Coleman Technologies Blog

Ransomware is one of the more dangerous threats out there for businesses of all industries and sizes. To help emphasize just how dangerous it is, however, you have to look past the initial threat of having to pay a ransom and look at the other risks associated with it. We’re here to try to get the point across that ransomware is something your business should absolutely be taking seriously.

Ransomware Spreads Easily

There is a reason why ransomware is picking up in popularity, and it’s because it is a remarkably simple threat to spread. While it certainly spreads through the usual methods, like downloading infected files or clicking on suspicious links, ransomware is most effectively spread through the use of phishing attacks which trick users into falling for a trap. Whether it’s being fooled by a phony tech support email or being scammed through a social media message, you can bet that ransomware attacks will use phishing as one of their primary modes of distribution.

Restoring from a Backup is Not Enough

It never hurts to have data backups ready to go in the case of any security breach or attack, but it’s even more important in the case of ransomware as you often cannot get around the encryption on the system without them. Even if you do have a backup, however, there is always the threat that the hacker will steal your data or leak it online somewhere, creating additional problems. Simply put, restoring data from your backup might not be enough to solve all of your problems, and you should be aware of the fallout that could result from such a ransomware attack.

Ransomware Costs More Than Just the Ransom

Some individuals think that ransomware really only costs your business money in terms of the ransom, but the costs associated with ransomware are far more and far scarier than what you’ll pay the hackers for the safe return of your data. In reality, a ransomware attack is going to cause costly downtime—time that your business is not functioning as it should—and you could also be subject to compliance fines. Add in the cost of your data potentially being leaked online, and you have yourself a recipe for the downfall of your business, unless you play your cards right.

Obviously, ransomware is a scary thing to deal with, and not in the expected ways, but it’s fairly straightforward to protect against. And, thankfully, you don’t have to do it alone.

Don’t Let Ransomware Harm Your Business

If you want to ensure that ransomware doesn’t cause trouble for your company, then Coleman Technologies can help. We can equip your business with preventative security solutions, train your staff on how to identify potential threats, and back up your systems so that you’re not impacted drastically in the event of an attack. To learn more, reach out to us at (604) 513-9428.

The Internet of Things is everywhere and that means that it’s important to understand how much of a potential security risk these devices can be. From smart speakers to smartphones, it's important that you understand how these devices can create problematic situations. In this week’s blog we will discuss how you can protect yourself against IoT vulnerabilities at home.

Why the IoT Is So Insecure

There are several factors to why the Internet of Things is insecure. The first is that the demand for smart devices has created a situation where manufacturers are trying to get as many devices out on the market as possible and in their haste, they don’t do enough to build secure environments. Another reason is that many people don’t have the security acumen to do the things needed to improve security for a network that features a lot of IoT devices. 

These smart devices are super useful, but if they were to be hacked, it can cause a lot of problems for you. If not secured, hackers can gain access to webcams, access your heating and lighting systems if they are connected to the Internet, gain access to account information—or even financial information, deploy malware, and even turn your smart devices into agents of chaos (also known as a botnet).

How to Secure IoT Devices on Your Network

Obviously, with so much at stake, you will want to know some actions to take to properly secure these devices. Much of what can be done are good strategies to secure your network in general. These actions include:

• Secure your router - Obviously, securing your router has a major effect on your ability to keep your network, and therefore your IoT tools, secure. You will want to change the SSID and password of your wireless network.
• Start a guest network - A great way to ensure that your IoT devices aren’t going to negatively affect your network is to create alternative networks that separate these devices from your core computing infrastructure. 
• Change all individual device passwords - This may take some time, but if security is your aim, you can do worse than actively changing every device’s login credentials and passwords frequently. 
• Use complex and unique passwords - One of the best ways to secure password-protected digital assets is to make sure to build passwords with security in mind. Use all types of different strategies including a combination of upper and lower case letters, numbers, and symbols to give yourself the best chance at maintaining security. 
• Use two-factor authentication - Adding security to your strategy, two-factor authentication can be a really useful tool; especially with IoT devices that often lack the strong security features of more complex computing devices. 

IoT is becoming increasingly important at work and at home, so doing what you can to keep from dealing with attacks and other digital issues is important. If you would like more useful security tips, or you just would like to have a conversation about how to best secure your IoT, give us a call today at (604) 513-9428.

We often talk about scams and cyberthreats, and lately our advice for dealing with a potential phishing threat is to simply avoid it altogether.

That is, when you get any kind of email or text message with a link you weren’t expecting, whether it’s from someone you know or from your bank, just don’t click it. Instead, log into the account in question the way you normally would, and verify the information there, or confirm with the sender through some other means to make sure what they are sending is valid. While this is still a good practice, sometimes you need to click on a link. Here are a few tools you can use to check if a link is safe, before you click.

Why Would a Link Be Dangerous?

First of all, why wouldn’t you want to trust a link that someone you trust sends you?

There are a lot of reasons. Even if it looks like a video message from your dear sweet Nana, or a virtual Christmas card from your youngest niece, there is a chance that the sender has been compromised and is trying to spoof their contacts. 

You want to know when it’s probably not a scam or a threat? When your dear sweet Nana or your niece calls you up on the phone and asks you to look at it.

That simple two-step confirmation makes all the difference in the world. Otherwise, you should consider the risks that maybe, just maybe, the sender was compromised and that the link you are being sent is malicious.

The same goes for the business end of things. 

Your coworker, business partner, vendor, or client might have no reason to do anything malevolent to you. If they fall for a trick themselves, though, a part of that trick might include spreading to all of their contacts.

A malicious link could contain malware that infects your computer, tries to steal your data or access your online accounts, and also spreads itself as quickly as possible to anyone in your contacts list. Not only will you be the victim, but your friends, family, and colleagues will be YOUR victim, and so-forth.

How to Safely Identify and Copy a Link

Before we get into the tools, let’s quickly run through what we mean by a link.

Basically, any text or graphic that is clickable and takes you to another page in your browser is a link. Sometimes, that link will be written out, with the https:// and the full URL. 

For example, if it is a link to PayPal, it might look something like this: https://www.paypal.com/us/smarthelp/PAYPAL_HELP_GUIDE/getting-started-with-paypal-icf29 

Links could also just be text that is clickable. So instead of writing out the URL, the link might be something like this: Get Started with PayPal

Now here’s the thing. If you’ve been paying attention, we’ve already proven to you just how easy it is to trick a user into thinking they are going to one website, and taking them somewhere totally different. Both of the links above don’t actually go to PayPal. We assure you that they are safe, but they are taking you to goofy fake mustache glasses on Amazon.

Sometimes, links are graphics, like buttons, icons, pictures, or virtually anything else. If you can click or tap it and have it take you somewhere, it’s a link, and any links can be spoofed very easily.

If you want to tell where a link is going to take you, you need to copy the actual link:

 On a Desktop or Laptop:
-Hover the mouse over the link.
-Right-click on the link.
-Select “Copy Link” or “Copy Link Address” or “Copy Hyperlink”

Now you have the link copied, and you can paste it into one of the following tools with CTRL+V (or right-click and select Paste)

On a Tablet or Smartphone:
-Be careful not to accidentally just tap the link to open it!
-Hold your finger over the link for a few seconds to pop up the context menu.
-Select “Copy Link” or “Copy link address” or “Copy Hyperlink”

Now that you have the link copied, you can paste it into one of the following tools by holding your finger down over the URL field within the tool and selecting Paste.

