Here are 10 things to consider if you are thinking about using Office 2016 for Mac:

1. YOU NEED OS X 10.10 AND LOTS OF MEMORY

Office 2016 for Mac requires Mac OS X 10.10 or a later version. It also requires 6 gigabytes of hard disk space in the Mac OS Extended Format (HFS+).

To operate, Office 2016 for Mac needs 4 gigabytes of memory. This is four times more memory than Office 2011 for Mac requires.

2. YOU CAN GET IT AS PART OF A SUBSCRIPTION OR AS A STANDALONE PRODUCT

Office 2016 for Mac is available through Microsoft Office 365 subscriptions for consumers and businesses. It is also available through Microsoft’s Volume Licensing Service Center. Office 365 and volume-licensing users do not have to pay extra for Office 2016 for Mac, as they are paying for the software as part of their subscriptions.

If you do not want an Office 365 or volume-licensing subscription, you can buy Office 2016 for Mac separately. Microsoft offers a one-time-purchase version.

3. ONENOTE IS INCLUDED BUT NOT ACCESS OR PUBLISHER

Like its predecessor, Office 2016 for Mac includes Word, Excel, PowerPoint, and Outlook. There is also a new addition to the suite: OneNote. You might already be familiar with OneNote. It has been available as a free download from the Mac App Store since March 2014. OneNote lets you enter text, add images, and even record audio clips in digital notebooks.

Office 2016 for Mac does not include Access or Publisher. Microsoft has not created Mac versions of these programs.

4. IT SUPPORTS MANY OS X TECHNOLOGIES

Office 2016 for Mac supports more OS X technologies than its 2011 counterpart. One noteworthy improvement is that you can use OS X Multi-Touch gestures in all the productivity suite’s programs. For example, you can pinch to zoom in on a specific part of a Word file or Excel spreadsheet.

The productivity suite also fully supports the Retina display screens found in many Apple products. Its Retina-optimized graphics provide high-definition images and text to users running the suite on a Mac with Retina display.

5. IT LOOKS AND FEELS A LOT LIKE OFFICE FOR WINDOWS

Office 2016 for Mac looks and feels a lot like Office for Windows, thanks in large part to the redesigned ribbons at the top of the programs. Gone are the hybrid gray ribbons that integrated elements from both the Mac and Windows worlds. The redesigned ribbons sport a streamlined look and each program’s traditional colors (e.g., blue for Word, green for Excel).

Making the Mac version look and feel like the Windows version did produce some critics. Some Mac users are unhappy with the loss of Mac’s distinctiveness. They are concerned there will be a steeper learning curve for Mac users new to the productivity suite. However, it will help users who need to work with Office on both the Mac and Windows platforms.

6. RIBBONS FEATURE NEW TABS

Ribbons provide an easy way to access programs’ commands and tools, which are grouped into tabs. Office 2016 for Mac includes some new tabs in its programs’ ribbons. For example, Microsoft added the Mailings tab to Word for Mac. Although the Windows version of Word has had this tab for a long time, it was not present in past Mac versions.

Microsoft also added a new Design tab to both the Mac and Windows versions of Word. It contains the graphics and formatting tools previously found in the Home tab.

7. COLLABORATION IS EASIER

Some new features in Office 2016 for Mac make collaborating with colleagues, friends, and family easier. For instance, with the co-authoring feature, you and several colleagues can work on the same document or presentation at the same time. Threaded comments can help you keep track of the feedback in that document or presentation. When you need to set up a meeting with your colleagues, Outlook for Mac lets you see their calendars side-by-side, making the scheduling process quicker.

8. MOST BUT NOT ALL FEATURES ARE COMPARABLE

Most of the features in Office 2016 for Mac are comparable to those in the Windows counterpart. There are exceptions, though. One notable exception is that you cannot import PDF files and create editable documents from their contents.

A few features have disappeared in Office 2016 for Mac. For instance, you can no longer rearrange the tab order in ribbons or save a PowerPoint presentation as a movie.

9. SPAMSIEVE DOES NOT WORK WITH OUTLOOK 2016 FOR MAC

SpamSieve is popular client-side spam filter among Mac users. This third-party software will not work in Outlook 2016 for Mac. Microsoft dropped the ability to run AppleScript scripts in Outlook 2016. SpamSieve relies on this type of script to catch and handle spam.

