cybersecurity

Note-to-self: 2020 IDG Security priorities study

Source: https://f.hubspotusercontent40.net/hubfs/1624046/2020_Security%20Priorities%20Executive%20Summary_final.pdf

End 2020 IDG published a study on Security priorities, and it provides important guidelines to the priorities of securing yourself and your company

  1. Protection of confidential and sensitive data
  2. End-user awareness
  3. Corporate resilience
  4. Enhance access control
  5. Understand external threats
  6. Application security
  7. Plan for unexpected risks

This pretty much confirms that your customers, stakeholder’s and staff interest in protecting personal data is driving security from business perspective.

If you see the increase of cyberattacks and ransomware hitting the business, it’s pretty obvious that Business Continuity Management and Disaster recovery must be on top of your priority list.
You need to have a tested plan against successful cyberattacks and ransomware, to avoid extended business damage and massive (ransom) costs … afterwards.

To put a plan together, you need to understand who is your adversary and what the current state of cybersecurity is.
And this study is a simple but smart guide to define your priorities.

The better you prepare, the less it will cost.
But you’ll only be able to tell when it goes wrong.

Don’t get caught by surprise, be ready.

Note-to-self: Crowdstrike has published their 2021 Global Threat report

Crowdstrike has published their 2021 Global Threat report.

It’s always an interesting reference to see what the world in cybersecurity is about, certainly with the turbulent pandemic year.

They look at:

  • cybersecurity during COVID19
  • cybersecurity in health care
  • significant political, state based attacks
  • evolution of ransomware

And no one has to tell you, we’ve not seen the end yet.

Hang in, get ready, protect yourself for more bad stuff to come.

Keep patching your systems, all of them, all the time.

And by the way, don’t ay with your personal data for the download. Direct download is available at:

Click to access Report2021GTR.pdf

Note-to-self: #ZeroTrust #maturity model assessment by #Microsoft

Have you ever assessed the maturity of #cybersecurity implementation?

The #ZeroTrust #maturity model assessment by #Microsoft provides you with great insights, where to start or which part of your security needs improvement.

Easy to use, easy to understand, great results and great guidance.

You can find the assessment tool here:

https://www.microsoft.com/en-us/security/business/zero-trust/maturity-model-assessment-tool

And if you need more info, then bookmark this Zero Trust resources page: https://www.microsoft.com/security/blog/2021/05/24/resources-for-accelerating-your-zero-trust-journey

Cyber security challenge voor het weekend: Hoeveel #phishing indicators kun je identificeren in de onderstaande mail?

(English version of article published on LinkedIN: https://www.linkedin.com/pulse/cybersecurity-challenge-finding-phishing-indicators-peter-geelen/)

De uitdaging

Vind zoveel mogelijk phishing-indicatoren in de e-mail die ik onlangs heb ontvangen. Screenshot hieronder.

Hoeveel indicatoren kun je vinden?

Het nummer om te verslaan is 12.

Kun je ze vinden, of kan je het beter doen? (zo ja, twijfel niet om de indicatoren die je vond te melden in een commentaar).

Tip: Stop met verder te scrollen als je de uitdaging wilt aangaan, voordat ik hieronder de oplossing verklap.

Snelle oplossing: overzicht van de indicatoren

  1. Belangrijk: De bizarre (onverwachte) naam van de afzender
  2. Belangrijkste: Het e-mailadres van de afzender komt niet overeen met de naam
  3. Heel belangrijk: Spelfouten
  4. Zeer belangrijk: Slechte grammatica
  5. Belangrijk: Verkeerde leestekens
  6. Belangrijke fouten in het ontwerp / de lay-out
  7. Uiterst belangrijk: URL komt niet overeen en wijst naar een phishing-website
  8. Belangrijk: Gevoel van dringendheid: “Wachtwoord verloopt binnen (0) dagen”
  9. Verdachte instructies (contra-intuïtief)
  10. Productfouten
  11. Verkeerde bedrijfsreferenties
  12. E-mail voettekst ontbreekt (of afmeldlink ontbreekt of privacynote ontbreekt)

En aan het einde: een bonus (die is niet weergegeven in (en niet van toepassing op) het huidige voorbeeld screenshot).