Safely Check a Link Before You Click it with These Tools

You can use the following tools to check the safety and legitimacy of a link. Keep in mind, this won’t protect you from one hundred percent of all scams, as these tools can only check for known threats. It’s also a good idea to use multiple tools to cross reference, in case some of the tools just haven’t been made aware of the link you received.

Use Norton Safe Web to Check a Link
Norton Safe Web is a free online tool that lets you paste a link to check to see if it’s safe.

It will give you a quick rating on the link. If the link is untested in Norton, it’s a good idea to try a few of the other tools. If Norton states the link is dangerous, it’s a pretty safe bet you should avoid it.

https://safeweb.norton.com/

Check the Link With PhishTank
The cleverly named PhishTank site will tell you if a link you received has been reported as a phishing scam. Phishing links tend to look pretty similar to legitimate web pages. For instance, a phishing link for PayPal might look almost exactly like the regular login page for PayPal. The problem is that it won’t log you into PayPal, but it will send your PayPal credentials to someone else.

https://www.phishtank.com/

Google’s Transparency Report Might Tell You If a Link is Unsafe
Google’s search engine works by crawling the Internet and indexing everything it finds. Sometimes, it might run across dangerous content such as malware or phishing risks. Google’s Transparency Report tool will tell you if a link you’ve been sent is found in their massive database of unsafe content.

https://transparencyreport.google.com/safe-browsing/search

Scan the Link with VirusTotal
Finally, there’s VirusTotal. This tool takes a little longer to give you an answer, but it can be a little more thorough than the others. This is a good last-ditch effort if you aren’t happy with the results from the other tools. 

https://www.virustotal.com/gui/home/url

It’s important to keep in mind that a phishing scam or malware attack could still sneak through these tools, especially if the URL was just generated and you are among the first people to get it. These tools are designed to spot known phishing attacks and malware that has already been reported. With that in mind, it’s still a good idea to err on the side of caution.

If you feel like you’ve received a suspicious email, text message, or other correspondence, and you would like us to take a look for you, don’t hesitate to reach out to us at (604) 513-9428.

Have you ever suspected that a hacker could silently observe your email interactions with your clients and your staff? If you manage your own email infrastructure, we want to highlight the importance of email encryption. Encryption keeps your business’ email communications secure and compliant so you can worry less about security and privacy to focus more on running your business.

Here are three potential consequences of failing to encrypt your email communications.

Regulatory Fines

The big one to consider is that you’ll be charged out the wazoo in regulatory and compliance fines for failing to protect sensitive information.

Think about it; how much sensitive information is exchanged by email at your business? Even if it’s not directly included in the body of the email, how many attachments are sent that contain personal or sensitive information? Without encryption, any onlooker could easily pluck this data out of your inbox and use it for nefarious purposes.

And whenever you breach the security and privacy of others, you’re sure to get slapped with serious fines that can break your budget and jeopardize your business for the foreseeable future.

Negative Public Relations

What would your customers and clients think if they found out you don’t encrypt your email?

Never underestimate the power of a bad review or a local op-ed in the paper about how you don’t take security seriously. If potential clients are informed of a reason not to work with you—especially one related to security and privacy—they will consider other options, period. Worse yet, your current customers could jump ship and go work with one of your competitors, which directly impacts your bottom line and profits.

Seriously, who wants to work with a business that doesn’t take security seriously? Not me; that’s for sure.

Loss of Intellectual Property

What would you do if your biggest competitors had access to the tech and strategies that make your business what it is?

If your business has industry secrets or intellectual property to maintain, you really do need email encryption to ensure communications pertaining to those secrets are not leaked to competitors. Otherwise, you run the risk of ideas, thoughts, patents, and other IP falling into the hands of people who will steal your clientele. Worse yet, you might end up fighting prolonged legal battles and paying exorbitant fines due to these legal battles over your IP, which nobody wants.

Protect what’s yours with email encryption before it inevitably is no longer yours.

Coleman Technologies can work with your business to encrypt your email communications and keep your company’s messages safe. Learn more by calling us today at (604) 513-9428.

If there’s one thing that helps businesses establish consistent policies and strategy, it’s a good framework. You can use a framework for anything, including network security. Today, we want to walk you through the cybersecurity protection standards as they are outlined by the National Institute of Standards and Technology so you can better protect your business.

The NIST framework has five parts: identify, protect, detect, respond, and recover.

Identify Threats

You can’t protect against a threat you don’t understand, period.

Businesses must first identify threats and how they might strike against various assets and resources. For example, you need to understand the hardware and software that keeps your business running, as well as how the supply chain impacts acquiring these resources. Furthermore, your business needs to adhere to regulatory guidelines, and you must take steps to ensure that your supply chain is not interrupted by potential threats.

It might not seem useful to know in the context of cybersecurity, but knowing what you need to protect, as well as what you are protecting against, helps you determine risk and the appropriate steps forward.

Protect Against Threats

Now that you know what your cybersecurity situation demands, you can implement the following preventative solutions:

• Access controls help minimize the risk of unauthorized access to your data and infrastructure.
• Similarly, data security helps keep critical information available to those needing it while maintaining its confidentiality otherwise.
• Establishing regular and proactive maintenance practices to ensure all updates are in place and devices experience optimal uptime.
• Training staff as appropriate based on their level of permission.

We’ll add our two cents to the conversation by recommending something not on the radar of the NIST—business continuity—as it’s important to know your business' bare minimum operating standards.

Detect Threats

It’s not a question of if you get targeted by cyberattacks, but when.

While you can protect your business as much as you want, sooner or later, you’re going to have to be ready to handle an attack aimed right at your business. The solutions you implement should be able to send you warning signs and alerts so you can take action in the moment. Furthermore, these alerts help you ensure that your solutions are actually working as they should be.

If you don’t detect threats as they target your business, you’re asking for trouble.

Respond to Threats

The goal of cybersecurity is to catch, detect, and respond to threats so they have a minimal impact on your operations.

Naturally, this is a high-stress event, so you want to have an iron-clad policy to turn to just for situations like these. Not only do you need to mitigate the issue in question, but you also need to be ready to respond to the many other residual threats and the problems they might invite. Throughout the entire process, you’ll want to remain in touch with anyone who might be impacted, such as customers, vendors, or employees, as well as your local law enforcement.

Following an attack, you’ll want to take a look at your network and collect as much information on the attack as possible, as arming yourself with this knowledge can help you better protect it in the future.

Recover from Threats

The challenge continues long after you’ve eliminated threats as you work to recover from the incident.

For one, you need to get your interrupted services back in operating order with the help of a business continuity plan. You’ll want to have clear, actionable steps in place that you can follow to get your company back on track following a cybersecurity incident. Be intentional about using this backup strategy to recover your critical systems, then improve them so that another issue doesn’t occur later down the line.

Keep your stakeholders informed of the recovery process, too, as your customers, staff, and other partners will want to know how it’s going.

Take Your Security Seriously

Five steps might seem like a lot, but this should serve to showcase just how important this is to your business’ longevity.

Rather than react to a cybersecurity crisis, you should have solid strategies and systems in place beforehand. This will help to ensure you’re not caught unawares. Keep in mind that you have trusted IT resources at Coleman Technologies whom you can rely on for any and all security needs.

To learn more, call us today at (604) 513-9428.

Your business’ computing infrastructure is a pretty resilient system. It has all types of tools added on to keep malicious code, bad actors, and even sabotage from ruining the good thing you have. This reliability has led to hackers changing the way that they go about their business. Nowadays, most of the attacks that affect businesses are phishing attacks. In today’s blog we will go through the elements of a phishing attack and how you can protect your business from them.

