Free Wi-Fi seems like one of the great perks of the 21st century. In pubs and cafes in towns and cities across the UK, you can get online for nowt.
In short, each time you connect to a public network, you could be playing a kind of Russian roulette with the data you send over the airwaves.
Cybercriminals and hackers have spotted that we’re hooked on the convenience of free Wi-Fi. What’s more, they know most of us are accustomed to connecting without giving a thought to security. And they’re taking advantage.
A typical attack is for a hacker to set up a rogue network. They give it the same name and password (if applicable) as a legitimate network nearby.
For instance, a criminal might set up ‘John’s Café Wi-Fi’ near to John’s Café. When an unsuspecting punter connects, the attacker can intercept all the data that gets sent and received.
Sensitive files and information sent by email, personal data entered into website forms … it’s all there for them to harvest and use.
This isn’t a particularly clever or novel trick. But it works. Next time you’re connecting to a network in a public place, can you be sure it is what you think it is?
It can be difficult to be 100% sure that you’re safe when you use public Wi-Fi. And so the best way to protect your data is to not send or receive sensitive or private data while using it.
That’s easier said than done. One of the most popular uses for Wi-Fi is catching up on email, which can contain all kinds of data that’s valuable to hackers.
However, it’s definitely a good idea to think twice before entering your online banking details or other sensitive login details.
Being on a secure website (indicated by https:// and a padlock in your web browser) does offer some protection, but hackers can still use a technique called sslstrip to intercept your data if they really want.
The safest option is to connect via a virtual private network (VPN), which creates a secure tunnel through which your data passes. You can purchase VPN access from companies like Hotspot Shield — there’s a good explanation and some reviews of VPNs over on the PC Advisor website.
If you missed the news last week, experts have discovered a flaw in popular encryption software OpenSSL.
This is a big deal because OpenSSL protects hundreds of thousands of websites, including big names like Google, YouTube, Tumblr and Yahoo.
The issue is called Heartbleed. Although OpenSSL is meant to protect data transferred between a website and person using it, Heartbleed may allow hackers to access that data.
Heartbleed is a high-profile story because so many websites use OpenSSL. But there's been a lot of confusion over what we should do about it.
Some websites have advised you to change all your passwords. Others have suggested that's counterproductive until every website has been fixed. So, we've investigated what businesses need to be concerned about.
First off, let's get one thing clear: Heartbleed is a real issue. You should definitely spend a few minutes thinking about how it might affect your business.
There are two aspects you need to be aware of:
Does your website use a secure connection (where a padlock appears in the browser)? If so, it's vital you check which encryption technology it uses.
If you're not used to getting into the nuts and bolts of your website, speak to your web developer or to the company that supplies your SSL service (usually your web hosting firm).
You can also pop your website address into this Heartbleed checker, which will let you know if your site is affected.
If you get the all-clear, that's great — you don't need to worry. But if your site does have the Heartbleed vulnerability, you should get it fixed — pronto.
This means updating to the latest version of OpenSSL, which doesn't suffer from Heartbleed. Your web hosting company or web developer should be able to do this for you.
In the meantime, consider deactivating the secure parts of your website. Better safe than sorry, after all.
Experts reckon around 500,000 websites are affected by Heartbleed. There's a good chance some of them are services you use regularly.
Changing passwords is the way to go here. But you need to make sure the problem is fixed before you change a password on a particular website. Otherwise, you risk exposing your new password too.
Most major websites will have fixed their systems by now. Again, you can use the Heartbleed checker to make sure.
As a precaution, we'd advise changing all the passwords on sites you use regularly — but only when you're sure those sites are secure.
Remember, it's safest to use a separate password for each website and to make sure all passwords are nice and strong.
There's one last thing to bear in mind. Heartbleed was around for a long time before it was discovered. As a result, nobody's certain if any hackers exploited it before it became common knowledge.
In case your business or personal data has been affected, it's a good idea to check your online banking, email and other services you use regularly. If you notice anything out of the ordinary, do investigate.
Even if you take every precaution imaginable, it’s still possible for your business to fall victim to a security breach. And while nobody wants to be that victim, it’s worth giving some thought to how you’d manage your reputation in the wake of a cyber-attack.
We reveal the five steps every business should take to minimise damage and rebuild their reputation.
When US retail giant Target suffered a huge data breach last year, one of the biggest criticisms levelled at the company is that it didn’t do a good job of acting quickly and communicating well with customers.
Don’t make that mistake. Once you’ve taken the necessary precautions to secure your systems, share information with your customers, employees and partners.
Being as honest as possible when communicating the crisis will ultimately reassure customers that you are doing everything you can to resolve the issue and protect their details.
Hiding the truth from loyal customers will only damage your credibility in the long run. When tech firm Buffer was hacked, the company remained open and communicative throughout.
Do your best to provide first class support to any customers affected by the issue. They probably aren’t IT experts, so you’ll need to assist and reassure them if you want them to remain with your business.
Be on hand to respond to customer queries and you’ll retain your reputation and customer relationships long after the breach.
Think about who you’re talking to when you communicate what’s happened. Tailor your message to address the concerns of each group.
For instance, while customers will be concerned about whether their data has been compromised, investors and partners will require specific information on how your company’s reputation, value and long-term prospects could be affected.
You’ll be surprised at how far an apology goes. While many businesses will be quick to blame a third party for their security weaknesses, more switched on companies understand that customers don’t want to hear excuses.
