Tag: password

The Top 5 IT Security Problems for Businesses

Companies that suffer security breaches nearly always have one of these IT security problems. Is your company guilty of any of them?

No Backups

A shocking number of businesses are not backing up their data properly. According to market research company Clutch, 60 percent of businesses who suffer a data loss shut down within six months.

Not only should every business fully back up its data, but those backups should also be regularly tested to confirm they work. It’s a step that businesses miss surprisingly often. Many businesses don’t find out that their backup can’t be used until it’s already too late.

Reactive and not proactive

The world is constantly changing. The IT world doubly so. Attackers are always figuring out new ways to break into businesses, hardware evolves faster than most can keep up, and old systems fail due to wear and tear far quicker than we would like. A huge number of businesses wait until these issues impact them directly before they respond. The result is higher costs, longer downtime, and harder hitting impacts.

IT can be done the right way: respond to hardware warnings before the hardware fails, fix security holes before they’re exploited, and upgrade systems before they are out of date. Being proactive about your IT needs means systems don’t have to break or be compromised before they are fixed. The result for your business is less downtime, fewer losses, and lower IT costs.

Weak Passwords

A surprising number of people will use the password “password” to secure some of their most important accounts. Even more will write their password on a post-it note next to their computer. In some cases, people will even use no password at all. Strong passwords act not only as a barrier to prevent unwanted entry, but as a vital accountability tool too. When system changes are made, it’s often essential that the account that made the changes is tied to the right person.

With an insecure password or, worse, none at all, tracking the individual responsible for reports or accountability becomes impossible. This can result in auditing disasters on top of technical ones.

Insufficient Staff Training

Humans in the system are commonly the weakest point in IT security. Great IT security can be a bit like having state-of-the-art locks on a door propped open with a milk crate. If staff aren’t trained to use the lock, it’s worth nothing at all.

Oftentimes, businesses can justify spending big on the latest and greatest IT defenses. The very same firms may exceed their budget and spend almost zero on training staff to use them. In this instance, a little goes a long way. Security training can help staff to identify a threat where it takes place, avoiding and mitigating damage, often completely.

Weak Data Controls

Some companies can take an ad-hoc, fast and loose approach to storing professional data. Often crucial parts can be spread across many devices, copied needlessly, and sometimes even left unsecured. Client data can be found regularly on employee laptops, mobile phones, and tablet devices. These are famously prone to being misplaced or stolen out in the field along with vital client and security data.

It can be easy for both employees and firms to focus on the costs of devices and hardware purchased for the business. The reality is that the data held on devices is almost always worth many times more than the device that holds it. For many firms, their approach to data hasn’t been changed since the firm was first founded. Critical data is often held on single machines that haven’t been updated precisely because they hold critical data. Such machines are clearly vulnerable, outdated, and prone to failure.

Common problems with simple solutions

Each of these common issues has a simple solution to secure against IT failure. With a professional eye and expertise in the field, every business should be defended against IT issues that risk the firm.

If you need help securing your IT to protect your business, give us a call at 570-779-4018.

How Losing a Mobile Device Puts Your Entire Business at Risk

Losing a mobile phone or laptop is an experience that everyone dreads. The expense and inconvenience of buying a new device is unpleasant, but only represents a fraction of the damage done when a device is misplaced. The cost of data contained within every device can add up to many times more than the total value of the device itself.

Chances are, you already use automatic login on a large variety of online services. Each of these services is vulnerable to an attacker who has possession of your device.

Usernames and passwords – An obvious place for an attacker to start is the likely long list of usernames and passwords saved for future use by your browser. This is often done to save time when logging into sites that you visit often. Almost universally, people opt to save login information so that they don’t have to attempt to remember it every time they return.

In only a short amount of time, a browser is trained to log in to your Facebook, cloud storage, and bank details just by visiting the page using your regular device. These details, called up by the browser, are saved in a single list accessible to anyone with access to the device. For an unscrupulous stranger with a found device, this list represents a goldmine of information. Simply by finding a phone misplaced in public they may gain access to a huge array of services.

The problem can be made many times worse where a single password or a combination of similar passwords have been used across several accounts. In some instances, an attacker need only gain access to a single one and reuse the same stolen credentials across many sites and services.

Email – Email accounts are a key target for attackers looking for access to your personal information. It is a service that many take for granted, logging in once the first time they set up the device and using automatic login every time after. It is a service that also unlocks a great deal more than just private messages. Of course, an attacker having free access to read your personal emails is bad news, but with email access a malicious user can gain access to many of the most commonly used web services online.

Using the “forgotten password” button on many sites triggers a response that emails a password reset link to the email address registered on file. An attacker may use this feature to reset account passwords to one of their choosing. Doing this both grants themselves access to your account and denies you access to rescue it.

Contacts – One of the best features of instant messaging is that your contacts know the messages come from you. When a message is sent from your device to someone you know it displays along with your name, details, and likely a photograph too. This can lead to identity theft, one of the biggest concerns of a lost or stolen device.

With contact information already programmed in an attacker has an opportunity to impersonate you when speaking to anyone in your contacts list. Using your identity, an attacker may attempt to steal yet more details about you and your contacts.

Social Media – Your social media accounts are often the face of your brand. They can be a primary way to reach out and contact customers. They are almost always the first point of contact a client has with your business. They are also extremely vulnerable to being hijacked from a stolen device.

Fraudulent social media access can allow attackers to harvest both client and business data. Even without profiting directly, posting privileges can be used to cause irreversible damage to a business.

Protecting your business – Services, accounts, and entire businesses can be put in great danger by something as simple as misplacing an unsecured mobile phone or laptop computer.

We can help you to stay secure and remain in control even in the face of losing a device. Give us a call at 570-779-4018 and let us help secure your business.

How to Securely Dispose of Old Computers

Getting new computers for your business is exciting, but what happens to the old ones? Depending on the age, some people sell them, others throw them out. That’s the easy part. The problem is the sensitive data on them. There are passwords, account numbers, license keys, customer details, medical information, tax returns, browser history… the works! Each computer, whether laptop, tablet or desktop, contains a treasure trove of sensitive information that cybercriminals would love to get their hands on.

Unfortunately, hitting delete on your files doesn’t actually make them disappear, nor does waving a strong magnet over the drive. These mistakes have cost businesses millions of dollars over the years.

Most businesses are unaware that specialized data cleanup is necessary; others think calling someone to collect the computers will cover all the bases. A 2016 experiment proved just how dangerous the situation can be: the experimenters bought 200 used hard drives and found 67% held unwiped, unencrypted sensitive data, including sales projection spreadsheets, CRM records, and product inventories. Frighteningly, they didn’t need any special hacking skills to get this data; it was all right there and helpfully labeled. It’s also not surprising that, with simple data recovery tools, people have been able to access British NHS medical records and missile data, all waiting patiently on a discarded hard drive.

Why hitting delete doesn’t help

Data on a hard drive works like a book with an index page. Every time data is written, it pops a quick entry into the index so when you need it again, it knows where to look. The index is used for files you create as well as system files you can’t even see. Sensible, right? Except if you delete a file it’s more like changing the index to say nothing is on page 10 and you can write something else there when you’re ready. But if you manually flip to page 10, you’ll find the information is still there – the file still exists until it’s been written over – it’s the index reference that got deleted.
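The book-and-index analogy above can be run as a small model. This is an added example, not code from the original article: `ToyDrive`, its 16-byte blocks and the sample file contents are constructed for illustration and do not describe any real filesystem. It shows what an ordinary delete leaves behind, what survives when a freed block is only partly reused, and what a free-space overwrite removes.

```python
"""Toy drive: an index over fixed-size blocks (constructed model, not a real filesystem)."""

BLOCK_SIZE = 16


class ToyDrive:
    def __init__(self, num_blocks):
        self.blocks = [bytes(BLOCK_SIZE)] * num_blocks   # the "pages" of the book
        self.index = {}                                   # name -> (block numbers, length)
        self.free = list(range(num_blocks))               # blocks the index calls empty

    def write_file(self, name, data):
        """Store data in the lowest free blocks and record them in the index."""
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        if len(chunks) > len(self.free):
            raise OSError("drive full")
        used = []
        for chunk in chunks:
            n = self.free.pop(0)
            self.blocks[n] = chunk.ljust(BLOCK_SIZE, b"\x00")
            used.append(n)
        self.index[name] = (used, len(data))

    def read_file(self, name):
        used, length = self.index[name]
        return b"".join(self.blocks[n] for n in used)[:length]

    def delete_file(self, name):
        """Ordinary delete: only the index changes; block contents stay put."""
        used, _ = self.index.pop(name)
        self.free = sorted(self.free + used)

    def wipe_free_space(self):
        """Overwrite every block the index considers empty."""
        for n in self.free:
            self.blocks[n] = bytes(BLOCK_SIZE)


def unallocated_residue(drive, markers):
    """Return the markers still readable in blocks that no file owns."""
    raw = b"".join(drive.blocks[n] for n in drive.free)
    return [m for m in markers if m in raw]


def demo():
    drive = ToyDrive(num_blocks=8)
    # Constructed sample data: 26 bytes, so it spans two 16-byte blocks.
    drive.write_file("customers.csv", b"acct=4417;name=Ann Example")
    drive.write_file("notes.txt", b"lunch at noon")
    markers = [b"acct=4417", b"nn Example"]   # one marker per block of the old file

    drive.delete_file("customers.csv")
    after_delete = unallocated_residue(drive, markers)

    drive.write_file("new.txt", b"hello")     # reuses only the first freed block
    after_reuse = unallocated_residue(drive, markers)

    drive.wipe_free_space()
    after_wipe = unallocated_residue(drive, markers)
    return after_delete, after_reuse, after_wipe, drive.read_file("notes.txt")


if __name__ == "__main__":
    for label, value in zip(("delete", "reuse", "wipe", "live file"), demo()):
        print(label, value)
```

The same residue check, run against the unallocated space of a real drive image with markers taken from known business records, is one way to confirm a wipe before a machine leaves the building.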

Wiping data before disposal

There are software tools you can get to do it yourself, as well as dedicated security firms, but your best option is to choose an IT business you know and trust. With that in mind, a methodical approach is required to ensure not a single drive is left untreated. You don’t want to leave data behind, or even clues that a motivated person could extrapolate any private information from. The approach might include using checklists to maintain security, or dedicated processes to guide each step in decommissioning. Careful records should also be kept, including who signs off on completion of the retirement, and where the computers are sent afterwards. A proper inventory and auditing process may slow the rollout of the new computers slightly, but it’s always better than having your old data come back to haunt you.

We can migrate any needed data, backup the information to your server or external drive, then wipe or destroy the hard drives for you. We can assess the age of your old computers and either dispose of them for you or point you in the right direction of computer recyclers. Plus, the quicker you dispose of your old computers, the easier the process will be. Recyclers will be able to send less of your equipment to landfill, and you’ll be less likely to forget how valuable the drive contents are.

Upgrading your business computers should be a happy time for you and your employees, so with a little forward planning, you’ll be able to keep everyone smiling and all your data secure.

Need help with your old hardware? Call us today at 570-779-4018

Why Periodic Security Assessments Should Be Your New Normal

By now you know that building up your cyber security is just as important as building up your cash flow. Both are essential to your success, but while most businesses keep an eye on the financials, they tend to think cybersecurity is something they can set and forget. Unfortunately, cybercriminals are constantly coming up with new methods of attack and the security you had in place yesterday may not be sufficient today.

Instead of reacting to breaches and taking on the costs of downtime, lost files and destroyed trust, a periodic security assessment can identify blind spots that place you at risk. Once you know about these problems, you’re able to proactively set up adequate protection before cybercriminals strike. It’s best to use independent IT experts who can audit your security from an outside perspective, often seeing risks that would otherwise be missed.

Regulations change – Are you affected?

Many businesses are held to strict government regulations around the way they store, process and protect data. Their operating license depends on staying as secure as possible. All regulations require regular security assessments but they vary in scope and timeframe. As regulations change, so do the security assessment requirements. You can imagine how much stricter they are now compared to just 5 years ago. Our team can ensure your business is meeting the relevant regulations, diving deep to be certain you’re safe.

Security patches and updates are vital

It’s so easy to fall behind on your security patches. After all, it seems like there’s a new update every week and each one takes precious time to apply. What we’re seeing, though, is that cybercriminals are targeting any business running late, and it’s basically easy pickings for them. If you’re unpatched where it counts, it’s like inviting them in. When we conduct your security assessment, we take a look at your history, see if your business has a robust patch plan in place, and make sure you’re up to date. If there’s an issue that’s placing you at risk now, impacted you in the past, or will in the future, we’ll find it.

Viruses are always evolving

Just like the human variety, computer viruses are nothing to welcome into your workplace. They’re constantly evolving to skip past anti-virus scans and do damage in new and interesting ways. Cybercriminals know people are more aware of the traditional infection methods like downloading an attachment or inserting an infected USB, so they’re getting more and more creative. Your security assessment doesn’t just include ticking that you have the latest anti-virus, it includes identifying where you’ve had the most breach attempts and where your biggest vulnerabilities are. This type of precise awareness has a lasting impact on reducing your risks.

Your business may have changed

As your business has grown over the years (or shorter if you’ve experienced a recent surge), your entire setup has changed. More employees, expanded remote access, additional vendors, supplementary locations…the list really is endless. With each change has come a new risk, particularly if your security has been growing around you. It might be that your password policies haven’t been updated since you began, or that you still have the old voicemail system even though phones are within easy reach of customers. This is perhaps one of the most useful areas a security assessment can help with, as you and your employees are accustomed to the business working in a certain way, whether that way leads to risk or not. Our experts will be able to see things from a different perspective, particularly as we make sure to think the same way a cybercriminal would.

What to do with your assessment results

While many experts might present you with a long list of problems and leave you feeling overwhelmed, our team ensures you have a benchmark for progress. You’ll know exactly what you need to do, how we can help, and perhaps most importantly, which actions take priority. Moving ahead, future security investments will be smarter as you focus on the high-payoff areas. You’ll also know exactly what you’ve done well and where your security strengths lie. Employees will see how much you value security, which helps to create a stable culture, and you’ll be able to report your commitment to customers, confirming they’re making the right choice by staying with you.

Book your security assessment today. Call us at 570-779-4018

3 Essential Steps Before You Fire an Employee

Your employees need access to your various business accounts so they can do their job, but what happens to those passwords when you fire them? Nobody likes to think of firing their employees, or why you’d need to, but nonetheless, it’s a responsibility every business owner must face at some point. While your accounts team will no doubt be on top of stopping their paychecks, it’s important to take the same proactive stance to strip their system access.

Most of the time, the former employee leaves under good terms and you’ll wish them well. If you’re lucky, they’ll even manage hand-over to their replacement so your productivity losses are minimal. Other employees may leave your business reluctantly or in a storm of anger and suspicion. While you’ll have very different feelings about the two scenarios, the risk to your business remains high until action is taken. Here are 3 steps you can take to protect your business from retaliation and other password-related disasters.

Limit access to a need-to-know basis

You might be surprised how often a new employee is presented the entire business on a platter when their actual job requires little more than a computer login. Accounts, strategy, customer details, industry secrets… all those sensitive aspects of your business that have made it a success are exposed. A better policy is to limit access to only what the employee needs to do their job. Rather than view it as a lack of trust, your employees will appreciate the care you’ve taken to protect your business (and their job). It also helps keep them from being overwhelmed, confused or tempted if the situation ever turns sour. Likewise, take a few moments to delete old or temporary accounts that are no longer required, as you never know when a hacker or disgruntled employee will squeeze through the gaps.

Change passwords fast

On average, it takes at least a week before passwords are changed after an employee is fired, if at all. Unfortunately, this is the one type of delay your business can’t afford. In 2017, an ex-employee from the American College of Education held their entire email system to ransom for $200,000 after an unhappy exit. Stories of others stealing client databases are also common, especially as they leave to start their own business or work for a competitor. It’s not just full-time employees either: contract and part-time employees such as social media managers and customer support email specialists often have access to more of your business than you might imagine. Recent rulings make it easier for business owners to prosecute former employees who access their systems; however, as we know, it only takes seconds to log in and wreak absolute havoc. Knowing you can force those bad eggs into a lengthy court case is poor comfort considering the extent of damage you’ll likely endure. The best option is to change passwords fast – even before your employee knows they’re fired. This lessens the chance of revenge attacks and opportunistic access.

Use a password manager

If you have a good password manager like LastPass, reducing your risk becomes mostly automated. You’ll be able to keep your logins in a central vault that only you can see, and share them based on business roles and need. There’s even an option to share passwords without letting employees see them in plain text. Instead of writing passwords down somewhere and manually entering them each time, they’ll be able to connect securely with a click. Plus, you can revoke the share at any time. If their role changes or they’re fired, you can use the dashboard to see who has access to what and add or revoke access at will. If you’re not sure what that employee has been up to, you can also generate reports of their history.
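The three steps above can be turned into a check that is run on the day access is supposed to end. This is an added example, not part of the original article and not the API of LastPass or any other product: the record layout (`shared_with`, `ever_shared_with`, `rotated_at`), the user names and the dates are all constructed, standing in for whatever your directory and password manager can export.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Finding:
    user: str
    item: str
    issue: str
    hours_exposed: float


def audit_offboarding(access_ended_at, accounts, credentials, now):
    """List access a departed person still holds, in a stable order.

    access_ended_at maps each departed user to the moment their access was
    meant to stop, which may be before they were told.
    """
    findings = []
    for user, ended in sorted(access_ended_at.items()):
        hours = round((now - ended).total_seconds() / 3600, 1)
        if accounts.get(user, {}).get("enabled", False):
            findings.append(Finding(user, "login:" + user, "account still enabled", hours))
        for name, cred in sorted(credentials.items()):
            if user in cred["shared_with"]:
                # A live share hands over every future password too.
                findings.append(Finding(user, name, "share not revoked", hours))
            elif user in cred["ever_shared_with"] and cred["rotated_at"] < ended:
                findings.append(
                    Finding(user, name, "password not rotated since departure", hours))
    return findings


def sample_findings():
    # Constructed sample: "dana" was let go exactly one week before the audit.
    access_ended_at = {"dana": datetime(2024, 5, 10, 9, 0)}
    accounts = {"dana": {"enabled": True}, "lee": {"enabled": True}, "sam": {"enabled": True}}
    credentials = {
        "facebook-page": {            # share removed, old password still valid
            "shared_with": {"lee"},
            "ever_shared_with": {"dana", "lee"},
            "rotated_at": datetime(2024, 1, 15, 12, 0),
        },
        "support-mailbox": {          # password changed, but dana is still on the share
            "shared_with": {"dana", "sam"},
            "ever_shared_with": {"dana", "sam"},
            "rotated_at": datetime(2024, 5, 10, 10, 0),
        },
        "bank-portal": {              # never shared with dana: need-to-know held
            "shared_with": {"sam"},
            "ever_shared_with": {"sam"},
            "rotated_at": datetime(2023, 11, 2, 8, 0),
        },
    }
    return audit_offboarding(access_ended_at, accounts, credentials,
                             now=datetime(2024, 5, 17, 9, 0))


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.user:6} {f.item:16} {f.issue} ({f.hours_exposed} h exposed)")
```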

We can help you set up password management and lock down your network. Call us at 570-779-4018!

Apple devices and Macs get malware!!

I don’t like picking on Macs… Oh, wait. That is a lie. I do like picking on Macs because I am tired of hearing “Apple’s don’t get viruses or malware.” This is absolutely not true!

There hasn’t been a serious ransomware outbreak on Mac, but that doesn’t mean one isn’t coming. There are a few ransomware programs in the wild, and there has been increased activity in the Mac security sector just like there has been in the PC world. Other malware and scam software are out there and on the rise. “Our tracking of Mac malware has seen a more than 220 percent increase in malware so far in 2017 over 2016,” said Malwarebytes. The main reason that Mac desktops and laptops seem to not be affected is that they are only about 7% of computer users. They are a much smaller target, so there are fewer malicious programs out there. That doesn’t mean they don’t exist. They will still steal your data if they can. With RaaS (Ransomware as a Service) and cross-platform malware, it is becoming easier for the bad guys to target whatever they want. They don’t even have to be proficient at programming anymore. And with an attitude like “we don’t get malware,” you might be easy pickings.

Beyond that, you are also just as likely to lose your online data as a PC user! Just because you are browsing the internet from your Mac doesn’t mean things like the Yahoo and Equifax data breaches will not affect you. You still need to be vigilant in the cloud and protect your personal information.

Protect yourself and your Mac

  • Backup your data – Onsite, Offsite and Cloud
  • Keep your software and OS up to date
  • Don’t use unapproved software
  • Use an extra anti-malware solution
  • Be wary of unknown websites and unsolicited email
  • Use strong passwords and 2FA (two-factor authentication) wherever you can
  • Use a standard account over an admin account for everyday use
  • If you have a laptop, consider full disk encryption

We offer backup, monitoring, and antimalware solutions if you use Apple products in your business. Let us know how we can help!

4 Simple Tips to Keep Your Internet Banking Safe

Online banking has boomed in the past few years to become the new norm. Branches are out and apps are in. Half the time when you visit a branch, you’re steered towards a computer for a DIY transaction – with optional assistance. But is internet banking really safe? You’re always told to keep your financial details private, but now also to jump on board the online banking train – talk about a push/pull scenario! The good news is you CAN bank safely online with a few simple precautions.

Always type in the website address

Many attackers will attempt to trick you into clicking a fake link to your bank website. Usually sent as a ‘phishing email’, they’ll claim there’s a problem and ask you to click through to your bank and correct it ASAP. The link points to a fake website that looks almost exactly like your real bank site and is recording your private account info. You can avoid scams like this simply by accessing your bank by manually typing in the website or using a bookmark.

Avoid public computers and networks

Jumping onto a PC at the library or mall might seem like a quick and easy way to check your account, but public computers are often targeted by scammers. In just a few moments, they can install keyloggers to record usernames, passwords and other private data, then sit back as all future user details are emailed to them. The same problem applies with free, unsecured Wi-Fi. You’re better off using an ATM or a data-enabled smartphone.

Use a strong password with 2-factor authentication

Create a unique password for your online banking, something you’ve never used anywhere else. Mix up words, numbers and symbols to create a complex password that can’t be guessed easily. Avoid giving attackers a head start with data they can find on Facebook, like kids’ names, pet names, birthdates, etc., and really think outside the box. And of course, never write it down anywhere near your wallet, phone or computer. If remembering is likely to be an issue, you might like to consider a secure password manager app. Many banks will also help boost your security with two-factor authentication, sending random codes to your phone (or a special LCD device they provide) to verify any activity.

Check page security before entering data

Finally, take a micro-second to spot the small padlock icon before you enter any data. You’re looking for a padlock appearing as part of the browser itself, not just an image on the webpage. It will be either in the bottom corner or next to the URL. The address will also start with httpS:// instead of http://. If you don’t see these things, the page is NOT secure and you shouldn’t log in.

Everything You Need to Know About Facebook Privacy

Finding the balance between Facebook privacy and Facebook fun can be challenging. It’s a double-edged sword that allows us to connect with friends no matter where they live, but it also publicly shares information that, just a few years ago, we’d never dream of putting online. You can search for people based on where they went to school, the town they live in, the clubs they belong to, and who they’re related to, but when is it too much?

Your birthday is the first piece of info collected when you sign up, and it’s great getting birthday wishes from friends and family when it appears in their newsfeed. But while Facebook is sending you balloons and funny memes, your birthday is now public knowledge. It seems harmless, but when you call your bank or other institution, what’s the first question they ask to verify your identity? Your birthday! Some password recovery systems even ask questions like “which high school did you go to?” assuming this is knowledge that only you would know. Except you’ve just publicly shared it on Facebook. Whoops!

We’ve all heard stories of people who’ve lost their jobs after less-than-wholesome pictures or statements have gone public. If you have a reputation to keep, you definitely don’t want pictures from last weekend’s private party showing up, especially if you really let your hair down. While you can’t control what others do with photos they take of you, you can control whether or not you’re tagged in them.

Fortunately, there are settings in Facebook that allow you to control who sees what information and what happens when you are tagged. Despite what you may have heard or seen floating around in a Facebook share hoax, you do have complete control over your Facebook privacy, and it’s easy to adjust.

How to Check and Adjust Your Facebook Privacy Settings

See what your account looks like to an outsider

From your Facebook homepage, click your name on the blue bar at the top of the page. Click the three dots next to “View Activity Log” and then select “View as”.

Run a quick privacy checkup

Click the question mark in the top right corner and choose privacy checkup.

Think about what you really need to share: do people need to know the YEAR of your birth or just your birthday? Your friends will still get the notification, and you’ll still get the balloons.

Edit advanced privacy

While the checkup covers the most obvious info, you can go much deeper. Click the V-shaped dropdown to the right of the question mark. Go to settings and choose privacy.

Adjust timeline and tagging

In the privacy settings, you can explicitly control who can tag you, who can see or share the tagged content, and what shows up on your newsfeed.

Tightening your Facebook privacy only takes a few minutes, but it can save you a whole lot of trouble in the future.

If you need help with this, just give us a call!

Cyber Security: 4 Ways to Travel Safe For Business

Working from anywhere is now as simple as accessing the internet on your device. Managers, owners, and employees are all embracing the flexibility of working while traveling, making it the new global norm. But while you were in the office, you were protected by professionally designed firewalls, security infrastructure, and robust software. As soon as you step away from the building, those protections disappear, leaving your device and the data inside at great risk.

Cyber attackers love to collect any data they can obtain, often preferring to hack first, assess value later. It doesn’t help that almost all data can be sold, including your personal details, those of your clients and suppliers, as well as your proprietary business data. These days, the information stored on your device is usually worth much more than the device itself.

Here are 3 ways a hacker will attack:

Flaunting Opportunity: Whether your employee left their laptop at a café or a thief stole the phone from their pocket, the outcome is the same – that device is gone. Hackers will take advantage of any opportunity to gain access to a device, including taking them from hotel rooms and even asking to ‘borrow’ them for a few minutes to install spyware, before handing it back.

Spoofing a Wi-Fi Hotspot: We’ve all come to expect free Wi-Fi networks wherever we go. Hackers will take advantage of this trust to create their own free, unsecure network, just waiting for a traveler to check a quick email.

Intercepting an Unsecure Network: Hackers don’t need to own the Wi-Fi network to steal content from it. Data traveling across an unsecure network is visible and available to anyone with the right software.

It’s okay, you don’t need to lock all employees inside the building or cancel all travel plans. Taking these four precautions will increase cyber safety and help protect your business data while on the go.

  1. Make a backup before you travel: In the event your device is lost or damaged, you’ll be able to replace the device with a new one and quickly restore all the data from a backup, all with minimal downtime.
  2. Don’t use public Wi-Fi: Wait until you have access to a secure network before going online – even just to check email.
  3. Use passwords and encryption: At a minimum, make sure you have a password on your device, or even better, have full drive encryption. That way, even if your data storage is removed from the device, the contents are inaccessible.
  4. Act fast after loss: If your device is lost or stolen, immediately notify the appropriate people. This might include your IT provider so they can change passwords, your bank so they can lock down accounts, and any staff who need to be aware of the breach so they aren’t tricked into allowing further breaches.

Need help with mobile cyber security? Call us at 570-779-4018

What to do if you think you have been hacked

What should you do if you think you have been hacked? Is there a new big site that has been hacked in the news? Not a surprise. What about those small sites that don’t even know they have been hacked that never make the news? Is something strange going on with one of your accounts?

First and foremost, change your passwords. If you use the same password for your e-mail as your hacked account, change it immediately before doing anything else. You should use different passwords for different accounts. Especially your e-mail account!

How do you know?

Check your account activity. Does your account say you have done something or purchased something that you know you did not? Has your contact information or any other settings been altered in any way?

Check your inbox and deleted items.  Have you signed up for new services that you don’t remember signing up for?

Is your computer or device running slower than usual or behaving in odd ways? Use a malware scanner and virus scanner to check your devices thoroughly.

These could all be signs that you have been hacked. Even if none of these signs appear in your accounts or on your computer, if you know you logged into one of those big sites in the news, reset your passwords anyway.

Reset your passwords

Make sure you use different complex passwords at each site.  Especially your e-mail account! Did I type that already?  Of course, I did! It is important. One of the easiest ways to keep track of and generate complex passwords is with a password manager.  Check our password manager article out here. Password managers like LastPass can be integrated into your workplace.  I still love LastPass and even use it on my phone now. If you used unique complex passwords at all your sites, you would only have to worry about the hacked one.

Not sure what password to use or what is a complex password?  Try these links:  Microsoft password checker, Password Generator

Use two-factor (2FA) authentication whenever possible. You should be thinking about your email here! Most of the big free email providers offer some level of 2FA. Also, consider using biometrics to ease the pain of entering passwords.

If it is too late and someone else changed your passwords, most of the major services have a system to recover your accounts. Remember that part about 2FA and using a different password for your e-mail? Well, here is where it can really help, since most of these services send a link to your email.

Let other people know

You should let your contacts know you think you have been hacked. One of the ways hackers attempt to use your hacked accounts is by sending messages or e-mails to people who trust you. They are more likely to follow a link or believe something you sent.

De-Authorize your apps

If you were hacked, there is a good chance the hacker logged into a device and authorized apps too. This means even if you change your password, they will still have access. You can usually find this feature under the security settings of the service you allowed access to. Here are links to the big ones: Google, Facebook, and Twitter.