Crucial Steps to Take if Your Email Has Been Hacked

Many years ago Yahoo users fell victim to one of the largest data breaches in internet history.  Names, passwords and email addresses for every single customer account on the company’s servers were exposed in a cybersecurity attack.  This attack was very sophisticated – three billion users across multiple services under Yahoo’s umbrella were left vulnerable as a result of the hack.   In late 2017 the complete details surfaced after Yahoo’s parent company was made aware of the nature of the attack.

Whether you use services such as Yahoo Mail, or providers such as Microsoft, Google and Apple, you should be aware about the security of your own email address. After all, your email may be the single most important digital asset you own.  All communication is typically related to your professional networks, personal relationships, and credentials for every other digital service for which you’ve signed up.   All of this data can be used for identity theft, financial fraud, a vehicle for spam, and blackmail.  While there are safeguards you can implement to deter cyber thieves from accessing your personal account, in a severe breach these best practices may not be enough to prevent your email account from being hacked.

If you suspect that you have been targeted, quick action on your behalf is always required to prevent further damage.  If you are in the office, communicate with your IT Administrator immediately.  If you are at home either contact an IT professional, or follow these steps to try and recover your compromised email account. (Remember, in a widespread and very severe breach, these best practices may not be enough to recover your account, and there may be future damages to recover from).

Try to change your password.  You will need to verify whether your email address is still accessible. Most hackers will immediately change your password to prevent you from using your account. If you are able to secure entry before this has been done, you can reduce the threat of further attacks.

  • Make sure your new password differs completely from your last one, and don’t reference any easily guessed personal details such as your birthday or your pet’s name. Ideally, your password should be at least 10 characters long, and it should include a special character and number.
  • In addition, you should look to change your answer to any secret questions used in the account recovery process. After doing so, confirm that the alternative email addresses and phone numbers associated with your email account are not changed.
  • If you are having trouble regaining control of the account, visit your mail provider’s site for instructions on recovering your account. Apple, Google, Microsoft and Yahoo all have guides on their sites, as should other email and internet service providers.

Email everyone on your contact list including business associates, family members and friends about the breach. Next, get in touch with your email provider and report the details. Not only will this alert them to future infiltration attempts, but they may also be able to provide you with further details about the incident and where the access attempts came from.

If you feel sensitive information like bank records have been compromised, you should reach out to a credit reporting agency and have them track your personal credit activity in the months following the incident.

Your account may have been hacked through malicious software, so scan your computer for malware and viruses with a security program. You should also update your computer and devices with the latest security updates.

Recover Your Account.  If you cannot access your account using your old password, then you will need to put in some extra effort before you can recapture sole control of your email address. Start with the “forgot your password” option and check out the recovery options available. It may be as simple as sending an email to an alternative account or a text message to your mobile phone to regain control.

If these options are not available, or you do not have access to your alternative accounts, then you will need to browse through the help center for your email provider for other means of securing access. In worst-case scenarios you might be forced to contact customer service from your provider.

Check Your Email Settings to make sure nothing has been changed.  Keep an eye out for any changes made to your email settings and reset them back to your preferences. Possible issues you should be aware of include:

  • An unfamiliar forwarding address added to your email
  • A new “reply to” email address that tricks your contacts into sending their replies to a different account
  • An enabled auto-response option, used to send out spam messages to your contacts
  • Malicious links added to your email signature

 

Once you have reset any changes to your settings, look at your sent folder to see if the hacker sent out any sensitive information found in your email history.

Change Passwords for Other Accounts.  If you are using the same email and password for multiple accounts, get to work changing your login credentials for these services as soon as possible. This would be a good time to choose unique passwords for each service.  Scan your email inbox and trash folders for any password reset messages. Most hackers can identify other websites that make use of your primary email address. Once they have figured that out it is simply a matter of sending a password reset link and you suddenly have a plethora of compromised accounts on your hands. Make sure to reset login credentials for any similarly breached logins.

References:
PC Magazine
The New York Times
The Federal Trade Commission Consumer Protection Agency

Scam Alert – Beware!

