TechTidBit - Tips and advice for small business computing - Tech Experts™ - Monroe Michigan

Brought to you by Tech Experts™

online security

Outdated Software Could Cost Much More Than An Upgrade

It’s nice when we own something and it’s completely paid for. Think of a car or large purchase you financed. Once it’s paid off, you feel great: money is freed up and it’s yours.

However, often in these situations, you’ve poured a few years of use into it by the time it’s paid off. When something finally breaks, the warranty has probably already expired. Then, you’re forced to decide if you are going to put money into this old car or appliance or if it’s time to upgrade instead.

When you don’t upgrade your car or appliances, there may be some small risks in terms of missing out on improved safety or the newest features, but the biggest risk will be monetary.

Businesses sticking it out with old software isn’t much different, but the consequences can be much worse.

Software is sometimes pricey, and often, the outdated software will still technically work. We get used to the layout and processes, and it becomes easy to use. After five or ten years, you know where all the buttons are. Your documentation for employees might be based this particular version, and you may not have the time to overhaul your reference materials.

The issue with this is, while you’re happy to run the 2015 version of a software, that software company has released a new version in 2016, 2017, 2018, etc. Usually, they will still update old versions for a short time after new ones come out.

Once these software companies stop providing updates, however, any known vulnerabilities will remain unpatched and any new vulnerabilities that are discovered will not be addressed.

If you know the software inside and out, so do the hackers. It’s far easier for them to utilize a known flaw than attempt to break a new and unknown software. The longer you wait to update, the more likely it is that your data or network will be compromised.

Yes, paying for that new version of software is not something we want to do, but in the long run, it may save you a lot of money and headaches.

Software as a Service (SaaS) also makes this a little easier to deal with. Rather than paying a huge amount one time upfront, you can often subscribe and pay a smaller amount monthly or yearly that allows you to install new versions as they come out. This usually includes security patches and updates too.

Another consequence of holding out on updating old software is the possibility that your PC may need to be suddenly replaced or updated. If it crashes or becomes too slow to reliably use, you can lose that program. A lot of software is provided via download, and it may not be available for download once it’s time for a new PC.

In addition, if you bought something that was written for Windows 7 and have not upgraded in the past six years, it may not be possible to use that program if you are stuck five versions behind. Also, since you paid the vendor long ago, they often won’t help you reinstall the old software; instead, they’ll require you to buy a current version before assisting.

We understand that staying with what you’re familiar with is easy. Since you own the software, it carries a financial benefit as well. However, the short-term financial gains risk data loss and essential parts of your business becoming unrecoverable in a disaster. Look at software updates like insurance: you are paying to keep yourself as protected as possible and working to minimize any potential risk.

The Biggest Cyber Threat To Your Business Is In Your Pocket

According to a Verizon study, one in three businesses has admitted to suffering a breach as a result of a mobile device. The same study found that 80% of businesses were aware that they had a big gap in their network security as a result of mobile device usage.

Banning the use of mobile devices for work is not an option, however. The productivity benefits of these mobile devices are too big to give up, and chances are, employees will still use them.

So how can you make sure that your data is safe as it travels around in your (and your employee’s) pockets?

Basic protection for all operating systems

Regardless of your operating system and device model, the following security protocols can easily be implemented.

Fingerprint and/or face recognition and secure passcode – this feature not only protects you, but your employee as well. Highlight and encourage employees to set this security feature up on their devices.

Offer internal support to help less tech-inclined employees to set this up and troubleshoot common challenges with unlocking the device with these features.

Not only will this help keep your information secure if the device is lost, but it will also help prevent other unauthorized individuals from accessing your device if it is left unattended.

Use a VPN – A VPN provides a secure phone connection to a private server between your devices and your data and bypasses using public networks to access your information. This helps secure the data and encrypts it as it travels from point to point.