There are really four things you have to be aware of when you are considering if you’re looking at a phishing email. Let’s go through them now:

There is a Real Sense of Urgency to the Message

While a lot of the messages that we get in business have a demanding tone, there is something extraordinarily panicked about a phishing message. Essentially, phishing messages will urge the reader to take immediate action. This action could be in the form of clicking on links, downloading attachments, or giving over credentials that the scammer will then use to infiltrate organizational computing networks to deploy malware or siphon data.

Poor Grammar and Spelling

Many of these messages are created with the notion that the reader will be fooled by the overall legitimacy of the message. Many times they are subterfuge emails sent from a would-be financial institution or an insurance carrier; some business that has legitimacy. Typically, there are signs within the message itself that are blatant signs of its illegitimacy. Variables like misspelled words, poor use of grammar, and other red flags can tip users that the message is not legitimate. 

The Domain Is Wrong for the Message

When someone sends an official email from a business, typically the domain name of the email address that is sending the email will represent the organization that the message is coming from. If the address doesn’t come from the organization that is sending the message, that is a giant red flag. Most reputable organizations pay good money to host their own domain and if the address you are getting a message from doesn’t represent that, you have to believe that it is a scam. 

Suspicious Tone to the Message

You know the type of messages that you typically get. If a message you receive doesn’t meet the criteria of “normal”, you should immediately look to verify with the presumed sender of the message that it is legitimate. If it feels off, it probably is. Make sure you get this confirmation through a different means of communication.

Phishing attacks are everywhere. If you get messages that don't feel right, don’t interact with them—follow up. For more great tips and tricks return to our blog soon. 

When it comes to security, it can be challenging to keep up with shifting best practices. For instance, the use of a virtual private network has long been a staple to secure remote operations, and any decent IT service provider would recommend its use. However, this advice is changing with the growth of zero-trust access protocols.

Let’s compare these two security options to consider why this is.

Defining Virtual Private Networking and Zero-Trust Access

In order to properly compare these two security tools, it is important that we establish what each of them is meant to accomplish.

Virtual Private Networking, or the use of a VPN, creates a protected connection between two network endpoints via encryption. Let’s say you were stuck in an airport during a layover, but you had your work laptop with you. By using the VPN, you could connect back to your business’ infrastructure in order to access the data you need, without your activity being visible to others who may be snooping on the airport’s wireless network.

Zero-Trust Access is a strategy in and of itself that turns the principle of least privilege into an actionable approach, requiring comprehensive verification at each and every step of any business process. Fundamentally, the thesis of zero-trust is that everything and everyone is a threat until they are confirmed not to be—with this confirmation regularly verified throughout the user’s processes.

These two methods take very different approaches to securing your business. With the VPN, the focus is on keeping threats out, without particularly restricting the activities of those who have been authenticated. Zero-trust access, on the other hand, provides access to only what an authenticated user requires to fulfill their responsibilities.

What Does a VPN Do Compared to Zero-Trust Access?

Let’s break down different aspects that you need to keep in mind in terms of what each option provides.

Breach Containment

Should a breach occur, a VPN may help prevent the attacker from accessing more than what the VPN itself was directing toward, whereas a properly-configured zero-trust implementation will limit the breach specifically to the device, service, or application.

Cloud Support

Generally speaking, a VPN is hosted on-premise, although cloud options do exist. Zero-trust is typically hosted in the cloud, meaning that it works well in cloud-hosted applications.

Functionality

This is the crux of our discussion. All a VPN does is create a secure means of accessing different networks. Comparatively, zero-trust access does the same, but also restricts access within these networks based on predetermined policies.

Remote Support

With remote work being more prevalent than it has been in the past, ensuring a means of accessing the workplace securely is a more pressing need. A VPN enables remote workers to do so, while a zero-trust network does the same, but does so on a more granular level.

Security Strength

While the VPN does a great job of protecting data while it is being sent between two separate networks, that protection stops once each network is reached. The zero-trust network provides excellent security at every point, for every resource.

These comparisons make it pretty clear that both offer sincere benefits to a business’ security, and that both should have a welcome place in your business security infrastructure. That being said, it is also understandable why today’s security experts are predicting that zero-trust will ultimately take precedence.

In the meantime, Coleman Technologies is here to help you ensure that your business’ technology and cybersecurity are maintained and ready for you to use it. Learn more about our managed services and how they can benefit you by giving us a call at (604) 513-9428.

Mobile malware is not new. It has been around since people used flip phones, but it doesn’t get the attention that the malware that targets Windows PCs do. This is mainly due to it being a little more rare, but if you are the unfortunate recipient of it, it can cause a lot of the same problems. 

Many people won’t consider it simply because of the way they use their device. A person’s smartphone is with them around the clock and they don’t often use it in the same manner as they would a PC. This doesn’t mean that there aren’t major threats that can users can be exposed to. Let’s take a look at each major mobile OS.

iPhone Malware

One of Apple’s favorite marketing strategies is to point out that iOS is the safest mobile operating system. They actually do a commendable job, but devices running iOS aren’t always completely safe, especially on “jailbroken” devices. By not doing this, which is a way to avoid a lot of iOS’ built-in security restrictions, you will be much more secure. 

Another risk that iOS-run devices run into is called a zero-day hack. The zero-day hack target devices haven’t received a security update after the security update has been released to the public. One major issue that users have with iOS security is that there aren’t a lot of ways to prevent issues. Apple itself does a lot of the heavy lifting. Their platform’s success depends on them keeping their reputation, so having trust in Apple to keep your device secure is not without its merits.

Android Malware

Android is a completely different situation altogether. With more devices comes more malware, and with so many different manufacturers making (and supporting) their various versions of Android, it gets a little dicey.

Android is much more flexible than iOS, which is one of its main benefits, but it can also be problematic when it comes to keeping the device secure. For example, if you want to install an application that’s found outside of Google Play, you can, but any negative situation you get into as a result is on you. It is also possible to jailbreak an Android device, which can override some of the built-in security restrictions.

There have been situations where installing apps off of Google Play have caused problems. Google has had to play games with app developers to keep some serious threats off their store. It just means that users need but it has become clear that it really comes down to the user being careful with what they install. It’s not normal for malware to be attached to Google-sponsored apps, but it has happened, so if you are an Android user, you don’t have to be too careful if all of your software comes from Google.

How to Protect Your Smartphone from Malware

Keep App Downloads to Major App Providers - Both Android and iOS feature their own app stores, Google Play Store and Apple App Store, respectively. Even though Android devices can install applications that aren’t on the Google Play store, modern smartphones make this a little more difficult by making users acknowledge that they are putting their devices at risk by doing so.

If you refuse to jailbreak your phone, and you only install applications that are thoroughly vetted, positively reviewed, and come directly from the Apple App Store or Google Play, you will greatly reduce the risk of infecting your device.

Don’t Get Phished - Many of the most insidious threats today rely on user error. Phishing attacks are an annoying example of this. A user will get a legitimate-looking email from some account they actively use and will be directed to submit login credentials. Unfortunately, the email account is spoofed and on the other end is potential disaster.

Install Anti-malware - You have antivirus software for your PC right, why not get it for your mobile devices? Most providers have Android apps and can go a long way toward protecting your device from harm. 

Enact Policies - If you are a business owner and your employees use their personal devices to do work-related tasks, it’s a solid practice to establish an end-to-end mobile device policy. You can require users to enable security options like device locking and encryption, and since this gets set up on your network, the device (and therefore the user) has to comply with any requirement’s your IT admin requires. 

