Home Router Vulnerability

Your home router is easily your most essential device for connecting businesses and family members to the world. It’s also the most vulnerable opening for hackers. How vulnerable is your router? One good place to look is Port 7547. If it’s closed on your router, it’s safe – for now. If it’s open, you’re vulnerable.

You can test your router by visiting a blog post from Wordfence, which makes a firewall and malware scanner that protects over 2 million WordPress websites. They also monitor attacks on those sites to determine which IPs are attacking them and blocks them in real-time through a blacklist. They recently published a post showing that 6.7 percent of the hacks they see on WordPress sites comes from hacked home routers. Hacking gives them access to workstations, mobile devices, Wi-Fi cameras, Wi-Fi climate control and any other devices that use the home Wi-Fi network. From there, they can implant malware or viruses in your system, which can lead to all sorts of problems.

Hacking through an open Port 7547 is known as the “misfortune cookie,” or MC. ISPs (internet service providers) use the port to manage home routers, and they should configure their network to prevent access by outsiders. But many do not block the port, leaving you vulnerable. By clicking the Scan Me button on the post, you can find out if it’s open or closed.

If it’s closed, your OK for now. You should check back periodically, however, because your ISP could open it for some reason and then forget to re-block it. If it’s open, Wordfence suggests you immediately reboot your router, which may flush out malware. You can also run a virus scan on all computers and devices in your home and update your operating systems. Almost anyone can take these steps.

You may be able to take the more advanced step of upgrading your router firmware, but in most cases, you can’t. In all cases, you can contact your ISP and let them know there’s a security vulnerability in your home router and ask them to help you fix it. You can specifically mention Port 7547.

If you are unable to take all the steps mentioned above, call us immediately at 973-433-6676. We can help you reboot your router and may be able to help you close the port or upgrade the firmware. Just have your router name and model number handy to help us serve you better. If necessary, we can coach you in dealing with your ISP to resolve this important security issue.

If you want to take preventive action on Port 7547 vulnerabilities, call us – 973-433-6676 – or email us to schedule an appointment. Remember, you are your router’s first line of defense.

Cybersecurity Scorecard

Cybersecurity has dominated our conversation for the past year, and a report from SonicWall, which provides security tools worldwide for networks to email and everything in between, shows where we’re making progress and where new threats lie.

First, the good news. In data gathered in the past year from the SonicWall Global Response Intelligent Defense (GRID) Network, the good guys and the bad guys made advances. The most notable of the advances the company found were:

  • The number of new POS (point of sale – mostly credit and debit cards) malware variants decreased by 88 percent since 2015
  • SSL and TLS encrypted traffic increased 34 percent year-over-year
  • Major exploit kits Angler, Nuclear and Neutrino disappeared
  • Unique malware attack attempts dropped to 7.87 billion from 8.19 billion in 2015

On the other hand:

  • Ransomware attacks grew 167x from 2014 to 2016 to an astounding 638 million attacks during the year
  • SSL/TLS encrypted malware was exploited 72 percent more often in 2016 than in 2015
  • Internet of Things (IoT) devices were compromised to launch record-setting DDoS attacks
  • Despite significant efforts by Google to patch vulnerabilities, Android continued to be exploited by cyber criminals

SonicWall notes that the technology to solve many of the new challenges cyber criminals threw at victims in 2016 already exists.  SSL/TLS traffic can be inspected for encrypted malware by NGFWs (next-generation firewalls), which are hardware- or software-based network security systems that detect and block sophisticated attacks by enforcing security policies at various levels. For any type of new advanced threat like ransomware, it’s important to understand that all network-based solutions should block network traffic until a safe verdict is reached before passing that traffic through to the intended recipient.

In 2017, there are two areas that SonicWall joins us in telling you to be particularly on-guard: ransomware and the Internet of Things (IoT).

