The purpose of a password is to protect sensitive data from unauthorised access.
For a long time, to keep up this protective layer, we have advocated that employees create ever more complex passwords and change them even more often.
This is now wrong ! What’s the point of a password system if it makes employees lives even more complex and it doesn’t even properly provide protection any more? Most current password practices were designed for a different age and are no longer fit for purpose. One enormous lesson that the COVID pandemic has taught us, is that the work environment is now totally different :
However, Human Nature is unchanged:
The more rules and complexities and changes you introduce , the more people will try to find an easy way around them.
The new Best Practice Password System:
If you do this, then:
Even better, with the right computer equipment, you can now even get rid of passwords all together when using a trusted device. Your employees will really appreciate the difference and your security will now actually work !
If you need help , feel free to give us a call; we’re happy to lend our expertise to your organisation.
Apple computers have long touted enhanced security measures as compared to their PC counterparts. The truth? Macs can be just as vulnerable as PCs.
Apple’s closed system: once a strength, now a downfall
Though their closed system is an advantage over Microsoft, it has recently proven to be a massive downfall. The T2 equipped Macs, meant to be their most secure version yet, has proven vulnerable. Hackers have found that with physical access, security encryption can be compromised entirely.
Usually, Apple would issue a patch (an update) to fortify any openings, but this specific weak spot lives in the hardware of the machines, not the software of the operating system. Hackers can use what is called the Blackbird exploit to boot with root access to the SEP chip in your Mac which stores your most sensitive data: encryption, passcodes, ApplePay, biometric data, etc.
In simpler terms, all Macs with the T2 chip are seriously hackable, and Apple can’t fix it.
What about Macs that don’t have the T2 chip?
Even though this hardware vulnerability is a specific case, Macs have always been and will be susceptible to cybercrime. Though cybercriminals are typically focused on PCs since they are more widely adopted, the rising popularity of Macs is proving to draw their attention. We are seeing more system-agnostic attacks meaning they can be effective on both Macs and PCs.
Beyond the T2 chip vulnerability, all Macs are susceptible to viruses, malware, and web threats. Here are some busted myths:
1. Macs don’t get malware. Even though the system has certain safeguards, users are ultimately the vulnerability when it comes to malware. Actions like opening an unknown attachment, downloading software from malicious sites, or clicking on bad online ads can land you with malware that can sap your system's productivity or worse.
2. Macs don’t need security software. Again, the system is at the mercy of the user. Users can be fooled by phishing emails or prompted to download bad software. Security solutions will stop you before you do something detrimental.
3. My Information is safe on my Mac. Though many cybercriminal attacks are geared towards Pcs, device theft skews towards Mac computers and devices as they are easily identified and highly priced. Make sure that your devices have Find My Mac set up, are password protected, and go through regular data backups to an external storage space.
Should I stop using Macs? How do I protect my device?
We are not at all suggesting that Macs are not suitable for personal or business use. We see the discovery of the T2 chip vulnerability as a timely example to underscore that no matter what devices you are using, you need to take precautions to protect yourself or your business from cybercrime. Here are some basic steps to protect your device:
1. Install security software. Period. There are so many options, finding one with adequate strength and at a reasonable price point is fairly simple. If you run into any issues, we encourage you to give us a call (book a call link), and we would be happy to help you out.
2. Keep on top of software updates. The reason for updates is to improve your device. Though it can be a minor annoyance, keeping your devices up to date ensures you have the most recent security patches and big fixes.
3. Invest in education and training. Especially for businesses, training your employees on how to adhere to security policies and recognize cyberthreats will exponentially decrease their likelihood to put your information at risk.
4. Work with an IT professional. An IT provider can help ensure that you aren’t leaving any holes in your defences, advise you on which tools or software would work best for your organization, and help provide solutions to any IT problems you are facing. Here at Sensible we love giving our clients back their peace of mind, knowing that with all the potential threats out there, we can expertly protect their information and help craft solutions for any problems they encounter. If you need IT assistance, give us a call.
