IT Security Tip #57: If you’ve ever said this, you’re ASKING to be hacked!
Want to know what every hacker hopes you believe? “We’re small…nobody wants to hack us.” This is the #1 reason why people (companies) get hacked. They dismiss the importance of IT security because they’re only a “small business.” This is a lazy, irresponsible excuse.
One thing is for certain: NO ONE is immune to cybercrime. In fact, one in five small businesses falls victim to cybercrime and that number grows every year. Plus, half of all cyber-attacks are aimed at small businesses BECAUSE they make themselves low-hanging fruit with sloppy or non-existent security protocols.
And one more critical point to ponder: If YOU aren’t giving IT security the attention it deserves, how do you think your CLIENTS would feel about that? If for no other reason, you need to do it to protect your clients’ data, even if the only information about them you store is an e-mail address. If YOUR system gets compromised, hackers now have your CLIENTS’ e-mail addresses and can use them for phishing scams and virus-laden spam that appears to come from you. I’m sure your clients want you to be a good steward of their information and privacy, so stop lying to yourself and get serious about putting essential security practices in place.
IT Security Tip #58: How to keep staff from unintentionally causing a security breach
With so many access points, from cell phones to laptops and home computers, how can anyone hope to keep their network safe from hackers, malware and the unintentional security breaches that staff cause? The answer is not “one thing” but a series of things you have to implement and constantly stay on top of: installing and continually updating your firewall, antivirus and spam-filtering software, patching the operating systems and applications on every device, and keeping tested backups. This is why clients hire us – it’s a full-time job for someone with specific expertise (which we have!).
Once that basic foundation is in place, the next most important thing you can do is create an Acceptable Use Policy (AUP) and TRAIN your employees on how to use company devices and on your other security protocols, such as never accessing company e-mail, data or applications from unprotected home PCs and devices. Cover how to create good passwords, how to recognize a phishing e-mail, how (and to whom) to report one, and what websites never to access. NEVER assume your employees already know everything they need to know about IT security. Threats are ever-evolving, and attacks are getting more sophisticated and clever by the minute.
This e-mail series is one great way to keep your employees informed, but you STILL need a good AUP in place and training. If you’d like our help in creating one for your company, based on best practices, call us at 505-792-2375. You’ll be glad you did.
IT Security Tip #59: Do online banking? READ THIS!
If you do online banking, NEVER access your account from a PC or device that you also use to log in to social media sites or free e-mail accounts (like Hotmail) or to casually surf the web. Those are the activities most likely to land malware on a machine, so keeping one PC dedicated to online banking shrinks the chance that a banking trojan is sitting on it, capturing your login or altering your transfers. Of course, that PC still needs antivirus, current patches, a strong password, a well-maintained and well-monitored firewall in front of it, and monitoring for suspicious activity. And turn on whatever second-factor login your bank offers while you’re at it.
IT Security Tip #55: 3 rules to keeping your data safe in the cloud
If you’re using any kind of cloud application (and these days, who isn’t?), you are right to be concerned about data privacy and security. The company hosting your data is responsible for keeping hackers out of THEIR infrastructure, but YOUR account – the password on it, the devices you log in from and what you share with whom – is your responsibility, and a large share of cloud account compromises trace back to exactly those things. So it’s important that you, the user, are being smart about security. Here are a few things you can easily do to improve security in the cloud:
1. Use a STRONG, UNIQUE password. Length matters more than clever symbol substitutions: aim for 12 characters or more (eight, which many services still accept as a minimum, is too short) and never reuse it on another site. Do NOT make it easy, such as “Password123!” While that technically meets the usual uppercase/lowercase/number/symbol rules, it is a dictionary word with a predictable suffix and sits in every cracking wordlist. A password manager makes long, unique passwords painless, and if the application offers two-factor authentication, turn it on.
2. Make sure the device you’re using to access the application is secure. This is an area where you need professional help in installing and maintaining a strong firewall, antivirus and spam-filtering software. Don’t access your cloud application with a device you also use to check social media sites and free e-mail accounts like Hotmail.
3. “Reverse”-backup your data. If the data in a cloud application is important, make sure you’re downloading it from the application and backing it up in another safe and secure location. That way, if your account is hacked or the data is corrupted, you have a copy.
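To show why “Password123!” passes the rules in point 1 yet is still weak, here is an added example (our illustration, not code from the newsletter) of a password check that goes beyond composition rules: it strips the predictable prefix/suffix, undoes leet substitutions, compares the base word against a blocklist, and rejects keyboard runs. The blocklist is a tiny constructed stand-in for a real leaked-password list, and the 12/16-character thresholds are assumptions for the example.

```python
import re
import string

# Constructed mini-blocklist of common base words. A real deployment would load a
# large leaked-password list instead.
COMMON_BASES = {"password", "welcome", "letmein", "qwerty", "admin", "summer", "company"}

# Substitutions every cracking wordlist already tries, so they add no strength.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

KEYBOARD_RUNS = ["abcdefghijklmnopqrstuvwxyz", "0123456789", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def meets_composition_rules(pw: str, min_len: int = 8) -> bool:
    """The rule set the tip describes: minimum length plus upper, lower, digit and symbol."""
    return (len(pw) >= min_len
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def base_word(pw: str) -> str:
    """Reduce a password to the word an attacker's rules would start from:
    lowercase it, drop leading/trailing digits and symbols, undo leet substitutions."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return core.translate(LEET)


def has_keyboard_run(pw: str, run: int = 4) -> bool:
    """True if the password contains a forward or backward keyboard/number run of `run` chars."""
    low = pw.lower()
    for seq in KEYBOARD_RUNS:
        for s in (seq, seq[::-1]):
            if any(s[i:i + run] in low for i in range(len(s) - run + 1)):
                return True
    return False


def password_problems(pw: str) -> list:
    """Return the reasons a password is weak; an empty list means it passes.
    Thresholds (12 minimum, 16 to waive composition rules for passphrases) are
    this example's assumptions, not figures from the newsletter."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if len(pw) < 16 and not meets_composition_rules(pw, 12):
        problems.append("under 16 characters and missing a character class")
    base = base_word(pw)
    if any(word in base for word in COMMON_BASES):
        problems.append("built on a common word")
    if has_keyboard_run(pw):
        problems.append("contains a keyboard or number sequence")
    if len(set(pw)) < 5:
        problems.append("too few distinct characters")
    return problems


if __name__ == "__main__":
    for candidate in ["Password123!", "P@ssw0rd2024", "Summer2024!", "correct-horse-battery-staple-42"]:
        verdict = password_problems(candidate)
        rules = "pass" if meets_composition_rules(candidate) else "fail"
        print(f"{candidate!r}: composition rules {rules}; " + ("weak: " + "; ".join(verdict) if verdict else "OK"))
```

Run it and “Password123!” and “P@ssw0rd2024” both pass the composition rules and both come back as “built on a common word”, while the long passphrase passes with no upper-case letter or symbol at all, which is the point: length and unpredictability beat mandatory symbols.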
IT Security Tip #56: The #1 threat to your security is…
YOU! And your employees. Like it or not, human beings are our own worst enemies online, inviting hackers, viruses, data breaches, data loss, etc., through the seemingly innocent actions taken every day online. In most cases, this is done without malicious intent – but if you as a manager or owner aren’t monitoring what websites your employees are visiting, what files they’re sending and receiving, and even what they’re posting in company e-mail, you could be opening yourself up to a world of hurt.
That’s because employees’ actions can subject the company they work for to monetary loss, civil lawsuits, data theft and even criminal charges if they involve disclosure of confidential company information, transmission of pornography or exposure to malicious code.
One thing you can (and should) do is configure your firewall or web proxy to log which websites users are visiting and to report on it. Almost all business-grade firewalls have this ability built in; you simply need to configure it, make sure users are identified in the logs (by login, not just by IP address) and actually review the reports (something we can certainly help you with). But it’s up to you to set the rules, write them into an Acceptable Use Policy (AUP), TRAIN employees on what is and isn’t acceptable and then get them to sign the AUP.
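As an added illustration of what “monitoring the reports” looks like in practice (our example, not the newsletter’s code or any vendor’s tool), here is a small review script run over constructed log lines in Squid’s native access.log layout. It tallies destinations per user, falls back to the source IP when no username was logged, checks each destination against a constructed AUP blocklist, and distinguishes requests the proxy blocked from ones that went through. The sample lines, domains and categories are all made up for the example.

```python
import datetime as dt
from collections import Counter, defaultdict
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log layout:
# time elapsed client status/code bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1709543521.123    245 10.0.0.12 TCP_MISS/200 5123 GET http://news.example.com/story/1 jsmith HIER_DIRECT/93.184.216.34 text/html
1709543530.001     12 10.0.0.12 TCP_TUNNEL/200 88012 CONNECT casino-games.example:443 jsmith HIER_DIRECT/203.0.113.5 -
1709543541.777    300 10.0.0.31 TCP_MISS/200 2200 GET http://intranet.example.local/timesheet mlee HIER_DIRECT/10.0.0.5 text/html
1709543560.220      9 10.0.0.31 TCP_TUNNEL/200 40100 CONNECT filehost.example:443 mlee HIER_DIRECT/198.51.100.7 -
1709543599.002      0 10.0.0.12 TCP_DENIED/403 0 GET http://casino-games.example/spin - HIER_NONE/- text/html
"""

# Constructed AUP blocklist: domain -> category named in the policy.
BLOCKED = {"casino-games.example": "gambling", "filehost.example": "unapproved file sharing"}


def host_of(url: str) -> str:
    """Hostname from a logged URL. CONNECT entries log a bare 'host:port' with no scheme,
    which urlsplit would misread as a scheme, so handle them separately."""
    if "://" not in url:
        return url.rsplit(":", 1)[0].lower()
    return (urlsplit(url).hostname or "").lower()


def parse_line(line: str) -> Optional[dict]:
    """Split one native-format line into the fields the review needs; None if malformed."""
    fields = line.split()
    if len(fields) < 10:
        return None
    return {
        "time": dt.datetime.fromtimestamp(float(fields[0]), tz=dt.timezone.utc),
        "src": fields[2],
        "status": fields[3],   # e.g. TCP_DENIED/403 means the proxy blocked the request
        "method": fields[5],
        "host": host_of(fields[6]),
        "user": fields[7],     # '-' when the client did not authenticate
    }


def review(log_text: str, blocked: dict):
    """Return per-user destination counts and a list of AUP hits
    as (time, user, host, category, status) tuples."""
    per_user = defaultdict(Counter)
    violations = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Fall back to the source IP when no username was logged so the event stays attributable.
        user = rec["user"] if rec["user"] != "-" else rec["src"]
        per_user[user][rec["host"]] += 1
        if rec["host"] in blocked:
            violations.append((rec["time"].isoformat(), user, rec["host"], blocked[rec["host"]], rec["status"]))
    return per_user, violations


if __name__ == "__main__":
    counts, hits = review(SAMPLE_LOG, BLOCKED)
    for user, hosts in counts.items():
        print(user, dict(hosts.most_common(3)))
    for when, user, host, category, status in hits:
        outcome = "BLOCKED" if status.startswith("TCP_DENIED") else "ALLOWED THROUGH"
        print(f"{when} {user} -> {host} ({category}) {outcome}")
```

The two “ALLOWED THROUGH” hits are the ones that matter for the AUP conversation; the blocked one shows the firewall rule is doing its job. The unauthenticated line is reported under its IP address, which is the cue to fix user identification on the proxy.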
IT Security Tip #51: Don’t just close your browser!
When you’re logged in to a banking site or any other application containing sensitive data, make sure you log out of the site and THEN close your browser. If you simply close your browser, the server has no idea you’ve left: your session stays valid on its side until it times out, and a cookie the site saved to disk can survive the close. Anyone who gets hold of that cookie or session ID in the meantime can walk right back in as you. Logging out is what tells the server to kill the session.
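To make the difference concrete, here is an added example (ours, not the newsletter’s, and not any particular bank’s code) of how a web application’s server side typically tracks a login: a random session ID in a cookie, looked up in a server-side table. The walkthrough shows that “closing the browser” changes nothing on the server, so a copied cookie still works, while logout destroys the session and tells the browser to drop the cookie. The 15-minute idle timeout and the clock values are assumptions for the example.

```python
import secrets
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 15 * 60   # seconds of inactivity before the server discards a session (assumed policy)


class SessionStore:
    """Server-side session table keyed by the random ID carried in the 'sid' cookie."""

    def __init__(self):
        self._sessions = {}   # sid -> {"user": ..., "last_seen": ...}

    def login(self, user: str, now: float):
        """Create a session and return (sid, Set-Cookie header value).
        No Expires/Max-Age makes this a session cookie, which browsers are supposed to
        drop on close (though 'restore tabs' features often keep them anyway)."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": now}
        c = SimpleCookie()
        c["sid"] = sid
        c["sid"]["httponly"] = True    # not readable by page scripts
        c["sid"]["secure"] = True      # only sent over HTTPS
        c["sid"]["samesite"] = "Lax"
        c["sid"]["path"] = "/"
        return sid, c.output(header="").strip()

    def user_for(self, cookie_header: str, now: float):
        """Resolve a request's Cookie header to a user, enforcing the idle timeout."""
        sid = self._sid_from(cookie_header)
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if now - sess["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        sess["last_seen"] = now
        return sess["user"]

    def logout(self, cookie_header: str) -> str:
        """Destroy the server-side session and tell the browser to drop the cookie."""
        self._sessions.pop(self._sid_from(cookie_header), None)
        c = SimpleCookie()
        c["sid"] = ""
        c["sid"]["max-age"] = 0
        c["sid"]["path"] = "/"
        return c.output(header="").strip()

    @staticmethod
    def _sid_from(cookie_header: str):
        c = SimpleCookie()
        c.load(cookie_header or "")
        return c["sid"].value if "sid" in c else None


def demonstrate() -> dict:
    """Walk through the scenario in the tip: close the browser vs. log out."""
    store = SessionStore()
    t0 = 1_700_000_000.0                      # constructed clock, in seconds
    sid, _set_cookie = store.login("alice", t0)
    stolen = f"sid={sid}"                     # what someone holding a copy of the cookie would send

    results = {}
    # 1. User just closes the browser. The server hears nothing; the session is still live.
    results["after_close"] = store.user_for(stolen, t0 + 60)
    # 2. User logs out instead. Server-side state is gone; the same cookie is now worthless.
    results["logout_set_cookie"] = store.logout(stolen)
    results["after_logout"] = store.user_for(stolen, t0 + 61)
    # 3. Defence in depth: even without a logout, the idle timeout eventually kills the session.
    sid2, _ = store.login("alice", t0)
    results["after_idle_timeout"] = store.user_for(f"sid={sid2}", t0 + IDLE_TIMEOUT + 1)
    return results


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

Step 1 is the case the tip warns about: the user thinks they are done, but the server still honours the session. Step 3 is why a short idle timeout on the server matters too; it limits the damage when someone forgets to log out.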
IT Security Tip #52: Your firewall is USELESS unless…
A firewall is a device that acts like a security cop watching over your computer network: it blocks traffic your rules don’t allow and logs unauthorized access attempts and suspicious activity – and EVERY business and individual needs one.
However, your firewall is completely useless if it’s not set up or maintained properly. It needs firmware updates and patches on a continual and consistent basis, its rules and security policies configured for YOUR environment rather than left at the factory defaults, and someone actually reading its logs. This is not something you want to try and handle on your own – you are best served by letting the pros (us!) handle that for you.
If you’re not covered, you should call us immediately to correct the error of your ways: 505-792-2375.
IT Security Tip #53: A WARNING if you handle, process or store client credit cards
If you handle, process or store credit cards in any manner, you are required to comply with PCI DSS, the Payment Card Industry Data Security Standard. Strictly speaking it is not a law (although a few U.S. states have written parts of it into statute) but a CONTRACTUAL requirement that comes with your merchant agreement, and that makes it no less binding: if you violate it, your acquiring bank and the card brands can hit you with serious fines and fees, raise your processing rates or cut off your ability to take cards at all.
Are you subject to it if you take credit card payments over the phone? Absolutely! If you have clients that pay you directly by credit card, you’re subject to these requirements. There are different compliance levels depending on how many transactions you process – but thinking you don’t process enough to matter or that “no one would want to hack us” is dangerous. All it takes is an employee writing down a full card number in an e-mail or on a piece of paper to violate the standard; and then you’ll be left with fines, legal fees and the reputational damage incurred when you have to contact your clients to let them know you weren’t properly storing or handling their credit cards.
Getting compliant – or finding out if you ARE compliant – isn’t a simple matter I can outline in a 1-2-3-step checklist. It requires an assessment of your specific environment and how you handle credit card information.
A great resource is the PCI Security Standards Council, at www.pcisecuritystandards.org. If you want assistance in figuring out if you’re compliant, call us for a free assessment.
IT Security Tip #54: You’ve been HACKED! What’s the first thing you should do?
No matter how diligent you are about security, there’s always a chance you can get hacked. That’s why you need to put a plan in place NOW to protect yourself and your CLIENTS, so damage is minimized. But what should you do if you find out you’ve been hacked?
First, contact your IT department (us) IMMEDIATELY. The faster we can respond – and determine which data, applications, accounts and machines were touched – the better your chances of preventing much bigger problems. Don’t power off or wipe affected machines and don’t try to “clean up” on your own first: that destroys the evidence that tells us how the attacker got in and how far they got. We’ll go to work on containing the attack, preserving logs and scanning the ENTIRE network, not just the machine where the problem showed up.
Based on what we discover, we may advise you to contact the local FBI office and your attorney. Your legal responsibilities depend greatly on the type of data accessed. For example, if medical, financial or other confidential records were stolen or accessed, breach-notification laws in most jurisdictions (and HIPAA, for medical data) require you to notify the individuals affected, often within a set deadline (your attorney can best direct you on what you need to do and how to do it).
IT Security Tip #46: The DANGERS of Dropbox and other file sync apps
If you’re using Dropbox, OneDrive, Google Drive or other consumer-grade file sync and sharing cloud applications for company data, listen up! These applications pose a huge threat to your company because company data can be spread far and wide – synced to personal devices and shared by link – without central oversight of what information is being shared with whom, and with no way to pull it back when someone leaves. And when the widely reported list of “7 MILLION hacked Dropbox accounts” surfaced in 2014, it turned out to be passwords stolen from OTHER services that people had reused for Dropbox. Either way, one reused password on a personal file-sync account was a path straight to the company’s data.
This is even MORE important if your company has access to and/or stores financial, medical or other sensitive data. Putting that data in a personal file-sharing account, outside your company’s control and with no agreement from the provider covering it, can put you in direct violation of your data-protection and compliance obligations. Bottom line, DON’T USE THEM FOR COMPANY DATA; use only company-approved, business-grade file-sharing applications that your IT department can administer, audit and wipe.
IT Security Tip #47: DON’T use public WiFi until you read this
We’re all guilty of it: connecting to free public WiFi. Whether it’s at the coffee shop, hotel or airport, the temptation to check e-mail and surf the web is just too strong to resist. So BEFORE you connect to any free, public WiFi, make sure the connection is legitimate.
It’s not uncommon for hackers to set up fake clones of public WiFi access points (an “evil twin”) to get you to connect to THEIR WiFi instead of the legitimate one. Before connecting, check with an employee of the store or location to verify the name of the WiFi they are providing – and be aware that a clone can use the exact same name, so a matching name is not proof. Treat any public network as hostile: NEVER access financial, medical or other sensitive data while on public WiFi, and don’t shop online or enter your credit card information unless you’re absolutely certain the connection is safe and secure. If you must work, use your phone’s hotspot or your company VPN instead.
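As an added example of what the warning signs look like from the client side (our illustration, not code from the newsletter), here is a script that reads a WiFi scan in the terse output format of `nmcli -t -f SSID,BSSID,SIGNAL,SECURITY dev wifi list` on Linux and flags the tell-tales of an evil twin: the same network name advertised both encrypted and open, access points from different hardware vendors under one name, and a locally administered MAC address typical of a phone hotspot or an attack tool. The scan output below is constructed for the example. The result is a heuristic, not proof: a real deployment legitimately has many access points per name, and an attacker can clone the BSSID as well, so the advice above still applies.

```python
import re
from collections import defaultdict

# Constructed scan output in the layout of:
#   nmcli -t -f SSID,BSSID,SIGNAL,SECURITY dev wifi list
# Terse mode separates fields with ':' and escapes the colons inside the BSSID as '\:'.
SAMPLE_SCAN = r"""
CoffeeShop_Free:F0\:9F\:C2\:DD\:EE\:01:72:WPA2
CoffeeShop_Free:F0\:9F\:C2\:DD\:EE\:02:65:WPA2
CoffeeShop_Free:02\:11\:22\:33\:44\:55:88:
HotelGuest:D4\:6E\:0E\:12\:34\:10:40:WPA2
:10\:11\:22\:33\:44\:66:30:WPA2
"""


def parse_nmcli_terse(text: str) -> list:
    """Parse terse nmcli lines into dicts, handling escaped colons, hidden SSIDs and open networks."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Split only on colons that are not escaped, then unescape the BSSID.
        fields = [f.replace(r"\:", ":") for f in re.split(r"(?<!\\):", line)]
        if len(fields) != 4:
            continue
        ssid, bssid, signal, security = fields
        rows.append({
            "ssid": ssid or "<hidden>",
            "bssid": bssid.upper(),
            "signal": int(signal),
            "security": security or "OPEN",
        })
    return rows


def is_locally_administered(bssid: str) -> bool:
    """Bit 1 of the first octet set = locally administered MAC: a software AP such as a
    phone hotspot or an attack tool, rather than a burned-in vendor address."""
    return int(bssid.split(":")[0], 16) & 0x02 != 0


def assess(rows: list) -> dict:
    """Per SSID, list the warning signs of an evil-twin access point. Several BSSIDs under
    one SSID is normal for a real deployment; the signs below are what make it suspicious."""
    by_ssid = defaultdict(list)
    for r in rows:
        by_ssid[r["ssid"]].append(r)
    findings = {}
    for ssid, aps in by_ssid.items():
        notes = []
        securities = {a["security"] for a in aps}
        if len(securities) > 1:
            notes.append("same name advertised with different security settings: " + ", ".join(sorted(securities)))
        ouis = {a["bssid"][:8] for a in aps}   # first three octets identify the hardware vendor
        if len(ouis) > 1:
            notes.append(f"access points from {len(ouis)} different vendor prefixes (OUIs)")
        soft = [a["bssid"] for a in aps if is_locally_administered(a["bssid"])]
        if soft:
            notes.append("locally administered MAC, typical of a hotspot or attack tool: " + ", ".join(soft))
        if "OPEN" in securities:
            notes.append("open network: anything not protected by HTTPS or a VPN is readable on the air")
        findings[ssid] = notes
    return findings


if __name__ == "__main__":
    for ssid, notes in assess(parse_nmcli_terse(SAMPLE_SCAN)).items():
        print(ssid, "-> looks normal" if not notes else "")
        for note in notes:
            print("   !", note)
```

In the sample, the third “CoffeeShop_Free” entry is the one to worry about: it is open where the others use WPA2, its address prefix matches neither of the shop’s access points, and the MAC is locally administered. It also has the strongest signal, which is exactly how an evil twin wins the connection.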
IT Security Tip #48: Work computers and devices are only for ONE thing…
That is, WORK! Never mix personal web surfing and social media with company devices. If you want to check your Hotmail account or Facebook page, do it during your lunch break and on YOUR personal device. Facebook itself reported years ago that around 600,000 logins a day were being compromised. If you’re logged in to a compromised personal account from a company device, a malicious link or attachment delivered through that account lands on a machine with access to your company’s network and e-mail. Bottom line, don’t use company PCs, devices, phones or Internet for PERSONAL use.
IT Security Tip #49: Set up bank alerts – NOW!
Here’s a tip that just might save your bacon: set up withdrawal alerts on your bank accounts. Many banks will send you an e-mail or text alert whenever money leaves your account via check, debit card or transfer. Setting up those alerts lets you spot and report fraudulent activity within minutes, while your bank can still stop or reverse the transaction, instead of discovering it on next month’s statement after the money is long gone.
IT Security Tip #50: Make THIS password different from everything else
You know you’re guilty of it: using the same password for everything. Believe me, I understand how annoying it is to try and remember all those passwords; and if you’re reusing a password on sites that hold nothing sensitive, like a login to a news feed you like to read, the damage from a breach there is limited (though a password manager removes the excuse entirely).
HOWEVER, the ONE password you must keep unique is your e-mail password. If an e-commerce site you’ve registered at or bought from gets hacked – and you used the SAME password there that you use for everything – you can pretty much bet the hackers will try that e-mail address and password against your in-box and every other major site, a routine attack called credential stuffing. Once they’re in your e-mail, they have fertile ground: password-reset links for everything else land right in front of them. Make the e-mail password long and unique, and turn on two-factor authentication for it.
IT Security Tip #44: REMOVE that unwanted freeware
Like it or not, PC manufacturers LOVE to stuff your brand-new PC full of “free” applications (they get paid to do it, so you’ve got a slim chance of getting one without a side of bloatware). Clutter is the enemy of a speedy PC, and every program you don’t use is still attack surface that needs patching. If you’re not using a particular piece of software on a regular basis, it’s best to REMOVE it completely. That way it isn’t sucking up processing speed AND leaving the door open to hackers and malware.
IT Security Tip #45: What to do BEFORE you go to Starbucks
So you’re in the car on the way home from Starbucks, basking in the glow of consuming your triple-shot, low-foam, extra-hot pumpkin-spice latte when you suddenly realize your laptop has gone missing. You drive back like the caffeinated lunatic you are, only to discover no one has turned it in. What do you do? That depends on what precautions you have (or haven’t!) taken.
First, if you’ve encrypted the disk, password-protected access to your device and logged out of your key applications, you’ve bought yourself time: a thief has a locked box, not your data. But the first thing to do, whether or not you’ve taken those precautions, is to notify your IT department (us) that you’ve lost your device. That lets us reset your passwords, revoke your logged-in sessions and lock access to the applications and data a thief might reach from the laptop. We can also remotely wipe the device to make sure no one will be able to get at what’s stored on it. (Which is also why it’s CRITICAL to back up your data on a daily basis!)
Next, change ALL the passwords to every website you log in to, starting with any sites that contain financial data (your bank account) or company data. If your laptop contained medical records, financial information or other sensitive data (like social security numbers, birthdays, etc.), then you need to contact a qualified attorney to understand what you may be required to do by law to notify individuals who may be affected.
Quite simply, an ounce of prevention is worth a pound of cure; so make sure you’re engaging us to encrypt your disks (BitLocker on Windows, FileVault on Mac), back up your data and put remote management software on all mobile devices. Require a PIN or password to unlock a device after at most 10 minutes of inactivity, and get into the habit of logging out of websites when you’re done using them.