Author: westlake

Microsoft’s Office 365 is inherently very safe, with high levels of encryption, but cyber criminals are using increasingly sophisticated ways to circumnavigate security measures and convince users they are genuine with the aim of extorting money or extracting valuable data from organisations or from their customers.

Chris Apperley, MD explained, “These policies are not documents or processes you need to follow, but are in fact a combination of rules and criteria that your IT provider can configure and apply to your Office 365 tenant to make it harder for cyber criminals to hack your user accounts and perform malicious activities. We are increasingly seeing attempts to ‘spoof’ our customers email accounts and either engage a supplier or customer with the aim of diverting funds to new accounts.”

A Sign-in Risk Policy is designed to analyse each user sign-in and automatically spot and block any malicious sign-in attempts by, for example, checking if the sign-in attempt is being made using an anonymous IP address or from an unfamiliar location.

The User Risk Policy is designed to spot potentially compromised user credentials and will automatically block any user account that the system believes to be a risk. An account might be blocked because of ‘impossible travel,’ typified by one login attempt in France one minute then a login attempt in India the next. Another trigger could be a login attempt from a country in which the business has no operations or to which employees don’t travel.

Chris concluded, “These policies are a brilliant feature of Office 365’s Azure licensing and although there’s a slight increase in license cost the actual features don’t cost you anything to put in place. We’re implementing them as a matter of course for all our Office 365 clients and we advise you do the same.

“If you are concerned about your email security and would like some advice, please call us on 02392007850. We’d be happy to help.”

With a current No 10 position on their worldwide leader board, Buzzword and Westlake are thrilled that Westlake’s rebrand has resonated with so many voters.

Chris Apperley, Managing Director commented, “Buzzword did a fabulous job. They understood what we were about and translated that into a powerful logo, strapline and visuals.”

The Drum wrote “The company (Westlake) required branding that reflected its USP: namely the combination of the no-nonsense-get-it-done attitude of an SME with the skilled, corporate business backgrounds of their expert team.

“Buzzword aimed to develop a timeless logo with a direct strap line that captures the distinct personality of Westlake. Using the angles derived from the logo symbol, it developed a creative platform using a palette of cooler shades that supports the full suite of Westlake communications and positions it firmly as a cutting-edge provider of IT services.”

Adam Smith, Managing Director, Buzzword said, “The Drum is the No.1 marketing trade magazine and for the Westlake rebrand to have been selected by it, as one of the best design projects of the year is high praise indeed, particularly as the category is worldwide.

“We thoroughly enjoyed working with Westlake to develop their rebrand and recognise that this achievement is a joint one. As a corporate branding agency, our main objective is to create brands that build business and we look forward to seeing how the brand continues to help Westlake to grow”.

Chris concluded, “We’re asking our clients and partners to vote for us by visiting The Drum website and who knows we could even reach the No 1 spot!”

What is spam, phishing and spoofing?

E-mail spoofing is often an attempt to trick the user into making a damaging statement or releasing sensitive information, such as a password. Spam and phishing emails typically use spoofing to mislead the recipient about the origin of the message.

Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money). This is often for malicious reasons; by disguising as a trustworthy entity in an electronic communication. The two most common types of phishing attacks are Deceptive Phishing and Spear Phishing:

• Deceptive Phishing is the most common type of phishing scam. It refers to any attack by which fraudsters impersonate a legitimate company and attempt to steal people’s personal information or login credentials. Those emails frequently use threats and a sense of urgency to scare users into doing the attackers’ bidding. The success of a deceptive phish hinges on how closely the attack email resembles a legitimate company’s official correspondence. As a result, users should inspect all URLs carefully to see if they redirect to an unknown website. They should also look out for generic salutations, grammar mistakes, and spelling errors scattered throughout the email.
• Spear Phishing is much cleverer as it uses a high degree of personalisation. For instance, in spear phishing scams, fraudsters customise their attack emails with the target’s name, position, company, work phone number and other information. This is done in an attempt to trick the recipient into believing that they have a connection with the sender. The goal is the same as deceptive phishing: lure the victim into clicking on a malicious URL or email attachment, so that they will hand over their personal data.

