Nearly 1 Million Windows Computers Have Serious Vulnerability

If any of your business’s computers are running older versions of Windows, you need to make sure they receive a patch that fixes a vulnerability known as BlueKeep. Discover what Windows versions have this dangerous vulnerability and where you can find the patches.

Nearly 1 million computers have this security hole, according to one report. To make matters worse, the proof-of-concept code demonstrating how the vulnerability can be exploited was partially released.

The vulnerability is found in Windows 7, Windows Vista, Windows XP, Windows Server 2008, and Windows Server 2003. It lies in the pre-authentication system used for Remote Desktop Services (formerly known as Terminal Services). This security hole is so serious that Microsoft has even released patches for Windows Vista, Windows XP, and Windows Server 2003, which have reached the end of their lifecycles and therefore are no longer officially supported.

Why the Vulnerability Is So Serious

BlueKeep has been rated as a critical vulnerability. One reason for this rating is that it’s “wormable”. This means that “any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017,” said Simon Pope, the director of incident response at the Microsoft Security Response Center, in a TechNet blog.

Pope reiterated this concern in a subsequent blog, adding that it only takes one vulnerable computer connected to the Internet to provide a gateway into a company’s network. Once inside, malware could spread from the initially compromised machine to other computers, even those that are not online. “This scenario could be even worse for those who have not kept their internal systems updated with the latest fixes, as any future malware may also attempt further exploitation of vulnerabilities that have already been fixed,” said Pope.

What to Do

No matter what versions of Windows your business is running, you should disable Remote Desktop Services if it is not being used. This is true even for Windows 10, Windows 8, Windows Server 2019, Windows Server 2016, and Windows Server 2012 machines — which do not have the BlueKeep vulnerability. Disabling this service will reduce your business’s attack surface.

Windows 7, Windows Vista, Windows XP, Windows Server 2008, and Windows Server 2003 machines need to be patched, even if you disable Remote Desktop Services on them. Here is the information you need to know:

Let us know if you need assistance in checking for or installing the patches to fix the BlueKeep vulnerability.

7 Ways Businesses Can Use Office 365 More Securely

Microsoft Office 365 has become a popular target for hackers. Here are seven measures your company can take to keep them at bay if you are using this cloud service.

Microsoft Office 365 has grown in popularity, which has made it a prime target for hackers. Threats in Office 365 have grown by 63% in the last two years, according to McAfee’s 2019 Cloud Adoption and Risk Report.

Companies subscribing to Office 365 Business and Microsoft 365 Business plans can take measures to use the cloud service more securely. Here are seven measures you might consider taking if your company is using Office 365:

  1. Use Two-Step Verification

More than 7.8 billion online accounts have been compromised through data breaches. These compromised passwords pose a significant threat, especially given the common practice of reusing passwords. A Virginia Tech study of 28.8 million online account holders over an eight-year period found that more than half of those individuals reused passwords or used slightly modified versions of them. Cybercriminals are aware that people reuse passwords, so they often try compromised credentials on multiple accounts using automated attacks.

Therefore, requiring employees to use unique, strong passwords for their Office 365 accounts might not be enough to protect those accounts. Requiring employees to use two-step verification is a much better strategy. With two-step verification, employees need to provide two pieces of information — such as a password and a security code — to log in. That way, even if the password has been compromised, a cybercriminal won’t be able to use it to hack the account. The US Cybersecurity and Infrastructure Security Agencynotes that this is the best mitigation technique to protect against credential theft for Office 365 users.

  1. Use Administrator Accounts Only for Their Intended Purpose

Office 365 administrator accounts should only be used for their intended purpose — managing Office 365, according to a Microsoft report. Employees with administrative access should use separate user accounts for their other job duties. Two-step verification should be set up for the administrator accounts.

Microsoft’s Security Team, which is responsible for securing the company’s internal infrastructure, has a few other recommendations for protecting administrator accounts, including:

  • Using a separate device for administrative operations. Besides setting the device’s security controls at high levels, it is a good idea to not allow administrative tasks to be executed remotely.
  • Creating administer accounts in a separate namespace or forest that cannot access the Internet.
  • Providing non-persistent access by giving no rights to administrator accounts. When privileges are needed, they should be given for only a specific amount of time.
  1. Change the Macro Settings

A macro is a series of commands grouped together. Some Office 365 apps (e.g., Word, Excel, PowerPoint) provide macro functionality so that people can use them to automate routine tasks. However, cybercriminals sometimes use macros to spread malware.

By default, macros are automatically disabled in Office 365 applications. However, users are notified when macros have been disabled and are given the option to enable them. To tighten security, businesses can change the setting so that macros are automatically disabled without any notification. When this setting is chosen, users will not get the security notification or the option to enable them. Alternatively, companies that use digitally signed macros can select the option that disables all macros except those that are digitally signed.

  1. Make Sure Mailbox Auditing Is Enabled

Office 365 mailbox auditing tracks and records various actions performed by mailbox users, administrators, and delegates. For example, it documents when messages are deleted or moved to different folders. The information in the mailbox audit log is useful for investigating security issues and troubleshooting other types of problems.

Starting in January 2019, Microsoft enabled mailbox auditing by default. Prior to that date, companies had to manually enable it for user mailboxes. For this reason, it is a good idea for businesses to make sure it is currently enabled, especially if they have been using Office 365 before January 2019. When doing so, they can also learn what actions are being auditing and customize the audited actions if desired. Similarly, they can customize the length of time records are kept in the mailbox audit log. By default, records are deleted after 90 days.

  1. Disable or Limit Support for Legacy Email Protocols

Businesses sometimes use legacy email protocols (e.g., IMAP, POP) to provide email services to users with older email clients that do not support modern methods of authentication (e.g., two-step verification). In some circumstances, cybercriminals are able to exploit support for legacy email protocols to bypass two-step verification and hack email accounts.

For example, during a six-month study of major cloud-service tenants, Proofpoint security researchers discovered that hackers were using IMAP to hack Office 365 and Google G Suite accounts. They analyzed more than 100,000 unauthorized logins across millions of cloud user accounts and found that about 60% of Microsoft Office 365 and G Suite tenants were targeted with IMAP-based attacks, with a quarter of the attacks resulting in successful account breaches. These attacks went unnoticed because they were designed to avoid account lockouts and look like isolated failed logins, according to the researchers.

Because such attacks are common and hard to spot, the Cybersecurity and Infrastructure Security Agencyrecommends that companies using Office 365 disable support for IMAP and other legacy email protocols. If certain employees have older email clients that need this support, businesses should limit the use of legacy email protocols to just those users.

  1. Block Risky Email Attachments

Cybercriminals like to attach malicious files to emails. Opening the attachments starts a chain of events that can lead to the computer being infected with malware or compromised in some other way.

Word (.doc and .dot) and executable (.exe) files are most often used as malicious attachments, according to Symantec’s 2019 Internet Security Threat Report. Table1 shows other file types that are commonly used.

Table 1. Types of Files Commonly Used as Malicious Email Attachments*


Office 365 provides companies with the ability to block email attachments of certain file types. For example, businesses might want to block emails that contain an attached executable file.

Although Word and Excel files are often used to spread malware, companies do not necessarily have to block emails with those types of attachments. The attack vector in Word and Excel files is often a malicious macro. Changing Word’s and Excel’s macro settings so that macros are automatically disabled without any notification can mitigate much of the risk.

  1. Block the Automatic Forwarding of Emails to External Addresses

Cybercriminals who gain access to an employee’s mailbox can configure it to automatically forward the person’s email messages to an external email account. By design, the auto-forwarding process operates silently in the background, so the employee won’t know it is occurring.

Hackers typically auto-forward employees’ emails to steal sensitive data or get the information they need to launch other types of attacks (e.g., Business Email Compromise attacks). To prevent this data theft, companies can configure Office 365 to block any emails being automatically forwarded to external email addresses.

Help Is Here

If you need help in implementing the seven security measures discussed, contact us at 800-421-7151. We can also provide additional recommendations on how to securely use Office 365.

5 Ways the May 2019 Update Can Make You More Efficient When Working with Windows 10

Microsoft has released the Windows 10 May 2019 Update. Here are five enhancements in this latest feature update that can improve your productivity.

On May 21, 2019, Microsoft released the Windows 10 May 2019 Update (version 1903). Learning from past mistakes, Microsoft did not rush to get the update out the door. Instead, it kept the update in the preview stage for a longer time in an effort to discover and fix all the major installation kinks.

To distribute the May 2019 Update, Microsoft is using a phased rollout through the automatic update feature in Windows Update. As a result, it might be several months before it reaches your computer. If you do not want to wait, you can manually initiate the installation process.

Since the May 2019 Update is a feature update, it includes many enhancements to Windows 10’s functionality. Here are five of them that can make you more productive:

  1. Update When It Is Convenient for You

Feature updates take a while to install, which can be a problem if you are busy much of the time. The May 2019 Update includes enhancements that give you more control over the Windows update process. For starters, all Windows 10 users will be able to pause feature updates for up to 35 days. Previously, only users of the Windows 10 Pro and Enterprise editions had this capability. Plus, when you click the “Check for updates” button in the Windows Update page of the Settings app, feature updates will no longer automatically install. You will have the option to download and install them immediately or schedule a time.

The May 2019 Update also enhances the Active Hours feature in Windows Update. You use this feature to let Windows Update know when you typically use your computer. That way, it won’t install updates or perform reboots during that time. The active hours are set from 8 am to 5 pm by default, but you can manually change them. After the May 2019 Update is installed, you will have another option: let Windows Update automatically adjust your active hours based on your machine-usage patterns.

  1. Search Without Cortana Bugging You

In the May 2019 Update, Cortana and Windows Search are going their separate ways. The task bar now has a Cortana button for voice queries and a search box for text searches rather than an all-in-one box.

The separation involves more than just a cosmetic change, though. Cortana and Windows Search are now distinct functions under the skin. As a result, Windows Search behaves more like its old self, before Cortana was introduced. The separation also means the settings to manage Windows Search’s permissions and history have moved. You can find them in the “Search Windows ” section of the Settings app.

  1. Automatically Turn On Focus Assist for All Apps Running in Full-Screen Mode

In Windows 10, a box periodically pops up letting you know that an email, text, or another type of message has arrived. These notifications can disrupt your concentration and even stop you from working since they cover the lower right corner of your screen. Focus Assist lets you block these notifications so that you can work more efficiently.

Up until now, you could either manually enable Focus Assist or configure it to run automatically:

  • During a certain time period each day
  • When you are duplicating your display (e.g., mirroring your computer screen for a business presentation)
  • When you are playing a game that uses DirectX technology in full-screen mode
  • When you are at home

The May 2019 update adds another option to that list. You can now configure Focus Assist to turn on when you run any app in full-screen mode.

  1. Remove More Unwanted Preinstalled Apps with Just Two Clicks

Like most operating system software, Windows 10 comes with apps that either Microsoft or the computer manufacturer preinstalls. Removing the built-in programs you do not want will clear up space on your computer, which can help boost your computer’s performance. When your machine works faster, so do you.

Windows 10 has always let you uninstall a few of the built-in apps from the Start menu by right-clicking the unwanted program and then clicking “Uninstall”. Thanks to the May 2019 Update, you can uninstall even more of the preloaded programs in this manner, including 3D Viewer, Calculator, Calendar, Groove Music, Mail, Movies & TV, Paint 3D, Snip & Sketch, Sticky Notes, and Voice Recorder.

  1. Insert Symbols Quickly

Including symbols such as dashes (—) and plus-minus signs (±) is common when writing emails, reports, and other business documents. However, getting those symbols into documents can be time-consuming because you need to open and click through several windows to find and insert them.

The May 2019 Update adds a quick way to access symbols. You just press the Windows and period keys (Win+.) on your keyboard at the same time and select the “Symbols” tab. You will also find “Emoji” and “Kaomoji” tabs, which let you insert emoticons.

1 Out of Every 101 Emails Is Sent by a Hacker

Does your business receive hundreds of emails each day? If so, there is a good chance some of them have been sent by hackers. Find out how to protect your business from malicious emails.

Most businesses receive hundreds of emails each day — and there is a good chance some of them have been sent by hackers. After analyzing more than 500 million emails sent in 6 months, FireEye researchers found that 1 out of every 101 emails sent is malicious. Spam is not included in this count. It includes only those emails sent by cybercriminals with the express purpose of pilfering money, stealing data, or compromising systems.

The vast majority (90%) of the malicious emails do not contain any malware, but they are far from being benign. They can be just as dangerous as those containing malware.

Hackers Are Using Both Old and New Tricks in Malware-Less Emails

Not surprisingly, around 80% of the malware-less emails were phishing attacks. In this type of attack, cybercriminals try to trick recipients into performing an action, such as clicking a link that leads to a malicious website. Phishing emails are generic so that they can be sent to a large number of targets, which is why the researchers found so many of them.

The remaining 20% of the malware-less emails were impersonation scams. These highly personalized emails try to con recipients into transferring money or revealing sensitive information. Cybercriminals spend a lot of time researching their targets in order to create legitimate-looking emails. Because these emails appear to be normal traffic, it is harder for email security solutions to detect them.

One of the cybercriminals’ favorite type of impersonation email is the business email compromise (BEC) scam. In this type of attack, cybercriminals masquerade as executives, supplier representatives, and other business professionals to con companies out of money. In 2017, hackers stole more than $675 millionfrom US businesses using BEC scams.

While the researchers found that hackers were still using old favorites like the BEC scam, they also discovered a new type of impersonation scam: impersonation emails that led to phishing sites, where login credentials were harvested or malware was uploaded to victims’ computers. By including phishing links, hackers can send out vaguer emails to a larger number of targets. Because these emails still include some personalization, the recipients are more likely to think the emails are from trusted sources and click the link compared to generic phishing attacks. As a result, the email open rate for this new type of impersonation email is similar to that for highly personalized impersonation emails, according to the researchers.

Common Ways in Which Hackers Try to Deceive Recipients

In both the new and old types of impersonation emails, the cybercriminals typically manipulate the entry in the “From” field to trick recipients into believing the messages are from legitimate senders. The techniques include:

  • Spoofing the display name of an email address (e.g., Jane Doe)
  • Spoofing the username (the portion before the @ sign) of an email address (e.g., JaneDoe@)
  • Creating and using a domain (the portion after the @ sign) that is similar to a legitimate one (e.g., @paypa1.com, @secure-paypal.com)

How to Protect Your Business from Malicious Emails

To protect your business from impersonation and phishing attacks as well as emails containing malware, you can use the stop, educate, and mitigate strategy:

Stop as many malicious emails as you can from reaching employees. To do so, you need to keep your company’s email filtering and anti-malware tools up-to-date. They can capture many phishing and malware-laden emails. You might even want to explore getting an email security solution that uses advanced technologies to catch malicious emails. In addition, make sure that employees’ email addresses and other potentially sensitive information (e.g., job titles) are not publicly available.

Educate employees so they can spot any malicious emails that reach their inboxes. While email filters often snag phishing attacks, they are not as good at stopping impersonation emails. Plus, most anti-malware software is only effective against known malware strains. Thus, it is important to educate employees about the types of malicious emails they might encounter and how to spot them (e.g., check for spoofed names in an email’s “From” field). As part of this training, be sure to inform them about the risks associated with clicking email links and opening email attachments. Plus, let them know how hackers find the information they need to personalize impersonation emails (e.g., social engineering).

Mitigate the effects of successful email attacks.Cybercriminals keep coming up with new ways to pilfer money, steal data, and compromise systems using email, so your company might fall victim to an attack despite everyone’s best efforts to prevent it. Taking a few preemptive measures might help mitigate the effects of a successful email attack. For example, since obtaining login credentials is the goal of many phishing emails, you should make sure each business account has a unique, strong password. That way, if a phishing scam provides hackers with the password for one account, they won’t be able to access any other accounts with it. Equally important, you need to perform backups regularly and make sure they can be restored. This will enable you to get your data back if an employee inadvertently initiates a ransomware attack by clicking a link in an impersonation email.

The Individual Steps

The individual steps for implementing the stop, educate, and mitigate strategy will vary depending on your business’s needs. We can help you develop and implement a comprehensive plan to defend against malicious emails; give us a call at 800-421-7151 to learn more!

How to Make Text Easier to Read in a Windows 10 Display

Not being able to read text because it is too small is a common problem on Windows 10 computer screens, especially on laptops that have small, high-resolution displays. Learn two ways to quickly solve this problem.

If the text in your Windows 10 computer screen is too small to easily read, you are not alone. It is a common problem in computers that have small, high-resolution displays. Even a person with perfect eyesight will likely have trouble reading the text on a laptop that has a 15-inch 4K display because it is so small.

Fortunately, you now have two ways in which to make text larger and easier to read if the October 2018 Update has been installed on your Windows 10 computer. You can change just the size of the text, or you can change the overall scaling.

How to Change Just the Text Size

The Windows 10 October 2018 Update provides the new “Make text bigger” slider. You can use it to enlarge just the text in Windows 10 systems (e.g., Start menu) and apps. The overall scaling remains the same.

To use the “Make text bigger” slider, follow these steps:

  1. Open the Start menu by clicking the Windows button.
  2. Click the gear icon in the lower left corner of the Start menu to launch the Settings app.
  3. Select “Ease of Access”.
  4. Choose “Display” in the menu on the left.
  5. Move the “Make text bigger” slider until the sample text is easy to read.
  6. Click the “Apply” button.
  7. Close the Settings app.

This feature might not make the text larger in third-party apps. If that is the case, you can check to see if the third-party app has its own option for changing the text size.

How to Change the Overall Scaling

After the October 2018 Update is installed, you still have the ability to change the overall scaling, like you have been able to do in the past. For example, you can change the scaling from 100% to 125%. When you do, all the elements in the display (e.g., text, images) will be larger.

You use the “Make everything bigger” option to change the overall scaling. Follow these steps:

  1. Open the Start menu by clicking the Windows button.
  2. Click the gear icon in the lower left corner of the Start menu to launch the Settings app.
  3. Select “Ease of Access”.
  4. Choose “Display” in the menu on the left.
  5. Select the desired scaling percentage from the “Make everything bigger” drop-down list.

Close the Settings app.

SaaS, IaaS, and PaaS: What’s the Difference?

You have probably seen the acronyms SaaS, IaaS, and PaaS before, but do you know what they mean? Discover what these acronyms represent and, more important, the differences between them.

The IT industry is embracing the shift from ownership-based business models to service-based ones. Vendors are increasingly offering their hardware, software, and other IT products as cloud services rather than selling the products themselves. This is good news for small and midsized businesses, as it typically makes the hardware, software, and other IT components more affordable.

There are three main types of cloud services. They are better known by their acronyms — SaaS, IaaS, and PaaS — than their names. Here are the differences between these three types of cloud services and what the acronyms represent.

SaaS

SaaS stands for Software as a Service. It is probably the most recognized type of cloud service, thanks to such well-known offerings as Microsoft Office 365, Google G Suite, and Salesforce. SaaS is popular because all that the service subscribers need to do is open the software in a web browser or client program and start using it. They do not have to manage or maintain the application. Nor do they have to provide, manage, or maintain any of the hardware, networking equipment, or systems needed to run the application.

SaaS is popular for another reason as well. Many free SaaS offerings are available, such as Gmail, Dropbox, and Slack. These offerings help small and midsized companies save money.

The clouds services don’t have to be free to be helpful, though. SaaS subspecialties that alleviate companies’ pain points have been popping up. For example, instead of having to perform and store daily backups, companies can now turn to Backup as a Service (BaaS) providers. A BaaS firm will automatically back up business’s data and store the backup files at its facility. After the service is set up, the business does not need to manage any part of the backup process.

IaaS

Some companies prefer to own and control their own software environment but not the underlying components needed to run it. IaaS, or Infrastructure as a Service, is designed for situations like this.

IaaS customers are responsible for providing, managing, and maintaining the applications, operating system software, and middleware (e.g., software that integrates two separate applications or systems, allowing them to work together). The IaaS providers are responsible for providing, managing, and maintaining the servers, virtual machines, networking equipment, and storage components. Amazon Elastic Compute Cloud (Amazon EC2), Google Compute Engine, and Rackspace are a few of the firms that offer IaaS.

PaaS

There is a common misperception when it comes to PaaS, or Platform as a Service. Some people think that PaaS is only for companies that want to build and test new applications. While PaaS is well-suited for developing applications, businesses can also use PaaS to run existing ones. For instance, companies can move their on-premises database operations to a PaaS provider’s database platform.

With PaaS, companies are only responsible for managing their applications and any data those applications use. The PaaS firm provides, manages, and maintains everything else, including operating system software, middleware, servers, virtual machines, networking equipment, and storage components. PaaS solutions include Microsoft Azure, Oracle Cloud Platform, and Amazon Web Services (AWS) Elastic Beanstalk.

A Cost-Effective, Scalable Alternative

Despite their differences, the SaaS, IaaS, and PaaS business models have one thing in common: They offer companies a cost-effective, scalable alternative to owning, managing, and maintaining a room full of hardware and other equipment. If you would like more information on how about SaaS, IaaS, or PaaS might benefit your business, shoot us an email at info@wamsinc.com.

Watch Out for This Direct Deposit Scam

Cybercriminals are trying to scam businesses into depositing employee paychecks into their bank accounts. Learn about the variations of the scam and what you can do so that your business does not become the next victim.

Most companies use direct deposit to pay their employees. In the United States, for example, more than 80% of workers have their paychecks deposited directly into their personal bank accounts. This is providing many opportunities for cybercriminals to perpetuate their latest scam — trying to get businesses to deposit employee paychecks into their accounts.

Variations of the Scam

Different variations of the direct deposit scam have been surfacing. Most recently, cybercriminals have been posing as employees.

In some instances, the digital con artists use a multi-stage attack. First, they send an email to a member of a company’s HR department asking how to change the direct deposit information for their paychecks. After the HR staff member responds and explains how to make the change, the cybercriminals wait a short while and send a second email. In it, they tell the HR staff member that they tried to make the change as instructed, but it did not work. They then ask the person to make the change for them and include the new bank routing number and account number in the email.

In other instances, the cybercriminals take a more direct approach by sending a message such as:

“I need to change my direct deposit info on file before the next payroll is processed. Can you get it done for me on your end?”

If the HR rep takes the bait and agrees to make the change, the cybercriminals provide the person with the new bank routing and account numbers.

In earlier versions of the scam, the cybercriminals posed as HR staff members rather than employees. The cybercriminals sent emails to employees, instructing them to click a link. The link took the employees to a spoofed (i.e., fake) HR website, where they were asked to enter their login credentials to confirm their identity. The hackers then captured the credentials and used them to access the real HR site and change the employees’ direct deposit information.

The Same Tool

In all the versions of the direct deposit scam, the cybercriminals used the same tool to execute their attacks: spear phishing emails. These emails are similar to traditional phishing emails in that they use a convincing pretense to con recipients into performing an action. However, spear phishing emails take the scam up a notch. Cybercriminals take the time to perform reconnaissance so that they can personalize the email. When it comes to spear phishing, the more personalized the email, the less likely the target will become suspicious and question its legitimacy.

Despite being personalized, spear phishing emails often have one or more of the following common elements:

  • A request to update or verify information. Spear phishing emails often ask the recipients to update or verify account information. For example, as the direct deposit scam demonstrates, the recipients might be asked to change information in financial accounts. Or, they might be asked to log in to a spoofed web page to verify account information, allowing the hackers to steal their login credentials.
  • A deceptive URL. A deceptive URL is one in which the actual URL does not match the displayed linked text or web address. Deceptive links often lead to spoofed websites, where cybercriminals try to steal sensitive information or install malware.
  • An attachment. Hackers sometimes attach files that contain malicious code. Opening these attachments can lead to a malware infection.
  • A spoofed name in the “From” field. To trick the email recipient into thinking the message is from a trusted contact, digital con artists often spoof the name that appears in the “From” field so that it shows the contact’s name.

Don’t Let Your Employees Get Scammed

Some spear phishing email recipients fell victim to the direct deposit scam, but your employees do not have to share the same fate. Educating employees about spear phishing emails and the elements commonly found in them can help staff members spot these types of scams. Employees should also learn how to check for deceptive URLs and spoofed names in an email’s “From” field.

There are other measures you can take as well. You should make sure that employees’ names, email addresses, and job positions are not publicly available. Similarly, you should warn employees of the dangers of posting details about their jobs on social media sites. Limiting the amount of publicly available information will make it harder for cybercriminals to find the details they need to personalize the emails.

It is also important to keep the company’s security and email filtering programs up-to-date. These programs can catch many spear-phishing emails but not all. The more personalized and polished an email is, the less likely it will be caught by these programs.

More advanced solutions designed to catch spear phishing and other types of malicious emails are available. Give us a call at 800-421-7151. We can help you determine the best option for your business.

Don’t Let Your Phone Stalk You

Stalkerware is legal but often considered unethical. Find out what stalkerware is and how it can get on your smartphone.

The idea of someone tracking your whereabouts and eavesdropping on your conversations can be unsettling. Yet, more than 58,000 Google Android users had this happen to them. That’s because these individuals had stalkerware installed on their smartphones.

Stalkerware is not limited to Android phones. It can be installed on smartphones of virtually any make or model. (It can even be installed on other computing devices such as tablets and laptops.) To protect against this threat, you need to know what stalkerware is and how it can get on your phone.

Stalkerware 101

Stalkerware is commercial spyware offered by companies, not cybercriminals. Usually marketed as a solution to track employees or monitor children, it is set up like a Software as a Service (SaaS) offering. Customers pay a monthly fee to access data collected by a client app they installed on the phones they want to stalk. Although legal in many countries, stalkerware is increasingly being considered unethical because of the types of information it collects and how the data is gathered.

If a stalkerware app is installed on your phone, it will collect information on pretty much everything you do. For example, besides tracking the places you visit in both the physical and digital realms, it will log your calls, stockpile the photos you take, and amass the emails and text messages you send and receive.

All this information is sent to and stored on the stalkerware company’s servers. The customer (aka stalker) will have access to it as long as they continue to pay for the service. It typically costs between $16 and $68 per month, according to one report.

While some stalkerware apps will display a visible marker on the phone’s screen to let people know they are being watched, most operate in stealth mode. Several apps even go to great lengths to avoid detection, such as masking themselves as a system service in a phone’s installed applications list. Thanks to tactics like these, stalkerware victims are often unaware they are being tracked.

How Stalkerware Gets on Phones

Although stalkerware is legal, official app stores like Google Play and the App Store typically ban it. (Parental control software and programs designed to find lost phones are not considered stalkerware, which is why you will find them in app stores.) However, an Internet search will quickly reveal websites of companies that offer stalkerware.

The main method in which stalkerware apps get on phones is manual installation, according to security experts. The installation process is pretty straightforward — stalkers do not need to be techies to get the apps working. A few companies will even deliver phones with their stalkerware apps preinstalled to customers who are technically challenged.

The Dangers

Few people will contest that the kind of information gathered by stalkerware can be dangerous. Case studies have shown that it can lead to stalkers harassing, blackmailing, and even physically abusing their victims.

There are also other dangers that aren’t as obvious. Outsiders might see the captured data one of several ways:

  • Since the data gets stored on the stalkerware company’s servers, staff members might access and look at the data.
  • The data might get inadvertently leaked to the world at large. For example, millions of records collected by the mSpy stalkerware app were leaked because the company failed to properly protect its database. The leaked records included call logs, text messages, contacts, and location data.
  • Hackers might breach the data. For instance, Retina-X Studios was breached twice by the same hacker. The hacker accessed and exposed the photos collected by two of its stalkerware apps.

Help Is on the Way

Efforts to crack down on the stalkerware industry are being led by the Electronic Frontier Foundation (EFF). One action the EFF is advocating is for security software companies to treat stalkerware as a serious threat. Often, that’s not the case. A 2018 study found that most security programs do a poor job of detecting and flagging stalkerware as a dangerous app.

