Password Hygiene Best Practices

,

According to a report by Verizon, 80% of data breaches are caused by weak or stolen passwords. In addition, the report found that 60% of users reuse the same password across multiple accounts, making it easier for hackers to access multiple accounts with a single stolen password.

Maintaining good password hygiene is essential to protect against these threats and keep your accounts secure.

Weak or compromised passwords can be easily cracked, allowing cybercriminals to gain access to our data and steal our information. Here are a few password hygiene best practices to consider,

Use Strong Passwords

Using strong passwords is one of the most crucial steps in maintaining good password hygiene. A strong password is one that is long and complex, using a combination of letters, numbers, and symbols. Avoid using easily guessable passwords, such as “password” or “123456,” and avoid using personal information, such as birth dates or names.

Update passwords or revoke access when employees leave the organization

Changing passwords regularly is another essential step in maintaining good password hygiene. It is recommended to change passwords every 90 days or sooner, depending on the level of security required. Passwords need to be updated regularly and access to data has to be revoked when employees are no longer authorized to access it. However, this important step is often overlooked. This is especially an issue in SMBs where the staff is pretty busy and turnover is high. They are too busy to remember to change the passwords once a staff member quits, leaving their data vulnerable. So, next time the new intern finishes their stint with you, make sure you change the password and revoke their access.

Enable Two-Factor Authentication

Two-factor authentication adds an extra layer of security to your accounts. It requires you to provide a second form of identification, such as a code sent to your phone, in addition to your password. Two-factor authentication makes it harder for hackers to gain access to your accounts, even if they have your password.

Don’t Reuse Passwords

Sometimes people find it difficult to remember multiple passwords for various files and applications, so they use a single good, strong password everywhere. Using the same password for multiple accounts is a common mistake that can compromise the security of all your accounts. If one account is compromised, all accounts using the same password are also at risk. Using a unique password for each account decreases the amount of damage that can be inflicted in the event that one password is compromised.

Avoid Writing Down Passwords

Writing down passwords is a risky practice. It is easy to misplace or lose the paper where you wrote down your passwords. Avoid writing down passwords, and if you must write them down, keep them in a secure place, such as a locked cabinet. This applies primarily to an office environment, where desks, files and notepads are in open view and available to all.

Don’t share your passwords

Never share your password. If you need to give data access to multiple people, make sure each one of them has their own access credentials. This creates an audit trail and helps trace the data breach back to its origin if it occurs.

Be Wary of Phishing Scams

Phishing scams are a common way for hackers to gain access to passwords. Phishing scams involve sending an email or text message that appears to be from a legitimate source, such as a bank or social media site. The message typically asks you to click on a link and enter your password, giving the hacker access to your account. Before you click on any link, it is essential to verify if the links are genuine

/by

Password Management Tools: An overview

Effective password management is an essential aspect of cybersecurity. With the increasing number of online accounts and services, remembering all those passwords can be a daunting task. Password management tools provide an effective solution to this problem. This blog discusses the benefits of using password management tools and some password management best practices to be followed.

Some of the key benefits of deploying password management tools are:

Enhanced Security

The primary benefit of password management tools is enhanced security. Password managers store passwords in an encrypted format, making them less susceptible to hacking and phishing attacks. These tools also allow businesses to generate and store complex passwords for their employees. As a result, businesses can ensure that their employees use strong and unique passwords for every account, reducing the risk of a breach.

Easy Password Access and Management

Password management tools offer an easy way to access and manage passwords. Rather than manually entering passwords every time an employee logs into an account, password managers automatically fill in the necessary information. This feature not only saves time but also eliminates the risk of human error.

However, there are a few things to consider before you invest in a password management tool.

One of the things to consider is a security breach. Password managers are third party platforms. If your password management experiences a security breach, it can put all of the stored passwords at risk. Additionally, if the tool goes down, you may not be able to access your accounts.

Secondly, while password management tools reduce the risk of human error, they are not foolproof. Employees may still make mistakes, such as sharing their passwords or writing them down, which can compromise security. Additionally, if an employee forgets the password to their password manager account, it can cause problems. Hence it is important to ensure that you have good password hygiene in place.

