
MSPNetworks Blog

MSPNetworks has been serving the Farmingdale area since 2010, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

How to Make Your Google Account More Secure

Going through your passwords and updating them every so often is a very wise habit to get into, particularly when they are used to protect a lot of data—as the password to your Google account often is. Considering this, let’s go over how to update your Google password and otherwise lock down your account.


How Much is Tied to a Google Account?

For many, their Google account is linked to quite a few frequently-used utilities and applications. Going far beyond the search engine functionality it began as, Google’s services now involve multiple programs and solutions. As such, the potential danger of a cybercriminal accessing your Google account is increased greatly.

For instance, a Google account is now linked to:

  • Google.com (for custom tailored search results)
  • Gmail
  • Google Drive
  • Google Docs/Sheets
  • Google Maps
  • Android
  • Google Workspace
  • Google Chrome
  • YouTube

 … with many, many other accounts and services also tied to Google. A good rule of thumb: anything with “Android,” “Chrome,” or of course “Google” in the name is likely tied to your Google account.

Updating Your Google Password

Fortunately, Google makes it exceptionally simple to update the password to your account:

  1. Visit https://accounts.google.com/. If you aren’t signed in already, log in with your email/phone number and password.
  2. Click Security on the left-hand side.
  3. Look for Signing in to Google. Click Password.
  4. Google will usually prompt you to provide your current password, and then have you input a new password.

A WORD OF WARNING: Naturally, with so much tied to a single password, you need to make sure it is as secure as you can possibly make it. Use a totally unique password—not one that provides you with access to any other account. Don’t include any personally identifiable information that others might associate with you, like your birth date, maiden name, social security number, phone number, or the like.

To accomplish this, it helps to use a password manager to keep track of them all, along with any password creation features it has built in, as this will help you to generate a secure, randomized password with sufficient complexity. You could also string a few random and unrelated words together to make a passphrase, sprinkling in numbers and symbols as you see fit to help make a memorable but significantly more secure option.

Once you make these changes, you’ll probably need to re-log into your Google account on a few devices.

But Wait, There’s More!

To really protect your Google account, let’s go a little further and set up 2-Step Verification (also commonly known as Two-Factor Authentication) if you have not yet done so. 2-Step Verification is a great insurance policy against the possibility that your password is breached.

Once your password is changed, from your Google Account page:

  1. Click the Security option on the left-hand side of the page.
  2. Click 2-Step Verification.
  3. Google may prompt you to enter in your password again, just to make sure it’s you.
  4. Depending on what Google already knows about you, this might go a few different ways—you’ll either be prompted to set up a phone number to get a text message or phone call, or Google might walk you through setting this up on your smartphone. Either way, follow the on-screen instructions. 

Your various authentication options come at varying levels of simplicity and efficacy. Most convenient is the use of a Google prompt, which sends a notification to your Android device whenever a new device attempts to log into your account, allowing you to permit or deny the attempt. Receiving a text message with a code is undoubtedly convenient, but less secure, as these text messages can potentially be intercepted. The most secure option is to utilize Google’s Authenticator app, which is also simple to set up.

If your business uses Google’s solutions to power your business, MSPNetworks recommends that you implement these changes. Need help? Give our team a call at (516) 403-9001.


Be Sure to Update Your Microsoft Passwords

The new year is upon us and after the debacle that 2020 was, it is extremely welcome. If you are like us, you have a new set of goals that you’ve created for yourself and are probably looking to improve your professional and personal well-being. One way to do that is to ensure that your accounts are secure. Today, we will be going through how to update your password with Microsoft.


You may have heard that the U.S. Government just suffered from a massive cybersecurity breach from an attack that was perpetrated from overseas, and among the systems that were affected was Microsoft Office. Unfortunately, foreign hackers were actively monitoring email accounts between the U.S. Treasury Department and the National Telecommunications and Information Administration (NTIA). Fortunately, however, Microsoft, who is known for its active role in identifying and thwarting cybercrime, didn’t find any active vulnerabilities in their Office 365 applications or cloud services, but they did offer some suggestions, one of which was to do everything you can to protect your data.  

It is important to understand how to take action to ensure your organization—and your personal accounts—are secured properly. 

What You Need to Know About Your Microsoft Account Security

If you actively utilize Office 365, or any other Microsoft product, you need to know a breach would affect you. For your typical user account, their Windows 10 license is tied to their Microsoft account, and if you have Office 365 or use any other Microsoft applications or services, they are covered by those credentials as well. Here is a list of the application titles you need to concern yourself with when considering your Microsoft account security:

  • Windows
  • Outlook
  • Office
  • Skype
  • OneDrive
  • Xbox Live
  • Bing
  • Microsoft Store
  • MSN

Here’s How to Update Your Microsoft Password

To Microsoft’s credit, they make it extremely easy to change your password. Here are the steps:

  1. Visit https://account.microsoft.com/
  2. Click Sign In on the top right, if you aren’t already signed in. If you are already signed in, the page will display your name with options about your subscriptions and other services. Once you sign in with your email and password, you’ll be taken to this page.
  3. Towards the top of the page, on the right-hand side, you’ll see an option that says Change Password. Click it.
  4. If you have Two-step verification enabled, it will walk you through verifying your account with a text, an email, or using the Microsoft Authenticator app. If you don’t have that set up, don’t worry, we’re going to get you set up after you change your password.
  5. Once prompted, enter your current password, and then come up with a brand new password.

CRUCIAL ADVICE: You never want to use the same password on multiple accounts. Every password you make should be unique, complex, and lack any personally identifiable information (such as your date of birth or your address). Really random works best, but we know it is difficult to remember random passwords. Make sure that your password is something that nobody could guess with variance in case, numbers, and symbols. The more complex your password is, the more secure your accounts are going to be.

One feature Microsoft offers when setting up your credentials is a checkbox that will require you to change your password every 72 days. It really works to secure your account. You might think it’s unnecessary, but consider how much of your personal information is tied up in your relationship with Microsoft. Check it and keep active on protecting your data and account security.

One Last Thing

One thing you should consider when changing your password is to set up Two-step Verification. Click that too. If you are using a Microsoft 365 account through work, you may need your administrator to turn it on and give you further instructions. Give us a ring if you need help.

All you will need to do is follow the on-screen instructions. If you do not already have an authenticator app on your smartphone (like Google Authenticator, LastPass Authenticator, Duo Mobile, Authy, etc.), Microsoft has a tutorial to help you set up Microsoft Authenticator. If you prefer to use one of the other apps, set it up with your preferred app.

Two-factor verification will require you to use the Authenticator app to log into your Microsoft account on a new device, or make major changes to your Microsoft account (like updating a new password). It won’t require you to use the app every time you want to use Word or Outlook, but it is a good practice to use to ensure you are doing all you can to protect your account and data. 

Keeping your Microsoft account secure isn’t hard, but it is extremely important. If you need help or would like to talk to one of our certified technicians about setting Microsoft products up for your whole business, give us a call at (516) 403-9001 today.


The Democratic Republic of Congo’s Near Miss Teaches an Important Security Lesson

To preserve your cybersecurity, you need to have a comprehensive view of everything involved with your technology—and we do mean everything. Let’s consider a recent close call involving the Democratic Republic of Congo that exemplifies this perfectly, and that could have potentially exposed millions of Internet users to serious threats.


First, it will be helpful to go over how websites work (giving you a hint as to the nature of the close call we’ll be discussing).

How Web Browsing Works

When navigating to a website, you type that website’s URL into your address bar and you’re brought to the website, right? While this is how it appears on the surface, there’s actually a lot more going on underneath.

The domain name we know, as users, to go to a website is different than the actual functioning name that your Internet browser recognizes. Instead, your browser recognizes a series of numbers known as an Internet Protocol (IP) Address. IP addresses are too in-depth of a topic for us to go into much detail here, but to sum up: they tell the browser which web server it needs to direct towards to find the desired website.

Obviously, a series of numbers is more difficult to remember than a name, so this discrepancy would make the Internet much harder to use if it weren’t for nameservers.

Nameservers are the component of the Internet that helps bridge the URL to the IP address. When you type a website into the address bar, the browser references a nameserver to find out where the correct web server is before requesting content from it. In essence, the nameserver helps your browser translate your request into a language it understands—in many ways acting like your browser’s GPS.

In other words, the nameserver is a crucially important part of how the Internet functions, which means that these servers are particularly important to keep secure… particularly if the nameserver in question controls a top-level domain (the “.com”, “.net”, or “.edu” part). If an attacker were to gain control of a top-level nameserver, man-in-the-middle attacks could be used to redirect web traffic to malicious websites.

What Happened in the Democratic Republic of Congo

Therefore, when security researcher Fredrik Almroth noticed that one of the nameservers for the .cd country code top-level domain (belonging to the Democratic Republic of Congo) was set to expire, he took notice. When these domains expire, as the nameserver domain scpt-network.com did in October, the governments that own them have a set amount of time to renew them before someone else could claim them.

Almroth was monitoring this domain to ensure that it was renewed, just to be safe. Once the end of December rolled around, the security researcher was quick to snap it up to protect it from ne’er-do-wells who would otherwise abuse it. Because the other nameserver to the domain was still operational, Almroth simply had any requests to his nameserver time out and be passed to the working one.

What Was at Risk?

In short, quite a bit. With possession of such a nameserver, an attacker could potentially intercept any traffic—encrypted or not—directed to a .cd domain. This could give an attacker a frightening amount of power and control over thousands of websites.

The Congolese government ultimately opted to set up a new domain, ensuring that security was never in question.
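The lapse described above is something any domain owner can audit for in their own delegation. The following is an added example, not code from the original post: it takes the nameserver hostnames a zone delegates to and flags any whose parent domain registration has expired or is close to expiring. All hostnames, dates, the 60-day warning window and the short suffix list are constructed assumptions, and the expiry dates are assumed to have been collected separately (for example from your registrar).

```python
from datetime import date

# Assumption: a tiny stand-in for the Public Suffix List, which a real audit
# would use to find the registrable part of a hostname.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.za"}


def registrable_domain(hostname):
    """Return the part of a nameserver hostname that someone has to renew."""
    labels = hostname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        raise ValueError(f"not a fully qualified hostname: {hostname!r}")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def audit_nameservers(nameservers, expiry_by_domain, today, warn_days=60):
    """Classify each nameserver by the registration state of its parent domain.

    EXPIRED  - registration lapsed; the name may become claimable by anyone
    UNKNOWN  - no expiry data, so nobody is tracking this dependency
    EXPIRING - inside the warning window; renew or re-delegate now
    OK       - registration valid beyond the warning window
    """
    severity = {"EXPIRED": 0, "UNKNOWN": 1, "EXPIRING": 2, "OK": 3}
    findings = []
    for ns in nameservers:
        domain = registrable_domain(ns)
        expires = expiry_by_domain.get(domain)
        if expires is None:
            status, days_left = "UNKNOWN", None
        else:
            days_left = (expires - today).days
            if days_left < 0:
                status = "EXPIRED"
            elif days_left <= warn_days:
                status = "EXPIRING"
            else:
                status = "OK"
        findings.append({"nameserver": ns, "domain": domain,
                         "status": status, "days_left": days_left})
    # Most urgent findings first.
    return sorted(findings, key=lambda f: severity[f["status"]])


# Constructed sample data (reserved .example names, made-up dates).
SAMPLE_TODAY = date(2021, 1, 4)
SAMPLE_NAMESERVERS = [
    "ns1.hosting-a.example.",
    "ns2.old-vendor.example.",
    "ns3.hosting-b.example.",
    "ns4.forgotten.example.",
]
SAMPLE_EXPIRY = {
    "hosting-a.example": date(2022, 3, 1),
    "old-vendor.example": date(2020, 10, 15),
    "hosting-b.example": date(2021, 2, 1),
}

if __name__ == "__main__":
    for f in audit_nameservers(SAMPLE_NAMESERVERS, SAMPLE_EXPIRY, SAMPLE_TODAY):
        print(f"{f['status']:<9}{f['nameserver']:<28}{f['domain']:<22}{f['days_left']}")
```

Any EXPIRED or UNKNOWN row is a nameserver that should be renewed or removed from the delegation before someone else can register the name.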

What Your Business Can Learn From This

In short, technology can be complicated, which means that threats can potentially come from every angle.

Cybercriminals are irritatingly resourceful and will absolutely resort to cheap tricks to get their way. The size of their target is also irrelevant to them, so whether they’re targeting a government infrastructure or the website a local store keeps up doesn’t particularly concern them. As such, businesses of all shapes and sizes need to have a trusted resource they can rely on to keep their IT in order, especially in terms of its security.

As such a resource to many businesses, MSPNetworks prioritizes keeping an eye on all aspects of our clients’ technology solutions to help avoid issues like these that could otherwise have gone unnoticed. To find out more about what we can do for your operations, give us a call at (516) 403-9001 today.


Tip of the Week: Browser Best Practices for Boosted Security

Privacy is a sensitive subject nowadays, especially online. Regardless of the browser you have elected to use, properly using it will have a large impact. Let’s review a few ways that you and your team can help secure your business and its resources and go over these settings.


Promoting Privacy Via Your Browser Settings

Here, we’ve assembled a few best practices that you should keep in mind to help reinforce your browser’s security.

Revise Default Permissions, as Necessary

Before a website is able to access some of your data and peripherals, like your location, your camera, and pop-up windows, it needs to ask you for permission to do so. Too many people set these permissions to on—carte blanche—by default, potentially opening themselves to various attacks and threats.

For instance, by accessing the camera and microphone without informing the user, a cybercriminal could invite themselves to a peek into your personal life, listening and watching for personal moments and data to exploit. Pop-up windows could themselves host threats, and automated downloads could install nasty pieces of malware.

Instead, you should make sure that these permissions are set to Ask before allowing them, while also simply turning these permissions Off when you have no reason to enable them.

Block Third-Party Cookies and Trackers

While websites will often use their own cookies to keep track of users to improve their functionality, there are a lot of other cookies present from third parties that are tracking you as well. By blocking cookies that don’t come from the site you’re browsing and leaving the native ones to operate, you can minimize threats against your business from these sources.

As for trackers, you should be able to switch them off entirely. Trackers have begun to replace cookies as a means of, well, tracking a user’s online behaviors. As a plus, blocking a tracker has a decreased probability of breaking a website, as blocking cookies can at times do. If you cannot block trackers via your browser, you may want to reconsider which browser you are using.

Use Smarter Tools and Utilities to Minimize Your Risks

While different browsers offer different security features, there are certain choices that can help you make the most out of any situation. For instance, you should not sign into any of your accounts on more than one browser. If you’ve decided on Firefox for your Facebook use, only sign into Facebook from Firefox and not from Google Chrome or Microsoft Edge. While you may have disparate Google accounts attached to these services (a company one for work and a personal one for your own use), Google understands that they are all you and will take it upon themselves to merge your activities into their own reference files. You should also avoid using your accounts from Google or Facebook as a form of sign-in, as this will give those companies access to your behaviors on those sites as well.

There are, however, some browser extensions and alternative websites that can help you take back some of your privacy. Some add-ons help to shield your activities from this kind of tracking, while some online services are anonymized and therefore more secure. Identifying the most secure options and committing to them will be crucial to your continued success.

The Internet can be a wonderful resource, but it can also be considerably risky to work with if not prepared. Trust MSPNetworks and our team to help keep you out of trouble. Give us a call at (516) 403-9001 to learn about our many services, including those that can improve your security.


Conduct a Security and Compliance Audit, You Won’t Regret It

If you are an avid reader of our blog, you know we are constantly saying that there are a growing number of threats. This is true. Two in every three business owners consider that their cybersecurity risks are increasing each year. The other third must not focus on them, and that is a problem. In fact, many business owners don’t give the proper respect to cyberthreats and many of those businesses pay the price. This is why every business should consider a security and compliance audit a mandatory part of their yearly IT assessment.


Explaining the Security and Compliance Audit

Since there is a constant stream of threats coming at your business from the Internet, it stands to reason that you need to come up with a strategy to reduce or completely eliminate those threats’ path to your business’ IT infrastructure. Traditionally, that means installing security software solutions such as firewalls and antivirus, training your staff on how to navigate potential scams, and doing your best to monitor the threats as they come in. This seems comprehensive, right? Unfortunately, these efforts are unlikely to prevent a breach of your network or a corruption of your IT infrastructure.

The IT infrastructure that continues to grow.

If you consider that every year more and more is added to your IT infrastructure, it’s not a stretch of the imagination that you gain not only more to support, but also additional points of potential exploitation. New systems can create new vulnerabilities in your network, and more to support can add even more holes in your existing system. These are the avenues hackers use to access your network and steal your data.

Additionally, the more complicated your IT infrastructure gets, the more difficult it will be to stay in compliance with any regulations your business operates under. As issues with data privacy start to be taken seriously by lawmakers, expect more regulations and additional focus on compliance.

A security and compliance audit is basically the full assessment of your cybersecurity situation. It goes far beyond your average vulnerability scan as it takes into account how your technology is used and provides you with specific criteria that you need to take into account. This profile will go above and beyond your cursory network and infrastructure scan. MSPNetworks has the certified technicians on staff to comprehensively conduct such an assessment. We can provide you with information on where your business is weakest and what you can do to bump up your network security to stay in compliance and keep your network resources safe. 

Go Even Further

Our security and compliance audit can tell you what you need to know, but once you have taken the steps to patch the potential vulnerabilities in your network and infrastructure, you will need to keep it up. We can conduct penetration testing to ensure that the steps you take work to fix the vulnerabilities in your network. This can function as assurance that your business isn’t caught up in two terrible situations: a data breach or fallout from non-compliance. 

If you would like to talk to one of our IT professionals about getting a security and compliance audit, or if you would like to talk about how our managed IT services can work to thwart all types of negative situations, give us a call at (516) 403-9001 today.


Google Search Now Gives More Info into What You’re Clicking On

While Google Search has become synonymous with “online search”, the company has not stopped innovating upon the capabilities of the service. Most recently (as of this writing, of course) one improvement that the company is making is to give more content a bit more context before a user clicks through to a potential threat.


Let’s go into what this new update will look like on your Search results pages.

The Google Page Widget

With its rollout beginning on February 2nd, your Google Searches via a desktop, mobile device, and the Android mobile app probably now offer a small widget that provides a look at the website each result directs to.

Here’s how it will purportedly work:

You will soon notice (if they haven’t already caught your attention) small three-dot menus appearing next to your search results. These menus, if clicked, will give you more information into the website the result has pulled up.

This information will include things like a blurb about the website the link directs to—if available, coming from Wikipedia, and if not, based on Google’s own analysis when the site was indexed—as well as whether the website offers a secure HTTPS protocol connection and if a link is an ad.

Here, for example, is what appears when you check the link for Facebook:

From this, we can see that Google has confirmed that the connection to the website is secured, helping to protect our data, and that the link the user has inquired about was the result of their search, not placed there as an advertisement.

Moving forward, this utility may be able to help your users make more secure choices when browsing their search results. If you have access to it, we encourage you to explore it a little more yourself—and, if you’re ever concerned about how secure your business’ IT choices have been, to reach out to MSPNetworks at (516) 403-9001 for an assessment.


Tip of the Week: The Guide to Optimal Password Efficacy

Your business’ security largely depends on how secure the passwords are that keep your resources from being accessed without authorization. Despite this, many users—perhaps even you—frequently sacrifice sufficient security measures in favor of the simple and convenient route, cutting corners when coming up with their passwords. Let’s try and remedy this by reviewing a few practices that can help make a password more effective.


What Threats are There to Passwords?

A password can be undermined in one of two different ways, generally speaking:

  • Digging into your online life or resorting to trickery, a “bad actor” (as they are sometimes called) figures out your password or how they can fool you into handing it over.
  • Alternatively, the bad actor might phish you or infect your computer to crack the password.

As a result, you need to figure out how to make your passwords effectively guess-proof, while still being able to recall them as you need them. These principles should ultimately pertain to any passwords associated with your business—including the ones your staff members rely on.

The Balance Between a Strong Password and a Memorable Password

Whether you’re designing a password policy for your company members to follow, or simply creating a new account of your own, there are two important considerations to keep in mind.

  • If a hacker can’t guess/crack a password, they will likely resort to a brute force method—simply trying every combination possible until they eventually get a hit.
  • The security of a password and its resilience against brute force attacks aren’t the same.

It is important that both of these aspects are taken into serious account as you come up with your passwords.

How to Optimize Your Password Security

There are a few widely accepted best practices when it comes to what makes a good password:

  • It is sufficiently long, ideally stretching over 16 characters
  • These characters include non-consecutive numbers, letters, and symbols
  • The password contains no common words or numbers, private information, or any publicly accessible details

It is also important that your considerations involve the aforementioned tools that cybercriminals use to break password protections. This is where we must account for the complexity of your passwords.

Did you know that about 40 percent of passwords only contain lowercase letters? Well, cybercriminals certainly know, and will certainly try to save time by only trying lowercase letters in their initial brute force attacks. Even one extra variable can significantly increase the password’s security, making it harder and more time-consuming for the hacker, and possibly convincing them that the effort isn’t worth it.

However, you also need a password that is memorable enough for you to be able to use it. The most secure password in the world is no good to you if you can’t commit it to memory, to the letter (or number or symbol).

This has recently led to the idea that a password composed of a few random words, randomized further with alphanumeric substitution and capitalization, padded with repeating symbols on either side, is the most secure option.

Think about it—like we said, each variable makes the hacker’s job that much more challenging and can help slow down any automated attempts long enough for the hacker to abandon them.

With all this in mind, it makes sense to create passwords that ultimately look something like this:

====p33k,,,@ss0c!@t3d,,,p0ck3t====

Not only is this password effectively impossible to guess, but it also has plenty of characters and, while designed to be somewhat simple to memorize, is still plenty resistant to brute force methods. Just make sure you come up with your own, instead of copying this one.
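To put numbers on the point that each extra variable widens a brute-force search, here is an added example (not from the original post) that measures the search space by character class and generates a random-word passphrase with a cryptographically secure generator. The function names and the 16-word sample list are constructed for illustration; a real word list would be far larger.

```python
import math
import secrets
import string

# Character classes an exhaustive (brute-force) search can choose to cover.
CLASSES = {
    "lowercase": string.ascii_lowercase,  # 26 characters
    "uppercase": string.ascii_uppercase,  # 26 characters
    "digits": string.digits,              # 10 characters
    "symbols": string.punctuation,        # 32 characters
}


def alphabet_size(password):
    """Size of the smallest class-based alphabet covering every character."""
    size = sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))
    known = "".join(CLASSES.values())
    # Characters outside the four ASCII classes (spaces, accents) count once each.
    return size + len({c for c in password if c not in known})


def brute_force_bits(password):
    """log2 of the candidates an exhaustive search over that alphabet must try.

    This models blind brute force only. It says nothing about guessing that
    uses word lists, so treat the result as an upper bound.
    """
    size = alphabet_size(password)
    return len(password) * math.log2(size) if size else 0.0


def random_passphrase(wordlist, count=4, separator="-"):
    """Pick `count` words with a CSPRNG; return (phrase, entropy in bits)."""
    pool = sorted(set(wordlist))
    if len(pool) < 2:
        raise ValueError("need at least two distinct words")
    words = [secrets.choice(pool) for _ in range(count)]
    # Entropy comes from the random choice itself: log2(pool size) per word.
    return separator.join(words), count * math.log2(len(pool))


# Constructed 16-word sample list (4 bits per word), for demonstration only.
SAMPLE_WORDS = [
    "anchor", "basil", "copper", "dune", "ember", "fjord", "garnet", "harbor",
    "ivory", "juniper", "kettle", "lantern", "meadow", "nectar", "orbit", "pebble",
]

if __name__ == "__main__":
    # Same length, one more character class each time.
    for candidate in ("sunflowerfields", "Sunflowerfields",
                      "Sunfl0werfields", "Sunfl0wer-fields"):
        print(f"{candidate:<18}alphabet={alphabet_size(candidate):<4}"
              f"bits={brute_force_bits(candidate):.1f}")
    phrase, bits = random_passphrase(SAMPLE_WORDS)
    print(f"{phrase}  ({bits:.0f} bits from a {len(SAMPLE_WORDS)}-word list)")
```

Adding uppercase to an eight-character lowercase password doubles the alphabet and adds exactly eight bits, one per character, which is the effect the lowercase-only statistic above is warning about.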

Remembering These Passwords

Admittedly, a password like this is a lot to remember on its own, so the thought of remembering a different one for each account (in keeping with best practices) can be daunting for most. Fortunately, a password manager can simplify this considerably.

A password manager is basically just a piece of software that safely and securely stores your passwords away for you, accessible to you behind a single master password. That way, your passwords could be totally secure and unique without forcing you to remember them all.

From your passwords and access management to every other aspect of your business’ IT security and productivity, MSPNetworks is here to help. Learn more about what we can offer by calling (516) 403-9001 today.


Securing Utilities Has to Be a Priority

It’s been reported that a hacker virtually broke into a Floridian water treatment facility and briefly increased the levels of sodium hydroxide in the Pinellas County water supply. Fortunately, onsite operators noticed the spike and reduced it right away, keeping the public from risk of increased levels of poison in their water. This is just the latest story in a seemingly never-ending supply of them that have to do with public utilities being at risk from cyberattacks. Today, we will take a look at this issue. 


Protecting Online Utilities

Today, most systems are not only run through the use of computers, they are perpetually online so that remote operators have access to manage these systems. This provides hackers a wider range of opportunities to carry out attacks against public infrastructure. Despite the massive amount of capital invested to ensure that these systems remain secure and reliable, all it takes is one situation to cause a great deal of public harm. The event in Florida just accentuates how important the security protecting these systems is.

The Shifting Utilities Landscape

Over the past year, more people have been asked to work remotely to help keep the COVID-19 pandemic from spreading. This has not only led to more people working remotely at jobs that would typically require on-site staff, it also has helped push a degree of automation (using artificial intelligence and machine learning) to help identify incongruencies and threats to critical IT systems. This means that more people are relying on unfamiliar tools to do their jobs remotely. One can understand how this can lead to some confusion when trying to thwart very specific and targeted attacks. 

Threats Against Utilities and Infrastructure Are More Severe

A recent report from the Ponemon Institute suggests that threats against utilities are becoming shockingly more sophisticated. 54 percent of utility managers stated that they expect to have to deal with at least one cyberattack on critical infrastructure in 2021. That means that half of the people that work in electricity, water treatment, solar and wind, and gas think that they will be directly dealing with a major event triggered by a cyberattack this year. That’s completely unsettling considering how important these systems are to the sustainability of our society. 

What is Being Done?

This is where it gets a little tricky. Utility companies spend a lot of time and resources securing infrastructure. There’s a reason most of these places are surrounded by razor wire. To secure themselves against cyberattacks, however, they are taking much the same approach that your average enterprise would. They will try to secure systems by learning from past mistakes, innovating the tools they use, and simply being more vigilant.

Some innovations to speak of are similar to the ones you might see at your business. Using the integration of AI to actively search for and identify threats can end up being quite beneficial. AI can go through a lot of data extraordinarily quickly, meaning that it can identify potential problems quicker and thwart bad actors’ attempts at sabotage. Another technology that is being used in energy distribution is the Internet of Things. Utility companies are starting to utilize smart meters that modulate the flow of electricity and water. While you’d think that the integration of IoT devices would actually make the systems less secure, utility companies identified that from the outset and spent time and resources securing those systems before they were ever deployed in the field. 

Protecting our utilities has to be essential not only for utility companies, but also for society as a whole. What are your thoughts? Should the public subsidize utility companies for their cybersecurity? What moves would you make? Leave your thoughts in the comments section below.


Holding Your Own Against Today's Most Pressing Threats

For all the attention that we (and many others) give to cybercrime, people are still falling victim to hacks and scams every day. With most businesses operating more in the digital sphere than ever before, it stands to reason that they need to do more to keep from being a victim of a data breach or worse. Here are six things your business should do to keep from being a victim of a cyberattack.


#1 - Train Your Staff

You will want to establish basic security practices that make sense. You will want to go through how to identify a phishing attack and what to do if your staff come across one. You will want to explain what good password hygiene is and what benefits it offers both for your business and for them, individually. You will also need to go through the best practices of handling customer, vendor, and their contemporaries’ sensitive information.

#2 - Patch and Manage

You will want to keep your business’ infrastructure updated and managed. This includes all machines and endpoints, web browsers, and software: any part of your IT infrastructure that, if it were to be breached, could have a huge negative effect on your ability to continue business.

#3 - Security Solutions

Make sure that your firewall, antivirus, and any other security solution you have in place to protect your business is updated with the latest threat definitions. This includes setting up firewalls or a VPN for every member of your staff that is working remotely. 

#4 - Back Up Your Data

To protect your data, back it up regularly and store the copies in multiple places. That way you have copies of your data to restore from if something were to be corrupted, some IT were to fail, or there were some type of user error, and also if some disaster were to compromise your data at your place of business.

#5 - Secure Wireless Networks

You will want to secure your Wi-Fi network(s). It should be hidden from view and encrypted to give your business the best chance at mitigating potential hacks aimed at accessing your wireless network. 

#6 - Promote Sound Password Hygiene

Ensuring that your staff understands the best practices of using passwords and multi-factor authentication can go a long way toward protecting your business from outside threats. Passwords should be complex, but also easily remembered and use multiple characters.

If you are going to keep your data and infrastructure free from threats, these six steps are the bare minimum. If you would like to discuss additional steps you can take to protect your business’ most important assets, give our IT experts a call at (516) 403-9001 today.


Here’s What You Need to Know About the Giant SolarWinds Cyberattack

2020, unsurprisingly, has decided to go out with a bang, as it has been revealed that the United States was targeted in the largest cyberespionage attack to date. Let’s go over what this attack means, and how things will need to play out in the future.


How Did the Attack Happen?

In short, an IT management company known as SolarWinds was breached back in March, affecting a massive number of organizations—18,000 in all. These organizations include the likes of Microsoft, Cisco, and FireEye, as well as many state and federal organizations, including:

  • The U.S. Department of State
  • The U.S. Department of the Treasury
  • The U.S. Department of Homeland Security
  • The U.S. Department of Energy
  • The U.S. National Telecommunications and Information Administration
  • The National Institutes of Health, of the U.S. Department of Health
  • The U.S. National Nuclear Security Administration

When the attackers gained access to SolarWinds’ network, they were able to use what is known as a supply chain attack to introduce their malware to these departments and organizations by pushing it through the company’s automatic software update system for their Orion products. These kinds of attacks can be particularly effective since the threat is introduced to an environment via a trusted application.

Making this situation worse, many SolarWinds customers had excluded Orion products from their security checks on SolarWinds’ recommendation, to prevent their other security products from shutting Orion down due to the malware signatures that these security products contain.

While (at the time of this writing) it is unclear what the attackers responsible used this access to do, the potential ramifications are truly terrifying. While government departments were targeted, it also needs to be said that this attack could have potentially continued from the major providers like Microsoft and Cisco to their clients, and so on and so forth. That’s why there is still no estimate of this attack’s true scope.

This attack was seemingly only discovered when an employee at FireEye received an alert that their VPN credentials had been used from a new device, and a little digging revealed the much larger situation playing out.

This Wasn’t the Only Attack, Either

Another attack was also discovered on SolarWinds’ network when the company performed an internal audit of its systems. On December 18, a second malware was found to have used the same tactic to infiltrate SolarWinds, but as of this writing does not seem to come from the same source.

What This Needs to Teach Us

Frankly, the most important lessons to be learned here are painfully obvious. First off, cybersecurity needs to be prioritized above all else, and all potential threats should be considered a likelihood. After all, the U.S. government was warned about the viability of exactly this kind of threat back in 2018 by the Government Accountability Office.

Secondly, the concept of your employees being a huge part of your cybersecurity strategy needs to be reinforced. This was only discovered when an employee was alerted to unusual activity and took that alert seriously. Your team needs to know what they are looking out for, and how to proceed if they spot it.

Unfortunately, the full extent of this threat will not be clear to us until much later, but what is clear is that we’ll be here to keep your business’ IT as secure as possible. To learn more about what we can do for your business and its security, take a few moments to give us a call at (516) 403-9001.


What’s Happening with Blockchain

For a while there, blockchain was a buzzword that you would hear about constantly. It was the future of data security and secure online transactions. As 2020 has pointed our attention elsewhere, you’ve heard less and less about blockchain technology. Today, we’ll take a look at what some of the most innovative companies are doing with distributed encrypted networks.


What Is Blockchain? 

Blockchain was one of the most talked about technologies of the last half of the past decade; and while there have been hundreds of startups that use blockchain at the center of their offerings, there is some thought that the usability of the technology wasn’t as revolutionary as it was made out to be. For those of you who didn’t believe the hype, however, it should be noted that blockchain, the distributed ledger technology that provides unparalleled data security, transparency, and reliability, has been used as the basis of applications for financial services, real estate, law enforcement, supply chain management, insurance, and many more industries. 

The applications of this technology don’t end with cybersecurity, however. For the past several years the technology has been used in more and more practical applications. You see, when you can depend on the reliability of information, developers will want to use it to enhance the ability to manage waste. Supply chain management is a great example. The more transparency a business can have with the products and resources on their supply chain, the more efficient their operations will be and the more reliable their projections will be, allowing them to budget better and use the capital they would have otherwise wasted in advancing their company’s agendas.

How Some Industries Use Blockchain

The best way to see how blockchain has been integrated into software is to take a look at how companies utilize the technology.

Medical

If there has been one industry that has utilized blockchain technology the best, it is the healthcare industry. Some hospitals have already started utilizing the technology to help protect patient data. In healthcare there is a lot of information that needs to be both secured and simultaneously available, a complete conundrum for healthcare providers. Enter blockchain. Here is a technology with the ability to keep a transparent, yet incorruptible and private log of all patient health, insurance, and provider data; and, since it is decentralized, sharing the information that’s needed comes with fewer risks to patient profile info.

Banking

Analysts were most curious about how blockchain was going to affect the banking industry. Obviously, with the ability to keep transactions transparent and secure, the technology is perfect for the banking industry which, despite all the technological advancements over the past 50 years, hasn’t changed all that much. Today, banks are using blockchain as the basis for smart transactions that can be used to move money faster than ever. Banks are also partnering with various FinTech (financial technology) companies to create financial products that will seemingly revolutionize the way people and businesses can get the capital they need to push their initiatives forward.

Cybersecurity

Another obvious industry that is both quickly growing and in need of reliable instruments is the cybersecurity industry. Basically, companies are creating products that revolutionize the way people store their sensitive data. The distributed nature of blockchain is the impetus behind this shift. The less information can be gained from one location, the less likely hackers and cybercriminals will be to try and infiltrate. Moreover, with blockchain’s built-in encryption it has become a great option for access control systems and for data confidentiality as a whole. 

You may not be able to download a blockchain app and find any practical use, but the technology is here and is being used to secure large portions of sensitive data by companies from all over the world. If you would like to learn more about data security using blockchain technology, why not reach out to the IT professionals at MSPNetworks? Our experts can help you better understand what blockchain is and how you may already be using applications built with blockchain without even knowing it. Call us today at (516) 403-9001 to learn more.


When Securing Your Smartphone, Some Options are Better Than Others

Today’s smartphones are equipped with assorted ways that users can authenticate their identity, from the now old-fashioned PIN to basic biometrics. However, while these options are available on a wide range of phones, not all of them are equally secure. Let’s look a bit closer at these authentication measures to find out which is most effective.


Does Mobile Security Really Matter That Much?

In a word: yes.

Look at how much we can accomplish with a mobile device. While we’re used to the capabilities that a smartphone offers, it wasn’t too terribly long ago that these capabilities were unheard of outside of science fiction. It wasn’t until practical PDAs came about with the Palm Pilot in 1996, followed by Blackberry in 2002 and the introduction of HTC’s Windows phones in 2004, that we had a taste of what a “smart” phone would look like. It was only in 2007 that the first generally-agreed-upon smartphone, the iPhone, was released.

Just think about the difference between the devices we have today, compared to those that preceded them. While these so-called “dumb phones” were not devoid of sensitive data by any stretch, they may as well have been in comparison to today’s devices.

Now, there are applications for everything, from money management to medical data to shopping and every other purpose imaginable, many of which contain or regularly access personal data. That is why it is so important for these devices to be secured… the method by which a user can unlock the device being just one tiny facet of these security needs.

Evaluating Your Authentication Options

Nowadays, the authentication options present on mobile devices are designed to combine the needed security with the convenience of the user. Yet, since they aren’t all equally effective at securing the device, you need to be selective about the authentication method you use.

Let’s go over the options your device may offer and see which one is the best for your security.

Passcodes/PINs/Passwords

We’re all familiar with these authentication measures, as they’re generally the baseline authentication measure for any device, including mobile devices. They also help prevent other authentication proofs from being put in place without the user’s approval. While these security measures are far from impenetrable, they are secure enough to serve as the basis for sufficient security. This is, of course, provided that the user is responsible when they set them.

That said, many users don’t act as responsibly as they should, leaving their mobile devices relatively insecure. A study conducted in 2012 revealed that the PINs people used were often of personal significance to them, were composed of repeated digits, or (most amusingly) featured the number 69. Other common numbers were those that could easily be typed in sequence, like 1234, 7890, and the like.

Another study showed that increasing the length of the PIN from four numbers to six rarely added any security benefits, again because of the user. Apparently, the added length makes the user feel more secure by default, and by doing so, gives them the comfort to slack off in how secure their PIN is.

Naturally, assuming the user has the patience to retype it each time the device locks, a password is more secure than a PIN. Regardless, these options are generally accepted as the most secure available right now.
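A check that a PIN-enrollment screen or device-management policy could run to reject the weak choices those studies describe, as an added example that is not from the original post. The function names, the reason labels, and the date heuristic standing in for “personal significance” are assumptions, and the sample PINs are constructed.

```python
"""PIN enrollment check (added example; every name here is hypothetical)."""

DAYS_IN_MONTH = [31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]


def _valid_day_month(day, month):
    return 1 <= month <= 12 and 1 <= day <= DAYS_IN_MONTH[month - 1]


def _is_repeated(pin):
    """One or two distinct digits (1111, 1212, 1122) or a repeated block (123123)."""
    if len(set(pin)) <= 2:
        return True
    n = len(pin)
    return any(n % k == 0 and pin == pin[:k] * (n // k)
               for k in range(1, n // 2 + 1))


def _is_sequence(pin):
    """Every digit steps by +1 or by -1, wrapping 9 -> 0 the way the keypad
    row does, so both 1234 and 7890 match."""
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {9})


def _is_date_like(pin):
    """Heuristic for 'personal significance': a four-digit year, or a
    day/month pair in either order, optionally followed by two more digits."""
    if len(pin) == 4 and 1900 <= int(pin) <= 2099:
        return True
    if len(pin) in (4, 6):
        a, b = int(pin[:2]), int(pin[2:4])
        return _valid_day_month(a, b) or _valid_day_month(b, a)
    return False


def pin_weaknesses(pin, personal=()):
    """Return the reasons a PIN should be rejected; an empty list means none
    of these checks fired. `personal` holds digit strings the enrolling system
    already knows about the user (birth year, phone suffix, and so on)."""
    if not (pin.isascii() and pin.isdigit() and len(pin) >= 4):
        raise ValueError("PIN must be at least four ASCII digits")
    reasons = []
    if _is_repeated(pin):
        reasons.append("repeated-digits")
    if _is_sequence(pin):
        reasons.append("keypad-sequence")
    if "69" in pin:
        reasons.append("contains-69")
    if _is_date_like(pin):
        reasons.append("date-like")
    if any(p and p in pin for p in personal):
        reasons.append("personal-data")
    return reasons


if __name__ == "__main__":
    # Constructed sample PINs, including a six-digit one: extra length does
    # not help when the digits are still a sequence.
    for candidate in ("1234", "7890", "1111", "6969", "1985", "123456", "8350"):
        print(candidate, pin_weaknesses(candidate) or "no weakness found")
```

An empty result only means the PIN avoided these specific habits; the date heuristic will also reject some PINs that merely look like dates.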

Biometrics

Thanks to the hardware and software that our devices now support, users can now use their physical attributes to confirm their identity, as biometric authentication has risen in popularity. Naturally, the different methods that make up biometric authentication aren’t as consistent as many would assume.

Fingerprint Sensors: The first phone to have a fingerprint sensor—the Pantech GI100—first launched in 2004, and with the Toshiba G500, the fingerprint sensor became a mainstream inclusion on smartphones. This isn’t expected to change, with projections predicting that 90 percent of devices will still have a fingerprint sensor in 2023, as compared to 95 percent in 2018.

Fingerprint sensors come in many kinds, which does impact their security somewhat. For example, Samsung has started to incorporate sensors under the screen to enable a three-dimensional image to be captured. However, this inherently secure technology can be undermined using a screen protector, as the screen protector can actually lead to any fingerprint being accepted. There is also the concern that fingerprints can be harvested from another source and transplanted to the device to unlock it, so the user needs to prioritize making sure their device is properly acclimated to their unique print.

Iris Scanning: Currently, iris scanning is seen as the most secure biometric authentication, as the iris is even more unique than a fingerprint. While these capabilities are currently present in many devices, many users don’t use them. This is generally because it takes longer to scan the iris, as the user must direct their gaze to the sensor.

Facial Recognition: Fingerprint recognition has begun to be replaced by facial recognition capabilities, particularly with the rising prevalence of full screen displays. With decent software installed and a good set of reference data, facial recognition can make unlocking a device effectively effortless. However, that’s assuming that the software is good and that the reference images are good. If these images have blights like glare on them, it is harder for a user to unlock and easier for a hacker to crack.

Pattern Passwords/Knock Codes

Finally, we’ve come to the least secure option of all. Many Android devices offer the user the option to tap a pattern of their choosing on a grid to unlock their device. Multiple studies have disproven the security of this method, simply because it isn’t too challenging to figure out a user’s pattern.

In one study, it was found that 65 percent of the 351 participants involved created a code that followed Westernized reading patterns, starting at the top-left and progressing to the top-right. Increasing the size of the grid only led to users selecting shorter patterns. Many patterns proved common amongst the participants as well:

  1. An hourglass: top left, top right, bottom left, bottom right, top left, top right
  2. A square: Top left, top right, bottom right, bottom left, top left, top right
  3. The number seven: Top left, top left, top right, top right, bottom left, bottom left

To top it all off, the researchers found that knock codes were rapidly forgotten. 10 percent of the participants had forgotten their selected code by the time the 10-minute study was over. Plus, they’re slower: knock codes took five seconds to input, while a PIN takes four and a half.

Don’t Skip Securing Your Mobile Device

If you’ve made it this far, you’re likely a smartphone user, and as such, your smartphone plays an important part in both your professional and personal life. As you have probably gathered, you can’t afford to short-change any aspect of your security, down to the way you unlock your mobile device.

MSPNetworks can assist you in ensuring your business’ technology is adequate for your purposes, and that it has the necessary protections surrounding it. To learn more about our services, reach out to our team at (516) 403-9001 today.


Four Questions You Need to Ask Yourself About Your Data’s Security

Data security always needs to be considered as one of your most important business priorities. After all, the ramifications of data loss are wide-reaching and severe. To help you ensure that your data security is at the level it needs to be, we’ve put together five questions you need to answer regarding your business’ security preparedness.


“Are my processes based in security?”

Or, in other words: is your work environment designed in such a way that the most secure option is the default? End-to-end security is one thing; incorporating it into a proactive process is quite another. A foundation based upon secure functionality will help lead to better outcomes. Are your users trained to exclusively follow the most secure processes?

If not, this is where you need to start. A company culture steeped in security awareness is one of the best ways to protect your data, simply because it will help to minimize any improvisation that your employees would otherwise attempt. Educate your users properly, and they will turn into one of your biggest security assets.

“How regulated is access to different files?”

On the topic of your employees, how much data is accessible by any given person? There is no reason that one of your salespeople should have access to payroll information, just as your fulfillment division shouldn’t know any payment information beyond whether a bill was paid or not. Securing your data and only enabling access through role-based permissions with private usernames and multiple authentication measures will help shore up your risks. Remember, these permissions and access controls should be audited regularly to ensure that the data they protect remains on a need-to-know basis.

“Is my data encrypted?”

Or, as this question reads after being encrypted on a random website:

“?b64b0EbdbZMVy0aghJaLO+x2ic7F02JurazKFq4r6dv0y7RpMWaNL00qDWW1nQ39vgmELHKNtUl42u0iIhoc4AM1w==?64b”

Of course, without the decryption key, you can only assume that I’m being honest, which is kind of the point. Making sure that your data is encrypted can protect its contents should it be stolen. This means that you will want to be sure that the answer to this question is…

“?b64LQwXhsseeRhWY0MptIJLxsV4NyLYoBpSAzcypRZMD7BEQmmnDgbB4I6ks8ujGmza?64b”

…or, decrypted: “It sure is!”

The topic of encryption is far too complex to go into here in any detail. If you’d like to learn more about encryption and how it can help protect your business’ sensitive data, call us and ask one of our technicians to explain it to you (or to help you implement it)!

“Have I tested my security measures?”

Once your security measures are implemented, your job is far from done. To ensure that they remain effective, they must be stress-tested and evaluated under controlled conditions. What assets are the most important to protect, and what threats are they most in danger of succumbing to? How likely are these threats to come into play, and how are you vulnerable to them?

Establishing these benchmarks will give you greater insights into the weaknesses inherent in your processes and how they can be remedied.

MSPNetworks can help you find these insights and put the best solutions in place in response. To learn more about this process, reach out to our professionals at (516) 403-9001.


You Shouldn’t Slow Your Cybersecurity Spending

COVID-19 has changed the way that most business owners look at a dollar. For months, businesses have been making strategic budget cuts to try to stay afloat. Cybersecurity has been the ultimate growth industry over the past several years, but in the face of the pandemic, the market for these products and services is seeing substantial retraction. In fact, Gartner estimates that in 2020, the cybersecurity industry will shrink by almost $7 billion. Today, we’ll take a look at the cybersecurity market and why it is important not to slow your cybersecurity spending if you can help it.


The Cybersecurity Market

As more people lean on technology, the cybersecurity industry has been a major beneficiary. The cybersecurity market was estimated to hit $170 billion in 2020 with the United States and Europe making up for nearly 70 percent of all spending in the area. The areas that have seen the most growth recently are the SIEM/security analytics market, threat intelligence, mobile security, and cloud security. In fact, cloud security has seen a 50 percent increase since 2016. 

Why is all this necessary? Simple. Cyberattacks evolve as fast as (or faster than) the security systems in place to thwart them. This has led to massive growth for the better part of the past decade. Since cyberattacks cost businesses nearly $500 billion a year, the large market growth is justified. New sectors like FinTech have pushed cybersecurity companies to innovate faster than ever.  

The COVID-19 Effect

The era of ridiculous cybersecurity spending was on its way out already, with business owners and decision makers finding that the return on their security investments wasn’t strong enough to facilitate limitless spending initiatives. What nobody who works in cybersecurity saw coming was a global pandemic that would force CIOs to cut into their cybersecurity budgets.

That’s not to say that businesses weren’t heavily investing in cybersecurity. They absolutely were, and are, but when the only metric to compare it against is a full-fledged data breach, notoriously optimistic executives see the value in spending that money on other things; and, make no mistake about it, until something terrible happens, they will look correct in appropriating those funds from cybersecurity to some other use.

Cybersecurity is the Last Technology You Should Cut

Without strong cybersecurity protections, your business has an even smaller chance to survive an already risky situation. It doesn’t take much for an attack or breach to put a healthy business out of commission, cause layoffs, or at the very least, put financial strain on an organization. If it were to happen now, it would sting even more.

Let’s talk about your cybersecurity, and how to get the most protection for what you have. Give us a call at (516) 403-9001.


How to Avoid Becoming the Next Data Security Cautionary Tale

Data security isn’t a matter to be taken lightly, as too many businesses have found out the hard way. Unfortunately, there are far too many simple ways to correct common security issues - enough that it’s foolish not to do so. We’ll review a few ways to fix security issues, after discussing one of, if not the, most egregious security failings in modern history.


The Equifax Problem

Sometime between May and July of 2017, the credit-reporting giant Equifax suffered a massive data breach that, as of this writing, exposed 148.1 million records containing the personally identifiable information of their customers. In other words, this breach exposed the data of almost half of the population of the United States of America.

In the aftermath of the Equifax data breach scandal, former CEO Richard Smith was cross-examined by Congress. Upon hearing Smith’s defense of “human and technology errors,” Chairman of the House Energy and Commerce Committee Greg Walden quipped, “I don’t think that we can pass a law that fixes stupid.”

How to Fix Your Business’ Security

While Walden may be correct that stupid can’t be fixed by legislation, it may be able to be mitigated through the faithful enforcement of certain standards and practices. These standards should be enforced both on an organizational level, and on a case-by-case, personal basis.

First, let’s review what you should enforce in your organization:

  1. Compliance should be the baseline - Unfortunately, compliance with regulations often does not equal true data security. Instead of looking at compliance as being the ultimate goal for your business, consider it the first step to your business security strategy.
  2. Vulnerabilities need to be promptly remediated - It is astounding that so many exploits rely on known vulnerabilities… a full 99 percent of them. Furthermore, other attack vectors often utilize vulnerabilities that are half a year old at least. Patching these vulnerabilities as soon as possible will help cut down on threats to your business’ data and infrastructure.
  3. Data security needs to be centralized, organized, and assigned - While security should be a shared responsibility throughout the company, there also needs to be someone taking the lead and accepting responsibility for ensuring that data is properly distributed in a secure fashion. Part of this responsibility should be to implement access controls, ensuring that the data can spread only to whoever needs it and no one else.

Encouraging Your Employees’ Security

Of course, your employees are largely in control of how secure your company remains. This could be a bad thing, unless they are also held to certain best practices that keep data, and the accounts that can access it, secure. There are a few basic rules you can enforce among your staff to help encourage them to act securely.

  1. Lazy credential habits - There are a variety of behaviors to adopt that can better protect the accounts and solutions that your employees have. First of all, the classic password problem: reusing the same password for every account. If one or more of your employees does this, each one is essentially creating a master key that someone could use to access everything in their life, including your data. Neglecting to set a passcode of some sort for a mobile device can cause the same issue. An effective way to remedy this kind of behavior is to utilize a password management system. That way, your employee can reduce the number of passwords they have to remember, without sacrificing security.
  2. Oversharing - While you can’t necessarily control what your employees do in their off-hours, you should reinforce how easily a cybercriminal could piece together their passwords through some examination of their social media, especially if they subscribe to the lazy credential habits we just reviewed. See if they’ll avoid sharing personal anecdotes or information without first restricting the audience that can see that particular post. At the very least, they should have their social media accounts set so that only their approved friends can see their content. Furthermore, do your best to avoid oversharing from the office. Images can easily show confidential information if you aren’t careful, by accidentally capturing an invoice or your customer relationship management solution pulled up on a screen in the picture. Review what you are about to post before taking the image and before you share it online. 
  3. Using the wrong Wi-Fi - While public Wi-Fi connections may be convenient, you should remind your employees that this convenience comes at a price: the security of public Wi-Fi is suspect at best. They should be warned against doing anything especially important over a public Wi-Fi signal, like banking or checking their email.

Data security is a critically important consideration, in part because there are so many ways that it can be undermined. We have some solutions to offer that can help keep your business secure (despite what may sometimes seem to be your employees’ best efforts). Reach out to MSPNetworks at (516) 403-9001 today!


Knowing, and Planning For, Your Organization’s Compliance Burden

Despite what detractors say, regulations are in place for good reason. They typically protect individuals from organizational malfeasance. Many of these regulations are actual laws passed by a governing body and cover the entire spectrum of the issue, not just the data involved. The ones that have data protection regulations written into them mostly deal with the handling and protection of sensitive information. For organizations that work in industries covered by these regulations there are very visible costs that go into compliance. Today, we look at the costs incurred by these organizations as a result of these regulations, and how to ascertain how they affect your business.


Today’s world is driven by data. As a result, information systems have to be secured. That really is the bottom line. Business is all about relationships and without proper security protocols in place, there are some very serious situations that could completely decimate the relationships you’ve worked so hard to forge. While today’s hackers have a lot of different ways to breach an organization’s network, data breaches that occur as a result of lax security are unforgivable from a customer standpoint. Some organizations can spend more on security than others, but with the landscape as it is today, it has to be a priority, no matter your IT budget.

Here are some of the regulations all business owners and IT administrators should know:

  • GDPR: The European Union’s General Data Protection Regulation is as comprehensive a data protection law as there is. Its aim is to protect the citizens of EU-member countries from data breaches. The GDPR applies to every organization that processes personal information of people residing in the EU.
  • GPG13: Known as the Good Practice Guide 13, it is the U.K.’s general data protection regulation for organizations that do business in the U.K.
  • HIPAA: The Health Insurance Portability and Accountability Act puts several guidelines on how patients’ data is shared and disseminated by insurers and health maintenance organizations.
  • SOx: The Sarbanes-Oxley Act requires corporate records to be kept for seven years to ensure that there is transparency in the accounting. For IT this means being able to have access to data to run reports when called upon.
  • PCI-DSS: The Payment Card Index Data Security Standard is a set of regulations enacted to try and reduce fraud by protecting an individual’s credit card information.

Those are just a few of the regulations business owners and IT administrators have to be cognizant of. For business owners there are several more, like the federal and state tax codes, and the adherence to the Affordable Care Act. All these regulations seem pretty straightforward and necessary until you begin to roll them out for your business. Then they just get expensive. In the first-ever Small Business Regulations Survey conducted by the National Small Business Association, the numbers reported, although not comprehensive by any means, weren’t pretty. To put it frankly, the cost to the small businesses that reported would sink as many or more new businesses.

“The average small-business owner is spending at least $12,000 every year dealing with regulations,” NSBA President Todd McCracken said, “This has real-world implications: more than half of small businesses have held off on hiring a new employee due to regulatory burdens.” The report goes on to state that the average regulatory costs to start a new business venture add up to a whopping $83,019. These figures don’t take into account the dozens of man hours each year spent on these very complex problems. It should be stated that the NSBA has been a long-standing advocate of reducing regulations on small businesses.

Regulators are paid to be skeptical, but overall they are put in place for a purpose, as oversight to ensure sustained adherence to data protection laws. How much can they demand from a small business? The question begs for analysis: to listen to entrepreneurs talk, regulations are unnecessary, but as stated before, these regulations aren’t just implemented willy-nilly. They have empirical evidence of immoral or unethical wrongdoing attached to them. Moreover, it becomes clear that the financial pain these entrepreneurs are in is indefinite, which means that it is highly debatable. The truth is that each scenario needs to be seen in perspective in order to understand just how much certain regulations are costing a business.

One thing is certain: the average small business pays more for its regulatory compliance programs than larger businesses in the same market do. That disparity is a main point of contention for many small business owners, as it directly affects a company's ability to compete. Some studies have seen organizations that have fewer than 20 employees charged nearly 60 percent more than slightly larger businesses. Getting into which regulations are onerous and which are necessary would take an examination of each one in detail, so it’s worth repeating that these regulations were bred out of situations where individuals were hurt, making them an important part of the oversight process.

To Comply or Not To Comply? That Is the Question

Small business owners who have been reprimanded or fined as a result of a lack of regulatory awareness have a tendency to get the message, but if an organization is notoriously noncompliant and has slipped past regulators, there is a tendency for them to stay the course, and that course is filled with nothing good. Many European and multinational corporations are expecting to invest $1 million toward their GDPR compliance. Obviously this figure, despite being higher per user, will be substantially lower for small and mid-sized businesses. The cost, however, remains significant, and while an organization could probably get around it for a bit, when it hits, it could just sink the whole business.

According to Infosecurity Magazine, compliance with GDPR is costing enterprises an average of $5.5 million, which comes in at about a third of the estimated cost of noncompliance, $14.82 million. That’s a lot of cheddar. It stands to reason that if you are going to spend upwards of 10 percent of your yearly IT budget on ensuring your organization is compliant, you should meet the criteria under the regulation. The best way to do that is by finding affordable solutions that won’t take as big of a chunk out of your operational budget every year.

More than the capital, a business that doesn’t adhere to simple IT regulations probably isn’t adhering to other regulations. Would you want to do business with someone that you know won’t do what’s asked of them to protect YOUR data? Disreputable businesses that are looking to gain an edge by not meeting regulations will pay later for not spending now, end of story.

Compliance and Your Business

Finally, we get to your business. How are you going to plan for your compliance burden? The best way is to educate yourself on what exactly your business needs to plan for by looking at the regulatory mandates, sure, but more often by seeking out organizations that have already insulated themselves from the risks associated with noncompliance. This is where a managed IT service provider (MSP) can be a godsend. Since we take security compliance extremely seriously, and deal with multiple businesses that represent several vertical markets, we have the perspective that can provide a clear strategy on how to avoid problems staying compliant.

Moreover, MSPs like MSPNetworks use extremely sophisticated monitoring, management, and reporting software to reduce risk and put our clients in the best position to prepare for any audits or assessments that need to be completed by regulators. Since the regulatory landscape is constantly changing, our IT professionals are in a unique position to serve as both IT administrator and regulatory consultant.

If you are searching for a way to control your compliance situation, look no further than the IT professionals at MSPNetworks. We can deploy our strategies made up from tried and true industry best practices to virtually eliminate any risk your organization would have as a result of compliance concerns. Call us at (516) 403-9001 today to get started.


FBI Warns About Banking Scams

In response to the coronavirus pandemic, many people are avoiding human contact by turning to the Internet and mobile apps. On a national scope, mobile banking alone has seen an increase of 50 percent over just the last few months. In what certainly is no coincidence, the Federal Bureau of Investigation recently put out a warning that identified banking apps as likely targets for hackers.


As was said in the FBI’s announcement:

“As the public increases its use of mobile banking apps, partially due to increased time at home, the FBI anticipates cyber actors will exploit these platforms.”

We recommend that you take a few minutes and read the entire announcement, as it has a lot of information about these threats and quite a few tips that can help protect your mobile banking as well as many other applications.

If you don’t have the chance to go over all of this now, we’ve put together some of the most important tips to abide by if you’re trying to protect yourself and your financial interests.

Use 2FA

2FA, short for Two-Factor Authentication, and often seen nowadays as MFA or Multi-Factor Authentication, is effectively the addition of another identifier to ensure that someone trying to access an account is who they claim to be. Via texting, emailing, or generating a unique code through an application like Google Authenticator, Authy, Duo, or LastPass Authenticator, a user is given the key to open the additional lock on their accounts.

Any account you use should be protected by 2FA/MFA, especially those that deal with your finances or other sensitive information.


Be Smart About Your Passwords

Make sure that any passwords you use are sufficiently secure for your purposes. Rather than using common phrases or easy-to-guess combinations, like your birthday or a pet’s name, use a unique string of characters, numbers, and symbols for each account, or a passphrase consisting of unrelated words.

If You Aren’t Sure, Don’t Click on It

In what is probably the best piece of advice you can give someone who does business online in 2020, if you don’t know who sent it or where it will take you, don’t click on it. In fact, if you aren’t 100 percent sure about something, don’t click on it. Chances are your bank has a mobile app. Download that one from a reputable app store. They may have the link on their website, but if it doesn’t take you to the Google Play Store or the Apple App Store, don’t click on any link. Your bank has spent significant resources to make sure that their app has the security needed, so don’t risk using any other app.

Contact the Bank if You Have Questions

Confirming that it was your bank that sent you information, or that their app isn’t working properly at the moment, won’t take more than a simple phone call. Go to their official website and get the customer assistance number.

We’re really glad the FBI covered this tip too, as it’s often glossed over. If you have any suspicion that something is strange or not working correctly, just call your bank. Go to their official website, or use the number on the back of your card or from a statement. You don’t want to be fooled into making a mistake that puts your finances in the crosshairs of hackers or scammers. Your bank will never ask you for your name or password over the phone, so never give that information out. 

Keep your money out of the hands of cybercriminals by being vigilant and understanding the signs of a scam. If you would like any more information about keeping your finances secure, call the IT security professionals at MSPNetworks today at (516) 403-9001. 


Alert: Hackers Target Mobile Banking Apps, Warns FBI

More people than ever are utilizing the conveniences of the Internet and mobile apps to avoid unnecessary human contact during the coronavirus pandemic. In fact, mobile banking alone has increased by 50 percent over the last few months, nationwide. In a recent PSA, the FBI warned that hackers are likely to be targeting mobile banking apps.


According to the FBI’s public service announcement:

“As the public increases its use of mobile banking apps, partially due to increased time at home, the FBI anticipates cyber actors will exploit these platforms.”

The PSA is definitely worth a read, and includes some good tips and potential threats that are out there. It’s worth noting that many of the tips apply to a lot more than just mobile banking.

If you are in a rush, here are some of the best tips to take away from it to protect yourself.

Utilize 2-Factor Authentication

You’ll see this called 2-Factor Authentication, Multi-Factor Authentication, 2FA, or MFA. That’s where a website or service will email or text you a little code to log you in. Some services will utilize an authentication application, such as Google Authenticator, Authy, Duo, or LastPass Authenticator. Using an authentication app is definitely a safer way to go, as they are harder to spoof than email and text, but anything is better than nothing.

You should always set up 2-Factor Authentication on any account you have, especially if it deals with sensitive information or your money.

Always Have Good Password Hygiene

Use strong passwords that contain lower and uppercase letters, numbers, and symbols. Your passwords should always be unique and not be used for multiple accounts, and your passwords should never contain information that could be guessed like your name, birthdays, your pets, and so forth.

If Something Seems Fishy, Don’t Install It

Never install something you aren’t 100 percent sure about. If your bank has a mobile app, be sure to download their official app, which they should have linked in their website. Avoid installing a mobile banking app that is sent to you via email or text message, because there is a chance that it could be bogus. 

When In Doubt, Call the Bank

We’re really glad the FBI covered this tip too, as it’s often glossed over. If you have any suspicion that something is strange or not working correctly, just call your bank. Go to their official website, or use the number on the back of your card or from a statement. 

If you accidentally called the number from the banking app, and that phone call seems suspicious, immediately hang up and be sure you use the number from their official website. If the hackers were clever enough to get you to download a fake banking app, they could easily have a fake support number to get you to call and submit your credentials. Your bank will never need your username and password over the phone.

All in all, be ever vigilant, because cybercriminals want to take advantage of the chaos to grift people out of their money. Don’t let them!

If you need help locking down your business and protecting your staff from cyberthreats, give MSPNetworks a call at (516) 403-9001 today!


Not All Threats are External

As much as a business relies on its technology, it relies just as much upon its employees to properly put that technology to use. Unfortunately, this can very easily expose the business to various threats that involve their employees. Understanding these insider threats is crucial for a business, especially given how current events may tempt those who would never have considered them otherwise.


Let’s review what constitutes an insider threat, and why they are now a bigger potential problem than ever.

What is an Insider Threat?

An insider threat is precisely what the term implies: a threat to your business that is sourced from one of your in-the-know employees. While this makes it sound as though we are referring to an embezzler or corporate spy (which can be the case), it also applies to any employees whose actions inadvertently compromise your business’ data, security, and other property. So, when you are working to prevent insider threats, you need to focus on a variety of fronts.

There are many reasons that these kinds of threats can arise, especially with the current issues that businesses everywhere are struggling with.

Technical Shifts

Given the fact that a pandemic has closed many workplaces, a huge number of businesses of every size have needed to adjust drastically to sustain their operations however they can. For many, this meant rotating to a virtualized environment for remote work.

Of course, putting it this way makes it sound far easier than it is. Not only have many organizations suddenly been tasked with adopting an entirely new means of accomplishing their goals, many of these changes require adjustments to enable remote work at all. When all of this is considered, there is generally some trade-off between capability and security.

Emotional Distress

There is no denying that the last few months have been a challenging time for everyone. Stresses have been high, and without the recreational activities that many would normally turn to as a means of relieving some of this stress, many people will consider actions that they otherwise wouldn’t. With rising anxiety comes less forethought, and always-present thoughts of economic challenges and potential unemployment can tempt even the most trustworthy employee into considering alternatives like fraud and theft.

Organizational Adjustments

Every successful business has struck a balance between its progressive operations and the appropriate level of security it needs. If security were sacrificed, the business’ operations would be undermined, but if security becomes too oppressive, the business wouldn’t be able to function well enough to support itself. As a result, businesses must find a middle ground, of sorts, that positions them in the best possible circumstances.

Typical Behaviors Associated with Insider Threats

Of course, insider threats can be an issue in the best of times, as well. It doesn’t necessarily take the changes brought on by a pandemic to sour an employee’s opinion of a company, and data has shown that about 60 percent of insider threats involve data being taken as an employee prepares to leave a company—particularly if that employee had a role in preparing that data. Most who do this use email, while fewer numbers use cloud storage, data downloads, and removable storage media, respectively.

These flight risks can be spotted, however, with a little bit of diligence. For instance, if an employee is spending time on job search websites with no work-related reason to do so, you should be concerned, as you should if they are accessing data from a strange place or granting themselves more privileges than their responsibilities require.

Insider threats are certainly a problem, but many potential ones can be fixed proactively. It is important to remember that not all of them will be intentional attacks to your business. Very often, it is more of a matter of an employee inadvertently compromising your security in the attempt to do their job—emailing themselves a file to work on it after hours, for instance. Employees who are operating remotely may be reverting to old security habits as they are out of the work environment. Regardless, you need to do whatever you can to minimize the threats your business and its data face from those closest to it.
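The warning signs named in this section (attachments mailed to a personal address, access from a strange place, self-granted privileges) can be checked against audit logs. The following is an added example, not part of the original post; the event fields, the `example.com` domain, the directory and the two-indicator escalation threshold are all assumptions, and the events are constructed.

```python
CORP_DOMAIN = "example.com"  # assumption: the organization's own mail domain

# Constructed staff directory and audit events (already parsed into dicts).
DIRECTORY = {"jdoe": "Jane Doe", "asmith": "Alan Smith", "itadmin": "IT Admin"}
EVENTS = [
    {"ts": "2020-06-01T09:02", "type": "file_access", "user": "asmith", "country": "US"},
    {"ts": "2020-06-01T09:10", "type": "file_access", "user": "jdoe", "country": "US"},
    {"ts": "2020-06-02T18:40", "type": "mail_sent", "user": "jdoe",
     "to": "jane.doe84@mail.example.net", "attachments": 3},
    {"ts": "2020-06-02T18:45", "type": "mail_sent", "user": "asmith",
     "to": "billing@vendor.example.org", "attachments": 1},
    {"ts": "2020-06-03T02:15", "type": "file_access", "user": "jdoe", "country": "CA"},
    {"ts": "2020-06-03T02:20", "type": "role_grant", "user": "jdoe",
     "target": "jdoe", "role": "finance-admin"},
    {"ts": "2020-06-03T10:00", "type": "role_grant", "user": "itadmin",
     "target": "asmith", "role": "hr-read"},
    {"ts": "2020-06-04T17:55", "type": "mail_sent", "user": "asmith",
     "to": "alan.smith@mail.example.net", "attachments": 1},
]


def is_personal_copy(user, recipient):
    """External recipient whose mailbox name contains the sender's surname."""
    local, _, domain = recipient.lower().partition("@")
    internal = domain == CORP_DOMAIN or domain.endswith("." + CORP_DOMAIN)
    name = DIRECTORY.get(user, "")
    surname = name.split()[-1].lower() if name else ""
    return not internal and bool(surname) and surname in local


def findings(events):
    """Return (timestamp, user, indicator) for each event matching a rule."""
    seen = {}  # user -> countries already observed; first sighting is baseline
    out = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        user = e["user"]
        if e["type"] == "role_grant" and e["target"] == user:
            out.append((e["ts"], user, "self_granted_privilege"))
        elif (e["type"] == "mail_sent" and e["attachments"] > 0
              and is_personal_copy(user, e["to"])):
            out.append((e["ts"], user, "attachment_to_personal_address"))
        elif e["type"] == "file_access":
            known = seen.setdefault(user, set())
            if known and e["country"] not in known:
                out.append((e["ts"], user, "access_from_new_country"))
            known.add(e["country"])
    return out


def escalate(found, threshold=2):
    """Users showing at least `threshold` distinct indicators."""
    per_user = {}
    for _, user, rule in found:
        per_user.setdefault(user, set()).add(rule)
    return sorted(u for u, rules in per_user.items() if len(rules) >= threshold)


if __name__ == "__main__":
    for row in findings(EVENTS):
        print(*row)
    print("review first:", escalate(findings(EVENTS)))
```

A single hit, such as `asmith` mailing one file home, is more likely the after-hours habit described above than theft; the threshold keeps that as a coaching conversation and reserves review for users who show several indicators.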

Putting the Kibosh on Insider Threats

Communicate Better with Your Team

Right now, things are pretty scary, and many are doubting their job security. Therefore, it only makes sense that people aren’t taking the most well-thought-out actions or could be tempted to create an insurance policy for themselves. Frequently and clearly communicating with your team will help to make them relatively more comfortable in their given situation, hopefully making them less likely to make rash decisions or act out.

Maintain Relationships

While there may be a time and a place for taking a step back and managing your team from a distance, a pandemic ain’t it. Make sure you double-down on your efforts to evaluate how well your employees can cope under the circumstances and adjust your processes accordingly. This will both give you a closer view of your employees and assist you in reducing the stress that might lead to error otherwise.

Give Your Team the Tools for Success

Finally, to cut down on the challenges that your employees must cope with while bolstering your business’ security, make sure that the team is making the most of the solutions at its disposal. The collaboration solutions now available, paired with modern security measures and implemented with a focus on best practices, will make life easier for your team… something you want when difficulties will increase the chances of an insider threat.

For the tools and resources to help your business put these protections in place—even now—reach out to the professionals at MSPNetworks today.


Is Your Staff Holding Up Their End on Security?

It seems as though every business is depending more and more on their IT. This means that their employees have more exposure to their IT systems. Unfortunately, that relationship is where the majority of the problems you will have are. The facts are that any business that has built a strong security policy has the solutions in place to keep direct infiltration from happening. Hackers have to find another way.


To make this happen, scammers create and send billions of phishing emails (and other messages) each day. Some of them will inevitably hit your company’s email. Even if you use the built-in firewall, the vast majority of them will be sent to spam. If you’ve outfitted your system with an enterprise spam blocker, your staff will see even fewer. Unfortunately, however, eventually one will make its way into an inbox. Sometimes the person is targeted directly and sometimes it’s just misfortune, but regardless of the variables surrounding these messages, interacting with one will very likely be problematic for your business.

This is why you spend so much time and money developing procedures, training your staff, and testing their aptitude: to be confident that they know what to do if they encounter problematic situations. Sometimes the attacks are very complex, but more often than not, all it takes is decoding, discarding, and reporting a hazardous message for them to be an actual hero. If your staff is highly trained, it will become just another part of their job. That’s the goal.

Of course, that’s not always the case. In fact, in one study, 77 percent of IT professionals feel as though their companies are unprepared to confront today’s most prevalent security challenges. That number has to scare you a little bit. Fortunately for business owners, IT professionals are notoriously pessimistic about the ability of people to make the right choices. The truth is that breaches do happen and they can be separated into three categories: mistakes, negligence, and sabotage. 

If you are going to be a company that is prepared for the threats that are going to come your way, you need to understand the difference. 

Mistakes 

Mistakes happen. They always have and they always will. People who are normally diligent, hardworking, and good at their jobs can make a decision that is simply wrong. As we mentioned earlier, there are literally billions of phishing emails sent per day, and it’s not out of the realm of possibility that you, your best employees, even your IT provider can mistakenly click on a link that opens up Pandora's box. If someone makes a mistake, immediately reports it, and it’s obvious there was no malice behind it, it’s really hard to come down on that individual too harshly. A mistake is a mistake, after all. You will want to retrain that person and test them to ensure that they understand what their responsibilities are, but ultimately isolated incidents should be met with understanding.

Negligence

On the other hand, if an employee continues to make mistakes regularly, it’s probably a matter of negligence. Obviously, negligent behavior shows that the employee is ambivalent to the rules set forth by the decision makers and is a problem when it comes to organizational network security. An employee that doesn’t take his/her training seriously probably isn’t taking many other aspects of his/her job seriously, either. Negligence is the cause of a majority of the cybersecurity problems that businesses are forced to confront, and cannot be allowed to undermine the organization.

Sabotage

Sometimes work relationships fail. There are a plethora of reasons why this happens, but most people have run into problems with a coworker, direct supervisor, or employer at some point in their work history. Sometimes the relationship gets so tainted that one party will look to undermine the other. Sabotage is when a current or former employee deliberately undermines the continuity of a business. Sabotage is criminal and purposeful. It can be something as simple as deleting files from a project or smashing company property, and it can be as complex as embezzlement and selling trade secrets to the competition. Most sabotage happens as a result of a work relationship that has turned sour. Unfortunately, if the saboteur still works for your company, you may not be able to catch him/her before it’s too late, but many of them are disgruntled ex-employees who for whatever reason still have access to company systems. For this reason, it is important that as soon as someone is let go or leaves the company, their access to company resources is eliminated. Someone who knows where things are on your business’ network can really do a number. Avoid that fate by closing that door.
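One way to check that the door really is closed, as an added example that is not part of the original post: compare the HR departure list with an export of accounts from each system. Both CSV layouts, the column names and the sample rows are constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed HR export: who left, and their last working day.
HR_DEPARTURES_CSV = """\
username,last_day
rlee,2020-05-15
mpatel,2020-06-30
"""

# Constructed account export gathered from several systems.
ACCOUNTS_CSV = """\
username,system,enabled,last_login
RLee,vpn,true,2020-06-02
rlee,email,false,2020-05-14
mpatel,email,true,2020-06-20
tnguyen,email,true,2020-06-21
rlee,file-share,true,
"""


def stale_access(hr_csv, accounts_csv, today):
    """List (user, system, reason) for accounts of people who have left.

    "used after departure" means a login was recorded after the last working
    day, even if the account has since been disabled. "still enabled" means
    the account can still be used but shows no login after departure.
    """
    last_day = {
        row["username"].strip().lower(): date.fromisoformat(row["last_day"])
        for row in csv.DictReader(io.StringIO(hr_csv))
    }
    report = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        user = acct["username"].strip().lower()  # systems differ in casing
        left = last_day.get(user)
        if left is None or left >= today:
            continue  # current employee, or last day not yet passed
        raw_login = acct["last_login"].strip()
        last_login = date.fromisoformat(raw_login) if raw_login else None
        if last_login and last_login > left:
            report.append((user, acct["system"], "used after departure"))
        elif acct["enabled"].strip().lower() == "true":
            report.append((user, acct["system"], "still enabled"))
    return report


if __name__ == "__main__":
    for user, system, reason in stale_access(
            HR_DEPARTURES_CSV, ACCOUNTS_CSV, date(2020, 7, 1)):
        print(f"{user:8} {system:12} {reason}")
```

Running it on a schedule against every system that holds its own accounts catches the ones a single directory disable misses.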

Cybersecurity is a complex issue with many facets. Make sure your business has all the resources it needs to protect your digital assets. Call the IT experts at MSPNetworks today at (516) 403-9001 to learn more.
