10 Jul

Here are some things to ponder

Every day I read news stories about the exploits of cyber criminals and how they broke this or that.  Every day I shake my head at how apparently easy it was for the criminals to get into x, y or z system.  This week, a story came back on my radar: the CIA lost many of their own cyber hacking tools.  This was a clear case of an insider attack.  An unhappy, and obviously not loyal, employee stole the information and gave it to WikiLeaks.

Now, aside from the opinions each of us holds on WikiLeaks and what you think about the CIA’s cyber hacking tools being out there in the wild, theft is a crime and the thief is being tried for it.  Any attack on private information is a crime and, regardless of the reasoning, it’s punishable.  The problem is that most cybercrime is not reported and therefore no one is punished for committing it.

This is mostly true for the small and medium business.  Large corporations and governments usually have someone that will leak the information to the public and that’s how we become aware of the issue.  A small to medium business can keep the information under their hat.  It’s embarrassing to admit that they didn’t have all the measures in place, the training, or the wherewithal to stop the attack.  Admitting to being victimized has negative connotations in the marketplace and can seriously affect business.

In the world of the home user and the small to medium business, a good cyber-protection plan will help prevent a loss of trade, a loss of customer loyalty and, in the end, a loss of the business.  Three examples that are currently in the news serve as good discussion points. (None of the business names will be used and any person’s name is fictitious – for obvious reasons.)

A real estate lawyer, working from his home, has a great website, a list of clients, great relationships with realtors and other professionals.  His business is doing well.  He’s handing out business cards everywhere and it looks like all is good.  Unfortunately, in the confusion of all the e-mails he receives daily, he absentmindedly clicked on a link sent from his bank.  Oddly, the link led nowhere but, he figured, it was due to a mistake at the bank.  The email is called a phishing attack and when he clicked on the link, it downloaded a virus that scanned his hard drive, mapped his keyboard and sent all the information to a server somewhere else.

All his customer information, billing, invoices, and privileged communications were stolen right out from under his nose.  The virus scanner that was installed on his computer had not been updated for several months and didn’t catch this version of the bug.  When things started to go wrong for him, he still didn’t realize what had happened.  His bank account, his accounts at the title company, all of that was now in the hands of someone he didn’t know.

You know the rest of the story; you’ve read about cases like this one many times.  Sadly, he had to close his practice and, with help from his bank and a cyber forensic investigator, was able to track down the problem, but too late.  His reputation was in tatters and he had to start again, from scratch.  In an interview, he admitted that he knew nothing about phishing and had relied on his domain host to protect him.  He’s since educated himself and hired a small business cyber security consultant to help him stay safe and secure.

As small businesses rely more and more heavily on Social Media to get their message out, we must remember that business and pleasure have to stay completely separate.  Case in point, a bakery in my hometown created a fantastic page to advertise their product and their affiliation with local farmers markets.  Great idea!  It brought them a lot of great publicity and an increase in their sales.  Great result!

Unfortunately, their business page was tied to the owner’s personal page.  A cruel trick the platform plays on people who don’t have the finances to build marketing pages.  The owner is a fan of the shared games on the platform and plays regularly.  What he doesn’t know is that his permissions have changed since he connected to the games.  This came as an update of the app on his phone.  Surprise!

Suddenly, not only are his personal contacts shared with the game vendor but so are his business contacts.  His business page is now open to the spam the games generate and is also open to having all their “friends” information sold/traded/shared by the application developer.

How did this happen?  Well, two things conspired against him.  The social media platform, in its terms of use, absolves itself from any responsibility when an update changes permissions or settings.  They rely on users keeping an eye on what they share.  When our baker created his business page, he didn’t necessarily look at the privacy settings for his personal account.

My baker friend has since had to apologize to two of his suppliers, a couple of dozen customers and even a member of his family because they are now being spammed by “friends” on the social media platform.  The unexpected consequences of trying to bring in more business through being more social.

When was the last time you changed your password?  I know that a lot of systems administrators, in the past, would set their passwords to never expire.  Why?  For the same reason you don’t change your bank or webmail password.  It’s a pain!  At one time or another I had to change 11 passwords every 90 days just to do my job and none of them followed the same pattern so I could not get away with one password for all (a very bad idea!)

I have noticed that there are more and more options for password “storage” applications.  I will admit, it took a long time for me to support their use.  I was always afraid that the developer had built a backdoor into the program so they could steal and sell your passwords.  I guess, in a way, I am a bit paranoid.

One such option has me very excited.  A password manager that does not manage passwords.  It, instead, relies on two- or three-factor authentication.  Now, before you roll your eyes and wander off this page, hear me out.  What tool do you use every day without giving it any thought?

Your phone.  You log into your phone with either a number code, facial recognition or a fingerprint.  You feel secure with that so, why not use that as the tool to let you into your computer and applications?  You put your phone close to the computer, and, with an encrypted Bluetooth or NFC channel, the computer requests an authorization from the phone.  You log into your phone and presto, you now have access to your computer and its applications.

Isn’t that easy?  No more memorising, using the same password for everything, writing passwords down on scraps of paper.  A simple, effective way of protecting your equipment and data.  At Echo Cloud Solutions, we do our research.  We look at, talk to and test the products of dozens of companies and we are confident that we can offer you, the home user or business, a custom suite of applications to ensure your cyber security is handled and that your data is protected.  Call us, we are here to help.