IT Security Tip #33: Physical security matters!
In a recent incident reported in US news, an office secretary unknowingly gave some of her law firm’s most private data to a gentleman who had bought a Comcast Cable polo shirt off eBay. He dressed in khakis with a tool belt, and told the secretary he was there to audit their cable modem specifications and take pictures of the install for quality assurance. She had no reason to suspect he was part of a now-extinct hacker ring who would gain access to a business’s private network by going inside the office and noting the configuration details and passwords for their firewalls and cable modems. In some cases, they actually built a secure VPN private backdoor they later used to steal data. If someone dressed up in a utility-provider uniform, would you let them in?
Ask for identification and who they have spoken with about the service they are performing, and be gracefully suspicious, as they say in the South. Follow any company policies about how visitors are allowed into the building, if such policies exist. If those kinds of policies don’t exist, work to define them. We can help, if needed – but this is a real problem your office needs to address.
IT Security Tip #34: Don’t send your private information to anyone!
We’re seeing a new variant of an old scam. Here’s what happens: a secretary gets an e-mail from her boss – who is traveling – to please send him, as soon as possible, scanned copies of all the W2s the company issued at the end of January. The message appears to come from her manager, including having what looks like his actual e-mail address when she looks at it in Outlook. She gets suspicious – she has just talked to her boss on the phone that morning, and he never mentioned needing that information. Before she collects the W2 PDFs that are on the HR drive, she decides to text her boss and check on it. Great catch! The boss never requested that information. Had she not been proactive and instead just completed the task assigned to her, she would have given a scammer all of the confidential information that is on a federal W2 form for every employee in her firm! The scammer likely would have used the information to commit identity theft and/or file false returns next year to claim the refund.
Always be vigilant and proactive – it’s better to be suspicious and double-check everything when dealing with confidential information. Try to provide that detail in an encrypted e-mail, or at minimum with a password on the files (and don’t include the password in the body of the e-mail!). The few extra minutes it takes could save months of heartache for all of your employees.
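The spoofed-boss message described above can also be caught mechanically rather than by luck. The following is an added example, not code from the original tip or its author: it flags the three tell-tale patterns (an executive's display name on the wrong address, a Reply-To that points at a different domain, and a request for payroll-type data) in constructed sample messages. The executive list, domains and sample e-mails are invented for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed values for this example: executives whose names an impersonator
# would borrow (keys lower-cased) and data they never request by e-mail alone.
EXECUTIVES = {"pat manager": "pat.manager@example-firm.test"}
SENSITIVE_TERMS = ("w2", "w-2", "ssn", "payroll", "wire transfer")

# Constructed sample messages. The first shows the boss's exact address
# (what Outlook displays) but quietly routes replies to another domain.
SAMPLE_SPOOF = """\
From: Pat Manager <pat.manager@example-firm.test>
Reply-To: Pat Manager <pat.manager@example-flrm.test>
To: assistant@example-firm.test
Subject: Quick favor - W2s

I'm traveling. Please send scanned copies of all the W2s we issued
in January as soon as possible.
"""
SAMPLE_LEGIT = """\
From: Pat Manager <pat.manager@example-firm.test>
To: assistant@example-firm.test
Subject: Lunch

Are we still on for noon?
"""


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw_message):
    """Return the reasons a message resembles the boss-impersonation scam."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    text = (msg.get("Subject", "") + " " + body).lower()
    expected = EXECUTIVES.get(from_name.strip().lower())
    reasons = []
    # 1. Executive's display name on a free-mail or lookalike-domain address.
    if expected and from_addr.lower() != expected:
        reasons.append(f"'{from_name}' shown, but address is {from_addr}")
    # 2. Replies go to a different domain than the address the reader sees.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        reasons.append(f"Reply-To domain {domain_of(reply_addr)} != {domain_of(from_addr)}")
    # 3. An executive asking for data that must be confirmed out of band.
    hits = [t for t in SENSITIVE_TERMS if t in text]
    if expected and hits:
        reasons.append("asks for sensitive data: " + ", ".join(hits))
    return reasons
```

A non-empty result is a cue to do exactly what the secretary did: confirm with the boss by phone or text before sending anything.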
IT Security Tip #35: This will SHOCK you about bank fraud on business accounts
Did you know your COMPANY’S bank account doesn’t enjoy the same protections as a personal bank account? For example, if a hacker takes money from your business account, the bank is NOT responsible for getting your money back. (Don’t believe me? Go ask your bank what their policy is on refunding you money stolen from your account!) Many people think FDIC protects you from fraud; it doesn’t. It protects you from bank insolvency, NOT fraud.
Quick Tip: Set up e-mail alerts on your account so you are notified any time money is withdrawn from your account. The FASTER you catch fraudulent activity, the better your chances are of keeping your money. If you contact the bank IMMEDIATELY, you have a very high probability of foiling a hacker’s attack.
IT Security Tip #29: Keep sensitive data off employee equipment
If a laptop is stolen, even a strong password will likely get cracked. Once the thief succeeds, any private data that is unencrypted is free for the taking. One solution: keep sensitive data on a secure private cloud service, so it’s never on your employee’s hard drive in the first place. By storing this information in the cloud, you can immediately revoke access when a device goes missing. If you have an internal file server in your office, make sure it’s secured properly – you need to talk to your IT provider and discuss options for shared folders for things like HR that only certain people need. You may have a q:\ drive for documents, an s:\ drive for accounting, and a p:\ drive for workflows and processes. Everyone can use q:\ and p:\, but only people who do accounting can use s:\. It’s simple stuff – but think of the possible damage from the data on a laptop lost at the airport. If you are in the medical field, this could also bring in the Office for Civil Rights as a HIPAA violation. If your laptop hard drive has the option to encrypt, use it!
IT Security Tip #30: Start with a fresh session or browser window
You’d like to access the company website or a site for one of your vendors from work. When you click on your favorite browser, it opens to your homepage: msn.com, yahoo.com, aol.com, espn.com… You get the point. You then select the bookmark for the desired website and go. BIG problem! Most websites these days have tracking cookies, microdots and other advertising and data-collection bots that sit on them. These little spies are now following you across your browser session. Be careful with your information. Web portal sites like the ones I listed are filled with ads, and the site’s overhead is paid for with information they get from you.
- Consider changing your homepage to something like https://startpage.com/. They don’t spy.
- Always open a new browser tab when navigating to a new website. Close the last one to keep things tidy after the new one loads.
- Consider using add-ons in your browser to cut down on ads and spies. Not sure how? Ask us.
IT Security Tip #31: Lie, lie, lie!
Social engineering is big business. What is it? Figuring out who you are and then using that information to make money off of it. People post the answers to password-challenge and identity-verification questions publicly, or at least freely, on their Instagram, Twitter and Facebook pages and feeds without giving it a second thought. Maiden name? Check. Favorite pet? Check. High school? Check. Town they grew up in? Check. Favorite or first car? Check. Throwback Thursday is a social engineer’s dream! They love this stuff. Combat it by always giving false answers to the password-challenge and identity-verification questions on the sites and services that require them. Keep the answer file off-line or at least in a format that’s not easily guessed. Remember, if it’s a handwritten list, you can still take a photo of it.
IT Security Tip #24: How to keep staff from unintentionally causing a security breach
With so many access points, from cell phones to laptops and home computers, how can anyone hope to keep their network safe from hackers, viruses and other unintentional security breaches? The answer is not “one thing” but a series of things you have to implement and constantly be vigilant about, such as installing and constantly updating your firewall, antivirus, spam-filtering software and backups. This is why clients hire us – it’s a full-time job for someone with specific expertise (which we have!).
Once that basic foundation is in place, the next most important thing you can do is create an Acceptable Use Policy (AUP) and train your employees on how to use company devices and on other security protocols, such as never accessing company e-mail, data or applications from unprotected home PCs and devices. Also cover how to create good passwords, how to recognize a phishing e-mail, which websites never to visit, and so on. Never assume your employees know everything they need to know about IT security. Threats are ever-evolving and attacks are getting more sophisticated and clever by the minute.
This e-mail series is one great way to keep your employees informed, but you still need a good AUP in place and training. If you’d like our help in creating one for your company, based on best practices, call us at 505-792-2375 or reply to this e-mail. You’ll be glad you did.
IT Security Tip #25: Do online banking? Read this!
If you do online banking, never access your online account with a PC or device that you use to log in to social media sites or free e-mail accounts (like Hotmail) or to surf the web. Since these are all highly hackable, keeping one PC dedicated to online banking reduces your chances of getting a bank-account-hacking virus. Of course, that PC should have antivirus installed, be behind a well-maintained and well-monitored firewall, have a strong password and be monitored for suspicious activity.
IT Security Tip #26: Don’t download anything you’re not authorized to download
So you have a big file you need to get over to your printer yesterday and you can’t get it to “send” via e-mail because the file is too big. What should you do? The right thing to do is contact your IT department (us!) so we can assist by installing a secure, commercial-grade file-sharing application. What you shouldn’t do is download a free copy of Dropbox or some other file-sharing software without telling us. Dropbox and other free apps come with a price: SECURITY. These applications are known for security vulnerabilities and hacks. Plus, if we don’t know about it, we can’t manage it or secure it; so the golden rule is this: never download any software or application without checking with your IT department first!
IT Security Tip #27: Start with the basics!
You’ve heard the advice countless times before: you must have antivirus software and a strong firewall. However, in this day and age, there is more to the security “basics” than a solid firewall. What about the employee who inadvertently clicks on an e-mail on her phone from a foreign ambassador trying to move money to the US? She sees it’s a scam, but it’s too late… her phone is infected and now sending a copy of every outgoing e-mail to a Russian crime network. Have you trained your employees? Don’t open an Excel attachment called “Invoice” from someone you don’t know – trust me, they’ll call you if you owe them money. A single crack in your armor can open the door for network attacks. Get serious about locking down your devices, e-mail filtering and teaching your users how to not lose last year’s P&L to a crime ring by trying to help a Nigerian prince.
IT Security Tip #28: Change your name, and I don’t mean the last one
Too often we see e-mail usernames and prefixes the same across multiple free e-mail services. For example:
This makes the work of hackers and cybercriminals way too easy. With the first part easy to figure out, they can get access to other online services and data or even spoof your e-mail addresses to others. Variety is the spice of life. Introduce it to your e-mail addresses.
IT Security Tip #21: 3 rules to keeping your data safe in the cloud
If you’re using any kind of cloud application (and these days, who isn’t?), you are right to be concerned about data privacy and security. The company hosting your data is ultimately responsible for keeping hackers out of their network, but most cloud breaches are due to user error. So it’s important that you, the user, are being smart about security. Here are a few things you can easily do to improve security in the cloud:
- Maintain a strong password of at least eight characters with both uppercase and lowercase letters, numbers and symbols. Do not make it easy, such as “Password123!”. While that technically meets the requirements, a hacker could easily crack it.
- Make sure the device you’re using to access the application is secure. This is an area where you need professional help in installing and maintaining a strong firewall, antivirus and spam-filtering software. Don’t access your cloud application with a device you also use to check social media sites and free e-mail accounts like Hotmail.
- “Reverse”-backup your data. If the data in a cloud application is important, make sure you’re downloading it from the application and backing it up in another safe and secure location. That way, if your account is hacked or the data is corrupted, you have a copy.
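The first rule above notes that “Password123!” satisfies the complexity rule yet is trivially crackable. As an added example, not part of the original tip, the following check applies that rule and then looks for the predictable patterns (dictionary base word, counting or year-like digit runs, symbols tacked on the end) that make such a password weak; the word list and sample passwords are constructed for illustration, and the letter-for-symbol swap table is a small illustrative subset.

```python
import re

# Constructed shortlist for this example; a real check consults a large
# breached-password list instead.
COMMON_WORDS = ("password", "welcome", "letmein", "qwerty", "summer", "admin")
# Common letter-for-symbol swaps that cracking rule sets undo automatically.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t"})


def meets_complexity(pw):
    """The rule from the tip: 8+ characters with upper, lower, digit and symbol."""
    return bool(len(pw) >= 8 and re.search(r"[A-Z]", pw) and re.search(r"[a-z]", pw)
                and re.search(r"\d", pw) and re.search(r"[^A-Za-z0-9]", pw))


def weakness_reasons(pw):
    """Patterns a cracker tries first, even when the password passes meets_complexity."""
    reasons = []
    # Undo the swaps and keep letters only, so P@ssw0rd1! collapses to "passwordi".
    base = re.sub(r"[^a-z]", "", pw.lower().translate(LEET))
    if any(base.startswith(w) for w in COMMON_WORDS):
        reasons.append("built on a dictionary word")
    # Runs of three or more digits that count up, count down, repeat, or look like a year.
    for run in re.findall(r"\d{3,}", pw):
        steps = {int(b) - int(a) for a, b in zip(run, run[1:])}
        if steps in ({1}, {-1}, {0}) or re.fullmatch(r"(19|20)\d\d", run):
            reasons.append(f"predictable digit run {run}")
    # Symbols that appear only as a suffix add almost nothing against a rule-based attack.
    if re.fullmatch(r"[A-Za-z0-9]+[^A-Za-z0-9]+", pw):
        reasons.append("symbols only tacked on the end")
    return reasons


def assess(pw):
    """Return (passes the complexity rule, reasons it is still weak)."""
    return meets_complexity(pw), weakness_reasons(pw)
```

A password that passes the rule but returns reasons should be rejected just as firmly as one that fails the rule outright.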
IT Security Tip #22: The #1 threat to your security is…
You! And your employees. Like it or not, human beings are our own worst enemies online, inviting hackers, viruses, data breaches, data loss, etc., through the seemingly innocent actions taken every day online. In most cases, this is done without malicious intent – but if you as a manager or owner aren’t monitoring what websites your employees are visiting, what files they’re sending and receiving, and even what they’re posting in company e-mail, you could be opening yourself up to a world of hurt.
That’s because employees’ actions can subject the company they work for to monetary loss, civil lawsuits, data theft and even criminal charges if they involve disclosure of confidential company information, transmission of pornography or exposure to malicious code.
One thing you can (and should) do is configure your firewall to document and monitor which websites users are visiting. Almost all enterprise-level firewalls have this ability built in; you simply need to configure it and monitor the reports (something we can certainly help you with). But it’s up to you to set the rules, write it into an Acceptable Use Policy (AUP), train employees on what is and isn’t acceptable and then get them to sign the AUP.
IT Security Tip #23: If you’ve ever said this, you’re asking to be hacked!
Want to know what every hacker hopes you believe? “We’re small…nobody wants to hack us.” This is the #1 reason why people (companies) get hacked. They dismiss the importance of IT security because they’re only a “small business.” This is a lazy, irresponsible excuse.
One thing is for certain: No one is immune to cybercrime. In fact, one in five small businesses falls victim to cybercrime and that number grows every year. Plus, half of all cyber-attacks are aimed at small businesses because they make themselves low-hanging fruit with sloppy or non-existent security protocols.
And one more critical point to ponder: If YOU aren’t giving IT security the attention it deserves, how do you think your clients would feel about that? If for no other reason, you need to do it to protect your clients’ data, even if the only information about them you store is an e-mail address. If your system gets compromised, hackers will now have access to your clients’ e-mail addresses and can use them for phishing scams and virus-laden spam. I’m sure your clients want you to be a good steward of their information and privacy, so stop lying to yourself and get serious about putting essential security practices in place.
Ryan loved tweaking photos on his Android phone. He’d heard rave reviews from his friends with iPhones about Prisma, a new iOS app for image editing. So when he heard Prisma would soon be released for Android, he logged in to the Google Play Store to see if it was there yet. To his surprise, he found one that looked just like what his friends were describing. Delighted, he downloaded and started using it. Meanwhile, the app—a fake—was busy installing a Trojan horse on his phone. When he got to work the next day, he logged his phone into the company network as usual. The malware jumped from his phone to the network. Yet no one knew. Not yet, but that was about to change…
Now, this isn’t necessarily a true story (at least, not one we’ve heard of—yet…), but it absolutely could have been. And similar situations are unfolding as you read this. Yes, possibly even at your company… Fake apps exploded onto iTunes and Google Play last November, just in time for holiday shopping. Apple “cleaned up” iTunes in an effort to quell users’ concerns, but hackers still find workarounds. Unfortunately, these fake apps pose a real threat to the security of your network. Especially if your company has anything but the strictest BYOD (bring your own device) policies in place. And the more your network’s users socialize and shop on their smartphones, the greater the risk of a damaging breach on your network. Fake apps look just like real apps. They masquerade as apps from legitimate merchants of all stripes, from retail chains like Dollar Tree and Footlocker, to luxury purveyors such as Jimmy Choo and Christian Dior. Some of the more malicious apps give criminals access to confidential information on the victim’s device. Worse yet, they may install a Trojan horse on that device that can infect your company’s network next time the user logs in.
So what can you do? First, keep yourself from being fooled. Anyone can easily be tricked unless you know what to look for. Take the following advice to heart and share it with your team: Beware of Fake Apps! In case you weren’t aware, one of the latest and most dangerous Internet scams is fake apps. Scammers create apps that look and behave like a real app from a legitimate store. These fake apps can infect your phone or tablet and steal confidential information, including bank account and credit card details. They may also secretly install on your device malicious code that can spread, including to your company network. Take a moment and reflect on these five tips before downloading any app:
1. When in doubt, check it out. Ask other users before downloading it. Visit the store’s main website to see if it’s mentioned there. Find out from customer support if it’s the real McCoy.
2. If you do decide to download an app, first check reviews. Apps with few reviews or bad reviews are a red flag.
4. Offer as little of your information as possible if you decide to use an app.
5. Think twice before linking your credit card to any app.
Most importantly, get professional help to keep your network safe. It really is a jungle out there. New cyberscams, malware and other types of network security threats are cropping up every day. You have more important things to do than to try and keep up with them all.