Towner’s cyber security experts have put together an advisory of security best practices to help protect businesses from the most common attacks they might experience. This guide aims to break down security into key categories that are easy to understand and easy to implement.
Use this checklist to ensure the highest levels of protection from all potential threats. Check in frequently to ensure practices are being enforced, passwords are being updated and security remains top of mind.
ACCOUNT SECURITY
SET PASSWORD REQUIREMENTS TO PREVENT USERS FROM CHOOSING EASILY GUESSABLE PASSWORDS
We recommend looooong vs complex passwords/passphrases. Choose a password expiration policy that is long enough that users don’t resort to writing down or reusing similar passwords frequently. Discourage users from using unsafe passwords by enforcing the “compromised password” policy.
PURCHASE LICENSES FOR A PASSWORD MANAGER (LIKE LASTPASS) FOR YOUR EMPLOYEES
IMPLEMENT ACCOUNT LOCKOUTS WHEN THE WRONG PASSWORD IS ENTERED TOO MANY TIMES
ENABLE AND CUSTOMIZE SUSPICIOUS LOGIN ALERTS TO USERS AND ADMINS
RESTRICT ACCESS TO YOUR COMPANY RESOURCES BASED ON IP ADDRESSES (FOR EXAMPLE, LIMIT IT TO RANGES AND COUNTRIES YOU KNOW YOUR USERS WILL CONNECT FROM)
Tip: Encourage the use of passphrases instead of passwords. They are longer, more complex and may be easier to remember. Need some help suggesting a passphrase?
Ask these questions:
• If you walked outside, what is the first thing you would see?
• Close your eyes. I say the word “awesome” – what’s the first thing you think of?
• What would be included in your last meal?
• What makes up your ideal vacation?
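The account controls in this checklist expressed as code, as an added example that is not part of the original advisory: a length-first password policy with a compromised-password check, a failed-login lockout, and an IP allowlist. The thresholds, the sample breached-password list and the network ranges are constructed assumptions.

```python
import hashlib
import ipaddress
import time

# Assumed policy values (not from the advisory); tune to your environment.
MIN_LENGTH = 16            # favour long passphrases over character-class rules
MAX_FAILURES = 5           # wrong passwords tolerated inside the window
FAILURE_WINDOW = 15 * 60   # seconds over which failures are counted
LOCKOUT_SECONDS = 30 * 60  # how long a locked account stays locked

# Constructed stand-in for a breached-password corpus, held as SHA-1 digests
# so the check never needs the plaintext list.
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password1234567890", "correct horse battery staple")
}

# Constructed allowlist: office range and VPN egress (documentation networks).
ALLOWED_NETWORKS = [ipaddress.ip_network(n)
                    for n in ("203.0.113.0/24", "198.51.100.16/28")]


def password_problems(password, username=""):
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if username and username.lower() in password.lower():
        problems.append("contains username")
    if len(set(password.lower())) < 6:
        problems.append("too repetitive")
    if hashlib.sha1(password.encode()).hexdigest() in COMPROMISED_SHA1:
        problems.append("known compromised")
    return problems


def ip_allowed(addr):
    """True when the source address falls inside an allowlisted network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False            # unparsable source address: deny
    return any(ip in net for net in ALLOWED_NETWORKS)


class LockoutTracker:
    """Counts recent failed logins per account and enforces a timed lockout."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = {}      # account -> timestamps of recent failures
        self.locked_until = {}  # account -> time the lock expires

    def is_locked(self, account):
        return self.clock() < self.locked_until.get(account, 0)

    def record_failure(self, account):
        """Register a wrong password; return True if the account is now locked."""
        now = self.clock()
        recent = [t for t in self.failures.get(account, [])
                  if now - t < FAILURE_WINDOW]
        recent.append(now)
        self.failures[account] = recent
        if len(recent) >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.failures[account] = []
        return self.is_locked(account)

    def record_success(self, account):
        """A good login clears the failure history for that account."""
        self.failures.pop(account, None)
```
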
ENDPOINT SECURITY
ENCOURAGE OR ENFORCE THE USE OF VPN FOR REMOTE USERS (WITH 2FA)
INVEST IN MOBILE DEVICE MANAGEMENT (MDM)
ENCOURAGE USERS TO ENABLE AUTOMATIC UPDATES OF APPS AND MOBILE OS
ENCOURAGE THE USE OF SECURE FILE SHARING AND BACKUP THAT CAN BE MONITORED BY AN ADMINISTRATOR AND THAT INCLUDES ADDITIONAL PROTECTION AGAINST RANSOMWARE ATTACKS
REMOVE ADMIN RIGHTS FROM STANDARD USER ACCOUNTS
LIMIT USE OF ROOTED PHONES OR INSTALLATION OF APPLICATIONS FROM NON-STANDARD APP STORES
EMAIL SECURITY
REVIEW YOUR EMAIL SECURITY SETTINGS AND OPTIONS ON A REGULAR BASIS
ENABLE TAGGING OR IDENTIFICATION OF EXTERNAL EMAILS TO HELP EMPLOYEES FOCUS ON POTENTIAL EXTERNAL THREATS
ENABLE ACTIVESYNC OR OTHER MOBILE SYNCHRONIZATION POLICIES TO BETTER PROTECT DATA STORED ON MOBILE DEVICES AND CONSIDER FURTHER FULL MOBILE DEVICE MANAGEMENT (MDM)
IMPOSE DELIVERY RESTRICTIONS ON EMAIL DISTRIBUTION LISTS THAT DO NOT NEED TO RECEIVE MESSAGES FROM EXTERNAL SENDERS
REMOVE ADMIN RIGHTS FROM STANDARD USER ACCOUNTS
ENABLE AN EMAIL ARCHIVING SOLUTION THAT IS INDEPENDENT FROM YOUR PRIMARY EMAIL MAILBOX
Tip: Set up an annual review of all account security settings to keep security top of mind
HUMAN SECURITY
ENCOURAGE EMPLOYEES TO CALL THEIR PERSONAL MOBILE PHONE PROVIDERS AND TURN ON EXTRA SECURITY VERIFICATION STEPS, LIKE A PIN
ENCOURAGE EMPLOYEES TO NEVER REUSE THEIR EMAIL PASSWORD FOR ANY OTHER SYSTEMS OR APPLICATIONS THEY USE
DISCOURAGE USERS FROM STORING PASSWORDS IN THEIR BROWSER
MANDATE ALL EMPLOYEES TAKE SECURITY TRAINING (EX: https://www.knowbe4.com/products/enterprise-security-awareness-training/)
Tip: Reward users for reporting anything suspect; this will make them more likely to come forward if they do fall for a phishing or other malicious attack
Cyberattacks are becoming more sophisticated and hackers more aggressive. Business communications such as telephone calls, voicemails, text messages, video meetings and file sharing are targets of attacks. (Emails remain one of the top vectors.) Communicating, collaborating and sharing information are at the heart of every business. Hybrid work is driving a growing reliance on cloud technology, connecting stakeholders in the organization. Your organization’s ability to withstand security attacks and avoid breaches is critical to the ongoing success of the business. Your cloud communications provider should be as focused on security as they are on product innovations. Here’s a Comprehensive Security Guide to help you keep your security on lock.
THE NEED
Conversations taking place in your company cover many topics that should remain confidential, from product development and customer information to employee data, company strategy, and more. In short, your company’s intellectual property (IP) is threaded throughout the communications between your employees, customers and suppliers. All of this information is valuable to cybercriminals who will use it against you if they gain access.
The IP footprint created by business conversations is vast. This information is vulnerable to theft and malicious use by bad actors. It’s common for an unknown caller to join an audio or video conference to listen in on a company meeting. The history of chats and emails can virtually live forever on phones, PCs or company servers. What about secure files containing contracts, customer or employee information, confidential presentations and more? Are they really secure?
The moment any technology is offered on the open market, cybercriminals are looking for weaknesses to exploit. Your business communications provider plays a pivotal role in helping keep your proprietary data safe. If you are not working with a supplier who is continually advancing security as the product evolves, you are at risk.
THE SOLUTION
Intermedia Unite provides affordable, cutting-edge business communication tools with top-notch security features. Small and medium-sized businesses gain Fortune 500-level reliability and security through Triple Shield Security and a Comprehensive Security Guide.
With over 25 years of experience, our cloud service prioritizes security. Our certified staff and advanced technologies protect against cyber threats. Triple Shield Security safeguards user access, applications, and data infrastructure.
1 | USER ACCESS SECURITY
User and administrator access, whether from laptops, desktops, smartphones, or even desk phones, can become the entry point for cybercriminals to reach your entire company’s proprietary data if it is misplaced, misused, or compromised.
That’s why user and administrative credentials are a primary target for hackers. Compromised access is frequently used by hackers for lateral movement to get access to other users and other systems, and administrative access is among the most prized targets for hackers.
Intermedia’s user access security shields your company from unauthorized access, regardless of device or location. Easy-to-operate access controls allow your administrators to better manage user security — whether through authentication, sophisticated password management, geo-fencing, suspicious login or account compromise detection.
2 | APPLICATION SECURITY
Data is particularly vulnerable when it flows between the safe confines of your secure cloud and your users’ mobile and desktop applications. Cybercriminals can exploit vulnerabilities of in-transit data across complex environments and applications for malicious intent.
Intermedia’s Triple Shield Security helps you foil attempts to access your company at the application layer. We employ encryption, both in-transit (using TLS encryption) and at-rest (using AES 256-bit keys), as an essential component of our “secure-by-design” product architecture to help keep your data private and secure. Data encrypted while at rest includes voicemails, call recordings, meeting recordings/chat/notes, chat and SMS history, chat attachments, and files. Applications are penetration tested and reviewed against NIST and ISO security standards.
3 | CLOUD SECURITY
Our cloud is hosted in geographically dispersed, highly secure and monitored datacenters by certified tier-three providers. All of the datacenters are either ISO 27001-certified or are subject to regular SOC security audits.
Network-based monitoring detection systems are configured to detect attacks or suspicious behavior, and vulnerability scans are performed to identify potential weakness in the security and confidentiality of systems and data. We also run advanced, next-generation antivirus technology across our systems to help detect and deter malicious computer usage that often cannot be caught by conventional methods. The technology monitors for unusual patterns and behaviors, alerting security engineers of suspicious activity, 24×7. This endpoint technology can also help prevent attacks against vulnerable services, data-driven attacks on applications, host-based attacks such as privilege escalation, unauthorized logins and access to sensitive files, and malware (e.g., viruses, Trojan horses, and worms).
If most or all of these questions cannot be answered affirmatively by your cloud communications provider, your data may be at risk. Contact us today to learn about our Triple Shield approach in securing your business communications.
Trying to make sense of fraud, robocalling, and spam can be overwhelming (and more than a little exhausting). Combat telecom fraud: Understand types, regulations, and protect business and users.
Types of telecom fraud
While there are almost too many different types of telecom fraud to list them all, there are five (5) main types that we, and our customers, see most often [source]. They are:
International Revenue Sharing Fraud (IRSF)
Traffic Pumping
Domestic Premium Rate Service
Interconnect Bypass
Arbitrage
While we won’t go into detail about each of these (check out our Fraud Overview post for a more in-depth look at each type), it’s important to know that taking proactive steps to protect yourself and your users is one of the best ways to stop telecom fraud from happening.
Illegal robocalling
Robocalling has (perhaps rightfully so) built a reputation as being spammy, used mainly by scammers to try and defraud individuals and businesses out of money or sensitive information. There are, however, legitimate (and legal) use cases for robocalls. These can include receiving updates you’ve opted into, like a flight update or getting an update that your prescriptions are ready to be picked up. Sports teams have even been known to use robocalls to remind players to come for practices.
The new STIR/SHAKEN regulations, which go into effect June 30, 2021, rely on a technology framework designed to help prevent scammers from taking advantage of businesses and individuals by reducing fraudulent robocalls and illegal number spoofing. It verifies that the caller ID you see on your phone matches the calling party’s phone number.
Bandwidth deployed STIR/SHAKEN in their network well in advance of the June 2021 deadline. Today, Bandwidth signs over 4.5B calls each month for top UCaaS and CCaaS brands, allowing them to bypass the lengthy STIR/SHAKEN token application and implementation process and rely on Bandwidth for call signing and authentication.
You can learn more about STIR/SHAKEN by visiting our STIR/SHAKEN Regulations page.
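How the caller ID match described above looks on the receiving side, as an added example that is not code from the original page or from Bandwidth: STIR/SHAKEN carries the signed numbers in a PASSporT token (RFC 8225 with the "shaken" extension of RFC 8588), and the verifier compares its claims with the call being presented. The sketch covers the header and claim checks; verifying the ES256 signature against the certificate named in "x5u" is assumed to be done separately with a crypto library, and the sample token, numbers and URL are constructed.

```python
import base64
import json
import time

MAX_AGE_SECONDS = 60  # freshness window for "iat" (the RFC 8224 recommendation)


def b64url_decode(segment):
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def digits(number):
    """Reduce a displayed or dialled number to bare digits for comparison."""
    return "".join(ch for ch in str(number) if ch.isdigit())


def check_passport(token, caller_id, called_number, now=None):
    """Return (attestation, problems); an empty list means the claims agree."""
    now = time.time() if now is None else now
    try:
        head_seg, body_seg, _signature = token.split(".")
        header = json.loads(b64url_decode(head_seg))
        claims = json.loads(b64url_decode(body_seg))
        orig_tn = digits(claims["orig"]["tn"])
        dest_tns = {digits(tn) for tn in claims["dest"]["tn"]}
        issued_at = float(claims["iat"])
        alg, typ, ppt = header["alg"], header["typ"], header["ppt"]
        header["x5u"]  # certificate URL must be present for signature checking
    except (ValueError, TypeError, KeyError, AttributeError):
        return None, ["malformed token"]

    problems = []
    if alg != "ES256":
        problems.append("alg is not ES256")
    if typ != "passport" or ppt != "shaken":
        problems.append("not a SHAKEN PASSporT")
    attest = claims.get("attest")
    if attest not in ("A", "B", "C"):   # full, partial, gateway attestation
        problems.append("invalid attest level")
    if abs(now - issued_at) > MAX_AGE_SECONDS:
        problems.append("iat outside freshness window")
    if orig_tn != digits(caller_id):
        problems.append("caller ID does not match signed orig.tn")
    if digits(called_number) not in dest_tns:
        problems.append("called number not in signed dest.tn")
    return attest, problems


def sample_token(orig_tn, dest_tn, iat, attest="A"):
    """Build a constructed, unsigned PASSporT for demonstration only."""
    header = {"alg": "ES256", "typ": "passport", "ppt": "shaken",
              "x5u": "https://certs.example.org/sti.pem"}
    claims = {"attest": attest, "dest": {"tn": [dest_tn]}, "iat": iat,
              "orig": {"tn": orig_tn},
              "origid": "00000000-0000-4000-8000-000000000000"}

    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    return enc(header) + "." + enc(claims) + ".placeholder-signature"
```
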
Spam (no, not that one)
If you’ve had an email address for more than five minutes, you know what spam is. In the world of telecom, it’s mostly associated with unwanted messaging traffic that’s sent unsolicited to a user’s phone.
Companies work hard to detect and prevent spam. The 24/7 Fraud Team blocks more than 500,000 spam texts every day through a combination of hands-on analysis and the use of automated tools to monitor traffic and identify trends and anomalies that signal fraudulent and spam activity.
Using call blocking to mitigate toll fraud
The use of call blocking tools can enable carriers to prevent numbers with specific unlawful characteristics from traversing their networks. These tools aim to take a proactive approach to preventing telecom fraud, by stopping the traffic from ever entering a network.
Fraud teams use advanced analytics to continuously monitor traffic patterns and potential robocalling campaigns that identify bad actors at work. Once detected, we work to aggressively leverage modern tools to block the offenders from reaching our network, protecting our customers and the entire ecosystem.
Telecom sector prime target for complex DDoS attacks, warns Lumen Technologies’ cybersecurity report.
In its third Quarterly DDoS Report, Lumen revealed that 34% of the 500 largest DDoS attacks in Q3 took aim at the telecommunications sector. That figure compared to 9% of attacks in Q1 and 32% in Q2.
All told, the telecommunications industry faced 956 incidents in Q3, including both the largest bandwidth attack (612 Gbps) and the largest packet-based attack (252 Mpps) overall across all the segments Lumen tracked. The bandwidth attack marked a 49% increase from the largest seen in Q2, while the packet-rate attack was a whopping 91% bigger than the largest in the previous quarter. Just over half (52%) of attacks against telecommunications companies used a multi-vector approach and the longest incident lasted 6 days.
Mark Dehus, Lumen’s director of information security and threat intelligence, told Fierce there’s been an uptick in attacks on voice-over-IP services using a combination of different methods. The two most common are reflection and application specific attacks, he said.
In the former, an instigator sends a request to a server, prompting it to respond to and overwhelm the targeted IP address with a large amount of traffic. Application specific attacks, meanwhile, go after the specific protocols – like the Session Initiation Protocol (SIP) – that enable voice services and remote collaboration tools. Examples of entities and services which use SIP include mobile virtual network operators, which sometimes use SIP-enabled VoIP services to offload cellular traffic to their own networks; managed voice infrastructure and the operators that supply it; and video conferencing services, he said.
Dehus noted reflection attacks don’t necessarily require a lot of skill, meaning “actors that are not as sophisticated can launch” them and demand money either in advance of or during the incident to halt the attack. He added threat actors are increasingly using multi-vector attacks to amplify their impact and bypass the protective countermeasures companies might take.
Lumen is working to track misconfigured reflectors and what services are being abused in an effort to try to help prevent future attacks, Dehus said. “The more the telecom industry in general can do to help clean up these open reflectors, the more it will take away from the malicious actors in terms of their ability to launch extremely impactful DDoS attacks,” he added.
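A defender's view of the reflection pattern described above, as an added example that is not from the Lumen report: reflected traffic arrives as UDP "responses" from well-known service ports that the receiving host never asked for. The flow records, address ranges, port list and thresholds are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# UDP services commonly abused as reflectors, keyed by well-known source port.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 389: "CLDAP",
                   1900: "SSDP", 11211: "memcached"}
PROTECTED_NET = ipaddress.ip_network("192.0.2.0/24")  # constructed address range
MIN_REFLECTORS = 3      # assumed alert thresholds
MIN_BYTES = 10_000

# Constructed flow records in time order:
# (src_ip, src_port, dst_ip, dst_port, protocol, bytes)
SAMPLE_FLOWS = [
    ("192.0.2.10", 40001, "198.51.100.53", 53, "udp", 80),    # our DNS query
    ("198.51.100.53", 53, "192.0.2.10", 40001, "udp", 300),   # solicited reply
    ("203.0.113.1", 123, "192.0.2.80", 5060, "udp", 4400),    # unsolicited NTP
    ("203.0.113.2", 123, "192.0.2.80", 5060, "udp", 4400),
    ("203.0.113.3", 123, "192.0.2.80", 5060, "udp", 4400),
    ("203.0.113.4", 123, "192.0.2.80", 5060, "udp", 4400),
    ("203.0.113.9", 53, "192.0.2.20", 33000, "udp", 120),     # lone stray reply
    ("203.0.113.7", 443, "192.0.2.80", 51000, "tcp", 9000),   # not UDP, ignored
]


def inside(addr):
    """True when the address belongs to the protected network."""
    return ipaddress.ip_address(addr) in PROTECTED_NET


def find_reflection_targets(flows):
    """Return [(target, total_bytes, reflector_count, services)] over threshold."""
    requested = set()                               # (our_host, remote_ip, remote_port)
    stats = defaultdict(lambda: [0, set(), set()])  # bytes, reflectors, services
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if inside(src) and not inside(dst):
            requested.add((src, dst, dport))        # remember what we asked for
        elif inside(dst) and not inside(src) and sport in REFLECTOR_PORTS:
            if (dst, src, sport) in requested:
                continue                            # answer to our own request
            entry = stats[dst]
            entry[0] += nbytes
            entry[1].add(src)
            entry[2].add(REFLECTOR_PORTS[sport])
    return sorted(
        (target, total, len(reflectors), sorted(services))
        for target, (total, reflectors, services) in stats.items()
        if len(reflectors) >= MIN_REFLECTORS and total >= MIN_BYTES
    )
```
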
New remote workers unaware of risks, while experienced ones may feel hopeless amidst the situation.
Remote work is all the rage, and it’s easy to see why. Employees want flexibility and freedom while executives want less overhead and more productivity. Since most businesses have already transitioned communications to the cloud, it just makes sense.
The rise in remote teams and hybrid work has led to a surge in cybersecurity breaches. For example, Google registered more than 2 million phishing sites in 2020, up from 1.7 million in 2019 (a 27% increase in one year). The number of identity thefts reported by the FTC doubled from 2019. In addition to this, CybSafe reported that one-third of UK businesses have suffered a data breach in the past 12 months because of remote work.
According to a recent IDG Research Services survey commissioned by Insight Enterprises, almost 80% of senior IT workers believe their organizations lack sufficient protection against cyberattacks despite increased IT security investments in 2020. According to Shred-it, 86% of C-level executives believe that the risk of a data breach is higher when employees work remotely.
There is hope, however. Implementing strong cybersecurity practices ensures protection, avoiding financial loss and headaches for your business.
The Unique Security Challenges Of A Hybrid Workforce
Cybersecurity is essential, whether your workers are in the office, hybrid, or remote. However, in-office workers are generally protected by layers of security when it comes to data and communication. Once workers move outside the office, new vulnerabilities appear. For example, an office network will likely be secured by firewalls, VPNs, antivirus software, and other measures to ensure VoIP security.
Home routers often lack firewalls, and even those doubling as firewalls may be less secure than business counterparts. Employees are responsible for their own software when working remotely.
Minimize remote work security vulnerabilities with policies, training, and IT support for your remote workforce.
Checklist Of Best Practices
Cybersecurity professionals recommend these practices to prevent or minimize breaches. Inform and enforce them for optimal protection.
1. No Public Wi-Fi
Working out of a Starbucks may seem idyllic, but using their Wi-Fi can cause a host of problems. The lack of firewalls allows anyone using that network to easily hack into your company’s data. In fact, hackers on any public network that your data crosses between you and your office can monitor traffic as it goes by. If you still want to work from Starbucks, set up a personal hotspot and VPN.
2. Be Aware of Surroundings
According to a study done by Code 42, a laptop is stolen every 53 seconds in airports alone. Losing a laptop is bad enough, but if there is a data breach on top of that, it could be a catastrophe.
Instruct your remote workers not to be careless with their work laptops. If they happen to be working in a public space, they should remain alert. They should make sure that their sightlines are blocked, meaning, no one can sit behind them and watch/record everything they are doing.
Employees should take their device with them to the restroom and avoid leaving it in a car (even a locked car). It is also important that remote workers keep the doors of their homes locked just as the office is locked up every night.
3. Encrypt Stored Data
In the case that a device is stolen, you can avoid the disaster of a data breach if the data on your device is encrypted. Make sure that remote workers are all using devices that are set to encrypt all stored data.
4. Do Not Use Personal Devices for Work
If your remote workers are using their own personal devices to conduct work on, chances are, they are exposing the company to a security breach. The protocols that your company has for keeping data safe such as regular updates, virus scans, and malicious site blocking are likely not being kept up by remote workers on their personal devices.
For one, your remote worker may not be aware of all that your company does to keep data safe; for another, your remote worker likely does not have the same budget for cybersecurity that you have for your business.
5. Enable Email Encryption
Emails are another point of vulnerability for remote workers. Just as you want to ensure that all stored data is encrypted, it’s also a good idea to encrypt the data attached to any email, as this will prevent an unintended recipient from viewing the information.
6. Don’t Allow Non-Employees To Access Work Devices
When it comes to cybersecurity, it’s important to keep as much control as possible over devices. Remote employees should never share their devices with non-employees. Even if it is someone they know, a non-employee who doesn’t understand your company’s security policies could unknowingly open up a pathway for malicious actors.
This is true even if the non-employee only wants to use the employee’s work device as a temporary “charging station”. Additionally, some of your employees may be too trusting, and it is easier just to have an “employee only” policy than to have rules about who can and can’t use work devices.
7. Disable All External Drives
USB thumb drives are some of the most popular vehicles for bad actors to use to install malware. These malicious actors would install malware onto 30 or 60 thumb drives and then distribute them where an unsuspecting worker would pick one up and, thinking it was theirs, plug it into their device. With the advancement of cloud storage solutions, there is almost never a reason to use an external drive of any type, USB or otherwise. Unless your employee is a photographer or videographer, you should disable all external drives on work devices.
8. Password Policies
Your employees may unknowingly invalidate several expensive security measures if they have weak or repetitive passwords. Make sure that your company has a password policy in place instructing employees to choose strong, unique passwords and to have different passwords for different applications that they need to use for work. Work passwords should also be different from any personal passwords.
9. Train Employees To Recognize Signs of a Breach And Report Immediately
The sooner your IT or security team finds out about a breach, the better the outlook will be. Train your employees to recognize the signs of a security breach and to report it as soon as possible to your IT or security team. Some things that should tip off your remote workers to a breach are:
An alert from the anti-malware software indicating that a virus or malware is present.
A new homepage or default search engine comes up unexpectedly.
There is a sudden and significant decrease in performance.
There is a sudden increase in spam and pop-ups.
They are receiving frequent error messages.
10. Consider a Secure Access Service Edge (SASE) solution
SASE is essentially an “as-a-Service” cloud solution that combines wide-area networking (WAN) with network security functions, cloud access security broker (CASB), firewall as a service (FWaaS), and zero-trust network access (ZTNA). SASE tools can identify malware, decrypt the content, and continuously monitor sessions for risk.
11. Keep Your Employees Away From Nefarious Websites
Torrent and pirating websites will obviously expose your business to a host of malware. Most companies will have a prohibition against employees going to such sites on work devices, but if it ever happens and one of your employees accidentally downloads a file of malware from a website of ill repute, firing them for breaking company policy will be of little solace.
Here is a creative tip to keep your employees from ever breaking this very important rule in the first place: Use some of the money you save from transitioning to a remote or hybrid workforce to buy your employees subscriptions to reputable music and movie websites such as YouTube Premium, Disney+ or Netflix. This investment will serve double duty as a fun perk for your team as well as a strong deterrent to visit nefarious entertainment sites.
Final Thoughts
Remote and hybrid work has become more appealing than ever to both employees and business owners, but the threat of a security breach is a big drawback. To address this, consider investing some of the savings you receive by going remote into a solid cybersecurity plan. If you implement the best cybersecurity practices now, you and your team will be able to enjoy all the benefits of remote work without the dark cloud of a security breach looming overhead.
The biggest buzzwords in business and in our government are CYBER SECURITY and CLOUD. The “cloud” has evolved from the place where we stored PDFs and pictures to hosting our telecommunications and basically storing our entire business. Critical and sensitive business and personal information is exchanged and stored there, making it a hacker’s personal heaven. One, do non-tech people really understand what “The Cloud” is? And two, if you don’t really understand what the cloud is, how can you really have peace of mind that you’re safe and protected? Brace yourself for the easy and unpleasant answer: you are not, nor will you ever be, 100% safe. Now, hold on to your pants, because there are very basic and very key steps that you can take to ensure that your exposures are reduced almost down to nothing. The key is: hire experts, and then listen to your experts! Here’s why Towner Communications, the Cloud Telecommunications Experts in the Midwest (yes, we can claim that), is telling you to get in the cloud.
Here are our top 3 reasons for proposing Cloud Solutions to almost all, if not all, of the small to medium size partners we consult for.
1. Physical real estate in the office: Premise telecom solutions can be massive and take up more space in your office than you can give up. The entire concept of the cloud is that everything is off site and tucked into a server in a far-off land. Use that extra room for your ping pong table, or an extra office.
2. Cost Savings: Unlike on-premise solutions, unless you purchase the equipment you’ll be using, there is little to no major upfront cash outlay. Flexible plans mean you can rent the equipment, and ALL your telecom services and needs are wrapped into one nice, tight little monthly payment.
3. Flexibility: As your business grows, so can your solution. As your business becomes seasonal, so can your solution.
These are all great selling points of the cloud and are the apex of what small and medium companies need to grow and stay competitive. HOWEVER, please proceed with caution when you’re evaluating a provider!!! You have to ask the right questions and receive responses that are clear and accurate and fit the culture of your business. Not all carriers are created equal, and not all fire sale tactics (like tossing in phones for free) or promises of the lowest prices in the industry mean you’re getting a great deal. Usually these companies deal in volume and aren’t concerned about your specific business needs. This is why you’ll experience more frequent outages, less than desirable customer service, and, more importantly, cookie-cutter cyber security measures that leave you exposed to costly attacks.
These are the exact questions you have to ask when looking for the perfect telecom partnership:
Which solution offers the most cyber security: VoIP or cloud?
Best Answer: It’s important to understand that VoIP is a universal term for Internet-based telephony, which also includes cloud. If they don’t tell you that VoIP and Cloud are virtually the same, RUN. Both terms mean that the calls are delivered via the internet. Now here’s the key point: any call that is made over the public internet is going to have a high level of exposure.
Who has control of your data if you go cloud?
Best Answer: Here’s the deal: Cloud is a sexy word that everyone throws around to seem like they’re on the cutting edge and super with it. The magical cloud is simply a system (much like you would have on site) that resides in a data center somewhere, in a location that doesn’t even have to be remotely close in proximity to your physical location. This means that any and all security concerns are no different from when there is a physical phone system. What’s really important is the promise of the security level that your partner is giving you. On site, it would equate to the level of security your IT guy is promising you.
Is VoIP more vulnerable to hacks?
Best Answer: HECK YES! Analogue phones are by definition secure. Oftentimes, when companies think about cyber security and getting hacked, the last thing they realize is that their phone systems are one of the most vulnerable. Because of this, they don’t encourage their staff to update passwords as frequently as they do with their computers, and they don’t educate their team members on the things to look for to identify possible security breaches. The key here is that any expert provider knows that they can give you that ISDN security with call encryption on VoIP.
The key takeaways here are that you don’t buy on price or promise; you buy on reputation. Cloud solutions are amazingly reliable and secure and can take most if not all of the headache of the telecom portion of your business off your plate. However, it’s not the solution that you need to evaluate; it’s your provider. Look at reviews, talk to your peers. Throw the lowest and highest prices out and, by all means, pick a local vendor who can give you customized and speedy service and solutions!