10. YOU CAN EXPECT LARGE UPDATES

Microsoft published an update for Office 2016 for Mac about three weeks after its release. This update mainly fixes bugs and improves features. More updates are likely. This is something to consider if you have a slow Internet connection. The updates are very large in size. They are basically full re-installations of each program in the suite.

Using Microsoft Auto Update for Mac is the easiest way to update the productivity suite, as it automatically updates the programs. Another option is to download the updates for each program manually. Each program has its own updater, though. This means you will need to download five updaters before you update the suite the first time.

Here are five reasons why you should invest in a CRM system:

1. PROVIDE BETTER CUSTOMER SERVICE

CRM systems let staff members quickly and efficiently access information. This ability to easily find a customer’s details means that your company can provide a higher level of customer service. With a CRM system, your customers will never end up in a situation in which they explain their details to one customer service representative only to have to go through them again when a different customer service representative answers the phone the second time they call in.

2. GET A BIRD’S-EYE VIEW OF YOUR AUDIENCE

Sometimes it can be difficult to take a step back and look at the big picture. Thankfully, this is not a problem if you use a CRM system. You will be able to view the details of all your customers as a group. You can then divide them into different subsets based on characteristics such as location and purchase histories.

By analyzing your audience like this, you can identify business trends. You can then use this information to find new customers and keep existing ones.

3. CREATE EFFECTIVE MARKETING CAMPAIGNS

Some CRM systems let you develop, test, deploy, and measure the results of marketing campaigns. The results can help you determine which marketing campaigns are the most effective. For instance, you might discover that your email campaigns are more successful than your direct mail ones. In light of this information, you might decide to invest more in email marketing in the future.

4. TRACK IMPORTANT FINANCIAL METRICS

Some CRM systems integrate with companies’ financial software. This integration lets you keep track of revenue and operating costs as they relate to sales and performance metrics.

5. PROVIDE AUTOMATED TOOLS TO HELP STAFF MEMBERS DO THEIR JOBS

Many CRM systems include automated tools that can help keep your staff members at the top of their game. These tools can be as simple as an automatic alert feature that reminds sales representatives to reach out to a prospective customer after a month or two.

There are also more sophisticated automated tools. Some CRM systems have tools that automatically send marketing materials to potential customers through email or social media sites. There are even tools to automatically track all communication between sales representatives and customers.

Sophisticated CRM systems may require an experienced professional to configure them correctly. Talk to your IT provider for guidance.

Cookies are used throughout the Internet because they let websites communicate with their visitors in a more personal way. For example, suppose you buy shoes from an online retailer. The retailer’s web server will assign an identification (ID) number to you. Besides storing this ID number in a database, the web server will send it to you in a cookie.

The next time you visit the online retailer’s website, your web browser will send this cookie back to the retailer’s web server. The web server will then personalize the page that it displays for you. In this case, it might showcase shoes that are similar to the pair you bought last time. This personalization means that online advertisers do not have to run the same ads over and over again. It also means you can save your preferences when visiting a particular website.

WEB TRACKING

While many organizations use cookies in a positive way, some companies are harnessing them for more shady purposes. In November 2014, The Washington Post reported on how telecommunication giants AT&T and Verizon were using so-called supercookies to track their customers’ web activity, even when they were using their browsers’ privacy mode. Unlike their normal counterparts, supercookies cannot be deleted. Consumers and privacy advocates condemned AT&T and Verizon for using supercookies. The companies were eventually pressured into allowing customers to opt out of their use.

Facebook also allegedly uses cookies for monitoring users’ browsing habits. The Belgian Privacy Commission published a report in February 2015 that claimed Facebook was tracking European users’ web activity, even when they chose not to sign up for the tracking option. According to the report, the social network was even tracking people who did not have accounts and users who had already logged off of the site. A Facebook spokesperson said that the report contained factual inaccuracies.

HOW CYBERCRIMINALS USE COOKIES

Cookies themselves are harmless. However, cybercriminals can use them to impersonate you online and thereby gain access to your accounts. By hiding code in stolen cookies, cybercriminals can also spread malware and manipulate you into visiting malicious websites.

