Home » Blog » Archives for Keith Herstek » Page 2

Author: Keith Herstek

Https now

It’s Official: Your Business NEEDS to Use HTTPS

You may have noticed many business websites now have a green padlock in the address bar next to the letters ‘https’. Until recently, you’d only see that on shopping or banking sites, but it’s now become the expected norm for all business websites – even if you don’t ask people to log in or enter credit cards. Simply put, the ‘s’ in https stands for secure and means any data sent/received by the visitor is encrypted.

Clearly, it’s an essential feature for e-commerce sites, but why have all the info-only websites started using https too?

The New Google Rule

As of July 2018, Google will mark your page as insecure unless you’re using https. It’s a movement they started a few years ago to make the internet a more secure place by default. Since Google pretty much rule the internet search and increasing security is always a good idea, businesses have been gradually switching over. Without https protection, someone with access to your internet connection, whether from digital eavesdropping or hacking, could intercept the information. They could also place malware onto otherwise legitimate sites and infect innocent visitors. That’s why eighty-one of the top 100 sites online have already switched to https and a strong majority of the web is following suit.

The Browser Bar Says It All

In the same way a green padlock in the browser bar indicates a trustworthy site, you can expect non-https sites to be marked with a “not secure” warning. Previously, users had to click an information symbol to actively investigate non-secure sites. The shift to plain sight markers will be most noticeable on Chrome, however it’s expected that other browser developers will follow suit. Visitors may then be alarmed by landing on your site and seeing that the connection isn’t secure.

The fact that you may not be asking them to log in, enter personal details or payment is irrelevant. You may not be asking them to enter anything at all, but perceptions matter. Eventually that warning will be changed to an alarming red as Google declares war on unsecure sites. As the common understanding is that a warning = bad, you may get more visitors bouncing away within seconds or even contacting you to report that your site has a problem.

Boosts for Secure Sites

Google is taking its commitment to safe web browsing further by favoring https. That means the search algorithm is taking your site security into account, preferring to display results that it knows will protect users from hackers. Since https status gets the nod, you may find yourself climbing in the ranking while other businesses scramble to catch up. It really is a win-win situation.

What to Do Next

In an ideal world, your site would have a secret switch on the back-end you could flick over and suddenly be https, but it’s a little more complicated than that. In fact, you may have already noticed some sites experiencing trouble with the migration. When the setup goes wrong, users don’t see your website with a little warning in the corner, they’re blocked by a full page error and offered a return to ‘safety’ (away from your site).

The easiest way to make the move to https is to contact your IT technician or web developer, as they’ll be able to make sure you’re keeping Google happy and rolling in the green.

We can migrate your site to https – call us today at 570-779-4018

Getting tech new business

How to Securely Dispose of Old Computers

Getting new computers for your business is exciting, but what happens to the old ones? Depending on the age, some people sell them, others throw them out. That’s the easy part. The problem is the sensitive data on them. There are passwords, account numbers, license keys, customer details, medical information, tax returns, browser history…. the works! Each computer, whether laptop, tablet or desktop, contains a treasure trove of sensitive information that cybercriminals would love to get their hands on.

Unfortunately, hitting delete on your files doesn’t actually make them disappear, nor does waving a strong magnet over the drive. These mistakes have cost businesses millions of dollars over the years.

Most businesses are unaware that specialized data cleanup is necessary, others think calling someone to collect the computers will cover all the bases. A 2016 experiment proved just how dangerous the situation can be when they bought 200 used hard drives and found 67% held unwiped, unencrypted sensitive data, including sales projection spreadsheets, CRM records, and product inventories. Frighteningly, they didn’t need any special hacking skills to get this data, it was all right there and helpfully labeled. It’s also not surprising that with simple data recovery tools, people have also been able to access British NHS medical records and missile data, all waiting patiently on a discarded hard drive.

Why hitting delete doesn’t help

Data on a hard drive works like a book with an index page. Every time data is written, it pops a quick entry into the index so when you need it again, it knows where to look. The index is used for files you create as well as system files you can’t even see. Sensible, right? Except if you delete a file it’s more like changing the index to say nothing is on page 10 and you can write something else there when you’re ready. But if you manually flip to page 10, you’ll find the information is still there – the file still exists until it’s been written over – it’s the index reference that got deleted.

