IT Security Tip #51: Don’t just close your browser!
When accessing a banking site or any other application containing sensitive data online, make sure you log out of the site and THEN close your browser. If you simply close your browser, some of the session information that a hacker can use to gain entry is still running in the background.
IT Security Tip #52: Your firewall is USELESS unless…
A firewall is a device that acts like a security cop watching over your computer network to detect unauthorized access and activity – and EVERY business and individual needs one.
However, your firewall is completely useless if it’s not set up or maintained properly. Your firewall needs to be upgraded and patched on a continual and consistent basis, and security policies and configurations set. This is not something you want to try and handle on your own – you are best served by letting the pros (us!) handle that for you.
If you’re not covered, you should call us immediately to correct the error of your ways: 505-792-2375.
IT Security Tip #53: A WARNING if you handle, process or store client credit cards
If you handle, process or store credit cards in any manner, you are required to comply with PCI DSS, or Payment Card Industry Data Security Standards. This is a set of LEGAL requirements you must abide by to maintain a secure environment. If you violate them, you will incur serious fines and fees.
Are you subject to them if you take credit card payments over the phone? Absolutely! If you have clients that pay you directly by credit card, you’re subject to these laws. There are various levels of security standards – but thinking you don’t process enough to matter or that “no one would want to hack us” is dangerous. All it takes is an employee writing down a credit card number in an e-mail or on a piece of paper to violate a law; and then you’ll be left with legal fees, fines and the reputational damage incurred when you have to contact your clients to let them know you weren’t properly storing or handling their credit cards.
Getting compliant – or finding out if you ARE compliant – isn’t a simple matter I can outline in a 1-2-3-step checklist. It requires an assessment of your specific environment and how you handle credit card information.
A great resource is the PCI Security Standards Council, or www.pcisecuritystandards.org. If you want assistance in figuring out if you’re compliant, call us for a free assessment.
IT Security Tip #54: You’ve been HACKED! What’s the first thing you should do?
No matter how diligent you are about security, there’s always a chance you can get hacked. That’s why you need to put a plan in place NOW to protect yourself and your CLIENTS, so damage is minimized. But what should you do if you find out you’ve been hacked?
First, contact your IT department (us) IMMEDIATELY. The faster we can address the attack – and determine the extent of the data, applications and machines compromised – the better your chances are of preventing much bigger problems. We’ll go to work on containing the attack and conducting a full scan of your network.
Based on what we discover, we may advise you to contact the local FBI office and your attorney. Your legal responsibilities depend greatly on the type of data accessed. For example, if medical, financial or other confidential records were stolen or accessed, you are legally responsible for notifying those individuals that their data was compromised (your attorney can best direct you on what you need to do and how to do it).
IT Security Tip #46: The DANGERS of Dropbox and other file sync apps
If you’re using Dropbox, OneDrive, Google Drive or other consumer-grade file sync and sharing cloud applications, listen up! These applications pose a huge threat to your company because company data can be spread far and wide without central oversight of what information is being shared with whom. Further, over 7 MILLION Dropbox accounts have been hacked, giving cybercriminals a path into the company’s network.
This is even MORE important if your company has access to and/or stores financial, medical or other sensitive data. Using file-sharing applications like these is a clear and direct violation of data breach and compliance laws. Bottom line, DON’T USE THEM FOR COMPANY DATA and use only company-approved, business-grade file-sharing applications.
IT Security Tip #47: DON’T use public WiFi until you read this
We’re all guilty of it: connecting to free public WiFi. Whether it’s at the coffee shop, hotel or airport, the temptation to check e-mail and surf the web is just too strong to resist. So BEFORE you connect to any free, public WiFi, make sure the connection is legitimate.
It’s not uncommon for hackers to set up fake clones of public WiFi access points to try and get you to connect to THEIR WiFi over the legitimate, safe public one being made available to you. Before connecting, check with an employee of the store or location to verify the name of the WiFi they are providing. Next, NEVER access financial, medical or other sensitive data while on public WiFi. Also, don’t shop online and enter your credit card information unless you’re absolutely certain the connection point you’re on is safe and secure.
IT Security Tip #48: Work computers and devices are only for ONE thing…
That is, WORK! Never mix personal web surfing and social media with company devices. If you want to check your Hotmail account or Facebook page, do it during your lunch break and on YOUR personal device. Over 600,000 Facebook accounts are hacked every day. If you’re using a company device to access a compromised account, you’re opening up a door to a hacker who can then get into your company’s network via your e-mail or PC. Bottom line, don’t use company PCs, devices, phones or Internet for PERSONAL use.
IT Security Tip #49: Set up bank alerts – NOW!
