9 Cognitive Biases Hackers Exploit During Social Engineering Attacks
Cybersecurity is not just a technological challenge but increasingly a social and behavioral one. No matter their tech savviness, people are often duped by social engineering scams, like CEO fraud, because of their familiarity and immediacy factors.
Bad actors have the know-how to tap into the “mental shortcuts” called cognitive biases and manipulate employees into compromising sensitive information or systems. Here are the top cognitive biases hackers use the most:
- Hyperbolic Discounting: Choosing immediate rewards over rewards that come later.
  Example: Free coupon or special deal scams
- Habit: The tendency of users to follow recurring habits.
  Example: Phishing emails delivered at a specific time of day
- Recency Effect: Remembering the most recently presented information or events best.
  Example: Phishing attacks referencing current events
- Halo Effect: When positive impressions of a person, company, etc., influence your overall feeling of that person or company.
  Example: Scam messages from well-known brands
- Loss Aversion: The tendency to prefer avoiding losses to acquiring equivalent gains.
  Example: Phishing attacks threatening credit score damage
- Ostrich Effect: Avoiding unpleasant information (hiding your head in the sand).
  Example: Phishing emails warning action should be taken quickly, or else
- Authority Bias: Attributing greater accuracy to the opinion of an authoritative figure.
  Example: Hackers spoofing important messages from the CEO
- Optimism Bias: Overestimating the probability of positive events while underestimating the probability of adverse events.
  Example: Phishing emails will offer fake job opportunities or insider information
- Curiosity Effect: Acting to resolve curiosity even if it could lead to negative consequences.
  Example: Phishing attacks offering limited-time offers or secret information
A comprehensive security awareness training program can help employees understand these behaviors and spot social engineering attacks. Contact us to learn more.
Information used in this article was provided by our partners at KnowBe4.
According to Statista, an estimated 22 billion IoT devices were in use worldwide in 2020, projected to increase to 31 billion by 2025. With IoT devices growing in number, IoT cyberattacks are also on the rise.
What does the IoT include?
- Smart thermostats, appliances, and lighting
- Smart speakers like Google Home and Amazon Alexa
- Fitness bands and smartwatches
People living in large urban environments are surrounded by thousands of trackable objects every moment.
The IoT is growing faster than our ability to secure it.
The increasing number of IoT devices being connected to the internet has led to significant cybersecurity concerns, including:
- Inadequate security controls: Many IoT devices are not designed with security in mind and may lack basic security controls such as encryption, secure passwords, and regular software updates.
- Data privacy: IoT devices collect a vast amount of data, including personal and sensitive information. If this data is not adequately secured, hackers can intercept or steal it.
- Lack of visibility and control: IoT devices may be deployed in remote or uncontrolled environments, making it difficult for organizations to monitor and manage them.
As more employees work remotely using IoT devices, companies must ensure that their networks and data remain secure. Here are some actions that companies can take to improve cybersecurity for remote and in-office workers in the IoT world:
- Develop a comprehensive cybersecurity policy: Companies should develop a cybersecurity policy that covers remote work and IoT devices. This policy should include guidelines for securing IoT devices, using secure networks, and accessing company data from remote locations.
- Use secure networks: Employees should be required to connect to company networks using Virtual Private Networks (VPNs) or other secure methods. This can help to prevent unauthorized access and data breaches.
- Turn off IoT devices during meetings: These devices constantly collect data; you never know who may be listening or when. Keep your clients’ and organizations’ information safe by encouraging employees to turn off their devices during meetings and calls.
- Provide cybersecurity training: Companies should regularly train employees on best practices for cybersecurity, including how to identify and respond to cyber threats.
With the increasing prevalence of smart devices, taking proactive steps to protect your organization and employees is crucial. If you have any questions or concerns about cybersecurity, please do not hesitate to contact us. Our team of professionals is here to help you safeguard your data and stay safe online.
Information used in this article was provided by our partners at KnowBe4.
Cybercriminals use increasingly sophisticated techniques to bypass security. So, the more barriers you put in their way, the harder you make it for them to break into your systems. According to Microsoft, MFA prevents 99.9% of automated assaults on its platforms, websites, and online services. If that wasn’t enough, here are our top 6 reasons to adopt MFA in your business today.
1. It can protect your business from weak passwords
According to Cybernews, passwords like ‘123456’ and ‘Passw0rd’ are amongst the most commonly used. Weak passwords open the door to all kinds of data breaches. ‘Password-dumper’ malware, which steals login credentials from victims’ devices, was involved in a third of malware-related data breaches in 2020. And 80% of hacking-related breaches involved passwords in some way.
MFA prevents this. Because while cybercriminals may still try to steal your password, they are less likely to have access to your second and third identification factors – such as your fingerprint.