Companies in the United Kingdom were 3x more likely to suffer ransomware attacks than in the United States, but don’t breathe easy. The US experienced the highest number of ransomware attacks in 2016 because of large volume of business.  While we as individuals and small businesses depend on companies like SonicWall to provide the tools to detect and stop ransomware, we need to follow strict security procedures – all of which should be well-known to us by now:

  • Install updates for all of your software for operating systems and apps. They contain the security patches and bug fixes that shore up the breaches in your systems.
  • Be extremely careful about the emails you open and the links you click.
  • Back up your data continuously to a system that is either not always online or that uses authentication. This will help ensure that you don’t accidentally revert to an encrypted back up if you’re hit.

The IoT has been massively compromised because of poorly designed security systems by device manufacturers. To protect yourself, SonicWall reminds you to make sure your devices are behind next-generation firewalls that scan for IoT-specific malware and that you segregate IoT devices on a separate zone to make sure they don’t affect the rest of your network if they’re compromised. To that, we add that you immediately change user names and passwords – and that you make those passwords strong. Some 70 percent of IoT breaches worldwide are in the US.

More protection was made available for Android mobile phones and devices, but they still remain vulnerable to overlay attacks. SonicWall recommends that companies using Android devices keep the option to “install applications from unknown sources” unchecked and both options to “verify applications” checked. They also recommend you avoid rooting and that you install anti-virus and other mobile security apps – and that you enable “remote wipe” in case your device is stolen or compromised with ransomware.

If you’re interested in a deeper dive and more technical explanations, we invite you to read SonicWall’s whitepaper on cybersecurity.

We can help you with a cybersecurity audit for your office or home and for all mobile devices. Call us – 973-433-6676 – or email us for an appointment.

Who’s Watching? Internal Software and the IoT

Connected homes. Connected cars. Doing more over the internet. The Internet of Things (IoT) is growing faster and faster. And that begs two questions: 1.) Who’s watching? 2.) How do you pull the shades on prying eyes?

The answer to the first question is unnervingly simple: It could be anyone in the world.

The short answer to the second question is: Shore-up your security.

As I walked around CES (the Consumer Electronics Show) in Las Vegas last month, I looked at all the devices that are connected to the internet. I thought about all the internal software in those devices – and wondered who’s upgrading that software for security?

Software is at the heart of every device in our house that’s connected – usually wirelessly – to the internet. While we continue to encourage you to change the username and password for every device you have, it’s still possible for hackers to use an open “back door” to get inside the internal software for, let’s say, the camera systems inside and outside your house. We all need to make sure that the companies who provide all these great connected devices are updating their software security. It’s no different than the security patches issued by all software publishers.

In the absence of device manufacturers pushing out software updates, you should make it a habit to visit their websites to see if any updates are available for your products – and to download them and install them right away.

It’s also important to know what’s in your house – even if it’s wired. We visited a house that somebody was buying, and we found a mound of wires in the basement. Not only did the new owners not know what all the wires were connected to, the old owner didn’t know about all of them, either. We found the whole house had been hard-wired, and that there was an old security camera system. We connected all the access points in the house to relieve the pressure on the new Wi-Fi system we installed, and we set up the camera system and made sure it was secure. But had we not been there, nobody would have known how everything was supposed to work and if anything had been exposed to a security breach.

Automobiles, by the way, have internal software, too, and you generally need to visit a dealer to have that checked. It has been demonstrated that hackers can break into certain parts of your car’s computer system and affect your car’s operation. While there’s likely not a widespread benefit that makes economic sense for doing this, you could be an isolated, totally random victim of someone who’s just playing around with the idea of hacking a car.

If you have any questions about the security steps you need to take for your devices, gather all the information you can find about the product and call us – 973-433-6676 – or email us with your questions. If need be, we can help you find the correct software updates or get the information you need to ask the right questions when you contact your device manufacturer.

Don’t Wait When Hacked

A client got hacked at 5 p.m. and discovered it at 8 p.m. They waited until the next morning to call us. Our advice to them was to shut down their system. Our advice to you is don’t wait – but please use some common sense. We don’t appreciate calls at 5:30 in the morning because you can’t connect to the internet or get your email, but a hack is a whole other story.

If you think you’ve been hacked, shut down – as in “power off” – your computer or your system immediately. If nothing’s running or connected, nothing more can be taken from you, nor can anyone get deeper into your system. Once you call us, we can examine every part of your system and help you take steps to secure it before you and everyone in your business or home goes back online.