Cybercriminals can also use cookies to make websites look unavailable to web browsers. As mentioned previously, when you return to a given website, your web browser will send a cookie back to its web server. A cybercriminal can alter this cookie so that the web server receives hundreds of cookies instead of just one. When the amount of cookie data exceeds what is allowed in the connection setup, the server closes the connection. You will not be able to visit the website until you delete your cookies.

HOW TO PROTECT YOURSELF

If you are uncomfortable with the idea of using cookies, you can turn off this setting in your web browser. If you do not mind cookies being used, it is still a good idea to delete your browser’s cookies every now and then. This makes it harder for companies to track your web activity.

There are other security measures you should take to keep yourself safe while browsing the Internet. You should be using up-to-date firewall, anti-virus, and anti-malware applications. These programs can block attacks that use cookies.

In addition, before you enter private information on a website, you should make sure the link is secure. To do so, look for a padlock icon somewhere in the browser window frame. When you click the padlock icon, you should see details about the site’s security, including information about cookies. You should also make sure the web address begins with “https”. Websites beginning with “https” use encryption to secure web connections. For more advice about using the Internet safely, talk to your IT service provider.

STANDARD ENSURES PRIVACY AND DATA PROTECTION

CSPs can use ISO 27018 to prove they are handling personal data in a manner that not only safeguards customers’ data but also protects customers’ privacy. For example, when CSPs follow this standard, they are guaranteeing that they will:

• Give customers control over their personal data
• Not use customers’ personal data for marketing or advertising purposes
• Not let third parties access customers’ personal data, unless a customer allows it
• Let customers know about any unauthorized access to their data as soon as possible
• Let customers know when subcontractors will handle their data

ISO 27018 has many other guidelines about how CSPs should protect customers’ privacy and data. They include the need for restrictions that limit or ban transmitting customers’ personal data over public networks and storing it on transportable media. CSPs even need to have proper data backup and recovery procedures in place to achieve ISO 27018 certification.

To become ISO 27018 certified, CSPs must go through an assessment process. During this process, independent third parties verify that the CSPs are properly handling their customers’ personal data. Once a CSP achieves certification, it must undergo annual audits to maintain that certification.

In 2015, Microsoft and Dropbox for Business were the first two major providers to achieve ISO 27018 certification. Other big-name companies are expected to follow their lead.

A MARK OF TRUST

When a CSP is ISO 27018 certified, you have some assurance that it is protecting its customers’ privacy and data. If your business is looking to store data in a public cloud, make sure you talk to potential CSPs about their efforts to adhere to the ISO 27018 standard.

Email mistakes in particular stand out as significant causes of data breaches. While these mistakes are understandable in many cases, they are still very costly.

MAJOR EXAMPLES OF EMAIL MISTAKES

One notable example of an email mistake that caused a data breach involved the Goldman Sachs investment management firm. In June 2014, a Goldman Sachs contractor accidentally sent a message to a gmail.com email address instead of the corresponding gs.com email address. The latter email address is connected to the company’s in-house email network.

The email contained a confidential document, and the mistake sent Goldman Sachs scrambling for a solution. To prevent the gmail.com recipient from opening the message, Goldman Sachs took Google to the New York State Supreme Court. In its petition, the investment management firm said that the message contained “highly confidential brokerage account information” and asked Google to help it prevent a “needless and massive” data breach.

The case was unprecedented, in that Goldman Sachs argued that email senders should have the right to “unsend” an email if it was sent by mistake. In the end, however, the court did not have to rule on the case, since Google voluntarily blocked the recipient’s access to the email.

Another noteworthy email mistake occurred in April 2014. An employee at the risk advisor and insurance brokerage firm Willis North America accidentally sent a spreadsheet to a group of employees enrolled in the company medical plan’s Healthy Rewards Program. The spreadsheet contained confidential information, including employees’ names, email addresses, birthdates, Social Security numbers, employee ID numbers, office locations, and the details of their medical insurance plans.

Willis North America agreed to pay for 2 years of identity theft protection for the 4,830 people affected by the breach. Although the leaked information did not include details about the victims’ health conditions or the health information of their dependents, Willis North America was still cited for violating the US Health Insurance Portability and Accountability Act (HIPAA).