De aanpak voor een gedetailleerde analyse

Over het algemeen zijn er 4 niveaus van indicatoren waar je op moet letten

  • het gemakkelijke deel, duidelijke zichtbare fouten
  • verborgen indicatoren, gemakkelijk te vinden (bijv. muisaanwijzer over de links, ZONDER te klikken!)
  • geavanceerde onderdelen, waarvoor je een beetje kennis nodig hebt
  • deskundige kennis / ervaring vereist

Ten eerste, het makkelijke deel.

De gemakkelijkst te vinden en meest zichtbare #phishing  indicatoren

1. Belangrijk: De bizarre (onverwachte) naam van de afzender

In dit specifieke geval wordt de naam van de afzender gevormd uit:

  1. het ontvangerdomein dat als voorvoegsel wordt gebruikt (ALARM!)
  2. onvolledig e-maildomein achtervoegsel (ALARM!)

Taak: controleer de naam van de afzender.

Evaluatie: gealarmeerd zijn, als

  1. de naam van de afzender heeft een vreemd, abnormaal formaat (
  2. de afzender is niet bij u bekend,
  3. de post wordt niet verwacht, een verrassing uit het niets

2. Het belangrijkste: Het e-mailadres van de afzender komt niet overeen

Het eenvoudige deel is om te controleren of de naam van de afzender overeenkomt met het e-mailadres van de afzender.

Dit is niet altijd zichtbaar, zeker niet op smartphones.

Taak: controleer expliciet het volledige e-mailadres.

Evaluatie: gealarmeerd zijn, als

  1. de naam van de afzender komt niet overeen met het volledige e-mailadres

3. Heel belangrijk: Spelfouten

Hoewel phisher steeds meer “professioneel” wordt, zijn spelfouten een belangrijke indicator. Marketingbedrijven besteden (meestal) enige tijd om de grammatica goed te krijgen.

4. Zeer belangrijk: Slechte grammatica

In de voorbeeldmail ziet u de instructie “Gebruik hieronder om te bewaren” (EN: “Use below to keep…”)

Wat gebruiken??

Een goed gebruik van grammatica zou zijn: “Gebruik onderstaande link om uw wachtwoord te behouden.”

5. Belangrijk: Verkeerde leestekens

Naast slechte grammatica zijn verkeerde leestekens (spaties, stippen, komma’s, …) een belangrijke indicator voor spam, hoewel spammers tegenwoordig de neiging hebben om betere zorg te gebruiken om inhoud te bouwen.

6. Belangrijke fouten in het slechte ontwerp / lay-out

Controleren op belangrijke lay-outproblemen of HTML-fouten

De gevaarlijkste

7. Uiterst belangrijk: URL komt niet overeen en wijst naar een phishing-website

Een veel voorkomende phishing-techniek om u op malwarelinks te laten klikken.

Taak: controleer zorgvuldig de bron-URL door met de muis over de koppeling te gaan en de bron-URL weer te geven. Maar KLIK NIET op de link.

Taak: Controleer ALTIJD de bron-URL.

Evaluatie, moet u gealarmeerd zijn als

  • de URL komt niet overeen met het e-mailadresdomein van de afzender
  • de URL is een volledig onbekend domein

De phisher gebruikt mentale druk om je te laten klikken

8. Gevoel van urgentie: “Wachtwoord verloopt binnen (0) dagen”

De phisher probeert je hersenen te verkorten en dringt er bij je op aan om op de phishing-link te klikken, door het bericht zeer dringend te maken, waardoor je onmiddellijk actie moet ondernemen.

Niet doen.

NIET KLIKKEN, NIET HAASTEN.

Neem de tijd, een mail NEVER is urgent (denk aan het netiquette principe van het reageren op mail binnen 24 of 48 uur…).

