Another Day, Another Major Data Breach – 20 Tips to Protect Your Business in 2018

Over Easter weekend, hackers stole 5 million credit and debit card numbers that were used at Saks Fifth Avenue, Saks Off Fifth, Lord & Taylor, and Canada-based Hudson’s Bay Company. The personal information of customers who shopped at these stores is now compromised.

Saks Hacking

Most of the stolen card data — which goes all the way back to May 17 — was obtained from these stores in the New York City metro area, and other stores in the Northeast U.S. It appears that these stores weren’t using a secure credit card payment system. Security firm Gemini Advisory reported:

“The attack is amongst the biggest and most damaging to ever hit retail companies...Credit card data was obtained for sales dating back to May 2017. The breach likely impacted more than 130 Saks and Lord & Taylor locations across the country, but the majority of stolen credit cards were obtained from New York and New Jersey locations.”

Gemini Advisory says that the hacking group JokerStash/Fin7 boasted about their success on the Dark Web and that the data is now for sale. The name of their “product” is BIGBADABOOM-2. Gemini Advisory’s co-founder and chief technology officer said that this group previously targeted major hotel and restaurant chains. They were also responsible for other data breaches like the ones that affected companies including Whole Foods, Chipotle, Omni Hotels & Resorts and Trump Hotels.

The hackers typically use phishing emails to gain confidential information. They send the emails to company employees including managers and supervisors who are key decision makers. They disguise themselves as an entity these people would recognize as legitimate. The email contains an invoice and asks them to pay it via a link provided. Once clicked, their IT system is infected.

No store is immune from this type of breach. However, you can protect your business from phishing attacks by educating your employees.

Cybersecurity training is a must for all businesses today. You can have all the right security technology in place, but if one of your employees unknowingly clicks a malicious link, or visits a counterfeit website, your business can be ruined.

Phishing is when a scammer uses fraudulent emails, texts, or copycat websites to get you to click a link so that they can steal your confidential information like Social Security numbers, account numbers, login IDs, and passwords. They use this information to rob you of your money and your identity.

The majority of account takeovers come from simple phishing attacks where you or someone in your organization gets tricked into releasing private credentials and information.

Scammers also use phishing emails to get access to your computer or network, so they can install programs like ransomware that lock you out of your important files unless you pay a ransom.

Spoofing

Phishing scammers try to lure you or your employees into a false sense of security by pretending to be a trusted source like a legitimate company, the IRS, a colleague, vendor, or even a friend or family member.

Phishers create a sense of urgency, making it seem like they require your information right away or something terrible will happen to you. They may threaten to hold back a tax refund or close your bank account. Essentially, they lie to get your information.

Here are things that you and your employees should do to protect your business.

Be cautious about opening attachments and clicking links in emails.

Files and links may contain malware that can infect and weaken your computer’s security.

Type in URLs and email addresses.

If a company or organization you know sends you a link or phone number, don’t click the link or call the number. Go to your search engine and type in the correct URL for the company’s site and find the legitimate phone number.

Call the source. Don’t respond to emails that request confidential or financial information. Phishers use strategies that prey on fear. If you think the contact in the email needs this information, refer to the phone number in your address book, not the one posted in the email, and call them to verify the request.

Use Two-Factor Authentication. For accounts that support this, two-factor authentication is an extra step to ensure the security of your information. It requires both your password and an additional piece of information to log in to your account. The second piece might be a code the company sends to your phone or a random number generated by an application or token. Two-factor authentication protects your account even if your password is compromised.

Update your applications and operating system. Use security software you trust, and make sure you set it to update automatically. Also, make sure you update all your applications and your operating system when you receive patches from the manufacturer. Don’t delay, as there are good reasons for these updates, and they will protect your information from the latest threats.

Back up your files to an external hard drive and enterprise-based cloud storage. Back up your files regularly to ensure you have a duplicate of all your files and applications if your network is compromised.

Google conducted a study between March 2016 and March 2017 in conjunction with researchers from the University of California, Berkeley. The results revealed that phishing is far riskier for users than data breaches because of the additional information phishers collect.

Use a unique email address.

Spammers send out millions of messages to name combinations hoping to find a valid email address. If you use a common name like Joe, you’ll receive more spam than with a name like Wwmj4itvi. It’s harder to remember an unusual name like this, so try building it from an acronym, for example: “We were married June 4 in the Virgin Isles” (Wwmj4itvi).

Use an email filter.

If your email account provides a solution that filters out potential spam or channels it into a bulk email folder, opt for this. If it doesn’t, you might want to consider another Internet Service Provider.

Use more than one email address.

Consider using a disposable email address service that forwards messages to your permanent account. If the disposable address receives a lot of spam, you can shut it off without affecting your permanent address.

Limit your exposure.

Don’t share your email address in public. This includes blog posts, chat rooms, social networking sites, or in online membership directories. Spammers use the web to obtain email addresses.

Check privacy policies and uncheck boxes.

Before submitting your email address to a website, determine if they can sell your email to others. Don’t provide your address to sites that won’t protect it.

Be wary of messages that:

  • Try to solicit your curiosity or trust.
  • Contain a link that you must “check out now”.
  • Contain a downloadable file like a photo, music, document or pdf.

Don’t believe messages that contain an urgent call to action, such as ones that:

  • Claim an immediate problem that requires you to verify information.
  • Urgently ask for your help.
  • Ask you to donate to a charitable cause.
  • Indicate you are a “Winner” in a lottery or other contest, or that you’ve inherited money from a deceased relative.

Watch for messages that:

  • Respond to a question you never asked.
  • Create distrust.
  • Try to start a conflict.

Watch for flags like:

  • Misspellings
  • Typos

Always Use Secure Passwords.

  • Use Two-Factor Authentication if it’s available.
  • Never use words found in the dictionary or your family name.
  • Never reuse passwords across your various accounts.
  • Consider using a Password Manager (e.g., LastPass or 1Password).
  • Use complex passwords.
  • Create a unique password for work.
  • Change passwords on at least a quarterly basis.
  • Use passwords with 9+ characters.

Keep Your Passwords Secure.

  • Don’t tell anyone your passwords.
  • Don’t write them down or email them.
  • Never include a password in a non-encrypted stored document.
  • Don’t speak your password over the phone.
  • Don’t hint at the format of your password.
  • Don’t use the “Remember Password” feature of application programs such as Internet Explorer, Portfolio Center or others.
  • Don’t use your corporate or network password on an account over the Internet that doesn’t have a secure login starting with https://. If the web address begins with https://, the connection between your computer and the website is encrypted, so others on the network can’t read what you send. There should be a small lock next to the address. If not, don’t type in your password.

If you believe your password may have been compromised, you should change it.

Regularly Back Up Your Data Both Onsite and Remotely.

  • Maintain at least three copies of everything.
  • Store all data on at least two types of media.
  • Keep a copy of your data in an alternate location.

If you haven’t backed up your data and you’re attacked, it’s gone forever.

Ask Your IT support to Conduct Testing and Security Awareness Training for Your Employees.

  • Give a social engineering test.
  • Share the results with your staff.
  • Debrief and train your users.
  • Test again each year.

Report Phishing Emails and Texts to the Federal Trade Commission.

Forward phishing emails to the Federal Trade Commission at spam@uce.gov – as well as the organization that was impersonated in the phishing email. Include the full email header if it’s available.

File a report with the Federal Trade Commission at FTC.gov/complaint.

Visit Identitytheft.gov. Victims of phishing could become victims of identity theft; there are steps you can take to minimize your risk.

You can also report phishing emails to reportphishing@apwg.org. The Anti-Phishing Working Group, which includes Internet Service Providers, security vendors, financial institutions and law enforcement agencies, uses these reports to fight phishing.

Easy Ways to Make Outlook 2016 Work Better for You

The new Outlook 2016 has incorporated some cool features, designed to be helpful and make your work day a little smoother. It can look a bit different depending on what version of Outlook you’re using and how your admin sets it up.

What’s New in Outlook 2016?

When you open Outlook, you’ll see six areas. Across the top is that familiar ribbon we’ve all become used to seeing. Above the ribbon, you’ll find the Title Bar which has the File tab, Home tab, Send/Receive, Folder, and View. Across the main section, you’ll find four wide panes of varying widths. Across the bottom is the newest addition to Outlook, the navigation bar.

While on the Home tab, you can take a closer look at the four panes or main sections. The narrowest one located on the left contains your inbox, sent, deleted and other items pertaining to your mail folders. The second column contains your messages. Here, you can get a closer look at the items in your inbox. It shows the names and dates of each email. The widest pane shows the contents of the actual email. This section is called the reading pane. If you click on a specific email, you can read it and reply or forward it. The fourth smaller pane to the right contains your calendar and to-do list.

At the bottom, you’ll see the newly added navigation bar. Hover over each item there for a closer look. This is handy because you can access frequently used features or people very quickly here. The dots, which represent “more”, open up a “navigation options” dialog box. There you can change a number of things pertaining to the way your email client is laid out. You can also choose navigation options > compact navigation. This will make the navigation bar smaller. Little icons replace the larger words that were used. The icons can run horizontally across the bottom or vertically along the side.

Reading Pane Too Small?

You may not always need your calendar to stay open. It’s easy to close. Simply click on the arrow at the top to close it. You can also close the folders section located on the far left the same way. By closing these two sections, you’ll now have a much wider email viewing pane. This can be helpful if you have a long or important email to read. If you need to take a quick look at the folders, simply click on the words “All Folders” (far left side, vertically written) and a handy pop-out appears. This pop-out will stay there until you click on “All Folders” again. The navigation pane appears vertically written as well and this configuration can give you the greatest amount of space to work on emails.

In addition, you have the option of manually dragging the borders for each section. This is a quick and easy way to increase or decrease the width of a pane so that your Outlook email works best for your situation.

The New Navigation Pane

In the 2016 version, a navigation pane was added to the bottom. It has links that go out to:

  • Mail
  • Calendar
  • People
  • Tasks
  • More – More is represented by small dots in most programs now.

You can hover over each one to learn more about it or access that particular feature. For instance, hover over “People” to see all those listed in your contact list. You can also hover over a specific person to get more information about this person. For each of your contacts, you’ll see small icons along the bottom so you can email, call or video chat with that person. The same is true for each item in the Navigation Pane. Simply hover over your calendar for a quick look at your day, week or month. The calendar in your Navigation Bar performs the same tasks as the actual calendar portion of your Home Page. For that reason, you may find it handy to just leave that Calendar closed and use the one in the Navigation Bar. This will give you more room for emails and other tasks you do on the Home Page.

Taking a Deeper Look at The Ribbon

The Ribbon has been around since Word 2007 and most users are fairly knowledgeable about how to use it. If it’s in the way and you’d like to temporarily remove it, click on the small triangle on the far right side of the page. This collapses the Ribbon. When you want it back, click on the same triangle and it reappears. This works for all Microsoft Office programs, including Word, Excel, and Access.

Of course, there are shortcuts for just about all the actions found on the Ribbon. Many users find it helpful to learn those shortcut keys and use them instead of navigating through the tabs/items on the Ribbon. You can also hide or view the Ribbon by clicking on the View tab. Outlook 2016 is all about making your email tasks much simpler.

Dealing with Emails

Once you get your work area set up so that it’s most efficient for you, it’s time to read and answer a few emails. At the top of each one, you have inline options to reply, reply all, forward or IM. Click on reply and you can just start typing your message. You can also right-click in this area for a list of other options like changing the font and color of your typing. Right-clicking in various areas of the page will always call up a list of other helpful options and this can often prevent you having to reopen the Ribbon to accomplish a task.

When an email has attachments, you can click on the attachment to view it there in the Outlook program. This is true for PDF docs, Word docs, and Excel. This saves you the trouble of having to open Word, Excel or Adobe and this can be a real time-saver. If you do want to open up the specific program and view the document there, simply double click on the attachment.

Show As Conversation

Another helpful feature when dealing with lots of emails from different people on the same topic is the “Show as Conversation” feature found on the View tab. By clicking on “Show as Conversation” you can group all the emails about a specific topic so that they make sense. This prevents you from having to sort through dozens of emails to find all those related to a topic. Once these emails are grouped together, it’s easy to click on one to read or respond to it.

The Clean Up Tool

Like many users, you may have a dozen emails on one specific topic and yet only five of them are actually important and contain good information. The Cleanup Tool can be used to remove those emails that only say something inconsequential like, “I agree” or “Thanks” or contain redundant information. The Cleanup Tool is found on the home page and hovering over it will show three options:

  1. Clean up conversation
  2. Clean up folder
  3. Clean up folders and subfolders

Before the messages are cleaned up, you will get a warning box that asks if you’re sure. Many users find it helpful to clean up messages and folders on a regular weekly basis. This can prevent you from maxing out your Outlook storage limit. Simply run the Clean Up tool each week on folders and emails to keep redundant items from clogging up the works.

These are just a few of the many ways to make Outlook 2016 work more efficiently. By learning these tips and tricks you can save valuable time throughout your day and reduce stress.

Hold on to Your Credit Cards… Alexa’s On a Shopping Spree!

I love my Alexa. I don’t know what I’d do without it. Last year I decided to set it up for voice shopping. That way, when I come home from work, I can start cooking dinner, get the kids going on their homework, and tell Alexa what I want to buy.

Alexa Shopping Spree

Evidently, other moms and dads are doing this too. Research shows that people are spending about $2 billion a year using voice shopping with their Echos and Alexas.

And, it’s predicted that this amount will increase rapidly over the next few years to a whopping $40 billion by 2022! According to the company that provided these statistics:

“Voice commerce represents the next major disruption in the retail industry, and just as e-commerce and mobile commerce changed the retail landscape, shopping through smart speakers promises to do the same…The speed with which consumers are adopting smart speakers will translate into a number of opportunities and even more challenges for traditional retailers and consumer products companies.”

It seems that Amazon is the preferred vendor with 85% of people choosing the products Amazon suggests. For those like me who purchase groceries online, 45% of online grocery orders are made through Amazon Fresh.

Here are some more interesting statistics:

  • Right now, only 13% of homes have one of these devices, but by 2022 this is supposed to grow to 55%.
  • Amazon Echo is the most used of any U.S. virtual assistant. Google Home is the next at 4%, followed by Microsoft’s Cortana at 2%.
  • Those of us who have an Amazon smart speaker spend 66% more on Amazon than other people do.
  • Amazon Alexa owners spend on average $1,700 a year at Amazon, while members of the Amazon Prime program spend around $1,300 a year at Amazon.

Well, what can I say? It’s so much easier to just speak into my Echo and tell Alexa to reorder what I did last week from Amazon Fresh. When I’m making dinner, I don’t have the time to sit down and type away on a keyboard. The Voice Purchasing function of Amazon’s Alexa and Echo is so convenient. I can order practically anything from Amazon without using my computer. It’s great!

It seems that the smart speaker market is still in its infancy (unlike my precious children), and it’s still not clear if the Google and Microsoft smart speakers will be able to catch up to Amazon in the future.

Speaking of children…

Because Amazon doesn’t ask me to confirm my purchases with a “yes,” I’ve found some items in my orders that I didn’t place – but that my “precious” children did! Sugary cereal, microwave popcorn, chips, cookies, etc. Boy, was I mad when I found out they did this. You can be sure these purchases will come out of their allowance!

When I complained to Amazon, they told me to increase the security on my Alexa. They said there are two ways I can secure the Echo speaker from the kids or others. I can disable the Voice Purchasing feature or simply create a four-digit PIN (a secret one of course!).

Here’s how to disable Voice Purchasing.

By disabling Voice Purchasing, you can still shop with your Alexa and add items to your cart. However, you’ll have to complete your checkout from the Amazon website or app.

  • Sign on to amazon.com (or open the Alexa app on your iOS or Android device).
  • Go to Settings.
  • Select Voice Purchasing.
  • Toggle off the Purchase by voice to disable Voice Purchasing.

They also suggest that I use a confirmation code.

Doing this lets me keep Voice Purchasing enabled without allowing others to purchase things with my Amazon account. I have to speak my confirmation code aloud to complete my order. So, I make sure to do this when the kids or others aren’t around!

  • Sign on to amazon.com (or open the Alexa app on your iOS or Android device).
  • Go to Settings.
  • Scroll down and choose Voice Purchasing.
  • If it isn’t enabled choose “Purchase by Voice” to enable it.
  • In the text field beside Require confirmation code, enter a (secret) four-digit PIN.
  • Save.

Why do I love my Alexa for shopping? Because it’s so convenient! If I’m running out of paper towels or toilet paper, rather than jotting this down on a shopping list, I just ask my Echo to tell Alexa to order what I did last month. They arrive at my house in just two days! No more going to the store, putting them in a cart, jamming them into my car, taking them out of my car, etc. (you get the idea). They magically appear on my doorstep with minimal effort on my part.

And, if I happen to order something that requires a return, I don’t have to pay for shipping. Come to think of it, I should have returned the kids’ chips, cereal, etc.!

If you haven’t shopped with Alexa, you should give it a try. I know, it can be a little scary the first time. But once you see how easy it is, you’ll be “hooked” like me.

Here’s how to set up Alexa for shopping.

First, you need to set up an Amazon Prime account, provide a U.S. shipping address, billing address and a U.S.-based payment method. Set your Amazon Prime account for 1-Click shopping.

Check the settings in your Alexa to make sure Voice Purchasing is enabled. You can go to Settings -> Voice Purchasing in the Alexa app, and enable it. You can also manage your 1-Click settings here and set a 4-digit PIN to make sure the kids don’t order stuff!

Now, you can order anything that’s Amazon Prime-eligible:

Order new products: If it’s something you’ve never ordered before, Alexa will suggest an “Amazon Choice” product that meets your description. If you’re not sure about what you want to buy, you can add it to your cart and cancel it right away if you change your mind.

Reordering: Alexa will look at your past orders, so if you ordered a particular brand of paper towels, you can easily reorder them with a “reorder _____” command. Alexa will ask you to confirm the order, and if you say yes, you’re all done.

Tracking: You can always track what you’ve ordered by asking Alexa. Just say, “Alexa, where’s my stuff?” She’ll let you know when your order will arrive.

So, you can see why I love my Alexa and why I can’t do without “her.” She’s my newest best friend!

Under Armour’s “Armor Gets Penetrated”

How Would It Cost Your Business If This Happened To You?

Under Armour Data Breach

Have you read the news? According to Reuters, Under Armour Inc., headquartered in Baltimore, Maryland, recently suffered a breach of the private information for their 150 million MyFitnessPal app users.

This is the largest breach this year according to experts. It included account usernames, email addresses, and passwords. Lucky for them, Social Security numbers, driver license numbers, and payment card data weren’t stolen like they usually are in data breaches of this kind.

Once again we learn that keeping up to date on cybersecurity, changing passwords often, and using an IT support provider to implement a layered approach to security is essential if you want your business to stay safe in today’s digital world.

Perhaps, if Under Armour had used these services, they could have prevented this breach. Now, their reputation has been ruined.

Would you trust your private data to them?

I wouldn’t.

With so many data breaches today, they should have known better and considered the privacy of their customers. How can they salvage their credibility now?

As a business technology professional, I know that data protection costs much less than what I’d face from a breach – legal liability, fines, and lost customers.

With the rising number of cyber thefts, numerous lawsuits have been filed against businesses like Under Armour. In the last few years, data breaches have become so prevalent that it’s almost commonplace to hear that a company has been breached.

Learning that all their personal information is in the hands of thieves causes a significant change in the behavior of customers. One study found that consumers who learned of a data breach at their favorite retail store significantly cut back on their purchases.

With over 1,500 data breaches in 2017, consumers responded in this way:

  • 84 percent said they might not consider doing business with a retailer who had experienced a data breach.
  • 57 percent of holiday shoppers felt that identity theft and data breaches would be a significant threat during the holiday season.
  • Four in 10 consumers said they believed businesses aren’t doing the best they can to protect them.
  • 38 percent said they weren’t sure all companies were doing everything possible to stop data breaches.

I know that my business has the best cybersecurity and IT management that money can buy. I take full responsibility for this and all my customers’ private data.

After what I’ve learned, this is what I would tell the CEO of Under Armour, and others to do from now on:

Protecting your security isn’t only a job for your IT support provider but one for you as a CEO as well. You must understand that any interruption in your information systems can hinder your operations, negatively impact your reputation, and compromise your customers’ private data.

Many CEOs don’t fully understand this. They spend their energy developing new products and services and managing current ones. Security comes in second. Maybe they’re unaware of the risks or feel that it’s solely an IT concern. Some may not be very technical and are afraid to discuss what could be an intimidating topic, but this isn’t wise.

The Department of Homeland Security recommends five questions that CEOs should ask themselves to lower the risk of cyber attacks:

1) What is the current level and business impact of cyber risks to our company? What is our plan to address identified risks?

2) How is our executive leadership informed about the current level and business impact of cyber risks to our company?

3) How does our cybersecurity program apply industry standards and best practices?

4) How many and what types of cyber incidents do we detect in a normal week? What is the threshold for notifying our executive leadership?

5) How comprehensive is our cyber-incident response plan? How often is the plan tested?

We also need to train our employees on cybersecurity practices like recognizing phishing attacks and using secure passwords. The folks at OneSource handle this for us. Here are some of the topics they cover:

Lesson 1: Ignore Ransomware-Threat Popups and Don’t Fall for Phishing Attacks.

These threats look like they’re from an official entity like the IRS or FBI. If a screen pops up that says you’ll be fined if you don’t follow its instructions, beware! If you follow them, the criminal will encrypt all your data and prevent you and your employees from accessing it.

Watch out for messages that:

  • Try to solicit your curiosity or trust.
  • Contain a link that you must “check out now”.
  • Contain a downloadable file like a photo, music, document or pdf file.

Don’t believe messages that contain an urgent call to action, such as ones that:

  • Claim an immediate problem that requires you to verify information.
  • Urgently ask for your help.
  • Ask you to donate to a charitable cause.
  • Indicate you are a “Winner” in a lottery or other contest, or that you’ve inherited money from a deceased relative.

Be on the lookout for messages that:

  • Respond to a question you never asked.
  • Create distrust.
  • Try to start a conflict.

Watch for flags like:

  • Misspellings
  • Typos
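
The red flags in this lesson, and in the matching checklist earlier on this page under “Be wary of messages that”, can be turned into a simple triage score. The script below is an added example, not code from the article or from OneSource: it applies those flags (urgency wording, lottery and inheritance lures, a link whose visible text names one site but points to another, a sender domain that matches none of the linked sites, risky attachments, and common misspellings) to two constructed sample messages. The phrase lists, sample messages, point values and threshold are all assumptions.

```python
"""Heuristic phishing triage built from the red flags listed on this page.
Added example: phrase lists, samples, points and threshold are constructed."""
import re
from dataclasses import dataclass, field

# Wording that signals the "urgent call to action" the article warns about.
URGENCY_PHRASES = ("check out now", "urgent", "immediately", "right away",
                   "within 24 hours", "account will be closed", "verify your")
# Lures: lottery winners, inheritances from a deceased relative, charity appeals.
LURE_PHRASES = ("winner", "lottery", "inherited", "deceased relative",
                "prize", "donate", "charitable")
# Downloadable file types that commonly carry malware (constructed list).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".zip", ".docm", ".xlsm", ".pdf"}
# Misspellings that often show up in phishing mail (tiny constructed list).
MISSPELLINGS = {"acount", "recieve", "verfy", "securty", "pasword", "bussiness"}

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    def flag(self, points, reason):
        self.score += points
        self.reasons.append(reason)


def host_of(text):
    """Lowercased host named by a URL or bare domain at the start of text, else None."""
    m = HOST_RE.match(text.strip())
    return m.group(1).lower() if m else None


def score_message(sender, subject, body_html, attachments=()):
    """Score one message; a higher score means more phishing indicators."""
    v = Verdict()
    plain = re.sub(r"<[^>]+>", " ", body_html)
    text = f"{subject} {plain}".lower()

    # 1. Urgency and lures: one hit of each kind is enough to flag.
    hit = next((p for p in URGENCY_PHRASES if p in text), None)
    if hit:
        v.flag(2, f"urgent call to action: '{hit}'")
    hit = next((p for p in LURE_PHRASES if p in text), None)
    if hit:
        v.flag(2, f"lure: '{hit}'")

    # 2. Link whose visible text names one site but actually goes elsewhere.
    #    This is why the article says to type the URL yourself instead of clicking.
    links = ANCHOR_RE.findall(body_html)
    for href, label in links:
        shown, real = host_of(label), host_of(href)
        if shown and real and shown != real and not real.endswith("." + shown):
            v.flag(3, f"link shows {shown} but goes to {real}")

    # 3. Sender domain matches none of the sites the message links to (spoofing).
    sender_host = sender.rsplit("@", 1)[-1].lower()
    link_hosts = {host_of(href) for href, _ in links} - {None}
    if link_hosts and not any(h == sender_host or h.endswith("." + sender_host)
                              for h in link_hosts):
        v.flag(1, f"sender domain {sender_host} differs from linked sites")

    # 4. Downloadable files the article warns about.
    for name in attachments:
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            v.flag(1, f"risky attachment: {name}")

    # 5. Misspellings and typos.
    typos = set(re.findall(r"[a-z]+", text)) & MISSPELLINGS
    if typos:
        v.flag(1, "misspellings: " + ", ".join(sorted(typos)))
    return v


def is_suspicious(verdict, threshold=3):
    """Triage decision; the threshold is an assumption, tune it on your own mail."""
    return verdict.score >= threshold


# Constructed sample messages (not real mail), modelled on the invoice lure
# described in the Saks article at the top of this page.
SAMPLE_MESSAGES = {
    "invoice_lure": dict(
        sender="billing@saks-fifth-avenue-support.example",
        subject="URGENT: verify your acount within 24 hours",
        body_html='<p>Your acount will be suspended. Pay the attached invoice: '
                  '<a href="http://login.saks-fifth.example.net/verify">'
                  'https://www.saksfifthavenue.com</a> Check out now!</p>',
        attachments=["invoice_4471.pdf.exe"],
    ),
    "real_statement": dict(
        sender="statements@example.com",
        subject="Your March statement is ready",
        body_html='<p>Your statement is available at '
                  '<a href="https://www.example.com/statements">'
                  'https://www.example.com/statements</a>.</p>',
        attachments=[],
    ),
}


def triage_samples():
    """Score every sample message; returns {name: Verdict}."""
    return {name: score_message(**msg) for name, msg in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, verdict in triage_samples().items():
        label = "SUSPICIOUS" if is_suspicious(verdict) else "ok"
        print(f"{name}: {label} (score {verdict.score})")
        for reason in verdict.reasons:
            print("   -", reason)
```

A scorer like this is a training aid and a first-pass filter, not a replacement for the “call the source” advice: a message with a low score can still be a phish, so confirm requests for money or credentials through a phone number you already have.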

Lesson 2: Always Use Secure Passwords.

  • Never use words found in the dictionary or your family names.
  • Never reuse passwords across your various accounts.
  • Never write down your passwords.
  • Consider using a Password Manager (e.g., LastPass or 1Password)
  • Use password complexity (e.g., P@ssword1).
  • Create a unique password for work.
  • Change passwords at least quarterly.
  • Use passwords with 9+ characters.
    • A criminal can crack a 5-character password in 16 minutes.
    • It takes 5 hours to crack a 6-character password.
    • 3 days for a 7-character one
    • 4 months for 8 characters
    • 26 years for 9 characters
    • centuries for 10+ characters
  • Turn on Two-Factor Authentication if it’s available.

Lesson 3: Keep Your Passwords Secure

  • Don’t email them.
  • Don’t include a password in a non-encrypted stored document.
  • Don’t tell anyone your password.
  • Don’t speak your password over the phone.
  • Don’t hint at the format of your password.
  • Don’t use the “Remember Password” feature of application programs such as Internet Explorer, Portfolio Center or others.
  • Don’t use your corporate or network password on an account over the Internet that doesn’t have a secure login, that is, where the web browser address starts with http:// instead of https://. If the web address begins with https://, the connection between your computer and the website is encrypted, so no one on the network can eavesdrop on it. There should be a small lock next to the address. If not, don’t type in your password.

Lesson 4: Back Up Your Data Onsite/Remotely and Securely

  • Maintain at least three copies of everything.
  • Store all data on at least two types of media (one offsite in a secure enterprise cloud solution).
  • Keep a copy of your data in an alternate location.

If you haven’t backed up your data, and you’re attacked, it’s gone forever.

Lesson 5: Secure Open Wi-Fi with a VPN.

  • Don’t go to sites that require your personal information like your username or password.
  • Use a VPN whenever possible, and limit yourself to sites served over https://.
  • Don’t connect if all the Wi-Fi networks you have ever accessed appear as “Available”.

We have our tech support professionals train our employees a few times a year because the threats keep changing. Plus, we have them conduct Vulnerability Assessments to make sure our cybersecurity “armor” stays strong and intact.

Don’t risk your data. Keep your data secure and your employees educated. I recommend that, if you’re in an area we serve, you contact us immediately.

New Data Breach Laws Mean More Trouble When You Get Hacked

The recent surge in cyber theft and hacking has everyone worried. With each new cyber breach, consumers realize just how vulnerable we all are. After the Equifax hack of September 2017, state legislatures began proposing new laws that would tighten data security.

Data Breach Notification

For those working with an MSP, the burden often falls on the MSP to increase security so that breaches simply don’t take place. Though this concept is good in theory, MSPs sometimes struggle to find the right balance between convenience and stronger security.

New Proposed Legislation

The American Bankers Association believes that during 2018, at least half of all states will develop tougher data breach laws for the financial services industry. One of these bills receiving more attention originates in New York, the home of many prominent financial institutions. Experts believe the new bills being developed for New York could become a model for other financial providers. These bills could even affect federal laws.

The new legislation will be designed to stop the onslaught of huge, expensive data breaches, such as JP Morgan Chase, Sony Pictures, and Equifax. Many believe this type of legislation is way overdue.

The bill being developed by legislators in New York is called the "Stop Hacks and Improve Electronic Data Security Act" (SHIELD Act). It will require that any organization that handles financial or sensitive information produce clear examples of its safeguards. It would also require all banks, credit reporting agencies, brokerages and insurance providers to develop better security measures. In addition, the new law will apply to anyone who handles the personal financial information of consumers.

The bill will contain phrases like “clear examples of safeguards” that force organizations to provide proof of their security measures. Many experts believe these “safeguards” might include all administrative, technical and physical security measures taken by any company that deals with the private information of New Yorkers.

Though MSPs are already gearing up to offer higher levels of data security to their customers, the problem of data security falls back on each financial services company. Consumers are outraged when corporations the size of JP Morgan Chase and Equifax don’t take data security seriously enough. This outrage can spawn expensive lawsuits.

Keys to Success

Though MSPs will begin offering more robust data security plans, it's important to remember that the burden falls back on each business. In this day and age, you simply can't rely on a third-party vendor alone; the stakes are too high. Your company could be sued by anyone who loses their personal and banking information to hackers. For this reason, many businesses keep a small team of IT pros on premises who communicate regularly with their MSP.

Your own IT department should be fully engaged with your MSP. They should understand exactly what security measures have been put in place and how this system is protecting your data. They should be involved in program upgrades. They can also work inside your business to organize monthly security briefings for employees.

Consider Hiring Security Experts

Though most MSPs offer a comprehensive group of security services to help protect your data from intrusion, many top banking and financial institutions are going one step further. They are hiring security experts whose only job is to ensure that all data is safe and secure from hackers. Companies that specialize in providing data security plans follow a strict regimen of protocols. They conduct regular security risk assessments. Their team will come out to your company on a regular basis to train employees, and that training is essential to the rest of the security plan actually working.

Risky employee behavior is a factor in a large share of data breaches. Every day, in companies all over the world, employees make mistakes that could spell disaster. They share passwords, ignore prompts to install patches, click suspicious links in emails, and choose weak passwords. Employees need better training so that they know, and remember to follow, all of the company's data breach policies.

Are You Doing Enough to Stop Hackers?

Though many MSPs are fully up to date on the policies and procedures for greater cybersecurity protection, it's important to decide for yourself whether their security measures are strong enough. If your company handles the financial or healthcare information of others, basic data security programs may not be enough.

Ransomware attacks are on the rise. Cyber thieves break into your system, encrypt your data, and hold it hostage until you pay the ransom. Many company owners are not sure whether their data is safe from these attacks. The days when anti-virus programs and firewalls alone were adequate to protect data are over. Your company will require a higher level of protection in order to remain safe. Remember that cybercriminals never rest; they are always looking for new ways to steal names, addresses, and banking information.

The Revolution in Technology

Today’s cloud technology allows everyone to take their work with them wherever they go. In addition, consumers can access that information on a laptop, phone, or iPad. Though all these new advancements in technology are fun and convenient, they do present a unique challenge for security experts. Regular security risk assessments can determine whether your employees are leaving important data right out in the open for criminals to find.

The HIPAA Security Rule requires a Security Risk Assessment (SRA), and a normal SRA includes a basic inventory of where and how sensitive data is being used. The same kind of assessment is available for financial institutions. It is a great way to get the big picture of how sensitive data is transmitted, stored and accessed, whether by email, text message or mobile device. Most security experts believe that a comprehensive SRA is the right place to start.

Better Documentation

Lastly, good solid documentation of all security policies is required. All employees should know and understand the security policies and procedures used by their employer. Each software upgrade should be documented. Any event that might affect your organization's data security should be documented as well. Any time an employee is terminated, your company should follow a specific, written offboarding procedure (disable the accounts, revoke active sessions and tokens, rotate any shared credentials the person knew, and collect company devices) so that a disgruntled ex-employee can't walk away with data.

Changing the Way We Do Business

The new cybersecurity laws may change the way we all do business each day. Though some of these laws will be cumbersome and inconvenient, the alternative is much worse. It’s important to remember that the new cybersecurity legislation is meant to protect us from hackers and data loss. Consumers want to go back to feeling safe again when they do business online. And that’s the goal of these new laws.

Whether you decide to select security experts who have the skills and tools to address all types of data breaches or continue on with your MSP, the game has to change in order to stop hacking and cyber crimes. Each employee should feel personally responsible for doing their best to protect data. Your MSP and IT department must work together to build the strongest fortress possible for your sensitive information.

Having Problems with Two-Factor Authentication for Office 365?

We noticed that some people are having problems using Microsoft Office 365 with two-factor authentication (2FA) (also known as multi-factor authentication).

Office 365 Two Factor Authentication

We have a few tips for you here.

First: It's important to know that when your admin sets up 2FA for your Office 365 users, Modern Authentication (MA) must be enabled for Exchange Online if users access Exchange with the Outlook desktop client. Outlook 2016 supports MA out of the box; Outlook 2013 needs the registry keys Microsoft documents; Outlook 2010 and earlier don't support MA at all and will either fail to sign in or need an app password. For details on how to enable MA for an Exchange Online tenant, see Microsoft's article Enable Modern Authentication in Exchange Online.

Second: You shouldn’t have any problem using 2FA with Microsoft’s mobile Office apps, Outlook Groups, Office 2016 desktop apps, and OneDrive for Business in Windows 10. However, other applications may be incompatible, so make sure you test all the apps in your organization before enabling 2FA.

How to Connect to Office 365 Security & Compliance Center PowerShell Using 2FA.

If you set up 2FA for tenant administrator accounts, they can no longer connect to Office 365 PowerShell the traditional way (New-PSSession with a stored username and password), because that path has no way to supply the second factor. Instead, install the Exchange Online Remote PowerShell Module, which authenticates through a browser prompt, and use its Connect-IPPSSession cmdlet to connect to Security & Compliance Center PowerShell. Microsoft has since replaced that click-once module with the ExchangeOnlineManagement module from the PowerShell Gallery; the Connect-IPPSSession cmdlet name is unchanged.

Important note from Microsoft: You can’t use the Exchange Online Remote PowerShell Module to connect to Exchange Online PowerShell and Security & Compliance Center PowerShell in the same session (window). You need to use separate sessions of the Exchange Online Remote PowerShell Module.

This is what Microsoft recommends you do:

  1. Open the Exchange admin center (EAC) for your Exchange Online tenant. See Microsoft's article Exchange admin center in Exchange Online.
  2. In the EAC, go to Hybrid > Setup and click the appropriate Configure button to download the Exchange Online Remote PowerShell Module for multi-factor authentication.
  3. In the Application Install window that opens, click Install.

Windows Remote Management (WinRM) on your computer must allow basic authentication; it does by default. If basic authentication has been disabled, the connection fails with an error message. With that in place you should be able to sign in to Security & Compliance Center PowerShell using 2FA.

After you sign in, the Security & Compliance Center cmdlets will be imported into your Exchange Online Remote PowerShell Module session and tracked by a progress bar. If you don’t receive any errors, you’ve done this successfully.

If not, and you receive errors, check the following requirements:

  • You are limited to three open remote PowerShell connections; Microsoft enforces this to prevent denial-of-service (DoS) attacks. Disconnect sessions you have finished with, or stale ones will block new ones.
  • Make sure the account you connect with is enabled for remote PowerShell. For more information, see Microsoft's article Enable or disable access to Exchange Online PowerShell.
  • TCP port 80 and port 443 traffic must be open between your local computer and Office 365 (the session itself runs over HTTPS). It probably is, but check if your organization has a restrictive Internet access policy.
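Put together, the connection procedure above looks like the following PowerShell session. This is an added example, not Microsoft's documentation or code from the original article. It assumes the current ExchangeOnlineManagement module from the PowerShell Gallery is installed (Microsoft's replacement for the click-once module the article describes; the Connect-IPPSSession cmdlet kept its name), and the admin UPN is a placeholder. The WinRM check reproduces the article's prerequisite; recent versions of the module connect over REST and no longer need it, so treat that step as applying to the legacy WinRM-based path.

```powershell
# Added example (not Microsoft's documentation): connect an MFA-enabled admin to
# Security & Compliance Center PowerShell, run one read-only check, and disconnect.
# Assumption: the ExchangeOnlineManagement module is installed
# (Install-Module ExchangeOnlineManagement). The UPN is a placeholder.

$adminUpn = 'admin@contoso.onmicrosoft.com'   # placeholder, not a real account

# 1. The article's prerequisite: WinRM client basic authentication must be enabled.
#    Only the legacy WinRM-based module needs this; REST-based module versions do not.
$auth = winrm get winrm/config/client/auth
if (-not ($auth -match 'Basic\s*=\s*true')) {
    Write-Warning 'WinRM client basic auth is disabled; enable it with:'
    Write-Warning '    winrm set winrm/config/client/auth @{Basic="true"}'
}

# 2. Connect. No -Credential parameter is passed: with MFA enforced there is no
#    password-only path, and the module opens the sign-in/Authenticator prompt itself.
#    Never work around this by storing an app password in a script; that bypasses MFA.
Import-Module ExchangeOnlineManagement -ErrorAction Stop
Connect-IPPSSession -UserPrincipalName $adminUpn

try {
    # 3. A read-only sanity check that the Security & Compliance cmdlets were imported.
    $policies = @(Get-DlpCompliancePolicy)
    "Connected as $adminUpn; $($policies.Count) DLP policies visible."
}
finally {
    # 4. Always tear the session down: Microsoft caps you at three concurrent remote
    #    PowerShell sessions, and orphaned sessions count against that limit.
    Disconnect-ExchangeOnline -Confirm:$false
}
```

The try/finally matters more than it looks: if the read-only check throws (for example because the account is not enabled for remote PowerShell), the session is still closed, so a failed run does not eat one of your three connection slots.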

How to Enable 2FA in the Office 365 Admin Portal

Two-factor authentication (multi-factor authentication) can be enabled for individual users or in bulk. Before continuing, be sure to install Microsoft Authenticator on your users' mobile devices (and not an older or look-alike authenticator app that lacks push-notification support). Here's what Microsoft says to do to enable 2FA one user at a time:

  • Log in to the Office 365 admin portal using an administrator account.
  • In the menu on the left of the portal, expand Users and click Active users.
  • In the list of users, click the user for which you want to enable 2FA. Note that only licensed users can use 2FA.
  • In the user’s pane, click Manage multi-factor authentication under More settings.
  • On the multi-factor authentication screen, select the user account to enable, and then click Enable under quick steps on the right.
  • In the About enabling multi-factor auth dialog box, click enable multi-factor auth.

The MULTI-FACTOR AUTH STATUS should change to Enabled. Close the browser window and sign out of the admin portal.  

How to Enroll an Account for 2FA

Once the feature is enabled, the user must now enroll for 2FA, and sign into Office 365 with their username and password, and then click Set it up now on the sign in screen and follow Microsoft’s instructions below:

  • On the Additional security verification screen, select Mobile app
  • Select Receive notifications for verification
  • Click Set up
  • Open the Microsoft Authenticator app on your phone and tap Scan Barcode.
  • Use the camera on your phone to scan the barcode in the Configure mobile app window. You'll then need to wait a couple of seconds while the app activates the new account.
  • Click Finished in the browser window.
  • Back on the Additional security verification screen, click Contact me.

The user will receive a notification on their phone. They should open it, and they’ll be taken to the Microsoft Authenticator app.

  • Tap Verify to complete the sign-in process.
  • Tap Close in the Microsoft Authenticator app.
  • In the browser window, they must enter a phone number that can receive verification codes in case they lose access to the Microsoft Authenticator app, then click Next.

Web-based and mobile apps can use Microsoft Authenticator verifications for 2FA logins, but Office desktop apps that don't support Modern Authentication (Office 2010, and Office 2013 without the registry change) require an app password. An app password is a long, randomly generated password that bypasses 2FA for that one application, so it is a hole punched in the protection you just turned on: hand them out only where a legacy client genuinely needs one, and remove them as soon as that client is upgraded.

This final step provides the user with an app password for those apps.

  • They should copy the app password by clicking the copy icon to the right of the password and paste it somewhere safe. Click Finished.
  • They’ll be prompted to sign in again, this time by verifying the login using the Microsoft Authenticator app.
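Clicking through the admin portal one user at a time does not scale, and turning 2FA on is only half the job: a user who is "Enabled" but never completed the enrollment steps above can still sign in with a password alone until enforcement kicks in. The following PowerShell script is an added example, not code from the original article or from Microsoft. It uses the legacy MSOnline module, which is what the 2018-era portal settings on this page map to and which Microsoft has since deprecated; treat it as the scripted equivalent of the portal steps rather than current best practice. All UPNs are placeholders.

```powershell
# Added example (not from the original article): enable per-user MFA in bulk and
# audit who has actually registered a method. Uses the legacy MSOnline module
# (Install-Module MSOnline), the scripted equivalent of the portal steps above.
# Assumption: the admin running this is itself MFA-protected. UPNs are placeholders.

Import-Module MSOnline -ErrorAction Stop
Connect-MsolService            # interactive sign-in; no stored credential

function Enable-PerUserMfa {
    param([Parameter(Mandatory)][string[]]$UserPrincipalName)
    # StrongAuthenticationRequirement with State=Enabled is what the portal's
    # "Enable" quick step sets; "Enforced" would skip the user's self-enrollment grace.
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'
    $req.State = 'Enabled'
    foreach ($upn in $UserPrincipalName) {
        Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($req)
        "$upn : MFA enabled"
    }
}

function Get-MfaEnrollmentReport {
    # One row per licensed user: the MFA state the admin set, and whether the user
    # has finished the "Additional security verification" steps (MethodsRegistered > 0).
    Get-MsolUser -All | Where-Object { $_.IsLicensed } | ForEach-Object {
        $reqs = $_.StrongAuthenticationRequirements
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            MfaState          = if ($reqs.Count -gt 0) { $reqs[0].State } else { 'Disabled' }
            MethodsRegistered = $_.StrongAuthenticationMethods.Count
            DefaultMethod     = ($_.StrongAuthenticationMethods | Where-Object IsDefault).MethodType
        }
    }
}

# Placeholder accounts; in practice feed this from a CSV or a group membership.
Enable-PerUserMfa -UserPrincipalName 'alice@contoso.onmicrosoft.com', 'bob@contoso.onmicrosoft.com'

# The list to chase: enabled or enforced, but nothing registered yet.
Get-MfaEnrollmentReport |
    Where-Object { $_.MfaState -ne 'Disabled' -and $_.MethodsRegistered -eq 0 } |
    Format-Table -AutoSize
```

Run the report again a week after rollout; anyone still on the list has been dismissing the "Set it up now" prompt, and those accounts are the ones to move to Enforced (or to chase in person) first.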

Important note from Microsoft:  If you want to use only Multi-Factor Authentication for Office 365, don’t create a Multi-Factor Authentication provider in the Azure Management Portal and link it to a directory. Doing so will take you from Multi-Factor Authentication for Office 365 to the paid version of Multi-Factor Authentication.

We hope this helps. It can be complicated to implement the proper settings for two-factor authentication in Microsoft Office 365.  If you have any problems doing this, feel free to contact the Microsoft Experts at Alltek Services in Central Florida at http://www.alltekservices.com or call 863.709.0709.


Will The (Cloud) Storage Wars Draw Blood?

Modern professional relationships require digital processes, like email, collaborative software, and file sharing. The cloud has opened up incredible possibilities beyond imagination a mere decade ago, but which is the right choice?

Cloud Storage

The competition in cloud storage is seriously fierce. The Internet of Things has fueled a data addiction that traditional storage can't physically support. We love our devices. I mean, we are straight-up addicted to our smartphones, our iPads, our Kindle Fire tablets, all of them. And there's a reason we back up our smartphone content: we'd be absolutely lost if we lost it. Our contacts, our notes, our apps, our calendars, and everything we depend on day to day is on that tiny computer. Where do you back up your data? It's probably safe to assume there is a cloud location you connect to that holds your backups. It's safe to assume because, collectively, we would overwhelm traditional storage options.

Traditional storage hasn't been able to meet expectations for performance, availability, management, or cost as demand has grown. Everyone has an opinion on which cloud storage solution is their favorite, and it's usually one of the Big Three players in the cloud game: Dropbox, OneDrive, or Google Drive, in no particular order.

Technically speaking, the first cloud storage solutions launched well before today's providers. Consumers had access in the early 1980s through CompuServe, and AT&T launched a platform in the 1990s to support small business solutions. Amazon Web Services introduced S3, its cloud storage offering, in 2006, and S3 has served as the storage back end for Pinterest and many other large digital enterprises; Dropbox ran on it for years before moving most of its data to its own infrastructure. What has changed is file size and file type, but mainly adoption.

Cloud storage adoption is increasing in every professional environment, and for a distributed workforce it is the only practical solution. Managing storage resources needs to be agile, and limited solutions limit agility. The cloud is merely an accessible extension of your data storage. Review your full data storage needs, and consider the advantages the cloud offers your business and daily operations.

When reviewing your cloud storage priorities, there are many issues that deserve a deeper consideration. Here is the “Top Ten” List we suggest using as a checklist, and in no particular order:

  • Cost
    • The financial impact of cloud storage is usually the first factor any business considers, but we disagree with this position. While your bottom line is critical to your overall operational budget, there is a multitude of factors that could have a greater impact on your day-to-day needs.
    • Still, a surprising number of decision-makers are unprepared for what it actually costs to use a cloud provider once egress, per-user and storage-tier charges are added up.
  • Sync Simplicity
    • If storing or backing up your data to a cloud solution is cumbersome, the likelihood of full adoption by your staff – and your clients, if applicable – will be a struggle, and result in decreased productivity and decreased reliability. You don’t have time for that!
  • Sync Speed
    • Just as with simplicity, speed is a factor with the ability to sync data quickly. As with any downtime, no one can afford reduced productivity due to Internet connection issues, and it’s an even larger issue if it’s due to your cloud storage provider.
  • Location
    • As they say in real estate, "Location, location, location"! Anyone who thinks it doesn't matter where your data is physically stored is wrong. Wrong! There are too many reasons this matters to list them all, but here are a few:
    • Data stored in the U.S. is both protected by and subject to U.S. law, such as the Patriot Act and the Cybersecurity Information Sharing Act of 2015. Data stored in, or describing residents of, European Union nations is subject to the General Data Protection Regulation (GDPR), which the European Parliament passed in 2016 and which applies from 25 May 2018, with strict consumer data protection rules and large fines.
    • Facilities that physically house servers for cloud storage providers are just as exposed to weather and natural disasters as any other structure in that locale, and access to your data will be subject to those conditions. Ask which regions the provider replicates to.
    • Is the physical security of the location a concern under any other circumstances?
  • Reliability and Access
    • Is the vendor reliable? The key players in the cloud storage game tend to be the best for valid reasons, but appropriate considerations, in this case, would be hardware failures, power disruptions, or even vendor disputes. Crazier things have happened.
  • Storage Capacity
    • How much data do you anticipate storing in the cloud? This is like trying to choose your favorite song. The answer changes on a regular basis, and most of the time there is no one singular answer. Obviously, you’ll want to choose a provider that is capable of offering you more storage than you think you’ll ever need, but you also don’t want to pay for storage you’re not using nor will you ever. It’s a delicate balance, and many providers allow for variable usage.
  • File Sharing
    • How many times have you attached a document to an email message and tried to send it, only to get the dreaded error "File exceeds the maximum size of 25MB. Try removing an attachment and send again"? You are then faced with trying to reduce the file size (Word document into a PDF, etc.) or uploading the file to a cloud solution like Dropbox, Google Drive, or OneDrive and sharing the access URL instead. If you share a link, check who it grants access to: an "anyone with the link" share is effectively public.
  • Application Integrations
    • The number one request from anyone using cloud storage through an application is an intuitive user experience. Integration problems are among the leading reasons users abandon a cloud app, and the cost shows up as missed deadlines.
  • Support
    • If any issues arise, it’s critical that users achieve the needed help immediately from an adequately trained member of support team equipped with the right knowledge to resolve the situation.
  • Data Security
    • The cloud and data stored in cloud environments face risks, just like any other professional endeavor. No provider can guarantee against vulnerabilities, so look for the things that can be verified: encryption in transit and at rest, independent audits (SOC 2 or ISO 27001 reports), support for multi-factor authentication and admin audit logs, and clear contractual terms on breach notification. If you need the provider itself to be unable to read your files, only client-side encryption with keys you hold delivers that.

We've talked about what you need; now let's talk about who can help you. Here is a fantastic detailed resource for comparing many of the cloud vendors at once, but let's talk about the Big Three. The key players in the Cloud Storage Wars are Dropbox, Google Drive, and OneDrive, and any one of these providers would valiantly battle to the bloody end for your business! There is a reason these three are the best in the biz: they've earned their reputation with quality service, support, and every other item in the checklist.

  • Dropbox
    • Offers a free basic storage plan (2GB)
    • Paid plans and features cater to business customers
  • Google Drive
    • Offers a free basic storage plan: clarification, Google users have 15GB of free cloud storage – shared between Gmail, Google Photos, and Google Drive. If you get a ton of emails and don’t clean out your inbox often, that eats up your 15GB
    • Paid plans and features cater to business customers
  • OneDrive
    • Offers a free basic storage plan (5GB)
    • Paid plans and features cater to business customers. Here is where it truly pays to use OneDrive and be an Office 365 customer, as the 1TB paid tier is included with Office 365 subscriptions, either Personal or Home.

The ability to sync, share files and speed are all a focus of these teams, and the competition is pretty ruthless. In fact, Dropbox and Microsoft have formed a partnership to allow easier integration by making Office Online available to Dropbox users at no cost. Keep your friends close, and your enemies closer!

So, which provider is right for you? Only you can make that decision. Armed with this information and reviewing our checklist will hopefully help you make the right choice!