Behind Last Month’s Internet Breakdown

We’ve harped for years about the inherent conflict of convenience vs. online security. That conflict reared its ugly head during the distributed denial-of-service attacks, using – maybe – millions of computers to hit some of the world’s largest and most popular e-commerce and news websites.

Investigators have been able to pin part of the cause on hackers using IP addresses commandeered from millions of home devices, commonly called IoT (Internet of Things) – such as interior and exterior security cameras, doorbell and baby monitors, thermostats, etc. – that are increasingly popular with consumers. Too many people install them on their Wi-Fi networks and never bother to change default user names or passwords. That just leaves the door wide open to have their devices hijacked and used for malicious purposes.

From our point of view, it’s what happens when we get lazy and sloppy because we are so tuned into convenience. And, a DDoS attack can be the least consequential problem for you, personally. The hacker can gain control of your device and peak into your house at will – and even change your thermostat settings.

Users are not the only sloppy parties in this turn of events. The device manufacturers share the blame because they don’t require you to reset your user name or password as part of the installation process. After all, they don’t want the blame for your inconvenience, and we think that’s wrong. They can require you to reset user names and passwords as part of the installation process.

You can help prevent these DDoS attacks by making sure you change user names and passwords for the devices during the installation process. You can further protect your privacy by making sure your Wi-Fi network has a good, strong password. Too many people leave the default user name and password on their routers, too.

We should note that businesses, including professional services providers, can be just as lax as home users. We’ve had client systems hacked because their system administrators did not set up stronger log-in credentials.

We strongly urge everyone to have somebody look at their networks and IT systems and procedures once or twice a year. This may not be a comfortable analogy for some people, but even though you brush your teeth and floss every day, you still maintain better health when you visit the dentist once or twice a year for a cleaning and exam.

If you avoid the visit because of expense, it’s costlier – and more painful – to fix the problem instead of preventing it. What would be your cost for system downtime and repairing security breaches? Contact us by phone – 973-433-6676 – or email to find out what our security audit would cover for you and to set it up. In today’s world, you can’t afford to overlook any possible weakness.

Following the Money Conversations

Money is the only reason somebody steals information. Some 70 percent of the emails that lead to information theft are related to either financial institutions, businesses or something that mentions money in the subject line. Another 20 percent are related to espionage, and 5 percent are related to employee grudges. In most cases, curiosity kills your security.

Phishing expeditions are still one of the most effective ways for hackers to get into a computer system, and that’s because people have insatiable curiosity, especially when it comes to money. We’ve told you time and time again to be very careful about the links you click on from within an email. It is so easy for a hacker to mimic the logo of any bank or financial institution and to create an email address that can be close enough to looking real that you won’t notice it’s a fake in your haste to check out a great offer or respond to a dire warning.

So, as we’ve mentioned ad nausea, your curiosity could open the door to a Trojan horse virus that will enable someone to get into your computer. And once they do that, they can insert themselves into your financial conversations. To whom are you talking about money? Is it your financial advisor? Is it an attorney or a CPA? Is it your bank, credit card company or several merchants? They can identify every single one of them just by looking at your email. After all, you keep thousands of them in your Outlook application or on a website – which they can easily find once they get into your computer.

How will they put your email conversations to work for them? Well, let’s see. There’s your financial advisor, who’s been talking to you about your 401(k). Hmm. That’s good. Bet you have the password for that account stored on your computer. That makes it easy.

But wait, what if you “forgot” your password. The hacker can go to the website with your 401(k) and use your email address to reset the password. If that security is lax – say, for example, there’s no two-factor authentication – the hacker can have your email address routed to his, and now he’s in your account and can clean it out.

Of course, that could be just part of his haul. He knows who your financial advisor is, and maybe their system isn’t 100 percent locked down. You can imagine the fallout.

What if you’re involved in a large business transaction, such as buying a business or even a house? Your attorney may be dealing with a financial institution or two – even through another attorney. Again, a hacker can insert himself in a conversation with any party connected to the money, spoofing your email address or that of anyone involved. And once the hacker is into that next system, it opens more doors.

