Category: Uncategorized

You don’t have to look long or hard through the news to find the latest cybersecurity incident — or the terrible press and loss of business that the organization suffers due to their inability to quickly respond to the threat. Chief Information Security Officers (CISOs) are actively looking for ways to protect their organization from the devastating effects of ransomware or other malware and trying to find ways to get the business back up and running quickly in the event of an attack. These three incident response tips can help keep your operations from buckling during an extensive incident that involves your data, hardware or software.

Make Sure You Have a Kill Switch

Today’s systems are dynamically interconnected, which can make it exceedingly difficult to segregate out one particular section that has been infected before it can infest the rest of the organization’s digital assets. With forethought and planning, you can create a kill switch that puts a walled garden around IoT devices, different operating systems in your back office, servers and more that will help you protect the remainder of your organization in the event of an incident. Think about what you can break off from your infrastructure that still allows you to marginally function as a business, and create kill switches accordingly. Data loss is one of the most expensive components of a cyber attack, making it crucial to save as much of your data and information structure as possible when a breach occurs.

Segment It to Save It

Segmentation and segregation is a good thing when it comes to networks and applications, but this same concept can also apply to user groups and even vendor management. The concept of “Segment it to save it” is generally constructed around data and networks, but it can easily be expanded to include user access controls and authorizations, vendor management and more. If a particular user group has been compromised, it’s much easier to rebuild a segment than it would be to rebuild your entire organization’s infrastructure. Think beyond the logical and physical implementations of segmentation, and think about everything you could possibly cordon off within your business — including vendors, partners and customer segments.

Invest in Regular Updates to Your Incident Response Playbook

Is your team confident that they know the required steps to protect your organization in the event of a cybersecurity incident? What happens if your cybersecurity expert just happens to be on vacation the week that a massive attack is launched? There are few substitutes for a written incident response playbook that provides you with step-by-step instructions that will help your business regain its footing in the digital world. Simply creating this playbook isn’t enough, you will still need to update it on a regular basis to ensure that you’re taking recent attack types and vectors into consideration as a part of your response and recovery planning. Your incident response playbook should be as dynamic as possible, reflecting today’s realities and offering achievable solutions to salvaging your business operations.

With luck, your business will be in the minority — those organizations that are never hit by a cyber attack. The unfortunate reality is that when a cyber attack hits your organization, it will cost you an average of 50 days to regain full operations of your business. Understanding these various components of incident response and forming your plan before you need it are crucial to ensuring that your organization is protected in the event of an attack.

If your company is still using the Windows 7 operating on your business computers, it’s time to look for a change. That’s because Microsoft is ending support for this popular and reliable operating system that has been popular with companies for years.

On January 14, 2020, Microsoft will stop offering security patches and dates for Windows 7. In the next few months, choosing a new operating system is a time-sensitive issue that should not be left until the last minute.

What Does Microsoft Mean When It Says Windows 7 Is Ending?

That’s not exactly what Microsoft is saying. After January 14, 2020, Windows 7 will continue to operate. However, doing so comes at a considerable risk to your business and employees. The “end of life” description of what’s happening to Windows 7 means that Microsoft will stop all paid and unpaid support.

Microsoft will stop creating and making available important security updates. It will also stop offering new features or design improvements of any type.

More critically is the stoppage of any kind of support for customers having problems with Windows 7. Free support that had been included in licensing agreements has already ended. As of January 2020, any “extended support,” which is Microsoft’s term for paid support and which is currently available, will stop as well.

Why Not Keep Using Windows 7 After the Support and Upgrades End?

Your Windows 7 operating system will continue to operate after support ends. However, your business will be highly susceptible to cyberattacks by those looking to exploit new vulnerabilities using viruses, phishing attempts and other attack vectors. Those vulnerabilities will multiply as your computers will not be protected by the regular patches that Microsoft offers to its customers for operating systems and software.

In addition, you may find that software applications you use on Windows 7 will also not work as well. Many software companies will stop offering upgrades or support for their programs for customers using Windows 7. While some may provide some updates and support after January 2020, those services are unlikely to last very long.

Hardware and peripheral companies are also unlikely to continue to provide updates or compatibility features with an eye on Windows 7. Newer technologies of all types will likely take advantage of newer features and capabilities that were not available in the Windows 7 operating system.

Older versions of operating systems like Windows 7 come with the browser Internet Explorer embedded. Support for these older versions of Internet Explorer will also cease in January 2020. Microsoft urges customers using Internet Explorer to upgrade to IE 11.

Hackers are well aware of the January 14, 2020, deadline and are apt to look to businesses still using Windows 7 as prime targets for their attacks.