How to spot malicious emails

Keep Informed About Phishing Techniques

New phishing scams are being developed all the time. Without staying on top of these new phishing techniques, you could inadvertently fall prey to one. Keep your eyes peeled for news about new phishing scams. By finding out about them as early as possible, you will be at much lower risk of getting snared by one.

Think Before You Click!

Phishing emails, purporting to be from a genuine person whose name you recognise, will often contain a mismatched URL. If you are suspicious, hover your mouse over the top of the URL and you should see the actual hyperlinked address. If the hyperlinked address is different from the address that is displayed, the message is probably fraudulent or malicious.

Example: The link shows https://secure.login.microsoft.com… however if you hover over the link, the URL is shown www.montemaq…

People who launch phishing scams often depend on their victims not knowing how the DNS naming structure for domains works. The last part of a domain name is the most important piece of information to check:

Example: info.brienposey.com would be a child domain of brienposey.com because brienposey.com appears at the end of the full domain name (on the right-hand side).

Conversely, brienposey.com.maliciousdomain.com would clearly not have originated from brienposey.com because the reference to brienposey.com is on the left side of the domain name.

Phishing scams try to convince victims that a message comes from a company like Microsoft or Apple. The scammer simply creates a child domain bearing the name Microsoft or Apple, for example. The resulting domain name looks something like this: Microsoft.maliciousdomainname.com

When in doubt, go directly to the source rather than clicking a potentially dangerous link. Do NOT open suspicious emails from addresses that you don’t recognise, or emails purporting to be from inside your organisation that you were not expecting. Mark them as Junk within Outlook or delete them immediately. Remember a genuine organisation will try to contact you again if their email is urgent.

Verify a Site’s Security

It’s natural to be a little wary about supplying sensitive financial information online. As long as you are on a secure website, however, you shouldn’t run into any trouble. Before submitting any information, make sure the site’s URL begins with “https” (the inclusion of the s is important). There should also be a “closed lock” icon near the address bar. Check for the site’s security certificate as well.

If you get a message stating a certain website may contain malicious files, do not open the website. Never download files from suspicious emails or websites. Even search engines may show certain links which may lead users to a phishing webpage which offers low cost products. If a user makes purchases at such a website, the credit card details will be accessed by cybercriminals.

Check Your Online Accounts Regularly

If you don’t visit an online account for a while, someone could be having a field day with it. Even if you don’t technically need to, check in with each of your online accounts on a regular basis. Get into the habit of changing your passwords regularly too. To prevent bank phishing and credit card phishing scams, you should personally check your statements regularly. Get monthly statements for your financial accounts and check each and every entry carefully to ensure no fraudulent transactions have been made without your knowledge.

Keep Your Browser Up to Date

Security patches are released for popular browsers all the time. They are released in response to the security loopholes that phishers and other hackers inevitably discover and exploit. If you typically ignore messages about updating your browsers, stop. The minute an update is available, download and install it.

Be Wary of Pop-Ups

Pop-up windows often masquerade as legitimate components of a website. All too often, though, they are phishing attempts. Many popular browsers allow you to block pop-ups; you can allow them on a case-by-case basis. If one manages to slip through the cracks, don’t click on the “cancel” button; such buttons often lead to phishing sites. Instead, click the small “x” in the upper corner of the window.

Never Give Out Personal Information

As a general rule, you should never share personal or financially sensitive information over the Internet. When in doubt, visit the main website of the company in question, get their number and give them a call. Most phishing emails will direct you to pages where entries for financial or personal information are required. An Internet user should never make confidential entries through the links provided in the emails. Never send an email with sensitive information to anyone. Make it a habit to check the address of the website. A secure website always starts with “https”.