Volwassen, openbare systemen sturen je ver van tevoren een heleboel meldingen. En “Wachtwoord verloopt binnen (0) dagen” is de verkeerde manier om u te vertellen “Wachtwoord is verlopen”.

9. Verdachte instructies

Denkt u echt dat een bedrijf u zou vragen om uw wachtwoord???

Integendeel, u wordt vaak gevraagd om uw wachtwoord te wijzigen of extra beveiligingsfuncties toe te voegen, zoals MFA.

Deze hebben wat meer onderzoek nodig

10. Productfout

Een tijdje geleden verplaatste Microsoft de Office online suite van “Office 365” naar “Microsoft 365″… dus de gebruikte productreferentie, is verkeerd. Microsoft verwijst in de huidige communicatie niet naar ‘Office 365’.

Toch kunnen sommige meldingen verwijzen naar Office 365… dit is dus niet altijd duidelijk of gemakkelijk te detecteren.

11. Verkeerde bedrijfsreferentie

Niet altijd te gemakkelijk te detecteren, maar in de e-mailvoettekst verwijst Microsoft niet naar zichzelf als gewoon “(C) 2021 Microsoft”, maar het moet “Microsoft Corporation” zijn en heeft een link naar de privacyverklaring en / of afmeldopties

Er is meer

12. Mail footer ontbreekt

Wat u van een gerespecteerd bedrijf kunt verwachten, is een e-mailvoettekst met aanvullende instructies, zoals privacyverklaring, afmeldfunctie, raadpleeg uw profiel of open de beheerdersinterface om uw profiel en beveiliging te beheren.

Enkele voorbeelden:

E-mails van het Microsoft 365-beheercentrum eindigen op :

Wanneer het e-mailreputatiesysteem u helpt…

Mail wordt in de spam folder gestoken

  • wanneer de e-mail is gedetecteerd als spam, als gevolg van een slechte e-mailreputatie van het afzender- of afzenderdomein, zal uw e-mailsysteem (server/client) de e-mail markeren als spam. Ter informatie gebruikt Microsoft de e-mailclient, Microsoft smartscreen en defender intelligence om e-mails te markeren voor spam.
  • controleer beter de e-mails in de spammap, omdat deze vals-positief kunnen zijn (legitieme e-mails gemarkeerd als spam)

Antimalware tagt de e-mail als [spam]

  1. veel anti-malware / anti-virus programma’s hebben een spam / phishing-controle, die de e-mail als verdacht markeert en naar spam verplaatst. Deze programma’s gebruiken de virus-/spamdefinities van de leverancier.

Wat moet je doen met phishing mail?

ZORG ER ZEKER VOOR dat

  • je de mail aangeeft bij lokale cyberautoriteiten (bv. in België, stuur verdachte post door naar SafeOnWeb, via  suspicious@safeonweb.be)
  • je de e-mail markeert als spam in uw e-mailclient of antivirusprogramma’s (zodat Microsoft of uw antivirusprogramma de e-mail kan analyseren om hun spamdefinities bij te werken.)
  • je jouw contacten/afzenders waarschuwt als ze u spam- of phishingmails sturen. Hun systeem kan geïnfecteerd of gehackt zijn.
  • verwijder de mail zo snel als mogelijk

NOOIT

  • de e-mail doorsturen naar uw contactpersonen
  • klikken op links in de mail

Referenties

Engelse versie van het article: https://www.linkedin.com/pulse/cybersecurity-challenge-finding-phishing-indicators-peter-geelen/

Security & Privacy Life Hack: advantages of a personal mail alias

Table of Contents

Introduction

You’ve probably got one or more personal and professional mail addresses. Who doesn’t?

And you probably want to keep that mail address safe from spammers, scammers or data theft.

Althoug you primarily use mail to communicate (send/receive messages), many platforms also use your mail address for authentication.

Security remark: It’s not always the best option to use single sign-on with platforms like LinkedIn, Facebook, Microsoft Account, Google, …

What’s the security issue?

The main issue with single sign-on is: when your mail address is breached or hacked, the hacker can use the breached mailbox fairly easily to login to the linked platforms.