The Consumer Federal Trade Commission has recently released a scam alert.

“Have you received a robocall at work, telling you that you have to take action or your Google business listing will be removed? Or maybe even marked as permanently closed? That kind of thing could be tough for a business — if the threat was real. But those calls are not legit—and not from Google.

The FTC just filed a lawsuit against Point Break Media and others, saying they made just those kinds of calls. According to the complaint, people who believed the calls and then spoke to a live telemarketer were told that they could avoid the problem by paying a fee (up to $700). When people paid this fee, the scammers then allegedly targeted them with offers for even more expensive services that would supposedly improve Google search results.  Of course, nobody making those calls is affiliated with Google. And businesses can — for free — manage their own Google business listing.

In this case, the scammers targeted music instructors, house painting companies, car dealerships, and other small businesses. They knew that appearing in online searches is crucial for those businesses, and threatening that connection with customers might make people act before stopping to think.

If you get a call like this, don’t press any buttons. Don’t call the number back, and don’t engage. That just encourages the scammers. The best thing to do? Immediately hang up the phone, and then talk about it with your colleagues or employees. Let them know that:

  • Scammers pretend to be someone you trust. They pretend to be connected with a company you know or a government agency
  • Scammers create a sense of urgency. They want you to rush and make a quick decision without considering options.
  • Scammers use intimidation and fear. It’s okay to hang up the phone and confirm what’s really going on before taking any action.

Then, sign up for the FTC’s Business Blog (FTC.gov/Subscribe), which will keep you up to date on what’s happening at the FTC, and how it affects your business. Also, check out FTC.gov/SmallBusiness. Knowing about scams that target small businesses will help you protect yours.” 1

Reference:

1 https://www.consumer.ftc.gov/blog/2018/05/google-not-calling-you

Division of Consumer and Business Education, FTC

New Malware Threat Targets Internet Routers

A new malware called VPNFilter has managed to infect over 500,000 routers around the world.

“The Federal Bureau of Investigation warned consumers to reboot their Internet routers and install new software patches, to fight a nasty new malware attack called VPNFilter that has so far infected about half a million devices in more than 50 countries, including the United States.  VPNFilter can be used to steal data, or to order routers to “self-destruct,” knocking thousands of Internet-connected devices offline.” 1

Routers are typically part of the technical devices in the home and at work, but how many of us know how to update software without the help of a technical person?  You would have to look up the brand of the router, its model and serial numbers, know the default password, log on to its internal control software and download a patch from the company’s website.  To some of us, that’s no problem, to most of us, it’s not only confusing, but anxiety provoking.

VPNFilter malware is a threat, and it can wreak havoc.  It can steal critical files from infected machines, or disable the router and knock out thousands of computers offline.  The FBI is working with researcher from Talos Intelligence Group, and they have traced the infection back to a group who appear to be linked to Russia’s military intelligence service.

The latest attack via VPNFilter is especially bad one, since it doesn’t only prevent devices from connecting to the internet, but it can be used for stealing passwords and monitoring internet activity. However, it seems that the attack has been planned for a while now, and both the UK and the US officials have been warning people that the Russian hackers might plan something like this.  The FBI used a court order to seize this Internet address and take it offline. Still, thousands of routers remain infected, including an unknown number in the United States.

So far, the only thing that the people can do to avoid becoming victims of the malware is to reset their routers. Returning them to the factory defaults and updating them is the only way to ensure that the malware is removed from the device.

“The FBI is urging Internet service providers Comcast Corp. and Verizon Communications Inc. and others to check whether their hardware is vulnerable, and work with customers on updating their routers.  Routers by Linksys, MikroTik, Netgear, and TP-Link are affected, as are big external hard drives made by a company called Qnap.  Merely rebooting the routers will wipe much of the toxic code from memory.  But a portion survives, and it will reinstall the malware when the device powers up.  The only sure cure is a software patch for each vulnerable device.” 2

“No other vendors, including Cisco, have been observed as infected by VPNFilter, but our research continues. The behavior of this malware on networking equipment is particularly concerning, as components of the VPNFilter malware allows for theft of website credentials and monitoring of Modbus SCADA protocols. Lastly, the malware has a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide.”3  Some of the products will handle the update automatically – as a consumer you need to be aware and be able to patch your router.

