MSPNetworks Blog

Two-factor authentication is commonplace in the office environment, but it’s not commonplace enough, if you ask us. Too many organizations pass on it, placing their security at risk for no good reason. While the methods might vary, the benefits of two-factor authentication are too good to ignore. We’ll walk you through how to set up two-factor authentication for three of the most common accounts in the business environment: Microsoft, Google, and Apple.

But first, let’s discuss what two-factor authentication is and why it’s so beneficial to utilize.

What is Two-Factor Authentication?

It used to be the case that users would only utilize passwords to secure their accounts. However, passwords are easy for hackers to take advantage of on their own. Two-factor authentication uses at least two of the three methods below to secure an account rather than just the password alone, theoretically making it more difficult for a hacker to access an account. Basically, unless two of the three methods are fulfilled, the account will not be accessible. Here they are:

• Something you know (a password)
• Something you have (a secondary device you own)
• Something you are (biometrics, facial recognition, fingerprinting, etc)

Why Is It Important?

Imagine that your online accounts are a house with two doors: one for the mudroom and one for the house proper. If both doors use the same key, a thief only needs to steal one key to gain access to both the mudroom and the house. Now imagine that the mudroom and the house have two different keys. That essentially doubles the effort needed to break into the home.

Simply put, in the same way as the above scenario, it’s much harder for a hacker to access an account that is protected by multiple measures. For example, even if a hacker has your password, if the account is set up to use an external device like a smartphone or biometrics, they still won’t have access to the account. Unless the hacker goes through the trouble of stealing the secondary device or stealing your fingerprints/facial structure (something that is remarkably difficult compared to swiping a password), the account will remain secure.

Setting Up Two-Factor Authentication

Right, let’s get to the bread and butter of this article: how to set up two-factor authentication for the big three accounts: Microsoft, Google, and Apple.

Microsoft

Microsoft recommends that you either have a backup email address, a phone number, or the Microsoft Authenticator application installed on a mobile device before you get started with two-factor authentication for this account. To get started, go to this page and sign in with your Microsoft account. Next, select More security options. Under the option for Two-step verification, select Set up two-step verification. After that, it’s just a matter of following the on-screen instructions.

Google

The first step here is to log into your Google account by going here. Next, in the navigation panel, select Security. Under Signing in to Google, select 2-Step Verification. Finally, click on Get started. You’ll see the directions for the next steps appear on the screen. You can set up your verification step in a variety of ways, including Google Prompts, security keys, Google Authenticator, verification code via text or call, or a backup code. You can also disable this second step on trusted devices, but doesn’t that defeat the purpose?

Apple

To set up two-factor authentication for your Apple ID, go to your account by clicking here. Sign in, answer your security questions, then click Continue. If you see a prompt to upgrade your account security, tap Continue. Click on Upgrade Account Security. You can then add a phone number for which you will receive verification codes via text message or phone call. Click on Continue, enter the verification code, and turn on two-factor authentication.

Want to get started with two-factor authentication for your business? The three accounts outlined above are just the tip of the iceberg. MSPNetworks can help you implement a multi-factor authentication system that secures your data and network. To learn more, reach out to us at (516) 403-9001.

The first half of this year has seen its fair share of ups and downs, especially on a global scale. With a global pandemic still taking the world by storm, it’s despicable that hackers would take advantage of the opportunity to make a quick buck using phishing tactics. Yet, here we are. Let’s take a look at how hackers have turned the world’s great misfortune into a boon, as well as how you can keep a lookout for these threats.

According to reports from SecureList, spam and phishing trends in Q1 of 2021 relied heavily on COVID-19 and the buzz generated by it. Let’s take a look at some of the major threats that took advantage of the pandemic.

Stimulus Payment Scandals

The first couple months of 2021 saw businesses and individuals receiving payments from governments, such as economic impact payments or business bail-outs. Hackers took advantage of this opportunity to try to convince users to hand over their credentials through the use of messages that both looked and sounded professional. As is often the case with phishing messages, some users of specific banks were targeted through the use of near-identical websites designed to steal credentials and fool users. Others tried to convince users to enter information by convincing them that the latest details on the bank’s COVID-19 practices could be found on the other side of links or sensitive information forms.

The Vaccine Race

For a while, the COVID-19 vaccine was a bit tricky to get your hands on. While things have improved significantly in recent months, the initial rush to get vaccinated triggered many would-be hackers to try their hand at vaccination phishing emails that replicated the look and language of communication from health officials. Users would have to click on a link in the message, which would then redirect them to a form for plugging in personal information and, in some cases, banking credentials. Even those who already received vaccinations were not safe, as there were fake surveys circulating urging people to fill them out and claim prizes for doing so.

What You Can Do

Don’t let hackers take advantage of the cracks in your business’ defenses. Phishing attacks can come in countless forms, so it is your responsibility to protect your business from them. Here are some ways that you can make sure your organization is secured from phishing attempts.

• Filter Out Spam: A spam filter can keep the majority of threats out of your inbox, but the unfortunate fact is that most phishing emails are probably going to make it past the spam filter. Therefore, you will want to take more advanced tactics against these threats.
• Train your Employees: Training your employees on how to identify threats gives them the power to avoid threats that do manage to get past your defenses. Teach them what to look for and you’ll be giving yourself a better chance of overcoming them.
• Implement Unified Threat Management: No matter how well trained your employees are, it helps to have just a little bit of reassurance that you have done all you can to secure your business. This is what a UTM does; it’s a single security solution that can optimize your network’s protection.

MSPNetworks can help your business keep itself secure. Not only can we implement great security solutions, but we can also help to train your employees, including regular “tests” where we send out fake phishing emails to see who is and is not paying attention. To learn more about how this can help your organization, reach out to us at (516) 403-9001.

Data privacy is a bit of a hot topic in today’s business environment, especially with high-profile hacks and ransomware attacks emerging and putting organizations at risk. In particular, the emerging concept of “privacy engineering” has a lot of businesses thinking about how they can secure their organization and future-proof their data privacy infrastructures.

Let’s discuss what privacy engineering is, as well as what some big names in the industry have to say about the future of data privacy.

What is Privacy Engineering?

The International Association for Privacy Professionals, or IAPP, defines privacy engineering as “the technical side of the privacy profession,” which can mean any number of things. For some, it is making sure that the processes involved in product design take privacy into consideration. For others, it might mean the technical knowledge required to implement privacy into the products. At the end of the day, it seems there is a general consensus that privacy engineering is the consideration of privacy, from a user’s standpoint, throughout the production process, from conception to deployment.

This is notable for a couple of reasons. Systems and products that take privacy into consideration at every stage of development will be much more consumer-friendly. Users can be more confident that their privacy has been considered through each stage of the process, making them much more likely to buy into the product. When products have this kind of reputation, it would be no surprise to see profits increase.