Take ownership of your problems and be clear and compassionate about what went wrong, how you plan to fix things and why you can be certain this won’t happen again.
This post was written by Brittany Thorley, who regularly advises businesses about web security.
We’re barely a quarter of the way through the year, yet many hacking stories have already hit the headlines.
Worryingly, many of them involve large, reputable companies and websites. And if they can’t stay safe from hacking attempts, what does that mean for smaller companies?
Phenomenally successful crowdfunding website Kickstarter was the focus of a successful hacking attempt in February. The attackers didn’t manage to make off with any credit card information, but they did get hold of email addresses, passwords and phone numbers.
"We're incredibly sorry that this happened," chief executive Yancey Strickler commented. "We set a very high bar for how we serve our community, and this incident is frustrating and upsetting. We have since improved our security procedures and systems in numerous ways.”
Just a week after the Kickstarter incident, the University of Maryland was targeted. Worryingly, hackers were able to access a whopping 309,079 personal records.
These included information such as dates of birth, university numbers and social security numbers.
The university’s president, Wallace D Loh, confirmed the institution had fallen victim to a sophisticated attack: “I am truly sorry. Computer and data security are a very high priority of our university.”
Having your email address stolen is bad enough. But would you want your passport — complete with embarrassing passport photo — stolen? Just ask whistle-blower Edward Snowden, who had a photo of his passport posted on online by a hacker.
Snowden may not be the only person affected by this attack. The perpetrator claims to have gained access to 60,000+ passports belonging to law enforcement and military officials signed up to the EC-Council’s Certified Hacker scheme.
Valentine’s was as much for hackers as it was for lovers this year. Just before 14 February, 2,240 Tesco customers were the victims of a hack that revealed their phone numbers, email addresses and voucher balances. The unluckiest bunch also had their vouchers stolen.
Following the unexpected hack, Tesco contacted affected customers and issued replacement vouchers where necessary. Every little helps?
In what is almost certainly the most viral hack of the year so far, Naoki Hiroshima lost his Twitter username, @N, estimated to be worth around $50,000.
As only 26 people can have a one-letter Twitter handle, they are highly desirable. Naoki was the subject of an elaborate attack that saw the hacker go via websites such as PayPal and GoDaddy to access personal information.
According to Naoki, the hacker used PayPal to find out the last four digits of his credit card number. They were able to obtain other personal information from GoDaddy, before using these details to hijack the rare Twitter account.
The good news for Naoki is that — after some fuss — he eventually got his username back.
Online backup services can be a really convenient way to take a safe copy of your company data and store it away from your main business location.
This means that if anything goes wrong your data, you still have a backup copy to work from.
Online backup services are generally simple and easy to use:
And that’s pretty much it. You change a file in the office and the backup copy gets updated for you. Delete a file by accident and you can get a copy back within minutes.
With some research showing that 48% of businesses experience data loss each year, online backup can be a really effective way to protect your company.
Businesses have traditionally backed their data up to tapes, hard drives or CDs. So, why use online backup instead of these tried-and-tested methods?
Not all online backup services are equally safe and effective, so it’s important to choose an online backup supplier that:
An online backup service could be a good fit for your business if:
To learn more about backups, read about how to find the right backup methods, and see the five key questions to ask about your backup system.
This is a post from Danny Walker, director at IT Farm.
There’s always more you can do to protect your business from security threats. But there’s never quite enough time to do everything.
So, here are eight easy ways to give your company security a bit of a boost.
Unlike in the fashion industry, old tech rarely becomes cool again. You aren’t going to get any new customers because you run Windows 98.
Also, the latest operating systems have better security features, meaning you'll be better protected from web threats.
The same applies if you’re using Mac OS, or some other operating system. Stick with the latest version to be safest.
Internet Explorer is so 2004 and people using it tend to get targeted because hackers know they’re not likely to be very web-savvy.
Constant update notifications from your software can be really annoying, but ignoring them could end up causing you more problems.
Virtual bugs are just like real life ones — they’re constantly evolving to find different ways to infect you. Updates contain new info on how to swat the bugs. Unless you install them, you won't see the benefit.
If your password for something is 'password' then you're in for a bad time of it. Hopefully your passwords aren't this terrible, but it's likely they could be improved.
For maximum security, use a random combination of upper and lowercase letters, numbers and symbols. You can use a service like LastPass to help you remember them.
It sounds technical, but all two-factor authentication means is that logging in requires you to prove your identity in two ways. Usually, you need a password you know and a reference code that’s sent to your mobile phone.
We’ve all had one of those moments when your jaw drops, you stare blankly at the screen and think: ‘I've made a huge mistake.’ It’s at times like these that System Restore can be a lifesaver.
System Restore is a feature in Windows that allows you to roll your computer back to a previous point in time. The idea is that if something goes wrong, you can go back to the last ‘known good’ configuration.
Your computer will probably create restore points on its own, but you can do it yourself when you make major system changes, too.
Ok, here’s the worst case: your computer is so utterly cream-crackered that you need to wipe it and start again.
If you’ve been backing up your data regularly then the process of getting back to normal becomes much less painful.
To be honest, this point alone could make up a whole new tip sheet. But in a nutshell, try to stick to websites you trust.
Sites listed higher up in search results are more likely to be safe because more people have used them.
There are some dark and dingy corners of the internet. Try and avoid them.
