Make your business Cyber Secure

In my previous post I wrote about the key Cyber Security threats that individuals and businesses of all sizes face. If you’ve not read it you can catch up here.

This time around I am going to review some of the key protective measures that you can take. Measures that will make your business harder to defraud, harder to hack and less likely to fall victim to Cyber Crime.

Let’s start with your website. Hackers around the world are queuing up to take over your website or to simply to bring it too it’s knees to stop it working so they can demand money to restore it to good working order. This latter approach is a Distributed Denial of Service attack – aka DDoS. (My previous blog describes a DDoS so I won’t replicate the description here, for brevity).

How do you stop a DDoS attack from bringing your website down

DDoS attacks are happening all around the world, right now, as you can see from this Cyber Attack screenshot

Chart of global DDos Attacks
From https://www.digitalattackmap.com

There are two approaches. You can choose a web host that has the necessary provisions in place to ensure that they have the connectivity and technology to make sure that DDoS attacks can’t prevent their web servers from running. They will use a variety of technology, including sophisticated firewalls, traffic filtering and DDoS defence systems. Not all web hosts offer such a high security level so you’ll have to shop around.

A better option, in my opinion, is to use a Content Delivery Network (CDN). A CDN uses many servers located around the globe. This means that if a single server location is targeted regular visitors are simply directed to the next nearest server, totally mitigating the threat. Another big benefit of CDNs is that they also mean that if your website targets different countries then visitors from those countries will connect to your web server that is closest to them – which ensures that your website is always delivered at the fastest possible speed – which benefits both the visitor and your SEO because no-one, not least Google, likes a slow website. Top CDNS are Cloudflare, Amazon Cloudfront and Microsoft Azure

Passwords

I know, I know, I am always banging on about Passwords but passwords are gateways in to PCs, Phones, Networks, your web host and so much more.

So, your gateway passwords needs to be really secure if you want to keep the hackers out – and you really do want to keep them out. You might think that there’d be no interest in your website but hackers are targeting every single website they can find. The UK’s National Cyber Security Centre recommend using a password comprising of 3 random words and a unique password for every site you access. I recently made a short video about this very topic

Firewalls

File:Gateway firewall.svg - Wikimedia Commons

A Firewall provides an impenetrable, unhackable barrier (provided it’s properly configured) between the internet and your computer or computer network.

Yes, Windows has a Firewall and it’s certainly better than having no firewall at all but, in reality, it’s about as much use as a chocolate fireguard. It’s just too easy to misconfigure, especially if you have a small network and have fiddled with the settings as you try to share files and folders from one PC to another.It might deter the casual hacker but won’t stop a determined one.

There are software firewalls that are provided by the same companies that sell anti-virus software. These are better than the Windows firewall but similar issues remain. Each device on your network has to have one installed and kept up to date.

A far better solution is to use a firewall appliance. A little box that goes between you, your internet router and the internet.

And talking about your router, the device that was supplied to you by your broadband provider. The router does include a Firewall but it’s a tad rudimentary, at best, and if you have’t set a secure password it will still be using the password and user name that it shipped with. This could be as daft as having “admin” as both the user name and password which makes as easy to access from the internet as it does from inside your home/home office or office.

And all somebody has to do is Google the make of router that’s used by broadband company X and the default user names and passwords are readily available. Targeted at those who might have lost their user manual but available to all.

These types of firewall are about as much use as a wall made of paper if you are running a business. It’s much better to invest in a dedicated firewall appliance.

The most popular are provided by Watchguard, SonicWall, Cisco and these prevent computers and networks from a wide range of Cyber attacks.

My set up looks like this. My office provider uses a Watchguard firewall in their comms room. I have a D-Link firewall in my office AND use the Windows firewall on my computers

VPN

Anonymous Collective Secret - Free photo on Pixabay

Imagine the scenario. You are in your favourite coffee shop and need to jump on their free Wi-Fi. You spot the password on a tent card on your table and fire up your laptop/Chromebook/tablet/phone and search for the Wi-Fi. There it is, right at the top “FreeCoffeeShopWiFi”. You click, you enter the password and you’re away.

You log in to your office email account, then your private email. Then a quick check of your bank account confirms that you have enough to buy that latest thing you’ve been after.

Later that day you check your emails. There’s an unexpected one from your favourite shopping site confirming a change of password – not something you remember doing – so you check your bank account. It’s empty, drained of everything while you were finishing your coffee.

What’s happened? When you logged in to the coffee shop WIFI you weren’t logging in to the legitimate account. Somebody had set up a clone inside the coffee shop, which you found and logged in to. The person behind the clone was “sniffing” all of the traffic going through their portable WiFi hotspot that they’d set up and were merrily pulling off websites, user names and passwords and happily started to spend other people’s money, including yours. This is known as a man-in-the-middle attack.

Could you have prevented it? EASILY.

File:VPN overview-en.svg - Wikimedia Commons

Just get yourself a VPN, they’re inexpensive but provide a very secure way to access the internet. Simply put, a VPN creates a secure, encrypted, private tunnel between your device (phone/tablet/laptop etc) and the destination website, (bank, email account, online shopping site etc). It doesn’t matter whether you are on a genuine account or a cloned account, your tunnel can’t be broken in to, your data is secure.

Another use of VPNs is when you work remotely and needs to access office files, remotely. A VPN will secure the data that moves between your office and your device and keep everything safe.

You might also use your VPN at home, just in case your neighbour is on your WiFi and “sniffing” your data.

And, finally, if you want to appear to be in a different country – let’s say you are on holiday abroad and want to watch BBC iPlayer content that is only available in the UK – you can use a VPN to give you a “point of presence” in the UK. Your VPN makes it look as though you are in the UK when in reality, it’s just the end of your VPN connection.

If you subscribe to a Google business service then you have free access to a Google VPN on your phones and tablets. If you don’t want to use that then some of the best are provided by ExpressVPN, TunnelBear and StrongVPN.

