Turn on 2FA with Microsoft 365

If you’re using Microsoft 365 without two-factor authentication (2FA), you could have a basic security problem. Cybercriminals are taking advantage of a loophole in Microsoft’s Basic Authentication, an outmoded system doesn’t require extra security checks, like a second password or a verification code sent to your phone. Here’s how to harden your system.

Hackers are using a method called “password spray and pray,” where they try common passwords across many accounts, hoping for a match. Security researchers have discovered that a botnet of at least 130,000 infected devices is being used in this attack. The hackers use non-interactive sign-ins, a method commonly used for automated logins between services. Because these logins don’t require human interaction, they often bypass 2FA protections, and many security protocols don’t pay much attention to them.

While Microsoft is phasing out Basic Authentication, it will still be partially active until September 2025. The threat is immediate and serious.

If you have a website, experts urge you to disable Basic Authentication and monitor non-interactive sign-in logs. You should also adopt access policies based on location and device security to restrict logins from unknown locations or requiring extra security steps for an unfamiliar device. Enabling multi-factor authentication (MFA) or certificate-based authentication would require users to verify their identity with a second factor, like a phone code or fingerprint scan. Even if hackers steal a password, they still won’t be able to access the account without this extra verification.

On the user side, eliminate multiple-use passwords. A password manager makes it easy to generate long, unique, complex passwords that are extremely hard to hack. And if a hacker does happen to hit one, it’s highly unlikely they’ll get another one.

If the websites you use require 2FA, we suggest using your password manager to set up a six-digit token through your phone’s authenticator app. With a cell phone, you can use facial recognition or fingerprint for authentication. And there’s still the six-digit code sent to your phone as a text message or an email.

We can help businesses and individual users upgrade or improve their online security. Call us – 973-433-6676 – or email us to talk about your needs.

When Old Technology Meets the Present Day

This is a cautionary tale about how many businesses maintain years and years of data storage. They’ve maintained servers and stored them on disks using RAID 5 technology. It’s a reliable system, but when you need to retrieve data, it can present a lot of costly complexities, as one of our clients recently discovered.

Our client was having trouble retrieving data and asked us to take a look. They gave us a half-dozen or so drives, and our immediate problem was that we couldn’t just pop them into a machine and take a look.

The problem was that our client had a server configured for RAID 5. In technical terms, RAID 5 is a configuration – redundant array of independent disks – that utilizes disk striping with parity. It enables you to distribute data across multiple drives with a parity check. This ensures data integrity even if one drive fails, and the configuration makes fast data retrieval possible.

However, it requires a minimum of three drives to function properly, and you need detailed record keeping to retrieve your data. That’s where the problem comes in. You need to take a Sharpie and identify each RAID 5 drive you have from the oldest to the newest. If you can’t view them in their proper sequence, you can’t retrieve your data.

If you have data on RAID 5 disks, you should consult an IT pro to see if you can dump your data to an external drive. However, it won’t be cheap. The cost can be $250 to $500 per disk to copy data to an external drive. The more disks you have, the harder it can be – unless you absolutely have them in the right sequence. And the process can be more difficult – if not impossible – if a disk is inadvertently fouled.

A better choice is RAID 1, commonly referred to as disk mirroring. Hard disks are kept in sync with one another so that if a disk were to fail, an exact copy remains, ensuring no loss.

In the event of a drive failure, recovery is easy since the duplicate drive can take over immediately. Read performance can be enhanced as data can be read from multiple disks simultaneously. The major drawback is that storage capacity is diminished, which means you’ll need more disks. In our opinion, that could outweigh the drawbacks of RAID 5, which requires more time and resources to rebuild data after a drive failure and can have slower write operations because of the need to update parity information.

We can help you determine which storage need is better for you or help you organize RAID 5 disks for more efficient data retrieval. Call us – 973-433-6676 – or email us to discuss what’s better for you.

Is ‘Zero Trust’ in Your Future?