Password hygiene refers to the practice of creating and maintaining strong passwords and protecting them from being compromised. It involves using unique and complex passwords for each account, changing passwords regularly, and storing the passwords securely so it isn’t accessible to unauthorized entities.

/by

Three common sense data safety reminders

When it comes to smaller and medium sized businesses, anything that distracts from the day to day concerns about bringing in revenue tends to fall by the wayside. With that in mind, we have put together a list of seven things that a small business needs to prioritize if you want to keep your business up and running. Remember, a cyber attack on your data security could be the biggest threat to your revenues that you face, even more serious than a recession or a pandemic

Software

Everything you have uses software programs, all of which can be vulnerable to hacking. Make sure all of your software programs are up-to-date. Software companies release program updates, security patches and critical updates for their applications. In addition to providing new features or fixing bugs in the program, these updates and patches prevent cybercriminals from exploiting the vulnerabilities that exist in the program to gain access to your network and data. So, you need to take the time to make sure that all of your software applications, including operating systems, and browsers are up-to-date. And do not forget your smartphone. It is important not to leave out your smartphone applications and mobile devices as well, because cybercriminals can find a way to invade your network and data from your smartphone For example, you have your work email configured on your phone. Hacking into your phone can give them access to your work email and consequently to work data.

Backups

There are things we all know we should do that are good for us, but that doesn’t mean we do them. Eat your vegetables, exercise every day… and back up your data. So here is a reminder of what you should do. Make sure you have clean and up-to-date backups. Backups come in extremely handy, especially in the case of ransomware attacks. Ransomware attacks are where cybercriminals gain control of your network or data and lock you out of your own system preventing you from accessing crucial business data. Sometimes your data is encrypted, which means it won’t be “legible.” They then demand a ransom to unlock or decrypt your data. Unless you pay up, you won’t have access to your data or your data won’t make any sense to you as it is encrypted. Having up-to-date, quality backups ensures you don’t have to worry about losing access to your data or paying the ransom, as you would have a most recent copy of your business data readily accessible. You can make backups on external hard disks, servers located at a place different from your place of business or even on the cloud (think Google Drive or One Drive or cloud servers). That said, contact an MSP to design workable backup procedures that don’t include copies of the ransomware. Just routine backups may not be enough to protect you.

Train everyone in your organization

Never forget the human factor in how cybercriminals get through your defenses. Training your employees to identify and respond correctly to cyberthreats plays a big role in any organization’s cybersecurity initiative. Regular cybersecurity training sessions along with mandated assessments should be conducted for all employees. Based on the assessment results, you may conduct follow-up training or refresher sessions for those who need it. You should also create an IT security policy document or handbook and share it with everyone in your company. This handbook or policy document must be updated on a routine basis to keep up with the latest in cybersecurity protocols.

Cybersecurity might seem like a lot of work, especially when you have a business to run and clients to focus on. However, it is certainly not an element that you can afford to ignore. The price you may have to pay if your business becomes a target of a cybercriminal is too high to take cybersecurity lightly. Consider bringing an experienced Managed Services Provider (MSP) on board to help manage the cybersecurity aspect of your business, while you can focus on your clients.

Questions? Contact Direct One for suggestions on improving your data security. Your business depends on it.

/by

7 Cybersecurity basics to never forget

,

No matter how much people hear “data safety,” they still can get sloppy about their cybersecurity. One of the reasons is that there are so many constant reminders that the warnings just become that much more background noise. Today, let’s do a quick review of the one you hear most about ( and most likely to forget about) Passwords.

Passwords

As annoying as they are (and who doesn’t doest curse them sometimes) passwords are a basic and necessary evil to protect access to your data. One of the root innovations that helps sidestep the tedium of entering ( and remembering ) passwords are facial recognition and fingerprint security measures. These can be a real timesaver, but they aren’t readily available across every site and device. So that leaves us with the question, what are the best practices for maintaining strong passwords and defending multiple sites, programs or devices (also known as “ good password hygiene’’)?

Maintaining password best practices

Simple passwords, with nothing but regular vocabulary words (even in other languages) are easily cracked. Most sites generally require mixed case, alphanumeric and a symbol or two for it to be an approved password. Here are a few things to remember.