Just to add to your “watch list” when checking your email, also be wary of somebody sending you updated files that you are not expecting. We have a client who clicked on a PDF and wound up with an infected computer. Fortunately, it caused a major inconvenience more than anything else. Because all of the client’s files were backed up offsite, we had to wipe the computer clean and then find the infected files to delete from the backup. We were able to fully restore everything after that, but it took 18 hours.

So, let’s recap the steps you need to take:

  • Look before you click. Do I get this kind of email message from this sender on a regular basis? Is this an offer that’s too good to be true? Is there anything that looks just the least bit out of the ordinary – even if it’s from a sender I know and trust? Remember, you can always access the sender’s website from your Internet browser instead of the email, or you can pick up the telephone and call a company or a person.
  • If something looks odd even before you open the email, just delete it. I am amazed at how many people just let something suspicious just sit there.
  • Don’t conduct financial business or visit passworded sites while on a public Wi-Fi network. Non-secured networks can be viewed by anyone from anywhere.
  • Be very careful with flash drives. Someone can use one to invade your computer. If you are running a good anti-virus or anti-malware program, it should intercept any external device and give you the option to scan it.
  • Keep your anti-virus and anti-malware software up to date. And make sure they’re both running.

Finally, if you suspect your computer has been infected with a virus, call us immediately at 973-433-6676. We can assess your system and begin the process of restoring its health. If you have any questions about online security, call us or email us. We all have too much at stake.

Two More Tips to Protect Your Money

  1. When you travel by air, don’t just throw your boarding pass in the first trash bin you find in the terminal. The barcode on the pass has a wealth of information, including your frequent flyer account information – and any other personal information in that database – and your itinerary, which can let somebody know how far away from home you are and how long you will be away. If you can’t shred it, tear it into pieces that also separate the barcode and throw them into different trash bins.
  2. Check all of your financial accounts frequently, especially with business bank accounts. When you have a lot of money coming in and going out electronically, that means a lot bank treasury departments are accessing your account. If you monitor the accounts regularly, you have a much better chance of catching fraudulent activity.

Payments and Rewards with Your Smart Phone

We love near-field communications (NFC), the technology that enables you to pay for purchases with your smart phone. We love the security factors built into it. Banks and merchants are loving it more, too, because now they launch more loyalty programs to reward themselves – and even you. It’s the logical extension of programs that started with books of trading stamps from grocery stores and gas stations and now extend electronically from purchases at coffee bars to international vacation packages.

There’s a lot at stake for banks and retailers because the citizens of nations with developed economies still spend a lot of money. And while some older consumers dislike waiting for charges to be approved using the more secure chips in their credit cards, millennials and their older siblings are embracing mobile payments. With smart phones almost always accessible, it’s easy to tap a payment station with your phone or hold it close to the station, enter your passcode and keep going with life.

That phone, of course, contains a wealth of information that merchants and banks can tap into with their big-data systems. They can use the data to optimize rewards programs for their customers based on what you and where you buy it. Financial industry research shows that the more affluent you are, the more likely you are to use digital payments whenever you can. And a good number of you are likely to use digital coupons on your smart phone.

You might say a perfect storm is forming. As the use of smart phones grows for all sorts of purchases, merchants and bankers will offer more incentives, and that will draw more people to the technology. That will ratchet up new programs to attract more users in a continuing spiral. The financial industry sees big changes in the next three to five years.

What can our transactional environment look like over the next few years? It’s not that hard to imagine. Your browsing history may show, for example, that you are looking for a new computer in the $1,000 range. With location services turned on for your phone – because you used it to find the fastest route to the shopping mall – the retailer and the bank that supports your credit card can easily deduce that you are entering a store to make a purchase.

Together, the retailer and bank can send a message to your phone to let you know that if you buy a specific computer-and-accessory package today, you are eligible for a discount from the price you saw during your online shopping – or you may be eligible for extra miles from the airline that sponsors your credit card – or you may get extra cash back for this purchase.

Or, your credit card company may have an arrangement with another retailer nearby, and they can offer you rewards to go to their retailer. They can let you know about their specials before you go into any store.