What If We Use a Windows Embedded 7 Product?

Support for certain versions of Windows Embedded 7 end in October 2020, April 2021 and October 2021. More information about these cutoffs can be found here.

Can I Activate Windows 7 After the Cutoff Date?

If you still want to activate a purchased version of Windows 7, you may do so up to and after the January 2020 date. Just remember that a newly activated version will still be vulnerable to malware and virus and will not receive Microsoft support or upgrades.

What Are My Options for Replacing Windows 7?

Microsoft is understandably encouraging current Windows 7 customers to upgrade to Windows 10, its flagship operating system product. It is also encouraging customers to buy new computers with Windows 10 installed, as older computers may not have the minimum requirements to support Windows 10 and optimize its performance.

If you purchase Microsoft 365 Business, a cloud-based version of the popular suite of Microsoft Office Apps such as Word, Excel, PowerPoint, Outlook and OneNote. Microsoft 365 Business buyers get a free upgrade if they are currently using a Windows 7, 8 or 8.1 Pro license. Microsoft 365 Business owners can also upgrade all old Windows Pro licensed device at no additional cost.

What If I Need More Time to Upgrade from Windows 7?

If you use Windows 7 Professional or Windows 7 Enterprise, you can buy Extended Security Updates through January 2023. Those upgrades became available for purchase on April 1, 2019. For more information on this option, please contact Microsoft directly as there are specific technical and product guidelines regarding eligibility.

Understanding the options and risks when it comes to Microsoft’s cessation of Windows 7 support and updates helps your company make an informed decision.

Passwords are a problem. In one sense they are exactly the opposite of what they should be. They’re hard for users to remember but easy for intruders to guess or steal. The user frustrations with the current system make it ripe for abuse, and that’s exactly what’s taking place every day.

The best solution for lawyers and law firms alike is to implement a password management utility. We’ll take a look at that solution after exploring the nature of the problem in greater depth.

The Problems with Passwords

Can you even count how many digital sites and services you’re required to log in to with a username and password? Most people have upwards of one hundred. It’s challenging, if not impossible, to keep them all straight without some kind of assistance. People usually resort to one of several very insecure methods to solve this. One of the most common is reusing the same username and password on multiple sites.

Password Reuse Is Easy but Dangerous

Security professionals will tell you that reusing passwords is dangerous. This is because when (not if) your credentials are captured or stolen on one site, you become vulnerable on every other site that uses those same credentials. The problem here is that it’s just so easy to reuse passwords, especially on accounts we don’t consider to be sensitive in nature. Nearly half of security professionals themselves admit to reusing passwords, even though they know firsthand the dangers of doing so.

Strong, Unique Passwords Are Too Hard to Remember

If you’re not supposed to reuse passwords, then what should you do? Ideally, you should create a strong, unique password for every site. Each one should be lengthy (the longer the better) and should contain a mix of lower and uppercase letters, numbers, and symbols. The longer and more complex the password, the harder it is for a computer to crack it. People won’t be able to guess Gbje23+3zp?$T0n very well at all.

The problem with a password like Gbje23+3zp?$T0n, though, is obvious. You’ll have a tough time remembering even one of those, let alone a hundred.

Experts will suggest other tactics, like turning a familiar phrase into a password. “Four score and seven years ago our fathers brought forth a new nation” could become “4s&7yaoFbfaNN”. This method uses the first letters of each word (along with numbers and symbols where appropriate) to create a passcode that’s nearly inscrutable but that’s easier to remember.

This method helps, but it doesn’t scale well. It’s true you’ll have an easier time reproducing that than the previous example, but you’ll still have a tough time replicating that a hundred times over.

The Solution: Password Management

The best solution to the password conundrum is using a password management utility. Setting up a password management utility isn’t difficult, and putting one in place greatly increases your digital security. Once you’ve set up a password manager, you don’t even need to remember all those passwords. You just have to remember one.

How Password Management Tools Work

Password managers are programs or apps that function as a digital safe, or a digitally encrypted locker. All your passwords are stored inside the safe. Password management tools will also help you create long, complex, unique passwords for all your accounts. Some can even do this automatically once you supply your existing credentials.

With a password manager, it’s easy to maintain a different complex password for every account, because you no longer need to remember those passwords yourself. You just need to create and memorize one very strong password for the password manager itself.

Once you’ve set up a password manager, it will autocomplete the login fields on most websites. For the few that don’t auto-populate, you can access a database of your account credentials and copy and paste the proper credentials into the corresponding fields. All the major password managers also offer some degree of integration with both iOS and Android. Your passwords remain accessible, yet secure, on your mobile devices.