The words “zero trust” in Zero Trust Network Access (ZTNA) are probably appropriate in a time when it seems like we don’t trust anybody about anything. ZTNA is being touted as a replacement for VPNs (Virtual Private Networks), especially for remote business needs. It could be more effective, but small businesses will need to jump through hoops.

ZTNA is a technology designed to limit who can access a network and where in the network they can go. The limits are important. For example, anyone who can access a Microsoft 365 network as a global administrator can effectively play God; they can do ANYTHING.

The goal of a ZTNA is to keep out false gods. Its proponents tout the following benefits:

  • Invisible infrastructure: ZTNA allows users to access applications without connecting them to the corporate network, thereby eliminating risk to the network.
  • More control and visibility: Managing ZTNA solutions is easy with a centralized admin portal with granular controls. Managers can see everything and create access policies for user groups or individual users.
  • Simpler app segmentation: Because ZTNA isn’t tied to the network, organizations can segment access down to individual applications instead of complex network segmentation.

Proponents further contend ZTNA is faster and more convenient than VPNs, offer better security, and are easier to manage. Gartner, a technology and research consultancy for large corporations and government, predicts its client base will largely phase out VPNs for ZTNA.

If you’re a small business or nonprofit organization that deals with large companies and government agencies, you may need to learn how to live in the world of ZTNA at the very least. If you want to adopt for your own use, you’ll need to answer some risk/reward questions:

  • Do you need a Ft. Knox type of defense system?
  • Are you willing to build new access systems to maintain your current business process?
  • Are you willing to take on the learning-curve risks of implementing a new security system?

There are no cookie-cutter solutions to changing your security measures. Call us – 973-433-6676 – or email us to discuss the specifics of ZTNA, especially if you need to use it to comply with another organization’s directive. We can help you design and implement a plan that minimizes your risk as best as possible.

New Outlook has Mixed Benefits

Classic Outlook has aged like a good wine, but Microsoft is pushing more users to the New Outlook for managing emails, contacts and calendars. Some features are gone from the New Outlook, and some are hidden.

Deciding whether to hang in with the Classic Outlook or go to the New version depends on how you use the app. However, keep in mind that Microsoft is like Lola. What Microsoft wants, Microsoft eventually gets – and at some point, they’ll stop supporting Classic Outlook to force everyone into New Outlook.

Microsoft touts a more minimalist interface for New Outlook that it says is more in line with Windows 11 and AI and handles email, calendars and contacts better. One of the specific benefits is they claim is the use of AI to help you write better emails, but you can turn off the autofill. They also claim New Outlook can let you access your emails – including Gmail, Yahoo, and even your “shopping account” – from one spot on every Windows device. And you can organize your appointments, share availability and events with a click, and ensure time for important people and events.

However, Microsoft took away a number of key functions that they may or may not restore. These include features involving multiple mailbox accounts and ways in which accounts can be shared from SharePoint. Some “take-aways” are scheduled to be restored, and some are still under investigation. The company says it’s looking for user feedback in deciding what to restore and when that might happen.

Quite honestly, we think this hurts Microsoft’s credibility, but it also shows where all major software companies are headed. They will make changes seemingly on a whim without regard to how those changes affect our ability to maximize our production. Features might come back – or they might not.

Together, we need to be flexible in how we use software such as Outlook, but on the other hand, we can force the issue somewhat. We can look specifically at how you use Outlook and determine what Classic features we may be able to recapture some things that were lost or help you find ways to make better use of New Outlook.

As much as we might yearn for the “good old days” of apps like Classic Outlook, it’s likely we’ll all be using New Outlook sooner rather than later. So, let’s get a head start on adapting to it. Call us – 973-433-66765 – or email us to see how you can bridge the Classic and the New to make Outlook work better for you.

Busting the Passkey Myths

Passkeys are replacing mere passwords at a rapid pace, and that may be scary for some people. Passkeys are inherently more secure than passwords. For the most part, they are extremely difficult (we won’t say impossible) to crack, and that’s why you should get more comfortable with using them.