This sets off a chain reaction for businesses that create these products, increasing their bottom line. When businesses achieve this level of success, the value of the company increases, leading to more investors and the production of similar goods or services. Furthermore, since privacy and security is such an important part of modern computing, these types of investments are relatively safe from a shareholder’s point of view, as organizations that invest in products that meet specific regulations and set these high standards are more likely to persist into the future.

You can see how this all shakes out; in the end, the concept of privacy engineering is beneficial to both the consumer and producer. Therefore, placing your bets on technology that facilitates this is a great way to invest in your own company’s future.

What Does the Future Hold?

Back in 2020, Gartner made some predictions for where the data privacy industry was heading in the years to come. Here are some insights from their report:

• Proactive security and privacy is better: When you take measures to build security and privacy into operations, you are more likely to build trust and adhere to regulations. We preach this all the time; it is easier to prevent issues from emerging than reacting to those that are already here.
• Increased reach of security regulations: According to Gartner, 65% of the world’s population will have their privacy governed by some sort of data privacy legislation or regulations by the year 2023. This is notable, especially with the rise of regulations like GDPR.
• The rise of a privacy officer: By the end of 2022, 1 million organizations will have appointed a data privacy officer. Having someone within your organization whose sole responsibility is to keep you compliant means that you can rest easy knowing that you are doing all you can to make sure it stays that way.

Don’t Wait to Get Started

MSPNetworks can help your business ensure it is implementing adequate data privacy and security standards all across your infrastructure. To get started, reach out to us at (516) 403-9001.

With the onset of the COVID-19 pandemic, many organizations were forced to transition to remote work, even though they would have preferred to keep operations within the office. While the transition was rough at first, these organizations may have found that remote work offers certain flexibilities that were impossible in the traditional office environment. That said, one looming threat was (and still is) a major concern for the remote workplace: security.

One of the major ways that businesses can protect their organization while working remotely is through the use of what’s called a virtual private network, or VPN.

What is a VPN?

When you connect your device to a virtual private network, what exactly is happening to the connection? It’s actually much more simple than it sounds; what it boils down to is that the device connects to an encrypted network over the Internet. This encryption allows for the secure transfer of data to and from the device, preventing onlookers from observing (or stealing) the data.

Think about it like looking at a pipe that is transferring something to and from a location. If the outside of the pipe is solid, onlookers cannot see what is in the pipe. When it is clear, you can see exactly what is inside it. Encryption in this case acts like an opaque pipe, obfuscating contents to the point where they cannot be seen clearly, but you still know that something is there. In VPN terminology, the pipe in the above scenario is referred to as a “tunnel.”

How Does It Help Your Business?

You can see how this would benefit the remote employee. Since the employee is not in-house working on the company network, they do not have access to the in-house security solutions that you may have implemented to keep your data safe. This is why encryption is so necessary; if you fail to protect your company’s assets through unsecured connections to your network, you are unnecessarily risking your company’s future.

Now, think about the possibilities that open up when you don’t have to worry about network security while out of the office. Employees can travel for business trips (when it’s safe to do so, of course) without fear of data being stolen while communicating with your home office. They can perform work from anywhere at any time, allowing for enhanced productivity without sacrificing security. They will not need to rely on public Wi-Fi connections or other unsecured networks to connect to your office.

We don’t want to beat a dead horse, but from a security and longevity standpoint, it just makes sense to implement a VPN.

Get Started with a VPN Today

If you are ready to take the leap and implement a virtual private network for your business, don’t wait any longer. MSPNetworks can help you deploy a solution that is specific to the needs of your organization. We’ll work with you to get the most secure solution at the best price point. To learn more about how a virtual private network can benefit your business, reach out to us at (516) 403-9001.

Data breaches have a tendency to destabilize relationships. With so many data-related problems befalling businesses nowadays, it is important that each side of every data-driven relationship understands their role in the protection of other organizations’ data. Today, we’ll take a look at the issue and how to determine if your partners are putting in the effort required to keep your data secure. 

Are Your Vendors Properly Protecting Your Information?

We’ve seen businesses have a litany of challenges protecting their sensitive data over the past several years, and as threats get more sophisticated it poses more problems. Additionally, many businesses outsource a fair amount of their operational and support efforts and that can have a negative effect on their security. 

So, how do you know that your vendors are protecting your information?

You ask them, of course. 

Before you onboard any new vendor, you should come up with a questionnaire that asks the right questions about how they handle their own cybersecurity, and more specifically (and importantly) how they go about handling your information. 

At MSPNetworks, we do this for all of our clients to ensure that they are partnering with reliable companies that, at the very least, are attempting to do the right things to protect sensitive information. 

Questions You Should Ask Your Vendors

The first thing you should consider when making up some questions to ask your vendors about security is: do you understand the answers? If you don’t know what you are doing, you could just assume any thoughtfully answered response would be sufficient. This is far from true and is a liability, especially in trying to ascertain what risk your business is facing by doing business with a company. We can’t stress enough that if you don’t have someone that knows what they are doing, you need to find someone, as this will serve you much better in times like this.

Let’s go through a couple of important questions you should ask if you do have the competence available to sufficiently measure risk from the answers:

1. Do you collect, store, or transmit personally identifiable information (PII)?
2. If so, do you store your PII onsite or in the cloud?
3. How do you provide users access to the PII you store?
4. Can PII be accessed remotely?
5. Do you constantly monitor all services, systems, and networks?
6. What regulatory bodies does your business operate under? Do you have proof of compliance?
7. What kind of encryption do you use for data-at-rest? Data-in-transit?
8. Do you consistently patch your software? 
9. Do you have mobile device management and IoT management systems?
10. Do you utilize legacy systems that aren’t supported by manufacturers?
11. What cybersecurity tools do you use?
12. Do you have language in your agreements about vendor cybersecurity? 
13. How are your continuity systems?
14. How would you go about the situation in the event of a data breach?
15. What authentication procedures do you use? 
16. Do you train your employees on the best practices of cybersecurity?

There are many more questions you can ask, and you should ask them if you find them necessary. Vetting your vendors is a great way to know if they have your best interests in mind. 

If you would like to partner with a company that not only has your best interests in mind, but also can help you ascertain if your other partners do as well, give MSPNetworks a call at (516) 403-9001 today.

You’ve probably heard by now, a Russia-based hacking collective by the name of DarkSide targeted Colonial Pipeline, a company that supplies nearly 45 percent of the fuel used along the Eastern Seaboard of the United States, with a ransomware attack. Not only does this hack have an effect on fuel prices and availability, it highlights just how vulnerable much of the nation’s energy infrastructure is. Let’s discuss the details of the hack and the raging discussion about cybersecurity that’s happening as a result. 

