Protection in the Third-Party World

The reliance on third-party providers for so many data servers continues to grow. That increases your dependence on other people’s diligence, and it increases your responsibility to be more vigilant.

“NJ Biz” recently devoted a series of articles to many aspects of online safety and protection, and one of them focused on issues we’ve been discussing: verifying the integrity of third-party providers and two-factor authentication. Third-party providers are being used more and more by businesses of all types because they can scale up faster and more economically to handle any number of users from any number of locations.

However, you need to rely on those providers to protect your data, and according to Jonathan Dambrot, CEO and co-founder of Prevalent, a Warren-based IT security, compliance and third-party risk management service provider, the security environment is far from ideal. In one of the “NJ Biz” articles, he says: “Depending on who you talk to, between 40 to 80 percent of all data breaches are happening at third-party vendors, because that is where most of the data is. People are focusing on third-party data security risks because criminals are going after the data where it resides.”

If a provider has weak security, it can be more vulnerable to an attack by hackers. But government and industry leaders are getting together to help you. Last December, Congress passed The Cybersecurity Act of 2015 to encourage companies to share with the government and each other technical details of hacking threats. This regulation reflects a growing acceptance of collaboration as a way to access data security threat intelligence and enforce vendor compliance.

It’s the latest of several early steps in a fluid regulatory process.

“Regulators have put controls in place over the last two-and-a-half to three years, and there is a combination of reasons why third-party or downstream risk has become really important to people as they look at their cybersecurity,” Dambrot said. “Third-party vendor and business associate risk has really changed as vendor services have changed. Years ago, people weren’t talking about cloud usage as much as they are today, and so, regulators will continue to change the wording to match the way data is handled.”

This collaborative effort, however, doesn’t get you off the hook. On the contrary, you need to do more. Two other articles we recently came across expand on two security matters we discussed last month: two-factor authentication and asking the right questions of any data-services provider.

Rather than re-explain some of the more effective ways to use two-factor authentication (2FA), we can refer you to a recent post by Ed Bott on ZDNet. There are many options available, including apps you can download to your mobile devices.

As he asks, “How much are your private communications worth? How about your reputation? Your bank account? Your identity?”

We know they are priceless to us, but they also have great value on the black market. With 2FA enabled for a cloud service, any attempt to sign in on an unrecognized device might require you to enter a secret code that’s either received as a text message or generated by an authenticator app on your previously registered smartphone.

“Depending on the service, entering a code might automatically establish the current device as trusted, or you might be given the option to trust the current device,” he writes. “If this is your new computer or tablet (or a new browser), and you have this option you should say yes. When you’re signing in on a device you don’t control, you shouldn’t allow it on your trusted list. One way to make sure that the device isn’t marked as trusted is to use a browser in private mode (aka incognito in Chrome). If a bad guy manages to steal your credentials for an account that’s protected by 2FA, he’s unable to do any damage. Because he is signing in on an unrecognized device, he’s required to provide a second form of authentication. Without access to your trusted device, he can’t authenticate himself and can’t go any further.”

There are many variations on that theme, and we can help you find one or two 2FA programs that can best meet your needs and comfort level with your devices. But you need to be sure the data center that houses your information has all the right policies and procedures in place, too.

Services provider vXchange, which estimates some 78 percent of work-related data will be on the cloud by 2018, has a list of 10 questions you should ask your next data center manager, and we suggest you read them to get an idea of what’s at stake. They’re questions we ask of ourselves and our provider to minimize your risk and ours.

While you don’t get total control of your data, you will have a much better grasp of the possible risks and the steps you can take to maximize your protection.

As your trusted IT service provider and advocate, we have 2FA techniques we prefer and providers with which we have established relationships. We can answer your questions and address your specific concerns in selecting and installing 2FA programs, and we can help you select and vet data centers. Call us – 973-433-6676 – or email us to set up an appointment to discuss your specifics.

Preventing Viral Infections

Early shopping season reports showed online purchasing way up over in-store shopping this year. If you know what you want and what you want to pay for presents, online shopping is convenient and efficient. We’ve written a lot over the years about being safe online, but you’d be surprised who could be infectious.