I use TunnelBear but am not an affiliate so if you sign up, there’s no benefit to me just added security for you

Not clicking

Phishing, SMSmishing and SpearPhishing emails are mainly designed to make you click on a link to visit a genuine looking but fake website where your log-in information can be harvested.

I’m going to be blunt – DON’T CLICK. If you think the email may be genuine you can either contact the sender (by phone or with a fresh email – not a “reply”) and ask them for clarification. If it’s a link to a website then enter the domain name yourself in your web browser, don’t click on the link in your email, don’t “copy” the link but DO hover over the link in your email program (it will have been designed to look legitimate) but hovering your cursor over it will show you where the click will actually go. It might look similar to the pukka site but won’t be. If the proper URL is company.com the fake address could look like company.com.fakesite.eu or company123987.com, for example.

Even if you believe the link to be valid, don’t click on it but either enter a URL you KNOW in your browser or search for the company. 99% of the time you’ll see that that your email is a fake, an attempt to extort you.

Fake News and Fake Reviews

Although you can’t prevent third parties from posting Fake News and Fake Reviews about your company, you can be on the lookout for the posts so you can take remedial action. Use tools such as Google Alerts and Drumup.io which can conduct keyword searches for your brand and alert you by email when something turns up that uses your brand or company name. Then you can see where the article has been posted and review it. If it’s obviously fake news you should post a reply AND contact the host of the review platform and advise them of this

Hacking

What can you do to prevent your devices and networks from being hacked?

File:Wallpapersden.com anonymous-hacker-working 1280x720.jpg - Wikimedia  Commons

You can use a Firewall to provide a secure “wall” between your network and the outside world. You can make sure that you have changed the default user-name and password and use a hard to crack password – something like the three random words recommended by the National Cyber Security Agency.

You should use biometric access controls, fingerprint or facial recognition on your phones, tablets and computing devices. You should be wary of emails and their attachments.

Ensure that your anti-virus programs are up to date and that Windows is allowed to keep itself up to date too.

You should consider encrypting your data, so if it is stolen then it won’t be of any value, or use, to anyone and you also need to be regularly backing up your computers and servers. AND don’t forget to regularly check that you can restore your backed up data. There’s nothing like finding out that your backups are corrupt, or discovering that you’ve not been backing up what you thought was being backed up, when you lose data. It’s too late then.

And finally, train your staff and keep their training up to date so they know how to identify potential threats and to whom they should share their concerns with.

Insider Threats

Office staff having a meeting
Office staff having a meeting

Insider threats are the most insidious. By definition, it’s people who you trust. So what can you do?

You should control what they have access to. Nobody outside the Accounts department (with the exception of some board members) needs to have access to financial systems, and files. Nobody outside of Sales needs to have access to details of ALL clients at all stages of the sales process. Give a lot of thought to who can see, and access, what.

Work hard to know your staff. Talk to them. Understand what makes them tick, their personal situation, without being creepily intrusive. Join conversations “around the water cooler”. Have an “open door” policy so that your people know they can bring their concerns to you.

You should also have a very clear policy on BYOD (Bring Your Own Device) where people are permitted to use their personal phones, tablets and laptops and can connect them to the company networks and Wi-Fi. Yes, it’s a great way to save money by allowing people to use their own equipment but it opens up a whole host of risks.

  • What are they taking home with them to “work” on?
  • What websites do they visit during work time whilst connected to the company network?
  • What security protection are they using on their private devices?
  • What Social Media platforms are they on whilst in company time and on the company network
  • What policies are in place to manage their use of external memory devices (such as USB sticks and external hard drives)
  • What files and folders can they access

Ultimately, you might decide that the risk is not worth the saving and simply provide all the equipment and tools that your people need to be able to do their job.

USB Memory

USB Memory Stick

As discussed in my previous Post, “Top Cyber Security Threats to YOUR Business“, USB storage devices can be an absolute nightmare. You must have a policy in place that covers how they are used. How/whether your employees can use their own, what the policy is in relation to found devices. How you will manage lost devices that might have company information on them and an overall policy with regards to USB ports.

I know of many companies that have simply banned the use of unauthorised USB connections (remember, connecting a phone or tablet to charge it means that device can also be used as USB storage to remove data or introduce a virus).

I even know of one business owner who used superglue to ensure that absolutely nothing could be plugged in to the majority of computers and servers in his business. Even I agree that that was an extreme solution but I get his point.

Ransomware

Ransomware normally arrives either as an attachment on an email or via a link contained in an email so, good email security and data hygiene will minimise the risk from this threat

Viruses, Trojans and other Malware

A computer keyboard & virus targeting Cyber Security on your computer

Again, most viruses and trojans infiltrate a business via attachments on Emails and links in emails. The attachments might look like PDFs, Word or Excel documents or pictures but they won’t be. They will either have embedded macros (Word, Excel etc) or mask their true type. Something that looks like picture.jpg might actually be picture.jpg.exe – a file that will be run when clicked rather than a nice picture that will open when clicked.

And rogue USB devices remain an ever present threat.

Avoiding a lot of these threats comes down to good email security and data hygiene although this will be reliant on good training, regular updates and reminders.

You might have a decent anti-virus application running on all devices (including phones and tablets) but it’s a constant war. The cyber criminals are always on the lookout for ways to circumvent security software so you still need to be alert to the threats.

And Ditch Microsoft Windows

Yes, I know. It sounds almost like heresy, but Microsoft does have a bit of a reputation for insecurity. Yes, it’s better than it was but, as the most popular operating system, it’s also the most popular target for hackers. It even has it’s own day of the week – Patch Tuesday, when all manner of updates are released, including security fixes. Apple Macs are better. However, as sales increase so does the hackers interests and it’s not as secure as some would like you to think.

So is there a solution?

Linux - Wikipedia

Yes, it’s called Linux. It’s been around more than 30 years, is properly free and very secure.

But don’t you have to be a bit of a geek to install, and use a Linux machine?