A similar incident occurred in September 2013, when a Cisco employee accidentally sent an email to a “sept_training1” mailing list. The list included thousands of other Cisco workers. A large number of these workers replied to the email by asking to be removed from the list, and many of them accidentally clicked “Reply All” when responding to the message. This resulted in millions of unwanted email messages taking up space on Cisco’s network. The mistake severely damaged the employees’ productivity, and cost the company hundreds of thousands of dollars.

THE COSTS OF EMAIL MISTAKES

According to the Ponemon Institute, data breaches caused by careless human error cost companies on average $117 per compromised record. If an email mistake affected thousands of people, as was the case for Willis North America, then it could result in sizable losses. Several issues can cause these high costs.

As the Cisco case showed, losses in productivity can cost a company a significant amount of time and money. Another cost stems from paying for identity theft protection for the victims. Additionally, if the email mistake led to a data breach, then the company could find itself facing lawsuits or punitive fines. Data breaches like these could also reveal sensitive company information to the general public.

Email mistakes, especially those that cause data breaches, can also tarnish a company’s reputation, which can lead to lost business opportunities. As one example, Goldman Sachs faced substantial damage to its reputation after its email-related data breach in 2014.

AVOIDING CARELESS MISTAKES

To prevent any mistakes, create clear-cut policies and procedures about sending emails, especially those with sensitive information. You’ll also need to educate your staff members about the problems caused by carelessly sending emails. Employees are more likely to think twice about sending a message when they know just how costly a mistake can be.

By the same token, you should develop a workplace environment in which employees feel comfortable talking about their IT concerns. By making your staff members feel comfortable about discussing these issues, you can improve the odds that one of them will ask a question that could avert a mistake.

Data loss prevention (DLP) software can also help in this regard. This software can stop employees from sending confidential information by accident. Look to your IT staff or service provider for help when searching for a DLP solution that matches your individual needs.

Here are three things you can do to protect your business before the cloud goes down.

1. Make sure employees have software options that are not cloud-based. This way, they can perform essential functions even if the cloud is down. For example, back up files to a local networked drive or jot down notes in a traditional ledger. These options aren’t always possible for complex services. Yet, local backups are often enough for many companies to survive short-term cloud outages.

2. Have a fallback or secondary cloud that can take over if the primary fails. If your cloud services handle mission-critical processes or information that can’t be locally backed up, this option is essential.

3. Train employees on disaster mitigation plans. Keep any guides and training materials related to the process you now host in the cloud that predate the move to a cloud solution.

While cloud service providers have made our lives easier, risks remain. The biggest risk is that businesses may rely too heavily on the cloud and believe it replaces, rather than supplements, existing systems. However, with the common sense methods above, a cloud outage will not be any worse for your business than a power outage. In fact, it could be far less worse: at least the coffee machine still works without the cloud.

Modern technological developments have made it possible even for mid-range and small-scale businesses to implement such solutions. Today, a document management system (DMS) is essential for every business that wants to increase its efficiency and productivity. Let us look at some of the benefits you will reap if you decide to use a document management system.

DIRECT BENEFITS

No storage issues: In today’s world, every square-foot of space counts. So you would not want file cabinets taking up the precious space in your office. However, as your paper work builds up, you will require more space for these cabinets. This can troublesome for any business that wants to grow. The perfect answer for this problem is a document management system. With a DMS, you can store all your documents in a disk no larger than a few square inches.

Easier handling: Searching through a huge pile of files and paper can be extremely annoying at times. What is more problematic is that if a particular file or paper is being used, someone else who requires it cannot access it. A DMS makes such a task extremely simple. You can access any document you want to without even leaving your workstation. In addition, the same file can be viewed by multiple people without disrupting your work.

Better search options: Using a DMS, you can greatly reduce the time it takes for searching documents. A good DMS allows you to search for electronic documents based on the text inside them, something that is not possible with your paper-based documents. It also allows you to sort the documents under various categories, something that would require you to make multiple copies when dealing with paper.