One culprit, for example, could be an electrical contractor or video-surveillance-system contractor who does work at several locations for a national or regional retailer. That contractor may use some sort of billing app to invoice the retailer – let’s say it’s Target or Walmart, but it could be anybody; we’re talking about the size of the company. That invoice goes somewhere in the retailer’s massive data management program.

Now, let’s say that contractor hasn’t had the time to keep all of their security software updated – or they’re using some free antivirus program that has more holes than a slice of Swiss cheese – or they’re using easily cracked passwords.

Do you see where this is going? A hacker gets into the contractor’s computer system, simply because it’s open. Once inside the system, the hacker sees that the contractor has done business with the large retailer and is able to find all the information the contractor uses to get into the system. Once hackers are in, they have the opportunity to explore other parts of the system, and that’s where it’s possible for them to get all sorts of personal data about the retailer’s customers.

It could be only email addresses, but that may be enough to help them launch a scam – which we’ll get into later in this article. They could also get into credit card information, which leads to financial consequences.

As a business or consumer, what can you do to keep from being infectious? First of all, make sure all of your antivirus and malware software and firewalls are up to date and activated. We always advise going beyond free versions of all of this software. The paid versions are stronger and better supported.

Second, make sure you have strong passwords and change them. Yes, it’s an inconvenience, but that’s the tradeoff you need to make to protect your security. We also recommend using additional security measures such as two-factor authentication or requiring a text notification to be sent to your cell phone when you change a password. The text notification will tip you off if someone is impersonating you online.

Third, be VERY, VERY CAREFUL at this time of year. Holiday season is scam season. When you buy online, it’s common to receive an email from a retailer or shipper with a link to track your packages. With thefts of packages commonplace, it’s useful to know when a package will arrive to make sure you or a neighbor can take it in. With everyone rushing to complete shopping and get work done, it’s all too easy to click on a link, and that’s the opening for scammers to get into your system.

Another scam is in the travel industry, such as a special offer purportedly from a hotel or airline. Again, you are invited to click a link to take advantage of a “great opportunity.”

You should do your best to verify the authenticity of any link before clicking it. One effective way to check is to hover your mouse over the link. You should see the link’s origin. If it looks funny, avoid it. Even better, open your browser and go to the company’s website to see if you can find the information contained in the email. If it’s legit and available, you should be able to access it. Your other option is to pick up a phone and call the company – using a number provided on its website, not from the email.

The sad truth is that no person, business or government is safe from hacking. The question is not if you will be hacked, it’s when you will be hacked. And the consequences can be even more widespread than they used to be. Some of the viruses now get into your computer’s firmware. That means that even if you wipe your hard drive clean and reinstall your operating system and all your other software, the virus is still there.

If you think you’ve been hacked or have a virus in your computer, call us or your IT specialist immediately. We know where to look and have the tools to discover your breach and mitigate the virus if it’s at all possible. Call us – 973-433-6676 – immediately if you have a security concern or contact us by email if you have any questions about your online security.

Technology and the Romance Novel

Back in the 19th century, parents feared their children reading romance novels and exposing themselves to things that they – the parents – weren’t ready to deal with. Today, we have technology. A recent seminar on raising kids in the digital age brought home a few time-tested ideas with a new twist.

We are raising our children in a radically different technological environment than we had growing up. My parents remember their families’ first television sets. I remember the first cable TV with the long wire and the clunky rows of buttons to push to change channels. The Internet has always been there for our kids; they’ve used tablets for several years.

In fact, as it was pointed out, how does a one-year-old relate to a magazine? In their eyes, it’s a tablet that doesn’t work. Think about it. It’s close to the same size. It has images, and some can look like icons. But when a one-year-old taps or swipes a page, nothing happens.

While I heard a lot of things I already knew, hearing them all at one time provided some perspective and context. The bottom line is that kids are growing up faster, and they learn things much earlier than we ever thought. For example, while most kids in the US start driving a car through lessons and under supervision by the age of 16, they have really learned about driving at the age of 5 – by watching you. That means they not only learn an attitude about driving and how to handle a car, they also learn about habits, such as talking on the phone or texting.

