by Felicien | Oct 19, 2018 | Education
Everyone makes foolish mistakes. You’ve done it, I’ve done it, and it’s all part of being human. But when the mistake touches your IT security, consider what a moment of carelessness can cost your organization: a computer compromised, or sensitive data leaked, because a password was easy to guess. Luckily, these problems don’t have to become a common occurrence, and most of them are easy to fix.
What Are The Eight Foolish IT Security Mistakes to Avoid?
In no particular order, we’ve created a list of the most common IT security mistakes technicians see regularly. Also included are their recommendations to fix and avoid making the same mistakes again.
Mistake #1 – Using a weak password or not having one at all
Even with all the security warnings repeated continuously, people keep choosing passwords that are easy to remember, and reusing the same one everywhere. It could be a birth date, the word “password,” a family pet’s name, or the number sequence 1-2-3-4-5-6. Then there are the individuals who decide they don’t want a password at all, or that they’ll set one later, but later never comes.
Recommendation: Use a password manager. Its built-in generator creates a long, random password in seconds, it stores that password so you never have to memorize it, and it makes it practical to use a different password for every account, so one leaked password doesn’t open all of them. Products currently on the market include Dashlane, Keeper Password Manager, Password Boss, LastPass, and Sticky Password.
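As an added illustration (not part of the original post, and not code from any of the products named above), the following Python script shows what a password generator does under the hood: it draws characters from the operating system’s cryptographic random source rather than from a predictable generator, estimates how many bits of guessing work the result represents, and screens for the weak choices described above. The COMMON_PASSWORDS set and the WORDS list are small constructed stand-ins for a real breached-password list and a real wordlist; the 12-character minimum and the four-character run length are illustrative policy choices.

```python
import math
import secrets
import string
from typing import Sequence

# Constructed stand-in for a real breached-password list (the top-N of a public dump).
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "letmein", "admin", "welcome"}

# Constructed stand-in for a Diceware-style wordlist; a real one has thousands of entries.
WORDS = ["anchor", "basil", "cobalt", "dune", "ember", "falcon", "granite", "harbor"]

FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for `length` symbols chosen uniformly from `alphabet_size` symbols.

    20 symbols from 94 gives about 131 bits. A birth date or pet name gives almost
    none, because an attacker's guess list already contains it.
    """
    return length * math.log2(alphabet_size)


def has_sequential_run(pw: str, run: int = 4) -> bool:
    """True if `run` adjacent characters step by exactly +1 or -1, e.g. '1234' or 'dcba'."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        steps = {codes[j + 1] - codes[j] for j in range(i, i + run - 1)}
        if steps in ({1}, {-1}):
            return True
    return False


def is_weak(pw: str) -> bool:
    """Cheap screen for the mistakes named above: known-bad, short, digits-only, sequences, repeats."""
    lowered = pw.lower()
    return (
        lowered in COMMON_PASSWORDS
        or len(pw) < 12
        or pw.isdigit()
        or has_sequential_run(pw)
        or len(set(lowered)) <= 2
    )


def generate_password(length: int = 20, alphabet: str = FULL_ALPHABET) -> str:
    """Random password from the OS CSPRNG via `secrets` (never random.random()).

    Rejection-samples until all four character classes appear and is_weak() passes,
    so the output also satisfies typical 'upper, lower, digit, symbol' policies.
    """
    if length < 12:
        raise ValueError("use at least 12 characters")
    classes = (str.islower, str.isupper, str.isdigit, lambda c: c in string.punctuation)
    if not all(any(test(c) for c in alphabet) for test in classes):
        raise ValueError("alphabet must contain lower, upper, digit and symbol characters")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(test(c) for c in pw) for test in classes) and not is_weak(pw):
            return pw


def generate_passphrase(wordlist: Sequence[str] = WORDS, n_words: int = 5, sep: str = "-") -> str:
    """Diceware-style passphrase: n_words drawn uniformly, with replacement, from wordlist."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"{entropy_bits(len(pw), len(FULL_ALPHABET)):.0f} bits")
    phrase = generate_passphrase()
    print(phrase, f"{entropy_bits(5, len(WORDS)):.0f} bits (tiny wordlist; use 7776+ words in practice)")
    for candidate in ("123456", "password", "Fluffy2018", pw):
        print(f"{candidate!r}: {'WEAK' if is_weak(candidate) else 'ok'}")
```

The entropy figure is the point worth taking away: a 20-character password from the full keyboard is around 131 bits, while five words from the tiny constructed list here is only 15 bits, which is why real passphrase generators use lists of several thousand words.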
Mistake #2 – Writing passwords on sticky notes or slips of paper
This mistake follows from the previous one. A password written on paper is available to anyone who picks the paper up, and it is common to jot passwords down on a scrap of paper, or worse, on a sticky note attached to the back of the monitor. In all reality, why do that? It’s as if you had no password at all, because everyone knows where you stuck it.
Recommendation: Stop writing your passwords down on paper. Use a password manager instead; the same products apply here: Dashlane, Keeper Password Manager, Password Boss, LastPass, and Sticky Password.
Mistake #3 – Refusing to install antivirus protection or disabling it for faster computer speed
There continues to be a belief that antivirus software is not needed, especially among individuals and companies that use Apple/Mac devices, but this is simply not true. Yes, it can be frustrating when a scan slows your computer down, but disabling protection for speed leaves the machine exposed.
Recommendation: Choose an antivirus product that won’t noticeably slow your computer, and leave it turned on. Products currently on the market include Avast, AVG, Kaspersky, Bitdefender, and Check Point ZoneAlarm.
Mistake #4 – Taking unnecessary risks with email and blindly trusting the sender
This mistake includes opening email attachments from unknown senders, or worse, replying to them and sharing highly sensitive information such as credit card numbers or passwords. Opening an attachment from a sender you don’t know leaves you wide open to malware or a compromised computer. Be mindful when sharing personal information: doing so can expose you, your business, and your clients’ information to identity theft.
Recommendation: From this point forward, never send sensitive information or data in an email. Use a tool like Google Drive instead, and share the file as a link that requires the recipient to sign in before they can open it. Share it with the specific recipient’s account rather than with “anyone with the link,” or the link itself becomes the secret.
Mistake #5 – Walking away from your computer and not locking the screen
An unattended, unlocked computer continues to be an overlooked risk. When you get up and walk away, who has noticed, and could they sit down at your account? What if the tabs you left open in your browser were your online banking or your company’s bookkeeping system? An open, unlocked screen gives anyone who passes by full access.
Recommendation: Always lock your computer before leaving it. On most keyboards you will see the Microsoft Windows key; hold it down and press “L”, and the screen locks instantly. You can also set your computer to lock automatically after a short period of inactivity (one, five, or ten minutes).
Mistake #6 – Not installing the application and operating system patches or updates on time
Operating system and application updates are crucial in protecting your computer from evolving threats; most patches close known security holes. Next time, before you hit the “not now” or “ask me later” button, reconsider.
Recommendation: Install updates and patches as soon as you are prompted. Better yet, turn on automatic updates and, at least once a week, deliberately check that nothing is still pending. If you’re unsure where to begin, contact us or send us an email and we will help you.
Mistake #7 – Putting off having a reliable, stable, and well-tested cloud storage backup
It’s going to happen. Servers will fail, and computers will crash. It’s not if, but when. Ignoring the lifeline that cloud backup offers is like signing a death warrant for your files. Hacking is not the only reason servers go down; age, fire, flooding, and natural disasters are everyday occurrences.
Recommendation: Seek out an IT company that hosts cloud storage services or partners with a large cloud computing vendor. Take the time to read and understand the SLA they present to you before you sign their contract, and test a restore regularly: a backup you have never restored from is not one you can rely on.
Mistake #8 – Allowing personnel who are untrained or not certified to secure your IT systems
Unfortunately, employees are the most significant security threat a business faces. Most of the time it is not intentional; human error and lack of training cause the problems. It may seem convenient to hand the job to whoever is available, but not everyone is an IT expert or specialist. IT security has many moving parts, and if one piece isn’t set up correctly, your system remains vulnerable.
Recommendation: Allow your employees to do what you hired them to do. But when it comes to your IT system, consider hiring an outside IT services provider.
Did you find this article informative? If you liked this one, check out our other content we think you’ll find interesting.
by Felicien | Oct 19, 2018 | Education
Read the following alert before charging your phone tonight, and keep it in mind from this day forward. According to a PSA the Newton, New Hampshire, fire department posted on social media, charging a phone in bed poses a serious fire and safety risk to you and your loved ones. Think twice before charging your tablet or smartphone in bed again.
What the Newton fire department shared is quite literally a wake-up call
The Newton Fire Department, in Newton, New Hampshire, shared a photo showing burned sheets and pillows next to a device charger’s cord. If the picture seems scary, that is the point. If a child or teenager sleeps next to a charging phone, this can happen without warning, putting them in grave danger.
According to the fire department, a home fire is reported in the U.S. every 86 seconds. They also cited recent research indicating that over 50 percent of children and teenagers charge their tablet or phone under their pillow. When you consider that everyday habit, you have to ask, “where does the heat go if the phone is covered up?”
If the heat from the charger and phone can’t dissipate, the cord, charger, and device get hotter, eventually too hot to touch. If they are under a pillow, the pillow, the mattress, and the entire bed can catch fire, and the whole house can go up in flames, putting every family member in danger.
Should we be concerned, isn’t this an isolated situation?
Unfortunately, it isn’t. It continues happening.
It wasn’t that long ago that a 10-year-old boy in Northern Ireland woke up in shock. He had been charging his new phone in his bedroom overnight. What woke him was the smell of smoke: his iPhone sat burning on his bed. The phone had overheated and was severely singed. Fortunately, the fire did not spread.
Then there’s the incident in which the family of a 15-year-old girl from Wales had to flee their home. They were not as lucky. The girl’s iPhone overheated while resting on the bedding; the bed quickly caught fire and the fire spread through the home. Fortunately, no one was hurt, but it took six months before the family could return, due to the extensive fire damage.
But this isn’t only about children and teenagers who leave their tablets or phones charging overnight. Take the Alabama man in his 30s who nearly lost his life to an electric shock after he fell asleep with his cell phone charging next to him in bed.
As he slept, the charger cable disconnected from the phone. In the morning he rolled over, and the military dog tags around his neck caught on the exposed prongs of the still-plugged-in charger. The dog tags acted as a conductor, and the current traveled straight to his neck. Strips of skin were missing from his neck, and his shirt was singed where the metal necklace had burned his throat.
What should you know moving forward?
The 2017 Hartford Home Fire Index rates charging your phone on your bed overnight as a “high risk” behavior, comparable to leaving a candle burning unattended or leaving the stove on after cooking.
Research published by the American Medical Association in its peer-reviewed journal JAMA Pediatrics found that roughly 89 percent of teens and 72 percent of children have at least one device, tablet, or phone in their “sleep environment,” and quite often use it just before bedtime.
“The distinctly possible result is that the pillow or bed or both will catch fire,” the Newton fire department added. “This places the child or teen, as well as everyone else in the home in grave danger.”
What should you start doing today?
To quote Stuart Millington, senior fire safety manager at North Wales Fire and Rescue Service: “Turn chargers off. Unplug them before you go to bed.” His warning came after a similar incident in which a phone caught fire while charging under a pillow in a North Wales family home. “Never leave items unattended or charging for long periods of time.”
If you are a parent or grandparent, warn your kids and grandchildren about the dangers of sleeping next to a charging tablet or phone. Also, look at where device chargers are plugged in, and if the spot is not suitable, set up a designated charging zone in your home for all devices.
by Felicien | Oct 18, 2018 | Education
Perhaps the space is no longer large enough for your growing business. Maybe it’s antiquated and no longer feels appropriate. Whatever the reason an office moves to a new building, relocating is a large undertaking. Unfortunately, in many offices the IT-related aspects of the move are overlooked until the last minute. This can be disastrous.
Improper planning can result in lost data or broken equipment. It could cause interruptions in service. This might mean lost clients, which of course would equal lost money.
Fortunately, it is not difficult to do this right. It does, however, take adequate notice. This is often longer than one would anticipate. Usually, it requires at least 60 days. It also helps to have a good plan and consistently follow through. Here are a few other things to consider before relocating.
How Should an Office Plan for the Move?
The first step would be to determine who will act as the internal manager of the relocation. This should include someone on the staff who is familiar with the office. In a small business, he or she might coordinate the entire project alone.
For larger establishments, however, it would be wise to hire a professional Managed Services Provider. They are more experienced with delicate relocations and can help lead the internal manager in the process.
Next, inform all Internet and telecom providers of the coming move. Service agreements often require a certain amount of notice, and early notice is what prevents an interruption in service.
When Is an IT Evaluation of the New Space Conducted?
Ideally, IT needs would be considered when initially choosing the location. This is not always realistic: there are many aspects to weigh when selecting a new office space, including the demographics of the area, accessibility, image, and the history of the site. IT needs too often become an afterthought, important as they are.
Typically, an evaluation of the new space will be conducted during the planning phase of the actual move. It would be done with or by the project manager or Managed Services Provider. If the office has one, the head of the IT department should be involved as well.
There are several things that should be evaluated to ensure the move goes as smoothly as possible. These include, but are not limited to, the following:
Cabling for computers, telephones, and security cameras
Power outlets of adequate number and in optimal locations
Wireless networking capability
Each room should be checked. Any of the above that are subpar will need to be addressed. This would ideally occur before the move itself.
How Should an Inventory Be Done?
The IT needs of most offices are evolving. Before moving it all, it would be advisable to take an inventory and evaluate the existing equipment. Begin by determining what is no longer needed. It is better to responsibly recycle it than move it to the new location.
Next check the condition of each remaining piece of equipment. Make a list of anything that is worn or outdated. Decide how to dispose of them rather than pack them. Order replacements so there is no interruption once the move has been made.
As the business world continues to embrace IT, this is the perfect time to assess current trends. It is also a good idea to look to the future and ensure any new equipment purchased is flexible enough to adapt.
Make a hardcopy list of every piece of equipment being moved to the new office space.
Have Disaster Recovery and Business Continuity Plans Been Developed?
Failing to have a Disaster Recovery Plan and a Business Continuity Plan in place before a move could be devastating to your business. It is also essential to make several backups of everything important, including files, data systems, security systems, and servers, and to verify that they restore correctly before any equipment is unplugged. Keep these backups separate and in a safe place during the move. If you’re already working with a managed IT services provider, they will take care of this for you. They can also handle much of the move as far as your IT infrastructure goes.
Lists should be made of the important information required for the successful implementation of the Business Continuity Plan. A few items to include are:
Business priorities
Inventory of all equipment
Emergency contact information for IT vendors
Plan for switching phone lines and internet connections
This improves the likelihood that the office will be able to resume business with as little delay as possible. If you have a good relationship with a managed IT service provider, they may be able to move your networking and computing equipment and get everything back up and running in a day or so.
In Conclusion
When it comes to the day of the move, everything should have already been planned. This ensures the smoothest transition. For offices that do not have an onsite IT team, hiring a professional IT-relocation company would be a good idea. The internal manager or Managed Services Provider would be responsible for making important decisions. With proper planning, the actual move to the new location should be much easier.
by Felicien | Oct 18, 2018 | Education
A recent report has revealed that there are many US weapons systems that are susceptible to hackers. This news is disturbing on many levels, including the attitude exhibited by Department of Defense officials. What does the report reveal, and how serious is the threat?
GAO Report
The US Government Accountability Office (GAO) has just released a report revealing that nearly all of the weapons systems the Department of Defense (DoD) operationally tested between 2012 and 2017 had vulnerabilities leaving them open to cyber attack. Many of these vulnerabilities were rated mission critical, which makes the news all the more serious. The report was requested by the Senate Armed Services Committee in connection with expected DoD spending of more than $1 trillion to develop weapons systems.
Examples of Weaknesses Detected
The vulnerabilities were discovered through penetration tests performed by DoD’s own testers. In one example, a tester partially shut down a weapons system merely by scanning it. In another, it took the testers only nine seconds to guess an administrator password. Several findings came down to default passwords that were never changed on open-source or third-party software installed on the systems.
The testers made no effort to hide their presence, yet the systems had a difficult time detecting them. These systems should have been able to detect intruders and alert those in charge. A few of the automated defenses did detect the testers and alerted the operators monitoring the systems. However, in an even more disturbing turn, those operators did not seem to understand what the intrusion alert meant, and took no action.
Failure to Take Basic Cybersecurity Precautions
What makes this report distressing is that many of these potential open doors exist in part because of a failure to follow basic cybersecurity rules. Guidelines such as the use of encryption, robust passwords, and basic employee training are foundational to a security system. Because such guidelines have been neglected, hackers equipped with even simple techniques and tools would be able to not only take control of key systems associated with these weapons but do so almost undetected. What could a skilled hacker with the latest tools accomplish inside such a poorly secured system?
Is There a Valid Reason for the Lack of Concern?
The subtitle of this GAO report was “DoD Just Beginning to Grapple with Scale of Vulnerabilities.” Surprisingly, those in charge of such systems do not seem very concerned about these susceptibilities, perhaps because they feel the GAO is exaggerating the seriousness of the problems discovered. For example, the report does remind readers that some of the findings may no longer be a problem once a system is deployed in the field.
In addition, these officials have indicated that they believe their systems are well secured. The authors of the report, however, strongly imply that there is a disconnect between what these officials believe and the reality.
Another possible cause of the DoD’s lack of concern is the belief that the types of tests that were run would be practically impossible for any system to pass. The GAO, however, insists that the tests were not extreme and represented realistic threats to these critical systems.
The DoD may also be resting on its laurels: it received praise last year for a bug-bounty program that led to many different bugs being patched. On the other hand, the GAO report points out that only one of 20 vulnerabilities discovered in previous risk assessments had been fixed by the time the report was written.
Implications of the Report
One of the implications of the report is that a number of US weapons systems could be susceptible to a disabling cyber attack. Considering that so many adversaries of the United States have established reputations for extremely talented hackers, this is all the more disconcerting. And hackers are not subject to the same constraints as DoD penetration testers. Malicious actors may well have access to funding, state-of-the-art equipment, and would intentionally keep their activities hidden.
Another implication of the GAO report is that their testing merely revealed the proverbial “tip of the iceberg” when it comes to vulnerabilities that exist in US weapons systems. The penetration tests performed were far from exhaustive. For example, categories that were not tested included potential weaknesses related to counterfeit parts or industrial control systems.
Conclusion
The incidence of cyber attacks is on the rise, and the techniques and tools available to malicious actors are continuously evolving. It makes sense that the security of a nation’s existing weapons systems should be a very high priority. The revelations of the GAO’s report are disturbing, yet there is hope that the DoD will respond to the vulnerabilities discovered.
by Felicien | Oct 17, 2018 | Education
On November 1, updates to the Personal Information Protection and Electronic Documents Act (PIPEDA) take effect. Included in these updates are rules requiring mandatory notification of the Office of the Privacy Commissioner of Canada (and of affected individuals) when certain breaches of personal information occur. Considering the repercussions of a failure to report, including fines and legal fees, Canadian companies would be wise to address their data security issues as soon as possible.
Personal Information Protection and Electronic Documents Act
The Canadian government is cracking down on negligent handling of individuals’ personal information. Any breach of personal data that creates a real risk of significant harm, such as financial loss, humiliation, identity theft, damage to relationships, or loss of reputation, must be reported. Notification must go not only to the Office of the Privacy Commissioner of Canada but also to the individuals affected by the breach. These rules are going to be enforced, and Canadian organizations need to be well acquainted with them.
Breaches Are on the Rise – But So Is
Considering that data breaches, hacking, and other types of cyber crimes are on the rise, organizations should be paying closer attention than ever to their privacy practices. When large corporations like LinkedIn, Facebook, and Equifax suffer from breaches, one would think that companies would be even more diligent about their cybersecurity. However, it seems that the effect has been the opposite.
Recent surveys by the Privacy Commissioner’s Office indicate that far too many businesses are simply not concerned enough with preventing and responding to breaches. Companies seem to have grown more complacent, content with poor password policies, with employees falling victim to social engineering, and having their servers compromised by malware. Phishing emails, drive-by downloads, ransomware, and data theft are all serious problems, but organizations don’t seem to be extremely concerned.
Every organization that uses personal information is at serious risk, though. There are already billions of passwords that have been stolen across the world. Many of them are up for sale along with other private information, on the Dark Web. Cybercrime is reaching epidemic levels, and it makes sense for companies to be much more vigilant.
And the targets are not just large, well-known companies. More and more small to medium businesses are becoming victims of attacks, including ransomware, data theft, and even industrial espionage. In short, no organization is safe from security breaches – and the federal regulations regarding these breaches are the same for both small and large businesses.
Breach Response Plans
These plans are something that exists before the breach ever happens, not after one has occurred. Breach response plans must be developed to comply with federal privacy practices, including mandatory notifications for personal data that has been compromised. In addition, these plans must be updated as regulations are updated. It not only takes time to develop a robust breach response plan, but it also requires experience.
Breach Detection
Breaches must be detected quickly to minimize damage. Detection, however, requires systems and tools that intelligently sort through logs and events, and special security skills to investigate an alert effectively and contain the damage. Tracking down how a breach happened requires forensic skills.
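As an added example (not from the original article, and not tied to any particular product), here is the kind of logic a detection pipeline runs over authentication logs. It parses OpenSSH-style sshd lines, keeps a sliding window of failed logins per source address, raises a medium alert for a brute-force or password-spraying burst, and raises a high alert when a login succeeds from an address that is still inside such a burst, which is the event that turns a noisy scan into a confirmed compromise. The log lines are constructed (addresses are from RFC 5737 documentation ranges), the year is assumed to be 2018 because syslog omits it, and the threshold and window are illustrative tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample in OpenSSH's syslog format. Not real logs.
SAMPLE_LOG = """\
Oct 17 14:02:01 web01 sshd[4021]: Failed password for admin from 203.0.113.5 port 51324 ssh2
Oct 17 14:02:03 web01 sshd[4023]: Failed password for admin from 203.0.113.5 port 51325 ssh2
Oct 17 14:02:04 web01 sshd[4025]: Failed password for admin from 203.0.113.5 port 51326 ssh2
Oct 17 14:02:06 web01 sshd[4027]: Failed password for admin from 203.0.113.5 port 51327 ssh2
Oct 17 14:02:07 web01 sshd[4029]: Failed password for admin from 203.0.113.5 port 51328 ssh2
Oct 17 14:02:09 web01 sshd[4031]: Failed password for admin from 203.0.113.5 port 51329 ssh2
Oct 17 14:02:10 web01 sshd[4033]: Accepted password for admin from 203.0.113.5 port 51330 ssh2
Oct 17 14:05:12 web01 sshd[4101]: Failed password for alice from 198.51.100.23 port 40210 ssh2
Oct 17 14:05:20 web01 sshd[4103]: Accepted password for alice from 198.51.100.23 port 40211 ssh2
Oct 17 14:09:00 web01 sshd[4201]: Failed password for root from 192.0.2.77 port 33001 ssh2
Oct 17 14:09:01 web01 sshd[4203]: Failed password for invalid user oracle from 192.0.2.77 port 33002 ssh2
Oct 17 14:09:02 web01 sshd[4205]: Failed password for invalid user postgres from 192.0.2.77 port 33003 ssh2
Oct 17 14:09:03 web01 sshd[4207]: Failed password for invalid user test from 192.0.2.77 port 33004 ssh2
Oct 17 14:09:04 web01 sshd[4209]: Failed password for invalid user guest from 192.0.2.77 port 33005 ssh2
Oct 17 14:20:00 web01 sshd[4301]: Failed password for bob from 198.51.100.23 port 40300 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_line(line: str, year: int = 2018) -> Optional[Dict]:
    """Parse one sshd auth line. Syslog omits the year, so the caller supplies it (assumed 2018)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unrelated line (cron, kernel, ...): skip it rather than crash the pipeline
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_auth_abuse(log_text: str, threshold: int = 5,
                      window: timedelta = timedelta(minutes=2)) -> List[Dict]:
    """Sliding-window detector keyed on source IP.

    medium: `threshold` failures from one IP inside `window`; labelled password spraying
            when those failures span `threshold` or more distinct usernames.
    high:   an Accepted login from an IP whose window still holds a full burst.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    recent_failures: Dict[str, List[Dict]] = defaultdict(list)
    alerts: List[Dict] = []
    for ev in events:
        bucket = recent_failures[ev["ip"]]
        bucket[:] = [f for f in bucket if ev["ts"] - f["ts"] <= window]  # expire old failures
        if ev["result"] == "Failed":
            bucket.append(ev)
            if len(bucket) == threshold:  # fire once, when the threshold is first crossed
                users = sorted({f["user"] for f in bucket})
                kind = "password spraying" if len(users) >= threshold else "brute force"
                alerts.append({
                    "severity": "medium", "ip": ev["ip"], "at": ev["ts"], "users": users,
                    "reason": f"{kind}: {len(bucket)} failures across {len(users)} user(s) within {window}",
                })
        else:
            if len(bucket) >= threshold:
                alerts.append({
                    "severity": "high", "ip": ev["ip"], "at": ev["ts"], "user": ev["user"],
                    "reason": "successful login after a brute-force burst; treat the account as compromised",
                })
            bucket.clear()  # a success ends the burst either way
    return alerts


if __name__ == "__main__":
    for alert in detect_auth_abuse(SAMPLE_LOG):
        print(alert["at"], alert["severity"].upper(), alert["ip"], alert["reason"])
```

On the constructed sample this produces three alerts: a medium brute-force alert for 203.0.113.5 at the fifth failure, a high alert seconds later when the same address logs in as admin, and a medium password-spraying alert for 192.0.2.77, which tried five different usernames once each. The single typo-and-retry from 198.51.100.23 produces nothing, which is the behaviour that keeps an analyst from drowning in noise. In a real deployment the same logic runs continuously against a log pipeline rather than a string, which is the point the next section makes about timeliness.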
Timeliness
Detection and response are far more than a report or a system check that is run once a week – it is a continuous process that runs 24/7. Breaches must be detected as soon as possible and the response plan must be enacted immediately after a breach has been confirmed. This is even reflected in the wording about private data breach reporting, which states that the Office of Privacy Commissioner must be notified “as soon as feasible.”
However, the average IT department (and even the typical IT service provider) will not have the kinds of resources and tools to adequately address all the threats that can develop.
Don’t Be Overwhelmed
When major companies with powerful security systems and analysts at their disposal still fall victim to hackers, privacy practices can seem overwhelming to small companies. However, things can get more demanding still: the Office of the Privacy Commissioner is also seeking new powers, including the right to enter an organization and confirm that federal privacy practices are in use even when no violation is suspected. If that happens, will your organization be prepared?
Conclusion
Fortunately, there are solutions in the form of third-party experts who combine key skills such as digital forensics, breach mitigation, and response plan development. They also have access to the tools needed to help your company ensure that it is PIPEDA compliant while reducing the risk of a devastating data breach. Don’t allow your company or organization to become complacent – reach out for the help needed to become PIPEDA compliant.