Courtesy navigation

Blog posts in IT security

What you need to know about the Heartbleed security issue

April 14, 2014 by John McGarvey

Bleeding heart{{}}If you missed the news last week, experts have discovered a flaw in popular encryption software OpenSSL.

This is a big deal because OpenSSL protects hundreds of thousands of websites, including big names like Google, YouTube, Tumblr and Yahoo.

The issue is called Heartbleed. Although OpenSSL is meant to protect data transferred between a website and person using it, Heartbleed may allow hackers to access that data.

Time to panic?

Heartbleed is a high-profile story because so many websites use OpenSSL. But there's been a lot of confusion over what we should do about it.

Some websites have advised you to change all your passwords. Others have suggested that's counterproductive until every website has been fixed. So, we've investigated what businesses need to be concerned about.

First off, let's get one thing clear: Heartbleed is a real issue. You should definitely spend a few minutes thinking about how it might affect your business.

There are two aspects you need to be aware of:

  • If you run a website that uses encryption (like an online shop) you should check to see if it's affected by Heartbleed.
  • You should also consider whether any websites you use have been compromised.

Check if you're affected

Does your website use a secure connection (where a padlock appears in the browser)? If so, it's vital you check which encryption technology it uses.

If you're not used to getting into the nuts and bolts of your website, speak to your web developer or to the company that supplies your SSL service (usually your web hosting firm).

You can also pop your website address into this Heartbleed checker, which will let you know if your site is affected.

If you get the all-clear, that's great — you don't need to worry. But if your site does have the Heartbleed vulnerability, you should get it fixed — pronto.

This means updating to the latest version of OpenSSL, which doesn't suffer from Heartbleed. Your web hosting company or web developer should be able to do this for you.

In the meantime, consider deactivating the secure parts of your website. Better safe than sorry, after all.

Check the websites you use

Experts reckon around 500,000 websites are affected by Heartbleed. There's a good chance some of them are services you use regularly.

Changing passwords is the way to go here. But you need to make sure the problem is fixed before you change a password on a particular website. Otherwise, you risk exposing your new password too.

Most major websites will have fixed their systems by now. Again, you can use the Heartbleed checker to make sure.

As a precaution, we'd advise changing all the passwords on sites you use regularly — but only when you're sure those sites are secure.

Remember, it's safest to use a separate password for each website and to make sure all passwords are nice and strong.

Watch your accounts carefully

There's one last thing to bear in mind. Heartbleed was around for a long time before it was discovered. As a result, nobody's certain if any hackers exploited it before it became common knowledge.

In case your business or personal data has been affected, it's a good idea to check your online banking, email and other services you use regularly. If you notice anything out of the ordinary, do investigate.

Posted in IT security | Tagged security | 0 comments

The five biggest hacks of 2014 (so far)

March 24, 2014 by Guest Blogger

The five biggest hacks of 2014 (so far)/Smart phone hacking{{}}We’re barely a quarter of the way through the year, yet many hacking stories have already hit the headlines.

Worryingly, many of them involve large, reputable companies and websites. And if they can’t stay safe from hacking attempts, what does that mean for smaller companies?

Here’s our round up of 2014’s five big hacks, so far. Oh, don’t forget to read our advice on keeping your business safe and coping during a security breach.

1. Kickstarter

Phenomenally successful crowdfunding website Kickstarter was the focus of a successful hacking attempt in February. The attackers didn’t manage to make off with any credit card information, but they did get hold of email addresses, passwords and phone numbers.

"We're incredibly sorry that this happened," chief executive Yancey Strickler commented. "We set a very high bar for how we serve our community, and this incident is frustrating and upsetting. We have since improved our security procedures and systems in numerous ways.”

2. University of Maryland

Just a week after the Kickstarter incident, the University of Maryland was targeted. Worryingly, hackers were able to access a whopping 309,079 personal records.

These included information such as dates of birth, university numbers and social security numbers.

The university’s president, Wallace D Loh, confirmed the institution had fallen victim to a sophisticated attack: “I am truly sorry. Computer and data security are a very high priority of our university.”

3. Edward Snowden

Having your email address stolen is bad enough. But would you want your passport — complete with embarrassing passport photo — stolen? Just ask whistle-blower Edward Snowden, who had a photo of his passport posted on online by a hacker.

Snowden may not be the only person affected by this attack. The perpetrator claims to have gained access to 60,000+ passports belonging to law enforcement and military officials signed up to the EC-Council’s Certified Hacker scheme.

4. Tesco

Valentine’s was as much for hackers as it was for lovers this year. Just before 14 February, 2,240 Tesco customers were the victims of a hack that revealed their phone numbers, email addresses and voucher balances. The unluckiest bunch also had their vouchers stolen.

Following the unexpected hack, Tesco contacted affected customers and issued replacement vouchers where necessary. Every little helps?

5. Twitter user @N

In what is almost certainly the most viral hack of the year so far, Naoki Hiroshima lost his Twitter username, @N, estimated to be worth around $50,000.

As only 26 people can have a one-letter Twitter handle, they are highly desirable. Naoki was the subject of an elaborate attack that saw the hacker go via websites such as PayPal and GoDaddy to access personal information.

According to Naoki, the hacker used PayPal to find out the last four digits of his credit card number. They were able to obtain other personal information from GoDaddy, before using these details to hijack the rare Twitter account.

The good news for Naoki is that — after some fuss — he eventually got his username back.

Andrew Mason is the co-founder and technical director at RandomStorm

Posted in IT security | Tagged security | 0 comments

Your five-minute guide to online backup

March 20, 2014 by Alexandra Burnett

Your five-minute guide to online backup/Online backup icon{{}}Online backup services can be a really convenient way to take a safe copy of your company data and store it away from your main business location.

This means that if anything goes wrong your data, you still have a backup copy to work from.

How does online business backup work?

Online backup services are generally simple and easy to use:

  • Your important data is uploaded to the backup provider’s servers, over the internet.
  • These servers are usually located in a data centre, keeping your files available and safe.
  • Software on your computer or server automatically keeps track of changing data, backing it up automatically.

And that’s pretty much it. You change a file in the office and the backup copy gets updated for you. Delete a file by accident and you can get a copy back within minutes.

With some research showing that 48% of businesses experience data loss each year, online backup can be a really effective way to protect your company.

Why use online backup?

Businesses have traditionally backed their data up to tapes, hard drives or CDs. So, why use online backup instead of these tried-and-tested methods?

  • You don’t have to mess around swapping tapes or disks, or remembering to keep them somewhere safe, off your premises.
  • Online backup is largely automated. Although you still need to monitor and test your backups, online backup has fewer management overheads.
  • Fewer capacity issues. Online backup services are flexible, so as your data grows you can just pay a little extra for more storage.
  • No hardware to buy or replace. You never need to replace backup drives, tapes or disks when they wear out.
  • Keep track of file versions. Most online backup systems let you recover copies of files that have changed several times.
  • Even if your office burns down and your server is destroyed, you can access your data online — from anywhere in the world.