Wiping data before disposal

There are software tools you can get to do it yourself, as well as dedicated security firms, but your best option is to choose an IT business you know and trust. With that in mind, a methodical approach is required to ensure not a single drive is left untreated. You don’t want to leave data behind, or even clues that a motivated person could extrapolate any private information from. The approach might include using checklists to maintain security, or dedicated processes to guide each step in decommissioning. Careful records should also be kept, including who signs off on completion of the retirement, and where the computers are sent afterwards. A proper inventory and auditing process may slow the rollout of the new computers slightly, but it’s always better than having your old data come back to haunt you.

We can migrate any needed data, backup the information to your server or external drive, then wipe or destroy the hard drives for you. We can assess the age of your old computers and either dispose of them for you or point you in the right direction of computer recyclers. Plus, the quicker you dispose of your old computers, the easier the process will be. Recyclers will be able to send less of your equipment to landfill, and you’ll be less likely to forget how valuable the drive contents are.

Upgrading your business computers should be a happy time for you and your employees, so with a little forward planning, you’ll be able to keep everyone smiling and all your data secure.

Need help with your old hardware? Call us today at 570-779-4018

Getting tech new business

How to Get the Right Tech for Your New Business

Congratulations on your new business! Start-up costs can easily escalate, and tech is often one of the bigger expenses. It’s not that everything is high priced, but the sheer number of technologies available can overwhelm smart decision making. The latest tech is dangled in front of you with amazing features you didn’t know you needed, and suddenly your budget has gone boom!

Here’s how to get the tech right for your business, without the headache and drama.

1. Check if you actually need it

In a lot of cases, using a cloud application means you can skip the big server purchase, along with the on-site technician to manage it. Many of your business programs will have a cloud option that allows you to get all the benefits without the big expense. Before you make the tech purchase, work out which applications you’ll be running and whether a local installation or cloud access is preferred. As part of this stage, think about how you’d like to use the applications – perhaps remote access is a priority, or perhaps collaboration will underpin your business culture. This level of clarity is often overlooked and the number 1 reason why tech expenses spiral.

2. Get expert advice

It’s easy to ask friends and family what to buy, but there are many more factors to consider than just their personal preference. You trust their opinion, of course, but they may be speaking from a consumer perspective or basing their recommendation on brand loyalty. Every business is different and pairing the correct technology with the business will save you a lot of money in the long run.

3. Buy business grade

Unfortunately, the computers and laptops you see in department stores aren’t up to business standard. They’re designed for home users to perform quick tasks, not run a full 8 hour (or more) workload. Business grade systems have additional features that your business needs, plus longer warranties and better support. Even the attached devices like networking or printers are built to a higher standard, to last longer and perform better. Considering the cyber climate we live in, taking a special interest in the security offered by the business grade technology is a wise decision.

4. Prioritize flexibility

Businesses evolve rapidly during their first few years and the last thing you want to do is go out and buy new tech, playing catch-up with your vision and smushing together an assorted mismatch of devices. Your new technology should be as scalable as your business, which means making purchase decisions based on strategy, not price. Perhaps this means instead of workstations for employees, you only need tablets. Rather than having a fixed point of sale system, you might choose mobile checkout devices so your staff can assist customers on the go. These examples highlight how easy it is to commit to certain tech because it’s ‘what you do’ but later discover you’re locked into a certain way of doing business. Trying to change your processes down the line impacts productivity, efficiency and culture in a big way, so we recommend buying with your future success in mind.

5. Choose an IT partner

During your set up and moving ahead through growth, you’ll need an IT partner who can not only help with your purchase strategy but support you through any tech problems as they arise. That’s the difference between a partner and a supplier, they’re committed to driving long-term business success.

You’ll be able to call on your partner and know they’re immediately up to speed with your business, they know how IT can help leverage your competitive advantage and which critical systems they should focus on. Getting good tech in place shouldn’t be seen as just an expense. It improves productivity and allows you to serve your customers better while enjoying consistent growth.

If you need an IT partner to help your business grow, give us a call at 570-779-4018.

Netgate pfSense Router

Netgame pfSense® Security Appliances

Netgate’s pfSense security appliance solutions provide reliable, scalable systems that are unmatched in value and performance.