Tech leaders such as Microsoft, Google, and Apple are among those leading the passkey charge because there are nearly 7 million combinations of usernames and passwords on the dark web. When your passwords end up on the dark web, cybercriminals can use them to get into your accounts and steal your private data. That’s why passkey-based authentication is becoming a fast-growing trend. Their main benefits are that they can’t be stolen like passwords, and there’s nothing for you to remember.

Still, myths persist, and Dashlane, the password manager app that we prefer, has its own magnificent seven myths it wants to bust.

  1. If you lose your phone, you can’t access your passkeys. If you have a password manager, your passkeys should sync across all devices – unless you “cheaped out” on a freebie. If you only use a mobile device for your passkey, make sure you store it in your phone’s password app. That will enable you to move them to your new device.
  2. Only Google and Apple currently sync passkeys. Third-party passkey providers like Dashlane use their own cloud infrastructure for syncing, similar to Google and Apple. Microsoft has announced that synced passkeys will be coming to Windows 11 and associated with Microsoft accounts. Google recently indicated that synced passkeys in Google Password Manager will soon be available on both macOS and Windows.
  3. Passkeys send your biometric information over the internet. All verification methods operate solely on your device. No biometric information is sent to the website, only confirmation that verification was successful.
  4. You can change your password but not a passkey. Passkeys can be changed simply by deleting them from the website they’re set up with and re-enrolling a new one. This is because every new passkey is unique, even when multiple passkeys are set up for the same website.
  5. PIN codes are not as secure as passwords. Once a device PIN code is set up, it can only be used on a particular device. That’s a security feature not available with a password.
  6. Using a password manager for your passwords is better than using passkeys. While password managers help, they can’t completely prevent phishing. Passkeys, by contrast, are phishing-resistant by design. Additionally, almost all leading password managers now support passkeys for both secure password storage and the added protection of passkeys.
  7. Passkeys are a way for vendors to lock users into their platforms. The FIDO Alliance has published new standards that will allow password managers to safely and easily export passwords and passkeys.

The myths point to a certain intimidation factor about using passkeys. Our advice is don’t be intimidated. We can help you set up an authentication app, such as Microsoft Authenticator, and other methods, such as biometrics and PIN codes. Call us – 973-433-6676 – or email us to talk about what’s best for you and your organization.

We’re Traveling in January

We’ll be taking the trip of our lifetime, starting Jan. 10, when we head to South Africa, Madagascar, Mauritius and few other stops on the other side of the world. You won’t lose our support while we’re gone, and we’ll have the chance to see how some of Apple’s new communications technologies are working.

Most of our previous travels have been to places with good communications infrastructures, and that’s always enabled us to plan with some certainty how we can serve your needs. We’re still going to serve your needs; we have Apple’s iOS 18 with the ability to communicate via satellite when no Wi-Fi or cellular service is available.

So, we’ll be able to stay in touch with you and our support resources whether we’re on a game reserve or in a jungle or rain forest.

Just to remind all of you, when we are away, it’s best to call our office – 973-433-6676. We have people trained to get the information we need to serve you best by contacting us or going directly to one of our trusted partners. If need be, we can get in touch with you or resolve your issue remotely.

Because the places we will be visiting are 7 to 9 hours ahead of New Jersey, we will be doing our activities while you’re asleep, and our downtime will be during your waking hours.

If you happen to be traveling to some remote areas of the world and have an iPhone 14 or newer, you’ll be able to take advantage of Apple’s new communications technologies. You should be able to send and receive texts, emojis, and Tapbacks over iMessage and SMS. To connect to a satellite, you will need to be outside with a clear view of the sky and horizon. You can learn a lot more by visiting Apple’s support page for messages via satellite.

In the meantime, we have a month until we leave. If you have some issues that need attention or questions about planning future maintenance or the purchase and configuration/installation of new equipment, let’s take care of it as soon as possible. Call us – 973-433-6676 – or email us to discuss your needs.