The driver in all of this is likely to be the bank that supports your credit card – or more realistically that has the credit account you access from your phone. They are the ones who “lend” the money when you charge a purchase or collect a handling fee on a debit purchase. The sheer volume of money changing hands creates incentives for them to incentivize you.

In turn, you will need to pay closer attention to the security of your smart phone. You will need to make sure you always have the latest operating system on your phone and that you have all appropriate anti-virus and anti-malware software running – on your computer or tablet as well as on your phone. And you will need to pay special attention to all offers you receive over your smart phone. If a retailer or bank can send a special offer to your smart phone, so can a scammer.

We can help you reap all the benefits of your rewards programs by making sure all of your technology has the latest security software properly set up to match the way you live. Call us – 973-433-6676 – or email us to help you make sure you are good to go.

 

Ransomware Doesn’t Stop with a Payment

If you think paying off a ransom demand to get back files is the end of your experience, you’re wrong. Getting to cough up a few bucks…well, Bitcoin…is just the start. Ransomware pirates are finding ways besides email to get access to your computer and all of your data – and they’re looking for long-term relationships, too. One tech columnist has sardonically suggested they need good customer service plans. You need a good protection plan.

Let’s start with some basics, which we’ve discussed many times before:

  • Be extremely careful about clicking on links in an email, even if it looks like it comes from someone or an organization you know and trust.
    • Personal email addresses get stolen and spoofed all the time.
    • It’s very easy for someone to recreate a corporate look – such as for your bank – that looks realistic at first glance. (Seriously, does your bank use a Hotmail account?)
  • Install and use anti-virus and anti-malware protection. Make sure update it, and make sure you update it from a legitimate site (see above).
  • Install all updates from application software provider (but make sure it’s legit). Most patches and updates cover security issues.
  • Back up your data files to an off-site server or, better yet, store them in the cloud. For an extra precaution, you can store files to portable hard drives, and keep them disconnected when you’re not backing up data.

One of the problems with storing data on a laptop computer, which many people do, is that when it’s stolen, your data can be accessed before any kind of Internet-based program kicks in to wipe your drive clean. All somebody needs to do it remove your hard drive and hook it up to a computer to see what’s on there.

If you have covered all the basics, you now face some new concerns, especially if you store confidential personal, financial or medical information as part of your business. You face additional risks because there is no way for you to control the security steps your customers or clients take. If they leave vulnerabilities, a hacker can use one person’s log-in credentials to see a lot more data than would ever care to expose.

You can protect your business and data in a number of ways – in addition to the steps listed above:

  • Insist visitors to your website use newer versions of all browsers. As browsers age, publishers stop supporting them. You don’t want to expose yourself to their vulnerabilities.
  • Encrypt your data and your emails. If you do a lot of email marketing or communicate confidential information, this is a no-brainer. Email services, such as Constant Contact, which we use, build in a number of security measures. Spend the money to take advantage of them; it’s cheaper than taking a financial hit (see below).
  • Check with your insurance agent or carrier to see if E&O covers you for cybersecurity breaches. It may be an extra cost, but remember that insurance companies like to collect premiums, not pay claims. They are motivated to minimize your risk and should work with you.

The back story on these tips starts with a client who has two offices. In the “main” office, nobody uses the Internet. But in the other office, people used a remote desktop to access the system in the main office, and the security was weak. The link was not secure, and the passwords were simple. I was able to hack in using an iPad that still had a SIM card from another country, and the client could not detect that I was in there.

That should be a wake-up call for every small business to install and maintain security systems throughout their information management system. Ransomware pirates are getting more sophisticated in ways they can get into your systems and stay there – which brings up the “customer service” observation from Glenn Fleishman in PC World. Our point is not to scare anyone away from technology. Every advance – from the bicycle to space travel – has a risk-reward component, and we all know the rewards are great when we follow the proper precautions.

We’d like to leave you with three steps to take right now:

  1. Encrypt all data
  2. Never send passwords in an open email
  3. Look before you click – disguises are getting better and more numerous

Sterling Rose can help you design, install and maintain a cybersecurity program. Contact us by phone – 973-433-6676 – or email us to make an appointment to discuss your needs.

