TechTidBit - Tips and advice for small business computing - Tech Experts™ - Monroe Michigan

Brought to you by Tech Experts™

Security

Beware: Online Banking Phishing Schemes Are On the Rise

Banking online is a convenient and time saving way of managing and keeping track of your company’s finances.

Weak security practices, though, can make it more possible for cyber-thieves and hackers to steal your hard-earned money. It is important to make sure that all possible steps are taken to safeguard your company’s finances.

Online banking is a tool that many businesses utilize because of the ease, efficiency, and convenience it offers.

It’s a great way to manage finances in your day-to-day operations. Unforunately, as more businesses turn to online banking, cyberthieves and hackers who target small companies are becoming more adept at stealing from companies online.

Security experts are urging companies to beef up their security systems to keep them safe from cyber and identity theft.

The more companies rely on the Internet, especially when it comes to managing finances through online banking, the more prudent it is to take steps to prevent that hardearned money from being stolen or diverted to someone else’s account.

One tip experts give is to establish proper protocols for transacting with the bank, such as requiring two people to verify a transaction before it is approved.

This helps create a checks-and-balance system that hackers can’t bypass.

Having a dedicated workstation used for only online financial transactions is also recommended, as this lessens the likelihood of it being infiltrated by Trojans, viruses, spyware, and other malware that may come from the machine being used for other purposes.

Having the right anti-virus and antimalware software – and keeping it updated – also goes a long way in keeping your online banking transactions safe from unfriendly eyes.

Your finances are the lifeblood of your business. If you’re interested in how you can make your online banking experience more safe and secure, we’d be happy to sit down with you to discuss security solutions that are tailor-fit to your specific requirements and needs.

Give us a call at the office, (734) 457-5001.

For Small Businesses, Smartphone Security Is As Important As PC Security

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

Although there aren’t any prevalent security attacks or threat mechanisms associated with smartphones in the market today, security vendors and analysts are urging mobile device users to use security best practices on them, just as they would with their computers.

With recent advancements around mobile devices and technologies, particularly smartphone devices, more and more people are staying connected both in the home and office environments.

Analysts at Forrester Research, a leading authority on security in the small business IT space, say the new breed of smartphones, such as Android and iPhone-based devices, are built on operating systems that are “fairly-well locked down.”

However, although they said using these types of devices are generally safer than PCs because malware can’t run on them (yet), there are still privacy and data risks to be aware of.

GPS hacking is just one concern – a rogue phone application sending your location to an outside service without your permission.

Privacy-related issues will emerge as third-party “fake” applications access more of your personal data.

These would be apps that look legitimate, but are designed to steal your personal information.

Fixing this type of issue will be simpler than a PC, though: The operators of the “app stores,” (Apple and Google) can find the offenders and remove them from the sites in a matter of minutes.

Security and privacy are a concern especially for users who bring and work with their personal devices in and out of the workplace.

The safety of the data on those devices becomes an even larger issue.

Smartphones allow business owners and employees to be more connected with each other. Users are sending information via e-mails and through attachments, all of which are susceptible to loss or theft.

Smartphones that are used for business communication should be treated like office PCs when it comes to data protection. The security threat is there – you have to protect the data that’s on the device.

One of the biggest security mistakes customers make with their mobile devices today is that they fail to use even the most basic security protection methods such as passwords.

Most users don’t set up passwords on their mobile device because they think of their smartphone as just a phone.

But really, it’s a small, low-power computer that happens to let you make phone calls, too.

For small business, it’s time to start thinking of smartphones as another entry into your business’ data. If they’re used for business communication, they need to be monitored, protected and updated just like a PC on your network that attaches to your server and financial data.

Industry Standard Security Best Practices

Network security is a must in any network, but when it comes to a business network, there are a number of security standards and best practices that ensure you have control over your network.

Businesses in certain industries secure. Many different companies require different security standards; one organization for instance is the PCI (Payment Card Industry). The payment card industry has very a strict network security standard.

The below practices are fairly strict and will offer you a great deal of control and protection against data theft and network intrusion.

Modem
We will start from the outside edge of your connection of your network and work our way in from your modem on into client workstations.

The modem is probably the simplest device on the network – you can’t really secure it (beyond performing regular updates), but some ISP’s feature a built in firewall in the modem. This can be turned on or off to work in conjunction with your company’s firewall.

Firewall
The next item to take a look at is your router/firewall. Generally you would have a router that offers several ports you can connect to via a direct Ethernet connection as well as WiFi access.

