Posts for September 2014

Do your ex-employees keep logging in?

When an employee leaves your businesses, are you letting them walk out with access to valuable company data?

According to the 2014 Intermedia SMB Rogue Access Study, 89% of employees who leave a company retain access to business or cloud applications like Salesforce, PayPal, email and SharePoint.

That’s a scary figure. We’ve written a lot about IT security lately, but statistics like this make us think that this level of coverage is warranted.

When a member of staff leaves your business, you must have a way to revoke their access to all your resources. Failure to do so just invites disaster.

Ex-employees are actually signing in

Of those people questioned for the research, 49% had actually signed in to an ex-employer’s account, despite having left the company.

Most of these people probably act out of curiosity, rather than malice. But they still have access to apps that may contain important company data.

A minority will almost certainly be intending to do harm to their former employers. It only takes one person to cause you all sorts of problems.

You could be looking at hefty reputational damage, a loss of competitive advantage — or even a big fine from the Information Commissioner.

Security begins at work

“Most small businesses think ‘IT security’ applies only to big businesses battling foreign hackers,” says Michael Gold, president of Intermedia.

“This report should shock smaller businesses into realising that they need to protect their leads databases, financial information and social reputation from human error as well as from malicious activity.”

You can start by putting some proper procedures in place to control and revoke access when employees leave your company. These are some good starter tips:

• Record who has access to what. You can’t be sure you’ve revoked everything unless you know what each employee can access. If you rely on apps with separate usernames and passwords, it’s particularly important to keep an up-to-date list of who has access to what.
• Don’t share usernames and passwords. Some cloud services charge extra for each user, so it’s tempting to have one generic username and give everyone access. Bad idea: every employee who leaves will know the username and password.
• Have an ‘offboarding’ process. You probably have a standard procedure for when people join your company. But do you have a similar set of steps to follow when someone leaves? If not, it might be an idea to put a checklist together.

It can be trickier than you might expect to get a handle on who has access to what in your business. However, once you do so, you can be more confident of retaining control over your most important data.

• Download our sample data protection policy
• Don’t panic, but 23% of your staff are stealing from you
• The ABC of business IT security

Weird wearable tech that's much stranger than the Apple Watch

Just over a week ago, Apple presented its new smartwatch to the world. This computer-on-your-wrist is Apple's first new type of product since the iPad. It'll be interesting to see if it has the same impact.

Wearable technology has been lauded as 'the next big thing' for a while. For instance, Google Glass went on sale in the UK earlier this year. And in March, a wearable technology show took place in London.

The Apple Watch might be the most mainstream piece of wearable tech yet. But that simply highlights the fact that plenty of strange gadgets have gone before it. Here are five of the most unusual:

1. Drumpants. (Yes, drumpants.)

Easily the most ridiculous pair of jeans we've ever seen, these trousers double up as a drumkit.

Well, to be precise, they're a set of electronic pads that you can wear under your clothes. When you tap them, they make noises. Prices start from $99 for a basic kit.

2. eBay's USB bracelets

Have you ever felt the urge to wear a USB cable on your wrist? Last year, eBay teamed up with the Council of Fashion Designers of America to create bracelets that also work as USB phone chargers.

Practical? Almost certainly. Fashionable? Well, would you wear one?

3. Panasonic's barely-noticeable wearable camera

Just check out how cool Brazilian football star Neymar looks wearing the Panasonic HX-A500 camera. You barely notice it's there:

Actually, this camera can go underwater and shoots at the latest 4K resolution (that's much better quality than your high-definition TV). So while it might not be subtle, it could be useful to extreme-sports fans.

4. Virtual reality

Virtuality image by Dr. Waldern/Virtuality Group (Dr. Jonathan D. Waldern), via Wikimedia Commons

Back in the 90s, one of the coolest ways to spend your time was to take a trip to the Trocadero in London. There you could put on a Virtuality headset and dive into the world of Virtual Reality.

These days, the crowdfunded Oculus Rift is picking up the VR mantle. Watch this space, then...

5. A sweater that senses your mood

Hate expressing your feelings honestly? You'll be wanting the Ger Mood Sweater. It uses sensors on your hands to read your 'excitement level', then lights up the collar with colours that are supposed to reflect how you're feeling.