Nick Chowdrey is a finance and accounting writer for Crunch, an online accountancy firm for freelancers and small businesses.
If you’re focusing all your IT security efforts on things like anti-virus and firewalls, are you missing the biggest risk of the lot?
And if you’re running your own business, it’s worth listening to the opinions of IT professionals. They know technology, and they can see where the biggest risks lie.
So, what can you do?
Your staff pose a bigger threat these days because the nature of security threats has changed over the last few years. Many organisations — both large and small — have struggled to keep up.
While back in 2008 or 2009 we were all worried about viruses, spyware and Trojans, these days it’s more targeted threats like spear phishing that are most likely to have IT managers worried.
These attacks are on the rise because they’re effective. Even the most tech-savvy of your staff can be tempted into clicking an email when they shouldn’t. And often, the biggest data breaches can be tracked back to a single, unfortunate click.
It’s important to make your staff aware of how phishing scams operate. You can also give them pointers so they know how to spot potential security breaches.
However, you can’t expect your employees to be infallible. People make mistakes, which means it’s vital you have some additional checks and precautions in place.
A good starting point is to make sure you allow access to data on a ‘need to know’ basis. Resources like your customer database, your accounting system and any shared folders often contain lots of sensitive data.
Rather than allowing everyone to have access to all these resources, the default setting should be that people don’t have access. If an employee needs it — and there’s a good case for it — then you can open up access on an individual basis.
This reduces risk because you’re adding extra layers of protection. If a hacker manages to guess the password of an employee, they’ll still face barriers when trying to reach privileged information.
It might cause a little inconvenience when someone needs to request access to a particular resource. But it’s better than giving hackers a free run of the place.
You’ve already seen our exciting IT predictions for 2014. But what of IT security and data protection? Are there any threats your business needs to know about?
Alex Balan, head of product management at internet security firm BullGuard, has come up with these ten predictions.
It’s devious and destructive and it makes hackers money. Ransomware has been around a while, but because it’s effective it’s going to be around for a lot longer.
A good example of ransomware is Cryptolocker. It encrypts your documents and shows a message saying you must pay a ransom to get your computer back. If you don’t pay up then you lose your data — and there’s little anyone can do to help you.
There is a growing body of evidence to show mobile devices being attacked, with online criminals often aiming to steal personal financial details.
This is hardly surprising given the explosive growth in smart phones and tablets. There’s plenty of data on mobile devices to be stolen. Hackers can also make money by setting up their own premium-rate numbers, then dialling them from compromised mobile phones.
Learn more about mobile security software.
The news about the NSA and GCHQ monitoring internet traffic, emails and phone calls was the most important cyber security event in 2013. These revelations have increased awareness of the need for personal security.
Until now, people have generally only taken security precautions reactively, typically after something has happened. But now they’re becoming more proactive. This will create a growth in technologies to help users keep their communications and data private.
We’re likely to see more attacks on old software and systems that are full of security holes. For example, Microsoft XP reaches the end of its life in April, which means no more updates, even if a security problem is found.
This popular but creaking operating system is widely used and how many people know Microsoft is turning its back on it? Hackers know, of course. There will be many attempts to find new exploits in XP, which means many people will fall victim to malware.
You may or may not have heard of the ‘internet of things’. It describes the increasing connectedness of everyday objects. We have internet-connected webcams, CCTV systems, televisions, digital video recorders and even baby alarms. These devices may be vulnerable to attack.
It might sound bizarre, but soon we’ll see fridges, toasters and other devices that are hooked up to the internet. Don’t be too surprised when you hear of these things being hijacked by hackers (fancy a hacked toilet, anyone?).
Never in the history of humankind has an industry grown so rapidly and so pervasively as technology. It reaches into every corner of our lives. Film cameras are a thing of the past, physical bank branches are becoming quaint and well-known retailers have disappeared from the High Street.
But what happens when computers crash? Thankfully, more people are aware of the potential for damage, and this is leading to an increase in back-up technologies. Expect the arrival of more backup services this year — especially ones that work over the internet.
Biometric authentication is widely regarded as the most secure form of identity control. Early systems were slow and intrusive, but because today’s computers are faster and cheaper than ever, the interest in biometrics has been renewed.
There are several types of biometric authentication in use, but fingerprint authentication is becoming the most common. We’ll see more computers, mobile devices and accessories with built-in fingerprint readers this year.
Law enforcement agencies have scored some significant ‘deep web’ successes the past year, most notably taking down of the Silk Road web site, which allowed users to buy anything from heroin and cocaine to guns and fake currency could be bought.
Authorities will continue to make inroads into the deep web in 2014 but the odds are that deep websites will respond by making it harder to take down sites or identify the people responsible.
You may not realise it, but when you take your smart phone into the workplace and hook it up to your computer, you’re committing a security faux pas. If your device has malware on, you risk releasing it into the company network.
Hackers love breaking into company networks because they are treasure troves. And because smart phones are so popular, hackers are targeting them in order to access corporate networks. We’ll see an increase in this type of activity in the coming year, so it pays to be aware.
When an internet service provider (ISP) gets hacked it resonates long and loud. In April 2013 UK giant BT dumped Yahoo as its email provider following months of hacking complaints from customers.
Many hackers break into ISP systems just to get free broadband, but at the organised crime end of the spectrum it’s done to launch large-scale spam and malware attacks. Don’t be surprised to see more ISP hacks in the coming year.