2. It prevents other methods of password theft
Even if a cybercriminal can’t break into your network to steal passwords, they have other methods that are equally successful. ‘Phishing’ attacks trick victims into giving away sensitive information using scam emails, SMS, or phone calls. And ‘pharming’ involves redirecting a website’s traffic to a fake site, run by criminals, where they steal data or install malware.
So even if you’re tricked into entering credentials in this way, the fraudsters still won’t be able to access your accounts without another form of authentication.
3. It makes using unmanaged devices more secure
Ideally, all your remote and hybrid workers will be on secure devices and internet connections, using security managed by your IT professional. But be honest – how many times have you logged onto your email account during the weekend using your personal laptop?
It might feel harmless, but it could allow an intruder to access not only your unmanaged device but also your router and, eventually, the company network. If you use MFA, you can be less concerned about a cybercriminal gaining access this way, thanks to the additional layers of security.
4. It allows your other security tools to perform properly
If a criminal steals over-simple login credentials, they can bypass antivirus software and firewalls like an authorized employee could – with some knowledge. This allows them to disarm your security and wreak havoc, all without you noticing anything is amiss.
With MFA in place, this can’t happen. Cybercriminals can’t use stolen credentials to access your network because they can’t pass these second and even third identity checks. MFA can also act as an alert that your accounts are at risk. If someone attempts to log in, you’ll receive a secondary authorization prompt you didn’t request. This can be immediately reported to ensure everything is safe and sound.
5. It keeps you compliant
When you handle and store sensitive data, your business must comply with local laws stating that you need robust authentication processes in place. MFA is a strong tool to keep the private data of customers, suppliers, and employees out of the wrong hands.
6. It can save a lot of stress
There’s always something to worry about as a business owner. Putting strong security measures like MFA in place can take a lot of weight off your shoulders. Better still, there’s less chance of an employee making an innocent mistake and revealing their credentials to a fake login site (we still highly recommend regular cybersecurity awareness training, though.)
Adopting MFA
MFA isn’t the answer to all your cybersecurity prayers. But it slams the door on most of today’s cybercrimes. So, if you don’t already have it enabled across your network and its systems, you might be leaving that door open to a cyberattack anytime.
MFA solutions are just one of the services we provide our clients daily. If you’re worried about protecting your business, get in touch now.
Information used in this article was provided by our partners at MSP Marketing Edge.
New data provides a multi-faceted look at the changing face of phishing attacks. This data includes who’s being targeted, the tactics used, and why phishing attacks continue to work.
If 2022 is any indication of what the remainder of this year will hold for organizations fending off cyberattacks, cybersecurity efforts are going to need a whole lot more emphasis.
According to Zscaler’s newly-released ThreatLabz 2023 Phishing Report, we get a view into the attack trends throughout 2022 that provide insight into what we should expect more of this year.
According to the report:
- The number of phishing attacks rose 47% overall
- The United States and the U.K. were the top two targeted countries
- Education, finance, and government were the top three sectors, with attacks on education skyrocketing by 576%
- Microsoft, OneDrive, and Binance were the top three impersonated brands
We’ve seen growth in phishing attacks for the last number of years. So, the increased growth Zscaler highlights is cumulative year-over-year growth. It’s why we continue to see phishing as the most common form of cyberattack. This is also why no cybersecurity defense is complete without including Security Awareness Training to protect the organization when security solutions can’t.
Information in this article was provided by our partners at KnowBe4.
What’s the best way to ensure my people follow security best practices?
If you have good security in place and you’re regularly training your people – but find you’re still seeing human-error security issues – consider creating a strict policy that sets out the rules they need to follow and the consequences of not doing so.
How can I tell if all my applications are up to date?
It can be a big task to ensure everything is up to date and patched as required. An IT health check will show you everything you need to do. We can help with that. Just get in touch.
I have an in-house IT tech, but I need extra help. Should I outsource it all?
It doesn’t have to be an either/or solution. An external IT specialist can work seamlessly with an in-house team with great results.
Information used in this article was provided by our partners at MSP Marketing Edge.
Professional instructors from the SANS Institute recently detailed what they cite as the most dangerous forms of cyberattacks for 2023. Some of the key themes included the intersection of AI with attack patterns and the ways that attackers are taking advantage of flexible development environments.
1. SEO-Boosted Attacks
Just as regular businesses utilize search engine optimization (SEO) to boost the rankings of certain terms for the sake of marketing their products and driving traffic to revenue-generating sites, the bad guys also turn to SEO. In their case, they use it to boost the rankings of their malware-laden sites to send more victims their way.
2. Malvertising
Similar to how marketers utilize both organic search techniques via SEO and paid search techniques utilizing advertising, cybercriminals are doing the same. Drive-by attacks are also similarly fueled by malicious advertising (malvertising) campaigns that artificially boost the rankings of sites for certain keywords.