Nope, not these days. For most, it’s as easy as installing Windows AND it even looks, and works, a lot like Windows because that’s what we’re all used to. I run a Linux machine in the office and it’s uses Linux Mint – which is probably one of the easiest to come to terms with. And you can learn more about Mint, download it and learn how to install it here. Another popular Linux distribution is from Ubuntu and you can run Ubuntu from a USB stick if you want to give it a try without installing – oh and you can also create dual-boot scenarios where you can keep Windows, install Linux and simply choose which one you want to run when you boot your PC.

I am not a cyber security expert although I’ve done my fair bit, especially when working in IT support, and I do my best to stay up to date so feel free to send any questions you might have to andy@enterprise-oms.co.uk or give me a call on 01793 238020 or 07966 547146, Tweet me @AndyPoulton or contact me on LinkedIn and if I can’t help, I know some real cyber security experts that I can put you in touch with.

Thanks for reading and if you need help with your #SEO or any other element of of your digital marketing, please don’t hesitate to get in touch.

Andy Poulton
Chief SEO Officer
Enterprise Online Marketing Solutions

Top Cyber Security Threats to You & Your Business.

We are living through troubled times. Covid seemed to be under control, we were learning to live with it and we were starting to look forward to a quieter 2022.

And then Putin invaded Ukraine!

Computer log-in screen. Reduce the Cyber Security risk with strong passwords.

As a result of sanctions imposed on Russia by the West I have no doubt that the professional Russian Cyber Criminals have ramped up their activities. Not only to attack Ukraine but to attack western institutions for having the temerity to support Ukraine and actively punish Russia via sanctions.

I thought that my next two posts should focus on possible cyber security threats that this will pose. Why two posts? Simple – length and volume of information make it easier to take in of it’s split in two.

The first post, this one, will look at the threats we face as individuals and businesses when we use our computers and the internet. The second will took at ways that we can protect ourselves, and our businesses.

Although 100% security may be prohibitively expensive for SMEs most of us can do more to secure our data and reduce the risk from infiltration, theft, misuse and other malfeasances.

So, without further ado, let’s take a look at the top Cyber Threats that can be used against us, right now.

Distributed Denial of Service – DDoS

A DDoS attack is designed to bring a website, or internet connected system, to a standstill. Simply put, the Cyber Criminals will have gained access to a Botnet ( a network of internet connected devices that they have control over without the computer owners knowledge). They then issue commands to the Botnet to visit a given web address. When thousands of computers try to access a website the website grinds to a halt.

It’s analogous to closing a busy motorway and diverting all of the traffic on to a single lane, country, road. Very soon the road will be so full of traffic that everything grinds to a halt.

When the target website, or service, comes to a stop the hackers approach the website owners and demand a ransom payment, threatening to continue making the website unreachable until the ransom is paid. The busier the site the more it costs for it to be unavailable and the faster the owners are likely to pay.

As an example of this, in the last couple of years a major, online, bookies website was targeted. It was brought to a grinding halt for about 10 minutes. The criminals then contacted the company and identified themselves as the cause of the website failure. They demanded a ransom and threatened to bring the website to a halt over a significant betting weekend (Cheltenham Gold Cup weekend to be precise). For obvious reasons, it’s unknown whether the betting website paid up, or not.

Fake News

Fake news is insidious. Whenever something controversial happens there will always be people posting fake news, and reporting fake news, with the aim of either reducing the apparent severity of reported activity or distracting the news consumer, encouraging them to take their eye off the real story and try to get them to look elsewhere.

Fake news is difficult to ignore, by intentional design, and creeps in to every area of the media.

At a business level, it could be a competitor who posts positive fake news about themselves, to make them appear better than they are, or someone posting negative stories about your business hoping that they can reap the rewards.

Fake Reviews

Like Fake News, Fake reviews go two ways. Competitors, or people with a grudge, publish negative reviews on places like TrustPilot and Google reviews. Not only does this impact the public’s perception of your business but it can have a negative effect on your SEO, especially when it comes to Google Local, where part of Google’s decision making process is the quality of your reviews in comparison to your competitors.

The other way is for your competition to post fake, high quality reviews of their business to boost their business at the detriment of yours.

Hacking

Hacker Inside, like the "Intel Inside" logo - for Cyber Security

Frequently imagined to be conducted by aggrieved teenagers hacking/cracking websites from the depths of their bedrooms, hacking has evolved in to a massive industry. It’s escalated in to an activity that’s carried out at all levels, all the way up to state sponsored hacking where individuals & organisations are paid by, sponsored by, or simply work for, a county or an organisation.

At the state level they look to attack the infrastructure of a foreign country using the internet as their weapon. The goal being to take services off line, for example. Imagine an attack on a country’s power supply network that could just switching the electricity off.

At the business level, hackers look to break into individual computers, servers or networks. This would provide access to confidential information and intellectual property.

Imagine that you invented something that stood to give you an incredible competitive advantage and make your company a lot of money. Hackers could break in, steal the data and sell it on. It’s believed, for example, that the Chinese government had access to the secrets of US military giants for years. This enabled them to modernise the Chinese military far faster than if they had to do all their own research and development.

Hacking could also be used to plant false information on servers. Imagine a knock on your door, by the police, with a warrant for pirated material (or worse). They take control of your network – banning your people from it and bringing work to a halt – whilst they conduct their examinations to find said material. Whether they find anything, or not, you’ll be prevented from working for days, weeks, months, possibly years while they conduct their examinations. And if there’s whisper of wrongdoing to the media, whether ultimately proven or not, justified or not, your reputation could take a massive hit, from which it might prove impossible to recover from.

Insider threats

Insider threats are probably the most insidious because they are carried out by people you trust, your employees or partners. As well as stealing from you, someone inside your organisation could also conduct a cybercrime against you. It might be as simple as deliberately installing a virus from a USB stick (for accidental virus installation see “USB Sticks and other forms of removable/portable storage“) or opening up your firewall to external intrusion (see Hacking).