Technology needs to be viewed as a tool, not a treat. Today’s world holds a lot more risks than teens becoming more sexually active because of what they read in romance novels. Online activity exposes kids to risks of being lured into very dangerous health-and-safety situations, and it can expose entire families to health-and-safety and financial risks.

Further, the seminar speaker noted, helicopter parenting – now known as drone parenting – increases risk in the long run. Kids whose parents monitored all of their online activity, including texts, eventually exhibit riskier online behavior. And through their peer groups, they likely have the collective knowledge to make their technology capable of doing things you would never imagine.

With 74% of kids now having smartphones, putting smart technology use in perspective for kids is even more critical because they may be using channels that are not familiar to you, the parent. For example, texting – which grandparents do all the time – is down among teens, while the use of Instagram and Snapchat is up. What do you know about those apps?

Online safety and safer living require a great deal of common sense – both the common sense you exercise as a parent and the common sense you instill in your children. Step into your children’s digital lives without stepping on them. For example, don’t allow them to have phones and tablets in their bedrooms. Do have family discussions about living in a world that relies more and more on connectivity.

The world has always been an exhilarating place even though its context always changes. As the parents of two technologically adept children, my wife and I can relate to every concern any parent would have. As an IT professional, I make it a point to stay on top of every development and how it affects my family. So, call us – 973-433-6676 – or email us with any questions or concerns. Together, we can help your children stay safe online and learn the lessons that will help them avoid high-tech landmines.

Caution is Key to Online Safety

Take a deep breath and Look Before You Click during the holiday season. More scammers, hackers and schemes abound at this time of the year, looking for holes to breach and get critical personal data. Here’s a review of our tried-and-true safety measures.

Watch your email. It’s one of the easiest pathways into your computer and all of your valuable personal data. At this time of the year, scammers and hackers take advantage of harried shoppers, who are likely balancing work and shopping and not paying full attention to all of their email.

Here are some identities a cyber-invader may assume to get inside your computer:

  • Bank or Credit Card Company
    • Do you have an account with that bank or credit card company?
    • Is it really one of their actual email addresses or domains?
    • Does your bank or credit card company normally contact you about this?

Your Best Course of Action: Close the email and go to the bank’s or credit card company’s website to see if there are any alerts that match the email. If you’re still not sure it’s a fake message, get the phone number from the website and call. You can also look at a bank statement or credit card to get a customer-service phone number. Don’t click on any link in a questionable email.

  • Retailer or Shipper
    • Did you actually do business with that retailer?
    • Did you agree to use that shipper when you bought something online?
    • Are you being asked to click on a link?

Your Best Course of Action: Close the email. If you printed a hard copy of your order confirmation, you should be able to see the name of the carrier and a projected shipping date and delivery date and verify the information in the email. For protection, go to the retailer’s website and log in if you have an account. That should provide you with updated information on your order’s status. If the retailer has provided you with a shipper and a tracking number, go to the shipper’s website and enter the tracking number there. If you’re still not sure, call customer service.

  • Charitable Solicitations

Your Best Course of Action: Close the email. If it’s a charity you want to support, find its official website and give a donation there.

  • Email from a Friend in Need

Your Best Course of Action: Close the email. If you really think it’s legit, call your friend or send a new email with a different subject line. If that person is a close enough friend to send money, you should have full contact info – or know a way to get it.

When conducting business online, make sure you give your information over a secure website page. There are a couple of ways to check:

  • The website address begins with https
  • You’ll see a padlock icon in the address bar

Some other precautions to take include:

  • Buy from a large, reputable online or brick-and-mortar merchant. Generally speaking, retailers who work through Amazon or eBay have been vetted and have contact info posted online. If you’re not sure, buy from someone else.
  • Don’t send sensitive personal information by email. It’s too easy for someone to intercept it.
  • If somebody calls you about an account or purchase or charitable donation, you can ask to call that person back – and then go to a website to get a phone number you believe is trustworthy.
  • Make sure your antivirus, spyware, malware and firewall programs are up to date and running.

