IT Security Tip #41: Never use PERSONAL devices to connect to COMPANY data
You’re a hardworking team player who likes to check e-mail and get a few things done after hours – all good! But here’s something you might not know: you should never access company data, file servers or applications through personal devices and home PCs that are not properly monitored by us. Why?
If you and your kids are using a home PC to play games, access Facebook and surf the web AND you’re not diligently updating and monitoring the antivirus software, firewall and security patches on the machine (and who does, honestly?), then there’s a real chance it’s already infected with spyware or malware. Since most malware is designed to run silently and stay undetected, you won’t know that some hacker is watching you log in to your company’s file server or key cloud application containing critical, sensitive data and capturing your login with a key logger. Bottom line, ONLY use company-approved devices that are properly protected and monitored to access company data; and if you just can’t help but take work home, let us know so we can set you up with a SECURE way to work remote or from home.
IT Security Tip #42: Bookmark the LEGITIMATE websites you frequently visit
Here’s a sneaky trick used by many hackers, known as typosquatting: they register a domain that is a close misspelling of a legitimate one and put a look-alike copy of the real site on it. Example: www.faceboook.com instead of www.facebook.com. All you have to do is accidentally fat-finger ONE letter in the URL and up pops a very legitimate-looking fake copy of the site you were trying to get to; the login form captures whatever you type into it, and the links lead to malware downloads. Bookmark the real site once (or let a password manager remember it; it will only fill in your credentials on the exact address it saved) and use the bookmark instead of retyping the address every time. This is particularly important for any social networks you belong to and for your online banking.
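Here is a short Python script, added as an example for this tip (it is not part of the newsletter, and the bookmark list in it is made up), that does the comparison a careful reader does by eye: it takes the address you landed on and reports whether it is one typo away from a domain on your bookmark list, catching an added, dropped, swapped or substituted letter.

```python
"""Flag a hostname that is one typo away from a bookmarked domain.

Added example (not from the original newsletter). TRUSTED stands in for the
reader's own bookmarks and is a constructed list.
"""
from urllib.parse import urlsplit

TRUSTED = {"facebook.com", "example-bank.com", "mail.example.com"}


def host_of(url: str) -> str:
    """Lower-cased host of a URL; a bare 'www.site.com' is accepted too."""
    if "//" not in url:
        url = "//" + url
    return (urlsplit(url).hostname or "").lower()


def edit_distance(a: str, b: str) -> int:
    """Minimum insertions, deletions, substitutions or adjacent swaps to turn a into b."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = min(prev[j] + 1,               # delete ca
                       cur[j - 1] + 1,            # insert cb
                       prev[j - 1] + (ca != cb))  # substitute (or match)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cost = min(cost, prev2[j - 2] + 1)  # swap two adjacent characters
            cur.append(cost)
        prev2, prev = prev, cur
    return prev[-1]


def classify(url: str) -> str:
    """'trusted', 'lookalike of <domain>', or 'unknown'."""
    host = host_of(url)
    bare = host[4:] if host.startswith("www.") else host   # compare without www.
    if host in TRUSTED or bare in TRUSTED:
        return "trusted"
    for good in sorted(TRUSTED):
        if edit_distance(bare, good) == 1:
            return f"lookalike of {good}"
    return "unknown"


if __name__ == "__main__":
    for u in ("https://www.facebook.com/", "http://www.faceboook.com/login",
              "https://fcaebook.com", "https://github.com"):
        print(f"{u:40} {classify(u)}")
```

Run it and www.faceboook.com comes back as "lookalike of facebook.com". It only catches single-character typos of names on your own list; it will not spot look-alike letters from other alphabets or a fake that adds a word (such as facebook-login), which is exactly why the bookmark beats any after-the-fact check.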
IT Security Tip #43: If you installed it, you must update it!
There are thousands of hackers who get up every morning with ONE goal in mind: to find a new vulnerability in commonly installed software (like Adobe Reader, Flash or QuickTime) to access your computer. That’s why these companies frequently issue patches and updates for KNOWN security bugs; and once a vulnerability becomes public through a patch, attackers compare the patched and unpatched versions to work out exactly what was fixed, then go after everyone who is slow about installing the update. That’s why it’s important to update installed software programs as soon as possible, and to turn on automatic updates wherever the software offers them.
Of course, if you’re a client of ours, we’re monitoring your network for these updates and handling them for you; but your home computers, smartphone and other devices that may NOT be under our protection probably need a little attention.
IT Security Tip #36: Working from home? DON’T! Until you read this…
If you plan on catching up on some work from home AND you’re using a personal device such as a smartphone or personal laptop – DON’T! Unless your personal device is monitored by us, you could accidentally introduce a virus to the company’s network.
ONLY devices that are under our vigilant watch of patching, updating and monitoring should be used to work remote. Side Note: We can set up a way for you to work from home securely; call our office if you would like us to set that up: 505-792-2375.
IT Security Tip #37: Use STRONG passwords!
Thanks to powerful password-cracking software readily available online, an attacker can try millions of guesses per second on an ordinary PC, and far more against a stolen copy of a password database. At a million guesses per second, every possible five-character password made from the 94 printable keyboard characters can be tried in under three hours. If you only use lowercase letters, it’s 11.9 seconds.
You KNOW you need a better password than “password” or “letmein” if you have any hope of keeping hackers out of your PC; but what does a “strong” password mean? A good password should be at least eight characters long (the longer the better, since every extra character multiplies the attacker’s work) and use a combination of uppercase and lowercase letters, numbers and symbols. Don’t take a dictionary word and dress it up with a capital letter and a few numbers or symbols on the end (like Password123#). Even though it meets the requirements we just discussed, it’s easily cracked: cracking software tries every word in its dictionary with exactly those kinds of changes applied, and it runs 24/7/365. If you want a quick tip for remembering your password, use a phrase and work letters, numbers and symbols into it, like $h@KeNb8ke; and never reuse that password on another site.
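To show why Password123# fails even though it ticks every box, here is a small Python checker added as an example (it is not part of the newsletter). It estimates how long a brute-force run at a million guesses per second would take, and then does what cracking tools do: strips the “123#”-style trimmings, undoes common letter-for-symbol swaps, and looks the remainder up in a word list. The word list here is a tiny constructed stand-in for the multi-million-entry lists real tools use.

```python
"""Brute-force time and mangled-dictionary check for a candidate password.

Added example, not from the original tip. WORDLIST is a tiny constructed
stand-in for the multi-million-entry lists real cracking tools use.
"""
import re
import string

WORDLIST = {"password", "letmein", "welcome", "qwerty", "secret", "summer"}
# Common "leet" substitutions, undone before the dictionary lookup.
UNLEET = str.maketrans({"@": "a", "4": "a", "3": "e", "!": "i",
                        "0": "o", "$": "s", "5": "s", "7": "t"})
AFFIX = re.compile(r"^[^A-Za-z]+|[^A-Za-z]+$")   # leading/trailing digits and symbols


def keyspace(pw: str) -> int:
    """Alphabet size an attacker must assume from the character classes actually used."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)   # the 32 keyboard symbols
    return size


def seconds_to_exhaust(pw: str, guesses_per_second: float = 1e6) -> float:
    """Worst-case time to try every password of this length over this alphabet."""
    return keyspace(pw) ** len(pw) / guesses_per_second


def dictionary_base(pw: str):
    """The dictionary word hiding behind 'Password123#'-style mangling, or None."""
    candidates = (
        AFFIX.sub("", pw).translate(UNLEET),   # strip '123#' first, then un-leet
        AFFIX.sub("", pw.translate(UNLEET)),   # un-leet first ('$ecret1' -> 'secret')
    )
    for cand in candidates:
        word = re.sub(r"[^a-z]", "", cand.lower())
        if word in WORDLIST:
            return word
    return None


def assess(pw: str, guesses_per_second: float = 1e6) -> dict:
    """Length, character-class and dictionary checks plus a brute-force estimate."""
    issues = []
    if len(pw) < 8:
        issues.append("shorter than 8 characters")
    if keyspace(pw) < 62:          # any three classes add up to at least 68
        issues.append("fewer than three character classes")
    word = dictionary_base(pw)
    if word:
        issues.append(f"dictionary word '{word}' with simple mangling")
    return {"seconds": seconds_to_exhaust(pw, guesses_per_second),
            "issues": issues, "ok": not issues}


if __name__ == "__main__":
    for pw in ("abcde", "Password123#", "$ecret1", "$h@KeNb8ke"):
        print(pw, assess(pw))
```

Password123# comes back with a brute-force estimate of centuries and still fails, because the dictionary check finds “password” underneath it; that is the gap between “meets the rules” and “strong”. The checker only undoes one word plus trimmings; a real cracker also tries two-word phrases, keyboard patterns and every password leaked in past breaches, so treat a pass from this script as necessary, not sufficient.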
IT Security Tip #38: If this type of alert pops up, DON’T click on it!
You’re working at your computer when all of the sudden – BAM! – you get a pop-up notification that your PC is infected with a virus and you must “click here” to run a scan or install antivirus software. This is a common scareware tactic used by hackers to get you to click and download a virus. (You should know we would NEVER deliver that type of pop-up to you!)
Often it will appear to be a system alert or a Microsoft operating system alert. Regardless of how legitimate it looks, NEVER click on the site or the pop-up. The safest thing to do is close your browser; do not click on the X, “Close” or “Cancel” button in the pop-up or on the site, because the page controls what those buttons do and any click on it can trigger a download. If that won’t work, force the browser closed: on a PC, press Control + Shift + Esc to open Task Manager (or Control + Alt + Delete and choose Task Manager) and end the browser there; on a Mac, press Command + Option + Esc to “Force Quit” it. Next, notify your IT department (us!) that this has happened so we can double-check with a legitimate scan whether your computer was infected.
IT Security Tip #39: How to foil ransomware
Not too long ago, the CryptoLocker ransomware virus was all over the news, infecting over 250,000 computers in its first 100 days of release (at least that’s the number reported – the real numbers are probably MUCH higher). The threat was fairly straightforward: pay us or you never get your files back.
Ransomware, like the CryptoLocker attack, works by encrypting your files to prevent you from using or accessing them. After your files are encrypted, the hackers behind the attack pop up a demand screen asking for payment ($400 to $2,000) within a set time frame (e.g., 72 hours) in order to get the key to decrypt your files. CryptoLocker forced many business owners to lose data or pay up, since without the criminals’ key there was no other way to decrypt the files.
Obviously the best way to foil a ransomware attack is to be incredibly diligent about IT security; but with hundreds of thousands of new malware variants being created daily, there are no guarantees that you won’t get infected. Therefore, it’s critical to maintain a full, daily backup of your data OFF-SITE so that IF you do get whacked with ransomware, you can recover all your files without having to pay a thin dime; and don’t forget to back up off-site PCs, laptops, remote offices and third-party software data stored in cloud apps as well! Two details matter here. First, at least one copy must be somewhere the infected machine can’t write to: ransomware encrypts every drive it can reach, including mapped network shares and a USB backup drive that’s left plugged in, so a backup on an always-connected drive is not a backup. Second, keep several days of versions, so you can go back to before the infection, and test a restore now and then; a backup you’ve never restored from is a hope, not a plan.
IT Security Tip #40: How to spot a phishing e-mail
A phishing e-mail is a bogus e-mail that is carefully designed to look like a legitimate request (or attached file) from a site you trust in an effort to get you to willingly give up your login information to a particular website or to click and download a virus.
Often these e-mails look 100% legitimate and show up in the form of a PDF (scanned document) or a UPS or FedEx tracking number, bank letter, Facebook alert, bank notification, etc. That’s what makes these so dangerous – they LOOK exactly like a legitimate e-mail. So how can you tell a phishing e-mail from a legitimate one? Here are a few telltale signs…
First, hover over the URL in the e-mail (but DON’T CLICK!) to see the ACTUAL website you’ll be directed to. If there’s a mismatched or suspicious URL, delete the e-mail immediately. Read the domain from the right: in an address like www.yourbank.com.something-else.net, the site you’d really land on is something-else.net, not your bank. In fact, it’s a good practice to just go to the site direct (typing it into your browser, or using your bookmark) rather than clicking on the link to get to a particular site. Another telltale sign is poor grammar and spelling errors. Another warning sign is that the e-mail is asking you to “verify” or “validate” your login or asking for personal information. Why would your bank need you to verify your account number? They should already have that information. And finally, if the offer seems too good to be true, it probably is.
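The “hover and compare” check can be automated. The Python script below is an added example (not from the newsletter): it reads an HTML e-mail body, pulls out every link, and reports any link whose visible text shows one address while the link really goes somewhere else, or whose real destination is not under the domain you expect. The message body is constructed, and example-bank.com is a made-up bank domain used only for the demonstration.

```python
"""Compare what each link in an HTML e-mail says with where it really goes.

Added example, not from the original tip. SAMPLE_HTML is a constructed
phishing body and example-bank.com a made-up bank domain.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

SAMPLE_HTML = """
<p>Your account has been limited. Please
<a href="http://www.example-bank.com.account-check.test/verify">verify your account</a>.</p>
<p>Or go to <a href="https://secure-update.test/x">https://www.example-bank.com/security</a></p>
<p><a href="https://www.example-bank.com/help">Help center</a></p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text: str) -> str:
    """Host of a URL or of bare 'www.site.com' text; '' for ordinary prose."""
    text = text.strip()
    if "//" not in text:
        if " " in text or "." not in text.split("/")[0]:
            return ""
        text = "//" + text
    return (urlsplit(text).hostname or "").lower()


def suspicious_links(html: str, trusted_domain: str) -> list:
    """Links whose shown host differs from the real one, or that leave trusted_domain."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        real, shown = host_of(href), host_of(text)
        reasons = []
        if shown and shown != real:
            reasons.append(f"text shows {shown} but the link goes to {real}")
        # Read the domain from the right: the trusted name must be the final labels.
        if real != trusted_domain and not real.endswith("." + trusted_domain):
            reasons.append(f"{real} is not under {trusted_domain}")
        if reasons:
            findings.append((href, text, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for href, text, why in suspicious_links(SAMPLE_HTML, "example-bank.com"):
        print(f"{text!r} -> {href}\n    {why}")
```

The first sample link is the one people miss: it starts with www.example-bank.com, but the host ends in account-check.test, so that is where the browser would go. The third link really is on the bank’s domain and is not reported.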
IT Security Tip #33: Physical security matters!
In a recent incident reported in US news, an office secretary unknowingly gave some of her law firm’s most private data to a gentleman who had bought a Comcast Cable polo shirt off eBay. He dressed in khakis with a tool belt, and told the secretary he was there to audit their cable modem specifications and take pictures of the install for quality assurance. She had no reason to suspect he was part of a now-extinct hacker ring that gained access to businesses’ private networks by walking into the office and noting the configuration details and passwords for their firewalls and cable modems. In some cases, they set up a VPN backdoor into the network that they later used to steal data. If someone dressed up in a utility-provider uniform, would you let them in?
Ask for identification and who they have spoken with about the service they are performing, then confirm with that person before letting them near any equipment, and be gracefully suspicious, as they say in the South. Follow any company policies about how visitors are allowed in the building, if such policies exist. If those kinds of policies don’t exist, work to define them. We can help, if needed – but this is a real problem your office needs to address.
IT Security Tip #34: Don’t send your private information to anyone!
We’re seeing a new variant of an old scam. Here’s what happens: a secretary gets an e-mail from her boss – who is traveling – to please send him, as soon as possible, scanned copies of all the W2s the company issued at the end of January. The message appears to come from her manager, including what looks like his actual e-mail address when she looks at it in Outlook. She gets suspicious – she has just talked to her boss on the phone that morning, and he never mentioned needing that information. Before she collects the W2 PDFs that are on the HR drive, she decides to text her boss and check on it. Great catch! The boss never requested that information. Had she not been proactive and instead just completed the task assigned to her, she would have given a scammer all of the confidential information that is on a federal W2 form for every employee in her firm! The scammer likely would have used the information to commit identity theft and/or file false returns next year to claim the refunds.
Always be vigilant and proactive – it’s better to be suspicious and double-check everything when dealing with confidential information. Verify the request through a channel the e-mail didn’t give you: call or text a number you already have, never a number or reply address taken from the message itself. If the information really is needed, send it in an encrypted e-mail, or at minimum put a password on the files (and send the password by a different route, not in the body of the e-mail!). The few extra minutes it takes could save months of heartache for all of your employees.
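The checks a mail administrator would run on that W2 message can be written down. The Python script below is an added example (not from the newsletter) that reads a raw e-mail and lists the reasons to pick up the phone: a known executive’s name on an address that isn’t theirs, a Reply-To that sends your answer somewhere else, failed SPF/DKIM/DMARC results recorded by your own mail server in its Authentication-Results header, and a request for the kind of data scammers want. Both messages are constructed; example-firm.test and Pat Owner are made up, and the EXECUTIVES table stands in for the company’s own address book.

```python
"""Header checks for an e-mail that claims to come from the boss.

Added example, not from the original tip. Both messages are constructed;
example-firm.test is a made-up company domain and Pat Owner a made-up
executive. EXECUTIVES stands in for the company's own address book.
"""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-firm.test"
EXECUTIVES = {"pat owner": "pat@example-firm.test"}
SENSITIVE = re.compile(r"\b(w-?2s?|wire transfer|gift cards?|payroll|ssn)\b", re.I)

# The "send me the W2s" message: the From line shows the boss's real address,
# but replies are routed elsewhere and the receiving server's authentication
# checks (Authentication-Results, RFC 8601) failed.
SAMPLE_SPOOF = """\
Authentication-Results: mx.example-firm.test; spf=fail smtp.mailfrom=pat@example-firm.test; dmarc=fail header.from=example-firm.test
From: Pat Owner <pat@example-firm.test>
Reply-To: Pat Owner <pat.owner.travel@mailbox.example>
To: assistant@example-firm.test
Subject: Need all W2s ASAP

Are you at your desk? Please scan every W2 we issued in January
and send them to me as soon as possible. I'm traveling.
"""

SAMPLE_LEGIT = """\
Authentication-Results: mx.example-firm.test; spf=pass smtp.mailfrom=pat@example-firm.test; dkim=pass; dmarc=pass header.from=example-firm.test
From: Pat Owner <pat@example-firm.test>
To: assistant@example-firm.test
Subject: Lunch on Thursday

Can you move my 12:30 to 1:00?
"""


def domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def impersonation_findings(raw: str) -> list:
    """Reasons to verify this message by phone before acting on it; empty if none."""
    msg = message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))

    # A known executive's display name on an address that is not theirs.
    known = EXECUTIVES.get(from_name.strip().lower())
    if known and from_addr.lower() != known:
        findings.append(f"'{from_name}' is {known}, not {from_addr}")

    # Reply-To pointing somewhere other than the sender's own domain.
    if reply_addr and domain(reply_addr) != domain(from_addr):
        findings.append(f"replies are redirected to {reply_addr}")

    # SPF/DKIM/DMARC verdicts stamped on the message by the receiving server.
    auth = msg.get("Authentication-Results", "").lower()
    failed = [m for m in ("spf", "dkim", "dmarc") if f"{m}=fail" in auth]
    if failed:
        findings.append("sender authentication failed: " + ", ".join(failed))

    # A request for the kind of data scammers go after.
    body = msg.get_payload() if not msg.is_multipart() else ""
    hits = sorted({h.lower() for h in SENSITIVE.findall(msg.get("Subject", "") + "\n" + body)})
    if hits:
        findings.append("asks for sensitive data: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for label, raw in (("spoof", SAMPLE_SPOOF), ("legit", SAMPLE_LEGIT)):
        print(label, impersonation_findings(raw) or ["nothing unusual"])
```

Note what the From line alone tells you here: nothing. The spoofed message carries the boss’s genuine address, which is why the story’s secretary saw it “look right” in Outlook. The giveaways are the Reply-To, the failed authentication results, and the nature of the request, and the last of those is the one a person can always check by picking up the phone.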
IT Security Tip #35: This will SHOCK you about bank fraud on business accounts
Did you know your COMPANY’S bank account doesn’t enjoy the same protections as a personal bank account? The federal rule that limits a consumer’s liability for unauthorized electronic transfers (Regulation E) covers personal accounts, not business accounts; so if a hacker takes money from your business account, the bank is NOT necessarily responsible for getting your money back. (Don’t believe me? Go ask your bank what their policy is on refunding you money stolen from your account!) Many people think FDIC protects you from fraud; it doesn’t. It protects you from bank insolvency, NOT fraud.
Quick Tip: Set up e-mail or text alerts on your account so you are notified any time money is withdrawn from your account, and ask your bank about dual approval for wires and ACH transfers, so no single login can move money out. The FASTER you catch fraudulent activity, the better your chances are of keeping your money. If you contact the bank IMMEDIATELY, you have a very high probability of foiling a hacker’s attack.
IT Security Tip #29: Keep sensitive data off employee equipment
If a laptop is stolen, the Windows login password doesn’t protect what’s on the disk: the thief can pull the drive out and read it from another computer, or boot from a USB stick and reset the password. Any private data that is unencrypted is free for the taking. One solution: keep sensitive data on a secure private cloud service or your office file server, so it’s never on the laptop’s hard drive in the first place. With the data stored centrally, you can immediately revoke the account’s access when a device goes missing. If you have an internal file server in your office, make sure it’s secured properly – talk to your IT provider about shared folders for things like HR that only certain people need. You may have a q:\ drive for documents, an s:\ for accounting and a p:\ for workflows and processes: everyone can use q:\ and p:\, but only the people who do accounting can use s:\. It’s simple stuff – but think of the possible damage from data on a lost laptop at the airport. If you are in the medical field, this can also bring in the HHS Office for Civil Rights as a HIPAA violation. And turn on full-disk encryption on every laptop (BitLocker on Windows, FileVault on a Mac): with the disk encrypted, a stolen laptop is a hardware loss instead of a data breach.
IT Security Tip #30: Start with a fresh session or browser window
You’d like to access the company website or a site for one of your vendors from work. When you click on your favorite browser, it opens to your homepage: msn.com, yahoo.com, aol.com, espn.com… You get the point. You then select the bookmark for the desired website and go. BIG problem! Most websites these days carry tracking cookies, tracking pixels and other advertising and data-collection scripts. These little spies are now following you across your browser session. Be careful with your information. Web portal sites like I listed are filled with ads, and the site’s overhead is paid for with information they get from you.
- Consider changing your homepage to something like https://startpage.com/. They don’t spy.
- Open the sites you log in to in a private (incognito) window, which starts with no cookies from your other browsing and throws them away when you close it. A new tab in the same window doesn’t help: tabs share cookies. Close the window when you’re done.
- Consider using add-ons in your browser to cut down on ads and spies. Not sure how? Ask us.
IT Security Tip #31: Lie, lie, lie!
Social engineering is big business. What is it? Figuring out who you are and then using that information to make money off of it. People post the very details that password-reset questions and identity checks rely on, publicly or at least freely, on their Instagram, Twitter and Facebook pages and feeds without giving it a second thought. Maiden name? Check. Favorite pet? Check. High school? Check. Town they grew up in? Check. Favorite or first car? Check. Throwback Thursday is a social engineer’s dream! They love this stuff. Combat it by always giving made-up answers to the security questions on the sites and services that require them; the answer doesn’t have to be true, it only has to be something you can look up. Keep the answers somewhere safe that isn’t public: a password manager is ideal; failing that, an off-line list in a format that’s not easily guessed. Remember, if it’s a handwritten list, you can still take a photo of it.
IT Security Tip #24: How to keep staff from unintentionally causing a security breach
With so many access points, from cell phones to laptop and home computers, how can anyone hope to keep their network safe from hackers, viruses and other unintentional security breaches? The answer is not “one thing” but a series of things you have to implement and constantly be vigilant about, such as installing and constantly updating your firewall, antivirus, spam-filtering software and backups. This is why clients hire us – it’s a full-time job for someone with specific expertise (which we have!).
Once that basic foundation is in place, the next most important thing you can do is create an Acceptable Use Policy (AUP) and train your employees on how to use company devices and other security protocols, such as never accessing company e-mail, data or applications with unprotected home PCs and devices (for example). Also, how to create good passwords, how to recognize a phishing e-mail, what websites to never access, etc. Never assume your employees know everything they need to know about IT security. Threats are ever-evolving and attacks are getting more sophisticated and clever by the minute.
This e-mail series is one great way to keep your employees informed, but you still need a good AUP in place and training. If you’d like our help in creating one for your company, based on best practices, call us at 505-792-2375 or reply to this e-mail. You’ll be glad you did.
IT Security Tip #25: Do online banking? Read this!
If you do online banking, never access your online account with a PC or device that you use to log in to social media sites or free e-mail accounts (like Hotmail) or to surf the web. Since these are all highly hackable, keeping one PC dedicated to online banking reduces your chances of getting a bank-account-hacking virus. Of course, that PC should have antivirus installed, be behind a well-maintained and well-monitored firewall, have a strong password and be monitored for suspicious activity.
IT Security Tip #26: Don’t download anything you’re not authorized to download
So you have a big file you need to get over to your printer yesterday and you can’t get it to “send” via e-mail because the file is too big. What should you do? The right thing to do is contact your IT department (us!) so we can assist by setting up a secure, commercial-grade file-sharing application. What you shouldn’t do is sign up for a free Dropbox account or download some other file-sharing software without telling us. The problem isn’t that these tools are bad; it’s that company data ends up in a personal account outside the company’s control, with no way for us to see who has it, revoke access when someone leaves, or clean it up if that account is compromised. If we don’t know about it, we can’t manage it or secure it; so the golden rule is this: never download any software or application without checking with your IT department first!
IT Security Tip #27: Start with the basics!
You’ve heard the advice countless times before: you must have antivirus software and a strong firewall. However, in this day and age, there is more to the security “basics” than a solid firewall. What about the employee who inadvertently clicks on a link in an e-mail on her phone from a “foreign ambassador” trying to move money to the US? She sees it’s a scam, but it’s too late…her phone is infected and now sending a copy of every outgoing e-mail to a Russian crime network. Have you trained your employees? Don’t open an Excel attachment called “Invoice” from someone you don’t know – trust me, they’ll call you if you owe them money. A single crack in your armor can open the door for network attacks. Get serious about locking down your devices, e-mail filtering and teaching your users how to not lose last year’s P&L to a crime ring by trying to help a Nigerian prince.
IT Security Tip #28: Change your name, and I don’t mean the last one
Too often we see e-mail usernames and prefixes the same across multiple free e-mail services. For example:
This makes the work of hackers and cybercriminals way too easy. When one provider is breached or your password for one account is guessed, the attacker simply tries the same username (and the same password, if you reused it) at every other service, and once they control one of your e-mail accounts they can use it to reset passwords elsewhere or spoof messages from you to others. Variety is the spice of life. Introduce it to your e-mail addresses, and to your passwords.