Monthly Archives: March 2017

Cybersecurity: A Small Business Guide

Online threats are on everyone’s minds after this week’s breach at OneLogin. The identity and access management company with over 2,000 enterprise clients was hacked, and the fallout isn’t over. During the security breach, private information about users, apps, and various keys may have been obtained by the still unknown hackers. All we currently know is what OneLogin has announced on their company blog: data may have been collected and the hacker or hackers may have figured out a way to decrypt data.

If you’re not sure what all this means you’re not alone, many entrepreneurs don’t realize that small businesses are just as at risk for cyberattacks as larger companies, but they are. According to a report by Keeper Security and the Ponemon Institute, 50 percent of small businesses have been breached in the past 12 months.

Here’s an overview of everything you need to know to protect your business.

While breaches at big corporations such as Target and Home Depot make the headlines, small business are still very much targets for hackers. Stephen Cobb, a senior security researcher at antivirus software company ESET, said that small businesses fall into hackers’ cybersecurity “sweet spot:” They have more digital assets to target than an individual consumer has, but less security than a larger enterprise.

The other reason small businesses make such appealing targets is because hackers know these companies are less careful about security. An infographic by Towergate Insurance showed that small businesses often underestimate their risk level, with 82 percent of small business owners saying they’re not targets for attacks, because they don’t have anything worth stealing. [See Related Story: Cyberattack Risks Remain a Threat to Businesses Despite Insurance]

In almost every case, the end goal of a cyberattack is to steal and exploit sensitive data, whether it’s customer credit-card information or a person’s credentials, which would be used to misuse the individual’s identity online.

This is by no means an exhaustive list of potential cyberthreats, especially as hackers’ techniques continue to evolve, but businesses should at least be aware of the most frequently used attacks.

APT: Advanced persistent threats, or APTs, are long-term targeted attacks that break into a network in multiple phases to avoid detection. This Symantec infographic outlined the five stages of an APT.

DDoS: An acronym for distributed denial of service, DDoS attacks occur when a server is intentionally overloaded with requests, with the goal of shutting down the target’s website or network system.

Inside attack: This is when someone with administrative privileges, usually from within the organization, purposely misuses his or her credentials to gain access to confidential company information. Former employees, in particular, present a threat if they left the company on bad terms, so your business should have a protocol in place to revoke all access to company data immediately upon an employee’s termination.

Malware: This umbrella term is short for “malicious software,” and covers any program introduced into the target’s computer with the intent to cause damage or gain unauthorized access. More about the different varieties of malware can be found on How to Geek. Business News Daily’s sister site Tom’s Guide also breaks down the myths and facts of malware.

Password attacks: There are three main types of password attacks: a brute-force attack, which involves guessing at passwords until the hacker gets in; a dictionary attack, which uses a program to try different combinations of dictionary words; and keylogging, which tracks all of a user’s keystrokes, including login IDs and passwords. More about each type of attack (and how to avoid them) can be found in this Scorpion Software blog post.

Phishing: Perhaps the most commonly deployed form of cybertheft, phishing involves collecting sensitive information like login credentials and credit-card information through a legitimate-looking (but ultimately fraudulent) website, often sent to unsuspecting individuals in an email. Keeper Security and the Ponemon Institute reported that the most prevalent attacks against SMBs are web-based and phishing/social engineering. TechRepublic shared 10 signs to help you spot a phishing email.

Ransomware: Ransomware is a type of malware that infects your machine and, as the name suggests, demands a ransome. Typically ransomware will either lock you out of your computer and demand money in return for access or threaten to publish private information if you don’t pay a specified amount. Ransomware is one of the fastest growing types of security breaches.

Free Encryption Services to Secure Your Business Communications

Keeping up with cybersecurity is an essential best practice to ensure your business’s viability. While modern operating systems generally come with their own hard-drive encryption technology built in, encrypting the data you transmit online can be a bit more difficult. Many entrepreneurs find themselves lacking the technical knowledge, time or money to implement truly effective solutions.

Luckily, there are a number of powerful encryption services available that can secure everything from files to phone calls. Here are a few of the best free encryption services that can help you easily secure your business operations and data.