Without proper tools and tracking in place you’ll probably never find out where the problem came from, which could lead to repetition once you fix the problem for the first time

Malware

Malware is a generic “cover all” term for malicious software. It has been reported that Malware affects 32% of global computer systems. The goal of malware is to infect your computer system with malicious software with the aim of slowing down, or stopping, your computers and network.

As with a lot of other attacks, businesses that are affected by malware are likely to be approached by the perpetrators who will demand payment to stop the attack.

Phishing

Phishing is an attempt by an unknown third party to persuade to you voluntarily hand over essential log-in credentials for critical web sites (think of your banking info as a single example).

It starts, typically, with a genuine looking email that lands in your inbox, purporting to come from a trusted source. The email will contain a scary message encouraging you to log into your bank account, for example, because failure to do so would see you being “locked out of your account due to a security risk”.

To make it easier, the email also includes a “Click here” link. You click, you arrive at a page that looks like your bank, enter your user ID and password but you can’t log in.

And you can’t log in because it’s not your bank. If smart, the Phishing site (because that’s where you are) will automatically forward you to your actual bank page where you’ll try to log-in again, convinced you made a typo first time around, and this time, you get in to your account.

In the meantime you will have confirmed to the Phishers that you have an account with the bank they targeted AND gifted them your user ID and password. Even though most banks now require an additional form of authentication, getting the first two parts of the authentication chain is a great place to start.

Ransomware

Ransomware is the generic term that covers a wide range of attacks on computer systems with the aim of preventing their effective and proper use. The expected resolution is the payment of a ransom to make the attack stop. The only problem with this is that the criminals are passing on the details of companies (and individuals) who paid up on the premise that they paid once, so will probably pay again.

SMishing (SMS Phishing)

A SMish attack is an attack that starts on a mobile phone. The Cyber Criminals send you an SMS message that will encourage you to click on a link in the message. The link will take you to a website that has been set up to collect critical ID information. This might be bank account details in “payment” to “release” a parcel that’s been held up at the couriers, for example.

Spear Phishing

A Spear Phishing attack is like a Phishing attack but more focused. The criminals won’t be targeting random individuals but will have done their research and will target named individuals within an organisation.

The targeted person (let’s say they are a manager in accounts) will be sent an email, purporting to come from an internal department, asking for an expedited payment to XYZ company for ABD services/supplies/components etc. The payment is made – only it’s not for services etc it simply goes straight in to a bank account operated by criminals.

Trojans

A Trojan attack, named after the Trojan Horse of Greek mythology is where a criminal distributes a piece of software that looks legitimate but harbours a nasty surprise. You’ll typically find Trojan Horse software on the internet, hiding behind hacked websites. You might search for something specific, picture editing software, for example, and come across a website giving away something that seems to do everything you need – for nothing.

Keyboard with "Help" instead of an Enter key for Cyber Security

You click, after all it doesn’t cost anything so where’s the danger. These’s no demand for bank or credit-card details and it doesn’t cost anything so you click to download. After all, where’s the risk?

You download the software, navigate to your downloads folder and click to install. You screen might go blank for a very short time but soon comes back. There’s no evidence of anything being installed, or anything else happening, so you assume the download is broken. Do you download it again or try something else? Most people will look for something else but the damage has already been done.

In the background, unbeknownst to you, the malicious software has installed itself, and hidden itself so there’s no record of it’s installation. If clever, it might even have disabled your antivirus protection too.

Your computer might now be added to a Botnet to be used in DDoS attacks or might be capturing every keystroke you make – including credit card and banking details, and surreptitiously send them back to the criminal who distributed the software,

USB Memory Sticks and other forms of removable/portable storage

Occasionally, when out and about, perhaps enjoying a coffee in your favourite coffee shop, you might come across a USB memory stick or memory card that someone has “forgotten”. You might ask at the counter whether they know who left it behind but they probably won’t have a clue so you take it back to the office, or your home.

Laptop surrounded by a wall for Cyber Security

Gleefully, you insert this new trophy into your computer, perhaps to see how large it is, perhaps to see whether you can determine the identity of the owner in the hope that you can return it to them. Or you might simply want to be nosey and see what’s on there.

Whatever your reason, it’s too late. The software that was set to autorun when inserted in to a computer has installed itself on your PC and is now running maliciously, in the background. Either letting an unknown third party take control of your computers and network or sending all your keystrokes back to some criminal.

Virus

Computer viruses are the most common form of cyber security threats out there. They land on your computer as an email attachment that you have been encouraged to click on (perhaps an innocent looking document for example) or pushed down on to your computer when you visit an infected website. As with other threats, you won’t necessarily know you have been infected until they do their dastardly deed. The smarter viruses can circumvent some of the best anti-virus systems and can remain hidden whilst they conduct their criminal actions. Stealing data, monitoring keystrokes and feeding them back to a cyber criminal, for example.

What should you do

Part two of this email will go in to preventative and detective measures in more detail. However, for now, the guidance is simple. Trust no one. Any email that arrives that has a hyperlink or an attachment, no matter who it comers from, should be considered suspect. Don’t click the link or the attachment unless you trust the source, were expecting it or have validated it in a different way.

Don’t plug-in “found” USB drives and memory cards, don’t visit websites on a whim and make sure you keep your anti-virus software up to date, allow Windows (if you are a Windows user) to install Windows updates and please , please, please make sure your firewall is up and running.

And finally, the pitch.

If you need help with your Cyber Security I can help and can even point you in the direction of a really excellent Cyber Security company if you need more in-depth help and support.

Get in touch – even if it’s just for a free consult. You can call me on 01793 238020 or 07966 547146, email andy@enterprise-oms.co.uk or book a slot using my calendar and we’ll take it from there

National Cyber Security Month

October is National Cyber Month.
What is National Cyber Security Month?

National Cyber Security Week

Threats of Cyber Crime from Cyber Criminals continue to increase and we all need to be increasingly alert and focussed on the threats, the impact they could have on our lives AND the things we can do to minimise the risk to ourselves and our businesses.