Partnering with EFF, Kaspersky Lab has taken the first step toward cracking down on stalkerware. Previously, its Internet Security for Android software flagged stalkerware apps as suspicious but then displayed a “not a virus” message, which was confusing for users. Now there is no question about the dangers. The software displays a large “Privacy alert” message for any blacklisted stalkerware apps it finds installed on phones. After explaining what the app can do (e.g., eavesdrop on calls, read text messages), the security software gives users the option to delete or quarantine the program. Alternatively, users can decide to leave the app on their devices.

How to Protect Yourself in the Meantime

The EFF hopes that other security software companies will follow in Kaspersky Lab’s footsteps. In the meantime, the best way to protect yourself from stalkerware is to prevent its installation on your phone. Since manual installation is the primary way it gets on devices, there is a simple but effective preemptive measure: Lock your phone when you are not using it.

Smartphones usually provide more than one authentication method to unlock them, so you can use the method with which you feel most comfortable. For example, you might want to use a password or biometric authentication (e.g., iPhone’s Face ID). If you use a password, be sure it is strong and unique — and do not share it with anyone.

If you suspect your phone already has stalkerware on it but your security software does not specifically flag this type of program as a threat, you can check the phone’s activity monitor for suspicious processes.

All It Took Was 52 Seconds for Hackers to Attack a Poorly Secured Server

Researchers set up honeypots to learn how cybercriminals find and attack poorly protected Secure Shell (SSH)-enabled servers. Learn what the researchers found so you can protect your devices.

Companies often enable Secure Shell (SSH) in servers, network attached storage (NAS), and other devices so that users can remotely access them. Security experts highly recommend using public-key authentication with SSH-enabled devices. However, some businesses still use password-based authentication, which leaves these devices vulnerable, particularly if questionable credentials are used.

To see just how vulnerable, Sophos security researchers set up 10 decoy SSH-enabled servers (aka honeypots) to use password-based authentication. The honeypots were set up in Amazon Web Services (AWS) data centers around the world, including California, Ohio, and Sao Paulo, Brazil.

It took cybercriminals only 52 seconds to find and attack the honeypot in Sao Paulo. Hackers did not waste any time attacking the other honeypots either. It took them less than 5 minutes to find the one in Ohio and less than 15 minutes to find the decoy in California. Overall, cybercriminals made 5.4 million attempts to log in to the 10 honeypots over a 30-day period. On average, each server was attacked 757 times every hour.

What the Researchers Learned

The speed in which the honeypots were found and the sheer number of login attempts confirmed the general assumption that hackers take advantage of automated tools to carry out SSH attacks. First, they run scripts to locate servers connected to the Internet. Then, they try to access those machines by using brute-force credential-cracking tools, which systematically try username and password combinations.

The honeypots recorded the usernames and passwords tried in the login attempts. After combining the login details from all 10 honeypots, the researchers found that “root” and “admin” topped the list of most-tried usernames. This didn’t surprise the researchers because they are the default usernames for many different types of devices. For example, most Linux devices ship with the default username of “root”, while Seagate, Verbatim, and Lacie NAS devices ship with the default username of “admin”.

Similarly, default passwords were frequently used in the brute-force attacks. For instance, hackers often tried “password” (the default password of Digicom routers and Lacie NAS devices) and “ubnt” (the default password of Ubiquiti Networks devices). Many weak passwords were also tried, including those based on keyboard patterns like “1q2w3e4r”.

The bottom line is that cybercriminals know some businesses use password-based authentication with SSH devices. They also know it’s not uncommon for people to leave the default credentials or change the default password to a weak one. So, hackers use automated tools to continuously scan the Internet for SSH-enabled devices and then attempt to access them with brute-force attacks.

What Happens after the Credentials Are Cracked

Besides wanting to learn how vulnerable SSH-enabled devices are when password-based authentication is used, the researchers wanted to know what happens after a cybercriminal compromises a device. To find out, the researchers allowed the honeypot hackers to log in if they used one of the credentials in a designated set of usernames and passwords. Once the cybercriminals gained access, the honeypot stored the commands they attempted to use.

The researchers found that hackers often used the compromised honeypot to launch attacks on other devices. The cybercriminals first made sure the compromised device had a valid Internet connection. If so, they used it to connect to another device. They then exploited the device, using the honeypot as a proxy.

Secure Your SSH-Enabled Devices So They Don’t Suffer the Same Fate

Using scripts and brute-force credential-cracking tools, hackers are able to easily find and compromise SSH-enabled devices. That’s why it is best to use public-key authentication rather than password-based authentication.

If that is not possible, it is crucial that you change the default username and password when you are setting up the device. The password should be strong, and the username should not be easily guessable. Plus, if your device supports it, it is a good idea to limit the number of login attempts. For example, on Linux servers, you can install and use the Fail2Ban software for this purpose.

To find out additional ways to protect your business’s SSH-enabled devices, contact us at 800-421-7151.

5 Things to Consider When Choosing a Password Manager for Your Business

Using a password manager is an effective way to ensure that employees use unique, strong passwords for online accounts. Here are five questions to answer so that you can find the best password manager for your business.

Having employees use unique, strong passwords for online accounts is a crucial component in companies’ security strategies. However, creating and memorizing numerous strong passwords can be challenging. This often leads to employees using weak passwords, reusing the same password for multiple accounts, and writing down passwords. Thus, many security experts recommend that businesses use password managers.

With a password manager, employees only need to create and remember one strong password — the master password — which is used to open the tool. Once opened, employees simply select the account they want to access. The password manager will then retrieve the account’s credentials from a repository, which is often called a vault. All credentials in the vault are encrypted.

Because of its benefits, the decision to use a password manager is a no-brainer for many businesses. However, the same can’t be said for deciding which one to use, as there are many business-grade password managers on the market. Answering the following five questions can help you determine which password manager will be the best fit for your company.

  1. Where Do You Want the Passwords Stored?

Some password managers store passwords in the cloud, whereas others store them on the local computer’s hard drive. If your employees use multiple devices at work, having a cloud-based vault might be preferable. They will be able to access their login credentials from any computer or mobile device that has an Internet connection. Plus, employees won’t lose all their passwords if they misplace their mobile device or it is stolen.

While convenient, some people are uncomfortable with storing passwords in the cloud because they have to rely on someone else to keep their employees’ passwords safe. Data breaches do occur. For example, OneLogin’s databases were hacked in 2017 and LastPass was attacked in 2015. If you are uncomfortable with cloud-based vaults, you can use a password manager that stores the vault on the local computer’s hard drive.

No matter where you want employees’ passwords to be stored, you need to make sure a strong encryption standard is being used to encrypt them. Ideally, the password manager should use the 256-bit Advanced Encryption Standard (AES).

  1. Is the Password Manager User Friendly?

The password manager you choose needs to be easy for employees to use. Otherwise, they will avoid it and go back to their old habits of creating weak passwords, reusing them, and writing them down.

Besides having an intuitive interface that doesn’t take hours to learn, the password manager should have a random password generator. That way, employees can quickly and effortlessly create unique, strong passwords for their accounts.

Another user-friendly feature is an automated password changer. It can automatically change employees’ old passwords to new strong ones on websites that support this capability. This can come in handy for the initial rollout of the password manager, as employees will likely have many passwords to change at that time. This feature also works well for periodic password changes.

The individuals who will be responsible for administering the password manager should also find it easy to use. For example, an administrative console that has central management capabilities can save them time and hassle.

  1. Do You Want Additional Security Measures?

Business-grade password managers offer a variety of security measures beyond password encryption. Measures that password managers might provide include:

  • Support for two-factor authentication (i.e., employees need to provide another form of verification besides their master password to access the password manager)
  • Employee-initiated password assessments (discovers any weak or reused passwords in a vault, which is particularly helpful if the vault includes passwords that were not created with a random password generator)
  • The ability to track password usage companywide and generate audit reports
  • The automatic closing of an employee’s vault when the person’s device is idle for a certain amount of time
  • A built-in VPN (adds another layer of security and privacy when using the password manager to log in to HTTP and HTTPS sites)
  • The ability to configure and deploy policies (e.g., policies that set requirements for the master password or restrict access to certain Internet sites)

The security measures offered by different password managers will vary, so make sure that the password manager you are considering has the ones you want.

  1. Does Your Company Have Shared Accounts?

Do you have employees who log in to shared accounts? If so, you should look for a password manager that lets you manage shared-account passwords.

For example, suppose you have a cross-functional project team that needs access to certain online resources. You can create a group named ProjectTeam, add the team members to the group, and share the login credentials to the online resources. The login credentials will then automatically appear in the password vaults of the team members.

  1. Do You Want Any Nice-to-Have Features?

Password managers often include nice-to-have features that increase their usefulness. For example, some password managers offer features such as:

  • An account recovery feature if employees forget their master passwords
  • Support for directory services integration so that onboarding, offboarding, and other password management tasks can be automated
  • The ability to generate a portable vault using a USB key
  • A digital wallet that stores payment information (e.g., bank account or payment card numbers)
  • The ability to encrypt and store sensitive files in a vault

Once again, the features offered by different password managers will vary, so make sure that the password manager you are considering has the nice-to-have features you want.

Software Supply Chain Attacks Are on the Rise

Software supply chain attacks are becoming more widespread. Learn what they are and how they occur so you can develop a strategy to help manage the risks.

The statistic is alarming. Software supply chain attacks increased by 78% in 2018, according to Symantec’s “2019 Internet Security Threat Report“. And security experts expect the number of attacks to continue to spiral upward.

If you haven’t heard of software supply chain attacks, you are not alone. It is important that you learn about them, though. You need to understand what they are and how they occur so that you can develop a strategy to help manage the risks.

What Software Supply Chain Attacks Are

The term “software supply chain attack” is not referring to a new hacking tool or the latest class of malware. These attacks have, in fact, been around for years. Rather, the term describes a strategy that cybercriminals use to attack companies. Instead of attacking them directly, hackers compromise the third-party software used by those businesses. This is done before the software reaches the companies’ doors, so the hackers do not have to worry about hacking into the companies’ networks and being detected.

Once the compromised software arrives, the hackers use it to initiate other types of malicious activities. For example, the NotPetya malware that paralyzed companies’ networks worldwide in 2017 was initiated by a successful software supply chain attack.

How Hackers Compromise Software

So, how do cybercriminals compromise companies’ software? The main ways include:

  • Hijacking software updates or update servers. If software update files are sent through unsecured channels (e.g., Wi-Fi networks) or posted on unsecured websites, hackers can replace a legitimate update file with one that includes malware. Malicious software updates can also result from a compromised update server. That is what led to the NotPetya malware attack, according to the security experts who conducted a forensic analysis of the attack. Cybercriminals hacked the server that was used to update an accounting program named MeDoc. The hackers used the application’s auto-update functionality to push malicious updates to the software users on three separate occasions. The updates created backdoors that allowed the hackers to remotely access the compromised computers and install the NotPetya malware.
  • Injecting malicious code into legitimate applications. Cybercriminals sometimes hack into a software provider’s development infrastructure and add malicious code to an application before it is compiled and released to the public. For instance, in 2018, hackers compromised a commercial antivirus program in order to steal South Korean classified military data, according to the Computer Security Resource Center at the National Institute of Standards and Technology (NIST), which is part of the US Department of Commerce.
  • Injecting malicious code into third-party code libraries. Applications often contain code libraries, frameworks, and other components created by third parties. Software can become compromised if a hacker inserts malicious code into a third-party component and then the developers use that component in the software. For example, in April 2019, security researchers discovered that several video games had backdoors due to compromised third-party components.

Hackers are not the only ones compromising software to carry out supply chain attacks. There have been cases of insiders inserting malicious code into programs.

How to Manage the Risks

Admittedly, there is nothing you can do to stop a hacker from inserting malicious code into software when the software is not under your control. That is one reason why software supply chain attacks are becoming more popular among cybercriminals. However, you can take steps to manage the risks.

At a minimum, you should list each application used in your company and its supplier. If you are not familiar with a supplier, do some research to make sure the company is reputable and no red flags pop up.

You might also want to look at NIST’s guide for managing risks in the cyber supply chain. It provides questions to ask suppliers to determine their security risk level as well as best practices to follow to manage the risks. If time is a factor, there are companies like BitSight Technologies and Security Scorecard that will evaluate and rate your vendors based on the security of their networks. However, they charge for this service.

Finally, you should take the basic security precautions (e.g., make sure your security software is up-to-date, perform backups of data and systems) in case you fall victim to a software supply chain attack. You might also want to consider getting a security solution that uses advanced detection methods (e.g., analytics, machine learning) to identify and block attacks. We can provide more information about those solutions if you are interested.

Why You Need Both a Disaster Recovery Plan and a Business Continuity Plan

It’s not uncommon for companies to think that disaster recovery and business continuity plans are one and the same. Learn why both plans are needed.

Tornados, hurricanes, fires, floods, and other natural disasters can destroy a business. Digital disasters like ransomware attacks can be just as deadly.

Most businesses realize that they need to plan for disasters in case one strikes. Disaster recovery and business continuity plans are tools to make that happen. However, it’s not uncommon for companies to think that disaster recovery and business continuity plans are one and the same. While both are designed to help businesses deal with disasters, they are separate documents. To be fully prepared for disasters, businesses need to have both a disaster recovery plan and a business continuity plan.

The Difference between Disaster Recovery and Business Continuity

To understand what needs to go into the two types of plans, you first need to understand the difference between disaster recovery and business continuity. To do so, imagine that you are a lemonade shop owner. You loved having a lemonade stand when you were a child, so you made your passion your business. You’ve come a long way from setting up your stand next to a big maple tree so customers could enjoy their beverages in the shade. Nowadays, your customers enjoy their lemonade in a cozy shop that offers free Wi-Fi service and other hi-tech amenities.

Then, disaster strikes. The big maple tree is now in your shop and has added a new skylight to it. You also have a new waterfall feature, thanks to the water gushing out of a damaged pipe in the ceiling.

To stay in business, you will need to recover from the damage caused by the disaster (disaster recover) while continuing to provide customers with lemonade (business continuity). Disaster recovery and business continuity plans provide roadmaps for doing so.

The Disaster Recovery Plan

Disaster recovery plans discuss how to get crucial infrastructures and systems running again after various types of catastrophes. Restoring the IT infrastructure is a large part of disaster recovery in most businesses. However, there might be other types of infrastructures and systems that need to be discussed as well, depending on the nature of a business. For example, if a company’s manufacturing process relies heavily on water, the plumbing infrastructure should be addressed.

Besides identifying who should do what after a calamity occurs, the disaster recovery plan should also identify what has to be done to prepare for disasters. For instance, it should mandate that data and systems be regularly backed up and the backups be stored in several locations (including offsite ones).

The Business Continuity Plan

Business continuity plans discuss how to restore business operations in the event of a disaster. A business impact analysis can help prioritize which business operations to restore first.

Business continuity plans also need to indicate the recovery time objectives (RTOs) and recovery point objectives (RPOs) for the business operations. The RTO is the maximum tolerable length of time an operation can be down after a catastrophe, whereas RPO is the maximum acceptable amount of data loss (e.g., transactions) after a disaster, as measured in terms of time. In a perfect world, the RTO and RPO would be 0 (i.e., no downtime and no data loss). However, in reality, that is not feasible. Realistic objectives need to be set in the business continuity plan, as the disaster recovery plan needs to detail how the objectives will be met.

Understandable Assumptions

In some businesses, recovering the IT infrastructure is crucial for restoring most of their business operations. That is why some people assume that:

  • Disaster recovery plans only cover IT infrastructures
  • Disaster recovery plans and business continuity plans are one and the same

However, these two documents serve different purposes. As a result, companies should develop both disaster recovery and business continuity plans. If you need assistance with developing and implementing them, let us know.

Hackers Infiltrated Citrix Using a Password Spraying Attack

A group of hackers used a password spraying attack to compromise Citrix’s internal network. Learn what password spraying is and how to defend against it.

If you never heard of “password spraying” before, you are not alone. It is a relatively unknown term — except to cybercriminals. In fact, a group of hackers known as Iridium is extremely familiar with password spraying. It used this technique to infiltrate Citrix.

On March 6, 2019, the US Federal Bureau of Investigation (FBI) warned Citrix that an international hacking group had likely accessed the company’s internal network. Citrix found that its network had indeed been compromised. In a blog about the incident, Citrix’s chief security information officer Stan Black noted that the hackers used password spraying to gain a foothold in the network.

At this time, not much is being said about what the hackers stole, except that they might have downloaded business documents. “The specific documents that may have been accessed, however, are currently unknown,” said Black.

Password Spraying 101

So, what is password spraying? It is a different approach to cracking login credentials.

To keep hackers out, accounts are protected by login credentials, which consist of a username — usually an email address — and a password. Most cybercriminals attempt to crack credentials by trying a known email address with a plethora of possible passwords. This is often done with automated brute-force password-cracking tools.

Password spraying takes the opposite approach. Hackers assume that at least one person is using a weak password (e.g., “F00tball “), so they try to find the email address of that person. They pair weak passwords with many different accounts in many different organizations, according to Alex Simons, the director of program management in the Microsoft Identity Division. “For example, an attacker will use a commonly available toolkit like Mailsniper to enumerate all of the users in several organizations and then try “P@$$w0rd” and “Password1” against all of those accounts,” explained Simons.

How to Defend against These Types of Attacks

To defend against password spraying attacks, large organizations sometimes use real-time detection and protection systems. These systems are often out of reach for small and midsized businesses, but they are not defenseless. Password spraying attacks still rely on weak passwords being used. As a result, small and midsized businesses can protect themselves by giving employees the tools they need to create strong passwords and using multi-factor authentication.

An important line of defense for any company is having employees create strong passwords, especially if those passwords are for IT system and service accounts. Trying to memorize many strong passwords, though, can be challenging. Thus, employees might be tempted to use weak, easy-to-remember passwords or variations of the same password for multiple accounts.

To help employees avoid these temptations, businesses can take advantage of password managers. With a password manager, people can easily generate and store strong passwords. All they have to do is remember one strong password.

Another measure to take is to use two-step verification (also known as two-factor authentication) for accounts. With two-step verification, a second credential is needed to log in, such as a security code. This means that even if hackers have the credentials for an account, they would not be able to access it.

If you would like more information about password spraying attacks and how to defend against them, let us know.

How to Choose the Default Apps Windows 10 Uses for Certain Tasks

Having more than one web browser or email app on a computer is common nowadays. When more than one app can be used for a certain task, Windows decides which one to use. Discover how you can make Windows 10 use the app of your choosing.

It is common for people to have multiple apps that perform the same function on their Windows 10 computers. For instance, people might have several web browsers or email apps. Similarly, people often can open certain types of files with more than one program. For instance, they can open PDF files with a web browser such as Google Chrome or a PDF program like Adobe Acrobat.

When more than one app can be used for a certain task, Windows will decide which one to use. However, if you do not like the choice it makes, you can tell Windows the app you want to use. In other words, you can customize the app that Windows uses by default for certain functions and file types. Here is how to make these customizations in Windows 10.

Specifying Default Apps Based on Function

Changing the default app used for certain functions such as web browsing and emailing is easy. For example, in Windows 10, the Microsoft Edge web browser is opened by default when you click a link in a non-browser program, such as Microsoft Word or the Slack desktop app. (If you click a link in a web browser, the new page will open in the same browser no matter which default app is specified.) If you want to change the default to Google Chrome, Mozilla Firefox, or another browser, follow these steps:

  1. Click the Start menu.
  2. Select the gear icon to open the Settings app.
  3. Choose “Apps”.
  4. Select “Default apps” in the pane on the left.
  5. Click “Web browser” in the “Default apps” section. Windows will then list the browsers currently installed on the computer as well as the option to look for an app in the Microsoft Store, as Figure 1 shows.
  6. Choose the browser you want to use. After a few seconds, it will then be displayed as the default app.
  7. Close the Settings app.

Specifying Default Apps Based on File Type

Changing the default apps used to open certain file types requires a couple more steps, but they are straightforward. For instance, in Windows 10, PDF files are opened with Edge by default, even if you have chosen a different default web browser. To open PDF files with another program, follow these steps:

  1. Click the Start menu.
  2. Select the gear icon to open the Settings app.
  3. Choose “Apps”.
  4. Select “Default apps” in the pane on the left.
  5. Click the “Choose default apps by file type” link, which is located under the “Reset” button. Windows will then compile a long list of file types, which takes about half a minute.
  6. Scroll down the list of file types in the left column until you find the “.pdf” file extension, as Figure 2 shows.
  7. Click the default app listed in the right column. Windows will then list the programs on the computer that can open PDF files. It will also present the option to look for an app in the Microsoft Store.
  8. Choose the app you want to use. Shortly thereafter, it will be displayed as the default app.
  9. Close the Settings app.

In some cases, you will see the message “Choose a default” in the right column, as Figure 2 shows. Clicking that icon typically brings up a message noting that there is no installed app for that file type, accompanied by a link to the Microsoft Store.

Be sure to check out our Webinars to learn more tips and tricks on how to work smarter in Microsoft!

Debunking 4 Common Myths about Complying with Data Privacy Regulations

The General Data Protection Regulation (GDPR) protects the data privacy rights of European Union citizens, while the California Consumer Privacy Act (CCPA) gives California residents more control over their personal data. Similarly, the Health Insurance Portability and Accountability Act (HIPAA) safeguards the medical information of US citizens.

Regulations that protect people’s privacy and data rights are becoming more common — and so are the myths about complying with them. Here are four myths debunked.

As more businesses try to adhere to these comprehensive policies, more myths about complying with them keep surfacing. Here are four of those myths debunked:

  1. We’re a Small Business, So We Don’t Have to Worry about Compliance

Size does not matter when it comes to complying with most data privacy regulations. For example, regardless of their size, all US healthcare providers, healthcare clearinghouses, and health plan providers must comply with HIPAA. Not surprisingly, health plan providers include health insurance carriers, health maintenance organizations, and government agencies that pay for healthcare (e.g., Medicare). But what people might not realize is that companies in other industries are also included. Any US company that offers but does not administer a healthcare plan to 50 or more employees is considered a health plan provider and thus must comply with HIPAA.

Size does not matter with GDPR, either. All companies that process or hold the personal data of EU citizens must comply with GDPR. However, businesses with under 250 employees have fewer requirements to meet when documenting their data processing activities. This stipulation is likely leading to the misguided belief that small companies do not have to comply with GDPR.

Another factor leading to confusion is that some data privacy laws use factors other than number of employees to determine which organizations need to comply. For example, businesses must comply with CCPA if they conduct business in California and meet at least one of these criteria:

  • Earn $50 million a year in revenue
  • Sell 100,000 consumer records each year
  • Derive 50% or more of its annual revenue by selling consumers’ personal information

So, most small and mid-sized companies that do business in California do not need to comply with CCPA. However, there are exceptions. For instance, a data broker that primarily sells consumers’ personal data would need to, even if it has only a few employees.

  1. It’s Our Cloud Service Provider’s Job to Make Sure Our Data Is Being Handled Properly

Cloud computing is now the norm in companies worldwide, but there is a common misconception among them concerning data privacy laws. Many companies think that cloud service providers are responsible for making sure their data is being handled in a way that is compliant with applicable data privacy regulations. This is wishful thinking.

Company accountability is a key factor in GDPR. It is the business’s responsibility to “ensure enforcement of the privacy principles not only within its walls but also across suppliers with whom it might share the data and subcontractors that might process data on its behalf,” according to GDPR experts. Cloud service providers fall into the latter category.

Company accountability is also a key factor in HIPAA. Although cloud service providers and other types of business associates can come under fire for not properly protecting data while it is in their care, the company is ultimately held responsible for compliance, according to HIPAA experts.

  1. Personal Data Only Includes Items Like Names, Addresses, and Credit Card Numbers

If you ask people to give examples of personal data, they will likely list items such as a person’s name, address, and credit card numbers. However, personal data encompasses much more — and companies that simply assume they know what is considered personal data in a data privacy regulation could find themselves in noncompliance with it.

Unfortunately, there is no standard definition of personal data among the various data privacy laws in existence. Each regulation has its own definition.

For example, in HIPAA, the data that needs to be safeguarded is referred to as “protected health information (PHI)”. It is defined as:

“…information, including demographic data, that relates to:

  • the individual’s past, present or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.”

So, PHI includes demographic information that can be used to identify individuals, such as their birthdates, phone numbers, email addresses, license plate numbers, and full-face photos. It also includes health-related data, such as admission and discharge dates, health records, health plan ID numbers, and billing information.

GDPR refers to the information that needs to be protected as simply “personal data”. It is defined as:

“… any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

The GDPR’s definition for “personal data” is more encompassing than HIPAA’s definition for PHI, which is to be expected given that GDPR has a broader scope than HIPAA. However, GDPR’s definition is also fairly vague, so it could be construed to include many different types of data. For instance, physical factors could be interpreted as physical characteristics (e.g., height, weight), while cultural factors could be construed as religious or political preferences.

The question to answer is: Can this particular piece of data be used to identity an individual by itself or in combination with other pieces of information? If the answer is “yes” or “possibly”, it is best to err on the side of caution and take measures to protect it.

  1. It’s All about the Fines

It is true that failure to comply with data privacy regulations can result in hefty fines. For example, there are four categories of violations in HIPAA. The fine for a violation can be high as $50,000 per violation in each category, with a maximum penalty of $1.5 million per category per year. GDPR fines can also be substantial. The maximum fine is €20 million (around $22.5 million USD) or 4% of a company’s annual global turnover (whichever is greater).

While HIPAA and GDPR regulators have the authority to levy very large fines, they typically do so only for willful, serious violations. The purpose of the data privacy laws is to protect people’s privacy and data rights, not raise money.

In the case of GDPR, the regulators’ main goal is to educate and advise organizations on how to comply with the law. “We have always preferred the carrot to the stick,” according to UK Information Commissioner Elizabeth Denham.

What You Need to Know about Foldable Phones

Foldable phones have been stealing the tech spotlight recently, but are they really all they’re cracked up to be? Here is what you need to know to make up your own mind.

Thanks to new offerings from Samsung and Huawei, foldable phones have been making a comeback. These mobile devices are smartphone-tablet hybrids. Vendors are hoping that they open up a new revenue stream in an otherwise saturated mobile device market.

But are foldable phones really all they’re cracked up to be? Here is what you need to know to make up your own mind.

What All the Hype Is About

The biggest selling point of foldable phones is that they increase the amount of screen real estate yet are still small enough to tuck in a large pocket or handbag. You can use them when they are folded or unfolded.

For example, Samsung’s Galaxy Fold, which is scheduled for release on April 26, 2019, has a 4.6-inch display when the device is folded. Opening the phone like a book reveals a larger 7.3-inch screen inside.

This is by no means the standard size and design of foldable phones’ displays. Because this is the first generation of the product, anything goes. For instance, Huawei’s Mate X, which is expected to be released in summer 2019, has a 6.6-inch display on the front and a 6.38-inch one on the back when folded. When you unfold the phone, they combine to become one 8-inch screen. Equally important, although the phone opens and closes like a book, the larger display is outward facing – like the cover on a book.

Eventually, some designs might prove to be more durable or beneficial than others and become standard on all foldable phones. This might the case when it comes to the phones’ hinges. Both Samsung and Huawei designed new hinge systems for their foldable devices.

Samsung is promoting the durability of its hinges and has even posted a short video on YouTube showing the hinges being tested. For this test, the phones were folded and unfolded 200,000 times, according to Samsung. This is equivalent to folding and unfolding the devices 100 times per day for more than 5 years.

Huawei is touting the sophistication of its hinge system, which it calls the Falcon Wing. According to Huawei, the smartphone and tablet modes transition seamlessly from one to the other, thanks in large part to this hinge. When unfolded, the screen is a perfectly flat surface.