The Security of Password Management Tools

Password management tools stake their reputation on their security. They aren’t perfectly secure—nothing is. The Washington Post notes some of their flaws. They are, however, a vast improvement over most people’s current password practices. No one gets access to your vault without your master password, and hackers won’t get that password from the utility makers since they don’t store your master password anywhere. There’s no database to be hacked.

On that note, make sure your master password is itself long and complex. Consider using the “familiar phrase” tactic described earlier.

Conclusion

Lawyers have an obligation to keep their digital accounts secure. Doing so manually is difficult if not impossible. Implementing a strong password management solution is the answer. If you have more questions about implementing a quality password management system for your law firm, we’re here to help. Contact us today to discuss the options available.

Running a business requires a great deal of focused attention. Unfortunately, when your technology team is spending a great deal of time dealing with login problems, software licensing, cybersecurity and more, it doesn’t leave a lot of time for growth activities and strategic thinking. As businesses grow, many organizations find that it makes sense to work with an IT managed services company to maintain a high level of security and staff productivity that would be nearly impossible using only internal assets. These technology partners provide best-in-class tools and support that can scale with your business as you expand. Here’s an overview of the type of services that many of these technology partners provide.

Day-to-Day Operations

Technology teams often refer to “death by a thousand cuts” — which is what happens when you have dozens of people relying on you to provide technical support for your organization. Everything from computers that refuse to reboot to conference rooms where the projection isn’t working all come into your help desk. This can overwhelm the individuals in IT and also cause a productivity loss for the staff members who are waiting on a response or support. IT managed services providers are able to step into this gap and solve a variety of simple challenges, including:

• Retrieving lost files or folders
• Resetting passwords
• Issuing software licenses (based on pre-set business parameters)
• Troubleshooting network connectivity
• Rebooting servers

These are only a few of the “Help me now!” requests that technology professionals receive on a daily basis, and all of these options can be resolved remotely by a friendly technician from your IT managed services provider.

Creating or Refining Cybersecurity

Ensuring that your business information stays safe is a primary directive for today’s organizations. With many companies storing personal financial and health information for clients or staff, cybercriminals are enjoying access to data from organizations of all sizes — especially those businesses without a robust security posture. Staying current with the latest threats takes time and attention, and can be challenging for technology staff members to juggle with other priorities. When you work with a managed services provider, you have easy and immediate access to cybersecurity professionals who are able to review your current processes, make recommendations for improvement and then even help with the implementation of those suggestions.

Long-Term Technology Strategies and Budgeting

Even things that you might think of as integral to your business can be supported through a trusted IT managed services provider. A good technology partner may have access to dozens of business models and be able to make recommendations for your business based on a broader scope of understanding. Your external IT team can help with research on new vendor partners, negotiating better pricing on software due to shared buying power and even help create budgets based on the unique needs of your business.

Advanced Backup and Disaster Recovery

Should the unthinkable happen, it definitely pays to be prepared. There are any number of reasons you might have to restore operations from a backup, but without a proactive backup and disaster recovery process in place this can be a big challenge for businesses. Massive fires, flooding or other natural disasters claim thousands of businesses every year, as those businesses are unable to restart operations after a disaster. Cyberthreats or data loss could also spell doom for your business, especially if the loss leads to an extended period of time without access to your business data. With an IT managed services partner, you’re gaining access to advanced backup and disaster recovery software and protocols that will help protect your business in the event of an emergency — and help you restart operations quickly. More than 96% of businesses with a disaster recovery solution in place continue operations, but the same cannot be said of those without the forethought to create a comprehensive plan.

There are hundreds of scenarios where an IT managed services provider can help support your business. The bottom line is that you are gaining access to a deep bench of qualified professionals who are solely focused on helping make your business successful. Whether you need immediate assistance with help desk support or longer-term strategic advice, IT managed services providers serve a vital role in today’s business world.

You don’t think about a small business in middle America being targeted by hardened Russian cybercriminals, but that’s exactly what happened in the case of Smile Zone. This Missouri dental office caters to children, looking for ways to provide them with a higher comfort level with dental procedures. Smile Zone had not yet invested in any aggressive cybersecurity measures, because they didn’t expect to become the target of malicious attack from overseas. Unfortunately, they were wrong, and their lack of planning for cybersecurity cost them over $200,000 due to a simple phishing scam — money that Smile Zone has never been able to recover.