Microsoft’s Outage Issues

Microsoft outages seem to be a regularly occurring event, and that’s a real problem for all of us as we grow even more dependent on technology. The bad news is that the problem won’t get any better. Here’s a look at the industry’s metrics.

From my old help desk days, we followed the “rule of five-nines.” This meant our goal was to be “up” 99.999 percent of the time. Is it attainable? It sounds like a great marketing goal, but the reality is that no global company with the size and scope of Microsoft – or Google or Amazon or anyone else – can be perfect. It doesn’t matter which company you use; their service depends on the reliability of satellites and cables for connections and the power grid to keep them online. As we use online services more extensively, we can strain the capacities of those resources.

According to ThousandEyes Internet and Cloud Intelligence from Cisco, more than 90 percent of the world’s data centers experience outages. Local ISPs (internet service providers) experience the most outages, trailed by CSPs (cloud service providers). Outages increases are attributed to more demand on their infrastructures.

You’re not going to get any better service by switching the companies you use; they all face the same challenges. And they share some challenges with you, and those will be hard to plan for based on the world’s political and economic environment. This is not a political statement; it’s just a clear-eyed look at potential problems. For example, will there be a rush to order new equipment before possible tariffs go into place? Supply and demand issues ahead of any tariff issues will undoubtedly affect prices and inventories.

What can you do? We’ve discussed many of the steps you can take, so let’s put them in perspective.

  • Be backup savvy. Make sure all the data you and your employees use is backed up frequently in multiple places. In addition to backing up data, have battery backup capability so you can save data and close applications. This is more critical for desktop computers; laptops and phones have batteries.
  • Keep all your software up to date. It’s all related. Up-to-date operating systems and apps perform better, and that performance may be the difference in finishing and saving critical data or losing something that will take a long time to recreate or that might be lost forever.
  • Think about replacing computers and other hardware that’s approaching five years of service time. It’s nearly five years since the COVID-19 pandemic, when a lot of companies and individuals bought new hardware to be able to work effectively from remote locations. Five years is about the effective service life of most equipment, and your equipment may be on the same timeline as many other users. Our vendors and distributors have told us to expect shortages just for this reason.

We can help you set up a plan to replace your aging hardware and make sure all the systems you keep have the best prospects of making it through the next year or so. Call us – 973-433-6676 – or email us to discuss your needs.

Windows 10 ‘Support’

We’ve been talking about this for a while. Microsoft will end its support for its workhorse Windows 10 operating system next October. The good news is that the company will provide security patches and bug fixes until October 2026. The bad news is that it will cost you $30 per device. The worse news is that we don’t know how long that support will last – and you won’t get any performance enhancements. Right now, it’s a matter of kicking the can down the road.

The can is called Microsoft’s Extended Security Updates (ESU) Program, and enrollment will open near the end of the current Windows 10 support program in October 2025. It will only cover security updates, and its effectiveness will be limited by Windows 10’s limitations. This is Microsoft’s way of giving in to customer demands to keep Windows 10 alive – at least for now. Older computers can run Windows 10 but may not work with Windows 11.

Thirty bucks a device sounds cheap enough until you look at what you get for your money – and what you don’t get.

The ESUs are just for security updates. You don’t get any new capabilities, performance improvements, or bug fixes that come with the newer software versions. Then, you need to worry about other limitations and risks.

  • You’re still vulnerable to other types of threats, like zero-day exploits or advanced persistent threats.
  • ESUs don’t guarantee compatibility with other software or hardware. Your outdated systems may not work properly with newer applications or devices, leading to productivity and security issues.
  • ESUs can create a false sense of security. Just because you’re getting security patches doesn’t mean your systems are fully protected. Hackers are consistently discovering new ways to exploit vulnerabilities, and outdated software is an easy mark.
  • ESUs can slow down your business and hinder your business growth. Companies get complacent with ESUs, and before they know it, they’re years behind on their technology and struggling to keep up with their competitors.
  • There are no guarantees that Microsoft will continue ESUs or that they will hold the price.