Enable data encryption – Both Android and iPhone devices can be encrypted through the device and it is highly recommended that you encourage your employees to activate this feature. Spreadprivacy.com has detailed instructions on how to do this for both Android and iPhone devices.

Set up remote wipe capabilities – Depending on the device, there is a function along the lines of Find My Phone that you can have implemented that will allow you to remotely lock and erase the device in the event it is lost or stolen.

Apple devices have the function built into the operating system and Android devices can enable this feature with app downloads.

Mobile protection for Android users

One of the great things about Android devices is that you have a variety of manufacturers, features, and price points to choose from.

While they might differ slightly in features and functionality, here are some basic tips for protecting your Android device:

  • Only buy Androids from vendors who are proactive in issuing security patches
  • Use 2FA (Two-factor authentication)
  • Take advantage of built-in security features
  • Do not save all passwords
  • Only buy apps from Google Play
  • Always, always back up the device’s data
  • Encrypt your device (See instructions above)
  • Be careful about connecting to public WiFi, and be diligent about securing your own WiFi networks.
  • Use the Android security app
  • Install a VPN

Mobile protection for iPhone users

Regardless of the model, all Apple iPhone devices will have the following security features. Keep in mind, however, that older models of the phone will not be able to take advantage of the newest iOS and may require an upgrade.

Here are 10 tips for keeping your iPhone safe:

  • Update the iOS frequently. You can opt into automatic software updates through your phone as well so you don’t have to keep an eye out for new updates
  • Enable 2FA (Two-factor Authentication)
  • Set the phone to “self-destruct” or wipe the entire phone after someone fails to access the phone 10 times.
  • Activate “Find my iPhone.”
  • Avoid public WiFi
  • Only use trusted iPhone charging stations
  • Change your iTunes and iCloud passwords regularly.
  • Revoke permissions to your camera, microphone, etc
  • Use a passcode longer than 4 numbers
  • Disable Siri access from the lock screen.

Take the next step

These tips will get you started on keeping your business, and personal, information safe as you roam. But this is just the first step. Take the next step and set up a full security audit to see where there may be a crack in your armor that leaves you vulnerable.

Work-From-Home Precautions For Your Network

Mark Funchion is a network technician at Tech Experts.

As our world has shifted to a heavy work-from-home environment, it is important that you do what you can to make sure your business’s network is secure, whether your employees are working from home or in the office.

Working from home can pose many challenges. The first involves the device the employee uses. If they have a company-issued laptop and you implemented a VPN, then great, you’re fairly secure.

What do you do if they are using their own home PC? Do they have anti-virus? Are they accessing documents through a common cloud storage location, such as OneDrive or Dropbox?

If so, that can cause issues because that home PC may have other users who are not careful about what they download or what emails they open. If that PC is infected and your employee connects to shared storage, your business may become infected.

For these reasons, you should really consider only allowing access to your data over a VPN that your employees must log into. Do not share files through cloud storage unless you are sure the devices connecting are secure.

This means you may need to provide anti-virus to your users. Yes, it’s an expense, but it’s much cheaper than recovering from a ransomware attack because an employee’s 12-year-old downloaded a Fortnite “hack” to get more V-Bucks.

Next, push the use of two-factor authentication (2FA) and password managers. Having a simple password like “CompanyVPN1!” won’t cut it.

Force your users to use strong and varied passwords. Now, those can be difficult to remember, so it may be a good investment to look into a corporate password manager. This will securely store passwords and make it easier for employees to use stronger credentials.

In addition to better passwords, use 2FA. This security measure sends a verification code to your employee via email or text when they log into secure apps or websites. It’s another extra step, but again, the more precautions you take, the better off your security will be. Just because your employee logged in from home with a strong password doesn’t mean it’s actually your employee. That second authentication makes it much more difficult for the end user’s information to be gained by cybercriminals.

Educate your employees about using public Wi-Fi as well. It’s nice to sit in a comfy chair at Panera and enjoy a bagel and coffee while responding to emails, but who else is on that network? If they must do this, then using a VPN and 2FA are a must.