Because there are no required on-going maintenance or license fees, we provide the lowest total cost of ownership with the most security and connection features in the market today!

Affordable. pfSense firewall appliances come with the industry’s lowest total cost of ownership. Up-front cost is a fraction of traditional pricing, and there are no software maintenance or license fees.

Efficiently powerful. pfSense appliances combine efficient use of power with 1Gb upstream performance. From day one, you’re prepared for growing bandwidth needs.

Open source. pfSense is both affordable and flexible, with all the features expected of far more expensive enterprise-class firewalls. Our rich, versatile feature set is fully customizable with any combination of options you prefer.

pfSense Software Features

pfSense can be configured as a stateful packet filtering firewall, LAN or WAN
router, VPN appliance, DHCP server, DNS server, or for other applications and
special purposes. Next-generation pfSense security features available:

  • Stateful packet filtering or pure router
  • Routing policy per gateway and per rule for multiple WAN, failover, load balancing
  • Transparent Layer 2 firewall
  • Support for IPv6, NAT, BGP
  • Captive portal with MAC filtering, RADIUS support, etc.
  • VPN: IPSEC, OpenVPN, site-to-site, site-to-client, site-to-cloud and cloud-to-cloud, with support for Amazon AWS
  • Dynamic DNS Client
  • DHCP server and relay functions
  • PPPoE server
  • Reporting and monitoring features with real time information
  • Add-on optional packages such as Snort or Suricata for IDS/IPS and network security monitoring, Squid for optimized content delivery, and SquidGaurd for anti-spam/anti-phishing and URL filtering.
Unified Threat managment

Why Your Business Needs Unified Threat Management

Sounds scary doesn’t it? Almost like a swat team dressed in black is going to swing in and start yelling orders. While just as effective at disabling the bad guys, Unified Threat Management (UTM) is a special kind of IT solution focused on proactive protection. Consider it more like a team of virtual bodyguards that stand at the door between your business and the internet, keeping trouble out while your legitimate traffic can come and go normally.

With the increasing number of connected devices in your business network and the different ways your employees now connect, it’s more important than ever to set up dedicated security systems that give integrated protection. UTM is a series of solutions that work together, simultaneously layering your protection across the board. We’ll cover the four main inclusions here, and exactly what they can do for your business.

Robust Firewall

Put simply, a firewall keeps an eye on all the data coming in and out, looking for anything abnormal. While every home PC comes with a software firewall built in, those ones pale in comparison to what a UTM firewall can do. Remember the team of virtual bodyguards? Imagine the home firewall asking nicely if the data should be doing that, while the UTM slams the data to the ground and demands credentials. It exists to make sure the data entering your network is safe, that it’s not part of a cyber-attack, and that in the rare event your network becomes infected, your servers aren’t being used to attack another business.

Anti-virus Where it Matters

With so much new malware being released daily, it’s easy to fall behind in updates and discover you’ve been infected. Your employees are likely doing their best, but manually scanning each file can be exhausting and time-consuming. Your UTM anti-virus is built into the firewall, ensuring known or suspicious malware is stopped at the door. It doesn’t even make it through to your employees, so the risk is removed. Clearly that’s the best outcome possible and will allow your employees to work at maximum efficiency, while you can run your business with confidence.

Spam Blocking

Most cyber-attacks come via email these days, with either an attachment or a link. Once clicked, the malware is released into the network to wreak havoc. Obviously, your employees are smart enough not to open random attachments/links, so hackers use phishing emails. These are emails that look legitimate and may refer to vendors you use, financial services you have accounts with, or even seem to be from other employees. Your UTM isn’t falling for any of those disguises, it strips down each email and checks it against high-tech legitimacy markers. If it sees anything suspicious, the email is marked as spam and either held for review or bounced away.

Your employees never see the attack, so they can’t accidentally fall for it. While the UTM is monitoring for phishing/fake emails, it’s also culling out the general spam that clogs up inboxes. Employees will no longer have to spend precious minutes each day wading through the junk, and the likelihood of missing an important customer email has greatly dropped.