And from a practical point of view, if you use that single personal mail address to subscribe to newsletters or you use that mail address for downloads protected by a “registration” wall, you’ll quickly experience a mailbox overload because of ‘spam’, eh.. .sorry commercial messages you didn’t ask for.

Another issue is, you usually have only 1 (one) personal mail address available on your mail platform, certainly for enterprise systems, you can’t create other alternative mail addresses at free will. Unless you own the domain name, of course, but that’s rather possible for personal use or small companies…

And except for the mail overload, you’ll notice that many companies sell your mail address to address brokers. And even with the GDPR in place, many of these address brokers have bad habits to scrape mail addresses from the internet, incl. public sources, government sources…

So, the question is, how do you manage this, to protect your personal data, to protect mailbox overload and abuse of your mail address?

First option is using MFA to increase security and block illegal authentication.

But MFA does not stop mail abuse. The mail alias to the rescue!

Implementing the mail alias

What is a mail alias?

A mail alias is an alternative name for the master mailbox. Usually a mail alias is forwarding mail to the target mailbox.

In many cases, that mail alias can also be setup or used as a temporary name for the target mailbox. It’s pretty cumbersome or difficult to switch a master mailbox on or off when you need it.

Purchase a Custom domain name

The most interesting option is purchasing a custom domain name (by preference a short URL).

In most cases, local domain registrars can offer you a custom mail domain of choice for a few bucks a year. It’s worth the money, I promise. Further explanation below.

Just a practical hint: make sure to use a domain registrar that offers unlimited mail aliases.

When you control the mail domain, you can forward any mail alias of the custom domain to your mailbox (eg news@short.url to subscribe to newsletters and filter them in your mailbox in a subfolder for newsletters).

Furthermore, when you own a domain, you can enable/disable a mailbox or alias. Meaning: block mail reception without deleting the mail address (keep the address, but desactivate it.)

Using the “+” mail alias option

If purchasing a custom domain is not an option, you can check with your mail platform or mail administrator to use a “+” alias.

That’s format supported by the internet standards (RFC 5233: https://tools.ietf.org/html/rfc5233), that allows to extend a master mail address with receiver suffixes (BEFORE the @ sign), that still deliver the mail to the receiver. Google calls it “task based” variations of the mail address.

You’ll generally find it back on the internet as “+” aliases (“plus” aliases).

Some examples:

See the references section at the end of the article, for details how this “+” alias works for the well known mail platforms… Google, Microsoft, … and the major free mail providers support the plus-alias.

Using dummy or temporary addresses against spam and registration walls

I don’t know how you do it, but it frequently happens that I need to download a “free” white paper, which only seems to be free if you ‘pay’ with your contact details.

In most of the cases, they force you to “consent” with the requirement to send you marketing,… in GDPR terms it’s not considered consent if it’s forced… But essentially they force you to submit your personal data.

If you don’t want to disclose your data, just for that single download, or … if you want to avoid getting too much spam, what do you do?

One-time use, temporary mail domains (not your own domain)

First and easy option is to search the internet for “temp mail”, “temporary mail addresses” or “disposable mail“, … synonyms for one time use mails.

You use these addresses for quick use, one shot hit.

Samples:

  • mailinator.com
  • temp-mail.org
  • guerillamail.com
  • mail.tm
  • many more…

Use your custom domain

An easier, but less free, but still cheap option, is to purchase your own custom domain (on the condition you can have multiple mailbox aliases).

The quick and dirty: create an alias like download@yourdomain.url, keep it disabled by default and only enable it when you need to receive a download link. Afterwards, disable it again.

In some cases you literally need to have a mail address just once. Eg, when you want to download a “free” white paper, many companies harvest your mail, put it in a CRM system and keep spamming you afterwards. It’s fairly difficult to escape the forced consent or registration.

Then you can use a temporary mail alias:

  1. you enable an alias or dummy address,
  2. register for the download with the alias/dummy,
  3. then disable the alternative mail address again.