These are a lot of scary things, but don’t lose sleep. Be diligent in securing your network. If you allow work-from-home, be prepared to invest in setting up VPNs, 2FA, password managers, and anti-virus software for your employees. This time and due diligence will greatly help you prevent your data and network from becoming compromised.

Also, remember you are not in this alone: Tech Experts is here to help. If you want to secure your network for remote work, reach out to us at (734) 457-5000. We secured our own network so we can work remotely and have the expertise to help you do the same.

Using Public Wi-Fi? Consider A VPN

With more of us working remotely now, coffee shops are getting busier again as we look for somewhere other than home to work. But while it can be great for getting rid of distractions, it’s not so good for security.

That’s because public Wi-Fi is a hotspot for data theft. Any data sent over public Wi-Fi that doesn’t need a password to access is vulnerable to theft or manipulation from someone else using that network.

And it’s not just other Wi-Fi traffic you need to consider. There are also fake networks to be wary of. You think you’re connecting to the coffee shop’s Wi-Fi… but how do you know it isn’t a fake version with the same name?

As soon as you log on, they can suck up all of your credentials and any other personal data on your device.

If your team is using public Wi-Fi regularly, best practice is to use a VPN (Virtual Private Network) to keep your data safe. This acts as a private tunnel for your device to connect to a private network, keeping your info safe.

Three Steps To Improve Your Ransomware Resilience

This is a cold hard fact: Ransomware is on the rise.

What is ransomware?

It’s where hackers break into your network, encrypt your data so you can’t access it, and then charge you a large ransom fee to unlock it. It’s the most disruptive and costly kind of attack you can imagine. And very hard to undo.

Why is it a big deal?

Ransomware attacks are dramatically up thanks to the pandemic. All the urgent changes that businesses went through last year created a perfect storm with plenty of new opportunities for cyber criminals.

Is my business really at risk?

Thanks to automated tools used by hackers, all businesses are being targeted all the time. In fact, hackers prefer to target small businesses as they typically invest less time and money into preventive security measures compared to large companies. It’s estimated a business is infected with ransomware every 14 seconds.

How can my business get infected with ransomware?

42% of ransomware comes from phishing emails. This is where you get a legitimate-looking email asking you to take a specific action. You only need to click a bad link once to let attackers quietly into your system. And it doesn’t have to be you who clicks… it could be any member of your team.

Why is it so hard to undo?

A ransomware attack takes weeks for the hackers to set up. Once inside a network, they stay hidden and take their time to make lots of changes. Essentially, they’re making it virtually impossible for an IT security company such as ours to undo the damage and kick them out once the attack has started. If you haven’t thoroughly prepared for a ransomware attack before it happens, you are much more likely to have to pay the fee.

How much is the typical ransom?

The hackers aren’t stupid. They know trying to get $150,000 out of a small business simply won’t happen. But you might stump up $10,000 just to end the hell of a ransomware attack. They will change their ransom demand based on how much money they believe a business has.

Of course, the ransom isn’t the only cost associated with an attack. There are countless indirect costs. Such as being unable to access your data or systems for a week or longer. How horrendous would it be if no one could do any work on their computer for a week? How would your customers react to that?

What can I do now to protect my business?

This is the most important question to ask. It’s virtually impossible to stop a ransomware attack from happening. But you can do an enormous amount of preparation, so if an attack does happen, it’s an inconvenience, not a catastrophe.

Here are the three steps we recommend for maximizing your ransomware resilience.

Act as if there’s no software protecting you

Software is essential to keep your business safe from all the cyber security threats. But there’s a downside of using this software – it can make you and your team complacent.

Actually, humans are the first defense against cyber-attacks. For example, if your team doesn’t click on a bad link in a phishing email in the first place, then you’re not relying on software to detect an attack and try to stop it.