Microsoft Office 365 has proven itself to be one of the foremost business-level office solutions in the world, regardless of industry. It’s a set of tools that companies and MSPs all over the world utilise and promote—but that doesn’t mean it’s perfect, and it definitely doesn’t mean that people have mastered and taken advantage of all of its features. Unfortunately, one of the most important aspects of IT management is neglected in most Office 365 implementations: cybersecurity.
Here in Australia we’ve seen a number of high-profile successful cyberattacks in the past few months; Toll Group suffered two attacks, BlueScope Steel was hit by an attack that forced them to shut down operations company-wide, and money management company MyBudget was hacked, causing a nationwide shutdown that left over 13,000 customers financially upset.
If companies of that size are able to be hacked, so can your organisation—you cannot assume that your standard firewall and antivirus combination will keep you safe.
This takes us back to Office 365, which has a variety of security features that many organisations are not aware of, and therefore do not utilise. With more and more organisations moving to Office 365, there are more and more people not optimising their environment or taking the next steps to protect themselves. When we consider the growth and staying power of remote work environments, it becomes an even higher priority.
In our years of experience, we’ve run into a few cases where a company adopts Office 365 out-of-the-box, and experiences some form of cybercrime that they thought they were safe from. In one case, there was a malicious actor that was automatically forwarding every email the employee received to their company’s competition—including sensitive personal and financial information. Office 365 has a security feature that can alert the user and/or administrator if company emails are being forwarded outside of the network, or if there’s other strange behaviour—but this feature is not enabled automatically. The victimized company in that case was being spied on for two weeks before they found out —not many companies come out of that with revenue and reputation intact. If they had looked into their cybersecurity options, and didn’t assume that Office 365 automatically secured everything, this could have been mitigated or avoided entirely.
Another form of security that Office 365 supports is “impossible travel detection”. In an impossible travel scenario, the system detects if logins are being attempted from different geographic locations in a timeframe that you couldn’t physically achieve. e.g. Login attempt in London, and after an hour it’s being attempted again from New York. This is impossible travel, and it’s a major indicator that someone is trying to hack your account. There are tools to detect those things and alert the proper individuals—but again, these are not automatically turned on. You need to set it up specifically.
While those tools (and others like them) are less known or understood, there is one security feature that almost everyone is aware of—and also isn’t activated out-of-the-box : Multi-Factor Authentication (MFA). With MFA activated, users are required to validate their login attempt via another system—this could be a text message, a smartphone app, or token. While yes, MFA adds another step to every login, it also adds an impossible step to any hacker or social engineer that manages to get a hold of your password. If they don’t have both your password and your smartphone, they can’t get into your account to cause problems. Sensible recommends always implementing MFA.
Another major misconception and point of neglect with Office 365 is the assumption that data stored in OneDrive or other Cloud-based solutions are backed up. Microsoft only supplies a short term recycle bin. They do not supply backups at all: this is up to you to arrange. Just because you are working in the cloud does not mean your data is immune from accidental / intentional data loss or corruption.
So what can we do? Sensible is happy to work with you to improve your cloud defences and cybersecurity solutions, whether it involves an Office 365 subscription or not. We begin by discussing your current environment, and business, before auditing your company for security risks. Once we’ve audited your network and identified your weak points, we can work with you to improve. Whether there’s a certain cybersecurity benchmark you want to hit, or if you need to meet regulatory compliance criteria, we can help you get there.
If you’re interested, feel free to give us a call; we’re happy to lend our expertise to your organisation.
Very few internet users understand the meaning of the padlock icon in their web browser’s address bar. It represents HTTPS, a security feature that authenticates websites and protects the information users submit to them. Let’s go over some user-friendly HTTPS best practices to help you surf the web safely.
Older web protocols lack data encryption. When you visit a website that doesn’t use HTTPS, everything you type or click on that website is sent across the internet in plain text. So, if your bank’s website doesn’t use the latest protocols, your login information can be intercepted by anyone with the right tools.
The second thing outdated web browsing lacks is publisher certificates. When you enter a web address into your browser, your computer uses an online directory (called DNS) to translate that text into numerical addresses (e.g., www.google.com = 220.127.116.11) then saves that information on your computer so it doesn’t need to check the online directory every time you visit a known website.
