IT Security Tip #36: Working from home? DON’T! Until you read this…
If you plan on catching up on some work from home AND you’re using a personal device such as a smartphone or personal laptop – DON’T! Unless your personal device is monitored by us, you could accidentally introduce a virus to the company’s network.
ONLY devices that are under our vigilant watch of patching, updating and monitoring should be used to work remotely. Side Note: We can set up a way for you to work from home securely; call our office if you would like us to set that up: 505-792-2375.
IT Security Tip #37: Use STRONG passwords!
Thanks to powerful brute-force-attack software readily available online, hackers can try tens of millions of possible password combinations per second. For example, hacking software can guess a five-character password in under three hours. If you only use lowercase letters, it’s 11.9 seconds.
You KNOW you need to have a better password than “password” or “letmein” if you have any hope of keeping hackers out of your PC; but what does a “strong” password mean? A good password should be at least eight characters long (or longer!) and have a combination of uppercase and lowercase letters, numbers and symbols that are hard to guess. Don’t use dictionary words with proper capitalization because they’re easy to guess (like Password123#). Even though it meets the requirements we just discussed, it’s easily hacked; remember, hackers have sophisticated password-hacking software that will run 24/7/365. If you want a quick tip for remembering your password, use a phrase and insert letters and numbers into it, like $h@KeNb8ke.
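An added worked example (not part of the original tip) that reproduces the figures above: the rate of one million guesses per second is an assumption, chosen because it is the rate at which both numbers in the tip work out, and the tiny word list, function names and sample passwords are constructed for illustration.

```python
import string

# Assumed guess rate: one million guesses per second. That is the rate at which the
# tip's own figures come out (26^5 lowercase combinations take 11.9 s, and 95^5
# printable-ASCII combinations take a little over two hours).
GUESSES_PER_SECOND = 1_000_000

# Constructed stand-in for a word list; a real check would load a large dictionary
# plus lists of leaked passwords.
COMMON_WORDS = {"password", "letmein", "welcome", "admin", "qwerty", "monkey"}

# The four standard character classes and their sizes (95 printable ASCII in total).
CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation + " ", 33),
)

def charset_size(pw: str) -> int:
    """Size of the smallest union of standard classes covering every character of pw."""
    return sum(size for chars, size in CLASSES if any(c in chars for c in pw))

def brute_force_seconds(length: int, charset: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst case: seconds needed to try every combination of `length` symbols."""
    return charset ** length / rate

def is_dictionary_based(pw: str) -> bool:
    """True for a dictionary word in any capitalisation, optionally followed by digits
    and symbols (e.g. Password123#). Word-list guessing with mangling rules finds these
    far sooner than the exhaustive-search estimate suggests, so that estimate overstates them."""
    word = pw.rstrip(string.digits + string.punctuation + " ")
    return word.isalpha() and word.lower() in COMMON_WORDS

def meets_policy(pw: str) -> bool:
    """The tip's rule: eight or more characters, all four classes, not a decorated word."""
    return len(pw) >= 8 and charset_size(pw) == 95 and not is_dictionary_based(pw)

def describe(pw: str) -> str:
    """One-line summary used by the demo below."""
    secs = brute_force_seconds(len(pw), charset_size(pw))
    if secs < 3600:
        took = f"{secs:.1f} s"
    elif secs < 365 * 86400:
        took = f"{secs / 3600:.1f} h"
    else:
        took = f"{secs / (365.25 * 86400):.3g} years"
    verdict = "ok" if meets_policy(pw) else "FAIL"
    note = " (dictionary word: falls to word-list guessing much sooner)" if is_dictionary_based(pw) else ""
    return f"{pw!r}: exhaustive search {took}, policy {verdict}{note}"

if __name__ == "__main__":
    for candidate in ("abcde", "aB3$e", "password", "Password123#", "$h@KeNb8ke"):
        print(describe(candidate))
```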
IT Security Tip #38: If this type of alert pops up, DON’T click on it!
You’re working at your computer when all of a sudden – BAM! – you get a pop-up notification that your PC is infected with a virus and you must “click here” to run a scan or install antivirus software. This is a common scareware tactic used by hackers to get you to click and download a virus. (You should know we would NEVER deliver that type of pop-up to you!)
Often it will appear to be a system alert or a Microsoft operating system alert. Regardless of how legitimate it looks, NEVER click on the site or the pop-up. The safest thing to do is close your browser; do not click on the X, “Close” or “Cancel” button in the pop-up or on the site because clicking on anything on the page or pop-up will trigger a virus download. If that won’t work, bring up your task manager (hold Control + Alt + Delete on a PC and Command + Option + Esc to “Force Quit” on a Mac) and close the web browser or application where it appeared. Next, notify your IT department (us!) that this has happened so we can double-check with a legitimate scan if your computer was infected.
IT Security Tip #39: How to foil ransomware
Not too long ago, the CryptoLocker ransomware virus was all over the news, infecting over 250,000 computers in its first 100 days of release (at least that’s the number reported – the real numbers are probably MUCH higher). The threat was fairly straightforward: Pay us or we’ll delete all your data.
Ransomware, like the CryptoLocker attack, works by encrypting your files to prevent you from using or accessing them. After your files are compromised, the hackers behind the attack then pop up a demand screen asking for payment ($400 to $2,000) within a set time frame (e.g., 72 hours or three days) in order to get the key to decrypt your files. The last CryptoLocker virus forced many business owners to lose data or pay up since there was no other way to decrypt the files.
Obviously the best way to foil a ransomware attack is to be incredibly diligent about IT security; but with hundreds of thousands of new attacks being created daily, there are no guarantees that you won’t get infected. Therefore, it’s critical to maintain a full, daily backup of your data OFF-SITE so that IF you do get whacked with ransomware, you can recover all your files without having to pay a thin dime; and don’t forget to back up off-site PCs, laptops, remote offices and third-party software data stored in cloud apps as well!
IT Security Tip #40: How to spot a phishing e-mail
A phishing e-mail is a bogus e-mail that is carefully designed to look like a legitimate request (or attached file) from a site you trust in an effort to get you to willingly give up your login information to a particular website or to click and download a virus.
Often these e-mails look 100% legitimate and show up in the form of a PDF (scanned document) or a UPS or FedEx tracking number, bank letter, Facebook alert, bank notification, etc. That’s what makes these so dangerous – they LOOK exactly like a legitimate e-mail. So how can you tell a phishing e-mail from a legitimate one? Here are a few telltale signs…
First, hover over the URL in the e-mail (but DON’T CLICK!) to see the ACTUAL website you’ll be directed to. If there’s a mismatched or suspicious URL, delete the e-mail immediately. In fact, it’s a good practice to just go to the site direct (typing it into your browser) rather than clicking on the link to get to a particular site. Another telltale sign is poor grammar and spelling errors. Another warning sign is that the e-mail is asking you to “verify” or “validate” your login or asking for personal information. Why would your bank need you to verify your account number? They should already have that information. And finally, if the offer seems too good to be true, it probably is.
IT Security Tip #33: Physical security matters!
In a recent incident reported in US news, an office secretary unknowingly gave some of her law firm’s most private data to a gentleman who had bought a Comcast Cable polo shirt off eBay. He dressed in khakis with a tool belt, and told the secretary he was there to audit their cable modem specifications and take pictures of the install for quality assurance. She had no reason to suspect he was part of a now-extinct hacker ring who would gain access to a business’s private network by going inside the office and noting the configuration details and passwords for their firewalls and cable modems. In some cases, they actually built a secure VPN private backdoor they later used to steal data. If someone dressed up in a utility-provider uniform, would you let them in?
Ask for identification and who they have spoken with about the service they are performing, and be gracefully suspicious, as they say in the South. Follow any company policies about how visitors are allowed in the building, if such policies exist. If those kinds of policies don’t exist, work to define them. We can help, if needed – but this is a real problem your office needs to address.
IT Security Tip #34: Don’t send your private information to anyone!
We’re seeing a new variant of an old scam. Here’s what happens: a secretary gets an e-mail from her boss – who is traveling – to please send him, as soon as possible, scanned copies of all the W2s the company issued at the end of January. The message appears to come from her manager, including having what looks like his actual e-mail address when she looks at it in Outlook. She gets suspicious – she has just talked to her boss on the phone that morning, and he never mentioned needing that information. Before she collects the W2 PDFs that are on the HR drive, she decides to text her boss and check on it. Great catch! The boss never requested that information. Had she not been proactive and instead just completed the task assigned to her, she would have given a scammer all of the confidential information that is on a federal W2 form for every employee in her firm! The scammer likely would have used the information to commit identity theft and/or file false returns next year to claim the refund.
Always be vigilant and proactive – it’s better to be suspicious and double-check everything when dealing with confidential information. Try to provide that detail in an encrypted e-mail, or at minimum with a password on the files (and don’t include the password in the body of the e-mail!). The few extra minutes it takes could save months of heartache for all of your employees.
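The two checks described in Tip #40 (hover to see where a link really goes) and Tip #34 (an address that only looks like the boss's) can be automated for mail that has already been delivered. This is an added example, not code from the original tips: the message, the domains and the function names are all constructed, and the "trusted domain" is whatever your firm actually owns.

```python
from email import message_from_string, policy
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, not a real message: the display name is the boss's, the address
# is on a look-alike domain ("examp1e" with a digit one), and the link's visible text
# names a site other than the one its href really points to.
SAMPLE_EMAIL = """\
From: "John Smith (CEO)" <john.smith@examp1e-corp.com>
Subject: Urgent: W2s needed
Content-Type: text/html

<html><body><p>Please <a href="http://example-corp.com.evil.test/login">verify
your account at www.example-corp.com</a> and send the W2 PDFs today.</p></body></html>
"""
TRUSTED_DOMAIN = "example-corp.com"  # the firm's real domain (assumed for the example)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

class _Links(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def registered_domain(host: str) -> str:
    """Last two labels of a host name; a crude stand-in for a public-suffix lookup."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def phishing_indicators(raw: str, trusted_domain: str) -> list:
    """Return the tips' telltale signs that this message exhibits ([] if none)."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    for addr in getattr(msg["From"], "addresses", ()):      # who really sent it?
        if registered_domain(addr.domain) != trusted_domain:
            findings.append(f"sender {addr.addr_spec} (shown as {addr.display_name!r}) "
                            f"is not on {trusted_domain}")
    part = msg.get_body(preferencelist=("html", "plain"))
    html = part.get_content() if part else ""
    links = _Links()
    links.feed(html)
    for href, text in links.links:                           # the "hover over the link" check
        host = urlparse(href).hostname or ""
        shown = {registered_domain(d) for d in DOMAIN_RE.findall(text)}
        if host and shown and registered_domain(host) not in shown:
            findings.append(f"link text names {sorted(shown)} but points to {host}")
    if re.search(r"\b(verify|validate)\b", html, re.I):      # the "verify your login" lure
        findings.append("asks you to verify or validate your account")
    return findings
```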
IT Security Tip #35: This will SHOCK you about bank fraud on business accounts
Did you know your COMPANY’S bank account doesn’t enjoy the same protections as a personal bank account? For example, if a hacker takes money from your business account, the bank is NOT responsible for getting your money back. (Don’t believe me? Go ask your bank what their policy is on refunding you money stolen from your account!) Many people think FDIC protects you from fraud; it doesn’t. It protects you from bank insolvency, NOT fraud.
Quick Tip: Set up e-mail alerts on your account so you are notified any time money is withdrawn from your account. The FASTER you catch fraudulent activity, the better your chances are of keeping your money. If you contact the bank IMMEDIATELY, you have a very high probability of foiling a hacker’s attack.
IT Security Tip #29: Keep sensitive data off employee equipment
If a laptop is stolen, even a strong password will likely get cracked. Once the thief succeeds, any private data that is unencrypted is free for the taking. One solution: keep sensitive data on a secure private cloud service, so it’s never on the employee’s hard drive in the first place. By storing this information in the cloud, you can immediately revoke access when a device goes missing. If you have an internal file server in your office, make sure it’s secured properly – you need to talk to your IT provider and discuss options for shared folders for things like HR that only certain people need. You may have a q:\ drive for documents, an s:\ for accounting, and a p:\ for workflows and processes. Everyone can use q:\ and p:\ but only people who do accounting can use s:\. It’s simple stuff – but think of the possible damages of data on a lost laptop at the airport. If you are in the medical field, this could also engage the Office for Civil Rights as a HIPAA violation. If your laptop hard drive has the option to encrypt, use it!
IT Security Tip #30: Start with a fresh session or browser window
You’d like to access the company website or a site for one of your vendors from work. When you click on your favorite browser, it opens to your homepage: msn.com, yahoo.com, aol.com, espn.com… You get the point. You then select the bookmark for the desired website and go. BIG problem! Most websites these days have tracking cookies, microdots and other advertising and data-collection bots that sit on them. These little spies are now following you across your browser session. Be careful with your information. Web portal sites like the ones I listed are filled with ads, and the site’s overhead is paid for with information they get from you.
- Consider changing your homepage to something like https://startpage.com/. They don’t spy.
- Always open a new browser tab when navigating to a new website. Close the last one to keep things tidy after the new one loads.
- Consider using add-ons in your browser to cut down on ads and spies. Not sure how? Ask us.
IT Security Tip #31: Lie, lie, lie!
Social engineering is big business. What is it? Figuring out who you are and then using that information to make money off of it. People list password challenge and identity verification publicly or at least freely on their Instagram, Twitter and Facebook pages and feeds without giving it a second thought. Maiden name? Check. Favorite pet? Check. High school? Check. Town they grew up in? Check. Favorite or first car? Check. Throwback Thursday is a social engineer’s dream! They love this stuff. Combat it by always giving false password and identity challenge and verification information to the sites and services that require it. Keep the answer file off-line or at least in a format that’s not easily guessed. Remember, if it’s a handwritten list, you can still take a photo of it.
IT Security Tip #24: How to keep staff from unintentionally causing a security breach
With so many access points, from cell phones to laptop and home computers, how can anyone hope to keep their network safe from hackers, viruses and other unintentional security breaches? The answer is not “one thing” but a series of things you have to implement and constantly be vigilant about, such as installing and constantly updating your firewall, antivirus, spam-filtering software and backups. This is why clients hire us – it’s a full-time job for someone with specific expertise (which we have!).
Once that basic foundation is in place, the next most important thing you can do is create an Acceptable Use Policy (AUP) and train your employees on how to use company devices and other security protocols, such as never accessing company e-mail, data or applications with unprotected home PCs and devices (for example). Also, how to create good passwords, how to recognize a phishing e-mail, what websites to never access, etc. Never assume your employees know everything they need to know about IT security. Threats are ever-evolving and attacks are getting more sophisticated and clever by the minute.
This e-mail series is one great way to keep your employees informed, but you still need a good AUP in place and training. If you’d like our help in creating one for your company, based on best practices, call us at 505-792-2375 or reply to this e-mail. You’ll be glad you did.
IT Security Tip #25: Do online banking? Read this!
If you do online banking, never access your online account with a PC or device that you use to log in to social media sites or free e-mail accounts (like Hotmail) or to surf the web. Since these are all highly hackable, keeping one PC dedicated to online banking reduces your chances of getting a bank-account-hacking virus. Of course, that PC should have antivirus installed, be behind a well-maintained and well-monitored firewall, have a strong password and be monitored for suspicious activity.
IT Security Tip #26: Don’t download anything you’re not authorized to download
So you have a big file you need to get over to your printer yesterday and you can’t get it to “send” via e-mail because the file is too big. What should you do? The right thing to do is contact your IT department (us!) so we can assist by installing a secure, commercial-grade file-sharing application. What you shouldn’t do is download a free copy of Dropbox or some other file-sharing software without telling us. Dropbox and other free apps come with a price: SECURITY. These applications are known for security vulnerabilities and hacks. Plus, if we don’t know about it, we can’t manage it or secure it; so the golden rule is this: never download any software or application without checking with your IT department first!
IT Security Tip #27: Start with the basics!
You’ve heard the advice countless times before: you must have antivirus software and a strong firewall. However, in this day and age, there is more to the security “basics” than a solid firewall. What about the employee who inadvertently clicks on an e-mail on her phone from a foreign ambassador trying to move money to the US? She sees it’s a scam, but it’s too late…her phone is infected and now sending a copy of every outgoing e-mail to a Russian crime network. Have you trained your employees? Don’t open an Excel attachment called “Invoice” from someone you don’t know – trust me, they’ll call you if you owe them money. A single crack in your armor can open the door for network attacks. Get serious about locking down your devices, e-mail filtering and teaching your users how to not lose last year’s P&L to a crime ring by trying to help a Nigerian prince.
IT Security Tip #28: Change your name, and I don’t mean the last one
Too often we see e-mail usernames and prefixes the same across multiple free e-mail services. For example:
This makes the work of hackers and cybercriminals way too easy. With the first part easy to figure out, they can get access to other online services and data or even spoof your e-mail addresses to others. Variety is the spice of life. Introduce it to your e-mail addresses.
IT Security Tip #21: 3 rules to keeping your data safe in the cloud
If you’re using any kind of cloud application (and these days, who isn’t?), you are right to be concerned about data privacy and security. The company hosting your data is ultimately responsible for keeping hackers out of their network, but most cloud breaches are due to user error. So it’s important that you, the user, are being smart about security. Here are a few things you can easily do to improve security in the cloud:
- Maintain a strong password of at least eight characters with both uppercase and lowercase letters, numbers and symbols. Do not make it easy, such as “Password123!” While that technically meets the requirements, a hacker could easily crack that.
- Make sure the device you’re using to access the application is secure. This is an area where you need professional help in installing and maintaining a strong firewall, antivirus and spam-filtering software. Don’t access your cloud application with a device you also use to check social media sites and free e-mail accounts like Hotmail.
- “Reverse”-backup your data. If the data in a cloud application is important, make sure you’re downloading it from the application and backing it up in another safe and secure location. That way, if your account is hacked or the data is corrupted, you have a copy.
IT Security Tip #22: The #1 threat to your security is…
You! And your employees. Like it or not, human beings are our own worst enemies online, inviting hackers, viruses, data breaches, data loss, etc., through the seemingly innocent actions taken every day online. In most cases, this is done without malicious intent – but if you as a manager or owner aren’t monitoring what websites your employees are visiting, what files they’re sending and receiving, and even what they’re posting in company e-mail, you could be opening yourself up to a world of hurt.
That’s because employees’ actions can subject the company they work for to monetary loss, civil lawsuits, data theft and even criminal charges if they involve disclosure of confidential company information, transmission of pornography or exposure to malicious code.
One thing you can (and should) do is configure your firewall to document and monitor which websites users are visiting. Almost all enterprise-level firewalls have this ability built in; you simply need to configure it and monitor the reports (something we can certainly help you with). But it’s up to you to set the rules, write it into an Acceptable Use Policy (AUP), train employees on what is and isn’t acceptable and then get them to sign the AUP.
IT Security Tip #23: If you’ve ever said this, you’re asking to be hacked!
Want to know what every hacker hopes you believe? “We’re small…nobody wants to hack us.” This is the #1 reason why people (companies) get hacked. They dismiss the importance of IT security because they’re only a “small business.” This is a lazy, irresponsible excuse.
One thing is for certain: No one is immune to cybercrime. In fact, one in five small businesses falls victim to cybercrime and that number grows every year. Plus, half of all cyber-attacks are aimed at small businesses because they make themselves low-hanging fruit with sloppy or non-existent security protocols.
And one more critical point to ponder: If YOU aren’t giving IT security the attention it deserves, how do you think your clients would feel about that? If for no other reason, you need to do it to protect your clients’ data, even if the only information about them you store is an e-mail address. If your system gets compromised, hackers will now have access to your clients’ e-mail and can use that for phishing scams and virus-laden spam. I’m sure your clients want you to be a good steward of their information and privacy, so stop lying to yourself and get serious about putting essential security practices in place.