Red spot on code

National Cyber Security Month 2021 has the overarching theme “Do your part. #BeCyberSmart” and looks to empower individuals and businesses to own their role in protecting their part of cyberspace.

If we all do our part then we will all benefit from a safer place to live and be in a safer place to do business. Not only that but we’ll also be denying the cybercriminals the space they need to extort, employ fraud and generate the money they lust after.

How can we contribute?

We can all look to implement stronger/better security practices such as not clicking links in emails, not opening emails from people we don’t know or even opening emails we weren’t expecting. We can install security software on our phones, our tablets and our computers. We can use stronger passwords, and make sure we use unique passwords for EVERY application.

Each week, National Cyber Security Month will have a different focus, starting with Week 1 – Be Cyber Smart

Week 1, Starting October 4 – Be Cyber Smart

log on box

Our lives are increasingly intertwined with the internet and the World Wide Web. Pretty much all personal and business information is stored on internet connected platforms.

From banking to social media, from email to SMS, from phone and video calling to watching TV and listening to music and beyond.

The internet simplifies some areas of our lives and makes it more complex in others but the one, overarching common factor, is the need for a strong level of security to keep our data safe.

That’s why Week 1 of National Cyber Security Week focuses on the best security practices and “cyber hygiene” to keep our data safe, owning our role in Cyber Security and starting with the basics. That includes using unique, strong, passwords and making sure that we use multi-factor authentication (2FA) where it’s available, preferably avoiding SMS (text Message) authentication where possible.

Week 2, Starting October 11 – Fight the Phish – Trust No One

Phishing attacks, where emails and text messages are sent containing web links encouraging you to click the link, visit a website set up by cyber criminals and enter your user names and passwords are still on the increase. Why are they on the increase? Because they work. People see an email that purports to come from their bank, HMRC, DVLA, Post Office, BT etc. and are given a warning claiming that the recipient needs to do something NOW or they will be locked out of their account, will be arrested, won’t have an order delivered …. or one of many other ruses. You click the link and either have malicious software sent to your computer without your knowledge and approval or give away user names and passwords to cyber criminals, enabling them to access your personal accounts and to steal from you.

The X-Files mantra of “Trust No one” applies here. Any email that contains a request for such information should always be approached with caution and, if you have even a small inkling of concern, then simply open your web browser and visit the website of the sender to check out the veracity of the email.

Week 3, Starting October 18 – Explore, Experience, Share

Week three focuses on the National Initiative for Cyber Security Education (NICE), inspiring and promoting the exploration of careers in the cybersecurity sector. Whether you are a student or a veteran or seeking a career change, this week is all about the exciting, ever changing, field of cyber security, a rapidly growing business sector with something for everyone

Week 4, Starting October 25 – Cybersecurity First

The last week of National Cybersecurity Month looks at making security a priority. Actually taking a Cyber Security First approach to designing and building new products, developing new software, creating new Apps.

Red spot on code

Make Cyber Security Training a key part of onboarding when taking on new employees (and, at the other end, making sure that technology rights are revoked when people leave organisations).

Ensure that your employees are equipped with the cyber secure tools that they need for their jobs. If you practice a BYOD (Bring Your Own Device) policy, allowing employees to use their own phones, tablets and computers then you need to ensure that the cyber security deployed is as strong as that on equipment that you provide.

Before buying new kit, or signing up to a new service, do your research, check the security. Is it secure enough? Can it be made more secure? Can it be remotely wiped? Who has control? All of these questions, properly answered, will ramp up your cyber security defences and help keep the cyber crims at bay

When you set up new equipment, that new phone, tablet or laptop, I know it’s exciting but please invoke the Cyber Security first, don’t leave it until last – it might be too late. Make sure default passwords are replaced with something secure and lock down those privacy settings.

Cyber Security MUST NOT be an afterthought. If it is, you could find yourself paying the price

And if you need some help, you can always ask me. I might not know the answer but I know people in the Cyber Security industry that I can put you in touch with. Email andy@enterprise-oms.co.uk, phone/message me 07966 547146, call 01793 238020 or message me on Social Media and we’ll get it sorted.

Living through Corona virus times

Email marketing, SEO, Blog and Social Media images

Times are tough, I know but having worked with companies through 3 recessions I know that some will thrive, some survive and others go to the wall.

Some will fail no matter what they do but for a lot of companies there are alternatives.

You can accept the status quo and roll with the punches OR you can fight for your survival.

My experience is that those who fight for their survival will come through the current situation fighting fit and with a great chance to thrive because they will be better than they were and they’ll be ready to leap on opportunities that have been left begging by those who simply accepted the status quo.

So FIGHT for your business and if I can help – get in touch.

Book a free 40 Minute, remote, consultancy

I have demonstrable success in the fields of SEO, Social Media, Email Marketing and much more.

All you have to do is get in touch for a free chat by LinkedIn message, email (andy@enterprise-oms.co.uk) Zoom, Webex, Skype etc

Ring Me:      01793 238020      07966 547146
Email Me:    andy@enterprise-oms.co.uk
Find Me:      Linkedin     Twitter
Visit Me:      Bowman House, Whitehill Lane, Royal Wootton Bassett, Wilts, SN4 7DB

Why would anyone want to hack my website?

log on boxWith the news that 30m credit and debit card details from US customers and over 1m sets of card details belonging to visitors to the US, have been put up for sale on the Dark Web following a malware attack against US convenience retailer Wawa I thought I’d take time out to explain why small businesses are just as at-risk from hacking as large organisations.

But first, let’s take a look of some of the major security breaches that occurred last year. According to Risk Based Security’s Data Breach Report there were 5,183 breaches by the end of September 2019 alone. These exposed more than 7.9 billion records. This was a 33.3% increase on the same period in 2018.

Here are some of the worst breaches.