The problem is, if your computer is hacked it could be tricked into directing www.google.com to 18.104.22.168, even if that’s a malicious website. Oftentimes, this strategy is implemented to send users to sites that look exactly like what they expected, but are actually false-front sites designed to trick you into providing your credentials.
HTTPS created a new ecosystem of certificates that are issued by the online directories mentioned earlier. These certificates make it impossible for you to be redirected to a false-front website.
Most people hop from site to site too quickly to check each one for padlocks and certificates. Unfortunately, HTTPS is way too important to ignore. Here are a few things to consider when browsing:
Avoiding sites that don’t use the HTTPS protocol is just one of many things you need to do to stay safe when browsing the internet. When you’re ready for IT support that handles the finer points of cybersecurity like safe web browsing and preventing trick DNS addresses, give our office a call.
You have probably heard about the latest vulnerability that affects most modern wi-fi networks.
The possible exploit is called KRACK.
The vulnerability is related to a discovered flaw in the WPA and WPA2 encryption protocols used by most modern wi-fi access points.
WPA and WPA2 (Wi-Fi Protected Access II) are also currently used as a security layer so only authorised devices can connect to your w-fi network
In simple terms, an attacker can adopt a man-in-the-middle position on your Wi-Fi network. They could force access points and client devices to reinstall a different encryption key.The KRACK attack then allows an attacker to intercept wi-fi traffic,.
A criminal could then not only decrypt network traffic from a victim's device on a WPA/2 network, but also hijack connections. In some cases inject malware or ransomware into unencrypted websites you are trying to visit (those not using SSL). Users could also be redirected to malicious websites.
What does this mean for you?
When it comes to security, it’s better to be safe than sorry. But as the Equifax leak case has taught us, once a security breach does happen, it’s best not to be sorry twice. Read on so your business doesn't experience the same fate as the giant, bumbling credit bureau.
Equifax, the huge American credit agency announced in September 2017 that its database was hacked, resulting in a leak of tons of consumers' private data, including personally identifiable information of around 143 million US and UK citizens. It included names, social security numbers, addresses, birthdates, and credit card and driver’s license numbers.
Equifax responded by setting up a new site, www.equifaxsecurity2017.com, to help its customers determine whether they had been affected and to provide more information about the incident.
Soon after, Equifax’s official Twitter account tweeted a link that directed customers to www.securityequifax2017.com, which is actually a fake site.
Fortunately for Equifax’s customers, the fake phishing site was set up by a software engineer who wanted to use it for educational purposes and to expose flaws in Equifax’s incident response practice. So, no further harm was done to the already-damaged customers, and Equifax is left with even more embarrassment.
One of the huge mistakes Equifax made in responding to its data breach was setting up a new website to give updated information to its consumers outside of its main domain, equifax.com.
Why? You first need to know that since the invention of phishing scams, organised criminals have been creating fake versions of big companies’ websites. That’s why so many major corporations buy domains that are the common misspellings of their real domains.
You should also know that phishers can’t create a web page on the company’s main domain, so if Equifax’s new site was hosted there, it’d be easy for customers to tell whether the new page was legitimate and not be fooled by a fake domain name.
What’s obvious from this embarrassing misstep is that Equifax had never planned for a data leak. And this is an unforgivable oversight by a company that handles the information of over 800 million consumers and more than 88 million businesses worldwide.
Whether your business is a small startup or as big as Equifax, it needs to prepare for a data breach. Besides having a comprehensive network defence plan, you also need to have the right incident response plan in place. New Australian Data Privacy Laws which come into effect in February 2018 have stiff penalties and mandate that you must have a data breach system in place.
So what you should do is implement a system that makes you aware of leaks, then, after you’ve discovered the leak is, first of all, be upfront with your customers and notify them as soon as possible.
You also need to establish a message that includes the following information:
You should also create a web page to keep your customers up to date. But remember, the new web page should be under your company’s primary domain name.
As we’ve seen from Equifax, an incident response plan that's robust is a must. Feel free to talk to our experts about how you can come up with an acute one -- so you won’t have to repeat Equifax’s apologetic statement, since it doesn’t help the company redeem it's reputation at all.