This is a guest post from Alex Balan, head of product management at BullGuard.
Here's a nice little tool that can keep you occupied this Friday afternoon and help you understand how hackers go about guessing passwords.
It uses real-world data — including passwords that have been made public by security breaches, and phrases commonly used online — to provide three 'best guesses' each time you enter a letter.
This reflects the kind of technique hackers might use when trying to guess passwords with brute force (basically, trying loads of passwords until they find one that works).
Once you've typed your whole password, you can see how many characters Telepathwords was able to guess. Five or more ticks above your password shows that it's reasonably strong.
Apple's iPhone 5s has one particularly striking new feature. There's a fingerprint reader built into the phone's home button, which means you can unlock the phone and authorise purchases using your fingerprint instead of having to tap in a code or password.
As with many of Apple's apparent innovations, this has been done before. Motorola's ATRIX handset has a fingerprint scanner and that launched in 2011. The only problem was reviews found it to be unreliable.
First impressions of the iPhone's fingerprint scanner, on the other hand, suggest that it works very well. If it proves reliable over time, then the new iPhone could be the first in a wave of products that bring fingerprint recognition to the masses.
At face value, this is A Good Thing. Who hasn't struggled to recall an impossible-to-remember password at some point or other? As we've said before on this very blog, 'passwords are fundamentally broken'.
Before we start using fingerprints for everything from mobile phones to internet banking, some experts reckon it would be an idea to think through the implications in a little more detail. After all, your fingerprint is very different to a password because it can't be changed.
Data protection expert Johannes Caspar put it well in a recent article for German newspaper Der Speigel:
"The biometric features of your body, like your fingerprints, cannot be erased or deleted. They stay with you until the end of your life and stay constant — they cannot be changed. One should thus avoid using biometric ID technologies for non-vital or casual everyday uses like turning on a smartphone."
In short, your fingerprint is a one-shot deal. Once it's compromised, that's it.
As if to back up his point, a hacker club already claims it's managed to fool the iPhone's fingerprint reader by taking a photo of a fingerprint and using it to create a fake finger.
But if that's the case, surely it's silly to rely on fingerprints to provide any sort of meaningful protection at all. Using a fingerprint to authorise a bank transfer? Forget it. Controlling building access via fingerprints alone? Probably a no-go.
Then — of course — there are other fringe concerns about relying on fingerprints. The Daily Mail (who else?) warns iPhone thieves might start lopping off people's fingers. And what do you do if you've hurt a finger (pictured)?
Ultimately, the arguments over the stength of fingerprint-based systems are likely to be trumped by the convenience factor. If using your finger to unlock your phone is easier and faster than tapping in a code then people will use it.
It's unlikely fingerprints will ever be used for authentication in more critical circumstances except when combined with something else. This 'two-factor' authentication usually requires something you have (your fingerprint) and something you know (perhaps a password or PIN).
So, get ready: the fingerprint revolution is on the way.
How much time do you spend thinking about IT security? Unless you have been affected by a security problem, you may have never given it much thought.
Your business probably has a number of people accessing its computer systems who are likely to manage their own passwords.
If they manage their own passwords, that means they are setting their own levels of security for your network. Beryl in accounts only comes in once a week, so she can’t be expected to remember anything complicated, can she? What’s wrong with ‘password’ anyway?
And Steve in the sales team dearly loves his fiancée, so why shouldn’t he have ‘Nicola’ as his password?
Passwords like these are a really bad idea because they’re easy to guess. In fact, ‘password’ is probably the worst you could possibly choose.
Not using effective passwords puts your entire system and company data at risk. Here’s how to come up with strong passwords.
Does every computer in your business have up-to-date security software? And do you assume that this is sufficient to protect them, no matter what they subsequently do online?
If you’ve answered ‘yes’ to both those questions, well done for having the software. But don’t think your job is done.
Staying safe isn’t just about having the right security software in place. The safest users are the ones who are well-informed, so help your staff to understand how your security software works, what spam, viruses and other threats look like … and how to spot a malware-infested website.
Make sure you have an IT security policy that explains what your people need to do to stay safe.
Firewalls act as a filter between your business network and the outside world. They allow safe traffic through, but block questionable connections before they can do harm.
Here’s a quick checklist to help you get your IT security basics right:
It is important your employees have safe, secure tools to go about their work with minimum risk to the business. Over and above that, they should be empowered and informed about security threats so they know how best to respond.
If you’re in any doubt about the security of your business, speak to an IT security specialist (perhaps your regular IT supplier) who can discuss your needs and the potential risks.
Adrian Case is technical director at Akita.
How often do you send confidential business documents via email? Weekly? Daily? Several times a day?
It's hardly surprising that we turn to business email when we need to send a document. It's quick, convenient and universal — pretty much everyone you need to contact has an email address.
But have you considered security? Any sensitive information contained in or attached to your emails will be stored on your company's email server. Often, this isn't scrambled or protected in any way.
If your server was hacked, for example, it would be trivial for online criminals to access this important information.
What's more, unless you take steps to hold on to it, the data on your email server won't stick around for ever. It might get automatically deleted after 30, 60 or 90 days.
If your company ever faces legal action, information about when you sent an email and what it contained can play a significant role in your defence. But only if you still have it, and can prove that it's not been tampered with.
An archiving system can help you address the security issues, while also ensuring you have a complete record of all emails sent and received by your company.
In fact, a proficient and advanced email archival program will keep all your emails and attached data safe, such as PDFs and Word documents.
