Passwords Becoming Passé

I’m as tired as anyone else when it comes to remembering dozens of arcane passwords for all the websites I need to access. Current and future technology will be able to provide relief and stronger protection. Here’s the lowdown on locking down.

If we’ve learned anything at all from the monthly ransomware reports, electronic “locks” are pickable. We’ve also learned that time is money for hackers when it comes to planting ransomware and other viruses that can make life painful or costly or both.

Operating under the assumption that any electronic barrier can be hurdled in time, you want your defenses to hold out as long as possible – and we’re talking decades. The longer and more complicated the password, the longer it will take password-cracking software to guess it. We all know that when you include uppercase and lowercase letters in combination with numbers and special characters, the time stretches out. Making sure it follows no special pattern – that it’s totally random – adds to the security.

Many theories exist as to how to create a complex, random password that’s easy to remember. One suggestion is to take a phrase or sentence that you can easily remember. Then, take the first or second letter of each word in your phrase and turn some of them into uppercase letters, numbers or special characters in a random order.

I have one password I use for everything, and I am extremely confident its length and complexity will deter hackers. You may find fault that I have only one password, and that would be a valid criticism. If it’s cracked, someone could get into every internet account I have.

You can eliminate the need to remember multiple passwords by using a password manager program. Some are free and some have a nominal cost. Basically, you just need to remember a master password to get into the system. The password manager randomly generates new complex passwords when you visit each site. Yes, you can argue that somebody could crack the password manager’s system. It’s possible, but would you feel more comfortable with $1 million under your mattress or in a vault that’s a half-mile underground, encased in 20 feet of concrete and guarded by a randomly rotated army that’s always being retrained?

You can augment the password manager with two-factor authentication, something we’ve liked and used for years. In many cases, you need to answer a question, and it should be something only you know. Other measures might include answers to randomly generated multiple-choice questions based on publicly available information that can be verified as “right” or “wrong.” No “maybes” allowed.

In the future, passwords will give way to biometrics. The software is there; the hardware needs to catch up. Windows 10’s Hello can handle the biometrics, but most computers don’t have the 3-D cameras needed to use the feature. Some Microsoft Surface tablets have the cameras, and if you are in the right place, it works really well.

Regardless of what technology you use, don’t let your guard down. Don’t buy things or do your banking over a public Wi-Fi network. Use a trusted, secure network or a cellular data network. Make sure the networks you control are secure with up-to-date firewalls and anti-virus and anti-malware software. Make sure all operating systems and firmware are current with all bug fixes and security patches.

Remember that we can help you with all of your internet password and security needs, including choosing and setting up a password manager, setting up two-factor authentication and answering your questions about biometrics systems. Call us – 973-433-6676 – or email us to set up an appointment.

Nomorobo = No More Robo Calls? We Hope It Adds Up

If you’re tired of robo calls and caught in the web of spoofed telephone numbers, Nomorobo might be the app for you. It is for us. It’s one product to help you manage your telephone.

For most of us, robocalls are a major annoyance. Even when you don’t pick up the phone, they ring and ring until your answering machine picks up, and then you need to follow whatever instructions your answering machine provides to get rid of the message.

For many others, however, robocalls are an expensive trap. Scammers posing as IRS agents steal millions every year, despite regular warnings from the real IRS that its agents will never contact you by phone if you owe them money. They send a letter first, and they tell people that if they have questions about whether they owe taxes, they should call the IRS toll-free phone number.

At one time, you could register your phone number with the FCC (Federal Communications Commission) to block robocalls and telemarketers representing companies with which you did not have a relationship. But VOIP (voice over internet protocol) technology made it cheap and easy for scammers operating outside the US to make long-distance calls that look like domestic calls. Essentially, the same technology that gives you a free Google Voice number gives scammers and thieves the ability to reach you under false pretenses. How ridiculous can it get? You can get a call from a device identified as your own phone.

As phone carriers and the FCC went ‘round and ‘round in pointing fingers and passing along suggestions for the “other side,” the logjam broke when the FCC allowed the phone companies to block robocalls. One of the industry’s concerns was that it would block legitimate phone numbers, including those used by emergency-notification organizations.

Here’s where Nomorobo stepped in to fill the breach. It won a $25,000 cash prize from the Federal Trade Commission in 2013 for figuring out how to stop robocalls. The system reroutes calls to your phone number to a service that checks the incoming phone number against a database that whitelists the good guys and blacklists the bad guys. Once you sign up for Nomorobo, you need to wait until the second ring to pick up the phone. Nomorobo uses the first ring to check the incoming number against its database. If you don’t get a second ring, then you know a robocall was blocked.

In a perfect world, good calls, such as those from emergency-related organizations, get through. Of course, the world is not perfect, but it is “trainable.” If a legitimate call is blocked, such as a school-closing notice or a call from a hospital, you can report it at www.nomorobo.com/report under “A Valid Number That Was Blocked Incorrectly” to correct the database. The service won’t block charity calls, but it can block political calls. You can enable or disable this feature by clicking “Edit” next to your number.

Nomorobo is free for landlines, and it supports most carriers. It has an iOS app that costs $1.99 per month, and it plans to have an Android app soon. The company has an online help desk that covers most questions users would have about using its system or deleting it.

Nomorobo has plenty of company in the robo-blocking space, and you might find one you like better. One place to start your search is the CTIA website product listings. CTIA represents many wireless telecom companies in the US. If you have any questions about selecting a call blocker or installing one on a landline or mobile device, we’re here to help. Just call us – 973-433-6676 – or email us.

Who’s Watching? Internal Software and the IoT

Connected homes. Connected cars. Doing more over the internet. The Internet of Things (IoT) is growing faster and faster. And that begs two questions: 1.) Who’s watching? 2.) How do you pull the shades on prying eyes?

The answer to the first question is unnervingly simple: It could be anyone in the world.

The short answer to the second question is: Shore up your security.

As I walked around CES (the Consumer Electronics Show) in Las Vegas last month, I looked at all the devices that are connected to the internet. I thought about all the internal software in those devices – and wondered who’s upgrading that software for security?

Software is at the heart of every device in our house that’s connected – usually wirelessly – to the internet. While we continue to encourage you to change the username and password for every device you have, it’s still possible for hackers to use an open “back door” to get inside the internal software for, let’s say, the camera systems inside and outside your house. We all need to make sure that the companies that provide all these great connected devices are updating their software security. It’s no different than the security patches issued by all software publishers.

In the absence of device manufacturers pushing out software updates, you should make it a habit to visit their websites to see if any updates are available for your products – and to download them and install them right away.

It’s also important to know what’s in your house – even if it’s wired. We visited a house that somebody was buying, and we found a mound of wires in the basement. Not only did the new owners not know what all the wires were connected to, the old owner didn’t know about all of them, either. We found the whole house had been hard-wired, and that there was an old security camera system. We connected all the access points in the house to relieve the pressure on the new Wi-Fi system we installed, and we set up the camera system and made sure it was secure. But had we not been there, nobody would have known how everything was supposed to work and if anything had been exposed to a security breach.

Automobiles, by the way, have internal software, too, and you generally need to visit a dealer to have that checked. It has been demonstrated that hackers can break into certain parts of your car’s computer system and affect your car’s operation. While there’s likely not a widespread benefit that makes economic sense for doing this, you could be an isolated, totally random victim of someone who’s just playing around with the idea of hacking a car.

If you have any questions about the security steps you need to take for your devices, gather all the information you can find about the product and call us – 973-433-6676 – or email us with your questions. If need be, we can help you find the correct software updates or get the information you need to ask the right questions when you contact your device manufacturer.

Network Strength and Costs

With more and more devices in our homes – more than you think – you need to strike a balance between speed and cost. Keeping your network strong and secure is a given, but you should look at what you can hardwire into your gateway to maximize speed and free up wireless capacity for devices and systems that can’t be wired.

Many people have looked to simple solutions such as EERO, which plugs repeaters into power outlets in homes and offices. It’s known as a wireless mesh system, and it’s a technology that hasn’t won us over. The modules are repeaters, and the problem is that each time you repeat, you cut signal strength, and that diminishes the speed of the network to deliver signals to the target computer, TV, tablet or smartphone.

You might think you don’t have that many devices on your network, but you’d be surprised. In our house with four people, we have a dozen computers, tablets and smartphones, several automated systems for the doorbell and for turning on certain lights. We also have a Sonos sound system with seven speakers around the house. I haven’t added in smart TVs, which many households have. Most of them use a USB antenna to connect to their home wireless network, and then people use the wireless network to stream movies and shows – especially if they’ve cut the cord on cable TV.

Depending on your provider, you can get Internet connections ranging from 15 megabits per second (of data transmission) to 1 or 2 gigabits per second. Many users in moderately connected homes have service ranging from 50 to 300 megabits per second (Mbps). The faster the speed, the more data it pushes through per second. However, your TVs, computers and devices on your wireless network may not be getting the full speed you’re paying for because of repeaters and the number of devices using the network at a given time.

You can maximize wireless performance and minimize your Internet costs by hardwiring some computers and smart TVs and then determining how much speed you need to support your wireless devices. Wired computers and TVs will get the full benefit of your connection speed, and you may not need as fast (and expensive) a connection as you think.

To use our house as an example, we have a 150 Mbps connection, and we use it more for downloading large files than for streaming movies and shows. With hard wiring, it works fine. If I doubled the speed to 300 Mbps, it would cost $90 per month more. That’s $1,080 more per year, and I wouldn’t get the full performance because of the wireless penalty.

With smart TVs and streaming becoming more popular, TV manufacturers are heading off potential problems with customer satisfaction by including Ethernet connections in their units. Taking advantage of the hardwiring capability can help you avoid problems elsewhere in your home.

In the office, hardwiring as many components of your system to the network as possible is essential. Hardwiring guarantees your computers and peripherals will work at the speeds you’re paying for, and it will free up wireless capacity for the devices that you must have, such as phones and tablets.

Regardless of whether you have a home or business network, remember that your service speed can be increased or decreased without a visit from a technician. You can see how one connection speed works and then have your provider raise or lower it from their service center.

We can help you by installing the wiring and connecting your equipment. We can also help you analyze your system’s performance to find the right combination of speed and cost. Call us – 973-433-6676 – or email us to set up an appointment to discuss your needs.

Behind Last Month’s Internet Breakdown

We’ve harped for years about the inherent conflict of convenience vs. online security. That conflict reared its ugly head during the distributed denial-of-service attacks, using – maybe – millions of computers to hit some of the world’s largest and most popular e-commerce and news websites.

Investigators have been able to pin part of the cause on hackers using IP addresses commandeered from millions of home devices, commonly called IoT (Internet of Things) – such as interior and exterior security cameras, doorbell and baby monitors, thermostats, etc. – that are increasingly popular with consumers. Too many people install them on their Wi-Fi networks and never bother to change default user names or passwords. That just leaves the door wide open to have their devices hijacked and used for malicious purposes.

From our point of view, it’s what happens when we get lazy and sloppy because we are so tuned into convenience. And, a DDoS attack can be the least consequential problem for you, personally. The hacker can gain control of your device and peek into your house at will – and even change your thermostat settings.

Users are not the only sloppy parties in this turn of events. The device manufacturers share the blame because they don’t require you to reset your user name or password as part of the installation process. After all, they don’t want the blame for your inconvenience, and we think that’s wrong. They can require you to reset user names and passwords as part of the installation process.

You can help prevent these DDoS attacks by making sure you change user names and passwords for the devices during the installation process. You can further protect your privacy by making sure your Wi-Fi network has a good, strong password. Too many people leave the default user name and password on their routers, too.

We should note that businesses, including professional services providers, can be just as lax as home users. We’ve had client systems hacked because their system administrators did not set up stronger log-in credentials.

We strongly urge everyone to have somebody look at their networks and IT systems and procedures once or twice a year. This may not be a comfortable analogy for some people, but even though you brush your teeth and floss every day, you still maintain better health when you visit the dentist once or twice a year for a cleaning and exam.

If you avoid the visit because of expense, it’s costlier – and more painful – to fix the problem instead of preventing it. What would be your cost for system downtime and repairing security breaches? Contact us by phone – 973-433-6676 – or email to find out what our security audit would cover for you and to set it up. In today’s world, you can’t afford to overlook any possible weakness.

Following the Money Conversations

Money is the only reason somebody steals information. Some 70 percent of the emails that lead to information theft are related to either financial institutions, businesses or something that mentions money in the subject line. Another 20 percent are related to espionage, and 5 percent are related to employee grudges. In most cases, curiosity kills your security.

Phishing expeditions are still one of the most effective ways for hackers to get into a computer system, and that’s because people have insatiable curiosity, especially when it comes to money. We’ve told you time and time again to be very careful about the links you click on from within an email. It is so easy for a hacker to mimic the logo of any bank or financial institution and to create an email address that is close enough to the real one that you won’t notice it’s a fake in your haste to check out a great offer or respond to a dire warning.
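As an added example (not from the newsletter), here is a small Python check for the tell-tale mismatches in a lookalike email: a From address whose domain is not the institution’s, a Reply-To that differs from the From domain, and link text that names one site while the link itself goes to another. The bank name, domains and both messages are constructed for the demo.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name (no public-suffix list; enough for this demo)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def mail_domain(address):
    """Domain part of an email address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def phishing_indicators(raw_message, trusted_domain):
    """Return a list of mismatches suggesting the message only imitates trusted_domain."""
    msg = message_from_string(raw_message)
    findings = []

    _name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = mail_domain(from_addr)
    if registrable_domain(from_domain) != trusted_domain:
        findings.append(f"From domain {from_domain!r} is not {trusted_domain!r}")

    _name, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and mail_domain(reply_addr) != from_domain:
        findings.append(f"Reply-To {reply_addr!r} differs from the From domain")

    # Pull every HTML part (single-part messages yield just themselves from walk()).
    html = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            html += part.get_payload(decode=True).decode(charset, errors="replace")
    collector = LinkCollector()
    collector.feed(html)

    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if registrable_domain(host) != trusted_domain:
            findings.append(f"link {href!r} (shown as {text!r}) goes to {host!r}")
        shown = re.search(r"https?://([^/\s]+)", text)  # link text that itself looks like a URL
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            findings.append(f"link text names {shown.group(1)!r} but the link goes to {host!r}")
    return findings


# Constructed sample messages (not real mail); the bank and its domains are made up.
SAMPLE_PHISH = """\
From: "Example Bank Security" <alerts@example-bank-secure.com>
Reply-To: verify@mail-example.net
Subject: Urgent: confirm your account
Content-Type: text/html; charset=utf-8

<html><body><p>We detected unusual activity. Please visit
<a href="http://example-bank-secure.com/login">https://www.example-bank.com/login</a>
to confirm your identity.</p></body></html>
"""

SAMPLE_LEGIT = """\
From: "Example Bank" <alerts@example-bank.com>
Subject: Your statement is ready
Content-Type: text/html; charset=utf-8

<html><body><p>Sign in at <a href="https://www.example-bank.com/">Example Bank</a>.</p></body></html>
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(raw, "example-bank.com"))
```

The imitation message trips all four checks; the genuine one trips none, which is the point of looking before you click.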

So, as we’ve mentioned ad nauseam, your curiosity could open the door to a Trojan horse virus that will enable someone to get into your computer. And once they do that, they can insert themselves into your financial conversations. To whom are you talking about money? Is it your financial advisor? Is it an attorney or a CPA? Is it your bank, credit card company or several merchants? They can identify every single one of them just by looking at your email. After all, you keep thousands of them in your Outlook application or on a website – which they can easily find once they get into your computer.

How will they put your email conversations to work for them? Well, let’s see. There’s your financial advisor, who’s been talking to you about your 401(k). Hmm. That’s good. Bet you have the password for that account stored on your computer. That makes it easy.

But wait, what if you “forgot” your password? The hacker can go to the website with your 401(k) and use your email address to reset the password. If that security is lax – say, for example, there’s no two-factor authentication – the hacker can have your email address routed to his, and now he’s in your account and can clean it out.

Of course, that could be just part of his haul. He knows who your financial advisor is, and maybe their system isn’t 100 percent locked down. You can imagine the fallout.

What if you’re involved in a large business transaction, such as buying a business or even a house? Your attorney may be dealing with a financial institution or two – even through another attorney. Again, a hacker can insert himself in a conversation with any party connected to the money, spoofing your email address or that of anyone involved. And once the hacker is into that next system, it opens more doors.

Just to add to your “watch list” when checking your email, also be wary of somebody sending you updated files that you are not expecting. We have a client who clicked on a PDF and wound up with an infected computer. Fortunately, it caused a major inconvenience more than anything else. Because all of the client’s files were backed up offsite, we had to wipe the computer clean and then find the infected files to delete from the backup. We were able to fully restore everything after that, but it took 18 hours.

So, let’s recap the steps you need to take:

  • Look before you click. Do I get this kind of email message from this sender on a regular basis? Is this an offer that’s too good to be true? Is there anything that looks just the least bit out of the ordinary – even if it’s from a sender I know and trust? Remember, you can always access the sender’s website from your Internet browser instead of the email, or you can pick up the telephone and call a company or a person.
  • If something looks odd even before you open the email, just delete it. I am amazed at how many people let something suspicious just sit there.
  • Don’t conduct financial business or visit password-protected sites while on a public Wi-Fi network. Non-secured networks can be viewed by anyone from anywhere.
  • Be very careful with flash drives. Someone can use one to invade your computer. If you are running a good anti-virus or anti-malware program, it should intercept any external device and give you the option to scan it.
  • Keep your anti-virus and anti-malware software up to date. And make sure they’re both running.

Finally, if you suspect your computer has been infected with a virus, call us immediately at 973-433-6676. We can assess your system and begin the process of restoring its health. If you have any questions about online security, call us or email us. We all have too much at stake.


Two More Tips to Protect Your Money

  1. When you travel by air, don’t just throw your boarding pass in the first trash bin you find in the terminal. The barcode on the pass has a wealth of information, including your frequent flyer account information – and any other personal information in that database – and your itinerary, which can let somebody know how far away from home you are and how long you will be away. If you can’t shred it, tear it into pieces that also separate the barcode and throw them into different trash bins.
  2. Check all of your financial accounts frequently, especially with business bank accounts. When you have a lot of money coming in and going out electronically, that means a lot of bank treasury departments are accessing your account. If you monitor the accounts regularly, you have a much better chance of catching fraudulent activity.

The Firewall is Mightier Than the Electrical Tape

Electronic Peeping Toms are always a concern, and putting a piece of electrical tape over your laptop’s camera lens is one way of drawing the curtains. A better way is to make sure you have a strong firewall activated, strong password protection for your network and the latest anti-virus and anti-malware software running. Here’s your checklist.

  1. Make sure your firewall is activated and that all the software for it is up to date.
  2. Make sure you change the default password on your Wi-Fi network. If we set up your network, we gave you a unique password – one that’s long.
  3. If you are not sure about the security of your network or firewall, you can power down your computer, but the downside to that is that you’ll miss the legitimate updates (which typically include security patches) that come in overnight.
  4. If you install a camera system in your house to monitor selected rooms, change the password for the system, too. This should be a no-brainer, but it’s something a lot of people forget to do. Even the most incompetent hacker can get the default password for any system, so just change it and make it a strong one.

In most cases, networks are infiltrated because people don’t have them secured, and to be honest, having a Peeping Tom see you in your underwear might be the least of your problems. If somebody can hack into your computer’s camera or into your room-monitoring cameras, they likely have gotten into your computer and all the sensitive information you have stored there.

On the flip side, having internal and external cameras – and a system such as Ring to monitor your doors when someone rings your bell – can be a strong deterrent to crime. With all of the secure ways to use the Internet and mobile devices, you can monitor everything about your home from wherever you can connect to the Internet.

We think using firewalls and other technology to secure your cameras works a lot better than a roll of electrical tape. We can help you configure all of the software on your in-home systems and mobile devices to make sure you keep out prying eyes. Contact us by phone – 973-433-6676 – or email to make sure your cameras are secure.

Ransomware Doesn’t Stop with a Payment

If you think paying off a ransom demand to get back files is the end of your experience, you’re wrong. Getting you to cough up a few bucks…well, Bitcoin…is just the start. Ransomware pirates are finding ways besides email to get access to your computer and all of your data – and they’re looking for long-term relationships, too. One tech columnist has sardonically suggested they need good customer service plans. You need a good protection plan.

Let’s start with some basics, which we’ve discussed many times before:

  • Be extremely careful about clicking on links in an email, even if it looks like it comes from someone or an organization you know and trust.
    • Personal email addresses get stolen and spoofed all the time.
    • It’s very easy for someone to recreate a corporate look – such as for your bank – that looks realistic at first glance. (Seriously, does your bank use a Hotmail account?)
  • Install and use anti-virus and anti-malware protection. Make sure you update it, and make sure you update it from a legitimate site (see above).
  • Install all updates from your application software providers (but make sure they’re legit). Most patches and updates cover security issues.
  • Back up your data files to an off-site server or, better yet, store them in the cloud. For an extra precaution, you can store files to portable hard drives, and keep them disconnected when you’re not backing up data.

One of the problems with storing data on a laptop computer, which many people do, is that when it’s stolen, your data can be accessed before any kind of Internet-based program kicks in to wipe your drive clean. All somebody needs to do is remove your hard drive and hook it up to a computer to see what’s on it.

If you have covered all the basics, you now face some new concerns, especially if you store confidential personal, financial or medical information as part of your business. You face additional risks because there is no way for you to control the security steps your customers or clients take. If they leave vulnerabilities, a hacker can use one person’s log-in credentials to see a lot more data than you would ever care to expose.

You can protect your business and data in a number of ways – in addition to the steps listed above:

  • Insist that visitors to your website use newer versions of all browsers. As browsers age, publishers stop supporting them. You don’t want to expose yourself to their vulnerabilities.
  • Encrypt your data and your emails. If you do a lot of email marketing or communicate confidential information, this is a no-brainer. Email services, such as Constant Contact, which we use, build in a number of security measures. Spend the money to take advantage of them; it’s cheaper than taking a financial hit (see below).
  • Check with your insurance agent or carrier to see if E&O covers you for cybersecurity breaches. It may be an extra cost, but remember that insurance companies like to collect premiums, not pay claims. They are motivated to minimize your risk and should work with you.

The back story on these tips starts with a client who has two offices. In the “main” office, nobody uses the Internet. But in the other office, people used a remote desktop to access the system in the main office, and the security was weak. The link was not secure, and the passwords were simple. I was able to hack in using an iPad that still had a SIM card from another country, and the client could not detect that I was in there.

That should be a wake-up call for every small business to install and maintain security systems throughout their information management system. Ransomware pirates are getting more sophisticated in ways they can get into your systems and stay there – which brings up the “customer service” observation from Glenn Fleishman in PC World. Our point is not to scare anyone away from technology. Every advance – from the bicycle to space travel – has a risk-reward component, and we all know the rewards are great when we follow the proper precautions.

We’d like to leave you with three steps to take right now:

  1. Encrypt all data
  2. Never send passwords in an open email
  3. Look before you click – disguises are getting better and more numerous

Sterling Rose can help you design, install and maintain a cybersecurity program. Contact us by phone – 973-433-6676 – or email us to make an appointment to discuss your needs.

Protection in the Third-Party World

The reliance on third-party providers for so many data servers continues to grow. That increases your dependence on other people’s diligence, and it increases your responsibility to be more vigilant.

“NJ Biz” recently devoted a series of articles to many aspects of online safety and protection, and one of them focused on issues we’ve been discussing: verifying the integrity of third-party providers and two-factor authentication. Third-party providers are being used more and more by businesses of all types because they can scale up faster and more economically to handle any number of users from any number of locations.

However, you need to rely on those providers to protect your data, and according to Jonathan Dambrot, CEO and co-founder of Prevalent, a Warren-based IT security, compliance and third-party risk management service provider, the security environment is far from ideal. In one of the “NJ Biz” articles, he says: “Depending on who you talk to, between 40 to 80 percent of all data breaches are happening at third-party vendors, because that is where most of the data is. People are focusing on third-party data security risks because criminals are going after the data where it resides.”

If a provider has weak security, it can be more vulnerable to an attack by hackers. But government and industry leaders are getting together to help you. Last December, Congress passed The Cybersecurity Act of 2015 to encourage companies to share with the government and each other technical details of hacking threats. This regulation reflects a growing acceptance of collaboration as a way to access data security threat intelligence and enforce vendor compliance.

It’s the latest of several early steps in a fluid regulatory process.

“Regulators have put controls in place over the last two-and-a-half to three years, and there is a combination of reasons why third-party or downstream risk has become really important to people as they look at their cybersecurity,” Dambrot said. “Third-party vendor and business associate risk has really changed as vendor services have changed. Years ago, people weren’t talking about cloud usage as much as they are today, and so, regulators will continue to change the wording to match the way data is handled.”

This collaborative effort, however, doesn’t get you off the hook. On the contrary, you need to do more. Two other articles we recently came across expand on two security matters we discussed last month: two-factor authentication and asking the right questions of any data-services provider.

Rather than re-explain some of the more effective ways to use two-factor authentication (2FA), we can refer you to a recent post by Ed Bott on ZDNet. There are many options available, including apps you can download to your mobile devices.

As he asks, “How much are your private communications worth? How about your reputation? Your bank account? Your identity?”

We know they are priceless to us but have great value on the black market. With 2FA enabled for a cloud service, any attempt to sign in on an unrecognized device might require you to enter a secret code that’s either received as a text message or generated by an authenticator app on your previously registered smartphone.

“Depending on the service, entering a code might automatically establish the current device as trusted, or you might be given the option to trust the current device,” he writes. “If this is your new computer or tablet (or a new browser), and you have this option you should say yes. When you’re signing in on a device you don’t control, you shouldn’t allow it on your trusted list. One way to make sure that the device isn’t marked as trusted is to use a browser in private mode (aka incognito in Chrome). If a bad guy manages to steal your credentials for an account that’s protected by 2FA, he’s unable to do any damage. Because he is signing in on an unrecognized device, he’s required to provide a second form of authentication. Without access to your trusted device, he can’t authenticate himself and can’t go any further.”
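To make the mechanics above concrete, here is an added example (not code from this newsletter, from Ed Bott, or from any particular cloud service) that models the sign-in flow just described: an unrecognized device is challenged for a code from an authenticator app, the code is checked against the time-based one-time password standard (RFC 6238 TOTP, which is what most authenticator apps generate), and the device is only added to the trusted list if the user chooses to trust it. The secret key is the RFC 6238 test-vector key, used here purely as constructed demo data; the class and function names (`TwoFactorLogin`, `verify_totp`, `hotp`, `totp`) are this example's own and assume the password has already been verified by an earlier step.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo secret: the RFC 6238 test-vector key (ASCII "12345678901234567890").
# A real service generates a random per-user secret and never exposes it in logs.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, at: int,
                step: int = 30, window: int = 1) -> Optional[int]:
    """Return the time-step counter whose code matches, or None.

    Accepts one step either side of 'now' so a slightly skewed phone clock still works.
    hmac.compare_digest keeps the comparison constant-time so a timing side channel
    cannot reveal how many digits were right.
    """
    for drift in range(-window, window + 1):
        counter = (at + drift * step) // step
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None


class TwoFactorLogin:
    """Constructed model of a service that challenges sign-ins from unrecognized devices."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.trusted = set()            # device ids the user explicitly chose to trust
        self.accepted_counters = set()  # time steps whose code was already used (anti-replay)

    def sign_in(self, device_id: str, code: Optional[str], trust_device: bool,
                now: Optional[int] = None) -> str:
        """Returns 'ok', 'challenge' (second factor required) or 'denied'.

        Assumption: the password was already verified before this is called.
        """
        now = int(time.time()) if now is None else now
        if device_id in self.trusted:
            return "ok"                 # recognized device: no second factor needed
        if code is None:
            return "challenge"          # stolen password alone gets no further than this
        counter = verify_totp(self.secret, code, now)
        if counter is None or counter in self.accepted_counters:
            return "denied"             # wrong code, or a code replayed within its window
        self.accepted_counters.add(counter)
        if trust_device:                # the "trust this device?" prompt Bott describes;
            self.trusted.add(device_id)  # a private/incognito session would answer no
        return "ok"


if __name__ == "__main__":
    svc = TwoFactorLogin(DEMO_SECRET)
    t = 59  # fixed timestamp so the output is reproducible
    print(svc.sign_in("new-laptop", None, False, t))              # challenge
    print(svc.sign_in("new-laptop", totp(DEMO_SECRET, t), True, t))  # ok, device now trusted
    print(svc.sign_in("new-laptop", None, False, t + 600))        # ok, no code needed
    print(svc.sign_in("unknown-pc", None, False, t + 600))        # challenge
```

Two details matter for anyone building or evaluating such a flow: the acceptance window should be small (one step either side) so a captured code is only useful for about a minute, and a code that has already been accepted must be rejected if it is submitted again inside that window, which is what `accepted_counters` enforces.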

There are many variations on that theme, and we can help you find one or two 2FA programs that can best meet your needs and comfort level with your devices. But you need to be sure the data center that houses your information has all the right policies and procedures in place, too.

Services provider vXchange, which estimates some 78 percent of work-related data will be on the cloud by 2018, has a list of 10 questions you should ask your next data center manager, and we suggest you read them to get an idea of what’s at stake. They’re questions we ask of ourselves and our provider to minimize your risk and ours.

While you don’t get total control of your data, you will have a much better grasp of the possible risks and the steps you can take to maximize your protection.

As your trusted IT service provider and advocate, we have 2FA techniques we prefer and providers with which we have established relationships. We can answer your questions and address your specific concerns in selecting and installing 2FA programs, and we can help you select and vet data centers. Call us – 973-433-6676 – or email us to set up an appointment to discuss your specifics.

How Does Your IT Consultant Handle Your Info?

Today’s interconnected world is an interdependent world. No matter how many precautions you take to protect your data’s security, technology forces you to depend on other people being as diligent about protection as you are. You don’t have a lot of control over the weakest link in your online chain. But asking how your IT consultant handles your information can help you gain better control where it’s possible.

So, here’s the question you need to ask: How do you handle my information, including your access to my systems?

And, here’s the discussion that needs to follow:

Your IT consultant must follow the strictest protocols available to protect all the information you provide. This includes access to your servers, routers (including repeaters or boosters for Wi-Fi networks) and computers that store your information or have access to wherever you store information.

An individual provider, such as Sterling Rose, can handle your data security differently from a large support organization. It’s not that one type of provider is better for a particular client; it’s more a matter of tailoring protection procedures to meet real-world needs and being diligent about following them.

We can keep all of our clients’ information in one place that can be accessed by only one person, and that helps us build a strong wall around (and roof over) the user names and passwords for your systems. With the ability to securely access the information from a desktop computer or mobile device, we can service a client from anywhere.

We protect that information in a number of ways. These are just a few of them:

  • We regularly use two-factor authentication, which requires more than just a password. Every two-factor system has its own set of additional requirements, but the net result is that a hacker or robotic system cannot provide the necessary response. (We’re sure somebody is hard at work to defeat two-factor authentication, but right now, it works.)
  • We use long, complex passwords with upper- and lower-case letters, numbers and special characters. Those are always impossible to crack using the latest available algorithms – at least for now.
  • We use systems that require us to re-log in every 14 days and change our passwords and authentication information. It’s a major inconvenience for us, but it’s much more convenient than having to explain why we need to react to a security breach.

A larger IT service provider with multiple technicians available to service a client can also store information securely in one place, but all the technicians need to access it. Some questions you should ask include:

  • Where do you store my information?
  • How do technicians access my information?
  • What protocols do you follow for user names, passwords and other authentication?
  • Are you notified when my information is accessed, and are you able to track who accessed it?

Your IT consultant must be able to advise you on the best security measures to take within your own organization. They should be able to help you design and install a set of procedures for any point at which information is accessed, such as:

  • Accessing specific files or categories of files from within your office or offices that are stored on your own server or on a server hosted by a third party (a cloud provider)
  • Accessing that information from a remote location, such as a home office, where you can install and monitor security measures
  • Accessing that information from a remote location, such as a customer’s place of business or a public place, such as a coffee shop or airport, where you cannot verify the security of a network.

You may also need to set up encrypted email, which we did for an insurance business. Our client reasoned that while they can control exchanges with their clients, they cannot control what happens when their clients communicate with others. Our client needed to be able to show that their security measures would stand up to an outside audit.

If you have any questions about how we handle your information, feel free to contact us at any time by email or phone – 973-433-6676. We would be more than happy to review our policies and procedures in general and for your information in particular. We can also help you develop and implement a security program for your business – or home – system.