How much did your last cup of coffee cost?

Cybercrime is everywhere these days, in 2020 cybercrime cost UK businesses an estimated £21Bn* with an estimated 40% of UK businesses being subjected to to some kind of cybercrime in the previous 12 months. So, how can you minimise the risk to YOUR business?

There’s lots of advice on passwords, I regularly write about them, and other security measures that you can take but did you know that even a trip to your favourite coffee shop could end up being far more expensive than the price you pay for your Triple Grande Decaf Soy Latte Macchiato and blueberry muffin.

Cup of coffee and coffee beansImagine the scene, you’re between meetings and decide to drop into your favourite coffee shop for a cup of coffee, a cake and to tap into their Wi-Fi to read your emails, refresh your knowledge in time for your next meeting or simply to surf the web.

Spoof Wi-Fi Hotspot
Sign fro free wifi hotspot
When you sit down and try to log-on to the Wi-Fi there’s frequently a selection of hot-spots to choose from. How do you know which is the free service provided by the venue and which is a spoof.

It’s very easy to set up a Wi-Fi hot-spot using a mobile phone, Mi-Fi type of device or laptop and allow other users to connect through this free connection. This means that all of the traffic can then be intercepted by the person providing the spoof account, what sort of important information is passed from your laptop through this connection? It could be your details to access your online banking, the log-in to your company network or the necessary information required to access your corporate email account.

Time for a comfort break

Laptop and cup of coffeeThen the urge hits, you look around and see that everybody seems respectable enough so you head off to the toilet thinking that your laptop is safe on the table. After all, nobody would nick in sight of all those customers, staff and CCTV cameras would they?

You’d be wrong. Laptop tracking service provider, Prey, found that areas offering free Wi-Fi were the second most common target for opportunistic laptop thefts, the only riskier place being left in a visible place in your car.

If stolen, it’s not only the inconvenience of replacing the laptop, reinstalling your applications and copying back your data [you do back-up your data don’t you?] it’s the additional costs that aren’t covered by your insurance.

The Ponemon Institute, a US cyber crime consultancy, put the real cost of the loss of a laptop and it’s data at nearly £31,000. This was broken down into £4,000 for the loss of Intellectual Property, forensics and legal bills adding around £1,500 with a staggering £24,500 attributable to the loss of income, customers and competitive advantage associated with a data breach

So, the next time you stop off for a cup of coffee and decide to log-on using their free Wi-Fi, just make sure you know which network that you’re connecting to and that you don’t leave your laptop unattended.

*Detica in partnership with the Office of Cyber Security and Information Security in the Cabinet Office Report, 2020

What is a “man in the middle” attack?

Believe it or not, this post was inspired after listening to an ad on the radio. I’ll let you know which one right at the end (if I remember)

Imagine the scenario. You’ve popped out to lunch and drop in to Costa/Starbucks/favourite coffee shop. Food’s on the way, your lovely Espresso/Cappuccino/Cortado/super sized hotta mocha choca machiato is in front of you and you realise that you’ve not replied to a very important email.

Free Wifi - made with Scrabble tiles

You get your phone out and remember that, despite all the fuss about 5G, your town hasn’t even sorted 4G but you’ve been here before and know the cafe has free Wi-Fi.

List of WiFi networks

You remember that the Wi-Fi’s called “Stephen’s Wi-Fi Network” so that people can find it easily. You search for it, find it and don’t worry that you log-in seamlessly although you do notice that the signal is a little stronger than normal.

You open the email app on your phone, find the mail that really needs the reply and peck one out on your phone’s keyboard, hoping that the message in your phone’s email signature, saying that this was sent from your iPhone, will help overcome your mistypes and slightly terse language.

You’ve still got some coffee left and it’s pay day so whilst sat down you decide to check your bank account to make sure your pay has gone in. It has, and you have more than you thought. Enough to buy that gift for your lovely partner. For security’s sake you haven’t stored your card details in your phone. Out comes your wallet and you add your card details to the order screen. Click “confirm” and the order’s on it’s way

As you get up to leave you spot the homeless looking chap in the corner. He’s got a really tatty looking laptop and you feel sorry for him, until you see he’s got a huge grin on his face – you walk on by and head back to the office.

At the end of the day and you’re shutting everything down when your phone rings. It’s your partner – you’re puzzled, they don’t normally call you at work

You answer and hear tears at the other end. They’ve been shopping, found a lovely winter coat and decided to buy it but their card, which is on a joint account with yours, was declined.