I had the craziest experience this week.
A business owner we spoke with had a ransomware attack on Monday, and his entire team of 100 staff got locked out of their network.
Clearly his current IT infrastructure wasn’t up to scratch, which lead to this problem and his team’s productivity going out the window, costing him thousands in lost revenue and hard wage costs - essentially he was paying for an empty office.
His current IT company (which let the problem into his network), scrambled on a fix and managed to get him back up and running the next day.
The most shocking thing here wasn’t that his IT company didn’t have his protection up to scratch ... it was the comment he made to us:
“It only took 1 day for our IT company to fix it and get us back up and running... Wasn’t that good! We feel no need to change providers.”
This blew my mind.
How can a small business owner:
1. Continue to pay a provider that’s not keeping their IT up to date with best practice?
2. Accept a full 8 hours of productivity loss, across 100 staff. That is at least $30,000 of wages that result in ZERO productivity for the day?
3. Then think that 8 hours to resolve the problem is a good result!
4. Want to stick with a company that caused all this headache, loss of revenue and $30,000 expense?
5. Keep operating the same way, with the possibility of having to tolerate it again?
Is this what the IT industry has come to? Is this the accepted expectation levels?
We’re really proud to be able to say that not a single client of ours has ever lost 1 hour of productivity due to Ransomware or Virus attacks.
I know it may be hard to believe, but it’s the lengths we go to, and the expectation we set for our clients.
Has this happened to you?
Do you think you’re settling too?
Do you no longer want to settle?
If you can spare 4mins, I would love to hear about your experiences or expectations around this – it’s been bugging me all week!
Yesterday, the Australian Parliament enacted the Privacy Amendment (Notifiable Data Breaches) Bill 2016.
This means that Australian organisations will now have to publicly disclose any data breaches.
Penalties for non-disclosure range from $360,000 for responsible individuals to $1.8 million for organisations.
Forget the fines, if the world found out you were responsible for a data breach, what would that do to your business reputation? Are you the responsible person?
Just about all Australian businesses and non-profit organisations:
Any day - as soon as the new law is signed by the Governor General.
A breach occurs where there has been unauthorised access to, or unauthorised disclosure of, personal information about one or more individuals
AND this event could allow serious harm to an individual :
You’ll need to disclose what information was involved. This could include personal details, credit card information, credit eligibility information, and tax file numbers.
You’ll also need to advise the customers what they should do to protect themselves.
Penalties per non-disclosure range from $360,000 for individuals to $1.8 million for organisations.
If you need help with this, contact your professional Business Technology Adviser who should have the systems ready now to prepare and protect you.
If you require any assistance, call us to arrange a Data Security Audit at 1300-SENSIBLE (736-742) or email : firstname.lastname@example.org
“Never before in the history of humankind have people across the world been subjected to extortion on a massive scale as they are today.” That’s what The Evolution of Ransomware, a study by California-based cybersecurity firm Symantec, reported recently.
If you have any illusions that your company is safe from cyber-attack in 2017, consider just a few findings stated in a recent report by the Herjavec Group, a global information security firm:
Clearly, your company’s information and financial well-being are at greater risk than ever in 2017. And you cannot count on the federal or state government or local police to protect your interests. That’s why I STRONGLY SUGGEST that you implement the following resolutions starting TODAY.
Resolution #1: Tune up your backup and recovery system. The #1 antidote to a ransomware attack is more frequent and up-to-date backup copies of all your data and software. Yet managing backups takes more than just storing a daily copy of your data. For one thing, if your business is at all typical, the amount of data you store grows by 35% or more PER YEAR. If your data management budget doesn’t expand likewise, expect trouble. What about important data stored in cloud solutions like dropbox?