It’s too Good to be True

If you receive an email message informing you “…you’ve won the lottery…” or “…congratulations you are the winner…” – however you have not bought a lottery ticket or entered a competition, it’s likely to be a malicious email. If something seems too good to be true, it probably is. If you receive a message from someone unknown to you, making big promises, the message is probably a scam.

You’re Asked to Send Money

One sign of a phishing email is that you will eventually be asked for money. You might not be asked in the initial message, but sooner or later, phishing criminals will likely ask for money. They will claim it is to cover expenses, taxes, fees, or something similar.

These emails can appear to come from your Managing Director or someone very senior in your organisation, and will often carry a sense of urgency. Never respond to such emails. If you think it really is genuine, double check by phoning the sender; do not reply to the email itself.

You Receive Threats and there is a Sense of Urgency

Most phishing scams try to trick people into giving up sensitive information or cash by promising instant riches. However, some phishing criminals use intimidation to scare victims into giving up information. If a message makes unrealistic threats, it is probably a scam.

Example: You receive a letter stating “your account has been compromised and if you do not submit a form (which asks for your account number, along with two signature samples) your account will be cancelled and your assets will be seized”.

If you get an email telling you that if you act now you will get 50% discount or a free gift, be wary. One of the ways cyber criminals achieve success is by offering you incentives to act in a tight timeframe.

Poor Spelling and Grammar

When a large company sends out a message on behalf of the company as a whole, the message is usually reviewed for spelling and grammatical errors. If a message is filled with poor grammar or spelling mistakes, it probably didn’t come from the genuine major corporation.

Protecting your data from cybercrime

The weakest link in any business is its people. Unfortunately, we can all fall victim to cybercrime. Phishing attempts are becoming ever more sophisticated and we must be ever more vigilant. There are things you can do to protect your data, as follows:

• Implement our customisable IT Acceptable Usage Policy
• Share this Guide with your staff
• Implement a Password Policy
• Implement a Document Encryption Guide
• Use Antivirus Software and regularly back up your data

We can help!

For further advice or to talk to an IT professional, please email [email protected] or call 02392 007850.

What does GDPR say?

There are no specific requirements under GDPR regarding passwords in terms of minimum length, capital letters, numbers, maximum periods of validity or required change frequency. However, you do have to demonstrate that you have data access procedures in place. We advise that all our clients have a password policy as part of their approach to managing safe and secure access to data.

GDPR does not preclude the use of usernames and static password logins. But, one of the biggest risks with passwords is that if they are too difficult to remember, or change too frequently, people write them down or require resets because they’ve forgotten them. It’s important to bear this in mind when you create your Password Policy.

We may have passed the cut-off date for having plans and processes in place, but compliance is an ongoing journey. Furthermore, some areas, like password policies, are open to interpretation. The true work is just beginning in ensuring you are compliant with GDPR.

CREATING YOUR PASSWORD POLICY

We help our customers to create and implement Password Policies. If you don’t currently have this support, it’s important to get the right advice to put a policy in place. The most important thing to do is ensure:

• You have a Password Policy in place that details password requirements and validity periods
• Your employees know their obligations regarding the safe storage of their passwords via encryption, for example
• You document your password creation and reset procedures. It’s vital that password resets can only be authorised by specific personnel. Upon login, a user should be prompted to change their password immediately from the one provided temporarily.

While two-factor authentication is becoming increasingly advised and talked about as a way of safely resetting passwords, it is not mandatory. However, having a password policy in place is vital to meet GDPR requirements for the ongoing safe and secure storage of, and access to, personal data.

Creating a password policy should be a joint effort between IT, HR and Compliance within your business. This will ensure the legal and regulatory requirements of your business are met. Password Policies can be:

• A part of your Employee Handbook
• An addendum to your IT Usage Policy
• A part of your Employment Contract

Training is a core principle in GDPR. It’s essential that however you implement your Password Policy, that you ensure it is read, understood and adhered to by your employees, and that you have the right training and processes in place to make that happen.