This firewall will add another layer of protection for when your network connects to the Internet. When configured properly, you would block all unauthorized network connections. As far as protecting the WiFi goes you are best to enable MAC filtering.

Each piece of network hardware has a unique identifying numerical code, called a MAC address. Filtering by MAC lets you set up WiFi so that only devices you explicitly define are allowed to connect to your network.

Once you have MAC filtering in place, you can also encrypt network traffic and use a long secure password. Since the clients on the network will not need to type this password in all the time, it is best to make a complex password containing both capital and lower case letters, numbers, and symbols.

Another option to further increase security when it comes to WiFi connections is to set the access point to not broadcast it’s SSID. This will make it look to the normal person as if there is no wireless connection available.

Server
There are a lot of features that can be enabled at the server to further improve network security. The first item to review is the group policy. Group policy is part of the server operating systems that allows you to centrally manage what your client workstations have access to and how.

Group policies can be created to allow or deny access to various locations on your users’ desktops. You can get as granular as defining a group policy that sets standards on user passwords.

By default, Windows Server 2008’s password policy requires users to have passwords with a minimum of 6 characters and meet certain complexity requirements.

While these settings are the defaults, generally 8-10 characters is recommended as well as mixing upper and lower case letters, numbers, and special symbols. An example of a complex password might be @fF1n!ty (Affinity). This password would meet all complexity requirements and is fairly easy to remember. Passwords should also be forced to reset every so many days. A good time period is roughly 30 days.

One other possible option is to have firewall software installed on the server itself to regulate traffic in and out of the server.

The nice thing about having a firewall on the server itself is that you have the ability to log failed connections to the server itself as well as what that connections is and where it was coming from.

This feature alone gives you a lot more control over the network. For example if you noticed in the firewall logs on the server that a connection you didn’t want getting through was making it to the server you can go back and edit policies on the router/firewall to attempt to further lock down your network from that point as well as blocking it at the server.

One final quick thought on server security is physical security.

Generally it is a good practice to have the server physically locked in a room that only specific people have access to. If you really wanted more control as well you can have the server locked using a system that logs who comes in and out of a room via a digital keypad and their own passwords.

When it comes to your workstations, employees should only be logging into the workstation via their domain login and not using the local admin login.

This will allow you to centrally control via group policy what they can access like stated above. You can also configure roaming profiles so that if someone was to steal a physical workstation they would not have access to any company information as it would all be stored on the server and not that workstation – which is another great reason to have your server locked up.

Employee logins to workstations should also have account lockout policies in place so that if a user attempts to login too many times with an incorrect password, the server would lock them out on that workstation for a time period set by the administrator. One other item you could have in place for various employees is specific time periods their credentials will allow them to log into the systems.

One final step in network security is having good antivirus software installed on your workstations and your server. A compromised machine can be giving your passwords and information away to hackers making it possible for them to waltz right into your network undetected.

You are best protected by having as many of the above security steps configured and working properly on your network.

Determine what your network needs, evaluate the practice after it has been in place for a month and make the proper adjustments to ensure your network is safe. You should also preform regular security audits.

If you would like to see how secure or unsecure your network is give us a call and we can perform a network security audit for you and let you know where you stand!

Featured Article Written By:
Tech Experts

Internet Security: What Are They Surfing At Work?

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

A recent survey of business owners and IT managers found that employees are using company computers, Internet access, e-mail, and other resources to conduct hours of non-work related activities.  And the problem is on the rise.

Some of these activities simply waste time, like day trading and monitoring eBay bids. However, some of the activities are malicious and can cause serious issues with a company’s server and network.

Here are a few incidents that were reported by the IT managers that were surveyed:

• One employee was caught running a gambling website and acting as a bookie for his co-workers.

• To bypass the company’s web filter, one employee was caught using his desktop computer as an FTP server for the other employees. He had downloaded and saved over 300GB of material, all on his work computer, using his company’s Internet connection and undoubtedly slowing down their systems.

• One employee was caught giving away confidential information such as price lists, contracts, and software code for application development.

• Another employee had a pretty lucrative side business stealing and selling company inventory on eBay.

• One woman was caught running an online “outcall” service from her desk.

• One employee was caught renting the corporate IP address to hacker friends to attack other company’s computers and networks.

While these scenarios seem outrageous, they are not uncommon. Of the 300 companies surveyed, almost one-third have fired an employee in the last 12 months for violating e-mail policies, and 52 percent of companies said they have disciplined an employee for violating e-mail rules in the past year.

