From the Trenches: A day at Year Up Baltimore

Year Up’s Professional Training Corps (PTC) is a national program; one has been offered at Baltimore City Community College since 2010. It is a one-year, intensive program for college students ages 18-24 that prepares urban young adults to reach their potential through career experiences and higher education. Year Up provides students with the skills, experience and support necessary to thrive professionally.

The goal of Year Up is to address the opportunity divide. “Five million young adults are disconnected from stable career pathways [while] 12 million jobs requiring post-secondary education will go unfilled in the next decade.” Lack of access to higher education, resulting from social and economic injustice, is preventing millions of young adults from achieving stable careers, despite talent and knowledge.

Earlier this month, Winquest President & CEO John Leitch and Vice President & COO Nate Corry visited Year Up Baltimore to meet Clif Morgan, Site Director, and John Carberry, Director of Corporate Engagement, and to learn more about the Year Up program. Winquest was also interested in meeting some of the students to help determine if Year Up could provide Winquest with cybersecurity interns to help with an expected boost in summer business. While many companies are looking for interns with more advanced cybersecurity skills, Winquest is looking for interns who are eager to learn and hungry for an opportunity. As John Leitch said, “If the intern has the right attitude, they can learn anything.”

Winquest was able to meet two Year Up students, both of whom were very impressive. The students had as many questions as Winquest, and everyone was engaged in the dialog. Nate remarked, “If we have enough business, both of them would be an asset to our team.” The visit concluded with a follow-up invitation to talk with students about the cybersecurity services industry, and John and Nate look forward to a return trip.

Thank you Year Up Baltimore for the hospitality and introducing the team to some of your outstanding students.

Winquest is excited for the possibility of adding interns to the team this year to learn more about the suite of services offered.

From the Trenches: How cyber aware are your employees?

Security is only as strong as your weakest link, which is usually an employee. In fact, “91% of cyber attacks and the resulting data breach begin with a spear phishing email,” according to a 2016 report from PhishMe. Simply put, a majority of attacks are the result of an employee clicking on an email that contains malware.

Cyber-attacks are becoming more prevalent and employees at all levels need to be aware of how to protect their information. Below are a few quick tips on what to focus on when it comes to cybersecurity training:

1. Concentrate on phishing scams and social engineering
2. Standardize password policies
3. Include training during onboarding
4. Make an incident response plan

Recently, a local company called on Winquest to help after two phishing attempts, the second being successful.

First attempt

The company’s bookkeeper received an email that looked like it came from a legitimate email address within the organization. The email asked that this employee’s next paycheck be moved to a different account than the one it was normally deposited to. It wasn’t until the bookkeeper approached the employee in person to verify the account change that they realized it was a phishing email. The first phishing attempt was thwarted because the bookkeeper verified the authenticity of the request before taking any action.

Second (successful) attempt

The second phishing attempt on the same company was unfortunately successful. An employee received an email from someone she thought was the company president, who was on vacation at the time. The exchange was as follows (names changed for privacy purposes).

Email from the “president”: “How quickly can you get to the store? I need you to purchase some gifts for some specific clients. I would provide you with details on what product of gift cards and the exact quantity and amount needed. I can’t take calls, because I am in a meeting. I have my iPad next to me so I can quickly respond to your message”

Response from employee: “I have a meeting at 1, but should be done by 1:30ish so I can go after if that’s helpful. Just let me know what you need!”

“President”: “What I need is Google Play cards of $100 face value. I need 6 of each card. That’s $100 X 6 = 600. Scratch the back out and email me the codes or pictures of the scratched codes. Let me know. Thanks.”

Employee: “OK, I can buy them online and send the code directly to your email. You should get them in a moment.”

“President”: “E-Gift Cards takes 24hrs to activate, get the physical cards and email them to me.”

Employee: “Just tried to buy them and was denied because of a few things:

1. Store policy only allows $400 of gift cards at a time
2. The name on the card has to be the name of the purchaser 

So, how urgently do we need these? I could ask either Amy or Jessica to go out and get $400 worth, or I could get them online if we are good with waiting 24 hours.”

“President”: “You can ask Amy or Jessica to get them.”

Employee: “Ok, I am sending Amy the details, she is in a meeting but said she will go when she gets out.”

“President”: “Have you purchased the cards?”

Employee: “Just sent them all your way, please let me know if you have any issues with them!”

“President”: “Thank you. Cards received and sent out accordingly. Sadly, I would need you to get 10 more cards. Let me know when you can get that ASAP. Thanks.”

Employee: “10 more meaning $500 worth or 10 more meaning $1000?”

“President”: “Have you been able to purchase the cards?”

It was after this message that the employee realized they had fallen for a scam. However, it wasn’t a sophisticated approach at all. One look at the email address it was sent from would have tipped off the employee that the emails weren’t in fact coming from the company president.
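The sender check described above can also be applied by a mail filter before a message reaches an employee. The following is an added example, not part of the original post or any Winquest tooling; the company domain, executive name, lure terms and all three sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed values, not from the page: company domain, executive names, lure terms.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"pat doe"}
LURE_TERMS = ("gift card", "google play", "scratch", "codes", "paycheck", "asap")

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def impersonation_flags(raw):
    """Return reasons a message needs out-of-band verification before anyone acts."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    flags = []
    # Second attempt on the page: the president's name on an outside address.
    if name.strip().lower() in EXECUTIVES and domain_of(addr) != COMPANY_DOMAIN:
        flags.append("executive-name-on-external-address")
    # First attempt: internal-looking From; trust it only with a DMARC pass from your own gateway.
    auth = msg.get("Authentication-Results", "").lower()
    if domain_of(addr) == COMPANY_DOMAIN and "dmarc=pass" not in auth:
        flags.append("internal-from-without-dmarc-pass")
    body = msg.get_payload().lower()
    hits = [t for t in LURE_TERMS if t in body]
    if len(hits) >= 2:
        flags.append("lure-terms:" + ",".join(hits))
    return flags

# Constructed sample messages modelled on the two attempts described above.
GIFT_CARD = (
    "From: Pat Doe <pat.doe.office@mail.example.net>\n"
    "Authentication-Results: mx.example.com; dmarc=pass header.from=mail.example.net\n"
    "\nWhat I need is Google Play cards of $100 face value. "
    "Scratch the back out and email me the codes.\n"
)
PAYROLL = (
    "From: Sam Roe <sam.roe@example.com>\n"
    "Authentication-Results: mx.example.com; dmarc=fail header.from=example.com\n"
    "\nPlease move my next paycheck to the new account below.\n"
)
LEGIT = (
    "From: Pat Doe <pat.doe@example.com>\n"
    "Authentication-Results: mx.example.com; dmarc=pass header.from=example.com\n"
    "\nAgenda for Monday is attached.\n"
)

if __name__ == "__main__":
    print([impersonation_flags(m) for m in (GIFT_CARD, PAYROLL, LEGIT)])
```

The gift-card message passes DMARC for its own outside domain, which is why the display-name comparison is needed in addition to sender authentication.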

The company employee is not alone and attacks like this happen frequently due to lack of awareness training. The lack of employee-level cybersecurity training is concerning, seeing how prevalent these attacks are and how expensive they can be. In fact, the average cost of a phishing attack for mid-size companies is $1.6 million, according to PhishMe.

Since this attack, the company has agreed to be a pilot for a new Winquest employee-level cybersecurity awareness training program. This training program is effective, convenient and inexpensive and follows our goal of making cybersecurity services affordable for all businesses.

For information on Winquest cybersecurity training for your employees, contact us at info@winqeustengineering.com or visit https://winquestcyber.com/ to see our other offerings.