Protection in the Third-Party World

The reliance on third-party providers for so many data servers continues to grow. That increases your dependence on other people’s diligence, and it increases your responsibility to be more vigilant.

“NJ Biz” recently devoted a series of articles to many aspects of online safety and protection, and one of them focused on issues we’ve been discussing: verifying the integrity of third-party providers and two-factor authentication. Third-party providers are being used more and more by businesses of all types because they can scale up faster and more economically to handle any number of users from any number of locations.

However, you need to rely on those providers to protect your data, and according to Jonathan Dambrot, CEO and co-founder of Prevalent, a Warren-based IT security, compliance and third-party risk management service provider, the security environment is far from ideal. In one of the “NJ Biz” articles, he says: “Depending on who you talk to, between 40 to 80 percent of all data breaches are happening at third-party vendors, because that is where most of the data is. People are focusing on third-party data security risks because criminals are going after the data where it resides.”

If a provider has weak security, it can be more vulnerable to an attack by hackers. But government and industry leaders are getting together to help you. Last December, Congress passed The Cybersecurity Act of 2015 to encourage companies to share with the government and each other technical details of hacking threats. This regulation reflects a growing acceptance of collaboration as a way to access data security threat intelligence and enforce vendor compliance.

It’s the latest of several early steps in a fluid regulatory process.

“Regulators have put controls in place over the last two-and-a-half to three years, and there is a combination of reasons why third-party or downstream risk has become really important to people as they look at their cybersecurity,” Dambrot said. “Third-party vendor and business associate risk has really changed as vendor services have changed. Years ago, people weren’t talking about cloud usage as much as they are today, and so, regulators will continue to change the wording to match the way data is handled.”

This collaborative effort, however, doesn’t get you off the hook. On the contrary, you need to do more. Two other articles we recently came across expand on two security matters we discussed last month: two-factor authentication and asking the right questions of any data-services provider.

Rather than re-explain some of the more effective ways to use two-factor authorization (2FA), we can refer you to a recent post by Ed Bott on ZDNet. There are many options available, including apps you can download to your mobile devices.

As he asks, “How much are your private communications worth? How about your reputation? Your bank account? Your identity?”

We know they are priceless to us but have great value on the black market. With 2FA enabled for a cloud service, any attempt to sign in on an unrecognized device might require you to enter a secret code that’s either received as a text message or generated by an authenticator app on your previously registered smartphone.

“Depending on the service, entering a code might automatically establish the current device as trusted, or you might be given the option to trust the current device,” he writes. “If this is your new computer or tablet (or a new browser), and you have this option you should say yes. When you’re signing in on a device you don’t control, you shouldn’t allow it on your trusted list. One way to make sure that the device isn’t marked as trusted is to use a browser in private mode (aka incognito in Chrome). If a bad guy manages to steal your credentials for an account that’s protected by 2FA, he’s unable to do any damage. Because he is signing in on an unrecognized device, he’s required to provide a second form of authentication. Without access to your trusted device, he can’t authenticate himself and can’t go any further.”

There are many variations on that theme, and we can help you find one or two 2FA programs that can best meet your needs and comfort level with your devices. But you need to be sure the data center that houses your information has all the right policies and procedures in place, too.

Services provider vXchange, which estimates some 78 percent of work-related data will be on the cloud by 2018, has a list of 10 questions you should ask your next data center manager, and we suggest you read them to get an idea of what’s at stake. They’re questions we ask of ourselves and our provider to minimize your risk and ours.

While you don’t get total control of your data, you will have a much better grasp of the possible risks and the steps you can take to maximize your protection.

As your trusted IT service provider and advocate, we have 2FA techniques we prefer and providers with which we have established relationships. We can answer your questions and address your specific concerns in selecting and installing 2FA programs, and we can help you select and vet data centers. Call us – 973-433-6676 – or email us to set up an appointment to discuss your specifics.

How Does Your IT Consultant Handle Your Info?

Today’s interconnected world is an interdependent world. No matter how many precautions you take to protect your data’s security, technology has forced you to depend on other people’s diligence to share your passion for protection. You don’t have a lot of control over the weakest link in your online chain. But asking how your IT consultant handles your information can help you gain better control where it’s possible.