We have a dedicated plan to help all of our clients maximize their data and network security. If you want to talk more about it call our consultants today at (604) 513-9428.

Simple passwords are just not an effective security practice, so if you’re still using credentials like Password, 123456, Guest, or Qwerty, listen up. You need better password hygiene practices before you suffer from a data breach. Here are some ways you can make a better password to protect your business from threats.

For passwords, it also helps to know what is ineffective in addition to what is effective.

What Does a Bad Password Look Like?

A bad password is, to an extent, always going to be a bad password because passwords are not generally good for account security. While they are certainly better than nothing, they are far from the best way to protect an account, despite being the most popular and most common methods of doing so.

It’s remarkably easy to create a bad password, as well as have bad password practices. Whether it’s a case of the password not being complex enough or too easy to guess, or if it’s used for more than one account, they repeatedly hold businesses and individuals back from achieving the level of cybersecurity they need and deserve.

To help you better leverage good passwords, we’ve put together a list of things you’ll want to do to make them better and stronger.

What Does a Good Password Look Like?

Here are some best practices for password use and creation.

Don’t Repeat Your Passwords
If you use your password for multiple accounts, then all it takes is one of them falling victim to a data breach or phishing attack for all of them to be exposed in the same way. You should be using different, complex passwords for each of your accounts with no repeating passwords.

Always Make Them Complex
Complex passwords are easy to remember, but difficult to guess, which is easier in theory than it is in practice. You can make it much easier through the use of a passphrase rather than a password. Your passphrase should be a random string of words that utilize upper and lower-case letters, numbers, and symbols.

Don’t Use Personal Details
Personal details have no place in passwords for two main reasons: it makes them easier to guess for hackers, if the information is something that they can find publicly on the Internet or on social media, and it places more danger on you in the event that the password is compromised.

Use a Password Manager
To remember all of your complex passwords is impossible, so we recommend using a password manager to help secure them all. A password manager uses one master password to call upon a secure vault of passwords when they are needed. It’s the best way to use passwords without putting yourself at risk.

How are Your Password and Cybersecurity Practices?

If you could use a hand crafting better passwords or protecting your infrastructure, Coleman Technologies has got you covered. To learn more, call us at (604) 513-9428.

I was talking to some colleagues the other day about cybersecurity and its relationship with modern everyday scams, like phone scams and similar things. In my opinion, it’s worth bundling these two topics together, and we found some interesting statistics that we’d like to share.

What Do We Mean By Scams?

When I say scam, I’m getting into some pretty broad territory. I’m talking about efforts to trick a person into giving their time, energy, money, or something else of value to someone who is trying to earn it through trickery, fear, or emotional manipulation.

In other words, we’re not going to talk about computers very much in this blog post.

Here are just a few examples of some common scams:

• Account issue or password scams - This is usually in the form of an email or text message claiming that there is a problem with an online account or payment, urging you to quickly log in using a fake link, so that a scammer can steal your credentials.
• Fake charity scams - Someone poses as a real or fake charity to try to get money from you.
• Debt collection scams - Someone poses as a debt collector to collect money you owe, or don’t actually owe.
• Settlement and debt relief scams - Someone offering to renegotiate or settle debt with the goal of simply taking your money.
• Mortgage scams - A wide range of scams where the scammer offers relief or tries to trick homeowners into sending their closing costs or payments to somewhere other than the actual lender. This can even result in a scammer owning your house.
• Imposter scams - A scammer pretends to be someone you know (often on social media) or someone with authority you can trust to trick you into sending them money or sensitive information.
• Romance scams - A scammer poses as a new love interest and tricks you into falling for them online so they can trick you out of your money.
• Grandparent scams - A complex scam where a scammer poses as a relative in desperate need for help asking you to transfer money without thinking about it.
• Mail fraud - Legitimate looking mail that is designed to trick you into sending money or personal information.
• Lottery and prize scams - A scammer contacts you to tell you that you’ve won something, and asks you to pay upfront for fees and taxes.
• Mobile payment fraud - Legitimate wallet apps like Venmo, Zelle, and others are full of scammers who will simply request money from you to see if you will fall for it.
• Online sales fraud - Scammers use Facebook Marketplace, Craigslist, and other sites to send money for goods, and then cancel the payment after you’ve shipped the item.
• Money mules - Not a scam in itself, but these are people caught up in a scam that might not even know it. They are recruited to collect money for scammers for various scams.

There are countless more, but this just shows you the scope that we are dealing with.

Scammers use a wide variety of communication methods to trick you, including phone calls, text messages, mail, email, physical meetings, television ads, website ads, social media, or altering legitimate signage and publicly accessible information.

The biggest thing to look out for with any sort of scam is an inflated sense of urgency. The scammers want you to act without thinking, and the most abhorrent scams above, like grandparent scams and imposter scams often make victims believe that a loved one is in danger in order to bypass any common sense one might have. 

Human Beings are Scammed CONSTANTLY

You probably already know this, but it’s easy to drown it all out. How often does your phone ring and say “Scam Likely?” Most of us just sort of ignore it now. Huge portions of the population just simply don’t answer phone calls from people who aren’t in their contacts unless they are expecting something, because most personal phone calls are scams.

What about email? While we’ve come a long way with spam protection, how many emails do you instinctively scroll past because you simply know it’s unsolicited or toxic or some sort of scam? We’re just all conditioned to see these things every day… and then I found some statistics that blew my mind.

It’s estimated that older adults, particularly baby boomers and seniors in general, observe an average of at least one scam every hour of their lives.

That’s a wild number, and while we couldn’t find a report for younger people, those of us who work on computers for eight or nine hours a day or more likely have a similar experience.

Some other things about age and demographics were interesting—Gen Z (people born in the late 1990s through the early 2010s) have reported higher rates of victimization when it comes to online scams. Growing up with the technology doesn’t necessarily mean you are less prone to being victimized while using it.

It’s also believed that older generations, again, baby boomers and seniors, simply don’t always report it when they fall victim to a scam. When people are asked why, they usually say they wanted to take responsibility for their actions, or that they didn’t want to be shamed for it.

You Aren’t Dumb For Falling Victim to a Scam

Let’s make this totally clear. If you look at the numbers, the sheer barrage of constant scams and attacks the average person just simply wades through in a day, it’s an incredible feat that we aren’t all going out of our minds.

Every single one of us has experiences in life where it’s the first time you have dealt with something, and you don’t know what to expect, and this puts you in a vulnerable state.

For instance, if you are a first time home buyer, and someone is mailing you some official-looking information about paying for access to your deed, it’s very possible that it could slip past your fraud-detecting radar. Is this a normal part of the process? Should I just do it? Should I contact my lawyer or my broker or at least ask other homeowners?

The problem is, the home-buying process is exhausting, and now you are in the middle of moving in and wrestling with your Internet service provider, your electric company, your former landlord, a moving company, all while your neighbors are telling you that the last owner always let them pick the apples from your new apple trees. Your fraud-detecting radar is shot and drained at this point, and it’s easier to fall for a simple scam.

The same goes for a grandparent scam—if you get a phone call from a loved-ones phone, and you hear their voice, stressed and tear-filled, pleading to help them, and then a lawyer gets on the phone and says your son/daughter/grandson/granddaughter was in an accident and are being kept in jail and you need to pay bail, your emotions will kick in. As a human being, you are doing the right thing by having an emotional response and reacting with compassion, but the people on the other end of the phone know this and are taking advantage of it.

