Why small businesses struggle with cyber security

In part two of the interview with The Cleaning Crew, Bryley Systems President, Gavin Livingstone, explains why cyber security is sometimes overlooked within small businesses.

Password manager

The days of widespread, biometric-based security (voice recognition, fingerprint reading, eye scanning, etc.) are coming, but passwords are still required in many organizations and at most websites.  The problem:  How do I manage (let alone remember) all of the different usernames and passwords I have out there?

Personally, I use Tasks within Microsoft Outlook, which is secured by my network login:  Within a folder I titled “Usernames”, I create a task for each application and website and then copy-in the date and user information.  This limits my “need to remember” to only one complex password (my network login).  However, I must have access to my Outlook account to retrieve all other user information.

There are better tools called password managers.  These are software applications that “help a user organize passwords and PIN codes”[1], which are held in a secure, encrypted file or database.  Many include the ability to automatically fill in a form-based webpage with the username, password, and any other login credentials.

Most password managers can be categorized thus:

  • PC-based – Application running on your PC
  • Mobile-based – Application running on your tablet or smartphone
  • Token-based – Requires a separate smartcard, memory stick, or similar device to authenticate
  • Web-based – Credentials are located at a website and must be viewed and/or copied from this site
  • Cloud-based – Credentials are web-based, but are securely transferred for processing to an application running on your PC or mobile device

Most password managers are hybrids and many fit into two or more categories, but all share one trait:  You still need a master password to access your information (although some offer two-factor authentication).

Important characteristics include:

  • Access – Accessible from all devices and browsers
  • Detect – Automatically detect and save from any account
  • Secure – Advanced encryption, two-factor authentication, etc.

Pricing varies from free (for the slimmed-down, single-device versions) to annual subscriptions that range from $9.95 to $49.99 per year.

Several publications[2] have reviewed password managers; the top performers:

  • LastPass 3.0 – Cloud-based and powerful yet flexible; free version available, but upgrade (at $12/year) to LastPass Premium for mobile-device support
  • DashLane 2.0 – Feature laden with an easy-to-use interface; free version, but $29.95/year to synchronize all devices and get priority support
  • RoboForm Everywhere 7.0 – Cloud-based at $9.95 for first year

Other password managers (in alphabetical order):

  • 1Password for Windows – $49.99 per user
  • F-secure Key – $15.95
  • Handy Password – Starts at $29.92
  • KeePass – Free
  • Keeper – Subscription at $9.99/year
  • My1login – Free for 1 to 3 users; $22 for 4 to 10 users
  • Password Box – Free version with subscription at $12.00/year
  • Password Genie 4.0 – Subscription at $15.00/year
  • PassPack – Free version with subscription at $12.00/year
  • PasswordWallet – $20.00

I like LastPass; the free version is easy to use and my login data is available from anywhere (with Internet access).  Plus, I like having the application locally on my PC (even though my data is stored at LastPass in encrypted format).

1. Taken from Wikipedia at http://en.wikipedia.org/wiki/Password_manager.

2. Recent password manager reviews:

They’re back: Telephone scammers

Yes, they have returned:  The IRS and National Grid are both warning of telephone scammers that call and demand fictional, past-due payment.

The IRS scammers[1] are very specific; they call and threaten immediate arrest, loss of driver’s license, and seizure of assets.  They may leave a message requesting a callback; follow-up callers may pretend to be from the local police or the DMV.

Characteristics of these scams can include[2]:

  • Scammers use fake names and IRS badge numbers. They generally use common names and surnames to identify themselves.
  • Scammers may be able to recite the last four digits of a victim’s Social Security Number.
  • Scammers “spoof” or imitate the IRS toll-free number on caller ID to make it appear that it’s the IRS calling.
  • Scammers sometimes send bogus IRS emails to some victims to support their bogus calls.  (Note:  The IRS does not use email to contact taxpayers.)
  • Victims hear background noise of other calls being conducted to mimic a call site.

Best advice:

  • Do not engage the caller in a conversation
  • Do not provide personal information
  • Hang up the phone immediately
  • Call the IRS at 800-829-1040

National Grid[3] will call and request payment and will notify you of the potential for service interruption due to non-payment, which makes it tougher to separate a legitimate call from a scammer.  If in doubt:

  • Ask the caller to provide the last five digits of your National Grid account
  • Do not provide your account number or any other personal information
  • Contact National Grid at 800-322-3223

1. Thank you to Nancy Goedecke, EA, of Taxes and Money Management who provided the notice on the IRS scammers.

2. Taken from http://www.irs.gov/uac/Newsroom/IRS-Releases-the-“Dirty-Dozen”-Tax-Scams-for-2014;-Identity-Theft,-Phone-Scams-Lead-List.

3. Taken from National Grid’s July/August 2014 issue of WeConnect.

Maintaining your dynamic website

Guest writers: Al Morel, Carlos Ramos, and Dan Rouse of www.CommAreUs.com

Your car, house, and most things in life, take some amount of maintenance. Add to that list your website. A website can be comprised of thousands of files working with all kinds of tools and underlying code.

The days of ‘static’ websites, i.e. those built with just HTML, are essentially over for most organizations. This article will speak to the steps to take when using a Content Management System (CMS), such as WordPress.

Your essential strategy is: Backup and Update.

Backup

This is your ‘get out of jail free’ option. Even if your website gets totally hacked, you forget to pay your hosting bill, or the data center in Utah gets hit by a meteor, you should still be able to roll back and get your website back up.

With a dynamic site, it’s a little trickier because you have the site files, such as the HTML, images, graphics, etc., and then there are the database files, which in the WordPress scenario start at several thousand files.

The traditional method of backing up a site involves the lengthy process of manually backing up all your site’s files, exporting your database, and finally moving everything somewhere safe. There are software additions (called ‘plugins’ in the WordPress world) that will simplify this process and even automate it for you.

We add a plugin with all of our builds that lets you quickly back up, restore, and migrate a site – oftentimes with only a single click. Most backup plugins will offer two different types of backups: full and database. Full covers all site files and the database; the database option only includes the database. The full backup is the safest bet and is generally the recommended option; however, a database-only backup might be more appropriate if you’re simply experimenting with settings on a plugin, or some other activity that only involves the database.

One key feature and advantage over manual backups is that using a backup plugin allows you to set up an automatic backup schedule. For example, we recommend our clients schedule a weekly backup of the database and a monthly full backup. Manual backups can also be performed whenever needed.

In addition, most plugins have the capability to back up the site to your hosting server and to another source as well, so you can have redundant backups at a third-party service such as Amazon S3.

Update

It is critical to schedule regular updates of your website as well. In WordPress, there are regular updates to the core code and also plugins. Your administrative interface or ‘dashboard’ will tell you when to update.

It goes without saying that no update (WordPress or plugin) should be done before a full backup has been made.  Your dashboard will go to great lengths to tell you to back up first, so don’t ignore those warnings! Although we haven’t seen many updates go wrong, it can happen.

Generally, we recommend to our clients that updates be applied as soon as they are available, for security and stability reasons.

Once you have your backup completed, proceed to the Updates screen in the WordPress Dashboard. From here you can update WordPress, plugins, and your themes. If you have updates to WordPress and plugins waiting, perform the WordPress update first, then proceed to update your plugins.

It’s worth noting that, in recent versions of WordPress, security and maintenance releases are installed automatically to promote better security.
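The Backup and Update steps above, as an added example that is not the article’s or CommAreUs’s own code: a POSIX shell script that does the traditional backup by hand (archive the site files, export the database, verify the archive, copy both to a second location) and then applies updates in the order the article gives. It assumes a standard wp-config.php, mysqldump on the host, and WP-CLI (the wp command) for the update step; the dashboard route works the same way.

```shell
# Added example (not the article's or CommAreUs's code): the "traditional" WordPress
# backup the article describes, followed by updates in the article's order.
# Assumptions: wp-config.php holds the DB settings; mysqldump and WP-CLI are installed.
set -eu

# Pull a value out of a define( 'KEY', 'value' ); line in wp-config.php
wp_config_value() {  # $1 = path to wp-config.php, $2 = constant name
    sed -n "s/^[[:space:]]*define([[:space:]]*'$2'[[:space:]]*,[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# Database-only backup: a gzipped mysqldump
backup_database() {  # $1 = site dir, $2 = backup dir (outside the site), $3 = timestamp
    cfg="$1/wp-config.php"; host=$(wp_config_value "$cfg" DB_HOST)
    # MYSQL_PWD keeps the password off the command line and out of ps output
    MYSQL_PWD="$(wp_config_value "$cfg" DB_PASSWORD)" mysqldump --single-transaction \
        -h "${host:-localhost}" -u "$(wp_config_value "$cfg" DB_USER)" \
        "$(wp_config_value "$cfg" DB_NAME)" > "$2/db-$3.sql"
    gzip -f "$2/db-$3.sql"   # set -e stops here if the dump failed
    echo "$2/db-$3.sql.gz"
}

# Site files (wp-config.php, themes, plugins, uploads) as a tarball
backup_files() {  # $1 = site dir, $2 = backup dir (outside the site), $3 = timestamp
    tar -czf "$2/files-$3.tar.gz" -C "$(dirname "$1")" "$(basename "$1")"
    echo "$2/files-$3.tar.gz"
}

# Confirm an archive really contains a path before trusting it
archive_has() {  # $1 = tarball, $2 = path fragment
    tar -tzf "$1" | grep -q -- "$2"
}

# Full backup = files + database, verified, then a second copy elsewhere
# (swap cp for e.g. "aws s3 cp" to push the copy to S3)
full_backup() {  # $1 = site dir, $2 = backup dir, $3 = second-copy dir
    stamp=$(date +%Y%m%d-%H%M%S)
    files=$(backup_files "$1" "$2" "$stamp")
    archive_has "$files" "wp-config.php" || { echo "file backup incomplete" >&2; return 1; }
    dump=$(backup_database "$1" "$2" "$stamp")
    cp "$files" "$dump" "$3/"
}

# Never update without a full backup; then core first, plugins, themes (WP-CLI)
safe_update() {  # $1 = site dir, $2 = backup dir, $3 = second-copy dir
    full_backup "$1" "$2" "$3"
    wp --path="$1" core update
    wp --path="$1" plugin update --all
    wp --path="$1" theme update --all
}
```

Run safe_update from cron for the weekly/monthly schedule the article recommends, keeping the backup directory outside the web root so the archives are never served to visitors.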