Another notable feature of foldable phones is the ability to open and work with multiple apps on the display at the same time. For example, the Galaxy Fold lets you work on three apps simultaneously, while you can have two apps open in the Mate X.

Why You Might Want to Wait a While

While foldable phones hold great promise, you might want to hold off buying one. The reasons why include:

  • You don’t know what types of issues will crop up because it is the first generation of foldable phones. For example, real-world use might reveal that the polymer screens crease from being folded. Furthermore, it’s unknown what the repair process and costs will be like if problems occur.
  • More vendors are planning to enter the market, which will give you more choices. The list includes companies such as Motorola and TCL. Even Samsung is planning to release two more foldable phones in the near future, according to a Bloomberg report.
  • 5G networks will be more prevalent in the future so you can take advantage of 5G foldable phones. This might be an important point to consider when it comes to the Mate X. Huawei is planning to offer only a 5G version of the phone. Samsung will be offering both 4G and 5G models of the Galaxy Fold. The 5G model is expected to be released later in 2019.
  • The cost of foldable phones is currently high. For example, the price for the 4G Galaxy Fold is $1,980. The cost of the 5G Mate X is €2299 euros (around $2,600 USD). The cost will likely go down over time due to competition and the fact that the foldable phone will no longer be a brand-new technology.
  • Some experts are saying that people should hold off buying foldable phones until the devices have glass displays rather than polymer screens. While flexible, polymer screens are more prone to damage such scratches compared to glass. Corning and other manufacturers are currently working on creating highly bendable glass that could work on foldable phones. Experts predict that it will be available by the time foldable phones go mainstream.

An Important Note about Huawei

Some important information about Huawei needs to be mentioned. Although this Chinese-based company is not well known in some parts of the world (e.g., the United States), it is the second largest smartphone vendor. (Samsung is No. 1.) However, some governments believe that Huawei devices include backdoors that allow the Chinese government to snoop on users, which the company denies. For this reason, Section 889 of the John S. McCain National Defense Authorization Act bans US government agencies from purchasing Huawei telecommunications products. Regardless of this issue, Huawei’s Mate X provides a good idea of what to expect with foldable phones, which is why it is discussed here. Its inclusion is not an endorsement of the product.

Are Your Employees Inadvertently Exposing Your Company’s Sensitive Data?

The ease in which employees can now share information coupled with current cultural trends is causing accidental data leaks in many businesses. Learn how to prevent employees from accidentally exposing your organization’s sensitive data.

The number is eye-opening: 83% of companies believe that employee errors have put sensitive business and customer data at risk of exposure, according to a study by Egress. More than 1,000 security professionals at US-based companies participated in this study.

The study also identified the technologies that most often involved in this type of accidental data leak. Email services provided by both on-premises systems and cloud service providers (e.g., Google Gmail) topped the list. Examples of email-based accidents include sending emails to the wrong address (which can easily occur when the auto-completion feature is enabled) and forwarding messages that contain sensitive information.

Other technologies that are commonly involved in accidental data leaks by employees include:

  • File-sharing services (e.g., Dropbox)
  • Collaboration tools (e.g., Slack)
  • Messaging apps (e.g., WhatsApp)

The common denominator among these technologies is that they all are tools for sharing information.

The Perfect Storm and Its Aftermath

The ease in which employees can now share information coupled with current cultural trends is causing “the perfect storm” for accidental data leaks, according to Mark Bower, Egress Chief Revenue Officer and NA general manager. “The explosive growth of unstructured data in email, messaging apps, and collaboration platforms has made it easier than ever for employees to share data beyond traditional security protections,” said Bower. “Combine this with the growing cultural need to share everything immediately, and organizations are facing the perfect storm for an accidental breach,” he said.

The damage caused by this perfect storm could be grim. For example, suppose an employee emails a sensitive file that is not protected in any way to several coworkers for review. One of the coworkers might review the document on an unsecured personal device (e.g., a smartphone), opening up the possibility that it could fall into hackers’ hands. Or, the coworker might mistakenly forward the message to another employee, not realizing that the person should not be looking at the file.

Sending sensitive documents via file-sharing services adds another risk. Some of these services offer a feature that synchronizes files put in a shared folder across all registered devices. If an employee places a sensitive file in a shared folder without knowing that folder’s members, the file might be sent to multiple people who should not be seeing it.

How to Avoid Getting Caught in the Storm

To minimize the number of accidental data leaks caused by employee errors, companies might consider taking some of the following precautions:

  • Document the company’s rules regarding the sharing of sensitive data in a new or existing policy. If sharing is allowed, be sure to specify the conditions under which it is sanctioned and create procedures on how to properly share this data.
  • Provide employee training. After documenting the rules and procedures, let employees know about them. Be sure to discuss what is considered sensitive data and how accidental leaks can occur.
  • Use encryption. Encryption is one of the most effective ways to protect sensitive data that has accidentally fallen into the wrong hands. Various encryption strategies exist to meet different needs.
  • Limit employee access to sensitive data. Employees might not realize or might forget that certain types of data are sensitive. By using access controls, you can prevent them from obtaining and sharing that data.
  • Use a solution that automatically identifies sensitive files and prevents them from being copied into emails or other tools.

Every company should document its rules regarding the sharing of sensitive data and train employees. The other precautions to take, though, will depend on your business’s data, operations, and employees. If you aren’t sure where to start, give us a call at 800-421- 7151. We can explain the different encryption strategies, types of access controls, and other types of solutions so you can make an informed choice.

Hackers Are Hunting for Bigger Game with New Version of Ransomware

Pinchy Spider and GandCrab sound like scoundrels in a super-hero comic book, but they are real-life villains in the business world. Learn how to defend your company against the Pinchy Spider hacking group’s latest tactics and its newest version of the GandCrab ransomware.

Back in January 2018, a hacking group known as Pinchy Spider launched the GandCrab ransomware. It quickly became a dangerous form of ransomware, thanks to the group continually making adaptations to it.

Pinchy Spider has not slowed down in its quest to make GandCrab more deadly. Researchers recently discovered that a new version of the ransomware is making the rounds. Just as important, they discovered signs that Pinchy Spider is trying to catch bigger prey with it.

The Growing Trend of Big Game Hunting

Big game hunting is a growing trend among cybercriminals. To quickly increase revenue, hackers are turning to more targeted attacks of bigger game. For example, instead of sending phishing emails to the masses to spread malware, cybercriminals are using reconnaissance and sophisticated delivery methods to reach specific targets that will yield more profits.

Big game hunting fits well with Pinchy Spider’s “ransomware-as-a-service” business. In other words, it lets other cybercriminals (aka “customers”) use the malware it creates to carryout cyberattacks for a share of the profit. Typically, the hacker group uses a 60-40 ratio to split the profits, where 60% goes to the customers. However, Pinchy Spider is now advertising that it is willing to negotiate up to a 70-30 split for “sophisticated” customers. This change coupled with the fact that Pinchy Spider is actively recruiting hackers with networking, Remote Desktop Protocol (RDP), and virtual network computing experience is leading security analysts to believe that Pinchy Spider is hopping onto the big game hunting bandwagon.

GandCrab Well Suited for Big Game Hunting

GandCrab is well suited for targeted attacks of bigger game. While most ransomware is distributed through phishing emails, GandCrab takes a different route to its victims. It is distributed through exploit kits. Cybercriminals use these kits to find and exploit known software vulnerabilities in order to carry out malicious activities. In this case, Pinchy Spider created several exploit kits to look for weaknesses in the Java Runtime Environment, Adobe Flash Player, Microsoft Internet Explorer, and other software. If found, the kits exploit the vulnerabilities to launch VBScript, JavaScript, and other types of code that installs GandCrab.

Once the ransomware is installed on a computer, it does not immediately start encrypting the files on it. Instead, it lays dormant while the hackers try to use RDP and credentials they stole from the compromised machine to access and install the ransomware on other computers — preferably hosts or servers — in company’s network. In one instance, the cybercriminals were able to access a business’s domain controller (DC). They then used the IT systems management application installed on the DC to deploy GandCrab throughout the network.

When the hackers have finished infecting the targeted computers, they trigger GandCrab to start encrypting files with an RSA algorithm. GandCrab then demands payment in Dash (a form of cryptocurrency) to decrypt the files. While most ransomware blackmailers demand one payment to unlock the files on all the infected machines, Pinchy Spider and its customers request payment on a per-computer basis, especially if hosts or servers have been compromised.

How to Protect Your Business against GandCrab

Taking several measures can go a long way in protecting against a GandCrab attack:

  • Patch known vulnerabilities by regularly updating all software on each computer in your company, including workstations, hosts, and servers. Patching will eliminate many of the vulnerabilities that exploit kits use to access machines.
  • Make sure the security software is being updated on each computer. Even hosts and servers should be running security software. It can help defend against known ransomware threats and other types of malware attacks.
  • Secure RDP. Hackers like to exploit RDP to access businesses’ hosts and servers, so it needs to be secured. There are several ways to do this, such as deploying an RDP gateway and limiting who can use RDP to log in to the network.
  • Use two-step verification for the service and software accounts on your hosts and servers. That way, even if a password is compromised, it cannot be used to gain access to those accounts. If using two-step verification (also known as two-factor authentication) is not possible, at least use strong account passwords and implement an account lockout policy to foil brute force password-cracking attacks.
  • Regularly back up files and systems, and make sure the backups can be successfully restored. Although having restorable backups will not prevent a GandCrab attack, you won’t have to pay the ransom if the attack is successful.

We can help you implement these measures as well as provide recommendations on how to further protect against GandCrab and other types of ransomware. Give us a call at 800-421-7151 to learn more.

Malvertising Is Likely Coming to a Browser Near You

Cybercriminals are increasingly posting malicious ads on legitimate websites to obtain data and spread malware. Discover how malvertising works and what you can do to protect your business from it.

Cybercriminals do not take holidays off — in fact, they often use them to their advantage. That’s how a group of hackers celebrated President’s Day in the United States. They launched a massive malicious advertising (malvertising) campaign that involved more than 800 million ad impressions on legitimate websites between February 16-19, 2019, according to Confiant security researchers. The ads were designed to trick users into entering personal and financial information in order forms for fake products.

A Serious Problem

Malvertising is a serious problem. Avast notes that it is one of the top five endpoint threats affecting small businesses. That’s because cybercriminals are increasingly posting malvertising on legitimate websites in order to:

  • Obtain sensitive data. Like in the President’s Day campaign, hackers use malvertising to obtain sensitive data, such as payment card or bank account information.
  • Deliver exploit kits. These kits are designed to find known vulnerabilities in systems. If a vulnerability is found, it is used to install malware or carry out other types of malicious activities.
  • Deliver malicious payloads directly. Pop-up ads, for example, can deliver malware as soon as they appear or after people click the “X” button to close them.

The Devious Ways in Which Malvertising Works

To understand how malvertising works, you need to know how web browsers render web pages. When you visit a web page, your browser automatically receives the page’s content so it can display the page. So, for example, when you visit your favorite business news website, all the articles, pictures, ads (malicious or not), and other elements on the page are automatically sent to your browser.

What the malvertising does next depends on whether it includes malicious code. For instance, suppose hackers want to deliver an exploit kit. One way they can do this is to create ads that try to lure you into clicking a link. The ad itself does not contain any malicious code. However, if you click the link, you will be sent to a server that delivers an exploit kit. If the kit finds a vulnerability, it is used to install malware on your device.

Even worse, some malicious ads deliver exploit kits without you doing anything other than going to your favorite website. In this case, the malvertising contains code that automatically redirects your browser to a server, which delivers the exploit kit. The redirection occurs behind the scenes, without you clicking a single link.

How Hackers Get Malicious Ads on Legitimate Websites

Hacking into legitimate websites and inserting malicious ads is a lot of work. That’s why cybercriminals typically pose as businesspeople to get their malvertising online. This ruse is successful because there are many different ways to get ads on websites (e.g., through advertising agencies, using advertising networks) and there is no standard vetting process. The groups involved in getting ads often do not request much information from the people submitting them. Plus, while some groups check ads before accepting them, others do not.

Even if the ads are checked, hackers find ways around the screenings. For example, sometimes they submit their ads with the malicious code disabled and then enable it after the ad is accepted and put online. In addition, hackers often remove the malicious code from their ads shortly after they are posted to make it more difficult to detect and track their attacks.

How to Protect Your Business

While the digital ad industry knows about malvertising and is taking steps to mitigate the problem, it will be awhile before these ads are no longer a threat. Thus, you need to proactively protect your business. Here are some of the measures you can take:

  • Educate employees about malvertising. Be sure to discuss the dangers of clicking links in ads, as the ads might be malicious.
  • Tell employees about the dangers of allowing pop-ups and redirects. Most modern web browsers block pop-ups and redirects by default, but this functionality can be manually disabled. Let employees know this is dangerous since malvertising sometimes uses both pop-ups and redirects. Similarly, let them know they should not enable web content that has been disabled by their web browsers or security software, as it might contain malicious ads.
  • Uninstall browser plug-ins and extensions not being used. This will reduce the computers’ attack surface. For the plug-ins and extensions being used, consider configuring web browsers so that plug-ins and extensions are automatically disabled but can be manually enabled on a case-by-case basis.
  • Update software regularly, including browser plugins and extensions. Exploit kits look for known vulnerabilities in software. Patching these vulnerabilities helps eliminate entry points into devices.
  • Install ad blockers. Ad blockers remove or modify all ad content on web pages. However, they might unintentionally block non-ad content, causing a web page to display improperly or not at all.

We can help you develop a customized strategy to protect your business’s devices from malvertising and other types of cyberattacks.

Security Hole Is Putting Many Containers in the Cloud at Risk

A serious security vulnerability dubbed Doomsday Docker has been discovered. If your business uses containers, here is what you need to know.

serious security vulnerability dubbed Doomsday Docker is putting containers at risk. Cybercriminals can exploit this hole to attack the system that hosts the container as well as all the other containers running on the host system. Most containers in the cloud are vulnerable.

The security hole lies in a command-line runtime tool called runC. Popular container platforms such as Docker and Kubernetes use this open-source tool to generate and run containers. “As far as container runtimes go, runC is used by just about every container engine out there,” according to one security expert.

To exploit this vulnerability, cybercriminals just need to place a malicious container within a container system. The vulnerability will allow that container to overwrite the host’s runC binary code, letting the hackers gain access to the host system and potentially all the other containers running on it. This is done with minimal interaction by the hackers.

Container platform providers are patching their software to fix the vulnerability. We can check to see if your provider has issued a patch and make sure it is installed.

6 Ways to Make Your Passwords Easy to Crack

Passwords are an important line of defense against cyberattacks, yet many people make it easy for hackers to crack them. Here are six mistakes that people often make when creating passwords.

Serious consequences can result from cracked passwords. Cybercriminals might use them to steal money or data from the compromised accounts. Or they might change the accounts’ passwords and use the hijacked accounts for other malicious activities such as installing malware or sending phishing emails.

While no one wants to have their passwords cracked, many people make it easy for cybercriminals to do so. Here are six mistakes that people often make when creating passwords:

  1. Using Repeating or Sequential Characters

Want a password that is extremely easy to crack? Create a password that consists of:

  • Repeating letters or numbers, such as “aaaaaa” or “111111”
  • Sequential letters or numbers, such as “abcdef” or “123456789”
  • A combination of repeating and sequential characters, such as “abc123” or “aa123456”

SplashData’s 100 worst passwords list is full of these types of passwords. In 2018, the company analyzed more than 5 million passwords leaked on the Internet to find the most predictable, easily crackable ones in use. All the examples listed above are on this list. On an average computer, it would take a cybercriminal only one second to crack each of these passwords using a brute-force password-cracking tool, with one exception. It would take 32 seconds to crack “aa123456”, which is still a very short amount of time.

  1. Relying on Memorable Dates

While using your birthday, a family member’s birthday, or another memorable date makes a password easy to remember, it also makes it easier to crack. Hackers know people do this. With a little research, they often can learn their victims’ birthdates, anniversaries, and other special dates. If they cannot find the information on social media sites like Facebook or Twitter, they can search public records.

  1. Entering Keyboard Patterns

Although “1qaz2wsx” and “!@#$%^&*” might seem like random strings of characters, hackers know they are keyboard patterns. Hackers also know that people like to use keyboard patterns as passwords, so they check for them. In fact, “1qaz2wsx”, “!@#$%^&*”, “zxcvbnm”, and “querty” are all on SplashData’s 100 worst passwords list.

  1. Creating Short Passwords

Short simple passwords are easier to remember than long complex ones, but they are also much easier to hack. For example, passwords such as “football”, “Donald”, “banana”, and “whatever” take only two seconds to crack using a brute-force password-cracking tool.

Short passwords are dangerous even if you use letter substitution, such as replacing the number “0” for the letter “o” or substituting the “@” sign for the letter “a”. It would still take only three seconds to hack the passwords “f00tball”, “D0n@ld”, “b@n@n@”, and “wh@tever”.

Longer passwords are cryptographically harder to break than shorter ones. However, the long complex passwords that you are supposed to create — that is, long passwords that include mixed-case letters, numbers, and symbols — are hard to remember. As a result, people resort to writing them down or reusing the same password. This is why the US National Institute of Standards and Technology recommends using “memorized secrets” — passphrases that are simple, long, and easy to remember.

For instance, instead of using “football”, you might use “fond of flying footballs”. This passphrase would take more than 10,000 centuries to crack. As this example shows, including spaces is a good practice to follow, assuming they are allowed. Besides making the passphrase easier to enter, spaces make the passphrase harder to hack. It would take 58 centuries to hack “fondofflyingfootballs”. Although not as good as 10,000 centuries, 58 centuries is still a very long time.

  1. Reusing Passwords

People have to remember numerous passwords for both business and personal accounts. With so many passwords to remember, people often use the same password for multiple accounts. In one survey, 60% of the 1,000 participants admitted doing so.

However, cybercriminals know people frequently reuse passwords, so they try cracked passwords on multiple accounts. For instance, they sometimes launch an automated credential stuffing attack in which distributed botnets try using compromised credentials on high-value websites. This testing is done slowly using many different IP addresses to avoid setting off alerts (e.g., three unsuccessful login attempts) that could expose the attack.

  1. Modifying Passwords

To make passwords easier to remember, some people add or delete characters from passwords they are using at other sites. For example, they might use the passwords “cheese”, “cheese001”, and “cheese002” for three different accounts. One research study found that about 20% of passwords are formed this way.

More important, the researchers were able to create an automated cross-site password-guessing tool by applying common password-transformation rules to compromised passwords. If they can create such a tool, chances are so can cybercriminals.

7 Ways to Spend Less Time Dealing with Emails

Business professionals often spend a lot of time reading and responding to emails every day. If you are one of them, here are seven ways you can reduce the amount of time you spend dealing with emails.

In many businesses, employees use emails to communicate with each other, customers, suppliers, and other business associates. And the number of messages being handled is not small. Employees send and receive an average of 126 emails per day.

Dealing that many emails takes time. One study found that business professionals spend more than 25% of their day reading and responding to messages.

Fortunately, this doesn’t need to be the case. Here are seven ways you can reduce the amount of time you spend dealing with emails:

  1. Read and Respond to Emails Only at Designated Times

When you get a notification that an email has arrived, what do you do? If you are like most people, you stop what you are doing and look at the email. However, reading and responding to emails as they arrive can wreak havoc on your productivity. Even just quickly scanning an incoming email disrupts your concentration. It takes people an average of 64 seconds to recover from the interruption and return to their normal work rate.

Instead of reading and responding to emails as they arrive, a more productive approach is setting aside a block of time once or twice a day to go through all your messages. You should also consider turning off email notifications. That way, you can avoid the temptation of taking a quick peek at incoming emails.

  1. Manage Emails with Rules

Most email apps let you set up rules to manage messages. For example, both Microsoft Outlook and Google Gmail let you configure rules to automatically flag messages or move them to designated folders based on who is sending them or keywords in the subject line. Flagging and moving messages to folders can help you prioritize and organize emails.

  1. Make Sure an Email Is Necessary Before Writing It

Before you write an email, it is a good idea to ask yourself, “Is the email needed?” You should avoid sending emails about matters that are not important to business operations. “Nice to know” information can often be provided through other communication channels, such as a company intranet site. Only sending emails about pertinent business matters will save you time since you will be writing fewer emails. Plus, it will save time for others, as they won’t have as many emails to read.

  1. Be Concise When Writing Emails

You likely have gotten them — emails that ramble on and on rather than getting to the point. Don’t be one of those senders. When writing an email, get to the point quickly and keep the message as short as possible.

When a longer email is necessary, consider using elements such as bullets and numbered lists to help organize and call attention to items. If a matter needs to be discussed in-depth or will involve a lot of back-and-forth conversation, you might consider talking to the person rather than sending an email.

  1. Send Emails to Only the People Who Need the Information

When sending a message, you should make sure that you are emailing it to only those individuals who need the information. This is especially important when sending an email to a contact group (aka distribution list). Although entering a contact group in a message’s “To” field might be easier for you, it is better to enter the names or addresses of only those people who truly need the information. It will be one less email for everyone else in the contact group to read, saving them time.

  1. Repeat Important Points in Long Conversation Threads

When replying to a long conversation thread, it is a good idea to reiterate important information relevant to the matter you are addressing. For example, suppose you want to answer one of the questions brought up in a thread about company policies. Rather than say “To answer your question, we …”, it is better to say something like “In regard to the question about whether our company needs a social media policy, we ….”. This will make it easier for the email recipients to quickly understand what you are communicating. It will also save the recipients time, as they won’t have to reread all the previous emails in the thread to find the question you are addressing.

  1. Filter Out Spam

Although email servers filter out a great deal of spam, some messages inevitably make it through to users’ Inboxes. If you often see spam in your Inbox, you might want to filter it out using the spam or junk email filtering system provided by your email app or security software.

For example, you can use Outlook’s Junk Email Filter to move spam to the Junk Email folder. You have the ability to change the filter’s level of protection from the default of “No Automatic Filtering” to a more aggressive setting (“Low”, “High”, or “Safe Lists Only”). You might also create a blocked senders list. When you add a name or email address to this list, Outlook automatically moves incoming messages from that source to the Junk Email folder.

If this was helpful and you feel you may benefit from some other tips, check out the Webinars section of our Vlog for tips on how to work smarter in Outlook! If spam is your issue, give us a call at 800-421-7151 if you need to beef up your email security.

See How Much Power Your Apps Are Consuming on Your Windows 10 Computer

Once the October 2018 Update is installed on your Windows 10 computer, you can easily find out how much power each app and process is using. Here is how to access this information.

Windows 10’s Task Manager has many useful features and capabilities that let you monitor the apps and processes running on your computer. Once the October 2018 Update is installed, it is even more useful. The update adds two new columns to Task Manager’s “Processes” tab:

  • “Power Usage”. This column lets you see how much power each app and process is currently using.
  • “Power Usage Trend”. This column tells you how much power each app and process has used in the past two minutes.

In both columns, the possible values range from “Very low” to “Very high”, letting you know an app’s or process’s power-usage level at a glance. While the values in both columns are useful, the ones in the “Power Usage Trend” column can give you a better idea of how much power an app or process typically uses. Knowing this can be helpful, for example, if your computer’s battery is running low and you won’t have access to a power outlet anytime soon. By closing apps that typically use a lot of power, you can increase your battery’s life.

In addition, the power usage columns might flag when a cryptojacking script is siphoning a computer’s processing power. In this type of attack, cybercriminals steal computers’ processing power to mine cryptocurrencies.

To see the power-usage levels for your apps and processes, follow these steps:

  1. Right-click the Windows button and select “Task Manager”.
  2. If you see the “More details” option in the lower left corner of the Task Manager window, click it.
  3. Maximize the size of the window by clicking the square box in the upper right corner.
  4. Find the “Power Usage” and “Power Usage Trend” columns. They will be to the right of the “GPU Engine” column.
  5. If you do not see these columns, right-click any other column heading. In the box that appears, check the boxes next to “Power Usage” and “Power Usage Trend”.
  6. If you want to sort the apps and processes by the amount of power they are consuming, click the “Power Usage” or “Power Usage Trend” column heading. (By default, the apps and processes are sorted by name.)

If the “Power Usage Trend” column is blank for a particular app or process, don’t worry. When an app or process is launched, its entry in this column will be blank. The entry will populate after two minutes and then keep updating every two minutes.

What Is Digital Transformation and Why Are Companies Pursuing It?

Digital transformation is a popular topic of discussion in boardrooms. Learn what digital transformation is all about and why companies are interested in digitally transforming themselves.

IDC predicts that at least 55% of organizations will be digitally transforming themselves by 2020. But what exactly is digital transformation? More important, why are companies pursuing it?

What “Digital Transformation” Means

If you search the Internet for the term “digital transformation”, you will find numerous definitions of it. The definitions vary widely, so it can be hard to quickly learn what digital transformation is all about.

To understand what is meant by the term “digital transformation”, it is helpful to know what it is not. If a company simply moves applications to the cloud, upgrades its IT infrastructure, or implements some other one-off IT project, it is not digitally transforming itself.

Digital transformation involves more than just adding new digital technologies to business operations. It requires a company’s leaders to rethink how the organization does business at a fundamental level — how they can achieve their business goals by leveraging digital technologies in processes throughout the organization. Sometimes, companies are able to effectively integrate new technologies into existing processes. More often, though, they need to design new processes.

“Digital transformation marks a radical rethinking of how an organization uses technology, people, and processes to radically change business performance,” according to George Westerman, a digital transformation expert with the MIT Initiative on the Digital Economy. “Such sweeping changes are typically undertaken in pursuit of new business models and new revenue streams, often driven by changes in customer expectations around products and services.”

Meeting customers’ expectations is not the only driver of digital transformation. Increasing competition and meeting regulatory requirements (e.g., General Data Protection Regulation requirements) are some of the other drivers. Since customer expectations, competitors’ offerings, regulations, and other business influences are constantly changing, a digital transformation is not something a company does once and then moves on. It is an ongoing process.

Why Businesses Are Pursuing It

Because of its wide-sweeping nature, digital transformation can be disruptive. Plus, it is a never-ending quest. So, why are companies increasingly embarking on the journey? The benefits reaped from a successful journey are enticing. They include:

  • Improved customer satisfaction
  • More efficient operations
  • Improved decision making
  • Increased agility and innovation
  • Happier, more productive employees

Realizing these benefits ultimately leads to better business performance overall and increased profitability.

The Types of Digital Technologies Companies Are Using

While each company’s digital transformation is unique, businesses use many of the same types of digital technologies. For example, they use Internet of Things (IoT) devices and edge computing to collect and process data locally. To respond to customers’ online requests for information, they turn to chatbots. They also use other forms of artificial intelligence (AI) to connect and communicate with customers.

In the past, only big businesses could take advantage of AI technologies because of their cost. However, many cloud-app providers have embedded AI services in their platforms, so small businesses now have access to AI technologies.

If your business is embarking on digital transformation journey, we can help you determine which technologies can help you achieve your business’s goals. Call us at 800-421-7151 to find out how WAMS can begin your transformation.

Still Using Windows 7? Here Is What You Need to Keep in Mind

Windows 7 is still being used by many companies, despite it being in its final year of life. If your business is running this software, here is what you need to consider.

Many companies have not upgraded their computers from Windows 7 to Windows 10. The reasons why vary. For example, some businesses have not moved to Windows 10 because it is incompatible with their existing business apps or processes. Others have not switched because their existing hardware will not support Windows 10. While these are legitimate reasons for not upgrading, there is a new factor that needs to be considered: Windows 7’s end is near.

On January 14, 2020, all support for Windows 7 ends. Using Windows 7 after this date can be risky because Microsoft will no longer provide free security updates or product support. If the computers in your company are still running this operating system software, here is what you need to consider.