3. Developers as a Target
Developers are an extremely enticing target as they usually have elevated privileges across IT and business systems. Many systems they use can be subverted to poison the software supply chain, and they tend to work on machines that are less locked down than the average user to enable them to experiment with code and ship software daily.
4. Offensive Uses of AI
With the explosion of large language models (LLMs) like ChatGPT, defenders should expect attackers — even very non-technical ones — to ramp up their development of exploits and zero-day discovery utilizing these AI tools.
5. Weaponizing AI for Social Engineering
In addition to technical offensive uses of AI, expect attackers this year to drastically ramp up their use of AI to make their social engineering and impersonation attempts highly believable, warned Heather Mahalik, director of digital intelligence for Cellebrite and digital forensics and incident response lead for SANS.
Protect Your Organization
Organizations must stay vigilant and implement robust security measures to safeguard against these evolving threats. From security awareness training to XDR and SIEM solutions, Yeo & Yeo Technology is here to help. Get in touch.
Source: https://www.darkreading.com/attacks-breaches/sans-lists-top-5-most-dangerous-cyberattacks-in-2023
Several shocks have hit a world economy already weakened by the pandemic: higher-than-expected inflation worldwide, which is triggering tighter financial conditions, along with further negative impacts on supply chains from the war in Ukraine.
In fact, two-thirds (63%) of adults are worried about their finances now, compared to one-third (36%) during the pandemic, and 57% expect their financial worry to continue to rise.
This worry translates into pressure on salary increases by employees seeking to offset the increasing cost of living. Yet at the same time, companies may face pressure to halt hiring and reduce headcount costs.
As organizations navigate ongoing uncertainty and unpredictability, business resilience has never been more critical. As caretakers of the organization, there are multiple ways HR can support the business and its employees while building business resilience.
1. Manage fixed costs tightly
Your people are your biggest asset and, therefore, the highest cost – but keeping your top talent will pay dividends, as they could be the linchpins needed to ride out the economic storm successfully.
If you’re fearful that valued employees might be at risk of being laid off, look at your data to see if you can create a strong business case for retaining them. Any key performance indicators (KPIs) or productivity stats might be beneficial here.
Likewise, if their requests for a salary increase will cause them to leave, can you be smart and offer other incentives such as a four-day work week or a training course or qualification if there’s pressure on fixed costs?
Focus on productivity – ensure you’re paying for performance – and look at ways to boost employee productivity sustainably.
2. Increase total compensation through variable cost incentives
Consider using bonuses, stock grants, and other incentives to offset lower base salaries, and offer gift cards or equivalent (company-branded items, especially clothing) to help maintain motivation.
Be open and transparent about pay and benefits, communicating how the grading system works and how wage levels and salary increases are decided. If employees understand what’s happening at the top, they are more likely to respond better than if they feel they are being kept in the dark.
Finally, consider well-being incentives, offer additional paid time off, and remember recognition and spot awards as additional ways of recognizing successes in your workforce.
3. Offer flexibility as a financial incentive
Flexibility is a strong bargaining chip for most employees. A shorter working week – condensing someone’s hours into four days, for example – or offering an employee the chance to work part-time could hold a lot of weight with some employees.
Likewise, unpaid sabbaticals can be the perfect motivator for an employee considering traveling or taking some unpaid leave.
Although remote hybrid working feels like the norm, perhaps your company isn’t offering it as freely as possible. Investigate to see if there’s even more flexibility in how employees work that could be offered as an incentive.
4. Personalize employee experiences
Adjust management styles and deploy situational leadership where necessary to suit individuals and teams or squads and communicate early and often. Being open and transparent in discussing company performance will make employees feel valued.
Providing employees with more autonomy in decision-making where possible and creating a listening culture so you can act on feedback and communicate necessary actions or suggestions are all ways of generating personalized employee experiences.
Also, look at offering stretch assignments, growth opportunities, and meaningful and worthwhile work, as well as automating low-value or tedious work.
Behind every downturn is the chance to innovate
These things are just some of the tools at your disposal to enable you to not only support your employees but create an adaptive organization that’s agile, flexible, and resilient and one that can quickly respond to ongoing uncertainty and changing priorities.
Coupled with an agile, flexible cloud HR platform, you can enable rapid, data-driven decision-making, easily tailor employee experiences for individuals and teams, and support changing global policies and local compliance. Being prepared is always a smart move in uncertain times. That much is certain.
Information used in this article was provided by our partners at Sage.
ChatGPT is a chatbot that uses artificial intelligence, allowing you to talk to it in a very human way. It’s been making the news worldwide for some of the remarkable possibilities it seems to be creating. But what exactly is it, and why is it making such waves?
