TechTidBit - Tips and advice for small business computing - Tech Experts™ - Monroe Michigan

Brought to you by Tech Experts™

Internet Security: Beware Of “Malvertising”

Michael Menor is Vice President of Support Services for Tech Experts.

As if Internet use wasn’t already troubled with cyber perils, users now have to add “malvertising” to the list of things from which they need to protect themselves.

“Malvertising,” like the name suggests, means “ads that contain malware.” Some mal-ads aren’t dangerous unless you click on them – but others can do “drive-by downloads,” sneaking their malware onto your computer simply because you’re viewing the page on which the ad appears.

While most malvertising is on websites, it can also show up on other ad-displaying apps, such as Facebook, Skype, some email programs, and many games.

The reason that malvertising is more of a problem than other malware approaches is that it can be spread through online advertising delivery networks like Google DoubleClick to legitimate sites that users routinely visit, like the New York Times, Huffington Post, and Yahoo, as well as routinely-used mobile apps that show ads. Malware-bearing ads can be “injected” either by hacking ads at the provider end or by buying and providing mal-ads. In most cases, there’s no way for a user to tell just by looking that an ad has been compromised.

The Potential Damage
The dangers of advertising-delivered malware are the same as those from malware you get any other way. Malware can steal account usernames and passwords, bank and credit card information, and other sensitive data.

It can encrypt your data and “hold it for ransom.” It can, in turn, infect other computers on your network and turn your computer into a “zombie,” spewing out spam and malware to the Internet.

July_2015_MalvertisingLike other viruses and malware, malvertisements take advantage of security vulnerabilities on users’ computers and mobile devices. These may be anywhere from the operating system, to web browsers and other applications, to add-ons and extensions like Java, JavaScript, and Flash.

How do you know if your computer has been infected by malware? One sign is that your web browser shows unexpected pop-ups or seems to be running slower. But many malware infections remain “stealthy,” possibly even eluding anti-malware scans.

Legitimate ad creators and ad delivery networks are working on ways to detect and prevent malware from getting into the digital ads they serve. Otherwise, people have even more reason to not look at ads or block ads entirely.

But, assuming it can be done, this won’t happen for a year or more. The burden is on companies and individuals to do their best to protect their networks, computers, and devices.

What Can Companies and Users Do?
Although malvertising is a relatively new vector, the best security practices still apply; if you’re already doing things right, keep doing them. But what does “doing things right” look like?

  1. Avoid clicking on those ads, even accidentally.
  2. Maintain strong network security measures. Next generation firewalls at the gateway can often detect malware payloads delivered by ads, block the ads entirely, and/or detect communication from already-infected devices.
  3. Regularly backup systems and critical files so you can quickly restore to a pre-infected state if your systems and data are compromised.
  4. Deploy endpoint security software on every device so that it’s protected on and off the network.
  5. Ensure that all operating systems and client software (especially web browsers) are fully patched and up to date.
  6. If you suspect a computer has been infected, stop using it for sensitive activities until it’s been “disinfected.” Again, many security appliances can help you identify and quarantine infected devices.

It’s unfortunate that even more of everyday Internet use is potentially unsafe, but the steps to fend off malvertising are essentially security precautions that companies and individuals should already be following.

Does Your Company Need An Internet Usage Policy?

Scott Blake is a Senior Network Engineer with Tech Experts.

With the growth and expansion of the Internet, it is important to make sure that your business has a policy in place to protect its assets.

Depending on your business, an Internet Usage Policy (IUP) can be long and drawn out or short and to the point.

An IUP will provide your employees with guidelines on what is acceptable use of the Internet and company network. IUPs not only protect the company, but also the employee.

Employees are informed and aware of what is acceptable when it comes to websites and downloading files or programs from the Internet.

When employees know there will be serious consequences for breaking the IUP, such as suspension or termination of employment, companies tend to notice a decrease in security risks due to employee carelessness.

You will need to make sure your IUP covers not only company equipment and your network, but also employee-owned devices such as smart phones and tablets. You may be surprised at the number of employees that feel they do not have to follow the IUP because they are using their own device to surf or download from the Internet.

Make sure you address proper usage of company-owned mobile devices. Your business may have satellite employees or a traveling sales force. Even when they are away, they need to be aware they are still representatives of the business and must follow the business IUP.

After all, it would not go over well if your sales staff was giving a presentation to a prospective client and suddenly, “adult content” ads popped-up on the screen because one of your employees was careless in their web habits.

The downloading of files and programs is a security risk in itself. Private, internal company documents and correspondence downloaded from your company’s network can become public, causing unrepairable damage.

On the same thought, employees downloading from the Internet open your company’s network up to malware attacks and infections.