The Facts Surrounding the Hack

On Friday, May 7, 2020, Colonial Pipeline had to shut down operations after a ransomware attack threatened to spread into critical systems that control the flow of fuel. Almost immediately gas prices started to jump in the region, averaging around six cents per gallon this week. The pipeline, which runs from Texas to New York, transports an estimated 2.5 million barrels of fuel per day. The shutdown has caused some fuel shortages and caused panic buying in some southern U.S. states. Administrators said that the ransomware that caused the precautionary shutdown did not get into core system controls but also mentions that it will take days for the supply chain to get back up and running as usual again. 

Who Is DarkSide?

The hacker group DarkSide is a relatively new player, but it has set its sights high. The group claims to be an apolitical hacking group that is only out to make money.  In fact, they put out the following statement after the FBI started a full-scale investigation of the group:

“Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

DarkSide seems to be a professionally-run organization that deals in ransomware. They follow what is called the Ransomware-as-a-Service model, where hackers develop and sell their ransomware to parties looking to conduct operations like the one that stymied Colonial Pipeline. They also are known for their “double extortion” methodology, where they threaten to take the data they encrypt public if their demands aren’t met. Their ransom demands are paid through cryptocurrency and have only been in the six-to-seven figure range. 

What’s interesting is that the group seems to have its own code of ethics, stating that they will never attack hospitals, schools, non-profits, or government agencies. Either way, their current attempt at extortion has made a mess for millions of Americans. 

Problems Securing Infrastructure

Even before the world completely changed, cybersecurity analysts were recommending that more had to be done to protect aging utility systems around the world. Back in 2015, hackers took down a power grid in Ukraine and left 250,000 people without electricity, and it caused some movement to improve system security, but nowhere near as much as is required. Now, with the push to use renewable energy and more efficient systems of deployment, more technology has been added to these systems than at any time in history. These smart systems, coupled with a resounding lack of security, means that the next cybersecurity catastrophe is just around the corner. 

The pandemic didn’t help matters. Systems that are being updated are increasingly being connected to public and private networks for remote access. All it takes is one vulnerability and hackers can exploit and take control of systems that affect the lives of millions of Americans. Hackers causing a gas shortage is scary, but hackers taking down power grids or other systems that the public depends on to live could be looked at as an act of war.

The scariest part is it seems as though no system is immune to these problems. According to CISA, the Colonial Pipeline hack is the fourth major cyberattack of the past year. You have the Solar Winds breach that allowed Russian Intelligence to infiltrate thousands of corporate and government servers; an attack where Chinese nationals rented servers inside the U.S. to invade a still unnumbered amount of Microsoft Exchange servers; and a still-unknown hacker that hijacked a tool called Codecov to deploy spyware on thousands of systems.

Microsoft is widely renowned as being at the forefront of cybersecurity and Solar Winds is itself a cybersecurity company. This tells you a little bit about where we are about protecting essential systems. It’s not a good situation.

While you can’t always worry about cybersecurity everywhere you are, you have to prioritize it for your business. If you want to talk to one of our security experts about your cybersecurity, give MSPNetworks a call today at (516) 403-9001.

Passwords are probably the most important part of keeping accounts secure. That’s why it is so important to follow industry best practices when creating them. Today, we’ll take a look at the standards outlined by the National Institute of Standards and Technology (NIST) in creating the best and most secure passwords.

What Is NIST?

For years, NIST has been the predominant organization in the establishment of password creation standards. They continuously change their advised practices to meet with the current cybersecurity demands. They recently updated their guidelines so we thought we would go over what strategies they suggest, to give you an idea of what makes a secure password. 

New Guidelines

Many corporations are currently using the NIST guidelines and all Federal agencies are expected to utilize them. Let’s go through their newest password guidelines step by step. 

#1 - Longer Passwords are Better than More Complicated Ones

For years, it was preached that the more complicated the password, the more secure the account. Today’s guidelines refute that notion. NIST suggests that the longer the password, the harder it is to decrypt. What’s more, they suggest that organizations that require new passwords meet a certain criteria of complexity (letters, symbols, changes of case) actually make passwords less secure. 

The reasoning behind this is two-fold. First, most users, in an attempt to complicate their passwords will either make them too complicated (and forget them) or they will take the cursory step of adding a one or an exclamation point to the end of a password, which doesn’t complicate the password as much, if at all. Secondly, the more complex a user makes a password, the more apt they are to use the same password for multiple accounts, which of course, is not a great idea.

#2 - Get Rid of the Resets

Many organizations like to have their staff reset their password every month or few months. This strategy is designed to give them the peace of mind that if a password were compromised that the replacement password would lock unauthorized users out after a defined set of time. What NIST suggests is that it actually works against your authentication security. 

The reason for this is that if people have to set passwords up every few weeks or months, they will take less time and care on creating a password that will work to keep unwanted people out of the business’ network. Moreover, when people do change their password, they typically keep a pattern to help them remember them. If a previous password has been compromised, there is a pretty good chance that the next password will be similar, giving the attacker a solid chance of guessing it quickly. 

#3 - Don’t Hurt Security by Eliminating Ease of Use

One fallacy many network administrators have is that if they remove ease of use options like showing a password while a user types it or allowing for copy and pasting in the password box that it is more likely that the password will be compromised. In fact, the opposite is true. Giving people options that make it easier for them to properly authenticate works to keep unauthorized users out of an account. 

#4 - Stop Using Password Hints

One popular way systems were set up was to allow them to answer questions to get into an account. This very system is a reason why many organizations have been infiltrated. People share more today than ever before and if all a hacker needs to do is know a little personal information about a person to gain access to an account, they can come across that information online; often for free.

#5 - Limit Password Attempts

If you lock users out after numerous attempts of entering the wrong credentials, you are doing yourself a service. Most times people will remember a password, and if they don’t they typically have it stored somewhere. Locking users out of an account, at least for a short period of time is a good deterrent from hackers that use substitution codes to try and guess a user’s credentials. 

#6 - Use Multi-factor Authentication

At MSPNetworks, we urge our clients to use multi-factor or two-factor authentication on every account that allows them to. According to NIST they want users to be able to demonstrate at least two of three authentication measures before a successful login. They are:

1. “Something you know” (like a password)
2. “Something you have” (like a mobile device)
3. “Something you are” (like a face or a fingerprint)

It stands to reason that if you can provide two out of three of those criteria, that you belong accessing the system or data that is password protected. 

Security has to be a priority for your business, and password creation has to be right up there with the skills everyone should have. If you would like to talk to one of our IT experts about password management and how we can help your business improve its authentication security, give us a call today at (516) 403-9001.

Today, employees have to be a major part of every business’ cybersecurity attempts. The reasoning is simple: attacks are more likely to come in the form of end user correspondence than on a direct assault of the network. As a result, it is important that cybersecurity is more than just another line item on a task list, it has to be built into the culture. Let’s discuss a few ways to get your employees to care about cybersecurity.

Why Is Cybersecurity A Nuisance?