Here’s a tip that just might save your bacon: set up withdrawal alerts on your bank accounts. Many banks will send you an e-mail alert whenever money is withdrawn from your account via check, debit card or transfer. Setting up those alerts will allow you to spot and report fraudulent activity BEFORE the money has already been siphoned into a cybercriminal’s hands.
IT Security Tip #50: Make THIS password different from everything else
You know you’re guilty of it: using the same password for everything. Believe me, I understand how annoying it is to try and remember all those passwords; and if you’re using the same password for sites that don’t share sensitive information, like a login to a news feed you like to read, then it’s generally okay.
HOWEVER, the ONE password you want to keep unique is your e-mail password. If an e-commerce site you’ve registered at or bought from gets hacked – and you’ve used the SAME password you usually use for everything to register at the site – you can pretty much bet hackers are going to gain access to your in-box. They’ll have your e-mail and your password to the e-commerce site and will use that to hack in. From there, they’ll have fertile ground for getting all your data and other passwords.
IT Security Tip #44: REMOVE that unwanted freeware
Like it or not, PC manufacturers LOVE to stuff your brand-new PC full of “free” applications (they get paid to do it, so you’ve got a slim chance of getting one without a side of spamware). But clutter is the enemy of a speedy PC, and if you’re not using a particular piece of software on a regular basis, it’s best to REMOVE it completely. That way you don’t have it sucking up processing speed AND leaving the door open to hackers and malware.
IT Security Tip #45: What to do BEFORE you go to Starbucks
So you’re in the car on the way home from Starbucks, basking in the glow of consuming your triple-shot, low-foam, extra-hot pumpkin-spice latte when you suddenly realize your laptop has gone missing. You drive back like the caffeinated lunatic you are, only to discover no one has turned it in. What do you do? That depends on what precautions you have (or haven’t!) taken.
First, if you’ve properly encrypted your data, password-protected the access to your device and shut down and logged off all key applications, you’ve got a bit more time to respond. But the first thing to do, whether or not you’ve taken those precautionary measures, is to notify your IT department (us) that you’ve lost your device. That will allow us to change passwords and lock access to applications and data a thief may gain access to via your unprotected laptop. We can also remotely wipe your device to make sure no one will be able to gain access to the data stored on your computer. (Which is also why it’s CRITICAL to back up your data on a daily basis!)
Next, change ALL the passwords to every website you log in to, starting with any sites that contain financial data (your bank account) or company data. If your laptop contained medical records, financial information or other sensitive data (like social security numbers, birthdays, etc.), then you need to contact a qualified attorney to understand what you may be required to do by law to notify individuals who may be affected.
Quite simply, an ounce of prevention is worth a pound of cure; so make sure you’re engaging us to encrypt and back up your data, as well as put remote monitoring software on all mobile devices. Require a PIN code or password to unlock a device after 10 minutes of inactivity, and get into the habit of logging out of websites when you’re done using them.
IT Security Tip #41: Never use PERSONAL devices to connect to COMPANY data
You’re a hardworking team player who likes to check e-mail and get a few things done after hours – all good! But here’s something you might not know: you should never access company data, file servers or applications through personal devices and home PCs that are not properly monitored by us. Why?
If you and your kids are using a home PC to play games, access Facebook and surf the web AND you’re not diligently updating and monitoring the antivirus software, firewall and security patches on the machine (and who does, honestly?), then there’s a high probability you’re infected with spyware or malware. Since most malware is designed to operate in total stealth mode undetected, you won’t know that some hacker is watching you log in to your company’s file server or key cloud application containing critical, sensitive data and capturing your login with a key logger. Bottom line, ONLY use company-approved devices that are properly protected and monitored to access company data; and if you just can’t help but take work home, let us know so we can set you up with a SECURE way to work remotely or from home.
IT Security Tip #42: Bookmark the LEGITIMATE websites you frequently visit
Here’s a sneaky trick used by many hackers: they purchase and set up a fraudulent website that is a close misspelling of a legitimate one. Example: www.faceboook.com instead of www.facebook.com. All you have to do is accidentally fat-finger ONE letter in the URL and up pops a very legitimate-looking fake copy of the site you were trying to get to – and the login and links are full of key-logger malware and virus landmines waiting for you to click on them. This is particularly important for any social networks you belong to.
IT Security Tip #43: If you installed it, you must update it!
There are thousands of hackers who get up every morning with ONE goal in mind: to find a new vulnerability in commonly installed software (like Adobe, Flash or QuickTime) to access your computer. That’s why these companies frequently issue patches and updates for KNOWN security bugs; and once a KNOWN vulnerability is announced via a patch, hackers get to work like crazy trying to figure out how to use the vulnerability and access those users who are lazy about installing updates. That’s why it’s important to update installed software programs as soon as possible.