You are confused. When you checked the account at lunchtime there was more than enough to cover the cost of the gift you ordered and this coat………where did all the money go?

You log in to your account and it’s empty. You can see your gift order but have no clue what all the other transactions are, you’ve not ordered anything else – and neither has your partner.

The Man in the Middle

What’s happened is that you logged in to the wrong Wi-Fi network and your data has been stolen. No, it wasn’t the homeless looking chap it was the chap you never really paid attention too because he looked like a businessman. And he was, its just that his business was theft, theft of credit card details like yours.

He had set up his own Wi-Fi network using a portable hot-spot, hidden in his backpack and connected to his laptop AND the cafe’s network to provide the broadband. He’d given it a name that was so close to the one that you were used to that it was easy to log on to it, rather than the “real” one.

The cafe’s Wi-Fi was “Stephen’s Wi-Fi Network” and the “man in the middle’s was “Stephens Wi-Fi Network” so when you logged in, all your data flowed through his hotspot to the cafe’s Wi-Fi network and on to the internet. With his laptop he was able to access everything that passed from your phone through the hotspot, including your card details when you made your purchase and off shopping he went. 

How to avoid the man in the middle

Either be 100% certain that the network you are connecting to really is the network you want to connect to or avoid Wi-Fi hotspots like the plague. I do………unless there’s no other alternative. And in this scenario I only ever browse the web.

Passwords are not just for Christmas

Wow, what a year. One thing’s for certain, 2020 is one year that will never be forgotten. Covid, Lockdown, Furlough, words that have been added to the canon of speech this year. And, to cap it all, Christmas is just around the corner and the world is still full of massive levels of uncertainty.

Whether you are working from home, #WFH, working in an office or still out and about I know that as Christmas approaches the big wind-down starts to feature in our minds.

Nothing wrong with looking forwards to Christmas but it’s important that you don’t allow your Cyber Security guard to fall too.

Andy, checking out websites as part of his work

Why not? Simply because the hackers and cyber criminals won’t – if anything they’ll be upping their activity because they know that our minds will be on other things. In previous years we’d have been looking forward to Christmas Markets, Christmas parties, gifts, food, television and everything else that’s associated with the season of goodwill.

Our vigilance MUST remain high, both in the office and when working from home. Keep your eyes open for suspicious looking emails, especially those coming from unexpected quarters, with messages that promise much, such as tax refunds or deliveries of items you don’t remember ordering. Also beware of emails with links to websites that look OK but in reality will do harm.

It’s also a good idea to take a fresh look at your password security. Turkish researcher Ata Hakcil analysed more than 742m passwords that have been revealed in data breaches (hacks) that turned up on the Dark Web. Ata went on to make a worrying number of discoveries.

Of the 742m only 169m were unique which just goes to show how frequently we reuse passwords and how many passwords are used by a lot of people.

Worst passwords of 2020

Unfortunately, not a lot has changed over previous lists

1/ 123456 (same place as 2018 & 2019)
2/ 123456789 (up 1 place) (same as 2019)
3/ passwords (up one place on 2019)
4/ qwerty (a fall of one place on 2019)
5/ password (slips two places)
6/ 12345678 (up 1 on 2019)
7/ 123123 (a new entry)
8/ 111111 (up from No. 10 in 2019)
9/ 1234 (yes, I kid you not, 1234)
10/ 1234567890 (a new entry in this Top 10)

Disturbingly, at least 1 in 10 people have used at least one of these poor passwords – I hope you’re not one of them.

Data breaches are inevitable. To be as secure as possible you need to use strong, unique passwords for each individual account that you have. This makes the theft of one password much less of a disaster than if you use the same (or close variant) across all of your accounts.

What’s a Strong Password?

A strong password isn’t a word at all. The best ones are passphrases comprising of a random combination of words with 12 characters or more, using mixtures of alphanumeric, UPPER & lower case characters and symbols.

Think of a nonsense phrase, or even a line from your favourite song. Science Friction Burns My Fingers for example. Noe, run the words together, use hyphens, underscores and number substitution.

Sc13nce-fricti0nBurnsMy_Finger5%

That’s one password – you need a unique one for EVERY account that you have. Now, that’s a challenge to remember so you need a password manager. Because of my work, I have access to 789 accounts of one sort or another and I have 789 different passwords. Obvious there’s no way I could remember all of those – I struggle to remember 4 important ones which his why I use a password manager. Not only does it store all of my passwords in a safe place it also generates new, random, ones for me.

