Secure Your Email

Security measures such as encryption and 2FA help make email communications more secure, but they have their own issues for many users and fall short in some ways. Use them wherever you can, but remember that nothing works better than common sense, especially when you click on links in an email.

The majority of breaches of computer systems through email are user-initiated. A user clicks on a link – usually because of carelessness – that results in giving up login credentials for a website or a technology system. Encryption is no protection against a user causing a breach.

Security holes in encrypted email include human error, such as failing to encrypt messages or falling for phishing attacks, reliance on imperfect encryption in transit where servers may not support it, vulnerabilities on the recipient’s device like malware or unsecured devices, and issues with key management, such as weak passwords or lost private keys.

Let’s focus on those last two points. Securely managing and distributing encryption keys is complex. If private keys are lost or stolen, recipients may be unable to access their encrypted messages, and attackers could use stolen keys to decrypt emails. Easily guessed passwords for email accounts can be compromised, allowing attackers to access encrypted emails on a device.

Attackers can also exploit complex email systems by compromising intermediary servers or utilizing features that weaken security. These can include URL redirects to bypass encryption and deliver malicious content.

Instead of adding complexity, it might be better for most organizations to reemphasize some proven basics. One of them is 2FA. As imperfect as it is, 2FA can utilize a device such as a cell phone, which should be in the hands of the user. Yes, it can be defeated, but that happens if a system has already been breached and the attacker has changed the phone number and/or email address of the user.

The other basic is common sense. Don’t click on a link in an email unless you are 10,000 percent certain it’s correct and legitimate. AI is making it harder to detect malicious links, so users must be more vigilant. Don’t be in a rush, especially if you’re juggling several tasks. The safest way to respond to an email with a link or phone number is to open a browser and go to the website of the company. You should be able to find a phone number and maybe a legitimate email address to contact.

We can help you with email security in two ways. One way is to conduct a security audit of your email system to find and patch holes. The other way is to help you set up 2FA systems, including biometrics and authenticator apps. Call us – 973-433-6676 – or email us to discuss your needs and possible solutions.

If You Know All Your Passwords…

If you know all your passwords, your cybersecurity can be breached. Why? Anything that’s easy for you to remember follows a logical pattern that AI is getting better at picking up. A strong password has no logic. You must have a password manager, and you must let it generate a password for each online account.

You all know the drill by now. A strong password combines upper and lower case letters, numbers, and special characters in strings that generally are 12 to 16 characters long. We won’t say it’s impossible for a human being to create and remember 100 or more strong passwords. But it’s highly unlikely.

The best part of a password manager is that you only need to remember one strong master password. The downside is that if you lose or forget the password, you may not be able to access the app, or you’ll need to jump through a lot of hoops to gain access.

AI is making passwords weaker and weaker. Remember that at its core, AI is massive computing power. Anyone who tries to crack passwords can run an untold number of scenarios for as long as they need to crack a code or give up – momentarily. If you have a password that follows some kind of publicly available personal information and/or a pattern, the hacker’s computer will eventually pick it. The computer-generated password from a password manager doesn’t use any of that information, and it’s not readily machine readable.

In addition to giving you a strong password, a password manager does away with any need to reuse a password. There’s a tendency to reuse a password because you can remember it, especially if you fear it may be difficult to access the password manager. This can be true with a smartphone, where you can only view one screen at a time. However, you can copy a password from your password manager app and paste it into your smartphone’s browser.

As you all know, reusing passwords poses a significant risk if a password is cracked at one site. Again, using AI, the hacker can quickly apply the password to every website they know you access, and chances are good that they’ll get a hit and get in.

Just about any top-rated password manager works across all platforms and should give you the option to choose a family/friends subscription for personal use and a corporate subscription. It should be mandatory for everyone in your family and for all employees using corporate online accounts to have and – more important – use the password manager.

We can help you select a password manager that meets your needs and make sure that everyone in the program is properly set up. We can also make sure that everyone knows how to download their passwords and make a hard copy, which protects everyone if they lose or forget their password or if you want to change password managers. Call us – 973-433-6676 – or email us for an appointment.

Cybersecurity Keeps Them Awake at Night

“What keeps you awake at night?” That’s a question that seems to come up at many a business networking group when someone begins to offer a solution to a problem they can solve. If you’re a CEO at a major corporation, the answer to that question is: cybersecurity.