Online backup: what to look for

Not all online backup services are equally safe and effective, so it’s important to choose an online backup supplier that:

  • Takes at least two copies of your information and stores them in two different, secure data centres.
  • Charges you only for the service you need. You shouldn’t be paying for unnecessary storage space or add-ons.
  • Checks your data regularly for inconsistencies, so you can be confident your backups will work if you need to access them.
  • Offers disaster recovery services, to be sure you can get up and running again quickly if you do have a problem.

Are online backups right for your business

An online backup service could be a good fit for your business if:

  • You want a cost-effective, future-proof backup solution.
  • You need a flexible data backup and retrieval mechanism.
  • You need a backup system that doesn’t require too much looking after
  • You want file-versioning without having to juggle lots of backup tapes.

To learn more about backups, read about how to find the right backup methods, and see the five key questions to ask about your backup system.

This is a post from Danny Walker, director at IT Farm. 

Posted in IT security | Tagged security, backups | 0 comments

Your staff are still your biggest security risk

February 17, 2014 by John McGarvey

Your staff are still your biggest security risk/IT security is like walking a tightrope{{}}If you’re focusing all your IT security efforts on things like anti-virus and firewalls, are you missing the biggest risk of the lot?

A recent survey from security firm SecureData found careless employees are the biggest concern of IT professionals, pushing obvious dangers like data theft and malware down the list.

And if you’re running your own business, it’s worth listening to the opinions of IT professionals. They know technology, and they can see where the biggest risks lie.

So, what can you do?

Threats are more targeted

Your staff pose a bigger threat these days because the nature of security threats has changed over the last few years. Many organisations — both large and small — have struggled to keep up.

While back in 2008 or 2009 we were all worried about viruses, spyware and Trojans, these days it’s more targeted threats like spear phishing that are most likely to have IT managers worried.

These attacks are on the rise because they’re effective. Even the most tech-savvy of your staff can be tempted into clicking an email when they shouldn’t. And often, the biggest data breaches can be tracked back to a single, unfortunate click.

Combatting these new threats

It’s important to make your staff aware of how phishing scams operate. You can also give them pointers so they know how to spot potential security breaches.

However, you can’t expect your employees to be infallible. People make mistakes, which means it’s vital you have some additional checks and precautions in place.

A good starting point is to make sure you allow access to data on a ‘need to know’ basis. Resources like your customer database, your accounting system and any shared folders often contain lots of sensitive data.

Rather than allowing everyone to have access to all these resources, the default setting should be that people don’t have access. If an employee needs it — and there’s a good case for it — then you can open up access on an individual basis.

This reduces risk because you’re adding extra layers of protection. If a hacker manages to guess the password of an employee, they’ll still face barriers when trying to reach privileged information.

It might cause a little inconvenience when someone needs to request access to a particular resource. But it’s better than giving hackers a free run of the place.

Posted in IT security | Tagged security | 0 comments

Ten security predictions for 2014

January 20, 2014 by Guest Blogger

Fingerprint — biometrics{{}}You’ve already seen our exciting IT predictions for 2014. But what of IT security and data protection? Are there any threats your business needs to know about?

Alex Balan, head of product management at internet security firm BullGuard, has come up with these ten predictions.

1. Ransomware

It’s devious and destructive and it makes hackers money. Ransomware has been around a while, but because it’s effective it’s going to be around for a lot longer.

A good example of ransomware is Cryptolocker. It encrypts your documents and shows a message saying you must pay a ransom to get your computer back. If you don’t pay up then you lose your data — and there’s little anyone can do to help you.

2. Mobile malware

There is a growing body of evidence to show mobile devices being attacked, with online criminals often aiming to steal personal financial details.

This is hardly surprising given the explosive growth in smart phones and tablets. There’s plenty of data on mobile devices to be stolen. Hackers can also make money by setting up their own premium-rate numbers, then dialling them from compromised mobile phones.

Learn more about mobile security software.

3. Shoring up personal security

The news about the NSA and GCHQ monitoring internet traffic, emails and phone calls was the most important cyber security event in 2013. These revelations have increased awareness of the need for personal security.

Until now, people have generally only taken security precautions reactively, typically after something has happened. But now they’re becoming more proactive. This will create a growth in technologies to help users keep their communications and data private.

4. Forget me not

We’re likely to see more attacks on old software and systems that are full of security holes. For example, Microsoft XP reaches the end of its life in April, which means no more updates, even if a security problem is found.

This popular but creaking operating system is widely used and how many people know Microsoft is turning its back on it? Hackers know, of course. There will be many attempts to find new exploits in XP, which means many people will fall victim to malware.

5. The internet of things

You may or may not have heard of the ‘internet of things’. It describes the increasing connectedness of everyday objects. We have internet-connected webcams, CCTV systems, televisions, digital video recorders and even baby alarms. These devices may be vulnerable to attack.

It might sound bizarre, but soon we’ll see fridges, toasters and other devices that are hooked up to the internet. Don’t be too surprised when you hear of these things being hijacked by hackers (fancy a hacked toilet, anyone?).

6. Back it up

Never in the history of humankind has an industry grown so rapidly and so pervasively as technology. It reaches into every corner of our lives. Film cameras are a thing of the past, physical bank branches are becoming quaint and well-known retailers have disappeared from the High Street.

But what happens when computers crash? Thankfully, more people are aware of the potential for damage, and this is leading to an increase in back-up technologies. Expect the arrival of more backup services this year — especially ones that work over the internet.

7. Biometric authentication

Biometric authentication is widely regarded as the most secure form of identity control. Early systems were slow and intrusive, but because today’s computers are faster and cheaper than ever, the interest in biometrics has been renewed.

There are several types of biometric authentication in use, but fingerprint authentication is becoming the most common. We’ll see more computers, mobile devices and accessories with built-in fingerprint readers this year.

8. The deep web gets deeper

Law enforcement agencies have scored some significant ‘deep web’ successes the past year, most notably taking down of the Silk Road web site, which allowed users to buy anything from heroin and cocaine to guns and fake currency could be bought.

Authorities will continue to make inroads into the deep web in 2014 but the odds are that deep websites will respond by making it harder to take down sites or identify the people responsible.

9. Smart phones in the workplace

You may not realise it, but when you take your smart phone into the workplace and hook it up to your computer, you’re committing a security faux pas. If your device has malware on, you risk releasing it into the company network.

Hackers love breaking into company networks because they are treasure troves. And because smart phones are so popular, hackers are targeting them in order to access corporate networks. We’ll see an increase in this type of activity in the coming year, so it pays to be aware.

10. Service provider hacks

When an internet service provider (ISP) gets hacked it resonates long and loud. In April 2013 UK giant BT dumped Yahoo as its email provider following months of hacking complaints from customers.

Many hackers break into ISP systems just to get free broadband, but at the organised crime end of the spectrum it’s done to launch large-scale spam and malware attacks. Don’t be surprised to see more ISP hacks in the coming year.