This means basic training for everyone in the business, and then keeping them up-to-date with the latest threats.

Invest in the best data backup and recovery you can

Automatic off-site data backup is a business basic. When you have a working backup in place, it can be tempting not to give it a second thought.

But it’s worth remembering that cyber criminals will take any means necessary to get you to pay their ransom. That means they’ll target your backup files too. Including cloud-based data.

It’s critical that you create and implement a comprehensive back-up and recovery approach to all of your business data. The National Institute of Standards and Technology sets out a cyber security framework which includes best practices such as:

• Constant backups: Separate from the computers and ideally in the cloud
• Immutable storage: This means once created, backups can’t be changed
• Firewalls: To restrict what data gets in and out

Create a plan for cyber-attacks

When a cyber-attack happens, every second is crucial. The earlier you act, the less damage is caused.

So, prepare a detailed plan of action and make sure everyone knows what’s in it, where to find it, and how to trigger it.

Test your plan regularly to make sure of its effectiveness and remove any risk of failure by keeping at least three copies of it in different places. One should be a printout kept at someone’s home… just in case you have zero access to data storage.

Don’t Let Working From Home Lower Your Guard

Wyatt Funchion is a help desk technician at Tech Experts.

When working from home or taking online classes for school, it is very easy for us to get caught up in our work and forget about the potential risks of using the Internet.

Whether you are using Zoom, assisting clients, writing assignments, or even just sending a simple email, cybercriminals have figured out ways to exploit our everyday tasks.

Email is one of the most vulnerable territories for users, and cybercriminals love it because it works. Phishing emails, which are emails that try to trick you out of your sensitive information, are one of the most common Internet threats and are easy to overlook if you’re overworked or in a hurry. Some can be extremely convincing, especially at a glance.

One of the best ways to keep your personal information and your work information protected is to avoid clicking links, opening attachments, and replying to emails when you don’t know where or who the email came from. Don’t provide them with extra information like a password, log-in, or anything else sensitive.

Cyberattacks are another common threat while working from home, and your computer and network are targeted just for existing. An easy way to prevent these attacks would be to use an antivirus suite.

These run in the background of your computer and automatically update themselves. They can protect against zero-day attacks (viruses taking advantage of security flaws before they are patched), malware, spyware, viruses, trojans, worms, and more. Some can alert you of phishing scams, including those sent via email, and alert you when a download is suspicious.

Something else that could put both your work and personal information at risk is your web camera. Cameras are used frequently for Zoom calls or Google Meets for both schools and employers and can be a huge risk if you have any documentation like passwords written in your workspace.

It’s also a big risk to your privacy in general, so make sure there isn’t anything else confidential in frame, such as personal phone numbers on a whiteboard.

A simple way to get rid of the potential risks would be to either unplug your webcam or cover it when it’s not being used. Sliding webcam covers are a good way to cover them and are fairly easy to install. They can be found in all shapes, sizes, and colors.

If your workspace is easily accessed by your family or you also use your personal computer for work, it can create threats for your company. Make sure to not leave your computer unlocked or open on any sensitive information that could be accessed by someone other than you. Another risk can be using your work account for personal use because you may not be as careful about what you access during your personal time versus work hours.

In the end, it is important to keep your work life or school life separate from your personal life.

Taking a few extra steps to make sure everything is secure can be the difference between a stolen identity or encrypted computer.

The Internet Of Things Can Poke Holes In Your Network

Mark Funchion is a network technician at Tech Experts.

Some business owners spend a lot of time protecting their network. After putting a firewall in place, configuring security settings, and setting up users with complex passwords (and possibly even 2FA), it’s easy to think that’s secure enough.

Now, having that solid foundation and framework is great. If you’ve done that, you’re definitely on the right track. But you still might leave yourself open to exploitation without even knowing it.

How does that happen? IoT – the Internet of Things.

You’ve secured your business network, but what about the smart watches, fitness trackers, connected speakers, thermostats, and every other device with a battery and a tiny signal? Every single one of those devices is a potential inroad to your network.