ChatGPT is trained on real human language. It can answer questions and compose documents, like emails, essays, and computer code. The exciting thing is that it allows you to have a natural-feeling conversation with it to generate different responses – perhaps adding more detail or asking it to use less technical language.
It was created by the research company OpenAI and funded and managed by some of the most influential names in tech. And while it’s still in its research and feedback-collection phase, it’s currently free to use (with limitations).
It’s different from a search engine because it’s designed with conversation in mind. While it can answer questions, it doesn’t search the internet for information. Everything is learned from training data (it has no knowledge past 2021). So, while many people have started using ChatGPT to write essays and articles, the facts may not be accurate. In fact, the tech media website CNET recently had to issue multiple major corrections after it created 78 articles using the chatbot.
Because it’s trained on vast amounts of text published online by humans, it’s had trouble telling fact from fiction and has also been found to reproduce some unwanted biases.
It’s not changing the world just yet. But it’s already clear that there is massive potential for individuals and businesses.
Information used in this article was provided by our partners at MSP Marketing Edge.
A threat is considered any malicious software or attack attempt launched at a vulnerability or weakness in your network infrastructure. There are nine major threat categories affecting most organizations today. They are:
- Human error. This is the most common source of cyber threats. Most of these are social engineering attacks that play on the emotional state of endpoint users within the network’s infrastructure. Phishing is a prime example.
- Unauthorized access. Hackers constantly use the latest techniques, tactics, and tips to infiltrate networks. These unauthorized users can potentially wreak havoc on internal infrastructure if they successfully bypass cybersecurity measures. Endpoint user error can also allow unauthorized access to the network through clicking a malicious link or opening an infectious file.
- Unauthorized users misusing data. Once inside, threat actors, unscrupulous employees, or employees without the proper knowledge of cybersecurity best practices may change, remove, or misuse data without proper approval or authorization.
- Data breaches and leaks. Hackers, incorrect cloud configurations, and careless endpoint users can all lead to data breaches or leaks. If sensitive data like personally identifiable information is leaked, this could be potentially catastrophic for your business. Depending on your industry, the breach could land you in legal trouble – potentially owing large sums of money in fines or sanctions. Data loss prevention investment is essential to mitigate or avoid these consequences.
- Loss or corruption of data. If hackers successfully execute a data breach or your backup and disaster recovery (BDR) processes aren’t up to par, it could result in significant data loss or corruption.
- Service disruption. In business, time is money. Any downtime for your system could cost future business and current revenue. Whether the downtime was accidental or intentional, service disruption costs you both money and reputation.
- System failure. Digital threat actors may try to overwhelm and crash a system rather than send a malicious file or link. Any system failure, much like service disruption, can cause data loss or a costly pause in business operations.
- Weather events or natural disasters. Natural disasters can cause significant damage and outages to critical server hardware and cloud resources. Fortunately, cloud technology alleviates this risk since business owners can migrate their important digital assets to cloud storage out of harm’s way.
- Adversarial threats. These threats include any outside actors who maliciously and intentionally attack your systems. They can be perpetrated by hacker groups, unauthorized users, unscrupulous inside users, careless endpoint users, and more.
Cybersecurity risk management can help your organization
Cybersecurity risk management is an ongoing process of identifying, analyzing, evaluating, and addressing your organization’s cybersecurity threats. Your systems can be compromised in several ways, and, unfortunately, that list continues to grow. Effective cybersecurity risk management is about adopting an attitude of – “it’s not a matter of ‘if’ your networks get compromised; it’s a matter of ‘when.’”
How cybersecurity risk management works
While every business is different, there are general steps that can help organizations align to cybersecurity and risk management best practices. Professionals agree on four main stages of a sound cybersecurity risk management plan:
- Identification – gauge the ability of your organization to identify current or future cyber threats. Call out and inventory any loopholes or vulnerabilities to the digital infrastructure that could affect daily business operations.
- Assessment – Once risks are identified, they should be evaluated to see the level of threat they pose to your business. You and your team should also consider the potential impact of each identified threat.
- Control – Suggest tools, techniques, tips, and technology that can be used to help you and your team minimize your organization’s cybersecurity risk.
- Review – Take time to constantly review, update, and improve your controls to mitigate your cybersecurity risk. Adding, removing, or recalibrating security protocols will improve the system over time.
Getting started with cybersecurity risk management
One of the simplest ways to get started with cybersecurity risk management is to choose the right partner, and Yeo & Yeo Technology is here to help. We can help you choose the best tools for your business model and your team. Get in touch.
Information used in this article was provided by our partners at ConnectWise.
Your security stack is the foundation of your cybersecurity protection. Whether you’re building a stack from scratch or making updates and changes to your existing setup, it’s a task that needs to be done correctly and with cybersecurity best practices in mind.

