Jonathan Roy

Jonathan Roy is the Director of Security and Compliance and has been providing IT and cybersecurity services with designDATA since 2004. He has extensive experience in information technology best practices, the ITIL framework for running IT operations, and how to secure IT environments. Jonathan now focuses exclusively on cybersecurity, data privacy, and related regulatory compliances for his customers. He regularly works with business leaders on risk mitigation and avoidance, cybersecurity consulting, incident response and recovery, incident preparedness, and compliance audits. At designDATA, Jonathan leads the organization's cybersecurity mission: Protecting small- and medium-sized organizations from cyber-crime.


SolarWinds Attack Exposes Microsoft 365 Security Vulnerabilities


Toward the end of 2020, a team of sophisticated cyber attackers, most likely funded by a hostile nation-state, inserted malware into the SolarWinds network monitoring and management platform. The announcement of this SolarWinds security breach sent shockwaves through business and IT communities.

The attackers’ ultimate goal was to use this malware as a backdoor into SolarWinds customers’ networks, including multiple U.S. government agencies, certain branches of the U.S. military, and many high-profile private companies.

The SolarWinds supply chain attack was the most successful and devastating cyberattack in history – but the story isn’t over yet. We’re still learning more about the techniques used by the attackers, the damage caused, and the repercussions for the future of cybersecurity.

In one of the most concerning revelations so far, researchers at FireEye subsidiary Mandiant released a report detailing how the attackers exploited several Microsoft 365 security vulnerabilities to hack into the SolarWinds infrastructure. This is an important discovery because so many companies have recently migrated their data and many of their essential applications to the cloud via Microsoft 365.

Let’s take a look at what the Mandiant report reveals about how the SolarWinds attackers targeted Microsoft 365 vulnerabilities and the lessons you can learn to help keep your company networks secure.

Understanding the four methods used to breach the Microsoft 365 cloud

1. Forged Active Directory Federation Services (AD FS) tokens

To infiltrate the SolarWinds network, attackers stole AD FS token-signing certificates from on-premise servers and used them to forge authentication tokens. The generated tokens could be assigned to any user the attackers chose and used to access resources like Microsoft 365 without entering a password or triggering any multi-factor authentication (MFA) processes.

2. Modified trusted domains in Azure AD

Attackers modified or added trusted domains in Azure AD. This method, also known as the Azure AD backdoor, allowed them to add a federated identity provider to forge tokens and assign them how they wished.

3. Compromised credentials for privileged accounts

The SolarWinds attackers targeted privileged on-premise user accounts for IT administrator roles. These accounts were synced to Microsoft 365, so attackers could use them to move from on-premise to the cloud-based environment.

4. Hijacked Microsoft 365 applications using forged credentials

Once the attackers had forged credentials, they added them to existing Microsoft 365 applications. This allowed them to bypass MFA procedures and hijack the applications’ abilities to send messages and access sensitive company data.

Four lessons cybersecurity teams can learn from the SolarWinds Microsoft 365 cloud attack

1. Your network is only as secure as the weakest member of your supply chain.

The SolarWinds attack has opened our eyes to the devastating effects of a successful supply chain attack. The government agencies and other real targets of the attack were too well protected, so the attackers opted to go after their trusted vendors. This backdoor attack was amazingly successful. It is a sobering reminder that working with vendors and partners to secure the entire supply chain should be a vital part of your cybersecurity strategy.

2. MFA isn’t enough to keep you safe.

MFA is rightly acclaimed as a crucial part of securing your company network, but it’s not a magic formula that stops all cybersecurity attacks. The SolarWinds attack has clearly shown that a keen and determined attacker can bypass MFA. Your team should look beyond MFA and make sure that both your on-premise and cloud environments are properly secured and hardened.

3. Remediation and hardening go hand in hand.

When a cyber-attack is detected, the first step is to regain control of your environment and kick the attackers out by doing remedial actions like issuing new authentication tokens, removing suspicious domains, and rotating passwords. These steps are necessary, but they’re insufficient if you don’t follow them up with hardening measures to ensure long-term security. You and your team must stay up to date on the most recent recommendations for hardening both on-premise and cloud environments and take proactive steps to implement them.

4. You need a detailed cloud security plan.

Many IT teams have taken a simplified approach to cloud security. They’ve set up their environment, enabled a few password and MFA policies, and then migrated their critical data and mission-critical applications to the cloud. If that sounds like your company’s approach, let the SolarWinds Microsoft 365 breach motivate you to take the time to lock down your Microsoft 365 environment fully. Your company’s security depends on it.

Do you have a plan for Microsoft 365 security?

Microsoft 365 has quickly become essential to many companies’ operations, especially in the current remote work environment. The chances are high that much of your company’s most valuable data is stored in your Microsoft 365 cloud.

That’s a tempting target for cybercriminals trying to access your network for a direct attack or as part of a supply chain attack. The vulnerabilities that enabled the SolarWinds attackers to breach the Microsoft 365 cloud still exist, but there are strategies to mitigate the risk and keep your data safe.

Companies have spent years securing their on-premise environments. Keeping cloud-based environments secure requires the same level of effort and additional work to ensure that there are no vulnerabilities that would enable attackers to move between the two. You also need to stay up to date on all the latest attack methods and the hardening measures to combat them.

That’s where an experienced cybersecurity consultant can make a difference. At designDATA, our business aims to understand how to keep our clients’ IT environments safe and secure. If you want to understand better your risk and the steps your team can take to secure your Microsoft 365 environment, schedule a consultation with one of our experts. We’ll be happy to help prepare your team so that you feel confident that your business won’t fall victim to the techniques used in the SolarWinds attack.


Understanding Hidden UEFI Spyware

Some cyber attack methods are well known. Both IT professionals and regular employees know to be alert for phishing scams, suspicious attachments, and compromised USB drives. Cybersecurity teams guard company networks against more sophisticated schemes like supply chain attacks. They monitor systems and machines and deploy antivirus software to sniff out malware. If malware is found or suspected on a device, a hard drive reformat and reinstall can wipe clean any infection… or so we thought.

The efforts listed here are effective against most cyberattacks, but determined criminals have developed advanced methods that evade traditional cybersecurity efforts and even the popular wipe-and-reload: Hiding spyware in the Unified Extensible Firmware Interface (UEFI) on company laptops. This type of spyware is rare, but researchers recently discovered hidden malware in the UEFI on some Windows 10 business machines.

Read on to find out everything you need to know about hidden UEFI spyware.

A Clever Firmware Attack

The UEFI is a pre-boot environment stored on firmware rather than on a hard disk or a solid-state drive. The recently discovered UEFI spyware makes it possible for criminals to directly deliver hacking tools or malware to the infected computer from this pre-boot environment. These tools could allow hackers to steal documents, log keystrokes to steal passwords, and exfiltrate the stolen info via the Internet.

Hiding malware in the UEFI is particularly clever because antivirus and anti-malware software has virtually no ability to scan this memory type. UEFI malware evades both traditional detection methods and standard remediation practices because it is stored on firmware in the pre-boot environment. The malware discovered in a recent attack could reinstall the hacking tools on the operating system of the computer even if it were found and removed. A concerning consequence of this is that the malware would also remain even if cybersecurity teams wiped and reloaded a machine or swapped out the hard drive, as it doesn’t live on the hard drive at all.

The good news is that it’s tough for cybercriminals to load malware into a machine’s UEFI. The malware has to be customized to a specific machine model. For example, malware intended to infect the UEFI of a Dell Latitude E6320 would only work on that model and no other. It’s also difficult to load the malware. To inject an infected version of the firmware into the UEFI memory, malicious actors must abuse a firmware update mechanism such as a BIOS flash. Firmware updates aren’t everyday activities and are generally performed by IT teams rather than users, which is another reason these extremely effective UEFI attacks are rare.


State-Sponsored Groups Behind UEFI Spyware

UEFI spyware attacks require custom written hacking tools and determined effort to infect victims’ machines. So far, all known attacks of this type have come from state-sponsored hacking groups with very specific, high-value targets.

A UEFI attack discovered in 2018 is suspected of having come from Russian state-sponsored hackers. More recently, UEFI spyware victims were people associated with African, Asian, and European diplomatic entities and NGOs. Based on clues in the malware code, experts suspect the attack came from a group sponsored by North Korea.

UEFI Cybersecurity Best Practices

Depending on your industry, it may be unlikely that you’ll be targeted by a state-sponsored UEFI attack. However, it’s always a good idea to follow best practices when working on your own machines or those of your customers. Here are some simple but effective ways to protect against UEFI attacks:

  • Ensure Computer Security By Making Sure Your Machines Are Running Legitimate Firmware Versions

    When you download new firmware or drivers to install on a machine, check to ensure the files are digitally signed to ensure authenticity. If they are not signed, check the hash value of the file against the hash provided by the vendor to make sure they match. Taking these steps significantly reduces the risk that you’re running firmware infected with malware.

  • Regularly Re-Flash Pre-Boot Environments Of High-Profile Or Vulnerable Machines

    If you suspect malware on a machine, beyond just wiping-and-reloading the hard drive with a fresh copy of the Operating System, consider adding a flash of the pre-boot environment as part of your wipe-and-reload procedures. Flashing the pre-boot environment with a digitally signed copy of the files from the device manufacturer will clean out any malware living there (essentially doing a wipe-and-reload of the pre-boot environment in addition to the hard drive). You can also perform this step specifically when travelling users return from high-risk countries as part of the cleaning process for that device.

  • Leave Updates To Your IT Services Team

    Employees often decide to “save time” by installing software and updates on their own. Users are much less likely to follow your security and validation procedures, ensuring that the updates they are installing are relevant, meaningful, compatible with current systems, and digitally signed by hardware and software manufacturers. When not following these procedures, there’s a much greater chance that they’re installing illegitimate updates full of spyware, ransomware, or other nasty malware you don’t want on your system. Provide Cybersecurity Awareness Training to reinforce that your team should rely on the IT department or provider for software patches and updates and should NOT install these things independently.
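The first best practice above, checking a downloaded firmware image's hash against the value the vendor publishes, is easy to get subtly wrong (reading a multi-gigabyte image into memory, comparing the wrong file, trusting a partial match). The script below is an added example, not designDATA's code or any vendor's tooling. It assumes the vendor publishes a SHA256SUMS-style text file with one `<hex digest>  <filename>` line per image; the sample hash list and firmware bytes it builds for itself are constructed for the demonstration.

```python
"""Verify a downloaded firmware image against a vendor-published SHA-256 digest.

Added example, not designDATA's code. Assumes the vendor ships a SHA256SUMS-style
list ("<hex digest>  <filename>" per line). Sample data below is constructed.
"""
import hashlib
import hmac
import os
import tempfile

CHUNK = 1024 * 1024  # hash large images in 1 MiB chunks instead of reading them whole


def sha256_file(path):
    """Stream the file through SHA-256 and return the lowercase hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_vendor_hashes(text):
    """Parse '<hex digest>  <filename>' lines into {filename: digest}.

    Blank lines and '#' comments are skipped; anything that is not a 64-character
    hex digest is rejected rather than silently ignored.
    """
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed hash line: {line!r}")
        digest, name = parts
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"not a SHA-256 hex digest: {digest!r}")
        table[name.lstrip("*")] = digest  # sha256sum marks binary-mode entries with '*'
    return table


def verify_firmware(path, vendor_table):
    """Return (ok, message). ok is True only when the file's digest matches the
    vendor-published digest for exactly that filename."""
    name = os.path.basename(path)
    expected = vendor_table.get(name)
    if expected is None:
        return (False, f"{name}: no vendor hash published for this file")
    actual = sha256_file(path)
    # compare_digest avoids leaking where the strings differ via timing
    if not hmac.compare_digest(actual, expected):
        return (False, f"{name}: hash mismatch (expected {expected[:12]}..., got {actual[:12]}...)")
    return (True, f"{name}: hash matches vendor-published value")


def demo():
    """Build a constructed image and hash list in a temp dir and run the three
    cases a technician meets: good file, tampered file, file with no published hash."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "bios_update.bin")
    payload = b"constructed firmware image, not a real BIOS"
    with open(image, "wb") as f:
        f.write(payload)
    # Constructed vendor hash list covering only bios_update.bin
    vendor_text = "# SHA256SUMS (constructed)\n" + hashlib.sha256(payload).hexdigest() + "  bios_update.bin\n"
    table = parse_vendor_hashes(vendor_text)

    good, _ = verify_firmware(image, table)
    with open(image, "ab") as f:        # simulate a modified download
        f.write(b"\x00")
    tampered, _ = verify_firmware(image, table)
    unknown, _ = verify_firmware(os.path.join(workdir, "other.bin"), table)
    return (good, tampered, unknown)


if __name__ == "__main__":
    for label, result in zip(("intact", "tampered", "unlisted"), demo()):
        print(f"{label:>9}: {'OK' if result else 'REJECT'}")
```

A signed image should still be checked for its signature with the vendor's tool; the hash check is the fallback the article describes for unsigned downloads, and a file whose name does not appear in the vendor list is treated as a failure rather than skipped.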

Secure IT Solutions

Maintaining good cybersecurity requires time, people, resources, and constant vigilance. At designDATA, we do the hard work of keeping up with all the latest cyberattack methods and the most effective cybersecurity solutions to protect our customers from cyber-crime. Check out our free cybersecurity resources for some great steps you can take to protect your organization. Ready to take the next step? Book a Security Assessment with one of our cybersecurity experts to see how we can help you.


SolarWinds Orion Security Breach: What You Need to Know Now

SolarWinds announced a major security breach of their Orion Platform software in what’s quickly becoming the most significant cybersecurity story of 2020. SolarWinds is coordinating with the Cybersecurity and Infrastructure Security Agency (CISA) Computer Emergency Readiness Team (CERT) of the Department of Homeland Security (DHS) to investigate and respond to the attack. In addition to the SolarWinds security advisory, CERT released an Emergency Directive on December 13. Both alerts are being updated as new information becomes available. Keep reading to find out more about what happened and what it means for you and your business.

What Happened?


A successful supply chain attack targeted SolarWinds Orion IT monitoring and management software. The cyber attackers created a backdoor vulnerability in the Orion software via an earlier cyberattack to insert malware known as SUNBURST into the system. The exploited backdoor communicates with third-party servers, which allowed the attackers to access the systems that had SolarWinds Orion software running on them (SolarWinds’ customers). The practice of attacking one organization to launch further attacks against that organization’s customers is known as a supply chain attack.

SUNBURST requires manual activation by the attackers to exploit a single instance of the vulnerability. Once activated, SUNBURST can be used to access servers, transfer files, execute commands, map the system, reboot the machine, and disable services. SUNBURST is a highly sophisticated piece of malware. It cleverly disguises its actions to blend in with legitimate SolarWinds activity and actively works to block detection efforts.

Investigators believe the infected version of SolarWinds Orion’s software (with the SUNBURST vulnerability) was inadvertently distributed by SolarWinds starting in March 2020. Furthermore, they believe this is the work of a hostile nation-state, specifically Russia.

Who's Affected?

Orion is a popular monitoring and management software platform used by 425 Fortune 500 companies. It is also used by multiple government agencies, including the US Departments of Homeland Security, Treasury, Commerce, and Energy and all five US Military branches. Officials at SolarWinds and the other agencies investigating the incident believe that government agencies and contractors are the main targets of the attack, but any system with Orion products downloaded, implemented or updated between March and June 2020 could be affected.

The SUNBURST attack affects Orion versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF1. SolarWinds estimates that as many as 18,000 of their 33,000 Orion customers could be affected. On December 17, Microsoft confirmed that their systems had been compromised by the Orion security breach, prompting the NSA to issue a cybersecurity advisory for Microsoft Azure customers. Multiple companies and government agencies across North America, Europe, Asia, and the Middle East have also reported data loss and security breaches related to the SolarWinds attack.

What Should I Do If My Company Uses Orion?

designDATA recommends immediately shutting down all systems with Orion software installed on them until you can begin executing a remediation plan. Both SolarWinds and CERT are regularly updating their security alert pages as new information becomes available. SolarWinds has released hotfixes to repair the security vulnerability exploited by SUNBURST. They recommend upgrading to the latest version immediately. Details, installation instructions and answers to other questions can be found on the SolarWinds Security Advisory FAQ page. We recommend checking for updates frequently and immediately implementing the action items advised by SolarWinds.

If you believe your environment has been compromised, your threat response actions should include analyzing your stored network traffic for telltale signs of a breach, such as new external DNS domains. You should also take a close look at the system memory or host operating systems for all instances of the SolarWinds Orion Platform. If you have the expertise, this can be done in-house. If not, consult with a cybersecurity vendor to get advice on investigation and mitigation actions.

What Is The Community Doing?

A federal response force, including the Cybersecurity and Infrastructure Security Agency (CISA), is working with technology companies that include SolarWinds, Microsoft, and FireEye (the latter of which was hacked last month from this same exploit, and it was their own internal investigation that helped uncover this vulnerability and its scope) to help affected organizations determine the impact to them, to clean infected systems, and to safeguard critical infrastructure. Specifically, Microsoft has leveraged its capabilities and standing to get a court order to seize ownership of a public domain attributed to the attackers’ command and control architecture. They will also use it to scan for infected versions of the SolarWinds Orion software with its Microsoft Defender antivirus software (and immediately quarantine it), which has empowered other antivirus companies like Sophos and Symantec to follow suit.

What Are The Lessons Learned?

Cybersecurity experts acknowledge that this attack is frightening in its sophistication, scale, and potential impact on safety and security. This supply-side attack against SolarWinds, used as a means to an end to enable breaches at other, even-larger targets, shows us that the resources and capabilities of APTs continue to grow and that cyber defenses need to continuously evolve to keep pace.

This event can serve as a helpful wake-up call for all business leaders choosing technology providers: We should strongly consider the internal cybersecurity maturity of our providers and suppliers as a critical factor in picking a technology implementation. One of the biggest drivers for an organization to implement better cybersecurity controls comes from its customers, members, or donors demanding cybersecurity excellence. If we all require that excellence, then that will raise security standards for everyone.

We're Here to Help

The SolarWinds Orion security breach is a sobering reminder that cybersecurity is both critical and challenging. Cybercriminals are constantly devising new ways to infiltrate your systems, disrupt your operations, and steal valuable data. To remain safe, you must be alert and stay up to date on the most effective cybersecurity defenses. At designDATA, we pride ourselves on providing cybersecurity advice and solutions that are just right for you.

Is your business secure?
Download our free cybersecurity resources to find out

Do you have questions about this breach or other cybersecurity concerns?
Talk to one of our cybersecurity experts today


Public WiFi Security Myths, Facts & Best Practices


For many workers, the ability to work from anywhere is one of the most appreciated perks of modern wireless technology. Are you feeling trapped inside with lots of work to do on a beautiful sunny day? No problem – you can pack up your laptop and finish your work from a table on the patio at your local coffee shop. Dog begging for attention while you try to work? Take her to the dog park and write a report from a picnic table while she runs around. Need to send a last-minute work email before flying off for vacation? You can take care of it from the airport waiting area.

The ability to work remotely gives workers and companies unprecedented flexibility, but, like many benefits of technology, working from anywhere can be a double-edged sword. The public WiFi networks that enable employees to work from coffee shops, parks, and restaurants also present a security risk to company data.

Millions of people are working remotely due to COVID-19 precautions. As restrictions ease in some locations, more workers will seize the opportunity to get out of the house and work from other places, often using public WiFi. Companies need to understand the risks of using public WiFi and develop best practices to protect company networks and data.

Most people are aware that there’s some risk associated with using public WiFi. There’s a lot of helpful information on this topic, but there are also some myths. In this article, we’ll take a look at three common statements about public WiFi security and examine the truth of each. We’ll wrap up by discussing some best practices for working safely via public WiFi.

#1. When working on public WiFi, other devices can communicate with your device without your knowledge

This statement is true. On some public WiFi networks, hackers can gain access and initiate communication with your device. They don’t even have to be anywhere near you. Malicious actors can do this from hundreds of miles away. The risk is real, but there are mitigations. You should make sure that all company devices have the latest security patches and updates. Another effective tactic is to use a software-based firewall (such as the Windows Defender Firewall built into Windows 10) and implement hardening policies to disable services that may be listening for remote requests (such as remote registry and remote desktop).

#2. Anyone can snoop on your Web browsing and traffic on public WiFi

This one is a partial myth. Traffic to regular http:// sites is visible to anyone, but https:// sites are encrypted. This is critical knowledge for workers using public WiFi. To avoid prying eyes, be aware of whether the sites you visit are http:// or https://. On laptops, this is indicated by the presence of a padlock icon in the browser bar. Some browsers will give you a “not secure” message if you visit http:// sites. Pay attention to these indicators and don’t view or type sensitive information on an unencrypted site.

Additionally, some other services are also not secure. FTP and Telnet are two examples where all communication (including passwords) is sent in clear text, readable by anyone listening in on the network.

#3. The only way to work safely on public WiFi is to use a VPN connection.

This statement is widespread, but it’s not true. Using a VPN is an effective way to reduce the security risk of using public WiFi, but it’s not the only way. If a VPN is not required to access internal company servers or applications, it may be redundant since traffic to and from https:// sites is already encrypted. Other security strategies can reduce the attack surface available to hackers and protect devices, even without a VPN. A few of these strategies include reconfiguring vulnerable legacy Windows features and using secure browsers and applications that enforce Transport Layer Security (TLS) for all communications. You should investigate all the available options before deciding the best path for your company.

For Companies

The first step for companies is to establish a clear policy about working with public WiFi. Whatever policy you choose, make sure your employees have what they need to work productively under company best practices. One of the most effective ways to do this is to provide adequate training resources and on-demand help desk support.

If you choose to allow your employees to access the company network and data via public WiFi, make sure company devices are well protected. Managed security patching, a managed software-based firewall, and managed endpoint-based antivirus protection are all essential.

Based on public WiFi security risks, you may choose to disable or restrict access to company systems. If you go this route, make sure to provide your employees with other remote connectivity options such as a VPN, a work-issued hotspot, or reimbursement for the use of their personal phone’s hotspot. When choosing a VPN, make sure to evaluate the pros and cons of options such as full-tunnel vs split-tunnel and make the best choice for your company.

For Employees

First and most importantly, make sure you cooperate with your company’s established best practices. The next step is to do a little research and educate yourself on the most recent expert tips for safely using public WiFi. The recommendations include things like making sure you only visit websites you know are fully encrypted (https:// only), refraining from downloading any new updates or software, and logging out of accounts once you’ve finished what you’re doing. Recommendations are continually changing as the technology evolves, so check frequently to ensure you’re up to date.

Interested in Learning More?

This article should help you figure out if your company is headed in the right direction with its public WiFi policies and precautions, but that’s only one small part of the bigger cybersecurity picture. If you would like more information, check out our free cybersecurity resources. Ready to take action? Book a consult with one of designDATA’s cybersecurity experts today.

How To Protect Your Company From Business Email Compromise

Phishing scams have been around for a long time. You’ve probably received an unexpected email telling you that one of your accounts has been compromised or that one of your friends is stuck in a foreign country and needs you to wire money immediately. Maybe you’ve been notified that you’re being evicted or that your computer antivirus protection needs to be updated.

The emails direct you to click a link to download software or to enter your banking information. If you follow the instructions, you end up with malware on your computer or fraudulent charges on your credit cards. Phishing emails are annoying, but, in most cases, a trained eye can spot the fakes.

Phishing emails often have misspelled words, domains that don’t seem quite right, missing signatures, grammatical mistakes, or other telltale signs that tip you off to the scam. As long as you know what to look for and stay alert, you and your employees can avoid becoming a victim of traditional phishing scams.

What if the usual telltale signs are missing from a phishing email? What if the attack email looks 100% legitimate because it really came from the email account of a person or organization you trust? The chances that you or someone in your company would fall for the trap are much higher. Unfortunately, that’s what happens in a business email compromise, or BEC. This article will help you understand business email compromise and how you can take steps to protect your company.

Understanding Business Email Compromise

According to the FBI, business email compromise schemes resulted in $1.7 billion in losses to companies in 2019 alone. Data from Check Point Research suggests that the numbers for 2020 are even higher, as cybercriminals have taken advantage of the disruption caused by the global pandemic to launch hundreds of thousands of cyber attacks on distracted workers.

A business email compromise happens when a bad actor gains full access to someone else’s email account. There are many ways the attacker can gain this access. They can guess usernames and passwords on a popular email platform like Microsoft 365 or Google Mail or use stolen credentials from a data breach. They can also try tricking an individual through a conventional phishing attack to type their password into a malicious Web site that harvests the password. However it happens, a business email compromise allows a cybercriminal to exploit both the organization that owns the account and other organizations they do business with.

Once an attacker gains access to an email account, they patiently research their targets’ habits, contacts, and email patterns. This allows them to avoid the mistakes that traditionally give away phishing emails. BEC attacks are rarely carried out via mass emails. Instead, malicious cyber actors choose a limited number of targets and work to maximize their profits before they are discovered.

BEC attack emails always look like they’re from a trusted source because they are from that trusted source: They are, from a technology perspective, indistinguishable from legitimate emails, meaning spam filters cannot catch them. The attack email requests that you take action such as paying an invoice, purchasing gift cards, modifying direct deposit information, providing personal information, or opening an attachment. They can be sent to other individuals in the same organization as the compromised account or external parties. They can even intervene in the middle of a legitimate email exchange requesting to modify a transaction you are already approving, such as by changing the account number to send the payments to. The attacker’s goal is generally to profit financially from the email immediately, but some forward-thinking actors may use these attacks to gain information that will let them steal even more valuable data or gain further access to the company network to profit later.

Preventing Business Email Compromise

The best way to mitigate the risks with BEC attacks is to prevent the attacker from gaining access to your users’ email accounts in the first place, which can be accomplished through foundational cybersecurity practices. The following steps will help keep your network safe from BEC attacks and other schemes.

  • Require employees to use long, unique passwords and to change them frequently. No one likes having to invent strong new passwords, but this simple step is one of the strongest defenses against business email compromise.
  • Implement Multi-Factor Authentication and make it mandatory. MFA requires employees to take extra steps, but the cybersecurity payoff is worth the extra time and effort.
  • Have your users (or your IT staff, with management’s permission) review the automatic rules configured within your users’ email accounts. BEC attackers use these rules to help mask their activities (such as by automatically moving emails from banks to the deleted items folder) or to help gather and steal data (such as by automatically forwarding a copy of any email with the word “invoice” in the subject to an external email address for analysis).
  • Have your IT staff both review and manage email login policies. This can include reviewing logins to look for activity from countries or regions your users are known not to operate out of or to put restrictions in place for locations and times of day that you allow logins to your email system.
  • Train your staff to recognize suspicious emails and avoid sites that impersonate legitimate sites to ask for credentials. Your employees are crucial to defending against BEC, but they’re also a critical vulnerability if they’re not invested in your cybersecurity policies. Take the extra time to ensure that your employees understand why recognizing BEC schemes is essential and how it relates to your company’s overall success and security.
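The third and fourth steps above (reviewing mailbox rules for hiding or forwarding behaviour, and reviewing sign-ins for unexpected countries or hours) are the two checks an IT team can actually script. The block below is an added example, not designDATA's code or any mail platform's API: the rule and sign-in records are constructed to resemble an admin export, the field names (`forward_to`, `move_to`, `subject_contains`, `delete`, `country`, `success`) are this example's own, and `COMPANY_DOMAIN`, `ALLOWED_COUNTRIES` and `WORK_HOURS_UTC` are assumed policy values you would replace with your own.

```python
"""Triage mailbox rules and sign-in records for business email compromise signs.

Added example, not designDATA's code. Records and field names are constructed;
COMPANY_DOMAIN, ALLOWED_COUNTRIES and WORK_HOURS_UTC are assumed policy values.
"""
from datetime import datetime

COMPANY_DOMAIN = "example.com"                     # assumed: your own mail domain
ALLOWED_COUNTRIES = {"US", "CA"}                   # assumed: where staff normally sign in from
WORK_HOURS_UTC = range(11, 24)                     # assumed: 11:00-23:59 UTC business window
FINANCE_WORDS = ("invoice", "payment", "wire", "bank", "remit")
HIDING_FOLDERS = ("deleted items", "rss feeds", "junk email", "archive")

# Constructed sample of exported mailbox rules (one dict per rule)
RULES = [
    {"user": "cfo@example.com", "name": "Invoices", "subject_contains": "invoice",
     "forward_to": "mailbox@external-example.net", "move_to": None, "delete": False},
    {"user": "cfo@example.com", "name": "Bank", "subject_contains": "bank",
     "forward_to": None, "move_to": "RSS Feeds", "delete": False},
    {"user": "ap@example.com", "name": "Newsletters", "subject_contains": "newsletter",
     "forward_to": None, "move_to": "Newsletters", "delete": False},
    {"user": "ap@example.com", "name": ".", "subject_contains": "",
     "forward_to": None, "move_to": None, "delete": True},
]

# Constructed sample of sign-in records (UTC timestamps)
SIGNINS = [
    {"user": "cfo@example.com", "time": "2020-11-03T14:12:00Z", "country": "US", "success": True},
    {"user": "cfo@example.com", "time": "2020-11-03T03:47:00Z", "country": "NG", "success": True},
    {"user": "ap@example.com", "time": "2020-11-03T02:05:00Z", "country": "US", "success": False},
    {"user": "ap@example.com", "time": "2020-11-03T16:30:00Z", "country": "CA", "success": True},
]


def triage_rule(rule):
    """Return the reasons a mailbox rule looks like BEC tradecraft (empty if clean)."""
    reasons = []
    fwd = rule.get("forward_to")
    if fwd and not fwd.lower().endswith("@" + COMPANY_DOMAIN):
        reasons.append(f"forwards mail to external address {fwd}")
    folder = (rule.get("move_to") or "").lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"moves mail into '{rule['move_to']}', a folder users rarely read")
    if rule.get("delete"):
        reasons.append("deletes matching mail outright")
    subj = (rule.get("subject_contains") or "").lower()
    # A finance keyword alone is normal filtering; it matters when paired with hiding/exfil
    if reasons and any(w in subj for w in FINANCE_WORDS):
        reasons.append(f"targets finance keyword '{subj}'")
    if len(rule.get("name", "")) <= 1:
        reasons.append("rule name is blank or a single character")
    return reasons


def triage_signin(rec):
    """Return the reasons a sign-in falls outside the assumed location/time policy."""
    reasons = []
    if rec["country"] not in ALLOWED_COUNTRIES:
        reasons.append(f"sign-in from {rec['country']}, outside allowed countries")
    hour = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ").hour
    if hour not in WORK_HOURS_UTC:
        reasons.append(f"sign-in at {hour:02d}:xx UTC, outside business hours")
    return reasons


def report(rules, signins):
    """Combine both checks into one finding list: (kind, user, context, reason)."""
    findings = []
    for r in rules:
        for why in triage_rule(r):
            findings.append(("rule", r["user"], r["name"], why))
    for s in signins:
        severity = "high" if s["success"] else "low"   # a successful anomaly needs action first
        for why in triage_signin(s):
            findings.append(("signin", s["user"], severity, why))
    return findings


if __name__ == "__main__":
    for kind, user, ctx, why in report(RULES, SIGNINS):
        print(f"[{kind}] {user} ({ctx}): {why}")
```

Run as-is it flags the CFO's external forward and RSS-folder rule, the blank-named delete rule, and the two out-of-policy sign-ins, while leaving the newsletter filter and the in-hours North American sign-ins alone. Failed sign-ins are kept but ranked low so that a successful sign-in from an unexpected place is investigated first.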

Identifying Business Email Compromise Attacks

While preventing BEC attacks in the first place is always preferred, it may not always be possible. Cybercriminals may find a way around your protections and compromise one of your users’ accounts, or they may compromise the account of an outside party (for which you can’t directly implement cybersecurity policies) and use that outside party to launch BEC attacks against your organization.

BEC attack emails are sophisticated, as the attacker has already invested the time to gain access to an email account and doesn’t want to give themselves away before they get what they’re after. Employees must be vigilant to help spot these BEC attacks and notify the IT or cybersecurity team immediately if they suspect anything unusual. The following actions will help your workers successfully fend off BEC schemes.

  • Pay attention to the details. BEC email identifiers may include unusual word choices or sentence structure from what the sender typically sounds like.
  • Have verification policies in place. Having requirements like all wire transfers must be verified by at least two people (the requestor plus one other) before being made can stop many BEC attacks in their tracks.
  • Have validation policies in place. Even if your CEO is allowed to authorize writing a check without a second approver, you can still have policies in place to validate the request really came from the CEO. If you get such a request via an email, validate it by having a policy that also requires a voice validation: Call your CEO on the phone to confirm it was really them that issued this request. If you call the sender to validate the request, make sure you call them on a previously-verified phone number, not the one the attacker provided to you in their email signature!
  • Resist requests to bypass your policies. BEC attackers often make their requests (such as wiring money, writing a check) with a sense of urgency or requests for discretion. Be wary if you receive such requests – even if the sender is familiar – as the attacker may be using social pressures to get you to skip your verification and validation steps.
  • Listen to your suspicions. If you suspect a case of business email compromise, take precautions and immediately notify your IT or cybersecurity team so they can take appropriate action.

Take the Next Steps

Cybercriminals continuously devise new ways to attack companies. Business email compromise and other malicious schemes get more sophisticated all the time. You need to stay up to date on the latest cyber attacks and how to defend against them. Take advantage of the excellent free cybersecurity resources available to you. If you have questions or concerns about your current cybersecurity strategy, book a discussion with one of the experts at designDATA to get started.

Book a Cybersecurity Consult Today
