Technology Advisor Blog

The Psychology of Passwords - Are your Passwords Secure?

Posted by Ann Westerheim on 6/26/20 11:49 AM

Password Psychology

We all know what we "should" do about passwords, but reality is quite a bit different, as a recent report by LogMeIn, in collaboration with the National Cybersecurity Alliance, shows. At Ekaru we're on a mission to help Small Businesses stay strong in the face of cyber threats. The more you know about the threats you face, the better your chances of keeping your data safe and your name out of the headlines.

As more and more people work and socialize exclusively online, protecting your digital identity is more important than ever. Most people believe they are knowledgeable about the risks of poor password security; however, they're not using that knowledge to protect themselves from cyber threats.  Good password hygiene is one of the most important steps you can take to secure your data.  

Gerald Beuchelt of LogMeIn and Dan Eliot of the National Cybersecurity Alliance put together a great program this week on the Psychology of Passwords, and here are some of the key takeaways. Many in our community will recognize Dan from our in-person lunch and learn event several months ago.

  • 91% of computer users know that using the same password, or a variation of it, is a risk, but 66% do it anyway.
  • 54% of computer users try to keep track of passwords by memorizing them, and it's not working. 24% of them need to reset passwords monthly after forgetting.
  • The old advice of 8 characters for a strong password is out of date - the longer the better and eight is not enough.
  • 52% of computer users haven't changed their password in a year even after learning of a breach!
  • Don't re-use passwords. Keep in mind that hackers can use "credential stuffing" to try your password at all the other sites where you may have used it. With automated tools, now starting to be powered by AI, this is a quick task!
  • Use MFA - Multi Factor Authentication - whenever available.  Yes, it can be an inconvenience, but you will drastically increase your security with this simple step.

One question we hear a lot came up during the presentation. Is it okay to store passwords on paper kept in a secure location? It is possible to store the paper very safely, but it's important to consider Protection vs Availability. When we see users doing this, typically they end up keeping the paper with them, making it a lot less secure.

Also, the typical 90-day forced password reset policy actually can make passwords less secure.  Why?  Users will fear forgetting their password and will quickly take on some other bad habits like writing them down, re-using passwords, or creating passwords that are too simple.  The current advice is to keep a password that's strong until you have reason to change it (like a publicized breach). 

What can you do?  Educate your team.  Talk about security during your staff meetings and make sure everyone is on board.  Help create a culture of security in your organization.  You can get fancier with a formal training program, but even just a conversation will help.   Using a password manager like LastPass helps solve a lot of problems around keeping passwords strong and secure, but daily behavior improvements can go a long way.

Contact us at 978-692-4200 if you'd like a demo of LastPass or want to learn more

Also, here's a link to the video, report, and infographic from the National Cybersecurity Alliance:   View the Video and Get the Report


Tags: small business, password, cybersecurity, work from home

Cybersecurity During the Pandemic and Stay at Home Orders Impact on Small Business.

Posted by Ann Westerheim on 5/13/20 2:14 PM

Cybersecurity and the Impact of Work from Home on Small Business

For those fortunate enough to be able to make the move to work from home during the pandemic, the rapid change has been a lot to handle. Cybersecurity threats increased sharply while users are adjusting to a new way of work. Last week we hosted security expert Jay Ryerse, CISSP, of ConnectWise to speak to our community about the impact on small business. Ekaru wants the cybersecurity culture of our community to transcend the office walls to protect you, your family, and your business.

Here are a few of the key take-aways from his presentation, and the full video is linked below.

  • Prior to COVID-19, remote workers made up only 3.2% of the entire workforce and 44% of companies had policies that didn't allow remote work. All of that changed overnight! The current pandemic is unprecedented.
  • Malware is found on 45% of home office networks.
  • Cyberattacks now cost small businesses $200,000 on average, putting many out of business.
  • A new ransomware attack occurs every 14 seconds
  • 46% of SMBs have been targeted by ransomware
  • In cybersecurity, what you don't know will hurt you
  • Trust your team, but verify!

The return to the "new normal" will be just as challenging for businesses.  Some states are already re-opening, and it will be a long time before we get some semblance of normalcy. 

Work from home is likely to be a big part of our future.  Many affordable and secure solutions are available for smaller businesses to make the shift, and Ekaru is here to help.

Contact us to schedule a risk assessment to better understand the impact of COVID-19 and cyber threats to your business.

The full recording of the webinar is now available:

 

Tags: small business, cybersecurity, work from home

Get a Custom Zoom Background in 3 Easy Steps

Posted by Ann Westerheim on 5/7/20 11:50 AM

Zoom meetings have become so popular these days that the word has become a verb! There are many great collaboration tools (GoToMeeting, Microsoft Teams, etc.), and Zoom has emerged as a crowd favorite with huge growth resulting from their popular free version.

If you've been on a call, you've probably seen someone with a fancy custom background - a scene from a beach, a view from space, or some other fun background (or maybe a serious one like a company logo). If you'd like to give a custom background a try, it's easy!

First, a couple of notes on using video in meetings. When you start your Zoom meeting, you'll see that video is "muted" by default. Just click on the video icon in the lower left to turn on the video.

I like to use a web cam cover on my laptop so my camera is also physically covered when not in use. Your laptop may already have a built-in cover. I like the extra peace of mind that I can control camera access.

As for custom backgrounds, if you've got a working webcam, getting a custom background is easy!

1.  Choose Virtual Background - Click on the little arrow to the right of the video camera icon, then select "Choose Virtual Background".

2.  Upload Your Background Image - Click on the "+" icon to add an image or video (I have a few already loaded). You can pick your favorite vacation photo, your company logo, or go online to find some images.

3.  Select the Virtual Background - Pick the one you'd like to use for the current meeting. Also, a heads up that this will be the default image for your next meeting, so if you're going on a virtual happy hour, you may want to change back at the end of the meeting so it doesn't load by default during your management meeting the next morning.

A few tips on video image quality - The Zoom virtual backgrounds work quite well even without a green screen. For best results, sit in front of a solid color wall and don't wear colors that are in the virtual background image. Why? A lot of computing is needed to subtract your real background and display the virtual one. If you match the image, your computer will get confused. We received a help desk call this week from a user who reported a "fuzzy" image - she was actually blending into the background. Test drive different images for the best results.

For more advanced troubleshooting, Zoom has some detailed info on technical requirements - https://support.zoom.us/hc/en-us/articles/210707503-Virtual-Background

A few tips on Security - Security is always on our minds. Zoom has been in the news for security issues. A few notes on security to stay safe online:

  • Use unique meeting codes for all meetings
  • Set a password
  • Use the Green Room function to know who's online
  • Don't record meetings unless you have some important reason to do so.
  • If you're the host, know how to mute users and end the meeting quickly if you need to.

One of the nice features of Zoom is that virtual backgrounds are "native" to the application. You don't need any extra software. For example, if you want to try this with GoToMeeting, you'll need an add-on like ManyCam to do the same thing. It's easy, but it requires an extra step.

Have some fun on your next meeting!   

 

Tags: cybersecurity, work from home, Zoom Meeting

Beware!  COVID-19 Safety emails Deliver Malware Instead

Posted by Ann Westerheim on 5/6/20 5:13 PM

Cyber criminals are working overtime to take advantage of the disruption and confusion caused by the pandemic. The FBI reports a fourfold increase in cyber threats recently, and it's more important than ever to stay alert and talk to your team about cybersecurity. The most common attack vector these days is email, and an unknowing employee may click on the wrong link thinking they're getting important safety information. Think before you click!

Check out the infographic for more information on what to look out for, and please share with your team.

20 Seconds to better email hygiene:

  1. Watch for overly generic content and greetings - Cyber criminals will send a large batch of emails. Look for examples like “Dear valued customer.”
  2. Examine the entire "from" address - The first part of the email address may be legitimate, but the last part might be off by a letter or may include a number in the usual domain.
  3. Look for urgency or demanding actions - “You’ve won! Click here to redeem prize,” or “We have your browser history pay now or we are telling your boss.”
  4. Carefully check all links - Mouse over the link and see if the destination matches where the email implies you will be taken.  (But keep in mind some advanced hackers have ways even to hide the true destinations!)
  5. Notice misspellings, incorrect grammar, and odd phrasing - This might be a deliberate attempt to try to bypass spam filters.
  6. Check for secure websites - Any webpage where you enter personal information should have a url with https://. The “s” stands for secure. (But keep in mind some advanced hackers can hide behind encrypted sites!)  
  7. Don't click on attachments right away - Attachments containing viruses might have an intriguing message encouraging you to open them such as “Here is the Schedule I promised.”
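As an added illustration (not part of the original post or any Ekaru tool), here is how checklist items 1 through 4 could be automated in Python against a raw message. The trusted-domain list, phrase lists and sample messages are constructed assumptions, and the checks are heuristics that will not catch every lookalike or hidden link.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrase lists are illustrative assumptions; tune them to your own mail.
GENERIC_GREETINGS = ("dear valued customer", "dear customer", "dear user")
URGENCY_PHRASES = ("pay now", "act now", "click here to redeem")
# Digits commonly swapped in for letters in lookalike domains.
DIGIT_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def edit_distance(a, b):
    """Levenshtein distance, used to spot domains that are off by a letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

class LinkCollector(HTMLParser):
    """Collects all visible text plus (href, link text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.text, self.links = [], []
        self._href, self._label = None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._label = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._label.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._label).strip()))
            self._href = None

def host_of(text):
    """Hostname if the text looks like a URL or bare domain, else None."""
    if not re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", text, re.I):
        return None
    return urlparse(text if "://" in text else "//" + text).hostname

def check_email(raw, trusted_domains):
    """Return (check, detail) findings for checklist items 1-4."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    # Item 2: examine the entire "from" address.
    sender = parseaddr(str(msg["From"] or ""))[1].rpartition("@")[2].lower()
    if sender not in trusted_domains:
        for good in trusted_domains:
            if sender.translate(DIGIT_SWAPS) == good or edit_distance(sender, good) <= 2:
                findings.append(("lookalike_sender", f"{sender} imitates {good}"))
                break
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = LinkCollector()
    parser.feed(body.get_content() if body else "")
    text = " ".join("".join(parser.text).split()).lower()
    # Items 1 and 3: generic greetings and urgent demands.
    if any(g in text for g in GENERIC_GREETINGS):
        findings.append(("generic_greeting", "mass-mail style greeting"))
    if any(u in text for u in URGENCY_PHRASES):
        findings.append(("urgency", "pressure to act immediately"))
    # Item 4: does the link go where its visible text says it goes?
    for href, label in parser.links:
        real, claimed = urlparse(href).hostname, host_of(label)
        if real and claimed and real != claimed:
            findings.append(("link_mismatch", f"shows {claimed}, goes to {real}"))
    return findings

# Constructed sample messages (not real mail); .test domains are placeholders.
SAMPLE_PHISH = (
    'From: "Example Bank Support" <support@examp1e-bank.test>\n'
    "Subject: Action required\n"
    "Content-Type: text/html\n\n"
    "<p>Dear valued customer,</p><p>Your account is suspended. Pay now:</p>"
    '<a href="http://login.unrelated-host.test/verify">www.example-bank.test/login</a>'
)
SAMPLE_LEGIT = (
    "From: billing@example-bank.test\n"
    "Subject: Your statement\n"
    "Content-Type: text/html\n\n"
    "<p>Hi Jordan,</p><p>Your monthly statement is ready.</p>"
    '<a href="https://www.example-bank.test/statements">View your statement</a>'
)

if __name__ == "__main__":
    for check, detail in check_email(SAMPLE_PHISH, {"example-bank.test"}):
        print(f"{check}: {detail}")
```

A message with no findings is not proven safe; the checklist's own cautions about hidden destinations and encrypted phishing sites still apply.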

It takes just ONE employee to click on a bad email to cause a lot of potential harm to your business.  Ask us about affordable ongoing cybersecurity training, testing, and simulated phishing tests to help keep your organization safe!

Tags: Cybersecurity, email scams, cybersecurity, work from home

Work From Home - Stay Safe On-line with Strong and Unique Passwords

Posted by Ann Westerheim on 4/24/20 4:59 PM

Cybercrime instances appear to have jumped sharply since the beginning of the coronavirus pandemic, according to the FBI. The bureau’s Internet Crime Complaint Center (IC3) reported last week that it’s now receiving between 3,000 and 4,000 cybersecurity complaints each day, up from the average 1,000 complaints per day the center saw before the pandemic.

There are many types of threats, and many ways to stay more secure, but one simple thing is to use strong and unique passwords, facilitated by a password manager.

Can you memorize 50-80 different passwords? The average person may use 50-80 applications that require passwords (or more!). Each password should be strong and unique. A strong password contains uppercase and lowercase letters, with numbers, and symbols. The longer the password, the better. In addition, a different password should be used for every site you visit (banking, business applications, social media, etc.). The problem is that the average person simply can't remember that much information, and what ends up happening is corners are cut. If one site gets breached and your password ends up on the Dark Web, and you use that same password in ten different places, hackers can do "credential stuffing" to gain access to your other accounts.

Beware of social media quizzes online. Answers to fun questions about your high school mascot, year of graduation, etc. can also be used by hackers. If you rely on dates and places to compose your passwords, they may easily be cracked.

Get a Password Manager.  With so much change pushed upon us suddenly, one simple thing you can do to gain control is to use a password manager.  A password manager assists in generating and retrieving complex passwords, potentially storing such passwords in an encrypted database or calculating them on demand. This makes it easy to store passwords securely, and you'll be able to change passwords and "remember" them.  

 

Tags: cybersecurity, remote work, work from home

10 Tips to Keep Cybercriminals Out While Coronavirus Keeps You In

Posted by Ann Westerheim on 4/13/20 4:02 PM

Over the past several weeks, Ekaru has helped many businesses in the greater Boston area set up remote offices. As businesses scrambled to set up a remote workforce, the initial focus was on business continuity - trying to continue operations after leaving the physical office. Now as employees have settled in, security needs attention. Major events like the Coronavirus pandemic create new opportunities for cybercriminals to exploit, but smart defense doesn't let them. These tips can help keep systems and data safer in uncertain times.

  1. Get the facts.  Stay away from the rumor mill and use information from reliable sources to make business decisions in chaotic times.  There's been a big increase in emails for fake news, health information, and cures.  Go direct to trusted websites for information.
  2. Think twice before clicking links.  Make sure staffers are on the lookout for suspicious links that can lead to ransomware.   It's very easy for scammers to "spoof" a link that looks legit, but takes the user to a different location.  In fact, many dangerous emails don't even look suspicious until they're studied closely.  
  3. Be suspicious of unexpected attachments.  Ensure users only open attachments from proven, trusted sources no matter how "official" that attachment looks.  Attachments can hide computer code that can harm your system and lead to security breaches.
  4. Automate compliance.  Have one less thing to worry about by choosing a dynamic web portal system that keeps track of everything.
  5. Protect those passwords.  Encourage safe password practices like using a password manager and not writing them down on sticky notes.  The MA Data Security law requires strong passwords that are stored in a safe way.  No one can simply memorize the 50-80 passwords that typical users require these days.
  6. Beware of strange networks.  Make staffers aware of the dangers of logging in from insecure public and home WiFi networks and how to use them safely.    Watch for accidentally connecting to the wrong network, and make sure your network has a strong password, especially if you live in a crowded area.  When you click on the wireless networks symbol on your computer, you can see all the networks around you, and guess what - all of those people can see your network too.  Make sure your network is protected by a strong password.
  7. Use two-factor authentication.  An extra layer of security keeps passwords and data safe.  Typically you'll be prompted to enter a random numeric code generated on your smart phone after entering your password.  If anyone gets your password, they can't access your systems without the extra code.
  8. Keep an eye on the bad guys.  Monitor the Dark Web to watch for company data so a problem can be addressed before it becomes a crisis.  This is an early warning system that can save you from a lot of risk.
  9. Stay current on threats.  Work with a partner that's on top of today's challenges.  Awareness goes a long way to help protect your network.  
  10. Ask for help.  Consult a security expert to plan effective strategies and get innovative solutions.  There are many great options that are budget friendly.  Too many small businesses are intimidated by security.  Learn about your options.

With modern technology, we can work together to stay productive during this pandemic.  With all the disruption and anxiety, cybercriminals are sadly taking advantage of the situation, but with a focus on security, you can help protect your business.  Download the infographic.

Tags: small business, small business technology, cybersecurity, remote work

COVID-19 - Remote Work Tips

Posted by Ann Westerheim on 3/27/20 5:03 PM

As everyone works together to "flatten the curve" via social distancing, many workers are scrambling to work from home on short notice. We've been fielding a lot of questions and put together some of the answers here in one post.

If you're new to video conferencing, don't be intimidated. Most modern laptops have a webcam and microphone built in, so you don't even need any extra equipment. Here's a short video showing how to launch a GoToMeeting call - as you'll see in the two minute video, it's very simple. It may take a little practice, but after a few tries you'll be comfortable:

GoToMeeting is our recommended solution for conducting video and screen-sharing calls.  A couple of things to remember if you're new to video conferencing.   

  • Mute your microphone when you're not talking. This will cut down on distracting background noise especially in large groups.
  • Take care to set up in a location with an appropriate background
  • View your own video so you know what you look like
  • Keep your own video viewable, so you don't forget you're on camera. You may not want all your colleagues seeing you snack while on the call.
  • Get familiar with the audio and video mute buttons. You may need to use them, and it's awkward to fumble on camera.
  • Remember to CLOSE the meeting when you're done!  Or you may be sharing your screen the rest of the day!
  • Keep your laptop camera covered when not in use.

Non-profits, municipalities, and healthcare organizations can get a 90 day remote work kit - Contact us if you'd like us to help you get access.  Please put "Emergency Remote Work Kit" in the subject line.

Always keep security and privacy in mind when you're conducting conference calls or video calls.  There are other great remote collaboration tools available, but please keep in mind that the free versions may not be appropriate for business calls.  Zoom has been in the news recently for some privacy concerns - https://www.consumerreports.org/video-conferencing-services/zoom-teleconferencing-privacy-concerns/

NIST has also put together an excellent list of security recommendations in an infographic:  Conference Call Security Graphic

Don't be intimidated by technology, and remember security and privacy as you adjust to remote work.

Tags: cybersecurity, remote work

Technology Tips and Advice for Remote Workers

Posted by Ann Westerheim on 3/19/20 12:16 PM

Working remotely has become a necessity for many with the Coronavirus outbreak. The technology that enables many to work remotely is a great benefit to keeping many businesses operational, but it also poses many new risks for the security of your organization’s data. For example, if an employee-owned device (laptop, PC, etc.) is connected to the company’s network and contains a virus or malware, it could spread to your company’s network. Additionally, it becomes more of a challenge to verify the legitimacy of emails (for example, you’re no longer right down the hall from your CEO who requested an unusual wire transfer), you may be unfamiliar with policies and procedures as they pertain to a work from home environment, and the list goes on.

We’ve developed a list of guidelines and tips to assist you as you prepare to work from home in a safe, functional work environment. Note, this list is intended for guidance and information purposes only. If you have any questions regarding these tips, please reach out to us for additional information.

Guidelines & Tips
  • Secure workspace
    • Ensure you have the ability to lock your devices (laptop, PC, etc.) and any business relevant information when not in use. Use the keyboard shortcut “Windows Button” + “L” to lock your screen when not in use. Right at the moment, none of us are mobile, but in normal times, cable locks for laptops should be used when necessary. Laptops and devices should be locked out of sight and/or in the trunk if they must be left in a vehicle unattended.
    • Avoid using your personal devices for work-related business.  Best case scenario is a company issued laptop with full security or a dedicated home office system with full security.  Use separate accounts if you have to share a computer in the case of an emergency.
    • Safely perform conversations without visitors eavesdropping or shoulder surfing, especially if you deal with protected information.  This is a bigger issue in “normal” times in a mobile setting like a coffee shop, but keep in mind that any regulated information has to stay protected ALWAYS.  
    • Protect the data you are accessing by using a VPN to log into the company network, and ensure you are protecting data visible on your screen with a screen protector. This is especially critical for employees who are required to be HIPAA compliant, PCI compliant, etc. 
    • Restrict the use of devices containing business-relevant information. Do not let family members, friends, or anyone but yourself use company-owned devices or personal devices used for business purposes
    • Use strong unique passwords on all your devices and accounts to prevent unauthorized access
  • Wireless Security
    • Change default Wi-Fi Router passwords
    • Enable WPA-2 or higher encryption 
    • Ensure your local router firmware is up to date
    • Limit the use of public Wi-Fi. Always use a VPN when connecting to public Wi-Fi. Never use public Wi-Fi to send sensitive information without a VPN 
  • Ensure all personal devices are secure with company-provided or personally owned antivirus and anti-malware software
  • Update IoT device firmware (smart thermostats, surveillance cameras, etc.)
  • Ensure default passwords are changed 
  • Ensure the software on all devices within your home network is kept up to date (corporate laptop, IOT devices such as cameras and smart thermostats, personal laptops/tablets, etc.)
  • Review and follow corporate Bring Your Own Device (BYOD) and other relevant policies and procedures
AWARENESS 
  • Remote Work Employee Awareness
    • Be extremely cautious of email phishing scams
    • Limit social media use
    • Don’t reveal business itineraries, corporate info, daily routines, etc.
So many of our normal schedules and routines are temporarily disrupted.  Sadly, cyber criminals are taking advantage of this, and fake Coronavirus maps are being circulated containing malware, and there have even been some reports of ransomware attacks at hospitals.  Please remind everyone on your team to “think before you click”.  
 
Also, something we’re thinking about a lot these days, is that we’re grateful for the ability to keep doing our work remotely, and we’re acutely aware that for many, remote work is a luxury out of reach, and the crisis has a much harsher financial impact.  We’re all in this together, and we’re here to help in any way we can.

Tags: cybersecurity, remote work

October is National Cybersecurity Awareness Month - Resources for SMBs

Posted by Ann Westerheim on 10/28/19 10:14 AM

Hardly a day goes by without national news related to Cybersecurity. Target, Marriott, Yahoo, Facebook, and Home Depot have all had major incidents in the past few years. In addition, the cities of Atlanta and Baltimore, as well as many municipalities in Texas, have all been hit with Ransomware in the past two years. Locally in the Boston area, schools, police departments, and several towns have all been hit.

At this point, everyone's aware of the big headlines, but too many small and medium businesses have heard the headlines and created a false sense of security thinking only bigger targets need to worry.  In fact, over half of cyber threats hit smaller businesses, but individually, none of these is big enough to make national news. 

Why are so many smaller businesses at risk?  Many modern threats are automated, and cybercrime is now bigger than all other forms of organized crime.  Simply put, it's become a money maker for thieves.  As a small business, what would it mean for you to lose all access to your data? Perhaps you have a backup, but it could take weeks to recover.  Often the backup is wiped away during an attack, and it wouldn't even be available to you. The threat actors don't care about how important your data is to them, they care about how important it is to YOU.

A layered approach to security is advised. This is also often called "Security in Depth". A business class firewall, antivirus protection on all systems, Security Patch Updates, AI based threat protection, DNS management... all of these are important. Tools that were previously only affordable to larger enterprises are now affordable to small businesses. When we engage with a business to provide IT support, the first thing we do is install a long list of security layers. No security is 100%, but implementing security layers greatly decreases your chances of being attacked.

However, as protection layers increase, the threat actors get more and more creative and think of new ways to get threats onto your network. In the Verizon 2019 Data Breach Investigations Report, the typical company reports that 94% of malware enters networks through email. Training users on what to click on and what to avoid therefore needs to be a major priority.

There are still a few days left in October for Cybersecurity Awareness Month, and it's always a good time to train your team.  Many of the businesses we work with sign on for our formal training platform, but ANY training you do, even just once in a while will help.  The Department of Homeland Security has some great links in support of Cybersecurity Awareness Month.    The theme is OWN IT, SECURE IT, PROTECT IT, and the site has some great informational handouts for your team.   The handouts include information on Travel Tips, Strong Passwords, MFA (Multi Factor Authentication), Phishing, Social Media, and more.  All are free and available to everyone.  If you're not incorporating security discussions in your staff meetings, then now is the time to start!  

Call to action!  Review the tip sheets listed above and review at least one at your next staff meeting.  If you're a small business in the greater Boston area, reach out to us and we'll schedule a complimentary review of your IT infrastructure and security and we'll provide more detailed and specific recommendations.

Tags: cybersecurity

Key Takeaways:  Verizon Data Breach Investigations Report

Posted by Ann Westerheim on 7/29/19 5:07 PM

Each year Verizon publishes the much-anticipated Data Breach Investigations Report (DBIR). The report is built on real-world data from 41,686 security incidents and 2,013 data breaches provided by 73 data sources, both public and private entities, spanning 86 countries worldwide. We'll cover some of the key take-aways in this post, and if you're interested in more information, we recommend checking out the full report.

One of the key take-aways is that small businesses are a prime target, with 43% of breaches affecting SMBs. Too many small businesses believe they're under the radar, and this isn't the case. Large, well-known businesses make the headlines when a breach occurs, but SMBs aren't safe. Ransomware as a service has become a big money maker. Any business that stores financial or other protected information is a target, and in the case of ransomware, what really matters is how important the data is to you. Can your business run without access to your data for days or weeks while you try to recover from a ransomware attack?

Another significant data point is that email is still the top threat vector for hackers to deliver malware to targets. After reviewing millions of malware detonations, Verizon found that the median company received over 94% of their detected malware through email. We have a mantra: "Think before you click!" Fake invoices and fake resumes fill the inboxes of busy professionals. We strongly recommend email security scanning AND employee training based on actual phishing test cases.

One of the biggest concerns from the report is that while attackers are quick to extract stolen data, defenders are distressingly slow to detect that a compromise even occurred. On average, 56% of the breaches identified in this report ‘took months or longer’ to discover. The time it takes hackers to gain a foothold and then actually compromise the asset can be measured in minutes. Many businesses don’t realize they are breached until the stolen info becomes public. We strongly recommend detection tools and Dark Web monitoring to help make sure threats are detected early for the fastest response.

Data breaches continue to make headlines and this is the world we now live in.  It seems no matter what defensive measures security professionals put in place, attackers are able to circumvent them.  No organization is too large or too small to fall victim to a data breach and no industry vertical is immune to attack.  It's a scary situation, but there's actually a lot you can do at an affordable price to stay protected.

Having a sound understanding of the threats you and your peer organizations face, how they have evolved over time, and which tactics are most likely to be utilized can prepare you to manage these risks more effectively and efficiently. We strongly advise all businesses to work through a disaster recovery plan to make sure you have the right safeguards in place appropriate to the size of your business, and to maximize your chances of a speedy response to a threat. The great news for SMBs is that many tools that were previously only available to enterprise class businesses are now available at an affordable SMB price. The foundational security measures from years past (firewall, antivirus, and security patches) are NOT enough to have an adequate protection level for today's threats.

Call us for a security assessment and we'll help make recommendations to stay protected.  

 

Tags: cybersecurity, ransomware