Determining your needs
The first step in properly building your security stack is assessing your needs. In general, there are six areas of business risk most organizations are likely to face:
- Network perimeter security. This is a business’s first line of defense. It concerns risks of initial threat detection, remediation, and hardening endpoint terminals.
- Internal security. Human error and data mismanagement can often lead to leaks or breaches from the inside. This usually happens when information is passed back and forth during internal communications. Internal security seeks to limit those occurrences and other internal threats – widely considered the most dangerous threat to cybersecurity.
- Physical security. This risk area concerns the security of a system’s software and hardware. Mitigating this risk involves cybersecurity frameworks like Access Control and Zero Trust.
- Incident response. No matter your cybersecurity setup, it won’t always offer 100% protection. How to respond to threats that get through the defenses is an integral part of a business’s risk and overall cybersecurity plan.
- Long-term response. Businesses also need to focus on learning and reporting after successful attacks. Cyber forensics and in-depth reporting of previous cyber threats provide the necessary knowledge to strengthen defenses moving forward.
- Cloud security. As the interest in cloud technology grows, so does the potential risk. 95% of security professionals have expressed some concern about the security of public cloud systems. This means that cloud security systems will need to keep pace as these environments become more complex.
Keep these six key areas in mind as you assess your current cybersecurity infrastructure and look for opportunities to optimize your security stack.
Essential tools for your security stack
One thing remains constant no matter how different security stacks can be. That constant is the fact that you need to use the right tools. As mentioned, it’s easy to become overwhelmed by the wealth of options and include too many tools when building your stack.
Here are five must-have tools when building your security stack (in alphabetical order):
- Cloud security posture management (CSPM)
- Endpoint detection and response (EDR) tools
- Mobile device management (MDM)
- Penetration testing capabilities
- Remote access platform
Building your cybersecurity stack effectively is a balancing act. In theory, it’s easy to assume that the more tools you include, the better your protection will be. While this is true to a point, there is a point of diminishing returns.
Along with that, adding too many tools can make your stack overly complex and, ultimately, leave your system open to vulnerabilities. The goal is to build an IT security stack that includes as many useful tools as possible but doesn’t take away from its primary purpose.
Are you interested in building a comprehensive security stack for your business? We’re here to help. Contact us today.
My employees want fewer video meetings. Should we cut down?
Yes, if you can condense or combine them. Follow in the footsteps of big tech companies like Shopify and reduce the number of big meetings you hold. Your people will be happier, and you’ll likely save a lot of time.
I think I’ve clicked an unsafe link. What should I do?
The faster you act, the less damage or data loss you’ll have. Get in touch with your IT support partner immediately. It’s always a good idea to have a response and recovery strategy in place for when this happens.
I know I need a password manager, but which is best?
Good question… and there are lots of options. Different businesses have different requirements, so it all depends on you. We’d be happy to make a recommendation once we understand your needs. Get in touch.
Information used in this article was provided by our partners at MSP Marketing Edge.
Even as employees return to the office or enter a hybrid work schedule, wellness and productivity remain top of mind for most organizations.
Why Does Employee Wellness Matter?
One of the biggest health concerns impacting wellness is physical inactivity. According to the World Health Organization (WHO), people who lead a sedentary lifestyle are at an increased risk of:
- Cardiovascular diseases
- Diabetes
- Obesity
- Colon cancer
- High blood pressure
- Osteoporosis
- Depression
- Anxiety
Another employee health concern is work-related musculoskeletal disorders (MSDs). About 1.8 million workers report MSDs like carpal tunnel and back injuries, and about 600,000 workers must take time off to recover from those injuries.
The work environment can positively or negatively impact these health risks and more, including productivity and overall satisfaction. That’s why employee wellness, which also encompasses mental health, is important to the individual and the company.
How to Improve Employee Wellness
One way employers can improve the work environment and positively impact employees’ well-being is through ergonomics. This means replacing a one-size-fits-all approach to an office set-up with individual accommodations that support employee safety, comfort, and health anywhere they work.
Enabling Well-Being at Home
For many, working from home means finding quiet corners and carving out workspaces in crowded homes shared by multiple workers or students. As a result, it’s not unusual to have a makeshift workstation that doesn’t provide good ergonomics.
As an employer, try these tips to help improve wellness for work-from-home employees:
- Learn more about each employee’s working environment
- Ask workers about their individual workspace needs
- Provide ergonomic standing desks and monitor arms to encourage more movement
- Schedule virtual lunches or social events to lift morale
Enabling Well-Being at the Office
Ergonomics is also essential for traditional office spaces where many employees struggle to create a comfortable, personalized set-up like they have at home.