Educating your employees through an acceptable use policy is simply not enough. If the requirements are not enforced, employees will accidentally or intentionally violate your rules.

That’s why every company needs to invest in good e-mail and web filtering software. Just having it in place will act as a deterrent for such activities. If something really is going on – like an employee leaking confidential information to a competitor or sending racial or sexist jokes through your company’s e-mail – you’ll be able to catch it and resolve the issue proactively, instead of reacting to it after the fact.

Additionally, a good web filter will prevent employees from accessing inappropriate material online, wasting time on non-work activities, downloading viruses and spyware, and using up company bandwidth to download photos and music.

Almost Every Small Business Can Expect To Get Hacked

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

Juniper Networks recently commissioned a study on small and medium company network security.

The startling result: Over 90% of US companies reported at least one security breach in the last year, with more than half indicating they experienced two or more significant security problems with their networks.

There’s a misconception among a lot of small business owners that they’re safe from cyber attacks, because small companies offer a smaller payback for hacking efforts.

Small business network security is usually lax

The reality is, security policies and procedures at small companies usually make them an easy and simple target for hackers.

While the payout isn’t as large as hacking TJ Maxx, invading a small business’ network usually takes a lot less effort, and the business lacks a sophisticated response system.

Why is hacking so easy?

A new technique, called spear phishing, let’s hackers target a small group of previously identified people. Sometimes, the attack goes after just a handful of people who work at the same company.

Spear phishing does away with the need for hackers to gain access to your passwords. As more companies start to use social media sites such as FaceBook and Twitter, hackers using spear phishing are finding it easier to “trick” unsuspecting employees into installing crimeware on their company computers. This crimeware let’s the criminals access the computer system directly. Once they have access to one machine on your network, it’s easy to connect to the others.

Recent attacks have highlighted the growing need for companies to implement network security controls to catch the bulk of socially engineered spear phishing attacks.

They also need to take measures to quickly detect and contain security breaches.

The first thing you’ll want to do to protect your business is implement a strong firewall (see Frank’s article on page two) that lets you assign security restrictions for users based on the content of websites, and even keywords that might be potentially dangerous.

The next thing to look at is your company’s acceptable use policy. This can be as simple as a few pages added to your employee handbook that outlines what is and isn’t acceptable behavior on your network.

The final thing to examine is your backup and disaster recovery plan. The hacker’s aren’t giving up, which means it’s time to plan for what comes after a security breach.

Firewalls: What Do They Do And Why Should You Have One?

Firewalls are network security devices that protect your internal network (your servers and PCs) from your external network (the Internet).

We’ve put together a basic guide to firewalls – what they are, when you should have one, and why.

What is a firewall?
A firewall is simply a border between the device and the firewall software is installed and running on (and devices on the LAN side of the firewall) and any other devices on the outside of it.

For example, there are many different kinds of firewalls. Windows firewall gives you very basic features, and is built into Windows.

This firewall is designed to block unwanted access to the computer itself and is not designed to protect the rest of the devices on a network.

Another form a firewall can take is a separate device all together.

Having a device that specifically functions as a firewall gives more control over what the firewall can be used to protect.

For example it is possible to buy a firewall appliance that can be attached to the perimeter of your network and block specific connections to your LAN.

When is it a good time to look into using a firewall?
On most Windows based computers Windows firewall is generally on by default so most people already run a firewall on their computers without even knowing it.

That being said, Windows firewall does not give you anywhere near the control or protection of a dedicated firewall product.

If your business requires very strict security and data compliance, or you intend to store highly confidential information (an example would be client credit card numbers), it may be in your best interest to have a third party firewall.

Third party firewalls offer much greater protection and allow the ability to configure specific rules in much greater detail than Windows firewall.

Having the ability to configure rules with more detail makes it possible for you to lock down your network and its possible security holes more tightly.

The reason this is a good idea if you are storing confidential information on a network is that having a firewall gives you control over exactly what comes in and out of your network.

Without this added security it may be possible for your valuable information to be compromised or copied to a remote location without you even knowing it is happening.

Why have a firewall or invest in a better one?
Three words: Vastly improved security. A third party firewall solutions affords you the best protection for your data and network.

If you have important data to secure, a firewall is an excellent step in protecting your network from unwanted access to your network.

If you have questions about your firewall (or lack of firewall) and would like us to evaluate your network security, please give us a call.