Password Dos and Don’ts

The following checklist is a great starting point for drafting your Password Policy.

Password Security:

• Passwords should be changed every 90 days
• The 10 previous passwords used should not be available to reuse
• The system should automatically lock an account after 10 incorrect attempts, and unlock after 10 minutes
• Passwords should be a minimum of 8 characters, including 3 out of 4 of the following:
  • Upper case o Lower case
  • Numeric value
  • Symbol

A good password is:

• Private: it is used and known by one person only
• Secret: it does not appear in clear text in any file or program, or on a piece of paper pinned to the monitor
• Easily Remembered: so there is no need to write it down

Avoid:

• Words you can find in the dictionary of any major language. It should not be guessable by any program in a reasonable time, for instance less than one week
• Personal information, such as names and birth dates
• Keyboard patterns, like qwerty or 12345. Particularly avoid sequences of numbers in order
• Common acronyms
• All one type of character – such as all numbers, all upper case letters, all lower case letters, etc.
• Repeating characters, such as mmmm333
• The same password you use for another application

WE CAN HELP!

For further advice or to talk to an IT professional, please email [email protected] or call 02392 007850.

The rebrand has been a natural and seamless evolution, building on Westlake IT’s 12-year track record providing IT support services for SMEs.

Chris Apperley, MD, said “We’re delighted with our new look. It’s been a fascinating journey. We’ve had to turn the spotlight on ourselves, what we stand for, what we do and more importantly what our customers tell us, so that our new branding is authentic.”

Westlake has launched a new logo, strap line and website. In terms of the company’s ‘look and feel’, the branding has been carried through all their literature and their new office which is a vibrant, modern space designed to make employees and customers feel welcome.

Chris continued, “I love our new strapline. I’m a really straightforward person and if I’m sorting out an issue for a customer I’ll often say – ‘leave it with me’ or ‘I’ll sort it’ so Consider IT Done hits the nail on the head for me.”

With a leadership team comprising former corporate professionals and led by Westlake IT’s down to earth business founder and hands on MD, Westlake combines big business best practices and deploys them in a fast-paced way.

Susannah Jeffery, Business Development Director, explained, “Our company’s identity remains, at its core, that of an agile, forward thinking business but our positioning as an innovative IT services consultant is now also at the forefront. Our flat structure and team-based culture means we can genuinely flex quickly to meet customer requirements.”

Westlake has ambitious growth aims and its focus is to provide cost-effective and expert outsourced IT support and consultancy services that are grounded in its twin strengths; technical expertise and business acumen.

And the future is bright: over the next five years, AI and automation will not only reduce the churn of administrative tasks but also support better, faster workplace decisions.

Any business IT infrastructure upgrade should have one eye on tomorrow’s working world and at Westlake, we’re keeping abreast of every development that could make your life easier.

If you’d like to know more, we’re always happy to arrange a free consultation to tell you what we know and how it could help your business to grow. Call us on 02392 007850 or email [email protected]

Spending so much time in ineffective meetings means that we feel that our workload is poorly balanced between ‘we time’ to collaborate and ‘me time’ to think and create.

The key is to get the best out of meetings and where possible to cut dead travel time to and from them. Employees cite virtual meetings as the most efficient way to conduct a productive discussion.

Talk to us about the technology that your company needs to go virtual. Call us on 02392 007850 or email [email protected]

The future of work is about what we do, not where we do it and today’s technology can make almost any place a workplace. Modern workers want the freedom to decide how and where they contribute the most value and 44% expect to have that choice within three years.

Cloud technologies can absolutely enable workers to meet, share ideas and information quickly with access to all of the tools needed for them to do their jobs, regardless of device or location.

Interested? Talk to us about how Cloud technologies can help your business. Call us on 02392 007850 or email [email protected]