MSPNetworks Blog

You’ve probably heard by now, a Russia-based hacking collective by the name of DarkSide targeted Colonial Pipeline, a company that supplies nearly 45 percent of the fuel used along the Eastern Seaboard of the United States, with a ransomware attack. Not only does this hack have an effect on fuel prices and availability, it highlights just how vulnerable much of the nation’s energy infrastructure is. Let’s discuss the details of the hack and the raging discussion about cybersecurity that’s happening as a result. 

The Facts Surrounding the Hack

On Friday, May 7, 2020, Colonial Pipeline had to shut down operations after a ransomware attack threatened to spread into critical systems that control the flow of fuel. Almost immediately gas prices started to jump in the region, averaging around six cents per gallon this week. The pipeline, which runs from Texas to New York, transports an estimated 2.5 million barrels of fuel per day. The shutdown has caused some fuel shortages and caused panic buying in some southern U.S. states. Administrators said that the ransomware that caused the precautionary shutdown did not get into core system controls but also mentions that it will take days for the supply chain to get back up and running as usual again. 

Who Is DarkSide?

The hacker group DarkSide is a relatively new player, but it has set its sights high. The group claims to be an apolitical hacking group that is only out to make money.  In fact, they put out the following statement after the FBI started a full-scale investigation of the group:

“Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

DarkSide seems to be a professionally-run organization that deals in ransomware. They follow what is called the Ransomware-as-a-Service model, where hackers develop and sell their ransomware to parties looking to conduct operations like the one that stymied Colonial Pipeline. They also are known for their “double extortion” methodology, where they threaten to take the data they encrypt public if their demands aren’t met. Their ransom demands are paid through cryptocurrency and have only been in the six-to-seven figure range. 

What’s interesting is that the group seems to have its own code of ethics, stating that they will never attack hospitals, schools, non-profits, or government agencies. Either way, their current attempt at extortion has made a mess for millions of Americans. 

Problems Securing Infrastructure

Even before the world completely changed, cybersecurity analysts were recommending that more had to be done to protect aging utility systems around the world. Back in 2015, hackers took down a power grid in Ukraine and left 250,000 people without electricity, and it caused some movement to improve system security, but nowhere near as much as is required. Now, with the push to use renewable energy and more efficient systems of deployment, more technology has been added to these systems than at any time in history. These smart systems, coupled with a resounding lack of security, means that the next cybersecurity catastrophe is just around the corner. 

The pandemic didn’t help matters. Systems that are being updated are increasingly being connected to public and private networks for remote access. All it takes is one vulnerability and hackers can exploit and take control of systems that affect the lives of millions of Americans. Hackers causing a gas shortage is scary, but hackers taking down power grids or other systems that the public depends on to live could be looked at as an act of war.

The scariest part is it seems as though no system is immune to these problems. According to CISA, the Colonial Pipeline hack is the fourth major cyberattack of the past year. You have the Solar Winds breach that allowed Russian Intelligence to infiltrate thousands of corporate and government servers; an attack where Chinese nationals rented servers inside the U.S. to invade a still unnumbered amount of Microsoft Exchange servers; and a still-unknown hacker that hijacked a tool called Codecov to deploy spyware on thousands of systems.

Microsoft is widely renowned as being at the forefront of cybersecurity and Solar Winds is itself a cybersecurity company. This tells you a little bit about where we are about protecting essential systems. It’s not a good situation.

While you can’t always worry about cybersecurity everywhere you are, you have to prioritize it for your business. If you want to talk to one of our security experts about your cybersecurity, give MSPNetworks a call today at (516) 403-9001.

Passwords are probably the most important part of keeping accounts secure. That’s why it is so important to follow industry best practices when creating them. Today, we’ll take a look at the standards outlined by the National Institute of Standards and Technology (NIST) in creating the best and most secure passwords.

What Is NIST?

For years, NIST has been the predominant organization in the establishment of password creation standards. They continuously change their advised practices to meet with the current cybersecurity demands. They recently updated their guidelines so we thought we would go over what strategies they suggest, to give you an idea of what makes a secure password. 

New Guidelines

Many corporations are currently using the NIST guidelines and all Federal agencies are expected to utilize them. Let’s go through their newest password guidelines step by step. 

#1 - Longer Passwords are Better than More Complicated Ones

For years, it was preached that the more complicated the password, the more secure the account. Today’s guidelines refute that notion. NIST suggests that the longer the password, the harder it is to decrypt. What’s more, they suggest that organizations that require new passwords meet a certain criteria of complexity (letters, symbols, changes of case) actually make passwords less secure. 

The reasoning behind this is two-fold. First, most users, in an attempt to complicate their passwords will either make them too complicated (and forget them) or they will take the cursory step of adding a one or an exclamation point to the end of a password, which doesn’t complicate the password as much, if at all. Secondly, the more complex a user makes a password, the more apt they are to use the same password for multiple accounts, which of course, is not a great idea.

#2 - Get Rid of the Resets

Many organizations like to have their staff reset their password every month or few months. This strategy is designed to give them the peace of mind that if a password were compromised that the replacement password would lock unauthorized users out after a defined set of time. What NIST suggests is that it actually works against your authentication security. 

The reason for this is that if people have to set passwords up every few weeks or months, they will take less time and care on creating a password that will work to keep unwanted people out of the business’ network. Moreover, when people do change their password, they typically keep a pattern to help them remember them. If a previous password has been compromised, there is a pretty good chance that the next password will be similar, giving the attacker a solid chance of guessing it quickly. 

#3 - Don’t Hurt Security by Eliminating Ease of Use

One fallacy many network administrators have is that if they remove ease of use options like showing a password while a user types it or allowing for copy and pasting in the password box that it is more likely that the password will be compromised. In fact, the opposite is true. Giving people options that make it easier for them to properly authenticate works to keep unauthorized users out of an account. 

#4 - Stop Using Password Hints

One popular way systems were set up was to allow them to answer questions to get into an account. This very system is a reason why many organizations have been infiltrated. People share more today than ever before and if all a hacker needs to do is know a little personal information about a person to gain access to an account, they can come across that information online; often for free.

#5 - Limit Password Attempts

If you lock users out after numerous attempts of entering the wrong credentials, you are doing yourself a service. Most times people will remember a password, and if they don’t they typically have it stored somewhere. Locking users out of an account, at least for a short period of time is a good deterrent from hackers that use substitution codes to try and guess a user’s credentials. 

#6 - Use Multi-factor Authentication

At MSPNetworks, we urge our clients to use multi-factor or two-factor authentication on every account that allows them to. According to NIST they want users to be able to demonstrate at least two of three authentication measures before a successful login. They are:

1. “Something you know” (like a password)
2. “Something you have” (like a mobile device)
3. “Something you are” (like a face or a fingerprint)

It stands to reason that if you can provide two out of three of those criteria, that you belong accessing the system or data that is password protected. 

Security has to be a priority for your business, and password creation has to be right up there with the skills everyone should have. If you would like to talk to one of our IT experts about password management and how we can help your business improve its authentication security, give us a call today at (516) 403-9001.