Being a victim of a scam isn’t your fault. You should always report it, and tell your story so that others can learn from it. You aren’t dumb for being a victim. I’m not going to tell you that being more mindful of these things would have prevented it. If you were scammed, you already know this. You’ve learned your lesson, and like all of us, you’ll continue to be targeted and you’ll continue to avoid 99% of the scams that target you.

The best thing you can do is tell others about it. Turn your story into a warning for others. 

Scam artists follow a very effective playbook that wouldn’t be so effective if everyone was aware of it. They are incredibly good at covering their tracks and making it nearly impossible to get caught, so the best way we can combat these threats is by making the public more aware so that everyone knows what to look for.

Yes, there are cybersecurity measures to help with the online stuff, and that’s incredibly important. I can tell you to make sure you are using strong, secure passwords, and using unique passwords everywhere, and using multi-factor authentication, and making sure your business is secure, etc. Those are critically important, but no cybersecurity protection is going to stop Pam in HR from getting a text message that looks like it comes from the CEO’s phone, asking her to buy a few thousand dollars worth of gift cards to mail out. The only thing that stops that is awareness.

That’s all. Those are just some thoughts we had. This is important stuff, and I can’t stress enough how commonplace it is. Stay vigilant, and don’t hesitate to simply call and ask us if you get something that raises your suspicions. We’re here to protect local businesses, and we hope that we can serve our community at the same time. If you’d like to talk about cybersecurity and how we can protect your business and its people, give us a call at (604) 513-9428.

Cybersecurity is important. Scroll through a few pages of our blog and you’ll see article after article talking about threats and ways to make yourself and your business less vulnerable to cyberthreats. As an IT professional, however, I’d be so much happier if the state of the world didn’t require such a massive effort just to protect oneself and we could just talk about cool stuff you can do with modern technology all the time!

But alas, strong cybersecurity is crucial to virtually any organization, and it’s becoming even more important by the month.

You Can’t Flub Your Cybersecurity Awareness

Cybersecurity is something that you can’t just ignore. It’s not going to ignore you—cybercriminals target the people who think they aren’t a target in the first place.

Most businesses these days have at least some level of cybersecurity-based compliance regulations to meet and follow. Some can come from the state, some can come from the industry you are in, some apply based on the type of information you work with, and some can come directly from your business insurance provider. 

One of the biggest mistakes I see business owners and C-levels make is that they have overconfidence in their own cybersecurity. Most business owners are the least secure people I know (and I don’t mean that in an insulting way; CEOs and entrepreneurs, in general, are just wired to be efficient, and cybersecurity practices can feel like a big roadblock to efficiency.)

Heck, I lose sleep at night when I suspect that the owner of a company we work with refuses to use multi-factor authentication, but I catch myself longing to turn that feature off because of the extra couple of seconds it adds to getting into an account every day. 

The point is, even as a leader, you can’t skimp on security. In fact, you should be the shining example of it in your organization.

You Have to Know If You Are Compliant or Not

Depending on the regulations your organization needs to meet, you likely have a laundry list of tasks to check off quarterly or yearly. For many organizations, a part of that might include a regular penetration test.

A penetration test is a very specific set of tasks that involve an ethical hacker attempting to break into your business network using a variety of different ways. 

There are multiple phases that include reconnaissance, scanning for vulnerabilities and other weaknesses, getting in and attempting to steal, change or delete data, staying within the network undetected for a period of time, and looking for non-technical ways to exploit your organization, such as social engineering.

It’s not a small feat, and it’s far from the typical quick network audit or port sniffer scan and things that a technician might do to solve a problem or investigate an issue.

Don’t confuse the small stuff with a penetration test. I’ve talked to business owners in the past who were convinced their network was secure because a third-party ran some network audit tools that came back with devices that were out of date and fixed them. While that’s important to do, and something we do regularly, and maintain for our clients, it’s a long way from an actual penetration test.

Let’s Make Sense of Your Cybersecurity, Together

Protecting your business from modern-day threats and meeting regulatory requirements is a challenge if you try to do it by yourself. Let Coleman Technologies be your trusted IT partner and keep your business operating smoothly. Get started today by calling (604) 513-9428.

What do you do if you have forgotten your wireless router’s password? You could restore the router back to its default settings, of course, but what if you have, like a dummy, never changed the router’s password in the first place? This Internet password repository could be your saving grace.

RouterPasswords.com

RouterPasswords.com is a website built to document default usernames and passwords for wireless routers. It’s run by a community of users for a community of users. Essentially, anyone can submit their default username and password for their router to help anyone out who may have forgotten it somewhere down the line. They make a point to highlight that the username and password of the router is not the one set by your Internet service provider–rather, they want the factory-set default credentials. Once the credentials have been reviewed by an administrator, they are added to the online repository.

It’s also worth mentioning that this site can be helpful from a technician’s perspective as well, as identifying the default username and password for a device can mean less work and less time spent troubleshooting an issue, if that is indeed the problem at hand.

In addition to having the largest default router password repository on the Internet (according to them, at least), the website also provides tips and tricks for how to manage router settings, reviews for the latest wireless routing technologies, and news related to wireless technology.

There is a Dark Side to This Website Existing

Of course, there is also the negative consequence of a website like this existing in that, if you can use it, so can anyone else on the Internet—hackers included. Imagine that you are a hacker and you’re trying to find the path of least resistance into a wireless network. You notice that the device’s wireless network name was never changed or set up beyond the factory default, so you assume that the wireless network’s password is also the factory default.

From there, well, you can guess where this story goes.

You should always change your wireless network’s name and password for this very reason. Tools like this exist to make users’ lives easier, but they inadvertently also make the lives of hackers easier, too.

Reinforce Your Wireless Practices with Us!

Coleman Technologies can of course help you shore up any weaknesses that might exist in your business’ wireless network policies and connections. With us on your side, you’ll have a staunch ally in the fight against cybercrime. To learn more, contact us at (604) 513-9428 today.

We’re not shy about sharing how important it is for a business to have comprehensive cybersecurity throughout its entire infrastructure. That’s why we wanted to share what some recent data has shown about the importance of having visibility into your infrastructure.

Spoiler alert: it’s really, really important.

Data Shows that Enterprises Suffer from Considerable Vulnerabilities

Compiled by Sevco Security, the State of the Cybersecurity Attack Surface report took data from over 500,000 IT assets. This data, compiled from enterprise-level businesses, revealed that a substantial number of the assets these businesses rely on are missing critical endpoint protections or aren’t being actively patched.

According to Sevco Security’s research, the businesses they surveyed were lacking endpoint protections at a rate of 12%, while 5% of them were lacking enterprise patch management. Compounding these issues, 19% of Windows servers were missing endpoint protections.

Furthermore, “stale” IT—assets that are present in the security control console and register as installed on a device, but haven’t checked back in for a few weeks—is a small but serious issue for these enterprise organizations. 3% of the IT assets have stale endpoint protections, while 1% have stale patch management. However, since they are supposedly accounted for, these risks are harder to spot and more likely to create issues.

Of course, these findings were all based on research into enterprise-level companies, with enterprise-level capabilities. Now, just consider what that suggests about the small or medium-sized businesses and their comparative capabilities.

Trust Us to Help Prevent These Vulnerabilities from Presenting Themselves in Your Business

Part of our proactive remote monitoring and maintenance services is to catch these kinds of issues before they result in larger problems for your business. To learn more about how we accomplish this, give us a call at (604) 513-9428 today.

