Plain English Cyber in 3 articles, 2 numbers and 1 action.
This week: It’s time for hugs: Today is ‘Hug Your IT Provider’ Day. Wednesday will be ‘Hug Your Data Protection Officer’ Day. And some day soon, it may be time to hug Microsoft.
This week’s action: Check that your browser is up-to-date.
If you’d prefer to listen to Cyber 3-2-1: This week’s episode is accessible from https://www.codeinmotion.ie/podcast or wherever you get your podcasts.
1: Today is ‘Hug Your IT Provider’ Day
Today, May 20th, is ‘IT MSP Day’, in case you didn’t already know. First introduced five years ago by Barracuda Networks (an IT security vendor), and not yet on Hallmark’s list, it is described as “a day to recognize and celebrate [IT Managed Service Providers] around the world, while providing an opportunity for MSPs, vendors, and end-user customers to collaborate, interact, and share success, best practices, and key industry insights.”
When I start working with a new client, I frequently encounter a difficult relationship between my client and their IT managed service provider. While the symptoms may be different, the core issue is lack of trust. For whatever reason, the client has lot trust in their IT provider. As a result, the IT MSP has either withdrawn completely from the partnership role that they promised at the outset or is only engaging with the business when it is absolutely necessary.
But it’s not always the IT provider’s fault. Sometimes – not always, but sometimes – the root cause is because of a disconnect between what the client assumes the IT provider is responsible for, and what the IT provider is actually responsible for.
In a recent article titled “It’s not me; It’s you”, I delve into this in more detail, and identify possible ways to recover the relationship.
Read more: https://codeinmotion.ie/its-not-me/
2: Wednesday will be ‘Hug Your Data Protection Officer’ Day
Four years ago, on May 25th, GDPR came into effect.
Depending on your perspective, it either marked the beginning of a new level of Cookie Consent Hell or the beginning of a new regime that now forces organisations to consider how they can achieve their business objectives while minimising their use of data about us.
On the topic of Cookie Consent Hell: If you want to see how cookies are still a ‘thing’, just look at the cookies used by the website of any prominent and GDPR-compliant business.
In a recent article titled ‘The Cookie Obesity Problem’, I used the website of Formula 1 as an example, because this site is very transparent about the cookies that it wants to store and this transparency is very revealing. In total, there are more than 100 cookies stored by the site on your device if you click the easiest ‘Accept All’ option. Putting aside the data protection aspect of this, any site that lands cookies from over 100 third party services sounds like a site that is happy to facilitate extensive online tracking of its visitors. Or perhaps its suggestive of an over-engineered site. Some cynics may say that reflects the sport itself, but let’s not go down that rabbit hole.
3: Some day soon, it may be “Hug Your Microsoft Representative” Day
I don’t usually promote one particular security product over another. But, the reality is that the majority of businesses still rely on Microsoft Windows and Microsoft Office, so when Microsoft makes a proven security feature available to SMEs at a reasonable price point, I’m prepared to make an exception.
If you are in a large enterprise, you are probably already benefiting from the numerous security services provided by Microsoft. But if you are in a smaller organisation, these services were not always available to you.
But that has now changed, with the release of a product called ‘Microsoft Defender for Business’.
Before I start, a common issue with Microsoft is their use of the same name to describe different products, and Defender is their latest naming disaster. You may think you already know about Defender, as it’s also the name attached to the anti-virus product that comes free with Windows. But Microsoft Defender for Business is not that. It is described by Microsoft as ‘specially built to bring enterprise-grade endpoint security to businesses with up to 300 employees’.
I recently relied on the enterprise version of the tool while helping a regulated firm to improve their security defences. I was very impressed with the insight it gave on the security of the organisation’s Windows laptops, as well as the pragmatic recommendations that it provided. In many cases, it spotted vulnerabilities that the firm’s IT MSP was not even aware of.
I won’t give the full list of features here, as it’s already described in Microsoft’s press releases and documentation. And I know there are other products out there that do something similar, and possibly better. But when a security tool can be easily integrated into an organisation’s existing IT environment, especially when it’s a good product and at a compelling price point (currently €30 per user per annum), ‘selling’ the business case and getting approval for its rollout becomes far easier. Microsoft’s approach may be unfair or anti-competitive, but it is what it is.
If you are in a business with up to 300 staff that currently has no clue about what versions of software are running on each of your Windows devices, and can’t say for sure if any device or user behaviour may be increasing the likelihood of a successful cyber-attack, then you should be discussing Microsoft Defender for Business (or a recommended alternative) with your IT provider.
1: $10 million
$10 million was the ransom demanded from the government of Costa Rica by the Conti ransomware gang. When the president refused to pay, the attackers stole “at least 672 GB of data from the national government, and posted nearly all of it to the Conti ransomware dark web portal”.” The Conti ransomware that has been plaguing Windows systems around the world has ripped through the Costa Rican government since April, and has become such a persistent and damaging issue that the country has declared it a national emergency.”
2: $15 million
$15 million is the reward offered by the US government, prompted by the declaration of a national emergency in Costa Rica, “for information that leads to identification or arrest of the [Conti] group’s organizers”.
1: Check that all of your browser software is up to date
Following on from last week’s action, which focused on Windows updates, this week it is time to check that you are running up-to-date versions whatever internet browsers you use.
You may spend the majority of our online day using your internet browser, so making sure it does not have any known security vulnerabilities is an important thing to do.
Unlike Windows, which usually receives updates (aka ‘patches’) on Patch Tuesday (the second Tuesday of each month), browser updates tend to arrive as-and-when needed.
Thankfully, most browsers these days update themselves automatically, but it’s no harm checking on a regular basis that this is happening.
The process to check for updates is different on each browser. If the links below don’t suit, search online for instructions.
- Google Chrome: https://www.google.com/chrome/update/
- Microsoft Edge, Brave browser, or other Chromium-based browsers: https://www.tenforums.com/tutorials/143911-how-check-updates-microsoft-edge-chromium.html
- Safari (on Mac or iOS): https://support.apple.com/en-us/HT204416