Signal, an open-source private messenger app developed by Open Whisper Systems, allows Android and iPhone users to easily employ end-to-end encryption for free. There is also a Signal add-on for Google Chrome that syncs your secure communications from your mobile device onto your desktop. Signal supports both private messaging and calling with nothing more than an internet connection, meaning it can effectively replace your default communications apps. However, users on both ends need to be using Signal and be connected to the internet to take advantage of the app’s client-side encryption: 256-bit AES encryption for the content of texts and 128-bit AES-CBC encryption for the content of calls. That means convincing friends and colleagues to install and run the free application as well.

A particularly appealing aspect of Signal is that it employs what is known as perfect forward secrecy, a system that generates fresh encryption keys during each individual session. This means Signal is insulated from attacks, compartmentalizing the content of your communications so that it’s incredibly difficult, if not impossible, to intercept in its entirety. Signal also protects against man-in-the-middle attacks: Its SHA-256 hash authentication prevents a would-be thief from establishing a false, disguised server to intercept your communications.

ProtonMail is a highly secure, open-source email application designed by MIT and Harvard research students, led by CERN researcher Andy Yen. It features both desktop and mobile applications, and the free model supports 2048-bit and 4096-bit encryption. ProtonMail also supports self-destructing emails, which can help you even better cover your digital tracks. In addition, ProtonMail boasts the ability to send encrypted communications to non-ProtonMail users. While ProtonMail is free, it also offers a paid premium service that expands on the basic edition’s features.

“Email that isn’t protected is no more secure than a postcard going through the mail, accessible by anyone while in transit. This is something businesses need to take into account when evaluating their security needs,” Dave Wagner, CEO of encryption service provider ZixCorp, told Business News Daily. “End-to-end encryption … protects email in transit but extends security behind the network, preventing any hackers from accessing email if they break through a company’s perimeter.”

One major downside of ProtonMail is that there are limits to how much you can do with a free account. Free users only have access to a measly 500MB of storage and can only send up to 150 emails a day. However, if you save ProtonMail for your truly important messages and regularly clean up your inbox, this should be plenty suitable to secure your sensitive communications. Otherwise, upgrading to a premium account might be worth the modest cost of 5 euros per month (ProtonMail is based in Switzerland), or 30 euros per month for the Visionary package. You can also purchase specific add-ons to the free edition, such as additional storage space, for less than the cost of fully upgrading.

Hotspot Shield from AnchorFree is a virtual private network that is especially useful for employees who are traveling or likely to connect to public Wi-Fi. VPNs work by creating an encrypted “tunnel” between your computer and one of the servers managed by the company. Hotspot Shield covers your major bases with 256-bit AES encryption, securing your personal information on any Wi-Fi connection, changing your IP address to protect against potential snoopers and hackers, and offering an additional layer of malware protection. It also includes a feature that turns the VPN on automatically when you connect to an unsecured wireless network, protecting you while you’re out and about.

“If you have people out of the office and logging in to (unsecured Wi-Fi), you probably want them using a VPN when connecting back so that traffic cannot be picked up,” said Ermis Sfakiyanudis, co-founder and CEO of B2B technology company Trivalent.

In terms of ease of use, Hotspot Shield is relatively user-friendly, but the interface can take a little while to figure out. Hotspot Shield’s major shortcoming is that you need a paid plan to take your pick of the 20 available countries. Otherwise, you’ll have to accept being routed through the server of Hotspot Shield’s choice. This might not be a big deal, as your activity is still secure, but it is a limitation that users of the free version should consider.

 

Human Error, Not Tech, Is Often to Blame for Cyberattacks

When it comes to cybersecurity, ensuring software is up to date, data is backed up, and preventative measures like anti-virus software and firewalls are in place is helpful. But one essential ingredient to cybersafety is something less technical: human vigilance.

A new study from the Security Lancaster Institute at Lancaster University examined the role of human error and oversight in creating vulnerabilities to cyberattacks. Based on interviews with academics, consultants and security managers, the study’s results demonstrated that most vulnerabilities were due to inattention related to “biases, gaps and limitations.”

“These included, for example, a bias towards physical security and away from cybersecurity, and a bias towards denying insecurities to avoid embarrassment,” the authors wrote.