This is a guest post from Alex Balan, head of product management at BullGuard.

Posted in IT security | Tagged security | 1 comment

Watch out for spear phishing

December 11, 2013 by Guest Blogger

Watch out for spear phishing/spear fishing underwater{{}}Every day, it seems there’s a new online scam ready to catch up the unwary. Recently it was cyber-criminals posing as a dating agency on LinkedIn in order to harvest data from unsuspecting users of the professonal networking site.

This was a so-called ‘spear phishing’ attack, where online criminals target specific people rather than sending out messages at random. Top corporations and media outlets are increasingly becoming victims of these scams — but that doesn’t mean smaller companies aren’t at risk too.

Spear phishing is an example of social engineering, which sees online scammers manipulate people into sharing sensitive information about themselves or others.

It’s easy to fall victim and there’s no shame in it. These criminals are good at what they do, using flattery, confidence tricks and deception to get the information they want.

Social networks and email are two of the most common routes through which scammers will try and contact you or people in your business. To help you stay safe, here are five ways to avoid falling victim to a spear phishing attack:

  1. Always use your common sense. The most important thing to remember is not to automatically trust any email. Don’t let the presence of familiar personal information in a message lull you into a false sense of security.
  2. Post minimal personal information on social media. Yes, it’s tempting to tell everyone when it’s your birthday on Twitter, or that your son is called Oli, but it’s really better not to reveal information like birthdays, anniversaries or the names and ages of your children. You can always use single letters or initials in place of full names, if you have to tweet about little Johnny’s every move.
  3. If an email requests immediate action, do a little research. Scammers will try and stop you thinking for too long by creating a sense of urgency — like requesting you reply immediately to secure a special offer. Google the company name and get a contact number to ensure the email is valid.
  4. Be careful with emails that relate to current events. For example, emails about the royal baby or the scandal of the moment could well contain links to malicious web sites. Back in 2012, photos of Emma Watson could have been a threat to your company.
  5. Don’t assume emails from people you know are safe. Cyber criminals can collect a colleague’s email address from social networks or the internet and send email to you that looks like it is from them.

The bottom line is that vigilance is key to staying safe from a spear phishing attack.

It may seem like an inconvenience to do extra research when you receive a message you’re unsure about, but in the end it’s worth the time to know who you’re dealing with. 

This post is from Espion, a firm specialising in IT security.

Posted in IT security | Tagged IT security | 0 comments

Are security fears holding you back?

December 04, 2013 by John McGarvey

Are security fears holding you back?/blindfolded man{{}}Here’s some good news for you: more businesses are taking IT and security risks seriously.

Security is no longer a topic that’s relegated to IT departments or individual staff members. A survey of UK organisations by risk management specialists NTT Com Security found that 56% of respondents discuss security and risk either routinely or frequently at board level.

The IT fear factor

However, as businesses become more aware of potential security risks, it seems a fear factor may be kicking in. The same survey found that concerns over information security and risk have stopped a project or business idea progressing in nearly half (49%) of organisations surveyed.

So, how do you monitor and manage the risks your company faces, without becoming paralysed? After all, if you paid attention to every online horror story then you’d probably shut up shop and find a nice, non-internet business to run, instead.

Get to grips with your security

There’s a strong argument to say that companies with the best handle on their security are the ones that see it as an opportunity.

Being proactive, identifying and managing risks and taking steps early can actually give you an advantage in the market. For instance, clients and customers like it when they know they can trust you to keep them safe.

But proactive security isn’t something many businesses do well. Only 1 in 5 organisations surveyed said they base their security spending on risks they’ve actually assessed.

The rest, presumably, take a range of basic security precautions and then react to other problems as they occur.

Proactive security is best

Neal Lillywhite, SVP Northern Europe at NTT, says that although businesses are aware they should take a proactive approach to managing risks, most don’t yet put this into practice:

“While the majority see a benefit to having a proactive approach when assessing the risk of information assets, the fact that still only a fifth base their spending on assessed risk shows there is plenty of room for improvement.”

If your business is one of the 4 in 5 that doesn’t do a good job of assessing the risks it faces, it’s probably time to start. And as there’s no time like the present, why not find out how to perform an IT security risk assessment right now?

Posted in IT security | Tagged IT security | 0 comments

The last rites of traditional IT security

November 19, 2013 by Guest Blogger

The last rites of traditional IT security/man on tight trope, IT risks{{}}Anti-virus software has been one of the standard weapons against online threats for the past two decades. But as the nature of online dangers changes, anti-virus software is starting to look past its sell-by date.

Nowadays, it’s not worries over traditional viruses that keep IT professionals awake at night. Their number one concern is more likely to be the targeted attack. Online criminals will stealthily approach your business, gaining access to critical systems, leaving virtually no trace.

Factor in clever new malware delivered via phishing or social engineering and you start to realise that anti-virus software is near-useless against this new generation of threats.

Professional online criminals

Professional online criminals are often behind these new threats. From stealing valuable intellectual property to coordinated attacks on bank accounts, the online attack model of today is a world away from the loud-mouthed internet vandals who used to dominate the headlines.

Today’s attacks are carried out by groups, rather than individuals, are designed to steal valuable data — and often leave no trace.

What’s more, online attackers are patient. An analysis of what’s known as advanced persistent threat (APT) incidents by Mandiant revealed the average period over which attackers controlled a victim's network was one year.

That’s a long time for online criminals to have access to your data without you realising.

Additionally, many of these breaches are inside jobs, where authorised users (often company employees) load malware or password-capturing software onto company systems.

Anti-virus was never enough

In all honesty, anti-virus software has always had its weaknesses. It has to be updated daily and cannot effectively prevent against new threats until they have been identified and an antidote created.

This model was flawed when most viruses were noisy and high-profile. But today, threats are silent and stealthy. With fewer organisations affected, there are fewer opportunities for the virus to be identified and neutralised.

What should we use instead?

If anti-virus software isn’t enough, then what are the options?

First off, organisations need to address any complacency that exists and start implementing security processes that are key to effective defence.

Getting the basic principles of security right is a good place to start. Creating a security checklist is relatively straightforward with help from an IT professional or supplier. Doing so gives you a clear list of recommendations and will help you identify any weaknesses in your business.

File integrity monitoring

However, you also need an infallible way to detect malware if it does manage to bypass security defences.

File integrity monitoring (FIM) is an excellent way to do this. It radically reduces the risk of security breaches by warning when a change has been made to underlying, core file systems.

Flagging changes in this way makes it harder for threats to take hold because you get immediately notified if changes happen that could indicate a stealth attack.

A combination works best

File integrity management works best when combined with strong change management processes. This means your business needs to keep tight control on who is allowed to make changes to core software and when they may do so.

It’s not a silver bullet that will make your business impervious to online threats. But as a core plank of your security strategy, file integrity management can effectively protect your data and dramatically reduce the risks your business faces.

This is a guest post from Mark Kedgley, CTO at New Net Technologies,

Posted in IT security | Tagged anti-virus | 0 comments

Do you need to secure your smart phone?

