The purpose of a password is to protect sensitive data from unauthorised access.
For a long time, to keep up this protective layer, we have advocated that employees create ever more complex passwords and change them even more often.
This is now wrong! What’s the point of a password system if it makes employees’ lives even more complex and doesn’t even properly provide protection any more? Most current password practices were designed for a different age and are no longer fit for purpose. One enormous lesson the COVID pandemic has taught us is that the work environment is now totally different:
However, Human Nature is unchanged:
The more rules, complexities and changes you introduce, the more people will try to find an easy way around them.
The new Best Practice Password System:
If you do this, then:
Even better, with the right computer equipment, you can now get rid of passwords altogether when using a trusted device. Your employees will really appreciate the difference and your security will now actually work!
If you need help, feel free to give us a call; we’re happy to lend our expertise to your organisation.
As we are all still trying to understand what the lasting impact of the COVID-19 pandemic will be, many organisations are taking a hard look at their operating costs and looking for potential cuts. Protecting cash flow is vital right now. At Sensible we want to help you implement strategies that can help reduce your IT costs and set you up with a system flexible enough to support your business through the many changes (or pivots) you might be making to position yourselves to thrive through it all. We want to offer you guidance and support through these times, and potentially help you save some money.
Take a look at your current technology solutions. Take stock of everything you are paying for and ask yourself these questions:
• Is this the right system for my business? Does it accomplish all I need it to?
• Are we currently utilising all the tools we are paying for? Can we cut any?
• Do we lack internal processes? Are there ways I can improve efficiency and save our employees’ time?
The easiest way to reduce costs is to get rid of what’s not working. Many companies have a habit of purchasing a new tool or service to meet an immediate need. Little do they know they usually already have a tool that could meet that need; it’s just not being used properly. Here is a free tip: Do you have Office 365? Most companies get this package so they can use programs like Word and Excel, but don’t fully utilise the other apps that come with it. Microsoft Teams can easily replace Slack and Zoom, and SharePoint or OneDrive can do the job of Google Drive and Dropbox. You’re already paying for Office 365, and the tools themselves are more powerful, providing integration of your information and files across all the apps. You might simply need some training or guidance on how to implement these tools into your business processes, and we can help with that.
Is IT your core skill set? Will you ever be as efficient and skilled as a complete team of specialists? Often your time will be better spent doing what you are best at than wasting countless hours trying to learn an entirely new skill set. Additionally, can you really afford not to do IT the right way? Payroll and training costs alone can be a nightmare. Outsourcing a portion of your IT needs to a third-party resource like Sensible can help you simultaneously improve your technology management and potentially save money. If you’re currently relying on an internal IT manager or a small internal team, are they struggling to keep up with the tsunami of complex and ever-changing technology needs and services? Important competitive projects may be delayed while your team has to complete training, and you become the test environment for their new skills, increasing your risk. Sensible offers a full-service solution for your IT needs, resulting in a higher standard than most organisations can achieve in-house.
How does your current IT resource handle your technology needs? Are you currently working with a “break-fix” style of management, where you pay for problems as they occur whether or not they happened before? Or are you paying a predictable monthly fee for a process that analyses your business, looks for opportunities to improve your staff productivity and tries to prevent problems in the first place? We believe you should engage a provider like us, who trusts their systems to offer you unlimited support for a fixed fee. Those quick fixes add up quickly, and with the right solution, you can eliminate them.
As we are working remotely, it is more imperative than ever to understand how to protect your data. Protecting your finances, your reputation and your intellectual property can be costly, especially if not implemented properly. However, it is even more expensive if you don’t protect them adequately at all. Adhering to compliance regulations can be costly and often means implementing and maintaining a stringent security infrastructure. Do you have the expertise to do this most cost-effectively?
We could cover many more steps to take, but these are the areas where we think you can make the most impact on you and your business. If you’re hesitant about tackling this problem on your own, that’s okay! We encourage you to contact Sensible. We can help you identify these problems and guide you on how to solve them. Give us a call!
Microsoft Office 365 has proven itself to be one of the foremost business-level office solutions in the world, regardless of industry. It’s a set of tools that companies and MSPs all over the world utilise and promote—but that doesn’t mean it’s perfect, and it definitely doesn’t mean that people have mastered and taken advantage of all of its features. Unfortunately, one of the most important aspects of IT management is neglected in most Office 365 implementations: cybersecurity.
Here in Australia we’ve seen a number of high-profile successful cyberattacks in the past few months; Toll Group suffered two attacks, BlueScope Steel was hit by an attack that forced them to shut down operations company-wide, and money management company MyBudget was hacked, causing a nationwide shutdown that left over 13,000 customers financially upset.
If companies of that size are able to be hacked, so can your organisation—you cannot assume that your standard firewall and antivirus combination will keep you safe.
This takes us back to Office 365, which has a variety of security features that many organisations are not aware of, and therefore do not utilise. With more and more organisations moving to Office 365, there are more and more people not optimising their environment or taking the next steps to protect themselves. When we consider the growth and staying power of remote work environments, it becomes an even higher priority.
In our years of experience, we’ve run into a few cases where a company adopts Office 365 out-of-the-box and experiences some form of cybercrime that they thought they were safe from. In one case, a malicious actor was automatically forwarding every email the employee received to their company’s competition—including sensitive personal and financial information. Office 365 has a security feature that can alert the user and/or administrator if company emails are being forwarded outside of the network, or if there’s other strange behaviour—but this feature is not enabled automatically. The victimised company in that case was being spied on for two weeks before they found out—not many companies come out of that with revenue and reputation intact. If they had looked into their cybersecurity options, and not assumed that Office 365 automatically secured everything, this could have been mitigated or avoided entirely.
Another form of security that Office 365 supports is “impossible travel detection”. In an impossible travel scenario, the system detects logins being attempted from different geographic locations within a timeframe in which no one could physically travel between them. For example, a login attempt from London followed an hour later by another attempt from New York. This is impossible travel, and it’s a major indicator that someone is trying to hack your account. There are tools to detect these things and alert the proper individuals—but again, they are not automatically turned on. You need to set them up specifically.
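As an added example of the detection logic the paragraph describes (this is not Microsoft’s implementation or Sensible’s tooling), the Python below groups sign-ins by account, computes the ground speed each consecutive pair would have required, and flags pairs above an assumed 1,000 km/h airliner ceiling. The sign-in log, the coordinates and the threshold are all constructed for the example.

```python
"""Impossible-travel detection over a constructed sign-in log.

Added example: flags consecutive sign-ins for the same account whose implied
ground speed exceeds what an airliner could achieve. Not Microsoft's code.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, Iterable, List, Tuple

EARTH_RADIUS_KM = 6371.0
# Assumed threshold: a commercial airliner cruises at roughly 900 km/h, so a
# much higher implied speed cannot be one person moving between two cities.
MAX_PLAUSIBLE_SPEED_KMH = 1000.0


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime  # timezone-aware UTC timestamp
    city: str
    lat: float
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two latitude/longitude points, in km."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = phi2 - phi1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implied_speed_kmh(a: SignIn, b: SignIn) -> float:
    """Speed the account holder would have needed to get from a to b."""
    hours = abs((b.when - a.when).total_seconds()) / 3600.0
    distance = haversine_km(a.lat, a.lon, b.lat, b.lon)
    if hours == 0:
        # Two sign-ins at the same instant from different places is the
        # strongest possible signal; same place at the same instant is benign.
        return float("inf") if distance > 0 else 0.0
    return distance / hours


def find_impossible_travel(
    events: Iterable[SignIn], max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH
) -> List[Tuple[SignIn, SignIn, float]]:
    """Return (earlier, later, speed) for every consecutive pair of sign-ins
    by the same user whose implied speed exceeds max_speed_kmh."""
    by_user: Dict[str, List[SignIn]] = {}
    for ev in events:
        by_user.setdefault(ev.user, []).append(ev)
    alerts: List[Tuple[SignIn, SignIn, float]] = []
    for user_events in by_user.values():
        user_events.sort(key=lambda e: e.when)  # compare in time order
        for earlier, later in zip(user_events, user_events[1:]):
            speed = implied_speed_kmh(earlier, later)
            if speed > max_speed_kmh:
                alerts.append((earlier, later, speed))
    return alerts


def _utc(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)


# Constructed sample log: the London -> New York one-hour gap from the text,
# plus a benign Sydney -> Melbourne trip for contrast (approximate city centres).
SAMPLE_LOG = [
    SignIn("alice", _utc("2020-06-01T08:00:00"), "London", 51.5074, -0.1278),
    SignIn("alice", _utc("2020-06-01T09:00:00"), "New York", 40.7128, -74.0060),
    SignIn("bob", _utc("2020-06-01T07:30:00"), "Sydney", -33.8688, 151.2093),
    SignIn("bob", _utc("2020-06-01T10:00:00"), "Melbourne", -37.8136, 144.9631),
]

if __name__ == "__main__":
    for earlier, later, speed in find_impossible_travel(SAMPLE_LOG):
        print(f"ALERT {earlier.user}: {earlier.city} -> {later.city} "
              f"in {later.when - earlier.when} implies {speed:,.0f} km/h")
```

Only alice’s London to New York pair trips the rule (about 5,570 km in one hour); bob’s Sydney to Melbourne sign-ins imply under 300 km/h and pass.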
While those tools (and others like them) are less known or understood, there is one security feature that almost everyone is aware of—and which also isn’t activated out-of-the-box: Multi-Factor Authentication (MFA). With MFA activated, users are required to validate their login attempt via another system—this could be a text message, a smartphone app, or a token. While yes, MFA adds another step to every login, it also adds an impossible step for any hacker or social engineer that manages to get hold of your password. If they don’t have both your password and your smartphone, they can’t get into your account to cause problems. Sensible recommends always implementing MFA.
Another major misconception and point of neglect with Office 365 is the assumption that data stored in OneDrive or other cloud-based solutions is backed up. Microsoft only supplies a short-term recycle bin. They do not supply backups at all: this is up to you to arrange. Just because you are working in the cloud does not mean your data is immune from accidental or intentional data loss or corruption.
So what can we do? Sensible is happy to work with you to improve your cloud defences and cybersecurity solutions, whether it involves an Office 365 subscription or not. We begin by discussing your current environment and business before auditing your company for security risks. Once we’ve audited your network and identified your weak points, we can work with you to improve. Whether there’s a certain cybersecurity benchmark you want to hit, or you need to meet regulatory compliance criteria, we can help you get there.
If you’re interested, feel free to give us a call; we’re happy to lend our expertise to your organisation.
Businesses and organisations of all kinds are thinking about the eventual transition back into the office environment. This experience will be different for each organisation. Some have been running essential services during the COVID-19 outbreak, and haven’t really noticed much change in this. Their experience will differ greatly from the business that transitioned to an entirely remote workforce in response to the pandemic—their needs are going to be more costly and drastic. Whatever your experience has been, or what your situation currently is, it’s time to start planning for what comes next. Are you going to return to the office life, like before the pandemic? Are you going to stay entirely remote? The answer to both of these questions is likely “no.” Most organisations would benefit from adopting the Hybrid Working Model.
The Hybrid Working Model (HWM) is simply a simultaneous adoption of in-office and remote work environments. We’re expecting to see a significant number of workers continue to work from home after the social distancing and quarantine restrictions are lifted, and we expect that number to stay fairly consistent. There are also good reasons for returning to the office: face-to-face collaboration can be more effective than remote collaboration, it’s easier to stay focused without the trappings of home, and there are social benefits to working in the office with other people. With these things in mind, we need to look at what businesses and non-profit organisations need to do to prepare for this kind of HWM environment.
Security is always important, but it’s even more important right now. Ransomware attacks have increased by 400% over the last three months as a result of the COVID-19 pandemic response. With businesses and organisations everywhere trying to function with a hastily assembled remote work environment, hackers are taking advantage of the generally weakened cybersecurity. Your business needs to take steps now to solidify your cybersecurity solution and prepare for securing your HWM environment. We expect issues regarding file version control and virus corruption to spike as employees move back into the office, which can put company data at risk.
The quickest and most cost-efficient step you can take to shore up your security is to enable Multi-Factor Authentication or Two-Factor Authentication across all of your accounts and devices. Requiring a secondary verification source (like a smartphone app or a text code) to access accounts and data adds a layer of defence that all but the most dedicated hackers and cybercriminals won’t be able to penetrate. Beyond that, Sensible is happy to work with you to refine and strengthen your cybersecurity offering.
When your team is split between the office and remote work, there are a few things that can make a positive impact. The first is establishing solid policies around transferring data between home and the office. The second is to learn and leverage the full functionality of your current tools. We very commonly see people using great tools like Microsoft Teams, but not using them effectively. For example, Teams has a chat function, a collaborative file sharing function, video conferencing and task management; a lot of companies only use it for communication. Leverage your tools to the fullest extent, especially when on-site and remote workers are working together on one project.
We hope this article highlighted some helpful things for you, and gave you an idea of what you need to prepare for when implementing your Hybrid Working Model environment. If you’re interested in working with a trusted IT partner, Sensible is happy to help you figure out how to best meet your needs.
When it comes to security, it’s better to be safe than sorry. But as the Equifax leak case has taught us, once a security breach does happen, it’s best not to be sorry twice. Read on so your business doesn't experience the same fate as the giant, bumbling credit bureau.
Equifax, the huge American credit agency, announced in September 2017 that its database had been hacked, resulting in a leak of vast amounts of consumers’ private data, including personally identifiable information of around 143 million US and UK citizens. It included names, social security numbers, addresses, birthdates, and credit card and driver’s licence numbers.
Equifax responded by setting up a new site, www.equifaxsecurity2017.com, to help its customers determine whether they had been affected and to provide more information about the incident.
Soon after, Equifax’s official Twitter account tweeted a link that directed customers to www.securityequifax2017.com, which is actually a fake site.
Fortunately for Equifax’s customers, the fake phishing site was set up by a software engineer who wanted to use it for educational purposes and to expose flaws in Equifax’s incident response practice. So no further harm was done to the already-damaged customers, and Equifax was left with even more embarrassment.
One of the huge mistakes Equifax made in responding to its data breach was setting up a new website to give updated information to its consumers outside of its main domain, equifax.com.
Why? You first need to know that since the invention of phishing scams, organised criminals have been creating fake versions of big companies’ websites. That’s why so many major corporations buy domains that are the common misspellings of their real domains.
You should also know that phishers can’t create a web page on the company’s main domain, so if Equifax’s new site had been hosted there, it would have been easy for customers to tell that the new page was legitimate and not be fooled by a fake domain name.
What’s obvious from this embarrassing misstep is that Equifax had never planned for a data leak. And this is an unforgivable oversight by a company that handles the information of over 800 million consumers and more than 88 million businesses worldwide.
Whether your business is a small startup or as big as Equifax, it needs to prepare for a data breach. Besides having a comprehensive network defence plan, you also need to have the right incident response plan in place. New Australian Data Privacy Laws which come into effect in February 2018 have stiff penalties and mandate that you must have a data breach system in place.
So what you should do is implement a system that makes you aware of leaks. Then, once you’ve discovered a leak, first of all be upfront with your customers and notify them as soon as possible.
You also need to establish a message that includes the following information:
You should also create a web page to keep your customers up to date. But remember, the new web page should be under your company’s primary domain name.
As we’ve seen from Equifax, a robust incident response plan is a must. Feel free to talk to our experts about how you can come up with an effective one, so you won’t have to repeat Equifax’s apologetic statement, which didn’t help the company redeem its reputation at all.
Are your Business Passwords Already Up for Sale?
Over the past 12 months, I have personally spoken with over 100 Australian business owners, and found that a whopping 42% have had at least one ransomware attack or data breach.
I am sure you’d agree – that is just shocking. Stop tolerating….
How is this happening?
Employees, left to their own devices, don’t know how to manage passwords. This results in those passwords being easily hacked and sold on the dark web, leaving your business an easy target for ransomware and data breaches.
Another independent survey* showed:
Note: Criminals read the same surveys.
Once a username and password is known it is extremely valuable and likely to be useful for some time…
But what if the breach has already happened?
How would you know? What user accounts and passwords are already compromised?
Sensible Business Solutions today launches a brand-new Dark Web Search service that continuously monitors the dark web for user names and passwords currently offered for sale, and reports how the breach occurred.
Call me: Kevin Spanner at Sensible, to find out more on 1300-SENSIBLE (736-742).
* Survey By Keeper Security
*Not familiar with the term “Dark Web”?
There is a large portion of the internet that is not indexed by search engines like Google. This is the “Deep Web.”
The US Government created this more secure (and usually encrypted) area of the Internet. It quickly became a preferred communication channel for privacy-conscious individuals, organisations and governments to share data, without detection.
However, criminal organisations now use the deep web as a platform. The term “Dark Web” describes the pockets of the deep web that are used to buy, trade and exploit illegal items (AKA Silk Road, etc.) and illegally acquired data (credit cards, passwords, etc.).
Traditional ransomware like WannaCry has been explained a thousand ways on a thousand blogs. But one thing you may not have thought about is what ransomware would be like if it infected your mobile device. Read on to learn more.
Like its desktop equivalent, mobile ransomware needs to be installed on your device before it can do damage. For Android devices, this means mobile apps that hide their true intent. There are two ways to install programs on your mobile device: downloading them from app stores like Google Play and Amazon Appstore, or downloading them directly from websites and email links.
Surprisingly, both come with risks. Unverified sources often advertise free apps that hide malware, and the best of these can occasionally avoid detection and be allowed into monitored app stores.
Similar to ransomware on personal computers, mobile ransomware holds data stored on your device hostage and demands a ransom. For example, in the case of ransomware that came with the "OK" app (a popular Russian social network platform that was infected earlier this year), the user is prompted to change device settings. There is no option to close the prompt, and tapping Accept locks everything down and leaves you with nothing but a ransom note.
First and foremost, avoid downloading apps directly from websites or third-party app stores. Additionally, make sure you turn on Google’s security system -- Verify Apps -- which scans all the apps about to be installed on your device for potential threats. You can do so by opening your Android's settings, choosing Security, tapping on Verify Apps, and activating ‘Scan device for security threats’.
Second, install antivirus software on your device and keep it up to date.
Third, back up important files from your device to either a USB disk, a computer, or any cloud-based services. This way, you won’t lose your valuable data if you are forced to factory-reset your device.
Last, if ransomware made its way into your device, don’t pay. According to IT security company ESET, mobile ransomware very rarely includes programming to reverse the damage it has done.
Losing any type of data is an enormous inconvenience, but businesses need to be especially careful about careless employees. Data loss could result in lawsuits or regulatory fines, so it’s important that you know how to safeguard your Android against ransomware.
For more in-depth advice on how to protect yourself and your business from this threat, get in touch with our experts today.
I had the craziest experience this week.
A business owner we spoke with had a ransomware attack on Monday, and his entire team of 100 staff got locked out of their network.
Clearly his current IT infrastructure wasn’t up to scratch, which led to this problem and his team’s productivity going out the window, costing him thousands in lost revenue and hard wage costs - essentially he was paying for an empty office.
His current IT company (which let the problem into his network), scrambled on a fix and managed to get him back up and running the next day.
The most shocking thing here wasn’t that his IT company didn’t have his protection up to scratch ... it was the comment he made to us:
“It only took 1 day for our IT company to fix it and get us back up and running... Wasn’t that good! We feel no need to change providers.”
This blew my mind.
How can a small business owner:
1. Continue to pay a provider that’s not keeping their IT up to date with best practice?
2. Accept a full 8 hours of productivity loss across 100 staff, that is, at least $30,000 of wages that result in ZERO productivity for the day?
3. Then think that 8 hours to resolve the problem is a good result!
4. Want to stick with a company that caused all this headache, loss of revenue and $30,000 expense?
5. Keep operating the same way, with the possibility of having to tolerate it again?
Is this what the IT industry has come to? Is this the accepted expectation levels?
We’re really proud to be able to say that not a single client of ours has ever lost 1 hour of productivity due to Ransomware or Virus attacks.
I know it may be hard to believe, but it’s the lengths we go to, and the expectation we set for our clients.
Has this happened to you?
Do you think you’re settling too?
Do you no longer want to settle?
If you can spare 4 minutes, I would love to hear about your experiences or expectations around this – it’s been bugging me all week!
Last week’s massive ransomware outbreak, called WannaCry, affected over 150 countries and dominated the news headlines globally, and it was just the beginning. We expect newer, more malicious versions any day.
This event had a massive impact everywhere, including the National Health Service in the UK, blocking all access to patient records. Imagine what it could do to your business.
Ransomware is malicious software that blocks and encrypts computers and files (including backups) until a ransom is paid to organised crime. It spreads very easily across networks.
Organised crime reaped over USD 300 million from one ransomware variant in 2016 alone. No wonder they invest in newer techniques every few months to trick people into running malicious software.
The result of such an attack may be complete loss of access to the data on all of your connected computer systems and your backups. The resulting damage to your business, customers, suppliers and employees could be catastrophic.
Paying the ransom may often seem like the only option, but it is no guarantee that the ransom won’t be increased, that the damage will be reversed, or that a backdoor hasn’t been left open for future attacks. Contrary to popular opinion, Telstra’s latest Cybersecurity Report showed that in 2016 less than 1/3 of people retrieved their data after paying the ransom.
Smaller Businesses are being Targeted
WannaCry was a general attack on all vulnerable users and computers around the world. No business is immune. Small and medium-sized businesses, who often think they are too small or unimportant to be targeted, are increasingly seen by criminal organisations as ‘soft targets’.
In fact, smaller enterprises like yours probably don’t have the scale and resources of larger enterprises like the UK’s NHS to survive an attack. It’s even more vital you protect yourself.
In recent months it has become clear that conventional anti-virus solutions, though reasonably adequate to date, have been far outpaced by the capabilities of modern malware.
Staying protected from the latest, ever more sophisticated “threat landscape” requires a proactive, managed and continually evolving solution. These attacks can only be mitigated if continually updated layers of systems and processes are maintained to keep pace. This is called “Active Defence in Depth”.
Until recently, this was beyond the reach of businesses of your size.
We have launched a Free Report on how you can start protecting your business. The 10 Most Critical IT Security Protections Every Business Must Have In Place NOW.
The WannaCry attacks are a wake-up call and an urgent reminder of the ever-present threat that is only one click away. Please remember that should your data be compromised, the subsequent disruption to your business could be an expensive, even disastrous test of your current defences.
ACT NOW!
“Never before in the history of humankind have people across the world been subjected to extortion on a massive scale as they are today.” That’s what The Evolution of Ransomware, a study by California-based cybersecurity firm Symantec, reported recently.
If you have any illusions that your company is safe from cyber-attack in 2017, consider just a few findings stated in a recent report by the Herjavec Group, a global information security firm:
Clearly, your company’s information and financial well-being are at greater risk than ever in 2017. And you cannot count on the federal or state government or local police to protect your interests. That’s why I STRONGLY SUGGEST that you implement the following resolutions starting TODAY.
Resolution #1: Tune up your backup and recovery system. The #1 antidote to a ransomware attack is more frequent and up-to-date backup copies of all your data and software. Yet managing backups takes more than just storing a daily copy of your data. For one thing, if your business is at all typical, the amount of data you store grows by 35% or more PER YEAR. If your data management budget doesn’t expand likewise, expect trouble. And what about important data stored in cloud solutions like Dropbox?
Resolution #2: Harness the power of the cloud—but watch your back. Huge productivity gains and reduced costs can be achieved by making full use of the cloud. Yet it’s a double-edged sword. Any oversight in security practices can lead to a breach. Here are two things you can do to harness the cloud safely:
Resolution #3: Set and enforce a strict Mobile Device Policy. As BYOD becomes the norm, mobile devices open gaping holes in your network’s defences. Don’t miss any of these three crucial steps:
Resolution #4: Ensure you have the latest Security Technology Layers in place. The fact is that attacks are becoming more sophisticated every month. Do this at least:
Free Network And Security Audit Resolves Your Biggest Data Security Problems and Makes Your Systems Run Like A Fancy Swiss Watch
Ever asked yourself why some business owners and CEOs seem so blithely unconcerned about data protection? Don’t let their ignorance lull you into a false sense of security. If you’ve read this far, you are smart enough to be concerned. Contact us today at 1300-SENSIBLE (736-742) and we’ll send one of our top network security experts over for a FREE Network and Security Audit. It’s your best first step to a safe and prosperous 2017.