This is not a new phenomenon. Your employees want to be productive. In their minds, any extra tasks that are assigned are a hindrance to that aim. Cybersecurity, in today’s businesses, also has a tendency to intrude on their desire to separate their home life from their work life. While this isn’t really the case in most scenarios, there certainly needs to be some cooperation from them to properly secure your network. 

By now your workers understand that security is extremely important. What they don’t understand is how it is their problem. You hire them to do a job, and for most of them, that job isn’t "security guard." That’s why it is important that cybersecurity is something they are confronted with from the beginning of their employment. It is a culture issue, not just an operational one. Let’s go through some ways you can get your staff to care about cybersecurity.

Remove the Red Tape

Today, a well-executed hack or social engineering attempt can completely devastate a business. In some cases, and this is especially true for smaller businesses, a hack can cause the closure of a business. Those types of events affect more than just the business owners or the stakeholders. 

To ensure that your staff gets just how important this issue is, level with them. You don’t need to keep the threats a secret any longer. A unified approach to cybersecurity requires that your employees know how hackers and scammers will go about trying to trick them into handing over access to the company network. This will not only actively remove the indifference most employees have about cybersecurity, but it will also ensure that they realize how important doing the right things are. 

Make Sure Your Staff is Personally Invested

For the average employee, any indifference they have about a business’ cybersecurity efforts comes from the idea that it doesn’t really have any effect on them. This is not true. Hackers don’t just want access to business information, they want access to the network. That means all of the data on that network. 

Making sure that employees understand that it’s just not company information, it is their personal information and that of their contemporaries. Reminding that their data is at stake might just be the thing needed to get them to take security measures seriously. 

Build Solid Training and Literacy Right Into Your Culture

As we mentioned above, one of the best ways to ensure that your staff understands their role in your organization’s cybersecurity plan is to build it into your culture. To do this, it has to be out in front. You need to mention it in your hiring process (interview, any collateral you use to outline employee responsibilities), it needs to be parsed out properly in your organization’s documentation (employee handbook, etc.), and it has to be something that every person in the business knows that they will be confronted with at some point.

Ensuring that your people don’t get complacent is a massive point of emphasis if you want to keep their cybersecurity literacy ongoing. On top of training, you need to keep up some type of consistent reminder that they are important to organizational efforts to keep hackers and other unauthorized entities off of the business’ network. The more time and effort you put into planning out your cybersecurity training, the more that people will get out of it. 

We Can Help!

Keeping your business from falling victim to a cyberattack takes a lot of effort. Our security professionals are constantly readying ourselves to assist our clients in keeping them free of threats and a lot of that is helping them come up with policies, procedures, and strategies to keep their employees engaged in this never-ending fight against hackers. Give us a call at (516) 403-9001 today to learn how we can help you protect your business.

One of the most effective means for a business to shave a few dollars off its budget (and potentially boost employee engagement, for that matter) is to adopt something called a Bring Your Own Device policy—effectively, an agreement that allows their team members to access business-owned documents and files on devices they personally own to get their work done. While these policies have been shown to be very effective, they also need to be carefully considered so they can be adopted appropriately.

Let’s take a few moments to review some practices that are recommended for a secure BYOD implementation.

Determine Acceptable Parameters

Device and OS Requirements

For your productivity to remain intact and for your organizational security to be preserved, the tools your team brings to use need to meet the baselines that you set—otherwise, there is likely to be a shortcoming that leaves an opening. Certain workflows may require a specific operating system to be used, simply for the processes to be compatible. Keeping track of your team’s chosen hardware will help you determine if their devices are eligible to participate.

Accepted Software

On the topic, your business workflows should have defined software solutions identified for your team to use so that processes can flow smoothly. Make sure your team knows that they are expected to use these titles for their work processes and that they are expected to have certain protections in place on their mobile devices before they can use them to work.

Upkeep Policies

When using a personal device to access your business’ network, there needs to be some supported expectation that the user will ensure that the device remains functional and secure. This could mean that only authorized dealers or professionals are authorized to perform basic maintenance tasks and that these tasks are carried out promptly.

Security Preparations

Encryption Policies

In terms of protecting your data from the prying eyes of hackers, you’d be hard-pressed to find a more effective method than encrypting it. Considering this, it is important that you encourage/require encryption to be put in place as a part of any BYOD policies you implement.

Password Standards

We know, we know… the importance of secure passwords is a topic that has been covered frontways, backways, and every which way for a long time. However, once people start to follow these guidelines, we’ll stop bringing it up. When it comes to strong passwords, make sure your team is using them on all their devices, and that these devices are set to lock if an incorrect password is repeatedly entered.

Data Handling Guidelines

Where your data is concerned, you need to also establish the proper means for it to be stored and accessed while an employee is using a personal device. Ideally, your BYOD plan will have the means to block any data transfers to an insecure device as well as establish the proper procedures for accessing this data.

Necessary Prerequisites

Data Removal Circumstances

When an employee’s device has access to your company’s data via a BYOD strategy, it is critical that you retain the means to rescind that access as needed—like if a device is lost or stolen, or if an employee leaves the company. You may also want to include the right to review an employee’s device for company-owned data so that it can be removed if they were to leave so that your data isn’t brought elsewhere or abused.

Lost or Stolen Device Procedures

On the topic, your team needs to have a reporting process to follow should something happen to their device that will help to ensure that mitigating actions can be appropriately taken. Reinforce that these reports need to be promptly submitted to help minimize the potential impact of such occurrences.

Breach of Policy Consequences

Finally, you need to establish how employees will be reprimanded should these policies go unheeded or disregarded. While the loss of BYOD privileges is a common tactic, you should also seriously consider what is acceptable before an employee should be terminated. Once these distinctions have been made, share that information with your team when they opt into your BYOD implementation, so they are aware of the severity of such indiscretions.

A Bring Your Own Device policy is an essential piece of the modern office’s IT considerations and is something that we can help you out within much more detail. Find out what needs to be done by calling (516) 403-9001 today.

2020 was, obviously, a challenging year for healthcare providers. In addition to the obvious issue of the COVID-19 pandemic creating serious operational, financial, and supply chain difficulties, cybersecurity concerns didn’t go away during this time. Let’s consider some of the additional stresses that IT security needs can, will, and have placed on healthcare providers.

The amount that healthcare practices invest in their cybersecurity services has been projected to exceed $65 billion in the span of time from 2017 to this year—but despite this, the industry isn’t improving. In fact, healthcare providers have had to turn away patients for these precise reasons… but the question remains: why?

There Are a Few Reasons that Healthcare Providers Have Had Problems As of Late

IoT Security Issues

Anyone who has been to a hospital in the past decade or so has likely noticed how connected many of these facilities have become. A nurse’s clipboard has been replaced by a laptop that they wheel around to input all information and logs into, while diagnostic equipment itself is now largely computerized.

This means that many of a healthcare provider’s tools can now be classified as Internet of Things devices, and as such, are prone to security inconsistencies and vulnerabilities as a result. Many IoT devices are notorious for iffy-to-non-existent security as it is.