So, here’s the question you need to ask: How do you handle my information, including your access to my systems?

And, here’s the discussion that needs to follow:

Your IT consultant must follow the strictest protocols available to protect all the information you provide. This includes access to your servers, routers (including repeaters or boosters for Wi-Fi networks) and computers that store your information or have access to wherever you store information.

An individual provider, such as Sterling Rose, can handle your data security differently from a large support organization. It’s not that one type of provider is better for a particular client; it’s more a matter of tailoring protection procedures to meet real-world needs and being diligent about following them.

We can keep all of our clients’ information in one place that can be accessed by only one person, and that helps us build a strong wall around (and roof over) the user names and passwords for your systems. With the ability to securely access the information from a desktop computer or mobile device, we can service a client from anywhere.

We protect that information in a number of ways. These are just a few of them:

  • We regularly use two-factor authentication, which requires more than just a password. Every two-factor system has its own set of additional requirements, but the net result is that a hacker or robotic system cannot provide the necessary response. (We’re sure somebody is hard at work to defeat two-factor authentication, but right now, it works.)
  • We use long, complex passwords with upper- and lower-case letters, numbers and special characters. Those are always impossible to crack using the latest available algorithms – at least for now.
  • We use systems that require us to re-log in every 14 days and change our passwords and authentication information. It’s a major inconvenience for us, but it’s much more convenient than having to explain why we need to react to a security breach.

A larger IT service provider with multiple technicians available to service a client can also store information securely in one place, but all the technicians need to access it. Some questions you should ask include:

  • Where do you store my information?
  • How do technicians access my information?
  • What protocols do you follow for user names, passwords and other authentication?
  • Are you notified when my information is accessed, and are you able to track who accessed it?

Your IT consultant must be able to advise you on the best security measures to take within your own organization. They should be able to help you design and install a set of procedures for any point at which information is accessed, such as:

  • Accessing specific files or categories of files from within your office or offices that are stored on your own server or on a server hosted by a third party (a cloud provider)
  • Accessing that information from a remote location, such as a home office, where you can install and monitor security measures
  • Accessing that information from a remote location, such as a customer’s place of business or a public place, such as a coffee shop or airport, where you cannot verify the security of a network.

You may also need to set up encrypted email, which we did for an insurance business. Our client reasoned that while they can control exchanges with their clients, they cannot control what happens when their clients communicate with others. Our client needed to be able to show that their security measures would stand up to an outside audit.

If you have any questions about how we handle your information, feel free to contact us at any time by email or phone – 973-433-6676. We would be more than happy to review our policies and procedures in general and for your information in particular. We can also help you develop and implement a security program for your business – or home – system.

Passwords and Passing Information

We’ve had numerous articles over the years about strong passwords, thinking before you click and responding to requests for sensitive information. A recent seminar and a personal experience brought it all together. You still need to be mindful of several principles that can keep your systems – and your sensitive data – more secure.

At the seminar, conducted by a cyber expert from the State of New Jersey, the presenter said he “cringes” at the “stuff” he sees on walls when he walks into many offices. People have Wi-Fi passwords on sticky notes on the walls near their computers. Passwords are taped to monitors, or people use very simple, easy-to-crack passwords.

Yes, those notes are a convenience for busy, overworked people, and state employees are not exceptions. We’ve seen a lot the same things when we service our business clients – and you have to ask the question: Who else is seeing this information?

The answer is that countless people who you can’t recall have probably seen the information. Anyone who visits your offices can see passwords hanging on the walls of cubicles or taped to monitors. If you have a lot of traffic in your office, the chances are greater that your networks and data have been compromised. If salespeople, contractors and others need Wi-Fi access to work in your office, have you given them the network password instead of a guest network password? Even if you don’t have a lot of visitors, do you have a cleaning service? Any member of the cleaning crew could see that information and access your network and files.

The solution is simple: Don’t allow anyone in your office to leave passwords out in the open. If they must be written down so you and everyone in the office can access the correct information when they need it, then keep that information in a locked desk drawer.