Determining the Attack Vector

It didn’t take long for investigators to determine the attack vector, as it was a simple phishing email that was launched on the computer that Smile Zone used to conduct their banking business. With the information stored on that computer, the Russian cybercriminal and his associates were able to tap into the bank account of Smile Zone and create a transaction for $205,000 that looked perfectly legitimate to the bank. Unfortunately, that also meant that the bank would not accept liability for the transaction — something that they would have done if the account were a consumer account instead of a business account. What’s worse, the cybercriminals left the back door of the business open so they could help themselves to more funds in the future if the vulnerability was not addressed in time.

Why Russian Hackers Target Small Businesses

It’s hard to imagine, but why would a well-known Russian hacker who was on the FBI’s Most Wanted List waste their time attacking a small business for “only” a few hundred thousand dollars? The answer is simple: small businesses are less likely to have invested in cybersecurity. Not only are the businesses perceived to be less secure, but cybercriminals are looking for an ongoing payday — not a one-time bankroll. Small to mid-size businesses may not even notice relatively small amounts being shifted around until the dollars add up to a significant amount of money. This allows these nation-state actors to slowly siphon away funds that could otherwise be used to fund payroll or grow the business. Even if small businesses do have passive cybersecurity, they may not be actively monitoring their transactions and systems in a way that would allow them to see the fraud happening in near-real time. Symantec defines the time between the injection of malware or a data breach to the discovery time as “dwell times“, and they average 191 days before many businesses discover that their systems have been compromised.

Are There Legal Avenues for Recourse?

The unfortunate reality is that it’s difficult for the government, local police or anyone else to help regain access to your funds once they’ve been exfiltrated to a remote location. Hackers are extremely savvy, in taking just enough money that they can easily move it around without a lot of notice from others. It’s difficult for law enforcement to prove that there has been a crime, much less track down a slippery individual thousands of miles away from the crime. When your business suffers this type of loss, it’s unlikely that the money will ever be recovered — a devastating blow for a small business.

Are There Ways to Protect Your Business?

Fortunately, you don’t have to simply wait for your business to be hacked, and you don’t have to invest in over-the-top security solutions that are meant for enterprises instead of small to mid-size businesses. Your trusted technology services partner can help you understand the various options that are available to help protect your organization. This could include a variety of solutions:

• Endpoint protection and monitoring of WiFi hotspots that are available to customers and employees
• Rigorous password policies
• Ongoing employee and contractor security training and testing
• Active monitoring of your network by knowledgeable security professionals
• Proactive notification systems so your technology partner can immediately begin remediation in the event of a breach
• Email and website security software that helps filter out malware and spam before it reaches your staff
• Robust backup and recovery procedures, to ensure your business can continue functioning even if you’re under attack
• Systematic review of all potential fail points within your infrastructure on a regular basis
• Rigorous management of user accounts and logins, to ensure that accounts are inactivated quickly when they’re no longer needed

Each business is unique, and working with your trusted IT managed services provider will offer more direct and detailed recommendations that will fit the unique needs of your business.

No one is expecting to be the target of a Russian hacker, and small businesses may be even less prepared than larger ones. No business is truly safe from cybercriminals unless your business is fully protected by a suite of cybersecurity measures that include active management of your infrastructure. It pays to invest a small amount upfront to protect your business from what could be a disastrous cyberattack in the future.

Researching IT support companies can lead to confusion — and quite a headache! You may have started down the path of finding a technology partner due to internal frustrations or a lack of time to support basic technology needs, but your search can quickly expand due to the number of potential partners in the marketplace. Trying to determine exactly the level of support that you need and the associated costs may feel like an exercise in futility, but there are some basic tenets that will help you find the best IT support company for your needs. From reviewing the pricing models to service levels, here are the key considerations that will help you determine which partner is right for your business.

1. Does Your IT Support Company Offer Flexible, Scalable Contracts?

Technology solutions are rarely one-size-fits-all, and your IT services partner should recognize this and be able to provide you with customized recommendations that will meet your unique business needs. This could mean shorter contracts so you can evaluate the working relationship to support packages that provide you with scalable options that are designed to grow with your business. Your IT services partner should feel like they are on your side, making recommendations that will save you money while providing you with the support that your business desperately needs to grow.

2. Does Your IT Support Company Focus on Ongoing Education?

Technicians with industry certifications in various platforms should indicate to you as a client that your technology partner is placing an emphasis on ongoing education. The technology landscape changes dramatically in the course of several years. If your IT professionals are not maintaining their certifications or growing their body of knowledge, it can be challenging for them to provide your business with the support that you deserve. Key certifications to look for include Microsoft Silver or Gold Partner Certifications and CompTIA Certifications, to name a few. Your partner should be able to demonstrate that they value ongoing education by setting aside time for team members to attend training or continue their education.