There are a lot of hackers that prey upon the absent-minded employee downloading a video or song file by hiding a piece of malware within the download. Once the malware makes it into your network, there’s no telling what damage it can cause.

As for non-work related use of the company network and Internet, make sure your employees know there is no expectation of personal privacy when using the company’s network and Internet connection.

Make it well-known that the network and Internet are in place to be used for work purposes only. Improper use of the network can reduce bandwidth throughout the company network.

This includes all mobile devices owned by the company. This way, your employees know that no matter where they are they still must follow the guidelines of the IUP.

Make sure all of your employees sign the IUP and fully understand what it is they are signing. Make sure you answer any and all questions they may have.

This will help clear up any confusion your employees may have. This way, there can be no excuses as to why the IUP was broken.

Whenever you update the IUP, make sure you have all of your employees sign and understand the new additions and/or changes to the IUP. It may seem like overkill, but you’ll be glad you did if you ever run into any violations of your company’s IUP.

For assistance in creating Internet Usage Policies or if you have any questions, call the experts at Tech Experts: (734) 457-5000.

Is Antivirus Necessary For Smartphones?

July_2015_CellPhone_email_sizeChances are, you have an antivirus program installed on your personal computer. You may not, however, have the same sort of protection for your smartphone.

If you don’t, you’re certainly not alone. Being part of a majority, however, doesn’t make the data on your smartphone safe. The same threats that lurk in cyber land can attack your phone as easily as a personal computer, but there isn’t a lot of attention being given in the media and other venues about viruses on smartphones.

So, despite that lack of attention, should you install antivirus protection on your smartphones and tablets?

The truth is that you should. Smartphones are fast becoming the prime method of accessing the Internet, and the amount and nature of sensitive data on these devices puts you, your business, and even others whom you hold dear at risk.

Since many viruses are designed to gain access to personal information on devices, the risks are greater than you may think. We may not think about installing antivirus applications on our smartphones because it doesn’t address a widespread problem at this time.

In the near future, however, viral attacks on phones is inevitable. From an employer’s standpoint, the need to protect smartphones is even more important than on a personal level. With more and more business being conducted via handheld devices, a virus on a smartphone has the potential to interrupt operations, causing costly delays and compromising sensitive company data.

Security software applications that can protect smartphones are available for download. Look for one that is not just vigilant against malware, however.

It should also provide an option to remotely wipe smartphones clean in the case of a viral attack to protect company data as well as have a GPS location feature to facilitate easy recovery.

Another feature experts recommend in a security software application is the ability to limit the types of applications employees download onto their company-provided smartphones.

Should Your Company Install The Windows 10 Preview?

In short, no. While the Windows 10 Technical Preview is free of charge, there are too many dangers in downloading what is essentially the Beta release of Microsoft’s newest operating system.

There’s a reason why the preview is available, and it’s not to generate excitement about its coming release this fall. The preview exists for Microsoft to discover bugs and glitches that are present in this version, so they can fix them before Windows 10 officially hits the market. Unless you just enjoy being part of that process, it’s best to leave the testing to others.

It is especially important to wait for the official Windows 10 release if you only have one PC or mobile device.

Since all the kinks have not yet been worked out, you could find yourself unable to use accessories like printers or scanners if you make the premature jump into the new operating system. You also can’t be assured that the Windows 10 preview is safe for your devices, and it’s simply not worth the risk of incurring problems that can not only be costly moneywise but in the ill use of your time trying to correct any damage.

Furthermore, the technical preview isn’t complete. The features you’re looking forward to may not be included. The Spartan web browser and Holograph feature are missing from the Windows 10 preview.

So, even if the test version of the operating system functions seamlessly, you’re apt to be disappointed. Although you may be chomping at the bit to get rid of your old operating system, the wise thing to do is wait until Microsoft perfects Windows 10 and then fully explore it when it’s finally released, making sure it is compatible with your business applications.

Top Seven Network Attack Types So Far In 2015

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

There’s no doubt that small businesses are under attack from hackers and cyber-criminals. Typically, small companies have less secure networks and looser security standards, making them easy targets.

The latest Threat Report from McAfee Labs details the types of attacks against small businesses. The chart shows the most common network attacks detected in Q1 2015.

Denial of service attacks – 37%
A denial of service (DOS) attack attempts to make a resource, such as a web server, unavailable to users. These attacks are very common, accounting for more than one-third of all network attacks reviewed in the report.

A common approach is to overload the resource with illegitimate requests for service. The resource cannot process the flood of requests and either slows or crashes. [Read more…] about Top Seven Network Attack Types So Far In 2015

The Basics Of HIPAA Compliance

Michael Menor is Vice President of Support Services for Tech Experts.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is federal legislation that created national standards to protect the privacy of patients’ medical records (including electronic records) and other personal health information.