Sharing is easy: When dealing with paper documents and microfilms, sharing can be quite a tedious task. With a DMS, you can simply share copies of the electronic documents with clients or colleagues through emails or a network. This saves a lot of money, which would otherwise have been spent on copying and postage. You should also remember that sharing takes place instantly through DMS, which is not the case when you send a document through postal services.

Reduced security concerns: A DMS offers greater control over your documents. It allows you to customize settings so that only selected people can view certain files. Traditional file cabinets, however, provide the same level of security for all the documents stored within them. Also, a DMS allows you to track the people who have viewed and changed a file. It also gives you details about the date and time when the changes were made.

Disaster management and lost files: Hard copies are prone to damage because of fire, floods and other natural disasters. DMS is a great way to secure the data against such natural calamities, as it allows you to backup your data easily.

INDIRECT BENEFITS

Apart from those listed above, there are several other benefits of using a DMS. Firstly, the return on investment (ROI) is great. The software and the data storage options might seem a bit expensive in the beginning, but you can see the financial benefits of using a DMS in less than a year.

Switching to a computerized system makes it a lot easier for you to distribute information to customers and also reduces your response time significantly. In today’s competitive business environment, using a DMS is essential if you want to stay ahead of the competition.

For a few years after the release of an operating system, Microsoft provides users with updates and extensive customer support options. This stage of the operating system’s lifecycle is known as the mainstream support period. After the mainstream support period, the operating system enters an extended support period. At this point, Microsoft only offers extended customer support and key security patches. As a general rule, both the mainstream support and extended support periods each last five years, although Microsoft will sometimes extend them.

After the extended support period, Microsoft stops providing security updates for the operating system. These updates are crucial for cyber security since they patch security holes. Customers who are still using a Microsoft product after the end of support often find themselves in a difficult dilemma. They must find an alternative to the product or risk cyber security breaches.

LEARNING FROM THE 2014 MICROSOFT XP CRISIS

As of July 2014, an estimated 24 million servers worldwide were using Windows Server 2003. Unless action is taken, these servers will be vulnerable to cyber attacks when support for the operating system ends.

A similar situation occurred before the end of support for Windows XP. Businesses across the world scrambled to keep their systems safe before the deadline. Many rushed to find an alternative operating system. Others entered into expensive custom service agreements with Microsoft. Custom service agreements can cost hundreds of thousands of dollars, and are little more than stopgap solutions as businesses eventually must upgrade.

The end of support for Windows XP also presented problems in terms of hardware and software. With regards to hardware, Windows XP drivers were unlikely to be available again. New hardware would either not function, or function in a very limited way using old drivers. Moving forward, software would also fail to support Windows XP, and even worse, old software could become an entry point for malware.

The best course of action in these situations is to find an alternative operating system, preferably well before the deadline. This process, of moving from one operating system to another, is called migration.

MIGRATION

Migration is a multi-step procedure that can take several months to complete. According to the Microsoft Migration Planning Process, the main phases include planning, preparing, coexisting, and finally, migrating. Each of these phases contains numerous steps.

During migration, a company must select an alternative to their existing technology. Newer server operating systems like Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 are viable alternatives to Windows Server 2003. Shifting services into the cloud is another option, especially for companies looking to move away from physical servers.

Choosing the right approach to migration is tremendously important. After all, this choice will guide a company’s direction for years to come. As such, decision-makers should look to IT professionals for guidance and help.

Businesses that do nothing at the Windows Server 2003 end of support will increase their odds of facing a cyber criminal attack. Nevertheless, there are some measures that can be taken to mitigate the security risks. These include isolating weak points, preventing infiltration, and minimizing the impact of security breaches. While such efforts are not as effective as migration, they can limit cyber security dangers.

CONCLUSION

The end of support for Windows Server 2003 presents a challenge for many businesses. However, the key to managing this situation is developing a course of action that minimizes both data loss and impact on the business.

Contact an experienced IT service provider to get started as soon as possible.

As part of an investigation into the attack, the company discovered that hackers made off with more than 100 terabytes of confidential files. The attackers also deleted the original copies of these files and wiped Sony’s internal data centers. They destroyed 75% of the company’s servers and used file-sharing networks to publicly release a huge amount of the stolen information.