No Free Security Updates

After January 14, 2020, Microsoft will no longer provide free updates to fix newly discovered security vulnerabilities in Windows 7. Similarly, it will no longer provide free security updates to Internet Explorer web browsers running on Windows 7 machines. According to Microsoft, Internet Explorer is a component of the Windows operating system, so it follows Windows 7’s lifecycle policy.

This means that your Windows 7 computers and the Internet Explorer browsers installed on them will not be protected against cyberattacks exploiting newly discovered security vulnerabilities. As a result, your business will be at greater risk of data breaches, ransomware, and other types of cybercrime. To make matters worse, hackers often keep track of when vendors stop supporting popular apps. They then launch new cyberattacks that target those apps once the support has ended.

There is another less-obvious risk associated with using unpatched software. Since you cannot protect your Windows 7 computers from new cyberattacks, your company might not be compliant with regulations that govern the protection of sensitive data. Noncompliance can result in penalties, higher costs, and even lost business.

No Product Support

After January 14, 2020, Microsoft will no longer support computers running Windows 7. Nor will it support Internet Explorer browsers running on Windows 7 machines. This means that Microsoft will no longer answer any technical questions or help troubleshoot any problems. The only Microsoft resources that will be available are articles, webcasts, and other free online content that the company has posted about the software in the past.

Your Options

January 14, 2020, is approaching fast. It is a good idea to start planning now instead of waiting to the last minute. Here are your main options if your business is still running Windows 7:

  • Continue to use Windows 7 without any security updates or support. Windows 7 and Internet Explorer will not suddenly stop working after January 14, 2020. The apps will still work, so you can keep using them. However, doing so leaves your business at greater risk of cyberattacks.
  • Purchase Extended Security Updates. In September 2018, Microsoft announced that it will offer Extended Security Updates for Windows 7 (which will include updates for Internet Explorer) through January 2023. The Extended Security Updates will be sold on a per-device basis, with the price increasing each year. These updates will be available for Windows 7 Professional and Windows 7 Enterprise customers that have volume licensing agreements.
  • Upgrade to Windows 10. By moving to Windows 10, you will have free security updates, feature updates, and product support. If you subscribe to Microsoft 365 Business and your computers are running Windows 7 Professional, you can upgrade at no additional cost.
  • Switch to a different operating system. If you do not want to use Windows 10, you can switch to a different operating system, such as Apple macOS.

We can help you make the best choice for your business based on its needs and help you carry out that decision.

How to Use the Clipboard’s History and Syncing Features in Windows 10

The Windows 10 October 2018 Update soups up the Windows Clipboard with new history and syncing features. Here is how to enable and use these features.

The history feature lets you copy and store multiple items (text and images) on the Clipboard. In the past, you could only store one item at a time. The syncing feature lets you store Clipboard items in the Microsoft cloud so that the items will be available for pasting on all your Windows 10 computers.

You can take advantage of just one or both of these features. Before you can use them, though, you must have the Windows 10 October 2018 Update installed. You also need to enable each feature.

How to Enable and Use the History Feature

To enable the history feature, all you need to do is press Win+V to open up the Clipboard window and select “Turn on”. If you are unfamiliar with keyboard shortcuts, Win+V indicates that you press the Windows key and the letter v on your keyboard at the same time.

Once enabled, Windows 10 will automatically place the items you copy on the Clipboard. To paste an item that you copied earlier in the day, you just need to open the Clipboard window, find the item, and click it. The most recent items you copied will be at the top of the window.

You can store up to 25 items on the Clipboard. (Text, HTML, and images are supported.) Each item can be up to 4 megabytes. If you copy numerous items throughout the day, it is important to know that older items are automatically removed. To prevent this, you can pin items, which tells Windows 10 to keep those items on the Clipboard indefinitely.

To pin an item, you simply open up the Clipboard window, find the clip you want to save, and click the icon that looks like a pushpin. (It will be on the right side of the clip.) If you are going to be shutting down your computer, you also need to pin any items that you want to save. The Clipboard history is cleared every time you restart your machine. Only those items you pinned will remain on the Clipboard.

How to Enable and Configure the Syncing Feature

The Clipboard syncing feature comes in handy if you regularly use two (or more) computers, such as a desktop machine when you are in the office and a laptop device when you are on the road. For the syncing feature to work, the Windows 10 October 2018 Update needs to be installed on both machines. Plus, you need to use the same Microsoft account to log in to the computers.

The syncing feature needs to be enabled and configured. When setting up the feature, you will be given two options:

  • “Automatically sync text that I copy”. This is the default setting. If you keep this setting, all items that you copy will be stored in the Microsoft cloud and synced across your devices.
  • “Never automatically sync text that I copy”. If you select this setting, you need to manually open the Clipboard window and select the content you want to make available across your computers. If you often copy sensitive data, this option might be the best choice.

To enable and configure the syncing feature, perform these steps on both computers:

  1. Click the Start menu.
  2. Select the gear icon to open the Settings app.
  3. Choose “System”.
  4. Select “Clipboard” in the left pane.
  5. Scroll down to the “Sync across devices” section.
  6. Move the “Sync across devices” slider to “On” to enable the syncing feature.
  7. Choose either the “Automatically sync text that I copy” or “Never automatically sync text that I copy” option.

Clearing the Clipboard

At any time, you can clear items from the Clipboard. To remove individual items, open the Clipboard window, find the item you want to delete, and click the “x” icon in the upper right corner.

If you want to clear the everything except pinned items from the Clipboard, follow these steps:

  1. Click the Start menu.
  2. Select the gear icon to open the Settings app.
  3. Choose “System”.
  4. Select “Clipboard” in the left pane.
  5. Scroll down to the “Clear clipboard data” section.
  6. Click the “Clear” button.

This will clear the items from the Clipboard window and from the Microsoft cloud. If you want to clear pinned items, you will first need to unpin them.

If you have any questions about the new Clipboard features or run into issues using it, let us know.

4 Things You Might Not Have Known about Microsoft Teams

To help facilitate communication and collaboration in businesses, Microsoft offers a solution called Teams. Although it is a relatively unknown offering, its popularity is expected to grow. Here are four things it helps to know about Teams.

Teamwork is a mainstay in businesses. Although it has been in existence since November 2016, it is still a relatively unknown offering. That is expected to change, though. Experts predict that Teams will have the fastest growth of all the available business chat solutions over the next two years, according to a Spiceworks report released in December 2018.

So, it pays to learn about Teams. Here are four things you might not have known about it:

  1. Teams Is Microsoft’s Version of Slack

Like Slack, Teams is a communication and collaboration solution that offers a wide variety of services. The core services offered by Teams include:

  • Unlimited chat messaging and message searches that do not have a size limit
  • Audio and video calling (one-on-one or group calls)
  • The ability to host audio, video, and web conferences with anyone inside or outside a company
  • Built-in Microsoft Office Online apps (Word Online, Excel Online, PowerPoint Online, and OneNote)
  • Integration with more than 140 apps and services (both Microsoft and third party)
  • 10 gigabyte (GB) of storage per team for file sharing, plus 2 GB of storage for each team member
  • Screen sharing
  • Channel meetings
  1. There Is Now a Free Version

In July 2018, Microsoft launched a free version of Teams that does not require a Microsoft account. Teams is also included in some Office 365 subscriptions, such as Office 365 Business Essentials and Office 365 Business Premium.

The free version includes the core services just mentioned and a few others. The version provided with Office 365 subscriptions offers several extra features, such as administrative support, advanced security features, Microsoft Outlook, and additional file storage space.

  1. Teams Runs on Multiple Platforms

Teams runs on a variety of devices and platforms. Desktop versions are available for Windows 10, Windows 7, and Apple Mac OS X (10.10 and later). There are also mobile apps available for Google Android and Apple iOS devices. Download links for the free version of Teams can be found on the Get Microsoft Teams for Free web page.

  1. Teams Will Eventually Replace Skype for Business and StaffHub

Microsoft has announced that it plans to replace Skype for Business — a unified communications solution that is part of Office and Office 365 —  with Teams. Teams has already reached “feature parity” with Skype for Business, according to experts. Microsoft has not yet released a timeline for the retirement of Skye for Business. However, it might be coming in the not-too-distant future. On October 1, 2018, Microsoft stopped offering Skype for Business to new Office and Office 365 customers with fewer than 500 users. Instead, these customers are being set up to use Teams. Current customers with fewer than 500 users can continue to use Skype for Business. In addition, Microsoft is continuing to offer Skype for Business to existing and new Office and Office 365 customers with more than 500 users.

Although not nearly as widely used as Skype for Business, StaffHub will also be retired. Part of Office 365, StaffHub enables a manager to set work schedules for frontline employees, which they can then view. Employees can also use StaffHub to swap shifts and chat with each other. Microsoft has already incorporated StaffHub’s capabilities into Teams. The StaffHub mobile app will no longer be unavailable for download after April 1, 2019, and will stop working entirely on October 1, 2019

What Businesses Can Learn from Google’s Hefty GDPR Fine

Google was fined $57 million for not complying with the General Data Protection Regulation. Learn why Google was penalized so you can avoid the same data-privacy mistakes in your company.

Although it has only been enforced since May 25, 2018, companies are already being fined for not complying with the European Union’s General Data Protection Regulation (GDPR). In January 2019, Google was fined $57 million [USD] by France’s data protection authority, the National Data Protection Commission (CNIL). Google is the first US technology company to be penalized for GDPR noncompliance.

Learning why Google was fined can help you better understand what companies need to do to comply with data-privacy regulations. It is important for all businesses to have this basic understanding because legislation similar to GDPR is being passed in other parts of the world. For instance, in June 2018, the California State Legislature passed the California Consumer Privacy Act (CCPA). It gives California residents some of the strongest data-privacy protections in the world. CCPA will start being enforced in January 2020.

Why Google Has Been Fined

GDPR was created to provide data-privacy rights to EU citizens and protect them from data breaches. For example, EU citizens have the right to find out the types of personal data that companies are collecting about them, how the data is being used, and where it is being stored. Furthermore, businesses must ask customers for permission to collect and process their personal information. Companies must also make it easy for customers to withdraw their consent.

Two digital-rights advocacy groups made formal complaints to CNIL about Google’s data processing practices, especially when it comes to personalizing ads. Here is what CNIL found when it investigated the complaints:

Information is not easily accessible. CNIL found that is not easy for Google users to learn essential information about the types of data being collected about them, how that data is being used, and how long it is being stored. According to CNIL, the information is excessively disseminated, forcing users to access multiple documents and perform many steps to get it.

Some information is unclear and inadequate. CNIL discovered that, in some instances, Google’s explanations about how it is using the collected data are too vague, which impedes users’ ability to fully understand the purposes for processing that data. Similarly, the types of personal data being collected and processed is sometimes unclear. Plus, Google does not always specify how long it keeps the data.

There is a lack of valid consent regarding personalized ads. Although Google states that it obtains users’ consent to collect and process data for ad personalization purposes, CNIL found that it is not being validly obtained for two reasons:

  • Users are insufficiently informed about the total amount of data being collected and processed to make an informed decision. To personalize ads, Google collects data from many of its websites, apps, and services. However, Google does not tell users the specific sources from which their data is collected and how the various pieces of information are combined to provide personalized ads.
  • The consent is not specific. GDPR mandates that companies get customers’ specific, clear-cut consent to collect and use their personal data for each desired purpose. For instance, if a company wants to collect and process customers’ personal data for the purposes of displaying personalized ads and offering speech recognition services, it needs to ask customers for their consent for each purpose individually. Moreover, customers have to give their consent using a clear affirmative action, such as checking a box. (The box cannot already be preselected by the company.) According to CNIL, Google is not following these requirements. To create a Google account, users must select the boxes “I agree to Google’s Terms of Service” and “I agree to the processing of my information as described above and further explained in the Privacy Policy”. By doing so, users are giving their consent for all of Google’s various data collection and processing purposes (e.g., for ad personalization, for speech recognition services). While users can later configure their settings to stop their personal data from being collected and processed for the purpose of displaying personalized ads, this option is not easy to find. Furthermore, the option giving consent is preselected by Google.

Based on these findings, CNIL fined Google $57 million. The tech giant has already announced that it will appeal the penalty. Even if the appeal succeeds, Google will have likely spent a considerable amount of money and resources challenging the fine. For this reason and others (e.g., less prone to data breaches, increased customer satisfaction), it is a good idea for businesses to make sure they comply with GDPR if they have customers in the European Union.

 

Although Google Was the First, It Won’t Be the Last

Other well-known tech companies might be following in Google’s footsteps. Complaints have been levied against FacebookTwitter, and several streaming service providers(including Apple, Netflix, Spotify, and YouTube). Complaints and fines are not limited to large tech companies. Any business that processes or stores the personal data of EU citizens is required to comply with GDPR, regardless of its size or industry.

New Ransomware Is Masquerading as Apps and Games

Anatova has gained security experts’ attention. Besides being the first new ransomware in 2019, it poses a serious threat. Discover why it is so dangerous and how to protect your business from it.


A new form of ransomware is disguising itself as apps and games to trick people into downloading and launching it on their devices. Since January 1, 2019, cybercriminals have been using this dangerous ransomware, known as Anatova, to hold victims’ files for ransom. It has been found worldwide, with the largest number of victims in the United States.

 

How Anatova Works and Why It Is So Dangerous

Anatova typically masquerades as the icon of an app or game to trick people into downloading it. During installation, it requests administrative rights. After the ransomware makes sure it is on a legitimate computer, it encrypts the files on the machine. It also encrypts the files on any network shares connected to the device. Once all the files are encrypted, the victim is presented with a ransom note asking for 10 Dash. Dash is a type of cryptocurrency — 10 Dash is worth around $700 [USD] at the time of this writing. Victims are allowed to decrypt one JPG file for free as proof that the files can and will be decrypted if they pay the ransom.

While Anatova sounds like many other ransomware programs, security experts are warning that it is a serious threat. One reason why Anatova is so dangerous is that uses a variety of methods to prevent detection. For example, it uses dynamic calls that have been designed to not raise suspicion. Similarly, it uses techniques to deter analysis, such as memory cleaning functions.

Even more troubling is that cybercriminals can easily add new functionality to Anatova because of its modular architecture. Thus, they can quickly adapt Anatova to make it more effective. For instance, they might add new techniques to evade detection or new spreading mechanisms. The latter is of particular concern. Currently, Anatova has only been found on private peer-to-peer networks, but researchers believe it could be spread other ways in the future.

 

How to Protect Your Business

To avoid having your business become a victim of Anatova or another ransomware variant, you need to educate employees about ransomware. Topics to cover include:

  • What ransomware is and how cybercriminals commonly spread it. Besides covering how Anatova is being distributed through downloads, it is important to cover how ransomware can be spread through other methods, such as phishing emails.
  • Warn employees about the dangers of downloading and opening executables (e.g., apps, games) and files (e.g., PDF files) from peer-to-peer networks and the Internet. This is a good time to discuss your company’s policy regarding when employees are permitted to download executables and files and the sources where employees are allowed to get them.
  • Tell employees about other dangerous practices that can lead to a ransomware infection, such as clicking links and opening attachments in emails, especially if the emails are from unknown senders.
  • Stress the importance of avoiding any content flagged as a potential security threat by security software or web browsers, as it might contain malicious code.

Besides educating employees, you need to take other measures, including:

  • Making sure your security software is being updated on every computer in your business
  • Regularly updating the apps installed on your computers so that known security vulnerabilities are patched
  • Making sure you have restorable backups of your data in case a ransomware attack occurs

We can make sure that your business has covered all the bases so that it will be protected from Anatova and other ransomware variants.

Blackmail Emails Are Being Sent to the Workplace

Blackmail emails that were previously sent only to personal accounts are now being sent to business accounts. Find out what the emails are saying so you can be prepared in case you receive one.

In 2018, people were receiving emails in their personal accounts that tried to blackmail them into paying a ransom. People are now reporting that they are receiving similar emails at work.

In the emails, the blackmailers state they have evidence that the recipient has viewed a video on a pornography website because they hacked into the recipient’s computer. Specifically, they claim to have recorded what the recipient was watching and doing while viewing the video by using the device’s screen-capturing capabilities and webcam. The blackmailers then threaten to send the recording to everyone in the recipient’s email and social-media contact lists if the person does not pay the specified ransom.

 

The Blackmail Emails Are Actually Phishing Scams

The blackmail emails that people have been receiving at work and at home are actually phishing attacks being sent out by cybercriminals. The emails contain several classic signs of phishing scams:

  • Generic greeting. The emails do not include the recipients’ names in the salutation. Instead, they use a generic greeting such as “Good Morning my friend” or no greeting at all. In some cases, the recipient’s email address (or a shortened version of it) is used in the salutation.
  • Generic content. The emails do not contain any specifics about the incidents that were supposedly recorded. For example, they do not mention which websites the recipients were supposedly visiting when the recordings were made.
  • A sense of urgency and fear. To get people to fall for the scam, the emails try to create a sense of urgency and fear by first letting the recipients know that compromising recordings have been made and then telling them the recordings will be shared with their coworkers, friends, and family if the ransom is not paid.
  • Misspellings and grammatical errors. The emails contain misspellings and grammatical errors.

In some of the blackmail emails, the cybercriminals have been including a password that the recipient currently uses or has used in the past as “proof” they have hacked the person’s computer. However, email address-password pairs are often stolen in data breaches and can be easily purchased on the dark web. So, although alarming, the inclusion of a password does not prove the recipient’s computer has been compromised.

 

What to Do If You Receive This Phishing Email

If you receive a phishing email like this (or any other type of phishing email), here is what you should and shouldn’t do:

  • Do not panic or respond to the email.
  • Do not open any email attachments. In one instance, a blackmail email included an attachment. Opening an attachment could lead to spyware or another type of malware being installed on your computer.
  • Do not click any links in the email. Although the blackmail emails thus far have not included links, cybercriminals continually change their attack methods. Clicking a link could lead to malware being installed on your computer.
  • Follow company policy on how to deal with phishing emails if you receive one at work (e.g., forward it to the IT help desk, simply delete it).
  • Change your password if necessary. If the email includes a password that you currently use, change that password. If you used the password for multiple accounts, be sure to change each instance to a unique, strong password.

Scan your device for malware using your device’s security software as a precaution.

Don’t Let Your IT Policies and Procedures Fall by the Wayside

IT policies and procedures are not “set and forget” documents. Discover why they need to be reviewed regularly and learn some tips on how to do so.

Businesses sometimes create IT policies and procedures and then forget about them. Reviewing IT policies and procedures is important for several reasons, including:

  • Keeping IT systems running optimally. Companies create IT policies and procedures to help keep their IT systems running efficiently and securely. If these documents are not updated to reflect changes made to the systems, problems might arise. For instance, if a company starts collecting additional personal data from customers, it should update its privacy, data governance, and other applicable policies and procedures. Otherwise, the data might not be properly collected, cleaned, secured, used, and stored. This could lead to security vulnerabilities (e.g., improperly stored data) or data integrity issues (e.g., the new data cannot be combined with existing data because of formatting inconsistencies).
  • Complying with regulations. Regularly reviewing and updating certain types of policies is necessary for compliance to some regulations. For example, businesses that process or store the personal data of European Union (EU) citizens must comply with the General Data Protection Regulation (GDPR). One of the main requirements is that companies have privacy policies that tell EU citizens what data it is being collecting about them and how their data is being used, secured, shared, and stored. So, if a business starts collecting additional personal data from EU citizens but fails to update its privacy policy, it could be fined for noncompliance with GDPR.
  • Avoiding lawsuits. Businesses can be held liable for outdated, vague, and inconsistently enforced policies. For instance, a US jury awarded $21 million in damages to a woman who was struck by a Coca-Cola delivery driver who had been talking on her cell phone at the time of the accident. The plaintiff’s attorneys successfully argued that the company’s mobile phone policy for its drivers was vague and that Coca-Cola was aware of the dangers of distracted driving but withheld this information from its drivers. As this example illustrates, it is important for companies to periodically review their IT policies to make sure they are clear, current with the times, and consistently enforced throughout the workplace.

At least once a year, you should review your company’s existing IT policies and procedures to make sure they are up-to-date and relevant. This is also a good time to determine whether any new policies need be written. For instance, if you recently permitted employees to use their personal smartphones for work, you can use this opportunity to discuss the need for a Bring Your Own Device (BYOD) policy to govern the use of employee-owned phones in the workplace.

In addition, it is a good idea to test certain IT policies and procedures before the review process if it has not been done recently. For example, you could test the IT disaster recovery plan and procedures by holding a drill. Besides identifying problems with the plan and procedures (e.g., phone numbers that are no longer correct), the drill will allow employees to become familiar the process. This will lessen employees’ stress in the event of an actual disaster, which can lead to a faster recovery time.

If changes need to be made to an IT policy or procedure, you should:

  • Assign someone to make the changes.
  • Make sure the updated documents are reviewed and approved by the appropriate people (e.g., human resources staff, legal team).
  • Share the updated versions of those documents with employees.

Retest the policies and procedures if applicable. Need help keeping your policies moving forward? Give us a call at 800-421-7151.

5 Things to Know If You Are Considering Getting Cyber Insurance

As cyber attacks continue to increase in number and sophistication, more and more companies are purchasing cyber insurance. If you are considering getting this type of policy for your business, here are five things to keep in mind.


Discovering that a hacker just conned your business out of a large amount of money is probably one of your worst nightmares. For one organization, this nightmare came true. In December 2018, the Connecticut-based Save the Children Federation revealed that it fell victim to a business email campaign (BEC) scam the year before. The charity unwittingly transferred nearly $1 million to the hackers’ account.

Fortunately, the charity had cyber insurance, which covered most of the stolen money. The charity ended up losing only $112,000.

With BEC scams and other types of cyber attacks increasing in number and sophistication, more and more organizations are turning to cyber insurance to mitigate the risks and offset the costs of cyber attacks and other Internet- and IT-related liabilities. In the United States alone, the market is expected to grow from $2 billion to $15 billion in the next decade.

If you are considering purchasing cyber insurance for your business, here are five things to keep in mind:

  1. Cyber Insurance Is Continually Evolving

Cyber insurance is not new. Its roots are in errors and omissions (E&O) insurance policies. Around 20 years ago, add-ons were attached to tech companies’ E&O policies. These add-ons covered incidents such as a tech company’s software program bringing down another company’s network. Eventually, the add-ons evolved into separate policies that covered a lot more types of incidents (e.g., data breaches). As the kinds of coverages increased, so did the interest in these policies by companies outside the tech industry.

Nowadays, there are many different types of cyber insurance policies being purchased by many different kinds of businesses. And as the Internet, cyber crime, and IT systems evolve in the future, so too will the cyber insurance policies.

  1. Comparing Policies Can Be Challenging

Cyber insurance policies can be hard to compare because there is no set standard for underwriting this type of insurance. It is up to each insurance company to decide what it will cover and how to market that coverage. As a result, you might find that:

  • Some insurance companies simply add cyber insurance extensions to existing insurance policies. Most insurers, though, have separate cyber insurance policies. Stand-alone policies are usually more comprehensive than extensions, according to experts.
  • Some insurance companies put different types of coverages into separate policies. For instance, they might have a policy covering just data breaches and a policy covering cyber liability. In contrast, other companies offer one policy in which they include all their coverages (e.g., one policy covering both data breaches and cyber liability).
  • A few insurance companies offer different cyber insurance policies for different types of organizations. For instance, they might have separate policies for small businesses, tech companies, and public sector entities.
  • Like other types of insurance, the cost of the cyber insurance depends on many factors beyond the type of coverage provided. For instance, a business’s gross revenue, industry, and data risks are factored into the cost.
  1. Types of Expenses That Are Commonly Covered

Although there is no standard for underwriting cyber insurance policies, they cover many of the same types of expenses. Insurance companies typically cover cyber incidents caused by both internal actors (e.g., errors and omissions by employees) and external actors (e.g., cyber attacks by hackers). Examples of items usually covered include:

  • Lost revenue due to network downtime or a business interruption resulting from a cyber incident
  • Cyber extortion costs (e.g., ransomware payment)
  • The expenses incurred from a forensics investigation of a cyber attack
  • The costs incurred to restore data and systems after an attack
  • The expenses associated with notifying customers and other parties about a cyber incident
  • The cost of hiring a PR firm to minimize a cyber incident’s impact on a company’s reputation
  • Regulatory fines
  • Defense costs to handle lawsuits levied by individuals or businesses adversely affected by a cyber incident or a lawsuit imposed by a government entity (e.g., a state’s Attorney General)
  • Legal settlements from lawsuits

As this list shows, cyber insurance usually covers expenses incurred by the insured business as well as third parties adversely affected by the cyber incident. This is referred to as first-party coverage and third-party coverage, respectively.

  1. What Is Usually Not Covered

There are some costs and types of incidents that are not typically covered in cyber insurance policies. They include the loss of future revenue due to a cyber incident, costs to improve internal IT systems, bodily injury, and property damage.

In addition, it is important to know that a claim can be denied if a company misrepresents its security measures. Businesses are usually required to fill out an application that includes questions about the security measures they have in place. If a company submits a claim and the insurer can prove that the business did not have the specified security measures in place, the insurer can deny the claim.

  1. Where to Start If You Want to Get Cyber Insurance for Your Business

Before shopping for cyber insurance, experts recommend that you start by identifying the following for your business:

  • The types and sensitivity of the data used in your business
  • The kinds of cyber threats your company faces
  • How susceptible your business’s operations are to a network interruption and how much revenue you would lose every day if a cyber incident brought down your operations
  • Whether your business must adhere to any cyber-related laws or regulations (e.g., European Union’s General Data Protection Regulation, United States’ Health Insurance Portability and Accountability Act) and the cost of noncompliance
  • The contracts you have with suppliers and other business associates and what data they are able to access through joint business operations

With this information, you can get an idea of the types and amount of coverage needed. We can help you gather this information so you can get the best cyber insurance for your business.

Just Because a Mobile VPN App Is Popular Doesn’t Mean It Is Protecting Your Privacy

A study of the top free VPN apps available in Apple’s App Store and Google Play revealed that some of them might not be protecting your privacy as promised. Find out what the researchers discovered.

Using free public Wi-Fi networks at airports, hotels, and restaurants is convenient when traveling for business, but it can be risky. If you connect to an unsecured public Wi-Fi network, you run the risk of having hackers eavesdrop on your electronic conversations.

In theory, you can use a virtual private network (VPN) app to protect your privacy and data when using your mobile device within public Wi-Fi networks. In reality, that might not be the case if you are using a free mobile VPN app.

study of the top free VPN apps available in Apple’s App Store and Google Play revealed that most of them have no formal privacy policies or unacceptable ones. Plus, many of them are from obscure Chinese companies that deliberately make it difficult for people to find out anything about them. Equally concerning is that these apps often lack adequate customer support.

How the VPN Apps Were Selected

Researchers at Top10VPN.com selected the apps to study by searching for “VPN” in the App Store and Google Play for both the United States and United Kingdom sites. (Top10VPN.com is a VPN review site run by Metric Labs, an online security and privacy education company.) If a paid app appeared in the search results, the next one was selected. The top 20 VPN apps in each store at each site were listed, giving a total of 80 apps. Many of the apps appeared more than once in the list, so duplicate entries were removed. The end result was a list of the top 30 free VPN apps.

What the Study Found

For each app, the researchers investigated several elements, including the app company’s privacy policies, ownership, and customer support. One of the most concerning findings is that 86% of the apps are provided by companies that do not have any privacy policies or unacceptable ones. In regard to the latter, some of the companies have generic privacy policies that do not include any VPN-specific terms or policies that lack important details about data collection practices — both of which can give users a false sense of security. Other policies note that the companies track user activity and share it with third parties. Several policies even explicitly state that the companies collect and share users’ personal data with China.