Whether it is security holes left open due to a weak firewall or other possible security issues we can help you secure your data!

Feature article by Tech Experts,
Service Manager for Tech Experts

Why Internet Predators Love Social Network Sites

Internet predators have become a fixture of sorts on many social media sites which necessitates the need for users to exercise caution.

Since the advent of the Internet “instances” of cyber crime have evolved into regular and expected occurrences.

Now the growing popularity of social network sites has cyber criminals taking direct aim at them with their Internet scams.

What is it that makes the social networks such an attractive target for this type criminal behavior?

Here are 3 very “inviting” reasons:

Casual Atmosphere
Social network sites are meant for just what they imply and that is to socialize.

This type of atmosphere is casual and relaxed therefore people for the most part are NOT expecting devious behavior.

It is just this type atmosphere that cyber criminals depend upon and thrive in. Their ability to manipulate others is based upon a “blind” trust or having others believe in their own sense of security.

Ease of Use
Most social media sites by and large are set up to be easy to use and navigate. This allows even the less than ‘tech savvy’ to become involved, but they also bring along their own naive nature relative to Internet security issues.

This makes them even easier prey since they are unaware of or unfamiliar with many Internet scams.

This ease of use on the other hand has also made it just as convenient for the “sinister online element” to gain access to their unsuspecting prey.

There are no security systems to work around or advanced coding to decipher therefore the “door” is wide open for the criminal element to gain easy access.

Popularity
As we all know crime always seems to gravitate towards the largest population bases offline and this remains true online as well. The very popularity of social media sites has put them in the “cross hairs” of the devious minded predators that lurk on the Internet.

Safety in numbers is NOT something innocent site members can count on when interacting within online social communities.

Internet predators have settled in quite comfortably on many social media sites to the point that they have almost become accepted “fixtures” to users.

For the 3 reasons we have spoken of above cyber criminals are attracted to many of the online communities.

The structure of these sites offers the perfect opportunity for the criminal element to successfully implement their Internet scams.

For the users they must simply be aware that cyber crime does exist and will continue to do so calling for the need to exercise caution when socializing online.

 

The Three Scariest Threats To Small Business Networks

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.
While spam, pop-ups, and hackers are a real threat to any small business network, there are three security measures that you should be focusing on first before you do anything else.

Worry About E-mail Attachments, Not Spam
Sure, spam is annoying and wastes your time, but the real danger with spam is in the attachments.

Viruses and worms spread primarily through cleverly disguised attachments to messages that trick you or your employees into opening them.

Another threat is phishing e-mails that trick you by appearing to be legitimate e-mails from your bank, eBay, or other financial accounts.

Here are three things you must have in place to avoid this nightmare. First, keep your anti-virus up to date and enabled. This sounds like a no-brainer, but it’s not uncommon for an employee to disable their antivirus software “because it bothers them.”

Second, educate your employees on what is and isn’t allowed on company computers, e-mail, Internet access, etc. One thing that should be on the list is that they should never open suspicious attachments or respond to phishing e-mails. We highly recommend creating an acceptable use policy (AUP) to teach your staff what NOT to do.

Third, put monitoring software in place to maintain the health of employees’ desktops and automatically “police” employees from accidentally visiting a phishing website, downloading a virus, or visiting questionable web sites.

Fear Downloads Before Pop-Ups
Did you know that most computers and networks get infected with viruses because the user actually invited the threat in by downloading a file (screen saver, music file, PDF document, pictures, etc.)?

Again, this comes down to training your staff on what they can and cannot do with your company’s network. Again, the best way to avoid trouble is to remove temptation by installing monitoring software that will prevent employees from downloading or opening dangerous items.

We also recommend installing and maintaining a good firewall, which will block Internet traffic to and from dangerous sites.

Lose Sleep Over Backups, Not Hackers
You are more likely to lose data from hardware failure, accidental deletion, human error, flood, fire, natural disaster or software corruption than a hacker.

Sure, you should do everything to keep hackers out of your network, but not backing up your data to a remote location is incredibly dangerous. At a minimum, you should have an onsite and offsite copy of your data, and you should be testing your data backups regularly to make sure your data can be restored in the event of an emergency.

So, here’s the scary Halloween question for you: If you came into your office tomorrow morning, and your computers and server were destroyed or missing, could you recover your data, and how long would it take?

Fall Is The Perfect Time For An IT And Network Checkup

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

To make the most of your IT investment,  you don’t need to be a technology whiz. However, you should have a plan in place for making the most of your company’s data. As fall approaches, now is an excellent time to examine your company’s technology to determine what’s working well and what could be improved.