If we’ve learned anything from news reports, no system is immune from attack. But there are a number of steps you can take to make an intrusion more difficult – and for small businesses and homes, they may be enough to deter anyone from making a huge effort to invade your system.

In the case of the client who was hacked, he did not have administrative rights to his computer – and that was a big help in minimizing the damage. Administrative rights give those who have them the authority to make all sorts of changes to a computer or a group of networked computers. In addition to adding and removing programs and managing data files, administrative rights can be used to grant permission to other users to perform all of those actions.

In a small business, it makes sense to give several people administrative rights to keep business flowing smoothly. Even if you have automated systems to take care of certain functions, you may need to give people permission to do certain things. However, you need to pay attention to security to benefit from the convenience of this flexibility. We recommend:

  • Keep the number of people who need administrative rights to a bare minimum.
  • Make sure those people change passwords frequently and that they use strong passwords.
  • Limit permissions to certain functions to prevent a hacker from getting carte blanche to your entire system.
  • Set up separate users and log-in credentials for performing administrative functions and delete them after those functions are performed.

The same recommendations can apply to a home computer or home network, with the requirement that children and seniors should not have the ability to install or remove programs.

We also can repeat steps we’ve suggested before:

  • Do not use any simple usernames and passwords for any piece of equipment that is connected to the internet. Every device has a default name and password, and hackers know them all.
  • Use strong passwords and change them often. Strong passwords are usually complex passwords. Hackers have software to figure out certain patterns of numbers and letters, and they can pick up information about anyone from public records. Try not to relate your passwords to that information, but for any password, use a combination of upper and lower case letters, numbers and special characters.
  • Download and install updates from the publishers of your application software. In most cases, the updates contain bug fixes and patches to improve the security of your applications.
  • Keep your anti-virus and malware software up to date and active.

Again, if you get hacked, don’t wait to call us. Time is of the essence. Shut down everything and call 973-433-6676 for immediate help.

Of course, preventive measures offer the best protection. Call us or email us to arrange a security audit of your system. And don’t wait until you’re hacked to do it.

Smarten Up! The Spoof is On

I was at a client’s office when the email – to her as president of a service organization – arrived, asking for a wire transfer of money. Other members of the organization got the same message, and some actually sent money. A scammer had spoofed a name or email address that was recognizable. This is becoming a growing problem. Is technology making us stupid?

The answer is “no,” but it is making us careless because it gives us the ability to do too many things too easily with too little forethought. That, in turn, leads to doing stupid things – and that’s what spoofers and other Internet-based thieves are counting on now and will continue to do so.

Email seems to open the doors to your computer and your data more conveniently than anything else. The biggest breach opportunities come when you click on something or follow through on instructions because you didn’t take the time to look carefully at an email and when you send sensitive information in an unencrypted email.

Spoofing is the most effective way to get you to open an email and link yourself to trouble. It’s remarkably easy to recreate a company’s logo and attach a fake email address to it. When many people see what they think is a legitimate logo, they just click to open. If nothing jumps out as a red flag, they’ll continue to a bogus website, and BINGO, it’s too late.

People are particularly susceptible to spoofs at this time of the year. Online merchandise sales continue to grow at holiday time, and merchants or shipping companies often send tracking info so you’ll know when your packages should arrive. If you take a little time to look at the message, you’ll probably see that the domain attached to the shipper or merchant bears no resemblance at all to the company. You might also note that the message itself is generic – and it likely has misspelled words or syntax that just doesn’t fit how we converse in the United States.

If you want to verify the tracking on a package, you can go onto the merchant’s or shipper’s website and enter a tracking number you received when your order was confirmed. If you don’t have that number, there is often a way to get the information.

Similarly, as we move from the holiday season to the tax season, be especially careful of financial-related information. There’s a reason why your financial advisor doesn’t let you leave trade information on voicemail or email. They don’t want your financial data left out in the open, and you should feel the same way. When financial advisors and institutions – and even healthcare providers – have messages for you, they generally tell you to access them on their secure websites – and require you to sign in.