For example, a user’s watch connects to their cell phone, which is connected to your business’s Wi-Fi network. With no firewall on the watch, that creates a potential path into your network.

All of these devices require an IP address. In the past, forty people only needed fifty IP addresses to allow everyone to connect their one device to the network, including wiggle room for guests.

Now, every person has a laptop, cell phone, and some sort of accessory – each with its own IP address.

Each of these devices are transmitting a tiny amount of data, but that data and usage grows exponentially.

Plus, if you don’t have that wiggle room for extra connections, you’re more susceptible to a denial of service (DoS) attack, which is when cybercriminals overwhelm your network with traffic and bring it to a halt.

Your network needs to be able to handle an increase in traffic while also securing all that extra information that you do not have control over.

It is scary and overwhelming, but you can take steps to secure yourself without going too far.

The easy way is withholding access to anything that is not corporate-owned and approved. However, limiting all these devices can have a negative impact on your business and its operation.

Instead, take a measured approach. Make sure your firewall is up-to-date, and monitor who is trying to access your network. Limit that access to the smallest “allow” list you can without making it impossible to work.

For all the smart things like watches and thermostats, keep these IoT devices on a separate virtual network. Encourage and educate users to keep their devices up-to-date – and to use them responsibly while on the network.

Cyberattacks are always increasing and changing, and a strong defense makes a considerable impact when it comes to preventing huge losses in productivity, data, business reputation and funds.

Developers know this too, and that’s why it’s important that your devices – all of them, from servers and PCs to security cameras and thermostats – are all kept up-to-date. These updates help patch up holes in the firmware and software that can otherwise be exploited.

We’re big proponents of the “an ounce of prevention is worth a pound of cure” philosophy. If you need help closing up any gaps in your network security, Tech Experts can assist.

We can conduct a network survey, set policies and passwords, segment and restrict access to/from your network, and ensure the right people have the right access.

As cyberattacks against small businesses mount, the time to fortify your first line of defense is now, before it’s too late.

Your Business Is Already Under Attack

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

Ransomware is big business. It’s one of the fastest growing online crimes. Cyber criminals are targeting small and medium sized companies as well as non-profits and government agencies.

It’s the computer crime where your data is encrypted so you can’t access it unless you pay the ransom fee.

The really scary part is that it’s unlikely you’d realize you were under attack from ransomware until it was too late.

Cyber criminals hide in your network for between 60 to 100 days before they strike. During that time they’re checking out your network, identifying vulnerabilities, and preparing what they need to hit you with the attack.

[Read more…] about Your Business Is Already Under Attack

Human Error: The Reason Why Cybercriminals Love Email

Mark Funchion is a network technician at Tech Experts.

Defending your data network against viruses, malware, ransomware, and other threats is a never-ending battle. Some attacks can be very sophisticated, using extremely complex techniques to try and exploit even the most secure networks. However, the vast majority of threats to your network – over 80% – are delivered through a very basic method: email.

Email is a common tool that many of us use constantly at work. Oftentimes, we use it without giving much thought to what we’re doing or what we’re opening.

It’s normal for co-workers, clients, or new prospects to communicate and share files with us via email. The file can be a document, spreadsheet, PDF, etc., but the fact is that it’s common and repetitive to us.

Like anything we do frequently, we can develop muscle memory. Think about the program guide on your TV – you probably navigate the menus without thinking. After an update or a provider switch, those menus can change and you might click the wrong buttons out of habit. No harm there.

But consider making the same mistake when a document is sent to you. The message arrives, and you briefly glance at who it’s from. Maybe you recognize them, maybe you don’t. You see an attachment, and you open it out of habit. The file is infected, and in less than a second, the damage has begun.

Like it or not, the people who are attacking your systems are running a business. Like any business, they are concerned with the return on their investment. Developing high-end, sophisticated attacks takes time and skill, which is expensive to do.