Above all, Look Before You Click. Make sure you understand exactly where a click will take you and what will be put on your computer. As Michael Conrad’s Sgt. Phil Esterhaus warned TV’s Hill Street Precinct police officers: “Let’s be careful out there.” And if you run into trouble, make your emergency call to us – 973-433-6676 – or send us an email.

Make Cyber Monday a Winner

As sure as the sun will come up, Monday, Dec. 2 – Cyber Monday this year – will be the busiest day of the year for online shopping. There are traps and pitfalls all over the place. Here are some ways to avoid them.

  • If it’s too good to be true… You know that line: “If it’s too good to be true, it probably isn’t.” Have a healthy skepticism about prices, shipping costs, return policies and the rest of the “fine print.”
  • Look for free shipping. There is a lot of competition for your business, and there are many ways for online retailers to put together a deal for you.  Once you start to compare the prices, you’ll find some really low prices and prices that are lower than the average of all the places you’ve shopped. Free shipping can be a real deal maker with all things being equal. With all of the competition and all of the deals, you shouldn’t pay for shipping. Besides, shipping costs are one of those blind items when you buy. A retailer can offer you an unbelievably low price and make a ton of money on the shipping charge.  So, look for a good price with free shipping, and you’ll likely get a better value.
  • Check merchant reviews. I buy a lot of merchandise online and do a lot of research for clients, and reviews hold a lot of weight. I look for places in the middle of a price range, and I look for patterns in recent reviews. Is there a rant or a litany of problems? With the rise of social media, we find ourselves taking the advice of people we’ve never met, so you really need to read reviews carefully and see if there’s anything going on “between the lines.” Don’t be afraid to drill down to satisfy your good or bad impressions. There are severe penalties for fraudulent reviews. If a merchant has a lot of reviews, most of them should be positive – if not glowing. Major chains with a strong Internet presence and good reviews should be your most reliable source.
  • Make sure the item is in stock or available in a reasonable time. If you need to have a product delivered by a specific date, make sure the merchant can make it happen.
  • Read all of the website’s policies carefully. Every merchant should have clear policies about returns and any charges associated with returns. Make sure you understand them and they are acceptable to you. You don’t want to buy something – or give something as a gift – and then find that it’s impossible or next to impossible to return the item or exchange it. If you can’t understand a policy or set of conditions or can’t get straight answers to your questions, buy the product somewhere else.
  • Use a credit card. Credit cards are the only way to have some recourse when you have a dispute with a merchant. When you use a credit card, the credit card company stays in the middle of the transaction. It gives the merchant faster access to the money from your purchase (for a fee) and collects the money from you, collecting interest on unpaid balances. If you have a legitimate complaint, the credit card company has the clout to reverse the transaction – and it also has a vested interest in making sure the merchant conducts business properly. When you use a debit card, the merchant draws the money directly out of your bank account – just like if you paid cash. If you have a dispute with the merchant, you’ll have to fight that battle by yourself.
  • Think about what you’re buying. We discussed a number of points to consider to get the best deal online. You should also pay attention to what you’re buying. We’ll use cameras as an example. Some of you might be thinking about giving somebody a new DSLR. People who really get into the fine art of photography may really appreciate one, but they are likely to be very particular about the camera’s features and capabilities. You might be better off giving that person a point-and-shoot camera if they just want to take pictures and not make pictures bigger than 8 x 10. And, if they just want to take pictures to share immediately online, a better smartphone with built-in camera for stills and videos might do the trick. We’ll be seeing lots of tempting new gadgets, so run your own reality check to make sure whatever you buy is appropriate.
  • Don’t feel pressured. Not sure about something? Wait a day. You might pay a few extra dollars over the Cyber Monday price if you wait a day or two, but you might find it’s worth the peace of mind to make sure that you bought the right product from the right merchant at the right price.

We can help you have a better shopping experience. We buy a lot of products online, and we love looking at all kinds of technology and gadgets. Email or call us – 973-433-6676 – with any questions you have for the holiday season. We want to keep the “happy” in the holiday season.

This article was published in Technology Update, the monthly newsletter from Sterling Rose LLC.