Don’t leave your networks open to hackers.  As we are connecting other digital devices to our home networks — audio speakers, thermostats, security systems, etc., they all need regular software updates if you want to remain safe.  Spending the time on each device and being proactive is better than having to deal with it in a crisis.

References:
1 + 2:  The Boston Globe, May 24, 2018
3:   Talos Intelligence https://blog.talosintelligence.com/2018/05/VPNFilter.html
US Department of Justice
Security Global 24

Think Before You Click – Are Short Links Safe?

Short links, or links that have been condensed so they require fewer characters, have been around for a while. For those not already familiar with them, they take a link such as this https://www.bryley.com/2018/04/05/4-options-for-discarding-old-hardware-bryley-tips/, and turn it into this http://ow.ly/SEga50h2XWW.  Typically you see them on social media platforms such as Twitter, where you have a fairly limited number of characters at your disposal, but they can be used pretty much anywhere.

While short links can certainly save space, they also present one very serious issue.  You can’t see where they are going to take you.  If you use our example above, simply by looking at the original link, which displays the full URL it is pointing to, you can determine that you are going to end up at Bryley.com.  Furthermore, you can see it will take you to a page discussing how to dispose of old hardware.

On the other hand, the short link shown above points to the same page, but it would be impossible to know that just by looking at it.  It doesn’t even given an indication of what site you are going to end up on if you click on it, never mind what page.

This poses a security risk.  If you see a short link that has been posted by someone you trust and you already have a sense of where it is going to take you then it is probably safe to click on it.  But what if you can’t verify the source a link came from, or where it is going to take you?  In that case, you should verify the destination of the link before you click on it.

Fortunately, there are several services online which will tell you exactly where a short link is going to take you if you click on it.  For instance, the website CheckShortURL.com will check any short link you happen to stumble upon.  All you have to do is copy and paste the short link into their utility (see image below).

After you click “expand” you will be presented with a page that looks like this:

 

Not only does this indicate where the short link is going to take you, but it lists several services which will check to see if any malicious content has been found at that location.

By taking this extra step, you are being proactive!  Avoiding a cybersecurity breach such as a ransomware attack will save you a lot of headaches, time and money.

Phishing Scams During Tax Season – Protect Your Personal Information

Phishing schemes, especially during tax season, have become very widespread.  A little extra caution can go a long way to avoid the threat of refund fraud or identity theft.

The Definition of Phishing. It is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.

Phishing scams are easy to accomplish and can be done from home. A typical phishing email during tax season will bear similar (or sometimes identical) IRS letterhead or logos and will instruct you to follow a link that will lead you to, you guessed it, a site that requests your personal information. Some individuals are too quick to trust a logo or letterhead and forget to check the validity of an email/site before divulging their personal information.

In recent years, thousands of people have lost millions of dollars and their personal information to tax scams and fake IRS communication. Scammers use the regular mail, telephone, fax or email to set up their victims.

Knowledge is Power! Remember that the IRS doesn’t initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. In addition, the IRS does not threaten taxpayers with lawsuits, imprisonment or other enforcement action. Recognizing these telltale signs of a phishing or tax scam could save you from becoming a victim.

Last-Minute Email Scams. The IRS, state tax agencies and the tax industry urges taxpayers to be on guard against suspicious activity, especially email scams requesting last-minute deposit changes for refunds or account updates.

Learn to recognize phishing emails, calls or texts that pose as banks, credit card companies, tax software providers or even the IRS. They generally urge you to give up sensitive data such as passwords, Social Security numbers and bank or credit card accounts. Never provide your private information!  If you receive suspicious emails forward them to phishing@irs.gov. Never open an attachment or link from an unknown or suspicious source!

IRS-Impersonation Telephone Scams. “An aggressive and sophisticated phone scam targeting taxpayers has been making the rounds throughout the country. Callers claim to be employees of the IRS, using fake names and bogus IRS identification badge numbers. They may know a lot about their targets, and they usually alter the caller ID to make it look like the IRS is calling.