Is It Time To Update?
Technology changes rapidly. While your systems may appear to be working well, you may be missing out on new ways to protect your business information, help your business run more efficiently, and better serve your customers.

For example, to run some of today’s most powerful programs, you need a fast and large hard drive with significant memory capacity.

You might consider adding newer technology – such as wireless capabilities – to older equipment; but the cost of upgrading a computer is often more than the cost of a new model.

Check Your Power Protection
Loss of electrical power and power surges are the most common causes of data loss and weaken computer components. If your business depends on computers, protecting the power source is critical.

This is especially important if your area is prone to power fluctuations or electrical storms.

An Uninterrupted Power Supply (UPS) unit offers both superior surge protection and, depending on the model, anywhere from 15 to 45 minutes of backup power-enough time to save and copy critical files.

The idea of a UPS isn’t to continue your business dealings while the lights are out. Rather, it is to ensure that your data is available when the lights come back on.

Have You Patched Windows?
Have you installed the latest version of Windows on your computer, and do you keep it updated? Do you do this automatically?

It is incredibly important that you keep Windows and your software applications current. Updates improve performance, fix bugs, and many add new features. You should also regularly update and run anti-virus software.

How’s Your Backup?
Consider storage needs in terms of both capacity and physical location. Depending on the amount of data, you can back up to USB flash drives, CDs, DVDs, tapes, or an external drive.

You might also want to look into off-site backup. Our Experts Total Backup System is an excellent backup, disaster recovery, and offsite storage service.

Integrate Your Data
Over the years, businesses tend to produce multiple silos of data. Your inventory, sales data, and marketing information need to be linked together to better serve your customers and increase your company’s productivity and profitability.

Without this integration, you may not know who your best customers are or you could end up agreeing to provide a top customer with an item you don’t have in your inventory.

Number One Security Risk For Small Business: Poor Patching

Symantec, one of the leading antivirus software companies, released their 2009 security review, and according to the report, the largest single threat to small business’ computer security is the failure to apply new security patches as they’re released by the manufacturers.

A “security patch” is simply a software fix to a security problem in a software application.

Once a security vulnerability is discovered, software companies rush to develop a security patch to prevent hackers from using the security breach to access PCs or servers, obtain confidential information, or erase files.

When the fix is released, cyber criminals often look at that as the best time to write a virus or trojan to exploit computer users who haven’t kept their systems up to date. That’s why regular server maintenance is so important.

With the national economy teetering on recession, more and more hackers are trying to take advantage of unsuspecting computer users. Economies of scale often come into play with cyber attacks – a well written trojan or virus can spread like wildfire in just a few hours.

Even if hackers are only successful in compromising a few hundred machines, that’s more than enough to obtain information that’s useful to steal someone’s identity or hold their electronic data hostage.

The real problem – most of the time, you can’t tell you’ve been hacked until it’s too late.

Since the majority of small business owners use their computers for everything from banking to client management, anything a hacker obtains will be useful.

PDF’s Can Be Dangerous
Adobe’s PDF application is the most hacked and exploited software program in use by small businesses. PDF-based security exploits rose to account for 49 percent of online attacks. Coming in second was Internet Explorer, accounting for 18 percent of webbased attacks.

Here’s an interesting fact: The Internet Explorer vulnerability that makes up the majority of the 18% is the Microsoft Internet Explorer ADODB> Stream Object File Installation Weakness that first came to the world’s attention in August 2003. Microsoft released a patch the following July.

Nearly six years later, this Internet Explorer exploit is still being used by hackers, which means an incredible amount of businesses simply aren’t patching their systems on a regular basis.

Regular Maintenance Is A Must
It seems strange to think of your computer this way, but it helps to think of your PC as an automobile. You know that to keep it in top running condition, you have to change the oil, rotate the tires, and flush the radiator once in a while.

Your computers and servers aren’t any different: To maintain optimal running condition, you have to perform regular, scheduled maintenance.

Downtime is expensive. When you consider the cost of lost employee productivity, the expense of the IT services to repair your network, and the amount of time it would take to recover your data by hand, the investment in regular maintenance seems a wise choice.

We perform regular, scheduled maintenance for the majority of our service contract clients – but if you’re not on one of our service plans, we should definitely talk about a comprehensive maintenance and update schedule for your business. If you’re not patching regularly, it’s only a matter of time before your system is compromised.