DO NOT click a link on an email you think was sent to you by anyone who wants financial, health or other sensitive personal data. If you know the website, open a new browser window and go to the website by typing in the website address. Even if the domain name in an email looks correct, something like “[email protected]” can really link to “you’vebeenscammed.com.”

And, of course, never, never send user names, passwords, credit card info, bank accounts, Social Security numbers (even the last four digits) or other personal information in an email. Unless you and the other party have activated a mutually agreed-upon encryption process, the data is wide open. Email messages can go through multiple communications systems, and it’s impossible to know when a data thief is waiting to pick off any number of random messages at any point. They can pick off thousands in the blink of an eye and then take their own sweet time pulling out key info and wreaking havoc.

It all goes back to convenience vs. security, with a dose of distraction thrown in for good measure. We’ve had clients accidentally open a door to their computers, and the invaders took their info and denied the owners access to their systems. Fixing it on the computer end generally requires a visit from us, and then there’s the nerve-wracking hassle of working with other companies to close your breaches. When you have to go through all of that, it’s more than just an inconvenience.

We’re not telling you anything you don’t know. We are telling you to take a deep breath and a closer look at your email and the links inside them. We’re also telling you not to send sensitive information in emails. If you think you may have had a breach in your security, we can help you patch up your computer system. We can also help you set up an email encryption system. Call us – 973-433-6676 – or email us with your questions or to have us help resolve an issue.

Network Strength and Costs

With more and more devices in our homes – more than you think – you need to strike a balance between speed and cost. Keeping your network strong and secure is a given, but you should look at what you can hardwire into your gateway to maximize speed and free up wireless capacity for devices and systems that can’t be wired.

Many people have looked to simple solutions such as EERO, which plugs repeaters into power outlets in homes and offices. It’s known as a wireless mesh system, and it’s a technology that hasn’t won us over. The modules are repeaters, and the problem is that each time you repeat, you cut signal strength, and that diminishes the speed of the network to deliver signals to the target computer, TV, tablet or smartphone.

You might think you don’t have that many devices on your network, but you’d be surprised. In our house with four people, we have a dozen computers, tablets and smart phones, several automated systems for the doorbell and for turning on certain lights. We also have a Sonos sound system with seven speakers around the house. I haven’t added in smart TVs, which many households have. Most of them use a USB antenna to connect to their home wireless network, and then people use the wireless network to stream movies and shows – especially if they’ve cut the cord on cable TV.

Depending on your provider, you can get Internet connections ranging from 15 megabits per second (of data transmission) to 1 or 2 gigabits per second. Many users in moderately connected homes have service ranging from 50 to 300 megabits per second (mbs). The faster the speed, the more data it pushes through per second. However, your TVs, computers and devices on your wireless network may not be getting the full speed you’re paying for because of repeaters and the number of devices using the network at a given time.

You can maximize wireless performance and your Internet costs by hardwiring some computers and smart TVs and then determining how much speed you need to support your wireless devices. Wired computers and TVs will get the full benefit of your connection speed, and you may not need as fast (and expensive) a connection as you think.

To use our house as an example, we have a 150mbs connection, and we use it more for downloading large files than for streaming movies and shows. With hard wiring, it works fine. If I would double the speed to 300mbs, it would cost $90 per month more. That’s $1,080 more per year, and I wouldn’t get the full performance because of the wireless penalty.

With smart TVs and streaming becoming more popular, TV manufacturers are heading off potential problems with customer satisfaction by including Ethernet connections in their units. Taking advantage of the hardwiring capability can help you avoid problems elsewhere in your home.

In the office, hardwiring as many components of your system to the network is essential. Hardwiring grantees your computers and peripherals will work at the speeds you’re paying for, and it will free up wireless capacity for the devices that you must have, such as phones and tablets.

Regardless of whether you have a home or business network, remember that your service speed can be increased or decreased without a visit from a technician. You can see how one connection speed works and then have your provider raise or lower it from their service center.

We can help you by installing the wiring and connecting your equipment. We can also help you analyze your system’s performance to find the right combination of speed and cost. Call us – 973-433-6676 – or email us to set up an appointment to discuss your needs.