Top 10 Password Managers

There are loads of great password managers out there. I use LastPass because it was one of the first to integrate with my browser AND be available across all of my devices, desktop, laptop, Chromebook, phone and tablet.

TechRadar recently reviewed Password managers and their top 10 free and paid-for password managers is as follows

1/ Dashlane
2/ NordPass
3/ RoboForm
4/ 1Password
5/ LastPass
6/ Keeper
7/ BitWarden
8/ LogMeOnce
9/ mSecure
10/ ZohoVault

You can read TechRadar’s reviews here. And don’t forget, your web browser probably has a password manager built in and may even generate new ones for you but it may not synchronise across all of your devices

And PLEASE, if this applies to to you – STOP USING PASSWORD or 12345678 and use one of the above instead

Have a great Christmas, a happy new year and I look forward to communicating with you in the new year. If you need any help, please, just ask. You can reach me by phone – 01793 238020 – email – andy@enterprise-oms.co.uk or just hunt me down on Social Media.

Why would anyone want to hack my website?

log on boxWith the news that 30m credit and debit card details from US customers and over 1m sets of card details belonging to visitors to the US, have been put up for sale on the Dark Web following a malware attack against US convenience retailer Wawa I thought I’d take time out to explain why small businesses are just as at-risk from hacking as large organisations.

But first, let’s take a look of some of the major security breaches that occurred last year. According to Risk Based Security’s Data Breach Report there were 5,183 breaches by the end of September 2019 alone. These exposed more than 7.9 billion records. This was a 33.3% increase on the same period in 2018.

Here are some of the worst breaches.

  • Orvibo Smart home products – 2 billion records discovered on an unprotected database. These comprised of private individuals, hotels and businesses who were using Orvibo’s smart home devices. The data included email addresses, passwords, user names, family names and addresses.
  • Dream Market Breach – 617m online account details stolen from 16 hacked websites, including MyFitnessPal (151m). Data stolen included user names, passwords and email addresses.
  • Canva – 139m records stolen, names, user names, passwords, email addresses and location.
  • Capital One – 106m records hacked with names, addresses, credit scores, email addresses, dates of birth and more stolen.
  • Words with Friends – 218m records stolen, including names, email addresses, passwords, phone numbers and, where linked, Facebook ID info

However, these are just some of the ones that hit the headlines. Thousands don’t,  particularly attacks on smaller businesses. Research indicates that nearly 70% of SME’s experience cyber attacks (Ponemon State of SMB Cyber Security 2018) but why SMEs?

I talk to many people who believe their businesses are too small to have anything of value to the hackers. However, the truth is that they are too small to have a dedicated cyber security officer/specialist and so are easy targets.

Let’s take websites – most businesses use WordPress – over 1/3rd of websites use it. There’s nothing wrong with WordPress but, as the world’s most popular web development tool, it is also the hackers main target. (A bit like the way Windows is targeted compared to Apple’s operating system – its all in the number of targets)

WordPress is pretty secure and there are Plugins to make it more so BUT you have to keep everything up to date. Keep WordPress up to date, keep your plugins updated too because if you don’t you might be leaving holes in your security for the bad guys to exploit. 

But why would they?

  • Small companies are frequently connected to larger organisations and they might be a way in
  • Hacked systems can store illegal material
  • Hacked systems can be used in attacks on other websites (DDoS)
  • Hacked systems can host Malware
  • Hacked systems could provide access to valuable Intellectual Property
  • Hacked systems could provide easy access to other valuable data

Malware

Safer Internet DayImagine you have a reasonably popular website. Hackers will look to gain access to your site and plant malware on it that will automatically download (and install) itself on the computers of everyone who visits your website. The malware could allow the hackers to record the keystrokes of infected machines, could enable the hackers to take remote control of infected machines or turn them in to storage depots for illegal material.

Imagine how your reputation will suffer when this comes to light. 