Resolution #2: Harness the power of the cloud—but watch your back. Huge productivity gains and reduced costs can be achieved by making full use of the cloud. Yet it’s a double-edged sword. Any oversight in security practices can lead to a breach. Here are two things you can do to harness the cloud safely:
Resolution #3: Set and enforce a strict Mobile Device Policy. As BYOD becomes the norm, mobile devices open gaping holes in your network’s defences. Don’t miss any of these three crucial steps:
Resolution #4: Ensure you have the latest Security Technology Layers in place. The fact is that attacks are becoming more sophisticated every month. Do this at least:
Free Network And Security Audit Resolves Your Biggest Data Security Problems and Makes Your Systems Run Like A Fancy Swiss Watch
Ever asked yourself why some business owners and CEOs seem so blithely unconcerned about data protection? Don’t let their ignorance lull you into a false sense of security. If you’ve read this far, you are smart enough to be concerned. Contact us today at 1300-SENSIBLE (736-742) or email@example.com and we’ll send one of our top network security experts over for a FREE Network and Security Audit. It’s your best first step to a safe and prosperous 2017.
As end users of Google’s suite of productivity enhancing tools, we all have a right to know that the company is doing everything in its power to protect its billions of users - whether they are working from a desktop, browsing while they are on the go, or working remotely. But what measures do Google have in place to keep all its thousands of users safe and secure in the face of rising cyber crime? How can you be sure that, no matter what device you are using, you stand the best chance of protecting yourself from attack?
With more than one billion people using Google’s search engine on their desktops, and over a billion more accessing it through mobile devices, it is clear that security is – or should be - paramount. Google already claims to protect desktop users with its Safe Browsing service, but what about its mobile users?
With cyber threats ranging from the annoying, such as adware, to the unsavoury – hello spyware - and the downright terrifying (ransomware - we’re looking at you), mobile device users are increasingly demanding to know that they are being adequately protected when using Google’s products, tools and services. Therefore, so as to protect the mind-bogglingly large number of people who are using Google on their smartphones, laptops, notebooks and tablets, Google recently unveiled plans to extend its Safe Browsing service to mobile users - or at least to those who are using Chrome on an Android device.
Whether you regard this as a blatant ploy to get users to switch to Android is something we’ll let you decide for yourself, but the fact is that Google is taking steps to protect its users. Back in August 2014, the company bolstered its Safe Browsing warnings with messages alerting users to unwanted software programs trying to sneak onto their computers by attaching themselves without warning to a legitimate download. In addition, both the Android platform and the Google Play Store have security measures in place to weed out potentially dangerous apps.
However, not every cyber security threat comes from an app or installation so, while Google is doing the right thing by guarding against threats in these areas, there are other issues that require a different means of protection. Enter social engineering, and phishing in particular, which can cause untold harm – such as data or identity theft - to a business or individual.
In order to protect against social engineering, an up-to-date list of malicious websites needs to be stored upon the device – this enables Google to send an alert to the user before they get ambushed. But there are problems with this which Google has had to overcome, not least of which is how to keep the list updated in the face of new threats. Compounding this issue further are factors that are unique to mobile browsing: mobile data speeds can be slow and connectivity patchy, depending where the user is. A fast, stable connection is crucial when the timing of an alert is paramount. Not only that, but using mobile data costs the end user money!
Bandwidth (and battery) limitations mean Google has had to find a way to ensure the data they send to users is as small as possible. Protecting their customers is crucial – but so too is not sapping battery life and data plans. Because this boils down to connectivity and speed factors, a device’s location is now taken into account. For example, if a known phishing scam is only affecting certain locations, only devices that are in that part of the world receive a warning.
Google also prioritises data by sending information on a need-to-know basis - in other words, bigger threats take precedence over more minor issues. They have also designed the software to limit network traffic, and to be as light as possible on memory and processor usage.
Since its announcement in early December, Google is now protecting all Chrome users on Android devices as default, making Safe Browsing part of their Play services from Version 8.1 onwards. Chrome Version 46 is also the first app to initiate Safe Browsing.
How do you know whether you are protected by Safe Browsing mode? Go to your settings in Chrome, and check your Privacy menu.
Google are obviously trying to improve their game, which is great. However, we believe that businesses need as much protection as possible - now. This is why we are constantly researching and testing extra tools and practices that do assist.
How do you know if your small or medium-sized business stands the best chance of survival in the face of a cyber attack or phishing scam? Talk to us today and we’ll be more than happy to share our up-to-date knowledge with you.