The legislation makes organizations and individuals who collect and manage personal healthcare data legally liable for its security, including health care providers, health plans, health clearinghouses and business associated with any of these. Consequences of negligence and misuse of private information can include civil and criminal penalties.

As a result of HIPAA, the Department of Health and Human Services created specific regulations for the handling of Protected Health Information (PHI), including electronic or digital forms (ePHI). HIPAA has two main sets of requirements related to privacy and security.

The HIPAA Privacy Rule governs the saving, accessing and sharing of health-related and other personal information, either oral or written.

This rule defines the guidelines safeguarding the confidentiality of PHI. Standards for identifying and authenticating people and organizations requesting PHI are outlined in this rule.
The HIPAA Security Rule more specifically outlines national security standards to protect health data created, received, maintained or transmitted electronically.

This rule primarily focuses on the technological measures used to enforce policies keeping ePHI out of the wrong hands. Failing to comply with these rules can result in penalties for not only organizations, but for the responsible individuals.

Any entity that deals with protected health information must make sure that all the required measures are established and continuously observed — physical (actual data center server access), network, and process security (audits, policies and staff training).

While the legislation is clear on the privacy, security, and accessibility requirements for organizations, over 91,000 violations were recorded between April 2003 and January 2013. These resulted in 22,000 enforcement actions (which included settlements and fines) with 521 referred to the US Department of Justice for criminal investigation.

HIPAA Compliant Best Practices
1. Review and evolve your policies and procedures. HIPAA is not a “set and forget” proposition; compliance must be a living, changing process that is regularly audited for effectiveness and legality. A lot has changed since 1996 and organizations’ policies must reflect those changes.

2. Accessibility rights are as important as rights to privacy. HIPAA gives patients certain control over their healthcare information, including the right to access it on demand and the right to revoke authorization to store their data. Organizations must act quickly when patients ask for their PHI.

3. If you store your data with a third party hosting provider, make sure that they are HIPAA compliant. The Security Rule hands down many stringent administrative, physical and technical requirements for such providers. Make sure that a full-scale risk assessment of the provider is performed on a regular basis and that a process is in place for monitoring compliance.

Apply common sense to your technology platforms. Shut down computer programs and servers containing patient information when not in use, and don’t share passwords among staff members.

The US Department of Health and Human Services has found that storing patients’ information in a HIPAA compliant cloud server can be safer than using a localized server or paper documents, so consider this option for increased security.

A HIPAA violation can be as small as a health care worker discussing a patient’s private health information in the elevator or as large as a $1.2 million fine for not erasing PHI from photocopier hard drives before returning them to the leasing agent.

More than ever, common sense and sound corporate governance must be applied to the technologies and processes that manage confidential data. Protecting that data will protect clients and the organization as well.

Documenting Business Processes

Scott Blake is a Senior Network Engineer with Tech Experts.

Documentation is quite possibly the most important aspect of a business, but it can also be workers’ least favorite task to do. The average person doesn’t want to spend time writing down how they do something — they just want to do it and move on.

Can you guess the biggest reason for documenting your business processes? It may come as a surprise, but it’s also the most fluid part of your business: your employees.

Employees come and employees go and some just take vacations. It’s what they do in between that’s important. Every employee is responsible for some part of your daily business.

Whether an employee quits or just needs time off, having documentation that lists the software used with usernames and passwords, step-by-step instructions on how to use the business software, client and vendor contact information, and credit card information makes their absences that much easier to deal with.

Well-documented processes will cut down on the time it takes to train a new employee.
Give the related information to the new employee and let them use it as a guide for their daily activities. This will allow your other employees to spend more time on their tasks and assignments instead of spending the majority of their time answering routine questions that a documented process could answer.

Order-of-operation questions and disputes can be minimized as well. If there ever comes a time when your employees are unsure of the next step or there is a dispute between departments on how to proceed, they will only need to look over the documented processes in question to resolve the issue.

Having documentation that shows in detail how long it takes to produce a product will also help your sales force deliver your product to your customers.

It allows your sales and marketing departments to understand the timelines of production.

This knowledge will let them know when a product order can be delivered and if the amount can be fulfilled in the timeline requested by the customer. There will be no more over or under promising of delivery dates to customers.

Put trust in the documents, not the person. No one person should be trusted with remembering processes without documenting them. What if this employee quits or becomes ill and is unable to return to work?

For example: You have an employee that works in your IT department. This employee’s job is to monitor and resolve any network related issues. While doing his daily tasks, he discovers it’s time to change the passwords on the business networking equipment such as the router, managed switches and domain admin password.