Today, employees have to be a major part of every business’ cybersecurity attempts. The reasoning is simple: attacks are more likely to come in the form of end user correspondence than on a direct assault of the network. As a result, it is important that cybersecurity is more than just another line item on a task list, it has to be built into the culture. Let’s discuss a few ways to get your employees to care about cybersecurity.

Why Is Cybersecurity A Nuisance?

This is not a new phenomenon. Your employees want to be productive. In their minds, any extra tasks that are assigned are a hindrance to that aim. Cybersecurity, in today’s businesses, also has a tendency to intrude on their desire to separate their home life from their work life. While this isn’t really the case in most scenarios, there certainly needs to be some cooperation from them to properly secure your network. 

By now your workers understand that security is extremely important. What they don’t understand is how it is their problem. You hire them to do a job, and for most of them, that job isn’t "security guard." That’s why it is important that cybersecurity is something they are confronted with from the beginning of their employment. It is a culture issue, not just an operational one. Let’s go through some ways you can get your staff to care about cybersecurity.

Remove the Red Tape

Today, a well-executed hack or social engineering attempt can completely devastate a business. In some cases, and this is especially true for smaller businesses, a hack can cause the closure of a business. Those types of events affect more than just the business owners or the stakeholders. 

To ensure that your staff gets just how important this issue is, level with them. You don’t need to keep the threats a secret any longer. A unified approach to cybersecurity requires that your employees know how hackers and scammers will go about trying to trick them into handing over access to the company network. This will not only actively remove the indifference most employees have about cybersecurity, but it will also ensure that they realize how important doing the right things are. 

Make Sure Your Staff is Personally Invested

For the average employee, any indifference they have about a business’ cybersecurity efforts comes from the idea that it doesn’t really have any effect on them. This is not true. Hackers don’t just want access to business information, they want access to the network. That means all of the data on that network. 

Making sure that employees understand that it’s just not company information, it is their personal information and that of their contemporaries. Reminding that their data is at stake might just be the thing needed to get them to take security measures seriously. 

Build Solid Training and Literacy Right Into Your Culture

As we mentioned above, one of the best ways to ensure that your staff understands their role in your organization’s cybersecurity plan is to build it into your culture. To do this, it has to be out in front. You need to mention it in your hiring process (interview, any collateral you use to outline employee responsibilities), it needs to be parsed out properly in your organization’s documentation (employee handbook, etc.), and it has to be something that every person in the business knows that they will be confronted with at some point.

Ensuring that your people don’t get complacent is a massive point of emphasis if you want to keep their cybersecurity literacy ongoing. On top of training, you need to keep up some type of consistent reminder that they are important to organizational efforts to keep hackers and other unauthorized entities off of the business’ network. The more time and effort you put into planning out your cybersecurity training, the more that people will get out of it. 

We Can Help!

Keeping your business from falling victim to a cyberattack takes a lot of effort. Our security professionals are constantly readying ourselves to assist our clients in keeping them free of threats and a lot of that is helping them come up with policies, procedures, and strategies to keep their employees engaged in this never-ending fight against hackers. Give us a call at (516) 403-9001 today to learn how we can help you protect your business.

One of the most effective means for a business to shave a few dollars off its budget (and potentially boost employee engagement, for that matter) is to adopt something called a Bring Your Own Device policy—effectively, an agreement that allows their team members to access business-owned documents and files on devices they personally own to get their work done. While these policies have been shown to be very effective, they also need to be carefully considered so they can be adopted appropriately.

Let’s take a few moments to review some practices that are recommended for a secure BYOD implementation.

Determine Acceptable Parameters

Device and OS Requirements

For your productivity to remain intact and for your organizational security to be preserved, the tools your team brings to use need to meet the baselines that you set—otherwise, there is likely to be a shortcoming that leaves an opening. Certain workflows may require a specific operating system to be used, simply for the processes to be compatible. Keeping track of your team’s chosen hardware will help you determine if their devices are eligible to participate.

Accepted Software

On the topic, your business workflows should have defined software solutions identified for your team to use so that processes can flow smoothly. Make sure your team knows that they are expected to use these titles for their work processes and that they are expected to have certain protections in place on their mobile devices before they can use them to work.

Upkeep Policies

When using a personal device to access your business’ network, there needs to be some supported expectation that the user will ensure that the device remains functional and secure. This could mean that only authorized dealers or professionals are authorized to perform basic maintenance tasks and that these tasks are carried out promptly.

Security Preparations

Encryption Policies

In terms of protecting your data from the prying eyes of hackers, you’d be hard-pressed to find a more effective method than encrypting it. Considering this, it is important that you encourage/require encryption to be put in place as a part of any BYOD policies you implement.

Password Standards

We know, we know… the importance of secure passwords is a topic that has been covered frontways, backways, and every which way for a long time. However, once people start to follow these guidelines, we’ll stop bringing it up. When it comes to strong passwords, make sure your team is using them on all their devices, and that these devices are set to lock if an incorrect password is repeatedly entered.

Data Handling Guidelines

Where your data is concerned, you need to also establish the proper means for it to be stored and accessed while an employee is using a personal device. Ideally, your BYOD plan will have the means to block any data transfers to an insecure device as well as establish the proper procedures for accessing this data.

Necessary Prerequisites

Data Removal Circumstances

When an employee’s device has access to your company’s data via a BYOD strategy, it is critical that you retain the means to rescind that access as needed—like if a device is lost or stolen, or if an employee leaves the company. You may also want to include the right to review an employee’s device for company-owned data so that it can be removed if they were to leave so that your data isn’t brought elsewhere or abused.

Lost or Stolen Device Procedures

On the topic, your team needs to have a reporting process to follow should something happen to their device that will help to ensure that mitigating actions can be appropriately taken. Reinforce that these reports need to be promptly submitted to help minimize the potential impact of such occurrences.

Breach of Policy Consequences

Finally, you need to establish how employees will be reprimanded should these policies go unheeded or disregarded. While the loss of BYOD privileges is a common tactic, you should also seriously consider what is acceptable before an employee should be terminated. Once these distinctions have been made, share that information with your team when they opt into your BYOD implementation, so they are aware of the severity of such indiscretions.

A Bring Your Own Device policy is an essential piece of the modern office’s IT considerations and is something that we can help you out within much more detail. Find out what needs to be done by calling (516) 403-9001 today.

2020 was, obviously, a challenging year for healthcare providers. In addition to the obvious issue of the COVID-19 pandemic creating serious operational, financial, and supply chain difficulties, cybersecurity concerns didn’t go away during this time. Let’s consider some of the additional stresses that IT security needs can, will, and have placed on healthcare providers.

The amount that healthcare practices invest in their cybersecurity services has been projected to exceed $65 billion in the span of time from 2017 to this year—but despite this, the industry isn’t improving. In fact, healthcare providers have had to turn away patients for these precise reasons… but the question remains: why?

There Are a Few Reasons that Healthcare Providers Have Had Problems As of Late

IoT Security Issues

Anyone who has been to a hospital in the past decade or so has likely noticed how connected many of these facilities have become. A nurse’s clipboard has been replaced by a laptop that they wheel around to input all information and logs into, while diagnostic equipment itself is now largely computerized.

This means that many of a healthcare provider’s tools can now be classified as Internet of Things devices, and as such, are prone to security inconsistencies and vulnerabilities as a result. Many IoT devices are notorious for iffy-to-non-existent security as it is.