  • Orvibo Smart home products – 2 billion records discovered on an unprotected database. These comprised of private individuals, hotels and businesses who were using Orvibo’s smart home devices. The data included email addresses, passwords, user names, family names and addresses.
  • Dream Market Breach – 617m online account details stolen from 16 hacked websites, including MyFitnessPal (151m). Data stolen included user names, passwords and email addresses.
  • Canva – 139m records stolen, names, user names, passwords, email addresses and location.
  • Capital One – 106m records hacked with names, addresses, credit scores, email addresses, dates of birth and more stolen.
  • Words with Friends – 218m records stolen, including names, email addresses, passwords, phone numbers and, where linked, Facebook ID info

However, these are just some of the ones that hit the headlines. Thousands don’t,  particularly attacks on smaller businesses. Research indicates that nearly 70% of SME’s experience cyber attacks (Ponemon State of SMB Cyber Security 2018) but why SMEs?

I talk to many people who believe their businesses are too small to have anything of value to the hackers. However, the truth is that they are too small to have a dedicated cyber security officer/specialist and so are easy targets.

Let’s take websites – most businesses use WordPress – over 1/3rd of websites use it. There’s nothing wrong with WordPress but, as the world’s most popular web development tool, it is also the hackers main target. (A bit like the way Windows is targeted compared to Apple’s operating system – its all in the number of targets)

WordPress is pretty secure and there are Plugins to make it more so BUT you have to keep everything up to date. Keep WordPress up to date, keep your plugins updated too because if you don’t you might be leaving holes in your security for the bad guys to exploit. 

But why would they?

  • Small companies are frequently connected to larger organisations and they might be a way in
  • Hacked systems can store illegal material
  • Hacked systems can be used in attacks on other websites (DDoS)
  • Hacked systems can host Malware
  • Hacked systems could provide access to valuable Intellectual Property
  • Hacked systems could provide easy access to other valuable data

Malware

Safer Internet DayImagine you have a reasonably popular website. Hackers will look to gain access to your site and plant malware on it that will automatically download (and install) itself on the computers of everyone who visits your website. The malware could allow the hackers to record the keystrokes of infected machines, could enable the hackers to take remote control of infected machines or turn them in to storage depots for illegal material.

Imagine how your reputation will suffer when this comes to light. 

  1. Keystroke recorders
    A keystroke recorder does what it says on the tin, it records every single keystroke made on a keyboard and secretly transmits it to a malicious 3rd party. This could be bank/card details, online shopping details, log-in user names and passwords, and much more
  2. Remote Control – DDoS (Distributed Denial of Service Attack)
    With the ability to remotely control your PC, and hundreds or thousands of others, malicious 3rd parties can “take down” target websites simply by overwhelming them with more web traffic than the website can cope with. Remember what happens to the Glastonbury website when the tickets are released – although not malicious the number of people desperate to get their tickets tend to bring the website to its knees as soon as tickets are made available

    Imagine a bookmakers website going off line a week before a major betting event. They’d be contacted by the Cyber Criminals who will admit responsibility. The bookmakers will then be told to “pay up” or their website will be blocked again, much closer to “big day” and prevent bets being placed.
  3. Illegal data storage
    Imagine the scene. There you are working in your office and there’s a battering ram through the door followed by police storming in with a warrant to take ALL of your computing devices. Your business will grind to a halt but why have you been targeted? Simples, as the meerkats say – the police have identified one or more of your computers/servers as the source of illegal material. This could be pirated software, music, films or worse. In the worst case scenario this information hits the local (and possibly national media) and your reputation is trashed. And you may not even have been at fault!
  4. GDPR
    Under all of the above scenarios you’ll probably have to report the matter to the Office of the Information Commissioner (ICO) under GDPR. After investigation, If your security and procedures are found wanting then you might be liable for a fine. GDPR states that fines can be up to 4% of your turnover, and that’s no laughing matter

How do I prevent this happening to me

No security system is 100% watertight, there are just too many variables and access points. The closer you get to 100% the more expensive it becomes to close those last few security percentage points. However, like home security, your job is to make sure that your security is as good as it can be so that the bad guys choose an easier target.

Get in touch with a good IT company or Cyber Security company or you could #AskAndy. Drop me an email – andy@enterprise-oms.co.uk or give me a call on 01793 238020 and we can start the ball rolling. I know that I’m not a security consultant but I know quite a bit and can always point you in the direction of a trusted third party if you need more help.

How clean is your keyboard?

One of my earlier posts was about the cleanliness of your phone, that’s your mobile rather than the phone on your desk, if you have a desk and still have a phone on it, that is.

If you do still have a desk there’s a good bet that it has a keyboard on it, either a laptop or regular desktop keyboard. I just hope it doesn’t look like this one.

Turn your keyboard upside down and give it a little shake to see what falls out. For a lot of people it’ll be a mix of the following

A very dirty keyboard
  • Dust
  • Dead skin
  • Breakfast
  • Snacks
  • Lunch
  • Sometimes dinner

Grossed out yet? You might be after you read this.

Consumer group Which? tested keyboards at its London office found keyboards regularly carrying bugs that could cause food poisoning

They tested 33 keyboards by taking a swab and sending the swabs of to be biologically tested for bacteria Four of the keyboards (12.2%) were regarded as a potential health hazard whilst one of them actually had five times (yes 5 times) more germs than one of the office’s toilet seats.

Even more disturbingly, tests from a survey carried out by the University of Arizona found that the average desktop actually has 400 times more bacteria than the average toilet seat and, apparently, women’s desks were worse than men’s.

Chicago’s North-western Memorial Hospital found two deadly drug-resistant types of bacteria (vancomycin-resistant Enterococcus faecium (VRE) and methicillin-resistant Staphylococcus aureus (MRSA)) could survive for up to 24 hours on a keyboard, while another common but less deadly bug (Pseudomonas aeruginosa) could survive for an hour.

One of the microbiologists said “your keyboard was often a reflection of what is in your nose and in your gut”………

How to clean your keyboard

It’s a good idea to give your keyboard a regular spring clean (and not just in the spring). Start off by shutting down your PC. Don’t put it to sleep, or stand-by, you’ll wake it up when you start.