The list of released files featured corporate documents, private emails from Sony executives, and details about salaries and bonuses. It also included the usernames and passwords of hundreds of employees, as well as personal information, such as their social security numbers.

In addition, the attackers stole a number of movies that were scheduled for release in theaters during the 2014 holiday season. They posted these films online, hitting the company even harder.

Following the attack, Sony shut down nearly all of its global IT infrastructure. This left the company’s employees without any voice mail, corporate email, or production systems.

Sony’s problems didn’t end with the attack on its systems. The hackers, calling themselves the “Guardians of Peace,” threatened to attack theaters if Sony went ahead with its planned Christmas day release of “The Interview,” a comedic movie depicting the assassination of North Korean leader Kim Jong Un.

Shaken by the security breach and the threat of attacks against theaters, the company initially decided to cancel the movie’s release. A wave of criticism followed the move, and Sony was forced to change its stance. The movie was ultimately screened at a limited number of theaters, and made available online by the company.

THE HACKERS AND THEIR SUSPECTED METHODS

It remains unclear exactly how the attackers managed to break into Sony’s networks, though security experts suspect that a specific type of malware was used to steal the data and erase the original copies. It is believed that the attackers first stole the login credentials of a high-level systems administrator working in Sony’s IT department. Using this information, they were able to access the company’s entire network.

The US government has stated that it believes that North Korea was behind the attack, with the FBI releasing the IP range from which the attack originated, leaving little room for doubt as to the source.

SONY’S ATTEMPTS TO REGROUP FOLLOWING THE ATTACK

Sony clearly didn’t have a disaster recovery plan. After discovering that it had been hacked, the company shut down its entire local system, rendering its landline phones, computers and corporate email system inoperable.

The company’s senior executives used a phone tree to relay updates from one person to the next. More than 6,000 employees were forced to use cell phones, Gmail accounts and notepads to remain operational. The payroll department had to use an old machine to manually issue paychecks instead of using its electronic direct deposit system. The company’s network remained impaired for weeks.

A LONG LIST OF IT FAILURES

The attack on Sony exposed its poor cyber security practices. A lack of IT training, strong password protection protocols, and file encryption technology played a role in Sony’s faulty operations.

The company’s employees used easy-to-guess passwords, such as “password” and “s0ny123.” The passwords, along with other important data, were all stored in one place. This made it remarkably easy for the hackers to gain access.

In addition, Sony executives sent plaintext passwords in unencrypted e-mails. The company also failed to encrypt sensitive materials related to some of its employees, such as salaries, revenue numbers, medical information, and strategic plans. Without encryption, this information was relatively simple to steal.

A large part of this IT mismanagement stemmed from a lack of knowledge and preparation. Sony failed to implement company-wide protection measures or develop an adequate computer training program for its employees.

According to the company’s former employees, Sony repeatedly ignored warnings about specific vulnerabilities. While the company did carry out risk assessments, it rarely acted on them.

Physical security was another major problem for the company. According to a statement made by one of the alleged hackers, the company did not have the most basic physical security parameters like locked doors, CCTV cameras, or proximity card readers.

It appears that Sony also failed to protect itself against social engineering. Several media reports have suggested that the hackers tricked some executives into revealing passwords. The attackers also allegedly convinced some sympathetic employees to help them.

THE KEYS TO BETTER CYBER SECURITY

According to security experts, Sony’s haphazard practices are commonplace in the corporate world. Both multinational conglomerates and small businesses are equally vulnerable in this regard. Abandoning these ineffective policies are crucial to securing a company’s IT infrastructure.

Basic precautions are vital, especially when it comes to physical security. Even the little things, like failing to lock a door, can have a huge impact on cyber security.

Simple mistakes are prevalent in the digital world as well. These include using obvious passwords, repeating passwords, or sending passwords via email. Using encryption and password managers can help companies eliminate these costly errors.

Hackers are becoming more and more sophisticated in the level of their attacks. In light of these new and dangerous threats, companies must have up-to-date, comprehensive anti-malware and antivirus programs.

Finally, companies should educate their employees about IT. An awareness of these issues, along with the help of outside experts, goes a long way toward preventing attacks.

