Sample – Security Emails
The following is a series of emails I designed for a 52 week email project
for an IT security firm. It was a series targeting
C-Level business owners to upgrade their fractional IT services.
Security Action Item #3: Your smartphone is no longer listening
Have you ever had a conversation with a coworker about your vacation plans, only to find your smart devices deluging you with ads for that very place? Creepy, right? Does it make you wonder who’s watching you?
Smart devices aren’t going away. We have them everywhere. We carry them in our pockets, they’re sitting on our desks in our offices, they’re in patient rooms where privacy is a must.
A lot of your smart devices come with sensors you might not be aware of. They come programmed to either be on or off.
Want to protect yourself further? Take two action steps now.
Skip dedicated video and audio apps – we’re in a world of working remotely right now. To make our lives easier, programs like Google Hangout, Skype, and Zoom are prominent on our desktops and mobile devices. Think twice before adding any app with dedicated video or audio. Use it from a browser window instead.
Check your device permissions – every app you use has set permissions to access various features, such as the camera and microphone. Make sure you understand what permissions you give each app, and turn them off when not in use. You’ll find the ability to toggle on or off in your device’s settings.
Security Action Item #6: Don’t just communicate, overcommunicate
Communication is always important, but especially as more people are working from home. It’s easy to assume everyone is well-informed, reading the right documentation, and being kept in the loop of policy discussions.
But working from home isolates office talk. It’s easy to miss important changes, especially when it comes to security.
Are you patching potential problems? Have you downloaded the latest fixes? Have your policy guidelines been updated to ensure work-from-home procedures don’t leave your data vulnerable?
Does your entire team know?
Whether it’s a simple upgrade to make things run smoother, or a response to a data breach, every team member needs to understand the response and what it means to the team.
Email is often ignored and overlooked. New protocol and good communication are the only way to ensure everyone on your team is on board.
Security Action Item #11: Stopping credential stuffing in its tracks
Do you or your employees use common user ID’s across platforms? How about passwords? Do you use the same ones over and over again to make life easy? How often is the information changed?
Hackers are counting on that as a way to gain information.
Credential stuffing is growing in popularity because of its relative ease to gain valuable data. Here’s how it works. A hacker gains access to stolen data. Using the stolen usernames and passwords, they attempt to login to the company website. When they gain access, they grab as much data as possible, either for future use, or to sell or trade with other hackers.
Then hackers release bots to conduct thousands of hits to find ways in. And once they do, that’s when your troubles begin.
This problem isn’t going to go away. This means your job is to detect credential stuffing attacks and stop them in their tracks, before any damage occurs.
- You can watch site traffic and notice when higher-than-usual login failure occurs.
- You can monitor multiple login attempts and their outcomes.
- You can watch for changes in downtime caused by sudden increases in site traffic.
And you can use bot screening technology to stop bots, and detect malware on your devices as it is attempting to break in.
Do you have bot screening technology? If not, make today the day you tighten security by adding this to your security toolbox.
Security Action Item #21: Let’s collaborate
This past year has taught us that the concept of office is changing. It no longer requires commercial office space where every team member is sitting at a desk eight hours a day.
While we may be returning to a new normal, we’ll never see businesses operating as they once did, especially in healthcare. Technology in medicine is here to stay: C-level managers in healthcare centers around the US agree it’s our new level of normal.
Whether your teammates are in the office by your side, or halfway around the world, collaboration tools are becoming more sophisticated and necessary. But rather than choosing one because you’re familiar with the name – Microsoft 365 – or jump on an app because you’ve seen an online review, it’s important to ensure you’re selecting one based on your needs.
Start with three questions:
What problem am I trying to solve?
Take the time to really understand what you need in a collaboration tool. Then evaluate the tools you already have in place to see if you’re getting all you can from them. Only invest in new software where it makes sense. Otherwise, it may just be a shiny new toy nobody uses to its fullest extent.