Some keyboards are waterproof – if you are lucky enough to have one of these then just pop it in to the dishwasher……BUT CHECK FIRST

If not but you have access to a can of compressed air, then use that to blow debris out from between the keys. If you don’t have a can of air you can just turn your keyboard upside down and give it a gentle shake to get all the crumbs out.

Now get a cotton bud and dampen it with water or rubbing alcohol and use it to clean between the keys.

You can also use silly putty

Finally, gently wipe your keyboard soft, lightly damped link-free cloth and finally, finish off by disinfecting with alcohol wipes.

Alternatively, you might be able to pop the key-caps off and wash them separately. However, make a note of where the keys go first. I can remember the time when a former colleague decided this was a great way to clean his keyboard so he popped all the key caps off and washed then in a bowl of warm, soapy water. Once clean he left them to dry and then was faced with a lot of little places where the key-caps belonged……..but he didn’t have a clue which ones went where so ended up buying a new keyboard anyway

Suddenly it makes sense to keep a packet of alcohol wipes in your desk drawer

Obviously I can’t help you with the cleanliness of your desk and keyboard but I can help you with the cleanliness of your SEO, Social Media and other forms of digital marketing so if you’d like to talk about your online marketing then just pick up your phone (wipe it first) and give me a call on 01793 238020 or email andy@enterprise-oms.co.uk

How clean is your phone

Hands texting on a smartphoneI’m not talking about any dodgy apps that you might have, nor any “adult” websites that you might have bookmarked but I’m talking in a hygiene sense.

According to research the average person touches their phone nearly 3,000 times A DAY and the heaviest users touch their phone over 5,400 times, each and every day.

After all, our phones are with us for up to 24 hours a day. At home, at work, on the street, in the car and, ahem, in the bathroom/toilet. Now think about all the things you touch during your average day. Let’s start at home with door handles, who else has used them? Did they wash their hands? Are they well or unwell?

Now let’s go to work. You pop your phone in your pocket or handbag – what else has been in there? It’s dark, warm and humid, a lovely breeding ground for bacteria.

You might open your car door or get on public transport. In the case of the latter, what do you touch in the station, on the bus/train/taxi?

You’ve arrived at your office and casually pop your phone on your desk. A desk which, according to a study by the University of Arizona, has hundreds of times more bacteria per square inch than an office toilet seat. And this could be your smartphone’s home for  40 hours a week,

Now it’s time for your morning coffee so you head off to the kitchen….who has used the kettle/coffee machine, coffee jar, sugar jar etc.

Toilet with the toilet seat upHow about a comfort break – who has opened the toilet door? Are you one of the 61% of people who regularly scroll while on the toilet (report from the Daily Infographic) because 1 in 6 phones are contaminated with faecal matter? 

Who opened the door to leave the toilet, were they unwell? Did they wash their hands properly? You may as well not bother washing your hands after that visit.

And as if that’s not bad enough, there’s everything else you could touch during an average day, cash machines, PIN entry pads in shops and filling stations, keys, door handles, pens, credit/debit cards, coins, bank notes – how clean are those? Where have they been? It’s almost enough to make you go cashless isn’t it!

Finally it’s the end of the day and time to head home. You put your phone on the kitchen worktop. This should be clean but how about your dining table, your coffee table, side table and bed-side table? How clean are they?

At any time of the day your phone might ring, or you want to make a call. You take your bacterial soup of a phone out of your pocket/bag and hold it to your face transferring bacteria that could give you spots, or worse. It might even touch your mouth and some of the bacteria could then transfer orally, getting inside your digestive system.

A microscope's view of bacteriaAccording to a study published in the journal, Germs, your phone is up to 10 times dirtier than your toilet seat, TEN TIMES! You always wash your hands after going but do you wash them between touching your phone and eating food?

This is a major issue because few of us bother to really clean our phones (wiping the screen doesn’t count). The germs keep building up. 

Studies have found serious pathogens on smartphones, E-Coli (great for upset tums), influenza, Streptococcus and MRSA (cause of rashes and skin infections) – which is a type of bacteria that is resistant to several antibiotics. 

So, the next time you have a spot or rash on your face or go down with an upset tummy or the flu, don’t look at who you’ve been in contact with recently, take a long hard look at your mobile phone.

What should we do? Well, you can buy anti-bacterial cleaning packs specifically designed for electronic devices, or you could use standard rubbing alcohol and a soft cloth or paper towel. Use cotton buds to get in to those nooks and crannies and, finally, don’t forget to take your cover off and clean that too.

Now, I can’t help you with your phone hygiene but I can help keep your SEO nice and clean so why not get in touch, 01793 238020 or andy@enterprise-oms.co.uk and we can have a chat about SEO, Social Media or any other form of digital marketing.

Why worry about Accreditations?

I do a lot of work for an IT support company in Bristol – Bristol IT Company – and at the bottom of their website is a list of badges, icons and logos, there’s a couple of ISO related ones and the rest come from well known (and less well known) brands in the IT sector but why are they there and why should you be concerned?

Bristol IT Company accreditationsWell, ISO’s easy, it’s a way of demonstrating a certain credibility by being assessed every year to ensure that we remain up to scratch. A lot of businesses have ISO9001 which is a quality management certification that demonstrates their commitment to consistently provide products and services that meet the needs of our clients. ISO27001 is an information security standard that demonstrates commitment to information security, both their own and that of clients.

The other accreditations come from manufacturers such as Cisco, Microsoft, Dell, Aruba, Cyberoam, VMWare and Veeam and demonstrate that the Bristol IT Company has the necessary skills to not only supply their equipment but to ensure that it is properly installed, configured and supported.

Why is this important
Let’s take a look at the security of your network – they have 2 vendors that are accredited with in this area, Cisco and Sophos. You can buy some Cisco & Sophos equipment on Amazon at competitive prices, have it delivered pretty much the next day and get it up and running very quickly. This might make you feel secure, after all Cisco are a market leader in networking and security – right?

