Advantages Of Conditional Access

It seems that nearly as long as passwords have been around, they’ve been a major source of security concern.

Eighty-one percent of security incidents happen due to stolen or weak passwords. Additionally, employees continue to neglect the basics of good cyber hygiene.

Access and identity management have become a priority for many organizations.

Once a cybercriminal gets a hold of an employee’s login, they can access the account and any data that it contains. Using conditional access policies can mitigate the risk of an account breach.

What Is Conditional Access?

Conditional access is also known as contextual access. It is a method of controlling user access. You can think of it as several “if/then” statements, meaning “if” this thing is present, “then” do this.

Conditional access allows you to add many conditions to the process of user access to a system. It is typically used with MFA.

This is to improve access security without unnecessarily inconveniencing users. Some of the most common contextual factors used include the IP address associated with the user, the geographic location of the login, the time of day, the type of device used, and the role or group the user belongs to.

Implementing conditional access for identity management improves security, automates the access management process, and allows the business to restrict certain activities.

Another advantage of conditional access is the ability to apply the principle of least privilege, making sure that users can only access appropriate resources.
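As an added example (not from the original article), the following Python policy evaluator expresses the “if/then” rules described above over the contextual factors the post lists: source IP, geographic location, time of day, device type and group membership. The IP ranges, countries, group names and business hours are constructed assumptions.

```python
"""
Conditional access evaluator: each rule inspects a login context and returns
an action of "allow", "require_mfa" or "block". Rules are ordered and the first
match wins; the catch-all rule requires MFA, so an unanticipated situation is
never silently allowed. All ranges, countries and groups are constructed values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class LoginContext:
    user: str
    source_ip: str
    country: str           # assumed to come from a geo lookup of source_ip
    device_managed: bool   # device enrolled in the company's device management
    hour: int              # local hour of the login attempt, 0-23
    groups: Tuple[str, ...]


# Constructed example values; replace with your own networks and lists.
CORPORATE_NETS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]
ALLOWED_COUNTRIES = {"US", "CA"}
BUSINESS_HOURS = range(7, 20)


def on_corporate_network(ctx: LoginContext) -> bool:
    """True when the source address falls inside a known corporate range."""
    addr = ip_address(ctx.source_ip)
    return any(addr in net for net in CORPORATE_NETS)


# Each rule is (reason, condition, action); ordered "if ... then ..." statements.
Rule = Tuple[str, Callable[[LoginContext], bool], str]
POLICY: List[Rule] = [
    ("login from outside the allowed countries",
     lambda c: c.country not in ALLOWED_COUNTRIES, "block"),
    ("admins must sign in from a managed device",
     lambda c: "admins" in c.groups and not c.device_managed, "block"),
    ("managed device on the corporate network during business hours",
     lambda c: c.device_managed and on_corporate_network(c)
     and c.hour in BUSINESS_HOURS, "allow"),
    ("off-network, off-hours or unmanaged: step up to MFA",
     lambda c: True, "require_mfa"),
]


def evaluate(ctx: LoginContext) -> Tuple[str, str]:
    """Return (action, reason) for the first rule whose condition holds."""
    for reason, condition, action in POLICY:
        if condition(ctx):
            return action, reason
    return "require_mfa", "default"  # unreachable because of the catch-all rule


if __name__ == "__main__":
    samples = [  # constructed login attempts
        LoginContext("alice", "10.1.2.3", "US", True, 10, ("staff",)),
        LoginContext("alice", "198.51.100.7", "US", True, 22, ("staff",)),
        LoginContext("bob", "10.1.2.3", "US", False, 10, ("admins",)),
        LoginContext("carol", "192.0.2.9", "BR", True, 9, ("staff",)),
    ]
    for sample in samples:
        action, reason = evaluate(sample)
        print(f"{sample.user:6} {sample.source_ip:14} -> {action:12} ({reason})")
```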

What Does ‘Zero Trust’ Actually Mean?

It’s nothing to do with the fear that your teenage children will hold a party when you go away for the weekend.

Zero trust is actually about technology security. It’s one of the most secure ways to set up your network, although it can have a very negative effect on productivity.

Most networks take a ‘trust but verify’ approach. They assume every device that connects is supposed to be there. Access the network once and you can go anywhere.
Imagine you’re using a security pass to access a building… and once inside there are no further security checks, so you can get into every single room.

Cyber criminals love this approach, for obvious reasons.

Zero trust is the opposite approach. Every login and device is treated as a potential threat until it’s authenticated, validated, and authorized.

Once in, you can’t access other parts of the network without going through this process again.
Back to the building analogy – once inside the building you are surrounded by security doors and must use your security pass to get through each one. If your pass isn’t valid, you’re limited where you can go.

Zero trust has its uses, especially with so many people working remotely these days. But it can have a negative effect on your workflow and can slow down your team.

If you want to talk through whether it’s right for your business, get in touch.

What To Do If You Lose Your Laptop (Or Other Device)

So, you’re in the car on the way home from the coffee shop, basking in the glow of consuming your triple-shot, low-foam, extra-hot pumpkin-spice latte when you suddenly realize your laptop has gone missing.

You drive back like the caffeinated lunatic you are, only to discover no one has turned it in.

What do you do?

That depends on what precautions you have (or haven’t!) taken.

First, if you’ve properly encrypted your data, password-protected the access to your device and shut down and logged off all key applications, you’ve got a bit more time to respond.

But the next thing to do, whether or not you’ve taken those precautionary measures, is to notify your IT support company that you’ve lost your device.

That will allow them to change passwords and lock access to applications and data a thief may gain access to via your unprotected laptop.

They can also remotely wipe your device to make sure no one will be able to gain access to the data stored on your computer. (Which is also why it’s critical to back up your data on a daily basis!)

Next, change all the passwords to every website you log into, starting with any sites that contain financial data (your bank account) or company data.

If your laptop contained medical records, financial information, or other sensitive data (like social security numbers, birthdays, etc.), then you need to contact a qualified attorney to understand what you may be required to do by law to notify individuals who may be affected.

Quite simply, an ounce of prevention is worth a pound of cure, so make sure you’re engaging with your IT support company to encrypt and back up your data, as well as put remote monitoring software on all mobile devices.

Set a PIN-code lock or password requirement to access a device after ten minutes of inactivity, and get into the habit of logging out of websites when you’re done using them.

Some other tips to keep your laptop safe:

Use strong passwords, change passwords frequently, and avoid setting up automatic sign-ins. This will make it more difficult for thieves to log on to your computer and access your personal information.

Don’t write down your passwords. If you must write your passwords down, don’t keep the list close to your laptop (for example, on a sticky note kept in your laptop bag).

Never leave your laptop in an unlocked car or conference room.

Never leave your laptop in plain sight in your locked car. Lock it in the trunk and make sure no one sees you put it there.

Carry your laptop in something other than a laptop bag. This may seem unusual, but a laptop bag makes it very obvious to thieves that you are carrying a laptop. Use something more inconspicuous, such as a backpack or messenger bag.

Always keep your laptop in your sight. Don’t leave a meeting or a conference room without your laptop – always bring it with you. You never know who could have access to that room, even if you’re only gone for a few minutes.

Be especially diligent when traveling – airports are a common place for laptop theft. Also be careful in taxis, hotel rooms, restaurants, and coffee shops.

If your laptop is stolen, you’ll want to make sure you have the make, model, and serial number so a complete report can be filed. Keep this information in your desk at work or at home.

Finally, if you store important data on your laptop, make sure it is being backed up! Most workers store their data on a company server, where it is protected and backed up.

If you’re a mobile worker, backups are extra important since you don’t have the security of a server-based backup system.

How Often Do You Need To Train Employees On Cybersecurity Awareness?

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

You’ve just completed your annual phishing training where you teach employees how to spot phishing emails. You’re feeling good about it, until about 5-6 months later when your company suffers a costly ransomware infection because someone clicked on a phishing link.

You wonder why you seem to need to train on the same information every year yet still suffer from security incidents.

The problem is that you’re not training your employees often enough.

People can’t change behaviors if training isn’t reinforced regularly. They can also easily forget what they’ve learned after several months go by.

So, how often is often enough to improve your team’s cybersecurity awareness and cyber hygiene? It turns out that training every four months is the “sweet spot” when it comes to seeing consistent results in your IT security.

Which Form Of MFA Is The Most Secure?

Credential theft is now at an all-time high and is responsible for more data breaches than any other type of attack.

With data and business processes now largely cloud-based, a user’s password is the quickest and easiest way to conduct many different types of dangerous activities.

One of the best ways to protect your online accounts, data, and business operations is with multifactor authentication (MFA).

It provides a significant barrier to cybercriminals even if they have a legitimate user credential to log in.

This is because they most likely will not have access to the device that receives the MFA code required to complete the authentication process.

What Are the Three Main Methods of MFA?

When you implement multi-factor authentication at your business, it’s important to compare the three main methods of MFA and not just assume all methods are the same.

There are key differences that make some more secure than others and some more convenient. Let’s take a look at what these three methods are:

SMS-based

The form of MFA that people are most familiar with is SMS-based.

This one uses text messaging to authenticate the user.

The user will typically enter their mobile number when setting up MFA. Then, whenever they log into their account, they will receive a text message with a time-sensitive code that must be entered.

On-Device Prompt In An App

Another type of multi-factor authentication will use a special app to push through the code. The user still generates the MFA code at login, but rather than receiving the code via SMS, it’s received through the app.

This is usually done via a push notification, and it can be used with a mobile app or desktop app in many cases.

Security Key

The third key method of MFA involves using a separate security key that you can insert into a PC or mobile device to authenticate the login.

The key itself is purchased at the time the MFA solution is set up and will be the thing that receives the authentication code and implements it automatically.

The MFA security key is typically smaller than a traditional thumb drive and must be carried by the user to authenticate when they log into a system.

Now, let’s look at the differences between these three methods.

Most Convenient Form of MFA?

The most convenient form of MFA would be the SMS-based MFA. Most people are already used to getting text messages on their phones so there is no new interface to learn and no app to install.

SMS-based MFA is actually the least secure because there is malware out there now that can clone a SIM card, which would allow a hacker to get those MFA text messages.

Most Secure Form of MFA?

If your company handles sensitive data in a cloud platform then it may be in your best interest to go for better security.

The most secure form of MFA is the security key. The security key, being a separate device altogether, won’t leave your accounts unprotected in the event of a mobile phone being lost or stolen. Both the SMS-based and app-based versions would leave your accounts at risk in this scenario.

Five Things You Should Never Do On A Work Computer

Whether you work remotely or in an office, the line between personal and work tasks can become blurred when working on your company computer. If you’re in front of a computer for most of your time during work, then it’s not unusual to get attached to your desktop PC.

Over time, this can lead to doing personal things on a work computer. At first, it might just be checking personal email while on a lunch break. But as the line continues to get crossed, it can end up with someone using their work computer just as much for personal reasons as work tasks.

In a survey of over 900 employees, it was found that only 30% said they never used their work PC for personal activities. The other 70% admitted to using their work computer for various personal reasons.

Some of the non-work-related things that people do on a work computer include:

  • Reading and sending personal email
  • Scanning news headlines
  • Shopping online
  • Online banking
  • Checking social media
  • Streaming music
  • Streaming videos/movies

It’s a bad idea to mix work and personal, no matter how much more convenient it is to use your work PC for a personal task during the day. You can end up getting reprimanded, causing a data breach at your company, or possibly losing your job. Here are several things you should never do on your work PC.

Save personal passwords in the browser

Many people manage their passwords by allowing their browser to save and then auto-fill them. This can be convenient, but it’s not very secure should you lose access to that PC.

When the computer you use isn’t yours, it can be taken away at any time for a number of reasons, such as an upgrade, repair, or during an unexpected termination.

If someone else accesses that device and you never signed out of the browser, that means they can leverage your passwords to access your cloud accounts.

Store personal data

It’s easy to get in the habit of storing personal data on your work computer, especially if your home PC doesn’t have a lot of storage space. But this is a bad habit and leaves you wide open to a couple of major problems:

Loss of your files: If you lose access to the PC for any reason, your files can be lost forever.

Your personal files being company-accessible: Many companies have backups of employee devices to protect against data loss. So, those beach photos stored on your work PC that you’d rather not have anyone else see could be accessible company-wide because they’re captured in a backup process.

Visit sketchy websites

You should assume that any activity you are doing on a work device is being monitored and is accessible by your boss. Companies often have cybersecurity measures in place like DNS filtering that is designed to protect against phishing websites.

This same type of software can also send an alert should an employee be frequenting a sketchy website deemed dangerous to security (which many sketchy websites are).

You should never visit any website on your work computer that you wouldn’t be comfortable visiting with your boss looking over your shoulder.

Allow friends or family to use it

When you work remotely and your work computer is a permanent fixture in your home, it can be tempting to allow a friend or family member to use it if asked. Often, work PCs are more powerful than a typical home computer and may even have company-supplied software that someone wouldn’t purchase on their own.

But allowing anyone else to use your work computer could constitute a compliance breach of data protection regulations that your company needs to adhere to.

Just the fact that the personal data of your customers or other employees could be accessed by someone not authorized to do so can mean a stiff penalty.

Additionally, a child or friend not well-versed in cybersecurity could end up visiting a phishing site and infecting your work device, which in turn infects your company cloud storage, leaving you responsible for a breach.

At least 20% of companies have experienced a data breach during the pandemic due to a remote worker.

Turn off company-installed apps like backups and antivirus

If you’re trying to get work done and a backup kicks in and slows your PC down to a crawl, it can be tempting to turn off the backup process. But this can leave the data on your computer unprotected and unrecoverable in the case of a hard drive crash or ransomware infection.

Company-installed apps are there for a reason and it’s usually for cybersecurity and business continuity. These should not be turned off unless given express permission by your supervisor or company’s IT team.

The Security Problem Of John’s “Other” Laptop

Love it or hate it, Working From Home is huge and here to stay.

As a nation, we’ve really embraced the changes forced upon us by the pandemic. Many businesses have become more flexible with a mixture of office-based workers, hybrid workers and fully remote workers.

We had no idea that we could change so much, so quickly, did we? Work just doesn’t look the same as it did in 2019.

And because of that, cyber security in 2022 doesn’t look the same either. When you have people working away from your office, you need to take additional security measures to keep your data safe.

Even before we’d heard the word “Coronavirus,” many of us were working from home now and then. Checking emails on the weekend. Finishing up a project in the evening. Getting a head start on your week.

Now, Working From Home has to be taken more seriously. If any of your staff works anywhere away from the office, there’s a chance they’re taking unnecessary risks with your data.

Is Your Business Secure? Top Three Ways To Protect Your Company

Effective cybersecurity is not a “one size fits all” solution but needs to take into account the unique needs of your particular business.

That said, however, there are three key things you can do to immediately safeguard your business at a basic level.

Automate software updates

Let’s be real. We all forget things sometimes. Even something as important as updating the software on our devices. And sometimes it’s not even a “forget” but an “I don’t have time right now for my device to be down.” But automating updates and setting them to process during off-hours can be the difference between a successful and unsuccessful breach.

Educate your employees

Employees are the number one point of failure in any cybersecurity event. A recent report from Kaspersky Labs found that 90% of corporate data breaches occur as a result of social engineering attacks on employees – not the providers.

Use the Cloud

Many of us used to say that it was “too risky” to be in the cloud. That our data was “safer” here on-site, where we can control access to every bit of the network. However, over the years, we have learned that using cloud solutions is actually more secure than on-site solutions, and here’s why: cloud providers must earn a higher level of certification in order to prove the level of protection required of a cloud solution.

Cloud providers know it is imperative that their solution be the most secure solution available and any blemish can be a make or break problem for the longevity of their business. As such, they make it their business to know and keep up with the ever-changing cybersecurity world and work to implement the latest protections across their entire networks.

Last year was a record-breaking year for cyberattacks, with attacks on Colonial Oil, JBS, and even Buffalo Public Schools. The time to update your security protocols is now, before you fall victim. Schedule your audit today and keep your business safe.

Three Scary Questions To Ask About Your Data On Your Staff’s Phones

More and more businesses encourage staff to use their own personal cell to access company data.

It’s very convenient and cost effective for everyone. Isn’t that the point of having all your data and apps in the cloud? You can access anything anywhere on any device.

But there are downsides. Any time someone accesses business data on a device that you don’t control, it opens windows of opportunity for cyber criminals.

Here are 3 scary questions to ask yourself.

What happens if someone’s phone is lost or stolen?

What’s a pain for them could be a nightmare for you. Would you be able to encrypt your business’s data or delete it remotely? Would it be easy for a stranger to unlock the device and access the apps installed?

What happens if someone taps a bad link?

Lots of people read their email on their phone. If they tap on a bad link in a phishing email (a fake email that looks like it’s from a real company), is your business’s data safe?

Despite what many people think, phones can be hacked in a similar way to your computer.

What happens when someone leaves?

Do you have a plan to block their ongoing access to your business’s apps and data? It’s the thing many business owners and managers forget when staff change.

If you haven’t already, create a cell phone security plan to go with your general IT security plan. Make sure everyone in your business knows what it is and what to do if they suspect anything is wrong.

If you need a hand, don’t forget that a trusted IT security partner (like us) can give you the right guidance.

Your Business Is Already Under Attack

Ransomware is big business. It’s one of the fastest growing online crimes. Cyber criminals are targeting small and medium sized companies as well as non-profits and government agencies.

It’s the computer crime where your data is encrypted so you can’t access it unless you pay the ransom fee.

The really scary part is that it’s unlikely you’d realize you were under attack from ransomware until it was too late.

Cyber criminals hide in your network for between 60 and 100 days before they strike. During that time they’re checking out your network, identifying vulnerabilities, and preparing what they need to hit you with the attack.