Ransomware

While ransomware can be, and is, an issue in every industry, the healthcare industry is particularly susceptible to its impacts for obvious, life-or-death reasons. Ransomware has been responsible for many organizations actually closing their doors, unable to sustain the damages. This is largely due to the reliance that their organizations have on the data that they need to treat their patients and manage the business—without the support required to properly protect this data.

Insider Threats

Unfortunately, the employees in a healthcare organization are not infallible, which does sometimes lead to insider threats to data. In fact, some professionals have said that insider threats are the biggest challenge for hospitals and such right now.

New Threats May Be On the Horizon

Of course, cybercrime of all kinds constantly advances, and that which targets the healthcare industry is no exception. In healthcare, these threats can be downright frightening.

For example, a research team in Israel managed to develop a proof-of-concept computer virus that could artificially paste tumors into CT and MRI scans so that high-profile patients could be misdiagnosed by their physicians.

With ingenuity like that, it is terrifying to consider what cybercriminals may do moving forward.

Regardless of your industry or the size of your business, cybercrime isn’t something to be taken lightly. MSPNetworks is here to help prepare for it. Give us a call at (516) 403-9001 to learn more about the solutions we have to offer.

As one of the biggest cybersecurity considerations the modern business has to make, how to combat phishing has to be at the top of any business’ cybersecurity strategy. Let’s take a look at phishing and why it’s such a big problem for today’s business. 

You’ve Probably Been Phished

When trying to explain what phishing is to someone who has no idea about it, we typically start with the namesake. Phishing is the same as fishing. A hacker will bait a hook and users will bite on it. It’s that simple. Instead of worms or minnows, a phishing attempt needs some bait that will fool an unsuspecting computer user into providing information that will allow a hacker to access secured networks and steal or corrupt data. 

To say that this method is effective would be an understatement. First of all, the massive breadth of attacks—there are literally millions of these attacks per day—results in high levels (and low percentages) of successful attacks. In fact, 88 percent of organizations that were polled claimed to experience at least one phishing attack in 2019. In 2020, phishing emails were one of every 4,200 emails sent or about 73 million. The pace has actually quickened in 2021.

Successful phishing attacks result in stolen credentials, compromised networks, ransomware and other malware. They all lead to businesses losing money. 

Phishing is More Prevalent Than Ever

Phishing has been an issue for quite a while, but the COVID-19 pandemic and the corresponding jump in remote work provided the perfect opportunity for these scammers to operate. In 2020, 75 percent of worldwide organizations were targeted by phishing attacks, while 74 percent of U.S. businesses were successfully attacked in some way. This often led to massive losses, some $3.92 million on average. That’s an average and takes into account loss of productivity from downtime, data theft, deterioration of consumer confidence, and other factors.

It is therefore important that you do what you can to train your staff about how to recognize and thwart phishing attempts before they have a chance to have a negative effect on your business.

MSPNetworks can help you put together a training strategy, as well as put together tools to help you keep your network and data safe. Call us at (516) 403-9001 to learn more.

Let’s face it, most people are glued to their phones when they have downtime. Many don’t look up to cross the street. With this much dedication to their individual mobile devices you’d think that people would be more careful about what they download.

Apparently, that Instagram feed is just too distracting to worry about individual data security. 

 Researchers from the mobile security firm Zimperium have discovered a malicious app that pretends to update your Android device, but is just spyware that can steal almost all of your data and monitor your search history and your location. Simply called “System Update” it has tricked many unsuspecting Android users as of this writing.

What Can “System Update” Do?

The spyware, or officially Remote Access Trojan (RAT), attached to this malicious download can only be downloaded outside of the Google Play store, which is fortuitous for many would-be victims of a malware attack like this. The spyware can effectively steal messages, contacts, device information, browser bookmarks, user search history, and can gain access to the microphone and the camera.

What’s more, it continuously tracks a user’s location, which can be really dangerous for anyone. The app starts spying everytime the device receives new information, which for any heavy user is constant. After stealing your data, the app will work to erase the evidence of it’s activity, effectively covering its tracks indefinitely.

 All-in-all, it is a pretty tough cookie. 

How Are People Accessing This Malware?

You won’t be surprised to learn that phishing is the number one way people are being exposed to the corrupt “System Update” app. Google continuously warns people to not install apps from outside the Google Play app store, but as people’s devices age, they aren’t always compatible with older operating systems found on these devices and start looking for options outside of the Google Play app store. This can lead to people downloading apps that seem useful, but are completely nefarious. “System Update” seems to be one of those apps.

What You Can Do to Protect Yourself

While there have been nefarious apps found on the Google Play store in the past, the malicious app rate is extraordinarily low when sticking to the official app store. Users should also consider questioning any situation where an app is suggested for you outside of the app store, even if it seems to redirect you to the Google Play apps store. You just never know what you are going to get when you trust third parties on the Internet.

 If you need a comprehensive plan to protect your business data from employee impulse and mobile negligence, give our technicians a call today at (516) 403-9001. We can help you with mobile device management (MDM) and Bring Your Own Device (BYOD) which can have all types of benefits for your business.

Going through your passwords and updating them every so often is a very wise habit to get into, particularly when they are used to protect a lot of data—as the password to your Google account often is. Considering this, let’s go over how to update your Google password and otherwise lock down your account.

How Much is Tied to a Google Account?

For many, their Google account is linked to quite a few frequently-used utilities and applications. Going far beyond the search engine functionality it began as, Google’s services now involve multiple programs and solutions. As such, the potential danger of a cybercriminal accessing your Google account is increased greatly.

For instance, a Google account is now linked to:

• Google.com (for custom tailored search results)
• Gmail
• Google Drive
• Google Docs/Sheets
• Google Maps
• Android
• Google Workspace
• Google Chrome
• YouTube

 … with many, many other accounts and services also tied to Google. A good rule of thumb: anything with “Android,” “Chrome,” or of course “Google” in the name is likely tied to your Google account.

Updating Your Google Password

Fortunately, Google makes it exceptionally simple to update the password to your account:

1. Visit https://accounts.google.com/. If you aren’t signed in already, log in with your email/phone number and password.
2. Click Security on the left-hand side.
3. Look for Signing in to Google. Click Password.
4. Google will usually prompt you to provide your current password, and then have you input a new password.

A WORD OF WARNING: Naturally, with so much tied to a single password, you need to make sure it is as secure as you can possibly make it. Use a totally unique password—not one that provides you with access to any other account. Don’t include any personally identifiable information that others might associate with you, like your birth date, maiden name, social security number, phone number, or the like.

To help accomplish this, it will help to use a password manager to keep track of them all, along with any built-in password creation features it has built in, as this will help you to generate a secure, randomized password with sufficient complexity. You could also string a few random and unrelated words together to make a passphrase, sprinkling in numbers and symbols as you see fit to help make a memorable but significantly more secure option.

Once you make these changes, you’ll probably need to re-log into your Google account on a few devices.

But Wait, There’s More!

To really protect your Google account, let’s go a little further and set up 2-Step Verification (also commonly known as Two-Factor Authentication) if you have not yet done so. 2-Step Verification is a great insurance policy against the possibility that your password is breached.