Another troublesome finding concerns the companies providing the apps. “Our investigation uncovered that over half of the top free VPN apps [59%] either had Chinese ownership or were actually based in China, which has aggressively clamped down on VPN services over the past year and maintains an iron grip on the Internet within its borders,” said Simon Migliano, the head researcher at Top10VPN.com. Chinese legislation now forces local VPN providers to register with government authorities and obtain a license to operate. This is likely why some app privacy policies state that users’ personal data might be shared with China. For example, the privacy policies for the VPN Master, Turbo VPN, and SnapVPN apps state that “Our business may require us to transfer your Personal Data to countries outside of the European Economic Area (“EEA”), including to countries such as the People’s Republic of China or Singapore.” China’s VPN legislation coupled with the prevalence of Chinese hacking groups makes using VPNs provided by companies with links to this country risky to use.

The study also found that many of the top 30 apps have questionable user support. Specifically, 64% of the apps did not have dedicated websites for their VPN services. Several apps had no online presence whatsoever beyond their listings in the app stores.

Furthermore, 52% of the customer support email addresses specified in the app store listings were personal accounts (e.g., Gmail or Hotmail accounts). When the researchers sent emails to all the apps’ customer support email addresses requesting assistance, 83% of the emails were ignored. The emails were sent from the official top10vpn.com address and did not hide the researchers’ true identities.

You can find the details about all the apps investigated in the “Free VPN Apps: Chinese Ownership, Secretive Companies & Weak Privacy” report.

A VPN App Can Be Invaluable If You Pick the Right One

A VPN app can be invaluable if you use your mobile device within public Wi-Fi networks. It can protect your privacy and data if a network is not secured properly. However, when selecting a VPN app, it is important to do research and carefully evaluate the candidates, especially those that are free. If you need assistance selecting a safe VPN app for your mobile device, give us a call.

Reputation Jacking: Another Trick Up Hackers’ Sleeves

Reputation-jacking is on the rise. Discover what reputation-jacking is and why cyber criminals like to use it when attacking businesses.

Cyber criminals have another trick up their sleeves. Besides using phishing emails to steal money and data from businesses, some hackers are now employing an additional technique known as reputation-jacking — using popular, legitimate cloud storage services to deploy malware.

Security researchers at Menlo Labs uncovered a scam that showcases why using this technique is gaining popularity among hackers. In this scam, cyber criminals sent customized phishing emails to employees at banks and financial services companies in the United States and United Kingdom between August and December 2018. These emails used a convincing pretense to get the employees to download malicious files from the Google Cloud storage service.

Storing the files on Google Cloud likely gave the employees a false sense of security — the impression that the files were safe because they were on a popular, legitimate cloud service. Storing the files on Google Cloud also let the hackers circumvent possible security measures at the companies. If the hackers had attached the malicious files to the emails, they probably would have been caught by email security software since the files were Visual Basic Script (VBS) and Java Archive (JAR) files.

Downloading and opening the malicious VBS and JAR files initiated a process designed to infect the employees’ computers with remote access trojans. Cyber criminals use these trojans to gain control over compromised machines so that they can remotely run commands that will let them scout out companies’ networks. Hackers use what they learn to determine the best tools and techniques to deploy to accomplish their ultimate goal, which is often stealing money or data.

The security researchers who discovered the scam noted that reputation-jacking is on the rise. For this reason, it is important to discuss it when you are educating employees about phishing and business email campaign (BEC) scams. Let them know what reputation-jacking is and why hackers like to use it. Be sure to stress that anytime an email urges them to access a file, they should think twice about doing so. The file might be malicious, even if it is located on a legitimate cloud storage service. Call us at 800-421-7151 if it is time for some security training!

How to Customize the Startup Pages in Google Chrome and Microsoft Edge

If you have several websites you visit every day, you can configure your browser to automatically open those sites when you launch your browser. Here is how to customize the startup pages in Google Chrome and Microsoft Edge.

Most people have favorite websites they visit daily. If you are one of them, you can configure your web browser to automatically open those pages when you launch the browser. That way, you do not need to open each site every day, saving time and hassle.

To customize the startup pages in Google Chrome, follow these steps:

  1. Launch Google Chrome.
  2. Open the websites you want automatically opened when you start the browser.
  3. Click the icon that looks like a vertical ellipsis. It will be in the top right corner of the browser.
  4. Select “Settings” from the menu that appears. This will bring up the “Settings” web page.
  5. Scroll down to the “On startup” section at the bottom of the page.
  6. Click the “Open a specific page or set of pages” button.
  7. Select the “Use current pages” option.
  8. Close the “Settings” web page.

To customize the startup pages in Microsoft Edge, do the following:

  1. Launch Microsoft Edge.
  2. Open the websites you want automatically opened when you start the browser.
  3. Copy the sites’ addresses into a program such as Notepad or Microsoft Word.
  4. Click the icon that looks like an ellipsis. It will be in the top right corner of the browser.
  5. Select “Settings” from the menu that appears. This will bring up the “Settings” box.
  6. Find the “Open Microsoft Edge with” option.
  7. Select “A specific page or pages” from the drop-down list.
  8. Enter one of the site addresses you copied and click the save button (the button with the icon of a floppy disk).
  9. Use the “Add a new page” option to enter the other sites you want automatically opened.
  10. Click somewhere outside the “Settings” box to close it.

5 Noteworthy IT Trends That Will Affect SMBs in 2019 and Beyond

The IT industry is constantly changing. Because there are so many changes, it can be hard to discern which ones are most important. To help highlight the changes deserving attention, here are five IT trends that small and midsize businesses should know about.

Knowing the direction in which IT is headed can help companies prepare for the opportunities and challenges those changes might bring. However, many small and midsize businesses (SMBs) do not have the time or resources to keep up with IT changes since there are so many of them. Further, it can be hard to discern which ones are most important. To help highlight the changes deserving SMBs’ attention, here are five IT trends they should know about:

1. Data Privacy Regulations Will Become More Common

More data privacy regulations are likely on the horizon. The high rate of data breaches coupled with the controversial data-collection and data-sharing practices used by some companies (e.g., Facebook, Google) are prompting more people to rally around data privacy laws.

Some governing groups have already responded to people’s cries for more privacy. For example, the European Union passed the General Data Protection Regulation (GDPR), which went into effect in May 2018. A month later, the California State Legislature passed the California Consumer Privacy Act.

SMBs should keep abreast of the data privacy regulations being enacted and check to see whether they need to comply with them. The latter is not always readily apparent. For instance, companies do not have to reside in the European Union to fall under GDPR’s jurisdiction. Any organization that processes or stores the personal data of EU citizens is required to comply with GDPR, no matter it is located.

2. More SMBs Will Turn to Chatbots

To gain and retain customers, a company needs to quickly respond to their requests for information and answer any questions they might have. However, staffing a customer support desk 24 x 7 can be expensive.

One way companies are addressing this dilemma is by using chatbots, which are also known as virtual assistants or virtual agents. These software programs employ advanced technologies such as natural language processing and machine learning to simulate and automate conversations with humans. Chatbots can also help with routine tasks such as arranging meetings and collecting data.

Chatbots are becoming less expensive to purchase. Plus, companies have the option of buying prebuilt chatbots or building their own. Thus, chatbots are a practical solution for SMBs that want to be highly responsive to potential and existing customers.

3. Integrating Cloud and On-Premises Resources Will Become a Priority

With 96% of companies using at least one cloud service, it is safe to say that businesses have whole-heartedly embraced the cloud. However, companies’ cloud resources are not usually integrated with their on-premises resources. This can lead to a myriad of problems. For instance, a manager might want to break down product sales by customer age to analyze the buying habits of different generations. However, he might find that he is unable to do so because the customer data is stored in an on-premises legacy system while the product sales data is stored in the cloud, with no easy way to combine the two datasets.

In 2019, companies will begin to understand the importance of integrating on-premises and cloud resources, according to IDC experts. They predict that it will be a top IT spending priority for half of SMBs by 2021.

4. Companies That Want to Deploy Systems Using 5G Will Have to Wait

In December 2018, AT&T became the first wireless carrier to go live with a mobile 5G service in the United States. Although AT&T was the first, it won’t be the last. Other wireless carriers will likely follow suit.

Businesses are already looking forward to using this fifth generation of wireless networking technology because it is much faster, provides more bandwidth, and has lower latency than its predecessor, 4G. A survey by Gartner revealed that two-thirds of the polled organizations plan to deploy 5G by 2020. Ways they intend to use it include Internet of Things (IoT) device communications, video conferencing, and video analytics.

However, these companies will likely have to wait several more years. Gartner researchers expect that public 5G networks will not be capable enough to meet the needs of organizations by 2020 because wireless carriers will initially concentrate on providing 5G broadband services to consumers. They anticipate that an infrastructure capable of handling companies’ needs won’t be available until 2025 or later. Although companies could conceivably build their own private 5G networks in the meantime, the expense involved would not make it a viable solution for most SMBs.

5. The Proliferation of Data from IoT Devices Will Increase the Need for Edge Computing

Cisco estimates that IoT devices will generate a whopping 847 zettabytes of data by 2021. To handle the vast amounts of data generated by these devices, many companies will need to turn to edge computing.

With edge computing, the data from IoT devices is processed close to the location where it is being generated rather than being sent to a central location for processing. This allows the data to be analyzed and acted on in near real-time. Besides enabling such fast response times, edge computing helps companies significantly reduce the amount of data that needs to be sent to a central location, saving bandwidth.

Edge computing will be so crucial to handling IoT data that Gartner has ranked it as one of the top 10 strategic technology trends for 2019. And IDC researchers predict that, in key industries, a third of SMBs will be using IoT devices and edge computing to collect and evaluate data in near real-time by 2021.

7 Reasons Why IT Projects Fail

Projects frequently fail in businesses. Here are seven common reasons why IT projects fail and how you can avoid these pitfalls.

Having projects that fail is common in businesses. In one 2018 study, the Project Management Institute surveyed more than 5,500 companies and found that 15% of the projects they started failed. And these failures were costly — 9.9% of every dollar invested was wasted due to poor project performance.

Learning from other teams’ mistakes is one way to avoid failed projects. Here are seven common reasons why IT projects fail and how you can avoid making the same mistakes:

  1. Undefined Deliverables

While most project teams define the objectives for their IT projects, some teams do not define the projects’ deliverables. A common reason for this oversight is the belief that objectives and deliverables are referring to the same thing.

While objectives and deliverables are closely related, they are not synonymous. The objective describes what a team plans to accomplish with its project. Deliverables are things (e.g., reports, plans, processes, products) that the team will produce to enable the objective to be achieved. For example, suppose a project’s objective is to replace old printers with ones that will better meet the business’s needs. The deliverables might include a report detailing current and projected printer usage needs, an analysis determining whether it is best to buy or lease the printers, evaluations of at least three printer suppliers, a signed contract, installation of the printers, a training program for employees on how to use the new printers, and so on. A larger project might need separate objectives and deliverables for each phase in it.

Because deliverables often build on each other, they provide a roadmap that the team can follow to achieve the project’s objective. Deliverables also help the team more accurately estimate the time, resources, and funding needed to complete it.

  1. IT Project Too Large

Tackling IT projects that are too large in scope is a common reason why they fail. Large projects require large amounts of time, money, and resources to complete — all of which might be in short supply, especially in small and midsized businesses.

Projects with smaller scopes are typically more manageable and have a greater chance of success. So, for example, instead of undertaking a project to create a set of IT policies, it is better to narrow the scope by having the team create just the acceptable use policy. When that project is done, the team can then tackle the privacy policy, and so on.

It is important to note that an IT project might start out with a manageable scope, but then “scope creep” sets in. For instance, if a team is working on developing an intranet site for employees, having an ever-growing list of “must-have” and “nice-to-have” features might expand the project’s scope to the point where it is unmanageable. While changes to a project’s scope are sometimes necessary, they should be kept to a minimum. Significant changes might necessitate the need for the team to revise its deliverables, schedule, and budget.

  1. Unrealistic Schedules and Budgets

Sometimes, teams do not realize how much time or money will be required to complete IT projects. Other times, they are simply too optimistic.

Not taking the time to get accurate estimates of how much time and money a project will require can result in projects being late and overbudget. Even worse, it could lead to poor-quality deliverables. If a project’s schedule is unrealistic, people might rush to get things done or take shortcuts. Similarly, people might cut corners if a project’s budget is too small.

Having well-defined deliverables will help in the creation of realistic schedules and budgets. It’s important to build in a little extra time and money, though, in case any surprises pop up.

  1. Not involving the Right People

An IT project can run into trouble if the people involved do not have the necessary skills and knowledge. For example, having a technician head a project because he is knowledgeable in the project area can lead to failure if that person has no experience in managing projects or teams. Conversely, if no one on the team is knowledgeable about the latest IT technologies, the team might not consider a technology that could potentially be a good fit for the company.

It is important to make sure that each person involved in the project is capable of completing their assigned role. It is also important to make sure that at least one person on the team has sufficient IT knowledge in the project area. If no one in the company has the necessary know-how, the team should consider bringing in an outside expert.

  1. No Central Repository for Communications

For a project team to be successful, its members must be able to communicate effectively with each other and with other people inside their companies. To do so, they need good communication skills as well as effective communication tools.

Besides holding team meetings, project team members often use email to communicate with each other. While this is an effective tool, the emails are stored in the members’ inboxes, making it hard for other people (e.g., a new team member) to access the information discussed in them. Plus, if a team member forgets to copy the entire team on an email, some people might be inadvertently kept out of the loop.

A better approach is to have a central repository for project communications. This could be as simple as having project members store copies of their project-related emails in a shared folder on the company’s network. Ideally, though, teams should use collaboration software that enables them to communicate and collaborate with each other and that stores their communications and work in a central location.

  1. Not Monitoring and Tracking Progress

It is important monitor and track a project’s progress in terms of deliverables met, costs, and schedule. If a team fails to do so, a small glitch could turn into a big problem later on.

While manually monitoring and tracking a project is possible, it would be time-consuming. A better solution is to use project management software. That way, the team will always know exactly where the project stands and how much time and money has been spent on it thus far.

  1. Not Enough Testing

IT projects often include deliverables such as IT systems and IT products. Failure to thoroughly test these types of deliverables can result in their failure once they are implemented.

The team should not wait until the end of the project to conduct the tests. Testing needs to start early and be done often. This will allow small problems to be fixed before they grow into significant problems that will take much more time and money to fix.

If you have any other questions about upcoming projects you need done, give us a call at 800-421-7151. Our team will make sure your IT projects are executed successfully.

4 Misconceptions about Tech Support Scams

Despite being common, there are many misconceptions about tech support scams. Not knowing the truth can result in falling victim to this type of fraud. Here are four misconceptions set straight.

Tech support scams are common and costly. In 2017 alone, around 11,000 victims filed complaints with the Internet Crime Complaint Center (IC3). They reported losing nearly $15 million, which represents an 86% increase in losses compared to 2016.

Even though tech support scams are common, there are many misconceptions about them. Knowing the truth can help you become more adept at recognizing and avoiding this type of fraud. Toward that end, here are four misconceptions set straight:

  1. Tech Support Scammers Always Call

In the past, scammers frequently cold-called potential victims. They often identified themselves as tech support staff from a well-known tech company such as Microsoft. They then spun a tale of how they detected a problem on the person’s computer that should be fixed immediately, which they offered to do.

Nowadays, scammers are more apt to use other means to reach potential victims, including:

  • Pop-ups. When people visit a website, a message pops up that says their computers are infected with malware, have an expired software license, or have some other problem. The visitors are then urged to call a bogus hotline or go to a fake online tech support center to get the problem fixed.
  • Phishing emails. People receive emails that do not mention anything about their computers having a problem. Instead, some other pretense is used to try to get them to click a link. For example, security researchers found that some phishing emails were made to look like notifications from online retailers (e.g., Amazon) and professional social-networking sites (e.g., LinkedIn). Clicking the linking sent people to a malicious website that mimicked the legitimate one that supposedly sent the email. The site then deployed various scare tactics (e.g., pop-up messages saying there is a malware infection) to trick people into calling or visiting a phony tech support center.
  • Redirects to bogus tech support websites. In some cases, malicious ads (or links in other types of web content) redirect visitors to tech support scam sites. According to security researchers, these malicious ads are usually found in questionable websites, such as those that host illegal copies of media and software.
  1. If It’s Free, It Isn’t a Scam

The goal of many tech support scams is to make money. Scammers try to con you into paying for bogus software or services. Having someone notify you, out of the blue, that your computer has a serious problem, which they can fix — for a price — is a classic sign of a tech support scam.

However, you cannot assume the person is legitimate if they offer to fix the problem for free. Sometimes scammers have different goals. For example, they might want to change the settings on your computer so that it becomes part of a botnet. Or, they might want you to install their free software because it contains spyware.

  1. Baby Boomers Are Most Likely to Fall Victim to Tech Support Scams

A common misconception is that Baby Boomers are most likely to fall victim to tech support scams because they are less familiar with technology. However, a 2018 Microsoft study found that Gen Z’ers and Millennials are twice as likely to initially fall for a tech scam (e.g., click a link in a phishing email or call the number given in a pop-up) than Baby Boomers. And the Gen Z’ers and Millennials are five times more likely to lose money to tech support scammers (e.g., pay the digital con artists for bogus software or services).

The researchers attribute the higher vulnerability of Gen Z’ers and Millennials to several factors:

  • They engage in more risky online activities (e.g., use torrent sites, download movies, music, and videos) than the older generations.
  • They tend to be overconfident in their online abilities, causing them to be less cautious and more susceptible to scams. In the study, the Gen Z’ers and Millennials gave themselves high ratings in web and computer expertise.
  • They are more likely to believe that it is normal for reputable tech companies to make unsolicited contact than the older generations. In the study, 33% of the Millennials and 30% of the Gen Z’ers said unsolicited contact was normal compared to 18% of the Baby Boomers and 22% of the Gen X’ers.
  1. It’s Difficult to Defend against Tech Support Scams

Fortunately, the notion that it is hard to defend against tech support scams is a misconception rather than the truth. Besides understanding how tech support scams work, you can take some surprisingly simple measures to protect yourself.

For starters, you should not disable your web browser’s pop-up blocker. Most modern browsers automatically block pop-ups. For example, Google Chrome blocks not only pop-ups but also redirects by default. Manually disabling this functionality might result in you seeing more messages that try to scare you into calling or visiting a bogus tech support center.

Equally important, you should not visit questionable websites. Plus, you should heed the security warnings issued by your web browser and security software. These programs often flag or block content they know or suspect is unsafe. Resisting the urge to visit questionable sites and access flagged or blocked content can help reduce the number of tech support scam pop-ups and malicious ads in your web browser.

Another measure you can take is making sure your email app, web browser, and security software are being updated regularly. These programs are typically configured to automatically update, but it is a good idea to make sure that is the case. With the updates installed, they will be better able to identify and deal with security issues. For example, email apps usually include filtering tools that help weed out phishing emails. The more current the filtering tools, the more effective your email app will be at snagging phishing emails. Similarly, your browser and security software will be better able to identify unsafe content when they are updated.

You also might consider using ad blockers to eliminate the malicious ads that could send you to bogus tech support sites. These programs remove or alter all advertising content on web pages. Some ad blockers replace ads with content, such as news. Others simply leave holes where the ads would have been. However, there is one caveat with ad blockers. They might inadvertently block non-ad content, causing web pages to display improperly or not at all.

There are other, more-advanced measures you can take to protect yourself from tech support scams, such as using advanced email filtering solutions and configuring your DNS to block ads before they enter your network. If you would like to learn about these measures, contact us at 800-421-7151.

How to Stop Those Annoying Website Notification Boxes in Chrome Browsers

Are you tired of having websites asking you if they can send you notifications? Here is how to stop these notification boxes from popping up in Google Chrome web browsers.

If you use the Internet regularly, you have probably encountered them — those pesky boxes that pop up when you visit a website for the first time and it wants to send you notifications.

Although it is easy enough to refuse, having to do so for multiple sites can be annoying. And if you clear your browsing data, you will have to again refuse the notifications for the sites you visit often.

Fortunately, it is easy to stop these notifications from appearing if you use the Google Chrome web browser. Open your browser and follow these steps:

  1. Click the icon that looks like a vertical ellipsis. (It will be in the top right corner of the browser.)
  2. Select “Settings” from the menu that appears. This will bring up the “Settings” web page.
  3. Scroll down to the bottom of the page and click “Advanced”.
  4. Click the “Content settings” option. (You will need to scroll down a bit more to see this option.)
  5. Choose “Notifications” in the list that appears.
  6. Click the “Ask before sending (recommended)” option. The option will now read “Blocked”.
  7. Close the “Settings” web page.

If you should later want to receive notifications from websites, you can repeat these steps. The only difference is that in step 6, you will need to click the “Blocked” option. It will then toggle back to “Ask before sending (recommended)”. After you perform these steps, you will again be presented with notification boxes.

Office 2019 or Office 365: Which Is a Better Fit for Your Business?

Do you want to replace an old version of Microsoft Office on your company’s computers or add this productivity suite to some new machines? If so, you might be wondering whether it is better to use Office 2019, which Microsoft released in the fall of 2018, or Office 365. Here is what you need to know to make the best decision for your business.

The Fundamental Differences

There are a few fundamental differences between Office 2019 or Office 365:

Office 2019. Office 2019 is an on-premises product that you purchase upfront for use on a single computer. You can use this suite’s apps for as long as you want – whether it is three years or three decades. However, Microsoft will not be offering any upgrade options for Office 2019 in the future. This means that if you want to upgrade to the next major on-premises Office release (say Office 2022), you will have to buy it at full price. (Despite rumors to the contrary, Office 2019 will not be the last on-premises version of Office, according to company officials.)

Microsoft offers three Office 2019 suites available through volume licensing: Office Professional Plus 2019, Office Standard 2019, and Office Standard 2019 for Mac. If you need fewer than five licenses, you can use Office Professional 2019 or Office Home & Business 2019, both of which are licensed for business use.

All these suites (except Office Standard 2019 for Mac) need to run on Windows 10 computers. So, if you are running older Windows versions on your computers, you will not be able to use Office 2019.

If you have Mac computers, you can use either Office Standard 2019 for Mac or Office Home & Business 2019. These suites are compatible with the three most recent versions of macOS, which are 10.14, 10.13, and 10.12 at the time of this writing. The next time Apple releases a new major version of macOS (say 10.15), Microsoft will drop support for the oldest of the three versions (10.12) and support the newest version and its two predecessors (10.15, 10.14, and 10.13). The Office apps will still work on computers running the dropped version (10.12), but the apps will not receive any updates.

Office 365. Office 365 is a cloud service that you subscribe to on a per-user basis. Businesses have many subscription plans from which to choose, based how many employees need to use Office 365 and the apps, services, and other options those users will need. With most of the business subscription plans, each licensed user can install the Office apps on five desktop computers (Windows or Mac), five tablets, and five smartphones. With Office 365, you do not need to worry upgrading because users will always have the most up-to-date versions of the apps.

Office 365 is billed either monthly or annually. You pay a higher per-user fee if you choose to pay each month. When you stop paying, the users’ licenses to run the Office apps expire. The apps that are installed on users’ devices do not immediately stop working, though. They usually continue to work for 30 days thanks to a grace period.

Unlike Office 2019, Office 365 will work on computers running older versions of Windows. Office 365 is compatible with Windows 10, Windows 8.1, Windows 7 Service Pack 1, and the two most recent versions of macOS.

Functionality and Support

Not surprisingly, Office 2019 offers more functionality than its predecessor Office 2016. For example, in Office 2019, Microsoft added a text-to-speech feature to Word and funnel charts to Excel.

However, Office 2019 provides less functionality than the current Office 365 apps. The Office 2019 apps do not include many of the cloud- and artificial intelligence (AI)-based features that Microsoft has added to Office 365 apps the past few years. For instance, in Office 2019, Word does not include the Editor feature, even though it is available in the Word app provided through Office 365. This feature uses machine learning and natural language processing to make suggestions on how to improve your writing.

Further, with Office 2019, you will not get any new features delivered through updates. The updates will include only security and stability patches. In contrast, Microsoft will continue to add new features to Office 365 through updates. These updates will also include security and stability patches.

There is another difference in how Microsoft supports Office 2019 compared to Office 365. As long as you subscribe to Office 365, you will receive mainstream support. With Office 2019, Microsoft will provide only five years of mainstream support and two years of extended support.

The Bottom Line

What is best for your company will largely depend on your comfort level with cloud computing. If you are comfortable with using cloud services, subscribing to Office 365 might make more sense. It offers more features and better support than Office 2019. Plus, Office 365 apps work on older versions of Windows. However, Office 2019 is a viable alternative if using cloud services is not a good fit for your business. Contact us at 800-421-7151 if you have any questions about Office 365 or Office 2019.

Small and Midsized Businesses Continue to Be Common Targets in Ransomware Attacks

Ransomware continues to pose a significant threat to small and midsized businesses, according to a Datto survey of 2,400 managed service providers (MSPs). More than half of the MSPs reported that a least one of their clients experienced a ransomware attack in the first half of 2018. Although the average ransom was only $4,300, the attacks cost the businesses an average of $46,800 due to the downtime they caused.

How the Attacks Were Delivered

The Datto study explored how the ransomware was delivered to the small and midsized businesses. It found that the top three delivery methods were:

  1. Phishing emails. Cybercriminals often send phishing emails to employees at small and midsized businesses to spread ransomware. These emails use a convincing pretense to lure recipients into clicking a link or opening an attachment. All it takes is one employee to fall for the ruse to initiate a ransomware attack.
  2. Malicious websites or ads. To deliver ransomware, hackers build malicious websites or post malicious ads (aka malvertising) on legitimate sites. If employees visit one of these sites, code is installed on their computers without their knowledge. The code then kicks off a series of events that can ultimately lead to a companywide ransomware infection.
  3. Web pages often include clickbait — text links (“You won’t believe …”) and thumbnail image links designed to entice people to follow a link to web content on another web page. While clickbait is typically used to increase page views and generate ad revenue, cybercriminals sometimes use it to send people to malicious websites that spread ransomware.

Because all three delivery methods depend on someone performing an action (e.g., clicking a link), it is important for small and midsized businesses to teach employees about the hidden dangers associated with seemingly innocuous actions.

Key Elements to Cover When Educating Employees about Ransomware

While each company will want to customize its ransomware training program to meet the its unique needs, it is a good idea to cover the basics:

  • Let employees know what ransomware is and the methods cybercriminals commonly use to spread it (e.g., phishing emails, clickbait).
  • Discuss the elements commonly found in phishing emails, such as generic greetings, spoofed email addresses, and messages that try to create a sense of urgency (i.e., act now or pay the consequences). If employees know about these common elements, they will be better able to spot any phishing emails that make it through email filters.
  • Warn employees about the dangers of clicking links and opening attachments in emails, especially if they are from unknown senders.
  • Show employees real-world examples of clickbait and let them know the dangers that might be lurking if they are enticed into clicking the links.
  • Stress the importance of avoiding any web content flagged as a potential security threat by web browsers or security software, as it might contain malvertising or other malicious code.

Other Measures to Take

Businesses need take other measures as well, such as regularly updating their computers’ software so known vulnerabilities are patched. Equally important, they need to make sure they have restorable backups of their data in case a ransomware attack occurs.

If you need a security audit or know an area you are lacking, give us a call at 800-421-7151. We can make sure that your business has covered all the bases so that it will be protected from ransomware and other types of cyberattacks.

Why Cryptojacking Is More Dangerous Than Many Businesses Realize

 

Cryptojacking might not seem as dangerous as ransomware or data breaches since cybercriminals are stealing a computer’s processing power rather than money or data. However, companies that dismiss this threat might be putting their businesses at risk. Cryptojacking malware is becoming increasingly sophisticated, which could spell trouble for companies unprepared for it.