Victims are told they owe money to the IRS and it must be paid promptly through a pre-loaded debit card or wire transfer. Victims may be threatened with arrest, deportation or suspension of a business or driver’s license. In many cases, the caller becomes hostile and insulting. Or, victims may be told they have a refund due to try to trick them into sharing private information. If the phone isn’t answered, the scammers often leave an “urgent” callback request.”1

The IRS will never:

  • Call to demand immediate payment using a specific payment method such as a prepaid debit card, gift card or wire transfer. Generally, the IRS will first mail you a bill if you owe any taxes.
  • Threaten to immediately bring in local police or other law-enforcement groups to have you arrested for not paying.
  • Demand that you pay taxes without giving you the opportunity to question or appeal the amount they say you owe.
  • Ask for credit or debit card numbers over the phone.
  • Remember: Scammers Change Tactics — Aggressive and threatening phone calls by criminals impersonating IRS agents remain a major threat to taxpayers, but variations of the IRS impersonation scam continue year-round and they tend to peak when scammers find prime opportunities to strike.

Surge in Email, Phishing and Malware Schemes. “When identity theft takes place over the web (email), it is called phishing. The IRS saw an approximate 400 percent surge in phishing and malware incidents in the 2016 tax season. The IRS has issued several alerts about the fraudulent use of the IRS name or logo by scammers trying to gain access to consumers’ financial information to steal their identity and assets.

Scam emails are designed to trick taxpayers into thinking these are official communications from the IRS or others in the tax industry, including tax software companies. These phishing schemes may seek information related to refunds, filing status, confirming personal information, ordering transcripts and verifying PIN information.

Variations of these scams can be seen via text messages. The IRS is aware of email phishing scams that include links to bogus web sites intended to mirror the official IRS web site. These emails contain the direction “you are to update your IRS e-file immediately.” The emails mention USA.gov and IRSgov (without a dot between “IRS” and “gov”), though not IRS.gov (with a dot). These emails are not from the IRS. The sites may ask for information used to file false tax returns or they may carry malware, which can infect computers and allow criminals to access your files or track your keystrokes to gain information.”

Unsolicited email claiming to be from the IRS, or from a related component such as EFTPS, should be reported to the IRS at phishing@irs.gov.

Tax Refund Scam Artists Posing as Taxpayer Advocacy Panel. “Some taxpayers may receive emails that appear to be from the Taxpayer Advocacy Panel (TAP) about a tax refund. These emails are a phishing scam, where unsolicited emails try to trick victims into providing personal and financial information. Do not respond or click any link. If you receive this scam, please forward it to phishing@irs.gov and note that it seems to be a scam email phishing for your information.

 TAP is a volunteer board that advises the IRS on systemic issues affecting taxpayers. It never requests, and does not have access to, any taxpayer’s personal and financial information.

How to Report Tax-Related Schemes, Scams, Identity Theft and Fraud. To report tax-related illegal activities, you should report instances of IRS-related phishing attempts and fraud to the Treasury Inspector General for Tax Administration at 800-366-4484.”3

Additional Scam-Related Information:

Security Summit – Learn more about how the IRS, representatives of the software industry, tax preparation firms, payroll and tax financial product processors and state tax administrators are working together to combat identity theft and refund fraud.

IRS Security Awareness Tax Tips

Tax Scams — How to Report Them

State ID Theft Resources – State information on what to do if you or your employees are victims of identity theft.

IRS Dirty Dozen – The annually compiled list enumerates a variety of common scams that taxpayers may encounter

 If you suspect you are a victim, contact the IRS Identity Theft Protection Specialized Unit at 800-908-4490. When reporting to the IRS, you will need to:

  • Send a copy of an IRS ID Theft Affidavit Form 14039 – download the form here: irs.gov/pub/irs-pdf/f14039.pdf.
  • Send a proof of your identity, such as a copy of your Social Security card, driver’s license or passport.

