How can social media use potentially compromise your business?

Uneven data policies and defenses

One concern comes from the data policies followed by social media companies, and the cyber defenses they’ve adopted to safeguard your information. To what extent can they guarantee privacy or confidentiality? How can they legally use your data, and how susceptible are they to a data breach? Furthermore, as discussed in a recent article from CIO Dive, companies can change their data policies or rules under a variety of circumstances, including mergers. Protections around your information might weaken.

Employee oversharing

Employees may carelessly share sensitive data on social media accounts, including Facebook, Twitter, and LinkedIn. The information they publicize may include details about ideas still under development and ongoing deals that haven’t yet been made public. Your employees may also overestimate how much privacy they enjoy on social media accounts. They may wind up sharing various confidential details through what they assume are private messaging systems on these sites.

Research material for cyber criminals

Cyber criminals frequently rely on phishing and other types of impersonation to trick employees into disclosing sensitive data, ranging from Social Security numbers to salary information to customers’ addresses or emails.

Impersonation can get carried out with a sophisticated and targeted approach. Instead of a relatively generic phishing email that can be deployed against numerous organizations, cyber criminals may focus on tricking you or some of your employees in particular. For example, they may send an email that sounds as if it’s coming from a colleague. This email may request certain sensitive documents, or it may contain a corrupted file attachment or link that infects your system with malware.

To make the email sound more authentic, cyber criminals can use public sources, including social media, to research the individual they’re impersonating.
They can find out all kinds of details about your business in general and about particular employees’ preferences, traits, habits, writing styles, and schedule.

A similar kind of impersonation can occur over the phone. For example, if you report on social media that your company’s network is experiencing some downtime, perhaps you’ll receive a phone call from someone who claims to be a computer specialist.

Addressing the dangers of impersonation and social media use

Your business’s IT Policies should include rules and guidelines about social media use, including the following:

- The kinds of information employees are forbidden to share about your business on social media platforms, even in what they consider ‘private messages’ on their accounts.
- Stronger password habits (e.g. not using the same password for multiple accounts) and user authentication (e.g. the use of two-factor authentication).
- Mindfulness about the kind of information you and your employees disclose and the risks involved, both to themselves and to your business.

Furthermore, your policies should spell out and enforce the use of stronger verification practices to lower the chances of a successful phishing attack or other impersonations. For example, if an employee receives an email requesting a sensitive financial document, maybe they’ll be required to first run the request by two additional employees before transmitting the information. Similarly, instead of providing details over the phone to someone who sounds like a computer support specialist, they’ll need to obtain additional verification. Certain kinds of information, like passwords, shouldn’t get sent via email or shared by phone […]
Encryption has become a very important part of maintaining an acceptable standard of security while browsing the web and storing data. Large enterprises and organizations have been using encryption for a long time, and even the average consumer uses encryption each and every time an online purchase is made. Did you know that the protection afforded users by encryption is made possible thanks to security certificates?

Websites that have security certificates take advantage of HTTPS, which stands for Hypertext Transfer Protocol with an S at the end for security. These certificates are used to provide security for a website’s visitor. Ordinarily, when a user plugs data into a form, like an email address or Social Security number, this data wouldn’t be protected while in transit. However, thanks to most organizations that collect this type of data now having security certificates on their websites, your data is safe. For examples of how HTTPS is used, look no further than banking websites or just about any online retailer like Amazon or eBay.

A great way to describe online encryption is by comparing it to a pipe. With a normal HTTP connection, your data is traveling through a transparent pipe. Anyone looking at it from the outside can see that which flows through it. Hackers can spy on it and steal data while it’s moving from one location to the next. If you’re using an HTTPS connection, however, the pipe has more of an opaque tint to it. While you can still see the insides, it’s unclear what is traveling through it and very difficult to get a clear glimpse of it. This is why it’s so difficult for hackers to take advantage of encrypted data. They might have the data, but it’s often so jumbled and difficult to piece together that it’s not worth the effort, or impossible, to decipher it.
While you can’t expect your employees to understand the finer details of how HTTPS works, you can expect them to understand online security best practices, especially those which pertain to keeping credentials like passwords and usernames secure. Make sure that your employees know not to input sensitive data into websites without first checking for these security identifiers.

Make Sure It Has a Security Certificate

Before plugging in a password or sensitive credential to a website, make sure that it’s protected by a security certificate. To find out if it’s equipped with one, look for a green padlock icon that appears next to the URL’s name in the address bar. Granted, even if it has a security certificate, you want to check which type of encryption it’s using, as there is a significant difference between SSL and TLS. For example, SSL is vulnerable to threats like POODLE (a man-in-the-middle exploit), making TLS a more desirable protection.

Be Wary of Suspicious URLs and Domains

Hackers will often create fake sites that are designed to mimic a reputable organization’s own website, only it will be designed to harvest credentials. These sites might have misspellings in the domain name, or numbers in the place of letters to make it look as legitimate as possible. Before plugging in your credentials, make sure that you’re actually looking at the organization’s website. Be sure to check the domain and cross-reference it with the information that you have on file. For more […]
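The cross-reference described above can be automated. The following is an added example, not code from the original article: it compares a URL's domain with a list of domains on file and flags digit-for-letter swaps and near-misspellings. The domain list, the function names and the two-typo threshold are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample of domains "on file"; replace with your organization's list.
KNOWN_DOMAINS = ("examplebank.com", "example-payroll.com")

# Digits commonly substituted for letters in lookalike domains.
DIGIT_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def registered_domain(url):
    """Return the last two labels of the URL's host, lower-cased.

    Simplification: suffixes such as co.uk need the Public Suffix List.
    """
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url, max_typos=2):
    """Compare a URL's domain with the on-file list; return (verdict, match)."""
    domain = registered_domain(url)
    if domain in KNOWN_DOMAINS:
        return ("on-file", domain)
    folded = domain.translate(DIGIT_SWAPS)
    for known in KNOWN_DOMAINS:  # numbers in the place of letters
        if folded == known.translate(DIGIT_SWAPS):
            return ("lookalike-swap", known)
    for known in KNOWN_DOMAINS:  # misspellings
        if edit_distance(folded, known.translate(DIGIT_SWAPS)) <= max_typos:
            return ("lookalike-typo", known)
    return ("unknown", None)


if __name__ == "__main__":
    for sample in ("https://login.examplebank.com/", "https://examp1ebank.com/login",
                   "exampelbank.com", "https://weather.example.org/"):
        print(sample, "->", classify(sample))
```

A verdict of "unknown" only means the domain is neither on file nor close to an entry; short domains can fall within two edits of each other by coincidence, so treat a lookalike verdict as a prompt for manual review.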
Vizio (which was acquired last year by LeEco) was fined by the Federal Trade Commission for collecting data on its users about what their televisions were displaying, down to the second!

To make matters worse, this monitoring extended beyond the built-in smart TV apps. Literally, whatever the TV displayed, Vizio knows. We’re talking over-the-air broadcasts, cable set-top boxes, the TV’s IP addresses, even DVD players.

The fine levied against Vizio by the FTC totaled $2.2 million. Plus, a federal court ordered Vizio to delete any data it collected before March of 2016. Prior to this date, Vizio TV owners were uninformed by the company of the data collection practice. Now, however, Vizio’s customers can find information on the company’s data sharing practices in the automated content recognition section of their TV’s settings menu. To help make amends, Vizio began sending users on-screen notifications on viewing data collection practices, a feature they initiated before the settlement was announced.

Vizio General Counsel Jerry Huang said in a statement, “Instead, as the complaint notes, the practices challenged by the government related only to the use of viewing data in the ‘aggregate’ to create summary reports measuring viewing audiences or behaviors. Today, the FTC has made clear that all smart TV makers should get people’s consent before collecting and sharing television viewing information and Vizio now is leading the way.”

What was Vizio doing with all of this detailed data? In a best-case scenario, the company would use data on the product’s usage to better understand the resilience of its hardware (like how often the TV is turned on and off) so they can make improvements on future models. However, it’s more likely that such detailed data was collected to be sold to partners for marketing purposes. Data collection practices like these make for a very lucrative industry, so it’s no stretch of the imagination to see how Vizio would want a piece of this pie.
While the ethics of data collection can be debated, it’s clear that, in retrospect, Vizio would have been better off giving customers the option to opt in or opt out of its data collection practices.

Does the revelation of Vizio’s actions make you think twice about how you use your own Internet-connected devices? Or have you let go of any semblance of privacy long before the FTC handed down this ruling? Share your thoughts with us in the comments below.
Staying on top of updates must happen routinely

This is one of the major shortcomings of break-fix IT companies. If the only time they come and work on your IT equipment is for a repair visit, it’s unlikely that they will make a special trip to your office to install needed software updates as soon as they’re released. And why would they, when their entire business model revolves around your equipment breaking down? Instead, you need someone assigned to the task of staying on top of the latest software updates, which includes both knowing when the updates and patches are scheduled to be released, as well as applying them in a timely manner that won’t disrupt office productivity (applying updates after-hours is preferable).

Does your IT staff even have time for routine maintenance?

For many organizations, keeping software up-to-date is the job of the in-house IT staff, and given the negative ramifications of mishandling these updates, it’s not a task to give to an employee lacking technical training. Alternatively, if it’s not in your budget to onboard new IT staff, then you can outsource this responsibility to a managed IT service provider. The managed service advantage is that you’re getting trained technicians to remotely apply your network’s needed updates, and at an ideal time that fits your company’s schedule.

As a bonus, for businesses that do have an IT department (but find their IT staff is overstretched from having to do routine tasks like applying updates), White Mountain IT Services offers a co-managed IT service where our techs work with your techs to take care of the small stuff, so your team can be freed up to work on important IT initiatives.

Thinking beyond updating your security patches, you need to stay on top of all available updates for your company’s technology. Here are just a few technologies that technicians look at when determining what needs to be upgraded.
Operating systems: We all have our favorite operating systems, but clinging to an OS after the manufacturer stops supporting it (simply because it’s preferred) is a dangerous move that opens up your network to all kinds of trouble. In order to have your OS offer adequate protection for your business, it must be supported with patches and security updates.

Legacy applications: Upgrading software can be tricky because an update that’s untested has the potential to clash with a legacy application and cause some serious downtime. For example, you shouldn’t overlook how application upgrades running locally on PC hardware can also influence whether or not end-user hardware requires an upgrade. Therefore, be sure to look into the upgrade requirements (such as processing power, memory, graphics, etc.) before clicking the install button. This is one reason why many businesses prefer hosting their legacy applications in the cloud: to protect workflows from the unintended consequences of a bad upgrade.

Hardware quality: Computer hardware requires some update love too. Eventually, computers break down. By not staying on top of your hardware, you’re opening yourself up to faulty equipment hindering productivity, or even dreaded downtime. If you’re currently facing a need to upgrade your hardware, then now is a great time to consider making the move to the cloud. By hosting your applications in the cloud, you’re able to access the data you need with inexpensive hardware like thin […]
Most businesses will collect data from both clients and employees for various purposes. For example, your human resources department will collect Social Security numbers, dates of birth, and perhaps even routing numbers for your employees’ direct deposit. Since you’re collecting all this data, you become a very lucrative target for hackers. On the other hand, if you collect payment details for your clients, those are also at risk, and any employees handling this information will be responsible for protecting it. Therefore, you need to implement policies that are designed to protect your business’s data, and reinforce them with established best practices. We’ll break down some of the basic ways that your business can make data security a top priority.

Consider a Paperless Policy

If there’s one thing that an identity thief loves to take advantage of, it’s a paper trail. Consider this: how often have you received something in the mail like a bank statement that you’ve simply thrown out? These documents could then be found later on by someone sifting through the trash. The same can be said for sensitive documents that are left out in the open in the office. Another thing to note is that physical documents don’t have access logs that can tell you if they’ve been examined by unapproved users, making digital storage arguably a better option for managing risk.

Never Leave Workstations Unattended

There is a lot that can go wrong when you don’t protect your organization’s workstations with passwords. While the threat of a coworker attempting a harmless prank by messing with your settings isn’t necessarily malicious, there is always the chance that someone will gain access to sensitive data that they’re not supposed to see. This risk can include non-employees that find their way into your office.

Equip Your Business with Enterprise-Level Security Solutions

While you can enforce all the best practices that you want, do you know how to handle a data breach?
One of the most important parts of protecting your sensitive data is to implement security solutions like firewalls and antivirus to keep threats out of your network. You can implement a Unified Threat Management (UTM) solution, which includes enterprise-level firewall, antivirus, spam-blocking, and content-filtering solutions to maximize your resistance to data breaches.

Train Your Employees on What to Look For

Ever since email became a thing, there have been scammers out there who want to take advantage of unaware employees and regular PC users. While the best spam blocking solution available will help to ensure most spam doesn’t make it to your inbox, the messages that do could be targeted spear phishing attempts designed to trick your users. To protect against these, train your employees to identify them. For example, is the message unsolicited? Does it ask for sensitive information? Does it come from an email address that you have on file? Cross-checking these details is an important practice that your business can’t afford to overlook.

Are you ready to take the next steps toward protecting your business’s identity? To learn more about our proactive security services, reach out to White Mountain IT Services at (603) 889-0800.