  1. Keystroke recorders
    A keystroke recorder does what it says on the tin, it records every single keystroke made on a keyboard and secretly transmits it to a malicious 3rd party. This could be bank/card details, online shopping details, log-in user names and passwords, and much more
  2. Remote Control – DDoS (Distributed Denial of Service Attack)
    With the ability to remotely control your PC, and hundreds or thousands of others, malicious 3rd parties can “take down” target websites simply by overwhelming them with more web traffic than the website can cope with. Remember what happens to the Glastonbury website when the tickets are released – although not malicious the number of people desperate to get their tickets tend to bring the website to its knees as soon as tickets are made available

    Imagine a bookmakers website going off line a week before a major betting event. They’d be contacted by the Cyber Criminals who will admit responsibility. The bookmakers will then be told to “pay up” or their website will be blocked again, much closer to “big day” and prevent bets being placed.
  3. Illegal data storage
    Imagine the scene. There you are working in your office and there’s a battering ram through the door followed by police storming in with a warrant to take ALL of your computing devices. Your business will grind to a halt but why have you been targeted? Simples, as the meerkats say – the police have identified one or more of your computers/servers as the source of illegal material. This could be pirated software, music, films or worse. In the worst case scenario this information hits the local (and possibly national media) and your reputation is trashed. And you may not even have been at fault!
  4. GDPR
    Under all of the above scenarios you’ll probably have to report the matter to the Office of the Information Commissioner (ICO) under GDPR. After investigation, If your security and procedures are found wanting then you might be liable for a fine. GDPR states that fines can be up to 4% of your turnover, and that’s no laughing matter

How do I prevent this happening to me

No security system is 100% watertight, there are just too many variables and access points. The closer you get to 100% the more expensive it becomes to close those last few security percentage points. However, like home security, your job is to make sure that your security is as good as it can be so that the bad guys choose an easier target.

Get in touch with a good IT company or Cyber Security company or you could #AskAndy. Drop me an email – andy@enterprise-oms.co.uk or give me a call on 01793 238020 and we can start the ball rolling. I know that I’m not a security consultant but I know quite a bit and can always point you in the direction of a trusted third party if you need more help.

New Year – New Security Resolution

Tamara EcclestoneIn December last year Tamara Ecclestone’s London home was burgled and jewellery worth £50m was stolen.

Leaving aside the fact that this is a phenomenal sum of money to have invested in jewellery only to leave it “lying around” there are many rumours as to the particular timing of the heist.

Just a few hours before the robbery took place, Tamara and her husband shared a picture on Instagram of them boarding a private jet.

As a billionairess it’s no doubt that people of a dubious background will have been watching her social media updates hoping for just such an opportunity. They will have lists of targets, important addresses and social media accounts and probably even have plans in place, ready for execution as soon as an opportunity presents itself.

So, think about the pictures you post to Social Media. What do they give away? All those photos of you sunning yourself on a beach somewhere warm and exotic tells near do wells that you are not at home. Photos of road trips tell people that you are not at home, or in your business.

You even need to make sure that there’s nothing in the background of the picture that can be zoomed in to that might give away something you’d rather kept private. An innocent looking photo taken outside of your house could, if zoomed in, give away your house number whilst previous, or subsequent pictures could give away your street name – for example.

If you are going away, and you are an important cog in your business, it could encourage scammers to target employees with fake emails requesting money transfers, payment of fake bills and invoices etc.

log on boxSo why not make 2020 the year you strengthen your security fortifications. Make a start with passwords and email.

  • Conduct a password audit of everything AND everybody involved in your business.
  • Enforce the use of strong passwords and encourage the use of password managers
  • Make sure that you have a strong email policy in place.
  • Educate yourself and your employees on the tricks used by scammers-
    • how to check whether a link in an email takes the clicker to a safe site or not
      Hint – hover your cursor over the link to see the full web address
    • Ensure that the email comes from a trusted address. Is it from mycompany.co.uk or mycompany.co or myc0mpany.co.uk for example?
      hint – hover your cursor over the address or just hit “reply”
    • Are there any obvious spelling or grammatical errors?
    • Would you be expecting an email from this particular source?
    • Does the email express an urgent response?

Don’t forget that people new to your organisation should also receive the same level of training. Always remember that “if it feels to good to be true” then it probably is

And if you are still unsure, look up the phone number for the company that you think the email is from and give them a call – don’t rely on the phone number that’s displayed within the potential scam email.

Watch out for more emails looking at security issues and if you have any concerns, please don’t hesitate to get in touch for an informal chat by email (andy@enterprise-oms.co.uk) by phone (01793 238020) or ask me on Social Media – Linkedin or Twitter and I’ll be only too happy to talk.

Thanks for reading and I hope you have a great, and secure 2020.

 

 

Christmas is coming, don’t let the hackers get fat

Christmas is nearly here, people are beginning the big “wind down” and it would be so easy to let your guard down too.

Andy, checking out websites as part of his workWell, let me tell you, the hackers and cyber criminals won’t – if anything they’ll be ratcheting up their activity because they know that our minds will be on other things.