November 04, 2013 by John McGarvey

Do you need to secure your smart phone?/criminal and smart phone: mobile security{{}}If you own a smart phone, you’re carrying a powerful computer around in your pocket. And, like all computers, it’s a potential target for malware, online criminals and hackers.

Never given your smart phone security more than a passing thought? You’re not alone. Technology analysis firm Juniper Research has found more than 80% of company and personal smart phones will remain unprotected at the end of 2013.

Mobile risks are increasing

The report — Mobile security: BYOD, mCommerce, consumer and enterprise —found that security risks are on the rise due to an explosion of mobile malware over the last two years.

Cyber criminals are switching focus, targeting PCs less and mobile platforms more. These findings support Trend Micro data showing that that there are already more than a million different pieces of malware and high-risk apps for Android devices alone.

We’re more aware of mobile security

It’s not all doom and gloom though. The report identified that although adoption rates remain low, awareness that mobile security products exist is growing. So, if more of us know that there are tools to protect our smart phones, why aren’t we using them?

Well, perhaps the risks are less obvious than on our desktop computers. After all, have you, or anyone you know, been affected by malware on your smart phone? The dangers are growing, but aren’t yet high-profile enough to encourage mass adoption.

BYOD and security

The report claims that the low level of adoption of security software can be attributed to a number of factors, including the relatively low awareness about attacks on mobile devices and a widespread perception that the price of security products is excessive.

However, with BYOD (bring your own device) — where employees use their own mobile devices for work — becoming more common, it’s important that your business starts thinking about mobile security.

Using mobile security software may be a start, but really you need to step back, taking a broader look at how you use mobile devices and where the risks lie. Then you can create a mobile security plan to keep your data, your employees and your business safe.

Posted in IT security | Tagged mobile | 0 comments

Get an IT security healthcheck

October 24, 2013 by John McGarvey

Get an IT security healthcheck/green first aid kit{{}}We cover IT security a lot on this blog, because it’s a really important subject and there’s a lot to say about it.

Unfortunately, that means it’s difficult to stay on top of current security threats, like knowing whether you should be more worried about hackers or viruses this week.

If you feel like you haven’t given any thought to data and IT security lately, we’ve found a security healthcheck tool that you might find useful.

Created by AVG, a company that makes security software, it asks you a number of questions before scoring your security overall and providing specific advice in each area.

It’s not a magic solution to keeping your data safe. IT security is different for every business, so you still need to learn more about the dangers you may face and speak to your IT supplier to make sure you’ve taken sufficient precautions.

However, this tool will get you thinking about the things that matter when it comes to IT security. And the advice at the end should give you some good starting points for improvements.

Just bear in mind that this advice is purely from a security perspective.

For instance, while the tool may advise you to upgrade to the latest version of Windows (and that might be the most secure option), there are other considerations too, like whether your existing software will keep working ok.

Try the AVG security tool >>

We also have lots of other information to help you secure your business IT systems. These are some good places to start:

Posted in IT security | Tagged IT security | 0 comments

Will fingerprints be the passwords of the future?

October 02, 2013 by John McGarvey

Broken finger? No iPhone?{{}}

Apple's iPhone 5s has one particularly striking new feature. There's a fingerprint reader built into the phone's home button, which means you can unlock the phone and authorise purchases using your fingerprint instead of having to tap in a code or password.

As with many of Apple's apparent innovations, this has been done before. Motorola's ATRIX handset has a fingerprint scanner and that launched in 2011. The only problem was reviews found it to be unreliable.

Easier than passwords

First impressions of the iPhone's fingerprint scanner, on the other hand, suggest that it works very well. If it proves reliable over time, then the new iPhone could be the first in a wave of products that bring fingerprint recognition to the masses.

At face value, this is A Good Thing. Who hasn't struggled to recall an impossible-to-remember password at some point or other? As we've said before on this very blog, 'passwords are fundamentally broken'.

Are fingerprints secure?

Before we start using fingerprints for everything from mobile phones to internet banking, some experts reckon it would be an idea to think through the implications in a little more detail. After all, your fingerprint is very different to a password because it can't be changed.

Data protection expert Johannes Caspar put it well in a recent article for German newspaper Der Speigel:

"The biometric features of your body, like your fingerprints, cannot be erased or deleted. They stay with you until the end of your life and stay constant — they cannot be changed. One should thus avoid using biometric ID technologies for non-vital or casual everyday uses like turning on a smartphone."

In short, your fingerprint is a one-shot deal. Once it's compromised, that's it.

As if to back up his point, a hacker club already claims it's managed to fool the iPhone's fingerprint reader by taking a photo of a fingerprint and using it to create a fake finger.

But if that's the case, surely it's silly to rely on fingerprints to provide any sort of meaningful protection at all. Using a fingerprint to authorise a bank transfer? Forget it. Controlling building access via fingerprints alone? Probably a no-go.

Then — of course — there are other fringe concerns about relying on fingerprints. The Daily Mail (who else?) warns iPhone thieves might start lopping off people's fingers. And what do you do if you've hurt a finger (pictured)?

Convenience trumps security

Ultimately, the arguments over the stength of fingerprint-based systems are likely to be trumped by the convenience factor. If using your finger to unlock your phone is easier and faster than tapping in a code then people will use it.

It's unlikely fingerprints will ever be used for authentication in more critical circumstances except when combined with something else. This 'two-factor' authentication usually requires something you have (your fingerprint) and something you know (perhaps a password or PIN).

So, get ready: the fingerprint revolution is on the way.

Posted in IT security | Tagged security | 0 comments

Are you thinking about IT security enough?

September 30, 2013 by Adrian Case

Are you thinking about IT security enough?/get your IT security head on{{}}How much time do you spend thinking about IT security? Unless you have been affected by a security problem, you may have never given it much thought.

Use strong passwords

Your business probably has a number of people accessing its computer systems who are likely to manage their own passwords.

If they manage their own passwords, that means they are setting their own levels of security for your network. Beryl in accounts only comes in once a week, so she can’t be expected to remember anything complicated, can she? What’s wrong with ‘password’ anyway?

And Steve in the sales team dearly loves his fiancée, so why shouldn’t he have ‘Nicola’ as his password?

Passwords like these are a really bad idea because they’re easy to guess. In fact, ‘password’ is probably the worst you could possibly choose.

Not using effective passwords puts your entire system and company data at risk. Here’s how to come up with strong passwords.

Antivirus software: a necessary evil

Does every computer in your business have up-to-date security software? And do you assume that this is sufficient to protect them, no matter what they subsequently do online?

If you’ve answered ‘yes’ to both those questions, well done for having the software. But don’t think your job is done.

Staying safe isn’t just about having the right security software in place. The safest users are the ones who are well-informed, so help your staff to understand how your security software works, what spam, viruses and other threats look like … and how to spot a malware-infested website.

Make sure you have an IT security policy that explains what your people need to do to stay safe.

You do have a firewall, right?