Internet systems are more complex, and complexity leads to more risks. It’s become a boardroom issue, and the most concerning part of the problem should be the increased time it takes to find a system intrusion. It now takes 292 days – more than nine months – to discover a breach.

Part of the problem is the size and complexity of large corporate networks. They have thousands of endpoints, and it’s become harder to spot anomalies and deploy patches. While our clients typically don’t have large, sprawling networks, we all interact on the corporate or personal level with large global networks for just about everything we do.

Other parts of the problem are that companies may take too long to investigate the breach, and then they need time to develop a plan to patch it. That time is directly related to the network’s size and complexity. If a company doesn’t have a continuous monitoring plan (yes, it’s hard to believe a large company wouldn’t have one), it also extends the time to discover a breach.

Two other reasons are:

  1. Hackers have better stealth tools to invade a network. Once they’re in undetected, they can take their time to look at all of their victim’s data to see what’s best to monetize.
  2. Hackers can steal login credentials and hang around a system for a long time until they’re detected.

Companies that can detect intrusions in less than 100 days can save $1 million in containment costs. But they may not be as motivated as you are to protect your network and the people they serve.

Here are some things you can do right away:

  1. Make sure you have strong passwords for every account you and your employees and family members have.
  2. Insist on using passkeys or some other form of two-factor authentication (2FA) wherever possible. A good authenticator should be device-specific and tied to a device that’s always with the user.
  3. Make sure all your software (operating systems and apps) and firmware (hardware systems) is up to date.
  4. Have an easily accessible list of your key usernames and passwords for emergency use.

Microsoft is making strides in a couple of areas. The company introduced passkey support across most of its consumer apps a year ago, allowing you to sign into your account without the need for 2FA methods or remembering long passwords. Today, it’s encouraging all new signups to use passkeys as it removes passwords as the default.

Windows Hello allows users to securely sign in to their accounts with their face, fingerprint, or PIN. Today, more than 99 percent of users sign into their Windows devices using Hello. The company reports that 98 percent of passkey attempts to log in are successful; passwords are only 32 percent successful.

To help keep all your software up to date, Microsoft is developing an update orchestration platform designed to unify the updating system for all apps, drivers, and system components on Windows systems. Right now, it’s aimed at developers and IT product teams. The goal is to run an update scan tool that will queue downloads and updates at optimal times. We’ll see if they can actually make it work.

That’s in the future. For the here and now, we recommend you contact us for a security audit. It’s something you should do annually to make sure you’ve taken the four steps we enumerated above. At the very least you can strengthen your own systems before the big guys know they were breached. Call us – 973-433-6676 – or email us for an appointment.

Cybersecurity Climate Only Getting Worse

The heat is rising fast in the cybersecurity world. At a recent conference in Phoenix, AZ, we saw how the industry’s top hackers and defense experts team up to fight an ever-increasing number of invasion attempts from bad actors around the world. Visiting a cybersecurity war room really opened our eyes.

We were ushered into a huge room, full of screens that hackers and defenders used to monitor traffic. This link, which shows the origins of constant firewall attacks from all around the world, made a huge impression on me. The attacks were detected because they had an invalid format or invalid character. It meant that the hackers probably forgot to change the language they were using to launch the attack.

My takeaway is that if hackers get smarter or pay more attention to details, they can become more lethal. They can use AI (artificial intelligence) to eliminate the need to know English, and that’s scary. For example, as we saw, they can use ChatGPT to create malware with a specific task. It’s only going to get worse as we hit the holiday shopping season.

Helping a client deal with an email hack brought home all the dangers. They thought they had an email hack, which resulted in emails going to their contacts under the guise of coming from them about file sharing in Dropbox. They thought they had it fixed, but the same problem cropped up two weeks later. It had a link to click (always a danger sign when the recipient “trusts” the sender).

As we got into the process of fixing the hack, it involved an apple.com account with a reference to Dropbox. Our efforts were hampered by the difficulty we had getting into accounts to verify that the hackers were using Dropbox to launch bogus email.