Content Filtering

In a perfect world, your employees would only access work-related sites and do work-related things online. Content filtering can help you limit the risk they’re bringing into your business via these websites. Your UTM can be set to restrict sites that infect computers, such as adult content, gambling or illegal downloads. It can also be used to restrict access to productivity vampires like Facebook or Pinterest, either during work hours or completely. It’s up to your policies how much you’d like to filter and whether to add any flexibility. Some businesses allow social media during lunch breaks or have special reward hours each week. Simple tweaks like this can increase productivity overnight and give you the security you’re looking for.

You can see how a layered security solution like UTM provides a space for your business to thrive, where systems are secure, employees are able to maintain efficiency, and cyber problems stay outside the doors. The way the layers work together is more effective than a patchwork of separate systems, and a UTM is much easier to configure and maintain.

We can find the right UTM solution for your business. Call us today at 570-779-4018!

Why Periodic Security Assessments Should Be Your New Normal

By now you know that building up your cyber security is just as important as building up your cash flow. Both are essential to your success, but while most businesses keep an eye on the financials, they tend to think cybersecurity is something they can set and forget. Unfortunately, cybercriminals are constantly coming up with new methods of attack and the security you had in place yesterday may not be sufficient today.

Instead of reacting to breaches and taking on the costs of downtime, lost files and destroyed trust, a periodic security assessment can identify blind spots that place you at risk. Once you know about these problems, you’re able to proactively setup adequate protection before cybercriminals strike. It’s best to use independent IT experts who can audit your security from an outside perspective, often seeing risks that would otherwise be missed.

Regulations change – Are you affected?

Many businesses are kept to strict government regulations around the way they store, process and protect data. Their operating license depends on staying as secure as possible. All regulations require regular security assessments but they vary in scope and timeframe. As regulations change, so do the security assessment requirements. You can imagine how much stricter they are now compared to just 5 years ago. Our team can ensure your business is meeting the relevant regulations, diving deep to be certain you’re safe.

Security patches and updates are vital

It’s so easy to fall behind on your security patches, after all, it seems like there’s a new update every week and each one takes precious time to apply. What we’re seeing though, is that cybercriminals are targeting any business running late, and it’s basically easy pickings for them. If you’re unpatched where it counts, it’s like inviting them in. When we conduct your security assessment, we take a look at your history and see if your business has a robust patch plan in place and make sure you’re up to date. If there’s an issue that’s placing you at risk now, impacted you in the past, or will in the future, we’ll find it.

Viruses are always evolving

Just like the human variety, computer viruses are nothing to welcome into your workplace. They’re constantly evolving to skip past anti-virus scans and do damage in new and interesting ways. Cybercriminals know people are more aware of the traditional infection methods like downloading an attachment or inserting an infected USB, so they’re getting more and more creative. Your security assessment doesn’t just include ticking that you have the latest anti-virus, it includes identifying where you’ve had the most breach attempts and where your biggest vulnerabilities are. This type of precise awareness has a lasting impact on reducing your risks.

Your business may have changed

As your business has grown over the years (or shorter if you’ve experienced a recent surge), your entire setup has changed. More employees, expanded remote access, additional vendors, supplementary locations…the list really is endless. With each change has come a new risk, particularly if your security has been growing around you. It might be that your password policies haven’t been updated since you began, or that you still have the old voicemail system even though phones are within easy reach of customers. This is perhaps one of the most useful areas a security assessment can help with, as you and your employees are accustomed to the business working in a certain way, whether that way leads to risk or not. Our experts will be able to see things from a different perspective, particularly as we make sure to think the same way a cybercriminal would.

What to do with your assessment results

While many experts might present you with a long list of problems and leave you feeling overwhelmed, our team ensures you have a benchmark for progress. You’ll know exactly what you need to do, how we can help, and perhaps most importantly, which actions take priority. Moving ahead, future security investments will be smarter as you focus on the high-payoff areas. You’ll also know exactly what you’ve done well and where your security strengths lie. Employees will see how much you value security, which helps to create a stable culture, and you’ll be able to report your commitment to customers, confirming they’re making the right choice by staying with you.

Book your security assessment today. Call us at 570-779-4018

The True and Unexpected Costs of Being Hacked

There are the normal costs everyone associates with a breach, like getting your own server and computers fixed up, with maybe a little downtime. But really, most businesses view the possibility of getting hacked as more of an inconvenience than a bottom-line cost. For those who’ve come out the other side though, it’s a very different story. They know the hidden and ongoing costs of a data breach can be crippling, and that IT security exists to protect your business on multiple levels. All those surprise costs that spiral out of control are why most businesses close after a cyber-attack. Here are a few of the hard, but common realities of life after a hack.