Is this the right way to do things?
Probably not! Even assuming that you order the most appropriate device for your needs, installing equipment using the default settings could cause you a whole heap of pain.

Most hackers worth their salt know, and understand, these default settings making it really easy for them to penetrate your business’s network. It’s almost like advertising that you’ve installed the best locks in the world but have left a key under the doormat.

Not only that but the default settings are a one-size-fits-all option that are unlikely to be best suited to the way your business works and could actually slow your network, and internet connectivity, down if left untouched.

You could probably find hundreds of internet forums where people discuss the settings but which ones are the best for your particular needs? Which ones speed things up without compromising security and which ones increase security without compromising speed and which ones are actually posted by hackers looking to lure you into making your network even more insecure?

Accreditation
That’s where accreditation comes into play. By buying your equipment from an accredited supplier, Bristol IT Company will first of all advise you on the correct product that most closely matches your existing and future needs, possibly saving you money – certainly saving you pain.

They then ensure that your network is made as secure as possible by changing default settings to something much more secure and applying their training, experience and skill to ensure that your network is as secure as it can be by optimising the setup and performance of your kit.

Still think accreditation’s just an icon on a website? Well, give them a call on 01173 700 777 or email andy.poulton@bristolitcompany.com to find out that there’s much more to it than a pretty picture

How clean is your phone?

iPhone waiting for a "Siri" voice commandIt’s with us up to 24 hours a day but have you ever given any thought to mobile phone hygiene?

Just think about everything you touch during the course of an average day, keys, door handles, keyboards, pens, credit/debit cards, cash and so on. How many other people have touched those things? How hygienic are they?

Have you ever checked your phone in a bathroom or public toilet? Don’t worry, you’re not alone if you have, apparently most people have checked their phone in a bathroom which goes some way towards explaining why 1 in 6 phones have faecal matter on them.

Green Bacteria possibly from a dirty mobile phoneAccording to research, the average mobile phone has 18x more harmful bacteria than the handle on the door of a public toilet.

Se we go to the loo and then use our phone and pop it into our pocket or handbag, somewhere that’s nice and warm, in other words an ideal breeding ground for bacteria.

A little later, we take our phone out of it’s bacterial breeding ground and hold it to our face to use it. Some of the bacteria transfer to our hands, some to our face where it can cause acne, some of the bacteria is now on our hands so we can transfer it to others when we shake hands, touch money or other door handles

Because few of us bother to really clean our phones (wiping the screen doesn’t count) the germs keep building up and they include E-Coli (great for upset tums), influenza and MRSA (causes rashes and skin infections)

So, the next time you have a spot or rash on your face or go down with an upset tummy or the flu, don’t look at who you’ve been in contact recently, take a long hard look at your mobile phone

So, what should we do? Well, you can buy anti-bacterial wipes specifically designed for electronic devices, or you could use standard rubbing alcohol and a soft cloth or paper towel. Use cotton buds to get in to those nooks and crannies and, finally, don’t forget to take your cover off and clean that too.

Has Anti-Virus software reached its “Best Before” date?

CrowbarFor many years, the security mantra has been

  • Mac good, invulnerable to viruses and hacking.
  • Windows bad, very vulnerable to viruses and hacking

The reason was two-fold, whilst it’s true that the Apple operating system IS harder to infect with a virus, the main reason was popularity (or lack thereof). When 97% of the world was using Windows, why bother writing viruses and other malware for the extreme minority.

The traditional Windows solution was to install an anti-virus program from one of the many vendors and, for real belt-and- braces safety, protect your internet connection with a firewall. Hopefully all would be well and good, so long as you paid your annual anti-virus subscriptions and ensured that the virus definitions were regularly updated so your anti-virus program could identify the threats and keep you safe. (Free anti-virus programs for home users did a similar job, again provided they were kept up to date)

Significantly Increased Risk of Infection

However, the upsurge in Apple popularity over recent years means that Apple devices are also targets of the cyber-criminals. And it’s not just Apple computers and iDevices that are at risk, the virus writers are also targeting Android devices, Microsoft phones and tablets and devices running Linux devices.

Anti-Virus is dead!

Brian DyeLast year, Brian Dye, Senior Vice-President for Information Security at Symantec (the company behind Norton Anti-Virus solutions) said, in an interview with The Wall Street Journal, that “Anti-Virus is dead”. What he meant was that cyber criminals were now able to write malicious software faster than Norton could be updated.

Whilst Norton, and all the other anti-virus programs, are not yet ready for the scrapheap they only detect around 45% of all attacks. As well as that rather disturbing stat, research by FireEye (A cyber-security provider)  indicated that 82% of malware detected by their security solutions stays active for just one hour and 70% of threats surface just once before disappearing and being re-written to avoid detection by the AV companies.

So, what should you be doing?

Security-padlockWell, I’ve said it before, but it’s always worth reiterating, security starts with education. Then you add as many layers of additional protection as you feel necessary, depending on how you use your devices and the level risk you feel you are faced with.

  • Never open an attachment unless you are expecting one and you know, and trust, where it came from.
  • Keep your Anti-Virus software up to date and continue to renew your subscriptions, it may only block 45% but that’s nearly half of all threats stopped before they have a chance to install.
  • Install a security App on your phone and tablet
  • Explore the new offerings from the traditional anti-virus vendors that look to protect your web browsing and protect you against spam, phishing attacks and other cyber crime threats.
  • Be alert for anything that doesn’t feel “right” and if something looks too good to be true,  that offer of a full version of Microsoft Office on CD for £50.00 for example,  remember, it probably is!
  • Use a different, complex, password for each website that you have to log in to. An App such as LastPass will help you create passwords, securely store them and auto-complete the log-ins when you log in to those websites. (other password tools are available)
  • Ensure your Social Media accounts privacy settings are set to an appropriate level
  • Look at Bitdefender Safego,a free anti-scam service for Facebook and Twitter
  • Remain cautious when using any internet connected device