Consider these options for your office:
- Offer a standardized set of ergonomic products for employees to choose from
- Provide personalized ergonomic assessments with a certified professional to ensure workspaces meet the needs of each user
- Ask for feedback from employees about changes
Remember, the investment is worth it if employee wellness helps increase productivity and morale.
Enabling Well-Being for Hybrid Workers
Hybrid workers may be the employees who need ergonomic support the most. A 2022 survey showed that employees with a hybrid schedule reported that it was more emotionally draining than fully remote work and more taxing than full-time office-based work.
A hybrid worker has a different working environment and routine on different days of the week, making it difficult to adjust to each setting. Many hybrid employees use shared workspaces, which take time and effort to adjust to.
Try offering these solutions to meet the needs of hybrid workers:
- Mobile standing desks that can be moved around the office for individual work or collaboration
- A height-adjustable standing desk converter so each employee can quickly find their most comfortable working height, sitting or standing
- Monitor mounts, monitor stands, and monitor arms that support personalized screen views
How to Put an Employee Wellness Plan in Place
Every organization and employee culture is different, so there’s no set way to implement an employee wellness plan. That said, here are a few steps to get you started:
- Assess the current state of employee wellness and where to improve.
- Plan for changes that need to be made and prepare management accordingly.
- Implement changes through communication and culture shifts.
- Evaluate the effectiveness of changes and adjust for future success.
In ever-changing work environments, it is vital to support employee wellness to care for employees, and to help boost productivity and efficiency. Want to learn more about ergonomic solutions for your organization? Contact us today.
Information used in this article was provided by our partners at Ergotron.
Are you looking for a new HR system but know you face an uphill battle to get sign-off from the powers that be? Do the words ‘return on investment’ (ROI) and ‘total cost analysis’ fill you with dread?
The good news is that calculating ROI has evolved. There is so much more value you can extract from a cloud HR system that you can’t put a figure on.
We like to think of these as the non-quantifiable or intangible benefits – things like better employee experiences, faster decision-making, and improved engagement. They are just as important as the quantifiable ones, if not more so – but are often overlooked or not considered when it comes to investing in a new HR system. This is because they are harder to quantify. But the beauty is they deliver increased value over time and offer continual payback.
Read on for the four ways a modern HR system can deliver repeated value beyond the quantifiable.
1. Empowering HR to be leaders of change
During the pandemic, 65% of HR leaders say their teams had a vital role to play, driving change, enabling remote working, and supporting well-being. Responding swiftly to change remains critical for organizations to thrive in the constantly evolving climate, so having a flexible system is key.
A highly configurable cloud solution will let you customize and create additional fields, which allows you to instantly start capturing new employee data without the need for IT or technical support. A flexible HR system also empowers HR leaders to lead change quickly and easily through automation, actionable insights, and redesigning the way people work – value you can’t put a figure on.
2. Helping you invest now for the organization you want to become
To get continual payback and value from your HR tech, you need the ability to look ahead and establish what you want your chosen platform to do in the next three, five, or even 10 years.
You may need your system to help solve current and urgent challenges, but what big challenges are coming over the horizon? Is merger and acquisition (M&A) activity likely in your company’s future?
Having a system that can scale with you as you grow is vital and means you won’t have to buy a new system in the near future. You want one that’s future-proofed for whatever’s ahead, not just right for now.
3. Supporting you to experiment and test
For real, tangible business transformation, the days of doing things once and then ticking them off your to-do list are long gone. Revisiting, testing, iterating, and trying new things are commonplace for progressive companies that want to get ahead.
The in-built features of your HR platform – such as 360 feedback, customizable dashboards, and flexible workflows – make it easy for HR and People leaders to adopt a ‘test and learn’ approach.
For example, HR and People leaders looking to deliver great hybrid experiences with well-being at the center might survey their employees every month to gauge sentiment on their return-to-work policy and then continually refine and tweak their policy based on the feedback.
The right HR system makes it easier to communicate with your entire workforce, wherever they are, gathering employee feedback in real-time and speeding up your ability to respond not just now but in the future too.
4. Enabling you to drive and accelerate digital transformation
Digital transformation allows your organization to become more employee-centric and provide consumer-like experiences to your workforce, helping you attract and retain the best talent.
Using a cloud HR platform, onboarding becomes a complete digital experience.
The solution empowers managers to improve the manager-employee relationship with digital tools to seamlessly manage performance reviews and connect more easily with their remote teams. You might not be able to put a number on that, but it continuously enriches the entire employee experience within the organization.
Choosing the best global cloud HR platform for your needs will also support your organization in having the right mindset, the right culture, and the right skills to create lasting change across the organization through digital transformation.
It’s time to go beyond the numbers
ROI, in the traditional sense, is one way of measuring the payback from your chosen tech – and it’s important to request those numbers from your chosen vendor.