Raiding the budget to reduce downtime

From the moment a cyber-attack gets into your system, things get expensive, and the longer the attack goes, the more it costs. Latest stats reveal most breaches aren’t identified for around 191 days, then it can take on average another 66 days to contain the damage. During this time you’re cleaning PCs, mobile devices, laptops, servers and even entire networks. Add to this the fee for experts to fix everything up, all the new tools and software they insist you have, and all the hours/days/weeks when your business is struggling with downtime, you’ll exhaust your emergency funds very quickly.

The long arm of the law

Depending on what data was stolen and how you handled the situation, you could be liable for fines into the millions. Having any medical data or legal files leak is a particularly messy scenario with fines coming from multiple sources. In any case, new privacy laws mean businesses are liable for massive fines if they don’t disclose a data breach, even if only email addresses were stolen. Where this gets even trickier is that the burden is on your business to know exactly what data has been stolen/illegally accessed, so you can report it before the fines stack up. This means that even if you were able to fix up the systems yourself, you still need to hire an expert who can identify exactly what the hackers took, from where and when.

Customer retention measures

In a double-down crush to your bottom line, not only does your business have to bear the cost of the hack, your future income takes a hit as customers lose trust and leave. To offset this, many businesses need to engage PR experts, spend more on advertising, and go all out to ensure they survive to fight another day. Even so, your breach disclosure will still come up in search results for many years. The more negative publicity your breach attracts, the more you’ll need to spend on customer retention.

All your secrets exposed

While you may not have Pentagon level secrets to protect, your business does have information that you’d like to keep to yourself. Hackers love going after those juicy tidbits, and the more closely you guard them, the more attractive they are. Think Coca Cola recipe, Big Mac Secret Sauce or 11 Herbs & Spices…While those corporations would be big enough to keep their competitive edge after the breach, your business success relies on at least some information staying secret. It may not be a secret recipe, but your proprietary methods and databases have a black-market value all of their own.

But simply avoiding a breach doesn’t cost much at all…

The thing is, it’s not expensive to stay on top of it all and keep your business protected. For a low monthly fee, we can reverse the entire scenario and secure your systems against the unknown. That means no need to raid other department budgets in a panic, pay crippling fines, make embarrassing public announcements, or fight to retain your competitive edge.

We can help with making sure your systems have the latest security patches and your anti-virus knows the latest tricks to watch for. Our technicians can build a virtual fortress around your business that keeps the bad guys out while letting you thrive, and even monitor security with early warning systems. Whatever your needs are, both now and moving ahead, we’re here to help keep you safe while keeping your IT costs low.

Ready to secure your business against breaches? Give us a call today on 570-779-4018.

Fake Invoice

Fake Invoice Attacks Are on the Rise – Here’s How to Spot (and Beat) Them

Businesses around the world are being struck with a cyber-attack that sends victims a fake invoice that looks real enough to fool to most employees. It’s an old scam that used to see bills faxed or mailed in, but it’s made its way into the digital world and instances are on the rise.

Chances are you’ve already seen some of the less effective attempts, like an email advising your domain is expiring, except it’s not from your host and your domain is nowhere near expiration. These new attacks are more advanced, in that they look completely legitimate and are often from contractors/suppliers you actually use. Logos are correct, spelling and grammar are spot on, and they might even refer to actual work or invoice numbers. The sender name may also be the normal contact you’d associate with that business, or even a co-worker, as cybercriminals are able to effectively ‘spoof’ real accounts and real people. While it’s worrying that they know enough about your business to wear that disguise so well, a successful attack relies on you not knowing what to look for, or even that fakes are a possibility. With that in mind, here are two types of invoice attacks you might receive:

The Payment Redirect

This style of fake invoice either explicitly states payment should be made to a certain account, perhaps with a friendly note about the new details, or includes a payment link direct to the new account. Your accounts payable person believes they’re doing the right thing by resolving the invoice and unwittingly sends company money offshore. The problem usually isn’t discovered until the real invoice from the real supplier comes in or the transaction is flagged in an audit. Due to the nature of international cybercrime, it’s unlikely you’ll be able to recover the funds even if you catch it quickly.