Of course, if you’re a client of ours, we’re monitoring your network for these updates and handling them for you; but your home computers, smartphone and other devices that may NOT be under our protection probably need a little attention.
IT Security Tip #36: Working from home? DON’T! Until you read this…
If you plan on catching up on some work from home AND you’re using a personal device such as a smartphone or personal laptop – DON’T! Unless your personal device is monitored by us, you could accidentally introduce a virus to the company’s network.
ONLY devices that are under our vigilant watch of patching, updating and monitoring should be used to work remotely. Side Note: We can set up a way for you to work from home securely; call our office if you would like us to set that up: 505-792-2375.
IT Security Tip #37: Use STRONG passwords!
Thanks to powerful brute-force-attack software readily available online, hackers can try tens of millions of possible password combinations per second. For example, hacking software can guess a five-character password in under three hours. If you only use lowercase letters, it’s 11.9 seconds.
You KNOW you need to have a better password than “password” or “letmein” if you have any hope of keeping hackers out of your PC; but what does a “strong” password mean? A good password should be at least eight characters long (or longer!) and have a combination of uppercase and lowercase letters, numbers and symbols that are hard to guess. Don’t use dictionary words with proper capitalization because they’re easy to guess (like Password123#). Even though it meets the requirements we just discussed, it’s easily hacked; remember, hackers have sophisticated password-hacking software that will run 24/7/365. If you want a quick tip for remembering your password, use a phrase and insert letters and numbers into it, like $h@KeNb8ke.
IT Security Tip #38: If this type of alert pops up, DON’T click on it!
You’re working at your computer when all of the sudden – BAM! – you get a pop-up notification that your PC is infected with a virus and you must “click here” to run a scan or install antivirus software. This is a common scareware tactic used by hackers to get you to click and download a virus. (You should know we would NEVER deliver that type of pop-up to you!)
Often it will appear to be a system alert or a Microsoft operating system alert. Regardless of how legitimate it looks, NEVER click on the site or the pop-up. The safest thing to do is close your browser; do not click on the X, “Close” or “Cancel” button in the pop-up or on the site because clicking on anything on the page or pop-up will trigger a virus download. If that won’t work, bring up your task manager (hold Control + Alt + Delete on a PC and Command + Option + Esc to “Force Quit” on a Mac) and close the web browser or application where it appeared. Next, notify your IT department (us!) that this has happened so we can double-check with a legitimate scan whether your computer was infected.
IT Security Tip #39: How to foil ransomware
Not too long ago, the CryptoLocker ransomware virus was all over the news, infecting over 250,000 computers in its first 100 days of release (at least that’s the number reported – the real numbers are probably MUCH higher). The threat was fairly straightforward: Pay us or we’ll delete all your data.
Ransomware, like the CryptoLocker attack, works by encrypting your files to prevent you from using or accessing them. After your files are compromised, the hackers behind the attack then pop up a demand screen asking for payment ($400 to $2,000) within a set time frame (e.g., 72 hours or three days) in order to get the key to decrypt your files. The last CryptoLocker virus forced many business owners to lose data or pay up since there was no other way to decrypt the files.
Obviously the best way to foil a ransomware attack is to be incredibly diligent about IT security; but with hundreds of thousands of new attacks being created daily, there are no guarantees that you won’t get infected. Therefore, it’s critical to maintain a full, daily backup of your data OFF-SITE so that IF you do get whacked with ransomware, you can recover all your files without having to pay a thin dime; and don’t forget to back up off-site PCs, laptops, remote offices and third-party software data stored in cloud apps as well!
IT Security Tip #40: How to spot a phishing e-mail
A phishing e-mail is a bogus e-mail that is carefully designed to look like a legitimate request (or attached file) from a site you trust in an effort to get you to willingly give up your login information to a particular website or to click and download a virus.
Often these e-mails look 100% legitimate and show up in the form of a PDF (scanned document) or a UPS or FedEx tracking number, bank letter, Facebook alert, bank notification, etc. That’s what makes these so dangerous – they LOOK exactly like a legitimate e-mail. So how can you tell a phishing e-mail from a legitimate one? Here are a few telltale signs…
First, hover over the URL in the e-mail (but DON’T CLICK!) to see the ACTUAL website you’ll be directed to. If there’s a mismatched or suspicious URL, delete the e-mail immediately. In fact, it’s a good practice to just go to the site directly (typing it into your browser) rather than clicking on the link to get to a particular site. A second telltale sign is poor grammar and spelling errors. A third warning sign is that the e-mail is asking you to “verify” or “validate” your login or asking for personal information. Why would your bank need you to verify your account number? They should already have that information. And finally, if the offer seems too good to be true, it probably is.