You can take additional steps, such as changing your network password frequently, requiring your employees to change passwords frequently and establishing rules about the number of characters and types of characters that must be in a password. If outsiders need access to your network, set up a guest password – and change that even more frequently.

Remember, your security is only as good as the worst security of anyone who has access to your network.

Outside the office, make sure that you and everyone in your company have secure passwords for computers and mobile devices – especially if you have sensitive data, including passwords, on them. We can help you install and teach you how to use security systems that can lock computers and devices if they are lost or stolen.

Because we go in so many public places and can tend to leave computers and devices on a table, for example, it makes more sense to make more use of the cloud for storing sensitive data. Yes, we can lock devices and encrypt data, but unless you have a backup program, the data can be lost. We recommend both having a backup program and using one of the major storage providers such as Google, Dropbox, iCloud or Office 365. They all have security protocols to protect access – unless, of course, you have left your passwords on your computer or device or have used a simple, easy-to-crack password. They also have redundant systems to make sure your data are accessible anytime from anywhere.

While we are on the subject of security, this is a good time to remind everyone to think before you click. We recently installed a new PC for a client, and within a month, the client saw a pop-up message about a problem with the computer and a “solution” to fix it for $499. And instead of a credit card, the “solution” provider wanted the money transferred directly from a bank account. Fortunately, the client realized the error and was able to call the bank and freeze the account before the money was taken out – and before more was sucked out by the scam artist.

We were guilty of not thinking right away, too. One of our business partners sends us a check once or twice a year, and they wanted to switch to an ACH system. They sent us an email asking us to respond with our bank’s routing number and our account number.

I started to reply – without thinking it through – and then realized before I sent anything that this was an unusual request for sensitive information. I stopped and phoned the company. Yes, it was a legitimate request from our partner, but we can all learn two important security lessons from this:

  1. Don’t just respond to an emailed request for information – no matter how legitimate it looks. There are too many ways to spoof an email address or a phone number. Find the phone number of that person and that company independently, such as opening your browser and entering the website address (url) that you know or find through an online search.
  2. Never send sensitive information, such as passwords and bank accounts, by email. A phone call to the person you have identified as a legitimate employee who is designated to take your info is safe. So is using a secured page on a legitimate website.

Security is critical. If you have any questions about security measures for your system, email us or call us – 973-433-6676, and we will respond in a timely manner.

The BYOD Hangover

Some businesses got drunk on BYOD – Bring Your Own Device. They bought heavily into the idea that they could cut costs and get more work out of employees by letting them use their own mobile devices and computers. Now we’re starting to see more problems for businesses, individuals and everyone they touch electronically.

Ten years ago, the benefits were clearly present for businesses and their owners/partners and employees. As the first generation of smartphones, mostly Blackberry, took hold, busy people and small businesses found they could untether themselves from office systems. Tablets, starting with iPad, increased their freedom because their bigger screens and keyboards made it easier to read spreadsheets, written documents and email and update files or respond to email.

  • Salespeople could access pricing lists, customer records and just about any critical information they needed to provide better service.
  • Everyone with a smartphone – and soon after, a tablet – could respond with increasing capabilities.
  • Busy parents could stay in touch with the office, giving them more flexibility to manage their lives.

In our business, IT professionals could respond to client or corporate information management needs from anyplace that had cellular service.

As Wi-Fi and all forms of communications networks grew and more smartphones and tablets came to the market, along with various carriers, the ways to stay connected lost all technical limits. And because everyone wanted to have their own personal technology – smartphone, tablet, laptop or desktop computer – to use on their own time, businesses of all sizes met the demand. Employees no longer needed to have specific products. IT managers were able to incorporate everyone’s devices, and employers were happy to give everyone 24/7/365 work capability.

It was intoxicating for everybody. Now, it’s intoxicating for hackers and cybercriminals; everyone else is having a big, bad hangover. The problem is security.