You know, things like Christmas parties, gifts, food, television and everything else that’s associated with the season of goodwill.

So, vigilance must remain high, both in the office and when working from home. Keep your eyes open for suspicious looking emails, especially those coming from unexpected quarters, with messages that promise much, such as tax refunds or deliveries of items you don’t remember ordering. Also beware of emails with links to websites that look OK but in reality will do harm.

It’s also a good idea to take a fresh look at your password security. SplashData have just released their ninth annual “Worst Passwords of the Year” list which has been compiled from more than 5m passwords that have ended up on the Dark Web after being purloined by hackers.

Unfortunately, not a lot has changed over previous lists

  1. 123456 (same place as 2018)
  2. 123456789 (up 1 place)
  3. qwerty (a return to the top 5 for this old favourite)
  4. password (slips two places)
  5. 1234567 (up 2)
  6. 12345678 (falls out of the top 5)
  7. 12345 (falls by 2 places)
  8. iloveyou (this perennial is up 2 places from 10 in 2018)
  9. 111111 (yes, people do use this although it’s fallen 3 places from last year)
  10. abc123 (up 7 and breaking in to the top 10)

You can see passwords from 11 to 25 here.

SplashData estimates that at least 1 in 10 people have used at least one of these poor passwords.

Data breaches are inevitable but by using strong, unique passwords for each individual account that you have makes the theft of one password much less of a disaster than if you use the same (or close variant) across all of your accounts.

3 simple tips to make your digital life more secure

  1. Use passphrases (random word combinations) of 12 characters or more with mixed character types
  2. Use a different password for each of your log-ins so if you loose one password you haven’t lost all of the keys to your digital empire
  3. Use a password manager to secure your digital assets, to generate random password combinations, store them securely and make them available across all of your devices

And PLEASE, if this applies to to you – STOP USING PASSWORD or 12345678 and use one of these instead

Top Password Managers (in no particular order)

Have a great Christmas, a happy new year and I look forward to communicating with you in the new year. If you need any help, please, just ask. You can reach me by phone – 01793 238020 – email – andy@enterprise-oms.co.uk or just hunt me down on Social Media.

However, I hope to enjoy Christmas too so may be slower than normal in responding to your requests. I’ll be back in the office on January 2nd.

How secure is your password?

Government Communications Head Quarters (GCHQ) – where the UK spooks provide signals intelligence to the UK’s government, military and Military Intelligence and the Department for Digital, Media and Sport (DCMS) carried out their first UK Cyber Survey and the results didn’t make for great reading.

Apparently

  • 42% of us Brits expect to lose money to on-line fraud
  • 23.2 million worldwide victims of cyber breaches used 123456 as their password
  • 15% say they know how to properly protect themselves from harmful on-line activity
  • 33% rely on friends and family for help with their cyber security
  • Young people are the most likely to be cyber aware, privacy concious and careful of the details they share on-line
  • 61% of internet users check Social Media daily, 21% say they never look at it
  • More than 50% use the same password for their email that they use elsewhere
Hacker Inside

Dr Ian Levy, NCSC Technical Director said “Using hard-to-guess passwords is a strong first step and we recommend combining three random but memorable words. Be creative and use words memorable to you, so people can’t guess your password.” whilst Margot James, DMCS Minister said “We shouldn’t make their (cyber criminals) lives easy so choosing a strong and separate password for your email account is a great practical step. “

Most Regularly Used Passwords

RankPasswordTimes UsedPasswordTimes Used
1.123456 23.2mashley432,276
2.1237567897.7mmichael425,291
3.qwerty3.8mdaniel368,227
4.password3.6mjessica324,125
5.11111113.1mcharlie308,939

It’s a shame that the top password list hasn’t really changed for at least 10 years – it shows how complacent a lot of us are with our on-line security.

I used to have 3 passwords, a simple one that I used really casually for newspaper sign-ups etc – name123 (not my real passwords, merely examples) a medium security one that I used on shopping sites, n@m3123 and a more secure one, used for banking etc – c3ler0n! (and all of the ones that I used feature on the Have I Been Pwned list).

log on box

About 5 or more years ago I switched to a Password Manager. I have 801 log-ins and 801 different passwords. All of them are at least 16 random characters long and comprise upper & lower case letters, numbers and symbols (where permitted).

My Password database is stored securely in the cloud and is replicated on my PC, Phone and Tablet and accessible from my Chromebook too. I use LastPass but others exist and here’s a review of some of the top ones.