Behind Last Month’s Internet Breakdown

We’ve harped for years about the inherent conflict of convenience vs. online security. That conflict reared its ugly head during the distributed denial-of-service attacks, using – maybe – millions of computers to hit some of the world’s largest and most popular e-commerce and news websites.

Investigators have been able to pin part of the cause on hackers using IP addresses commandeered from millions of home devices, commonly called IoT (Internet of Things) – such as interior and exterior security cameras, doorbell and baby monitors, thermostats, etc. – that are increasingly popular with consumers. Too many people install them on their Wi-Fi networks and never bother to change default user names or passwords. That just leaves the door wide open to have their devices hijacked and used for malicious purposes.

From our point of view, it’s what happens when we get lazy and sloppy because we are so tuned into convenience. And, a DDoS attack can be the least consequential problem for you, personally. The hacker can gain control of your device and peak into your house at will – and even change your thermostat settings.

Users are not the only sloppy parties in this turn of events. The device manufacturers share the blame because they don’t require you to reset your user name or password as part of the installation process. After all, they don’t want the blame for your inconvenience, and we think that’s wrong. They can require you to reset user names and passwords as part of the installation process.

You can help prevent these DDoS attacks by making sure you change user names and passwords for the devices during the installation process. You can further protect your privacy by making sure your Wi-Fi network has a good, strong password. Too many people leave the default user name and password on their routers, too.

We should note that businesses, including professional services providers, can be just as lax as home users. We’ve had client systems hacked because their system administrators did not set up stronger log-in credentials.

We strongly urge everyone to have somebody look at their networks and IT systems and procedures once or twice a year. This may not be a comfortable analogy for some people, but even though you brush your teeth and floss every day, you still maintain better health when you visit the dentist once or twice a year for a cleaning and exam.

If you avoid the visit because of expense, it’s costlier – and more painful – to fix the problem instead of preventing it. What would be your cost for system downtime and repairing security breaches? Contact us by phone – 973-433-6676 – or email to find out what our security audit would cover for you and to set it up. In today’s world, you can’t afford to overlook any possible weakness.

Following the Money Conversations

Money is the only reason somebody steals information. Some 70 percent of the emails that lead to information theft are related to either financial institutions, businesses or something that mentions money in the subject line. Another 20 percent are related to espionage, and 5 percent are related to employee grudges. In most cases, curiosity kills your security.

Phishing expeditions are still one of the most effective ways for hackers to get into a computer system, and that’s because people have insatiable curiosity, especially when it comes to money. We’ve told you time and time again to be very careful about the links you click on from within an email. It is so easy for a hacker to mimic the logo of any bank or financial institution and to create an email address that can be close enough to looking real that you won’t notice it’s a fake in your haste to check out a great offer or respond to a dire warning.

So, as we’ve mentioned ad nausea, your curiosity could open the door to a Trojan horse virus that will enable someone to get into your computer. And once they do that, they can insert themselves into your financial conversations. To whom are you talking about money? Is it your financial advisor? Is it an attorney or a CPA? Is it your bank, credit card company or several merchants? They can identify every single one of them just by looking at your email. After all, you keep thousands of them in your Outlook application or on a website – which they can easily find once they get into your computer.

How will they put your email conversations to work for them? Well, let’s see. There’s your financial advisor, who’s been talking to you about your 401(k). Hmm. That’s good. Bet you have the password for that account stored on your computer. That makes it easy.

But wait, what if you “forgot” your password. The hacker can go to the website with your 401(k) and use your email address to reset the password. If that security is lax – say, for example, there’s no two-factor authentication – the hacker can have your email address routed to his, and now he’s in your account and can clean it out.

Of course, that could be just part of his haul. He knows who your financial advisor is, and maybe their system isn’t 100 percent locked down. You can imagine the fallout.

What if you’re involved in a large business transaction, such as buying a business or even a house? Your attorney may be dealing with a financial institution or two – even through another attorney. Again, a hacker can insert himself in a conversation with any party connected to the money, spoofing your email address or that of anyone involved. And once the hacker is into that next system, it opens more doors.