Here are some sobering concerns:

  • While we can help our business and professional services clients secure their networks and access to the data on their corporate servers, we need to educate employees about programs to control security. A business really needs to depend on its employees to keep their individual devices and computers secure. One hole can be an entry point to sensitive data anywhere.
  • Mobile phones and tablets are becoming more vulnerable to security problems. Why? That’s where the money is. With people conveniently accessing critical data over cellular and Wi-Fi networks all the time, hackers are finding more ways to penetrate security measures. Everyone needs to make sure they know that anybody in the world can take a peek at their business on any unsecured public network – like one in a coffee shop, hotel lobby or airport.
  • Even if you take every available security step in your corporate and personal systems – strong passwords, strong firewalls, up-to-date and active anti-virus and malware software – anyone with access to your system who doesn’t follow the same precautions puts you at risk.
  • The convenience of publicly accessible storage sites, such as Dropbox, can lead to the loss of privacy of your data. When you give someone the ability to download files from a storage site onto their own computers or tablets, you effectively give them ownership of that data. That means an employee can “own” client lists, financial information, etc.

With the horses already out of the barn and out on the open range, you can’t corral them and bring them back. But there a number of steps you can take:

  • Educate everyone in your organization about the need for security and what they need to do:
    • Have strong passwords and change them often
    • Be aware of when they are on unsecured public networks
    • Keep their own personal technology protected with up-to-date, activated anti-virus and malware programs
    • Understand that any holes in their own security systems can open holes for hackers to get into your business’s system and the systems of anyone or any organization they’ve ever contacted over the Internet – and that it can go viral from there
  • Require strong passwords (combination of upper and lower case letters, numbers and special characters) to access your data files wherever they are
  • Require frequent password changes
  • Determine which files need to stay on a secure server that you control
  • Backup data securely and often
  • Monitor your backup

We can help you with all of these steps:

  • Lunch ‘n’ Learn programs about security
  • Audits of your system’s security
  • Monitored backup services

Contact us by phone – 973-433-6676 – or email to keep your data clean and your systems sober in the BYOD environment.

Defeating the Biggest Business

Cybercrime is the world’s biggest business, and there are no signs it’s shrinking. While you can take a number of steps to protect yourself, here’s what you need to do if you suspect you’ve been hacked: ACT FAST.

The reason fast action is vital is because it takes practically no time at all for criminally minded hackers to get into your system once they find an unlocked door – or find a “cyberlock” they can pick. With a little more time, they can use your information to exploit larger systems to which you may have a connection, such as a large merchant or a bank. Your complacency works to their advantage.

After lying relatively low for a few months, malware and ransomware have once again reared their ugly heads. Google recently removed more than a dozen malware-infected apps from its Google Play store. Variations of the Crypto Locker and Crypto Wall viruses, which plagued the IT world in 2014 and 2015, are coming back in email attachments and fake update notices for Java and Adobe Flash.

If you see something really unusual or strange on your screen, you should call your IT specialist immediately. An IT professional should be able to fix the problem right away. We see a lot of the problems on a regular basis, and we know where to look to make the fix. If you can’t get your IT professional right away, take a picture of the screen with your smartphone and send as text or email. You can also take a screen shot and paste it into a blank Word document that you can save and send to your IT professional. On a Windows-based computer, press the FN key (it usually has blue lettering) and the PrntScrn key (also lettered in blue). Then paste it (Ctrl-V) into the Word document.

As soon as you do that, you can shut the computer off – without saving anything.

To further protect yourself and your data, you need to look before you click. DO NOT:

  • Open email attachments from sources you don’t recognize
  • Open email attachments that look suspicious or odd even if they appear to be from a source you know
  • Click on a link you cannot verify for authenticity

We’ve talked a lot about hacking, and here are some figures to cause concern. Some 82,000 new pieces of malware are released every day, and 600,000 Facebook accounts are hacked daily. On top of that, hackers are finding more ways to load ransomware on your computer, essentially holding your data hostage until you pay them money.

If a hacker manages to defraud you of money in your bank account, you get no FDIC protection. That is one reason why we recommend you stop using a debit card – remember, the money comes directly out of your bank account – and just get a plain-old, single-purpose ATM.

You can also sign up to get alerts from your bank or credit card company anytime a transaction is made on your account. That way, you’ll know immediately if somebody made an unauthorized purchase with your credit card or debit card or made an unauthorized withdrawal from your bank account.