Firewalls act as a filter between your business network and the outside world.  They allow safe traffic through, but block questionable connections before they can do harm.

Here’s a quick checklist to help you get your IT security basics right: 

  1. Are all your computers protected by adequate security software?
  2. Is every device on your network connected securely and protected by a firewall?
  3. Do you hold confidential or critical data? If so, is this fully protected?
  4. Are your staff aware of viruses, malware, spyware and the risks of malicious websites?
  5. Are you protected from the growing number of professional hackers?
  6. Are mobile employees and remote offices connecting securely?

It is important your employees have safe, secure tools to go about their work with minimum risk to the business. Over and above that, they should be empowered and informed about security threats so they know how best to respond.

If you’re in any doubt about the security of your business, speak to an IT security specialist (perhaps your regular IT supplier) who can discuss your needs and the potential risks. 

Adrian Case is technical director at Akita.

Posted in IT security | Tagged security | 0 comments

Are you using one of the world's worst passwords?

July 11, 2013 by John McGarvey

Man with cups - guess password?{{}}Here's a list that might jolt you out of complacency if you're a bit lax when it comes to choosing and changing passwords.

SplashData, a leading provider of password management solutions, has put together a list of the 2012's worst passwords.

The list was compiled by analysing millions of compromised passwords that were posted online by hackers, and identifying the most common. It contains few surprises, but certainly underlines that we can all be far too slapdash when securing our online accounts.

Here are the top 10 worst passwords of 2012:

  1. password
  2. 123456
  3. 12345678
  4. abc123
  5. qwerty
  6. monkey
  7. letmein
  8. dragon
  9. 111111
  10. baseball

See any passwords you recognise? Change them, now. Because if you don't, it'll be child's play for a hacker to get in to your account.

Remember: the strongest passwords are as long as possible and use upper and lower-case letters, numbers and symbols. I like to choose a song lyric, take the first letters and then substitute in symbols and numbers where they're easy to remember.

For instance, the Rolling Stones' classic lines You can't always get what you want / But if you try sometimes you just might find can become:

  • YcagwywB1yt$yjmf

See five other ways to create strong passwords you can remember >>

Posted in IT security | Tagged security, passwords | 0 comments

Friday tip: avoid this IT support telephone scam

July 05, 2013 by John McGarvey

Red telephone - Microsoft support scam{{}}

If you get an unsolicited call from someone claiming to be from 'Microsoft support', 'Microsoft Windows support' or something similar, put the phone down.

It's a scam, and for this Friday's IT tip we explain how it works and what to watch for.

'There's a problem with your computer'

We all have computer problems now and again. And you've probably read about the security threats from hackers, viruses and malware.

So when someone calls you out of the blue claiming they're from Microsoft and that they're calling because your internet provider has reported a problem with your computer, it's human nature to listen.

If there's a problem, you want to put it right.

And if they ask for a payment of - say - £50, well, that's a small price to pay for the security of knowing your computer is safe and sound.

'I can fix it for you now'

But wait. If you offer payment and hand over log in details for your computer, the consequences could be severe.

For a start, you'll have passed your payment details onto a scammer. And you'll also have granted them access to your computer, along with any sensitive data saved on it.

So, this Friday's tip is simple: if you receive a call like this, just hang up.

There is no problem with your computer. There is no Microsoft support team calling people in this way. And so you should steer well clear.

How one hour can critically damage your business

May 07, 2013 by John McGarvey

Clock - one hour to damage your business{{}}

Do your staff understand the full risks involved if they lose their business smart phone or another mobile device that contains company data?

Quite possibly not, according to new research carried out on behalf of Kaspersky Lab. It found that over three-quarters of people working in European small and medium-sized businesses would wait more than an hour before telling the company about the theft or loss of a business-owned device.

An hour doesn't sound long, but if a company smart phone falls into the wrong hands, 60 minutes is time enough to do a whole lot of damage. Racking up call charges to premium rate or international numbers is the least of your worries. Being slow to report a stolen device could see your valuable company data being siphoned off.

Data that's easy to lose

IT deals

See the latest business tech bargains we've found online.

Tech bargains >>

Or buy IT equipment now from these trusted suppliers:

Customer and employee contact details, financial information, confidential emails, access to company Twitter and Facebook accounts ... these days a smart phone is as powerful as a computer, only harder to secure and easier to lose. You need to treat it with the same amount of care.

What's more, the research questioned IT managers too. 29% of them reckoned it would take a whole day for employees to tell them about a lost or stolen device.

Take more care

David Emm, senior security researcher at Kaspersky Lab, has some good advice for companies that want to take better care of their mobile devices.

“The ever-growing abilities of mobile devices make our lives much easier," he confirms. "However, what we don’t always consider is the ease with which such tools can be stolen, leaving a wealth of business critical information in the hands of thieves."

"To a seasoned cybercriminal, it will take only a matter of minutes to bypass the four digit password protection used on most devices, especially smart phones. If your mobile device is lost or stolen, it is critical that the IT department is informed as fast as possible. They can then block access of this device to the corporate network and, in the best case, wipe all of its data.”

Of course, you can't remotely wipe a device unless you've put in place systems to let you do this. If you're a sole trader or run a very small company, it's probably enough to take steps to back up each individual device and install a remote wipe app. Read our advice here.

Larger businesses will want to look into mobile device management (MDM) solutions. MDM software gives you much greater visibility and control of the mobile devices in your business, so you can restrict how they're used, what's stored on them and - crucially - scrub them clean and lock them out of the company network.

Posted in IT security | Tagged security, mobile | 0 comments

Protect your business from a cyber attack

April 25, 2013 by Rahul Mistry

Security guards - website security{{}}There are an estimated 4.8 million small and medium-sized enterprises (SMEs) in the UK, many with their own ecommerce websites.

In 2011, 32 million people purchased goods or services online. That gives the UK one of the world's biggest internet-based economies. And it's why keeping your website safe and secure from cyber-attacks has never been more important.

SMEs are easy targets

As a business owner, you’re probably dealing with plenty of critical day-to-day issues. Perhaps worrying about your website’s security is not top of your list of priorities.

You may be wondering why hackers would want to target a small business rather than big brands like Lush and Adidas. The simple answer is that hackers know smaller businesses have fewer resources dedicated to online security, making them easier targets.

For those involved, cyber crime is big business. It costs the global economy $338bn a year which, according to Symantec, is significantly higher than the global narcotics black market.

Since the beginning of 2010, 36% of all targeted cyber-attacks have been directed at SMEs.

With around 44 million attacks a year taking place against home computers, businesses and government systems in the UK, an offline website means a loss of income. For instance, PayPal reportedly lost £3.5m due to a cyber-attack in 2010.

As well as lost revenue, a website security breach can result in losing vital data, your reputation and even your ranking on Google. Ultimately, it could damage your business beyond repair.