Once your password is changed, from your Google Account page:

1. Click the Security option on the left-hand side of the page.
2. Click 2-Step Verification.
3. Google may prompt you to enter in your password again, just to make sure it’s you.
4. Depending on what Google already knows about you, this might go a few different ways—you’ll either be prompted to set up a phone number to get a text message or phone call, or Google might walk you through setting this up on your smartphone. Either way, follow the on-screen instructions. 

Your various authentication options come at varying levels of simplicity and efficacy. Most convenient is the use of a Google prompt, which sends a notification to your Android device whenever a new device is attempting to log into your account that allows you to permit or disallow permission to do so. Receiving a text message with a code is undoubtedly convenient, but less secure as these text messages can potentially be intercepted. The most secure option is to utilize Google’s Authenticator app, which is also simple to set up.

If your business uses Google’s solutions to power your business, MSPNetworks recommends that you implement these changes. Need help? Give our team a call at (516) 403-9001.

The new year is upon us and after the debacle that 2020 was, it is extremely welcome. If you are like us, you have a new set of goals that you’ve created for yourself and are probably looking to improve your professional and personal well-being. One way to do that is to ensure that your accounts are secure. Today, we will be going through how to update your password with Microsoft.

You may have heard that the U.S. Government just suffered from a massive cybersecurity breach from an attack that was perpetrated from overseas, and among the systems that were affected was Microsoft Office. Unfortunately, foreign hackers were actively monitoring email accounts between the U.S. Treasury Department and the National Telecommunications and Information Administration (NTIA). Fortunately, however, Microsoft, who is known for its active role in identifying and thwarting cybercrime, didn’t find any active vulnerabilities in their Office 365 applications or cloud services, but they did offer some suggestions, one of which was to do everything you can to protect your data.  

It is important to understand how to take action to ensure your organization—and your personal accounts—are secured properly. 

What You Need to Know About Your Microsoft Account Security

If you actively utilize Office 365, or any other Microsoft product, you need to know a breach would affect you. For your typical user account, their Windows 10 license is tied to their Microsoft account, and if you have Office 365 or use any other Microsoft applications or services, they are covered by those credentials as well. Here is a list of the application titles you need to concern yourself with when considering your Microsoft account security:

• Windows
• Outlook
• Office
• Skype
• OneDrive
• Xbox Live
• Bing
• Microsoft Store
• MSN

Here’s How to Update Your Microsoft Password

To Microsoft’s credit, they make it extremely easy to change your password. Here are the steps:

1. Visit https://account.microsoft.com/
2. Click Sign In on the top right, if you aren’t already signed in. If you are already signed in, the page will display your name with options about your subscriptions and other services. Once you sign in with your email and password, you’ll be taken to this page.
3. Towards the top of the page, on the right-hand side, you’ll see an option that says Change Password. Click it.
4. If you have Two-step verification enabled, it will walk you through verifying your account with a text, an email, or using the Microsoft Authenticator app. If you don’t have that set up, don’t worry, we’re going to get you set up after you change your password.
5. Once prompted, enter your current password, and then come up with a brand new password.

CRUCIAL ADVICE: You never want to use the same password on multiple accounts. Every password you make should be unique, complex, and lack any personally identifiable information (such as your date of birth or your address). Really random works best, but we know it is difficult to remember random passwords. Make sure that your password is something that nobody could guess with variance in case, numbers, and symbols. The more complex your password is, the more secure your accounts are going to be.

One feature Microsoft offers when setting up your credentials is a checkbox that will require you to change your password every 72 days. It really works to secure your account. You might think it’s unnecessary, but consider how much of your personal information is tied up in your relationship with Microsoft. Check it and keep active on protecting your data and account security.

One Last Thing

One thing you should consider when changing your password is to set up Two-step Verification. Click that too. If you are using a Microsoft 365 account through work, you may need your administrator to turn it on and give you further instructions. Give us a ring if you need help.

All you will need to do is follow the on-screen instructions. If you do not already have an authenticator app on your smartphone (like Google Authenticator, Lastpass Authenticator, Duo Mobile, Authy, etc.) Microsoft has a tutorial to help you set up Microsoft Authenticator. If you prefer to use one of the other apps, set it up with your preferred app.

Two-factor verification will require you to use the Authenticator app to log into your Microsoft account on a new device, or make major changes to your Microsoft account (like updating a new password). It won’t require you to use the app every time you want to use Word or Outlook, but it is a good practice to use to ensure you are doing all you can to protect your account and data. 

Keeping your Microsoft account secure isn’t hard, but it is extremely important. If you need help or would like to talk to one of our certified technicians about setting Microsoft products up for your whole business, give us a call at (516) 403-9001 today.

To preserve your cybersecurity, you need to have a comprehensive view of everything involved with your technology—and we do mean everything. Let’s consider a recent close call, involving the Democratic Republic of Congo that exemplifies this perfectly that could have potentially exposed millions of Internet users to serious threats.

First, it will be helpful to go over how websites work (giving you a hint as to the nature of the close call we’ll be discussing).

How Web Browsing Works

When navigating to a website, you type that website’s URL into your address bar and you’re brought to the website, right? While this is how it appears on the surface, there’s actually a lot more going on underneath.

The domain name we know, as users, to go to a website is different than the actual functioning name that your Internet browser recognizes. Instead, your browser recognizes a series of numbers known as an Internet Protocol (IP) Address. IP addresses are too in-depth of a topic for us to go into much detail here, but to sum up: they tell the browser which web server it needs to direct towards to find the desired website.

Obviously, a series of numbers is more difficult to remember than a name, so this discrepancy would make the Internet much harder to use if it weren’t for nameservers.

Nameservers are the component of the Internet that helps bridge the URL to the IP address. When you type a website into the address bar, the browser references a nameserver to find out where the correct web server is before requesting content from it. In essence, the nameserver helps your browser translate your request into a language it understands—in many ways acting like your browser’s GPS.

In other words, the nameserver is a crucially important part of how the Internet functions, which means that these servers are particularly important to keep secure… particularly if the nameserver in question controls a top-level domain (the “.com”,”.net”,or “.edu” part). If an attacker were to gain control of a top-level nameserver, man-in-the-middle attacks could be used to redirect web traffic to malicious websites.

What Happened in the Democratic Republic of Congo

Therefore, when security researcher Fredrik Almroth noticed that one of the nameservers for the .cd country code top-level domain (belonging to the Democratic Republic of Congo) was set to expire, he took notice. When these domains expire, as did the nameserver domain scpt-network.com did in October, the governments that own them have a set amount of time to renew it before someone else could claim it.

Almroth was monitoring this domain to ensure that it was renewed, just to be safe. Once the end of December rolled around, the security researcher was quick to snap it up to protect it from ne’er-do-wells who would otherwise abuse it. Because the other nameserver to the domain was still operational, Almroth simply had any requests timeout of his nameserver and be passed to the working one.

What Was at Risk?

In short, quite a bit. With possession of such a nameserver, an attacker could potentially intercept any traffic—encrypted or not—directed to a .cd domain. This could give an attacker a frightening amount of power and control over thousands of websites.

The Congolese government ultimately opted to set up a new domain, ensuring that security was never in question.