Just to add to your “watch list” when checking your email, also be wary of somebody sending you updated files that you are not expecting. We have a client who clicked on a PDF and wound up with an infected computer. Fortunately, it caused a major inconvenience more than anything else. Because all of the client’s files were backed up offsite, we had to wipe the computer clean and then find the infected files to delete from the backup. We were able to fully restore everything after that, but it took 18 hours.

So, let’s recap the steps you need to take:

  • Look before you click. Do I get this kind of email message from this sender on a regular basis? Is this an offer that’s too good to be true? Is there anything that looks just the least bit out of the ordinary – even if it’s from a sender I know and trust? Remember, you can always access the sender’s website from your Internet browser instead of the email, or you can pick up the telephone and call a company or a person.
  • If something looks odd even before you open the email, just delete it. I am amazed at how many people just let something suspicious just sit there.
  • Don’t conduct financial business or visit passworded sites while on a public Wi-Fi network. Non-secured networks can be viewed by anyone from anywhere.
  • Be very careful with flash drives. Someone can use one to invade your computer. If you are running a good anti-virus or anti-malware program, it should intercept any external device and give you the option to scan it.
  • Keep your anti-virus and anti-malware software up to date. And make sure they’re both running.

Finally, if you suspect your computer has been infected with a virus, call us immediately at 973-433-6676. We can assess your system and begin the process of restoring its health. If you have any questions about online security, call us or email us. We all have too much at stake.

Two More Tips to Protect Your Money

  1. When you travel by air, don’t just throw your boarding pass in the first trash bin you find in the terminal. The barcode on the pass has a wealth of information, including your frequent flyer account information – and any other personal information in that database – and your itinerary, which can let somebody know how far away from home you are and how long you will be away. If you can’t shred it, tear it into pieces that also separate the barcode and throw them into different trash bins.
  2. Check all of your financial accounts frequently, especially with business bank accounts. When you have a lot of money coming in and going out electronically, that means a lot bank treasury departments are accessing your account. If you monitor the accounts regularly, you have a much better chance of catching fraudulent activity.

Payments and Rewards with Your Smart Phone

We love near-field communications (NFC), the technology that enables you to pay for purchases with your smart phone. We love the security factors built into it. Banks and merchants are loving it more, too, because now they launch more loyalty programs to reward themselves – and even you. It’s the logical extension of programs that started with books of trading stamps from grocery stores and gas stations and now extend electronically from purchases at coffee bars to international vacation packages.

There’s a lot at stake for banks and retailers because the citizens of nations with developed economies still spend a lot of money. And while some older consumers dislike waiting for charges to be approved using the more secure chips in their credit cards, millennials and their older siblings are embracing mobile payments. With smart phones almost always accessible, it’s easy to tap a payment station with your phone or hold it close to the station, enter your passcode and keep going with life.

That phone, of course, contains a wealth of information that merchants and banks can tap into with their big-data systems. They can use the data to optimize rewards programs for their customers based on what you and where you buy it. Financial industry research shows that the more affluent you are, the more likely you are to use digital payments whenever you can. And a good number of you are likely to use digital coupons on your smart phone.

You might say a perfect storm is forming. As the use of smart phones grows for all sorts of purchases, merchants and bankers will offer more incentives, and that will draw more people to the technology. That will ratchet up new programs to attract more users in a continuing spiral. The financial industry sees big changes in the next three to five years.

What can our transactional environment look like over the next few years? It’s not that hard to imagine. Your browsing history may show, for example, that you are looking for a new computer in the $1,000 range. With location services turned on for your phone – because you used it to find the fastest route to the shopping mall – the retailer and the bank that supports your credit card can easily deduce that you are entering a store to make a purchase.

Together, the retailer and bank can send a message to your phone to let you know that if you buy a specific computer-and-accessory package today, you are eligible for a discount from the price you saw during your online shopping – or you may be eligible for extra miles from the airline that sponsors your credit card – or you may get extra cash back for this purchase.

Or, your credit card company may have an arrangement with another retailer nearby, and they can offer you rewards to go to their retailer. They can let you know about their specials before you go into any store.