That way the address cannot be harvested for spam or marketing you don’t need. Easy.

(When a address broker tries to use the disabled alias, they will get an NDR, non-delivery report, and delete the invalid mail registration from their farm…)

Advantages

Keep your inbox clean : Mail filtering using simple mail rules

One the most prominent advantages of using aliases is that most of the mail clients can use the receiver address (or alias) to filter and manage incoming mail.

Based on the target receiver alias, you can set simple rules to move incoming mail from your inbox to another folder.

Basically an mail alias offers a simple mailbox optimization technique to make your life easy.

Securing internet logins

Another major advantage of aliases: use it as an alternative identifier for single sign-on.

Instead of logging in to multiple platforms with the same mail address, you better use 1 unique alias address per platform.

For example:

Of course it’s quite important to use different passwords or authentication methods too (incl. MFA).

The main reasoning behind this approach is: if 1 login is breached or leaked, the other accounts are not impacted. If you don’t think you can manage this collection of passwords, there is one good tip: use a password manager to replace your memory.

Use a password manager anyway.

Detecting data breaches

When you use 1 mail address (alias) for every internet login, you can also trace very easily if a website is selling your data to partners, other companies or personal data brokers. You can simply see who sends mail, if that source domain is correctly linked to your alias… or not. If your login is used by unauthorized party you can initiate GDPR subject data access request to track how it got there (against both the original data controller and the secondary party).

And when using a custom domain (or some “+” alias mail providers), you can simple disable or remove the mail alias, so it becomes useless for the perpetrators.

On/Off Temporary mail (when using your custom domain)

In some cases you literally need to have a mail address just once. Eg, when you want to download a “free” white paper, many companies harvest your mail, put it in a CRM system and keep spamming you afterwards. It’s fairly difficult to escape the forced consent or registration.

When you can use a temporary mail, you enable an alias or dummy address, register for the download with the alias/dummy, then disable the alternative mail address again. That way the address cannot be used for spam or marketing you don’t want. Easy.

One-time use temporary mail domains

First and easy option is to search the internet for “temp mail” or “temporary mail addresses”

You use these addresses for quick use, one shot hit. No hassle, no admin. Quick and dirty.

Some more advantages

You can also link your custom domain to shortener tools like bit.ly. This way you can manage your social media and easily track your popularity or maintain statistics on your articles and views. (For Bitly, search for “bitly custom domain”)

Disadvantages

Custom domain management

Managing your own custom domain might be cumbersome, depending how user friendly the management of aliases is. Certainly managing dynamic aliases for multiple users… can time consuming. Certainly if you have a large volume of mailboxes and/or aliases to manage.

But managing a custom domain for own personal use, for a few bucks a year, is really worth the time and money. 

If you cannot disable “+” aliases …

… then you might be in trouble, because you cannot stop the abuse once the senders have registered the alias in their mail system.
In many cases, you’ll need to unsubscribe or directly contact the platform owner and demand to remove your data, which can be cumbersome or time consuming… Or you need to excercise your right to be forgotten in the official way. (Ref. GDPR, …)

Temporary mail domains blocked & open access

The major disadvantage is that a lot of spam (eh sorry), marketing websites that offer these ‘free’ downloads, will recognize and block public temporary mail domains (like mailinator, guerilla mail, temp mail, …).

In most cases you’ll have to try a few options, as some of these temporary mail domains have alternative mail domain options, like dynamic domains not only hosting main on the master domain.

VERY IMPORANT SECURITY NOTICE: whatever mailbox you use on these temporary domains, anyone can read or access these mailboxes, so make sure nothing important or private is sent to these mailboxes.

Bonus: the “oh shit rule”

While I’ve been focusing on the security & data protection features of the mail alias, I still want to mention an important principle to protect your reputation: the “oh shit rule”.

The principle is simple: delay the sent articles with one or more minutes before the mails are actually sent to the receiver.

It gives you a bit of slack if you want to fix a mail, or in worst case scenario cancel the mail if you have second thoughts or regret sending the mail, to avoid embarrassment or being forced to search for a new job.