What Your Business Can Learn From This

In short, technology can be complicated, which means that threats can potentially come from every angle.

Cybercriminals are irritatingly resourceful and will absolutely resort to cheap tricks to get their way. The size of their target is also irrelevant to them, so whether they’re targeting a government infrastructure or the website a local store keeps up doesn’t particularly concern them. As such, businesses of all shapes and sizes need to have a trusted resource they can rely on to keep their IT in order, especially in terms of its security.

As such a resource to many businesses, MSPNetworks prioritizes keeping an eye on all aspects of our clients’ technology solutions to help avoid issues like these that could otherwise have gone unnoticed. To find out more about what we can do for your operations, give us a call at (516) 403-9001 today.

Privacy is a sensitive subject nowadays, especially online. Regardless of the browser you have elected to use, properly using it will have a large impact. Let’s review a few ways that you and your team can help secure your business and its resources and go over these settings.

Promoting Privacy Via Your Browser Settings

Here, we’ve assembled a few best practices that you should keep in mind to help reinforce your browser’s security.

Revise Default Permissions, as Necessary

Before a website is able to access some of your data and peripherals, like your location, your camera, and pop-up windows, it needs to ask you for permission to do so. Too many people set these permissions to on—carte blanche—by default, potentially opening themselves to various attacks and threats.

For instance, by accessing the camera and microphone without informing the user, a cybercriminal could invite themselves to a peek into your personal life, listening and watching for personal moments and data to exploit. Pop-up windows could themselves host threats, and automated downloads could install nasty pieces of malware.

Instead, you should make sure that these permissions are set to Ask before allowing them, while also simply turning these permissions Off when you have no reason to enable them.

Block Third-Party Cookies and Trackers

While websites will often use their own cookies to keep track of users to improve their functionality, there are a lot of other cookies present from third parties that are tracking you as well. By blocking cookies that don’t come from the site you’re browsing and leaving the native ones to operate, you can minimize threats against your business from these sources.

As for trackers, you should be able to switch them off entirely. Trackers have begun to replace cookies as a means of, well, tracking a user’s online behaviors. As a plus, blocking a tracker has a decreased probability of breaking a website, as blocking cookies can at times do. If you cannot block trackers via your browser, you may want to reconsider which browser you are using.

Use Smarter Tools and Utilities to Minimize Your Risks

While different browsers offer different security features, there are certain choices that can help you make the most out of any situation. For instance, you should not sign into any of your accounts on more than one browser. If you’ve decided on Firefox for your Facebook use, only sign into Facebook from Firefox and not from Google Chrome or Microsoft Edge. While you may have disparate Google accounts attached to these services (a company one for work and a personal one for your own use), Google understands that they are all you and will take it upon themselves to merge your activities into their own reference files. You should also avoid using your accounts from Google or Facebook as a form of sign-in, as this will give those companies access to your behaviors on those sites as well.

There are, however, some browser extensions and alternative websites that can help you take back some of your privacy. Some add-ons help to shield your activities from this kind of tracking, while some online services are anonymized and therefore more secure. Identifying the most secure options and committing to them will be crucial to your continued success.

The Internet can be a wonderful resource, but it can also be considerably risky to work with if not prepared. Trust MSPNetworks and our team to help keep you out of trouble. Give us a call at (516) 403-9001 to learn about our many services, including those that can improve your security.

If you are an avid reader of our blog, we are constantly saying how there are always a growing number of threats. This is true. Two-in-every-three business owners consider that their cybersecurity risks are increasing each year. The other third must not focus on them, and that is a problem. In fact, many business owners don’t give the proper respect to cyberthreats and many of those businesses pay the price. This is why every business should consider a security and compliance audit a mandatory part of their yearly IT assessment. 

Explaining the Security and Compliance Audit

Since there is a constant stream of threats coming at your business from the Internet, it stands to reason that you need to come up with a strategy to reduce or completely eliminate those threats’ path to your business’ IT infrastructure. Traditionally, that means installing security software solutions such as firewalls and antivirus, training your staff on how to navigate potential scams, and doing your best to monitor the threats as they come in. This seems comprehensive, right? Unfortunately, these efforts are unlikely to prevent a breach of your network or a corruption of your IT infrastructure.

The IT infrastructure that continues to grow.

If you consider that every year more and more is added to your IT infrastructure, it’s not a stretch of the imagination to not only gain more to support, but also additional points of potential exploitation. New systems can create new vulnerabilities in your network, and more to support can add even more holes in your existing system. These are the avenues hackers use to access your network and steal your data. 

Additionally, the more complicated your IT infrastructure gets, the more difficult it will be to stay in compliance with any regulations your business operates under. As issues with data privacy start to be taken seriously by lawmakers, expect more regulations; and additional focus on compliance. 

A security and compliance audit is basically the full assessment of your cybersecurity situation. It goes far beyond your average vulnerability scan as it takes into account how your technology is used and provides you with specific criteria that you need to take into account. This profile will go above and beyond your cursory network and infrastructure scan. MSPNetworks has the certified technicians on staff to comprehensively conduct such an assessment. We can provide you with information on where your business is weakest and what you can do to bump up your network security to stay in compliance and keep your network resources safe. 

Go Even Further

Our security and compliance audit can tell you what you need to know, but once you have taken the steps to patch the potential vulnerabilities in your network and infrastructure, you will need to keep it up. We can conduct penetration testing to ensure that the steps you take work to fix the vulnerabilities in your network. This can function as assurance that your business isn’t caught up in two terrible situations: a data breach or fallout from non-compliance. 

If you would like to talk to one of our IT professionals about getting a security and compliance audit, or if you would like to talk about how our managed IT services can work to thwart all types of negative situations, give us a call at (516) 403-9001 today.

While Google Search has become eponymous for “online search”, the company has not stopped innovating upon the capabilities of the service. Most recently (as of this writing, of course) one improvement that the company is making is to give more content a bit more context before a user clicks through to a potential threat.

Let’s go into what this new update will look like on your Search results pages.

The Google Page Widget

With its rollout beginning on February 2nd, your Google Searches via a desktop, mobile device, and the Android mobile app probably now offer a small widget that provides a look at the website each result directs to.

Here’s how it will purportedly work:

You will soon notice (if they haven’t already caught your attention) small three-dot menus appearing next to your search results. These menus, if clicked, will give you more information into the website the result has pulled up.

This information will include things like a blurb about the website the link directs to—if available, coming from Wikipedia, and if not, based on Google’s own analysis when the site was indexed—as well as whether the website offers a secure HTTPS protocol connection and if a link is an ad.

Here, for example, is what appears when you check the link for Facebook:

From this, we can see that Google has confirmed that the connection to the website is secured, helping to protect our data, and that the link the user has inquired about was the result of their search, not placed there as an advertisement.

Moving forward, this utility may be able to help your users make more secure choices when browsing their search results. If you have access to it, we encourage you to explore it a little more yourself—and, if you’re ever concerned about how secure your business’ IT choices have been, to reach out to MSPNetworks at (516) 403-9001 for an assessment.