3. Does Your IT Support Company Value Proactive Security and Account Management?

Proactive account management is crucial to your business success, as your IT services partner should be continually looking for ways to save you money and improve the efficiency of your operations. This should include a bi-annual or quarterly review of your business, that truly digs into the details and provides you with actionable recommendations. The right partner will be able to peek into the future and call out items that could become a problem in the future, so you can resolve them before they negatively impact your business operations. Active security measures are another valuable aspect of your partnership, as your IT services technicians are continually reviewing network activity to discover discrepancies so remediation of any problems can begin immediately.

4. What Are the Stated Response Times for Your IT Support Company?

There is no slick or easy answer that you should be looking for in terms of response times, as that can vary based on the needs of your business. Some businesses may find that getting a response within several hours is perfectly acceptable, while others need to get help desk support in a matter of minutes. What you are looking for is the best match for your business: an IT support company that is able to provide you with workable response times at an acceptable cost.

5. Is Your IT Support Company Aggressive About Cybersecurity?

Protecting your business assets is a mission-critical task for your IT support company, and they should treat it as such. You need to know that you will have access to cybersecurity professionals who are actively reviewing your account on a regular basis to ensure that all appropriate precautions are being taken to protect your digital assets. This includes everything from user training to backup and data recovery processes, all of which must be in line with your business needs.

Sometimes, it’s not a matter of finding the best IT support company — it’s a matter of finding the best fit for your business. You’ll want to consider everything from the support you want to receive from your account team to the quality of the training that technicians receive on an ongoing basis to find the best IT support company to meet your unique business needs.

The attack dubbed “PhishPoint” is a recent cyber-attack scheme being used by foreign hackers. It demonstrates the craftiness and the extent that cybercriminals will go to in order to harvest your Microsoft Office 365 credentials. It uses several familiar aspects of Office 365 to lull potential victims into an assumption that everything is above board. But it’s not. Here’s what you need to know about PhishPoint and how to protect your organization.

How Did The PhishPoint Attack Get Into Office 365?

The PhishPoint hackers use Microsoft SharePoint files to host their phishing links. Typically hackers use emails to host malicious links. Now, these crafty hackers have figured out how to bypass Office 365’s built-in security to leverage their attacks. This shows that there’s a critical flaw in Office 365 in this respect.

How Does The PhishPoint Attack Work?

You can recognize a PhishPoint malicious email by its use of “URGENT” or “ACTION REQUIRED” to urge you to respond. But beware, this email contains a link to a SharePoint Online-based document that you don’t want to click.

Here’s how it works:

The link will direct you to SharePoint. It will look legitimate and could trick you or your users unless you know what to watch for it.

At this point, you’ll be shown a OneDrive prompt –The SharePoint file will impersonate a request to access a OneDrive file with an “Access Document” hyperlink. This is actually a malicious URL, as shown below.

Then you’ll see a Microsoft Office 365 logon screen – Don’t enter your information even though it’s very authentic-looking login page. if you do, the hackers can access your user credentials!

What Else Should We Watch For?

Several things stand out here, and you should watch for them:

1. The email is unsolicited and has a generic subject of “<person> has sent you a OneDrive for Business file.”

2. Opening the document requires you to take a number of steps.

3. The URL for the logon page isn’t on the office365.com domain.

Why Didn’t Microsoft Stop This Scam?

Unfortunately, Microsoft didn’t see this coming. They continually scan emails for suspicious links and attachments, but even they were fooled. They didn’t think that a link to their own SharePoint Online would be malicious.

Another problem is that Microsoft link-scanning only goes one level down. It scans links in the email body but doesn’t scan files that are hosted on their services like SharePoint. If they did, they would have to scan for malicious links within shared documents.

And there’s another problem…they couldn’t blacklist the malicious URL unless they did this for the full URL for the SharePoint file. In this case, the hackers could just make a new URL in an uploaded file that contained content similar to SharePoint.

Since Microsoft isn’t scanning files hosted on SharePoint, hackers can easily use the platform to con their users and steal their credentials.

This scam exemplifies the risk associated with cloud-based applications. Using context and services that users are familiar with, cybercriminals can take advantage of a lowered level of alertness, and gain access to corporate resources online – all without the user or organization ever knowing it.

What Is Microsoft Doing To Prevent Scams Like PhishPoint?

Microsoft has been working behind the scenes to stop foreign attackers. Court documents that were unsealed on March 27, 2019 show that they’ve been waging a secret battle against a group of Iranian government-sponsored hackers.