Do I want to spend money?
We often make choices based on appearances, and assume we can lowball it and see what we can get for free. There are a lot of great tools out there giving you benefits without a hefty price tag. But you might also be missing what makes a good tool great. Dig into it and discover all the ways it can help you before you make a final decision.
What do I wish to learn during a free trial?
Many collaboration tools have demos to learn more about the system. But if you don’t have goals in mind, you might miss features that make the system great. Strategize first to ensure you know what you want in a plan, and go to the demo prepared to find the right solution for your team.
Security Action Item #30: I think the email is real …
Email phishing is still one of the most popular ways for cybercriminals to attack. Why? It works. How can you tell if an email is real or fake?
Look at the domain – fake emails won’t use the company’s domain
While individuals’ most common email domains are places like @gmail.com and @yahoo.com, legitimate companies always use email from their own email or company domain. For example, mary@MyMedicalPractice.com looks more professional than email@example.com.
You receive options to join lists you didn’t sign up for
It’s an easy way in; scammers send an email imitating a verification to accept an offer to sign up for a newsletter or other email information. The trouble is, you didn’t ask for it. Think before you click. Is this something you’ve visited and have an interest in?
Masked email addresses can be a red flag
An email looks like it’s coming from a legitimate place, but is it? Hover over the display name in the “From” section of the email. Is the “real” email address the same as the one displayed? Note, that in some cases, companies use email delivery services such as Infusionsoft. When in doubt, check it out. It’s better to verify first and click second.
The domain is misspelled
Instead of Paypal.com, it’s Paypall.com. It looks right at first glance, but it makes all the difference. Legitimate correspondence from companies will never misspell their domain information. If it’s asking to click for information, you can always visit the site directly and login from your browser. If the correspondence is real, you should find the exact information after you logged in.
Scare tactics aren’t always true
You’re overdrawn. Your account has been hacked. When a message comes in with scare tactics like this, your gut reaction is to click. Slow down. Assess the situation before acting. Scammers try this by using the biggest companies in the world, knowing the odds of you having an account with one of them is favorable. But would a legitimate company send you something that says “click now?” The easiest way to determine if it’s real is to forgo the email, head to your browser window, and access your account. If it’s true, the same information will be there when you login.
Security Action Item #39: Ransomware will be bigger than ever …
Cyberattacks against healthcare facilities grew at an alarming pace in 2021. It’s setting the stage for 2022.
Ransomware attacks locked 68 facilities out of their respective networks, threatening both patient safety and privacy. While you may assume the major threat would lie with data, other issues are at stake. As healthcare facilities modernize, legacy systems are left in the wake. Water, HVAC, electrical, and other critical systems may not be ready for such an attack. And when it impacts a critical care operation, the situation can quickly go from bad to worse.
The two things you can do right now include:
Take ransomware seriously. If this means adding more money to your cybersecurity budget, that’s where you start. If it means creating a better system to thwart criminal activity, that’s where you begin. Take the time now to learn where your starting point lies, and take action to make improvements.
Think big picture. Many practices are now aware of the impact of ransomware attacks and have created backups and basic level security plans. For every action you take, criminal behavior is beefing up too. Make sure your entire perimeter is safe. Have a system to detect any potential threat. Create a plan that allows you to take immediate action if you suspect you’ve been breached.
If you don’t have the staff necessary to maintain 24/7 coverage, it may be time to seek out a team who can.
Security Action Item #54: The next disaster …
A disaster recovery plan provides a structured document to help an organization recover quickly in the event of an unplanned disaster.
Disaster recovery plans typically are built around unforeseen but predictable events that provide high risk. In the past, they’ve included things like:
- Application failure
- Communication failure
- Backup recovery
- Datacenter infrastructure
Take a look at yours. Does it have anything about working through a pandemic?
What would you tell yourself right now … for the next time?
Your security action step for today: Review your disaster recovery plan and start making changes.