Your business’ security largely depends on how secure the passwords are that keep your resources from being accessed without authorization. Despite this, many users—perhaps even you—frequently sacrifice sufficient security measures in favor of the simple and convenient route, cutting corners when coming up with their passwords. Let’s try and remedy this by reviewing a few practices that can help make a password more effective.

What Threats are There to Passwords?

A password can be undermined in one of two different ways, generally speaking:

Digging into your online life or resorting to trickery, a “bad actor” (as they are sometimes called) figures out your password or how they can fool you into handing it over. Alternatively, the bad actor might phish you or infect your computer to crack the password.

As a result, you need to figure out how to make your passwords effectively guess-proof, while still being able to recall them as you need them. These principles should ultimately pertain to any passwords associated with your business—including the ones your staff members rely on.

The Balance Between a Strong Password and a Memorable Password

Whether you’re designing a password policy for your company members to follow, or simply creating a new account of your own, there are two important considerations to keep in mind.

• If a hacker can’t guess/crack a password, they will likely resort to a brute force method—simply trying every combination possible until they eventually get a hit.
• The security of a password and its resilience against brute force attacks aren’t the same.

It is important that both of these aspects are taken into serious account as you come up with your passwords.

How to Optimize Your Password Security

There are a few widely accepted best practices when it comes to what makes a good password:

• It is sufficiently long, ideally stretching over 16 characters
• These characters include non-consecutive numbers, letters, and symbols
• The password contains no common words or numbers, private information, or any publicly accessible details

It is also important that your considerations involve the aforementioned tools that cybercriminals use to break password protections. This is where we must account for the complexity of your passwords.

Did you know that about 40 percent of passwords only contain lowercase letters? Well, cybercriminals certainly know, and will certainly try to save time by only trying lowercase letters in their initial brute force attacks. Even one extra variable can significantly increase the password’s security, making it harder and more time-consuming for the hacker, and possibly convincing them that the effort isn’t worth it.

However, you also need a password that is memorable enough for you to be able to use it. The most secure password in the world is no good to you if you can’t commit it to memory, to the letter (or number or symbol).

This has recently led to the idea that a password composed of a few random words, randomized further with alphanumeric substitution and capitalization, padded with repeating symbols on either side, is the most secure option.

Think about it—like we said, each variable makes the hacker’s job that much more challenging and can help slow down any automated attempts long enough for the hacker to abandon them.

With all this in mind, it makes sense to create passwords that ultimately look something like this:

====p33k,,,@ss0c!@t3d,,,p0ck3t====

Not only is this password effectively impossible to guess, but it also has plenty of characters and—while designed to be somewhat simple to memorize, is still plenty resistant to brute force methods. Just make sure you come up with your own, instead of copying this one.

Remembering These Passwords

Admittedly, a password like this is a lot to remember on its own, so the thought of remembering a different one for each account (in keeping with best practices) can be daunting for most. Fortunately, a password manager can simplify this considerably.

A password manager is basically just a piece of software that safely and securely stores your passwords away for you, accessible to you behind a single master password. That way, your passwords could be totally secure and unique without forcing you to remember them all.

From your passwords and access management to every other aspect of your business’ IT security and productivity, MSPNetworks is here to help. Learn more about what we can offer by calling (516) 403-9001 today.

It’s been reported that a hacker virtually broke into a Floridian water treatment facility and briefly increased the levels of sodium hydroxide in the Pinellas County water supply. Fortunately, onsite operators noticed the spike and reduced it right away, keeping the public from risk of increased levels of poison in their water. This is just the latest story in a seemingly never-ending supply of them that have to do with public utilities being at risk from cyberattacks. Today, we will take a look at this issue. 

Protecting Online Utilities

Today, most systems are not only run through the use of computers, they are perpetually online so that remote operators have access to manage these systems. This provides hackers a wider-range of opportunities to carry out attacks against public infrastructure. Despite the massive amount of capital invested to ensure that these systems remain secure and reliable, all it takes is one situation to cause a great deal of public harm. The event in Florida just accentuates how important the security protecting these systems is. 

The Shifting Utilities Landscape

Over the past year, more people have been asked to work remotely to help keep the COVID-19 pandemic from spreading. This has not only led to more people working remotely at jobs that would typically require on-site staff, it also has helped push a degree of automation (using artificial intelligence and machine learning) to help identify incongruencies and threats to critical IT systems. This means that more people are relying on unfamiliar tools to do their jobs remotely. One can understand how this can lead to some confusion when trying to thwart very specific and targeted attacks. 

Threats Against Utilities and Infrastructure Are More Severe

A recent report from the Ponemon Institute suggests that threats against utilities are becoming shockingly more sophisticated. 54 percent of utility managers stated that they expect to have to deal with at least one cyberattack on critical infrastructure in 2021. That means that half of the people that work in electricity, water treatment, solar and wind, and gas think that they will be directly dealing with a major event triggered by a cyberattack this year. That’s completely unsettling considering how important these systems are to the sustainability of our society. 

What is Being Done?

This is where it gets a little tricky. Utility companies spend a lot of time and resources securing infrastructure. There’s a reason most of these places are surrounded by razor wire. To secure themselves against cyberattacks, however, they are taking much the same approach that your average enterprise would. They will try to secure systems by learning from past mistakes, innovating the tools they use, and simply being more vigilant.

Some innovations to speak of are similar to the ones you might see at your business. Using the integration of AI to actively search for and identify threats can end up being quite beneficial. AI can go through a lot of data extraordinarily quickly, meaning that it can identify potential problems quicker and thwart bad actors’ attempts at sabotage. Another technology that is being used in energy distribution is the Internet of Things. Utility companies are starting to utilize smart meters that modulate the flow of electricity and water. While you’d think that the integration of IoT devices would actually make the systems less secure, utility companies identified that from the outset and spent time and resources securing those systems before they were ever deployed in the field. 

Protecting our utilities has to be essential not only for utility companies, but also for society as a whole. What are your thoughts? Should the public subsidize utility companies for their cybersecurity? What moves would you make? Leave your thoughts in the comments section below.

For all the attention that we (and many others) give to cybercrime, people are still falling victim to hacks and scams every day. With most businesses operating more in the digital sphere than ever before, it stands to reason that they need to do more to keep from being a victim of a data breach or worse. Here are six things your business should do to keep from being a victim of a cyberattack.

#1 - Train Your Staff

You will want to establish basic security practices that make sense. You will want to go through how to identify a phishing attack and what to do if they come across one. You will want to explain what good password hygiene is and what benefits it offers both for your business and for them, individually. You will also need to go through the best practices of handling customer, vendor, and their contemporaries’ sensitive information. 

#2 - Patch and Manage

You will want to keep your business’ infrastructure updated and managed. This includes all machines and endpoints, web browsers, software; any part of your IT infrastructure that, if it were to be breached, could have a huge negative effect on your ability to continue business.

#3 - Security Solutions

Make sure that your firewall, antivirus, and any other security solution you have in place to protect your business is updated with the latest threat definitions. This includes setting up firewalls or a VPN for every member of your staff that is working remotely. 

#4 - Backup Your Data

In order to protect your data, regularly backing it up and storing it multiple places is suggested. That way you have copies of your data to restore from if something was to be corrupted, some IT were to fail, or there was some type of user error; and, also if some disaster were to compromise your data at your place of business.

