"We're Too Small to Hack" and Other Famous Last Words
We hear it all the time. "We're just a small shop -- why would anyone come after us?"
Here's the thing: hackers don't care about your company size. They care about easy targets. A new report out this week from Cybersecurity Ventures found that small and midsized businesses are in a full-blown cybersecurity crisis -- not enough people, not enough tools, and way too much confidence that "it won't happen to us."
Think of it like locking your doors at night. You don't skip it just because you live on a quiet street. The guy checking door handles at 2 AM isn't looking for mansions. He's looking for the one house that forgot to lock up.
Automated attacks don't browse your website and think, "Nah, only 12 employees, not worth it." They scan millions of targets at once and pounce on whoever left the door open. That could be an old password, an unpatched system, or Bob in accounting who clicked that "FedEx delivery" email.
The good news? You don't need a Fortune 500 budget to protect yourself. Start with the basics: strong unique passwords, keep your software updated, and train your team to spot sketchy emails. That alone puts you ahead of most.
You're not too small to hack. You might just be small enough to think you don't need to worry. And that's exactly what they're counting on.
Sparrowhawk Technology -- Making your technology safe and easy to use.
Someone's Watching Your Phone Right Now. Maybe.
You unlock your phone, check your bank balance, scroll through texts, snap a photo of your kid. Normal stuff. Private stuff.
Now imagine someone else seeing all of that. In real time.
That's not science fiction. It's a spyware toolkit called ZeroDayRAT, and security researchers just flagged it as one of the most complete mobile surveillance platforms they've ever seen. It works on iPhones. It works on Androids. And it's being sold openly on Telegram to anyone with a credit card.
Let me say that again — you don't need to be a hacker to use this thing. You just need to know where to buy it.
Once it's on your phone, the attacker gets a dashboard — think of it like a control panel for your entire digital life. They can read your texts, see your notifications, watch which apps you open, and track how long you spend in each one. They can turn on your camera. They can turn on your microphone. They can watch your screen while you type your banking password.
It even builds a timeline of your daily habits. Who you talk to. When you're most active. When you're asleep.
If that doesn't make your skin crawl, read it again.
This isn't just surveillance for kicks. ZeroDayRAT specifically targets banking apps, Apple Pay, PayPal — the apps where your money lives. It intercepts banking notifications and can even hijack cryptocurrency transfers by swapping wallet addresses when you copy and paste.
You think you're sending crypto to your buddy. You're sending it to some guy in a basement halfway around the world.
The way it gets on your phone is the same way most malware does — you let it in. A sketchy app you sideloaded. A link you tapped in a text message. A "security update" that wasn't really a security update.
There's a reason Apple doesn't want you installing apps from outside the App Store, and Google is tightening the reins on Android sideloading too. The official app stores aren't perfect, but they're a whole lot better than downloading random files from the internet.
Here's the part that keeps me up at night.
How many of your employees use their personal phone for work email? For Teams? For two-factor authentication? If one of those phones gets compromised, the attacker isn't just in their personal life — they're in your company. Reading emails. Intercepting login codes. Watching screens during confidential meetings.
Most small businesses don't have a mobile device policy. They don't think about it until something goes wrong. And by then, "going wrong" means someone's watching everything through your employee's pocket.
Your phone gives you clues. You just have to pay attention.
Battery draining way faster than normal? Phone running hot when you're not even using it? Data usage spiking for no reason? Apps you don't remember installing? Your camera or microphone indicator lighting up when it shouldn't be?
Any one of those is worth investigating. All of them together? Back up your photos and contacts, factory reset the phone, and start fresh. Don't restore from a backup that might carry the infection right back in.
Stick to official app stores. Period. That "free" app your coworker found on some website isn't worth the risk.
Keep your phone updated. Those annoying software updates patch the exact kind of holes that spyware exploits.
Watch for weird behavior. Trust your gut — if your phone is acting strange, something might be strange.
If you run a business, have a conversation about mobile security. It doesn't have to be complicated. Start with the basics: don't sideload apps, use strong passwords, enable two-factor authentication on everything.
And if something feels really wrong — your accounts are getting hit, your phone is doing things on its own — disconnect it from WiFi and cellular immediately, change your passwords from a different device, and call a professional.
That's what we're here for.
Sparrowhawk Technology — Making your technology safe and easy to use.
Six Zero-Days, One Update Button
Last week, Microsoft dropped its February Patch Tuesday update. Fifty-four vulnerabilities fixed. Six of them were zero-days — meaning hackers were already using them before the patch existed.
Let that sink in. Six doors were wide open, and the bad guys already had the keys.
Here's what bugs me: most small businesses I talk to treat Windows updates like that weird noise their car makes. "It's probably fine. I'll deal with it later." Later turns into never, and next thing you know, someone in accounting clicks a link and your whole file server is speaking Russian.
These weren't exotic, nation-state-level exploits either. They hit Windows, Office, and Azure — the stuff you use every single day. The stuff your receptionist uses. The stuff your QuickBooks runs on.
The fix? It's literally one button. Start menu, "Check for updates," go get coffee. That's it. Your IT person (hi, that could be us) can even automate it so you never have to think about it.
I get it — updates are annoying. They restart your computer at the worst possible time. But you know what's more annoying? Explaining to your customers why their data is on a hacker forum.
Patch your stuff. This week. Not next month.
Sparrowhawk Technology — Making your technology safe and easy to use.
That Text From Your Kid? It's Probably Not Your Kid
You get a text from an unknown number: "Hey Mom, I dropped my phone in the toilet. This is my new number. Can you send me $500 for the bill? I'll pay you back."
Your heart skips. Your kid is in trouble. You reach for your wallet.
Stop.
That's not your kid. That's a scammer who sent the same message to thousands of people, hoping a few parents would panic and wire money before thinking.
This scam has been around for years, but it's surging again. Scammers know parents don't think straight when they believe their child needs help. They use urgency and vague stories to bypass your common sense.
Here's how to protect yourself:
Call your actual kid. Use the number you already have. If they answer confused, you just dodged a bullet.
Ask a question only they'd know. "What did we name your first goldfish?" works better than "Is this really you?"
Never send money through gift cards, wire transfers, or Venmo to unknown numbers. Legitimate emergencies don't require iTunes cards.
Tell your parents. Older generations are heavily targeted because scammers assume they're less tech-savvy and more trusting.
Scammers are good at their jobs. They study human psychology and exploit the moments when we're most vulnerable. The best defense is a three-second pause before you act.
When your phone buzzes with an emergency, take a breath. Verify before you trust.
Sparrowhawk Technology - Making your technology safe and easy to use.
Do You Need a Virtual CISO? (Probably — Here's Why)
You can't afford a full-time CISO. You also can't afford to not have one. A virtual CISO splits the difference.
Let me ask you a question.
Who in your business is responsible for security?
Not "who installed the antivirus" or "who set up the WiFi password." I mean who is actively watching your security posture? Who reviews your firewall logs? Who makes sure your backups actually work? Who knows what to do when — not if — something goes wrong?
If the answer is "nobody, really" or "our IT guy, kind of, when he has time" — you're in the same boat as 90% of small businesses. And it's a boat with a slow leak.
You know you need someone focused on security. But a full-time Chief Information Security Officer costs $150,000 to $250,000 a year. You're a 40-person company. That math doesn't work. So the security stuff gets pushed to the bottom of the list, handled reactively, with everyone hoping for the best.
That's where a Virtual CISO comes in.
What Is a Virtual CISO?
Strip away the fancy title. A virtual CISO (vCISO) is a security expert who works for your business on a part-time, ongoing basis. They do everything a full-time CISO would do — assess your risks, build your security strategy, manage your defenses, handle compliance, and respond to incidents — but on a schedule and budget that fits a small business.
Think of it like this: you probably don't have a full-time lawyer on staff. But you have a lawyer you call when you need legal advice, when you're signing contracts, or when something goes wrong. A vCISO is the same thing, but for security.
They know your environment. They know your systems. They know your people. And when something happens at 2 AM, you're not scrambling to find someone on Google — you're calling the person who already has your network diagram pulled up.
What Does a Virtual CISO Actually Do?
Here's what it looks like in practice:
**They assess where you are.** The first thing a vCISO does is understand your current security posture — what you have, what's missing, what's misconfigured, and what's going to cause a problem if it isn't fixed. Not a one-time audit that gathers dust — a living, ongoing understanding of your environment.
**They build a plan.** Based on what they find, they create a security roadmap. What to fix first. What can wait. What to budget for next year. It's prioritized by actual risk to YOUR business, not some generic checklist.
**They manage your security tools.** That antivirus you installed last year? Is it still working? Are the definitions current? Is it on every machine? What about your email filtering, your DNS protection, your MFA configuration? A vCISO makes sure the tools you're paying for are actually doing their job.
**They handle compliance.** Whether it's cyber insurance requirements, HIPAA, PCI-DSS, or client contracts that require certain security controls — your vCISO makes sure you meet the requirements and can prove it.
**They respond to incidents.** When something suspicious happens, you call them. They already know your environment, so they're not wasting the first two hours asking what kind of firewall you have. They investigate, contain, and guide recovery.
**They keep up so you don't have to.** New vulnerabilities. New threats. Changes in compliance requirements. Microsoft pushing a security update that breaks something. Your vCISO stays current on all of it and translates what matters into action items for your business. You don't have to read cybersecurity news — they do it for you.
How Much Does It Cost?
A full-time CISO: $150,000 – $250,000/year plus benefits.
A virtual CISO: $1,500 – $4,000/month depending on the scope.
At the mid-range — $2,500/month — you're paying $30,000 a year for security leadership that would cost you eight times that as a full-time hire. And you're getting someone with deep expertise who does this across multiple clients, which means they've seen more environments, more threats, and more incidents than someone who's only ever worked at one company.
That's not a cost. That's leverage.
"But We Already Have an IT Person"
Good. Keep them. A vCISO doesn't replace your IT person — they complement them.
Your IT person handles the day-to-day. Help desk tickets. Printer issues. Setting up new laptops. Software installs. Password resets. That's valuable work, and it keeps your business running.
A vCISO handles security strategy. Risk assessment. Vulnerability management. Compliance. Incident response. Threat monitoring. These are specialized skills that most generalist IT people don't have the time, training, or bandwidth to handle properly — and they'll be the first to tell you that.
The best setup is a vCISO working alongside your IT person. The vCISO sets the security direction and identifies what needs to happen. Your IT person helps execute it. Everybody stays in their lane. Nobody's overwhelmed.
How Do You Know If You Need One?
Answer yes to any of these and you probably need a vCISO:
- You don't have anyone whose job it is to think about security
- You have cyber insurance but aren't sure you'd pass an audit of your application answers
- You handle sensitive data — financial, medical, personal, or client information
- Your clients are asking about your security practices
- You've been breached before and never want it to happen again
- You're growing and your technology is getting more complex
- You're worried about security but don't know where to start
- You have compliance requirements and no one managing them
- Your IT person is great at IT but security isn't their specialty
If none of those apply to you, you might genuinely be fine. But if you read that list and felt a little uncomfortable, that's your answer.
What to Look For
Not all vCISO services are created equal. Here's what matters:
**Experience matters more than certifications.** Certs are great — but you want someone who has actually built security programs, responded to real incidents, and managed real environments. Ask about their background. Ask for examples.
**They should know your environment.** A good vCISO takes the time to learn your systems, your people, your workflows, and your risk profile. If they're treating you like a ticket number, find someone else.
**They should explain things in plain English.** If your security advisor can't explain a risk to a non-technical business owner in a way that makes sense, they're not doing their job. Security isn't useful if nobody understands it.
**They should be proactive, not reactive.** You're not hiring someone to wait by the phone. You're hiring someone to catch problems before they become incidents and keep your security posture moving forward.
The Bottom Line
You can't afford a full-time CISO. You also can't afford to have nobody watching the store. A virtual CISO gives you enterprise-level security leadership at a price that makes sense for a real business with a real budget.
It's not about being paranoid. It's about being prepared. And it's a lot cheaper than finding out the hard way that nobody was paying attention.
*Sparrowhawk Technology — Making your technology safe and easy to use.*
What Does a Penetration Test Actually Cost? (And Is It Worth It?)
Penetration tests aren't cheap. Getting breached is a lot more expensive. Here's what a pentest actually costs and what you get for the money.
"How much does a pentest cost?"
I get this question at least once a month. And the honest answer is: it depends. Which I know is the most annoying answer in the world. So let me actually break it down in a way that makes sense.
First — What Is a Penetration Test?
If you already know, skip ahead. If you don't, here's the plain English version.
A penetration test is when you hire someone to try to hack your business. On purpose. With your permission.
That's it. You're paying a professional to find the holes in your security before a real attacker does. They use the same tools, the same techniques, and the same mindset as an actual hacker — but instead of stealing your data, they write you a report telling you exactly how they got in and what you need to fix.
Think of it like hiring someone to break into your house to test your locks, your alarm system, and your security cameras. Would you rather find out your back door doesn't lock from a professional you hired, or from the guy stealing your TV at 3 AM?
What It Actually Costs
Here are realistic ranges for small and midsize businesses:
**External Penetration Test: $3,000 – $8,000**
This tests everything visible from the internet — your website, email server, VPN, remote access portals, anything with a public IP address. The tester tries to break in from the outside, just like a real attacker would. For a small business with a simple external footprint, you're looking at $3,000-$5,000. More complex environments with multiple sites or applications push it higher.
**Internal Penetration Test: $4,000 – $10,000**
This simulates what happens after someone gets inside your network — either through a phishing email, a compromised credential, or a rogue device. The tester starts from inside and tries to escalate privileges, move laterally, and access sensitive data. This is where most of the really scary findings live.
**Combined Internal + External: $5,000 – $15,000**
Most businesses get both, because testing only the outside is like checking if your front door is locked while ignoring the fact that every window is open.
**Web Application Test: $5,000 – $15,000**
If you have a customer-facing web application — a portal, an e-commerce site, a SaaS product — this tests the application itself for vulnerabilities like SQL injection, cross-site scripting, authentication bypass, and data exposure. Complexity and size of the application drive the cost.
**Wireless Assessment: $2,000 – $5,000**
Tests your WiFi security — encryption, authentication, rogue access points, and whether someone in your parking lot could connect to your corporate network.
What Drives the Price?
The biggest factors:
**Scope.** How many IP addresses, applications, and locations are you testing? A single office with one public IP is simpler (and cheaper) than three offices with a web app and a VPN.
**Depth.** A basic scan-and-report is cheaper than a full manual test where someone spends days trying creative attack paths. You generally get what you pay for.
**Compliance requirements.** If you need the test to meet PCI-DSS, HIPAA, CMMC, or cyber insurance requirements, the methodology and reporting need to align with those frameworks. That adds rigor and cost.
**Retesting.** Some firms include a retest after you fix the findings. Others charge extra. Ask upfront.
What You Get
A good penetration test delivers:
- **An executive summary** that a non-technical person can understand — here's your risk level, here are the big issues, here's what to do first
- **Technical findings** with evidence — screenshots, proof-of-concept, step-by-step reproduction
- **Risk ratings** for each finding — critical, high, medium, low
- **Remediation guidance** — not just "fix this" but specific steps to fix it
- **A retest** (ideally) to verify you actually closed the holes
A bad penetration test gives you a 200-page automated scan report with your company name pasted on the cover. If someone quotes you $500 for a pentest, that's what you're getting. Don't bother.
Is It Worth It?
Let's do some math.
The average cost of a data breach for a small business: **$150,000+** when you add up downtime, recovery, legal, notification, and reputation damage. Some studies put it much higher.
The average cost of a ransomware incident: **$200,000+** including ransom (if paid), recovery, downtime, and business loss.
The cost of a penetration test: **$5,000-$15,000** once a year.
If a pentest finds even one critical vulnerability that would have led to a breach, it just paid for itself ten times over. That's not marketing — that's math.
Beyond the direct financial argument:
- **Cyber insurance** increasingly requires or rewards annual penetration testing with lower premiums
- **Client contracts** — if you work with larger companies, they're starting to require proof of security testing
- **Compliance frameworks** (PCI, HIPAA, CMMC) mandate regular testing
- **Peace of mind** — knowing someone actually tested your defenses is worth something
When You Don't Need a Full Pentest
I'll be honest — not every business needs a $10,000 penetration test every year. If you're a 15-person office with basic cloud services and no customer-facing applications, a vulnerability assessment ($1,500-$3,000) might be the right starting point. It scans for known vulnerabilities without the full manual exploitation. It's faster, cheaper, and still catches the majority of common issues.
A pentest makes the most sense when:
- You handle sensitive data (financial, medical, personal)
- You have customer-facing web applications
- Your cyber insurance requires it
- A client contract requires it
- You've never had one and have no idea where you stand
- You want to actually know what an attacker could do, not just what's theoretically vulnerable
The Bottom Line
A penetration test isn't an expense. It's an investment in knowing the truth about your security. You can either pay a professional to find the holes now, or pay an attacker's price when they find them later.
One of those options comes with a report and a fix list. The other comes with a ransom note.
*Sparrowhawk Technology — Making your technology safe and easy to use.*
5 Signs Your Business Has Already Been Hacked (And You Don't Know It)
The average breach goes undetected for over 200 days. Here's what to look for — because by the time it's obvious, it's already bad.
Here's a number that should keep you up tonight.
**194 days.** That's the average time it takes a business to even realize they've been breached. Not to fix it — just to notice it happened. Nearly seven months of someone sitting inside your network, reading your emails, copying your files, and mapping your systems before anyone raises an eyebrow.
By the time ransomware locks your screen or a customer calls asking why their data is on the dark web, the attacker has been inside for months. The explosion is just the last step. The fuse was lit a long time ago.
So how do you catch it earlier? You pay attention to the warning signs that most people explain away or ignore.
1. Employees Getting MFA Prompts They Didn't Request
This is the big one. And it's the one people dismiss the fastest.
Someone in your office gets a push notification on their phone asking them to approve a login. They didn't try to log in. They hit "deny" and go back to their sandwich. Maybe it happens again the next day. They ignore it.
That's an attacker with their password, trying to get past MFA.
Let me say that again — if someone is getting MFA prompts they didn't initiate, **someone else has their password.** Full stop. That's not a glitch. That's not the system being weird. That is an active attack in progress.
What to do: Change the password immediately. From a different device. Review the account's sign-in logs. Check if any MFA methods were added that the user doesn't recognize. And report it — don't just ignore it.
2. Emails Going Out That Nobody Sent
A client calls and says they got a weird email from someone on your team. The email has a link or an attachment. But the person it "came from" never sent it.
This means one of two things: either someone's email account has been compromised and the attacker is sending emails from inside your actual mailbox, or your domain is being spoofed (which means your email authentication — DMARC, DKIM, SPF — isn't set up properly).
Either way, it's bad. If it's a compromised account, the attacker can see every email, every attachment, every contact. They're usually looking for invoices, financial details, or anything they can use for a business email compromise scam — the kind where they send your CFO a convincing email saying "wire $47,000 to this new account."
What to do: Check the sent folder and deleted items. Review mail flow rules for any forwarding rules you didn't create (attackers love setting up hidden forwarding rules). Check sign-in activity. If an account is compromised, force a password reset and revoke all active sessions immediately.
3. Your Systems Are Slower Than Usual — And Nobody Knows Why
Computers take longer to boot. Applications lag. The network feels sluggish. IT runs some speed tests, shrugs, and says "it's probably Windows update."
Maybe. But it's also what it looks like when something is running in the background that shouldn't be. Malware, cryptominers, data exfiltration tools, or an attacker actively moving data off your network — all of these consume system resources and network bandwidth.
This isn't a "call IT when you get a chance" situation. If multiple people are noticing performance degradation at the same time, and there's no obvious explanation like a software update or a backup running, it's worth investigating.
What to do: Check running processes for anything unfamiliar. Review network traffic for unusual patterns — especially large outbound transfers during off-hours. Run a full endpoint scan with updated definitions. And don't just restart the computer and call it fixed.
4. Unexpected Password Reset Emails
Your accountant gets an email from Microsoft saying their password was changed. They didn't change it. Your office manager gets a notification that a new device was added to their account. They didn't add one.
These notifications exist for a reason. They're the system telling you that someone accessed the account and made changes. If the actual user didn't make those changes, someone else did.
Attackers who compromise an account will often change the password, add their own MFA device, or set up an app password — all to maintain access even after the original user notices something is wrong. By the time you reset the password, the attacker has already created a back door.
What to do: Reset the password AND review all authentication methods on the account. Remove any devices, phone numbers, or authenticator apps that the user doesn't recognize. Check for app passwords. Review the account's recent activity log for logins from unfamiliar locations or IP addresses.
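As an added example (not Sparrowhawk's code or any vendor's tool), here is a small triage script that applies the checks from signs 1, 2 and 4 to constructed sample records: password-accepted sign-ins whose MFA prompt was denied or ignored, inbox rules forwarding mail outside the company, and a new MFA method registered from an address that was generating those denied prompts. The event schema and field names are simplified assumptions, not any real sign-in log or mailbox export format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "example.com"

# Constructed sample sign-in events (simplified schema; not a real vendor export).
SIGN_INS = [
    # jane: someone has her password and keeps triggering push prompts she denies (sign 1)
    {"user": "jane@example.com", "time": "2025-02-10T09:01:00", "ip": "203.0.113.7",
     "password_ok": True, "mfa_result": "denied_by_user"},
    {"user": "jane@example.com", "time": "2025-02-10T09:04:00", "ip": "203.0.113.7",
     "password_ok": True, "mfa_result": "denied_by_user"},
    {"user": "jane@example.com", "time": "2025-02-11T07:30:00", "ip": "203.0.113.7",
     "password_ok": True, "mfa_result": "timeout"},
    # jane's own normal login from the office
    {"user": "jane@example.com", "time": "2025-02-10T08:00:00", "ip": "198.51.100.20",
     "password_ok": True, "mfa_result": "success"},
    # bob: one mistyped password, then a normal login - noise, not an attack
    {"user": "bob@example.com", "time": "2025-02-10T10:00:00", "ip": "198.51.100.21",
     "password_ok": False, "mfa_result": None},
    {"user": "bob@example.com", "time": "2025-02-10T10:01:00", "ip": "198.51.100.21",
     "password_ok": True, "mfa_result": "success"},
    # carol: a single stray denied prompt - below the threshold on its own
    {"user": "carol@example.com", "time": "2025-02-10T12:00:00", "ip": "203.0.113.9",
     "password_ok": True, "mfa_result": "denied_by_user"},
]

# Constructed sample authentication-method changes (sign 4).
MFA_METHOD_EVENTS = [
    # a new authenticator registered for jane from the same IP that was being denied
    {"user": "jane@example.com", "time": "2025-02-11T07:45:00", "ip": "203.0.113.7",
     "action": "add_mfa_method", "method": "authenticator_app"},
    # bob legitimately enrolled a new phone from his usual address
    {"user": "bob@example.com", "time": "2025-02-10T10:05:00", "ip": "198.51.100.21",
     "action": "add_mfa_method", "method": "phone"},
]

# Constructed sample inbox rules (sign 2).
INBOX_RULES = [
    {"user": "bob@example.com", "name": "Receipts", "forward_to": "bob.home@example.com",
     "delete_original": False},   # forwards within the company's own domain
    {"user": "bob@example.com", "name": ".", "forward_to": "payments-ext@mail.example.net",
     "delete_original": True},    # external forward, hidden by deleting the original
    {"user": "jane@example.com", "name": "Newsletters", "forward_to": None,
     "delete_original": False},
]

UNSOLICITED = {"denied_by_user", "timeout"}


def _ts(s):
    return datetime.fromisoformat(s)


def unsolicited_mfa_prompts(sign_ins, threshold=2, window=timedelta(days=2)):
    """Sign 1: the password was accepted but the MFA prompt was denied or ignored.
    Returns {user: [source ips]} for accounts with at least `threshold` such
    events inside any `window`-long span."""
    per_user = defaultdict(list)
    for e in sign_ins:
        if e["password_ok"] and e["mfa_result"] in UNSOLICITED:
            per_user[e["user"]].append(e)
    flagged = {}
    for user, evs in per_user.items():
        evs.sort(key=lambda e: _ts(e["time"]))
        # sliding window over consecutive events sorted by time
        for i in range(len(evs) - threshold + 1):
            if _ts(evs[i + threshold - 1]["time"]) - _ts(evs[i]["time"]) <= window:
                flagged[user] = sorted({e["ip"] for e in evs})
                break
    return flagged


def suspicious_forwarding_rules(rules, internal_domain):
    """Sign 2: inbox rules that forward mail outside the organisation, the classic
    way a compromised mailbox quietly leaks every message to the attacker."""
    hits = []
    for r in rules:
        target = r["forward_to"]
        if not target:
            continue
        if not target.lower().endswith("@" + internal_domain.lower()):
            hits.append({"user": r["user"], "rule": r["name"], "forward_to": target,
                         "hides_mail": r["delete_original"]})
    return hits


def mfa_methods_added_from_suspect_ip(method_events, sign_ins):
    """Sign 4: a new MFA method registered from an IP that was generating
    denied/ignored prompts for the same account - the attacker got through and
    is adding their own second factor to keep access after a password reset."""
    suspect_ips = defaultdict(set)
    for e in sign_ins:
        if e["password_ok"] and e["mfa_result"] in UNSOLICITED:
            suspect_ips[e["user"]].add(e["ip"])
    return [m for m in method_events
            if m["action"] == "add_mfa_method" and m["ip"] in suspect_ips[m["user"]]]


def triage(sign_ins=SIGN_INS, method_events=MFA_METHOD_EVENTS, rules=INBOX_RULES):
    """Run all three checks and return the findings in one dictionary."""
    return {
        "unsolicited_mfa": unsolicited_mfa_prompts(sign_ins),
        "external_forwarding": suspicious_forwarding_rules(rules, INTERNAL_DOMAIN),
        "mfa_added_from_suspect_ip": mfa_methods_added_from_suspect_ip(method_events, sign_ins),
    }


if __name__ == "__main__":
    for check, findings in triage().items():
        print(check, findings)
```

Any hit from the third check corroborates the first for the same account, which is the "multiple signs together" situation the article says to treat seriously.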
5. Files, Folders, or Settings That Changed on Their Own
A shared folder that was accessible yesterday now requires a password. Files disappeared from a network drive. A firewall rule changed that nobody remembers changing. A new admin account appeared in Active Directory.
These are signs of someone actively working inside your environment. They're exploring, testing access, setting up persistence, or staging data for extraction. The changes might be subtle — a new scheduled task, a modified Group Policy, a service that wasn't there before.
The scariest version of this: you find files with names like `mimikatz.exe`, `psexec.exe`, or `lazagne.exe` on a server. Those are hacking tools. If they're on your systems and nobody on your team put them there, you are actively compromised. Stop what you're doing and call for help.
What to do: Document what changed, when, and on which system. Check audit logs for who made the change. Look for new user accounts, especially admin accounts. If you find hacking tools on any system, disconnect it from the network immediately and engage an incident response professional.
What To Do If Any of This Sounds Familiar
Don't panic. But don't ignore it either.
If you're seeing one of these signs, it might be nothing. If you're seeing multiple — especially unexpected MFA prompts combined with email issues or unexplained changes — you need to treat it seriously.
Here's the short version:
1. **Don't tip off the attacker.** Don't announce to the office that you think you've been hacked. Quietly investigate.
2. **Preserve evidence.** Don't wipe machines or delete logs. You'll need them.
3. **Isolate affected systems.** If you can identify a compromised machine or account, disconnect it from the network.
4. **Call a professional.** This isn't a DIY situation. An incident response specialist can determine the scope, contain the threat, and guide recovery.
5. **Notify your cyber insurance carrier.** Most policies have a notification window. Don't wait.
The worst thing you can do is nothing. The second worst thing is assume it's nothing and hope it goes away. It won't.
*Sparrowhawk Technology — Making your technology safe and easy to use.*
Your Cyber Insurance Application Is Lying (And Your Insurer Knows It)
You checked 'yes' on MFA, backups, and endpoint protection. But can you prove it? Your insurer is going to ask.
Let me paint a picture.
You're renewing your cyber insurance. The application is 12 pages long and full of questions like "Do you enforce multi-factor authentication on all remote access?" and "Are your backups stored offsite and tested regularly?" and "Do you have endpoint detection and response deployed on all devices?"
You check "yes" on all of them. Because you're pretty sure you do. Your IT guy set that stuff up. Probably. At some point.
Six months later, you get hit with ransomware. You file a claim. And that's when the insurer sends in their forensics team — not to help you recover, but to verify every single answer on that application.
MFA? It was enabled on email but not enforced on VPN. That's a no.
Backups? They existed, but they were on the same network as the encrypted servers. Ransomware got them too. That's a no.
EDR? The subscription expired in October. Nobody noticed. That's a no.
**Claim denied.**
This is happening to businesses every single day. And it's not because insurers are trying to screw you — it's because they tightened the rules and most businesses haven't kept up.
## The Questions Got Harder
Two years ago, a cyber insurance application was half a page. "Do you have antivirus? Do you have a firewall? Great, here's your policy."
Those days are gone.
Today's applications are detailed, technical, and specific. They're not asking if you *have* MFA — they're asking if it's *enforced* on all remote access, email, VPN, RDP, and cloud admin portals. They're not asking if you *do* backups — they're asking if they're encrypted, offsite, immutable, and tested within the last 90 days.
And here's the part that matters: your answers are warranties. That means if you say "yes" and the answer is actually "sort of" or "we used to" or "I think so" — you've just voided your own policy.
## The Most Common Lies (That Aren't Intentional)
Nobody's trying to commit insurance fraud. But the gap between what businesses think they have and what they actually have is enormous.
**"Yes, we enforce MFA."**
What they mean: We turned on MFA for Office 365 last year.
What the insurer means: MFA is enforced — not just enabled — on every remote access point. Email, VPN, RDP, cloud admin consoles, and any externally facing application. No exceptions. No "optional" enrollment.
**"Yes, we have endpoint protection on all devices."**
What they mean: We installed antivirus on the computers when we bought them.
What the insurer means: You have active endpoint detection and response (EDR) — not just antivirus — deployed on every endpoint in your environment, including servers. It's monitored, alerts are reviewed, and the subscription is current.
**"Yes, our backups are tested and stored offsite."**
What they mean: We have a backup drive. It's in the closet. Bob set it up.
What the insurer means: Backups run on a schedule, are stored offsite or in the cloud, are encrypted, ideally immutable (meaning ransomware can't touch them), and someone has actually restored from them recently to verify they work.
**"Yes, we have an incident response plan."**
What they mean: We'd probably call our IT guy.
What the insurer means: You have a written, documented plan that specifies roles, responsibilities, communication procedures, containment steps, and recovery processes. And your team has been trained on it.
## Why This Matters More Than You Think
Here's the math that should scare you.
You're paying $5,000-$15,000 a year for cyber insurance. You think you're covered. You get breached. The average cost of a data breach for a small business is north of $150,000 when you add up downtime, recovery, legal costs, and customer notification.
You file the claim. The insurer audits your controls. They find gaps between your application and reality. Claim denied.
You just paid for insurance you can't use, and you're on the hook for the full cost of the breach. That's the worst possible outcome — the cost of the insurance AND the cost of the incident.
## What You Should Do Instead
Get assessed before you fill out the application. Not after.
Bring in someone who knows what insurers are actually looking for — not what the questions seem to be asking, but what the technical requirements really are. Have them verify your MFA, your backups, your EDR, your segmentation, your patch management, all of it. Against the actual application.
Where there are gaps, fix them before you check "yes."
Then when you submit that application, every answer is backed by evidence. Screenshots. Configuration exports. Test results. Documentation. Not hopes and assumptions.
And if you do get breached, the insurer's forensics team finds exactly what you said they'd find. Claim approved.
## The Bottom Line
Your cyber insurance application isn't a formality. It's a contract. Every "yes" is a promise, and your insurer will hold you to it at the worst possible time.
Don't guess. Don't assume. Get verified.
*Sparrowhawk Technology — Making your technology safe and easy to use.*
Keeping Your Technology Safe: A Laughing Matter?
Originally published: February 6, 2023
Most of us have heard the saying, "Laughter is the best medicine." But when it comes to keeping your technology safe, is laughter really the answer?
Well, maybe not, but it can certainly help you remember some important tips! Here are a few ways to keep your tech secure without taking yourself too seriously:
- Use a password manager: Trying to remember all your passwords is like trying to remember every joke you've ever heard. Use a password manager to keep track of them all and make your life easier.
- Update your software: Keeping your software up to date is like keeping your joke repertoire fresh. You don't want to be caught telling the same old jokes (or using outdated software) that could leave you vulnerable to attack.
- Back up your data: Losing your data is no laughing matter. Make sure you regularly back up your important files to avoid a tech catastrophe.
- Be wary of phishing scams: Phishing scams are like bad jokes - they're easy to spot once you know what to look for. Be careful of suspicious emails and never give out personal information.
So while laughter may not be the actual cure for all your tech woes, keeping a sense of humor can make the process of staying safe a little more enjoyable. And remember, at Sparrowhawk Technology, we're here to help keep your technology safe and easy to use - no joke!
Hackers target small businesses too!
Originally published: January 12, 2023
Here is a quick tidbit of information to think about. Hackers are not just targeting large corporations for cyberattacks! That statement is not meant to feed the FUD (fear, uncertainty, and doubt) monster. It is to tell you that if you are an employee of a small or medium-sized organization, you may be even more at risk of being targeted for cyberattacks.
These days cybercriminals target smaller organizations because they assume those organizations have fewer defenses in place to protect their interests. Worse yet, many businesses wait until after something happens to try to protect themselves. This is a faulty way to think. I encourage you to take a moment and think about how much you have invested in your company's security... It may have been only a little, or possibly none, over the past year, and a lot can happen in a year. To start your dive into your own security, I recommend ensuring that all your computers and equipment are up to date with every fix/patch available for them. Whether at home or at work, you can become the victim of a cybercriminal, but with just a little preparation you can stop 70% of the attacks you could be vulnerable to.
Share these tips with your employer, with your friends, and with your family!
- Never share your password with anyone. Additionally, use complex passwords, and use a different password for every site, kept in a password manager.
- Look for red flags in emails such as a sense of urgency or a request for sensitive information. Carefully check the domain of the sender's email address and remember that any domain can be spoofed.
We hope you continue to protect yourself in the future and if you ever need some assistance or want to have a conversation remember Sparrowhawk Tech is here to keep your technology safe.
Another Password Posting...
Originally published: November 10, 2022
Password security is sounding like a broken record these days. The news talks about yet another password breach, every site you log into requires a password, and you are constantly reminded that it needs to be very long, very complicated, and ultimately something you cannot remember. I thought a bit more explanation might help explain this nightmare we call "Passwords".
The first thing you should know is that passwords are something very personal to you. Typically people use something relatable to them, such as a pet or relative, important dates, and the things that are easiest for them to remember. If you fall into this category, don't worry, you are not alone. Here is the problem with that line of thinking: your social media profile (Facebook, Twitter, Instagram, etc.) probably already contains most of the information your password is built from. No, someone is not going to look at your Facebook and instantly know your password. BUT an experienced hacker may use a scraping tool to gather all the words from your social media profile and from your comments to build what is called a word list. This list contains every word you have put onto social media. They will then use a tool to "brute force" your password by trying different combinations of these words.
You may have read at one time that a 12-character password takes billions of years to crack. Well, computers have gotten a lot better at this over the years and the new estimate on how long it takes to crack a 12-character password is now 2 seconds if it is just comprised of numbers.
What do I do!?!?! Don't worry, there is always a resolution for these issues. Understanding the problem is the first step to resolving it, and the problem is this: how in the world do I create a long and complicated password and then remember it? The good news is that it's fairly easy. Think of a sentence; yes, go back to grammar school, because a properly punctuated sentence works. The password "sparrowhawk" takes 2 hours to crack, but what about the password "Sparrowhawktechisawes0me!"? Good luck cracking that in a trillion years. Better yet, using spaces is an amazing security measure in a password! A password such as "Sparrowhawk Tech is number 1!" works on every level, and a secret that nobody tells you is that spaces in a password cannot be defined in a word list and therefore cannot be easily cracked!
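As an added illustration of the two attack models this post describes (exhaustive search over the character classes a password uses, versus combinations of words scraped from a public profile), here is a small guess-cost estimator. It is example code written for this post, not Sparrowhawk's; the guess rate and the profile word list are constructed assumptions.

```python
import re
import string

GUESSES_PER_SECOND = 10**11        # assumed attacker throughput (an assumption, not a measured figure)
SECONDS_PER_YEAR = 365 * 24 * 3600

# Constructed stand-in for a word list scraped from someone's public profile.
PROFILE_WORDS = {"sparrowhawk", "tech", "is", "number", "1", "awesome",
                 "fluffy", "denver", "1984"}


def charset_size(password: str) -> int:
    """Alphabet an exhaustive attacker must cover, based on the classes present."""
    classes = [
        (str.islower, 26),
        (str.isupper, 26),
        (str.isdigit, 10),
        (lambda c: c in string.punctuation, len(string.punctuation)),
        (lambda c: c == " ", 1),
    ]
    return sum(size for test, size in classes if any(test(c) for c in password))


def brute_force_guesses(password: str) -> int:
    """Worst case for trying every string of this length over those classes."""
    return charset_size(password) ** len(password)


def wordlist_guesses(password: str, words=PROFILE_WORDS):
    """Guesses for an attacker combining profile words (case-insensitive,
    spaces and punctuation ignored). Returns None when the password uses a
    token the word list does not contain, i.e. this attack does not apply."""
    tokens = re.findall(r"[a-z0-9]+", password.lower())
    if not tokens or any(t not in words for t in tokens):
        return None
    return len(words) ** len(tokens)


def years_to_exhaust(guesses: int) -> float:
    return guesses / GUESSES_PER_SECOND / SECONDS_PER_YEAR


def assess(password: str) -> dict:
    """Report the cheaper of the two attack models for this password."""
    brute = brute_force_guesses(password)
    wordlist = wordlist_guesses(password)
    use_wordlist = wordlist is not None and wordlist < brute
    return {
        "brute_force_guesses": brute,
        "wordlist_guesses": wordlist,
        "cheapest_attack": "wordlist" if use_wordlist else "brute_force",
        "years_to_exhaust": years_to_exhaust(wordlist if use_wordlist else brute),
    }


if __name__ == "__main__":
    # The post's own sample passwords plus a 12-digit one.
    for pw in ("123456789012", "sparrowhawk", "Sparrowhawktechisawes0me!",
               "Sparrowhawk Tech is number 1!"):
        print(f"{pw!r}: {assess(pw)}")
```

The word-list model is what makes a passphrase assembled entirely from words already on your profile cheap to guess whatever its length, so pick words a scraper would not find on you.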
But there is also the problem that everyone is supposed to use a different password for every site. This is something I fully condone! You should, you must! It protects you if a site is compromised and they get your password: if you use the same password for your bank, you have given them access that quickly. Credential stuffing uses passwords gained from breaches of other sites to see whether someone reused a password.
There is a solution for this as well! Use a password manager. Something like LastPass will create a new password for you, remember it, and, even better, automatically fill it in for you! There are many password managers, and at the end of the day, a notepad at home with all your passwords is far more secure than using the same password for everything.
Some recommended password managers that come to mind are LastPass, 1Password, and KeePass. There are many more; these are amazing, and you can install them on your smartphone, your computer, and your tablet. Remember one password and have much greater security than before!
Continue to protect yourself and if you ever need some assistance or want to have a conversation remember Sparrowhawk Tech is here to keep your technology safe.
Cybersecurity Awareness Month
Originally published: October 11, 2022
It's October and that means it's Cybersecurity Awareness Month! Promoted by the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cybersecurity Alliance (NCA) since 2004, October has been designated Cybersecurity Awareness Month to help individuals protect themselves online as threats to technology and confidential data become more commonplace.
This month, I will write more and will try to help explain some of the cybersecurity concerns that face individuals and businesses alike. I hope this blog reaches people and helps put these issues and solutions into an easier form to understand.
Security Tip #1:
Install software updates as soon as they come out. These updates often include patches for security flaws. Hackers use those vulnerabilities to compromise systems in order to do a variety of things, from encrypting your files (ransomware) to using your system as a resource (crypto-mining) and, of course, stealing data. Your computer, phone, and tablet can all be compromised using these methods. Keep them updated and protect yourself!
Physical Security overlooked?
Originally published: October 6, 2022
Did you know that one of the most often overlooked aspects of IT security is actually physical security? With today's complex threats, physical security has unfortunately taken a back seat...
As few as 15 years ago, if you mentioned security to someone in the business world, they would immediately think about alarm systems, badge readers and door locks. The focus today is on logical security - threat management, breach detection, intrusion prevention, etc. With the threats we face today from all over the world, logical security is very important. Physical security has unfortunately been relegated to the realm of secondary concerns.
According to csoonline.com, in "the world of CISSP certification, physical/environmental security has historically been one of the nine domains. As of 2015, it was combined with another domain that includes other items, further evidence of its diminishing importance in the minds of many security experts." With physical security's role being diminished with regard to the most sought-after technology security certification, the public has shown that it is starting to overlook it as a concern. However, I know that physical security is still of vital importance to information security and is dangerous to overlook.
Whether it be through an open lobby where a person can walk into the business without anyone stopping them, an unlocked data center where an intruder could reach your IT systems unhindered, poorly secured doors, a lack of surveillance, or inadequate intruder detection, a person could cause havoc, steal valuable information, or gain full-time access to your network without anyone even noticing. Many times the first foothold on a network comes from some form of physical breach. A company will spend hundreds of thousands of dollars securing its network perimeter but will leave computers unlocked and servers sitting on a shelf where anyone can get to them. All it takes is one person having access to a server for less than 30 seconds and your entire business could potentially be taken offline, or worse, have all valuable information regarding the business and its clients looted.
It sounds scary, but it is the truth: overlooking physical security at your business puts you at great peril.
It is always wise to put defensive measures in place wherever possible: install doors and locks to prevent access to computers, enable screensavers that require passwords to unlock computers, and enforce the Windows+L shortcut (Lock computer) when people leave their desks. Install security cameras, such as Verkada cameras, anywhere valuable information is stored. Even if the server room is locked, there should be a camera in it, looking at your servers.
If you want a physical security assessment, please feel free to contact us and we will be happy to help you get your physical security in order. Whether through security controls or cameras, we specialize in finding weaknesses and teaching you how to counter them.
We stand by ready to help you keep your technology safe.
Do you know what Phishing is?
Originally published: September 26, 2022
Has anyone talked to you about Phishing lately? I am guessing that if you have been reading anything online or in a business article you have seen this mentioned at least once.
The real question is, do you know what Phishing really is and better yet do you know how to not fall victim to it?
Simply defined, Phishing is a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords.
So, what is Phishing? The word "Phishing" comes from the analogy that Internet scammers are using email lures to "fish" for passwords and financial data from the sea of Internet users. The term was coined in the 1996 time frame by hackers who were stealing America On-Line accounts by scamming passwords from unsuspecting AOL users.
I admit, everyone is prone to falling victim to this type of attack; in fact, it is in our nature to act quickly when approached with vitally important issues that we believe may affect us personally. This is where Phishing "hooks" the user it has targeted. This is why scammers have used the following 11 top subject lines in their Phishing emails:
1. Review or Quick Review
2. Bank of ; New Notification
3. Charity Donation for You
4. FYI
5. Action Required: Pay your seller account balance
6. Unauthorize login attempt
7. Your recent Chase payment notice to
8. Important: (1) NEW message from
9. AMAZON : Your Order no #812-4623 might ARRIVED
10. Wire Transfer
11. Assist Urgently
If you click on the links in these malicious emails, you fall prey to these scammers and can compromise your identity, your username/password, your network or computer security, and a slew of other things.
The best advice here is "Think before you click." If you look closely at the email you will find telltale signs that it is not legitimate, whether a link that does not go to the actual website of the organization supposedly contacting you, or bad grammar/spelling.
Be careful out there in the Wild West we call the Internet these days; there is always a bandit wanting your money. If you want to know more, contact us and we can conduct training for you and your employees or just have a candid conversation about Phishing.
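To show how the telltale signs above can be checked mechanically rather than by eye, here is a small triage script that flags a pressure-laden subject line, a sender domain that does not belong to the brand named in the message, and a link whose visible text names one site while its href points at another. It is example code added here, not Sparrowhawk's, and the two sample messages, the phrase list and the brand table are constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Phrases taken from the subject lines listed in the post (constructed list, extend as needed).
SUSPECT_SUBJECT_PHRASES = ("action required", "unauthorize", "wire transfer",
                           "assist urgently", "might arrived", "new notification")

# Brands commonly impersonated, mapped to the domain their real mail comes from (constructed).
KNOWN_BRANDS = {"amazon": "amazon.com", "chase": "chase.com",
                "bank of america": "bankofamerica.com"}

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}")


def sender_domain(msg) -> str:
    """Domain part of the From: address, lowercased ('' if none)."""
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""


def findings(raw_message: str) -> list:
    """Return the telltale signs found in one RFC 822 message (empty list = none)."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "").lower()
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace")
    text = f"{subject} {body.lower()}"
    out = []
    # 1. Urgency or the odd wording seen in the post's subject-line list.
    if any(p in subject for p in SUSPECT_SUBJECT_PHRASES):
        out.append("suspicious-subject")
    # 2. Message talks about a brand but was not sent from that brand's domain.
    domain = sender_domain(msg)
    for brand, real in KNOWN_BRANDS.items():
        if brand in text and domain and domain != real and not domain.endswith("." + real):
            out.append(f"brand-domain-mismatch:{brand}:{domain}")
    # 3. Link text shows one host while the href really goes somewhere else.
    for href, label in LINK_RE.findall(body):
        target = (urlparse(href).hostname or "").lower()
        shown = HOST_RE.search(label.lower())
        if shown and target != shown.group(0) and not target.endswith("." + shown.group(0)):
            out.append(f"link-mismatch:{shown.group(0)}->{target}")
    return out


# Constructed sample messages: one lure, one legitimate notice.
PHISH = """From: "Amazon Orders" <orders@amaz0n-support.example>
To: bob@example.org
Subject: AMAZON : Your Order no #812-4623 might ARRIVED
Content-Type: text/html

<p>Your order could not be delivered. Confirm your address at
<a href="http://login.amaz0n-support.example/verify">https://www.amazon.com/your-orders</a></p>
"""

LEGIT = """From: "Chase" <alerts@chase.com>
To: bob@example.org
Subject: Your statement is ready
Content-Type: text/html

<p>View it at <a href="https://secure.chase.com/statements">secure.chase.com</a>.</p>
"""

if __name__ == "__main__":
    print("phish:", findings(PHISH))
    print("legit:", findings(LEGIT))
```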
Sparrowhawk Technology - Making your technology safe and easy to use.
Google is trying to help
Originally published: August 14, 2017
Google has recently released an update to iOS that will alert you to potentially harmful links. This helps you and your employees identify whether a link is legitimate or fake.
Sparrowhawk Technology - Making your technology safe and easy to use.
Complicated Passwords are not as complicated as you thought
Originally published: August 11, 2019
The person who first created the Password policy that we have all been using has admitted it was a mistake.
It turns out that long phrases that you remember are much better and far more secure than the complicated password with various special characters and random capitalization.
Sparrowhawk Technology - Making your technology safe and easy to use.
Read those pesky agreements when logging into a network
Originally published: November 5, 2018
As an experiment, a UK-based Wi-Fi provider (Purple) added a "community service clause" to its usual terms that stated users may be required, at Purple's discretion, to carry out 1,000 hours of community service that may include: "cleansing local parks of animal waste," "providing hugs to stray cats and dogs," "manually relieving sewer blockages," "cleaning portable lavatories at local festivals and events," "painting snail shells to brighten up their existence," and "scraping chewing gum off the streets." – Of course, they did not follow through, but it shows how much we overlook agreements when clicking through them to gain access to the Internet on a public system.
Sparrowhawk Technology - Making your technology safe and easy to use.
Don't forget to secure your computers!
Originally published: October 10, 2018
Malware and ransomware news has begun to evaporate from the headlines. This does not decrease the threat, nor does it mean it is no longer a risk; that is the furthest thing from the truth. Just one infected computer can cripple an entire organization, and the infection can come from unpatched software or poor security controls on your systems.
Sparrowhawk Technology - Making your technology safe and easy to use.
Keep failing IT Audits?
Originally published: July 11, 2018
CIO.com has released an article outlining the 10 most common causes of IT audit failure. (Hint: most of them come down to the mindset going into the audit and being out of touch with your IT equipment and/or staff.)
Sparrowhawk Technology - Making your technology safe and easy to use.
Here we are again, another huge data breach - 150 million accounts compromised
Originally published: March 30, 2018
Unfortunately, in the digital world we live in, it is a must that we use usernames and passwords for everything. The downside is that this brings greater risk: every time you enter a set of credentials you are, in some ways, giving someone else the keys to your castle.
In case you did not know, the popular "MyFitnessPal" app and website (owned by Under Armour) disclosed that in February their datastores were breached and 150 million users' sensitive data was stolen. This data included usernames, passwords, and email addresses.
The problem that I see with the reporting of this breach and the action MyFitnessPal is taking to force users to change their passwords is this: yes, you changed your password for their site, but what about all the other sites where you used the same username and password? That is our problem - we reuse the same usernames and passwords for everything!
Unfortunately, the "bad guys" don't sit around thinking of different aspects of your life trying to figure out what your password is. Today's hackers normally operate in this way: a group of shady jerks target vulnerable websites that you may use, but are not protected nearly as well as, say, Bank of America. Sometimes, scoring access to a customer database is as easy as tricking a low-level employee with a fake email. Once a thief scores your information including email and password - usually acquired in bulk - the first thing they do is try it on every account linked to your email.
Do you see the problem now? I cannot stress this point enough - DO NOT USE the same password for everything important in your life.
Are you worried now? I sure am. The first thing to do is to see if your data has been included in any of the more recent hacks. A website called "Have I been Pwned" gathers the email addresses that were compromised in these hacks and formulates a database. You can enter your email address to determine if it was compromised. This service is free and has an option to be alerted if your email shows up in future hacks. DO THIS.
The next thing you need to do is change your password - not just on the site that was compromised but on EVERY site that you used that same email and password combination on.
If you have the option to enable two-factor authentication (2FA), do so now; this is one surefire way to keep some jerk from logging in as you.
This trend will continue as there is no true way to stop thieves from stealing, and the most vulnerable part of all technology tends to be the humans who interface with it.
Sparrowhawk Technology - Making your technology safe and easy to use.