Microsoft said it received substantial support from the domain registrars, which transferred the domains over to Microsoft as soon as the company obtained a court order.

What Can We Do To Prevent Being Affected By PhishPoint?

It’s important that you share this message with all of your users:

Be on alert! The bad guys have a new way of stealing your login credentials. They target you by sending an invite via email to open a SharePoint document.

The link takes you to an actual SharePoint page where you will see a OneDrive prompt. The prompt will have an “Access Document” link in it- don’t click this link!  

This link is malicious and will take you to a fake Office 365 login screen. Any credentials you enter here will be sent to the bad guys. Don’t be tricked!  

Whenever you’re submitting login credentials to any site, make sure to check the URL of the page for accuracy. Also, remember to always hover over links to see where they are taking you. Remember, Think Before You Click.

Here are some other things that you and your users should do:

• Be wary of any email subject line that contains an imminent threat like “URGENT” or “ACTION REQUIRED.”
• Always suspect URLs in the body of an email. It’s best not to click them. Most legitimate businesses no longer send links in emails.
• Carefully review any logon page. Check to make sure that the URL is actually hosted by the service that you want to use.
• If an odd-looking email shows up in your inbox from someone in your organization and you question its authenticity, contact the person by phone to see if they sent the email.
• Use Multi-Factor Authentication for all of your software platforms and online accounts.
• You should also sign up your users for Security Awareness Training. When you do, they’ll have a better chance of spotting the telltale signs of a cyber threat.

With nearly a million patients affected, the recent ransomware attack on a Michigan healthcare billing services provider continues to cause waves in the industry.  

Close to a million Michiganders are finding that their healthcare information may not be as secure as they thought it was, according to Michigan’s Attorney General Dana Nessel. Unfortunately, the personal health and financial information of these individuals were part of a massive ransomware attack on a third-party subcontractor who prints and mails bills for healthcare organizations in the area. While the attack happened back in September 2018, the far-reaching repercussions are still being identified over six months after the breach occurred. These unlucky individuals are discovering that a vast array of information was impacted, including social security numbers, dates of birth, personal addresses, names, medical information, phone numbers and even information about their insurance contracts. It took nearly three weeks for the contractor, Wolverine Solutions Group, to regain access to their data after the ransomware attack.

Healthcare Organizations Are Often Targeted by Hackers

Due to the high volume of personal, financial and health information available, healthcare practices and associated organizations such as Wolverine Solutions Group are often the target of cyberterrorists. The information that is stored within the vaults of these companies is extremely attractive, both for the data points and the perception that healthcare organizations will pay handsomely to regain access to their crucial healthcare data in the event of a ransomware attack. Ransomware costs American small businesses more than $75 billion per year according to Datto, a staggering sum when you consider that this downtime can result in costs upwards of $8,500 per hour. Ransomware is increasingly becoming a part of the technology landscape, as cybercriminals perceive it to be a relatively easy and untraceable payday due to the rise of anonymous digital currency such as bitcoin.

Was the Record Encryption Strong Enough?

One of the questions that cybersecurity professionals are attempting to answer is whether or not the encryption that was applied to the records was enough to protect the records from the cybercriminals. In the case of ransomware, the Wolverine Solutions lost access to their data for a period of approximately three weeks. During that period, it’s still unclear whether the cybercriminals attempted to break the data encryption — and if they were ultimately successful, where that data might have been shared with others or sold on the dark web. While a security firm brought into investigate initially felt that the attack was strictly focused on gaining ransom money, that has yet to be independently corroborated.

Patient Notification and Next Steps

Patients who were potentially affected are being notified by Wolverine Solutions Group, an expensive and time-consuming process as it requires multiple contact methods and a great deal of support. The organization is also providing complimentary credit monitoring and identity protection services for the affected patients, an additional cost that must be considered a part of the loss. These services will all be provided for the period of a year, while patients worry and wait — wondering if their personal health and financial information is in the hands of cybercriminals somewhere in the world. While Wolverine Solutions Group technology leaders note that they are taking steps to ensure that this type of attack doesn’t happen again, this negative publicity has likely affected their business in ways that will continue to be seen for years to come.

While it’s nearly impossible to create a system that cannot be breached, this instance illustrates the importance of having proactive, advanced backup and data protection processes in place. Cybercrime is rampant throughout the world, and there are no businesses that are truly immune from the effects of a major attack. Wolverine Solutions Group is merely the latest in a string of healthcare organizations that suffered from this type of aggressive ransomware attack and join Hollywood Presbyterian Medical Center and other large healthcare organizations in the growing list of targets.