Six simple tips to protect your site

Here are six simple but effective tips to  protect your business against cyber attacks:

  1. Choose your passwords carefully. Password123 is not a secure password! Make sure passwords have at least eight characters and use a combination of letters and numbers. Here are some ideas for creating strong passwords.
  2. Install anti-malware and anti-virus protection for your website in the same way you would your PC. Reviews can help you determine if the product is right for your business.
  3. Use SSL to encrypt data. SSL provides a secure connection, protecting data sent between a customer’s web browser and your server. Your hosting provider can help set this up for you. Learn more about SSL.
  4. Avoid using wireless networks. If you must use them, make sure you're using the latest encryption standard, WPA2. This offers government-grade security.
  5. Keep programs and hardware up to date. This helps block malware that thrives in older equipment and out of date software. If you are using Windows or a Mac you can set up weekly update checks. You should also do this for any software you use to manage your website.
  6. Educate employees about the latest online threats. This way they’ll know clicking on bad links or opening dodgy attachments can compromise data. All your staff should be as vigilant at work as they are at home. If in doubt, don’t click it.

So, if website security wasn’t on your priority list, it might be time to add it now.

Guest post by Rahul Mistry, content writer for www.heartinternet.co.uk. You can follow Rahul on Twitter and Google Plus.

Posted in IT security | Tagged IT security | 0 comments

Don't panic, but 23% of your staff are stealing from you

April 17, 2013 by John McGarvey

Employee stealing data{{}}

If dodgy employees all looked like this, they'd be easy to spot.

A staggering one in ten employees has stolen important data from their employer after handing in their notice, reveals a new study from IT security specialist LogRhythm.

It seems that downloading a company's customer database onto a USB stick or copying crucial documents to CD is much more common than you might have thought. Of the 2,000 employees studied, the survey found that a massive 23% had taken confidential data from their workplace.

Often, people steal client details or product information in the hope that it'll give them a head start with their new employer. But 14% of people who admitted taking data did so to help set up their own rival company. And 23% did it out of revenge, because they felt undervalued and poorly treated.

Employers know the problems

Looking for a deal?

See the latest business tech bargains we've found online.

Tech bargains >>

Or buy IT equipment now from these trusted suppliers:

Clearly, anyone stealing data from their employer is in the wrong. But that doesn't mean businesses should make it easy for employees to get their hands on the good stuff.

This research also surveyed employers, 47% of whom said they don't have any system in place to stop staff accessing confidential information or taking data.

So, all-too-often it's lax security and a lack of concern that makes it easy for staff to walk away with crucial company assets.

Worse, 60% of employers said they never change passwords or access codes, which is a little like leaving the door wide open for former employees to come and grab what they like.

You wouldn't let a staff member keep their keys to the office after they've left, so why would you let their passwords keep working?

Are you at risk?

If this survey is at all representative, there's a good chance your business is at risk of data theft. So, what are you going to do about it?

  • Restrict data access. Sensitive data like customer information should only be available to employees who absolutely need it. It should never be sent by email or stored in shared locations.
  • Close user accounts promptly. If a member of staff has been sacked, close their network account immediately and revoke all their access rights.
  • Don't share passwords. Shared passwords are the enemy of good security. Not only can people continue to use the password once they've left, but it's also much harder to tell who's been accessing the data.
  • Rotate access codes regularly. If you have a PIN-entry system for your building or a wireless network with a password, make sure you have a system to change them regularly - probably every month.

Finally, there's an aspect to this that leaves a nasty taste in the mouth. The research found 53% of people who've stolen data use it to get a head start in their next job, or to impress their new boss.

If the new employer decides to make use of that data, what sort of message does that send? And do they really think that employee isn't going to do the same to them when the time comes?

In short: if you've ever benefited from a data theft, don't be surprised if you end up suffering sometime too.

Posted in IT security | Tagged IT security | 0 comments

Can you spot the phishing website?

April 10, 2013 by John McGarvey

Looking for a deal?

See the latest business tech bargains we've found online.

Tech bargains >>

Or buy IT equipment now from these trusted suppliers:

You've probably heard of phishing. It's where scammers send you an email that looks like it's from an official organisation, usually your bank.

The email usually contains links to a fake log in page which collects your username, password and other security details. If you enter them, the scammers will subsequently use your credit card, empty your bank account or commit some other crime against you.

Some phishing websites are laughably bad, with terrible grammar, bad spellng and shonky design. But others can be very convincing.

Spot the phishing site

To show you just how convincing phishing sites can be, here are two screenshots for you. One is the genuine sign in screen for the Co-operative Bank's online banking service. The other is a fake sign in screen from a phishing email I received.

You can click the image to see both screens full size. Can you tell which is which?

Co-operative bank screens{{}}

See actual size >>

So, how did you do? 

Well, the top screenshot is of the genuine sign in screen. The second one is the fake.

If you're familiar with this bank's online interface, you'll probably realise that the site asking for your full name is not genuine. But if you don't use your online banking often or simply aren't paying 100% attention when you click the link, it's easy to see how you could be fooled.

Three principles to avoid phishing

Checking the address of a site like this is usually the most foolproof way to see if it's fake. In this case, it was easy to tell, because the URL clearly wasn't the Co-operative's normal address:

Website address bar{{}}

It isn't always as obvious as this through, so here are three foolproof ways to avoid phishing traps:

  1. Don't click sensitive links in emails. If an email from a trusted source like your bank asks you to log in to your account, do so by manually typing in the website address rather than clicking a link.
  2. Pay attention to security notices. Most phishing emails will be caught by email filters, security software or web filtering tools. If you see a warning about an email, link or website, don't ignore it. (It's amazing how many people do.)
  3. Let the sender know your concerns. If you're in any doubt at all about whether an email or website is genuine, get in touch with the organisation it claims to represent. A quick phone call should be enough to confirm your doubts.

And as a final warning, don't ever enter sensitive log in information if you have any concerns at all about the website you're on. Even if it just looks or feels a bit funny, that's reason enough to stop and think before you make a mistake.

Note: don't click links in dodgy emails like we did. They can be dangerous, even if you don't enter in any sensitive information.

Posted in IT security | Tagged IT security | 0 comments

Did we just nearly break the internet? What the Spamhaus attack says about our security

March 28, 2013 by John McGarvey

Internet DDoS attack{{}}If you noticed your internet connection slowing markedly yesterday, with some sites sluggish and others unavailable, for once it might not have been down to your broadband supplier. 

That's because spam fighting service Spamhaus was subjected to an enormous distributed denial of service (DDoS) attack.

It seems that Spamhaus blacklisted a controversial hosting provider, Cyberbunker, because its servers were apparently being used to send lots of spam. 'Friends' of Cyberbunker then bombarded Spamhaus with the biggest DDoS attack ever.

Are any of us innocent?

The incident spawned headlines like Global internet slows after 'biggest attack in history'. And with so much malicious data flying through the internet's wires, some innocent internet users found their service was disrupted as a result.

But how innocent are those internet users? Is our slack security as individuals partly to blame for the scale of the disruption?

It's an interesting question because this attack was coordinated using a huge 'botnet' of internet devices, including a large number of insecure broadband routers.

