One of the first things hackers do when they attempt to infiltrate computer systems is to try using any common or stolen passwords. And, if your employees aren’t careful to use effective passwords and change them regularly, both they and your business can be exposed to data breaches, phishing schemes and other costly cyber attacks.
Most people don’t manage their passwords effectively because of the misconception that strong passwords need to be long and difficult to remember. However, there are a few simple steps you can relay to your employees in order to ensure that passwords are both hard for hackers to figure out and easy to manage:
Build passwords around familiar phrases. Long passwords are much harder for cracking programs to guess, so a long phrase that is memorable to you is a great start. Avoid using a well-known song lyric or quote word for word, since cracking wordlists already contain those; a private variation on one works well.
Use a password management service. Many people write their passwords down on paper or in a word processor, but keeping them anywhere insecure makes it easier for hackers to access them. Instead, encourage your employees to use a reputable password management service to keep all of their login credentials safe. Contact us today for more resources that can help improve your cyber security, including our new “Employee Cyber Training – Passwords” video.
Technology can be a risk, especially when it involves your password. You hear about the hacking attempts on large corporations, but you don’t hear about the everyday person who gets targeted by a cyber attack. Simply visiting a malicious website can give an attacker access to your computer. This should push you to protect your most valuable asset, your password. Don’t give hackers an easy target; follow these simple tips to improve your password.
Improve Your Password
- Change your password every 30-45 days if your organization requires rotation, and immediately if you suspect it has been exposed. (Current NIST guidance, SP 800-63B, favors changing passwords on evidence of compromise rather than on a fixed schedule, so a forced change is no substitute for a strong, unique password.)
- Choose a password of at least 8 characters; longer is better, and a familiar phrase, as described above, makes a long one easy to remember.
- Use at least two special characters (!@#$%^&*), placed at unpredictable positions within the password rather than only at the end.
- Avoid family or pet names, dates, or common phrases within your password.
- Never reuse or repeat a password across accounts; one breached site then exposes only that account.
Stay Away from COMMON Passwords
Protect yourself (and your company) by making sure you’re not using any of the 25 most commonly stolen passwords of 2017, as compiled from leaked password data by IT security firm SplashData.
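A small checker that applies the rules above, added here as an example and not code from the original page. It assumes a constructed sample list of common passwords (a real check would load a full breached-password list), takes an optional list of personal terms such as family or pet names that should not appear in a password, and also reports a password reused across the accounts in a simple {account: password} map.

```python
"""Password hygiene checks for the tips above (added example)."""
import re

SPECIALS = set("!@#$%^&*")

# Constructed sample of the kind of entries found on "worst passwords" lists;
# a real check loads a full breached-password corpus instead.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "123456789", "letmein",
    "football", "iloveyou", "admin", "welcome", "monkey", "abc123",
    "starwars", "dragon", "passw0rd", "master", "hello", "trustno1",
}

# Letter-for-digit/symbol swaps that attackers' wordlists already cover.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "@": "a", "$": "s", "!": "i"})

# Four-digit years and day/month style fragments (e.g. 2015, 12/25).
DATE_RE = re.compile(r"(19|20)\d{2}|\d{1,2}[/.-]\d{1,2}")


def _variants(pw):
    """Forms under which a password is looked up in the common list."""
    low = pw.lower()
    stripped = re.sub(r"[\d\W_]+$", "", low)      # "password123!" -> "password"
    return {low, stripped, stripped.translate(LEET), low.translate(LEET)}


def is_common(pw):
    """True if the password, or an obvious variant of it, is on the common list."""
    return any(v in COMMON_PASSWORDS for v in _variants(pw))


def check_password(pw, personal_terms=()):
    """Return a code for each rule the password fails; [] means it passed."""
    problems = []
    if len(pw) < 8:
        problems.append("too_short")
    if sum(c in SPECIALS for c in pw) < 2:
        problems.append("few_specials")
    if is_common(pw):
        problems.append("common")
    if any(t and t.lower() in pw.lower() for t in personal_terms):
        problems.append("personal")
    if DATE_RE.search(pw):
        problems.append("date")
    return problems


def reused_passwords(vault):
    """Groups of accounts, from an {account: password} map, that share a password."""
    by_pw = {}
    for account, pw in vault.items():
        by_pw.setdefault(pw, []).append(account)
    return sorted(sorted(accts) for accts in by_pw.values() if len(accts) > 1)


if __name__ == "__main__":
    for candidate in ["P@ssw0rd!", "Fluffy2015!", "Correct!Horse#Battery"]:
        print(candidate, check_password(candidate, personal_terms=["Fluffy"]) or "ok")
    # Constructed vault: two accounts share one password.
    print(reused_passwords({"mail": "Summer#Rain!2", "bank": "Summer#Rain!2",
                            "shop": "Other@Pass$"}))
```

The leet and trailing-digit normalization matters because "P@ssw0rd!" satisfies the two-special-character rule yet is simply "password" in a costume that every cracking wordlist already knows.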
DHS Warns of Utilities Malware
Two cyber security firms, ESET, a Slovakian anti-virus software maker, and Dragos Inc., a U.S. critical-infrastructure security firm, have uncovered malicious software that they believe caused a power outage in Ukraine last December.
The two firms released details of the malware, which goes by two different names, Industroyer and Crash Override. They also issued alerts to governments and infrastructure operators to help them defend against the malware, warning that it could be easily modified to harm critical infrastructure operations around the globe.
The U.S. Department of Homeland Security (DHS) hasn’t seen any evidence to suggest that its critical infrastructure has been affected, but it will continue to investigate, as there is the possibility of more attacks using the same approach. In an alert posted on its website, the agency stated that “the tactics, techniques and procedures described as part of the Crash Override malware could be modified to target U.S. critical information networks and systems.”
In the same alert, the DHS posted a list of technical indicators that a system had been compromised by Crash Override and asked firms to contact the agency if malware was suspected.
Power firms are concerned that there could be more attacks, especially considering the malware could attack other types of infrastructure, such as transportation, water and gas providers.
The two companies do not yet know who masterminded the attack, although Ukraine blames Russia. Officials in Moscow have denied the claims.
Microsoft Warns of Cyber Attacks
Citing an elevated risk of cyber attacks, Microsoft has released several security updates during its June “Patch Tuesday” in an effort to protect against widespread hacking. A recent blog post by Adrienne Hall, General Manager of Microsoft’s Cyber Defense Operations Center, stated, “In reviewing the updates for this month, some vulnerabilities were identified that pose elevated risk of cyber attacks by government organizations, sometimes referred to as nation-state actors or other copycat organizations.”
In May 2017, after the WannaCry ransomware locked hundreds of thousands of machines around the world and demanded that victims pay a ransom in bitcoin, Microsoft took the unusual step of releasing updates for software it no longer supports. June’s release continues that approach for old, out-of-support systems.
Microsoft has not said exactly what prompted June’s updates, and it is unclear whether the company has been warned of another attack using exploits similar to WannaCry’s. A Microsoft spokesperson described the decision to release the updates as “an exception based on the current threat landscape and the potential impact to customers and their businesses.”
WannaCry Came from North Korea
According to British security officials, the May 2017 global ransomware attack that affected over 200,000 computer systems came from North Korea. The hackers are believed to be a hacking group known as Lazarus—the same group that targeted Sony Pictures in 2014.
In the wake of increasing tensions resulting from North Korea’s missile tests, the DHS and the FBI have issued an alert to businesses about another possible cyber attack led by North Korea, warning people to update old software.
British security officials have linked the North Korean government to the creation of WannaCry based on its tactics, techniques and targets. The ransomware was built around a leaked exploit attributed to the National Security Agency and spread from machine to machine through a flaw in Windows file sharing (SMB) that Microsoft had already patched in March 2017.
The Importance of Performing Updates
WannaCry is believed to be a flawed attempt to raise revenue for the North Korean regime: the attackers have not yet cashed out the roughly $140,000 in bitcoin paid in ransoms, likely because the transactions are easy to track on the public blockchain. Despite the failed payday, WannaCry spread as widely as it did because many of the organizations hit had not applied the Windows update that patched the flaw it exploited.
Microsoft’s most recent security update includes patches for Windows XP, Windows Vista and Windows Server 2003, which are all out of support but still widely used. Microsoft recommends that customers enable Windows Update if they haven’t already.
Target to Pay Settlement from 2013 Data Breach
Target has agreed to pay $18.5 million to settle claims made by 47 states and the District of Columbia as well as to resolve an investigation into the retailer’s massive data breach in 2013.
The investigation found that attackers reached Target’s gateway server using credentials stolen from a third-party vendor. From there, data for up to 40 million credit and debit cards was stolen during the 2013 holiday season.
The total cost of the data breach was $202 million, according to Target. The state receiving the largest share of the settlement is California, which will receive more than $1.4 million.
Michigan Utility Company Loses Employees After Cyber Attack
A Lansing utility company is still recovering from a 2016 cyber attack that temporarily disabled its internal network and demanded a $25,000 ransom. According to officials, an employee unsuspectingly opened an infected email attachment, which shut down the company’s accounting and email systems.
Since the attack, 14 employees have voluntarily left the company, 13 of them from IT. The company is devoting its resources to reducing the odds of another attack and to recovering quickly in the event it is hit again.
In today’s high-tech world, individuals can carry thousands of client files on flash drives in their pockets or purses. People are conducting business on the go and sensitive information is accessible at the click of a button. Managers are using their laptops or tablets through “hot spots” at local coffee shops to access customer databases. Healthcare professionals shopping at supermarkets can get patient files on their smartphones.
If you think of information security breaches primarily in terms of malicious hackers cracking the networks of big corporations from thousands of miles away, think again.
The hacking of corporate giants such as Global Payments, Epsilon and Sony proves that size and sophistication can’t stop data thieves. Any company that stores customer information in electronic form is exposed to cyber privacy liabilities that can cost megabucks, or even put a firm out of business, which is why such companies need insurance against these risks.
Cyber Liability coverage can protect your business against breaches of privacy from unauthorized access, physical taking, or the mysterious disappearance of confidential information that leads to third-party losses resulting from identity theft.
Depending on your needs, the policy can also provide a variety of coverages, such as:
- Business Interruption
- Cyber Extortion
- Systems and Data Recovery
Other options can cover the cost of contacting those affected by the data breach, computer forensics to analyze the breach, fines and penalties, potential HIPAA (client medical records) exposures, and online activities on your company site.
The development and expansion of Cyber Liability coverage during the past two decades has paralleled the explosive growth of computer technology: Today’s policies are increasingly comprehensive – and inexpensive. Contact us today to discuss your Cyber Liability Insurance needs.
Going online has become part of everyday life, whether for shopping, sending email, paying bills or managing accounts. But data breaches, in all their forms, can expose the personal information we share online, putting consumers at risk of identity theft.
According to the 2015 Travelers Consumer Risk Index, 59% of Americans worry about online identity theft. Fortunately, there are steps that consumers can take, including not opening unsolicited emails and avoiding unsecure websites, to protect their personal information while online.
The following tips can help you learn how to help stay safe online:
- Research potential retailers to make sure they are reputable. Buy only from sites served over HTTPS: look for https:// (rather than http://) at the start of the address and the padlock indicator in your browser, which means the connection is encrypted with TLS (the successor to the older Secure Sockets Layer, SSL). Bear in mind that HTTPS only protects data in transit; a fraudulent site can use it too, so it is evidence that the connection is private, not that the retailer is trustworthy.
- Use a single credit card (rather than a debit card, which draws directly on your bank account) for online purchases, and read each statement when it arrives to check for fraudulent or unknown charges.
- If you receive an email about sales or discounts from a particular retailer, go directly to the official website by typing its address or using a bookmark. Avoid following the link in an unsolicited email.
Emails and Attachments
- Do not send personal information by email or instant message. Once sent, a message is out of your control: it may be stored, forwarded or read on systems you do not manage.
- Do not click on links you receive by email or encounter online that are suspicious or from unknown sources. Before clicking, check that the message:
  - Comes from someone you know.
  - Comes from someone you have received mail from before.
  - Is something you were expecting.
  - Does not look odd, with unusual spellings or characters in the sender’s address or in the link itself.
  - Passes your anti-virus program’s scan.
  - Even when all of the above hold, remember that a sender address can be forged and a known contact’s account can be compromised; if in doubt, confirm through a separate channel (a phone call or a fresh message) before opening anything.
- Be cautious of emails you receive regarding your financial accounts. If you are not sure of the email’s validity, contact your financial institution directly.
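The habits above, checking that a shop’s address starts with https:// and being wary of links with odd spellings or characters, can be made mechanical. The following Python is an added example, not code from the original page: given a link and the retailer domain you expect, it reports why the link should not be trusted, and it scans a constructed sample email for such links. The domain names and email text are made up, the 203.0.113.7 address is from a documentation range, and the shortcut of treating the last two labels as the registered domain is an assumption (production code would consult the Public Suffix List).

```python
"""Flag links that do not lead where they appear to (added example)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Characters and digraphs attackers swap into look-alike domains; the
# Cyrillic entries (written as escapes) are homographs of Latin letters.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                             "\u0430": "a", "\u0435": "e", "\u043e": "o",
                             "\u0440": "p", "\u0441": "c"})
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def skeleton(name):
    """Reduce a host name to the Latin letters it is designed to resemble."""
    return name.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def registrable_domain(host):
    # Assumption for this example: the last two labels are the registered
    # domain. Real code uses the Public Suffix List (think amazon.co.uk).
    return ".".join(host.split(".")[-2:])


def link_warnings(url, expected_domain):
    """Reason codes why url should not be trusted as expected_domain; [] = fine."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()     # .hostname drops userinfo and port
    warnings = []
    if parts.scheme.lower() != "https":
        warnings.append("not_https")
    if "@" in parts.netloc:                   # https://amazon.com@evil.example/ trick
        warnings.append("userinfo_in_url")
    try:
        ipaddress.ip_address(host)
        warnings.append("ip_literal_host")    # a brand never sends you to a bare IP
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        warnings.append("non_ascii_or_punycode_host")
    reg = registrable_domain(host)
    if reg != expected_domain:
        brand = expected_domain.split(".")[0]
        if skeleton(reg) == skeleton(expected_domain) or brand in host:
            warnings.append("lookalike")      # brand name present, but not its domain
        else:
            warnings.append("host_mismatch")
    return warnings


def scan_text(text, expected_domain):
    """Map every http(s) URL found in a message body to its warning codes."""
    return {u: link_warnings(u, expected_domain) for u in URL_RE.findall(text)}


# Constructed sample phishing email (made-up domains, no real sender).
SAMPLE_EMAIL = """Your order is on hold. Confirm your payment method here:
http://amazon.com.secure-login.example/verify
Or visit https://www.amazon.com/orders to see your orders."""

if __name__ == "__main__":
    for url, codes in scan_text(SAMPLE_EMAIL, "amazon.com").items():
        print(url, codes or "ok")
```

The first link in the sample is the classic trick: the real brand appears as a leading label, but the browser will connect to secure-login.example, which is why the check compares the registered domain rather than looking for the brand anywhere in the address.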
General Online Safety
- Try to limit the personal information you put on the Internet. Social media sites can be good for networking, but identity thieves can use the information you share.
- Remember to keep your Web browser up to date. This can help ensure the latest security features are installed.
- Avoid storing personal information, account numbers and personal identification numbers on your computer.
- Install firewall and anti-virus software. This can help protect you from exposure to malicious cyber attacks.
- Choose strong passwords and keep them private.
How can you oversee your employees’ use of company e-mails without violating their privacy?
According to a recent nationwide survey, more than 40% of businesses monitor their workers’ e-mails. If you’re one of these companies, a disgruntled employee might well sue you for invasion of privacy (the number of privacy lawsuits has skyrocketed by 3,000% during the past decade).
The best way to protect yourself against this risk is to create a written policy warning employees that you might be monitoring their use of e-mail. Bear in mind that because your business owns the e-mail system – software, network access, and computers – you have the legal right to oversee workers for misusing it to violate company policy or break the law.
The first step in implementing this policy is to have all employees sign a disclaimer that acknowledges the company’s right to monitor their e-mail. You can do this when an employee is hired, at contract renewal, or at a company meeting – and don’t forget to circulate any updates to the policy throughout the company. Apply e-mail monitoring as uniformly as possible, because singling out an individual without a clear reason to do so could leave you vulnerable to a discrimination lawsuit. Finally, be sure to have your attorney review the policy.
A comprehensive e-mail policy can:
1) provide an effective defense against invasion of privacy litigation
2) educate your employees on the proper use of e-mail – which should go far to reduce potential problems from misusing the system.
If you’d like to learn more about how to balance protecting the integrity of your company’s e-mail system with your employees’ right to privacy, please get in touch with us. As always, we’re here to help.