service-unit, they often fail to multiply this cost over months and years. By moving the least utilized applications over first, a company can save more money than just moving it all over at once.
  • Trusting Your Architect: Well before cloud implementation, a company would have a cloud architect make them a map (of sorts) so that decision makers can see how the data flows. A problem arises when you’ve trusted the plan and mid-implementation, the migration team wants to change everything. To avoid a complete cloud migration failure, your best bet is to consult with the architect to make certain that everything goes to plan.
  • Cloud security: For companies that migrate over to the cloud, they will have to know beforehand that all of the solutions they had deployed to protect their systems from threats are probably not going to be deployed by the cloud provider. As a result, it may initially feel as if the cloud construct is lacking security. Hiring a third-party to test your security will go a long way toward alleviating (or reaffirming) the concerns you may have about your cloud’s security.

As costs go, it’s pretty evident after considering all the factors, that deploying new infrastructure is always going to be costly. An organization can save money by moving to the cloud as long as the migration is done properly and meets all the file sharing, data security, and deployment needs that an organization has. In fact, most organizations have some sort of cloud project on the books for this very reason. The benefits outweigh the detriments for a lot of what companies do.

The Hybrid Approach

Nowadays, the Hybrid Cloud approach is becoming more popular. As data regulations increase and legacy software is still mightily functional, the best option is often to deploy both a cloud platform and keep an on premise server. Essentially, finding ways for the two to work in unison is called a hybrid cloud. While this seems like a match for nearly every business, it comes with a great deal of design and implementation headaches, and can cause significant cost overruns.

In order to design and deploy an effective hybrid cloud, you first have to know what the potential pitfalls can be. Two include:

  • Utilization uncertainty: When moving part of an organization’s data and infrastructure to the cloud, there should be a baseline of utilization that is acceptable. If you overplanned for cloud utilization, you could be looking a pretty hefty bill in the face for computing resources your organization will never use.
  • Development costs: The two computing constructs often won’t “play nice” and as a result you may be looking at substantial development costs during the integration. These costs are variable and are difficult to plan for, so like everything else IT, plan to spend more than you will and you won’t be left disappointed.

To solve the challenges that come with significant hybrid cloud costs, many organizations will abandon the idea, but really it’s about simplifying the whole process. New strategies, practices, and products are being formed that will simplify the hybrid cloud process, while allowing an organization to get the most out of their IT infrastructure. It won’t be long before there will be hybrid cloud services that will marry the two ends into one secure and dynamic IT infrastructure. Until then, however, controlling your computing costs, no matter the platform, will take careful consideration and thoughtful planning.

At Coleman Technologies, we have years of experience designing, implementing, managing, and supporting powerful IT infrastructures for businesses of all sizes. To learn more about cloud computing, including hybrid cloud implementations, reach out to us today.


Is Data a Commodity? Maybe Not, but It Is an Asset

Today, many of the largest and most lucrative companies in the world, Google, Apple, AT&T, Amazon, Verizon, Facebook and Microsoft are all, more than manufacturers of computer-based goods and services, data brokers. These data brokers create services that they then sell to advertisers that allow them to target you based on the information these companies have of you, which can accurately tell how and what to sell you.

Since nearly everyone has a near-ubiquitously-connected experience there is a lot of data collected, bought, and sold every year and it’s big business. Facebook, a company whose main revenue stream is from selling advertising, made a net profit of nearly $16 billion in 2017. This tells us that if you have people’s data, you have people’s hopes, fears, and dreams, which means you can pretty easily get someone to pay you for access to that information.

For small businesses it’s much less lucrative. In fact, all the data your organization needs to keep is probably necessary to simply do business, not to sell to advertisers. Facebook voluntarily gets a lot of personal information from every one of their users, whereas the typical small business often has to strategize to just get a name and a phone number. The information that is sensitive (mostly customer information that you collect) has a lot of value to the people looking to steal it. So while you aren’t making billions of dollars selling consumer profiles, it is still a mightily important part of doing business, and needs to be secured.

Is Data a Commodity?
Technically speaking, it isn’t. Since a commodity’s value is based namely on its scarcity and the amount of capital that needs to be put up to create it, in both resources and labor, the data that is being purchased isn’t really a commodity. In light of the dissolution of the U.S. Net Neutrality laws, this has created the argument in the U.S. that since now it’s up to the telecommunication companies how they want to manage (or more accurately bill) data consumption, that they would throttle and tier service, something that isn’t possible with a true commodity, where there are laws prohibiting those types of practices.

On the other hand, Internet access is something that a majority of the commerce requires, and delivering data is in itself an expensive endeavor (infrastructure spending, development, utility costs, etc.) so telecoms, who are seeing their would-be profits syphoned by over-the-top content providers, and publicly demonized as a result of a very public lobbying effort to gain control of the ability to implement some sort of prioritization strategy, have to find a strategy to sustain their ability to get a workable return on their investments.

Securing Your Organization’s Data
Regardless of what your view of data is, it’s an important resource for your organization, and as mentioned above, it needs to be secured. For one of your company’s most important resources, data can be lost relatively easily, so there needs to be a concerted effort to keep your network and infrastructure free from the threats that could put your data at risk. At Coleman Technologies, that’s what we do. We ensure organizations like yours get the professional IT expertise you need to work efficiently, effectively, and securely in what is the most turbulent time in computing history. With the litany of threats your business faces everyday, you need experts that have your back. We offer:

  • Backup and disaster recovery: With a comprehensive backup and disaster recovery system in place, all of your organization’s data is safe, redundant, and able to be restored on demand.
  • Proactive monitoring and management: By keeping a dedicated eye on your network and infrastructure, our technicians can be proactive.
  • Patch management: By keeping all of your organization’s software up to date with the latest threat definitions, you can ensure that your software isn’t going to be a problem.
  • Access control and threat detection: By having full control over who can access what, and a complete view of the entire network, we can keep people who aren’t supposed to see certain information from accessing it.
  • Training: Most times, your own staff is responsible for data breaches and malware. We can train you all on what to look for to ensure that you are doing your best to keep your network and infrastructure free from threats.
  • Around the clock support: If three out of every four businesses deal with phishing emails, and over 95 percent of all phishing emails deliver ransomware, chances are that if a mistake were to be made, you will need immediate IT support. Our support and help desk can remediate a lot of your security issues to keep downtime to a minimum.

With data such a major part of doing business today, ensuring you have the right solutions and support in place to be confident that any situation you face will be managed before it becomes a problem is in itself a benefit. Call Coleman Technologies at (604) 513-9428 for more information.

 


About Coleman Technologies

Coleman Technologies has been serving the British Columbia area since 1999, providing IT Support such as technical helpdesk support, computer support and consulting to small and medium-sized businesses. Our experience has allowed us to build and develop the infrastructure needed to keep our prices affordable and our clients up and running.