It's the exact threat experts recently warned us about, where hackers exploit weaknesses like default passwords to take control of these devices.

Looking for a deal?

See the latest business tech bargains we've found online.

Tech bargains >>

Or buy IT equpment now from these trusted suppliers:

Your router is part of the problem

As more details of the Spamhaus attack emerge, we might get a better idea of what devices it involved. But as The Guardian reports, that innocent-looking router in the corner of your office could have been a part of the problem:

"Some of those requests will have been coming from UK users without their knowledge, said Blessing [an internet expert]. "If somebody has a badly configured broadband modem or router, anybody in the outside world can use it to redirect traffic and attack the target – in this case, Spamhaus."

Obviously, whoever initiated the attack is ultimately responsible. However, the scale of it was partly due to the vast number of insecure internet devices out there.

We're all to blame

So, who is to blame? Manufacturers who sell their products with inadequate security and don't properly explain how to beef it up? Internet service providers that make their routers less secure so they can log in remotely when they need to? IT adminstrators who don't update their software promptly?

Or is it all of them, and each of us too?

The internet is a decentralised, open network. That makes it very difficult for any single body to effectively police this type of incident, and means that we're collectively responsible for the internet's security.

Yesterday, we almost broke it. Perhaps it's time we all took the time to be more secure online.

Posted in IT security | Tagged IT security, Internet | 0 comments

How to hack 420,000 internet devices

March 25, 2013 by John McGarvey

Anonymous masks - internet hacking{{}}Here's a stark reminder that internet security perhaps isn't quite as tight as we'd all like.

An anonymous researcher managed to take control of 420,000 insecure internet devices like webcams, network routers and printers.

They were use to effectively create a huge network of internet devices that could be used for dodgy purposes like taking websites down via denial of service attacks. (The researcher didn't go ahead and cause any damage, but the potential was there.)

Standard passwords

Looking for a deal?

See the latest business tech bargains we've found online.

Tech bargains >>

Or buy security software now from these trusted suppliers:

What's striking about this research is both the huge number of devices that could be compromised, and the ease with which it could be done. Quite simply, the researcher accessed each device by trying standard usernames and passwords like admin or root.

In a month where a high-profile cyber-attack against South Korea hit the headlines, it's important for your business to remember that sometimes the simplest hacking attempts - like trying default usernames and passwords - can be just as damaging.

Don't neglect the obvious

The anonymous researcher summed up the problem in a post online:

"While everybody is talking about high class exploits and cyberwar, four simple stupid default telnet passwords can give you access to hundreds of thousands of consumer as well as tens of thousands of industrial devices all over the world."

In short: choose your passwords carefully. And whenever you add a new piece of equipment to your computer network, check if it has sign in credentials and change them if so. If you don't, you could be a part of this problem.

Image: Rob Kints / Shutterstock.com

Posted in IT security | Tagged IT security | 0 comments

Three things you can learn from NatWest's IT woes

March 07, 2013 by John McGarvey

NatWest pigs{{}}

Image: Flickr user StewC

If you were one of the millions of NatWest customers unable to access online banking, use debit cards or even get cash from a hole in the wall last night, the bank's reputation has probably dropped a notch or two in your mind.

It's hardly the kind of publicity a beleagured banking giant needs. However, major IT outages aren't restricted to banks. They can happen to any business. If one hits yours, it can have an immediate impact on your bottom line and longer-lasting consequences for your reputation.

So, as NatWest fights to deal with today's avalanche of negative coverage, what can you learn from its misfortunes?

Looking for a deal?

See the latest business tech bargains we've found online.

Tech bargains >>

Or buy online now from these trusted suppliers:

1. Keep communicating

One of the worst things you can do during an IT problem that affects customers is to go silent.

If you can explain the problem and when it's likely to be fixed, that's great. But even if you're unsure of the cause yourself, just being there to provide some information is better than nothing at all. At least you'll avoid that 'rats deserting a sinking ship' feeling.

Last night, NatWest was quick to apologise via Twitter, although few further updates were posted despite a veritable Twitter storm.

2. Learn from your mistakes

NatWest also suffered a huge outage last summer, which saw some people unable to access their money for days.

Although the bank has said yesterday's disruption wasn't connected to the previous problems, the fact that this is the second major outage in nine months has compounded the reputational damage, with many customers vowing to leave.

If a problem reveals failings in your IT systems, make sure you fix them properly. It may cost you time and it may cost you money, but the cost of inaction could be much larger.

3. Don't be afraid to say sorry

The most insincere apology I can recall in recent years is this classic from Apple. It's a great example of how not to do things.

Look, if your IT systems have failed and your customers were affected, it really is best just to apologise sincerely and explain what you're doing to fix things.

At this stage, being open and honest is the way to reassure customers that the same thing won't happen again.

Then make sure it doesn't happen again, of course. If NatWest suffers another outage any time soon then it'll take more than few words to restore its reputation.

Posted in IT security | Tagged NatWest, IT security | 0 comments

The ABC of business IT security

March 04, 2013 by James Archer

The ABC of business IT security/ABC blocks{{}}It’s good to refresh your knowledge when it comes to something as crucial as IT and data security. So here’s a slightly tenuous ABC of business IT security. Plus a D and an E for good measure.

A is for anti-virus

Get good anti-virus software and keep it up to date. You usually have to subscribe to software updates, and don’t wait for this to expire before you renew it. Even a few days without adequate protection is asking for trouble.

Spyware - which attempts to extract information from your computer without your knowledge - is another threat. However, most anti-virus packages also include anti-spyware protection too.

You can shop around for the best anti-virus deals. Reputable suppliers include McAfee, Kaspersky and Bitdefender.

B is for backups

Ideally, all the data on your computer system needs to be backed up to external hard drives. This ensures that you won’t lose sensitive information if your computers are corrupted by spyware or viruses.

Inform your staff that they need to back up their data at the end of each day, and regularly remind them to do so. External hard drives don’t cost the earth (you can see a selection here on Amazon), and you’ll be saving yourself a lot of hassle if the worst comes to the worst.

C is for control

When it comes to protecting data from prying eyes, control is the key. If there are files on your company’s shared drive which you don’t want all your staff to view, you should control who can access them.

If you use Microsoft Windows, here’s how to restrict access to a certain folder:

  1. Right click the folder and click Properties
  2. Click the Security tab
  3. Click Edit and then Add
  4. Add the usernames of the people you want to access the folder into the box that appears on screen
  5. Click Ok

That’s it – you’ve created a list of people who can access that particular file or folder on the shared drive.

D is for data encryption

Encrypting your computer systems makes it harder for hackers and fraudsters to access sensitive business information.

This can be anything from emails and financial figures to documents and databases hat are stored on computers or servers in your business. You can also protect portable storage devices like USB drives, which protects them in the event of loss.

Setting up encryption software can be a little tricky, but this guide to encrypting your laptop is a good place to start. It’s also worth speaking to your IT supplier if you need help.