However, going beyond the numbers to explore the broader value-adds is key to ensuring you get sign-off on the tech investment and reap the continual value of your HR tech both now and in the future.
Information used in this article was provided by our partners at Sage.
Focusing on employee health and well-being is not a new initiative for most companies. Organizations are increasingly valuing the holistic needs of their workforce and noting the link to productivity, engagement, and satisfaction—all markers of a successful company and key drivers for talent retention.
It’s up to each company to identify strategies to help keep employees healthy. Not sure where to start? Here are some tips and considerations:
- Rethink your space: Build quiet, individual work areas and larger collaboration spaces. Consider investing in mobile desks, which offer a flexible workspace option that can easily adapt to each team’s needs and each space.
- Build a culture of movement: Offer a variety of sit-stand workstations that allow workers to easily alternate between sitting and standing throughout the day. Encourage walking check-ins and normalize standing during longer meetings.
- Bring back ergonomics: Home workspaces often lack the proper ergonomic equipment or positioning. In the short term, this can cause minor discomfort. For the long haul, a less-than-ideal set-up or posture can lead to more significant health concerns. Consider offering a standardized set of ergonomic products for employees to choose from to meet their work-from-home and in-office needs.
Employee health and safety will remain important in the years to come. Set the foundation for a healthy workforce to ensure your team is ready to work at their best to reach your organization’s goals.
Interested in learning more about how ergonomics can boost health and wellness? Visit our booth #213 at the Michigan Safety Conference (MSC) at DeVos Place in Grand Rapids, April 18-19. Or contact us today.
New data from security vendor Lookout’s The Global State of Mobile Phishing report shows that phishing aimed at mobile devices is growing in popularity as an attack vector – mostly because it’s increasingly working… in exponential terms.
We all know phishing is the number one attack vector. But we should wonder whether phishing attacks that hit a corporate desktop email client or a mobile device are more impactful – and the users falling for the attacks are the cause.
- 21% of enterprise users experience mobile phishing attacks
- 36% of US users encounter mobile phishing attacks
- More than 50% of all mobile devices were exposed to a mobile attack in 2022
Why is mobile so prevalent and why are attacks working?
Let’s start by looking at some of the data around users engaging with mobile attacks. According to the report, the percentage of users that engage with six or more phishing emails when using an enterprise device was only 1.6% back in 2020. Last year that number jumped to 11.8% – more than a 6x increase! When it comes to personal devices, the increase isn’t as staggering, but the numbers are still horrible – back in 2020, 14.3% of users clicked on six or more phishing links, with 27.6% doing so in 2022, a 93% increase.
According to the report, it appears that remote use of mobile devices is a part of the problem, with a greater issue being the use of personal devices (makes sense, as the user certainly isn’t thinking about protecting the organization when on their own mobile phone, etc.).
This data makes it clear that Security Awareness Training designed to educate users on the need to be continually vigilant, regardless of the device, is critical to an organization remaining protected against attacks.
Information in this article was provided by our partners at KnowBe4.
Surprising data highlights a material security gap that enables cybercrime. According to MFA hardware vendor Yubico in their State of Global Enterprise Authentication Survey, less than one-third of organizations use some form of additional authentication factor:
- 33% use Mobile/SMS pushes
- 30% use a Password Manager
- 29% use a mobile push authentication app
- 20% use hardware keys
What’s more shocking is that 59% of employees rely on simple username and password combinations to authenticate. And according to Hive Systems, any 8-character password can be cracked in less than an hour through brute force. Further, any password containing fewer than seven characters can be cracked instantly.
All it takes is one really good social engineering phishing attack, and threat actors will have one or more sets of your employees’ credentials. And with no additional authentication factors, cybercriminals have the keys to whatever corporate kingdom the compromised employee has access to.
Whenever possible, use multifactor authentication (MFA) to provide another layer of security. The best thing a user can do to prevent password hacking (after using MFA) is to avoid being socially engineered, which takes a good, in-depth combination of policies, technical defenses, and end-user education.
Security Awareness Training can educate your users on the state of phishing and social engineering attacks and help avoid providing threat actors with usernames and passwords. Contact Yeo & Yeo Technology to learn more.
Information in this article was provided by our partners at KnowBe4.
Research by Deloitte found that 91% of all cyberattacks begin with a phishing email (an email that looks like it’s from someone you know but is actually from criminals).
That’s how web giant Yahoo was targeted a few years ago, exposing the contents of half a billion user accounts to criminals. And though we often only hear about these high-profile cases, small and medium-sized businesses are prime targets for these attacks.
Your business email needs to be as secure as possible.
What’s the damage?
The impact of phishing attacks can vary, but the criminals have three main objectives:
- Data theft – scammers will use ‘credential phishing’ to steal your customers’ personal information.