The Changing Face of Cryptojacking

Cryptojacking was born from people’s need for more computing power so they could mine (aka earn) cryptocurrencies such as Bitcoin and Monero. These “miners” typically used website scripts that siphoned processing power from a visitor’s computer, without that individual’s knowledge or consent. When the person left the site, the siphoning stopped.

It wasn’t long before cybercriminals started using these scripts to get computing power for their exploits. Sometimes, they added these scripts to their own malicious web pages. Other times, they hacked into legitimate sites and insert the scripts there.

Since cybercriminals have entered the scene, cryptojacking malware has become more sophisticated. In addition, the hackers are becoming more creative in ways to deliver it.

Take, for example, the cryptojacking malware known as PowerGhost. When it was first discovered in July 2018, Kaspersky Lab researchers found that cybercriminals used phishing emails to gain initial access to a computer. Once the machine was infected, the malware used credential-stealing and remote-administration tools to spread itself to other machines in the local network. To make matters worse, some newer versions of PowerGhost have the ability to disable antivirus programs such as Windows Defender.

Another sophisticated program is PyRoMine, which Fortinet researchers found in April 2018. Besides stealing processing power, it creates a backdoor account with administrator-level privileges, enables the Remote Desktop Protocol (RDP), opens the RDP port in the Windows Firewall, and makes several other system changes so that the cybercriminals can remotely access the computer at a later time. The program even configures the Windows Remote Management Service to allow the transfer of unencrypted data.

As PowerGhost and PyRoMine illustrate, cryptojacking malware can create footholds in computers that hackers can later exploit. They could, for example, use these footholds to infect the computers with a different kind of malicious program, such as ransomware.

This might already be taking place. Companies infected by cryptojacking malware were found to have a larger number of other types of malware infections compared to businesses that did not experience any cryptojacking attacks, according to Fortinet’s “Quarterly Threat Landscape Report” for Q3 2018. However, this is only circumstantial evidence that cryptojacking leads to other malware attacks, which the Fortinet researchers acknowledged. They noted, “We attempted to establish a definitive causal relationship, and while those tests showed statistically significant results, they fell short of the burden of proof needed for a guilty conviction.” The researchers are planning to further explore this relationship in future reports.

How to Guard against Cryptojacking

In the past, you just had to prevent malicious scripts from running in web browsers to guard against cryptojacking. Nowadays, a more widescale approach is needed, including:

  • Making sure that computers’ operating system software and apps are updated so that known security vulnerabilities are patched. Both PowerGhost and PyRoMine exploit unpatched security vulnerabilities in Windows operating system software to create their footholds.
  • Making sure your security software is up-to-date. This can help guard against known cryptojacking code. It can also help protect computers from other types of malware that might be installed through footholds created by cryptojacking malware.
  • Educating employees about phishing emails and unsafe web browsing habits. As PowerGhost demonstrates, phishing emails can be used to gain initial access to a computer. So, employees need to know the dangers associated with clicking links in emails and opening files attached to them. Similarly, they should be taught about unsafe browsing habits, such as clicking links without knowing where they lead and visiting questionable websites.
  • Using ad or script blockers in web browsers to prevent malicious scripts from loading. There are also third-party tools available that are designed specifically for blocking cryptojacking scripts.
  • Inspecting your website. If your business hosts a website, you might want to make sure that hackers have not placed a cryptojacking script on it.

There are also other measures you can take, such as monitoring your computer systems and network for unusual activity. We can evaluate your business and provide specific recommendations on how to defend against cryptojacking and other types of malware.

Avoid Data Loss in Office 365

Microsoft understands the value of business data and the costly repercussions of losing it. That’s why they’ve released a slew of security and compliance tools for Office 365 subscribers. But given the increasing sophistication and frequency of data breaches, these cloud security solutions aren’t enough to protect your files. You’ll need to follow these seven security tips to prevent data loss in Office 365.

Take advantage of policy alerts
Establishing policy notifications in Office 365’s Compliance Center can help you meet your company’s data security obligations. For instance, policy tips can warn employees about sending confidential information anytime they’re about to send messages to contacts who aren’t listed in the company network. These preemptive warnings can prevent data leaks and also educate users on safer data sharing practices.

Secure mobile devices
Since personal smartphones and tablets are often used to access work email, calendar, contacts, and documents, securing them should be a critical part of protecting your organization’s data. Installing mobile device management features for Office 365 enables you to manage security policies and access permissions/restrictions, and remotely wipe sensitive data from mobile devices if they’re lost or stolen.

Use multi-factor authentication
Don’t rely on a single password to safeguard your Office 365 accounts. To reduce the risk of account hijacking, you must enable multi-factor authentication. This feature makes it difficult for hackers to access your account since they not only have to guess user passwords, but also provide a second authentication factor like a temporary SMS code.

Apply session timeouts
Many employees usually forget to log out of their Office 365 accounts and keep their computers or mobile devices unlocked. This could give unauthorized users unfettered access to company accounts, allowing them to steal sensitive data. By applying session timeouts to Office 365, email accounts, and internal networks, the system will automatically log users out after 10 minutes, preventing hackers from opening company workstations and accessing private information.

Avoid public calendar sharing
Office 365’s calendar sharing features allow employees to share and sync their schedules with their colleagues. However, publicly sharing this information is a bad idea because it helps attackers understand how your company works, determine who’s away, and identify vulnerable users. For instance, if security administrators are publicly listed as “Away on vacation,” an attacker may see this as an opportunity to unleash malware on unattended computers.

Employ role-based access controls
Another Office 365 feature that will limit the flow of sensitive data across your company is access management. This lets you determine which user (or users) have access to specific files in your company. For example, front-of-house staff won’t be able to read or edit executive-level documents, minimizing data leaks.

Encrypt emails
Encrypting classified information is your last line of defense to secure your data. If hackers intercept your emails, encryption tools will make files unreadable to unauthorized recipients. This is a must-have for Office 365, where files and emails are shared on a regular basis.

While Office 365 offers users the ability to share data and collaborate, you must be aware of potential data security risks at all times. When you work with us, we will make sure your business keeps up with ever-changing data security and compliance obligations. If you need help securing Office 365, we can assist you, too! Contact us today for details at 800-421-7151.

Browser Security for Business Data

The internet isn’t for the naive. It’s a wild place of dangerous creatures like polymorphic viruses, ransomware, scammers, and malicious hacker organizations. As  any business owner today would know, data is everything. If you or your employees browse the net unprotected, this valuable resource is threatened by cyber criminals on the lookout for easy targets. One way to protect your business’ data is to secure your browsers. It is easy enough for every small- and medium-sized business to do.

Data stored on desktops, servers and in the cloud, doesn’t make it safe. If anything, it makes it available to anyone who has the desire and capabilities to hack into your system and cause mayhem for your business operations.

One thing you should be doing to protect your data – and your company – is to make use of privacy-protecting browser extensions. Depending on the nature of your business, both you and your employees are likely to be online at least some, if not all, of the working day. What are some of the browser extensions that can make the experience more secure?

Prevent browser tracking

If you don’t like the idea of a third party (reputable or otherwise) being able to track your browsing habits, try installing a tool for private browsing. These programs offer protection against tracking by blocking third-party cookies as well as malware. Some extensions also boast secure Wi-Fi and bandwidth optimization and can guard against tracking and data collection from social networking sites such as Twitter, Facebook or Google+.

Blocking adverts

While online ads may seem harmless, the truth is they can contain scripts and widgets that send your data back to a third party. A decent ad blocking program will block banner, rollover and pop-up ads, and also prevent you from inadvertently visiting a site that may contain malware.
Many blockers contain additional features such as the ability to disable cookies and scripts used by third-parties on a site, the option to block specific items, and even options to ‘clean up’ Facebook, and hide YouTube comments. The major blockers work with Google Chrome, Safari, and Firefox and you’ll be able to find everything from user-friendly solutions to more advanced tools that are customizable down to the tiniest degree.

Consider installing a VPN

Unfortunately, browser tracking, malware, and adware are not the only internet nasties that you need to be concerned about. but the good news is that there a number of other extensions that you can download to really get a grip on your online safety. A VPN (Virtual Private Network) is something else to consider. VPNs encrypt your internet traffic, effectively shutting out anyone who may be trying to see what you’re doing.

Commonly used in countries where the internet is heavily censored by the powers that be, a VPN allows for private browsing as well as enabling users to access blocked sites – in China’s case that’s anything from blogs criticizing the government to Facebook and Instagram. There are hundreds of VPNs on the market so do a little research and find one that suits you best.

Finally, it goes without saying that having anti-virus and anti-malware software installed on your PC, tablet, and even your smartphone is crucial if you want to ensure your online safety.

Is browsing at your workplace secure? Would you like a more comprehensive security system for your business? We can tell you all about it and help your business protect itself from online threats. Get in touch with us today at 800-421-7151.

5 Cloud Security Tips for Business Owners

Cloud computing marketing can be deceiving. When you see an image of the cloud, it’s often a happy, bubbly, white puffball floating delightfully in front of a blue sky background. Its presence is both calming and reassuring, which makes you believe that anything is possible. Security would never be an issue, right? Ask one of the nearly seven million Dropbox users who had their accounts hacked, and they’ll give you a definitive answer. Sure, not every cloud provider has had security breaches, but that doesn’t mean we can take cloud security lightly. Here’s what you can do to protect yourself as a business owner.

Ask your IT provider what cloud security policies they have in place

This is probably the single most important security measure you can take. Find a trusted IT provider and have a candid conversation with them about their cloud security policies.

Ask about Security Training

The number one point for anything security related is user training. A Smart user is 90% of the way there to protecting themselves.  You can have all the browser extensions and ad blockers you want but if the plugins are out of date or compromised it might make things worse.   The content of this document, and all the other emails and blog entries you send out are helping to Train the user.  A Smart user will understand why and how to use the technology to help protect themselves and the company.

Ask where the physical cloud servers are located

When you have “the conversation,” don’t forget to ask about this. Believe it or not, some cloud servers may not even be located in your own country. Wherever they are, it’s wise to make sure they’re located in a safe data center with proper security afforded to them. Otherwise depending on your type of business you may be out of compliance with regulations such as Sarbanes-Oxley.Create unique usernames and passwords

Your login credentials represent one of the cloud’s main security vulnerabilities. Think of a better password than “12345” or “football.”

Use industry standard encryption and authentication protocols

AES (Advanced Encryption Standard), IPsec (Internet Protocol Security) and EAP (Extensible Authentication Protocol) are reliable technologies. IPsec is primarily used for a secure VPN connection.

Encrypt data before it’s uploaded to the cloud

Encryption is a must, and can be done by you or your cloud service provider. Should hackers manage to access your data, they’ll find it useless because they can’t make heads or tails of it.

When it comes to trusting the security protocol of a cloud service provider, transparency is key. They should take security seriously, be able to explain their security policies clearly, and be willing to answer any questions. If they can’t do one of these, that’s a red flag telling you to find another vendor.

Are you ready to talk cloud security and transition your business into the cloud? Call us today at 800-421-7151. We’re happy to answer all your questions.

5 Proactive Defenses Against Cyber Attacks

As IT security consultants, we’re stuck between a rock and a hard place. Managed IT services providers (MSPs) such as ours want to provide clients with enterprise-level IT, but that requires that we specialize in overwhelmingly intricate technology. Explaining even the most fundamental aspects of cybersecurity would most likely put you to sleep instead of convince you of our expertise. But if there’s one topic you need to stay awake for, it is proactive security.

Understand the threats you’re facing

Before any small- or medium-sized business (SMB) can work toward preventing cyberattacks, everyone involved needs to know exactly what they’re up against. Whether you’re working with in-house IT staff or an MSP, you should review what types of attacks are most common in your industry. Ideally, your team would do this a few times a year.

Reevaluate what it is you’re protecting

Now that you have a list of the biggest threats to your organization, you need to take stock of how each one threatens the various cogs of your network. Map out every company device that connects to the internet, what services are currently protecting those devices, and what type of data they have access to (regulated, mission-critical, low-importance, etc.). You should never spend more money than the vault of the asset or data that you are protecting.

Create a baseline of protection

By reviewing current trends in the cybersecurity field and auditing your current technology framework, you can begin to get a clearer picture of how you want to prioritize your preventative measures versus your reactive measures.

Before you can start improving your cybersecurity approach, you need to know where your baseline is. Devise a handful of real-life scenarios and simulate them on your network. Network penetration testing from trustworthy IT professionals will help pinpoint weak spots in your current framework.

Finalize a plan

All these pieces will complete the puzzle of what your new strategy needs to be. With an experienced technology consultant on board for the entire process, you can easily synthesize the results of your simulation into a multi-pronged approach to proactive security:

  • Security awareness seminars that coach all internal stakeholders – train everyone from the receptionist to the CEO about effective security practices such as password management, proper mobile device usage, and spam awareness
  • Front-line defenses like intrusion prevention systems and hardware firewalls – scrutinize everything trying to sneak its way in through the borders of your network
  • Routine checkups for software updates, licenses, and patches – minimize the chance of leaving a backdoor to your network open
  • Web-filtering services – blacklist dangerous and inappropriate sites for anyone on your network
  • Updated antivirus software – protect your data and systems against the latest and most menacing malware
  • Physical Access – minimize your risk by restricting physical access to network critical devices such as servers and switches behind a locked server closet.

As soon as you focus on preventing downtime events instead of reacting to them, your IT infrastructure will increase your productivity and efficiency to levels you’ve never dreamed of. Start enhancing your cybersecurity by giving us a call at 800-421-7151 for a demonstration.

Office 365 Stops Billions of Phishing Emails

Sending phishing emails is the most common method hackers use to distribute malware and steal information. In fact, there are billions of phishing emails sent every year, and millions of people keep falling for them. However, if you’re subscribed to Office 365 there’s a good chance that you won’t see harmful messages in your inbox, and here’s why.

Effective anti-phishing solutions must be able to recognize the key elements of a phishing attack, which includes spoofed (or forged) emails, compromised accounts, unsafe links, and harmful attachments. In April 2018, Microsoft upgraded Office 365’s Advanced Threat Protection (ATP) features so it can better detect these elements and prevent a wide variety of phishing scams. These enhancements include:

  • Anti-impersonation measures – ATP will now look for potential phishing indicators in an email, including the sender’s address, name, and links, to identify whether the user is being impersonated. You can specify high-profile targets within your organization, such as managers and C-level executives, so Office 365 can protect these users from email impersonation. Office 365 also utilizes machine learning to analyze a user’s email patterns and flag suspicious contacts that have had no prior correspondence with your company.
  • Anti-spoofing technology – This feature reviews and blocks senders that disguise their true email address. You can even enable safety tips that flag certain email domains that have strange characters. For instance, if your real domain is Acme.com, a spoofed domain could be Acḿe.com.
  • Email link scanning – Office 365 launched Safe Links, which scans emails for fraudulent links and redirects users to a safe page in case it does contain harmful materials. This feature also applies to email attachments, ensuring you’re protected against all types of phishing scams.

Due to these improvements, Office 365 had the lowest phish rate among other well-known email services between May 1 and September 16, 2018. The company has stopped over five billion phishing attempts and protected users against seven billion potentially malicious links. If you’re looking for a secure email platform, Office 365 is the best option for your business.

That said, it’s not a substitute for good security awareness. No matter how secure Office 365 is, employees still need to be adequately trained to recognize a phishing email when they see one. Hackers are constantly changing their tactics to evade Office 365’s detection systems, so it’s important that everyone is alert at all times.

If you need a well-fortified email service, we can implement and manage Office 365 for you, and include Mimecast for extra protection. We even offer practical security advice to make sure your business, employees, and assets are safe and sound. Contact us now at 800-421-7151.

Keep the Cloud Affordable with These Tips

Small and medium sized businesses and firms globally are adopting cloud technologies. However, there are hidden costs that some business owners might not be aware of. They might not seem like much at first, but those costs could eventually snowball. Follow these five tips to keep the cloud from breaking the bank:

No standalones

Cloud services come in various shapes and sizes, many of which are standalone platforms with rates that increase over time. Opt for a service provider that offers a suite of products that all work together. They are often less expensive than a group of standalone products. Another benefit of working with a cloud provider is that you receive a single point of contact to resolve your issues quickly and effectively.

Experience matters

If you plan on integrating a standalone cloud service into your system, make sure you hire an experienced integration consultant to facilitate a smooth transition. Integration mishaps can cause serious downtime and cost a lot of money.

Backups are important

Unnecessary or inefficient backups will waste cloud storage space. Examine your cloud storage data by asking the following questions:

  • How many versions of this data do I need to store long-term? The more versions you store, the more it costs. This is known as Recovery Point Objective or RPO which is determined by looking at the time between data backups and the amount of data that could be lost in between backups.
  • What regulatory demands do I need to meet? Some data may need to be accessible for up to three years, whereas other data can be deleted after 30 days.
  • How quickly do I need to access my backups? If it can wait for a day or two, archive that data to a less expensive service or offline at the provider’s data center. This is known as RTO, or Recovery Time Objective, which is the target time you set for the recovery of your IT and business activities after a disaster has struck.

Remove users

Many cloud service providers charge by the number of users in your system. By neglecting to manage the list of users, you could end up paying for people who no longer work for you. Implement processes that remove users when they are terminated and consider scheduling a regular audit. Ideally, this should be once every six months to a year, to ensure your cloud user list is up-to-date.

Monitor proactively

Ask your cloud provider whether they can proactively monitor your account and notify you of potential issues before they cause problems. This is especially important if you have a pay-as-you-go license that charges based on resource or storage consumption.

Utilizing the right technology resources is vital to your business’s success, and so is knowing how to prevent them from racking up an overwhelming monthly bill. If you wish to enjoy all the benefits of cloud computing without breaking the bank, give us a call at 800-421-7151 and we’ll be happy to help.

Is CRM Software Essential to your Business?

The right technology investment can lead to business success. With customer relationship management (CRM) software at the helm of your sales and marketing efforts, you can nurture long-lasting business relationships and improve your bottom line. If you need more convincing, we’ve compiled five more reasons why your business needs CRM.

Grows with your business

The ol’ Rolodex may have been useful for managing a few clients, but you’ll need a much better solution if you plan to maintain relationships with hundreds, possibly thousands, more. CRM scales with your business, meaning it can handle larger data sets and more clients as you expand your sales operation.

Organizes your data

CRM software acts as a central database for all your sales records and transactions. This means important customer information can be retrieved in just a few clicks rather than by rifling through thousands of documents, sticky notes, and disorganized cabinets. And since CRM is hosted in the cloud, sales data, customer interactions, and other actionable information are available for the entire company.

Improves customer service

Your sales team could be the most persuasive individuals in the world, but this means nothing if they can’t recall anything about their clients and their preferences. When your sales staff follows up on leads or existing customers, CRM will automatically retrieve contact history, past purchases, and customer preferences from your client database and display them on a single page during the call.

Armed with detailed customer information, sales representatives will be able to recommend products and services that meet the client’s needs. So instead of struggling through a sales call, marketing employees can focus on delivering a professional sales pitch.

Streamlines your sales funnel

CRM comes equipped with workflow management functions, supporting your sales pipeline in a number of ways. For example, you can configure your CRM to send instant follow-up emails when a lead visits a particular product page. You can even use automation to track where certain leads are in the sales pipeline and delegate the task to one of your sales closers.

Analyzes sales data

With real-time sales information, business managers can track marketing campaigns and adjust their strategy accordingly. For instance, you might notice that click-through-rates for promotional emails and company newsletters are higher during Tuesday afternoon than Friday night. Having this information can help you focus your marketing efforts and message to generate more leads.

In addition, you can use CRM to analyze customer calling activity, market demographics, lead conversion rates, and key performance indicators to influence future business decisions.

Understanding your customers can put you several steps ahead of the competition. If you need to manage contacts, eliminate time-consuming procedures, and improve your sales performance, CRM is the perfect business solution.

Contact us today to find out whether CRM is the right fit for your business.

 

What is App Virtualization?

Small- or medium-sized business (SMB) owners may be overwhelmed by their company’s IT demands. Fortunately, virtualization services are giving them a fighting chance to stay on top. Some technology vendors even recommend app virtualization services because many SMBs use it. Learn if it’s right for you by understanding the basics.

What are non-virtualized apps?

To understand app virtualization, first you need to understand how non-virtualized apps are installed.

When you install an application like Skype or Slack onto a computer, the installer program puts most of the files required for the app to run on your hard drive’s Program Files folder. This process is usually fine for personal use but may become problematic if you install similar apps on your device.

For instance, if two similar apps are installed on the same file destination, there’s a chance that they might conflict with each other and inevitably crash. Likewise, if you uninstall a program without knowing that it shares important files with another application, you run the risk of breaking the other one.

The solution to this is app virtualization.

What is app virtualization?

App virtualization involves running a program in an environment separate from the physical server, allowing you to run programs that are normally incompatible with a certain operating system (OS). In other words, virtualized apps trick your computer into working as if the application is running on a local machine, but in fact, you’re actually accessing the app from somewhere else.

Advantages of app virtualization

App virtualization offers numerous advantages for SMBs, including:

  • Quick installation times and less money spent on local installation
  • Allowing incompatible applications to run on any local machine. For instance, if your laptop is dated and can’t run the latest apps on its own, you can lighten the load on your CPU by accessing virtualized apps instead.
  • Mac users can run any Windows apps if your company’s local server runs Windows OS.
  • Applications on your computers won’t be in conflict with each other since virtual apps are installed in a separate location.
  • Upgrading is easy because your IT team won’t have to upgrade applications in individual desktops, they just have to upgrade the virtual application within the company’s local server.
  • Applications can be accessed from any machine, allowing your employees to work from home or on the go if they choose to.

Things to consider

Before you start deploying app virtualization solutions, you need to have a stable network connection so users can smoothly stream apps. Note that some apps like antivirus programs are difficult to virtualize since they need to be closely integrated with your local OS.

Virtualizing a workplace is no easy task, and that’s where we come in. If you’re convinced that your company can benefit from app virtualization, get in touch with our IT experts today.

Be Aware of these 4 Types of Hackers

Hackers come in all shapes and sizes. From kids wanting to gain notoriety on the internet to political groups trying to send a message, the motives for a cyberattack vary widely. So how can you protect yourself? It all starts with getting to know your enemy a little better. Here’s a profile of four different types of hackers.

Script Kiddies

Skill-wise, script kiddies (or skids, for short) are at the bottom of the hacker totem pole. Their name comes from the fact that they use scripts or other automated tools written by others. Most of the time, script kiddies are young people on a quest for internet notoriety. Or, more often than not, they’re simply bored and in search of a thrill. Many never become full-time hackers; in fact, many script kiddies end up using their skills for the greater good, working in the security industry.

Though lacking in hacking know-how, script kiddies shouldn’t be dismissed so easily, as they can cause businesses much damage. In May 2000, for instance, a couple of skids sent out an email with the subject line “ILOVEYOU” and ended up causing a reported $10 billion in lost productivity and digital damage.

Hacktivists

Hacktivists are primarily politically motivated, and they often hack into businesses and government systems to promote a particular political agenda or to effect social change. These so-called “hackers with a cause” steal confidential information to expose or simply disrupt their target’s operations.

If you’re a small- or medium-sized (SMB) owner, don’t think for a second that you’re immune to hacktivist attacks. This is especially true if your company is associated or partnered with organizations that are prime hacktivist targets. Or, if your business provides services that can be seen as unethical, you may targeted by hacktivists as well.

Cybercriminals

When a hacker breaks into digital systems or networks with malicious intent, they are considered a cybercriminal. Cybercriminals target everyone from individuals to SMBs to large enterprises and banks that either have a very valuable resource to steal or security that is easy to exploit, or a combination of both.

They can attack in a number of ways, including using social engineering to trick users into volunteering sensitive personal or company data, which they can then sell in underground markets in the dark web. They can also infect computers with ransomware and other malware, or use digital technology to carry out “conventional crimes” like fraud and illegal gambling.

Insiders

Perhaps the scariest type of hacker is the one that lurks within your own organization. An insider can be anyone from current and former employees to contractors to business associates. Oftentimes their mission is payback: to right a wrong they believe a company has done them, they’ll steal sensitive documents or try to disrupt the organization somehow. Edward Snowden is a prime example of an insider who hacked his own organization — the US government.

Now that you know what motivates your enemy, and you think you might be a target, it’s time to secure your business from the different types of hackers out there. Get in touch with our experts today to learn how.

Forget These Disaster Recovery Myths

Disaster recovery (DR) isn’t what it used to be. Long gone are the days when a DR solution cost over a hundred thousand dollars and relied predominantly on tape backups. Cloud computing has dramatically changed the DR landscape. Unfortunately, there are still many misconceptions about DR. Here are a few of the myths that no longer apply.

Tape Backups are the Best DR Solution
Backup tapes are physical objects that deteriorate over time. Don’t believe us? Try listening to a cassette tape from the ‘90s. Over time, tape backups become distorted and stop working. Deterioration is slow and may only affect some files in the early stages, so don’t settle for a mere cursory check. Tape backups are not the best for DR solutions, but they are an excellent price for offline storage. Super DLT Tape II can store up to 600GB of data and has a shelf life of 30 years if stored in the right environment; much longer than any backup medium.

Aside from backups in your office, another set of tape backups needs to be stored outside your premises. In case a natural disaster damages your office, not all your data will be wiped out. But if your storage space isn’t safe from the elements, this could also be a problem.

BUT,  a cloud backup solution is a much better DR solution.  The backups are always available,  online and ready when you need them for the disaster.  The right DR solution can get you back online in minutes, while the tape backups take much longer to restore data.   A Tape backup is not a good DR solution. Unlike tape backups, a cloud-based backup saves you time. Data is automatically backed up online, and you don’t need to spend time managing boxes of tapes. Your time is better spent on your assigned tasks, not IT management.

The RTO you want will be too expensive
Recovery time objectives (RTO) are essential to any DR plan. You need to get everything up and running again as quickly as possible to avoid serious losses. In the days before the cloud, a swift recovery time could cost you well into six figures. Today, cloud and virtualization solutions have made this much more affordable, and faster than ever before.

Most DR providers can back up your critical data in an hour or two. And if you ever need to recover it, most services can do so in less than a day. That’s the power of the cloud. And when it comes to DR, it truly has changed everything.

Disaster recovery is for big business, not SMBs
The cloud has made this valuable service affordable for businesses of all sizes. From dental offices to small retail operations, SMBs can now take advantage of the best DR solutions on the market. Advances in IT and the cloud have eliminated the obstacles of complexity, costs, and insufficient IT resources.

We hope that by dispelling these myths, we’ve demonstrated to you that disaster recovery is more affordable and efficient than ever. If you’d like to learn how our DR solutions can safeguard your business, send us a message at info@wamsinc.com or call us at 800-421-7151 and we’ll gladly fill you in.

Which Business Computers are Best?

We know that IT plays a big role in reaching your small- and medium-sized business (SMB) milestones. When it comes to hardware, you don’t need to be an IT expert to find the best possible solution. Here’s a concise and helpful guide to the best hardware for your firm.

Portability

Laptops allow you to keep working when you don’t have an electrical outlet. However, this ability to take your work anywhere can be counterproductive by creating more stress on employees who think they must work all the time.

Memory/Speed

Desktop computers used to have more memory and faster processors than laptops. And although high-powered laptops have caught up, they are more expensive. If work is limited to word processing and emailing, affordable less-powerful laptops should be enough. Anything more will probably require a desktop machine.

We also recommend SSD hard drives to increase speed. These offer a huge increase in performance and should be considered for desktops and laptops.  Most modern laptops will come with a SSD, but they do cost a bit more.