Another concern you should cover is the data on your hard drive if you lose your computer or if it’s stolen. With all the personal data that most people keep on their computers, a computer thief can easily get into your data and find all the account numbers, user names and passwords you have stored. Encrypting your data could make it extremely difficult – if not impossible – to get at your data. At the very least, it can give you enough time to contact banks, credit card companies and stores where you have accounts to shut down activity.

The possibility of losing your computer, having it stolen or getting hacked is also a good reason to make sure your data files are all backed up offsite – and it’s a good reason, too, to rely on the cloud instead of your hard drive for the bulk of your storage needs. Also make sure you have fully licensed application software. With securely backed-up data files and licensed app files, we can clean out ransomware and malware problems and restore your data and apps – and get your security up to date.

We can help you maintain the security and integrity of your information. Contact us by phone – 973-433-6676 – or email to talk about your business or home system, how you use your computer and the best available anti-virus, malware and backup programs for your needs. We can also make sure you’ve set up all defenses properly.

Preventing Viral Infections

Early shopping season reports showed online purchasing way up over in-store shopping this year. If you know what you want and what you want to pay for presents, online shopping is convenient and efficient. We’ve written a lot over the years about being safe online, but you’d be surprised who could be infectious.

One culprit, for example, could be an electrical contractor or video-surveillance-system contractor who does work at several locations for a national or regional retailer. That contractor may use some sort of billing app to invoice the retailer – let’s say it’s Target or Walmart, but it could be anybody; we’re talking about the size of the company. That invoice goes somewhere in the retailer’s massive data management program.

Now, let’s say that contractor hasn’t had the time to keep all of their security software update – or they’re using some free antivirus program that has more holes than a slice of Swiss cheese – or they’re using easily cracked passwords.

Do you see where this is going? A hacker gets into the contractor’s computer system, simply because it’s open. Once inside the system, the hacker sees that the contractor has done business with the large retailer and is able to find all the information the contractor uses to get into the system. Once hackers are in, they have the opportunity to explore other parts of the system, and that’s where it’s possible for them to get all sorts of personal data about the retailer’s customers.

It could only be email addresses, but that may be enough to help them launch a scam – which we’ll get into later in this article. They could also get into credit card information, which leads to financial consequences.

As a business or consumer, what can you do to keep from being infectious? First of all, make sure all of your antivirus and malware software and firewalls are up to date and activated. We always advise going beyond free versions of all of this software. The paid versions are stronger and better supported.

Second, make sure you have strong passwords and change them. Yes, it’s an inconvenience, but that’s the tradeoff you need to make to protect your security. We also recommend using additional security measures such as two-factor authentication or requiring a text notification being sent to your cell phone when you change a password. The text notification will tip you off if someone is impersonating you online.

Third, be VERY, VERY CAREFUL at this time of year. Holiday season is scam season. When you buy online, it’s common to receive an email from a retailer or shipper with a link to track your packages. With thefts of packages commonplace, it’s useful to know when a package will arrive to make sure you or a neighbor can take it in. With everyone rushing to complete shopping and get work done, it’s all too easy to click on a link, and that’s the opening for scammers to get into your system.

Another scam is in the travel industry, such as a special offer purportedly from a hotel or airline. Again, you invited to click a link to take advantage of a “great opportunity.”

You should do your best to verify the authenticity of any link before clicking it. One effective way to check is to hover your mouse over the link. You should see the link’s origin. If it looks funny, avoid it. Even better, open your browser and go to the company’s website to see if you can find the information contained in the email. If it’s legit and available, you should be able to access it. Your other option is to pick a phone and call the company – using a number provided on its website, not from the email.

The sad truth is that no person, business or government is safe from hacking. The question is not if you will be hacked, it’s when you will be hacked. And the consequences can be even more widespread than they used to be. Some of the viruses now get into your computer’s firmware. That means that even if you wipe your hard drive clean and reinstall your operating system and all your other software, the virus is still there.

If you think you’ve been hacked or have a virus in your computer, call us or your IT specialist immediately. We know where to look and have the tools to discover your breach and mitigate the virus if it’s all possible. Call us – 973-433-6676 – immediately if you have a security concern or contact us by email if you have any questions about your online security.