What is cybersecurity posture?
Cybersecurity posture refers to an organization’s overall defense against cyber-attacks. It encompasses the security policies in place, employee training programs, and the security solutions you have deployed, from anti-malware to anti-virus. It is the collective security status of all your software, hardware, services, networks, and information, and how secure you are as a result of those tools and processes. These 5 steps will help your company stay safe and maintain a strong cybersecurity posture.
- Two-Factor Authentication
Two-Factor Authentication (2FA) is the current standard for adding an extra layer of protection to existing system and account logins. 45% of polled businesses began using 2FA in 2018, compared to 25% the year prior. Biometrics like fingerprints, voice, or even iris scans are also options, as are physical objects like keycards. Complete security usually demands multiple authentication factors: something you know (like a password), something you have (like your phone for 2FA), and something you are (like a fingerprint or other biometric).
- Data Encryption
Encrypted data is transformed using a key, so that it can be stored or transmitted in a form that would be meaningless if intercepted. It is one of the most efficient ways to secure a database, since decryption can only take place with the correct key.
- Access Monitoring
In addition to encryption, the client data you store should be protected from unauthorized access:
  - A firewall is a particular type of solution that maintains the security of your network. It blocks unauthorized users from gaining access to your data. Firewalls are deployed via hardware, software, or a combination of the two.
  - Intrusion Detection. One of the only surefire ways to protect your network and data is to actively watch over it. A Security Operations Center (SOC) can monitor your network traffic around the clock and respond to any intrusion attempts in real time.
- Password Hygiene
  - Length and Complexity. The easier it is for you to remember a password, the easier it’ll be for a hacker to crack.
  - Personal Information. Password recovery systems use personal details to verify a user’s identity; unfortunately, with the widespread use of social media, it’s not difficult for hackers to research a target through Facebook to determine when they were born, information about their family, personal interests, etc.
  - Numbers, Case, and Symbols. While it may be easier to remember a password that’s all lower-case letters, it’s important to mix in numbers, capitals, and symbols in order to increase the complexity.
  - Avoid Patterns and Sequences. “abc123”, the first row of letters on the keyboard, “qwerty”, etc., are extremely easy for hackers to guess.
- Avoid Dangerous Emails
Always exercise caution when it comes to clicking on a link or downloading an attachment. Be careful even if the email seems to be coming from a known source or even from within your organization as email addresses are often spoofed:
  - Be wary of links and attachments in email messages. They may contain malware that can infect your computer.
  - Confirm the real sender of the message. The company name in the “From” field should match the address. Also, watch for addresses that contain typographical errors or lookalike domains like “janedoemicrosofthelp.com”.
  - Hover over the URL in the email to view the full address. If you don’t recognize it, or if all the URLs in the email are the same, phishing is likely.
Cybersecurity is as complex as it is essential. Most law firms don’t have the resources (or the desire) to handle everything on their own. A knowledgeable IT services company can make all the difference. An IT provider with a proven track record of cybersecurity success can help you develop a cybersecurity plan capable of defending your law firm and your clients against hackers.
At mPowered IT, we have the experience and solutions needed to keep you safe through this year’s challenges and beyond. To learn more reach out to us at 678-389-6200 or schedule a free zero obligation consultation here.
The continuation of homeschooling and remote learning has been challenging for parents, educators, students, and school IT administrators. Even before remote learning became the norm, schools were major targets for cyberattacks. According to the K-12 Cybersecurity Resource Center, since 2016, there have been at least 775 publicly disclosed cyber incidents against educational institutions in the U.S. alone. Further, the number of incidents more than doubled between 2018 and 2019, increasing from 122 to 348.
Now that more students and teachers are using both their own and school-issued devices from remote locations, school IT administrators are being swamped with technical issues, which is diverting IT resources away from cybersecurity. Cybercriminals are taking full advantage of the chaos, prompting the U.S. Federal Bureau of Investigation to issue a formal warning regarding the cyberthreats posed by insufficiently secured remote education platforms.
Here are 4 ways password management and cybersecurity solutions help school IT administrators keep teachers and staff members, students, and parents secure.
1. Establish & enforce good password hygiene
Since Verizon estimates that about 80% of successful data breaches can be traced back to stolen or compromised passwords, ensuring that all staff members, parents, and students are practicing good password hygiene is crucial to securing online education platforms.
2. Enforce role-based access
Role-based access control (RBAC) and least-privilege are critical in all organizations, and arguably even more so in a remote education environment, where staff members, students, and parents all require different levels of access to different systems.
3. Prevent password overload & eliminate password-reset requests
Password overload is a serious issue. According to a survey by Digital Guardian, 70% of consumers have over 10 password-protected online accounts, and 30% have “too many to count.” In remote education environments, password overload problems are compounded in households that include multiple school-age children, on multiple grade levels and possibly attending multiple schools, all using their own systems.
4. Prevent phishing attacks
Cybercriminals are using the remote learning boom to take advantage of tech-challenged parents (and educators) and attempting to get them to enter their login credentials on phony lookalike sites with domain names that are just a tad different; for example, ABCE1ementary-dot-com instead of ABCElementary-dot-com.
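As an added example (not code from mPowered IT or from either post), here is a small Python screen that applies the email checks from the five-step list above and the lookalike-domain trick just described: it compares the sender’s real address with the expected domain, undoes the “1 for l” style substitutions, spots a real name embedded in a longer one, and flags a message whose links all point to the same place. The confusable-character table, the function names and the sample message are my own constructions.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Digits commonly swapped for letters in lookalike domains (the "1" for "l" trick). Constructed table.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def normalize_domain(domain):
    """Lowercase and undo confusable substitutions: 'ABCE1ementary.com' -> 'abcelementary.com'."""
    return domain.strip().lower().translate(CONFUSABLES)


def edit_distance(a, b):
    """Levenshtein distance; domain labels are short, so the plain table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, expected):
    """True when `domain` is not `expected` but imitates it: confusable characters,
    the real name embedded in a longer one (janedoemicrosofthelp.com), or a one-character typo."""
    if domain.strip().lower() == expected.strip().lower():
        return False
    d, e = normalize_domain(domain), normalize_domain(expected)
    if d == e:
        return True
    base_d, base_e = d.rsplit(".", 1)[0], e.rsplit(".", 1)[0]   # drop the TLD
    return base_e in base_d or edit_distance(base_d, base_e) <= 1


def check_email(from_header, expected_domain, body):
    """Return a list of findings; an empty list means none of the warning signs fired."""
    findings = []
    display_name, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    expected = expected_domain.lower()
    if not domain:
        findings.append("no parseable sender address")
    elif domain.lower() != expected:
        if is_lookalike(domain, expected):
            findings.append(f"sender domain {domain} is a lookalike of {expected}")
        else:
            findings.append(f"sender domain {domain} does not match {expected}")
        # Display name claims the organisation while the address belongs to someone else.
        if expected.split(".")[0] in display_name.lower().replace(" ", ""):
            findings.append(f"display name '{display_name}' claims {expected} but address is {address}")
    urls = URL_RE.findall(body)
    if len(urls) > 1 and len(set(urls)) == 1:
        findings.append(f"every link in the message points to the same URL: {urls[0]}")
    for host in {urlparse(u).hostname or "" for u in urls}:
        if host and is_lookalike(host, expected):
            findings.append(f"link host {host} is a lookalike of {expected}")
    return findings


# Constructed sample message in the style of the school-portal lure described above.
SAMPLE_FROM = "ABC Elementary IT Help <helpdesk@abce1ementary.com>"
SAMPLE_BODY = (
    "Your portal password expires today. Verify now: https://abce1ementary.com/login\n"
    "Need help? https://abce1ementary.com/login\n"
)

if __name__ == "__main__":
    for finding in check_email(SAMPLE_FROM, "abcelementary.com", SAMPLE_BODY):
        print("WARNING:", finding)
```

Run against the constructed sample, the screen reports four findings (lookalike sender domain, a display name claiming the school, identical links, and a lookalike link host); a message from the genuine domain with two different links reports none. The edit-distance threshold of one is deliberately tight so that unrelated short domains are not flagged.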
Secure your school today
Reach out to mPowered IT today and discover how simple and affordable it is to protect your institution and its staff members, parents, and students against password-related cyber attacks.
Are you interested in learning more on how an MSP could help your organization stay safe? Give us a call at 678-389-6200 or visit mPoweredIT.com.
How often should you change your passwords? We all know we should be changing our passwords, but how often is “often” enough? Some people never change their passwords, and even worse, recycle the same (or similar) passwords for almost all of their online accounts. This is a dangerous practice that can lead to security breaches, identity theft, and more.
Passwords are, unfortunately, often neglected by everyday people. We have enough to worry about on a daily basis without adding password security, right? The problem is that security breaches and cybercrime are on the rise. If you think it can’t happen to you, it most certainly can! Every year, thousands of Americans are victims of cybercrime and identity theft and fraud, costing billions in damages.
Protecting your passwords and personal information starts with securing passwords. Your passwords are your first line of defense against intrusion, and there are some rules to follow for best password practices. Let’s take a closer look at some important password guidelines that can help you take back control of your internet passwords.
When Should You Change Your Password?
After A Security Breach: With massive breaches like the Capital One and Target breaches in recent years, consumers have been put at risk from hackers halfway across the globe and on domestic soil. When a company declares they’ve experienced a data breach, you’ll want to change your password as soon as possible to protect your information. If your info has been compromised, you’ll typically be alerted by the company.
If You Suspect Unauthorized Access: Don’t wait until there’s glaring evidence of unauthorized access of your account(s). By that time, it’s usually too late. If you suspect someone is attempting or has attempted to access one or more of your accounts, change your passwords ASAP. It’s always better to take preventative measures than to wait until the damage is done.
If You Discover Malware or Other Phishing Software: A virus can put your computer at risk and leave your personal information exposed. If you discover such software on your computer after a scan, change your passwords immediately; preferably from a different device until you’re certain the virus has been removed.
Shared Access: Lots of people share access to accounts like Netflix and other media services. Some even share access to a joint bank account and access the info via web or mobile app. If you share access with someone you’re no longer in contact with, change your password as soon as possible. It’s best to not trust anyone outside of your circle of trusted people with your passwords. Ex-spouses or significant others, friends, and previous colleagues shouldn’t have access to any of your accounts.
Logging In At Public Places: Using an unsecured network to log in to your accounts is a good way to have your password stolen. If you visit the library or use a public network, change your password afterward.
Managing passwords is a responsibility that falls on both us as individuals and on businesses. Without proper password habits, it’s far easier to fall victim to cybercrime and identity theft, each of which costs the nation billions in damages every year. Take control of your passwords with a password manager and better protect your personal information and your identity.
As the old saying goes, “a chain is only as strong as its weakest link.” Unfortunately, the new saying is that a business network is only as secure as its employees’ passwords.
Despite widespread knowledge that hackers exploit weak passwords to breach entire systems, trusted workers still use ones that are easy to guess at and repeat them across platforms. If that seems counterintuitive, business leaders may want to consider these statistics.
- The two most commonly used passwords remain “iloveyou” and “sunshine.”
- Approximately 23 million people use the password “123456.”
- More than half of workforces use the same password for personal and business purposes.
- Upwards of 57 percent of phishing email scam victims do not change their password.
- One-third of people stop doing business with organizations responsible for compromising their credentials.
What seems stunningly illogical about rampant password protection failures stems from this statistic: approximately 90 percent of internet users say they are worried about getting hacked due to a compromised password. Industry leaders may be left scratching their heads. But as a decision-maker responsible for ensuring the integrity of digital assets, you need to do something. You can set company policy that educates team members about how to create and remember strong network passwords. If that doesn’t work, there’s always Plan B.
How To Educate Employees About Strong Passwords
Getting workers to create powerfully secure passwords may not be that difficult. Insisting on a series of unrelated letters, numbers, and characters will fend off most hackers. On the other hand, team members will likely lose productivity, resetting a difficult-to-remember login profile. Fortunately, a happy medium can be achieved without too much difficulty.
Passwords do not necessarily need to be obscure. They just need to be difficult for hackers to unveil. A password employing 8-10 characters can be hard to crack if done cleverly. For example, the too common “iloveyou” can be tweaked to “iLuv2Make$,” which could be a tough one. That’s largely because it uses untraditional “Luv” in place of the spelled-out word, employs uppercase letters, a symbol, and a number. All an employee has to do is remember the phrase “I Love To Make Money” as a trigger.
Repeated passwords also need to be addressed. Consider training those under your leadership to make variations on one primary password. In this case, it could include “uLuv2Make$2” or “iH82owe$.”
It’s also important to share the reason that complex passwords are necessary. Hackers have a toolkit at their disposal that typically includes brute-force and dictionary techniques. Brute-force attacks try every conceivable combination of letters and characters; this tends to be time-consuming, and digital thieves are likely to give up when faced with strong passwords. Dictionary attacks run common words at the profile. If your worker’s password is “sunshine,” consider your network breached.
How Can Business Leaders Implement a Plan B?
Practical business leaders learn that human error ranks among the top reasons things go sideways. Cybercriminals send out thousands of scam emails, knowing someone will open one, download a malicious file, or respond with critical information. Someone will make a mistake. Given that your financial future can be one mistake away from ruin, organizations are using multi-factor authentication as a fallback defense.
Multi-factor authentication requires employees to receive and enter a secondary code before gaining access to the network. This may be sent to another device that hackers cannot access. In some instances, an email alert is sent that must be approved. Even if someone foolishly uses “password123,” a cybercriminal would still need to know the authentication code or approve login access to upend your network.
If you are concerned about password security, give us a call at 678-389-6200 or visit mPoweredIT.com.
Username and Password Security – Make sure your employees are not making access way too easy for hackers.
Although it should be common sense, employees need to understand password security and avoid the use of passwords that are easy for hackers to guess. Among the top ten worst passwords according to www.splashdata.com are those that use a series of numbers in numerical order, such as <123456>. The names of popular sports such as <football> and <baseball> are also on the list as are quirky passwords such as <qwerty> and even the word <password> itself.
Emphasis should also be placed on the importance of avoiding common usernames. In an analysis conducted by the information security firm Rapid7, hackers most often prey upon these 10 usernames in particular:
- Username
- administrator
- Administrator
- user1
- Admin
- Alex
- Pos
- Demo
- db2admin
- Sql
How Attackers Exploit Weak Passwords to Obtain Access
While most websites don’t store actual username passwords, they do store a password hash for each username. A password hash is a form of encryption, but cybercriminals can sometimes use the password hash to reverse engineer the password. When passwords are weak, it’s easier to break the password hash.
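As an added example of the hash-storage practice described here (my code, not the original post’s), this Python block stores passwords as a per-user random salt plus a PBKDF2-HMAC-SHA256 digest, verifies them in constant time, and includes the kind of audit an administrator runs against a banned-password list. The format string, the iteration count and the tiny banned list are my own choices.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # cost of every guess; raise it as hardware gets faster


def hash_password(password):
    """Store a random per-user salt and a PBKDF2 digest, never the password itself.
    The salt means two users with the same password get different stored values."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def guesses_to_recover(stored, banned):
    """Audit helper for your own user store: how many entries of a banned-password list
    have to be tried before the stored hash is matched (0 = not matched). A slow KDF makes
    each guess expensive, but it cannot save a password that is on the list."""
    for n, guess in enumerate(banned, 1):
        if verify_password(guess, stored):
            return n
    return 0


# Constructed banned list; real ones hold millions of breached and common passwords.
BANNED = ["123456", "password", "iloveyou", "sunshine", "qwerty"]

if __name__ == "__main__":
    record = hash_password("sunshine")
    print(record)
    print("found after", guesses_to_recover(record, BANNED), "guesses")
```

The audit illustrates the sentence above: the stored value is not the password, yet a password that is a common word is recovered after a handful of guesses no matter how the hash was computed, while an uncommon one is not matched at all.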
Password Security Hazards
Here is a list of common word mutations hackers use to identify passwords if they feel they already have a general idea of what the password might be:
- Capitalizing the first letter of a word
- Checking all combinations of upper/lowercase for words
- Inserting a number randomly in the word
- Placing numbers at the beginning and the end of words
- Putting the same pattern at both ends, such as <foobar>
- Replacing letters like <o> and <l> with numbers like <0> and <1>
- Punctuating the ends of words, such as adding an exclamation mark <!>
- Duplicating the first letter or all the letters in a word
- Combining two words together
- Adding punctuation or spaces between the words
- Inserting <@> in place of <a>
Educating end users on these tactics underscores the importance of creating long passwords (at least 12 characters) and applying multiple deviations, rather than something simple like just capitalizing the first letter.
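A policy checker can apply the same list in reverse: undo each of the mutations above and see whether a plain dictionary word is left. As an added example (my code, not the original post’s), this Python block does that against a constructed mini wordlist, alongside the 12-character and mixed-character-class rules from the surrounding text. The substitution tables, wordlist and function names are my own.

```python
import re

# Constructed mini wordlist. A deployment would load a large dictionary plus a breached-password list.
WORDLIST = {"sunshine", "iloveyou", "password", "football", "baseball", "qwerty", "welcome", "dragon"}

# Undo the substitutions listed above ("0" for "o", "@" for "a", "$" for "s" ...).
# A "1" can stand for "l" or "i", so two tables are tried.
UNLEET_L = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
UNLEET_I = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
NONALPHA = re.compile(r"[^a-z]+")


def base_words(password):
    """Reduce a password to the plain words it may be built from by undoing the listed mutations."""
    p = password.lower()                                       # undo capitalisation
    candidates = {p, p.translate(UNLEET_L), p.translate(UNLEET_I)}
    derived = set()
    for c in candidates:
        derived.add(NONALPHA.sub("", c))                       # digits/punctuation inserted anywhere
        derived.add(re.sub(r"^[^a-z]+|[^a-z]+$", "", c))       # digits/punctuation at either end
        derived.add(re.sub(r"(.)\1+", r"\1", c))               # duplicated letters ("ssunshine")
        derived.update(w for w in NONALPHA.split(c) if w)      # words joined with spaces/punctuation
    return candidates | derived


def is_word_pair(s):
    """True when s is two wordlist entries concatenated ("sunshinedragon")."""
    return any(s[:i] in WORDLIST and s[i:] in WORDLIST for i in range(1, len(s)))


def check_password(password, min_len=12):
    """Return the policy problems found; an empty list means the password passed."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < 3:
        problems.append("uses fewer than three of: lower case, upper case, digits, symbols")
    words = base_words(password)
    hits = sorted(w for w in words if w in WORDLIST)
    if hits:
        problems.append(f"is a simple mutation of the dictionary word '{hits[0]}'")
    elif any(len(w) >= 6 and is_word_pair(w) for w in words):
        problems.append("is two dictionary words joined together")
    lowered = password.lower()
    if any(seq in lowered for seq in ("123456", "abc123", "qwerty", "asdfgh")):
        problems.append("contains a keyboard or number sequence")
    return problems


if __name__ == "__main__":
    for candidate in ("Sunsh1ne!", "P@ssw0rd2024!", "Footballbaseball1!", "Blue!Tractor-Sings-2night"):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

Note what the normalisation catches: “Sunsh1ne!” and “P@ssw0rd2024!” satisfy every character-class rule yet reduce to “sunshine” and “password”, which is exactly the point of the paragraph above. The earlier post’s suggested “iLuv2Make$” passes the dictionary test but, at ten characters, falls short of the 12-character minimum this page recommends.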
Nine Tips to Better Password Security
- Change passwords at least every three months for non-administrative users and 45-60 days for admin accounts.
- Use different passwords for each login credential.
- Avoid generic accounts and shared passwords.
- Conduct audits periodically to identify weak/duplicate passwords and change as necessary.
- Pick challenging passwords that include a combination of letters (upper and lower case), numbers and special characters (e.g. <$>, <%> and <&>).
- Avoid personal information such as birth dates, pet names and sports.
- Use passwords or passphrases of 12+ characters.
- Use a Password Manager such as LastPass where users need just one master password.
- Don’t use a browser’s auto-fill function for passwords.
- An advanced and under-used password security tip to consider is two-factor authentication, which is a way for websites to double confirm an end user’s identity. After the end user successfully logs in, they receive a text message with a passcode to then input in order to authenticate their ID.
  This approach makes sure that end users not only know their passwords but also have access to their own phone. Two-factor authentication works well because cybercriminals rarely steal an end user’s password and phone at the same time. Leading banks and financial institutions enable two-factor authentication by default, but if not, the service can often be turned on by asking the website to do so. More and more non-financial websites are now offering two-factor authentication as well.
Next blog: Mobile Security
For more information on keeping your small business secure call 678-389-6200 or contact us online.