After doing that, make sure to:

  • Update your files with records of any calls you made or letters you sent to the IRS
  • Put a fraud alert on your credit reports and order copies of your credit reports to review any other possible damage
  • Create an Identity Theft Report by filing an identity theft complaint with the FTC and a police report

 

Sources and References:

1 http://www.vanderbloemengroup.com/articles/irs-impersonation-telephone-scam

2 http://www.irs.gov

3 http://www.irs.gov

http://usa.gov/business-taxes

http://www.aarp.org

https://taxadmin.org/

https://treasury.gov/tigta/

Spring Cleaning? 4 Options for Discarding Old Hardware

Whether replacing old equipment with something new or simply cleaning out the office and getting rid of some old devices, we all have the same question on our mind.  What do we do with all this old technology?

We live in a world where technology is considered obsolete after only a few years. And if you are like many people I know, you have a drawer, closet, or room full of old devices. Unless you want to make a guest appearance on “Hoarders,” it is best to discard them. But how? You can’t just bring it to a landfill. (Those toxic materials regulations will get you every time!)

Before considering what to do with the old devices, it is vital that all data is properly removed. Simply deleting them from your recycle bin won’t do the job. Even if you can’t see the files, they still exist on the hard drive. It is therefore important to have the hard drive wiped or destroyed. Here at Bryley, we perform data erasure crush the drives to ensure the data doesn’t fall into the wrong hands.

We have come up with 4 possible options when discarding old hardware:

  • Reuse/Repurpose – Since many devices use similar parts, you may consider keeping one or two spares. Accidents happen and you never want to be in a situation where you don’t have a backup device. I, personally, keep one prior phone and laptop, just in case. I would rather have it and not need it, than not have it and need it.
  • Donate – Why not help those that are less fortunate by donating a device you no longer need. There are many organizations that would love to have second-hand items. When it comes to donating mobile devices, I usually drop them off at my local police station for either Phones for Soldiers or for those in domestic violence situations. Phones for Soldiers will sell the phones to purchase phone cards so that members of our military can stay connected with their loved ones. The police will often give old phones to individuals living with domestic violence. These phones can be used to contact emergency personnel even if there is no SIM card. Here at Bryley, we take older PCs, wipe them and display them in our window with a request for $15 to be donated to the Hudson Food Pantry or the Hudson Boys and Girls Club.
  • Donating to an after-school program is another great option. Some children do not have a reliable computer at home. It can therefore be challenging for them to complete their coursework.
  • Recycle – Recycling your devices is another viable option. Here at Bryley, for a small fee, we will responsibly recycle your devices and ensure that it is properly taken care of. Most stores that sell computers, and towns that have a program for responsibly disposing of your devices, will help you recycle your devices. They follow specific EPA protocols for disposing of the toxic materials within computers, laptops, printers, and mobile phones. Most towns have set dates for these programs, so it’s best to contact your local DPW (Department of Public Works) to inquire when the drop-off program will next be available.
  • Sell – Another option when considering getting rid of old hardware is to sell it. Technology is a depreciating asset, so if someone is willing to pay you for a device that you were going to dispose of, why not do it? There are numerous outlets for selling your old devices – Craigslist, Gazzelle.com, and eBay, to name a few. You can always leverage your social network as well.

If you would like assistance in donating or recycling your older devices, call us at 844.449.8770 or email us at ITExperts@Bryley.com. We are here for you.

Bryley Basics: Password Protection

Passwords are typically stolen during what’s called a phishing attack.

Phishing emails are malicious emails sent by criminals attempting to compromise your personal information. They often appear to be legitimate, so beware!

Most phishing emails are disguised as messages from an authoritative entity asking you to visit a website and enter personal information. These websites are set up to gather personal details, which they can then use to hack into your accounts and commit fraud. Some links and attachments in these emails contain malicious software, known as malware, which will install itself on your computer. Malware then collects data such as usernames and passwords.

Another way passwords are stolen is simply due to the face that some people use weak passwords.  If it’s easy to guess your password, then you have put yourself at greater risk of suddenly becoming a victim.

So, how do you stop someone from stealing your password?