#5 - Secure Wireless Networks

You will want to secure your Wi-Fi network(s). It should be hidden from view and encrypted to give your business the best chance at mitigating potential hacks aimed at accessing your wireless network. 

#6 -  Promote Sound Password Hygiene

Ensuring that your staff understands the best practices of using passwords and multi-factor authentication can go a long way toward protecting your business from outside threats. Passwords should be complex, but also easily remembered and use multiple characters.

If you are going to keep your data and infrastructure free from threats, these six steps are the bare minimum. If you would like to discuss additional steps you can take to protect your business’ most important assets, give our IT experts a call at (516) 403-9001 today.

2020, unsurprisingly, has decided to go out with a bang, as it has been revealed that the United States was targeted in the largest cyberespionage attack to date. Let’s go over what this attack means, and how things will need to play out in the future.

How Did the Attack Happen?

In short, an IT management company known as SolarWinds was breached back in March, affecting a massive number of organizations—18,000 in all. These organizations include the likes of Microsoft, Cisco, and FireEye, as well as many states and federal organizations, including:

• The U.S. Department of State
• The U.S. Department of the Treasury
• The U.S. Department of Homeland Security
• The U.S. Department of Energy
• The U.S. National Telecommunications and Information Administration
• The National Institutes of Health, of the U.S. Department of Health
• The U.S. National Nuclear Security Administration

When the attackers gained access to SolarWinds’ network, they were able to use what is known as a supply chain attack to introduce their malware to these departments and organizations by pushing it through the company’s automatic software update system for their Orion products. These kinds of attacks can be particularly effective since the threat is introduced to an environment via a trusted application.

Making this situation worse, many SolarWinds customers had excluded Orion products from their security checks on SolarWinds’ recommendation to prevent their other security products from shutting them down due to the malware signatures that these security products contain.

While (at the time of this writing) it is unclear what the attackers responsible used this access to do, the potential ramifications are truly terrifying. While government departments were targeted, it also needs to be said that this attack could have potentially continued from the major providers like Microsoft and Cisco to their clients, and so on and so forth. That’s why there is still no estimate of this attack’s true scope.

This attack was seemingly only discovered when an employee at FireEye received an alert that their VPN credentials had been used from a new device, and a little digging revealed the much larger situation playing out.

This Wasn’t the Only Attack, Either

Another attack was also discovered on SolarWinds’ network when the company performed an internal audit of its systems. On December 18, a second malware was found to have used the same tactic to infiltrate SolarWinds, but as of this writing does not seem to come from the same source.

What This Needs to Teach Us

Frankly, the most important lessons to be learned here are painfully obvious. First off, cybersecurity needs to be prioritized above all else, and all potential threats should be considered a likelihood. After all, the U.S. government was warned about the viability of exactly this kind of threat back in 2018 by the Government Accountability Office.

Secondly, the concept of your employees being a huge part of your cybersecurity strategy needs to be reinforced. This was only discovered when an employee was alerted of unusual activity and took that alert seriously. Your team needs to know what they are looking out for, and how to proceed if they spot it.

Unfortunately, the full extent of this threat will not be clear to us until much later, but what is clear is that we’ll be here to keep your business’ IT as secure as possible. To learn more about what we can do for your business and its security, take a few moments to give us a call at (516) 403-9001.

For a while there, blockchain was a buzzword that you would hear about constantly. It was the future of data security and secure online transactions. As 2020 has pointed our attention elsewhere, you’ve heard less and less about blockchain technology. Today, we’ll take a look at what some of the most innovative companies are doing with distributed encrypted networks,

What Is Blockchain? 

Blockchain was one of the most talked about technologies of the last half of the past decade; and while there have been hundreds of startups that use blockchain at the center of their offerings, there is some thought that the usability of the technology wasn’t as revolutionary as it was made out to be. For those of you who didn’t believe the hype, however, it should be noted that blockchain, the distributed ledger technology that provides unparalleled data security, transparency, and reliability, has been used as the basis of applications for financial services, real estate, law enforcement, supply chain management, insurance, and many more industries. 

The applications of this technology don’t end for cybersecurity, however. For the past several years the technology has been seen used in more and more practical applications.  You see, when you can depend on the reliability of information, developers will want to use it to enhance the ability to manage waste. Supply chain management is a great example. The more transparency a business can have with the products and resources on their supply chain, the more efficient their operations will be and the reliable their projections will be, allowing them to budget better and use the capital they would have otherwise wasted in advancing their company’s agendas.

How Some Industries Use Blockchain

The best way to see how blockchain has been integrated into software is to take a look at how companies utilize the technology.

Medical

If there has been one industry that has utilized blockchain technology the best, it is the healthcare industry. Some hospitals have already started utilizing the technology to help protect patient data. In healthcare there is a lot of information that needs to be both secured and simultaneously available, a complete conundrum for healthcare providers. Enter blockchain. Here is a technology with the ability to keep a transparent, yet incorruptible and private log of all patient health, insurance, and provider data; and, since it is decentralized, sharing the information that’s needed comes with fewer risks to patient profile info.

Banking

One industry that analysts were most curious about was how blockchain was going to affect the banking industry. Obviously, with the ability to keep transactions transparent and secure, the technology is perfect for the banking industry which, despite all the technological advancements over the past 50 years, hasn’t changed all that much. Today, banks are using blockchain as the basis for smart transactions that can be used to move money faster than ever. Banks are also partnering with various FinTech (financial technology) companies to create financial products that will seemingly revolutionize the way people and businesses can get the capital they need to push their initiatives forward.

Cybersecurity

Another obvious industry that is both quickly growing and in need of reliable instruments is the cybersecurity industry. Basically, companies are creating products that revolutionize the way people store their sensitive data. The distributed nature of blockchain is the impetus behind this shift. The less information can be gained from one location, the less likely hackers and cybercriminals will be to try and infiltrate. Moreover, with blockchain’s built-in encryption it has become a great option for access control systems and for data confidentiality as a whole. 

You may not be able to download a blockchain app and find any practical use, but the technology is here and is being used to secure large portions of sensitive data by companies from all over the world. If you would like to learn more about data security using blockchain technology, why not reach out to the IT professionals at MSPNetworks? Our experts can help you better understand what blockchain is and how you may be already using applications built with blockchain and didn’t even know it. Call us today at (516) 403-9001 to learn more.

Today’s smartphones are equipped with assorted ways that users can authenticate their identity, from the now old-fashioned PIN to basic biometrics. However, while these options are available on a wide range of phones, not all of them are equally secure. Let’s look a bit closer at these authentication measures to find out which is most effective.

Does Mobile Security Really Matter That Much?

In a word: yes.

Look at how much we can accomplish with a mobile device. While we’re used to the capabilities that a smartphone offers, it wasn’t too terribly long ago that these capabilities were unheard of outside of science fiction. It wasn’t until 1996 that practical PDAs came about with the Palm Pilot, followed by Blackberry in 2002 and 2004’s introduction of HTC’s Windows phones that we had a taste of what a “smart” phone would look like. It was only in 2007 that the first generally-agreed-upon smartphone, the iPhone, was released.

Just think about the difference between the devices we have today, compared to those that preceded them. While these so-called “dumb phones” were not devoid of sensitive data by any stretch, they may as well have been in comparison to today’s devices.