Encryption is an excellent way to ensure your business transactions are protected from unwanted attention. Even if a fraudster manages to steal a disk containing sensitive information, they should still be unable to read it.

E is for external help

Instead of relying on your own knowledge about maintaining computers, it is a good idea to have an trusted IT supplier you can turn to. They will help troubleshoot any problems with your system, allowing you and your staff to focus on running your business.

Even seemingly minor problems should be flagged up, as they can indicate larger problems with your IT security. It all helps avoid any lingering suspicions that your company has been targeted.

It’s often a good idea to choose a local IT supplier, so you can ask business contacts and friends who they’ve used in the past. Perhaps they could even negotiate you a discounted rate!

Written by online security expert, James Archer, on behalf of online retailer The Safe Shop

Posted in IT security | Tagged IT security | 0 comments

With IT risks worrying businesses most, here's how to cope

February 11, 2013 by John McGarvey

A survey into SME attitudes to risk has identified which of 24 'risk scenarios' (that's things that could go wrong, to you and me) are most likely to keep business owners awake at night.

The research, commissioned by McAfee, revealed UK SMEs view their technology systems and the integrity of their data as the biggest areas of risk.

In contrast, things that might traditionally have been perceived as significant risks - like big marketing campaigns or competitor initiatives - are seen as being much less likely to have a detrimental impact on business performance.

This graph shows the ten highest risks selected by businesses in the UK:

Although it's perhaps depressing that new technology is responsible for so many worries in business, this survey also suggests a greater awareness of the risks, which bodes well for long-term improvements.

What's more, most companies can reduce most of these risks by taking some fairly simple steps.

To start with, it's a good idea to create some sort of security plan. It doesn't have to be an enormous document, but writing even a short plan will force you to think about what the key risks are.

Once you've done that, make sure you've covered these basics:

  • Get good IT security software from a reputable firm such as McAfee, Kaspersky, Bitdefender or Trend Micro. It can go a long way towards protecting your computers from viruses and hackers.
  • Make sure you're on top of your IT maintenance and install software updates in good time. This will help you eliminate software bugs that hackers can use to break into your systems.
  • Sort out your backups. Make sure you have a solid backup system in place and test it regularly. Cloud backup systems like Livedrive, Mozy and BackupGenie are good options for smaller companies.
  • Think about how you'd cope in an emergency. You need to know how you'll carry on working in the event of problems and what steps you'd need to take to get things back to normal.

Finally, always remember that maintaining good IT security is an ongoing process. It's a good idea to find an IT supplier you trust and keep track of new security trends that could affect you.

Posted in IT security | Tagged research, IT security | 0 comments

Yes, you need to secure your smart phone too

February 07, 2013 by Rapid7 Team

Smart phone security{{}}

Make sure you keep yours safe. (Image: Flickr user Johan Larsson.)

New smart phones have some strong security measures enabled out of the box. But did you know there are some simple steps you can take to make sure yours is secure?

Set a passcode

The simplest thing you can do protect your smart phone is to set a passcode. Once set, you will be required to enter the code to unlock and use your phone. The minor inconvenience of entering this each time will pay major dividends if your phone is ever lost or stolen.

A thief will be unable to access your phone without the passcode.

  • With an iPhone, set your passcode by tapping: Settings > General > Passcode Lock
  • On an Android phone, tap Settings > Security > Screen Lock
  • If you use a Windows Phone, tap Settings -> Lock + wallpaper

Along the same lines, you should also make sure your phone is set to lock automatically when not in use. This means you won't have to remember to lock it yourself each time.

Keep your phone updated

Keeping your smart phone updated with the latest software is just as important as keeping your computer up to date.

Installing the latest updates helps you avoid any security problems that could affect your mobile operating system. For example, a security flaw in previous versions of Apple's iOS (which runs on every iPhone) could allow an attacker to bypass your lock screen.

You can search our website for details of security vulnerabilities affecting your particular model of phone.

Always be careful

All of the rules you've learned about being safe on your desktop computer apply when you're using your smart phone.

Be careful using public wireless connections, and particularly wary when the network doesn't require you to enter a password to connect. These connections are unencrypted, which means people can easily intercept your data.

Double-check the network you're connecting to is the one you think it is. Some attackers may try to steal your data by posing as a legitimate hotspot.

If you work with sensitive data a lot, consider a secure VPN connection for when you use public Wi-Fi. This should protect data even if you've connected to a dodgy network.

Giri Sreenivas is vice president of Mobile at security specialists Rapid7.

Posted in IT security | Tagged security, mobile | 0 comments

How predictable is your PIN?

December 06, 2012 by Dave James

Pin pad{{}}How secure is your personal identification number (PIN)? An enlightening study reveals many PINs are predictable and easy to guess. So, is it about time you changed your PIN?

The safest PIN of all?

The fascinating study, by Data Genetics, reveals the most commonly used PINs and therefore the ones most likely to be guessed.

It found that the most infrequently used PIN is 8068. Does that make it the safest? Well, perhaps, although now it's been revealed in this study, it might become a lot more popular!

What makes a poor PIN choice?

According to the stats, the most common PIN is 1234. Out of the 3.4 million numbers surveyed, it made up 11% - or 374,000. What little imagination some people have!

In fact, the top 20 PINs all fall into the category of 'easy to remember'. For instance:

  • 1111
  • 0000
  • 1212
  • 7777

It seems PINs with lots of repetition or a pattern to them are chosen most frequently. Interestingly, 2580 comes just outside of the top 20 at number 22. This looks like a random number until you realise these are the numbers down the centre of a telephone keypad.

Other easy to remember four-digit PINs come from years of birth. A disproportionate amount of PINs begin with 19. This is bound to change to 20 as the population ages. Day and month of birth also figure quite prominently.

Does it matter if your PIN is easy to guess?

Most devices, credit cards and locks that are protected by a PIN limit the number of times an incorrect number can be entered. So does it matter if you use a common PIN?

Well, let's think about it in more detail. If I'm a bad guy and I get hold of your bank card, I generally get three guesses before the card is locked.

Going from the statistics in the study, if I take the three most common PINs as my starting point, I have a one in five chance of getting yours right. Not bad and probably worth a gamble.

Won't my bank cover me?

Unless your bank can prove you have been grossly negligent with your PIN (sticking it to your credit card, for instance) the general rule is that you will be reimbursed for any financial loss if your card is stolen and your PIN used to extract money.

So, isn’t it simply a case of using the most convenient, easy to remember PIN and - should it get compromised - waiting for the banks to sort it out?

Well, even assuming you are able to reclaim your money, there's quite a kerfuffle involved in the process. Anyone who's gone through it will know that the inconvenience and lost time is enough to deter you from using a weak PIN.

In addition, you may highlight yourself as an easy target – if you did it once, why not again? Don’t bring unwanted attention on yourself just for the sake of four little numbers.

Dave James is managing director of Ascentor, a company which helps businesses manage information risk. You can also follow him on Twitter.

Posted in IT security | Tagged security, pin | 0 comments
Syndicate content