The purpose of a password is to protect sensitive data from unauthorised access.
For a long time, to keep up this protective layer, we have advocated that employees create ever more complex passwords and change them even more often.
This is now wrong! What’s the point of a password system if it makes employees’ lives even more complex and no longer even provides proper protection? Most current password practices were designed for a different age and are no longer fit for purpose. One enormous lesson that the COVID pandemic has taught us is that the work environment is now totally different:
However, Human Nature is unchanged:
The more rules, complexities and changes you introduce, the more people will try to find an easy way around them.
The new Best Practice Password System:
If you do this, then:
Even better, with the right computer equipment, you can now even get rid of passwords altogether when using a trusted device. Your employees will really appreciate the difference, and your security will now actually work!
If you need help, feel free to give us a call; we’re happy to lend our expertise to your organisation.
Apple computers have long touted enhanced security measures as compared to their PC counterparts. The truth? Macs can be just as vulnerable as PCs.
Apple’s closed system: once a strength, now a downfall
Though their closed system is an advantage over Microsoft, it has recently proven to be a massive downfall. The T2-equipped Macs, meant to be their most secure version yet, have proven vulnerable. Hackers have found that with physical access, security encryption can be compromised entirely.
Usually, Apple would issue a patch (an update) to fortify any openings, but this specific weak spot lives in the hardware of the machines, not the software of the operating system. Hackers can use what is called the Blackbird exploit to boot with root access to the SEP chip in your Mac which stores your most sensitive data: encryption, passcodes, ApplePay, biometric data, etc.
In simpler terms, all Macs with the T2 chip are seriously hackable, and Apple can’t fix it.
What about Macs that don’t have the T2 chip?
Even though this hardware vulnerability is a specific case, Macs have always been and will be susceptible to cybercrime. Though cybercriminals are typically focused on PCs since they are more widely adopted, the rising popularity of Macs is proving to draw their attention. We are seeing more system-agnostic attacks meaning they can be effective on both Macs and PCs.
Beyond the T2 chip vulnerability, all Macs are susceptible to viruses, malware, and web threats. Here are some busted myths:
1. Macs don’t get malware. Even though the system has certain safeguards, users are ultimately the vulnerability when it comes to malware. Actions like opening an unknown attachment, downloading software from malicious sites, or clicking on bad online ads can land you with malware that can sap your system's productivity or worse.
2. Macs don’t need security software. Again, the system is at the mercy of the user. Users can be fooled by phishing emails or prompted to download bad software. Security solutions will stop you before you do something detrimental.
3. My information is safe on my Mac. Though many cybercriminal attacks are geared towards PCs, device theft skews towards Mac computers and devices as they are easily identified and highly priced. Make sure that your devices have Find My Mac set up, are password protected, and go through regular data backups to an external storage space.
Should I stop using Macs? How do I protect my device?
We are not at all suggesting that Macs are not suitable for personal or business use. We see the discovery of the T2 chip vulnerability as a timely example to underscore that no matter what devices you are using, you need to take precautions to protect yourself or your business from cybercrime. Here are some basic steps to protect your device:
1. Install security software. Period. There are so many options that finding one with adequate strength at a reasonable price point is fairly simple. If you run into any issues, we encourage you to give us a call, and we would be happy to help you out.
2. Keep on top of software updates. The reason for updates is to improve your device. Though it can be a minor annoyance, keeping your devices up to date ensures you have the most recent security patches and bug fixes.
3. Invest in education and training. Especially for businesses, training your employees on how to adhere to security policies and recognise cyberthreats will exponentially decrease the likelihood of them putting your information at risk.
4. Work with an IT professional. An IT provider can help ensure that you aren’t leaving any holes in your defences, advise you on which tools or software would work best for your organization, and help provide solutions to any IT problems you are facing. Here at Sensible we love giving our clients back their peace of mind, knowing that with all the potential threats out there, we can expertly protect their information and help craft solutions for any problems they encounter. If you need IT assistance, give us a call.
Cybercriminal attacks are getting more and more sophisticated. If your business's site doesn't have an SSL certificate you are putting your reputation and your site's visitors at risk. In this blog, we will be covering:
If your business's website doesn't have an SSL certificate, we can help. Book a call today.
SSL certificates are a vital part of internet security, especially when your business needs to have an online presence. SSL certificates secure your domain, providing your online visitors’ security, which is paramount. You need to create a secure environment that makes clients and potential customers confident in your business. Position your business as a trusted and secure resource: an SSL certificate helps you do that in two essential ways:
As technology advances, so does the sophistication of cybercriminals’ attacks. We have seen businesses’ websites spoofed or redirected, which causes a lot of grief for the business, their clients, and their potential clients. In fact, as a result, Google Chrome and other browsers will now penalise (and potentially block) any website that does not have an SSL certificate. Check to make sure your URL begins with https:// not just http://. The S indicates that the website does have an SSL certificate. If you don’t have one, we can help you get one: book a call with us today.
Not all SSL Certificates are equal. There are essentially 2 types of SSL Certificate generally available now:
SSL certificates can only now be purchased for 1 year periods, so make sure to renew it every year.
There are definitely cheaper options out there for SSL certificates. However, you do get what you pay for.
As we outlined above, SSL certificates are not all the same. Having a cheaper SSL usually provides minimum encryption and trust, and is considered the bare minimum when it comes to protecting your website and its visitors. The more expensive the SSL, the more protection it provides. We can help you weigh your options and find the right provider for your business.
We have put together a checklist to help you decide on the best SSL provider for you:
1. Do they properly validate the identity of the SSL purchaser? This is a manual, slower process to ensure that the purchaser of the "www.CONTOSO.com.au" SSL certificate actually is CONTOSO and not an imposter. They also include your business name on the certificate. Cheaper providers simply do not have the infrastructure for this important step, or they skip it or do only a very basic check. That means lower trust, and it is the main reason for a cheaper price.
2. Is there a warranty offered to users of your internet services? A warranty is insurance for an end user against loss of money when they make a payment on an SSL-secured site. This is very important for e-commerce sites but is also important if personal data is being submitted to the secure site. For example, GoDaddy offers only a limit of $1,000 to end users against loss of money when submitting a payment on an SSL-secured site, which means lower trust. Our preferred provider comes with a $1 million warranty.
3. Are you buying the SSL from a registered Trusted Certificate Authority or just a wholesaler? Is the provider simply a mass wholesaler of other people’s SSLs, or do they directly stand behind it and offer the service themselves? Trusted Certificate Authorities are organisations that have earnt trust globally (and by all web browsers) to safely and securely provide secure identities. There are only 8 actual Trusted Certificate Authorities in the world. Our preferred provider is one of these Trusted Authorities and offers 24x7 support.
4. What level of encryption is provided? What level of encryption is provided to protect the data in transit over the public internet: 128-bit or 256-bit? This determines how easy it is for a hacker to grab the sensitive information. The standard now is 256-bit, which is a lot harder to hack.
5. Is the SSL certificate guaranteed to work on all devices? Has the certificate been verified to work on all devices that may connect, e.g. smartphones and tablets? Some providers do not verify this, though this is becoming less common.
As an internationally ISO27001 accredited organisation, Sensible Business Solutions takes security very seriously.
We have to go out of our way to ensure the systems and suppliers we deal with have best practices in place, offer business-grade support, etc. The choice is up to you - but we will always be able to help you with the systems we recommend.
If you need more assistance, give us a call, we're happy to lend our expertise to your organisation.
Microsoft Office 365 has proven itself to be one of the foremost business-level office solutions in the world, regardless of industry. It’s a set of tools that companies and MSPs all over the world utilise and promote—but that doesn’t mean it’s perfect, and it definitely doesn’t mean that people have mastered and taken advantage of all of its features. Unfortunately, one of the most important aspects of IT management is neglected in most Office 365 implementations: cybersecurity.
Here in Australia we’ve seen a number of high-profile successful cyberattacks in the past few months; Toll Group suffered two attacks, BlueScope Steel was hit by an attack that forced them to shut down operations company-wide, and money management company MyBudget was hacked, causing a nationwide shutdown that left over 13,000 customers financially upset.
If companies of that size are able to be hacked, so can your organisation—you cannot assume that your standard firewall and antivirus combination will keep you safe.
This takes us back to Office 365, which has a variety of security features that many organisations are not aware of, and therefore do not utilise. With more and more organisations moving to Office 365, there are more and more people not optimising their environment or taking the next steps to protect themselves. When we consider the growth and staying power of remote work environments, it becomes an even higher priority.
In our years of experience, we’ve run into a few cases where a company adopts Office 365 out of the box, and experiences some form of cybercrime that they thought they were safe from. In one case, there was a malicious actor that was automatically forwarding every email the employee received to their company’s competition—including sensitive personal and financial information. Office 365 has a security feature that can alert the user and/or administrator if company emails are being forwarded outside of the network, or if there’s other strange behaviour—but this feature is not enabled automatically. The victimised company in that case was being spied on for two weeks before they found out; not many companies come out of that with revenue and reputation intact. If they had looked into their cybersecurity options, and not assumed that Office 365 automatically secured everything, this could have been mitigated or avoided entirely.
Another form of security that Office 365 supports is “impossible travel detection”. In an impossible travel scenario, the system detects if logins are being attempted from different geographic locations in a timeframe that you couldn’t physically achieve. For example, a login attempt in London, and an hour later another attempt from New York. This is impossible travel, and it’s a major indicator that someone is trying to hack your account. There are tools to detect those things and alert the proper individuals—but again, these are not automatically turned on. You need to set it up specifically.
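The two detections described in the last two paragraphs (an inbox rule forwarding company mail to an outside address, and two sign-ins too far apart for the time between them) can be expressed as simple checks over exported data. The block below is an added example, not code from the original article or from Microsoft; the rule and sign-in records, the company domain contoso.example, and the 900 km/h plausibility threshold are all constructed here for illustration.

```python
"""
Added example (not part of the original article): two checks for the Office 365
scenarios described above, run over constructed sample data so it works offline.
1. Inbox rules that forward mail to an address outside the company's domain.
2. "Impossible travel": consecutive sign-ins by the same user whose distance
   apart would require travelling faster than a plausible airline speed.
Assumptions: the record shapes, the domain "contoso.example" and the 900 km/h
threshold are chosen here, not taken from any Office 365 export format.
"""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

COMPANY_DOMAIN = "contoso.example"   # assumed tenant domain
MAX_PLAUSIBLE_KMH = 900.0            # assumed threshold, roughly airliner speed

# Constructed sample data: inbox rules as an administrator's export might list them.
INBOX_RULES = [
    {"user": "alice@contoso.example", "name": "Archive", "forward_to": []},
    {"user": "bob@contoso.example", "name": "Sync",
     "forward_to": ["sales@rival-company.example"]},
    {"user": "carol@contoso.example", "name": "Copy to self",
     "forward_to": ["carol@contoso.example"]},
]

# Constructed sample sign-in events: (user, UTC time, city, latitude, longitude).
SIGNINS = [
    ("alice@contoso.example", "2024-03-01T09:00:00", "London", 51.5074, -0.1278),
    ("alice@contoso.example", "2024-03-01T10:00:00", "New York", 40.7128, -74.0060),
    ("bob@contoso.example", "2024-03-01T08:00:00", "Sydney", -33.8688, 151.2093),
    ("bob@contoso.example", "2024-03-01T09:30:00", "Melbourne", -37.8136, 144.9631),
]


def external_forwarding_rules(rules, company_domain=COMPANY_DOMAIN):
    """Return (user, rule name, external addresses) for every rule that
    forwards to at least one address outside company_domain."""
    findings = []
    for rule in rules:
        external = [addr for addr in rule["forward_to"]
                    if addr.rsplit("@", 1)[-1].lower() != company_domain]
        if external:
            findings.append((rule["user"], rule["name"], external))
    return findings


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    earth_radius_km = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def impossible_travel(signins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, from_city, to_city, implied_kmh) for each pair of
    consecutive sign-ins whose implied ground speed exceeds max_kmh."""
    by_user = {}
    for user, ts, city, lat, lon in signins:
        when = datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)
        by_user.setdefault(user, []).append((when, city, lat, lon))
    alerts = []
    for user, events in by_user.items():
        events.sort()  # chronological order per user
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(events, events[1:]):
            hours = (t2 - t1).total_seconds() / 3600
            km = haversine_km(la1, lo1, la2, lo2)
            # A real distance covered in no time at all is also impossible.
            speed = float("inf") if hours == 0 else km / hours
            if km > 0 and speed > max_kmh:
                alerts.append((user, c1, c2, round(speed)))
    return alerts


if __name__ == "__main__":
    for finding in external_forwarding_rules(INBOX_RULES):
        print("external forwarding rule:", finding)
    for alert in impossible_travel(SIGNINS):
        print("impossible travel:", alert)
```

Run as a script it reports Bob's rule forwarding to rival-company.example and Alice's London-to-New York pair (about 5,570 km in one hour); Bob's Sydney-to-Melbourne pair (roughly 710 km in 90 minutes) stays below the threshold and is not reported. In practice the threshold also has to tolerate VPN exits and shared corporate IP ranges, which is why the built-in Office 365 alerting is worth enabling rather than relying on a script alone.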
While those tools (and others like them) are less known or understood, there is one security feature that almost everyone is aware of—and that also isn’t activated out of the box: Multi-Factor Authentication (MFA). With MFA activated, users are required to validate their login attempt via another system—this could be a text message, a smartphone app, or a token. While yes, MFA adds another step to every login, it also adds an impossible step for any hacker or social engineer that manages to get hold of your password. If they don’t have both your password and your smartphone, they can’t get into your account to cause problems. Sensible recommends always implementing MFA.
Another major misconception and point of neglect with Office 365 is the assumption that data stored in OneDrive or other cloud-based solutions is backed up. Microsoft only supplies a short-term recycle bin. They do not supply backups at all: this is up to you to arrange. Just because you are working in the cloud does not mean your data is immune from accidental or intentional data loss or corruption.
So what can we do? Sensible is happy to work with you to improve your cloud defences and cybersecurity solutions, whether it involves an Office 365 subscription or not. We begin by discussing your current environment, and business, before auditing your company for security risks. Once we’ve audited your network and identified your weak points, we can work with you to improve. Whether there’s a certain cybersecurity benchmark you want to hit, or if you need to meet regulatory compliance criteria, we can help you get there.
If you’re interested, feel free to give us a call; we’re happy to lend our expertise to your organisation.
Businesses and organisations of all kinds are thinking about the eventual transition back into the office environment. This experience will be different for each organisation. Some have been running essential services during the COVID-19 outbreak, and haven’t really noticed much change in this. Their experience will differ greatly from the business that transitioned to an entirely remote workforce in response to the pandemic—their needs are going to be more costly and drastic. Whatever your experience has been, or what your situation currently is, it’s time to start planning for what comes next. Are you going to return to the office life, like before the pandemic? Are you going to stay entirely remote? The answer to both of these questions is likely “no.” Most organisations would benefit from adopting the Hybrid Working Model.
The Hybrid Working Model (HWM) is simply a simultaneous adoption of in-office and remote work environments. We’re expecting to see a significant number of workers continue to work from home after the social distancing and quarantine restrictions are lifted, and we expect that number to stay fairly consistent. There are also good reasons for returning to the office: face-to-face collaboration can be more effective than remote collaboration, it’s easier to stay focused without the trappings of home, and there are social benefits to working in the office with other people. With these things in mind, we need to look at what businesses and non-profit organisations need to do to prepare for this kind of HWM environment.
Security is always important, but it’s even more important right now. Ransomware attacks have increased by 400% over the last three months as a result of the COVID-19 pandemic response. With businesses and organisations everywhere trying to function with a hastily-assembled remote work environment, hackers are taking advantage of the generally weakened cybersecurity. Your business needs to take steps now to solidify your cybersecurity solution and prepare for securing your HWM environment. We expect issues regarding file version control and virus corruption to spike as employees move back into the office, which can put company data at risk.
The quickest and most cost-efficient step you can take to shore up your security is to enable Multi-factor Authentication or Two-Factor Authentication across all of your accounts and devices. Requiring a secondary verification source (like a smartphone app or a text code) to access accounts and data adds a layer of defense that all but the most dedicated hackers and cybercriminals won’t be able to penetrate. Beyond that, Sensible is happy to work with you to refine and strengthen your cybersecurity offering.
When your team is split between the office and remote work, there are a few things that can make a positive impact. The first is establishing solid policies around transferring data between home and the office. The second is to learn and leverage the full functionality of your current tools. We very commonly see people using great tools like Microsoft Teams, but not using them effectively. For example, Teams has a chat function, a collaborative file sharing function, video conferencing, and task management; a lot of companies only use it for communication. Leveraging your tools to the fullest extent pays off, especially when on-site and remote workers are working together on one project.
We hope this article highlighted some helpful things for you, and gave you an idea of what you need to prepare for when implementing your Hybrid Working Model environment. If you’re interested in working with a trusted IT partner, Sensible is happy to help you figure out how to best meet your needs.
A glaring security mistake has been discovered in Apple’s most recent desktop operating system. It’s not the sort of vulnerability that requires complicated malware or IT knowledge; anyone can learn this exploit in a matter of minutes to steal your password. Here’s how to stop that from happening.
The vulnerability pertains to sweeping changes in how macOS stores files. In the High Sierra update, the Apple File System (APFS) was introduced to make opening and saving files much faster. As an added bonus, APFS also added advanced features like drive encryption.
However, users who add a second encrypted APFS partition to their computer’s drive aren’t keeping their data safe from prying eyes.
Let’s imagine you want to create a separate storage partition for your work files. The data contains sensitive information so you encrypt the drive and add a password.
If in the course of setting the password you were to provide a password hint, High Sierra will display your password when anyone clicks Show Hint when accessing the drive. You can see how it’s done in this 45-second video.
When anyone can retrieve your password in a matter of seconds, encryption becomes completely pointless.
Sadly, the update for encrypted APFS drives requires much more than installing a patch. As such, we do not recommend trying to fix this issue without professional help if your encrypted partition has irreplaceable data. It is a complicated process and could result in data loss.
Apple procedures for fixing the issue if you’ve already encrypted a drive include:
Apple’s macOS is a great operating system. It is reliable, secure, and user friendly -- but like any piece of software, it’s not perfect. Don’t make the mistake of assuming macOS is safe enough to protect your data without outside help. For help encrypting your drives or securing your Macs, call us today.
Are your Business Passwords Already Up for Sale?
Over the past 12 months, I have personally spoken with over 100 Australian business owners, and found that a whopping 42% have had at least 1 Ransomware Attack or Data Breach.
I am sure you’d agree – that is just shocking. Stop tolerating….
How is this happening?
Employees, left to their own devices, don’t know how to manage passwords. This results in them being easily hacked, sold on the dark web and leaving your business as an easy target for ransomware / data breaches.
Another independent survey* showed:
Note : Criminals read the same surveys
Once a username and password is known it is extremely valuable and likely to be useful for some time…
But what if the breach has already happened?
How would you know? What user accounts and passwords are already compromised?
Sensible Business Solutions today launches a brand new Dark Web Search service that continuously monitors the dark web for user names and passwords that are currently offered for sale and how the breach occurred.
Call me: Kevin Spanner at Sensible to find out more on 1300-SENSIBLE (736-742)
* Survey By Keeper Security
*Not familiar with the term “Dark Web”?
There is a large portion of the internet that is not indexed by search engines like Google. This is the “Deep Web.”
The US Government created this more secure (and usually encrypted) area of the Internet. It quickly became a preferred communication channel for privacy-conscious individuals, organisations and governments to share data, without detection.
However, criminal organisations now use the deep web as a platform. The term “Dark Web” describes the pockets of the deep web that are used to buy, trade and exploit illegal items (AKA Silk Road, etc.) and illegally acquired data (credit cards, passwords, etc.).
I had the craziest experience this week.
A business owner we spoke with had a ransomware attack on Monday, and his entire team of 100 staff got locked out of their network.
Clearly his current IT infrastructure wasn’t up to scratch, which led to this problem and his team’s productivity going out the window, costing him thousands in lost revenue and hard wage costs - essentially he was paying for an empty office.
His current IT company (which let the problem into his network), scrambled on a fix and managed to get him back up and running the next day.
The most shocking thing here wasn’t that his IT company didn’t have his protection up to scratch ... it was the comment he made to us:
“It only took 1 day for our IT company to fix it and get us back up and running... Wasn’t that good! We feel no need to change providers.”
This blew my mind.
How can a small business owner:
1. Continue to pay a provider that’s not keeping their IT up to date with best practice?
2. Accept a full 8 hours of productivity loss, across 100 staff. That is at least $30,000 of wages that result in ZERO productivity for the day?
3. Then think that 8 hours to resolve the problem is a good result!
4. Want to stick with a company that caused all this headache, loss of revenue and $30,000 expense?
5. Keep operating the same way, with the possibility of having to tolerate it again?
Is this what the IT industry has come to? Is this the accepted expectation levels?
We’re really proud to be able to say that not a single client of ours has ever lost 1 hour of productivity due to Ransomware or Virus attacks.
I know it may be hard to believe, but it’s the lengths we go to, and the expectation we set for our clients.
Has this happened to you?
Do you think you’re settling too?
Do you no longer want to settle?
If you can spare 4mins, I would love to hear about your experiences or expectations around this – it’s been bugging me all week!
Last week’s massive ransomware outbreak called WannaCry, which affected over 150 countries and dominated the news headlines globally, was just the beginning... We expect newer, more malicious versions any day.
This event had a massive impact everywhere, including the National Health Scheme in UK, blocking all access to patient records. Imagine what it could do to your business?
Ransomware is malicious software that blocks and encrypts computers and files (including backups) until a ransom is paid to organised crime. It spreads very easily across networks.
Organised crime reaped over USD $300 million from one ransomware variant in 2016 alone. No wonder they invest in newer techniques every few months to trick people into running malicious software.
The result of such an attack may be complete loss of access to the data on all of your connected computer systems and your backups. The resulting damage to your business, customers, suppliers and employees could be catastrophic.
Paying the ransom may often seem like the only option but it is no guarantee that the ransom won’t be increased or the damage reversed or a backdoor left open for future attacks. Contrary to opinion, Telstra’s latest Cybersecurity Report showed that in 2016 less than 1/3 of people retrieved their data after paying the ransom.
Smaller Businesses are being Targeted
WannaCry was a general attack on all vulnerable users and computers around the world. No business is immune. Small and medium sized businesses, who often think they are too small or unimportant to be targeted, are increasingly seen by criminal organisations as ‘soft targets’.
In fact, smaller enterprises like yours probably don’t have the scale and resources of larger enterprises like the UK’s NHS to survive an attack. It’s even more vital you protect yourself.
In recent months it has become clear that conventional anti-virus solutions, though reasonably adequate to date, have been far outpaced by the capabilities of modern malware.
To stay protected from the latest, ever more sophisticated “threat landscape” requires a proactive, managed and continually evolving solution. These attacks can only be mitigated if continually updated layers of systems and processes are maintained to keep pace. This is called “Active Defence in Depth”.
Until recently, this was beyond the reach of businesses of your size.
We have launched a Free Report on how you can start protecting your business. The 10 Most Critical IT Security Protections Every Business Must Have In Place NOW.
The WannaCry attacks are a wake-up call and urgent reminder of the ever present threat that is only one click away. Please remember that should your data be compromised the subsequent disruption to your business could be an expensive, even disastrous test of your current defences.
ACT NOW!
Yesterday, the Australian Parliament enacted the Privacy Amendment (Notifiable Data Breaches) Bill 2016.
This means that Australian organisations will now have to publicly disclose any data breaches.
Penalties for non-disclosure range from $360,000 for responsible individuals to $1.8 million for organisations.
Forget the fines, if the world found out you were responsible for a data breach, what would that do to your business reputation? Are you the responsible person?
Just about all Australian businesses and non-profit organisations:
Any day - as soon as the new law is signed by the Governor General.
A breach occurs where there has been unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals
AND this event could allow serious harm to an individual:
You’ll need to disclose what information was involved. This could include personal details, credit card information, credit eligibility information, and tax file numbers.
You’ll also need to advise the customers what they should do to protect themselves.
Penalties per non-disclosure range from $360,000 for individuals to $1.8 million for organisations.
If you need help with this, contact your professional Business Technology Adviser who should have the systems ready now to prepare and protect you.
If you require any assistance, call us to arrange a Data Security Audit at 1300-SENSIBLE (736-742) or email: firstname.lastname@example.org