Yeah, whatever. This thing makes wearing even Google Glass seem pretty normal.

• What's next after tablet computers?
• Ok Glass, let's revitalise the High Street
• What's next after tablet computers?

Simple protection from cyber criminals

Last week’s celebrity hacking news showed just how easy it can be for hackers to gain access to sensitive or personal data.

And you don’t need to be a well-known personality to be targeted by hackers. Many hackers target small businesses, because these companies are less likely to have invested in strong security measures.

Someone hacking or compromising your system could be your worst nightmare. But there are some simple ways to prevent it from happening. Here are some steps you can take to make your system safer.

1. Add another layer of verification

Two-step verification is a good way to add another layer of protection when staff log in to company systems.

Typically, two-step verification requires your staff to sign in with something they know (a password), plus something they have (often a one-time code that’s texted to their mobile phone or shown on a digital key fob, pictured).

Two-step verification provides significant extra protection, especially if your company uses its systems to store and share sensitive documents.

2. Use strong passwords

Most people know they need to use strong passwords. But most people still don’t do it.

Make it company policy to use strong passwords. Mixing uppercase letters, lowercase letters, numbers and symbols makes it much harder for someone to gain unauthorised access.

You can use password management tools — like 1Password or LastPass — to keep track of these hard-to-remember logins.

3. Don’t share your logins

Sharing usernames and passwords is a big no-no. If everyone uses the same details to sign in to your shared workspace, if something goes wrong then you don’t have an audit trail to a specific user.

It also creates potential risk when an employee leaves the business. They probably won’t do anything malicious, but are you willing to take that risk?

4. Encrypt important data

Encryption scrambles data so it can’t be read, even if a hacker gets their hands on it.

Windows 7 and Windows 8 both have encryption tools built in. There are plenty of other encryption tools available too —many are free.

• Learn more about encrypting your data
• How to create strong passwords
• Secure your IT system

Copyright © 2014 Ian Cowley, managing director at Cartridge Save.

Business questions from the celebrity iCloud hack

Copyright: s_bukley

You can’t have missed last week’s news that hackers gained access to intimate photos belonging to celebrities, including Jennifer Lawrence (pictured).

The story has raised important questions about what data individuals store in the cloud. Many of those questions have implications for businesses too.

After all, cloud services play a pivotal role in many companies. They’re used for all kinds of tasks, from backing up data and sharing files to enabling remote working and reducing the need for expensive in-house equipment.

The cloud certainly has significant advantages, and it’s here to stay. There’s a strong argument that overall, the security risks of using the cloud are lower than storing data in your own business. 

But with cloud technology still developing, could this breach be the spark that forces cloud providers and their users to confront some key questions?

1. What’s your weakest link?

Although full details of the iCloud breach have yet to emerge, it seems likely the celebrities were victims of some kind of brute force or social engineering scam.

This means hackers used techniques to work out log in details, rather than exploiting a technical breach.

With cloud security, much of the focus is on measures systems like firewalls and backups. However, if all that stands between a hacker and your data is an easy-to-guess password (like ‘password’, ‘123456’, or your company name), that’s how criminals are most likely to access your data.

Our advice:

Strong passwords are important, and you should really combine them with two-factor authentication to up the security on your cloud accounts.

The biggest problem with strong passwords is that they’re a nightmare to remember. We recommend using password management software, like 1Password or LastPass.

2. Do you understand your cloud service?

An interesting piece from Wired argues that we’ll all benefit if some of the affected celebrities try to sue Apple over this case.

I won’t go into all the arguments, but one key point is we often start using cloud services without completely understanding what we’re getting into.

For example, Apple’s iCloud terms of service are over 8,000 words long. When you sign up, you agree to them, almost certainly without having read them.

As we use these services to store and share sensitive information, perhaps providers should make more of an effort to really communicate what they do to protect our data, and what we need to do, too.

Our advice:

If you don’t understand what a cloud service is going to do with your data, do further research before signing up. A local IT supplier might be able to help.

Don’t commit everything to begin with, either. Start by moving non-critical data to the cloud. You can shift more of your business across as you gain confidence.