    • Avoid using the same password across multiple sites or devices.
    • Don’t share your passwords with co-workers, no matter how convenient or timesaving it may be
    • Don’t send passwords ( or any critical personal data, for that matter) via text or email.
    • Don’t save them on a device in an unencrypted file
    • Remember to change them periodically
    • Be sure that access to files is removed immediately when an employee leaves an organization or no longer has need to access particular programs, data or machines

Multi-factor authentication

Related to the password method of maintaining data security, multi-factor authentication is becoming increasingly popular and is often required by some organizations. Basically, this takes the password idea and adds another layer to ensure that the correct user is entering the password. Your ATM is an example of MFA. Just a password isn’t enough at the ATM–you have to have your ATM card also. Most of us know MFA through the request to enter a one time code that is sent to us, on a different platform, after we enter our usual password. Again the idea here is that even if a password is stolen, a second form of identification is required to ensure the correct person is gaining access. NOTE: A common form of MFA is to send a text message to your phone. Be aware that if you leave the country and don’t buy a text package for your phone, you may not be able to access some sites that use this form of MFA.

In short, we hear most about password safety, but because it can be such a pain to change them, we open ourselves and our business to data vulnerability. Contact Direct One for ideas to improve your data security.

/by

Social media at work…what could go wrong

As a business, there is no doubt today that you need to make your presence felt on major social media platforms such as Facebook, Twitter, Instagram and LinkedIn. But social media also exposes you to cybercriminals. In this post we talk about the steps you can take to ensure your social media account doesn’t become a gateway for cybercriminals to access your data.

Make someone accountable
The first step to a successful and safe social media experience as a company is to make someone in your organization accountable for it. Designate a social media manager who is responsible for maintaining your company’s social media accounts. This person should oversee everything–from the posts and pictures in your company account to approving/disapproving ‘Friend’/’Follow’ requests.

Train your employees
Of course you should train your employees who handle your official social media accounts about the security threats and how they need to steer clear of them, but you also need to train other employees who are not on your social media team as they could be a weak link that a cybercriminal could exploit to reach your business. Seems far fetched? Not really. A lot of people trust their ‘friends’ on social media and also unwittingly share a lot of information, which can be used to hack their personal accounts and devices, which in turn, may act as a gateway to your business. Teach your employees about general social media best practices in terms of security and also educate them about the privacy settings they can use to ensure there data is shared with trusted individuals only.

Take the necessary security measures
Make sure the devices you use to access your social media accounts are protected with firewalls and anti-malware tools and all security updates and patches are up-to-date.

Password hygiene
Practice good password hygiene and encourage your teams to do the same. That means no password sharing, no sequential letters/numerals, no obvious words or numbers as your social media account password.

Frame a social media policy
You should also frame a social media policy that spells out the dos and don’ts of social media that everyone in your organization should follow. This is important from various perspectives as employee’s statements on social media may be perceived as a reflection of your business’s values, whether you like it or not. This can make your business a target of cybercriminals and lawsuits.

Putting your business out there on the social networking sites gives your brand a lot of exposure, presents paid advertising opportunities and even helps you build and manage customer relationships, but as discussed, it can be tricky to navigate in terms of security. Businesses may find it overwhelming to manage their social media security strategy all by themselves can reach out to a managed services provider. An MSP with experience in social media security can be a valuable asset in helping you build a strong social media security strategy.

/by

Multi-Factor Authentication 101

,

You have probably already come across the term multi-factor authentication. The concept is not new, but has caught on really quick of late. In this post, we will discuss what multi-factor authentication is and why you should be adopting it.

What is multi-factor authentication?
Multi-factor authentication is basically the use of more than one credential to gain access to data. It is a combination of multiple access credential types. For example, instead of gaining access to an email account by just typing your username and password, you will be asked to further verify your identity by entering some other information, such as a pin or a one-time password (OTP) that was sent to the phone number linked with the email address you are trying to log into.

