Panera Bread Serves Up More Than Cookies.
Over the last 8 months, almost anyone who wanted them could gain access to millions of Panera customer records. According to a report by krebsonsecurity.com, a whistle-blower made Panera aware of a huge flaw in the way its website stored customer data in the summer of 2017. However, the company took no action until the whistle-blower decided to go public with his findings. Panera then took its website down to prevent access to the data, which included names, addresses, birthdays, phone numbers, and the last four digits of customers’ credit card numbers. Past members of the restaurant’s loyalty program and scores of catering companies that deal with Panera might have had information exposed as well. Beyond data mining, the flaw allowed would-be scammers to spend prepaid amounts tied to customers’ accounts or siphon value accrued from past purchases. The report suggested that over 37 million accounts were affected.
No matter what size business you have, your customers’ security (and their trust) should always be your #1 priority. And lucky for you, LDD Consulting specializes in network security. Our dedication to a thorough knowledge of the ins and outs of an ever-changing world of technology security means that YOU, not a whistle-blower or a hacker, are the first to know when something goes wrong. With firewall, antivirus, and general security services just a phone call away, don’t let something like this happen to you! Call 505-792-2375 right away!
IT Security Tip #62: Change your name, and I don’t mean the last one
Too often we see the same e-mail username (the part before the @) reused across multiple free e-mail services. For example:
This makes the work of hackers and cybercriminals way too easy. Once the first part is known, they can guess your address on other online services, try it against those services and the data behind them, or even spoof e-mail from you to others. Variety is the spice of life. Introduce it to your e-mail addresses.
IT Security Tip #63: Keep sensitive data off employee equipment
If a laptop is stolen, even a strong password will likely get cracked. Once the thief succeeds, any private data that is unencrypted is free for the taking. One solution: keep sensitive data on a secure private cloud service, so it’s never on the employee’s hard drive in the first place. By storing this information in the cloud, you can immediately revoke access when a device goes missing. If you have an internal file server in your office, make sure it’s secured properly – talk to your IT provider and discuss options for shared folders for things like HR that only certain people need. You may have a q:\ drive for documents, an s:\ drive for accounting, and a p:\ drive for workflows and processes. Everyone can use q:\ and p:\, but only people who do accounting can use s:\. It’s simple stuff – but think of the possible damage from the data on a laptop lost at the airport. If you are in the medical field, this could also engage the Office of Civil Rights as a HIPAA violation. If your laptop hard drive has the option to encrypt, use it!
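As an added example (not part of the original tip and not LDD Consulting’s own script), this PowerShell script builds the q:\ / s:\ / p:\ layout described above on a Windows file server with least-privilege NTFS and share permissions. The local folder paths under D:\Shares and the "Accounting" domain group name are assumptions.

```powershell
# Added example: three shares, each granting Modify only to the group that needs it.
# Assumed (hypothetical) paths and group names; run as an administrator on the file server.
$shares = @{
    'Docs'       = @{ Path = 'D:\Shares\Docs';       Allow = @('Domain Users') }  # mapped as q:\
    'Workflows'  = @{ Path = 'D:\Shares\Workflows';  Allow = @('Domain Users') }  # mapped as p:\
    'Accounting' = @{ Path = 'D:\Shares\Accounting'; Allow = @('Accounting') }    # mapped as s:\
}

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'

foreach ($name in $shares.Keys) {
    $path = $shares[$name].Path
    New-Item -ItemType Directory -Path $path -Force | Out-Null

    # Break inheritance and discard inherited rules so "Users"/"Everyone" entries from
    # the parent folder do not leak onto the share; then grant only what is needed.
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($true, $false)

    $adminRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList 'BUILTIN\Administrators', 'FullControl', $inherit, 'None', 'Allow'
    $acl.AddAccessRule($adminRule)

    foreach ($group in $shares[$name].Allow) {
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $group, 'Modify', $inherit, 'None', 'Allow'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $path -AclObject $acl

    # Share permissions mirror the NTFS ACL: the effective right is the more restrictive
    # of the two, so granting Full at the share level lets NTFS do the real limiting.
    New-SmbShare -Name $name -Path $path -FullAccess $shares[$name].Allow -ErrorAction Stop | Out-Null
}

# Verification: the accounting folder should list only Administrators and Accounting.
(Get-Acl -Path 'D:\Shares\Accounting').Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited, AccessControlType
```

Map the shares to q:\, s:\ and p:\ with Group Policy drive maps or `net use` on the workstations; users outside the Accounting group will then see an access-denied error on s:\ rather than the data.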
IT Security Tip #64: Start with a fresh session or browser window
You’d like to access the company website or a site for one of your vendors from work. When you click on your favorite browser, it opens to your homepage: msn.com, yahoo.com, aol.com, espn.com… You get the point. You then select the bookmark for the desired website and go. BIG problem! Most websites these days have tracking cookies, tracking pixels and other advertising and data-collection scripts sitting on them. These little spies are now following you across your browser session. Be careful with your information. Web portal sites like the ones I listed are filled with ads, and the site’s overhead is paid for with the information they collect from you.
- Consider changing your homepage to something like https://startpage.com/. They don’t spy.
- Always open a new browser tab when navigating to a new website. Close the last one to keep things tidy after the new one loads.
- Consider using add-ons in your browser to cut down on ads and spies. Not sure how? Ask us.
IT Security Tip #65: Lie, lie, lie!
Social engineering is big business. What is it? Figuring out who you are and then using that information to make money off of it. People post the answers to password-reset and identity-verification questions publicly, or at least freely, on their Instagram, Twitter and Facebook pages and feeds without giving it a second thought. Maiden name? Check. Favorite pet? Check. High school? Check. Town they grew up in? Check. Favorite or first car? Check. Throwback Thursday is a social engineer’s dream! They love this stuff. Combat it by always giving false answers to the password and identity challenge questions on the sites and services that require them. Keep the answer file off-line, or at least in a format that’s not easily guessed. Remember, if it’s a handwritten list, you can still take a photo of it.
IT Security Tip #61: Start with the basics!
You’ve heard the advice countless times before: you must have antivirus software and a strong firewall. However, in this day and age, there is more to the security “basics” than a solid firewall. What about the employee who inadvertently clicks on an e-mail on her phone from a foreign ambassador trying to move money to the US? She sees it’s a scam, but it’s too late…her phone is infected and now sending a copy of every outgoing e-mail to a Russian crime network. Have you trained your employees? Don’t open an Excel attachment called “Invoice” from someone you don’t know – trust me, they’ll call you if you owe them money. A single crack in your armor can open the door for network attacks. Get serious about locking down your devices, e-mail filtering and teaching your users how not to lose last year’s P&L to a crime ring by trying to help a Nigerian prince.
IT Security Tip #60: Don’t download ANYTHING you’re not authorized to download
So you have a big file you need to get over to your printer YESTERDAY and you can’t get it to “send” via e-mail because the file is too big. What should you do? The right thing to do is contact your IT department (us!) so we can assist by installing a secure, commercial-grade file-sharing application. What you shouldn’t do is download a free copy of Dropbox or some other file-sharing software without telling us. Dropbox and other free apps come with a price: SECURITY. These applications are known for security vulnerabilities and hacks. Plus, if we don’t know about it, we can’t manage it or secure it; so the golden rule is this: NEVER download any software or application without checking with your IT department first!
IT Security Tip #57: If you’ve ever said this, you’re ASKING to be hacked!
Want to know what every hacker hopes you believe? “We’re small…nobody wants to hack us.” This is the #1 reason why people (companies) get hacked. They dismiss the importance of IT security because they’re only a “small business.” This is a lazy, irresponsible excuse.
One thing is for certain: NO ONE is immune to cybercrime. In fact, one in five small businesses falls victim to cybercrime and that number grows every year. Plus, half of all cyber-attacks are aimed at small businesses BECAUSE they make themselves low-hanging fruit with sloppy or non-existent security protocols.
And one more critical point to ponder: If YOU aren’t giving IT security the attention it deserves, how do you think your CLIENTS would feel about that? If for no other reason, you need to do it to protect your clients’ data, even if the only information about them you store is an e-mail address. If YOUR system gets compromised, hackers will now have access to your CLIENT’S e-mail and can use that for phishing scams and virus-laden spam. I’m sure your clients want you to be a good steward of their information and privacy, so stop lying to yourself and get serious about putting essential security practices in place.
IT Security Tip #58: How to keep staff from unintentionally causing a security breach
With so many access points, from cell phones to laptops and home computers, how can anyone hope to keep their network safe from hackers, viruses and other unintentional security breaches? The answer is not “one thing” but a series of things you have to implement and constantly be vigilant about, such as installing and continually updating your firewall, antivirus, spam-filtering software and backups. This is why clients hire us – it’s a full-time job for someone with specific expertise (which we have!).
Once that basic foundation is in place, the next most important thing you can do is create an Acceptable Use Policy (AUP) and TRAIN your employees on how to use company devices and other security protocols, such as never accessing company e-mail, data or applications with unprotected home PCs and devices (for example). Also, how to create good passwords, how to recognize a phishing e-mail, what websites to never access, etc. NEVER assume your employees know everything they need to know about IT security. Threats are ever-evolving and attacks are getting more sophisticated and clever by the minute.
This e-mail series is one great way to keep your employees informed, but you STILL need a good AUP in place and training. If you’d like our help in creating one for your company, based on best practices, call us at 505-792-2375. You’ll be glad you did.
IT Security Tip #59: Do online banking? READ THIS!
If you do online banking, NEVER access your online account with a PC or device that you use to log in to social media sites or free e-mail accounts (like Hotmail) or to surf the web. Since these are all highly hackable, keeping one PC dedicated to online banking reduces your chances of getting a bank-account-hacking virus. Of course, that PC should have antivirus installed, be behind a well-maintained and well-monitored firewall, have a strong password and be monitored for suspicious activity.