You can be sued for breach of contract or unfair dismissal years after the event itself, so it may be a good idea to keep your email archive for six years or so. If you choose a good archiving system, that data will be stored in encrypted form and be easily searchable, so you can quickly find what you want.
If you've decided the time is right to store your confidential company data, you can outsource the work to a company that specialises in document archiving.
They will be able to offer a range of options to copy all your data and store it in a secure archive. And — of course — you'll benefit from their specialist knowledge and experience.
Alternatively, it is possible to create your data archive in-house. Doing this requires significant knowledge and effort, because you need to maintain your archive on an ongoing basis.
Whichever option you choose, you need to make sure it does the job it is supposed to do. That way you can avoid data breaches and external tampering, as well as having the necessary data to hand if you need it.
Leilah Osher is a small business consultant who specialises in writing about business storage services and document archiving.
We said PHISHING, not fishing.
In 2013, most of us are now aware of the online threat known as 'phishing', where cyber criminals use various techniques to gain access to your email or social media accounts or, worse, get hold of your bank account or credit card details.
However, you might not realise that phishing has evolved. Criminals now use increasingly sophisticated con tricks and scare tactics to dupe unsuspecting victims into handing over their sensitive data.
These days, phishing emails are less likely to come from fictitious foreign royalty and more likely to come from one of your social media connections or a trusted business contact – at least, that’s who the email will appear to come from
In reality, the sender will be a skilled confidence trickster prepared to spend time and effort slowly reeling you in.
Last year, the German Federal Court ruled that where people had fallen for phishing scams that appeared to originate from their banks, the victims were responsible for the losses, rather than the banks. This ruling may set an international precedent, which means protecting yourself against phishing could become even more important.
Here are my top three tips to avoid being hooked:
A common technique among phishing emails is to try to panic you into a kneejerk reaction.
For example, you may receive an official-looking email telling you that one of your online accounts has been compromised and urging you to update your password via a link provided.
Or you might be told your computer has a virus and that you need to download a new piece of software to repair it.
Don’t bite – these are very likely to be phishing scams.
Most reputable companies will never send emails asking for sensitive information such usernames, passwords, National Insurance numbers, bank or credit card details.
In the digital age, we’ve become accustomed to doing things quickly, often in a couple of clicks. A key to avoiding phishing is to slow things down.
If you receive an email that alarms you for any reason, treat it as highly suspicious and, above all, don’t click any links it contains.
Many phishing emails link to spoof websites that are practically identical to the real sites they are trying to mimic, such as your bank.
Some of these sites will collect your login information and then do nothing (alerting you to a problem) but others will link you back to the genuine site, covering their tracks.
If you receive an email containing a link, hover over it without clicking to reveal the web address that it will take you to.
If it contains long strings of numbers or looks different from the usual web address of the sender (e.g. if ‘Twitter’ is spelled ‘Tvvittler’), it’s dodgy. Note the address, then contact the company involved directly to find out if the email is genuine or not.
However, be aware it's not always easy to spot dubious links. It's always safer to type in the correct website address manually, then sign in yourself.
The rise of social networking has been a gift to cyber criminals. Most social network users willingly share masses of personal information on their public profiles. This often includes the names of spouses and children or family birthdays.
Unfortunately, the same people often use this information as the basis of their passwords. Scammers can also use this information to impersonate a trusted contact via an online message or email.
If you use social media, check your account settings to ensure your personal information can only be viewed by those in your network or, better still, be sensible about the information you post in the first place.
Also, never use the same password on multiple online accounts. Use a strong, unique password for each, protecting against a domino-effect where one account after another is hacked using the same password
Norman Begg works for online security company my1login.
Here's a list that might jolt you out of complacency if you're a bit lax when it comes to choosing and changing passwords.
SplashData, a leading provider of password management solutions, has put together a list of the 2012's worst passwords.
The list was compiled by analysing millions of compromised passwords that were posted online by hackers, and identifying the most common. It contains few surprises, but certainly underlines that we can all be far too slapdash when securing our online accounts.
Here are the top 10 worst passwords of 2012:
See any passwords you recognise? Change them, now. Because if you don't, it'll be child's play for a hacker to get in to your account.
Remember: the strongest passwords are as long as possible and use upper and lower-case letters, numbers and symbols. I like to choose a song lyric, take the first letters and then substitute in symbols and numbers where they're easy to remember.
For instance, the Rolling Stones' classic lines You can't always get what you want / But if you try sometimes you just might find can become:
DDoS stands for distributed denial of service. A DDoS attack sees hackers coordinate a network of computers in order to overload a web server with requests.
The result is that the server can become unavailable - taking down any websites or services that run on it.
An enormous DDoS attack hit the headlines earlier this year, sparked by a row between a spam fighting company and a web hosting firm. But it's not only high-tech firms and big companies that are at risk.
Online criminals are a far cry from what they were - in recent years they've become more sophisticated, more strategic and more debilitating to smaller businesses. In fact, they can leave your company devastated by stealing data and causing downtime.
You can be hit with a DDoS attack for all manner of reasons, including:
See the latest business tech bargains we've found online.
Or buy IT equipment now from these trusted suppliers:
And if you think your business is too small or insignificant to be worthy of a hacker's attention, here's what security firm Symantec had to say in its Internet Security Threat Report, released earlier this year:
“While it can be argued that the rewards of attacking a small business are less than what can be gained from a large enterprise, this is more than compensated by the fact that many small companies are typically less prepared in their cyber defenses.”