Ransomware

While ransomware can be, and is, an issue in every industry, the healthcare industry is particularly susceptible to its impacts for obvious, life-or-death reasons. Ransomware has been responsible for many organizations actually closing their doors, unable to sustain the damages. This is largely due to the reliance that their organizations have on the data that they need to treat their patients and manage the business—without the support required to properly protect this data.

Insider Threats

Unfortunately, the employees in a healthcare organization are not infallible, which does sometimes lead to insider threats to data. In fact, some professionals have said that insider threats are the biggest challenge for hospitals and such right now.

New Threats May Be On the Horizon

Of course, cybercrime of all kinds constantly advances, and that which targets the healthcare industry is no exception. In healthcare, these threats can be downright frightening.

For example, a research team in Israel managed to develop a proof-of-concept computer virus that could artificially paste tumors into CT and MRI scans so that high-profile patients could be misdiagnosed by their physicians.

With ingenuity like that, it is terrifying to consider what cybercriminals may do moving forward.

Regardless of your industry or the size of your business, cybercrime isn’t something to be taken lightly. MSPNetworks is here to help prepare for it. Give us a call at (516) 403-9001 to learn more about the solutions we have to offer.

As one of the biggest cybersecurity considerations the modern business has to make, how to combat phishing has to be at the top of any business’ cybersecurity strategy. Let’s take a look at phishing and why it’s such a big problem for today’s business. 

You’ve Probably Been Phished

When trying to explain what phishing is to someone who has no idea about it, we typically start with the namesake. Phishing is the same as fishing. A hacker will bait a hook and users will bite on it. It’s that simple. Instead of worms or minnows, a phishing attempt needs some bait that will fool an unsuspecting computer user into providing information that will allow a hacker to access secured networks and steal or corrupt data. 

To say that this method is effective would be an understatement. First of all, the massive breadth of attacks—there are literally millions of these attacks per day—results in high levels (and low percentages) of successful attacks. In fact, 88 percent of organizations that were polled claimed to experience at least one phishing attack in 2019. In 2020, phishing emails were one of every 4,200 emails sent or about 73 million. The pace has actually quickened in 2021.

Successful phishing attacks result in stolen credentials, compromised networks, ransomware and other malware. They all lead to businesses losing money. 

Phishing is More Prevalent Than Ever

Phishing has been an issue for quite a while, but the COVID-19 pandemic and the corresponding jump in remote work provided the perfect opportunity for these scammers to operate. In 2020, 75 percent of worldwide organizations were targeted by phishing attacks, while 74 percent of U.S. businesses were successfully attacked in some way. This often led to massive losses, some $3.92 million on average. That’s an average and takes into account loss of productivity from downtime, data theft, deterioration of consumer confidence, and other factors.

It is therefore important that you do what you can to train your staff about how to recognize and thwart phishing attempts before they have a chance to have a negative effect on your business.

MSPNetworks can help you put together a training strategy, as well as put together tools to help you keep your network and data safe. Call us at (516) 403-9001 to learn more.

Let’s face it, most people are glued to their phones when they have downtime. Many don’t look up to cross the street. With this much dedication to their individual mobile devices you’d think that people would be more careful about what they download.

Apparently, that Instagram feed is just too distracting to worry about individual data security. 

 Researchers from the mobile security firm Zimperium have discovered a malicious app that pretends to update your Android device, but is just spyware that can steal almost all of your data and monitor your search history and your location. Simply called “System Update” it has tricked many unsuspecting Android users as of this writing.

What Can “System Update” Do?

The spyware, or officially Remote Access Trojan (RAT), attached to this malicious download can only be downloaded outside of the Google Play store, which is fortuitous for many would-be victims of a malware attack like this. The spyware can effectively steal messages, contacts, device information, browser bookmarks, user search history, and can gain access to the microphone and the camera.

What’s more, it continuously tracks a user’s location, which can be really dangerous for anyone. The app starts spying everytime the device receives new information, which for any heavy user is constant. After stealing your data, the app will work to erase the evidence of it’s activity, effectively covering its tracks indefinitely.

 All-in-all, it is a pretty tough cookie. 

How Are People Accessing This Malware?

You won’t be surprised to learn that phishing is the number one way people are being exposed to the corrupt “System Update” app. Google continuously warns people to not install apps from outside the Google Play app store, but as people’s devices age, they aren’t always compatible with older operating systems found on these devices and start looking for options outside of the Google Play app store. This can lead to people downloading apps that seem useful, but are completely nefarious. “System Update” seems to be one of those apps.

What You Can Do to Protect Yourself

While there have been nefarious apps found on the Google Play store in the past, the malicious app rate is extraordinarily low when sticking to the official app store. Users should also consider questioning any situation where an app is suggested for you outside of the app store, even if it seems to redirect you to the Google Play apps store. You just never know what you are going to get when you trust third parties on the Internet.

 If you need a comprehensive plan to protect your business data from employee impulse and mobile negligence, give our technicians a call today at (516) 403-9001. We can help you with mobile device management (MDM) and Bring Your Own Device (BYOD) which can have all types of benefits for your business.

Going through your passwords and updating them every so often is a very wise habit to get into, particularly when they are used to protect a lot of data—as the password to your Google account often is. Considering this, let’s go over how to update your Google password and otherwise lock down your account.

How Much is Tied to a Google Account?

For many, their Google account is linked to quite a few frequently-used utilities and applications. Going far beyond the search engine functionality it began as, Google’s services now involve multiple programs and solutions. As such, the potential danger of a cybercriminal accessing your Google account is increased greatly.

For instance, a Google account is now linked to:

• Google.com (for custom tailored search results)
• Gmail
• Google Drive
• Google Docs/Sheets
• Google Maps
• Android
• Google Workspace
• Google Chrome
• YouTube

 … with many, many other accounts and services also tied to Google. A good rule of thumb: anything with “Android,” “Chrome,” or of course “Google” in the name is likely tied to your Google account.

Updating Your Google Password

Fortunately, Google makes it exceptionally simple to update the password to your account:

1. Visit https://accounts.google.com/. If you aren’t signed in already, log in with your email/phone number and password.
2. Click Security on the left-hand side.
3. Look for Signing in to Google. Click Password.
4. Google will usually prompt you to provide your current password, and then have you input a new password.

A WORD OF WARNING: Naturally, with so much tied to a single password, you need to make sure it is as secure as you can possibly make it. Use a totally unique password—not one that provides you with access to any other account. Don’t include any personally identifiable information that others might associate with you, like your birth date, maiden name, social security number, phone number, or the like.

To help accomplish this, it will help to use a password manager to keep track of them all, along with any built-in password creation features it has built in, as this will help you to generate a secure, randomized password with sufficient complexity. You could also string a few random and unrelated words together to make a passphrase, sprinkling in numbers and symbols as you see fit to help make a memorable but significantly more secure option.