Some useful references

Below you’ll find some interesting articles on managing aliases on the well-known mail providers

Gmail

Microsoft Office 365 “+” alias

Yahoo

Other providers

Other providers, like Protonmail, … also provide the alias “+” option, sometimes by default. Carefully check if you can remove the “+” alias or not, in case the alias got listed by address brokers.

Custom mail address RFC standard

https://tools.ietf.org/html/rfc5233

BTW, did you know… that following the RFC standards, an email address is case sensitive. 😉

Note-to-self: public website/server certificate quick check.

Today my ESET Endpoint Security blocked my browser for what I know is (sorry, should be) a legitimate magazine website…

Using other browsers (Chrome, Firefox, Opera, Tor, …) on my machine, I had the same issue…

Microsoft Edge

ESET Endpoint Security is reporting

“Website certificate revoked

The certificate used by this server has been marked as untrustworthy and the connection is not safe

Try connecting again later or from a different internet connection.
Access to it has been blocked.

Tor

Using another pc or smartphone (not using ESET) … I was able to connect.

So what’s going on?

ESET protecting you…

Eset forums

When you look up the Eset message (“Website Certificate Revoked” eset), you’ll probably land on the ESET forums or knowledge base, … seems to be a pretty popular topic.
Like for example: https://forum.eset.com/topic/21531-eset-giving-website-certificate-revoked-message/

ESET knowledge base

https://support.eset.com/en/kb6258-website-certificate-is-revoked-is-displayed-when-visiting-legitimate-web-pages

ESET explains

“This warning is displayed when your ESET product detects that the security certificate for a website is revoked.

ESET cannot resolve the issue because only the owner of a domain can renew their security certificate. You cannot choose to continue to the site using the insecure certificate.”

How do you double check this information?

The ESET forums point to a very interesting and eays to use tool: SSLTest at SSLLabs.com

Open: https://www.ssllabs.com/ssltest/index.html

Then you can enter the URL of the website you want to visit or check…

Depending the status of the website (good…or bad), it will take a few seconds… to minutes… to scan the website and show the quality of the certificate.

In this case, it’s fairly clear why the website was blocked:

Just for your reference if you would check a website like: https://docs.microsoft.com, you’ll get A+ (that’s the other end of the scale..)

If you want to know more about the website rating, check the SSLLabs rating guide:

https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide

The grading results in a score from A (top), (B) good, (C) average .. to (F) big fail lowest score …

So, it’s a very handy and free tool to check your website for issues.

Why are these websites not blocked by other tools or browsers?

First of all, check if you have an anti-virus or antimalware tool that checks the URL.

Because other browsers, apps or URL filters will not always check for the CRL (the certificate revocation list, containing certificates that are no longer valid…).

Or the CRL is not updated or and old CRL is cached. The ESET KB article mentioned, explains how to clear the CRL cache on your system.

Other interesting tools

The website (or mail) certificate is just one of the security indicators …
If you want to check the reputation of your URL, domain, website, mail system, DNS, … there are some more interesting tools you should have at hand, like https://mxtoolbox.com/NetworkTools.aspx.

Quite a while ago I posted an article on web and mail reputation, there is some more interesting free tools you can use to check the domain reputation.

See here: (TechNet Wiki) Hotmail/Outlook.com Solving Mass Mailing Delivery Issues

Conclusion

This situation show how easy it is to land on a website using revoked or unverified certificates…

Make sure to use a decent anti-malware and anti-virus tool. It’s worth to spend a small bit of money to protect your systems.

And if you combine it with some free tools to check the health of (your) websites and systems… you can achieve a decent level of security without spending a lot of money.