But before you panic, there are weapons you can use to protect your site and online services.
Many web hosts and internet service providers have begun to offer DDoS protection. These services monitor for unusual internet traffic and attempt to fend off DDoS attacks targeted at your site,
If you're not sure how well-protected your website is then it's worth taking some time to investigate further - especially if you rely on your website to bring in business or sell online.
Ask your web hosting firm what defences they have in place, and, if they offer a DDoS protection service, consider adding it to your account. Your web designer or IT supplier may also be able to advise on what would be the right level of protection for your company.
Would being more cyber secure help grow your business or add value for your customers and partners?
If so, you could be in line for £5,000 to spend on working with an external security expert for the first time.
These grants are available in the form of vouchers from the Technology Strategy Board. The aim is to support small companies, entrepreneurs and start-ups that see value in protecting and growing their online business by having effective cyber security.
This isn't 'free money' - the grant is paid to your business only once you show the Technology Strategy Board that you've finished the project in line with your original application and paid the supplier. (They do approve the project and supplier in advance, so as long as you stick to the plan you shouldn't be in for any unwelcome payment issues.)
It sounds like a great opportunity to improve your security if your business fits the criteria. The official website reckons you might be suitable for a voucher if you're looking to:
There's plenty of advice and guidance on the voucher website itself. A good place to start is probably this flyer (PDF link) that explains the voucher scheme and how to determine if you're eligible. The next deadline for applications is 24 July.
Unsurprisingly, UK IT suppliers are also keen to promote the voucher scheme. It was brought to our attention in a press release from security company Espion, which says it's happy to help companies with the application process.
Email firstname.lastname@example.org to find out more.
Even if cyber-security isn't where you need to invest at the moment, it may be worth having a quick look over the categories on the voucher website. Under the scheme, you can also apply for funding in areas like open data, energy and the built environment.
Sepp Blatter had his Twitter hacked this year. (Image: AsianFC on Flickr.)
Social networks. Once you've got your head round them, they can be a good way to find new customers, and a great way to build the profile of your business. Our sister site, Marketing Donut, is packed with social network advice if you need it.
See the latest business tech bargains we've found online.
Or buy IT equipment now from these trusted suppliers:
But over here on IT Donut, we like to take a more cautious view and think about the risks involved in these new channels.
Unfortunately, there are security risks attached to most aspects of business IT. And while you can certainly use tools like Twitter successfully without knowing about these concerns, if you do know about them then you're far less likely to come to any harm.
A few weeks ago, for instance, Sepp Blatter was targeted on Twitter, though given the Head of FIFA's tendency to make controversial statements, some might argue it was hard to tell. And lots of businesses have fallen victim to social network hacks, including The Telegraph, McDonalds and Jeep.
It happens to other individuals and companies all the time too, often via phishing attacks that trick people into giving away their credentials. Symantec’s Internet Security Threat Report found the number of phishing sites that spoofed social network sites increased 123% last year.
If you use Twitter - or other social networks - for your business, it's a good idea to get clued up about social network phishing attempts. Here are some tips to keep you safe:
Have you suffered any social media security problems? Leave a comment and let us know.
Do your staff understand the full risks involved if they lose their business smart phone or another mobile device that contains company data?
Quite possibly not, according to new research carried out on behalf of Kaspersky Lab. It found that over three-quarters of people working in European small and medium-sized businesses would wait more than an hour before telling the company about the theft or loss of a business-owned device.
An hour doesn't sound long, but if a company smart phone falls into the wrong hands, 60 minutes is time enough to do a whole lot of damage. Racking up call charges to premium rate or international numbers is the least of your worries. Being slow to report a stolen device could see your valuable company data being siphoned off.
See the latest business tech bargains we've found online.
Or buy IT equipment now from these trusted suppliers:
Customer and employee contact details, financial information, confidential emails, access to company Twitter and Facebook accounts ... these days a smart phone is as powerful as a computer, only harder to secure and easier to lose. You need to treat it with the same amount of care.
What's more, the research questioned IT managers too. 29% of them reckoned it would take a whole day for employees to tell them about a lost or stolen device.
David Emm, senior security researcher at Kaspersky Lab, has some good advice for companies that want to take better care of their mobile devices.
“The ever-growing abilities of mobile devices make our lives much easier," he confirms. "However, what we don’t always consider is the ease with which such tools can be stolen, leaving a wealth of business critical information in the hands of thieves."
"To a seasoned cybercriminal, it will take only a matter of minutes to bypass the four digit password protection used on most devices, especially smart phones. If your mobile device is lost or stolen, it is critical that the IT department is informed as fast as possible. They can then block access of this device to the corporate network and, in the best case, wipe all of its data.”
Of course, you can't remotely wipe a device unless you've put in place systems to let you do this. If you're a sole trader or run a very small company, it's probably enough to take steps to back up each individual device and install a remote wipe app. Read our advice here.
Larger businesses will want to look into mobile device management (MDM) solutions. MDM software gives you much greater visibility and control of the mobile devices in your business, so you can restrict how they're used, what's stored on them and - crucially - scrub them clean and lock them out of the company network.
Make sure you keep yours safe. (Image: Flickr user Johan Larsson.)
New smart phones have some strong security measures enabled out of the box. But did you know there are some simple steps you can take to make sure yours is secure?
