The Rise of Scamware

You might not think you’ve heard of scamware, but the truth is you’ve probably come across it without even knowing. Just as so many people have seen the potential for good in the growth of the internet, with increased learning and communication opportunities, there have also been a number of unscrupulous parties looking to use the internet to perpetrate criminal acts for personal gain.

The emails calling for personal information in order to claim your Nigerian or UK lottery winnings have by now become a joke, but remember when they first appeared and people were sending their personal, private information in the hopes of receiving money? Like everyone else, scammers adapt, and scamware is the new Nigerian lottery.

Snake oil salesmen are nothing new, and scamware is nothing so much as a bottle of venom disguised as a cure-all. It’s software that purports to be useful and legitimate, when in fact it’s just malware – a means of collecting personal data and stealing money and identities.

It’s designed to make users think they need it in order to create the fear or anxiety that will cause people to buy into its hype and deliver the goods, so to speak. Unfortunately, such tactics are on the rise, and many people have been duped, to their great detriment.

How Does Scamware Work?

Some of the most popular scamware on the internet poses as antivirus software. Users receive a popup or email posing as a source that appears legitimate, like Microsoft, for example. It offers a free scan to look for viruses, which it naturally finds (whether there are viruses or not).

Then it urges users to purchase the paid version of the software. What do users get when they download the software? If they’re lucky, nothing – they only lose the money used to purchase the software.

Those that are not so lucky may have their credit card number or other personal information stolen, and worse, the software they download could scan their computer and steal further information, infect the computer with a virus, or even hold the computer hostage until further funds are sent.

This last insidious feature is becoming more popular. In fact, a purchase isn’t even required – sometimes all you have to do is click a link or open a legitimate-looking email for this malware to install.

Once it is in your system, the software freezes your computer and locks you out, revealing a pop-up that tells you to send money within a certain amount of time or your files will be corrupted or deleted. There are other types of scamware, as well. Some appear to be coupons or legitimately useful apps for mobile devices, but the one-click, fix-all scamware is easily the most popular grift.

How Can I Identify Scamware?

By its very nature, scamware is difficult to identify. Unlike other viruses and malware, it can’t necessarily be caught by a computer program, at least not until it’s too late. Although much antivirus/anti-malware software is designed to identify and warn you of threats (like suspicious websites or untrusted email), no software has yet been designed to differentiate between false and legitimate advertising.

The only real way to identify scamware is to be smart and wary. There are two good rules to follow. First, if it looks too good to be true, it probably is. Second, do your homework – check out the company before downloading their software.

How Can I Avoid Getting Caught in the Trap?

What you want to avoid is a knee-jerk reaction. You should always be suspicious of companies that approach you via pop-ups or email, even if they seem to be from a legitimate source like Microsoft or Mac. Do not click links or download anything.

If you’re actually worried about dire proclamations of viruses or you’re interested in the services offered (PC tune-ups, system care, etc.), exercise due diligence. Look for a company website and user reviews. If they don’t exist, it’s probably scamware.

Of course, even this isn’t entirely trustworthy. In the past, scammers have used SEO practices to put their websites at the top of Google search pages. Still, there are steps you can take.

If you’ve never heard of a piece of software and the purveyor approaches you, simply look for well-known alternatives that you have heard of or ask around. In terms of antivirus software, plenty of people use Norton, McAfee, or AVG, just for example. Trust what you know and steer clear of solicitation.

How to Proactively Monitor Your Site Uptime

Traditionally, businesses have relied on customers visiting stores in order to purchase goods or services. This meant having posted business hours and ensuring that the store was open on time to welcome customers.

These days the internet has significantly changed the way many companies conduct their business operations. Certainly brick-and-mortar stores are still popular, but many businesses have also embraced the 24/7 access offered by the internet.

Your business can make sales at all hours of the day and service consumers across the globe thanks to websites and secure online shopping carts. Of course, this system does require your site to be available, and for this you will have to rely on a web hosting service.

Unfortunately, these services are not always reliable. As a business owner, you need to know when downtime occurs and how long it lasts so that you can assess the impact to your business and find out if you need to switch to a more reliable service provider.

How can you be proactive when it comes to monitoring website uptime? Here are a few steps every business owner should take.

Visit Frequently

How often do you look at your own website? Unless you’re making changes, the answer could be infrequently. If you want to have any idea of what your customers are complaining about, it behooves you to visit your website at least daily to make sure it’s up and running and note loading times.

You should also ask employees to check in periodically throughout the day, both on computers and mobile devices. With input from a variety of sources you can gain at least some idea of what’s going on with your website and whether it might be suffering from frequent or prolonged episodes of downtime and inaccessibility.

Know When Scheduled Downtime Will Occur

This is an important factor. For one thing, you’re likely to schedule your own downtime for maintenance and updates, preferably during the slowest times of the day, and you should inform subscribers in advance and post a redirect to an explanation page while the site is down. You don’t want to alienate visitors or else they may never visit your website again.

At times, your web hosting service may also schedule downtime for similar reasons (maintenance, upgrades, etc.). A good host will inform you well in advance so that you, in turn, can make appropriate preparations to inform your customers. You can even schedule your maintenance to coincide with your web host’s.

Hire a Monitoring Service

There are steps you can take on your own to monitor website uptime, but if you really want to know what’s going on around the clock you need to hire some outside help. The good news is that it’s not hard to find reliable monitoring services to do the heavy lifting for you.

What do these professional services provide? Not only do they offer consistent monitoring of your website with frequent check-ins to make sure your site is up and running, but they also check it from several different geographic locations to ensure that it is accessible not only locally, but also via domestic and international portals.

In addition, these tests may be synchronized to allow for verification across multiple locations and provide further data about where and when downtime is occurring. The resulting data can help you to determine whether the problem lies with your web host or with specific portals.

Some services are free and some offer paid subscriptions that include additional features. Most monitoring companies offer both options as a means of providing solutions for businesses large and small.

Request Reporting and Alerts

Although there are many options to choose from when you’re interested in hiring a service to monitor your website uptime, you need to look for a vendor that provides two main things: reporting and alerts. For starters, you need regular feedback that includes actionable data.

Ideally, your site will suffer from little or no downtime, but if it does occur, you need to know the particulars, the when and why, so that you can take appropriate corrective action. Alerts are also a must.

A good monitoring service will provide you with immediate alerts concerning downtime via email, or text, for example, so that you can respond in record time. This service is essential to making the most of your third-party website monitoring service.
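The two sections above describe what a monitoring service does: it checks the site from several locations on a fixed schedule, turns failed checks into a record of when and how long the site was down and where the failure was seen, and raises an alert. The following Python is an added example, not code from the original post or from any monitoring vendor; it runs over a constructed probe log (three locations, checks every five minutes) and classifies each outage as "global" (every location failed, so the host itself is the likely cause) or "regional" (only some locations failed, pointing at a network path or portal). The log format, the location names and the five-minute interval are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed probe log (not real data): one line per check, in the form a
# monitoring service might record. Fields: ISO timestamp, probe location,
# HTTP status (0 = no response at all).
PROBE_LOG = """\
2016-03-01T14:00:00 us-east 200
2016-03-01T14:00:00 eu-west 200
2016-03-01T14:00:00 ap-south 200
2016-03-01T14:05:00 us-east 503
2016-03-01T14:05:00 eu-west 503
2016-03-01T14:05:00 ap-south 0
2016-03-01T14:10:00 us-east 503
2016-03-01T14:10:00 eu-west 503
2016-03-01T14:10:00 ap-south 0
2016-03-01T14:15:00 us-east 200
2016-03-01T14:15:00 eu-west 200
2016-03-01T14:15:00 ap-south 200
2016-03-01T14:20:00 us-east 200
2016-03-01T14:20:00 eu-west 200
2016-03-01T14:20:00 ap-south 0
2016-03-01T14:25:00 us-east 200
2016-03-01T14:25:00 eu-west 200
2016-03-01T14:25:00 ap-south 200
"""

CHECK_INTERVAL = timedelta(minutes=5)  # assumed probe schedule


def parse_probe_log(text):
    """Group results by check time: {timestamp: {location: is_up}}.

    A check counts as "up" only for a 2xx/3xx status; 4xx, 5xx and 0 (no
    response) all count as down.
    """
    checks = defaultdict(dict)
    for line in text.splitlines():
        ts, location, status = line.split()
        checks[datetime.fromisoformat(ts)][location] = 200 <= int(status) < 400
    return dict(sorted(checks.items()))


def find_outages(checks):
    """Collapse consecutive failing checks into outage events.

    Each event records when it started, how long it lasted (failing checks
    times the check interval), which locations saw it, and whether it was
    global (all locations) or regional (a subset).
    """
    all_locations = set()
    for results in checks.values():
        all_locations.update(results)

    outages, current = [], None
    for ts, results in checks.items():
        failed = {loc for loc, up in results.items() if not up}
        if failed:
            if current is None:
                current = {"start": ts, "checks": 0, "locations": set()}
            current["checks"] += 1
            current["locations"] |= failed
        elif current is not None:
            outages.append(_finish(current, all_locations))
            current = None
    if current is not None:  # log ended while still down
        outages.append(_finish(current, all_locations))
    return outages


def _finish(event, all_locations):
    scope = "global" if event["locations"] == all_locations else "regional"
    return {
        "start": event["start"],
        "duration": event["checks"] * CHECK_INTERVAL,
        "locations": sorted(event["locations"]),
        "scope": scope,
    }


def alerts(outages):
    """Render the immediate alert text a service would send by email or SMS."""
    lines = []
    for o in outages:
        minutes = int(o["duration"].total_seconds() // 60)
        lines.append(
            f"ALERT {o['start'].isoformat()} site down for {minutes} min "
            f"({o['scope']}: {', '.join(o['locations'])})"
        )
    return lines


if __name__ == "__main__":
    for line in alerts(find_outages(parse_probe_log(PROBE_LOG))):
        print(line)
```

In the constructed log the 14:05 to 14:15 failure is seen from every location and is reported as a 10-minute global outage (a question for the host), while the single failed check from ap-south at 14:20 is reported as regional, which is the kind of particular you want in the report before deciding whether the problem is your host or one portal.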

5 Tips for Creating a Secure Password

Remember when you created your first AOL account and you could use your real name (without a slew of numbers behind it) and create a simple password that was a mere four or five characters long? Nowadays, you’re John_Smith260548 and your password is some crazy combination of letters and numbers you can’t possibly remember.

This is all for your own protection, of course. Not only do we have to contend with data breaches on massive scales, but if your passwords aren’t secure, you can look forward to diligent hackers slicing through your defenses like tissue paper and stealing your sensitive personal data in the process.

In other words, you need to be your own best advocate by creating passwords strong enough to protect your online accounts, including your email, any clubs you join, and e-commerce sites that save data such as your credit card number. Plus, it hardly needs to be said that you’d be in real trouble if hackers accessed any accounts containing your social security number.

So how can you create a password that’s hack-proof? Such a thing may not exist, but you can definitely make secure passwords that will have would-be hackers heading for greener pastures, so to speak. Here are some tips to get you started.

1. Number and Type of Characters

The standard number of characters recommended for secure passwords is a minimum of eight, although some forward-thinking websites are starting to demand twelve. Your password should also include different types of characters.

These characters may be uppercase letters, lowercase letters, numbers, and symbols and/or spaces. The best passwords will employ a combination of all of these elements. In addition, you should try not to use recognizable words at all, opting instead for a random combination that cannot be guessed once a few of the letters are revealed.

Such passwords may be more difficult to remember than your passwords of old, but if you’re keen to keep hackers out of your accounts, this is the best way.

2. Avoid Personal Data

We get it – you want to create a password that has some kind of personal meaning to make it easier to remember. However, this is a mistake that hackers will find ways to exploit.

Think about how much information about your private life is available on the internet, especially via social media. All you have to do is tweet about your dog or post a photo that shows your street sign and you’ve potentially given hackers a substantial part of common passwords.

Don’t use your name, nicknames, street names, pet names, dates like birthdays or anniversaries, or any other personal information that hackers could glean with a little digging online.

What you can use to help you remember a seemingly random assortment of characters is an acronym. Make up a sentence you can remember that includes letters, numbers, and symbols and then turn it into an acronym by using only the first letter of every word. “My first dog was Fido! He died at 13 in January of 2002” could become MfdwF!_Hda13in0102, just for example.

In this way you can create incredibly secure passwords that you’ll actually be able to remember when you log in.
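The two tips above amount to a small policy: a minimum length, all four character classes, no recognisable words, and nothing an attacker could glean from social media, with a memorable sentence turned into an acronym as the way to meet it. The Python below is an added example, not code from the original post; it implements the strict acronym rule (first letter of every word, digits and trailing punctuation kept whole) and a checker for the rules from sections 1 and 2. The author's own sample password also folds in ad-hoc substitutions (an underscore, a month number), so the function produces a different string from the same sentence. The twelve-character minimum and the list of personal terms are assumptions made for the example.

```python
import re

# Constructed personal-data list: the sort of detail a scammer could glean
# from social media (section 2). Fill in your own names, pets, streets and
# dates; these values are made up for the example.
PERSONAL_TERMS = ["john", "smith", "fido", "elm street", "1975", "0512"]


def acronym_password(sentence):
    """Build a password from a memorable sentence (section 2's acronym rule).

    Each word contributes its first letter; a run of digits is kept whole;
    punctuation attached to the end of a word (e.g. "Fido!") is kept too,
    which is what supplies the symbol class.
    """
    pieces = []
    for token in sentence.split():
        m = re.fullmatch(r"([A-Za-z]+|\d+)([^A-Za-z\d]*)", token)
        if m is None:  # mixed tokens such as "3rd": keep as written
            pieces.append(token)
            continue
        core, trailing = m.groups()
        pieces.append((core if core.isdigit() else core[0]) + trailing)
    return "".join(pieces)


def check_password(password, personal_terms=PERSONAL_TERMS, min_length=12):
    """Apply sections 1 and 2; return a list of problems (empty = passes).

    min_length=12 is the stricter of the two figures the article mentions.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")

    classes = {
        "uppercase": r"[A-Z]",
        "lowercase": r"[a-z]",
        "digit": r"\d",
        "symbol": r"[^A-Za-z\d]",  # symbols and spaces both count
    }
    missing = [name for name, pat in classes.items() if not re.search(pat, password)]
    if missing:
        problems.append("missing " + ", ".join(missing))

    # Compare case-insensitively and ignoring spaces, so "ElmStreet1975"
    # still trips on "elm street" and "1975".
    squashed = password.lower().replace(" ", "")
    hits = [t for t in personal_terms if t.replace(" ", "") in squashed]
    if hits:
        problems.append("contains personal data: " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    sentence = "My first dog was Fido! He died at 13 in January of 2002"
    pw = acronym_password(sentence)
    print(pw, check_password(pw) or "passes")
    print("fido1975", check_password("fido1975"))
```

The acronym keeps the memorability of the sentence while leaving nothing guessable in the result: "fido" appears in the sentence but not in the password, so the personal-data check passes even though the pet's name is on the list.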

3. Different Passwords for Every Account

This can be a hard sell considering the dozens of accounts that most people use frequently, not to mention the handful used daily. However, there is a solution.

With a password manager you can enter all the passwords for your various accounts and all you have to do is remember the password that logs you into the password manager. Just make sure that password is really secure.

4. Never Repeat Passwords

Many websites will prompt you to change passwords periodically. When this happens, resist the urge to repurpose old passwords.

Once you’ve used a password, don’t recycle it. Create a new one every time for the best chances to avoid redundancy and the potential for hacking.

5. No Sharing

This should go without saying, but considering how many people make the mistake of sharing their ATM PINs, it’s not really that surprising that passwords get shared with spouses, friends, and other seemingly trustworthy parties. Do not fall into this obvious trap!

The most secure password is absolutely useless if you share it with someone else. Not only could that person access your account, but they might not be as diligent as you at protecting it, potentially letting your private information fall into the hands of others willing to exploit it.

It’s one thing to trust your partner, your family members, or your friends, but the security of your online accounts relies on secrecy. You might trust your loved ones to keep this secret – the problem is if you can’t keep it.

Why Switching to the Cloud Can Improve Your Network Security

The cloud offers many advantages. Cloud service providers often handle the hassle of updating software, operating systems, and hardware. They also typically provide turnkey solutions for smaller shops ready to jump right into work that requires an IT infrastructure. One of the best advantages of using the cloud, though, is that it offers small-to-medium sized businesses a secure information systems environment.

Here’s why switching to the cloud can improve your network security.

Centralized Security Management

Consider this scenario: you have a mission-critical app that all of your employees use. It’s deployed to each of their workstations. Then, one day you read a report that there’s been a security threat discovered in the app. Fortunately, the company that produced the app also has a patch for it. You have to not only get that patch to your employees, but you also have to find some way to assure yourself that each of them correctly applied the patch.

That could be a logistical nightmare.

Now, consider the same scenario except that your employees access the app via the cloud. In that case, there’s really only one copy of the app and your cloud service provider centrally manages it. The service provider will handle the task of installing the security patch and your employees won’t have to do anything. In all likelihood, they won’t even know that a threat was detected.

That’s one distinct advantage of the cloud. It offers centralized control, making security updates much easier.

Cloud Service Providers Offer Excellent Security

Even if you have the space for a local IT infrastructure and can afford to buy the equipment necessary for an in-house solution, it’s not likely that you’ll match the security expertise of cloud service providers.

Simply put, cloud providers routinely immerse themselves in data security standards and make themselves aware of the most recent threats. They offer years of experience and unparalleled expertise in information systems security so that you can sleep peacefully at night knowing that you’re in good hands.

Less Threat From Unhappy Employees

Let’s face it. We live in a world where petty grievances are often settled in an unprofessional manner. Unfortunately, it is not unheard of for disgruntled employees who know that their job is on the chopping block to act out. Even worse is when an employee doesn’t feel that he or she has been treated fairly and commits some type of industrial sabotage to mess up your business.

Fortunately, with a cloud solution, you can mitigate that risk. That’s because the hardware that someone would physically damage is in a remote location. If an angry employee tries to upload a virus, rest assured that the folks at your cloud service provider would notice that immediately. You’ll get a report about the employee’s actions and no damage will be done.

Many People Won’t Even Know Where Your Servers Are Located

In the event that somebody wants to physically gain access to one or more of your servers, it’s likely that the person wouldn’t even know where your servers are located. That’s because your servers would be offsite in a secure location. Heck, the servers might not even be located at the same address where you send your monthly payment to the cloud service provider. In other words, you might not even know where your servers are physically located.

Even if somebody with cruel intentions does know where your servers are located, that location could be hundreds of miles away from your business. That means the unscrupulous hacker will have to travel a very long distance just to find a way to even break into the building where your servers are located.

It’s not going to happen.

Cloud Service Providers Keep Everything Up to Date

Sometimes, older systems are more prone to an attack just because they’re older. The good news is that cloud service providers go out of their way to keep their hardware, virus protection, operating systems, and software up to date. As a result, they minimize the risk of an effective attack.

Some people think that public cloud solutions aren’t as secure as in-house solutions. However, the fact of the matter is that the right cloud service provider can offer your organization an exceptional level of security.

The True Cost to Your Business When Your Server Goes Down

It’s happened. You just received a call from one of your IT employees that a server has gone down. It’s non-responsive and nobody knows what caused the problem. What is that down time going to cost you?

The answer is: it depends.

To calculate how much it costs you when your server goes down, you’re going to need to put on your bean counter’s hat, open up a spreadsheet, and calculate the figures based on a number of factors.

What Kind of Server Went Down?

The first thing you need to know is what kind of server went down. Was it an email server and nothing else? If that’s the case, then your email communications were interrupted. That could be a big problem, though, if you run a support shop that relies heavily on email communication.

Was it a web server that went down? If so, then your website might have been unavailable for a while. That’s almost always a huge problem, but it’s even worse if you’re running an e-commerce company with no retail outlet.

Was it an analytics server that went down? If so, then your employees can’t crunch numbers to provide you with the business intelligence that feeds your overall company strategy.

Regardless of which type of server was disrupted, you will immediately feel the pain in lost opportunity cost as well as employee efficiency. The calculations for determining the exact cost of a down time vary significantly depending on the server’s primary use.

How Long Was the Server Down?

The next question you need to ask before you can calculate the cost of the down time is: how long was the server down? If it was down for just a few minutes, then maybe it’s not even worth calculating the cost of the down time at all. However, if it was down for an hour, three hours, or eight hours, you probably want to know the very painful truth about how much that down time has cost your business.

Calculating the Cost

Once you know the nature of the server and the length of the down time, you can begin to calculate the cost.

If it was a server that employees used, then you want to know how much you paid your employees to essentially do nothing. If the combined salaries of the three people who use that server amount to $300,000 per year and the server was down for two hours and no one could do their jobs, then the calculation is fairly straightforward. Let’s assume that the employees each work 2,000 hours per year. This effectively means that you’re paying each employee $50 per hour. The server was down for two hours, so you lost six “man-hours” because there were three employees who couldn’t do their jobs. At $50 per hour, you lost $300.

If the server was an e-commerce server, then you need to calculate the number of orders lost during the period that the server was down. The best way to do that is to use comparable sales figures from similar time periods. For example, if the server went down on Tuesday from 2PM to 3PM, then look at how much sales your company typically earns on Tuesdays that aren’t holidays between 2PM and 3PM. That’s the cost of the lost business.

If you lost an email server for a while and your company relies heavily on email traffic for customer relations and support, then the cost is a little harder to quantify. In that case, you’ve certainly lost some good will because customers are angry that they didn’t receive prompt replies to their emails. If you know for sure how many customers you’ve lost because of the down time, calculate the income that you would have received if they had remained loyal customers. It will not be a pretty figure.

Keep in mind that all of these calculations don’t even include the cost to fix the server, if any was incurred. You’ll need to include that cost as well.
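The three calculations above (idle labour from salaries and a 2,000-hour year, lost e-commerce sales from a comparable non-holiday time slot, plus any repair cost) are straightforward to put in a spreadsheet, and the Python below does the same as an added example that is not part of the original post. It reproduces the article's $300 figure for three employees on $100,000 each idle for two hours and estimates lost sales by averaging revenue from the same weekday and hour in a constructed sales history, skipping holidays as the article advises. The sales figures, the holiday date and the repair cost are made-up values for the example.

```python
from datetime import datetime
from statistics import mean

HOURS_PER_YEAR = 2000  # the article's assumption: 2,000 working hours per employee per year

# Constructed sales history (not real data): (start of hour, revenue in that hour).
SALES_HISTORY = [
    ("2016-02-02T14:00", 1200.0),  # Tuesday 2PM
    ("2016-02-09T14:00", 1300.0),  # Tuesday 2PM
    ("2016-02-16T14:00", 5000.0),  # Tuesday 2PM, but a (constructed) holiday
    ("2016-02-23T14:00", 1400.0),  # Tuesday 2PM
    ("2016-02-02T15:00", 980.0),   # Tuesday 3PM: different hour, not comparable
    ("2016-02-03T14:00", 700.0),   # Wednesday 2PM: different weekday, not comparable
]
HOLIDAYS = {"2016-02-16"}  # constructed holiday to exclude from the baseline


def idle_labor_cost(annual_salaries, downtime_hours, hours_per_year=HOURS_PER_YEAR):
    """What you paid employees to do nothing: hourly rate x hours for each person.

    hourly rate = salary / hours_per_year; man-hours lost = people x downtime.
    """
    return sum(salary / hours_per_year * downtime_hours for salary in annual_salaries)


def comparable_hourly_sales(outage_start, history=SALES_HISTORY, holidays=HOLIDAYS):
    """Average revenue for the same weekday and hour on non-holiday dates."""
    target = datetime.fromisoformat(outage_start)
    same_slot = []
    for ts, revenue in history:
        when = datetime.fromisoformat(ts)
        if when.date().isoformat() in holidays:
            continue
        if when.weekday() == target.weekday() and when.hour == target.hour:
            same_slot.append(revenue)
    if not same_slot:
        raise ValueError(f"no comparable sales history for {outage_start}")
    return mean(same_slot)


def lost_sales(outage_start, downtime_hours, **kwargs):
    """Revenue the e-commerce server would normally have taken in while down."""
    return comparable_hourly_sales(outage_start, **kwargs) * downtime_hours


def total_downtime_cost(annual_salaries, downtime_hours, outage_start=None, repair_cost=0.0):
    """Idle labour, plus lost sales when an e-commerce slot is given, plus repairs."""
    cost = idle_labor_cost(annual_salaries, downtime_hours) + repair_cost
    if outage_start is not None:
        cost += lost_sales(outage_start, downtime_hours)
    return cost


if __name__ == "__main__":
    # The article's worked case: three salaries totalling $300,000, down two hours.
    print("idle labour:", idle_labor_cost([100_000, 100_000, 100_000], 2))
    # An e-commerce outage on Tuesday 2PM-3PM (2016-03-01 is a Tuesday).
    print("lost sales:", lost_sales("2016-03-01T14:00", 1))
    print("total:", total_downtime_cost([100_000] * 3, 2, "2016-03-01T14:00", repair_cost=250.0))
```

The holiday Tuesday carries an outlier of $5,000; leaving it in the baseline would inflate the estimate by a third, which is why the article's advice to compare only against ordinary days matters.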

There is a reason why redundancy is a great idea in engineering. Technical problems can and will occur. In many cases, those problems can be very costly. While it’s great to know what it costs your business when a server goes down, it’s even better to take proactive steps to ensure that you have proper backups.

How to Maintain Security Protocols When Employees Work Remotely

Advances in modern technology and concerns for the environment alike have made it possible for employees to work remotely. That’s great news for people who want to avoid a crowded commute to the office and at the same time offers businesses a chance to empower their employees. However, there are also security risks associated with remote employment.

Here are a few tips to maintain security protocols when employees work remotely.

Employees Should Conduct All Work on Company Equipment

It might be tempting for you as an employer to save some money on additional equipment by requiring new employees to provide their own laptops for the job. If you do that, you’re opening the door to what could be a security nightmare.

Simply put, not all of your employees will care as much as you think they should about keeping their own equipment secure. If somebody finds a way into an employee’s computer, then that path could soon become a way into your own private systems. From there, there is potential for catastrophe.

However, if you issue equipment to your employees that follows certain security standards put in place by your IT team, then you can be sure that all equipment connecting to your company systems has up-to-date security.

Use the Cloud

The cloud is another relatively recent advancement in modern technology that’s made everybody’s life a little easier. Thanks to cloud technology, people no longer need to install and update software on their own personal systems. Instead, they access remote apps and use them as though they were installed locally.

If you’ve got some mission-critical apps that you need your employees to use regularly, consider deploying them to a cloud. That’s a security benefit because the IT department will be responsible for handling security for the software at a single, centralized location. In contrast, non-cloud apps need to be updated everywhere they’ve been installed. That’s a hassle akin to herding cats.

Use a Secure Connection

One common-sense approach to avoiding data breaches and attacks is to ensure that communication between the employee’s PC and the company server uses a secure protocol.

Many remote employees use a technology like virtual private network (VPN) software that encrypts data traffic to and from the company site. Typically, they’ll couple that with a suite of software that automatically installs security patches and ensures that remote workstations are configured correctly.

The bottom line here is that you don’t want data communications between employee workstations and the company systems intercepted by some unscrupulous third party.

Develop Guidelines

Even when remote employees are using company equipment that’s configured to company standards with a secure communication channel, there is still the possibility for data breaches and attacks.

As long as there are codes, there will be code breakers. It’s that simple.

That’s why it’s important that you not only provide secure technology for your virtual environment, but also give your remote employees guidelines about what is and isn’t acceptable use for company equipment. Those guidelines should include the following:

- What kinds of websites aren’t acceptable for browsing. Although your security software should automatically block sites that are considered a threat, it’s still a great idea to “go the extra mile” by telling your employees that visiting certain types of sites is grounds for discipline.

- Rules for downloading. It may be the case that some employees will need to download additional software to perform their job. You should provide very strict rules about which software repositories they’re allowed to use to download software. If they can’t find the software they need at any of those repositories, then the guidelines should spell out how to touch base with the IT department to get an exception.

- Other behavior that’s disallowed on company equipment. Although your employees might be very good at day trading, and there’s probably no security threat from frequent visits to eTrade, it’s probably best if they did that kind of thing using their own computers.

Congratulations on creating a virtual workforce. You’re giving your employees a great deal of flexibility while empowering them to make decisions that are in the best interests of the business. Just be sure that proper security protocols are in place so that you don’t suffer the fate of many other companies that have experienced data breaches.

Looking Ahead – Emerging Trends in Web Security for 2016

Thanks to the advent of the Information Age, our lives have been made a lot easier when it comes to compiling, aggregating, and analyzing data. Unfortunately, with that great privilege comes the great responsibility of ensuring that information systems are secure enough to withstand an attack from unethical hackers who seek to cause mayhem, steal data, and/or commit industrial espionage.

In 2016, there will be noticeable trends emerging in web security. Here are a few of them.

Mobile Security Will Gain More Focus

Thanks to the Bring Your Own Device (BYOD) concept, many employers are allowing employees to connect their own mobile devices to company servers. That makes life easier for the employee, because one device can be used for everything. It also boosts the company’s bottom line because it reduces expenses related to equipment purchases.

However, there’s a trade-off with BYOD. Many people don’t secure their mobile devices as well as they should. As a result, people who gain access to an employee’s mobile device might also gain access to company resources.

In 2016, look for the emergence of companies that specialize in BYOD security for businesses. It’s likely that many of those companies are going to set financial records in the new year.

Multi-Factor Authentication Will Gain Traction

Although your password might be very secure because it’s 14 characters long, includes three symbols, two numbers, and a mix of upper- and lower-case characters, your employer might still not be satisfied. That’s especially true if you work remotely.

In 2016, expect to see an increased adoption of multi-factor authentication. That’s a method of logging on to secure systems that requires not just a password, but also some other security measure.

For example, some multi-factor logons require a digital token to be used in addition to the password. A digital token is typically a number generated by a device that fits on your key chain. You press the button and it gives you a number that expires in 30 seconds or so. You’ll need to use that number in addition to your password to log on to the system. That way, a hacker who has your password can’t log on unless he or she has the token generator from your key chain.

Some multi-factor logins will go the extra mile from there and require biometric identification in addition to the other two factors. We’ve officially become a science fiction movie.

Concerns About Outsourced Code

With the threat of data breaches becoming ever more prevalent, some CIOs might start to consider the possibility that some custom-made software has a back door that can be exploited for hacking purposes.

Remember, companies often outsource their development efforts to save money. However, those outsourced companies could employ unscrupulous individuals as easily as any home-grown shop. The problem is even worse when outsourced contractors have produced software with thousands or tens of thousands of lines of code.

Look for IT management to recommend an “overview” of outsourced code in 2016 to ensure, as much as possible, that it’s free of back door threats.

Big Data Is a Big Headache

IT professionals everywhere love the concept of “big data.” That’s an industry buzz-phrase for a huge database that holds massive amounts of data and is used for decision-making purposes.

Unfortunately, all that data is a treasure trove of information for unethical hackers. It was unsettling to a lot of American consumers when a hacker gained access to Anthem’s database and the information it held on as many as 80 million Americans. That data repository is what hackers would call a “target-rich environment.”

Look for CIOs to pay special attention to big data security in 2016 as they attempt to minimize threats of a data breach.

A High Demand for Information Security Professionals

If you’re contemplating a career change in IT, give serious thought to becoming an information security professional. It’s very likely that people who know how to minimize IT risks and put in place proactive measures to offset attacks will be in high demand in 2016 and the years following.

Data security will continue to be a high priority item for upper management in 2016. Too many companies have received bad press because they allowed hackers to gain access to their systems. Now, executives realize that cyber security is just one of many costs of doing business.

Will 2-Step Verification Make My System More Secure?

IT security is a growing field precisely because so many businesses lack suitable digital security. If news headlines are to be believed, no one is safe from the long arm of the hacking community. Even institutions that are supposed to employ the height of security (medical organizations, banks, and government entities, for example) have been subject to data breaches, and that’s just in the last year alone. What is the average business to do in light of such overwhelming odds? How can small and mid-size companies protect themselves from security breaches, data loss, and identity theft (not to mention the major fallout after a breach) when bigger, better-funded entities can’t fend off hackers?

In truth, there is no shortage of steps businesses can take to protect themselves and their clients from data theft. Simple steps like installing appropriate firewalls and encryption programs are a good start, as is hiring professional help like document shredding services, monitoring websites, and even managed services providers. The problem for many smaller businesses, however, is not a lack of motivation to upgrade security, but a lack of capital to devote to the project. Enlisting the aid of a managed services provider, for example, can cost a pretty penny.

One good option for many businesses looking to implement a major change without spending a ton of money is to institute a 2-step verification process for user logins for company systems. You may already have password protections in place for both employees and customers. If you’re smart, you’ve already taken steps to make this login process as secure as possible. Perhaps you require strong passwords, such as those that are eight characters or longer and that must use letters, numbers, and symbols. You may prompt users to change their passwords frequently. Maybe you even use a program that doesn’t allow users to save information and that won’t repopulate fields when any portion of the login data is incorrect.

This type of diligence is both wise and secure. However, 2-step verification can take your login process to the next level in terms of security. As you may know, offering 2-step verification means adding another step to the login process, and there are a couple of ways to go about it. You could, for example, require users to answer a security question (e.g., “What is your maternal grandmother’s name?” or “Where were you born?”). This creates an extra layer of security by requiring additional, unique information from every user.

The other form of 2-step verification is even more secure. You could also require users to enter an authentication code after entering a username and password. This can be accomplished when users download an app that generates unique codes and refreshes after a short time frame (say one minute), providing a new code. Or you could simply send out unique codes to user phones for them to enter when they’re trying to log in to your system. It is this type of 2-step verification that most companies are leaning toward these days as a means of stopping hackers from breaking in by figuring out user login data.

Will this truly make your system more secure, though? Unfortunately, 2-step verification isn’t entirely foolproof. It definitely adds an extra layer of security, and will therefore stymie a certain segment of the hacking population, which will likely move on to easier targets. However, there are some flaws in the system that data thieves have learned to exploit.

The main problem can be account recovery. Suppose a user loses their login data and cannot access an account, and so commences the process of account recovery. Businesses don’t want users to lose their accounts and the data they’ve generated, so most simply bypass the verification system or disable it in order to allow users to create new login information. With minimal data, hackers can exploit this process to gain access to user accounts, thus nullifying 2-step verification.

The hope, of course, is that users will be smart with their own data management, creating unique passwords and optimal protections for all of their accounts so that hackers can’t gain access to recovery data. However, this is not always the case. In the meantime, 2-step verification is just one more way to add protection. For companies looking for relatively affordable ways to increase security, it’s a great option to explore.


Is Password Management Software Really That Secure?

At this point there doesn’t seem to be any question that virtually any network, server, or website can be hacked. After all, if hackers can breach corporate entities, health insurance providers, and even the government, what’s to stop them from hacking your business?

In some ways, small and mid-size businesses are lucky – they don’t have the same target on their backs that larger competitors do. Unfortunately, many smaller businesses are also forced to compromise when it comes to security due to a limited budget. Even though you may not face the same threats as better-known entities, you might be at greater risk.

In order to protect yourself, you need to make sure the components of your security system are up to the task. While password management software is certainly handy in this day and age, what with the onus to create unique passwords for every online account, you need to know if it’s safe to use. How secure is it?

Password management software has become a popular option for anyone looking to cut back on the amount of time spent trying to remember usernames and passwords for their many online accounts. With this type of program, all you have to do is log in to one master account, remember just one set of login information, and you can access every online account, despite the fact that they all have unique username and password combinations.

This is handy for business owners and clients alike, but it may not be entirely safe. If someone is able to hack the master password, they could immediately gain access to absolutely every account, putting your identity and the identities of others at risk. It seems like a pretty big risk, but if you rely on such a program to manage your passwords, don’t despair. The providers have taken steps to ensure the safety of their users.

Just look at the hack of popular password management company LastPass a few months ago. Users were terrified to discover that the site had been hacked, compromising email addresses, passwords, password hints, and other information related to the security of user accounts. LastPass, however, seemed unconcerned with the breach.

Although hackers accessed security data, the company claimed that user identities were not actually compromised, per se. This, they claimed, was because they had taken aggressive steps to protect their data, so that even if it was stolen, it could never be accessed. LastPass stated that their encryption was so robust that even if hackers stole their user data, there was no chance they would be able to crack it. The only chance that information could be accessed would be due to the user error of creating too simple a password.

In light of the breach, the company asked users to change their password information. The situation raised an interesting point, though. Are services for password management secure enough that you would trust your personal data (or client information) to them? If LastPass and others are to be believed, their software is more secure than what the average person could come up with alone. Their stance seems to be that breaches are bound to occur – and they’re ready.

Many such companies do not store user information on their own servers, so even if breaches occur, there is little chance data will be stolen. In addition, the level of encryption used to secure sensitive data is so high that even the best hackers will be stymied should they manage to steal anything. All users have to do is create a master password complex enough that hackers won’t figure it out – so don’t use your birth date or the name of your first pet.
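As an added illustration (not LastPass’s code or any vendor’s implementation), here is the shape of the design the preceding paragraphs describe: the vault key is derived on the client with a slow, salted key derivation function (PBKDF2-HMAC-SHA256 here), only a one-way hash of it is sent to the server, and the server hashes that again before storing it. A dump of the server’s records therefore yields neither the vault key nor the master password, and guessing the master password costs the full iteration count per attempt. The iteration count and the sample password are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256, chosen here for illustration; real
# deployments tune it upward as hardware gets faster.
ITERATIONS = 100_000


def derive_vault_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Client side: slow, salted derivation of the key that encrypts the vault."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side: one more one-way step, so the value sent to the server is
    derived from the vault key but cannot be turned back into it."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, dklen=32)


def enroll(master_password: str, iterations: int = ITERATIONS) -> dict:
    """Account creation on the client: only the salt and the auth hash leave the device."""
    salt = os.urandom(16)
    vault_key = derive_vault_key(master_password, salt, iterations)
    return {"salt": salt, "auth_hash": derive_auth_hash(vault_key, master_password)}


def server_store(record: dict) -> dict:
    """Server side: re-hash the received auth hash with a server salt before storing,
    so a stolen database does not even reveal what the client sends at login."""
    server_salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", record["auth_hash"], server_salt, 1, dklen=32)
    return {"salt": record["salt"], "server_salt": server_salt, "stored_hash": stored}


def login(master_password: str, stored: dict, iterations: int = ITERATIONS) -> tuple:
    """Returns (authenticated, vault_key). The vault key is computed locally and never
    transmitted; only the re-hashed auth hash is compared, in constant time."""
    vault_key = derive_vault_key(master_password, stored["salt"], iterations)
    auth_hash = derive_auth_hash(vault_key, master_password)
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, stored["server_salt"], 1, dklen=32)
    ok = hmac.compare_digest(candidate, stored["stored_hash"])
    return ok, (vault_key if ok else None)
```

The vault key would then encrypt the stored credentials with an authenticated cipher such as AES-GCM; that step is omitted here because the standard library has no AES.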

In truth, using a password manager is likely much safer than going the other route and trying to remember a laundry list of unique username and password combinations for every online account. For one thing, you can’t store them all in your head. This means you’re likely to write them down, store them in your phone, or otherwise allow for easy access.

With password management software you need only create and memorize one strong password in order to protect all of your online accounts. If it is discovered, you will definitely be in trouble, but if you use it appropriately, the odds of failure are much smaller than the alternative. This means greater protection for your own online accounts, and potentially the accounts of other users, as well.


What Can You Learn From the Latest Starwood Hotels Data Breach?

Data breaches are a dime a dozen these days. You can’t open a paper or check a newsfeed without coming across some kind of scandal involving a hack in which sensitive user data was stolen. In the last year alone, mega corporations, banks, health insurance providers, and government entities have all been breached by hackers, malware, or other online threats. The climate has become one of “not if, but when” a hack will occur, and no one is entirely safe.

The most recent data breach to make headlines involved upscale hotel chain Starwood Hotels, a company that includes Sheraton, Westin, W Hotels, and other luxury brands. Starwood isn’t even the only hotel chain to be hacked this year – both the Mandarin Oriental and The Trump Hotel Collection suffered similar breaches.

So how was Starwood Hotels hacked? The chain admitted that malware had infiltrated point of sale (POS) systems, including payment systems in their gift shops, bars, and other retail areas, and that 54 of their hotels had been subject to attack. Luckily, the malware was not found in the guest registration system, so sensitive personal data related to reservations and Preferred Guest Memberships was not compromised, but the breach may still affect some portion of customers who used debit and credit cards at these locations during a certain date range.

Starwood Hotels announced that the malware discovered could have infected some systems as early as November of 2014. During that time, names, credit card numbers, security codes, and expiration dates (the data on a debit or credit card) were exposed, although PINs and contact information were not. In light of the incident, Starwood has taken steps to rectify the situation and make reparations.

When the breach was discovered, Starwood claims the malware was immediately removed and efforts were made to mitigate damage, including contacting authorities and coordinating with credit and debit organizations. Further, identity protection was offered to affected parties, along with credit monitoring services. Of course, Starwood Hotels has also vowed to increase security.

The problem is that many companies are doing exactly the same dance as Starwood Hotels. They’re waiting until a major data breach occurs to beef up their security and monitoring. Starwood is big enough that this black eye won’t cost them too much – their deal to merge with Marriott International Inc. (for a reported $12.2 billion) looks as though it will proceed. But could a smaller company recover from such a breach? Maybe not.

Companies large and small remain under-protected when it comes to digital security, a point that the Starwood Hotels breach (and other recent incidents) aptly demonstrates. Consumers and credit providers are taking steps to protect their interests, most recently through the use of EMV (Europay, MasterCard, and Visa) chips that store and protect user information, as well as create unique transaction codes for every payment.

However, businesses can certainly do more to protect user data, not to mention their own reputations. Starwood may be big enough to weather the storm caused by a data breach, but smaller competitors might not be so lucky. Data breaches can cost companies untold revenue, not only from known costs like security upgrades and reparations, but also from unknown losses related to unsatisfied customers and poor public opinion.

Looking on the bright side, data breaches can force businesses to make necessary changes and upgrades to outdated or subpar security systems. However, companies suffering from such attacks will have to first survive the fallout associated with legally mandated notifications and restitution, not to mention potential lawsuits.

The good news is that businesses can take a lesson from the Starwoods of the world. Starwood Hotels, in particular, could have benefited from some kind of security monitoring. If their admissions are to be believed, their system was infested with malware for approximately a year before they even noticed. Proper monitoring software would likely have caught the breach immediately.

Naturally, there are other steps businesses can take to protect themselves as well, including firewalls, encryption, strong password policies and programs, and the assistance of a managed services provider, to name a few. Hackers can get through a lot, but they’re likely to go for easy targets. Businesses that take preemptive steps on the security front can not only decrease the likelihood of attack, but also reduce the damage done should a data breach occur.