Once you make these changes, you’ll probably need to re-log into your Google account on a few devices.

But Wait, There’s More!

To really protect your Google account, let’s go a little further and set up 2-Step Verification (also commonly known as Two-Factor Authentication) if you have not yet done so. 2-Step Verification is a great insurance policy against the possibility that your password is breached.

Once your password is changed, from your Google Account page:

1. Click the Security option on the left-hand side of the page.
2. Click 2-Step Verification.
3. Google may prompt you to enter in your password again, just to make sure it’s you.
4. Depending on what Google already knows about you, this might go a few different ways—you’ll either be prompted to set up a phone number to get a text message or phone call, or Google might walk you through setting this up on your smartphone. Either way, follow the on-screen instructions. 

Your various authentication options come at varying levels of simplicity and efficacy. Most convenient is the use of a Google prompt, which sends a notification to your Android device whenever a new device is attempting to log into your account that allows you to permit or disallow permission to do so. Receiving a text message with a code is undoubtedly convenient, but less secure as these text messages can potentially be intercepted. The most secure option is to utilize Google’s Authenticator app, which is also simple to set up.

If your business uses Google’s solutions to power your business, MSPNetworks recommends that you implement these changes. Need help? Give our team a call at (516) 403-9001.

The new year is upon us and after the debacle that 2020 was, it is extremely welcome. If you are like us, you have a new set of goals that you’ve created for yourself and are probably looking to improve your professional and personal well-being. One way to do that is to ensure that your accounts are secure. Today, we will be going through how to update your password with Microsoft.

You may have heard that the U.S. Government just suffered from a massive cybersecurity breach from an attack that was perpetrated from overseas, and among the systems that were affected was Microsoft Office. Unfortunately, foreign hackers were actively monitoring email accounts between the U.S. Treasury Department and the National Telecommunications and Information Administration (NTIA). Fortunately, however, Microsoft, who is known for its active role in identifying and thwarting cybercrime, didn’t find any active vulnerabilities in their Office 365 applications or cloud services, but they did offer some suggestions, one of which was to do everything you can to protect your data.  

It is important to understand how to take action to ensure your organization—and your personal accounts—are secured properly. 

What You Need to Know About Your Microsoft Account Security

If you actively utilize Office 365, or any other Microsoft product, you need to know a breach would affect you. For your typical user account, their Windows 10 license is tied to their Microsoft account, and if you have Office 365 or use any other Microsoft applications or services, they are covered by those credentials as well. Here is a list of the application titles you need to concern yourself with when considering your Microsoft account security:

• Windows
• Outlook
• Office
• Skype
• OneDrive
• Xbox Live
• Bing
• Microsoft Store
• MSN

Here’s How to Update Your Microsoft Password

To Microsoft’s credit, they make it extremely easy to change your password. Here are the steps:

1. Visit https://account.microsoft.com/
2. Click Sign In on the top right, if you aren’t already signed in. If you are already signed in, the page will display your name with options about your subscriptions and other services. Once you sign in with your email and password, you’ll be taken to this page.
3. Towards the top of the page, on the right-hand side, you’ll see an option that says Change Password. Click it.
4. If you have Two-step verification enabled, it will walk you through verifying your account with a text, an email, or using the Microsoft Authenticator app. If you don’t have that set up, don’t worry, we’re going to get you set up after you change your password.
5. Once prompted, enter your current password, and then come up with a brand new password.

CRUCIAL ADVICE: You never want to use the same password on multiple accounts. Every password you make should be unique, complex, and lack any personally identifiable information (such as your date of birth or your address). Really random works best, but we know it is difficult to remember random passwords. Make sure that your password is something that nobody could guess with variance in case, numbers, and symbols. The more complex your password is, the more secure your accounts are going to be.

One feature Microsoft offers when setting up your credentials is a checkbox that will require you to change your password every 72 days. It really works to secure your account. You might think it’s unnecessary, but consider how much of your personal information is tied up in your relationship with Microsoft. Check it and keep active on protecting your data and account security.

One Last Thing

One thing you should consider when changing your password is to set up Two-step Verification. Click that too. If you are using a Microsoft 365 account through work, you may need your administrator to turn it on and give you further instructions. Give us a ring if you need help.

All you will need to do is follow the on-screen instructions. If you do not already have an authenticator app on your smartphone (like Google Authenticator, Lastpass Authenticator, Duo Mobile, Authy, etc.) Microsoft has a tutorial to help you set up Microsoft Authenticator. If you prefer to use one of the other apps, set it up with your preferred app.

Two-factor verification will require you to use the Authenticator app to log into your Microsoft account on a new device, or make major changes to your Microsoft account (like updating a new password). It won’t require you to use the app every time you want to use Word or Outlook, but it is a good practice to use to ensure you are doing all you can to protect your account and data. 

Keeping your Microsoft account secure isn’t hard, but it is extremely important. If you need help or would like to talk to one of our certified technicians about setting Microsoft products up for your whole business, give us a call at (516) 403-9001 today.

To preserve your cybersecurity, you need to have a comprehensive view of everything involved with your technology—and we do mean everything. Let’s consider a recent close call, involving the Democratic Republic of Congo that exemplifies this perfectly that could have potentially exposed millions of Internet users to serious threats.

First, it will be helpful to go over how websites work (giving you a hint as to the nature of the close call we’ll be discussing).

How Web Browsing Works

When navigating to a website, you type that website’s URL into your address bar and you’re brought to the website, right? While this is how it appears on the surface, there’s actually a lot more going on underneath.

The domain name we know, as users, to go to a website is different than the actual functioning name that your Internet browser recognizes. Instead, your browser recognizes a series of numbers known as an Internet Protocol (IP) Address. IP addresses are too in-depth of a topic for us to go into much detail here, but to sum up: they tell the browser which web server it needs to direct towards to find the desired website.

Obviously, a series of numbers is more difficult to remember than a name, so this discrepancy would make the Internet much harder to use if it weren’t for nameservers.

Nameservers are the component of the Internet that helps bridge the URL to the IP address. When you type a website into the address bar, the browser references a nameserver to find out where the correct web server is before requesting content from it. In essence, the nameserver helps your browser translate your request into a language it understands—in many ways acting like your browser’s GPS.

In other words, the nameserver is a crucially important part of how the Internet functions, which means that these servers are particularly important to keep secure… particularly if the nameserver in question controls a top-level domain (the “.com”,”.net”,or “.edu” part). If an attacker were to gain control of a top-level nameserver, man-in-the-middle attacks could be used to redirect web traffic to malicious websites.

What Happened in the Democratic Republic of Congo

Therefore, when security researcher Fredrik Almroth noticed that one of the nameservers for the .cd country code top-level domain (belonging to the Democratic Republic of Congo) was set to expire, he took notice. When these domains expire, as did the nameserver domain scpt-network.com did in October, the governments that own them have a set amount of time to renew it before someone else could claim it.