First you will need to be aware of what real websites look like so that you know what false ones look like. If you know what to look for, and are suspicious by default each time you enter your password online, it will go a long way in preventing successful phishing attempts.

Each time you get an email about resetting your password, read the email address it’s coming from to make sure the domain name is real.  It usually says “something@websitename.com.   For example, “ITsupport@YouBank.com” would indicate that you’re getting the email from YourBank.com.

However, hackers can spoof email addresses too. Therefore, when you open a link in an email, check that the web browser resolves the link properly.

If you open a link that appears as “YourBank.com” and the link changes to “SomethingOtherThanThat.com, then you need to exit the page immediately.

If you’re ever suspicious, just type the website URL directly into the navigation bar. Open your browser and type “YourBank.com” if that’s where you want to go. This way you can ensure that you are on the legitimate website, and not a fake one.

Another safeguard is to set up two-factor authentication (if the website supports it) so that each time you log in, you not only need your password but also a code. The code is often sent to the user’s phone or email, so the hacker would need not only your password, but also access to your email account or phone.

If you think someone might steal your password using the password reset trick mentioned above, either choose more complex questions or simply avoid answering them truthfully to make it nearly impossible for a hacker to guess.  Simple passwords need to be avoided, it’s that simple.  If you need help remembering your complex passwords, you can store your passwords in a free password manager.

It is always advisable to store sensitive information like your credit card or bank details, within online accounts that are hosted by companies you trust. For example, if an odd website that you’ve never purchased from before is asking for your bank details, you might think twice about it or use something secure like PayPal or a temporary or reloadable card, to fulfill the payment.

When in doubt, don’t click.  Legitimate organizations will not ask you to disclose personal data via email.

March 31st is World Backup Day – Create a Properly Planned Backup Process

With March 31st being World Backup Day, it only seems right to talk about the importance of having a well-planned backup process.  Every day we read about malicious attacks on organizations, and there is no doubt that these attacks, especially ransomware, will continue to grow drastically in 2018.

Ransomware is a form of malware based on encryption software that seeks payment (ransom) to undo the damage it causes; when infected, the malware typically encrypts all data files, rendering them useless until the ransom is paid.  Encryption software scrambles a files’ contents and creates an encryption key, essentially a code used to reverse the process.  Unless you have this key and the encryption software, the files remain unreadable.

Ransom prices will vary depending on the ransomware variant and the price or exchange rates of digital currencies. Thanks to the perceived anonymity offered by cryptocurrencies, ransomware operators commonly specify ransom payments in bitcoins.  Recent ransomware variants have also listed alternative payment options such as iTunes and Amazon gift cards.  Paying the ransom is risky, and not recommended.  It will not guarantee that users will get the decryption key or unlock tool required to regain access to the infected system, and it potentially will make you more of a target in the future.

The only way to thwart ransomware is by restoring the corrupted files through a backup that was created before the infection.

A properly planned and implemented backup process is vital since data stored on a network server represents many hours of effort over time, making it impractical and usually impossible to recreate.  A properly functioning, multi-point-in-time backup is necessary to provide restoration under these and other scenarios:

  • A server fails
  • A file is deleted
  • A template is written over
  • An application upgrade fails and must be restored
  • A document is inadvertently changed and saved by a user

A backup should be a complete, recoverable copy of not just data, but the entire server/network environment.  It should have these properties:

  • Sequenced over many days
  • Complete image
  • Offsite storage

If you’re ready to get serious about protecting your business data, select a talented company, like Bryley Systems, to help you implement a Backup/Data Recovery solution to eliminate weak links in your security chain.  Let us help you develop an organization-wide policy to help prevent data loss.  Please contact us at 978.562.6077 or Email us today.  We are here to help.

5 Reasons You Need a VPN Policy

The security of your business is heavily dependent on the ability of employees and executives alike to stay safe wherever they go. They need to make sure their online activities remain unimpeded and that public networks don’t become a data leak risk. Such a leak could damage your company’s reputation and set your business back months.