At some point, you may have no other choice than to buy new computers and move to Windows 11. But Microsoft’s ESU for Windows 10 could buy you some time – or let you procrastinate longer. Either way, it’s kicking a bigger, heavier can down the road. Don’t stub your toes. Call us – 973-433-6676 – or email us to discuss your technology footwork.

Dumpster Diving – Email Style

We get overloaded with email and tend to let it just sit in our inboxes. When you max out your storage space, which is the equivalent of an electronic dumpster, you can create problems that are time-consuming and costly to fix.

Email overload became a vexing problem for a client who had 160,000 messages in their inbox, which Outlook limits to 50 GB. They wanted to delete some messages and keep some, but there were just too many messages to go through individually.

We decided the most practical course of action would be to delete all the messages except for those from the last three months. But that solution created other problems. There are limits on how much email you can simply delete. There’s also an issue of how Outlook handles deleted files: they just don’t go to an electronic landfill. They can go to recoverable folders, where they stay for 30 days before going to the “landfill.”

You can delete a large number of files by going to your Outlook online instead of your Outlook mail client. That’s what we had to do, but the process took hours. You can prevent the problem by just paying more attention to your inbox management. Try some of these measures:

  • Delete unwanted/unneeded email as you go. New Outlook’s default lists your messages on the left, and the preview pane on the right shows you the content. As long as you don’t open the email, it won’t harm your system. You can simply click on the trash can in the list to delete the message.
  • Set up subfolders within each account. Within each account, you can set up subfolders and drag-and-drop file messages there. That keeps them out of the dumpster.
  • Empty deleted emails on a regular basis. Whether you do it daily, weekly or biweekly, empty your deleted emails as a routine task. If you have Outlook on your mobile devices, you can delete unnecessary emails without needing your computer. I make deleting emails from my phone a regular task while traveling.

If you need to empty an electronic dumpster, we can help you set up and manage the process. If you need to institute a system to manage email across multiple accounts and users, we can help you determine rules that meet your needs and implement a program. Call us – 973-433-6676 – or email us to talk about it.

Cybersecurity Climate Only Getting Worse

The heat is rising fast in the cybersecurity world. At a recent conference in Phoenix, AZ, we saw how the industry’s top hackers and defense experts team up to fight an ever-increasing number of invasion attempts from bad actors around the world. Visiting a cybersecurity war room really opened our eyes.

We were ushered into a huge room, full of screens that hackers and defenders used to monitor traffic. This link, which shows the origins of constant firewall attacks from all around the world, made a huge impression on me. The attacks were detected because they had an invalid format or invalid character. It meant that the hackers probably forgot to change the language they were using to launch the attack.

My takeaway is that if hackers get smarter or pay more attention to details, they can become more lethal. They can use AI (artificial intelligence) to eliminate the need to know English, and that’s scary. For example, as we saw, they can use Chat GPT to create malware with a specific task. It’s only going to get worse as we hit the holiday shopping season.

Helping a client deal with an email hack brought home all the dangers. They thought they had an email hack, which resulted in emails going to their contacts under the guise of coming from them about file sharing in Dropbox. They thought they had it fixed, but the same problem cropped up two weeks later. It had a link to click (always a danger sign when the recipient “trusts” the sender).

As we got into the process of fixing the hack, it involved an apple.com account with a reference to Dropbox. Our efforts were hampered by the difficulty we had getting into accounts to verify that the hackers were using Dropbox to launch bogus email.

Our client could have just ignored the problem, or they could have sent an email to their entire contact list to warn them not to open emails with the Dropbox reference. But my preference and theirs was to get to the root of the problem. You have to know where all the dots and connections are so that you can get ahead of the hackers and shut them out.

We can help you stay secure by auditing your cybersecurity practices and implementing programs to strengthen your defenses. Call us – 973-433-6676 – or email us to discuss your cybersecurity and gain more peace of mind.