We have not been shy about expounding upon the benefits of the cloud for businesses, as these benefits are both considerable and accessible. That being said, not even the cloud is completely perfect, and there are security errors that can easily be made.

Let’s go through these security errors to see if any sound familiar to your situation.

Missing Access Controls and No Multi-Factor Authentication

Here’s the thing: if your cloud resources are open to anyone, nothing in them can be considered secure. This is why proper access controls—ideally supported by multi-factor authentication—are so important to have.

The data and processes that the cloud can help you support are valuable to your business. Frankly, they’re critical. Leaving them exposed thereby puts your business at risk. Implementing access controls to limit access to your cloud resources to only the team members that actively need them is therefore necessary—and this access should also require multi-factor authentication requirements (identify authentication measures that go beyond just the username and password combination) to be met before it is granted.

You Have No Backups

Today’s businesses have various options available to them, in terms of how they put the cloud to use. Many will elect to utilize public cloud resources that are maintained and managed by an external provider, many will host and maintain their own cloud infrastructure within their business, and many will use a hybrid model that incorporates both for different purposes.

Regardless of the type of cloud you use, it is important that you don’t put all your eggs in one basket. Remember, the cloud is just another server that you are able to access remotely. What if something were to happen to the cloud infrastructure you were relying on?

This is precisely why it is important that you have backups for all of your cloud data—especially for that which you use a private, self-hosted cloud to store. And while it is true that most reputable cloud providers will actively store your data in numerous physical locations as a form of protective redundancy, it is always best to get this in writing in case the worst winds up happening.

Cloud Data is Left Unencrypted

Of course, backups are just one element of keeping your data safe. Again, while most public cloud providers are relatively very secure, data leaks and theft are not unheard of. Furthermore, data needs to travel back and forth between the user’s endpoint device and the cloud infrastructure, giving an enterprising cybercriminal the chance to take a peek while said data is in transit.

In this context, avoiding a breach will require you to keep your cloud data encrypted, which scrambles it to anyone who tries viewing it without the proper decryption key. This measure is actually required by many regulations that businesses of assorted kinds must abide by, including the Payment Card Industry Data Security Standard (PCI DSS) and the UK’s General Data Protection Regulation (GDPR), making noncompliance a direct detriment to your business in general.

We Can Help You Ensure Your Use of the Cloud is Secure, While Remaining Beneficial to Your Business

In fact, we can say the same for all of your business’ critical technology. Here to provide British Columbia with the best that the managed services model of technology support has to offer, we’re hoping to get the opportunity to assist you and your business in accomplishing more. Find out what we could do for you by reaching out to us at (604) 513-9428.

Do you have an old Google account that you created years ago, only to replace it later with one that is more on-brand and less filled with spam messages? You’re not alone, but as you might expect, these accounts can create more problems than they are worth if you let them sit around unused for too long. Perhaps that is why Google is planning to shut down any old Google accounts that have remained dormant for the past two years.

The change is scheduled to start sometime in December of 2023 (although it’s possible that Google is already taking some action on older accounts), and it could impact users of Gmail, Google Drive, YouTube, Google Calendar, Google Docs, Google Meet, and Google Photos. YouTube accounts with videos shared are exceptions to the rule, as are accounts with open subscriptions. Furthermore, this change will impact only users of personal Google profiles, not those tied to workplaces or educational institutions.

If you want to save your old Google account from being deleted, then you need to do one simple thing: log into it. This activity will show Google that your account is being used and, therefore, should not be deleted. Just about any activity you perform in your Google account will constitute using it, too, such as performing a Google search while signed in, opening an email, watching a YouTube video, etc.

The reasoning behind this change makes sense, too, as Google hopes that this mass deletion of unused accounts will help make security easier. Considering that these accounts are old, their credentials have not been updated in years. This means that they could very well be susceptible to security concerns and breaches. These accounts are also less likely to have two-factor or multi-factor authentication implemented for them.

So, we recommend that you consider your Google accounts and whether or not they have anything important stored in them… before it’s too late to do anything about it.

As for password security on your current accounts, we recommend that you work with complex, unique passwords or passphrases that are easy to remember and difficult to guess. Furthermore, a password manager can be used if you’re concerned about remembering the many passwords that are expected of you. There are plenty of options out there to choose from.

Additionally, multi-factor authentication—utilization of something you own (a smartphone); something you know (a password or passphrase); and something you are (biometrics)—can be remarkably helpful for account security.

For more assistance with business account security, be sure to contact us at (604) 513-9428.

I hate to be the bearer of bad news, but when it comes to cybersecurity threats it’s kind of hard not to be. I used to look at it from two sides; one side is fascinated at the innovation and intensely brutal ways that high-end cyberattacks work, and the other side of me loses sleep at night worrying about these risks affecting our clients, prospects, and even my own business. This one particular classification of cyberattack, however, takes the cake for being especially frightening.

Introducing Killware, About as Bad As Cybercrime Gets

Imagine a computer virus or malware that is specifically designed for your organization. It knows the software and hardware you are using. It knows what settings and configurations can cause the most harm to your organization. It knows exactly how to slip in, infect the most vulnerable parts of your business, and do massive damage.

That implies a lot of things. It suggests that the cybercriminals targeting you are intimate with your organization and its inner workings. It suggests that the bad guys have an insider, or that you’ve already been compromised so severely that they may as well have an inside agent. Either way, at this point, the network is more their network than it is your own.

But it gets worse.

Not only can they dish out a threat to do harm to your business, but the goal of Killware is to cause as much public harm as possible. This is a frightening mixture of cybercrime and terrorism. It’s real, and it has real consequences.

A Cyberattack Almost Poisoned an Entire Community in Florida

In 2021, a water treatment plant in Oldsmar, Florida, a small city with a population of almost 15,000 people, suffered from a cyberattack. The attack seemed to have a singular goal; to raise the amount of sodium hydroxide in the water that Oldsmar residents were drinking. 

Sodium Hydroxide is used in water treatment to manage the pH level and reduce lead corrosion. In small amounts, it is considered safe. In larger quantities, it can cause severe burns and permanent tissue damage. The attack increased the amount of sodium hydroxide being added to the water by a factor of 100.

Fortunately, staff at the water treatment plant noticed the change immediately and nobody was hurt.

Cities and Local Government Systems are Often the Target

We’ve seen a few cases over the years where malware disrupted portions of city and town infrastructure. In 2018, Atlanta suffered from an attack that took down over a third of its systems, and it cost taxpayers over $17 million and over a year before things went back to normal.

In 2019, Baltimore suffered from a similar attack, which impacted the state's real estate market and dozens of other systems. The attack cost the city an estimated $18 million.

Healthcare, Nonprofit Organizations, Banks, and Others are at Risk Too

The U.S. Department of Homeland Security warns that other critical services like hospitals, police departments, utilities, and other highly networked industries are potential targets for this kind of attack.

In order to reduce the risk, organizations need to take cybersecurity seriously, and ensure that regular audits are happening throughout the year. Committing to industry compliance standards is a good first step, but depending on your industry, your business may want to raise the bar even more.

No matter what kind of organization you run, you have employees and customers to protect. Coleman Technologies can help secure your business so that your organization avoids doing harm to the community in the event of one of these devastating attacks. 

Businesses of every size need to prioritize their security. This fact has not changed and will not change anytime soon. What has changed, however, are the recommended ways to approach this security.

Today, we wanted to review the history of today’s predominant cybersecurity advice and explore how the zero-trust security model applies.