One of the main tools used to help businesses overcome these obstacles is a Virtual Private Network (VPN), which is a service that can connect a user to an offsite secure server using an encrypted connection. The encryption allows people to keep themselves safe from hackers on public networks (or any unsafe network). The server hides their IP address, allowing them to keep their activities anonymous and get access to restricted or blocked websites.

teamwork

All of these things are great, but VPNs can also cause confusion if not used uniformly or correctly. A “bring your own VPN” policy can prove disastrous for several reasons. Your business needs a standard policy, and here are the five main benefits of instating one:

You Can Better Manage the Configurations

Sometimes VPNs need to be managed to work best for the company. If you have a universal VPN policy or even a universally proscribed VPN for employees (in which case it would be recommended to provide access with company funds to facilitate control), then you can know that everyone has settings acceptable to the interests of the company by making those mandatory settings clear. No one will feel as though another has an unfair advantage as well.

You can use these to limit access to certain websites or regions, or simply help people who don’t know better maximize their speed and access. This kind of plan is absolutely essential if you plan on setting up your own VPN server at your company (although this should only really be done by large organizations), as messing around too much can make things more difficult for other users. It might be worth it to include a “tips and tricks” section next to them.

Uniform Universal Access

Any business should know what their employees are capable of not only in their skillsets but in the tools they are using. If you don’t have a general VPN for the company and everyone is just using their own, you might find that someone’s tool isn’t up to par with what the company needs. In the worst case scenario, someone might download a VPN application that is malware in disguise, not checking up on the service first. This could lead to a massive data breach in addition to dropped communications at a potentially crucial moment.

If your company decides upon a singular (and well-reviewed) VPN to work with and provides access or subscriptions to all relevant employees, then it will be easier to work with those remote and travelling employees knowing that they all are getting the same level of access. Chance and circumstance will be removed from the equation, and your IT specialists will be thanking you for months.

Exact Knowledge of Security

If you have a strong VPN policy that is regularly enforced, you can work under the assumption that all employees using a VPN will have a set level of security wherever they go. This allows you to send and receive sensitive information with much less risk, because unfortunately not all VPNs are created equal.

You don’t want some employees vulnerable to cyberattacks and cyberespionage while others are fine. They might feel emboldened in their security practices by the fact that they use a VPN. In your policies you need to reiterate that danger doesn’t go away entirely due to VPN use, and by having company-wide policies, you can focus on what dangers still prevail. A VPN policy will remind people that it’s not a panacea, but it should always be used.

Rules and Guidelines

People use VPNs for different reasons. Some of those reasons are strictly security related, and others are related to torrenting or pirating files. Most people wouldn’t think to download the latest box office hit on their VPN at the office, but such things do happen, and you need to be prepared for any situation.

If you have a VPN policy, then your company can clearly spell out what VPNs are to be used for and what is acceptable online behavior. Some of it can relate to already existing technology guidelines, but even those should be reiterated in your VPN policy (it won’t do any harm). No one will be able to say they didn’t know better, and clear action can be taken if these rules are broken.

Usage Control and Easier Management

Something you will want to take into consideration is who you allow to use a VPN. If your company is providing VPNs and has strict rules surrounding them, you should only allow employees to use them, not friends and family members. They might have good intentions but later cause a data breach or other critical issue down the line.

A policy will allow you to manage potential issues such as these with little difficulty, and having a pre-selected VPN and policies means that you or someone else can spend less time learning about different VPNs and more time focusing on a single one to optimize. You will be better able to know about potential activity and potential problems, letting human concerns take the forefront.

phoneBlue

VPN guidelines aren’t too difficult to come up with, and in the long run, they will save any business a good deal of time and resources. Implemented correctly, employees won’t have any problems adjusting to them and the company will be safe with a full array of useful information available at all times.

Do you think there are any other reasons that a company should have VPN guidelines? Do you have recommendations of your own that you would like to share with your fellow readers? Any stories regarding a “bring your own VPN” policy that didn’t work out? The sharing of information makes us all improve, so please leave a comment below and continue the conversation about this important tool.

By Cassie Phillips
SecureThoughts.com