No matter your profession, reusing passwords is a horrible idea. It’s dangerous and insecure. Reusing passwords is especially problematic for those working in fields like law, ones that require confidentiality in one form or another.

Many people already know that reusing passwords is unsafe, but they do it anyway. One recent survey conducted by Lastline revealed that nearly half (around 45%) of information security professionals polled admit to reusing passwords. These people get paid to work in information security, and yet they don’t follow some of the most basic protocols for keeping information safe.

If anyone should understand the dangers here, it would be information security professionals. You’re likely not an information security pro, though, so let’s look in greater detail at why reusing passwords is so bad.

A Broken System

First, cut yourself a little slack. The internet password system is inherently broken. Most people have well over a hundred digital accounts. These range from the seemingly trivial (paying a utility bill, “store insider” loyalty programs, and the like) to the vitally important (banking, proprietary business accounts, and so on). Each one requires a username and a password. To make things worse, many sites require a mix of characters (capital and lowercase letters, at least one number, and at least one symbol). Some sites won’t accept all the special characters, and various sites won’t even agree about which special characters are acceptable!

Cheating Ensues

Most people can’t easily memorize one hundred or so unique sets of site plus username plus password, so they cheat. Either they write all their passwords down in a notebook or they reuse the same password across multiple sites. Even worse, they may do both!

The Frequency of Reusing Passwords

How widespread is reusing passwords, really? A massive study from researchers at Virginia Tech found that the problem is quite severe. They analyzed 61.5 million passwords spread out over 28.8 million users and found that over half (52%) reused passwords wholesale. That doesn’t even account for people reusing the same basic word or phrase and just switching out a few characters or adding a new one to the end.

The Problem with Password Reuse

Here’s the problem with password reuse: credentials have a habit of being stolen. Companies frequently experience hacks where customer data is exposed. You may not consider it such a big deal if hackers got ahold of your username and password for Bargains ’R’ Us. You don’t shop there often and you don’t have any credit card info stored on their website. Is it really a big deal?

On its own, it’s likely not a very big deal. But if you reused the same username and password for, say, your bank or your credit card, it’s suddenly a very big deal!

The same goes for the sticky-note users out there. If you’ve ever written down your “go-to” password on a sticky note or in a notebook, consider who all has had access to that information. Family? Friends? Coworkers? The cleaning crew or service technicians? How easy would it be for someone to snag a quick picture of your password list? If you reuse your passwords, this problem escalates quickly.

One more problem worth noting is messaging or emailing passwords. Many of us have had the experience of texting, emailing, or messaging a password to a spouse or significant other. Those communications aren’t always secure, though, and often they stick around for a while. If someone gained access to your email, would they also gain access to sensitive passwords?

The Ubiquity of Data Breaches

Data breaches are happening all over the place, and some of them are huge. Yahoo had every single one of its 3 billion accounts breached. If you had a Yahoo account at the time of the breach, even an old dead one you never check, hackers may now have your sign-in info. If you used your go-to password on that account, then every other account you’re using that password for is now at risk. This is a big deal.

Solutions to the Password Problem

Passwords are a mess, and not reusing passwords is difficult. Here are some solutions that can help you clean up the mess and reduce frustration.

Enable Two-Factor Authentication Wherever Possible

Many websites offer two-factor authentication (2FA), which is much more secure. With 2FA, a one-time code is sent in a text message or email after logging in with username and password. Enable 2FA wherever possible.

Use a Password Manager

Password managers solve the problem of memorizing hundreds of unique passwords. They store all your passwords in an encrypted vault that you secure with one strong master password. We recommend using a good password manager. Doing so makes strong password security easy.

Conclusion

Understanding the danger behind reusing passwords is an important first step in securing your digital life. For help securing your workplace against digital threats, enlist the help of professionals like us. Contact us today to learn how we can help keep your systems secure.

Businesses owners need to know important dates for personal and corporate tax filings with protection plans from any tax-related identity theft. Knowing how income is produced is smart for business leaders and the generation of income also goes with a reporting process. The income produced may be posted to personal tax returns and the best planning of generated income will go smartly with the protection of personal credit and finances. In 2016, $21 billion in tax refunds was stolen from the American population as a result of identity theft. Protection of assets, profits, employee records, and income are smart areas of focus for business leaders. What are the best ways to avoid tax-related identity theft? A priority for management is to protect company profits and personal data such as Social Security Numbers. Implementing the best procedures for employees and tax reporting is helpful with worker compensation reporting and considerations for any independent contractors. Correct planning throughout all of this can help you avoid any tax identify theft as another part of effective leadership.

