Not All Cloud Storage is a Backup

We tend to use the terms data storage and data backup interchangeably. It can be a costly mistake.

Cloud storage is all about easy access to files. It’s not only your access, but also collaborative access that allows teams of people to work on projects together without the need to email various versions. Cloud storage services such as Microsoft OneDrive, Google Drive, and Dropbox allow team members to be online at the same time and see changes to files in real time. They also allow a single user to access files from anywhere in the world with an internet connection.

Stored files typically are not encrypted or protected with any special technology, and that makes them vulnerable to theft and ransomware attacks. If just one team member has lax security, such as an easily cracked password or uses an unsecured public network, all those stored files are exposed. Further, it could open someone up to SIM swapping.

How should you store your data? We like Microsoft’s Conditional Access, an access management solution that enforces security policies by bringing together real-time signals from users, devices, locations, and applications to block, allow, or require additional verification steps to access resources.

It works on a granular level. For example, you can limit the countries from which someone can log into your system. You can limit IP addresses. Steps like these can provide extremely useful insurance against worldwide hacker organizations that take advantage of local weaknesses in our global networks.

Installing and configuring the right access limits for your needs is not something you should attempt by yourself. There are myriad variables to the conditions that limit access, and if you make a mistake, you could lock out access to people who need it. If that happens, you’ll need an IT professional to undo the problems and reconfigure your system.
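
One way to check location limits like these before enforcing them, as an added example that is not from the original article: replay past sign-ins against the proposed rules and list who would have been blocked (Conditional Access offers a report-only mode for the same purpose). The policy, account names, and sign-in records are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Hypothetical policy; every name and value is constructed for illustration.
POLICY = {
    "allowed_countries": {"US", "CA"},
    "trusted_networks": [ipaddress.ip_network("203.0.113.0/24")],  # office range
    "emergency_accounts": {"emergency-admin@example.com"},         # never blocked
}

# Constructed sign-in history (documentation IP ranges only).
SIGN_INS = [
    {"user": "alice@example.com", "country": "US", "ip": "198.51.100.7"},
    {"user": "bob@example.com", "country": "DE", "ip": "192.0.2.44"},      # travelling
    {"user": "carol@example.com", "country": "GB", "ip": "203.0.113.10"},  # office IP
    {"user": "emergency-admin@example.com", "country": "FR", "ip": "192.0.2.99"},
    {"user": "alice@example.com", "country": "BR", "ip": "198.51.100.200"},
]


def evaluate(sign_in, policy):
    """Return 'allow' or 'block' for one sign-in under the location policy."""
    if sign_in["user"] in policy["emergency_accounts"]:
        return "allow"
    address = ipaddress.ip_address(sign_in["ip"])
    if any(address in network for network in policy["trusted_networks"]):
        return "allow"
    if sign_in["country"] in policy["allowed_countries"]:
        return "allow"
    return "block"


def dry_run(sign_ins, policy):
    """Map each user to the (country, ip) sign-ins the policy would block."""
    blocked = defaultdict(list)
    for sign_in in sign_ins:
        if evaluate(sign_in, policy) == "block":
            blocked[sign_in["user"]].append((sign_in["country"], sign_in["ip"]))
    return dict(blocked)


def lockout_report(sign_ins, policy):
    """Separate users who would lose all access from those with some blocked sign-ins."""
    totals = defaultdict(int)
    for sign_in in sign_ins:
        totals[sign_in["user"]] += 1
    blocked = dry_run(sign_ins, policy)
    locked_out = sorted(u for u, hits in blocked.items() if len(hits) == totals[u])
    review = sorted(u for u in blocked if u not in locked_out)
    return {"locked_out": locked_out, "review": review}


if __name__ == "__main__":
    print(lockout_report(SIGN_INS, POLICY))
```

A user in `locked_out` needs a policy exception or a conversation before enforcement; a user in `review` has a mix of normal and blocked sign-ins, which is either travel or someone else using the account.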

How should you back up your data? The short answer is to use specific backup technology. It makes a copy of files in storage and then encrypts them for protection. In the event of a cyberattack, a system outage or some other disaster, the encrypted files are used to restore the files to your system.

We can help you set up and configure both Microsoft Conditional Access and a backup program to keep you safely up and running. We can also provide the training needed to maintain both systems. Call us – 973-433-6676 – or email us to set up an appointment to design a coordinated plan that best meets your needs.

Secure Your Email

Email continues to be the most vulnerable link in your security chain. Ninety-six percent of all phishing attacks use email, and some three billion emails are launched daily. Phishing can cost businesses $26 billion annually. The more email accounts you have, the more vulnerable you are.

One of our clients had six email accounts, all of them created for a variety of legitimate reasons. The problem is that it meant they had to guard six doors against intruders. That’s worrisome enough, but if you use multiple email clients, such as Outlook and Gmail, you need to deploy your security measures in line with each client.

Google’s Gmail has a particular vulnerability. According to a report from Malwarebytes, Russian hackers were able to bypass Google’s multi-factor authentication (MFA) in Gmail to pull off targeted attacks. They did it by posing as US Department of State officials in advanced social engineering attacks, building a rapport with their target, and then persuading them to create app-specific passwords (app passwords). App passwords are special 16-digit codes that Google generates to allow certain apps or devices to access your Google Account securely, especially when you have MFA enabled.

Outlook faces several significant security challenges, including vulnerabilities that allow for remote code execution, phishing attacks, and the potential for credential theft. These vulnerabilities can lead to data breaches, unauthorized access, and the spread of malware.

Here’s how to strengthen your defenses.

  • Only use app passwords when absolutely necessary. Change to apps and devices that support more secure sign-in methods whenever you can.
  • Authenticator apps, such as Microsoft Authenticator, or hardware security keys (FIDO2/WebAuthn), are more resistant to attacks than SMS-based codes.
  • Stay up to date on phishing attempts. Attackers often bypass MFA by tricking users into revealing credentials or app passwords.
  • Keep an eye on unusual login attempts or suspicious behavior, such as logins from unfamiliar locations or devices. Limit those logins where possible.
  • Regularly update your operating system and the apps you use to patch security vulnerabilities.
  • Enable automatic updates whenever possible so you don’t have to remember them yourself.
  • Use security software that can block malicious domains and recognize scams.

When it comes to SMS-based codes, we want to emphasize one particular vulnerability: SIM swapping. It’s one of the internet security industry’s biggest worries.

It’s undetectable and it works like this:

  • A hacker puts your mobile phone number on a SIM card installed in their own phone.
  • Using their phone, they get your authentication code, which gives them access to a website or email account.

Despite this vulnerability, SMS-based codes are better than nothing. At a recent training seminar, we learned that many people don’t use any kind of 2FA or MFA methods at all. That is totally unacceptable.

We can help you – and your employees and family members – set up better security measures on all apps and devices. Call us – 973-433-6676 – or email us to discuss your needs and develop an action plan.

Be Weather Aware

Here in the Northeast, we’ve learned to take our flights in the morning or as early in the day as possible because storms around the country can affect flights to almost anywhere. Locally but similarly, heat and storms can wreak havoc with our technology systems and our utilities.

The Old Farmer’s Almanac, which sometimes seems more reliable than our local TV meteorologists, predicts a stormy July. Our summers are also getting hotter. That’s the perfect storm for power outages, voltage reductions, and power surges. There’s not much we can do about the first two problems, but we can certainly reduce their effects.

With most of us working between our computers and the cloud, the best strategy would be to give a file a name and save it as soon as you start working on it. That will allow you to turn on AutoSave if you’re working with Microsoft 365 and OneDrive. In Excel and Word, the default AutoSave feature saves your work automatically every few seconds. For older versions or files not saved to these locations, AutoRecover saves a backup copy every 10 minutes by default. If the power goes out after nine minutes from the last time you saved, you’d be mighty upset. So, save early and often.

If a power surge affects your computer’s hard drive, there’s no telling how many files can be salvaged. We have tools to recover data from damaged hard drives, but there are no guarantees. Again, our best advice is to use AutoSave, which gets your data to the cloud in real time.

As a follow-up to saving, use a backup power supply for desktop computers, printers, and your Wi-Fi network. Laptops will automatically switch to battery power when the lights go out, but anything plugged in will stop before a task is completed. Backup power lets you shut down what you’re doing.

When the power comes back on, there’s a risk of a power surge frying electronics. Surge protectors are designed to physically absorb the surge before it gets to a device (which includes anything in an office or home that you plug into a socket). When they work, there’s no way to tell how much energy they absorb. When they fail, you need to pick up the pieces.

Therefore, it makes sense to replace all your surge protectors every three years or – and it also makes sense to replace modems, routers, and mesh network components to keep your Wi-Fi up and running. Newer equipment will give you better insurance against a power surge and improve your overall system performance. When your internet provider increases the speed of their service to your office or home, your system needs to be able to handle it. Newer modems, routers, and mesh network nodes can handle those speeds and give you the performance you’re paying for.

We can help you withstand the summer storms and work more effectively on sunny days by analyzing your system and helping you make necessary upgrades. Call us – 973-433-6676 – or email us for an appointment.

Windows Shades

You wouldn’t believe how many versions there are of Windows 10 and Windows 11. Don’t bother to try to count them. Instead, start making a plan to make sure you have the latest version of each throughout your organization and a plan to update on a regular basis.

Let’s look first at Windows 10. As we all know, Microsoft will end its support of this operating system (OS) in October, but there are ways to keep it going with security updates. You have two options to enroll in the Extended Security Updates (ESU) program for free. That will enable you to receive critical and important security updates from October 15, 2025, through October 13, 2026. You can also enroll through a wizard accessible via notifications and the Settings app.

In order to take advantage of the extended support, you need to know which version of Windows 10 you have on your computer(s) and see if it will be supported. Since its introduction, Microsoft has issued 14 versions of Windows 10, covering office, home, and student versions and updates for each. If you have version 1903 of Windows 10, for example, you won’t be able to receive any updates. To extend your Windows 10 use, you need to have version 22H2.

Depending on your hardware, it may or may not be possible to update your Windows 10 to a version that can work with security updates going forward. To check your Windows version, navigate to Settings > System > About. Under “Windows specifications,” you’ll find the edition and version of your Windows operating system.

Windows 11, by the way, has four versions, with a new one expected this fall.

A key thing to know about Windows – and your app software – is that you used to be able to install newer app software on older versions of Windows. That’s becoming less and less possible. One of our clients learned about that when they couldn’t install a new app their accounting firm had suggested because their Windows version wasn’t compatible.

As we go forward, this is only going to become a more critical issue. Both OS companies, such as Microsoft, and app publishers will need to meet their customers’ need for more speed to process more data and provide the security measures needed to protect critical data.

Don’t wait until your technology system collapses under the weight of more data and faster-moving environments. We can help you by analyzing your current system – both hardware and OS – with an eye toward your future needs. That will help you develop a plan (and a budget) to make changes with minimal disruptions to your business. Call us – 973-433-6676 – or email us to set an appointment to talk about it.

Cybersecurity Keeps Them Awake at Night

“What keeps you awake at night?” That’s a question that seems to come up at many a business networking group when someone begins to offer a solution to a problem they can solve. If you’re a CEO at a major corporation, the answer to that question is: cybersecurity.

Internet systems are more complex, and complexity leads to more risks. It’s become a boardroom issue, and the most concerning part of the problem should be the increased time it takes to find a system intrusion. It now takes 292 days – more than nine months – to discover a breach.

Part of the problem is the size and complexity of large corporate networks. They have thousands of endpoints, and it’s become harder to spot anomalies and deploy patches. While our clients typically don’t have large, sprawling networks, we all interact on the corporate or personal level with large global networks for just about everything we do.

Other parts of the problem are that companies may take too long to investigate the breach, and then they need time to develop a plan to patch it. That time is directly related to the network’s size and complexity. If a company doesn’t have a continuous monitoring plan (yes, it’s hard to believe a large company wouldn’t have one), it also extends the time to discover a breach.

Two other reasons are:

  1. Hackers have better stealth tools to invade a network. Once they’re in undetected, they can take their time to look at all of their victim’s data to see what’s best to monetize.
  2. Hackers can steal login credentials and hang around a system for a long time until they’re detected.

Companies that can detect intrusions in less than 100 days can save $1 million in containment costs. But they may not be as motivated as you are to protect your network and the people they serve.

Here are some things you can do right away:

  1. Make sure you have strong passwords for every account you and your employees and family members have.
  2. Insist on using passkeys or some other form of two-factor authentication (2FA) wherever possible. A good authenticator should be device-specific and tied to a device that’s always with the user.
  3. Make sure all your software (operating systems and apps) and firmware (hardware systems) is up to date.
  4. Have an easily accessible list of your key usernames and passwords for emergency use.

Microsoft is making strides in a couple of areas. The company introduced passkey support across most of its consumer apps a year ago, allowing you to sign into your account without the need for 2FA methods or remembering long passwords. Today, it’s encouraging all new signups to use passkeys as it removes passwords as the default.

Windows Hello allows users to securely sign in to their accounts with their face, fingerprint, or PIN. Today, more than 99 percent of users sign into their Windows devices using Hello. The company reports that 98 percent of passkey attempts to log in are successful; passwords are only 32 percent successful.

To help keep all your software up to date, Microsoft is developing an update orchestration platform designed to unify the updating system for all apps, drivers, and system components on Windows systems. Right now, it’s aimed at developers and IT product teams. The goal is to run an update scan tool that will queue downloads and updates at optimal times. We’ll see if they can actually make it work.

That’s in the future. For the here and now, we recommend you contact us for a security audit. It’s something you should do annually to make sure you’ve taken the four steps we enumerated above. At the very least you can strengthen your own systems before the big guys know they were breached. Call us – 973-433-6676 – or email us for an appointment.

We Need Humanity

My father-in-law recently sent me an article by Frank Bruni from the New York Times. Neither is a tech expert, but they hit the nail squarely on the head when it comes to making technology usable. Our modern conveniences are exhaustingly inconvenient, as the headline read, and “the paradoxes of progress” smack us in the face. A little humanity can be helpful – and sometimes necessary.

We have to say, first off, that technology has given us some highly useful gadgets. The Ring doorbell, just to cite one example, enabled us to monitor and interact with our front door visitors from anywhere. It’s a convenience and a security tool, and early on, it helped us manage deliveries for business. Today, as Frank Bruni writes, it’s so much more. He has relished how it lets him know if a package has arrived, a service provider has shown up or his dog is staying put and behaving in the front yard. But when he got a new phone, the app didn’t accept his password, even though his computer did. It took him two weeks to resolve his problem.

Bruni didn’t say if he tried to contact a human at Ring. You have to scroll all the way to the bottom of its website and go through a few clicks to get a phone number. If you can’t easily speak to a human, you may not get a solution, or you may be exhausted from going through a menu tree. If you have a security issue with your product, the difficulty in reaching a human is intolerable.

But let’s put this into a business situation. More businesses are using the internet to move large sums of money, and some of that is being done by an AI-powered chatbot. Why do they do this? AI is programmed by humans, based on reactions humans have to situations. If you raise an unanticipated question, the chatbot will stumble.

This came up with a client who thought they had been hacked. They were given wiring instructions in an email from someone they had not dealt with before. They were right to question the email. As we pointed out in our previous article, the more complex a network might be, the more risk there is of something going wrong. And cybersecurity is today’s big corporate concern.

Our client really needed a human solution more than a technical solution to verify the wire transfer instructions. When you get an electronic message from someone you don’t recognize, you must take steps to verify its authenticity. Independently from the message, call a person you know at the financial institution or the organization that invoiced you. A person can reassure you. An AI chatbot can’t.

On your side, we can help you set up email handling rules based on senders’ names and subject lines that pertain to invoices you need to pay and payment methods to use. At the very least, it will help you flag and re-examine emails on financial matters and see who you may need to talk to. Call us – 973-433-6676 – or email us to talk about it.

Keep Control of Your Technology

We recently made a sales call to a prospective client that was serviced by a larger IT provider and were shocked by what we saw and heard. They were still using Windows 10 but had switched to a new accounting system on the advice of their accountants. You need to demand better communications and coordination from all your providers to control your technology and your business.

Right up front, I saw Windows 10 as the current operating system as I glanced around their office. I was alarmed that at this late date, it seems that nobody told them that Microsoft is ending its support for Windows 10 in October. Yes, they will most likely be able to buy a one-year subscription to get security patches, but they won’t get any performance updates, and that will really hamper their accounting program.

That’s because their accounting firm suggested they upgrade their 20-year-old accounting software, which they can’t successfully install without upgrading to Windows 11. It seemed like nobody had put the issues together for them.

They are facing basic problems that we see all the time. Without an up-to-date operating system and application software, they won’t be able to move all their files from the old system to the new. They will need to deal with multiple versions of multiple files, and it will be a messy, time-consuming (and money-consuming) task to straighten them out. Finally, and increasingly more important in today’s technological environment, they won’t have the best security available to protect their data. They could risk becoming the weak link in their business chain.

The saddest parts of all this are that their IT provider didn’t seem to have upgraded them as Microsoft moves on from Windows 10 and that their accounting firm didn’t talk to them about having the right technology to handle a system that would make their business more efficient. It’s also sad that neither seemed to be aware of the relationship between technology and app performance. We pride ourselves on being keenly aware of that relationship.

The prospective client felt like they’d been taken advantage of. If you know of a company that seems to be struggling to match its technology to its apps, we’d like to talk to them. And if you think your systems aren’t doing all they can for you, we should talk. We can help you investigate possible solutions, select the one that should best meet your needs and configure it for your operations. Call us – 973-433-6676 – or email us to discuss it – or provide a referral.

The Time to Do the Right Thing

Be honest. How many times do you use a password for multiple websites because you need to remember it? You know that a string of 16 to 20 random characters upsets any pattern a hacker might use to steal a password for one site and maybe get into multiple places.

One of our clients recently told us how they saw the light, and it was a really gratifying conversation for me. He said: “I listened to what you said about passwords, and I did everything. Life is so much simpler now.”

It shocked me because that’s not usually what we hear. I wish more of our clients would get on the bandwagon when it comes to passwords and password managers. I can’t emphasize enough how password managers enable you to have unique, complex passwords for every website you need to access and how easy they are to use. You don’t always get to “stronger” and “simpler” as adjectives for a single concept.

What’s the “stronger” part of password managers? They generate those ideal passwords of 16 to 20 random characters that include upper and lower case letters, numbers and special characters. If everyone in your password chain – the people, companies and institutions you deal with – has a strong, generated password, that should make everyone as hack-proof as you can get. The problem is that the weakest link in the chain is the easy-to-crack password.

The “simpler” part is that you only need to remember one master password. (The hard part is making sure you have access to it in case you do forget it.) Before getting all his passwords into a password manager, our client said he would change a password by adding a number or a character because it was easier to remember. But it wasn’t simple. He would still need to remember what number or character he added to the old one, and maybe he had 50 passwords to remember – or carry around in a list.

A good password manager that can work across multiple devices can cost $50 to $100 a year. We believe that’s relatively cheap for the security you gain and the time you save from trying and retrying passwords or resetting them. The password manager becomes stronger and simpler when you combine it with facial recognition on a mobile phone.

Using a password manager and other forms of authentication will take some getting used to. But it’s worth it to take the time to do the right thing to protect your online security and your sanity.

Call us – 973-433-6676 – or email us if you need help in choosing a password manager and setting up the basics. We can also help you with other ways to authenticate your online access. See our article Pass the Key, Please.

Pass the Key, Please

If you’re sick and tired of managing passwords (see our article Take the Time to Do the Right Thing), take a new look at using passkeys and forget about the hassle. A passkey is a pair of cryptographic keys generated by your device. A public key and a private key combine to create a passkey that unlocks your account. They may take some getting used to, but the security boost will be well worth the effort.

Microsoft is encouraging everyone to use a passkey when they sign up for a new account, and they’re moving away from the default of passwords for all new accounts, allowing you to ditch them altogether. Just as a related side note, when you create a Microsoft account, do not create a local passkey. It will only work on the device you used to create the account, and that will defeat the purpose of being able to sign in from anywhere on any device.

If you remember going to your safe deposit box at the bank, you had one key in your possession, and you got a key from the bank for your visit. This is an electronic variation of the theme.

Microsoft introduced passkey support across most of its consumer apps a year ago, eliminating the need for two-factor authentication (2FA) or passwords. Now, it’s encouraging all new signups to use passkeys as it removes passwords as the default. Websites are increasingly allowing you to use passkeys for secure access.

Passkeys and password managers are able to work together for the most part. Usually, the device or software generating the passkeys uses a biometric authentication tool, such as FaceID or TouchID, to authenticate your identity. If your password manager is the passkey source, you can log in with your master password. Passkeys are unique to each app or website and stored in a password manager’s vault or your device’s keychain. Passkeys can also sync across devices, making them a convenient choice.

There are some holes in the passkey strategy that you should be aware of. The websites themselves can be the source of weakness in the security chain. Security experts say criminals can easily get around a passkey by stealing users’ validated browser cookies using malware.

While that puts an onus on the websites to tighten up their operations, you can help protect yourself better. For example, don’t just accept the website’s data privacy settings when a box pops up on a website. Instead, navigate to the “Cookies” or “User Data” sections and choose the shortest available session duration. That way your cookies will expire automatically or whenever you close your browser window. You can also turn off various marketing and targeting cookies.

Again, passkeys take time to set up, and there’s a learning curve to using them effectively. We believe it’s well worth your time to start using them. Call us – 973-433-6676 – or email us to learn more about passkeys – and how they work with password managers. We can help you select and configure passkeys and password managers together and move you up to the next level of online security.

Read Your Email Before You Open It

Phishers, shmishers and other bad actors on the internet are getting really good at disguising themselves. They’re learning English better, designing their graphics better and even spelling better.

All of this means that you need to start reading your emails more closely before you ever open them. Whether you’re using Microsoft Outlook or Gmail, the attack strategy is the same. We’ve warned for years and years that scammers rely on you being distracted or trying to do too much in too little time.

But now, the hackers are getting better at combining better language and graphics with holes or workarounds they find in website security systems. It’s not a new problem, but it’s becoming more widespread. ZDNet has an extensive article on how it affects Google and Gmail, but the principles are similar for Microsoft and Outlook. You need to take a close look at every email address for incoming email and every address or website link before you click on anything.

In the article, there was an example of how an email looked like a normal Gmail message, and it had links to what realistically looked like a legitimate Google support site. But a closer look revealed that it went to a Google Sites website. Google Sites is a free, web-based platform from Google for creating websites. It’s particularly useful for internal team sites, project hubs, or public-facing websites, and hackers have uses for it, too. A link to a Google Sites website came from no-reply@google.com, which is a legitimate but spoofable email address. The hackers or creators of that site were able to get through some authentication workarounds to bypass safety measures used to stop this sort of attack.

You can see where this is going. One tech industry solution would be to require stronger forms of authentication or more authenticators. But as we’ve said over and over again, you need to take matters into your own hands.

In your email client, you can hover over the address that the email comes from and see who it’s really from. Even if you have opened a particular email, you can slowly and carefully read any email address or website link to see if it raises any suspicions. One thing that should raise a yellow or red flag is an urgent call to action, such as uploading a file or clicking a link to investigate a problem. A Google Sites website will have Google in its URL, and that could be a trap. Not to pick on Google, but any fake site can use a legitimate domain variation to snag you.

Here’s one checklist to help you spot a fraudulent email or website:

  1. Beware of any email that urges immediate action and tells you that you might face negative consequences.
  2. Check the “from” and “to” email addresses. If the “from” domain isn’t the actual company or the “to” recipient is not you, it’s likely a scam.
  3. Avoid clicking on links in the email and look at the context. Would Google send you a legal complaint and direct you to the Google Sites domain? We don’t think so!
  4. Run an online search for the content of the email to see if others have reported it as a scam or received a similar email.
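
The first three checklist items applied to a raw message, as an added example that is not part of the original article: it shows that a genuine-looking "from" address can pass while the recipient and link checks still flag the email. The sample messages, addresses, rule patterns, and function names are constructed; sites.google.com is the only hosting domain taken from the article.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from urllib.parse import urlsplit

# Assumed, tunable rules; adjust them for your own mail flow.
URGENCY = re.compile(
    r"\b(immediately|urgent|action required|suspended|within \d+ (?:hours|days))\b",
    re.I,
)
URL = re.compile(r"https?://[^\s<>\"')]+", re.I)
# Hosts where anyone can publish a page under a well-known brand's domain.
USER_CONTENT_HOSTS = {"sites.google.com"}

# Constructed sample messages.
SUSPICIOUS = """\
From: Google <no-reply@google.com>
To: me@constructed-relay.example
Subject: Security alert: action required

A legal complaint was filed against your account. Review the case
within 24 hours or access will be suspended:
https://sites.google.com/view/constructed-case-0000/home
"""

BENIGN = """\
From: Vendor Billing <billing@vendor.example>
To: pat@example.com
Subject: Your May invoice

Your monthly invoice is ready at https://portal.vendor.example/invoices/constructed-1
"""


def _in_domain(host, domain):
    """True when host is the domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def _text(msg):
    """Concatenate the decoded text parts of a message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def triage(raw_message, my_address, claimed_domain):
    """Return a list of red flags for a message that claims to be from claimed_domain."""
    msg = message_from_string(raw_message)
    body = _text(msg)
    findings = []

    # Item 1: pressure to act right away.
    if URGENCY.search(msg.get("Subject", "") + "\n" + body):
        findings.append("urgent-call-to-action")

    # Item 2: who it is from, and whether it is really addressed to you.
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not _in_domain(from_domain, claimed_domain):
        findings.append("from-domain-mismatch:" + from_domain)
    recipients = {addr.lower() for _, addr in
                  getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}
    if my_address.lower() not in recipients:
        findings.append("not-addressed-to-you")

    # Item 3: where the links actually go (read the host, never fetch the URL).
    for url in URL.findall(body):
        try:
            host = urlsplit(url.rstrip(".,;:")).hostname or ""
        except ValueError:
            host = ""
        if host in USER_CONTENT_HOSTS:
            tag = "user-content-host:" + host
        elif not _in_domain(host, claimed_domain):
            tag = "off-domain-link:" + host
        else:
            continue
        if tag not in findings:
            findings.append(tag)
    return findings


if __name__ == "__main__":
    print(triage(SUSPICIOUS, "pat@example.com", "google.com"))
    print(triage(BENIGN, "pat@example.com", "vendor.example"))
```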

If you think you may have clicked on a malicious website or may have downloaded some malicious software, call us immediately at 973-433-6676. We have tools to see what is on your computer and to remove the malware from your system.