- Malware – some attacks will install malicious software onto your device, which can potentially spread through your network. This could include spyware, which can log your keystrokes and track you online, or ransomware, which encrypts your data and demands a ransom to get it back.
- Wire transfer fraud – CEO fraud and Business Email Compromise (BEC) attacks, in particular, attempt to persuade a target to transfer money to an account controlled by the attacker.
It’s a people problem
All email attacks rely on someone in your business falling for the con. So, it’s important to create a culture of security within your business to reduce the chances that a ‘social engineering attack’ – a scam that convinces someone to act – will succeed.
- Everyone should know what to look out for and what to do if they think an incident has occurred. This includes who to report it to and what immediate action to take.
- Have an email use policy that describes how your people should use their business email accounts and the importance of following the rules.
- And consider putting your team to the test from time to time, maybe by simulating a phishing attack or holding refresher sessions where you quiz them on their knowledge.
Failure to make your whole team aware of the importance of good cybersecurity can be a costly mistake.
How we can help
Staff training will be one of the strongest tools in your arsenal, but we can also help by putting technical measures in place to lessen the chances of an attack and to reduce the impact if it does happen.
We can create a gateway to block or quarantine suspicious emails, scanning incoming and outgoing emails for malicious content. We can install software to help protect you from email spoofing and your email being used in BEC attacks, phishing scams, and spam emails.
And we can deploy end-to-end encryption, which stops anyone from reading the content of your email unless they have the correct encryption key. That means your email can only ever be read by the intended person, and data can’t be tampered with.
It’s a lot to think about, but email attacks are one of the biggest security threats to businesses. They need to be taken seriously.
So, if you need expert support or are worried that making these changes might cause disruption, get in touch. We do this every day.
Information used in this article was provided by our partners at MSP Marketing Edge.
The human layer continues to be the most enticing attack vector for cybercriminals. Sadly, most organizations neglect this easily penetrable entry point. Throughout 2022, the world continued to see significant increases in phishing attacks. No industry vertical, size of business, or geography was immune.
Email, phone calls, texts, social media, and other outreach methods all work together to evade an organization’s secure infrastructure as workforces and individuals remain more distracted and exposed than ever.
- Industries and their phishing risk level
- How phishing tests can drastically decrease vulnerabilities
- The value of security awareness training
Ready to start phishing your users? We offer baseline testing to assess the phish-prone percentage of your users through a simulated attack. From there, we can provide access to the world’s largest library of training content, including interactive modules, videos, games, posters, and newsletters, so you can start educating and building your human firewall. Contact us to get started.
Should I monitor my remote employees?
If you want to maintain a culture of trust in your business, probably not. But you will want to understand their productivity. Many apps can help with this. Get in touch for recommendations.
Where should I focus my IT spending?
Security is critical, but beyond that, more businesses are looking at cloud solutions. It’s an in-depth subject, so you should take expert advice before making big decisions.
Should I allow my employees to install apps on work-issued phones?
Yes – and they’ll need some apps to do their job. However, you should make sure they install only what’s needed. And make sure they’re genuine downloads from the main app stores – there are a lot of malicious apps in the wild!
Information used in this article was provided by our partners at MSP Marketing Edge.
Support for Windows Server 2012 and Windows Server 2012 R2 will end on October 10, 2023. After this date, these products will no longer receive updates, bug fixes, or technical support. As the upgrade process often takes upwards of a year, we urge users not to delay the transition further.
Why do I need to upgrade?
- Cybersecurity: The older an operating system gets, the more exploitable it becomes, making it easier for cybercriminals to gain access. Once Microsoft stops supporting a product, an attacker can easily find and download exploits from the internet almost immediately. The lifespan of this operating system is well-publicized, which means cybercriminals are aware of it too.
- Compliance: If your business must meet regulatory compliance standards, such as CMMC or HIPAA, running an unsupported operating system means you’ll fail compliance checks. The minute an operating system is out of support, you’re out of compliance and can experience substantial fines.
- Cyber insurance: Your cyber insurance policy might also stipulate that you must run supported software to qualify for coverage. If a cyberattack happens and you need to file a claim, it may be denied.
Additionally, newer versions like Windows Server 2019 and 2022 offer more features and better performance.
Your options for migrating to the latest operating system include the following:
- Spinning up a new virtual server using existing server hardware
- Buying new server hardware (if needed)
- Moving to the cloud
The good news is that you don’t have to do it alone. If you need help planning, scoping, or implementing your Windows Server 2012 migration, give us a call. We’d be happy to help you determine the best next steps for your organization and accomplish your IT goals.
Sources:
Accent Computer Solutions, Inc.: Windows Server 2012 End-of-Life: What’s Happening, Why it’s Important, and What to Do Next
Microsoft.com: Windows Server 2012 and 2012 R2 Reaching End of Support