3. Who can you talk to?

If you’re an A-lister, you can guarantee you’ll get attention when your cloud services get hacked.

But if you’re an ordinary business just trying to get on with work, are you confident you’ll get a response from your provider when something goes wrong?

Services like Apple’s iCloud and Google Apps are designed to be automated. You can sign up and start using them without having to speak to anyone.

Most of the time, they work flawlessly. But if something goes wrong and you can’t figure it out yourself, it can be hard to find someone to help with the problem.

Our advice:

Look for cloud providers that offer comprehensive support and have a good reputation. Search online for reviews and make sure they’re well established.

Often, a local IT supplier can help you find the most appropriate cloud services as well as providing support and help when you need it.

Blog by John McGarvey, editor of the IT Donut.

• Q&A: cloud computing security
• Five ways to prepare for the cloud
• Should you host in the cloud or on the premises?

11 ways to keep hackers out of your wireless network

Because wireless networks are simple to set up and generally work without needing constant adjustment, they’re easy to neglect. Yet for a hacker, your wireless network could provide the easiest route into your business data.

It’s vital you protect your wireless network from unauthorised users. These 11 steps will help you lock it down and keep it safe.

1. Use WPA2 encryption

You probably know that you should protect your wireless network with encryption, so people can’t connect without entering a password.

But did you know that different levels of encryption offer different levels of protection? Make sure you use WPA2, which is the most secure option for everyday wireless devices.

2. Turn off guest networking

If you have a guest wireless network, there’s a good chance that it’s unsecured. This makes it easy for guests to get connected. But it also makes life easier for hackers.

Unless absolutely necessary, it’s best to keep guest networking turned off.

3. Change standard passwords

Many routers and other wireless devices share standard passwords. That means if you don’t change the admin password on your wireless router, hackers can break in by entering the standard password.

Change this to a strong password. Use a combination of upper and lower case letters, numbers and symbols.

4. Change the standard network name

The name of your wireless network is also called the SSID. Often, this is set to the make and model of your wireless router.

If you leave this as it is, the SSID helps hackers identify your router, so they can try standard passwords or break in via known weak spots.

5. Hide your network’s name

Most wireless routers allow you to turn off the ‘SSD broadcast’ feature. This means your wireless network won’t show up when people scan for networks.

Instead, they’ll have to know the network name in order to connect. And that gives you another layer of safety.

6. Track who is using your Wi-Fi

Most wireless routers maintain a ‘device list’ showing all devices that have been connecting to your network. Some will alert you when a new device connects.

Check this list every now and then. If it contains any devices you don’t recognise, always investigate.

7. Switch on MAC address filtering

Every wireless device — like your laptop, smart phone or tablet — has a unique ID called a MAC address.

When you turn on MAC filtering, you can tell your router which MAC addresses should be allowed to connect. If a hacker’s device isn’t on the list, they won’t be able to get in.

8. Isolate your devices

If your wireless router offers this setting, isolate the devices on your network. This means that although they’ll be able access the internet, they won’t be able to discover each other.

This provides another layer of defence. If a hacker manages to access your network, they shouldn’t then be able to reach servers, computers or other devices.

9. Keep firmware up to date

Firmware is the basic operating system that tells your router what to do. Like the software on your computer, it may need updating now and again — sometimes to fix security problems.

Although firmware updates are not released as frequently as software updates, it’s worth checking for them now and again.

10. Use firewall settings

Most wireless routers have some sort of firewall built in to protect your network from malicious attackers.

No matter how basic the firewall is, switch it on. It’s certainly better than nothing. If you’re in the market for a new router, perhaps pay extra for one with a more advanced ‘stateful protection’ firewall built in.

11. Use WPS with caution

WPS stands for Wi-Fi protected setup. It’s a simple way to connect new devices to a wireless network. All you have to do is press a button on your router, then connect your device.

However, a major WPS security flaw was discovered in 2011. As a result, it’s better to disable WPS and connect devices manually.

• Why every business need a wireless network
• How to work remotely and securely
• Five IT security mistakes you may be making

This post is by Adrian Case from Akita.