However, minimal skill is required to send an email – and that process can be replicated to hundreds of thousands of users with a simple click of a button. And almost everyone working today might accidentally open an email with little to no thought.

For small businesses, having a firewall, an email filter, and anti-virus software is a must. We can help install and maintain that infrastructure. Unfortunately, the methods that attackers use to slip under your defenses are always changing.

It is important that you and your staff – the end users who do the clicking – still do your part and remain vigilant. Attackers send such a high percentage of attacks through email because of that human element. It works.

It’s essential that you fight your muscle memory and treat email like physical mail. Look at what is being sent, who it is from, and if there is anything attached. If anything seems off, do not open it. Always err on the side of caution.

Also, if you do open something you shouldn’t, it’s better to notify your IT department or provider of a potential issue so they can look at what you were sent.

Often, I have observed someone get a suspicious message, open it, notice something is not right, then forward it to a co-worker for help. By sending the message on, there is a potential to increase the scope of damage done.

Those looking to do harm and steal information will always try the path of least resistance. All the security in the world can’t stop an intruder if you open the door for them.

The same caution you take at home when an unexpected knock is heard should be how you handle all email. Consider the source and content, and if you have doubts, don’t open the message. Delete it.

Malware will never be fully eradicated – cybercriminals will make sure of that – but you can do your part to make sure you do not infect your PC or business.

Handle Your Email With Care (Even With A SPAM Filter)

Mark Funchion is a network technician at Tech Experts.

A lot of the communication we do today is by email. Naturally, that makes it a favorite avenue for malicious individuals to attack your system. A SPAM filter can help considerably, however nothing is 100% effective – and there is a fine line between “too aggressive” and “not aggressive enough.”

Turning up the aggressiveness of the filter may stop the bad mail while at the same time improperly labeling legitimate messages as SPAM. Even with a SPAM filter, you should handle your email with care.

Here are a few tips to potentially save you from opening a message or attachment that is nefarious in nature.

The first rule is “just don’t do it.” It is tempting to just click that link or open that attachment.

You may even do it without a second thought. Scam emails can be very sophisticated, and they will often look like they are real.

Before you do anything, take a moment and consider a few things. If you are sent an attachment from someone you don’t know, never open it. If the fishy attachment or email is from someone you do know but it was not expected, reach out the sender to make sure they actually sent it.

Next, don’t jump the gun on clicking links that are sent to you. Links are easy to manipulate; they can be made to look legitimate, but they’ll actually take you to a different site or start downloading a program or virus.

With links, there are two things you can do.

First, you can open a browser and go directly to the site to bypass all links. This is the safest option, especially when you get an “urgent alert” about your account that “requires immediate action.”

If you can’t go to the page directly through the website, you can hover your cursor over the link. A box will pop up previewing the destination you’re actually being sent to.

If a link looks strange and doesn’t match the company website, don’t click on it. Also, look closely at the link as it may look just like a real one at first glance. Unless you are 100% sure the link is legitimate, do not click on it.

Another giveaway is that the message is poorly written with a lot of grammatical errors. If the message sounds like whoever wrote it doesn’t use English as their first language (and it is not from a foreign company you do business with), delete the message. Do not open or click on anything in the message.

The last point is that it’s usually not a good idea to unsubscribe from scam emails.

This may seem counterintuitive, but when you unsubscribe, you usually put your email address in to confirm you no longer want these messages.

Unfortunately, that lets the scammer know your email address is active. They will continue to send emails to this account or may sell it off as an active email.

Rather than unsubscribe from the email, block the sender. They will not know your email is active, and if they do send another message to you, it will not be received.

SPAM filters are great and they are essential. Still, remember that they are not 100% effective. Even with protection in place, it is wise to proceed with caution.

Take a moment to look for signs that the message is not from who it seems. These few seconds can save you a lot of time and money by avoiding disaster.