Free (ISC)² Exams flash cards all in one place (*)

(*) with respect for your privacy, no login, nor mail required for

CISSP

CSSLP

CCSP

SSCP

CAP

HCISSP

Sorry, (free) registration still required for:

CISSP-ISSAP:https://enroll.isc2.org/product?catalog=CISSP-ISSAP-FC

CISSP-ISSEP: https://enroll.isc2.org/product?catalog=CISSP-ISSEP-FC

CISSP-ISSMP:https://enroll.isc2.org/product?catalog=ISSMP-FC-2019

€750.000 per year for some onepager PDF, you can do that too.

scam-3933004_1920

(Image Credits: mohamed Hassan via Pixabay)

Dear Annie BG Mathews,

Dear CIO Applications Europe,

(quote, feb 2020) “I am Annie from CIO Applications Europe magazine and it is my pleasure to inform you that we have pre-screened the top players who have carved a niche in the Information Security arena and have shortlisted them to be featured as one of the “Top 10 Information Security Consulting/Service Companies 2020”, <…> being one of them.”

(quote, apr 2020) “I am Annie from CIO Applications Europe magazine, and it is my pleasure to inform you that we have pre-screened the top players who have carved a niche in the GDPR arena and have shortlisted them to feature as one of the “Top 10 GDPR Consulting/Service Companies 2020”, <…> being one of them.”

Did you also get the same mail  from “CIO Applications Europe”, with their fabulous “Top 10” marketing, asking a small fee of €2500,- to be featured as top-player in the <see below> field, for which you get a fabulous … eh.. 1 single pager PDF. And using their top 10 logo in your marketing.

Top, you make me feel so special!

Just.. ehm… radio couloir says lots of my sector contacts and LinkedIn network contacts got the exact same mail.. So, top 10, my @§§.

Marvelous quick win

Just a bit of 12y-old math says: that is a smart turnover of 25.000 EUR per top 10 published. Knowing that they have published roughly 30 of their “top 10” articles for 2019, this means a quick win of €750.000 on one-pagers only.

The categories they have listed last year:

(Look it up yourself: https://www.google.be/search?q=inurl:cioapplicationseurope.com+%22Top+10%22+%22-+2019%22)

  • Agile Technology, Asset management, Automotive, Blockchain, Blockchain Solutions, Business Intelligence, CEM solution, Contact center, Cognitive consulting, ERP, FinTech Solution, GDPR Solutions, GDPR consulting, IBM Solution, Information Security, IoT solution, IT services management, Legal technology, Mar tech, Microsoft solution, Microsoft Consulting, Procurement, Proptech, Salesforce, Smart City Tech,…

Forgive me if  I forgot another €25.000,- in the 30x Top 10 of 2019 they listed.

But some important categories missing, so you can do that too, some ideas below.

If the “Top 10” on GDPR is completed, you create new categories like “GDPR consulting”, “GDPR legal advice”, “GDPR breach specialist”, “GDPR expert”, “GDPR Services”, that’s another 125K of revenue, easy deal to fill the 1 million bucket.

So, you can buy yourself a list in the Top 10.

So here’s the deal, for 2499 EUR, you can get listed in the 2020 Top 10 spam and scam companies, you get a full A6 print page (special 7pt Wingdings font) with a 3 minute made-up interview with your CSSO. (Chief Spam’n Scam Officer.)

Legit business??

For €2499,- you get an interview, a one pager and a logo for display.

I quote: “We want to work with you towards a single page article after an interview with the senior management projecting the unique story of your company. For a nominal amount of 2,500 Euros, you will own complete print and digital rights to use the pdf of profile in your process of acquiring new clients along with many other prominent benefits like rights to use the Top 10 logo in your communications, single page complimentary advertisement placement and many more which I would love to explain when we connect.

It’s not forbidden to make you a ridiculous offer, but do you really want to sponsor this scam and spam practice and keep it alive?

Fact is, this is not ‘just a spam’ campaign.. It’s setup as legitimate business, at first sight.

You can still ask yourself why CIO Applications “EUROPE” would have a phone number in the US.

#GDPR!

It’s not only about the scam, they are using personal data without notification.