Recently, a few high-profile cyberattacks or errors led to the loss of terabytes of data. When the WannaCry ransomware attack ravaged the globe in May, the impact was massive. The U.K.’s National Health Service and a prominent Spanish telecom were among the most prominent networks crippled as a result. However, Microsoft had released an update that addressed the vulnerability two months prior, meaning affected systems could have easily been insulated from WannaCry’s devastating assault. [Want to better protect your business from cyberattacks? Check out our cybersecurity guide for small businesses.]

In another big-time error, a data-mining company hired by the Republican Party to gather information on American voters during the 2016 presidential election accidentally made its database public, revealing voters’ dates of birth, home and mailing addresses, phone numbers, registered parties, racial demographics, and voter registration. This botched handling of personal information wasn’t even the result of a cyberattack; it was merely a serious oversight that divulged data the subjects were likely unaware even existed.

In each of these headline-grabbing data catastrophes, human error and a lack of best practices – not a failure of technology – was to blame. In other words, the systems all worked properly while human users were asleep at the wheel. The good news, then, is that the cause of these errors is easily addressed by redoubling efforts and implementing a new set of rules to ensure those best practices do not lapse again.

“[This study] showed how readily vulnerabilities in attention could be ascribed to simple, general rules that were functional in an organizational setting,” the authors wrote. “The focus should thus be on what is normal, in contrast to the typical technical focus on what is anomalous. This normality of vulnerability is similar to Vaughan’s ideas about ‘normalized deviance,’ and suggests vulnerability often goes unnoticed.”

Cybersecurity isn’t just a matter of upgrading technology, but of placing vigilant guards in the watchtowers. With a coherent set of cybersecurity rules, up-to-date software and the watchful eye of careful administrators, you can rest assured that your network is safe.

Steps to Create Your Social Media Strategy in the workplace of automation?

As digital media overlaps with advertising, more small business owners are paying attention to social media and their overall web presence. At Philly Tech Week 2017, Buffermarketing and social media manager Brian Peters hosted a sold out interactive workshop, Developing a Social Media Strategy as a Team of One. This presentation focused on how small businesses can develop effective social media content without having a huge budget or department.

Amidst a room full of social media managers for different types of businesses, Peters outlined a series of seven steps to creating a strategy plan.

When drafting your company’s social media plan, turn to your mission and value statements. These will help you determine the tone and personality of your social media presence. For instance, will you be using popular hashtags, even if they’re not directly relevant to your brand? What about GIFs? How do you feel about swearing?

Additionally, understanding your mission can guide you to create a series of goals, which can include driving traffic to your website and generating leads. Remember to think of specific numbers when outlining your goals, such as a certain number of leads you’d like to generate.

There are tons of tools and software out there to help you create and manage content. In addition to Buffer, Peters identified Canva for graphics, Trello for project management, IFTTT for automation, Google Drive for data storage and Slack for team collaboration.

Tools like Canva help you create your own graphics where you can add text. Since photos and videos perform better overall on most social networks compared to all-text statuses, more companies are using budgeting for visual content this year, according to HubSpot. If you’re willing to go the extra mile, you can even enroll in online photography or design classes on websites like Skillshare, Lynda and Udemy.

For inspiration, Peters recommended making a list of all the brands you admire and then trying to replicate something they’ve created. He also stressed the importance of seeking inspiration from brands outside of your specific industry and niche.

“There’s a lot of great content out there,” one of Peters’ slides read. “We can all be publishers!”

Curation describes the practice of repurposing pre-existing content you find on the internet. Every time we share a popular meme or GIF on Facebook, we’re curating our Timeline. Like a museum, our social media feeds can be customized to our interests and style.

To follow the best content on the web that’s most relevant to your brand, Peters suggests creating a customized Instagram desktop and Facebook Pages to Watch feed.

Encourage your employees to share content with their social media following by retweeting and sharing relevant company content. If you work with social media influencers, utilize their audiences as well to help spread brand awareness. Why?

“Suppose you’re a mid-size company with a total of 5,000 followers altogether on Twitter, Facebook, Instagram and LinkedIn,” explains Ryan Holmes, CEO of Hootsuite, in a Fast Company article. “Now, let’s say you have 100 employees, each with (a relatively modest) 250 followers of their own, for a total of 25,000 unique followers. By asking your employees to share messages, you can boost your audience (at least on paper) from 5,000 to 30,000 – instantly.”