Now, there are applications for everything, from money management to medical data to shopping and every other purpose imaginable, many of which contain or regularly access personal data. Therefore, it is so important for these devices to be secured… the method by which a user can unlock the device being just one tiny facet of these security needs.

Evaluating Your Authentication Options

Nowadays, the authentication options present on mobile devices are designed to combine the needed security with the convenience of the user. Yet, since they aren’t all equally effective at securing the device, you need to be selective about the authentication method you use.

Let’s go over the options your device may offer and see which one is the best for your security.

Passcodes/PINs/Passwords

We’re all familiar with these authentication measures, as they’re generally the baseline authentication measure for any device, including mobile devices. They also help prevent other authentication proofs from being put in place without the user’s approval. While these security measures are far from impenetrable, they are secure enough to serve as the basis for sufficient security. This is, of course, provided that the user is responsible when they set them.

That said, many users don’t act responsibly as they should, leaving their mobile devices relatively insecure. A study conducted in 2012 revealed that the PINs people used were often of personal significance to them, were composed of repeated digits, or (most amusingly) featured the number 69. Other common numbers were those that could easily be typed in sequence, like 1234, 7890, and the like.

Another study showed that increasing the length of the PIN from four numbers to six rarely added any security benefits, again because of the user. Apparently, the added length makes the user feel more secure by default, and by doing so, gives them the comfort to slack off in how secure their PIN is.

Naturally, assuming the user has the patience to retype their password each time the device locks, this option is more secure than a PIN. Regardless, these options are generally accepted as the most secure option right now.

Biometrics

Thanks to the hardware and software that our devices now support, users can now use their physical attributes to confirm their identity, as biometric authentication has risen in popularity. Naturally, the different methods that make up biometric authentication aren’t as consistent as many would assume.

Fingerprint Sensors: The first phone to have a fingerprint sensor—the Pantech GI100—first launched in 2004, and with the Toshiba G500, the fingerprint sensor became a mainstream inclusion on smartphones. This isn’t expected to change, with projections predicting that 90 percent of devices will still have a fingerprint sensor in 2023, as compared to 95 percent in 2018.

Fingerprint sensors come in many kinds, which does impact their security somewhat. For example, Samsung has started to incorporate sensors under the screen to enable a three-dimensional image to be captured. However, this inherently secure technology can be undermined using a screen protector, as the screen protector can actually lead to any fingerprint being accepted. There is also the concern that fingerprints can be harvested from another source and transplanted to the device to unlock it, so the user needs to prioritize making sure their device is properly acclimated to their unique print.

Iris Scanning: Currently, iris scanning is seen as the most secure biometric authentication, as the iris is even more unique than a fingerprint. While these capabilities are currently present in many devices, many users don’t use them. This is generally because it takes longer to scan the iris, as the user must direct their gaze to the sensor.

Facial Recognition: Fingerprint recognition has begun to be replaced by facial recognition capabilities, particularly with the rising prevalence of full screen displays. With a decent software installed and a good set of reference data, facial recognition can make unlocking a device effectively effortless. However, that’s assuming that the software is good and that the reference images are good. If these images have blights like glare on them, it is harder for a user to unlock and easier for a hacker to crack.

Pattern Passwords/Knock Codes

Finally, we’ve come to the least secure option of all. Many Android devices offer the user the option to tap a pattern of their choosing on a grid to unlock their device. Multiple studies have disproven the security of this method, simply because it isn’t too challenging to figure out a user’s pattern.

In one study, it was found that 65 percent of the 351 participants involved created a code that followed Westernized reading patterns, starting at the top-left and progressing to the top-right. Increasing the size of the grid only led to users selecting shorter patterns. Many patterns proved common amongst the participants as well:

1. An hourglass: top left, top right, bottom left, bottom right, top left, top right
2. A square: Top left, top right, bottom right, bottom left, top left, top right
3. The number seven: Top left, top left, top right, top right, bottom left, bottom left

To top it all off, the researchers found that knock codes were rapidly forgotten. 10 percent of the participants had forgotten their selected code by the time the 10-minute study was over. Plus, they’re slower: knock codes took five seconds to input, while a PIN takes four and a half.

Don’t Skip Securing Your Mobile Device

If you’ve made it this far, you’re likely a smartphone user, and as such, it plays an important part in both your professional and personal life. As you have probably gathered, you can’t afford to short-change any aspect of your security, down to the way you unlock your mobile device.

MSPNetworks can assist you in ensuring your business’ technology is adequate for your purposes, and that it has the necessary protections surrounding it. To learn more about our services, reach out to our team at (516) 403-9001 today.

Data security always needs to be considered as one of your most important business priorities. After all, the ramifications of data loss are wide-reaching and severe. To help you ensure that your data security is at the level it needs to be, we’ve put together five questions you need to answer regarding your business’ security preparedness.

“Are my processes based in security?”

Or, in other words: is your work environment designed in such a way that the most secure option is the default? End-to-end security is one thing, incorporating it into a proactive process is quite another. A foundation based upon secure functionality will help lead to better outcomes. Are your users trained to exclusively follow the most secure processes?

If not, this is where you need to start. A company culture steeped in security awareness is one of the best ways to protect your data, simply because it will help to minimize any improvisation that your employees would otherwise attempt. Educate your users properly, and they will turn into one of your biggest security assets.

“How regulated is access to different files?”

On the topic of your employees, how much data is accessible by any given person? There is no reason that one of your salespeople should have access to payroll information, just as your fulfillment division shouldn’t know any payment information beyond whether a bill was paid or not. Securing your data and only enabling access through role-based permissions with private usernames and multiple authentication measures will help shore up your risks. Remember, these permissions and access controls should be audited regularly to ensure that the data they protect remains on a need-to-know basis.

“Is my data encrypted?”

Or, as this question reads after being encrypted on a random website:

“?b64b0EbdbZMVy0aghJaLO+x2ic7F02JurazKFq4r6dv0y7RpMWaNL00qDWW1nQ39vgmELHKNtUl42u0iIhoc4AM1w==?64b”

Of course, without the decryption key, you can only assume that I’m being honest, which is kind of the point. Making sure that your data is encrypted can protect its contents should it be stolen. This means that you will want to be sure that the answer to this question is…

“?b64LQwXhsseeRhWY0MptIJLxsV4NyLYoBpSAzcypRZMD7BEQmmnDgbB4I6ks8ujGmza?64b”

…or, decrypted: “It sure is!”

The topic of encryption is far too complex to go into here in any detail. If you’d like to learn more about encryption and how it can help protect your business’ sensitive data, call us and ask one of our technicians to explain it to you (or to help you implement it)!

“Have I tested my security measures?”

Once your security measures are implemented, your job is far from done. To ensure that they remain effective, they must be stress-tested and evaluated under controlled conditions. What assets are the most important to protect, and what threats are they most in danger of succumbing to? How likely are these threats to come into play, and how are you vulnerable to them?

Establishing these benchmarks will give you greater insights into the weaknesses inherent in your processes and how they can be remedied.

MSPNetworks can help you find these insights and put the best solutions in place in response. To learn more about this process, reach out to our professionals at (516) 403-9001.