And you can argue they can use “legitimate interest”. Yes, for sure. But still they need to apply article 13 and 14, when collecting personal data. Their privacy notice (https://www.cioapplicationseurope.com/privacy-policy/) is not mentioned in the mail communication, it does not mention how they collect my data and how the process it. Neither do they refer to the required legal GDRP mentions (like DPA contact and so on…).

There is no reference how to file a subject-data access request… you can always spam their marketing department as mentioned in their privacy notice.

So, this could even be a valid reason for contacting your DPA and file a complaint.

I don’t want to unsubscribe to spam mail, because I don’t want to give you just more information if you don’t respect me from the beginning.

What’s the real problem then?

What do you think of a “Top-10” ranking, that is only based on the fee you pay? The first 10 that pay, are in the top 10. Number 11, bad luck. Oh wait, we’ll setup another top 10.

This feels like bribery. And mental pressure.

They send out the requests to new companies, struggling to conquer the market. They make your feel important, but it’s only about the money.

This type of practice puts other legitimate rankings in such a bad daylight… the smell of money on a “Top 10 …something”. This destroys the reputation of other communities, value papers and IT or security sectors. It’s not isolated to this one bad apple.

Be smart

Think. If it doesn’t feel right, it is not right. For a bare €2499,- you can achieve a lot more than a single page PDF and a top 10 logo.

For the same money and the support of a real marketing specialist, and some smart channel management, you can create real impact.

But most important of all, do what you do best. Create impact. Create great stuff, create buzz, let customers tell your story…

Stay out of the pile of bad apples.

#justthinking

Note-to-self: MNM van KSZ (Minimale normen – Sociale Zekerheid)

Minimale Normen / Normes Minimales van de KSZ (Kruispuntbank van de Sociale Zekerheid) gebaseerd op de ISO27001/ISO27002

“De toepassing van de minimale normen informatieveiligheid en privacy is verplicht voor instellingen van sociale zekerheid overeenkomstig artikel 2, eerste lid, 2° van de wet van 15 januari 1990 houdende oprichting en organisatie van een Kruispuntbank van de Sociale Zekerheid (KSZ). Bovendien moeten de minimale normen informatieveiligheid en privacy eveneens toegepast worden door alle organisaties die deel uitmaken van het netwerk van de sociale zekerheid overeenkomstig artikel 18 van deze wet. Tenslotte kan het sectoraal comité van de sociale zekerheid en van de gezondheid de naleving van de minimale normen informatieveiligheid en privacy ook opleggen aan andere instanties dan de hogervermelde.  ”

Bookmark:

(NL) https://www.ksz-bcss.fgov.be/nl/gegevensbescherming/informatieveiligheidsbeleid

(FR) https://www.ksz-bcss.fgov.be/fr/protection-des-donnees/politique-de-securite-de-linformation

(edit)

Opmerking: voor alle duidelijkheid, op zich zijn deze documenten geen nieuwigheid maar buiten de SZ zijn deze normen minder gekend… vandaar dat het toch nuttig is om ze bij te houden als geheugensteun en referentie. Je komt er sneller mee in contact als je denkt…

Cybersecurity voor vrijeberoepen en KMO (Webinar bij VLAIO)

Afgelopen vrijdag 21 februari, organiseerde Agentschap Innoveren & Ondernemen een praktisch webinar over Cybersecurity.

We toonden een vernieuwende aanpak die de zelfredzaamheid en veerkracht bij KMO’s inzake cybersecurity helpt vergroten.

Cybersecurity wordt beschouwd als één van de grootste bekommernissen in het huidige ondernemerschap. De veiligheid van (klanten)gegevens is een topprioriteit en een beleid hieromtrent uitwerken is noodzakelijk. Als adviseur zult u wel vaker de vraag krijgen van uw klanten over hoe ze hiermee aan de slag moeten gaan.

Hartelijk dank Melissa Gasthuys als gastvrouw en Eveline Borgermans voor de perfecte begeleiding en opname bij Agentschap Innoveren & Ondernemen

Hier de link naar de slides

De link naar de opname:

En je kan altijd nog even gaan kijken op cybervoorkmo.be voor meer tips en hints.