Top 5 Small Biz Tech Trends for 2018

November 20, 2017 –

In October Microsoft surveyed over 1300 small business owners to gain insight into the trends we’ll be seeing in 2018. And there were a couple of surprises. Here we’ll share our take on the results, and showcase what we believe are the top 5 most important tech trends to be aware of as we turn the corner into next year.

#5 – Keeping up with Technology is a Top Concern

The top tech challenge for small businesses in 2018 is keeping up with the pace of technology change: nearly half of the established business owners surveyed picked it as their top concern. There is no arguing that technology is rapidly changing the business landscape. But in some ways, new technology is leveling the playing field for small businesses as they go up against their larger competitors.

#4 – In-person Contact Still Dominates

The most dominant communication form is still in-person contact, with email and text messaging further down on the list.  Fifty-one percent of small business owners indicated that in-person communication is still their “go-to” form.  This one felt like a bit of a surprise, but for a small business, having personal and engaging direct communication with your customers could be a unique differentiator in the market and is often a key part of the value proposition. From a tech trends perspective, in our own experience we’re also seeing more and more small businesses beginning to rely on text messaging for communicating to their employees, suppliers and customers.

#3 – Younger Businesses Rely Heavily on Mobile Devices

Managing your work from a mobile device is a trend that continues to rise.  Younger businesses (those in business for less than one year) are more likely to have employees working primarily from mobile devices compared to their established counterparts.  Approximately 2/3 of those businesses indicated that at least some of their employees are using mobile devices as their main technology for their job.  In general, the respondents were very mobile.  Rather than the traditional office, they are working from multiple locations and from home.

#2 – Small Businesses Are Underprepared and Concerned about Cybersecurity Threats

Small business owners feel underprepared for cybersecurity threats, with half of respondents indicating they’re concerned about a data breach.  And they have every right to be concerned.  43% of cyber-attacks happen to small businesses. And attacks are on the rise.  For more information on how to protect your business, check out our Threat Management page.

#1 – Too Many Small Businesses are Doing Nothing to Protect Themselves

As we write this tech trends article for 2018, this is the one which came as a surprise to us. And it’s also the most important. When we begin working with a new client one of the first things we put in place is a robust plan for Data Security.  Yet according to the Microsoft survey, many small businesses, a whopping 25%, say they are doing nothing to protect themselves from cyber security threats.  Why is this so concerning? As we mentioned, 43% of attacks happen to small businesses.  And for those experiencing a major data breach, 60% go out of business within six months.*

For those who are taking action, 70 percent have indicated that they would prefer to partner with experts in the area of cyber security rather than trying to go it alone.  For those companies, 30% are using encryption software, which can help protect the data on your machines if they are lost or stolen.  Almost 40% have their employees using some form of anti-virus software on their machines.

For more information on how to improve your data security please visit the data security section of our website.  You can also download the “Data Security: Top 10 Ways to Protect Your Business” whitepaper.

* http://www.denverpost.com/2016/10/23/small-companies-cyber-attack-out-of-business/

Spam – Simply Annoying or a Serious Business Threat?

November 13, 2017 –

It’s November of 2017 and we honestly can’t believe we’re writing a blog post about spam.  Yet spam-related issues are still a major problem…and it feels like it’s coming back in full force.  Is it our imagination?  Unfortunately not.  Back in 2010 spam was hitting its peak.  It was all over your inbox, and incredibly annoying.  But for the most part it was simply that…annoying.  The bulk of it just delivered ads you didn’t want.  And occasionally you would hear about spam delivering viruses, and people got used to the idea of installing anti-virus programs on their machines.  For users, you cleared out your inbox and moved on.

And over the past few years, we’ve all enjoyed a bit of respite from the spam deluge.  New anti-spam software came on the market.  Governments and private firms collaborated to take down spam-sending cyber criminals.  It appeared to be a problem under control.

Spam is Back. And It’s Brought Some Friends Along

According to the latest Cisco Cybersecurity report*, spam has come back in a big way, rivaling levels we saw back in 2010.  It is now estimated that nearly two-thirds of total email volume is spam, and the volume is growing.  What is even more unfortunate is that about 8 to 10 percent is malicious, meaning it includes dangerous attachments.  Often there are multiple malicious files included within a container zip-style file.  Cyber criminals are experimenting with a wide range of file types to see which ones are more successful.  They are flexible and dynamic in their approach, and quickly adjust as needed.
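The zip-in-zip pattern described above can be screened for before a message ever reaches an inbox. The following is an added example written for this page, not code from Xlingshot or from any email defense product: it parses a message, walks its attachments, opens zip containers (including nested ones) in memory without extracting anything to disk, and reports members whose extension marks them as executable or script content or that hide a risky extension behind a harmless one. The extension lists and the sample message are constructed for the example.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# File types that commonly carry the first stage of a malicious spam attachment.
# Starting list for this example, not an exhaustive one.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".jse", ".vbs", ".wsf", ".hta",
                    ".bat", ".cmd", ".ps1", ".lnk", ".jar", ".docm", ".xlsm"}
ARCHIVE_EXTENSIONS = {".zip"}


def _ext(name):
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def _double_extension(name):
    # "invoice.pdf.js": a harmless-looking extension followed by a risky one
    parts = name.lower().split(".")
    return len(parts) > 2 and "." + parts[-1] in RISKY_EXTENSIONS


def inspect_zip(data, prefix, depth=0, max_depth=3):
    """Return findings for the members of a zip container, recursing into nested zips."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # A ".zip" that is not a zip is more suspicious, not less
        return [f"{prefix}: not a valid zip container (possible disguised payload)"]
    with zf:
        for info in zf.infolist():
            member = f"{prefix}/{info.filename}"
            ext = _ext(info.filename)
            if ext in RISKY_EXTENSIONS or _double_extension(info.filename):
                findings.append(f"{member}: executable or script content ({ext})")
            elif ext in ARCHIVE_EXTENSIONS:
                if depth < max_depth:
                    findings.extend(inspect_zip(zf.read(info), member, depth + 1, max_depth))
                else:
                    findings.append(f"{member}: nesting too deep, not inspected")
    return findings


def triage_message(raw_bytes):
    """Parse an RFC 822 message and return the reasons to quarantine it (empty list = nothing found)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        ext = _ext(name)
        # Match on the extension or on the zip magic bytes, so a renamed zip is still opened
        if ext in ARCHIVE_EXTENSIONS or payload.startswith(b"PK\x03\x04"):
            findings.extend(inspect_zip(payload, name))
        elif ext in RISKY_EXTENSIONS or _double_extension(name):
            findings.append(f"{name}: executable or script attachment ({ext})")
    return findings


def build_sample_message():
    """Constructed sample: an 'invoice' mail carrying a zip with a script and a nested zip inside."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("readme.txt", "open the document")
        z.writestr("document.pdf.js", "// not actually a PDF")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("invoice.js", "var s = new ActiveXObject('WScript.Shell');")
        z.writestr("attachments.zip", inner.getvalue())
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "ap@example.org"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(outer.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage_message(build_sample_message()):
        print("QUARANTINE:", finding)
```

Extension checks are a first filter, not a verdict; a real gateway also looks at file magic, macros inside Office documents, and detonates unknowns in a sandbox. The shape of the check is the point: inspect containers recursively and in memory, cap the nesting depth, and treat a .zip that is not a zip as suspicious rather than as harmless.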

How to Protect Your Small to Midsized Business

Small and mid-sized businesses need just as much protection as large enterprises.  Due to the nature of the threat, spam is an equal opportunity access point for hackers.  It spreads far and wide, and is constantly changing.  Businesses need to protect their systems by using an email defense solution, which filters out unwanted and dangerous spam, preventing it from infiltrating the organization. And it’s critical that your solution provider continuously updates their defense software with the latest protections from constantly changing threats.

Users often have one main complaint about email defense and filtering solutions: sometimes a legitimate email from a new customer or supplier gets “caught” in the filter. Every few hours the email security software sends a notice about messages sitting in quarantine, but by then you may have already wasted a lot of time trying to track down the missing email. If you use Outlook to manage your email, one feature we recommend is a solution that includes a Microsoft Outlook plug-in. With it you can quickly check which messages are quarantined and release the safe ones right from Outlook. You get all the protection without the inconvenience.

Email Defense and Filtering is a Must…but it can only go so far

You need a solution that continuously keeps your system up-to-date with the latest protections.  This is because cyber criminals are continually adjusting their approach in order to circumvent these protections.  They create a new malicious file and the email defense software hasn’t seen it before.  The defense software quickly adapts, and within a few seconds or minutes it will begin blocking the new threat.  The cyber criminals like to work in that window, sending out as much spam as possible. It is a constant race, and no defense software can keep every bit of spam out 100% of the time.

Your next best line of defense is the individual user.  Training is essential so users learn how to spot and avoid interacting with spam emails.  A strong email defense and filtering solution works almost like a magic wand, but you must strengthen every link in your chain.  Each employee is potentially a vulnerable entry point, and you must give them a strong training program to provide the information, test their knowledge, and continually refresh the team to keep their skills sharp.

For more information on how to train your employees to stay vigilant, visit the User Training portion of our website.

If you would like to start a data security training program, please call us at 303-410-2845, email us at info@xlingshot.com, or use the Contact Us page.

– The Xlingshot Team

* Cisco 2017 Annual Cybersecurity Report

Top 5 Social Engineering Scams – Protect Yourself

November 6, 2017 –

What are Social Engineering Scams?

Social engineering scams are tactics that let attackers into your systems by manipulating your employees directly rather than by breaking the technology. It takes cyber-attacks to a whole new level, and it is hard to prevent because the weak point is a person, not a piece of software. With social engineering, the attacker focuses on a specific target and tries to fool them into clicking on a link or downloading a file, or into revealing personal and confidential information like usernames and passwords.

What are the main Social Engineering Scams to watch out for?

There are 5 main social engineering scams.  Read below to find out how to spot them before hackers can do damage to your systems.

  1. Phishing – Phishing is by far the most common social engineering scam, and it is typically done through email. The attacker poses as a financial institution or some other authoritative group (like a government agency) and sends an email that demands “urgent” attention from the target user. These emails contain a malicious attachment or an embedded link; when the user opens the attachment or follows the link, malware is released into the system. Sometimes the damage is obvious right away; other times the malware lurks silently, waiting to strike at a later date.
  2. Baiting – Baiting is a lot like phishing. The user will receive an email from a seemingly reliable source. The message will include some sort of incentive or reward for engaging with the content.  Often this will be in the form of a free gift the employee can claim.
  3. Pretexting – Pretexting is when an individual lies and pretends to be someone else in order to gain information. It typically comes in a couple of forms. In one, the attacker pretends to hold a position of authority inside the company. They send a message from a fake email address that at first glance looks like the legitimate one (a letter swapped or a character added to the domain), often with a similarly formatted email signature. They are betting that people are too busy to notice the address is spelled slightly differently, and they are right: how often do you actually look at the full email address of a contact you already know? The email will instruct you to open an attachment, or ask the employee to add a new supplier account to your financial system. In the other form, the attacker pretends to be an authority outside the company, such as your bank or a government agency, and contacts you by phone or email saying they need to verify your personal information to confirm your identity. They are very talented and manipulative, and can easily trick an unsuspecting person into revealing more and more information over time.
  4. Quid pro quo – This is a bit like baiting, where the employee is (seemingly) getting something of value in exchange for information. Often it takes the form of someone pretending to be IT support and offering to fix something on the employee’s machine in exchange for their login information, which they claim to need in order to correct the problem. Or, in an ironic twist, they say they want to install data security software to protect the employee from hackers.
  5. Tailgating – this form of social engineering is more hands-on and in-person. As your employee is approaching the door to the office, they will be followed in by another “employee” or “delivery person.”  Often the fake employee will pretend to have their hands full and be struggling to find their badge.  These types of scammers are incredibly comfortable with conning people, and appear to be friendly and social.  They might even read the employee’s name off their badge and pretend to know them.  And now they have access to your facility.  Side note: this is a particular vulnerability for small and mid-sized businesses leasing space in larger office buildings.  Someone will gain access to the building as a whole and then easily follow an employee into their work area. 
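The lookalike-address trick in the pretexting item can be caught mechanically, which is worth doing precisely because, as the post says, people do not read full addresses. The code below is an added example for this page, not Xlingshot’s or any product’s: it compares the sender’s domain against a list of domains you actually correspond with, after normalising characters that look alike (0/o, 1/l, rn/m), flags a display name that advertises a different domain than the real address, and flags a Reply-To that diverts responses elsewhere. The known-domain list, the confusable table and the test headers are constructed for the example.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Domains the business legitimately corresponds with (constructed sample for this example).
KNOWN_DOMAINS = {"xlingshot.com", "example.com"}

# Swaps that read the same at a glance in common fonts (illustrative, ASCII only).
_CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
_CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def normalize(domain):
    """Fold confusable characters so that xlingsh0t.com and xlingshot.com compare equal."""
    d = domain.lower()
    for pair, replacement in _CONFUSABLE_PAIRS:
        d = d.replace(pair, replacement)
    return d.translate(_CONFUSABLE_CHARS)


def lookalike_of(domain, known=KNOWN_DOMAINS, threshold=0.85):
    """Return the known domain this one imitates, or None if it is an exact match or unrelated."""
    domain = domain.lower()
    if domain in known:
        return None
    norm = normalize(domain)
    best, score = None, 0.0
    for k in known:
        if norm == normalize(k):
            return k                      # differs only by confusable characters
        ratio = SequenceMatcher(None, norm, normalize(k)).ratio()
        if ratio > score:
            best, score = k, ratio
    return best if score >= threshold else None   # one character off, e.g. xlingshot.co


def assess_sender(from_header, reply_to_header=None, known=KNOWN_DOMAINS):
    """Return a list of warnings for one message's From (and optional Reply-To) header."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    warnings = []
    target = lookalike_of(domain, known)
    if target:
        warnings.append(f"sender domain {domain!r} looks like known domain {target!r}")
    # Display name carrying an address from a trusted domain while the real address is elsewhere
    m = re.search(r"@([\w.-]+)", name)
    if m and m.group(1).lower() != domain:
        warnings.append(f"display name shows {m.group(1)!r} but the address is {domain!r}")
    if reply_to_header:
        _, reply = parseaddr(reply_to_header)
        reply_domain = reply.rpartition("@")[2].lower()
        if reply_domain and reply_domain != domain:
            warnings.append(f"replies go to {reply_domain!r}, not {domain!r}")
    return warnings


if __name__ == "__main__":
    # Constructed headers: a lookalike domain, a diverted Reply-To, and a clean one
    samples = [
        ("Xlingshot Billing <billing@xlingsh0t.com>", None),
        ("CEO <ceo@xlingshot.com>", "ceo.xlingshot@gmail.com"),
        ("Support <help@xlingshot.com>", None),
    ]
    for from_header, reply_to in samples:
        print(from_header, "->", assess_sender(from_header, reply_to) or "ok")
```

Run it on inbound mail for anything that asks for money, credentials, or a change to payment details. The confusable table here is ASCII only; a production version should also fold Unicode homoglyphs (the Unicode confusables data) and check how recently the sending domain was registered.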

How can I protect my business from Social Engineering?

Training. Training. Training.  There’s no magic wand…preventing social engineering requires you to strengthen every link in your chain.  Each employee is potentially a vulnerable entry point, and you must give them the skills to spot a social engineering scam and shut it down.  A strong training program will give people the information, test their knowledge, and continually refresh the team to keep their skills sharp.

For more information on how to train your employees to stay vigilant, visit the User Training portion of our website.

If you would like to start a data security training program, please call us at 303-410-2845, email us at info@xlingshot.com, or use the Contact Us page.

– The Xlingshot Team

Significant Wi-Fi Network Vulnerability – WPA2 Security Flaw

October 20, 2017 –

Earlier this week, security researchers announced a flaw in WPA2, the protocol that encrypts the majority of Wi-Fi networks. WPA2 protects the connection between a wireless device (tablet, mobile phone, printer, etc.) and the wireless access point, and until a few days ago it was considered very secure. The newly disclosed attack, called KRACK (Key Reinstallation Attack), exploits a weakness in the WPA2 handshake: an attacker within radio range of the network can trick a device into reinstalling a key it has already used, and from there read traffic that device sends. Because the attack targets the devices rather than the password, changing your Wi-Fi password does not help; patching the devices does. Android and Linux devices are particularly susceptible, since their Wi-Fi software could be tricked into installing an all-zero key, which makes decryption trivial.

How Will the WPA2 Security Flaw Affect Me?

The attack has to be carried out by someone within radio range of your network, and it works against any WPA2 network, password protected or not, because it targets the devices rather than the password. That makes public WiFi the most exposed setting: you have no idea who else is in range. We recommend that you never send secure, sensitive, or personally identifiable information over public WiFi. With this vulnerability a password-protected public network is no safer, so avoid them if possible until your devices are patched.

What Steps Can I Take?

  1. Only send sensitive and personally identifiable information when on your secured work network.
  2. Use a trusted Virtual Private Network (VPN) when connecting via WiFi. A VPN encrypts your traffic between your device and the VPN server, so it stays protected even if the Wi-Fi encryption is broken.
  3. Set up a VPN on your smartphones and tablets too, not just your PC/laptop, to protect all of your web traffic.
  4. Only visit websites that use HTTPS (Hyper Text Transfer Protocol Secure). You can confirm this by looking at the URL: it should start with “https://” rather than the unsecured “http://” (without the “s”). KRACK does not break HTTPS itself, but an attacker who has used it to get between you and the network can try to strip HTTPS from sites that do not enforce it, so also watch for a padlock that disappears or a page that unexpectedly loads over “http://”. HTTPS still provides an important extra layer of security.
  5. Watch for security updates from Microsoft, Apple, Google and others and apply them to your mobile devices.
  6. If you have Internet of Things devices (Amazon Echo, Google Home, connected thermostats, smart lights, etc.) check with your manufacturer for firmware updates.
  7. Check for firmware updates for your wireless access points and Internet routers.

For Current Xlingshot Customers

If you are a current Xlingshot managed services customer please rest assured we are updating your supported PCs, laptops and wireless network devices with the appropriate patches as soon as they become available.  Most updates have already been applied.

How Can I Enhance my Data Security?

For more information on how to improve your data security please visit the data security section of our website.  You can also download the “Data Security: Top 10 Ways to Protect Your Business” whitepaper.

Is it Time for a Password Manager?

October 16, 2017 –

A couple of weeks ago we wrote about the importance of changing and managing your passwords.  We also provided some tips on creating complex and unique passwords that are continuously updated.  (If you missed the post check it out).   For those of you who read the article and thought “I’m not sure I want to deal with that” there may be another way…the Password Manager.  There are multiple options out there for password management software.  Here’s what you need to know.

What is a Password Manager?

A password manager is an application you install on your computer and mobile devices to make password management quick and easy. The core concept is that you remember one strong Master Password to unlock the manager, and it creates and stores a unique password for every website you use. Most products include a password generator that produces long random passwords you never need to remember, and many can fill in your login credentials automatically. Because everything hinges on the Master Password, make it a long passphrase and turn on two-factor authentication for the manager itself.

Will Password Managers work on my mobile devices?

Most fee-based password managers will sync across all of your devices including Windows and Mac computers as well as mobile phones running iOS or Android.

How can I get a Password Manager?

There are several password managers on the market today. Some are free and others charge a fee; prices range from about $12 to $40 and up, depending on the features you want. Popular choices include LastPass, LogMeOnce, and Sticky Password. LastPass and LogMeOnce both offer free tiers; check each vendor’s product comparison page to see which features (such as syncing across devices) are included in the free version versus the paid one.

If you try a new password manager feel free to come back and leave a comment sharing your experiences.

For more information on how to improve your data security please visit the data security section of our website.  You can also download the “Data Security: Top 10 Ways to Protect Your Business” whitepaper.

– The Xlingshot Team

That Favorite Password You Love…It’s Out There | Xlingshot Tech Tip of the Month

October 2, 2017 –

That favorite password you love is great. You know it well. It flies off your fingers onto your keyboard with lightning speed and gets you in everywhere. Unfortunately, if you’re using the same one in more than one place there’s a very good chance it’s out there. And not “out there” in a cool way, it’s out there on the dark web, waiting to be purchased by the next cyber-criminal set out to make some cash and ruin your day.

So, what’s the right type of password? Passwords should be like your high school relationships: super special, constantly changing and overly complicated. By special we mean you should treat each place you log in as special, with a separate password for each, so that one leaked password opens one account rather than all of them. Change them every 30 – 90 days, and immediately if you suspect one has been exposed (current NIST guidance, SP 800-63B from 2017, no longer recommends forced periodic changes and puts the emphasis on unique passwords that are changed on evidence of compromise). Passwords should also be complicated and include a mix of characters: capital letters, lowercase letters, numbers and symbols.

When setting up password policies, the main complaint we hear is that creating complicated passwords and changing them regularly is a pain. But it doesn’t have to be. Here’s a quick tech tip for creating memorable passwords:

Xlingshot Monthly Tech Tip: How to Create a Memorable Password

    1. Make up a sentence(s) you’ll remember. We create some pretty outrageous ones that stick in our mind easily. Or it can be basic like a sentence about your favorite food.
      e.g. “I like to eat pizza on Friday nights. How much? 17 pieces!”
    2. Use the first letter of each word to create your password, and keep the symbols.
      In the above example your password would be “Il2ePoFn.Hm?17p!” (fonts are tricky so if you can’t tell the first character is a capital “I” followed by a lower case “L” and we changed “to” to “2”)
    3. This is a nice long password (16 characters) but could be simplified as you see fit.

When it comes time to change your password, you can do a variation of the sentence.
e.g. “I like to cook 3 pounds of spaghetti. Why? It’s great!” This would be “Il2c3#os.W?Ig!”.

Tips for a strong password:

  • Have a mix of upper and lower-case letters with special characters like the pound symbol (#) or question mark (?) as well as numbers.
  • Don’t have anything personal included like birthdates for yourself, your spouse, or your kids. That information is easily found online and easy to guess.
  • Don’t use dictionary words.
  • Spread out the use of symbols and numbers throughout the password rather than bunching them up at the beginning or end.
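The sentence-to-password procedure above, together with the four tips, as an added example for this page (not Xlingshot’s code). mnemonic_password keeps the first letter of each word, whole numbers and all punctuation, and applies a small substitution table (the post’s “to” → “2” and “pounds” → “#”, plus a few more chosen for this example); check_password applies the tips as a policy check. Note that the post’s first example capitalises the “P” of “pizza” by hand; the mechanical rule yields a lower-case “p”, and the policy check confirms the result still has all four character classes.

```python
import re
import string

# Word-level substitutions applied while condensing the sentence.
# Assumption for this example; the post itself uses "to" -> "2" and "pounds" -> "#".
SUBSTITUTIONS = {"to": "2", "too": "2", "for": "4", "pounds": "#",
                 "and": "&", "at": "@", "percent": "%"}

_TOKEN = re.compile(r"^(\W*)([\w']+)(\W*)$")   # leading punctuation, word, trailing punctuation


def mnemonic_password(sentence, substitutions=SUBSTITUTIONS):
    """First letter of each word; numbers and punctuation kept; substitution words swapped."""
    pieces = []
    for token in sentence.split():
        m = _TOKEN.match(token)
        if not m:                       # token with no letters or digits at all, e.g. a lone "?"
            pieces.append(token)
            continue
        lead, word, trail = m.groups()
        key = word.lower().strip("'")
        if key in substitutions:
            core = substitutions[key]
        elif word[0].isdigit():
            core = word                 # "17" stays 17, not "1"
        else:
            core = word[0]
        pieces.append(lead + core + trail)
    return "".join(pieces)


def check_password(pw, personal=(), dictionary=(), min_len=12):
    """Apply the post's strength tips; return the list of violations (empty means it passes)."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw))
    if not all(classes):
        problems.append("needs lower-case, upper-case, digits and symbols")
    lowered = pw.lower()
    for item in personal:               # birthdays, names, anything findable online
        if item.lower() in lowered:
            problems.append(f"contains personal data {item!r}")
    for word in dictionary:             # any word list; short words would match too often
        if len(word) >= 4 and word.lower() in lowered:
            problems.append(f"contains dictionary word {word!r}")
    # "Spread out": digits/symbols only in the first or last two positions is the Password1! shape
    positions = [i for i, c in enumerate(pw) if not c.isalpha()]
    if positions and all(i < 2 or i >= len(pw) - 2 for i in positions):
        problems.append("digits and symbols are bunched at the ends")
    return problems


if __name__ == "__main__":
    for sentence in ("I like to eat pizza on Friday nights. How much? 17 pieces!",
                     "I like to cook 3 pounds of spaghetti. Why? It's great!"):
        pw = mnemonic_password(sentence)
        print(pw, len(pw), check_password(pw, personal=["1985"], dictionary=["pizza", "friday"]) or "ok")
    print("Password1!", check_password("Password1!", dictionary=["password"]))
```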

With the recent data breaches at Equifax, Yahoo and even the SEC there is a VERY GOOD CHANCE some of your passwords are out on the dark web. Start your new password process today…you’ll sleep better for it.
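Whether a particular password is already “out there” can be checked without sending the password anywhere, using the k-anonymity range lookup that Have I Been Pwned’s Pwned Passwords service offers: the client hashes the password with SHA-1, sends only the first five hex characters, and receives every breached hash suffix in that range to compare locally. The code below is an added example for this page, not Xlingshot’s. It exercises that protocol against a constructed offline table (the passwords and counts are made up for the example); the live fetcher is included only for reference and is never called here.

```python
import hashlib

# Real endpoint of the Pwned Passwords range API; this example does not contact it.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password):
    """Upper-case hex SHA-1, split into the 5-char prefix that is sent and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Turn the service's 'SUFFIX:COUNT' lines into a dict of suffix -> breach count."""
    table = {}
    for line in text.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit():
            table[suffix.upper()] = int(count)
    return table


def pwned_count(password, fetch_range):
    """Times the password appears in the corpus (0 = not found). Only the 5-char prefix leaves the machine."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for the service: a few breached passwords with made-up counts.
_BREACHED = {"password": 3730471, "letmein": 241000, "Summer2017!": 1200}


def offline_fetch_range(prefix):
    """Answer a range query from the constructed table, in the same format as the live service."""
    lines = []
    for pw, count in _BREACHED.items():
        p, s = split_sha1(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    lines.append("0" * 34 + "A:1")   # filler so no range is empty (assumption about the real service)
    return "\r\n".join(lines)


def live_fetch_range(prefix):
    """Same contract against the real service (needs network; not used by the offline check)."""
    from urllib.request import Request, urlopen
    req = Request(PWNED_RANGE_URL + prefix, headers={"User-Agent": "password-check-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "Il2c3#os.W?Ig!"):
        print(f"{pw!r}: seen {pwned_count(pw, offline_fetch_range)} times")
```

Swap offline_fetch_range for live_fetch_range to query the real corpus; the prefix alone is not enough to recover the password, which is the whole point of the range design.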

For more information on how to protect your systems, please download our free whitepaper “Data Security: Top 10 Ways to Protect Your Business”.  And please feel free to contact us at any time.

– The Xlingshot Team

Ransomware – Two Myths That Are Putting You at Risk

September 25, 2017 –

We’ve encountered some interesting perspectives when talking with small businesses about ransomware.  Unfortunately what we’ve found is most small and midsized businesses have beliefs about cyber security and ransomware that are anchored more in myths than in facts.  Here’s the two biggest myths we encountered, and why they’re dangerous for your business.

Myth #1: I won’t be a victim of ransomware

The first thing we found is that most small businesses think they won’t be a victim. After all, who would want to steal their data? Unfortunately the stats don’t bear that out: according to Symantec’s 2016 Internet Security Threat Report, 43% of cyber attacks target small businesses. That’s a startling statistic, but when you break it down it makes sense. Small and midsized companies are less likely to invest in protecting their business, so they are often an easier target for hackers.

When it comes down to it, hackers likely aren’t interested in stealing your data to sell it.  However they recognize that getting access to your data is ESSENTIAL for you and how you run your business.  By holding it ransom, they know you’ll be willing to pay to get it back.  For more information on how we can help you manage threats to your business, visit our Threat Management page.

Myth #2: Back-ups will protect me

The second thing we found is business owners believe that they are protected from ransomware.  After all, they’re backing up their data.  This falls under the theory that if they have a backup, they can just copy their files back over and they are all set.  Unfortunately, just backing up your data won’t necessarily provide the protection you think.  And even if it does, the cost of recovery will still likely be more expensive than preventing the attack in the first place.

Let’s break this down a bit.  Why wouldn’t backing up your data be sufficient?

Reason #1:  Back-up Software Can Be Manipulated

Some sophisticated hackers can directly manipulate the actual backup software that is installed on your network to erase and/or corrupt the backup files.  If the files are sitting on your network, they can be found and compromised.

Reason #2: “Shadow copies” Aren’t in the Shadows

Windows includes the Volume Shadow Copy Service (VSS), which takes point-in-time snapshots of a volume while it is in use; Previous Versions, System Restore and many backup agents rely on it. It is a convenient way to quickly restore a file or a server. However, for businesses relying on these shadow copies as an emergency “backup,” it is important to know that ransomware routinely deletes them before it starts encrypting, typically by running Windows’ own “vssadmin delete shadows” command (or an equivalent) with administrator rights. They can’t be relied upon as a safe backup option; a real backup lives on storage the infected machine cannot reach.
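The shadow-copy deletion described above is one of the few noisy things ransomware does before encryption starts, and it shows up in process-creation logs (Sysmon event 1 or Windows event 4688) as a handful of well-known command lines. Below is an added detection example for this page, not Xlingshot’s code: it scans constructed Sysmon-style log lines for those commands, plus the related backup-catalog deletion and boot-recovery changes, and reports which host, user and parent process ran them. The patterns are illustrative rather than complete, and the key=value log format is a simplification made for the example.

```python
import re

# Command lines ransomware commonly runs before encrypting, so victims cannot roll back.
# Illustrative list for this example, not a complete one.
PRECURSOR_PATTERNS = [
    ("shadow copies deleted (vssadmin)",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow storage shrunk to evict copies (vssadmin)",
     re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("shadow copies deleted (wmic)",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("shadow copies deleted (PowerShell/WMI)",
     re.compile(r"Win32_ShadowCopy.*\b(Delete|Remove-WmiObject)\b", re.I)),
    ("backup catalog deleted (wbadmin)",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
    ("boot recovery disabled (bcdedit)",
     re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
]

_FIELDS = ("UtcTime", "Computer", "User", "ParentImage")


def classify_command(cmdline):
    """Return the labels of every precursor pattern the command line matches."""
    return [label for label, pat in PRECURSOR_PATTERNS if pat.search(cmdline)]


def parse_event(line):
    """Parse one 'Key=value ... CommandLine=...' line (simplified Sysmon export; constructed format)."""
    event = {}
    for key in _FIELDS:
        # lazy match up to the next ' Key=' so values with spaces (Program Files) survive
        m = re.search(rf"\b{key}=(.*?)(?=\s\w+=|$)", line)
        event[key] = m.group(1) if m else ""
    m = re.search(r"\bCommandLine=(.*)$", line)   # last field: may contain '=' and spaces itself
    event["CommandLine"] = m.group(1) if m else ""
    return event


def scan_log(text):
    """Return one alert per event whose command line matches a precursor pattern."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        reasons = classify_command(ev["CommandLine"])
        if reasons:
            alerts.append({"time": ev["UtcTime"], "host": ev["Computer"], "user": ev["User"],
                           "parent": ev["ParentImage"], "reasons": reasons, "cmd": ev["CommandLine"]})
    return alerts


# Constructed sample log: one routine backup-agent call, then a malware dropper in a Temp folder
# tearing down recovery on WS17, then a harmless process.
SAMPLE_LOG = r"""
UtcTime=2017-09-25T14:02:11Z Computer=FS01 User=CORP\backupsvc ParentImage=C:\Program Files\Backup\agent.exe CommandLine=vssadmin.exe list shadows
UtcTime=2017-09-25T14:05:40Z Computer=WS17 User=CORP\jdoe ParentImage=C:\Users\jdoe\AppData\Local\Temp\invoice.exe CommandLine=vssadmin.exe Delete Shadows /All /Quiet
UtcTime=2017-09-25T14:05:41Z Computer=WS17 User=CORP\jdoe ParentImage=C:\Users\jdoe\AppData\Local\Temp\invoice.exe CommandLine=bcdedit.exe /set {default} recoveryenabled No
UtcTime=2017-09-25T14:05:42Z Computer=WS17 User=CORP\jdoe ParentImage=C:\Users\jdoe\AppData\Local\Temp\invoice.exe CommandLine=wbadmin delete catalog -quiet
UtcTime=2017-09-25T14:06:00Z Computer=WS17 User=CORP\jdoe ParentImage=C:\Windows\explorer.exe CommandLine=notepad.exe C:\Users\jdoe\Documents\notes.txt
"""

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert['time']} {alert['host']} {alert['user']} via {alert['parent']}: "
              f"{', '.join(alert['reasons'])} [{alert['cmd']}]")
```

The alert on “vssadmin delete shadows” launched from a user’s Temp folder should page someone and isolate the host; “vssadmin list shadows” from the backup service account is routine, which is why the rules match the verb and not just the binary.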

Reason #3: “Sleeper” Ransomware

One of the latest trends for ransomware is the waiting game.  We call it “Sleeper Ransomware.”  Here’s how it works.  Hackers have realized that as businesses become more diligent about protecting their data they are more likely to have backups.  Once the ransomware breaches your network, instead of triggering the encryption process right away and locking up your data, it will sit and wait.  Sometimes for weeks or months.  It spreads throughout your network and becomes backed up through your normal backup process.  While you think you have a solid backup, what you actually have are backup files that are also infected.  Depending on how long you keep your backups, you may or may not have your files securely backed up after all.

Reason #4: Ransomware Trained to Find your Backup Files

Back-up products will store the backup files in a default network directory.  When you install the software you can pick a different location (i.e. harder to guess and more secure) but this step is often skipped.  The default location is documented online, and hackers will have this information.  They will program malware to work its way through the network, find these default back-up storage locations, and erase or encrypt your backup files.

For more information on how to protect your systems, please download our free whitepaper “Data Security: Top 10 Ways to Protect Your Business”.  And please feel free to contact us at any time.

– The Xlingshot Team

Cybersecurity Planning in 90 Days

September 18, 2017 –

Cybercriminals are targeting small and midsized businesses more and more often. In fact, ransomware continues to be on the rise. The number of ransomware incidents we’ll see in 2017 will be over 6 times higher than what we saw just two years ago. To sum up, it’s getting crazy out there.

But you don’t need to go crazy coming up with a cybersecurity plan. In fact, you can come up with an approach in just 90 days using this guide:

Month 1: Assess Needs

  1. Take inventory of what assets you are trying to secure and the layers of security you have now.
    • Firewalls
    • Intrusion prevention system (IPS) and/or unified threat management (UTM) that combines firewall, content filtering, virtual private network (VPN), and intrusion detection technologies
    • Endpoint protection (A/V, anti-malware, etc.)
    • Security information and event management (SIEM)
    • Data backup and recovery
    • Licensing issues (and out-of-date software)
    • Whitelisting
    • Patch management
  2. What are your gaps?  Which items, if ignored, cause the biggest risk to your business? To your customers?
  3. Do you need cybersecurity insurance protection?
  4. Make a list of priorities
  5. This priority list becomes your initial “simple list” plan

Month 2: Create an Action Plan

  1. Look at costs and timeline for implementing your top priority items
  2. Ask: Do we need external help from an IT company? Do you have the expertise in-house to make the required changes and implement the plan?
  3. Decide on the best solution: current in-house staff, new hire, or service provider?
  4. Review user access controls …
  5. Consider establishing two-factor authentication …
  6. Secure wireless access points …
  7. And more… (access the full list in the Xlingshot Data Security Whitepaper)

Month 3: Implement Your Plan

  1. Build the formal policy documents: disaster recovery plan, acceptable use policy, employee exit process and template, information security policy, security incident response plan, computer disposal procedure, and facility security plan
  2. Determine your “checkpoints” for regular review of your documentation and plan to adjust as things change as well as ongoing maintenance.
  3. Ensure security policies and procedures are clearly documented with any existing third-party service providers
  4. For each security area identified, make the required changes to your network, security setting, business processes, etc. as determined by the plan.
  5. Develop a reporting structure and frequency for analyzing security stats, internally and with outside vendors.
  6. Create and implement a plan for employee information security awareness and training.

Windows Defender Exploit Information

May 9, 2017 –

Last night a vulnerability was disclosed in the Microsoft Malware Protection Engine, the anti-malware engine used by Windows Defender and several other Microsoft security applications. A file merely scanned by the engine, such as an email attachment or a download, could trigger remote code execution, which is why Google Project Zero’s Tavis Ormandy called it “the worst Windows remote code exec in recent memory.”

You can read more about the vulnerability and the risks associated with it here:

http://www.infoworld.com/article/3194763/endpoint-protection/microsoft-rushes-emergency-fix-for-critical-antivirus-bug.html

http://www.zdnet.com/article/microsoft-releases-emergency-patch-for-crazy-bad-windows-zero-day-bug/

https://www.engadget.com/2017/05/08/microsoft-windows-malware-protection-engine-rce/


The engine ships with Windows and is therefore present on every machine, even though Xlingshot uses other software to protect your computers, email and data. Given the severity of the vulnerability, we are going to deploy Microsoft’s update as soon as it is available to your machines. This update could require a reboot.

While our goal is to set a reboot schedule with minimal impact to your business, system security is our top priority and we’ll be applying the fix as soon as possible.

We will continue to send notices via the Xlingshot Companion.  If you have any questions, please submit a Help Desk ticket via the Companion.

For more information, please contact us.

Penetration Testing vs Vulnerability Testing for Your Network

March 9, 2017 –

Hearing “all of your confidential information is extremely vulnerable, we know this because…” can be good or bad news, but whatever follows the ellipses determines just what type of situation you’re in. Consider two scenarios.

Scenario 1: “All of your confidential information is extremely vulnerable… we know this because a hacker took all of your customers’ credit card info and locked all of your files behind ransomware.”

Scenario 2: “All of your confidential information is extremely vulnerable…we know this because we did a vulnerability scan of your network, and have some suggestions on how you can improve.” 61% of small businesses are victimized by cyber attacks each year, and one in five victims do not survive. It is financially worthwhile to make sure that you end up being the person hearing the latter sentence.

Scenario 2 describes the statement after you have had a vulnerability test conducted. A vulnerability test is a comprehensive audit of security flaws that a hacker could exploit, and the possible consequences. This is the equivalent of a doctor giving a physical examination. This information will allow you to know what your risks are and plan your security policies accordingly.

Vulnerability tests can be done by in-house IT or by outside consultants. They should be run quarterly, and whenever you incorporate new equipment into your IT network.

What is a pen-test? A pen-test is a simulated attack on a network, carried out to test the strength of its security. Usually the pen-tester has a specific objective (e.g. “compromise this piece of data”). A vulnerability scan answers “what are my weaknesses?”; a pen-test answers “how bad is a specific weakness, and how far could an attacker get by exploiting it?”

How often should you pen-test? Different industries have different mandated requirements for pen-testing, whether from regulators or from contractual standards. One of the broader-reaching ones, the PCI DSS (an industry standard rather than a law, but binding on anyone who handles card payments), requires pen-testing at least annually and after any significant change. It is prudent to go beyond that minimum. You should also conduct a pen-test every time you have

  • Added new network infrastructure or applications,
  • Made significant upgrades or modifications to infrastructure or applications,
  • Established new office locations,
  • Applied a security patch, or
  • Modified end user policies.

Questions or need more information?  Contact Us.