
December 2024

continuous.net

Get What You WANT From Your Technology


Welcome to this edition of “What’s Tasty,” our monthly newsletter keeping you in the know on I.T. support news, cybersecurity trends, high-EQ leadership, company updates, and simple tips to keep you and your business cyber-safe.

So what’s the deal with “tasty tacos”? First: We love tacos. (Who doesn’t?) Second: I.T. support shouldn’t be needlessly expensive, slow, unresponsive, rigidly packaged or uniform, inexperienced, passive, reactive, stingy, or a giant resource drain. It should be like a tasty taco:

Customized – Tasty tacos are crafted for your perfect taco experience, just like our tech strategy that’s completely aligned with your business goals and needs.

Fast – Tacos are quick, and speed and efficiency are our mantras.

Flexible – Tacos are an “anytime” food: breakfast, lunch, or dinner. We offer 24/7 support, with no call unanswered.

Supportive – Like a sturdy taco shell cradling all its delicious insides, every solution we create for clients is interwoven with robust cybersecurity.

Seasoned – Our tailored IT solutions are like the perfect blend of taco seasoning, sprinkled with deep industry knowledge to fit your unique taste.

Proactive – Tacos are meant to be eaten fresh, not left to fall apart. Our vigilant monitoring keeps potential issues at bay.

Loaded – Nobody wants a taco that’s half-full. We’re loaded with the solutions you want, and we don’t skimp on services.

Healthy – Nobody wants to pay for tacos twice (the second time in pain and discomfort). Our ROI is easy to digest.

At Continuous, we’re dedicated to providing IT services that are as enjoyable as your favorite taco. We don’t just want to be an indispensable part of your business operations but a critical reason for your success. If you have any questions about the “What’s Tasty” newsletter, I.T. news, or our services, contact us directly at tacos@continuous.net.

Thank you for trusting us,

Jason and Ross

P.S. We also accept taco recipe recommendations.



5 More Types of Phishing Attacks and How to Spot Each in the Wild!!

The purpose of this two-part list isn’t to scare you. Or make you lose all faith in humanity. Or make you want to smash your computer and sit in a dark room without any Wi-Fi until the end of days. The real reason we created it is to empower you. Because knowledge is most of the battle when it comes to protecting yourself against phishing attacks. To that aim, here are five more types of common phishing attacks:

1. Bulk email phishing: This strategy uses spam emails sent to as many people as possible, to work the odds of a few targets falling for the ruse. Scammers pretend to be legitimate businesses, banks, or online retailers to increase the chance of being taken seriously. Some of these emails look legitimate; they might even be copied from genuine emails. But there are a few key indicators that they’re fake. Red flags include:

• Email subject lines that create urgency (e.g., “Problem with your payment”).
• Instructions to take actions that would force you to give away sensitive information (e.g., “Update your profile”).
• Timing around annual/holiday sales (phishing attacks on Amazon customers spike around Prime Day, for example).
• Non-domain email addresses. Hover over the sender’s email address to detect this. Watch out for even slight variations.
• Poor spelling and grammar.
• File attachments. Most companies won’t attach a file to an email; they’ll direct you to download it directly from their website.
• Shortened links. Bitly and TinyURL can hide malicious URLs.
• An email from a company you haven’t dealt with or don’t recognize.

2. Quishing: This type of phishing uses fake QR codes, embedded in text messages, email, or out and about (a public parking meter, for example). Red flags include:

• Signs the QR code was tampered with (e.g., a sticker slapped over the original).
• Codes that are difficult to scan or don’t work because of poor design or a low-resolution image.
• Typos or misspelled words.
• Shortened, odd, or incorrectly spelled websites (if the preview shows the URL and it looks off, don’t click to visit the site).
• Unsecure website (no https:// or missing padlock icon).

3. Hybrid vishing: These attacks combine voice phishing with other methods. A prime example is an email from the “IRS” telling the target there’s a problem with their tax return. The target is directed to call a phone number and speak with an IRS representative (cough, scammer, cough). The easiest way to prevent being taken advantage of is to find out the rules of engagement for that organization. Red flags for the IRS-based attacks, for example, include:

• A big payday.
• Poor/illegal tax advice. If you’re being encouraged to lie on your taxes or falsify credit claims, run.
• Demands or threats. Usually arrest and deportation.
• Odd or misspelled web links.

continuous.net

201-579-2086



If you’re unsure whether to trust a communication you received, check the website of that entity. To use the IRS as an example again, their very specific rules around communication methods are listed in full:

• Email - We email you only with your permission.
• Mail - Typically, we contact you first by U.S. mail. Most IRS letters include a letter or number. To verify it’s us, search for a letter or notice. Some letters might be from IRS-assigned private debt collection agencies.
• Social media - You can follow us, but we never contact you about your taxes on social media. Check with a trusted tax professional.
• Text message - We only send you text messages with your permission.
• Phone call - Typically, we mail you first. We might call about an audit or to verify information.
• Fax - Sometimes we send a fax to verify employment or request reported income or withholdings.
• In-person visit - Generally, we notify you by mail before we visit your home or business.

4. Pharming: There are many different types of pharming, some incredibly sophisticated, but the gist of this type of attack is: The victim gets malicious code installed on their computer. This code then sends the victim to a fake website designed to gather their login credentials. Red flags include:

• Unusual site layout or suspicious prompts. When you visit a familiar website, something(s) feels off, whether it’s the logo, formatting, or pop-up prompts.
• Unsolicited emails or text messages. Especially if they have a link to an unknown website.
• Pop-ups or warnings. Often asking you to enter personal info.
• Incorrect web addresses or URLs. These often include weird characters, extra subdomains or misspellings galore.
• Redirect. When you try to visit a website, you’re redirected to one you didn’t intend to visit. Bye, Felicia!
• Certification warnings/errors. If the website you’re visiting previously had no related certificate issues, this is, as the kids say, “sus.”
• Sudden network or internet connectivity issues. These could be an indication of compromised DNS settings.
• Unusual account activity. Examples include financial transactions you never made.

5. Whaling: These go after the “big catches” — the senior executives or other C-suite players who have access to sensitive areas of an organization’s network, info, and/or financials. Red flags include:

• Urgent requests. “I need a wire transfer ASAP!” or “I need access to such-and-such account.”
• Unexpected communication from those people.
• Requests for sensitive information. Especially ones that should never be done by email.
• Suspicious sender. The email address doesn’t match the company’s domain or the email is from an address you’ve never seen before.
• Trying too hard. Scammers often try to build trust with the recipients by talking about personal details gathered from social media or other publicly available information. It’s a little like digital “love bombing.”
• Spelling and grammar mistakes.
• Weird or misspelled URLs.
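For readers who run their own mail filtering, here is how several of the bulk email red flags above (urgent subject lines, sender addresses that vary slightly from the real domain, file attachments, shortened links) can be checked automatically. This is an added example, not code from Continuous or any product named in this newsletter; the keyword list, the "Example Bank" brand, its `.example` domains, and the sample message are all constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumed lists for illustration; tune them to your own mail flow.
URGENT = re.compile(r"\b(urgent|problem with|action required|suspended)\b", re.I)
SHORTENERS = {"bit.ly", "tinyurl.com"}
BRANDS = {"example bank": "examplebank.example"}  # display name -> real domain

def red_flags(raw: str) -> list[str]:
    """Return which bulk-phishing red flags a raw email trips."""
    msg = message_from_string(raw)
    flags, body = [], []
    if URGENT.search(msg.get("Subject", "")):
        flags.append("urgent-subject")
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    for brand, real in BRANDS.items():
        if brand in display.lower() and domain != real and not domain.endswith("." + real):
            close = SequenceMatcher(None, domain, real).ratio() > 0.8
            flags.append("lookalike-domain" if close else "sender-domain-mismatch")
    for part in msg.walk():
        if part.get_filename():
            flags.append("attachment")
        elif part.get_content_type() == "text/plain":
            body.append(part.get_payload())
    hosts = re.findall(r"https?://([^/\s>\"]+)", " ".join(body), re.I)
    if any(h.lower() in SHORTENERS for h in hosts):
        flags.append("shortened-link")
    return flags

# Constructed sample message (not a real email).
SAMPLE = """\
From: "Example Bank Support" <billing@examp1ebank.example>
Subject: Problem with your payment
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

Update your profile: https://tinyurl.com/constructed-sample
--XX
Content-Type: application/pdf
Content-Disposition: attachment; filename="invoice.pdf"

(constructed placeholder)
--XX--
"""
print(red_flags(SAMPLE))
```

A score like this only flags a message for a closer look; a legitimate email can trip one check, and a careful scammer can avoid all four.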

For more information, visit: ibm.com/topics/phishing; upguard.com/blog/types-of-phishing-attacks; fortinet.com/resources/cyberglossary/types-of-phishing-attacks


Get Free Money in 3 Easy Steps

Score $500 for every qualified referral you make

We help SMBs located in New Jersey, NYC Metro, Connecticut, and Pennsylvania. Know someone who needs IT services? Getting $500 for that connection is as easy as 1, 2, 3:

1. Introduce us. You can use the form at https://www.continuous.net/referral once they’ve agreed to meet with us.
2. We meet them, hear their needs, and offer solutions without being pushy or obnoxious.
3. You get $500. Make it rain. (And repeat.*)

*There’s no limit to the number of referrals you can make and get paid for. If #1 and #2 happen, #3 keeps happening, whether each referral becomes a client or not.

We’re grateful for your support! Questions? Need help planning how you’ll spend all those Benjamins? Email us at tacos@continuous.net or call (201) 579-2086.

Leadership Resource Spotlight: Legends of I.T. Ross Brouse: YouTube Influencer

Does anyone really want to read boring, corporate-jargon-filled “resources”? No, especially when there’s a dandy, video-based alternative. Check out Ross Brouse’s YouTube channel, which is currently being relaunched to feature regular I.T. gold nuggets and cybersecurity smarts. In the meantime, here are some goodies from the vault:

• No Longer Hacked Hacked Baby: The Vanilla Ice hit parody you never knew you needed. We guarantee your life isn’t complete without it.
• HIPAA Police: 89% of medical practices had patient data lost or stolen from 2020-2022. Learn the risks of ignoring cybersecurity and compliance, what to do instead, and one piece of advice specifically for small healthcare practices. Featuring Brandis Kelly, President of The Technology Specialist.
• Stopping Cyber Attacks with Two Uncommon Methods: Covering two critical topics related to cybersecurity: network diagrams and dwell time. Plus, a common mistake people who’ve hired I.T. vendors are making and how to keep your business better protected from cybercriminals. Featuring Greg Scasny, CTO of Blueshift Cyber.
• The Best Way to Secure Your Business’s Data: We’re not giving away any secrets. You’ve got to watch.
• Does Your I.T. Company Really Have Your Back?: The odds aren’t great. Learn why.

Note: If you’re short on time and want a laugh, watch these at 2x speed. And don’t forget to subscribe! https://www.youtube.com/@legendsofit


Taking Your Vitamins With a Soda

Aka, Why I’m Super Frustrated

On some level, we’re all hypocrites. I get that. But boy, does it chap my hide a little when a business asks for cybersecurity advice. Not the question. It’s what the question is predicated on. Once they ask the question, it’s clear that they don’t really care about the answer. Lots of people ask for help, but what they really want is a magical, silver bullet. That’s a little like saying you want to be healthy, but the only action you take is to chug a handful of vitamins with a soda.

• Getting enough sleep? Psshhh.
• Eating healthy, whole foods instead of loads of processed ones? For the birds, baby.
• Exercising three to four times a week? Naw.
• Avoiding recreational drugs and daily alcohol consumption? Meh.
• Finding a qualified trainer and/or nutritionist for custom guidance and support? Preposterous!

All the rewards, none of the investment. All the benefits, none of the responsibilities. I get it. I too, am “a material girl, and I live in a material world.”*

The people who work to prevent bad things from happening are often the people who’ve had bad things happen before. The risks are real to them. The prices are present in their memories. The costs are cutting. They’ve learned the lesson and got the diploma.

But most people are so desensitized to their daily pain level, whether it’s physically, financially, operationally, or emotionally, that they don’t bother acting. They have accepted the discomfort, the workarounds, the lost time, the low energy, the decreased impact, the risk upon risk upon risk as “normal” or “okay.”

But if you want to protect your business (or change any harmful habit), you need to seek out the experts, ask them questions, and pay for their knowledge. If you want to avoid the headaches of clunky tech, regular outages, glitchy software, churn from tech-induced burnout, fragmented operations, and out-of-control I.T. budgets and timelines, you’re going to need more than a couple B12 pellets and a soft drink.**

Investments, whether in time, money, or effort, are costly. But those costs pale in comparison to the price you’re paying over the long haul and the bill that comes due all at once when the vitamins hit the fan.***

So I guess the real question you should start with is: How much pain do I want to experience**** and for how long?

*figuratively speaking **figuratively speaking ***figuratively speaking ****figuratively speaking


HIPAA Email Compliance: Cybersecurity Edition

5 Requirements for HIPAA Compliant Email Cybersecurity

The upside of vague rules is they leave room for changes in technology, nuance, and unexpected events, such as a pandemic. The downside of generic rules is they leave room for varied interpretation, flippancy, and ignorance. And regardless, you’re left with the bill for breaking them.

Ambiguity is a slippery slope when it comes to HIPAA compliance. Just because a security measure isn’t specifically called out in the General Rules of the Security Rule doesn’t mean you’re not required to implement it. In fact, one of the standards includes the requirement that you protect against any “reasonably anticipated threats or hazards to the security or integrity of PHI, and any reasonably anticipated uses or disclosures that are not permitted.”

So in our past two newsletters, we covered the three main components of HIPAA email compliance and detailed the six pillars of a HIPAA-compliant email system. (We’d call them page turners, but they were single page articles. And let’s face it, HIPAA compliance content isn’t exactly Nobel Prize-worthy material.) The next piece of this puzzle is email cybersecurity. (Try to contain your excitement.) Here are outlines of the five requirements for HIPAA-compliant email cybersecurity.

1. Encryption. All emails containing PHI should be secured from end to end. Some older encryption standards are no longer considered sufficient. Check out The National Institute of Standards and Technology to find the most up-to-date, appropriate encryption standards. You might use a standalone HIPAA compliant email system or upgrade your existing email system for full HIPAA compliance.

2. Email phishing protection. This includes using email filters and spam protection systems to detect and block phishing emails by using known phishing characteristics.

3. Spam protection. Designed to detect and block harmful (or simply unwanted) emails. Spam protection should filter out ads, phishing attempts, and malicious emails containing viruses or malware.

4. Virus protection. Your software should be automatically updated to include the latest virus definitions and continuously monitor email traffic. It should also quarantine and delete infected files for your protection.

5. Ransomware protection. This security protection prevents, detects, and responds to ransomware attacks. It ups the ante from the previous four measures to include endpoint protection, which monitors and protects specific devices within a network against attacks.

specifies the safeguards that protect PHI.

We’ll cover HIPAA friendly email technology, the final part of this series, in our next newsletter.

*These pillars are summarized from the HIPAA Journal’s article on HIPAA compliant email services.



Continuous Networks LLC., 1 Meadowlands Plaza, Suite 200, East Rutherford, NJ 07073

Prefer email only? Shoot us an email at tacos@continuous.net, so we can update your preferences.

Win a $25 Chipotle Gift Card

The first recorded mention of the term “phishing” was found in a hacking tool called:

A. AOLess
B. AOHell
C. A-LOL
D. AWOL AOL

The first person to email: tacos@continuous.net with the correct answer wins!

CLIENT HIGHLIGHT:

MD Manage

Professional and thorough, that’s how I’d describe Continuous. They’ve got their process down to a science. And over the years, they’ve come to understand our business environment, our systems, our team, and our clients as well as we do. Whenever we hit a technical snag, their response is quick and efficient. They’ve been doing a great job giving us the peace of mind we need without having to worry about security breaches or other IT issues. With Continuous, we know we’re in safe hands and can just concentrate on what we do best. Kumar Reddy CEO, MD Manage