The simplest thing you can do protect your smart phone is to set a passcode. Once set, you will be required to enter the code to unlock and use your phone. The minor inconvenience of entering this each time will pay major dividends if your phone is ever lost or stolen.
A thief will be unable to access your phone without the passcode.
Along the same lines, you should also make sure your phone is set to lock automatically when not in use. This means you won't have to remember to lock it yourself each time.
Keeping your smart phone updated with the latest software is just as important as keeping your computer up to date.
Installing the latest updates helps you avoid any security problems that could affect your mobile operating system. For example, a security flaw in previous versions of Apple's iOS (which runs on every iPhone) could allow an attacker to bypass your lock screen.
You can search our website for details of security vulnerabilities affecting your particular model of phone.
All of the rules you've learned about being safe on your desktop computer apply when you're using your smart phone.
Be careful using public wireless connections, and particularly wary when the network doesn't require you to enter a password to connect. These connections are unencrypted, which means people can easily intercept your data.
Double-check the network you're connecting to is the one you think it is. Some attackers may try to steal your data by posing as a legitimate hotspot.
If you work with sensitive data a lot, consider a secure VPN connection for when you use public Wi-Fi. This should protect data even if you've connected to a dodgy network.
Giri Sreenivas is vice president of Mobile at security specialists Rapid7.
Distributed denial of service attack. DDoS for short. Four letters that are can strike terror into the heart of anyone who's been on the receiving end of one.
DDoS attacks aim to take websites offline by overwhelming them with requests for information. Typically, they involve hundreds or thousands of computers, all coordinated to bombard the site simultaneously.
Often, the owners of these computers don't even know what's going on, because the source of the attack is malware that's infected their machines.
DDoS attacks have hit the news regularly in 2012. Last month, Teresa May and the Home Office were targeted. Back in May, Webfusion - one of the UK's largest web hosts - was on the receiving end of a sustained attack (the firm produced an interesting white paper explaining what happened).
The motives for DDoS attacks vary. Sometimes they're random. Sometimes they're political. But there's often a financial aspect. They can come from your competitors, or they can be blackmail, pure and simple. Pay up, or your website stays offline.
And although it's only big name brands that hit the news, online criminals are increasingly turning their attention to smaller companies. Without the resources to deflect attacks, they're softer targets.
As security expert Don Smith told us recently:
"More and more smaller companies are being attacked by cyber criminals, yet many still hold the view that they are too small to be targeted."
If you're not prepared, combating a DDoS attack can be tricky. When your website's overwhelmed by spurious traffic, you may find you're unable to even log in yourself.
In fact, the possibility of a DDoS attack is something you should consider when choosing a web host, because the way they handle them can vary remarkably.
Some hosting companies will simply take your website offline completely so that their other customers aren't affected. Worse, you might get a bill for the extra traffic the attack generated.
Other web hosts will provide far more constructive assistance. Ask if they can give you examples of how they've fended off attacks in the past, and look for security features that come as part of your package, like DDoS protection.
Also make sure they keep their servers and apps up-to-date, because often the latest versions of ecommerce and content management tools are more resistant to DDoS attacks.
Looking for a new web hosting firm?
Here are some firms you might like to consider:
Have you ever suffered a DDoS attack? How did you cope?
How secure is your personal identification number (PIN)? An enlightening study reveals many PINs are predictable and easy to guess. So, is it about time you changed your PIN?
The fascinating study, by Data Genetics, reveals the most commonly used PINs and therefore the ones most likely to be guessed.
It found that the most infrequently used PIN is 8068. Does that make it the safest? Well, perhaps, although now it's been revealed in this study, it might become a lot more popular!
According to the stats, the most common PIN is 1234. Out of the 3.4 million numbers surveyed, it made up 11% - or 374,000. What little imagination some people have!
In fact, the top 20 PINs all fall into the category of 'easy to remember'. For instance:
It seems PINs with lots of repetition or a pattern to them are chosen most frequently. Interestingly, 2580 comes just outside of the top 20 at number 22. This looks like a random number until you realise these are the numbers down the centre of a telephone keypad.
Other easy to remember four-digit PINs come from years of birth. A disproportionate amount of PINs begin with 19. This is bound to change to 20 as the population ages. Day and month of birth also figure quite prominently.
Most devices, credit cards and locks that are protected by a PIN limit the number of times an incorrect number can be entered. So does it matter if you use a common PIN?
Well, let's think about it in more detail. If I'm a bad guy and I get hold of your bank card, I generally get three guesses before the card is locked.
Going from the statistics in the study, if I take the three most common PINs as my starting point, I have a one in five chance of getting yours right. Not bad and probably worth a gamble.
Unless your bank can prove you have been grossly negligent with your PIN (sticking it to your credit card, for instance) the general rule is that you will be reimbursed for any financial loss if your card is stolen and your PIN used to extract money.
So, isn’t it simply a case of using the most convenient, easy to remember PIN and - should it get compromised - waiting for the banks to sort it out?
Well, even assuming you are able to reclaim your money, there's quite a kerfuffle involved in the process. Anyone who's gone through it will know that the inconvenience and lost time is enough to deter you from using a weak PIN.
In addition, you may highlight yourself as an easy target – if you did it once, why not again? Don’t bring unwanted attention on yourself just for the sake of four little numbers.
If government statistics are accurate, even the smallest companies need to give serious thought to IT security. That's because official figures show 76% of small businesses have reported a cyber-breach in the last year alone.
