Password security – a source of anxiety for many of us. So much of our lives rely on the strength and secrecy of our passwords. How would you like to never worry about your password security ever again?

In today’s workplace, almost everything we do requires some form of password-guarded access.

Because password security is so crucial, it is part of my job to educate others to ensure password security. Many people fall foul of poor password security at one point or another. If you’re lucky, it results in your computer’s language hilariously changed to something you have no hope of understanding. The result being time lost, spent on reversing the language change. If you’re not so lucky, a compromised password can lead to hackers and digital thieves accessing sensitive information, stealing money, corrupting data, or locking you out from your accounts. The consequences can cut deep and take many months or even years to repair.

Password practices are often taken for granted, which is one of the reasons why reminding ourselves of best practices from time to time, such as on the annual Password Day, can help us ensure complete password security.

Follow these steps to never have to worry about password security again.

Stop Being Predictable

We’ve all been trained to build our passwords the same way. Years of automatic prompts have asked us to include capitalized letters, and numerical or punctuation characters, in our passwords.

Unfortunately, password crackers out there have noticed the pattern.

The result is that we all:

  • Start out with a favored word to form the foundation of our password
  • Use up our capital letter on the first character
  • Add a number and an exclamation mark to the end of the password to hit the requested quota
  • And voila – we’re left with our ‘uncrackable’ password: “Ninja1!”

While we think we are secure, having hit all the types of characters required, we are leaving ourselves open to having our password guessed. Whether through social engineering to crack passwords, or by way of other password hacking methods, we are left vulnerable. Our best bet is to stop being so predictable.

    Stop Using One Word Passwords

    Words are very predictable. The next step we can take in upgrading our password security is to banish the use of single-word passwords. Not only are one-word passwords often short, but they are also predictable. Did you know that databases exist that contain every word in every language? The purpose of these databases is to be used by hackers to crack passwords simply by trying every word. This is called a dictionary attack, which can also take the form of a rainbow table attack. Of course, it might seem that one-word passwords are far easier to remember than anything else is. But, when thinking of security, ease cannot be the main criterion for decision making. Security must be.

    In fact, as Better Business Bureau explained, some of the most common (and least secure) passwords are not always words.

    The following passwords were the top 10 passwords used in 2014. You might guess that these passwords should not be your first choice for your online banking account.

    1. 123456
    2. password
    3. 12345
    4. 12345678
    5. Qwerty
    6. 123456789
    7. 1234
    8. Baseball
    9. Dragon
    10. Football

    Not only are more complex passwords more secure, they can be just as easy to remember too.

    What makes a strong password? On to our next step.

    Long And Strong Passwords

    How can we create passwords that are strong and still memorable? There’s a bit of a trick to it.

    First off, strong and memorable passwords should consist of multiple words. PieceOfCake you might think.

    Nope. The first rule of multi-word passwords is to use a string of words that are either nonsensical, or that are very particular to you.

    CoffeeLobsterMarathon – a good place to start for a nonsensical string of words. And the image it conjures is so bizarre it’s easy to remember.

    DavesFavoriteColorIsGrey – Knowing your mate Dave’s favorite color is a very unique circumstance to you. And very hard to guess.

    Second stage is to interlace these passwords with – you guessed it – special characters.

    Leaving us with C0ff33L0b$t3rM8r8th0n and D8v3sF8v0r1t3C0l0r1sGr3y.

    Both of these blow “Ninja1!” out of the water in terms of password security.
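The rules above (no top-10 password, no predictable word+number+symbol shape, more than one word, digits or symbols interlaced, and the 14-character minimum given later on this page) can be turned into a policy check. This is an added example, not code from the original post; the leet substitutions it undoes are the ones used in the page’s own examples.

```python
import re
from typing import List

# The page's list of the top 10 passwords used in 2014, lower-cased for comparison.
TOP_PASSWORDS = {
    "123456", "password", "12345", "12345678", "qwerty",
    "123456789", "1234", "baseball", "dragon", "football",
}

# The "Ninja1!" shape: one (optionally capitalised) word with a few digits
# and punctuation marks tacked on the end to satisfy a complexity prompt.
PREDICTABLE = re.compile(r"^[A-Z]?[a-z]+[0-9]{0,4}[!@#$%^&*?.]{0,3}$")

# Substitutions used in the page's examples (C0ff33L0b$t3rM8r8th0n), undone so
# the word count sees the underlying words.
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "8": "a", "$": "s", "@": "a"})

# Minimum length recommended later on this page (assumed policy value).
MIN_LENGTH = 14


def word_count(password: str) -> int:
    """Count the words in a camel-case passphrase after undoing leet substitutions."""
    plain = password.translate(UNLEET)
    return len(re.findall(r"[A-Z][a-z]+|[a-z]+", plain))


def assess(password: str) -> List[str]:
    """Return the page's objections to a password; an empty list means it passes."""
    problems = []
    if password.lower() in TOP_PASSWORDS:
        problems.append("on the top-10 list")
    if PREDICTABLE.match(password):
        problems.append("predictable word+number+symbol pattern")
    if word_count(password) < 2:
        problems.append("single word")
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 14 characters")
    if not re.search(r"[^A-Za-z]", password):
        problems.append("no digits or symbols interlaced")
    return problems


if __name__ == "__main__":
    for candidate in ["Ninja1!", "Qwerty", "CoffeeLobsterMarathon",
                      "C0ff33L0b$t3rM8r8th0n", "D8v3sF8v0r1t3C0l0r1sGr3y"]:
        print(f"{candidate}: {assess(candidate) or 'OK'}")
```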

    Use Unique Passwords For Every Account

    I know. This advice normally elicits the response that it is impossible to remember passwords for every account. But, for reasons we will get into later, it really isn’t. And the benefits are huge.

    Does anyone you know use one password for every account? Many people do. The problem is that it is a real threat to password security, because it only takes one leak from one of the many places you’ve used that password for more accounts to be accessed.

    If your username, email address, and password are exposed by a security breach of one of the services, accounts, or companies you have dealt with – hackers will be able to take these details and try to access any other accounts with the same details. If passwords are different for every account you use, this technique will not work. Meaning you can enjoy much better password security. So, how on earth can we remember each and every password?

    A Smarter Way To Memorize Your Passwords (A Password Manager)

    It would be very impractical to try to memorize passwords for every single account we own. For accounts we access every day, it would probably be doable. But, many times we have accounts to things we only need to access occasionally. At which point memory will likely let us down. We need some help. Password managers are secure applications that help us store and organize passwords. It is simply the best way to manage all the accounts and passwords we have. All we need to do then is remember the password we need to access the password manager. If you’ve followed the advice above, your password manager password will be strong and memorable.

    Change Your Passwords Regularly

    The dreaded password change. Often people see this as either optional, or a needless inconvenience. But there are very strong arguments for why changing passwords regularly is essential for password security. For example, brute-force attacks are used to decipher passwords. They work simply by trying every possible combination of characters. The limitation of this type of approach is that it requires a lot of time to achieve its desired result. Although – even then, this can be surprisingly short. Using our example above, according to How Secure is my Password, “Ninja1!” can be cracked in 7 minutes. Changing passwords frequently can minimize the risk that a brute-force attack has enough time to breach your password security. Not to mention that it can also minimize the danger posed by password leaks.

    Don’t Casually Share Your Passwords

    You would never share your password with anyone, right? Especially not a stranger. When we’re not focused on security, it can be easier to fall into a trap than we realize. If you think one of your accounts might be compromised, be sure to change the password as soon as possible.

    Ensure You Have Anti-Malware Installed

    What’s the connection between password security and malware? Well, some types of malware are able to track keyboard inputs for account and password information, and transmit that information to a malicious third party. The strongest password will do us no good if malware is able to track the input from our keyboard. Which means that part of our password security regime must be ensuring our devices are malware free. Malware often uses security flaws in unpatched software to infect a system. Therefore an up-to-date operating system is also needed to fully protect your device from being compromised by malware.

    Enable Two-Factor Authentication

    Two-factor authentication provides an extra layer of protection for your password security regime. On top of a password, authorized access requires another factor to login to your account.

    For example, a second factor might be a time-limited security code generated by an authenticator app on your mobile device – such as two-factor authentication with TeamViewer. Access is only granted when the username/email address, password, and security code are all entered correctly.

    This is perhaps the most sure-fire way to ensure total password security, as even if your password is compromised, access will not be granted to your account without the correct second factor authentication.

    Password Security Key Takeaways

    Being absolutely sure of password security is a major relief. All sorts of potential problems can be avoided. Once you’ve set up the system you want to use, practice makes it a part of everyday business.

    In summary, password security means:

  • Dropping the predictability. “Ninja1!” doesn’t cut it
  • Leave one-word passwords behind
  • Long and strong passwords are better and can be easy to remember too
  • A different password for every account stops hackers in their tracks
  • Password managers are a must-have tool for password security
  • Changing passwords regularly is not optional
  • Be careful not to reveal passwords to untrustworthy sources
  • Make sure there is no malware on your devices
  • Use two-factor authentication wherever you can

    I hope you found this advice useful.

    The NBA Finals may now be over but for one team, the losses keep coming. Yahoo! Sports reported that the Milwaukee Bucks fell victim to a spoofed email scam last month. Names, addresses, Social Security numbers, compensation information and dates of birth of the players were unknowingly sent to a hacker and created a massive security issue for the team. And just because your employees don’t make millions of dollars doesn’t mean hackers won’t target your company. Here are four ways to protect yourself from spoofed emails.

    Education is key
    There are countless cliches out there promoting the importance of education, but when it comes to cyber security, you might as well embrace them all. In the case of spoofed emails, you need to make sure your employees know what these are and how they can harm your company. They can come in several forms and look to attack your organization in a number of different ways. A good defense starts with trained employees using best security practices when it comes to emails. Knowledge isn’t just the key to success, it’s the building block of a comprehensive email security plan.

    Check the sender
    The easiest way to tell a real email from a spoofed one is to look at who is sending it. While your basic junk mail folder will screen the really lazy attempts at spoofing, you and your employees can’t rely on it to weed out everything. A lot of cybercriminals have gotten skilled at mimicking the look and feel of companies through professional-looking graphics and signatures. For starters, you are going to want to ignore email display names, as these can be deceptive. The domain name provides the best clues as to who the sender really is. For instance, if an email requesting your company’s financial documents claims to be from the IRS but the domain reads IRSgov.com, it’s a spoof email, since that domain is not what the IRS uses. If you ever spot an email containing a domain you consider to be suspicious, delete it immediately. If it is from a legitimate sender, they will send you a follow-up email in a couple of days.

    Embrace DMARC
    Domain-based Message Authentication, Reporting and Conformance (DMARC) can help reduce the risk of spoofed emails being sent internally. For businesses that do not set this up, it is possible for someone to spoof an email account that looks like it is from your business or a current employee and send it from a different server. As we saw in the case with the Bucks, these can appear legitimate to employees, who will then in turn do what is requested, such as turn off security settings or hand over sensitive data. With DMARC in place you can prevent spoofed emails from utilizing your domains by requiring any email claiming to come from your domain to be sent from your authorized servers. This greatly reduces the risk of an internal spoofed email showing up in the inbox of your employees.
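The two checks above (ignore the display name and compare the sender’s domain, and confirm that a domain’s DMARC policy actually enforces rather than merely monitors) as an added example that is not part of the original article. The messages and DNS TXT records are constructed; irs.gov is assumed as the legitimate domain, and 'p=none' is treated as monitor-only because that is what the DMARC specification defines it to mean.

```python
from email import message_from_string
from email.utils import parseaddr

# Domains the organisation accepts for this correspondent (assumed; the page
# only says IRSgov.com is not the IRS's domain).
TRUSTED_DOMAINS = {"irs.gov"}

# Constructed messages, not taken from the page.
SPOOFED = """From: "Internal Revenue Service" <refunds@IRSgov.com>
To: accounts@example.com
Subject: Financial documents required

Please send your company's financial statements by end of day.
"""

LEGIT = """From: "Internal Revenue Service" <noreply@irs.gov>
To: accounts@example.com
Subject: Notice

Your notice is available in your online account.
"""

# Constructed DMARC records as they would appear at _dmarc.<domain> TXT.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
ENFORCING = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"


def sender_domain(raw_message: str) -> str:
    """Return the domain of the From: address, ignoring the display name."""
    msg = message_from_string(raw_message)
    _display_name, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def is_trusted_sender(raw_message: str, trusted: set) -> bool:
    """True when the sender domain is a trusted domain or one of its subdomains."""
    domain = sender_domain(raw_message)
    return any(domain == t or domain.endswith("." + t) for t in trusted)


def parse_dmarc(txt_record: str) -> dict:
    """Split a DMARC TXT record ('v=DMARC1; p=reject; ...') into its tags."""
    tags = {}
    for part in txt_record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_enforces(txt_record: str) -> bool:
    """True when receivers are told to quarantine or reject mail that fails
    alignment; p=none only asks for reports and blocks nothing."""
    tags = parse_dmarc(txt_record)
    policy = tags.get("p", "none").lower()
    return tags.get("v", "").upper() == "DMARC1" and policy in {"quarantine", "reject"}


if __name__ == "__main__":
    for label, msg in [("spoofed", SPOOFED), ("legit", LEGIT)]:
        print(label, sender_domain(msg), "trusted" if is_trusted_sender(msg, TRUSTED_DOMAINS) else "NOT trusted")
    for rec in (MONITOR_ONLY, ENFORCING):
        print(rec, "->", "enforcing" if dmarc_enforces(rec) else "monitor only")
```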

    Utilize email protections
    A lot of companies believe they can get by with the simple protections that come standard with an email client. However, doing the bare minimum is rarely enough to stop spoofed emails, not to mention all of the other threats lurking in your inbox, and high-powered email and spam protection will give your organization the added layer of security it needs. Much like elite-level basketball players need the best coaching and equipment to succeed, the only way to truly reduce the risk of falling victim of a spoofed email is to educate your staff properly and then equip them with email filtering. This ensures they aren’t wasting their time constantly trying to identify legitimate emails from fake ones but are prepared when the situation presents itself.

    When it comes to email security, working with us is a slam dunk. We may not have the skills of Steph Curry on the basketball court but when in the realm of IT, competitors say they want to be like us. Give us a call today to find out more.

    Published with permission from TechAdvisory.org

    Cyber security is an important topic to address, not only for your personal files and accounts, but also for your clients.

    As mentioned in previous posts, both the ABA and many State Bars state, as part of their general guidance, that lawyers must take reasonable precautions to prevent client information from falling into an unintended recipient’s hands.

    One of the first steps to ensure that your client’s information is safe is to make sure your personal accounts are safe.

    I recently came across an article from The New York Times about just this topic: How to Devise Passwords that Drive Hackers Away. Beyond the obvious red flags about hackers (such as avoiding suspicious links), it offers some practical tips.

    Here are some take-aways from the article to help better ensure both your personal files as well as your clients are protected.*

    Never use the same password twice

    Although it is much easier for you to remember 1 password for all 20 online accounts, it’s also that much easier for a hacker to get into all of those 20 online accounts from your Facebook Page to your online bank account.

    Come up with a passphrase

    Lengthwise, a password should be at least 14 characters (or more!). The longer your password, the longer it will take a hacker to crack it. Sometimes it is easier to remember a phrase (like your favorite movie quote) than a longer password.

    Store your password securely

    Just because you’ve now come up with clever, extremely lengthy passwords for every single online account you have, you’re not in the clear yet. Make sure you keep these passwords secure! That means avoid leaving any of them on a post-it note on your desk. If you keep the passwords in a file on your computer, make sure it’s a secure file that only you have access to. Or if you don’t want any record of your passwords on your computer, whatever you write them on, make sure it’s locked away. Also, leaving password hints is typically better than writing down the actual password.

    *Note: these take-aways are tips to increase password protection; however, they cannot ensure 100% protection.
    Published with consideration from Thomson Reuters

    Taking work home, or practically anywhere else, has never been easier. With personal mobile devices, your employees can access company files wherever they are. Bringing your own device (BYOD) has become a popular strategy for many businesses to conduct work more efficiently and flexibly. But this strategy is not without its problems. BYOD, if not implemented correctly, can make your system susceptible to a number of risks. So what security risks do you have to account for? Here are 4 Security risks to consider with BYOD.

    Data leakage

    The biggest reason why businesses are wary of implementing a BYOD strategy is because it can potentially leave the company’s system vulnerable to data breaches. Personal devices are not part of your business’s IT infrastructure, which means that these devices are not protected by company firewalls and systems. There is also a chance that an employee will take work with them to where they are not using the same encrypted servers that your company is using, leaving your system vulnerable to inherent security risks.

    Lost devices

    Another risk your company has to deal with, is the possibility of your employees losing their personal devices. When devices with sensitive business information are lost, there is a chance that this could end up falling into the wrong hands. Additionally, if an employee forgets to use a four digit PIN code to lock their smartphone or tablet, anyone can gain unauthorized access to valuable company data stored on that particular device. Therefore, your company should consider countermeasures for lost devices like completely wiping the device of information as soon as an employee reports a missing or stolen phone.

    Hackers can infiltrate your system

    Personal devices tend to lack adequate data encryption to keep people from snooping. This along with the fact that your employees might not have updated their devices can allow hackers to infiltrate your IT infrastructure.

    Connecting to open Wifi spots makes your company more susceptible to hackers. Open wireless points in public places can put device owners at risk because there is a chance that hackers may have created that hotspot to trick people into connecting. Once the device owner has connected, attackers can simply surveil web activity and gain access to your company’s accounts.

    Vulnerable to malware

    Viruses are also a big problem when implementing BYOD strategies into your business. Using personal devices means your employees can access whatever sites or download any mobile apps that your business would normally restrict to protect your system.

    Jailbreaking or rooting a device also puts your systems at risk because it removes limitations imposed by the manufacturer to keep the mobile software updated and protected against external threats. It’s best to understand that as your employees have the freedom to choose whatever device they want to work with, the process of keeping track of vulnerabilities and updates is considerably harder. So if you’re thinking about implementing BYOD strategies to your business, prepare your IT department for an array of potential malware attacks on different devices.

    So you might be thinking that it would probably be best to just avoid implementing a BYOD strategy in the first place. However, BYOD will help your business grow and adapt to the modern workplace, and should not be dismissed as a legitimate IT solution. It’s just important to educate your company about these risks so that problems won’t occur for your business down the line.

    Published with consideration from TechAdvisory

    Employees are on the front lines of information security. Regularly reminding yourself of the small things you can do goes a long way towards protecting your organization.

    Since it is the beginning of the year, many people are returning to work and trying to get out of “vacation mode.” (Us too!) We’ve decided to outline some tips to help you throughout the year to stay safe online while protecting your company in the process.

    General Best Practices

  • Avoid providing personal information when answering an email, unsolicited phone call, text message or instant message.
  • Never enter personal information in a pop-up web page or anywhere else that you did not initiate.
  • Keep security software and all other software programs updated.

    Cyber Security Best Practices

  • Phishers will try to trick employees into installing malware, or gain intelligence for attacks by claiming to be from IT. Be sure to contact your IT department if you or your coworkers receive suspicious calls.
  • Don’t leak intellectual property, even accidentally. Sharing a picture with a whiteboard or computer screen in the background online could reveal more than someone outside of your company should see.
  • Report security warnings from your Internet security software to IT immediately; chances are, they aren’t aware of all threats that occur.
  • If traveling, alert your IT department beforehand, especially if you’re going to be using public wireless Internet. If offered, make sure you know how to connect to the company’s Virtual Private Network (VPN).
  • Be cautious of links and attachments in emails from senders you don’t recognize. Phishers prey on employees who open these without checking them out, opening the door to malware.
  • If you’re unsure about an email’s legitimacy, contact your IT department or submit the email to Symantec Security Response through this portal.

    Online Behavior

  • Don’t steal. Taking intellectual property and releasing professional secrets are likely against corporate policies. Your company may track sensitive documents and you could get into hot water.
  • Read your company’s Acceptable Electronic Use (AEU) policy, and follow the policies for safe use of your devices.
  • When backing up to cloud services, be sure to talk to your IT department first, for a list of acceptable cloud solutions. Organizations can make this part of their AEU policy and make it a fire-able offense.

    Best Practices for When to Contact Support

  • Call IT before you get in over your head. Often what starts as a simple update can be made more complex by attempting to “fix” the problem.
  • When you Bring Your Own Device (BYOD), ask your IT department if your device is allowed to access corporate data before you upload anything to it. Use authorized applications to access sensitive documents.
  • Learn the process for allowing IT to connect to your system. This can save time when you contact support and they need access to resolve an issue.
  • Learn basic computer hardware terms. This can save valuable time when you contact support and don’t have to describe the “mouse connector-thingy.”

    Used with permission from Norton by Symantec by Nadia Kovacs

    As today’s companies are increasingly tending to run their business on the basis of digital assets, information security has become an even more critical factor of the business model, as it protects the most essential asset: information.

    We know that security is not a goal, but rather a process. As such, prevention and constant reinforcement of the outer edge of the corporate system are vital elements in the defense of assets in cyberspace.

    But despite this, contingencies occur, and the risk of suffering a security breach must always be considered. So let’s look at what action we should take in the face of this type of scenario to overcome a situation in which the organization’s resources could be compromised.

    Here are 5 steps to take after a company is infected:

    Step 1: Determine the scope of the infection

    Time and time again, companies that have been victims of infections assess the traces of the impact just by using their intuition, rather than by means of an analytical examination of the problem. Clearly, after detecting an infection at the company, reaction speed is extremely important. However, hurrying to make groundless appraisals can divert your attention away from the right actions to take.

    If the necessary precautions have been taken, and there has consequently been an investment into the development of robust contingency management systems, it is possible to quickly gather the bits of evidence you need to answer some of the first key questions.

    In this way, to begin with it is necessary to establish which systems have been compromised and in what way. Is the infection limited to a single piece of equipment or subnetwork? Has any sensitive data leaked out? Are we talking about corporate data, or private data relating to employees and/or customers?

    Step 2: Ensure continuity of service

    In the case of a leak of information which might compromise employees or end users, the second step would be to give them a warning of the possible breach and advise them to watch out for any unusual movements they might notice regarding the data they have stored under your service.

    If any physical equipment has been seriously compromised, you must set in motion any processes to activate backup resources, in order to maintain customer service. For this reason, it is critically important to plan your defense against attacks on availability, creating redundancy of equipment and connections. This, together with an action plan suitably defined at the level of the organization, will enable a rapid response to any events that lay siege to corporate security.

    Step 3: Contain the infection

    The containment of an infection begins with isolation of the equipment that you know has been compromised. Shutting down the segments of the network that include this equipment prevents the infection from continuing to spread throughout the corporate network, and interrupts any connection that may have been established with the attacker for the purpose of stealing information.

    If the traffic generated by the malicious agent turns out to be encrypted, the analysts must try reverse-engineering it to obtain the cryptographic keys. However, if communication is taking place on non-confidential protocols like HTTP, it will be exponentially easier to track the commands used by the attacker.

    Either way, studying these commands can lead the investigation to the discovery of new infected equipment, and the generation of traffic patterns should be translated into firewall rules, to quickly generate a first line of defense.

    To achieve this, it is necessary to have correctly labeled traffic captures in order to speed up processing. Once again, it’s self-evident that proactive prevention and detection of threats are the cornerstone of information security and define a company’s capacity to respond in times of crisis.
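The containment work described in Step 3 (finding further infected equipment from the traffic pattern seen on the isolated machine, and turning that pattern into first-line firewall rules) as an added example that is not part of the ESET article. The proxy log lines are constructed, and 203.0.113.10 is a documentation address standing in for the attacker host identified during the analysis.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed proxy log lines (not from the page): timestamp, client IP,
# method, URL, HTTP status. 203.0.113.10 is a placeholder for the host the
# isolated machine was seen communicating with over plain HTTP.
SAMPLE_LOG = """\
2016-06-01T09:00:01 10.0.5.21 GET http://203.0.113.10/check?id=21 200
2016-06-01T09:00:05 10.0.5.21 GET http://www.example.com/news 200
2016-06-01T09:01:10 10.0.5.44 GET http://203.0.113.10/check?id=44 200
2016-06-01T09:02:00 10.0.7.9 POST http://203.0.113.10/upload 200
2016-06-01T09:03:30 10.0.5.44 GET http://intranet.example.com/ 200
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) http://([^/\s]+)(\S*) (\d{3})$")


def parse_log(text: str) -> List[dict]:
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, client, method, host, path, status = m.groups()
        entries.append({"ts": ts, "client": client, "method": method,
                        "host": host, "path": path or "/", "status": int(status)})
    return entries


def hosts_contacting(entries: List[dict], indicator_host: str) -> Dict[str, Set[str]]:
    """Map every internal client that talked to the indicator host to the
    paths it requested, which is the traffic pattern to look for elsewhere."""
    seen = defaultdict(set)
    for e in entries:
        if e["host"].lower() == indicator_host.lower():
            seen[e["client"]].add(e["path"])
    return dict(seen)


def firewall_rules(indicator_host: str, clients) -> List[str]:
    """First-line rules (iptables syntax): block egress to the attacker host,
    then cut off each client identified as infected until it is cleaned."""
    rules = [f"iptables -A FORWARD -d {indicator_host} -j DROP"]
    for client in sorted(clients):
        rules.append(f"iptables -A FORWARD -s {client} -j DROP")
    return rules


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    hits = hosts_contacting(entries, "203.0.113.10")
    for client, paths in sorted(hits.items()):
        print(f"{client} contacted the indicator host: {sorted(paths)}")
    print("\n".join(firewall_rules("203.0.113.10", hits)))
```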

    Given that most of the procedures mentioned involve non-automated analysis of information, it is crucial to put in place a comprehensive corporate security solution in advance. This will make it possible to instantly deploy actions to block any harm that a malicious agent might attempt to inflict after penetrating your defenses.

    The latest generation of ESET corporate solutions was developed to be a key factor in the containment process, thereby preventing the spread of infectious components through the company’s different transaction systems.

    Step 4: Mitigate the infection and eliminate the line of attack

    Removal of the malicious part is a complex procedure which initially involves a detailed analysis of the code in order to understand how it works. Antivirus solutions support this type of activity by enabling automatic disinfection and saving valuable time in the process of responding.

    It is essential to understand that if the attackers are not completely eradicated from the network, they can resume their fraudulent activity on the infected equipment through another line of attack. Because of this, it is of vital importance to isolate the flaw that allowed them to enter in the first place, and then remove it from the system.

    Even after equipment identified as compromised has been cleaned, there remains a risk that other undiscovered infected equipment is still in operation. To prevent this from occurring, we need to reinforce the analysis of the packets transmitted by the network, as we now have the advantage of knowing the communication protocols and commands used thanks to the previous analysis of the infection.

    Together with a review of the firewall rules, changing the passwords on corporate networks is another preventive measure to take after detecting compromised resources, as this is one of the favored goals in corporate attacks. While the process of updating keys may take time and effort, it will prevent the attackers from using any stolen information to disguise themselves as a legitimate user.

    At this point, it is worth establishing whether the infection was the simple result of carelessness online, or whether it constitutes a successful link in a chain of persistent targeted attacks.

    If it is established that the infection was specifically targeting the organization, the real question to answer will be who lies behind these events, bearing in mind that another attack could be imminent.

    Step 5: Learn from any errors

    Carrying out an in-depth investigation into what happened will give cause for improving the processes within the organization. The removal of any vulnerabilities whose existence was previously unknown provides an opportunity to reinforce the perimeter of the corporate networks by identifying any other potential points of access to the system that had not previously been considered as falling within the scope of lines of attack.

    Infections are always absolutely negative events for a company; however, they offer opportunities to learn. They show which elements of the system’s design need to be strengthened and they allow you to discover the flaws in the current defense measures.

    Published with consideration from ESET.

    Every time a stolen laptop leads to a data breach, you wonder why the business involved hadn’t set up any safeguards. Take, for instance, the unencrypted laptop stolen from a former physician at the University of Oklahoma, or the laptop stolen from insurance provider Oregon Health Co-op containing data on 15,000 members.

    You’d think money would motivate them, if nothing else. In November, EMC and Hartford Hospital were ordered to pay US$90,000 to the state of Connecticut over the theft of an unencrypted laptop in 2012 containing data on nearly 9,000 people. The laptop was stolen from an EMC employee’s home.

    The problem extends far beyond the healthcare industry, too—such as the laptop stolen from SterlingBackCheck, a New York-based background screening service. The laptop contained data on 100,000 people.

    These types of breaches don’t quite grab the same headlines as major cybercrimes and hacking incidents, if only because a thousand employees affected by a laptop theft is less dramatic than 40 million customers at Target. But it’s a lot easier to steal a laptop than it is to hack into a corporate database, so the theft and loss of laptops, as well as desktops and flash drives, highlight the need for enhanced physical security and employee training.

    It’s easier to steal a laptop than to hack a database

    The organizations mentioned here have wised up. A spokesperson for the University of Oklahoma said it has launched an encryption program and new training for employees when it comes to handling sensitive data.

    SterlingBackCheck said it has updated its encryption and audit procedures, revised its equipment custody protocols, retrained employees on privacy and data security, and installed remote-wipe software on portable devices.

    Another threat to your data is the proliferation of Bring Your Own Device (BYOD) policies and mobile workers. Gartner anticipates that half of all companies will have some need for a BYOD policy by 2017. Workers will be using their own devices as well as company-issued ones in the office or on the go. This opens up a new risk if devices are lost or stolen.

    Security firms like Sophos urge companies to put a robust policy in place for the handling of professional devices, including full disk encryption as well as encrypted cloud and removable media. A strong password is highly recommended too, but it’s not enough on its own.

    A greater sense of urgency wouldn’t hurt, either. In Oklahoma, the physician had actually left his position at the university before his personal laptop went missing. He couldn’t say for sure whether it contained sensitive data, but by the time that possibility arose, it was too late.

    In another incident, at manufacturer Tremco, an employee lost a company-issued laptop on a plane. It was several weeks before the employee realized that it contained spreadsheets of personal employee data.

    Encryption, remote wiping, better data tracking

    Companies need to know where their data is at all times—not just what device it is on, but where that device is located physically.

    This highlights the need for remote wiping tools, which SterlingBackCheck has put in place. If a laptop is lost or stolen, the company should have an easy way to remotely wipe the sensitive data to ensure it never leaks.

    Much like large-scale hacking attacks, it’s the consumer or the patient that really suffers when a data breach occurs. The onus lies with the company to handle this data responsibly, whether it’s in the cloud or on a laptop on the bus.

    Published with consideration from PCWorld. SOURCE

    Adapt to Survive: Keeping One Step Ahead of Cyber Threats

    There have been numerous high profile cyber-attacks in recent years on private companies and government agencies. In May 2014, eBay was hacked and had to announce that personal details of 233 million of its users had been stolen. In November of the same year Sony suffered a similar fate when 102 million of its user accounts were compromised, and several emails were leaked from its high-ranking Hollywood executives. Earlier this year, it was discovered that the United States Office of Personnel Management had suffered two large-scale hacks, resulting in the theft of millions of employee personnel records.

    Against this backdrop of ever increasing cyber threats—and when you consider how much sensitive data is held by law firms—you realize how vital it is for the legal industry to keep data secure. Especially when the outcome of a legal case and the reputation of the legal firm concerned rests on it.

    Security Audit

    For each individual case, a busy law firm will usually be privy to a large number of physical documents, will hold considerable amounts of electronic data, and will have a vast number of exchanges with clients that may contain sensitive information. The potential vulnerabilities are therefore considerable, and the first step is to have all the risks professionally assessed by a cyber-threat specialist. Once you know where the gaps in your security lie, you can take steps to address them. A good way to do this, especially after an audit, is to create an Information Security Policy that lays out guidelines for your staff to ensure data is kept secure.

    Some high profile clients may wish to audit your firm from a security point of view before they appoint you. This is particularly true of those industries which are heavily regulated, such as health insurance, and payment card processing companies. If you have already carried out your own internal audit, then this eventuality shouldn’t be such a daunting experience.

    Keeping Documents Safe

    It is imperative that the records a legal firm holds are kept safe to protect their clients’ reputations as well as the fact that any breach could result in damage to ongoing lawsuits. The best option is to employ the services of a secure document management company that can protect your data whilst giving you the flexibility to access it whenever needed, an important point given the day to day practicalities of life in a law firm. These providers will be subject to their own auditing and will use high levels of both physical and data security to protect your assets. They can also store both hard copy documents and data.

    Firewall and Anti-Virus Software

    Your internal network and website should have a firewall as the first line of defense. Anti-virus software is also important to protect you from malware. In one recent case involving a legal firm, the firm was the target of spear phishing: a targeted email crafted to appear to come from a source the firm recognizes and trusts. When the recipient opens the attachment or follows the link the email carries, malware is installed that sits in the background gathering sensitive data for the attacker. Because the lure is built around the recipient's real contacts and work, spam filters and signature-based anti-virus alone will often not stop it, which is why staff awareness matters as much as the software.

    Anti-virus software needs to be updated regularly and all systems should be scanned on an ongoing basis. These updates and scans should be set to run automatically by your IT department, to avoid human error.

    Encryption and Off-Site Servers

    The ideal solution for a legal firm is to have all its data held off-site in a high security data center. Furthermore, all data held should be encrypted at rest, and all communications, including email, should take place over encrypted connections. Encryption matters because even if the data center is breached or a disk is stolen, the information remains unreadable without the keys; that protection is only as good as the key management behind it, so keys must be held and controlled separately from the data they protect.

    Even if your law firm is relatively small, you aren’t immune to hacking. The FBI recently warned that even small and medium sized firms are now coming under attack. A law firm’s reputation is paramount. Clients expect their data to always remain confidential and the success of a case may rest on this fact. With the stakes so high are you willing to risk your reputation and a subsequent loss of business when some key steps taken now can do a great deal to protect you? Are you concerned your business’s security isn’t up to par? Need the guidance of a seasoned IT provider who specializes in security? Talk to us today.

    Published with consideration from Law Technology. SOURCE

    The report found the most popular phishing attack templates with the highest click rates are items employees expected to see in their work email.
    Phishing attacks continue to grow in volume and complexity, supported by more aggressive social engineering practices that make phishing more difficult to prevent, according to a report from Wombat Security Technologies.

    Organizations surveyed indicated they have suffered malware infections (42 percent), compromised accounts (22 percent), and loss of data (4 percent), as a direct result of successful phishing attacks.

    Survey respondents said they protect themselves from phishing using a variety of methods, including email spam filters (99 percent), outbound proxy protection (56 percent), advanced malware analysis (50 percent), and URL wrapping (24 percent).

    “The lack of measurement by security professionals concerned us the most,” Trevor Hawthorn, chief technology officer of Wombat, told eWEEK.
    He pointed out that 37 percent of respondents did not measure their susceptibility to phishing, and a staggering 56 percent do not assess end user risk.

    “Without assessing to understand security problems, you cannot create an effective plan to combat them,” he explained. “There are multiple ways that security officers can measure risk – through pulling numbers on items like policy violations, malware infections, reported and identified phishing attacks, or they can do a knowledge assessment or simulated phishing attack that will not only help them understand risk, but set a baseline to measure improvement against.”

    The report found that the most popular phishing attack templates with the highest click rates included items employees expected to see in their work email such as an HR document, or a shipping confirmation.

    “Email is a part of virtually everyone’s life. We get large volumes every day, and we have more and more details about our lives online on places like social media that allow criminals to create more targeted messages to get us to click,” Hawthorn said. “Organizations can be sure that they are continuously training their employees on what phishing messages look like and how to avoid them.”

    Wombat found that the following plugins were the most likely to be out of date and therefore exposed to attack: Adobe (61 percent), Adobe Flash (46 percent), Microsoft Silverlight (27 percent), and Java (25 percent).

    “Threats will continue to do what works until it doesn’t,” Hawthorn said. “Then they will adjust and exploit the next easiest path. Right now end users are still the easiest path. Why? Because the security industry has matured when it comes to managing risk of technical assets. We need to manage end user risk the same way we manage technical risk. Perform on-going, targeted assessments, and gather real-time user behavior data to determine a user’s risk level.”

    For additional tips on how to resolve to be better about cyber security in 2016, reach out to GCInfotech to assess your current network security and any potential vulnerabilities.

    Cyber attacks are a real concern for businesses today, but it’s important to be able to separate myth from reality. Education is key to protecting your business against an attack and keeping your business and customer data safe.

    Curious to learn about other common malware that can cause trouble for business owners? Want to upgrade your existing network security system? Give us a call today, we’re sure we can help.

    Published with consideration from eWeek. SOURCE

    Most business owners have an employee handbook. But when it comes to the online security of their business, this portion is often either not adequately addressed, or not addressed at all. However, with cyber crime an ever-increasing threat, and with employee error one of the most common causes of a security breach, it is vital that your staff are informed of your policies. Here are four policies that every business owner should share with their employees.

    Internet

    In today’s business world, employees spend a lot of time on the Internet. To ensure they’re not putting your business at risk, you need a clear set of web policies. Here are three important ones to keep in mind:

    1. Employees should be using the Internet for business purposes only. While this is undoubtedly hard to avoid without blocking specific websites, having a policy in place should at least cut back on employees spending time on non-business related sites.
    2. Prohibit unauthorized downloads. This includes everything from music to games, and even data or applications.
    3. Accessing personal email should not be done on business devices. If employees must access their own email account during the day, they can do so on their smartphone or other personal device.

    These are just a few Internet policies to get started, but you should also consider including information on your recommended browsing practices and your policies for using business devices (such as company phones) on public Wi-Fi.

    Email

    Just like the Internet policy mentioned above, company email accounts should only be utilized for business use. That means your employees should never use them to send personal files, forward links, or perform any activity outside their specific job role. Additionally, consider implementing a standard email signature for all employees. This creates brand cohesion on all outgoing emails and makes it easier to notice a message that is merely pretending to come from a colleague. Bear in mind that a signature is trivially copied by an attacker who has seen one legitimate email, so it is a cue for staff, not a control: the sender authentication your mail gateway applies (SPF, DKIM and DMARC results) is what actually verifies that a message claiming to come from your domain really did.
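    Because a signature block can be pasted by anyone, the check a mail gateway actually relies on is the result it records in the `Authentication-Results` header (RFC 8601). The following is an added example, not part of the original article or of TechAdvisory's material: it parses that header with Python's standard `email` package and classifies a message as authenticated internal mail, a spoof of the company's own domain, a registered lookalike domain, or ordinary external mail with a mismatched Reply-To. The company domain `example-law.com` and the three sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed company domain for the examples below; not from the original article.
OUR_DOMAIN = "example-law.com"

# Constructed sample messages (headers plus a one-line body). Not real mail.
LEGIT_INTERNAL = """\
Authentication-Results: mx.example-law.com; spf=pass smtp.mailfrom=example-law.com;
 dkim=pass header.d=example-law.com; dmarc=pass header.from=example-law.com
From: Jane Partner <jane@example-law.com>
Subject: Q3 billing spreadsheet

See attached.
"""

SPOOFED_INTERNAL = """\
Authentication-Results: mx.example-law.com; spf=fail smtp.mailfrom=bulk.example.net;
 dkim=none; dmarc=fail header.from=example-law.com
From: Jane Partner <jane@example-law.com>
Subject: Urgent wire transfer

Please action today.
"""

LOOKALIKE_EXTERNAL = """\
Authentication-Results: mx.example-law.com; spf=pass smtp.mailfrom=example-law.co;
 dkim=pass header.d=example-law.co; dmarc=pass header.from=example-law.co
From: Jane Partner <jane@example-law.co>
Reply-To: jp.partner@mail.example.org
Subject: Updated payment details

New account details below.
"""


def auth_results(raw_message: str) -> dict:
    """Extract {method: result} from every Authentication-Results header.

    Each header reads '<authserv-id>; method=result key=value; ...'. Only the
    methods that speak to sender identity are kept.
    """
    msg = message_from_string(raw_message)
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        _, _, clauses = header.partition(";")  # drop the authserv-id
        for clause in clauses.split(";"):
            match = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause, re.IGNORECASE)
            if match:
                results[match.group(1).lower()] = match.group(2).lower()
    return results


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains such as .co vs .com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(header_value) -> str:
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def classify(raw_message: str) -> str:
    """Decide how far the visible From header should be trusted."""
    msg = message_from_string(raw_message)
    from_domain = _domain(msg.get("From"))
    auth = auth_results(raw_message)

    if from_domain == OUR_DOMAIN:
        # DMARC is the only result tied to the From domain the reader sees; a
        # pasted signature block is trivially copied and proves nothing.
        return "internal-authenticated" if auth.get("dmarc") == "pass" else "spoofed-internal"

    if edit_distance(from_domain, OUR_DOMAIN) <= 2:
        # A registered lookalike passes its own SPF/DKIM/DMARC, so look at the name.
        return "external-lookalike-domain"

    reply_domain = _domain(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        return "external-reply-to-mismatch"
    return "external"


if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_INTERNAL), ("spoof", SPOOFED_INTERNAL),
                       ("lookalike", LOOKALIKE_EXTERNAL)):
        print(f"{label}: {classify(raw)} {auth_results(raw)}")
```

    The point the three samples make: the spoof and the legitimate message carry identical From lines and would carry identical signature blocks, and only the DMARC result separates them; the lookalike passes every authentication check because the attacker owns that domain, which is why the display-name and near-miss-domain checks still have to run.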

    Passwords

    We’ve all heard the importance of a strong password time and time again, and the same principle should apply to your employees. The reason is rather simple. Many employees will create the easiest-to-crack passwords for their business accounts; after all, if your organization gets hacked, it’s not their money or business at stake. Your policy should therefore ask for passwords that include special characters, uppercase and lowercase letters, and numbers, but composition rules alone are not enough: people satisfy them in the same predictable way (a capitalized word with a digit and a symbol tacked on the end), which is exactly the pattern password-cracking tools try first. Set a sensible minimum length and allow long passphrases, screen new passwords against lists of common and previously breached passwords, forbid reusing personal passwords for work accounts, and back the password with a second factor on email and remote access wherever one is available.
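    Composition rules on their own accept exactly the predictable passwords a cracking wordlist generates first. The checker below is an added example, not part of the original article, of what a registration or password-reset form can enforce instead: a length floor, a denylist standing in for a breached-password corpus (the short set here is constructed), rejection of the capitalized-word-plus-digits-plus-symbol shape and of keyboard sequences, and a character-class requirement that is waived for long passphrases.

```python
import re

# Constructed denylist standing in for a breached-password corpus such as a local
# copy of a "most common passwords" list; a real list has millions of entries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "ninja", "summer"}

# The shape years of complexity prompts have trained people to produce:
# one capitalised word, a few digits, an optional trailing symbol.
PREDICTABLE_SHAPE = re.compile(r"^[A-Z][a-z]+[0-9]{1,4}[!@#$%^&*.?]?$")
TRAILING_FILLER = re.compile(r"[0-9!@#$%^&*.?]+$")
KEYBOARD_RUNS = ("0123", "1234", "2345", "3456", "4567", "5678", "6789", "abcd", "qwer", "asdf")


def check_password(candidate: str, min_length: int = 14, passphrase_length: int = 20) -> list:
    """Return the policy violations for a candidate; an empty list means accepted."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")

    # Normalise the way a cracking rule set would: drop trailing digits/symbols, lowercase.
    core = TRAILING_FILLER.sub("", candidate).lower()
    if core in COMMON_PASSWORDS or candidate.lower() in COMMON_PASSWORDS:
        problems.append("based on a common or breached password")

    if PREDICTABLE_SHAPE.match(candidate):
        problems.append("predictable shape: capitalised word, digits, symbol")
    if re.search(r"(.)\1{3,}", candidate):
        problems.append("run of four or more identical characters")
    if any(run in candidate.lower() for run in KEYBOARD_RUNS):
        problems.append("keyboard or numeric sequence")

    # Mixed character classes still help a short password; a long passphrase
    # gets its strength from length and is exempt from the class rule.
    classes = sum(bool(re.search(p, candidate))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if len(candidate) < passphrase_length and classes < 3:
        problems.append("fewer than three character classes")
    return problems


if __name__ == "__main__":
    for pw in ("Ninja1!", "Summer2016!", "Tr0ub4dor&3", "correct horse battery staple"):
        verdict = check_password(pw) or ["accepted"]
        print(f"{pw!r}: {'; '.join(verdict)}")
```

    Note what the ordering buys you: "Ninja1!" satisfies every composition rule the article lists and is still rejected three times over, while a four-word passphrase with no digits or capitals passes because its length, not its character mix, is what costs an attacker time.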

    Data

    Whether or not you allow your employees to conduct work on their own device, such as a smartphone or tablet, it is important to have a bring your own device (BYOD) policy. If your employees aren’t aware of your stance on BYOD, some are sure to assume they can conduct work related tasks on their personal laptop or tablet. So have a BYOD policy and put it in the employee handbook. In addition to this, make sure to explain that data on any workstation is business property. That means employees aren’t allowed to remove or copy it without your authorization.

    We hope these four policies have shed some light on best security practices. If you’d like more tips or are interested in a security audit of your business, do get in touch.

    Published with consideration from TechAdvisory. SOURCE