As you can see, I do my best to stay on top of my security but if you feel adrift, or need some help, just give me a call on 01793 238020 or email andy@enterprise-oms.co.uk for a free chat.

Have you had your electronic ID stolen?

In other words, have you been pwned*. There have been millions of email addresses and passwords stolen in hack attacks and millions more that have been left exposed by incompetent website owners. However, it’s not just your email address that’s been stolen, your name will have gone with it, possibly your address and maybe even credit card (and other) data.

The stolen information is then made available for sale on the dark web and here’s a sample of the prices it can fetch

  • Credit/debit card number – $5-$11
  • With the CVV (3 digit) security code – + $5
  • “Fullz” (card, CVV, name, address, date of birth etc.) – $30
  • Bank account access – 10% of the credit balance in the account
  • Online Payment Services, such as PayPal – $20-$200

But how do you know whether your information is “out there” just waiting to be abused by cyber criminals? Well, I don’t know but I know a man who does, and he’s set up a rather useful website

Have I been Pwned?

There’s a website called Have I Been Pwned. This has been created by Troy Hunt, a Microsoft Regional Director & MVP (Microsoft Most Valuable Person for developer security). After data from a major cyber incident was “found” on the Dark Web Troy decided to put a database together – in his own time & at his own cost – as a way of allowing people to check whether their data was amongst stolen information and to “keep his hand in” from a programming perspective.

The site is now a comprehensive source of information about data hacks and data loss and is simple to use. All you have to do is enter your email address to see whether you have been “pwned”

And if you have been, as shown in the image above, it will also tell you which data breach (breaches) your email address has been found in.

Not every data breach leads to passwords being available. Some databases have encrypted passwords, making them worthless to the cyber criminal. However, many don’t and, like email addresses, there are millions (over 550) of passwords available on the Dark Web.

As he’s done with email addresses, Troy has now gathered all the stolen passwords that he can find and has created another searchable database dedicated to stolen passwords.

So, why is it so important to know whether your passwords are available to cyber criminals?

At this point, all the criminals have is a list of emails and and another list of passwords. They may not know which ones go together and they also don’t know which websites these email addresses and passwords relate to.

But, from our perspective, there’s a significant weakness. This comes in to play because a lot of people use the same password for many websites simply because it’s easier to remember one password than many. This use of the same password makes things a lot easier for the cyber criminals to put our data to fraudulent use.

Let’s say, for example, that the criminals target Amazon. You might have your credit card details already stored against your account so if a cyber criminal can gain access, all they have to do is change a delivery address and Bob’s their uncle.

They’ll use a “Credential Stuffing Attack” which means that they’ll load all the email addresses in to one database and the passwords in to another and start the attack. First they pick their target (Amazon in my example) and use software that will add an email address to the log-in box. They’ll then turn to different software to try all the passwords in the password database to see whether there’s a match. And once they’ve tried one email address they’ll automatically move on the next one. Once they’ve tried all combinations, and flagged those that work, they’ll move on to another site.

This sounds like a long, slow process but they’ll probably use a “Botnet” – a network of tens, hundreds or possibly thousands of hacked computers around the world that they have control over.

So, you should check “Have I Been Pwned” for both email addresses and passwords and if you’ve got a compromised password you should find the sites you use it on and change it – remembering to use a different one for each site.

Top 10 Passwords of 1018

Different, not similar – Password, PassWord, PAssword1960 and Pa55W0rd are NOT different to a cyber criminal. Criminals will also use these, and other variants of the world’s most popular passwords (2018’s shown in the image to the right) in their attempts to hack your accounts.

If you are concerned about your digital security, or need some help with your website, SEO or anything else online then just drop me an email, andy@enterprise-oms.co.uk , or give me a call on 01793 238020 for a free, no obligation conversation about your requirements

*Pwned – When a map designer in the online game called Warcraft beat another player he wanted to say “Player x has been owned”. Unfortunately, he mis-typed and actually said “Played x has been Pwned”. This is now a “thing”

Worries with WordPress and what happens if you don’t keep up with updates

WordPress LogoYou might have a website that’s been build using WordPress. No one will blame you, after all it’s free and has become probably the most used Content Management Systems (CMS) out there. In fact, in 2018 around one third of all websites were built on WordPress.

You might have built the site yourself or paid a developer to design and build it for you. You might not even know that your site has been built using WordPress.