The Malware Click – Rather than go for the immediate cash grab, this style of attack asks your employee to click a link to download the invoice. The email may even look like the ones normally generated by popular accounting tools like Quickbooks or Xero, making the click seem safe. Once your employee has clicked the link, malware is downloaded that can trigger ransomware or data breaches. While an up-to-date anti-virus should block the attack at that stage, it’s not always guaranteed, especially with new and undiscovered malware. If it does get through, the malware quickly embeds itself deep into your systems, often silently lurking until detected or activated.

How to Stay Safe

Awareness is key to ensuring these types of attacks have no impact on your business. As always, keep your anti-virus and spam filters up to date to minimize the risk of the emails getting through in the first place. Then, consider implementing a simple set of procedures regarding payments. These could include verifying account changes with a phone call (to the number you have on record, not the one in the email), double checking invoices against work orders, appointing a single administrator to restrict access to accounts, or even two-factor authorization for payments. Simple pre-emptive checks like hovering the mouse over any links before clicking and quickly making sure it looks right can also help. Like your own business, your contractors and suppliers are extra careful with their invoicing, so if anything looks off – even in the slightest – hold back on payment/clicking until it’s been reviewed. Fake invoices attacks may be increasing, but that doesn’t mean your business will become a statistic, especially now that you know what’s going on and how you can stop them.

We can help increase your security, talk to us today. Call us at 570-779-4018

Fire Employee

3 Essential Steps Before You Fire an Employee

Your employees need access to your various business accounts so they can do their job, but what happens to those passwords when you fire them? Nobody likes to think of firing their employees, or why you’d need to, but nonetheless, it’s a responsibility every business owner must face at some point. While your accounts team will no doubt be on top of stopping their paychecks, it’s important to take the same proactive stance to strip their system access.

Most of the time, the former employee leaves under good terms and you’ll wish them well. If you’re lucky, they’ll even manage hand-over to their replacement so your productivity losses are minimal. Other employees may leave your business reluctantly or in a storm of anger and suspicion. While you’ll have very different feelings about the two scenarios, the risk to your business remains high until action is taken. Here are 3 steps you can take to protect your business from retaliation and other password-related disasters.

Limit access to a need-to-know basis

You might be surprised how often a new employee is presented the entire business on a platter when their actual job requires little more than a computer login. Accounts, strategy, customer details, industry secrets…all those sensitive aspects of your business that have made it a success – exposed. A better policy is to limit access to only what the employee needs to do their job. Rather than view it as a lack of trust, your employees will appreciate the care you’ve taken to protect your business (and their job). It also helps keeps them from being overwhelmed, confused or tempted if the situation ever turns sour. Likewise, take a few moments to delete old or temporary accounts that are no longer required, as you never know when a hacker or disgruntled employee will squeeze through the gaps.

Change passwords fast

On average, it takes at least a week before passwords are changed after an employee is fired, if at all. Unfortunately, this is the one type of delay your business can’t afford. In 2017, an ex-employee from the American College of Education held their entire email system to ransom for $200,000 after an unhappy exit. Stories of others stealing client databases are also common, especially as they leave to start their own business or work for a competitor. It’s not just full-time employees either, contract and part-time employees such as social media managers and customer support email specialists often have access to more of your business than you might imagine. Recent rulings make it easier for business owners to prosecute former employees who access their systems, however as we know, it only takes seconds to login and wreak absolute havoc. Knowing you can force those bad eggs into a lengthy court case is poor comfort considering the extent of damage you’ll likely endure. The best option is to change passwords fast – even before your employee knows they’re fired. This lessens the chance of revenge attacks and opportunistic access.

Use a password manager

If you have good password manager like LastPass, reducing your risk becomes mostly automated. You’ll be able to keep your logins in a central vault that only you can see, and share based on business roles/need. There’s even an option to share passwords without letting employees see them in plain-text. Instead of writing passwords down somewhere and manually entering them each time, they’ll be able to connect securely with a click. Plus, you can revoke the share at any time. If their role changes or they’re fired, you can use the dashboard to see who is having access to what and add/revoke at will. If you’re not sure what that employee has been up to, you can also generate reports of their history.

We can help you set up password management and lock down your network. Call us at 570-779-4018!