High-Level Reviews for Companies and Business Leaders

Organizing your corporate books and reporting throughout the year can help you float easier through tax season with filing dates and proactive planning for the reporting process. A review of the business structure may be part of an evaluation for a company and business leaders. The business structure may determine the type of tax returns being filed. Working with an attorney or a CPA is a smart way of being prepared to discuss the appropriate business structure that works best for a company. Growth plans, employee numbers, income allocations, and tax reporting are considerations for some business leaders. Profit projections with possible international growth plans are additional considerations for some businesses and the structure should support the best ways to operate a business with protection and risk mitigation. Technology solutions should support the best corporate structure with management reporting and accounting procedures. Tax identity theft is avoided throughout the payroll process and the costs to reduce all risks can be simplified with smart planning and policies.

How does a business protect personal credit and finances?

Appropriate planning to calculate taxes, file returns, and make payments if necessary can help you avoid penalties and interest costs. Plans should include smart procedures for protecting personal data. Protection may consist of a thorough review to make sure there are no unauthorized loans, credit cards or other amounts using a false identity. Eliminating risks includes protection to ensure there is no need to freeze credit when tax-related identity theft occurs. Closely monitoring credit card charges, user accounts, and personal information is a smart choice for reducing any risks of tax-identity theft involved with a business. Two areas of focus will help reduce risks:

• Employee record keeping and protection of personal data
• Tax Reporting and protecting personal data from tax-identity fraud

Preparations include plans to know how technology is an answer to feeling confident about filing during tax season and steps to take for employee data protection. Business executives understand planning and organizing for operations, sales, and technology implementations. Technology reviews are important for data protection and security planning is smart business.

Protection Planning and Important Tax Dates

When is protection planning important for personal data such as Social Security Numbers? Business leaders that are preparing smartly for tax season also know to have policies and procedures to support protection of personal data for all employees. Technology systems, such as accounting and payroll software, should be checked often to eliminate any security breaches or digital data hacks. Also, the process of employee withholdings and reporting payments made to independent contractors are considerations with protection and tax dates. The following are some dates to consider for tax reasons.

• January 31, 2019 is a deadline for sending out W-2 for your employees and filing with the IRS.
• February 15^th, 2019 is the deadline for issuing 1099s to independent contractors that received payments in 2018.
• February 28, 2019 is important for businesses filing reports on 1099s for 2018.
• April 1, 2019 is a date to know for filing 1099s electronically. If you are not filing electronically, the deadline is February 28^th.

Knowing the 2019 tax dates can help you plan ahead and minimize the risk of any fraud or tax-identity issues. Data protection makes sure no thieves are filing fraudulent returns before the real taxpayers file their legitimate ones. Business executives can be applauded and look prepared when communication of risk prevention strategies are confirmed as optimized. The tax planning process may include work with a CPA or accounting firm. Confirming the due dates for the year is smart planning and having enough lead-time to file the tax documents should also include proactive procedures to protect credit and finances.

Payroll, Systems, and Processes

Payroll can be part of the reporting and tax planning. A planned out system to process payroll efficiently can help with tax reporting. Tax tables and employee records are part of the planning process with considerations, such as salaries, hourly rates, benefit payments, and tax withholdings. Companies with employees in multiple states may have different withholdings for taxes. Also, income withholdings for city and local taxes may be part of calculating gross and net pay. For many reasons, some companies choose to save costs and time by outsourcing payroll functions to a third party firm. The benefits of proper planning can be to develop better processes for making estimated quarterly tax payments. Important considerations include hiring and paying full-time employees and independent contractors. Organizing the best way can save money and time for busy company executives and managers. Correct planning may help with payroll processing, tax reporting, and determining the best technology solutions for business. Protection of your employee personal data should be a priority with communication to any involved third-party firms.

Eliminate expenses and time wasters of being forced into working with creditors and credit reporting agencies to clear any fraudulent activity and tax-related identity theft. Employee personal data should also be protected with a smart focus and strength as an employer. Victims of tax-identity theft may need to report it to both the IRS and the Federal Trade Commission. Other suggestions outlined in this guide https://www.thesimpledollar.com/protect-yourself-from-tax-identity-theft/ include applying for an identity protection PIN, a six-digit IRS number that will be used to confirm identity on all filings and tax returns. Employers should consider important policies for the protection of employee data. Business executives should understand the protection of credit and finances, and know how this applies to best practices throughout the organization. Tax-related identity theft should never trace back to a business that has smartly focused on data security plans.