Meet John Kindervag, the Godfather of Zero Trust

Once an apprentice to be a typewriter repair specialist before transitioning into the role of broadcast engineer and then diving into the world of computer animation (and building his own high-end computers in his spare time), Kindervag ultimately credits the video game Doom for his interest in networking.

How a Game Inspired Today’s Most Effective Network Security Strategy

Under the pretense of using it to transfer animated files (which were too large to be shared in this way at the time), Kindervag convinced his bosses to allow him to build an ethernet network to more effectively support the after-hours multiplayer LAN (local area network) parties that were held in the office.

He wasn’t the only one, by the way… many advancements in computing and networking were initially made in the interest of playing Doom (no word on whether they were primarily using it to play the cooperative multiplayer campaign or the player versus player deathmatch mode).

However, as he worked on these networks, Kindervag realized they were inherently insecure, with little attention paid to their security in favor of routing and switching. With the only protection being a firewall to keep threats out, there was little stopping users from removing data from the network. The trusted, internal network that the business maintained could easily allow data to be shared to an untrusted, external network… like the Internet.

John saw this as “insane”—his word for it—and concluded that all interfaces should have zero inherent trust. Hence, the zero-trust framework.

How Zero-Trust Works

To create a zero-trust system, there are five critical steps that an organization must take:

Step One: Defining the Protect Surface
As Kindervag puts it, “Zero Trust inverts the traditional problems of cybersecurity. Instead of focusing on what's attacking you, it focuses on what I call the Protect Surface. What do I need to protect?”

In other words, you need to identify all the data you have that needs to be protected, whatever form that data takes. Only then will you know the scope of your data protection needs and be able to cover them adequately.

Step Two: Mapping Your Data
So, once you know what data you possess, you need to fully understand how the rest of your business and its IT infrastructure interact with it. Which users need access to what, which applications regularly access this data, and how is your infrastructure set up to store and transfer it? This information is critical to the next step.

Step Three: Designing an Architectural Framework
With all these insights in mind, you must then create a framework that meets all of the above needs and requirements, explicitly considering your IT infrastructure and its construction. While some frameworks may ultimately look similar, any zero-trust strategy needs to be customized to the individual business—hence, all the audits and mapping.

Step Four: Creating Your Zero-Trust Policies
With your network designed to be more security-focused, you need to identify and dictate who can access what, how and when they can, from where, and for which purpose. This goes for every user, role, device, and network, as any of these could be used to access information without authorization.

Step Five: Monitoring and Enforcing Compliance
Finally, you’ll want to actively monitor your network to identify any oversights or loopholes in your zero-trust implementation. This will allow you to make corrections that resolve security issues and potentially optimize your business network's performance.

Some Pieces of Advice from Kindervag

First and foremost, Kindervag reminds us all that security issues like ransomware and other attacks—the kind that zero-trust actively helps mitigate—are not prejudiced against any kind or size of business. As a result, everyone is a target, and the impacts of a cyberattack can easily have severe real-world repercussions in our highly digitized society… and not always the kind you might expect. 

Kindervag refers to a ransomware attack targeting a Swiss Alps dairy farmer and his milking machines. While the farmer could still manually collect milk from his livestock, he couldn’t access the telemetric health data that may have prevented one of his cows from dying.

Emotional losses from losing an animal aside, that’s potentially a few hundred dollars of profit each year, just gone.

Kindervag also points out that many large businesses are still about as prepared as this farmer was to deal with ransomware, even though computer systems and their processes directly impact a modern business’ success. Therefore, according to Kindervag, the most intelligent and cost-effective approach is to be proactive in fighting cybersecurity threats.

We Agree, and We Can Help

If you’d like advice and assistance in keeping your business secure and productive in the face of modern cybersecurity issues, call Coleman Technologies at (604) 513-9428 to find out what needs to be done to implement a zero-trust approach.

There is a lot made about ransomware, for good reason. It is quite simply one of the nastiest cyberattacks out there and it demands your attention. A lot of people understand what exactly ransomware sets out to do, but they don’t understand how it got that far and how to address the situation if they have the misfortune of being put in that position. 

How a Ransomware Attack Works

Basically, the ransomware attack can be deployed in any way that malware would get into a network. Most of the time it is deployed through phishing, which is a scam that uses fear to get people to make impulsive decisions and give network or system access to hackers. Once in, it is pretty simple for them to execute malware, including ransomware. 

Once run, the ransomware will encrypt and lock down all of the files on a device or even a network and then inform the user that they have been infected. File access is replaced with a notice with a ticking clock: Pay the ransom demanded or else. 

What Do You Mean “Or Else”?

Ransomware is one of those rare attacks that can hurt your organization in many different ways. Obviously, holding your files and data isn’t exactly targeted altruism, so that is the first sign that something terrible is happening. The ticking clock telling you that you have only a short amount of time before your files are lost forever isn’t great either. While we never recommend paying the ransom, it might seem like the only viable choice to get back in action following such an incident. This is especially true in more recent ransomware cases where hackers are also threatening to release encrypted data if the victim refuses to pay the ransom. This puts businesses in a difficult situation; do they risk the security of their data as well as the fines that come from the failure to properly protect it, or do they pay the ransom? It’s a lose-lose situation, and one that is entirely preventable with enough precautions.

What Can You Do to Stop Ransomware?

Let’s look at three strategies that you should have in place to help you ward off all types of cybercrime, including ransomware attacks:

Train Your Users to Detect Phishing Messages

Phishing is the #1 attack vector for ransomware and if you train your staff about the signs that they may be dealing with a potential phishing attack, the less likely your business will ever have to deal with ransomware. Some things your staff should be on the lookout for in their correspondence include:

• Messages that ask for sensitive information.
• Messages that use different domains from legitimate sources.
• Messages that contain unsolicited attachments and links.
• Messages that tend to have poor grammar and don’t typically have the elements of personalization that you would expect.
• Messages that try to elicit panic resulting in impulsive action.

A message having any or all of these variables doesn’t automatically make it a phishing message, but the illegitimacy of phishing messages can often be ascertained by the message itself. 

Keep Your Software Patched

You will want to make sure that firmware, antivirus software, operating systems and other applications you utilize are consistently patched. New ransomware versions come out of the blue and by the time anyone catches on, the hackers that perpetuated them are counting their Bitcoin. By patching software, you ensure that your software is current and has taken into account the threat definitions necessary to keep malware of any type out of your network. The knowledgeable professionals at Coleman Technologies have a patch management platform that can save you and your staff the time and effort needed to keep up on all new software updates. 

Backup Your Data

Finally, you will always want to back up your data; not only to combat ransomware, but because it could literally save your business. Having up-to-date backups can help you bypass the ransom demand and restore data and applications affected by the hacker’s encryption. Since most ransomware today is sophisticated enough to search for backup files, you will definitely want to keep a backup offsite, so that they aren’t corrupted.

If you would like to ensure that your business is set up to combat ransomware, give the IT experts at Coleman Technologies a call today at (604) 513-9428. 

Today, we aim to fix that. We will review why a Google account is so important to keep secure, as well as a few means and methods of doing so.

How a Google Account Can Be So Valuable
The purpose of the Internet has evolved greatly in the relatively few years it has been around. Today, the Internet is largely used as a communications and information sharing tool - true to its roots. This is where the name Internet comes from: inter (reciprocal or shared) and network (a system of connected things). However, as new purposes for the Internet emerged over time, circumstances changed, and the view of the Internet shifted.