Security

Data security is necessary not only against data leaks but as protection from litigation, reputation damage, and loss of business. With a network security system and IT staff, vulnerabilities are easier to address for desktop computers within office premises. They’re also less likely to be stolen.

For laptops, however, mobility makes them more vulnerable. Data loss is a real risk as laptops may be connected to unsecured networks and hotspots or be lost or stolen. You should consider hard drive encryption.  This way if the laptop is stolen the thief won’t be able to access anything on the laptop without the encryption password. Given the fact that they are so much smaller and more portable, keep in mind that laptops are also much easier to steal. NEVER and we mean NEVER leave your laptop in your car. Protecting your laptops require special safeguards, and consequently more time and money.

Price

Laptops and desktops come in varying prices according to preferences. On the cheaper end of the price range spectrum, there are notebook-style laptops that are limited to word processing and web browsing capabilities. Desktops have affordable equivalents as well. The deciding factor when it comes to price is your IT service provider or hardware supplier. With the right partner, you should be able to get a good bulk deal on powerful but affordable desktops or laptops.

Longevity

Laptop computers may provide the convenience of mobility, but it’s much harder to upgrade their components as they get older. Laptops are also easier to drop or damage and more expensive to replace or repair. Being in a fixed location, desktops are less prone to this. And unlike laptops, many desktops are not always pre-assembled. Many desktops can be custom built with parts that are easily removed, replaced, or upgraded. You should also consider hard drive encryption.  This way if the laptop is stolen the thief won’t be able to access anything on the laptop without the encryption password.

Final Recommendation

A growing company really needs a combination of both types of computers. However, a desktop computer will be generally more reliable for the fledgling company owner. Laptops should be added as budget permits to provide that extra portability and convenience, especially for managers who work remotely.

If you have other questions regarding enterprise hardware, give us a call at 800-421-7151. We’d be happy to recommend the best solution according to your company’s business needs and objectives.

4 Social Engineering Scams to Watch Out For

Experts are constantly creating new security systems to protect individuals and businesses from hackers. From those who want to attend popular events like the Olympics to avoiding an angry boss, hackers are preying on gullible victims to circumvent network security systems and steal sensitive information. If you don’t want to be the next victim, read about the most common social engineering scams here.

Phishing

This is the most frequently used social engineering attack, especially against small businesses. Check out these frightening statistics:

How is phishing carried out? Criminals make use of emails, phone calls, or text messages to steal money. Victims are directed to phony websites or hotlines and are tricked into giving away sensitive information like names, addresses, login information, social security, and credit card numbers.

To protect yourself, be wary of emails from people you don’t know that offer you a prize, come with attachments you didn’t request, direct you to suspicious sites, or urge you to act quickly. Phishing emails usually appear to come from reliable sources, but they are wolves in sheep’s clothing.

One of the most infamous and widespread examples of phishing was during the 2016 Summer Olympics in Rio, where victims received fraudulent emails for fake ticketing services that stole their personal and financial information.

Be aware of Whaling as well. Whaling and Phishing are both very similar:

Phishing is more automated, hoping you go to their fake website and type a real username/password so they can access your data.

Whaling is the same thing, but a real person is behind the email making it look legitimate and harder for filters to block it. They often ask for bank transfers or something similar. They will also respond quickly if you respond to the email to start a conversation and suck you in.

Tailgating

What’s the fastest and easiest way for criminals to enter a secure office? Through the front door, of course! Tailgating happens when an employee holds the door open for strangers and unauthorized visitors, allowing them to infiltrate an organization. This simple act of kindness enables fraudsters to enter restricted areas, access computers when no one is looking, or leave behind devices for snooping.

Quid pro quo

Here, scam artists offer a free service or a prize in exchange for information. They may lure their victims with a gift, concert tickets, a T-shirt, or early access to a popular game in exchange for login credentials, account details, passwords, and other important information. Or hackers may volunteer to fix their victims’ IT problems to get what they want. In most cases, the gift is a cheap trinket or the tickets are fake, but damages from stolen information are all too real.

Pretexting

Fraudsters pretend to be someone else to steal information. They may pose as a telemarketer, tech support representative, co-worker, or police officer to fish out credit card information, bank account details, usernames, and passwords. The con artist may even convince the unsuspecting victim to apply for a loan over the phone to get more details from the victim. By gaining the person’s trust, the scammer can fool anyone into divulging company secrets.

Also, and we cannot emphasize this enough, be aware of shoulder surfing. Shoulder surfing happens when someone is standing over your shoulder and watching the keystrokes that you enter while typing your password. Often this happens fairly quickly, and you may not even notice it. We all know that if someone obtains your password, they have access to your entire online life; keep an eye out for people nearby when typing in your passwords.

In spite of the many security measures available today, fraudsters and their social engineering schemes continue to haunt and harm many businesses. Thus, it’s best to prepare for the worst. To protect sensitive information, educate yourself and be careful. Remember: If anything is too good to be true, it probably is!

To shield your business from social engineering attacks, don’t take chances! Get in touch with us today by calling 800-421-7151.

4 Questions You Should Ask Any IT “Expert” Before Letting Them Touch Your Network

As businesses have become ever more dependent on technology, IT services providers have been popping up left and right. They’ve all got different strengths, capabilities and price points to consider. Some charge you by the hour and, while available to address any concerns you may have, they are pretty hands-off. Others are working on your network around the clock but charge more in turn. Many may boast an impressive record when working with a broad range of companies, but lack the experience necessary to understand the ins and outs of your specific industry. Some cost way too much month-to-month, while others try the “bargain bin” approach, but as a result, can’t afford to field the staff needed to respond to issues in a timely fashion.

There’s certainly a lot to consider when looking for an IT services provider for your business. And if you’re not particularly knowledgeable about information technology yourself, it can sometimes feel like you’re going into the process blind.

To suss out whether an IT company will mesh with your business’s workflow and industry specific requirements, it’s important to vet them thoroughly. The key is to ask the right questions. Here are four that will allow you to zero in on any IT company’s priorities and strengths, and help you determine whether or not they are a good fit for your organization.

1.DO YOU TAKE A PROACTIVE OR ‘BREAK-FIX’ APPROACH TO IT?

When your car breaks down, you take it to the shop and you get it fixed. The mechanic charges you for the work done and for the parts, and then sends you on your way. Many business owners consider their computer network to be the same kind of deal. Why not just wait until an outage happens and then call up somebody who charges by the hour to fix it? That way, they imagine, they won’t be paying for “extra” services they think they don’t need.

But unfortunately, unlike your car, when your network is out, you’re losing dollars every single minute. The

cost of a network outage is difficult to overstate – not only will it bring your business to its knees while it’s out, but it’ll frustrate customers and employees and result in a cascading set of problems.

Instead of a “break-fix” technician on hand, you need a managed IT services provider. These experts work directly with your company to optimize your network and its security at every turn, and are available nearly any time to address your concerns. And they’re genuinely invested in providing the best service possible, since it’s in their best interest as well.

2. WHAT IS YOUR GUARANTEED RESPONSE TIME?

We’ve all needed something fixed before and had to wait for hours, days or even weeks before anyone bothered to come by and solve the problem. Don’t let that happen to your business. If a company can’t guarantee a response time, it’s probably not a company you want to be working with.

3. WHAT WILL COST ME EXTRA?

This question is particularly important if you’re looking at a managed services provider (which you should be). The last thing you need is for a crisis to strike, only to discover you need to shell out a bunch of surcharges to get your network back up and running. Make sure the costs and services included are crystal clear before you sign anything.

4. HOW MUCH EXPERIENCE DO YOU HAVE?

As scrappy as the “new kid on the block” may be, you don’t want them in charge of one of the most important aspects of your business. Make sure any IT professionals you do business with have extensive experience not only in IT, but in your particular industry as well. That way they’ll know exactly what to do to optimize processes and keep your data under lock and key.

If you feel that your IT company is not transparent about all of this, it may be time to look elsewhere. Call us at 800-421-7151 today with any questions and you will receive only the most honest answers from account managers who are more than happy to help!

A Quick Guide to Choosing a Mouse

The good ol’ two-button mouse just won’t cut it anymore. They’re unresponsive, uncomfortable, and the cord somehow ties itself up every time you put it in your bag. However, buying a new mouse can be confusing, so if you’re having difficulty picking the right one, here are some things you should keep in mind.

Cable or wireless?

Choosing between a wired or a wireless mouse is a factor you have to consider if you’re planning on purchasing a new mouse. Wireless mice are generally more comfortable since your range of movement isn’t limited by a cable and they’re usually travel friendly. However, they tend to be less responsive, which can be frustrating.

In some cases, wireless mice can also interfere with other wireless devices nearby, and most require batteries, which can create problems when they run out of juice. And, if you use the same mouse for both work and home, you run the risk of losing the tiny USB receiver for your wireless mouse when you travel.

On the other hand, wired mice are cheaper and easy to plug-and-play. The only problem you’ll have to worry about is dealing with tangled wires. So when you’re deciding on a new mouse, think about whether you’re looking for comfort or convenience. Always keep in mind that wireless mice tend to be slightly heavier due to the battery that must be included to keep it running. It may not seem like much, but it will affect the way you work with it. If you have sensitive wrists or are prone to carpal tunnel, you may want the lightest mouse possible.

Ergonomics matters

You’re going to be using the new mouse for a while, so it’s important to choose one that feels comfortable in your hands. When deciding on the right mouse, focus on the size and the grip of the device. The size of the mouse usually comes down to hand size. For example, someone with smaller hands might find larger mice quite unwieldy.

Certain mice can also accommodate different types of grips — fingertip grip, palm grip, and claw grip. Users who want high-precision control of their cursor should opt for a mouse with fingertip grip, those needing comfort should get a palm grip mouse, and if you want both control and comfort, the claw grip mouse is the way to go. Another feature to be mindful of is the side scrolling wheel; this may be beneficial if you work frequently with large excel spreadsheets and pivot tables as this makes navigating through them much easier.

DPI (dots per inch)

Higher sensitivity is necessary for precise mouse movements, especially if you’re editing images, videos, or audio files. Mice with 1200 DPI or greater guarantee finer control.

Although mouse specifications like DPI might be the last thing on your mind when it comes to buying new hardware, your comfort is important. A good mouse with the right fit can make you more efficient and reduce the risk of injury.

If you need assistance setting up the best hardware for your company, give us a call at 800-421-7151. We’re happy to help.

Master Microsoft Excel with these 3 Tips

Digital literacy is all about mastering essential computer skills like navigating search engines and word processors. But one of the most crucial you need to learn is Excel. Check out these tips to be an Excel master.

Pie and Sunburst Charts

Everyone knows that bombarding stakeholders with endless numbers and decimal points is the wrong approach. You need to compile data and develop comprehensive pie or sunburst charts to make life easier for clients and investors.

Here’s how to create a pie chart:

  1. Select your data.
  2. Click on the Recommended Charts tool to see different style chart suggestions for your data.
  3. Click on the Chart StylesChart Filters, or Chart Elements button in the upper-right corner of the chart to personalize its overall look or add chart elements, such as data labels or axis titles.

Steps to create a sunburst chart:

  1. Select all your data.
  2. Click Insert > Insert Hierarchy Chart > Sunburst.
  3. Go to the Design and Format tabs to tailor its overall look.

Pivot Tables

Pivot Tables might be one of the most powerful yet intimidating data analysis tools in Excel’s arsenal. It allows you to summarize huge chunks of data in lists or tables without using a formula. All you need to do is to:

  1. Select the data, which must only have a single-row heading without empty columns or rows.
  2. Click Insert > PivotTable.
  3. Under Choose the data that you want to analyze, click Select a table or range.
  4. In the Table/Range box, validate the cell range.
  5. Under Choose where you want the PivotTable report to be placed, click New worksheet, or Existing worksheet and enter the location where you want to place the PivotTable.

Conditional Formatting

This tool highlights essential information within your dataset. For instance, you’re presenting the latest numbers on project efficiency and you use Conditional Formatting to highlight any number lower than 80%. The highlighted data will capture the audience’s attention, allowing them to identify the bottlenecks in your projects. To customize how the data is displayed, simply:

  1. Select the cell.
  2. Click Home > Conditional Formatting.
  3. Click Format.
  4. Change your formatting preference in the Color or Font style box.

Excel is one of the most commonly used business software on the market, yet not everyone knows how to fully utilize it. If you want to learn more about other handy Excel features, give us a call today at 800-421-7151 and we’ll elevate your user status from beginner to pro with some training!

5 Simple but Effective Cybersecurity Tricks

Can you name five cybersecurity best practices? Most people can’t, and few of those who can, actually follow them. Unfortunately, cyberattacks are far too common to be lax about staying safe online. Your identity could be stolen, or even worse, you could expose private information belonging to your company’s clients. There are many ways you can protect yourself, but this list is a great starting point.

1. Multi-factor authentication (MFA)

This tool earns the number one spot on our list because it can keep you safe even after a hacker has stolen one of your passwords. That’s because MFA requires more than one form of identification to grant access to an account.

The most common example is a temporary code that is sent to your mobile device. Only someone with both the password and access to your smartphone will be able to log in. Almost any online account provider offers this service, and some let you require additional types of verification, such as a fingerprint or facial scan.

2. Password managers

Every online account linked to your name should have a unique password with at least 12 characters that doesn’t contain facts about you (avoid anniversary dates, pet names, etc.). Hackers have tools to guess thousands of passwords per second based on your personal details, and the first thing they do after cracking a password is to try it on other accounts.

Password manager apps create random strings of characters and let you save them in an encrypted list. You only need one complex password to log into the manager, and you’ll have easy access to all your credentials. No more memorizing long phrases, or reusing passwords!

3. Software updates

Software developers and hackers are constantly searching for vulnerabilities that can be exploited. Sometimes, a developer will find one before hackers and release a proactive update to fix it. Other times, hackers find the vulnerability first and release malware to exploit it, forcing the developer to issue a reactive update as quickly as possible.

Either way, you must update all your applications as often as possible. If you are too busy, check the software settings for an automatic update option. The inconvenience of updating when you aren’t prepared to is nothing compared to the pain of a data breach.

4. Disable flash player

Adobe Flash Player is one of the most popular ways to stream media on the web, but it has such a poor security record that most experts recommend that users block the plugin on all their devices. Flash Player has been hacked thousands of times, and products from companies like Microsoft, Apple, and Google regularly display reminders to turn it off. Open your web browser’s settings and look for the Plugins or Content Settings menu, then disable Adobe Flash Player.

5. HTTPS Everywhere

Just a few years ago, most websites used unencrypted connections, which meant anything you typed into a form on that site would be sent in plain text and could be intercepted with little effort. HTTPS was created to facilitate safer connections, but many sites were slow to adopt it or didn’t make it the default option.

HTTPS Everywhere is a browser extension that ensures you use an encrypted connection whenever possible and are alerted when one isn’t available on a page that requests sensitive information. It takes less than one minute and a few clicks to install it.

If you run a business with 10 or more employees, these simple tips won’t be enough to keep you safe. You’ll need a team of certified professionals that can install and manage several security solutions that work in unison. If you don’t have access to that level of expertise, our team is available to help. Give us a call today at 800-421-7151 to learn more.

Watch Out for this Persuasive Phishing Email

Anglers catch fish by dangling bait in front of their victims, and hackers use the same strategy to trick your employees. There’s a new phishing scam making the rounds and the digital bait is almost impossible to distinguish from the real thing. Here are the three things to watch out for in Office 365 scams.

Step 1 – Invitation to collaborate email

The first thing victims receive from hackers is a message that looks identical to an email from Microsoft’s file sharing platform SharePoint. It says, “John Doe has sent you a file, to view it click the link below…”

In most cases, the sender will be an unfamiliar name. However, some hackers research your organization to make the email more convincing.

Step 2 – Fake file sharing portal

Clicking the link opens a SharePoint file that looks like another trusted invitation from a Microsoft app, usually OneDrive. This is a big red flag since there’s no reason to send an email containing a link to a page with nothing but another link.

Step 2 allows hackers to evade Outlook’s security scans, which monitor links inside emails for possible phishing scams. But Outlook’s current features cannot scan the text within a file linked in the email. Once you’ve opened the file, SharePoint has almost no way to flag suspicious links.

Step 3 – Fake Office 365 login page

The malicious link in Step 2 leads to an almost perfect replica of an Office 365 login page, managed by whoever sent the email in Step 1. If you enter your username and password on this page, all your Office 365 documents will be compromised.

Microsoft has designed hundreds of cybersecurity features to prevent phishing scams and a solution to this problem is likely on the way. Until then, you can stay safe with these simple rules:

  • Check the sender’s address every time you receive an email. You might not notice the number one in this email at first glance: johndoe@gma1l.com.
  • Confirm with the sender that the links inside the shared document are safe.
  • Open cloud files by typing in the correct address and checking your sharing notifications to avoid fake collaboration invitations.
  • Double check a site’s URL before entering your password. A zero can look very similar to the letter ‘o’ (e.g. 0ffice.com/signin).

Third-party IT solutions exist to prevent these types of scams, but setting them up and keeping them running requires a lot of time and attention. Give us a call today at 800-421-7151 to learn more!

How to Make Sure You Never Fall Victim to Ransomware

Late last March, the infrastructure of Atlanta was brought to its knees. More than a third of 424 programs used nearly every day by city officials of all types, including everyone from police officers to trash collectors to water management employees, were knocked out of commission. What’s worse, close to 30% of these programs were considered “mission critical,” according to Atlanta’s Information Management head, Daphne Rackley.

The culprit wasn’t some horrific natural disaster or mechanical collapse; it was a small package of code called SAMSAM, a virus that managed to penetrate the networks of a $371 billion city economy and wreak havoc on its systems. After the malicious software wormed its way into the network, locking hundreds of city employees out of their computers, hackers demanded a $50,000 Bitcoin ransom to release their grip on the data. While officials remain quiet about the entry point of SAMSAM or their response to the ransom, within two weeks of the attack, total recovery costs already exceeded $2.6 million, and Rackley estimates they’ll climb at least another $9.5 million over the coming year.

It’s a disturbing cautionary tale not only for other city governments, but for organizations of all sizes with assets to protect. Atlanta wasn’t the only entity to buckle under the siege of SAMSAM. According to a report from security software firm Sophos, SAMSAM has snatched almost $6 million since 2015, casting a wide net over more than 233 victims of all types. And, of course, SAMSAM is far from the only ransomware that can bring calamity to an organization.

If you’re a business owner, these numbers should serve as a wake-up call. It’s very simple: in 2018, lax, underfunded cyber security will not cut it. When hackers are ganging up on city governments like villains in an action movie, that’s your cue to batten down the hatches and protect your livelihood.

The question is, how? When ransomware is so abundant and pernicious, what’s the best way to keep it from swallowing your organization whole?

1. BACK UP YOUR STUFF
If you’ve ever talked to anyone with even the slightest bit of IT knowledge, you’ve probably heard how vital it is that you regularly back up everything in your system, but it’s true. If you don’t have a real-time or file-sync backup strategy, one that will actually allow you to roll back everything in your network to before the infection happened, then once ransomware hits and encrypts your files, you’re basically sunk. Preferably, you’ll maintain several different copies of backup files in multiple locations, on different media that malware can’t spread to
from your primary network. Then, if it breaches your defenses, you can pinpoint the malware, delete it, then restore your network to a pre-virus state, drastically minimizing the damage and totally circumventing paying out a hefty ransom.

2. GET EDUCATED
We’ve written before that the biggest security flaw to your business isn’t that free, outdated antivirus you’ve installed, but the hapless employees who sit down at their workstations each day. Ransomware can take on some extremely tricky forms to hoodwink its way into your network, but if your team can easily recognize social engineering strategies, shady clickbait links and the dangers of unvetted attachments, it will be much, much more difficult for ransomware to find a foothold. These are by far the most common ways that malware finds it way in.

3. LOCK IT DOWN
By whitelisting applications, keeping everything updated with the latest patches and restricting administrative privileges for most users, you can drastically reduce the risk and impact of ransomware. But it’s difficult to do this without an entire team on the case day by day. That’s where a managed services provider becomes essential, proactively managing your network to plug up any security holes long before hackers can sniff them out.

The bad news is that ransomware is everywhere. The good news is that with a few fairly simple steps, you can secure your business against the large majority of threats. Give us a call at 800-421-7151 for more information on how we protect you from ransomware.

How Business Continuity Plans Can Fail

Just because your IT provider has a plethora of awards and certifications under its belt doesn’t mean that you can blindly hand over your business’s future to them. Often times, there are some aspects in your business continuity plan that tend to be overlooked by your provider. We have rounded up some of these issues on your business continuity plans.

Over-optimistic testing

The initial testing attempt is usually the most important. It’s when IT service providers can pinpoint possible weak points in the recovery plan. However, what usually happens is that they test the system in full, instead of via a step-by-step process. This results in them missing out specific points, with too many factors overwhelming them all at the same time.

Insufficient remote user licenses

A remote user license is given by service providers to businesses so that when a disaster strikes, employees can log in to a remote desktop software. However, a provider may only have a limited number of licenses. In some cases, more employees will need to have access to the remote desktop software than a provider’s license can allow.

Lost digital IDs

When a disaster strikes, employees will usually need their digital IDs so they can log in to the provider’s remote system while their own system at the office is being restored. However, digital IDs are tied to an employee’s desktop, and when a desktop is being backed up, they are not automatically saved. So when an employee goes back to using their ‘ready and restored’ desktop, they are unable to access the system with their previous digital ID.

Absence of a communications strategy

IT service providers will use email to notify and communicate with business owners and their employees when a disaster happens. However, this form of communication may not always be reliable in certain cases, such as when the Internet is cut off, or there are spam intrusions. Third-party notification systems are available, but they are quite expensive, and some providers sell them as a pricey add-on service.

Backups that require labored validation

After a system has been restored, IT technicians and business owners need to check whether the restoration is thorough and complete. This validation becomes a waste of time and effort when the log reports are not easy to compare. This usually happens when IT service providers utilize backup applications that do not come with their own log modules, and have to be acquired separately.

These are just some reasons why business continuity plans fail. It is important for business owners to be involved with any process that pertains to their IT infrastructure. Just because you believe something works doesn’t necessarily mean that it works correctly or effectively. If you have questions regarding your business continuity plan, get in touch with our experts today at info@wamsinc.com and 800-421-7151.

Upgrading to a Dual Monitor System

Small businesses and firms are always searching for ways for their employees to be more effective computer users. But before you go out and buy bigger hard drives and faster processors, you should consider upgrading your desktops to a dual monitor system. Read on to find out about the advantages of using two monitors per desktop.

Enhanced productivity
Published studies conclude that by working with dual monitors, overall productivity increases by 20-50%. Computer programmers, for example, can use one screen for source coding and the other for programming; by using dual monitors, they no longer need to toggle back and forth between tabs. This reduces error and frees up time to complete more projects.

Better multitasking
Efficient multitasking requires adequate screen space to keep multiple applications simultaneously visible — a view that single monitors alone simply cannot accommodate. Workers who require computers, like customer service reps and web designers, would no longer waste time switching between tabs and resizing windows to fit the limited space; they could now focus on completing their tasks accurately and efficiently.

Easier cutting and pasting
This reason resonates with jobs that call for creating newsletters, complex documents, or PowerPoint presentations. Dual monitors would eliminate the need for alternating between tabs and scrolling up and down as you work. Also, the enhanced visibility reduces chances of making mistakes and thus losing more time fixing them.

Image and video editing
With dual monitors, the days of stacking numerous editing tools on top of the image or video you’re working on are long gone. Instead of your screen looking like a game of Mahjong, you can put the editing tools on one screen and leave the image on the other. With better visibility, you’re less likely to commit errors and more likely to be finessed, and you’re not sacrificing valuable working time in the process.

Dual monitors benefit almost every industry because of the enhanced visibility, larger screen space, and how you can briefly nap behind them without getting caught Using dual monitors can enhance even your leisure time activities as well.

Broaden your horizons by getting in touch with us at 800-421-7151 or info@wamsinc.com. We’ll answer any questions you have.

4 BYOD Security Risks You Should Prepare For

Personal computing is with us wherever we go. Thanks to the rise of the mobile industry, smartphones and tablets allow us to take work home with us. And with the bring your own device (BYOD) strategy, businesses have never been so productive. However, BYOD can pose a number of security risks if you’re not careful. Here are some BYOD security issues you should know before implementing it.

Data leakage

The biggest reason businesses are wary of implementing a BYOD strategy is because it can leave the company’s system vulnerable to data breaches. Personal devices are not part of your business’s IT infrastructure, which means that these devices are not protected by company firewalls and security systems.

Employees might also take work with them to places outside of your company premises that don’t have adequate security settings, thus leaving your system vulnerable to inherent security risks.

Lost devices

Another risk your company has to deal with is the possibility that employees will lose their personal devices. If devices with sensitive business information get lost and fall into the wrong hands, anyone can gain unauthorized access to valuable company data stored in that particular device. Therefore, you should consider countermeasures and protocols for lost devices, like remotely wiping a device of information as soon as an employee reports it missing or stolen.

Possible hacking

Personal devices tend to lack adequate data encryption to keep other people from snooping on private information. On top of this, your employees might not regularly update their devices’ software, rendering their devices and your IT infrastructure susceptible to infiltration.

Connecting to open WiFi spots in public places also makes your company vulnerable and open to hackers, because hackers may have created those hotspots to trick people into connecting. Once the device owner has connected to a malicious hotspot, attackers can see your web activity, usernames, and passwords in plain text

Vulnerability to malware

Viruses are also a big problem when implementing BYOD strategies. If your employees use their personal devices, they can access sites or download mobile apps that your business would normally restrict to protect your system.

As your employees have the freedom to choose whatever device they want to work with, the process of keeping track of vulnerabilities and updates is considerably harder. So if you’re thinking about implementing BYOD strategies, make sure your IT department is prepared for an array of potential malware attacks on different devices.

BYOD will help your business grow, but it comes with IT security risks that you should be prepared to handle.
Need help mitigating these BYOD risks? Call us today at 800-421-7151, and let’s find the best IT security solutions for your company.

Server Administration 101: Temperature

Servers are the heart of many firms and businesses.  And with the strain that most businesses put on their servers, one of the most important maintenance variables is temperature management. Understanding why keeping your servers cool is vitally important and could save you from an expensive crash, troubling data loss, or reduced hardware reliability.

How does temperature affect my servers?

High temperatures in server hardware can result in different types of damage. A server that completely crashes for any reason results in costly data loss and service interruptions, but the unbiased advisory organization Uptime Institute warns that overheating that doesn’t always result in total failure. Every 18 degrees higher than 70 degrees Fahrenheit, hardware reliability decreases by 50%. This decrease in reliability can be just as, if not more, expensive for your hardware budget in the long run.

Cooling methods can’t just be implemented and forgotten; they must be closely monitored to ensure the health of your server hardware in the short and long term. Options for temperature management range from simple low-budget solutions to expensive outsourced alternatives. Determining your server management budget will greatly depend on what types of methods you intend to implement at your SMB.

Cooling methods

Which system you use to cool your server largely depends on how much power your hardware is using. The more watts a computer needs to operate, the harder it’s working. This number will determine the scope of your temperature management needs.

For example, PCWorld says passive temperature control is adequate for any equipment operating at less than 400 watts. This includes simple solutions like positioning your server away from walls, low ceilings, cable clusters, and anything else that can block hot air from dissipating naturally.

For computers using between 400 and 2,000 watts, strategic ventilation becomes a necessity. Adding passive ventilation is viable up to 700 watts, but fan-assisted ventilation will be required above that and up to 2,000 watts. With the increased power consumption, temperatures will rise, and air movement needs to be more closely managed. At this stage, simple vent and oscillating fans will suffice.