Almroth was monitoring this domain to ensure that it was renewed, just to be safe. Once the end of December rolled around, the security researcher was quick to snap it up to protect it from ne’er-do-wells who would otherwise abuse it. Because the other nameserver to the domain was still operational, Almroth simply had any requests timeout of his nameserver and be passed to the working one.

What Was at Risk?

In short, quite a bit. With possession of such a nameserver, an attacker could potentially intercept any traffic—encrypted or not—directed to a .cd domain. This could give an attacker a frightening amount of power and control over thousands of websites.

The Congolese government ultimately opted to set up a new domain, ensuring that security was never in question.

What Your Business Can Learn From This

In short, technology can be complicated, which means that threats can potentially come from every angle.

Cybercriminals are irritatingly resourceful and will absolutely resort to cheap tricks to get their way. The size of their target is also irrelevant to them, so whether they’re targeting a government infrastructure or the website a local store keeps up doesn’t particularly concern them. As such, businesses of all shapes and sizes need to have a trusted resource they can rely on to keep their IT in order, especially in terms of its security.

As such a resource to many businesses, MSPNetworks prioritizes keeping an eye on all aspects of our clients’ technology solutions to help avoid issues like these that could otherwise have gone unnoticed. To find out more about what we can do for your operations, give us a call at (516) 403-9001 today.

Privacy is a sensitive subject nowadays, especially online. Regardless of the browser you have elected to use, properly using it will have a large impact. Let’s review a few ways that you and your team can help secure your business and its resources and go over these settings.

Promoting Privacy Via Your Browser Settings

Here, we’ve assembled a few best practices that you should keep in mind to help reinforce your browser’s security.

Revise Default Permissions, as Necessary

Before a website is able to access some of your data and peripherals, like your location, your camera, and pop-up windows, it needs to ask you for permission to do so. Too many people set these permissions to on—carte blanche—by default, potentially opening themselves to various attacks and threats.

For instance, by accessing the camera and microphone without informing the user, a cybercriminal could invite themselves to a peek into your personal life, listening and watching for personal moments and data to exploit. Pop-up windows could themselves host threats, and automated downloads could install nasty pieces of malware.

Instead, you should make sure that these permissions are set to Ask before allowing them, while also simply turning these permissions Off when you have no reason to enable them.

Block Third-Party Cookies and Trackers

While websites will often use their own cookies to keep track of users to improve their functionality, there are a lot of other cookies present from third parties that are tracking you as well. By blocking cookies that don’t come from the site you’re browsing and leaving the native ones to operate, you can minimize threats against your business from these sources.

As for trackers, you should be able to switch them off entirely. Trackers have begun to replace cookies as a means of, well, tracking a user’s online behaviors. As a plus, blocking a tracker has a decreased probability of breaking a website, as blocking cookies can at times do. If you cannot block trackers via your browser, you may want to reconsider which browser you are using.

Use Smarter Tools and Utilities to Minimize Your Risks

While different browsers offer different security features, there are certain choices that can help you make the most out of any situation. For instance, you should not sign into any of your accounts on more than one browser. If you’ve decided on Firefox for your Facebook use, only sign into Facebook from Firefox and not from Google Chrome or Microsoft Edge. While you may have disparate Google accounts attached to these services (a company one for work and a personal one for your own use), Google understands that they are all you and will take it upon themselves to merge your activities into their own reference files. You should also avoid using your accounts from Google or Facebook as a form of sign-in, as this will give those companies access to your behaviors on those sites as well.

There are, however, some browser extensions and alternative websites that can help you take back some of your privacy. Some add-ons help to shield your activities from this kind of tracking, while some online services are anonymized and therefore more secure. Identifying the most secure options and committing to them will be crucial to your continued success.

The Internet can be a wonderful resource, but it can also be considerably risky to work with if not prepared. Trust MSPNetworks and our team to help keep you out of trouble. Give us a call at (516) 403-9001 to learn about our many services, including those that can improve your security.

If you are an avid reader of our blog, we are constantly saying how there are always a growing number of threats. This is true. Two-in-every-three business owners consider that their cybersecurity risks are increasing each year. The other third must not focus on them, and that is a problem. In fact, many business owners don’t give the proper respect to cyberthreats and many of those businesses pay the price. This is why every business should consider a security and compliance audit a mandatory part of their yearly IT assessment. 

Explaining the Security and Compliance Audit

Since there is a constant stream of threats coming at your business from the Internet, it stands to reason that you need to come up with a strategy to reduce or completely eliminate those threats’ path to your business’ IT infrastructure. Traditionally, that means installing security software solutions such as firewalls and antivirus, training your staff on how to navigate potential scams, and doing your best to monitor the threats as they come in. This seems comprehensive, right? Unfortunately, these efforts are unlikely to prevent a breach of your network or a corruption of your IT infrastructure.

The IT infrastructure that continues to grow.

If you consider that every year more and more is added to your IT infrastructure, it’s not a stretch of the imagination to not only gain more to support, but also additional points of potential exploitation. New systems can create new vulnerabilities in your network, and more to support can add even more holes in your existing system. These are the avenues hackers use to access your network and steal your data. 

Additionally, the more complicated your IT infrastructure gets, the more difficult it will be to stay in compliance with any regulations your business operates under. As issues with data privacy start to be taken seriously by lawmakers, expect more regulations; and additional focus on compliance. 

A security and compliance audit is basically the full assessment of your cybersecurity situation. It goes far beyond your average vulnerability scan as it takes into account how your technology is used and provides you with specific criteria that you need to take into account. This profile will go above and beyond your cursory network and infrastructure scan. MSPNetworks has the certified technicians on staff to comprehensively conduct such an assessment. We can provide you with information on where your business is weakest and what you can do to bump up your network security to stay in compliance and keep your network resources safe. 

Go Even Further

Our security and compliance audit can tell you what you need to know, but once you have taken the steps to patch the potential vulnerabilities in your network and infrastructure, you will need to keep it up. We can conduct penetration testing to ensure that the steps you take work to fix the vulnerabilities in your network. This can function as assurance that your business isn’t caught up in two terrible situations: a data breach or fallout from non-compliance. 

If you would like to talk to one of our IT professionals about getting a security and compliance audit, or if you would like to talk about how our managed IT services can work to thwart all types of negative situations, give us a call at (516) 403-9001 today.

While Google Search has become eponymous for “online search”, the company has not stopped innovating upon the capabilities of the service. Most recently (as of this writing, of course) one improvement that the company is making is to give more content a bit more context before a user clicks through to a potential threat.

Let’s go into what this new update will look like on your Search results pages.

The Google Page Widget

With its rollout beginning on February 2nd, your Google Searches via a desktop, mobile device, and the Android mobile app probably now offer a small widget that provides a look at the website each result directs to.