Why do you need multi-factor authentication?
Multi-factor authentication offers an additional layer of security. Simple access control measures such as logging in with user ID and password are increasingly being breached by cybercriminals because no matter how much we condition ourselves to follow good password hygiene, sometimes, we slip up. Have you ever been guilty of

  • Writing down your password so you don’t forget it
  • Sharing your password with someone just to get the work done faster
  • Used the same password for multiple accounts just because it is easier to remember
  • Creating a password that was obvious/easy to figure out. Examples include your date of birth, numbers or letters in sequence, your name, etc.,

Multi-factor authentication can help prevent cybercrimes that happen due to leaked/hacked passwords.

How does multi-factor authentication work?
The working of multi-factor authentication depends on a combination of the following 3 elements.

  • What you know
  • What you have
  • Who you are

The user has to prove their identity by answering the questions related to each of these 3 elements. User IDs, passwords, secret questions, date of birth, etc., fall in the first category (What you know), while OTPs sent to your smartphone, a physical token or an access card belong to the second category (What you have) and the third category (Who you are) includes biometric authentication such as retina scan, fingerprint or voice recognition.

Multi-factor authentication is no guarantee of data safety, but it certainly reinforces your data security. While there are tools available in the market that you can purchase and deploy, you could also connect with an MSP to help you implement multi-factor authentication across your network smoothly.

/by

Why MSP relationships fail

A lot of SMBs opt for managed service providers who can help handle their IT requirements, and for the most part, it works well. Almost everyone knows the benefits of having a MSP manage your IT. Increased cost savings, ability to focus on your business without worrying about IT, better IT support and expertise, and so on. But, there are times when the managed IT services model fails, leaving business owners to wonder what went wrong. This blog discusses some key reasons why MSP relationships fail.

You didn’t do a reference check
Did you just pick the first MSP you found on the Google search? Did you just go by the presentations they gave you, or the information on their website? Always remember to ask your MSP for references. Talk to someone they work with and get feedback.

They don’t have enough staff
If your MSP is short of staff, they won’t be able to give you the attention you need. One of the biggest advantages of bringing an MSP onboard is having someone who proactively manages and monitors your IT requirements– something you cannot do without a full fledged IT department. So, it is important that your MSP is well-staffed.

They are not experienced enough
Before you bring an MSP on board, make sure you pay attention to how long they have been in business. This is important because the whole idea behind hiring an MSP is to leverage their knowledge and expertise. Secondly, someone who has been in the business for quite some time is more likely to be able to scale with you as you grow.

They said they will be there, but…
You want your MSP to be available 24/7, because with IT, you never know when the problem will arise. Not only should your MSP be proactively monitoring your IT infrastructure to ensure everything runs smoothly, they should also be able to resolve IT problems when they happen–time and day notwithstanding, so that your business is back up and running as soon as possible.

They are not able to provide you with all that you need
Sometimes, as you grow, your IT needs change. You may need much more support and new technologies that you didn’t think you’d need earlier. In such cases, if your MSP is not able to grow and scale with you, then the relationship won’t work.

When choosing an MSP, think of the whole process as a partnership, and not a one-time deal. When you look at the relationship as a long-term one, you are more likely to consider all the factors that go into making your relationship with the MSP work in the long run.

/by

Do your homework: 3 things to do when looking for an MSP

,

Thinking of hiring a Managed Service Provider, but not sure how to go about it? Here are a few things to do before you zero in on one.

Figure out what you have already

The first step in a good plan is to figure out where you stand currently. Before you talk to an MSP, conduct an audit of your IT infrastructure to decide what you have currently. List all your hardware and software. When performing this IT audit, don’t forget other technologies that you are using, such as biometric access systems, CCTV systems and even telephone systems. You may think they are irrelevant as they are not directly related to your IT infrastructure, but, in the near future you may want them all to be connected to one another, and so, including them in the audit and inventory right now is a good idea.

Figure out what you need

This is the next step. After you determine what you already have, the next step is to figure out what you need. What do you want to add on or remove from your existing IT infrastructure? Are your servers too slow? Do you want to switch to the Cloud instead of traditional services? Do you want a Unified Communications set up instead of your current PBX phone line? Do you want to shift to a work-from-home model and need the infrastructure to support that?

Do your research

Now that you are clear about what you have and what you need, start doing your research. If you have an in-house IT team, you can ask them to evaluate the various options that can help you reach your goal. If not, then there are plenty of resources available online for SMBs that help with tech questions. https://www.sba.gov/learning-center is one great resource and a Google search will get you more.

