Nest Labs, a division of Google, recently discovered a list of email addresses and passwords that had been published online. As part of their ongoing commitment to protect their customers from hackers, Nest continuously monitors databases found online of stolen or leaked passwords. When they found that some of their customers’ passwords were listed on a phishing website, they sent out an email to customers.

Consumers remain the weakest link

Security experts all agree that the weakest link when it comes to internet security is the consumer. People click on suspicious links that download a virus or worm onto their device. They also frequently use the same password across multiple accounts. Many users visit sites that are unsafe where they may be exposed to malware. Often, consumers use the same password for years. All these practices make it very easy for hackers to steal passwords then break into various accounts.

Nest takes proactive stance

When Nest found the databases of leaked passwords, they sent out emails to all of their customers that read in part:

“Nest monitors publicly leaked password databases and checks our own databases for matches. We’ve found that your email and password were included in a list of accounts shared online. Common causes of password theft are falling victim to phishing emails or websites, malware, and password reuse on other websites which may have been compromised.”

The letter goes on to give instructions to users about what to do next and this applies to anyone who suspects that their password has been stolen. Instructions are below:

- Sign in to your Nest Account (bank account, credit card account, etc.) immediately.
- Navigate to the account management screen and find the item that says, “Reset Password.”
- Select a new password. Be sure to use numbers, letters, capital letters and symbols. An example of a good password would be: 57Rop*82!@HK. A password like this is much harder for crooks to decipher. An example of a weak password would be: time1234. This password would be easy for hackers to learn.
- Click “Save” to save the new password. Be sure to make a note of the password.

You can also go to the log-in screen of any account including Nest and click on “Forgot Password.” This will initiate a procedure where you are sent a code (usually as a text message). Enter that code where prompted, then proceed to create your new password.

Nest reminded its users that unless they did log on and change their password within a set length of time, the company might disable access to their account. Often, users put off changing passwords so the company most likely felt like it was necessary to include this veiled threat to shut down the account until a new password was chosen.

How to change your Nest password using the app

The company also included instructions for changing the password via the Nest app and these are given below for your convenience:

- On the Nest app home screen, tap the Menu icon.
- Select the Account icon.
- Select “Manage account,” then “Account security,” then “Account password.”
- Enter your current password and your new password, then tap “Save changes.”

How to use Two-Factor Verification (2FA)

Nest also offers the option of 2-step (2-factor) verification, which can add a layer of protection to any account. This is very important to do for financial accounts and other accounts like Nest where your home, family or money might be at risk. The instructions for adding 2-step verification are given below:

- On the Nest app’s home screen, select the Menu icon at the top.
- Select Account.
- Select “Manage account,” then “Account security.”
- Select “2-step verification.” Then tap the switch to toggle 2-step verification on.
- Follow the prompts to enter your password, phone number, and the unique verification code sent to your phone.

Cyber theft increasing globally

Many experts are now recommending that customers add 2-step verification to all their online accounts. The increase in hacking and phishing schemes worldwide has alarmed many security experts, as well as consumers. It has become commonplace to read that one of your favorite stores or most trusted brands has lost millions of data records to hackers. This fact has spawned a new generation of security experts and advocacy groups whose purpose is to stem the tide of the growing number of cyber thefts.

One of these groups called the Internet Society was the first to discover the Nest breach when they stumbled across an email from Nest to one of its customers. The society forwarded the email to the Online Trust Alliance and they published it as a blog post. Once this occurred, the story made international news.

How Nest learned of the breach

Though Nest has not revealed how they learned about the compromised passwords, it is believed that they regularly check a site called “Have I Been Pwned?” which is run by Troy Hunt, a security researcher. The site can be used to check whether any of your passwords have been stolen or leaked online. It includes half a billion passwords and other credentials stolen from consumers all over the world.

About Nest Labs

Nest Labs, now a division of Google, provides home automation tools that are programmable, sensor-driven and self-learning. Using your home’s Wi-Fi system, Nest products can be controlled either at home or remotely. These products include smoke detectors, thermostats, indoor and outdoor security cameras, security systems, lights, and other common household appliances.

Nest was founded in 2010 by Matt Rogers and Tony Fadell, engineers who formerly worked for Apple. The company grew quickly to 130 employees and within just a few short years, Nest Labs had grown to 280 employees worldwide. In 2014, Google acquired the company for an estimated $3.2 billion. Today, the company has over 1,200 employees. They recently built a state-of-the-art engineering center in Seattle, Washington.
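The check that Nest's email describes in the article above, matching a published list of emails and passwords against the service's own account database, could look like the following on the service side. This is an added example, not Nest's code: the salted PBKDF2 storage scheme, the plaintext `email:password` line format, and every function name and sample record are assumptions constructed for illustration.

```python
"""Match a published credential list against a service's own account store."""
import hashlib
import hmac
import os

# Assumption: the service stores a random per-account salt and a
# PBKDF2-HMAC-SHA256 hash, never the plaintext password.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def make_account(password: str) -> dict:
    """Build a stored account record (hypothetical schema)."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "must_reset": False}


def parse_leak_line(line: str):
    """Parse one 'email:password' line; return None if it is unusable.

    Only the first ':' separates the fields, so passwords that contain
    ':' survive intact. Emails are lower-cased to match the account keys.
    """
    email, sep, password = line.rstrip("\r\n").partition(":")
    email = email.strip().lower()
    if not sep or "@" not in email or not password:
        return None
    return email, password


def find_exposed_accounts(accounts: dict, leak_lines) -> set:
    """Return emails whose *current* password appears in the leaked list."""
    exposed = set()
    for line in leak_lines:
        parsed = parse_leak_line(line)
        if parsed is None:
            continue
        email, leaked_password = parsed
        account = accounts.get(email)
        if account is None:
            continue  # not a customer: skip before paying for a hash
        # Re-derive the hash with the account's own salt; a salted store
        # cannot be searched by hashing the leaked password just once.
        candidate = hash_password(leaked_password, account["salt"])
        if hmac.compare_digest(candidate, account["hash"]):
            exposed.add(email)
    return exposed


def require_password_reset(accounts: dict, exposed: set) -> None:
    """Flag matched accounts so the next sign-in forces a new password."""
    for email in exposed:
        accounts[email]["must_reset"] = True


# Constructed sample data (not real accounts or real leaked credentials).
ACCOUNTS = {
    "alice@example.com": make_account("time1234"),
    "bob@example.com": make_account("57Rop*82!@HK"),
    "carol@example.com": make_account("Unrelated#Pass9"),
    "dave@example.com": make_account("a:b:c9!"),
}
LEAK_LINES = [
    "Alice@Example.com:time1234\n",   # current password: exposed
    "bob@example.com:summer2016\n",   # email listed, password not current
    "dave@example.com:a:b:c9!\n",     # password containing ':'
    "mallory@example.net:hunter2\n",  # not a customer
    "not-a-credential-line\n",        # malformed
    "\n",
]

if __name__ == "__main__":
    hits = find_exposed_accounts(ACCOUNTS, LEAK_LINES)
    require_password_reset(ACCOUNTS, hits)
    for email in sorted(hits):
        print(f"force reset and notify: {email}")
```

An account whose email is in the list but whose stored hash does not match (bob in the sample) is not flagged here; a service may still choose to notify such users, since the leaked password might be reused elsewhere.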
Cybercriminals are getting more fearless by the day and their crimes are getting more and more sophisticated. Cybercrimes are costing businesses and organizations billions of dollars each year. This has spawned a new generation of cybercrime fighters who search for ways to end this threat once and for all.

With each new attack, the crimes get more sophisticated. Hackers are learning from their mistakes and tweaking their methods to make them even more effective. While most attempts to end hacking seem futile, it is an industry that will continue to require experts in managed threat detection. Stopping thieves before they can get into your database is the preferred method and this has now become possible. The latest technology can assess your network’s weaknesses and your IT professional can recommend various ways to shut down those weak areas.

Why the rise in popularity of managed threat detection?

Investments in technologies that prevent cybercrimes are currently on the rise. There are now a number of solutions that prevent intrusion into your computers. But many companies feel they just don’t have the money to install the latest threat detection equipment. Though there is an initial expense involved, business owners with these new threat detection systems do enjoy greater peace of mind.

One cyber-attack is now estimated to cost approximately $1.3 million on average. In addition, customer trust is eroded once the public learns of the breach and overall sales can go down. The expenses for a breach can often linger for years.

What is Managed Detection and Response?

MDR is a combination of technologies and skills that provide global threat intelligence, deep threat analytics, and earlier incident mitigation. The most effective response to a breach requires a collaborative, far-reaching effort. Managed Detection and Response works well because it is set up to function every minute of every day. It provides more thorough protection from the viruses, worms, ransomware, and malware that exist on the World Wide Web.

MDR is commonly used together with traditional managed security services (MSS) to ensure complete protection. These services can be provided by specialized vendors who focus mainly on threat management. They can also be provided by specialists who have MDR capabilities. Managed detection is chiefly distinguished by the fact that it works even in circumstances where the traditional methods of protection, which are focused on limited log collection and rules-based analysis, do not work.

How is MDR delivered?

Today, businesses will find a few cybersecurity experts who understand the ever-changing landscape in the world of cybercrime. Thieves utilize a number of methods that evolve with each new attack. The only truly effective response to these attacks is to develop a system of crushing cyber-attacks that also evolves with each new event.

New technology focuses on a series of effective approaches to threat detection and elimination. The initial step is known as threat anticipation, which measures the level of a company’s preparedness. This determines how high a company’s chances are of being targeted by cyber thieves.

MDR also includes threat hunting. Instead of waiting for an event to occur, this technology actively hunts for threats and eliminates them.

Third, security monitoring is essential. This service is basically exactly what it says. A system is put in place that constantly monitors all hardware, software, and networking equipment, looking for loopholes that thieves might exploit. Security monitoring should include alert response, incident response, and breach management.

Why is Managed Detection and Response popular?

For most business owners, there just isn’t time each day to worry about cyber breaches and data leaks. Though the costs to address them can be enormous, a business person needs to focus on running his company. Your business can suffer if you must constantly be pulled away to address potential security threats. That’s the major reason why business owners are opting for a greater level of protection for all their computers and networking equipment.

Threat detection and prevention is a full-time job and most business people just don’t have the time or skills to deal with it. Your company needs the finest protection available so you can get back to work without the stress of knowing that a breach could occur at any moment.

MDR service providers are able to collect data from various sources on the threats that your organization may face. This enables them to know exactly which threats are more pronounced. Once an organization knows where their weaknesses lie, they are in a better position to respond, repair those flaws, and move forward with more confidence.

Of course, a good managed detection and response program should also include all the measures to respond should a breach occur. In spite of all the advances in technology, if just one of your employees clicks on a malicious link, they could download ransomware or other harmful malware into your system. You can mitigate the damage though, by knowing exactly what to do.

Final Thoughts

Managed Detection and Response (MDR) is designed to handle anything that cyber-thieves can throw at you. It initially seeks to find and close any weaknesses, but it also includes a sound response plan should a breach occur. It utilizes today’s best detection tools, threat intelligence, forensic investigation tools, and human analysts. It can give business owners the peace of mind they need to get back to running their companies without the constant worry of an expensive data breach.
In a day and time when everyone is being super careful not to click on suspicious links, there’s a new threat lurking. Just about every home and office has a router. It’s an inconspicuous piece of equipment that most of us rarely think about. And now, a new alert issued by the FBI says that Russian hackers have targeted routers in 50 countries around the world.

Why the router?

Routers are rarely updated. Unlike the operating system on a smartphone or computer, most router manufacturers do not send out regular updates for their products.

Last January, a complaint was filed against router manufacturer D-Link. In the complaint, the FTC said that the manufacturer was leaving their users at risk by not installing adequate security measures. Their failure to do so had left many consumers open to attacks from hackers.

Experts are now saying that there’s no incentive for router manufacturers to release regular updates to their products that could stave off attacks. Up to now, these manufacturers have not been held liable and when there’s no liability, manufacturers will often take cost-saving shortcuts.

How hackers are getting in

Using malware called VPNFilter, cybercriminals are able to collect user data. Once the hacker has control of the router, they can use it to eavesdrop on consumers. This weakness also allows hackers a doorway to all home computers, TVs or anything connected via the router.

The FBI recently discovered one website that hackers had set up to use in their attack. This website was designed to give instructions to the routers that had been taken over. Though shutting this site down did cut off one avenue of attack, the FBI warned that millions of routers were still infected. This leaves millions of consumers around the world vulnerable and most users will not even realize they’ve been hacked.

Who is responsible for the hacks?

The Justice Department said the hacking group referred to itself as “Sofacy” and that they answered to the Russian government. The hacking group also goes by the names Fancy Bear and APT28 and they have been involved in some very high-profile targets over the last few years. This group was blamed for the hacks carried out during the 2016 presidential campaign that targeted the Democratic National Convention.

Cisco Systems Inc. performed its own investigation and found that the targeted routers include Netgear, Belkin’s Linksys, QNAP, MikroTik, and TP-Link. There may be others involved as well and most were purchased by consumers at local electronic stores and online. Cisco shared the results of their investigation with the Ukrainian government and the U.S. The FBI said that they believe some of the affected routers were also provided by internet service companies.

New types of warfare between Russia and Ukraine

Russia has long been involved in attacks against Ukrainian companies due to ongoing hostilities between the two countries. In the past, these attacks have cost millions of dollars and exposed the personal, confidential information of both businesses and individuals. At least one attack was responsible for an electricity blackout in Ukraine.

The Ukrainian government recently stated that the Russian government was planning a cyber-attack against some privately held companies, along with Ukrainian state bodies. They believe these attacks were meant to disrupt the Champions League soccer finals which were being held in Kyiv.

What to do next

Experts are recommending that everyone using a router shut it down and reboot it. They also recommend disabling remote manager settings. If at all possible, upgrade the router to the latest firmware and change your password.

The FBI warned, “The size and scope of the infrastructure by VPNFilter malware is significant.” Their experts said that hackers could render the routers affected completely inoperable if they wanted to, but that wasn’t their primary goal. Instead, they were planning to steal data off the computers, phones, and other connected devices by taking over the routers that controlled internet access.

The FBI stated that the malware would be very hard to detect even by professionals because of encryption and other tactics used by the hacking group.
When we think of Memorial Day, we have visions of parades, going to the beach, enjoying a picnic in the park, or gathering with family and friends for a barbeque. But, as most of us know, this is a special day to honor military members who made the ultimate sacrifice for our country. Many of us will be visiting the gravesites and memorials of the men and women who served and died performing military service for our country.

The History Of Memorial Day

This year, Memorial Day is on Monday, May 28th.

Memorial Day was first known as Decoration Day. It originally honored only those who lost their lives while fighting in the Civil War. In the spring of 1865 at the end of the Civil War, people throughout the U.S. held tributes to fallen soldiers by decorating their graves with flowers on Decoration Day.

General John A. Logan of the Grand Army of the Republic proclaimed that the first Decoration Day be observed each year on May 30th. On the first Decoration Day, General James Garfield made a speech at Arlington National Cemetery where 5,000 attendees decorated the graves of the more than 20,000 soldiers from both the Union and Confederacy. It was during this time that the federal government established the first national cemeteries.

Americans in the northern states followed suit with their own commemorative events, and by 1890 each recognized Decoration Day as an official state holiday. Southern states honored their dead on separate days. After World War I, the holiday evolved to commemorate American military members who died in all wars.

In 1966, the federal government declared Waterloo, New York as the official birthplace of Memorial Day. They chose this city because, on May 5, 1866, Waterloo closed businesses so residents had a day where they could decorate the graves of soldiers. However, a number of other cities claim to be the birthplace of Memorial Day. These include:

- Columbus, Mississippi
- Richmond, Virginia
- Macon, Georgia
- Carbondale, Illinois
- Boalsburg, Pennsylvania

In 1968, the U.S. Congress passed the Uniform Monday Holiday Act, which established Memorial Day as the last Monday in May. It went into effect in 1971 and Memorial Day has been designated a federal holiday ever since.

In the year 2000, President Clinton signed the “National Moment of Remembrance Act,” which designates 3:00 p.m. local time on each Memorial Day as the National Moment of Remembrance.

Today, cities and towns across America hold Memorial Day parades each year along with military personnel and members of veterans’ organizations. Some of the largest parades take place in Washington, D.C., New York, and Chicago.

What Will You Be Doing On Memorial Day?

When Congress made Memorial Day into a mandatory three-day weekend with the National Holiday Act of 1971, it, unfortunately, caused some to think of it as a vacation weekend and to be distracted from the spirit and meaning of the day.

Some people confuse Memorial Day with Veterans Day. Veterans Day is a commemoration of all the individuals who have served or are currently serving in the nation’s armed forces. Memorial Day was specifically enacted to honor those who died while serving the country. Because we also think of it as a “beginning of summer” celebration, this can tend to minimize the true meaning of Memorial Day.

Because of this, Hawaii Senator Daniel Inouye, a World War II veteran, introduced a Congressional measure to return Memorial Day to May 30 in 1987. He continued to do so every year until his death in 2012. In 1999, he wrote:

“Mr. President, in our effort to accommodate many Americans by making the last Monday in May, Memorial Day, we have lost sight of the significance of this day to our nation. Instead of using Memorial Day as a time to honor and reflect on the sacrifices made by Americans in combat, many Americans use the day as a celebration of the beginning of summer.” [3]

Honoring Our Fallen Military Members

Without the sacrifice of the men and women in our Armed Forces, we wouldn’t enjoy the freedoms we have today. Even if you’re having fun celebrating this Memorial Day holiday, we should all take a moment to remember them.

- Civil War – Approximately 620,000 Americans died. The Union lost almost 365,000 troops and the Confederacy about 260,000. More than half of these deaths were caused by disease.
- World War I – 116,516 Americans died, more than half from disease.
- World War II – 405,399 Americans died.
- Korean War – 36,574 Americans died.
- Vietnam Conflict – 58,220 Americans died.
- Operation Desert Shield/Desert Storm – 383 service members died.
- Operation Iraqi Freedom – 4,411 service members died.
- Operation New Dawn – 73 service members died.
- Operation Enduring Freedom – 2,346 service members died.
- Operation Freedom’s Sentinel – 48 service members have died as of May 2018.
- Operation Inherent Resolve – 61 service members have died as of May 2018. [1]

A national moment of remembrance occurs at 3:00 p.m. local time on Memorial Day. Please join us in taking the time to remember and thank all of our fallen military members.

[1] https://www.cnn.com/2013/05/23/us/memorial-day-fast-facts/index.html
[2] https://www.history.com/topics/holidays/memorial-day-history
[3] http://people.com/celebrity/why-happy-memorial-day-is-inappropriate/
Your manufacturing company is in the crosshairs of hackers. Cyber-spies are using backdoor viruses to steal intellectual property from businesses like yours.

According to Verizon’s 2017 Data Breach Investigations Report, these cyber-spies are supported by nation states. 620 data breaches hit the manufacturing sector last year, and 94% were committed by state-affiliated actors. 91% of the intellectual property (IP) that was stolen was proprietary data owned by manufacturing businesses.

China in particular expanded their state-sanctioned hacking of US manufacturers in 2017. It’s expensive to do the R&D necessary to design and build a product. It’s a lot less costly just to steal it.

Nation-state cyber-espionage is the predominant cause of breaches in the manufacturing industry. In February 2018 the Worldwide Threat Assessment of the U.S. Intelligence Community confirmed that some nation-state actors are continuing to use cyber attacks to “acquire U.S. intellectual property and proprietary information to advance their own economic and national security objectives.” They say that advances in manufacturing, particularly the development of 3D printing, almost certainly will become even more accessible to a variety of state and nonstate actors and be used in ways contrary to our interests.

The problem is that while manufacturing increasingly involves high-tech processes, in many cases manufacturing businesses don’t have the right IT security in place. 40% of manufacturing security professionals say they don’t have a formal IT security strategy in place. And 37% say they don’t have an incident response plan. This makes manufacturing businesses a prime target for hackers who want to steal IP.

A Backdoor Could Be Secretly Leaking Your IP

The Verizon report reveals that most computer intrusions in the manufacturing industry began with a spear-phishing email that was sent to a company employee and which contained a malicious link or attachment. The malware comes in the form of a backdoor that gives the hacker secret remote access to the computer.

A backdoor is an undetectable technique where a technology system’s security is bypassed without anyone knowing so a thief can steal data. Hackers use backdoors to install malware to modify code or detect files and gain system and data access.

Any connected device in the manufacturing process is at risk. Social engineering and malware-based cyberattacks combined for a whopping 73 percent of all data breaches in the manufacturing sector last year. Spies favor email phishing techniques with malware to compromise victims.

A recent article in the CIO Journal stated: “Almost any connected device, whether on the shop floor in an automated system or remotely located at a third-party contract manufacturer, should be considered a risk.”

Manufacturers aren’t asking their Technology Service Providers to perform cyber risk assessments on technology they use on the factory floor. If they did, these backdoors could be detected and “closed.” This is a nightmare that will only get worse if manufacturing companies don’t perform their due diligence where IT security is concerned.

If this doesn’t scare you, these statistics should. In 2017:

- 21 percent of manufacturers lost intellectual property to hackers.
- Four of the top ten cyberthreats facing manufacturing organizations are caused by their employees.
- 28 percent of manufacturing organizations lost revenue due to cyber threats.
- Over 35% of manufacturing executives believe IP theft was the primary motive for the cyber attacks in their businesses.

To change this paradigm requires buy-in from leadership. However, although the manufacturing industry is focused on innovation, updating and enhancing technologies on the factory floor is a cumbersome, slow process. Hackers know this.

It’s time to protect your intellectual property. Develop a cyber-risk management program with the help of your Technology Solutions Provider. They can do a complete IT risk assessment and detect if there are any backdoors installed on your systems.

The right Technology Solutions Provider (TSP) will customize an IT strategy for you that includes protection for your intellectual property.

Data Security: With ever-increasing threats from cybercrime, your manufacturing business requires risk assessments, data protection, data recovery, staff awareness training, and maximum security of your critical data. You must be able to back up, protect and recover your proprietary and confidential information. To do this, you should outsource your disaster recovery and backup solutions to an expert TSP who will analyze your current state of preparedness and offer guidance on potential courses of action.

Disaster Recovery/Business Continuity: You must be able to recover data after a power outage, disaster, or when IT services are compromised. This requires backing up data to a secure, offsite location so it can be retrieved anywhere you have an internet connection. This way, your employees can continue working. The right TSP will:

- Develop and deploy a complete Business Continuity and Disaster Recovery Plan, a customized program to integrate the policies and procedures into your corporate culture, and conduct training sessions to ensure all employees are comfortable with procedures.
- Maintain an on-going program designed to ensure the validity of the Business Continuity and Disaster Recovery Plan and keep the plan up to date and communicated to all key personnel.

Security Enhancement Via Continuous Monitoring and Maintenance: The right TSP provides continuous monitoring to remotely view your technology network, identify risks and halt IT attacks and breaches. They will address IT issues before they cause downtime or data loss.

Identity and Access Management: They will help you comply with security and regulatory requirements, allowing only authorized individuals to access confidential information.

Virtualization—Servers, Desktop, Storage, Applications, Data Center: Virtualization in information technology refers to the use of virtual servers, desktops, storage devices, applications, and computer network resources. It allows you to virtualize your entire IT infrastructure or specific aspects of it. Virtualization simplifies technology to promote security and efficiencies and reduce costs for your manufacturing business.

The right Technology Solution Provider will ensure the security of your intellectual property. They will also be available 24/7 to provide the specialized and customized IT Service and Support you need to succeed.
Over the years there have been many versions of Windows such as Windows 8, Windows Vista, and Windows XP. Windows 10, the latest update from Microsoft, has many unique features that distinguish it from its predecessors. While the previous versions ran mainly on laptops and desktops, Windows 10 is designed to run on tablets equally as well.

One of the best features of this update, which is also known as Spring Creators Update, is that it takes very little time to install – just under thirty minutes. While the previous updates used to take a lot of time, this new version is very time effective. Windows 10 has many other distinctive features that are very useful for many small businesses.

Cortana on Desktop

Windows 10 brings voice-controlled digital assistance in the form of Cortana to computers. Now you can interact with or give commands to your computer without lifting a finger. You don’t need to type – just tell your computer if you want to launch a PowerPoint presentation, need a specific file, or want to look at specific photos. Your PC can do all this while you work on, say, an interdepartmental email.

Timeline

Timeline has replaced the Task Viewer icon beside the Windows taskbar. This new feature allows the user to view the activity history of their desktop. If you are looking for a file that you were working on last week, Timeline will help you find it quickly. Just click on the Task View button on the taskbar, and you will be able to see all your open files and applications. It is a convenient way to see what applications are running. Windows will display photos, folders, and documents according to the date that they were last used.

Privacy

Another security feature of Windows 10 is the new Windows Diagnostic Data Viewer. This feature allows you to view the amount of information that Microsoft can access from your computer. You can keep your data safe by fine-tuning privacy settings which concern application usage, browser history, web permissions, and connected devices.

The Start Menu is back!

In the previous update the Start Menu was eliminated, but in Windows 10 we can see its revival. The bottom left shows the Start Button, and when you click on it, two panels appear side by side with the left side showing the most used applications. The right side displays a list of live tiles that you can resize, reorganize, and customize. There is a power button at the top similar to Windows 8 for features such as Standby, Hibernate, and Shut down.

Nearby Sharing

Another simple feature that makes office work so much easier is Nearby Sharing, which you can enable from the Control Panel. Select the computer you want to send the file to and then click on the Share button in the Photos app or the Edge browser. The computer will receive a notification asking it to accept or decline the file. This ensures that file transfers can happen without unreliable network folders, beat-up USB devices, or empty email messages.

Snap Assist

In this update, the Snap View feature has also been updated which allows users to open multiple windows side-by-side without being limited by your screen’s resolution. This feature also suggests different apps that you can open to fill the available space.

Swift Pair

This feature allows you to connect to a Bluetooth device within the desktop’s range. You will automatically receive notifications whenever there is a connection opportunity. With Windows 10 you can use wireless headphones to make a call or try out a wireless keyboard by just clicking connect.

Microsoft Edge

The new browser called Microsoft Edge has replaced the old Internet Explorer. This browser has many impressive features such as Cortana integration, which allows you to pull up contextual information without having to search through emails. It has an annotation tool which lets you write anything and share it with your friends on social networks without leaving the browser, and PDF support which makes reading easier by improving the layout of long articles.

Tablet Mode

Windows 10, unlike Windows 8, makes a clear differentiation between tablets and desktops. In Windows 8, if you happen to be using a mouse and keyboard, by default, you will be in desktop mode.

Action Center

The Action Center in Windows 10 has been expanded to allow easy access to frequently used settings such as tablet mode and Wi-Fi connectivity. It also shows all essential notifications as soon as your computer receives an update.

Windows 10 has many impressive features which were missing in the previous update. It is faster, provides invaluable security protection and makes multitasking much easier. Update your computer today to enjoy all the benefits of this new operating system.
Moving to “the cloud” is good business sense – the cloud makes financial sense as opposed to the costly real estate involved with server expansion and never-ending data needs. But how can you protect yourself and your data in something you can’t see, touch, or control?

“Change is scary.” It’s a phrase often uttered in response to big news that means change on the grand scale; something big is looming. The reference to change being “scary” really has to do with human nature and the fear of the unknown. But are we really afraid of the unknown? Or is this more to do with apprehension over something we don’t yet fully understand? You’ll pay a small fortune to a therapist to get the answers to all of those questions, but the bottom line really is just that change makes us nervous for all of those reasons.

When the discussion turns to the cloud, this intangible and invisible “thing” that is ever-evolving and so adaptable that it’s seemingly different for everyone, our collective guard is up. The reality is that the cloud is only invisible to us – these storage servers do physically exist somewhere, using another entity’s real estate and power supply. Hired staff maintain and protect these servers on your behalf. The cloud is scalable based on your needs, meaning you can secure more or less storage space as your business needs change. Win-win-win, right? Yes and no.

Myth: I’m paying someone else to store my data, so the burden of security is on them.

Fact: It’s your data being stored in the cloud, so you still need to think about security. You have a duty to protect the information of customers and clients, and if there is a data breach or other cybersecurity vulnerability, there is still a liability.

Myth: Cloud providers are super high-tech and impenetrable.

Fact: Your data is stored on third-party servers and accessed via an Internet connection.
Any reputable cloud solution provider employs incredibly strict security measures and keeps abreast of the latest cybersecurity news – so you don’t have to. That doesn’t mean, though, that you don’t need to worry about secure access and taking every precaution you can to prevent unauthorized access through a breach on your end.

Myth: My cloud solution knows what they’re doing, so I don’t have to.

Fact: You are paying an expert to provide you a service, but that doesn’t mean you don’t need to be aware or your team doesn’t need to be knowledgeable. More importantly, why would you not want to know how your cloud provider is protecting you – and your data? Would you be concerned if servers were stored in an unlocked and unguarded facility? What about if your data was backed up on hard drives that sat exposed to the elements or accessible to anyone? Or worse – if your data wasn’t being backed up at all? That’s like letting your staff keep passwords to their network or cloud access on a notepad on their desktop for the world to see! Don’t let human error be responsible for a breach – keep informed.

Did you know that for more than half of organizations that experience a data loss, especially those classified as “small and medium businesses (SMBs)”, whether from a cybersecurity breach or not, the impact is catastrophic and they aren’t able to recover? That means if there is a data breach, the odds aren’t in your favor to recover at all.

The most important thing to remember is that a 100% cybersecurity guarantee isn’t possible, but that every business can take steps to make sure they’re protected, and so is their cloud service access.

How can you make sure your data is secure?

Establish a formal process with your team.

Does each member of your team understand their responsibility as it relates to security measures?
Maybe – but the only way to make sure every team member is taking every precaution is to define what measures are in place and what steps need to be taken to protect the brand, the organization, and its data. Ensure the formal process is part of the new team member onboarding so that all staff have the information and understand what is expected – including executives.

Follow the latest security best practices.

Is your network secure? If your IT staff is in-house, make sure there is a process for continuing education. If your organization outsources your managed processes, make sure your trusted partner is employing these same best practices and communicates needs to your organization clearly and in a timely manner.

Are passwords complex? Do passwords contain a mix of uppercase and lowercase letters, plus numbers and symbols? Are passwords routinely changed? Passwords shouldn’t be reused in multiple locations, either, and should be unique to users.

Is data backed up? As many as 20% of back-ups are incomplete or corrupt, and some systems are fundamentally flawed. If your organization backs up your own data, even a fraction of your stored data, make sure it’s stored in a secured location with these same best practices above.

Are desktop workstations, mobile access machines, and remote technology all equipped with the latest in active antivirus software?

Proactivity and consistency.

This is probably the most important part of any cybersecurity process. Does your organization provide ongoing training to team members to make sure security measures are kept updated and consistent? Operator error is the most common cause of a data breach!

“An ounce of prevention is worth a pound of cure.” Never are these words truer than in the case of data security! Protecting your data is essentially protecting yourself from cybercriminals who seek to access your data for illicit gain.
Proactive protective safeguards, consistently deployed, really will go the farthest in terms of protecting your organization’s future.

Is the cloud right for you?

You may not have a choice. Recent estimates show that costs and other factors will require organizations to use the cloud in some manner within the next five years
Most business owners are cognizant of the prevalence of fraud in the digital world today. According to Experian’s Global Fraud and Identity Report 2018, almost three-quarters of businesses believe fraud is a growing concern, and nearly two-thirds reported fraudulent losses over the past year.

What is Fraud?

Fraud occurs when an individual’s payment information is used without their authorization. When hackers breach your network and access your customers’ or clients’ sensitive cardholder information, they have many opportunities to commit fraud numerous times. Anytime someone falsifies an identity and “tricks” a system into thinking the person making a purchase is someone other than who they actually are, this is considered to be fraud.

Fraud is Pervasive in Today’s Digital World

This is because the majority of business and consumer data remains vulnerable. As the value of digital information grows, so does the hacker’s motivation to develop methods to avoid detection from the latest technologies. The existing account setup process requires consumers to provide extensive amounts of personal information along with passwords and secret questions. And data breaches provide this information to cybercriminals. When this data is stolen, it’s often used for fraudulent activities.

Fraud is a moving target just like the hackers. New tactics are evolving where criminals combine real and fake information to create new identities. Most business owners just don’t have a handle on this – and they lack confidence in their ability to protect their customers and their companies from fraud. One of the reasons for this is that their initiatives are mostly reactionary rather than proactive as many continue to use legacy cybersecurity technology rather than investing in new, more sophisticated data protection solutions. As a result, every month that goes by increases their vulnerability and exposure to data breaches and fraud.
Fraud is an ever-present and growing risk

For businesses in e-commerce, managing the risk of fraud is a delicate balancing act between providing ease of use for customers vs. fraud protection. They struggle with mitigating fraud and providing a positive customer experience. Unfortunately, the customer experience wins out in most cases, and businesses are willing to risk fraudulent losses over losing customers to their competition. Ironically, they are setting their businesses up for reputational damage where they will end up losing customers anyway, fail to gain new ones, and possibly face financial penalties and litigation costs.

The 2017 Cost of Data Breach Study from the Ponemon Institute, sponsored by IBM, puts the global average cost at $3.6 million, or $141 per data record. That’s a reduction from the average cost in 2016, but the average size of data breaches has increased. It’s also worth noting that the average cost of a data breach in the United States is much higher at $7.3 million.

More than 50 percent of businesses say they still rely on passwords as their top form of authentication.1 And business leaders know that using passwords isn’t the most secure option. But customers are used to them, and business owners want to please them. They also complain that they lack the financial resources to adopt more advanced authentication methods when this would save them legal fees and penalties if/when their customers’ accounts are breached – not to mention their reputation and the future existence of their business. This, of course, is very shortsighted.

How data breaches and fraud are connected

Data breaches and fraud don’t usually occur at the same time and place. Cybercriminals won’t steal a customer’s information and turn around and use it for a purchase from the same business. So, it’s not easy for a business to detect when a breach occurs. Data breaches are typically detected by using specific security tools that monitor all payment activity.
Merchants should follow PCI-DSS standards to identify and prevent breaches and remain compliant. PCI-DSS audits will help you find vulnerabilities in your system and reveal inadequacies that must be eradicated.

A successful case of fraud spreads like cancer

If a hacker can get one password, they may have the keys to other password-protected accounts. The more online accounts people open, the greater their risk. And most people have quite a few. If the hacker can figure out the password to someone’s email account, they may also have the key to their credit card and banking accounts as well. You must remain vigilant to prevent data breaches and fraud.

What to do if you suspect fraud

A key indicator of fraud is chargebacks, where a customer disputes a charge on their credit card and you aren’t paid for the service or product. If your chargeback rate increases above a 1% margin, this is a good indication that you’re experiencing fraud. In this case, you should hire a third-party auditor like an IT Managed Services Provider (MSP) to help bring you back into compliance and stop the thieves. They will detect where the problem(s) exist and whether what they find indicates a data breach. PCI-DSS compliance requirements mandate that you do this to stop the fraudulent activity.

Of course, you should contact the card processor as well. They will connect you to the card providers who can often identify the point of access or detect a suspicious pattern of activity.

What You Can Do to Reduce Fraud and Data Breaches

Use EMV Technology.

EMV (Europay Mastercard Visa) is the global standard to authenticate payment cards. EMV technology can help you protect your business from fraud. It ensures the card is legitimate and that the person using the card is the authorized user. EMV chips are microprocessors that store and protect cardholder data. They use a unique cryptogram that’s validated by the card issuer.
This makes it more difficult for hackers to break the code and steal card information to commit fraud. Today, if you don’t use an EMV-capable terminal, and the transaction turns out to be fraudulent, you can be held financially liable for that transaction. EMV has been used in the United Kingdom since 2004, and card-present fraud has gone down
Your cybersecurity practices shouldn’t be treated like a game of chance unless you are 300% certain you’re going to win. What can you do to make sure your business isn’t the ultimate loser?

Is technology today the endless cycle of cat-and-mouse, with the bad guys always one step ahead? A quick search for “cybersecurity best practices” will yield millions of results, all with their ideas of what you can do – but does any of it make sense?

Someone busy running a company faces a complex dichotomy: Being too busy running their company to worry about something that won’t directly generate revenue, but not giving enough time and attention to something that could directly impact revenue. Those are two very distinct and different thoughts, but still closely related. Not only is cybersecurity a critical focus of business today, but it’s also the easiest way to fail.

Cybercriminals – hackers – are usually one step ahead of us good guys, but that’s the “cat and mouse” game to them. We respond to cybersecurity breaches that make the news with preventive measures to avoid the same fate and do our best to have enough safeguards in place to protect every element we can. Hackers seek a cybersecurity vulnerability to exploit to their advantage. Their reasons don’t matter – it’s the result that affects their victims.

Why do we still have vulnerabilities when we know better?

Myth: Half of small businesses think they’re “too small” for a hacker to target.

Truth: Small businesses make easier targets for many reasons. They often don’t have the tech budgets that the Fortune 500 companies do in order to take every precautionary measure to avoid being hacked.

Smartphones are major targets of hackers now, given more than half of all web traffic is reported to take place via mobile devices. Smartphones don’t have the same level of protection, making them easy targets, and therefore easy points of entry to a cybersecurity vulnerability.
Imagine pressing a thumbtack into a hairline fracture on a porcelain plate – this one weak spot has the potential for this singular action to shatter the plate into thousands of pieces. Now, imagine this plate is your proprietary data, and this thumbtack is a hacker. Can you see the potential damage?

Myth: Employees of small businesses know more about the company and are more invested in its success, therefore take the time to safeguard their actions.

Truth: The dedication of staff to their employer has nothing to do with cybersecurity. Modern cybercriminals are targeting critical data: consumer information, accounts with intellectual property, financial information about both the company and consumers.

Three out of every four small businesses have no formal cybersecurity policies or protocols in place for staff, nor training to discuss the latest threats and how to thwart them. Hackers know this – oh, yes, they know – and they also know the small business is less protected than those Fortune 500 companies. This is a lethal combination. Nearly two-thirds of small businesses have yet to address security regarding mobile devices or enact formal policies for mobile device use as it pertains to professional operations.

Myth: Small businesses can bounce back faster after a breach.

Truth: Half of all small businesses don’t have a disaster preparedness plan in place for recovery should they be impacted by a cybersecurity threat, a “data breach”.

It’s reported that less than half of all small businesses back up their data weekly. Let that sink in. The data loss in the event of a hack could have catastrophic results for as many as half of all small businesses. In the event of a breach, companies of any size consider the data loss and downtime to have the greatest impact, followed by the revenue loss – but most of the time, the impact to a company’s reputation isn’t considered until already in clean-up mode.
If you’re ready to win at “Tech Truth or Dare”, here are the new rules of the game:

Do you know what needs to be protected?

What data do you store? How is your data stored? What protective measures and security protocols are in place? Where are the “holes”? This last question is the most important, and it’s a smart decision to hire an expert to help you with this one.

What formal policies need to be updated – or put in place?

Every business needs an official cybersecurity policy. This policy should also be updated annually, at the minimum. Formalizing a policy can make sure everyone that has access to your data follows the same procedures and the strongest safeguards are in place. This should include:

- Password protocols: Passwords should be unique, complex, and changed regularly
- System updates: Check for the latest updates to all applications and security releases
- Privacy settings: Verify that users have the most secure privacy settings on their desktop and laptop computers, and smartphones and mobile devices

What is your plan for how to handle a disaster?

Perhaps an extension of the previous question, but no less important is how to handle a hack or breach should one occur. You’ve taken all the necessary steps and precautions, but you still had a disaster – now what? Best practices include daily back-up of your critical resources – which you’ll need to identify – and then test the process to ensure it’s sufficient, just in case.

Talk to experts.

You are an authority in what you do, and your sales pitch to your customers focuses on your expertise. Why wouldn’t you hire experts to protect your business?

Is your training sufficient?

Make sure your staff is aware of the steps needed for Internet safety, email security, network threats, and how to detect and protect in the event of each. Equally important is what needs to be done if something happens and they suspect a threat.

Prevent your business from becoming a victim of a hacker this year and win the game!
Make 2018 the year you have an ironclad cybersecurity program,
Sure, yoga teaches the flexibility that is key to adapting to your surroundings. But in practicing daily self-awareness, the saying “A team is only as good as its weakest player” is rarely truer than in the world of cybersecurity. How does your team stack up?

Target knows. Sony knows. Ashley Madison definitely knows. That’s the bad thing – an organization may only realize how strong — or weak — their cybersecurity position is once there is a successful cyberattack. The nature of the attack doesn’t matter, nor does the overall effect. The damage is done, and the organization goes into clean-up mode. In the days immediately following, the phrase heard most is “How did this happen?” when the real question should be “How can we prevent this from happening again?”

Subtlety isn’t the goal of a hacker, nor is it their strongest attribute. The modus operandi of any hacker is singular: find a cybersecurity vulnerability and exploit it to their advantage. The rest doesn’t matter. You likely disagree, but we think you’ll realize this is exactly the case. After all, we want to help you beef up your security and prevent a vulnerability rather than shift into defensive mode upon clean-up from an attack. The latter is going to shift your focus for up to a year of reactivity, while a little extra focus now will prolong your proactive position. An ounce of prevention is worth a pound of cure, especially in this type of situation.

At the most basic level, your organization’s cybersecurity is based on your team’s awareness level – which can easily be assessed and addressed in training. Data breaches caused by hackers are one thing, but the simplest way for a hacker to gain access is by finding a weak link – a human operator – and using sneaky tricks to exploit weakness from that angle. A hacker can use pretty low-tech approaches in this way, like phishing.

Does your cybersecurity awareness training still include exercises and tips on old-fashioned tricks like phishing?
It’s amazing the simple tactics some of these hackers will resort to – but the reason is that these tricks still work on us. A 2017 study by Google reported that phishing was still one of the most effective tactics used for hacking a user account.

Phishing is the practice of sending emails pretending to be from a reputable company, like Google or Apple, to get recipients to reveal personal information like passwords to the sender.

Perhaps it’s because we don’t see ourselves as targets anymore, thinking hackers only target the “big fish” for the bigger reward – a unique tactic called “whaling” – but the reality is that everyone is a target. There are no exceptions. Any computer user can be an access point for a cyberattacker because any computer can serve a greater purpose for a cybercriminal.

Why does phishing still work? Because we let it. We start to shift our focus to the newer or more sophisticated methods hackers use, and we don’t maintain vigilance on the basic approaches in cybersecurity awareness training. One click is sometimes all it takes to turn a user into a victim – and for a hacker to wreak havoc on a network. One click can lead to a malware installation, identity theft, or worse, ransomware. That click could cost an organization millions of dollars.

Ransomware is like a virus, where a hacker accesses a computer or network and places a file or code that blocks user access, and requires the user to pay money – a ransom – to the cyberattacker to regain access to the computer or network.

Remember when we said all it takes is one click? It’s true. In 2017, hackers sent emails to staff at Chipotle and managed to trick someone into one click, compromising the point-of-sale (POS) machines at locations that enabled the hackers to gain access to the credit card data of millions of customers.
The worst part is that even end users who are in the tech industry have been tricked; Google and Facebook have both been affected to the tune of $100 million each because of successful phishing attempts.

Did you know that some companies hire former (“rehabilitated”) cybercriminals as cybersecurity specialists – true experts – to help mold technology teams in charge of cybersecurity and oversee cybersecurity awareness training programs? These are probably among the most solid and effective programs in existence!

One way organizations have used to test the awareness of their team is by executing an internal phishing campaign. This is a campaign where the company has total control of the phishing attempt but tests the staff to see where the weaknesses are. The results only help improve overall training and cybersecurity. This approach is wildly successful in getting an accurate picture of your team’s awareness. Who fails the test? How far will some employees allow a hacker to get before realizing they are being phished? Where does your training lack focus that the attempt was successful?

A few things to keep in mind with this approach:

While internal phishing campaigns are helpful, don’t shift your training focus to only weaknesses discovered in this process.

Be careful not to call out any one particular team member or access point; the goal isn’t to embarrass team members but to improve your team’s awareness overall.

Don’t aim for only those team members you consider to be the weakest when it comes to cybersecurity knowledge; you’d be surprised at where an organization may discover vulnerabilities. On this note, it’s helpful to provide one-on-one level training catering to these team members, but you can still do so as a company by offering exercises aimed at specific weaknesses without placing blame.
Keep the phishing exercise as realistic as possible, so the teachable moments that result are valid and credible.

When your exercises and training give you enough insight to update your training, keep the training outline simple with a few target areas that are comprehensive enough