Our client could have just ignored the problem, or they could have sent an email to their entire contact list to warn them not to open emails with the Dropbox reference. But my preference and theirs was to get to the root of the problem. You have to know where all the dots and connections are so that you can get ahead of the hackers and shut them out.

We can help you stay secure by auditing your cybersecurity practices and implementing programs to strengthen your defenses. Call us – 973-433-6676 – or email us to discuss your cybersecurity and gain more peace of mind.

New Device, Same You, New Problem

You’re still the same person you always were, but when you get a new device, you’re a different person as far as some login procedures are concerned. You need to get back to basics in setting up account access. It’s a more acute problem as we do more work outside the office.

We recently got a call from a client who had trouble logging into a work system through a VPN with two-factor authentication (2FA). Nobody had changed any of the login information, so it was all baffling until the client mentioned they had a new phone.

Another client called because they couldn’t get into their email. Again, they had a new phone.

These incidents highlight the good and the bad of multiple authentication steps. The good is that they’re based on the device being used to verify the right of the person to access an account. That means a hacker halfway around the world can’t use their computer to get in. The bad is that you have to take the time to reconfigure all your access info. (Hey, we’re really sorry for the inconvenience.)

Because both cases involved clients with new cell phones, we had to invalidate their old cell phones. We registered one client as a new user and registered a new cell phone number for the other. These are essential steps everyone needs to remember to take as you get new devices.

And because all the 2FA steps in common use are tied to devices, it’s a good idea to make sure your devices require some extra steps to unlock them. Many people use a four- or six-digit PIN, and more people are going to biometrics. While nothing is impossible, even if someone knows your online login info and has your device, they can’t access your accounts if they can’t unlock the device.

If you or your employees are getting new devices, we can help you make sure that they have access to email and online accounts and protect them from unauthorized users. The process isn’t difficult, but it does involve diligence to check all the boxes in the setup process. Call us – 973-433-6676 – or email us if you have questions or need help in going through the process.

The 2FA Police

Microsoft is enforcing requirements for 2FA (two-factor authentication) for many of its apps. The good news is that it protects your data better. The bad news is that you must use authenticator codes and messages. It’s time to ensure everyone in your office (or family for home users) is up to speed on using authenticators and other 2FA measures.

Microsoft’s Authenticator App gets downloaded onto your iPhone or Android phone and helps to verify it’s you when you log in to an online account using two-step or two-factor verification. It uses a second step, such as a code sent to your phone, to make it harder for others to break into your account. Two-step verification helps you use your accounts more securely because passwords can be forgotten, stolen, or compromised.

One common way to use the Authenticator app is through 2FA, where one of the factors is your password. After you sign in using your username and password, you can either approve a notification or enter a provided verification code. Options include:

  • Signing in by phone with a version of two-factor verification that lets you sign in without requiring a password. It uses your username and your mobile device with your fingerprint, face, or PIN.
  • Using a code generator for any other accounts that support authenticator apps.
  • Using it with any account that uses 2FA and supports the time-based one-time password (TOTP) standard.

Any organization can require using the Authenticator app to sign in and access its data and documents. Even if your username appears in the app, the account isn’t set up as a verification method until you complete the registration. The entire process can be done more efficiently with a mobile phone that can scan a QR code on a computer screen.

Remember that most authenticator apps still require a password in commercial use, and every user must know their password or risk being locked out. The consequences can be time-consuming and costly – if not fatal. Everyone should write their passwords on a piece of paper and store them in a safe place.

We had a case with a client who used a customized database that was never upgraded for 20 years. A former IT company did the last work on it. Nobody had the password to get into the account housing the database. They suggested calling the programmer, but the programmer had died. Nobody admitted to changing the password at any time. We spent a few hours trying to access the database to no avail. Finally, we called the former IT company, and they had a password for one file.

That was the password that worked, and we were able to perform the necessary work. But we can’t stop thinking about all the time – and money – that was wasted because nobody had a password.

In today’s world of hacking and cybercrime, it will become more and more challenging to try multiple passwords without severe consequences. It’s up to you to ensure that you and key employees have all your necessary passwords and 2FA to protect your data – and to insist that your employees have 2FA set up for their corporate login info.

We can help you ensure you have all the correct authentication and management systems. Call us – 973-433-6676 – or email us to discuss your needs and develop an action plan.