Anything higher than 2,000 watts needs dedicated cooling solutions. This means air-cooled units to actively reduce server room temperature. Depending on the size and arrangement of the space, a simple self-contained unit may be enough to reduce temperatures to acceptable ranges. But if you’re not sure, you should schedule a consultation with a vendor to consider more drastic cooling and monitoring methods.

Keeping your servers running at ideal temperatures means smoother data operations, lower hardware budgets, and one less thing to worry about at your firm or business. As your business continues to grow and develop, keep close tabs on increasing server loads — it could save you from devastating data loss. If you need more detailed advice about server management, or have any other questions about your hardware setup, contact us today at 800-421-7151 or info@wamsinc.com.

How to Make the Most of Microsoft Word

Microsoft Word has become the go-to word processor for businesses big and small. It is used by every department and almost every type of personnel, but its constant updates and huge number of features mean there are lots of functions unknown to most users. Here, we uncover some of the most useful tricks with Word to help you get the most from it.

Edit simultaneously
You and your colleagues can now edit the same Word document at the same time. Just save yours in the cloud on OneDrive, click Share, then send the link to your colleagues. You’ll even be able to see them editing in real time.

Continue your work with Word Online
Don’t have the Word app on your computer, tablet, or smartphone? Go to word.office.com, sign in with your Microsoft account, and open Word Online, the browser version of Word. By clicking the blue Share button, your colleagues can access your document using Word Online or the Word app, which means anyone with the link and an internet connection can jump right in

Keep editorial control
With the Track Changes function, Word monitors all the edits that everyone makes to your document so you can go through the changes and accept or reject them accordingly.

To turn on Track Changes, click on the Review tab then select Track Changes. When reviewing a colleague’s edits, you have control to click on Accept or Rejectas you see fit.

Format the easy way: Write first, format later
The Style Gallery in Word makes it easy to format your document, despite the huge number of font types, sizes, colors, and effects to choose from. After finishing writing and editing your document, click the Home tab and you will see the Style Gallery prominently on top. Select the appropriate Headings in the font, size, and color that you like, and change any other text in any way you like — just make sure you don’t make any changes to the actual content that’s already been edited!

Insert photos faster, more conveniently
No need to open your browser to look for photos for your document. Just place the cursor on the area where you intend to insert the photo, click on the Insert tab, select Online pictures (type “clip art” on the search box if that’s what you need), select a photo, then click Insert.

Edit a PDF file
Click on the File menu, select Open, and choose Browse. Highlight the PDF you want to edit, then click Open. Word will convert files to the new format using text recognition, so double-check if the conversion is correct. Make the appropriate changes, then click File, then Save As, then Browse. A “Save as type:” dropdown menu will appear at which point you will choose “PDF” then click Save.

These tips may seem straightforward, but over time they can make a big difference in helping you work faster. Want to learn more Word tricks and tips? Get in touch with our Microsoft Office experts today!

New Spectre-Style Attack Discovered

Security experts are constantly discovering new potential threats, and quite recently, they’ve found a new type of Spectre-style attack more dangerous than the original. Here’s a quick rundown of the new Spectre variant.

Spectre 101
For those who don’t know, Spectre is a vulnerability in modern computer chips like Intel and AMD that allows hackers to steal confidential information stored in an application’s memory, including passwords, instant messages, and emails. Malicious code running on a computer or web browser could be used to exploit this vulnerability, but ever since Spectre was discovered, Microsoft, AMD, Intel, and other tech companies released a series of updates to fix it.

What is NetSpectre?
To perform Spectre attacks, malware would have to run on a targeted machine to extract sensitive data. But in late July, Austrian security researchers found a way to launch Spectre-style attacks remotely without locally installed malware. The new attack is called NetSpectre and it can be conducted over a local area network or via the cloud.

So far, it’s impractical for average hackers to use this method to steal data. In tests, researchers were able to steal data at a rate of between 15 to 60 bits per hour, which means it would take days to gather corporate secrets and passwords. As such, NetSpectre will probably be used by hackers who want to target specific individuals but don’t want to resort to obvious methods like phishing scams or spyware.

Experts also warn that while NetSpectre may be impractical now, hackers may develop faster and more powerful variants in the future.

How should you protect your business?
NetSpectre attacks exploit the same vulnerabilities as the original Spectre so it’s important to install the latest firmware and security updates. You should also secure your networks with advanced firewalls and intrusion prevention systems to detect potential NetSpectre attacks.

Last but not least, working with a reputable managed services provider that offers proactive network monitoring and security consulting services can go a long way in protecting your business from a slew of cyberthreats.

If you’re looking for a leading managed security services provider, talk to WAMS! We provide cutting-edge security software and comprehensive, 24/7 support. Call us today at 800-421-7151 for more information.

Cloud: 4 Common Myths Debunked

Overhyped reports of cloud hacks and server failures can lead some small business owners to be wary of a service that has so much to offer. So what are these common misconceptions about cloud computing? Here are a few myths people believe about the cloud.

#1. Cloud infrastructures are unsecure

Information security is a necessity for every business. And the most prevalent misconception about the cloud is the idea that cloud services lack appropriate security measures to keep data safe from intruders. Most users also think that the data stored in the cloud can be easily accessed by anyone, from anywhere, and at any time.

But the truth is it’s actually more secure for small businesses to use cloud services. Small companies usually can’t afford to hire an IT department let alone train them to deal with online security threats. Cloud providers, on the other hand, offer services such as multi-layered security systems and antivirus protection that not only specialize in keeping infrastructures safe from hackers but are available at a price that is much lower than you would pay for in-house IT staff.

Additionally, large cloud-based services such as G Suite and Office 365 are supported by an infrastructure that constantly installs updates and patches, which helps manage security breaches. This frees you from the burden of installing the updates yourself and managing the overall security of your system.

Users should understand that no company is completely safe from security threats regardless of their IT infrastructure. But data is likely to be more secure in the hands of cloud providers as they are the most prepared and qualified to protect your digital property.

#2. The cloud lacks proper encryption

Most people misunderstand how encryption is implemented to keep your data safe. For example, encryption is generally used for data in transition, where data is protected from anyone seeing it as it travels from one internet address to another. But encryption can also be applied to data at rest, where data is encrypted on a storage drive.

With this in mind, you should understand what types of encryption your business and its data require. When it comes to choosing the right cloud service, it is best to inform yourself about the security measures that a cloud infrastructure implements and look at how it can protect your company’s digital property.

#3. With the cloud you are no longer responsible for data security

While cloud security is important, protecting data ultimately rests on the users who have access to it. Misplacing unlocked mobile devices can leave your data vulnerable and compromise your entire cloud infrastructure. This is why we recommend strong verification mechanisms in place for devices that are used to access the cloud.

#4. The cloud is never faulty

Like many IT services, cloud-based services are not immune to technical difficulties. For example, some cloud businesses have suffered outages and server failures which corrupted files and may have lost data in the process.

Hacking is another reason why some cloud services fail. Using a less than optimal cloud service that is vulnerable to attacks can lead to stolen or deleted data, which would be near impossible to recover if you did not have any offline backups.

Before signing up for any type of cloud service, clarify with its provider what is guaranteed. Most cloud providers make promises about a service’s uptime or its safety from provider-related breaches.

Security is truly one of the biggest barriers to the adoption of cloud computing in a small business. But as cloud services expand and encryption technologies advance, cloud adoption is increasingly becoming the most cost-effective solution to meet the small business owner’s IT demands. Contact us today to learn how your business can take advantage of all the cloud has to offer.

5 Tips for Buying a New Computer

There are so many different types of computers out there, each with varying specifications and capabilities – how do you find the best one for your needs? Whether you’re purchasing a computer for yourself or for your family, here are a few things to keep in mind that will help you make the right decision.

Desktop or Laptop?

This depends on your working style and environment. The rule is quite simple: if you rarely work out of the office, get a desktop PC. If you need to work at home, on the go, or at client meetings, then go for a laptop. It’s worth noting that desktops are generally cheaper than laptops at similar specifications, have a longer usage life, and make for easier changing or upgrading of components. Laptops, on the other hand, are very portable due to their compact size, they consume less energy, and they offer a more flexible user experience.

Processor

If you want a computer that loads programs in a flash, completes tasks almost instantly, and runs smoothly at all times, then we recommend you invest in the strongest processors available. The performance of a processor is determined by its number of cores and speed, so the bigger the number, the better. These days, most users go for the latest octa-core processors, specifically if your tasks involve rendering high-definition images, animations, graphics, and analysis. For optimum results, get a processor with the higher number of cores.

RAM

Random Access Memory (RAM) allows your computer to perform multiple tasks at once without a hitch. Just like processors, the amount of RAM your computer has will determine how fast it will run when you work on several programs simultaneously. Nowadays, standard computers come with at least of 4GB of RAM, with 8GB being ideal for most users — to navigate smoothly between tasks such as email browsing, Internet surfing, and working on word processing documents and spreadsheets.

Hard Drive

The bigger the hard drive, the more space you have to store files. If you plan on using your computer with no peripherals, you’ll want to choose a computer that offers the biggest hard drive. But remember that you can always purchase an external hard drive to transfer or store files if your current hard drive is running out of space. Due to recent price changes making them more affordable, it is also a better option to use an SSD (Solid State Drive) as your main form of storage.

Operating Systems

Picking an operating system is a big decision when it comes to choosing a new computer. You’ll probably want to stick with an operating system you’re already familiar with, since it can take some time to adapt yourself to a new OS. Here are some of the popular options available on the market:

  • Windows 10
  • Mac OS X
  • Linux

Most people will just go for either Windows or Mac OS, because the complexity of Linux mean it is not popular among everyday users and we do not recommend them.

Want more hardware tips and tricks? Get in touch with our technology experts today at info@wamsinc.com.

IT Security Policies your Office Needs

When it comes to Internet security, most small businesses don’t have security policies in place. And considering that employee error is one of the most common causes of a security breach, it makes sense to implement rules your staff needs to follow. Here are four things your IT policies should cover.

Internet

In today’s business world, employees spend a lot of time on the internet. To ensure they’re not putting your business at risk, you need a clear set of web policies. This must limit internet use for business purposes only, prohibit unauthorized downloads, and restrict access to personal emails on company devices. You can also include recommended browsing practices and policies for using business devices on public wifi.

Email

Just like the Internet policy mentioned above, company email accounts should only be utilized for business use. That means your employees should never use it to send personal files, forward links, or perform any type of business-related activities outside their specific job role. Additionally, consider implementing a standard email signature for all employees. This not only creates brand cohesion on all outgoing emails, but also makes it easy to identify messages from other employees, thus preventing spear phishing.

Passwords

We’ve all heard the importance of a strong password time and time again. And this same principle should also apply to your employees. The reason is rather simple. Many employees will create the easiest to crack passwords for their business accounts. After all, if your organization gets hacked, it’s not their money or business at stake. So to encourage employees to create strong passwords, your policy should instruct them to include special characters, uppercase and lowercase letters, and numbers in their passwords.

Data

Whether or not you allow your employees to conduct work on their own devices, such as a smartphone or tablet, it is important to have a bring your own device (BYOD) policy. If your employees aren’t aware of your stance on BYOD, some are sure to assume they can conduct work-related tasks on their personal laptop or tablet. So have a BYOD policy and put it in the employee handbook. In addition to this, make sure to explain that data on any workstation is business property. This means employees aren’t allowed to remove or copy it without your authorization.

We hope these four policies shed some light on the industry’s best security practices. If you’d like more tips or are interested in a security audit of your business, give us a call at 800-421-7151.

Regularly Evaluate Your Cybersecurity

Experts estimate that the global market for cybersecurity products this year will exceed that of last year. At first glance, an increase in spending seems necessary and shows that businesses are becoming more aware of cybersecurity issues. But a closer look may prove otherwise. Learn why your company could be investing in cybersecurity products the wrong way.

Uncover threats and vulnerabilities

Every business should evaluate the current state of its cybersecurity by running a risk assessment. Doing so is one of the easiest ways to identify, correct, and prevent security threats. After discovering potential issues, you should rate them based on probability of occurrence and potential impacts to your business.

Keep in mind that risk assessments are specific to every business and there is no one-size-fits-all approach for small business technology. It all depends on your line of business and operating environment. For instance, manufacturing companies and insurance groups have totally different applications to secure.

After tagging and ranking potential threats, you should identify which vulnerabilities need immediate attention and which ones can be addressed further down the line. For example, a web server running an unpatched operating system is probably a higher priority than a front desk computer that’s running a little slower than normal.

Tailor controls to risks

Instead of spending time and money evenly on all systems, it’s best that you focus on areas with high risk. You should address these issues immediately after an assessment, but also put plans in place to evaluate their risk profiles more often.

Assess existing products

Chances are, your organization has already spent a great deal of money on security products and their maintenance and support. By conducting risk assessments more often, you can improve the strategies you already have in place and uncover wasteful spending. You may discover that one outdated system merely needs to be upgraded and another needs to be ditched. Remember, your existing products were purchased to meet specific needs that may have changed immensely or disappeared altogether.

It’s much harder to overcome cybersecurity obstacles if you’re not regularly evaluating your IT infrastructure. Contact our experts at 800-421-7151 for help conducting a comprehensive assessment today!

The Benefits of Virtualization in 2018

The relationship between computer hardware and software can be frustrating. Both require the other to function properly, but both also require individual attention. Virtualization makes this relationship more flexible, and we’ve got a rundown on a few of the best examples.

More technology uptime
Virtualization vendors use fancy names for the features of their technology, but behind all the technobabble are some revolutionary concepts. Take “fault tolerance” for example. When you use virtualization to pool multiple servers in a way that they can be used as a single supercomputer, you can drastically increase uptime. If one of those servers goes down, the others continue working uninterrupted.

Another example of this is “live migrations,” which is just a fancy way of saying that employee computers can be worked on by technicians while users are still using them. Let’s say you’ve built a bare-bones workstation (as a virtual machine on the server), but you need to upgrade its storage capacity. Virtualization solutions of today can do that without disconnecting the user and restarting their computer.

Better disaster recovery
Data backups are much simpler in a virtualized environment. In a traditional system, you could create an “image” backup of your server — complete with operating system, applications and system settings. But it could be restored to a computer only with the exact same hardware specifications.

With virtualization, images of your servers and workstations are much more uniform and can be restored to a wider array of computer hardware setups. This is far more convenient and much faster to restore compared to more traditional backups.

More secure applications
In an effort to increase security, IT technicians usually advocate isolating software and applications from each other. If malware is able to find a way into your system through a software security gap, you want to do everything in your power to keep it from spreading.

Virtualization can put your applications into quarantined spaces that are allowed to use only minimum system resources and storage, reducing the opportunities they have to wreak havoc on other components of the system.

Longer technology lifespans
The same features that quarantine applications can also create customized virtual spaces for old software. If your business needs a piece of software that won’t work on modern operating systems, virtualization allows you to build a small-scale machine with everything the program needs to run. In that virtual space, the application will be more secure, use fewer resources, and remain quarantined from new programs.

In addition to software, virtualization also encourages longer life spans of old hardware components. With virtualization, the hardware an employee uses is little more than a window to the powerful virtual machine on the server. Employee computers need only the hardware required to run the virtualization window, and the majority of the processing takes place on the server. Hardware requirements are much lower for employees and equipment can be used for several years.

Easier cloud migrations
There are several ways virtualization and cloud technology overlap. Both help users separate processing power from local hardware and software, delivering computing power over a local network or the internet. Because of these similarities, migrating to the cloud from a virtualized environment is a much simpler task.

There is no debate about the benefits of this technology. The only thing standing between your business and more affordable, efficient computing is an IT provider that can manage it for you. For unlimited technology support, virtualization or otherwise, on a flat monthly fee — get in touch with us today at 800-421-7151!

How to Reduce Your PC Power Consumption

Every home or office has a computer. In one year, a typical desktop that’s on 24/7 releases carbon dioxide that’s equal to driving 820 miles in an average car. To save energy, you don’t need drastic changes; you can start with making small adjustments that will ultimately accumulate to significant savings.

1. Disconnect your external devices

Devices that connect to your PC like printers, sound systems, and webcams consume power, too. That’s why you should disconnect or remove these devices from your PC as soon as you’re done using them.

2. Use a smart strip, especially for computers you cannot turn off

A smart strip is a series of several electrical outlets in one strip, with circuits to monitor and maximize your gadgets’ power consumption. By connecting your PC and its peripherals (printer, speakers, scanners, etc.) to the smart strip, you don’t need to unplug your equipment when you’re not using them.

3. Adjust your computer’s energy settings

You can also consume less energy by adjusting your PC’s power settings. For example, you can make sure your hard drive and monitor go into “sleep” mode when they’re left idle for a few minutes. Lowering the screen brightness will also help you save electricity.

4. Shutdown and unplug your computer when not in use

If you are not yet using a smart strip, then it’s best to shut down the computer when you’re not using it. Also, make sure to unplug it, as leaving it plugged consumes standby power.

5. Use a charger only when charging your laptop

When we charge our laptops, it’s easy to just leave them there and forget about them. This results in the eventual degrading of the battery. Leaving the charger plugged on the wall also consumes standby power. So either use a wall outlet with a timer, or plug your charger on a smart strip instead.

6. And should you be in the market for a new PC, choose one that’s Energy Star compliant

Energy Star is the U.S. Environmental Protection Agency (EPA)’s symbol for energy efficiency. Every product that earns the Energy Star symbol is guaranteed to deliver quality performance and energy savings. Studies have shown that a single Energy Star compliant computer and monitor can save from $7 to $52 per year in electricity bills.

Saving energy is a combination of smart choices in hardware plus developing good energy-conservation habits. These tips should help you achieve that. If you need assistance in choosing the best hardware for your needs, call us and we’ll be glad to help you out.

Malware Strain Infects 200k More Devices

Yet another global malware infection has been making headlines and the story just took a turn for the worse. When the news of VPNFilter broke, experts warned that 500,000 devices were already infected, but now they believe that number is much higher. Thankfully, it’s not too late to protect yourself.

VPNFilter recap

A team of security researchers from Cisco released a report that a strain of malware had been discovered on hundreds of thousands of routers and network devices. Originally, researchers believed it affected only Linksys, MikroTik, Netgear, and TP-Link devices.

Like many malware strains, VPNFilter infects devices that use default login credentials. But it’s worse than the average cyberattack because it can destroy router hardware and cannot be removed by resetting infected devices.

As if destroying 500,000 routers wasn’t bad enough, VPNFilter lets its creators spy on networks and intercept passwords, usernames, and financial information.

What’s new

Just two weeks after VPNFilter was discovered, security experts announced that it targets 200,000 additional routers manufactured by ASUS, D-Link, Huawei, Ubiquiti, UPVEL, and ZTE. Worse yet, VPNFilter can alter data passing through infected routers. That means when you enter a username and password into a banking website, hackers could steal that information and show you an incorrect account balance to hide fraudulent deductions.

How to stop VPNFilter

Rebooting a router won’t remove the malware, you need to factory-reset the device. Usually, all this requires is holding down the Reset button on the back of the device for 10-30 seconds. If your router has no reset button or you’re unsure whether pressing it did the trick, contact a local IT provider immediately.

Cybersecurity threats have become so prevalent that even large enterprises struggle to keep their digital assets safe. Outsourcing IT support to a managed services provider like us will give you enough capacity to deal with issues like VPNFilter as soon as they arise. Call us today at 800-421-7151 to learn more.

Industries that Need Virtual Desktops

Apart from the cloud, one of today’s biggest IT trends is virtualization. And why not, it has helped countless businesses in more ways than one. An emerging model of virtualization is virtual desktop infrastructure (VDI), which involves hosting a desktop operating system and making it available on almost any device. It is most effective in the following use cases:

Legal

The legal industry is relying more and more on virtual desktops due to the mobility that they provide. Attorneys work long hours on cases and often have a home office, occasionally work from other offices, or need to access important information at a moment’s notice. With the right virtual desktop, attorneys can access the information that they need safely and under compliance. Virtual desktops are changing the way law firms are able to operate.

Healthcare

In an industry where every file is sensitive, the importance of confidentiality can’t be overstated. With VDI, rules and permissions can be customized based on the individual virtual desktop. As such, every medical professional can only view patient records relevant to them. It also allows them to log into their virtualized desktop while working across a variety of locations and devices.

Academic institutions

By leveraging VDI, a school’s IT team can create a virtual desktop — with the necessary restrictions implemented — for each student. If each classroom has a set of workstations, students’ desktop experiences will be consistent throughout their day. Even though they’ll be using different hardware every hour or two, they’ll always see the same desktop.

Companies with shift workers

In most cases, shift employees don’t really need one designated computer to fulfill their task because one computer is shared by multiple users. VDI makes it easy for companies to manage several desktop accounts on fewer devices. Workers can log into any devices, access their own virtual desktop, work as they do every day, and log off at the end of their shift.

Users with multiple computers

Depending on the nature of work, some positions require working with several computers on a regular basis. With VDI, they can integrate desktops and maintain it across two or more devices.

Field or remote staff

Employees that work remotely or in the field need access to tools and applications when on the job. A secure and reliable way to do it is through VDI. A complete VDI solution makes access to a consistent desktop experience possible anytime, anywhere, and using any device. It allows your remote or field workforce to operate effectively, no matter the circumstances.

Of course, these are just a few situations where VDI is helpful. Any business can enjoy security and productivity enhancements with a team of virtualization experts on call. Contact us today at 800-421-7151 to find out how we can help.

Tips to Reduce Risks After a Security Breach

No company is completely safe from data breaches. For proof, look no further than companies like Yahoo, AOL, and Home Depot, which compromised millions of personal customer information. That said, no business is completely helpless, either. The following steps can minimize the risks to your business in the event of a large-scale data breach.

Determine what was breached

Whether its names, addresses, email addresses, or social security numbers, it’s critical to know exactly what type of information was stolen before determining what steps to take. For example, if your email address were compromised, you’d take every precaution to strengthen your email security, which includes updating all your login credentials.

Change affected passwords immediately

Speaking of passwords, change yours immediately after any breach, even for seemingly safe accounts. Create a strong password comprised of alphanumeric and special characters, and make sure you never reuse passwords from your other accounts.

Once you’ve changed all your passwords, use a password manager to help you keep track of all your online account credentials.

If the website that breached your information offers two-factor authentication (2FA), enable it right away. 2FA requires two steps to verify security: usually a password and a verification code sent to a user’s registered mobile number.

Contact financial institutions

In cases where financial information was leaked, call your bank and credit card issuers to change your details, cancel your card, and notify them of a possible fraud risk. That way, banks can prevent fraud and monitor your account for suspicious activity.

Note that there are different rules for fraudulent transactions on debit cards and credit cards. Credit card transactions are a bit easier to dispute because they have longer grace periods. Debit card fraud, on the other hand, is more difficult to dispute, especially if the fraudulent transactions happened after you’ve notified the bank.

Place a fraud alert on your name

Hackers who have your personal information can easily commit identity fraud. To avoid becoming a victim, contact credit reporting bureaus like EquifaxExperian, or Innovis and request that a fraud alert (also called credit alert) be added to your name. This will block any attempt to open a credit account under your name and prevent unauthorized third parties from running a credit report on you.

Putting a credit freeze on your name might result in minor inconveniences, especially if you have an ongoing loan or credit card application. Still, doing so will greatly reduce your risks of getting defrauded.

These steps will ensure you don’t fall victim to identity theft in the event of a large-scale data breach. If you want to take a more proactive approach to protect your sensitive information against breaches, contact our cybersecurity experts today.

HTTPS Matters More for Chrome

HTTPS usage on the web has taken off as Chrome has evolved its security indicators. HTTPS has now become a requirement for many new browser features, and Chrome is dedicated to making it as easy as possible to set up HTTPS. Let’s take a look at how.

For several years, Google has moved toward a more secure web by strongly advocating that sites adopt the Secure HyperText Transfer Protocol (HTTPS) encryption. And last year, Google began marking some HyperText Transfer Protocol (HTTP) pages as “not secure” to help users comprehend risks of unencrypted websites. Beginning in July 2018 with the release of a Chrome update, Google’s browser will mark all HTTP sites as “not secure.”

Chrome’s move was mostly brought on by increased HTTPS adoption. Eighty-one of the top 100 sites on the web default to HTTPS, and the majority of Chrome traffic is already encrypted.

Here’s how the transition to security has progressed, so far:

  • Over 68% of Chrome traffic on both Android and Windows is now protected
  • Over 78% of Chrome traffic on both Chrome OS and Mac is now protected
  • 81 of the top 100 sites on the web use HTTPS by default

HTTPS: The benefits and difference

What’s the difference between HTTP and HTTPS? With HTTP, information you type into a website is transmitted to the site’s owner with almost zero protection along the journey. Essentially, HTTP can establish basic web connections, but not much else.

When security is a must, HTTPS sends and receives encrypted internet data. This means that it uses a mathematical algorithm to make data unreadable to unauthorized parties.

#1 HTTPS protects a site’s integrity

HTTPS encryption protects the channel between your browser and the website you’re visiting, ensuring no one can tamper with the traffic or spy on what you’re doing.

Without encryption, someone with access to your router or internet service provider (ISP) could intercept (or hack) information sent to websites or inject malware into otherwise legitimate pages.

#2 HTTPS protects the privacy of your users

HTTPS prevents intruders from eavesdropping on communications between websites and their visitors. One common misconception about HTTPS is that only websites that handle sensitive communications need it. In reality, every unprotected HTTP request can reveal information about the behaviors and identities of users.

#3 HTTPS is the future of the web

HTTPS has become much easier to implement thanks to services that automate the conversion process, such as Let’s Encrypt and Google’s Lighthouse program. These tools make it easier for website owners to adopt HTTPS.

Chrome’s new notifications will help users understand that HTTP sites are less secure, and move the web toward a secure HTTPS web by default. HTTPS is easier to adopt than ever before, and it unlocks both performance improvements and powerful new features that aren’t possible with HTTP.

How can small-business owners implement and take advantage of this new interface? Call WAMS today at 800-421-7151 for a quick chat with one of our experts to get started.

Should you Worry About the New IoT Malware?

A malware infection is one of the worst things that could happen to your Internet of Things (IoT) devices. But some users don’t even know there are IoT-targeted attacks that threaten computers, networks, and data. Rebooting an IoT device is a simple way to remove malware, but for those already infected with the latest strain, it’s not that simple.

What is the Hide And Seek malware?

The Hide and Seek (HNS) malware has created a “botnet” by quietly infecting thousands of devices using advanced communication methods. Without getting too technical, a botnet adds or “recruits” computers to their network to carry out malicious acts, such as overloading a network by telling every infected device in the botnet to try and connect at the same time.

The new HNS can’t be removed by resetting the infected device, which is the solution for most IoT malware strains. The new strain can also exploit a greater variety of devices and in less time than its predecessors. Experts believe it has already compromised more than 90,000 IPTC cameras and other devices.

IoT devices are easily hacked if they connect to the internet, which is home to opportunistic cybercriminals. And because businesses and consumers are expected to acquire and use more IoT devices (the market is expected to reach $1.7 trillion by 2020), it’s imperative to take cybersecurity precautions.

How can I protect my IoT devices?

Luckily, there are steps you can take to keep your devices — and ultimately your network and data — safe from HNS and other forms of malware.

  • Turn off your IoT devices when not in use to reduce their exposure to fast-spreading malware.
  • Take simple precautions to keep your WiFi networks safe, like changing your network’s default settings (including your network’s name), and using complex passwords that are changed from time to time.
  • For those who use a large number and variety of devices, install a threat management system that will block intruders and secure common threat entry points.
  • Be sure that your IoT devices are updated with the latest firmware. If the device is old and not supported, or new firmware is not being release, these devices should be replace with more reliable devices.

With HNS and other malware strains expected to increase in number and complexity, it’s more important than ever to take a multi-layered approach to security. Call us today at 800-421-7151 to learn more about which cybersecurity solutions are right for your business.