It’s popular because it’s free and pretty easy to use – well it is when compared to some of the alternatives out there anyway. Although popular and free, it may not be the best and although it It is OK it does have a number of issues.

WordPress Editing screenBecause it’s so popular it’s become a top target for hackers. This means that the people behind WordPress have to be on their toes, always on the lookout for weaknesses & flaws that the hackers can exploit to break into a website and create mayhem. When the WordPress developers come across such a flaw they create a patch and release a new version of WordPress. As an example, the current version is 4.7. However within the next couple of weeks there will probably be a new version. 4.7.1 and then 4.7.2 and so on and so on and so on, releasing updates as and when flaws are discovered.

You and your web developer need to be on top of this by making sure that you’re running the latest version of WordPress. The newer versions, if setup properly, should update themselves automatically but you need to keep an eye on things just in case. Older versions had to updated manually, by clicking the ‘Update Now’ link so it all seems pretty straightforward. But it’s not!

Why things may not be as easy as they seem

WordPress MenuMost websites using WordPress use a number of Plug-Ins, small pieces of software that add extra functionality to the website and make it easier to manage. However, you need to exercise caution when updating – especially if you use a lot of plugins to manage different elements of your site because some of the plug-ins may not have been updated to work with the latest version of WordPress. This means that hitting the WordPress Update link might cause a plugin to stop working and this could break your website.

But what happens if you don’t update WordPress?

Well, you might find that your website gets hacked and will start to do things that you would’t want to be associated with. It could start to download malware to the computers of all the people who visit your site – siftwre that could monitor their keystrokes and pass banking details back to criminals in Eastern Europe or China, for example.

Or you could find – as one news website found out to their embarrassment – a lot of unsavoury spam being inserted into the first paragraph of every news story on their website.

Hacked WordPress pageHow did this happen?
The company were very lax – their site was built using WordPress and was last updated in June 2012. Since then, there have been 114 updates to WordPress, some to improve performance and some to improve security.

By failing to keep up to date this gave the hackers and “easy in”. The hackers were able to use automated tools to find websites using WordPress and to find out which version was being used. From there, it would have been simple for the hackers to target a known weak spot and break in. From there, it would have been the work of moments to install their own spammy code.

What should the website do?
It’s easy to cure – all they have to do is identify and delete the malicious software and then update to the latest version of WordPress, although they are so behind with their updates that they might find their site gets broken by the update so they might be caught between a rock and a hard place.

If you are worried about WordPress, then don’t hesitate to get in touch. Give me a call on 01793 238020 or drop an email to andy@enterprise-oms.co.uk for a free, confidential and obligation free chat.

4 plug-ins every WordPress site should have

WordPress Logo

A Content Management Systems (CMS) is a tool that business owners, web developers and others use to build their websites. There are loads to choose from, depending on your specific requirements, and WordPress, Joomla, Drupal, Magento, Umbraco, Squarespace, and Wix are some of the most popular.

If your website uses WordPress(WP) then you find yourself in good company. It’s by far and away the most popular CMS, being used by 32% of all websites. WordPress is popular for a number of reasons, the software is free (but you’ll still need hosting that will cost), it’s pretty easy to use and there are thousands of “themes” (designs and templates) that you can use to define the way your website looks and many of them are free to use. There’s lots of places you can turn to for advice and support and lots of professional developers who can customise your site so that is does exactly what you need.

Customising WordPress

WordPress is not perfect though, it may not do everything that you need. However, it’s an open system which means that if you understand how to write software you can create your own enhancements. You don’t even need to be a software developer to benefit. Somebody, somewhere has probably already had a similar need to yours and written something to do the job. Thousands of people have created additional enhancements and have made their tools available to everyone. These enhancements are called plug-ins. A lot are free whilst others require a payment, although the majority of these are inexpensive.

Plug-Ins

The downside to plug-ins is that each one you use makes your website run a little slower, and with Google beginning to penalise slow sites the speed of your website is something you need to keep an eye on. This means that you shouldn’t just keep adding plug-ins. You should make your choice, install your plug-in, give it a test and if it doesn’t do what you need then uninstall it.

Example of WordPress Menu

Not only should you keep your plug-in count to a minimum but each plug-in MUST be kept up to date. The authors regularly update them, some updates patch security flaws, some improve performance and/or add extra functionality and some updates are required to make sure the plug-in runs with the latest upgrades to WordPress itself – so you need to be regularly checking, unless you have a program that monitors then for you. Best case scenario is that nothing happens, worst case scenarios are that the unpatched plug-in breaks your website or a security hole lets a hacker in .