According to a 2014 study sponsored by the Carnegie Mellon CERT Insider Threat Center, more than 40 percent of organizational security professionals say their greatest concern is that their own employees will accidentally jeopardize the organization’s security. These accidental employee security breaches are called unintentional insider threats, or UITs. There are three basic types of UITs of which companies should be aware.

ELECTRONIC

The best-known form of electronic UIT is phishing. Emails are sent either to targeted members of an organization or to the organization as a whole. These messages appear to come from a trusted organization (such as a bank) or from a fellow employee. They typically request verification of either personal or company information. Once the employee verifies the information, the attacker gains access to the victim’s personal information or to an organization’s computer network.

The CERT study offered a couple examples of successful phishing attacks.

In the first example, attackers sent phishing emails to the customers of a payment processing company. The emails warned the victims that they needed to download a web browser plug-in in order to gain access to a website. In reality, the plug-in was malware designed to steal the victims’ usernames and passwords. The attackers targeted the customers by name. The message also referenced the recipients’ usernames and a portion of their passwords for the site. This information was obtained by the attackers through a direct attack on the company’s servers.

In another example, an employee replied to a phishing email which they believed had come from a financial services provider. In doing so, the employee downloaded and installed keystroke-logging malware. This malware captured the employee’s credentials. The attackers then used these credentials to transfer hundreds of thousands of dollars.

Phishing is not the only kind of electronic UIT. Another common type is fraudulent websites and social media pages (Facebook, etc.) These sites target employees who surf the Internet. They trick their victims into clicking on a link, such as a music download, that installs malware on the victim’s computer. Still another common type features CDs or flash drives that, when inserted into a computer, install malware that gives the attacker access to information.

PERSONAL

This type of attack is in some ways the most effective of all. Personal UITs are carried out by people, not machines, and it is human nature to trust other people.

One form of personal attack is dumpster diving. This involves searching the trash for documents that could benefit the attacker, such as financial records, confidential reports, or personal information.

Next is impersonation. This threat, which targets a specific individual, sometimes occurs as a follow-up attack after dumpster diving. During impersonation, the attacker poses as someone in a position of authority and asks the victim for help in solving a problem. The solution requires the victim to provide sensitive information. That new guy from IT who shows up one day to work on your computer because it’s sending a faulty IP address. He must be who he says he is, right?

Another type of personal UIT is tailgating. An attacker poses as an employee to slip into a restricted area by walking behind a person with legitimate access. Employees are victimized by this kind of attack because they’re too trusting of others, too distracted by work, or simply too embarrassed to challenge the attacker.

Lastly, don’t underestimate shoulder surfing. This form of attack is like copying off someone’s test at school. The attacker looks over the victim’s shoulder while the victim enters security codes or passwords. It’s simplicity itself, and that’s why it works. No one expects it.

ACCIDENTAL

You could also call this the “dumb,” or “stuff happens” type of UIT. It doesn’t require a hacker, and it’s also the hardest UIT to defend against. Someone loses a laptop or a flash drive containing vital information. Someone accidentally posts sensitive information on a website or emails it to the wrong person. Someone leaves sensitive information in the trash (remember dumpster diving?).

FINAL THOUGHTS

Attacks producing UITs are successful for a number of reasons: inadequate security systems and policies, stressful work environments, and a tendency for individuals to overlook threats (the “It can’t happen here” mentality), among others.

These reasons can be combatted through improved security systems and better employee training. However, there’s one thing that can’t be prevented, and that’s the thing that gives hackers the “house edge.” As the CERT study states:

“Some social engineering campaigns may be so well crafted that individuals may still be exploited no matter what countermeasures (training, policies, etc.) are employed . . . . No matter how skilled, savvy, or trained an organization’s employees are, there will always be a chance that a phishing campaign will succeed, especially because it takes only one individual to succumb to the scam to open new opportunities for the social engineer to execute further exploits against the organization.”

In other words, human nature. People being people, a certain number are always going to click on that website, or lose that flash drive, or let that stranger in the door behind them, no matter how much training they’ve had. The only thing you can do is keep up the training and situational awareness. Hope that one day when that new guy from IT shows up to work on your employee’s computer because it’s setting a faulty IP address, the employee stops and says, “Hey, wait a minute . . .”