While the employee doesn’t think twice about it and may have mentioned it to his manager, there was nothing ever documented. Now, four months later, the employee falls very ill and is unable to return to work. What do you do?

The best way to document your business processes is to document them in such a way that all contributing employees have access.

You could use online tools such as Google Docs or Microsoft SharePoint. This way, whenever a process is changed, amended, or removed, the documentation is instant and available for all to see.

After a while, you will have an impressive collection of documented procedures. Having documented information available for employees to read can also start the flow of constructive questions and comments why things are done a certain way and how they can be improved.

If you have questions or you’re looking for suggestions on documenting your processes, call Tech Experts at (734) 457-5000.

Three Sure-Tell Signs Your Hard Drive Is Failing

Under ideal conditions, the average stationary hard drive lasts five to ten years. With the growing use of external drives and laptops that are toted around frequently and exposed to damaging elements, that life span shrinks to between three and five years.

Consequently, it is important to watch for indications that your hard drive is failing, so you can back up all of your valued files and data. Here are three signs that it’s time to act:

Slowed Operation and Freezes
You should immediately back up the contents of your hard drive when you notice that freezes and display of the blue screen become the norm.

It is even more imperative to do so, if these problems continue in Safe Mode or after a fresh installation of your operating system because that’s an indication that hard drive failure is imminent.

Corrupted Data
When it becomes problematic to save or open your computer’s files and you start getting error messages about corrupted data, you should know that your hard drive is failing.

As a hard drive’s functionality gradually wanes, this is a common problem, so act fast to ensure your business and personal data stays intact and safe.

Presence of Bad Sectors
If your hard drive has bad sectors, or areas incapable of maintaining data integrity, you may not immediately notice the problem.

The presence of such sectors is a grave problem and tells that your hard drive is in its final strides.

To check your hard drive for bad sectors, run a disk check with the options to automatically fix the problem and attempt recovery of files.

Coming Of “Edge:” Microsoft’s New Browser

Up until now, Internet Explorer’s successor has been secretly referred to as Project Spartan during Microsoft’s development stage. At the Microsoft Build 2015 Developer Conference, the project name was finally announced as the company’s newest browser: Edge.

The name was already familiar to those in the know because Project Spartan’s page-rendering engine was known as Edge, but now the name has been elevated to describe the product as a whole.

For those who have had difficulties with Internet Explorer, this new browser is long overdue, but Edge should turn their frowns into smiles because it is much faster and more compatible with modern web standards.

Edge joins its competitors, like Firefox and Chrome, in the use of extensions and actually uses the same JavaScript and HTML standard code.

This means that Microsoft’s new browser can easily adopt its competitor’s extensions. In fact, Joe Belfiore, Microsoft’s VP of Operating Systems Group at Microsoft, demoed a couple of extensions at the conference. However, you won’t see the extensions feature in Windows 10 until later this year.

Cortana, Windows 10’s Siri-like virtual voice assistant, makes an appearance in Edge as well. When needed, Cortana shows up in a blue circle in the browser’s toolbar to relay pertinent information related to the landing page, such as directions to a local business or contact information.

Edge users can also summon Cortana for assistance and extra info by right-clicking on text selections to find out more.

Another Edge feature is the new-tab page, a remnant from Internet Explorer with a few tweaks. When Edge users open a new tab, the page displays thumbnail icons for the most frequently visited sites. It also allows users to reopen closed tabs and makes many suggestions for apps and videos and facilitates access to weather or latest sports scores.

Edge also provides the option to view pages in a reading mode free of distractions such as images and advertisements. Users can even make annotations, such as highlights and notes, on webpages for sharing or storing as an image. Microsoft’s new browser also comes with coding support and will function the same across all platforms. Until Edge is formally released, users can test it on non-critical PCs by downloading Windows 10 and joining the Windows Insider Program.

How Can You Use Google Trends For Small Business?

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

Google Trends is a tool that has been around for a while, and has great potential for improving exposure and sales for businesses. It is entirely free to use, and its simplicity makes it accessible to virtually anyone with basic computer knowledge.

Here are some specific ways in which you can use Google Trends to enhance your small business practices:

Brainstorming Topics
For instance, if your business website contains a blog, it’s common to quickly run out of content ideas that will not only interest your readers but also tie into the products or services your business offers.

Choose a phrase that describes a broad idea for a blog post, and Google Trends will show you how popular that phrase is and also suggest related topics. With one simple search, you could potentially come up with ideas for dozens of different blog posts, and relevant content is the best way to build your business website. [Read more…] about How Can You Use Google Trends For Small Business?