Three Ss and a B

Security, Speed, Search Engine Optimisation (SEO) & Back-up

Security

WordPress Plug-in Menu

Your WordPress site needs to be secure so that hackers can’t break in and do their hacking thing. Which could be to use your website host malicious software and force it on the computers of all that visit. They might create pages with links to their web pages, or look to capture details identifying visitors to your site. Thankfully, there’s a plug-in that will fortify your WordPress website against attack.

Speed

Your website has to be fast. To stop people drifting away, your pages need to open within 3 seconds. Slower that that and people will not wait. Slower than that and Google may start to penalise your site by pushing it down in their search results pages. There’s a plug-in that will keep WordPress running as fast as possible.

Search Engine Optimisation

In order for your customers to be able to find you in Google (or Bing, or Yahoo or one of the other search engines) the search engines have to be able to understand what it is your website is offering. The discipline that enables the search engines to understand your website and hopefully put your site on Page 1 of the results is called Search Engine Optimisation. There’s a plug-in that makes it easy to search optimize your site – so long as you know what you are doing.

Back-up

Hopefully you regularly back-up your business data. Well, you also should be backing up your website too. If you make an editing mistake and break your site, you can restore a working version, if something else breaks your website then you can restore a working version and if you have a problem with your host then a back-up will make it relatively easy to move your site to a new host. Guess what, there’s a plug-in for that too

So, which are the best plug-ins to use?

I can’t tell you that because there are thousands of the things but I can tell you which are the first ones that I install and configure on every WP website that I work with, in my mind they are essential and should be installed before you even think about developing your WP website

4 free plug-ins every WordPress site should have

WordFence for security

WordFence is a security enhancer. It is an “endpoint” firewall which means it cannot be bypassed, unlike a Cloud Firewall. This means that everybody trying to access the admin area of your site (both you as the site admin and the bad guys – the hackers) have to get past WordFence first.

It defends against “brute force” attacks, where a hacker attempts to guess usernames and passwords and after a certain number of failed attempts (you set the limit) it blocks the attacker, effectively making your website invisible to them. WordFence keeps a blacklist of known hackers (by their IP address) and automatically blocks them. WordFence also sends you an email when one of your plug-ins requires updating, making plug-in management a whole lot easier.

It scans your WP files for malicious software and if you need even more functionality (most users won’t) then the Premium version is just $99

Learn more about WordFence

Updraft Plus – for back-ups

Updraft Plus is a back-up plugin for WP. Now that you have secured your site from external threats you should look to guard yourself from internal problems, accidentally deleted pages, server/host issues, and (in the unlikely event of an intrusion) issues caused by hacking and penetration. It could even be something as simple as a WP, or plug-in, upgrade that breaks your site

To do this you need to be making regular back-ups of your WP installation and your content. Updraft Plus will do this for you. You can set a schedule so if you want an automatic hourly, daily, weekly back-up you just set the plug-in and it does the rest. You can even save your back-up to your Google, Microsoft or one of many other Cloud accounts,

Should you need to restore your WP site, Updraft Plus makes this easy too.

Find out more about Updraft Plus

WP-Rocket – for speed

WP-Rocket is the only plug-in on this list that doesn’t have a free version. However, the cost for a single site won’t break the bank at just $49.

What WP-Rocket will do for your website is make it faster to open on a visitors computer.It uses a number of tools to achieve this. It compresses your site for faster transmission across the internet, it manages images so that the only images downloaded are those that are visible on screen, if allows a web browser to cache key elements of your site so that they don’t have to be reloaded every time a visitor navigates to a different page. You can see everything that WP-Rocket does here.

Yoast – for SEO

In order to stand a chance of being found on the internet, your website needs to be “Search Friendly” which means that Google, Bing, Yahoo, Duck Duck Go etc can find your site, visit all the important pages, understand what’s on offer and (hopefully) put your site on the first page of the search results when someone is looking for your products, goods or services.

However, WordPress doesn’t make it easy and this is where the YOAST plug-in comes in to play. As long as you understand the requirements for effective SEO then the YOAST plug-in makes it easy to implement key SEO requirements.

Find out more about YOAST

So, there you have it, four essential plug-ins for your website before you start working on the design, the look, the feel and your content and if you need more help with your website, no matter what CMS you are using, your SEO or digital marketing then all you have to do is pick up the phone and give me a call on 01793 238020 or send andy@enterprise-oms.co.uk an email