The Internet was always meant for sharing information, from the very first inklings of an idea. In 1962, J.C.R. Licklider of MIT wrote up a series of memos that illustrated a system of interconnected computers, intended to share programs and data the world over, that he coined the “Galactic Network.” This idea of sharing information was also the driving force behind Sir Tim Berners-Lee’s development of the World Wide Web. As Sir Berners-Lee said:

“Had the technology been proprietary, and in my total control, it would probably not have taken off. You can’t propose that something be a universal space and at the same time keep control of it.”

In many ways, these ideals are retained in today’s environment. Online sharing is at its peak, social media and collaboration fulling leveraging a network that is, for the most part, still free of control by any central source. These are ideals that have developed into the demand for net neutrality and open-access information. However, while these ideals have been largely upheld, there are a few notable caveats that give us a more accurate view of today’s Internet.

As the Internet grew in capability, it also grew in utility… many of which featuring the need for greater security and privacy. With the confidential information that only select users should be accessing growing in popularity within Internet-based communications, this spurred a balance to the Internet that both individuals and businesses can appreciate, and that Google has shaped its offerings around.

From its beginnings as a dissertation project by two Stamford doctorate students, Google has grown into the dominant force online today. Businesses use its G Suite applications every day, as private users leverage some of their other services to their own benefit. Many people, both for business and personal use, leverage Gmail. Let’s face it, Gmail is just useful, whether you use it for work, or just maintain an account to open accounts with other web services.

It is this last point that makes your Google account’s security so important to maintain.

How many of your online accounts are accessible by Google? On the subject, how many of your accounts would be compromised if your Google account was first?

The Impact
This is the double-edged sword of a Google account. On the one hand, it only makes sense to use a Google account to create others, either using your associated Gmail address or linking it directly. The convenience is inarguable, and Google does equip these resources with reasonable security standards. So why not use a Google account?

Unfortunately, there’s one critical consideration that doing so adds into your security equation, that many overlook:

Linking an account to your Google account ties your Google account’s security to it directly.

This means that, if your Google account was to be compromised, all of the accounts you had connected to it are also compromised by association. Depending on what you had saved in this way, that could have some devastating ramifications.

Finding Out How Devastating
If you’re on your desktop right now, you can access your Google account by clicking here. In the Security section, you can review all the devices that your Google account has been active on, all the third-party applications with access to your account, and all the websites that are utilizing Google Smart Lock.

Is this list longer than you would have expected? Does it include your bank?

If it does, all it would take for someone to defraud you would be to access your Google account--or even lock you out of your own bank, resetting your bank credentials by using your Gmail account to activate an account recovery process.

A Solution
Again, this creates a conflict between two priorities: convenience against security. While the convenience could make anything that you use online more efficient in both your professional and personal life, nothing is worth compromising the security of either. So… where do we stand?

Like any conflict between two interests, the ideal place to meet is in the middle. In this case, it is the conclusion that you can have the best of both worlds--you just have to make sure that your Google account is secured properly.

While it would be great if there was, there just isn’t an option somewhere in Google you can select to make everything perfectly secure, just like that. Having said this, it is just a matter of taking a few precautions.

Securing Your Google Account
The first thing to securing any account is to understand that it isn’t a one-time activity and will need to be revisited periodically to make sure that everything remains secure. You should keep an eye out for news stories that discuss breaches among any of the organizations you have an account with, as you will still need to alter your credentials for these accounts.

Once this is set, there are a few best practices that it would be in your best interest to follow.

Passwords and Account Security
While all of your accounts should have the protection of a strong password, the fact that your Google account serves as a repository for your others make it only more crucial to implement one to its authentication measures. To accomplish this, make sure the password or passphrase you select is well in keeping with best practices, and that your Google account is the only account secured with it.

You should also be careful about what you are using to access your account. Any device that is available to the public should be avoided, as they are not only magnets for viruses and other digitally-based cyberthreats, but a cybercriminal could potentially retrieve your credentials from the device you used and thereby gain access to your account. Public Wi-Fi signals can have very similar issues, so use a secured, private connection whenever possible.

Two-Factor Authentication (2FA)
There is also the option to make your Google account ask more of someone trying to access it, a secondary code sent to you in a text message, delivered in the Google Authenticator application, or dictated through a direct call to your mobile device. By enabling 2FA, you can greatly decrease the likelihood that a cybercriminal will have everything they need to get in, assuming they don’t have access to your phone as well. We generally recommend that you utilize Google Authenticator, as it is the most secure of those three options.

You can also use your Google account to access a list of one-time authentication codes that you can print out and keep with you. This way, if you need to access your account and don’t have your phone handy, you can reference these to get in. If you run out of codes or lose the list, you can easily reset them and start over.

To set up these features, log in to your Google account.

At the end of the day, you don’t have to sacrifice the convenience of Google, as long as you have protected it responsibly. Coleman Technologies has the expertise to help you manage this security, as well as the rest of your business’ IT solutions and infrastructure. Call (604) 513-9428 to learn more.

When we say that some businesses are using Windows 7, what we really mean is that with a remarkable market share that still sits around 23 percent, a lot of businesses have chosen not to upgrade to Windows 10, Microsoft’s latest OS. In fact, as of January, when Microsoft officially did away with support for Windows 7, nearly half (47 percent) of SMBs were still utilizing it. It’s not a good scene. Let’s take a look at why so many haven’t moved off of Windows 7.

Why is Using Windows 7 Bad?

Windows was released in July of 2009. That’s over ten years ago. Microsoft has upgraded their OS several times since then. While its functionality and usability are adequate, the major problem is that it is not supported by Microsoft any longer. Since it carries a long-passed end-of-life date, the OS doesn’t get the security updates and patches of a supported software, and is therefore, a liability. 

As you’d imagine, cybercriminals are not adverse to picking low-hanging fruit; and, if your business still uses Windows 7, it’s definitely time for an upgrade. This is especially true if you have any notions of connecting it to the Internet. 

FBI Says Using Windows 7 is Negligent

The Federal Bureau of Investigation released the following statement to the private companies they work with: “As time passes, Windows 7 becomes more vulnerable to exploitation due to lack of security updates and new vulnerabilities discovered."

It’s not just the multi-billion dollar corporations that are at risk. If you have exploits built into the software you use, you are far more at risk than if you use clean and actively supported software. Cybercriminals have no problems hacking small businesses that aren’t taking the steps necessary to protect themselves. 

Most legacy software can now be run in the cloud, and with the importance that a business’ data plays nowadays, there are very few reasons that your business should be running Windows 7 or Windows Server 2008 R2.

What Should Windows 7 Users and Businesses Do?

Obviously, you should be upgrading away from unsupported software. Again, Windows 7 is not supported and you will likely get hacked. For a business, this can be a devastating process. You aren’t just going to get spammed, you are going to get hacked and whatever customer data you have stored can get stolen. I’m sure the last thing you want is to explain to your clientele that you accidentally exposed all their PII. 

More than that, you get Windows 10, which is constantly updated with security patches and functionality upgrades. Microsoft stated their intention to use Windows 10 for the foreseeable future. Windows 10 is more secure, has more features, and even law enforcement thinks you should upgrade. 

Managing risk in your business is important and using Windows 7 is the definition of risk. If you would like to talk to someone about getting out from under Windows 7 altogether, what your options are for the legacy apps you use, and how a quick upgrade will exponentially improve your business’ ability to ward of cyberthreats, call the experts at Coleman Technologies today at (604) 513-9428.