Here’s how it will purportedly work:

You will soon notice (if they haven’t already caught your attention) small three-dot menus appearing next to your search results. These menus, if clicked, will give you more information into the website the result has pulled up.

This information will include things like a blurb about the website the link directs to—if available, coming from Wikipedia, and if not, based on Google’s own analysis when the site was indexed—as well as whether the website offers a secure HTTPS protocol connection and if a link is an ad.

Here, for example, is what appears when you check the link for Facebook:

From this, we can see that Google has confirmed that the connection to the website is secured, helping to protect our data, and that the link the user has inquired about was the result of their search, not placed there as an advertisement.

Moving forward, this utility may be able to help your users make more secure choices when browsing their search results. If you have access to it, we encourage you to explore it a little more yourself—and, if you’re ever concerned about how secure your business’ IT choices have been, to reach out to MSPNetworks at (516) 403-9001 for an assessment.

Your business’ security largely depends on how secure the passwords are that keep your resources from being accessed without authorization. Despite this, many users—perhaps even you—frequently sacrifice sufficient security measures in favor of the simple and convenient route, cutting corners when coming up with their passwords. Let’s try and remedy this by reviewing a few practices that can help make a password more effective.

What Threats are There to Passwords?

A password can be undermined in one of two different ways, generally speaking:

Digging into your online life or resorting to trickery, a “bad actor” (as they are sometimes called) figures out your password or how they can fool you into handing it over. Alternatively, the bad actor might phish you or infect your computer to crack the password.

As a result, you need to figure out how to make your passwords effectively guess-proof, while still being able to recall them as you need them. These principles should ultimately pertain to any passwords associated with your business—including the ones your staff members rely on.

The Balance Between a Strong Password and a Memorable Password

Whether you’re designing a password policy for your company members to follow, or simply creating a new account of your own, there are two important considerations to keep in mind.

• If a hacker can’t guess/crack a password, they will likely resort to a brute force method—simply trying every combination possible until they eventually get a hit.
• The security of a password and its resilience against brute force attacks aren’t the same.

It is important that both of these aspects are taken into serious account as you come up with your passwords.

How to Optimize Your Password Security

There are a few widely accepted best practices when it comes to what makes a good password:

• It is sufficiently long, ideally stretching over 16 characters
• These characters include non-consecutive numbers, letters, and symbols
• The password contains no common words or numbers, private information, or any publicly accessible details

It is also important that your considerations involve the aforementioned tools that cybercriminals use to break password protections. This is where we must account for the complexity of your passwords.

Did you know that about 40 percent of passwords only contain lowercase letters? Well, cybercriminals certainly know, and will certainly try to save time by only trying lowercase letters in their initial brute force attacks. Even one extra variable can significantly increase the password’s security, making it harder and more time-consuming for the hacker, and possibly convincing them that the effort isn’t worth it.

However, you also need a password that is memorable enough for you to be able to use it. The most secure password in the world is no good to you if you can’t commit it to memory, to the letter (or number or symbol).

This has recently led to the idea that a password composed of a few random words, randomized further with alphanumeric substitution and capitalization, padded with repeating symbols on either side, is the most secure option.

Think about it—like we said, each variable makes the hacker’s job that much more challenging and can help slow down any automated attempts long enough for the hacker to abandon them.

With all this in mind, it makes sense to create passwords that ultimately look something like this:

====p33k,,,@ss0c!@t3d,,,p0ck3t====

Not only is this password effectively impossible to guess, but it also has plenty of characters and—while designed to be somewhat simple to memorize, is still plenty resistant to brute force methods. Just make sure you come up with your own, instead of copying this one.

Remembering These Passwords

Admittedly, a password like this is a lot to remember on its own, so the thought of remembering a different one for each account (in keeping with best practices) can be daunting for most. Fortunately, a password manager can simplify this considerably.

A password manager is basically just a piece of software that safely and securely stores your passwords away for you, accessible to you behind a single master password. That way, your passwords could be totally secure and unique without forcing you to remember them all.

From your passwords and access management to every other aspect of your business’ IT security and productivity, MSPNetworks is here to help. Learn more about what we can offer by calling (516) 403-9001 today.

It’s been reported that a hacker virtually broke into a Floridian water treatment facility and briefly increased the levels of sodium hydroxide in the Pinellas County water supply. Fortunately, onsite operators noticed the spike and reduced it right away, keeping the public from risk of increased levels of poison in their water. This is just the latest story in a seemingly never-ending supply of them that have to do with public utilities being at risk from cyberattacks. Today, we will take a look at this issue. 

Protecting Online Utilities

Today, most systems are not only run through the use of computers, they are perpetually online so that remote operators have access to manage these systems. This provides hackers a wider-range of opportunities to carry out attacks against public infrastructure. Despite the massive amount of capital invested to ensure that these systems remain secure and reliable, all it takes is one situation to cause a great deal of public harm. The event in Florida just accentuates how important the security protecting these systems is. 

The Shifting Utilities Landscape

Over the past year, more people have been asked to work remotely to help keep the COVID-19 pandemic from spreading. This has not only led to more people working remotely at jobs that would typically require on-site staff, it also has helped push a degree of automation (using artificial intelligence and machine learning) to help identify incongruencies and threats to critical IT systems. This means that more people are relying on unfamiliar tools to do their jobs remotely. One can understand how this can lead to some confusion when trying to thwart very specific and targeted attacks. 

Threats Against Utilities and Infrastructure Are More Severe

A recent report from the Ponemon Institute suggests that threats against utilities are becoming shockingly more sophisticated. 54 percent of utility managers stated that they expect to have to deal with at least one cyberattack on critical infrastructure in 2021. That means that half of the people that work in electricity, water treatment, solar and wind, and gas think that they will be directly dealing with a major event triggered by a cyberattack this year. That’s completely unsettling considering how important these systems are to the sustainability of our society. 

What is Being Done?

This is where it gets a little tricky. Utility companies spend a lot of time and resources securing infrastructure. There’s a reason most of these places are surrounded by razor wire. To secure themselves against cyberattacks, however, they are taking much the same approach that your average enterprise would. They will try to secure systems by learning from past mistakes, innovating the tools they use, and simply being more vigilant.

Some innovations to speak of are similar to the ones you might see at your business. Using the integration of AI to actively search for and identify threats can end up being quite beneficial. AI can go through a lot of data extraordinarily quickly, meaning that it can identify potential problems quicker and thwart bad actors’ attempts at sabotage. Another technology that is being used in energy distribution is the Internet of Things. Utility companies are starting to utilize smart meters that modulate the flow of electricity and water. While you’d think that the integration of IoT devices would actually make the systems less secure, utility companies identified that from the outset and spent time and resources securing those systems before they were ever deployed in the field. 

Protecting our utilities has to be essential not only for utility companies, but also for society as a whole. What are your thoughts? Should the public subsidize utility companies for their cybersecurity? What moves would you make? Leave your thoughts in the comments section below.