As a part of this research, you should also make a list of credible MSPs in your area and learn more about them. A Google search can help you with that, but it would be even better if you reach out to a couple of your peers requesting them to refer you to their MSPs, if they have one.

Hiring an MSP means trusting them with your IT infrastructure, so it is very important that you have a clear understanding of what you really want and need, so you can share your expectations with your new MSP. This transparency and clarity goes a long way in determining the success or failure of your relationship with the MSP.

/by

4 things to do to ensure your business continuity planning is a success

,
4 things to do to ensure your business continuity planning is a success

4 Things to do

Working on creating a contingency plan for your business? That’s great! Here are 4 things you need to consider when preparing your new business continuity plan.

Audit of your business continuity plan
Having a business continuity plan alone is not enough. You need to audit it at regular intervals to ensure it is up-to-date and relevant. Often, business continuity plans aren’t used for years and may be obsolete or irrelevant by the time an actual emergency occurs.

Creating a team for business continuity
Constitute a team for your business continuity project. Decide who will take ownership of implementing the business continuity in the event of an emergency. Break down the business continuity plan into smaller elements and decide who is responsible for each of them. Also, remember to designate a back up for each person in the team.

Mock Drills and Dry Runs
After your business continuity plan is ready you need to check if it really works. A dry run will tell you if it is really effective and also point out to loose ends, if any, that you can fix before the actual emergency.

Don’t forget a debrief
In case you do end up using your business continuity plan, make sure you do a debrief. It will help you determine the effectiveness of your business continuity plan. The brief should focus on identifying the losses you incurred from the disaster, the time taken for implementation of the business continuity plan, the key positives of implementation of your business continuity plan and also offer suggestions, if any for improvement. Irrespective of the size of your business, business continuity planning is indispensable. Bigger companies often have their own staff (IT as well as non-IT) for business continuity planning, but for SMBs to have their own business continuity planning team can be a bit of a strain on their resources. Consider teaming up with a MSP who is experienced in disaster recovery planning, so you don’t cut corners now to regret later.

/by

Multi-factor Authentication Demystified

,

Multi-factor Authentication Demystified

You have probably come across the term multi-factor authentication of late. It is an IT buzzword today and is fast becoming one of the best practices of cybersecurity. So, what is multi-factor authentication, exactly? Read this blog to find out.

Multi-factor authentication, as fancy as the term sounds, is just multiple barriers to data access which adds to the security component. In simple terms, imagine, your data in a box, and that box fit into another, and then into another–all with locks. It is basically adding layers of security to your data. In fact, we are already experiencing multi-factor authentication on a regular basis. For example, when you want to make a transaction online using your banking portal, chances are, it sends you an OTP (one-time-password) to your mobile number that’s registered with your bank. Some banking portals also ask you for the grid numbers on the back of your debit card, and some online transactions using credit cards ask for CVV or expiry dates.

Even Gmail, Facebook, and LinkedIn use multi-factor authentication when they see unusual activity in your accounts such as a first-time log-in from a device you haven’t used before, or a log-in at a time that you don’t usually access your Gmail, Facebook or LinkedIn accounts. Going beyond OTPs, Facebook takes multi-factor authentication a notch higher by asking you to identify a couple of your friends on Facebook or your most recent profile picture.

According to Wikipedia, Multi-factor authentication (MFA) is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something the user and only the user knows), possession (something the user and only the user has), and inherence (something the user and only the user is). In simpler terms, that means,

  • As the first layer of security, we have passwords, answers to security questions, PIN numbers etc.,
  • The second layer includes authentication methods such as OTPs, security tokens, access cards, etc.,
  • The third, and final layer is something personal to the user. Examples include biometric validation such as an eye scan, fingerprint scan, voice commands, or facial recognition.

So, you see, even something as simple as withdrawing money from an ATM has you going through the multi-factor authentication process. You need to key in your PIN number and use your debit card to be able to transact successfully. With cybercrime being rampant, businesses cannot rely on old school access authorization methods using a single password or PIN. Ask an MSP today about setting up a strong, reliable, multi-factor authentication system for your data.

/by