You can tell the government is alarmed by the statistics, because it has decided to establish a 'Cyber Reserve' force to deal with the security threats posed by online crime. It's uncertain what this means in practice, as the details won't be revealed until next year.
However, it should signal a more co-ordinated approach to combating cyber-crime, with the goverment recruiting experts to fight back against sophisticated hackers and fraudsters.
Although things have moved on considerably since this 2006 report found internet fraud was slipping through policing procedures, it still sometimes seems like online criminals are several steps ahead of the authorities.
Just in case the message hasn't sunk in yet, let's make it absolutely clear: your business could be a target for online criminals.
We recently spoke to security expert Don Smith who explained that smaller companies often find themselves singled out in online attacks because they're seen as soft targets:
“More and more smaller companies are being attacked by cyber criminals, yet many still hold the view that they are too small to be targeted."
"If they have any public profile – if they’ve been in the news, for instance - then they can be a soft target. They also might get targeted if they handle the intellectual property of big clients, for example, a creative agency working on a big account."
“This leaves small organisations vulnerable to a number of risks, including attacks, data loss, service disruptions and reputation damage. Just like larger enterprises, small businesses need visibility into the threats that face their organisation.”
Clearly, that begs the question: what should you do about it? Hopefully, you'll have got the basics right. You'll be protecting your network with a firewall, and each individual computer and server in your business will have its own firewall too.
But to really get a grip on your IT security, you need to spend a little time on security planning. The first stage is to identify your most valuable data, so you can find ways to protec it.
It's worth reading the full interview with Don to understand a bit more about the security issues your company could face. We also have some really useful information about putting a security plan together and assessing the risks your business faces.
With just a little preparation, you can reduce the chance of your business becoming another IT security statistic.
(Police lantern image: conner395 on Flickr.)
Image: creating a self-destructing message
Sending sensitive information through email: most of us know it's a bad idea, yet we've all done it at some time or another. Whether it's providing the password to access a protected file or confirming your mother's maiden name, email often seems like the easiest option.
Yet email is inherently insecure. Not only can emails be intercepted as they travel through cyberspace, but if the recipient isn't strict about deleting messages, your information could sit in their inbox for months or years. If their account ever gets hacked, your data is in the hands of the bad guys. Email hacking happens a lot, so it is a real risk.
So, for this Donut tip of the week, we wanted to show you a handy online tool that lets you send sensitive information in a form that self-destructs once it's been read. Sort of like Mission: Impossible, only with fewer pyrotechnics.
To get started, hop on over to Oneshar.es. Then it's really easy to create your one-time message:
That's it! The link uses SSL encryption, which means the message itself is protected from interception when the link is viewed.
Obviously, anyone with access to your link can click it to see the message - but as messages self-destruct once viewed, you don't have to worry about who sees the link once your recipient has used it. Certainly, Oneshar.es deals with the problem of having important information sitting in inboxes.
Now there's no excuse for putting your password in an email ever again.
Smart phone applications could pose a significant threat to your company’s IT system in terms of security, availability or mobile data costs if left unchecked.
In a worst-case scenario, valuable and sensitive data could be at risk if you allow employees to download and install apps at will to their personal and work devices.
While smart phone settings can vary from device to device, all potentially leave a company open to abuse. Every time you install an app, it's important to check what resources and data the app is requesting permission to use.
At some point, everyone has skipped through lengthy terms and conditions to save time. It's these terms and conditions which often explain what data the app will use and how it will use it - so not reading them could mean unwittingly giving an app control over sensitive data, or even the phone itself.
Although an app may appear to be a harmless game or a useful productivity tool, there is nothing to stop it from including code to send a text message, make a phone call or even read data stored on the phone and upload it to an external server.
To minimise these risks, your business and its employees should consider some simple steps:
How sure can you be that a company promoting an app has not included hidden features or a developer has not included some malicious code? Software vendors with a track record of delivering solutions to businesses generally have the development disciplines in place to protect you from these risks, so beware the unproven startup or one man band developer.
Smart phone apps are extremely attractive, but it’s important not to forget that under the veneer of simplicity, IT is extremely complex. Your systems can be manipulated by people who understand that complexity, if they are left unchecked.
Paul Ridden is Managing Director of Skillweb, a privately owned, UK based business that provides technology solutions designed to help organisations manage their mobile workforces and track the movement of their goods.
If you want to find a way to immediately annoy potential customers and drive visitors away from your website, look no further than the humble CAPTCHA.
We've written about these squint-worthy, hard-to-interpret messed-up bits of text before, but today I stumbled upon one that goes beyond a joke.
It popped up this morning on the Ticketmaster website. I had a fair stab at the image on the right side, but I still have no idea what's going on with the left image. Any ideas at all?
I'm convinced the days of the CAPTCHA are numbered. They're designed to guard against targeted hacking attempts and automated 'bots' that fill in online forms automatically.
But really, unless you're running some sort of super high security website, they cause far more problems than they solve.
When you've taken time to create a nice clear website that makes it really easy for people to buy from you or send you a message, then making them fill in a CAPTCHA is like asking them to complete a fiendish puzzle before they can go any further.
Imagine what would happen if the local corner shop asked you to solve a Rubik's Cube before letting you buy a pint of milk. Wouldn't get much custom, would they?
When you use CAPTCHAs on your website, you risk having the same effect.