The driver in all of this is likely to be the bank that supports your credit card – or more realistically that has the credit account you access from your phone. They are the ones who “lend” the money when you charge a purchase or collect a handling fee on a debit purchase. The sheer volume of money changing hands creates incentives for them to incentivize you.

In turn, you will need to pay closer attention to the security of your smart phone. You will need to make sure you always have the latest operating system on your phone and that you have all appropriate anti-virus and anti-malware software running – on your computer or tablet as well as on your phone. And you will need to pay special attention to all offers you receive over your smart phone. If a retailer or bank can send a special offer to your smart phone, so can a scammer.

We can help you reap all the benefits of your rewards programs by making sure all of your technology has the latest security software properly set up to match the way you live. Call us – 973-433-6676 – or email us to help you make sure you are good to go.

 

Ransomware Doesn’t Stop with a Payment

If you think paying off a ransom demand to get back files is the end of your experience, you’re wrong. Getting to cough up a few bucks…well, Bitcoin…is just the start. Ransomware pirates are finding ways besides email to get access to your computer and all of your data – and they’re looking for long-term relationships, too. One tech columnist has sardonically suggested they need good customer service plans. You need a good protection plan.

Let’s start with some basics, which we’ve discussed many times before:

  • Be extremely careful about clicking on links in an email, even if it looks like it comes from someone or an organization you know and trust.
    • Personal email addresses get stolen and spoofed all the time.
    • It’s very easy for someone to recreate a corporate look – such as for your bank – that looks realistic at first glance. (Seriously, does your bank use a Hotmail account?)
  • Install and use anti-virus and anti-malware protection. Make sure update it, and make sure you update it from a legitimate site (see above).
  • Install all updates from application software provider (but make sure it’s legit). Most patches and updates cover security issues.
  • Back up your data files to an off-site server or, better yet, store them in the cloud. For an extra precaution, you can store files to portable hard drives, and keep them disconnected when you’re not backing up data.

One of the problems with storing data on a laptop computer, which many people do, is that when it’s stolen, your data can be accessed before any kind of Internet-based program kicks in to wipe your drive clean. All somebody needs to do it remove your hard drive and hook it up to a computer to see what’s on there.

If you have covered all the basics, you now face some new concerns, especially if you store confidential personal, financial or medical information as part of your business. You face additional risks because there is no way for you to control the security steps your customers or clients take. If they leave vulnerabilities, a hacker can use one person’s log-in credentials to see a lot more data than would ever care to expose.

You can protect your business and data in a number of ways – in addition to the steps listed above:

  • Insist visitors to your website use newer versions of all browsers. As browsers age, publishers stop supporting them. You don’t want to expose yourself to their vulnerabilities.
  • Encrypt your data and your emails. If you do a lot of email marketing or communicate confidential information, this is a no-brainer. Email services, such as Constant Contact, which we use, build in a number of security measures. Spend the money to take advantage of them; it’s cheaper than taking a financial hit (see below).
  • Check with your insurance agent or carrier to see if E&O covers you for cybersecurity breaches. It may be an extra cost, but remember that insurance companies like to collect premiums, not pay claims. They are motivated to minimize your risk and should work with you.

The back story on these tips starts with a client who has two offices. In the “main” office, nobody uses the Internet. But in the other office, people used a remote desktop to access the system in the main office, and the security was weak. The link was not secure, and the passwords were simple. I was able to hack in using an iPad that still had a SIM card from another country, and the client could not detect that I was in there.

That should be a wake-up call for every small business to install and maintain security systems throughout their information management system. Ransomware pirates are getting more sophisticated in ways they can get into your systems and stay there – which brings up the “customer service” observation from Glenn Fleishman in PC World. Our point is not to scare anyone away from technology. Every advance – from the bicycle to space travel – has a risk-reward component, and we all know the rewards are great when we follow the proper precautions.

We’d like to leave you with three steps to take right now:

  1. Encrypt all data
  2. Never send passwords in an open email
  3. Look before you click – disguises are getting better and more numerous

Sterling Rose can help you design, install and maintain a cybersecurity program. Contact us by phone – 973-433-6676 – or email us to make an appointment to discuss your needs.