Password security is important but not everyone has good password habits. In a global survey, 75% of employees admitted to reusing passwords across their personal and work accounts. This is problematic and can put organizations at risk. One of the ways people solve this problem is by using password managers. But are password managers safe?
What is a Password Manager?
Password managers are programs that store and manage your passwords across all your accounts. Password managers store your passwords in an encrypted database that can only be accessed through a master password.
What are the benefits?
Convenience: Password managers make accessing your accounts easier because you only need to remember the master password. This eliminates the headache of having to remember several different passwords for each of your accounts.
Secure passwords: Password managers can generate random, unique passwords for each of your accounts, removing the effort needed to come up with a different password each time. This is done through encryption algorithms that use a combination of symbols, numbers and upper and lowercase letters. As a result, your passwords are harder to guess, which makes them more secure.
Easy to use: Password managers can lead to a seamless user experience. Some managers can autofill your credentials, meaning they can recognize the URL of a website and enter the corresponding credentials automatically. This can help prevent you from entering your credentials into a fake website.
What Are the Risks?
They’re targets: Although password manager databases are encrypted, they are still vulnerable. Due to the important information they house, they are prime targets for hackers. Password manager Blur recently disclosed a breach that exposed information of 2.4 million users, including their encrypted Blur passwords.
Putting your eggs in one basket: When you use a password manager, you are relying on one program to house access to all your accounts. This means that if your password manager gets hacked, all your passwords are exposed. Similarly, forgetting your master password means losing access to all your passwords.
Autofill: Most password managers use autofill to make it easier for users to log in. The downside of autofill is that it remains a big security risk. Research has found that saved information can be accessed through invisible login forms that trick your browser into filling in your personal information.
Do I Need a Password Manager?
Overall, password managers are considered to be more secure than storing your passwords in a computer file or writing them down. Unlike browser-based password storage, password managers are encrypted, making it harder for outside parties to view your credentials. If you decide to use a password manager, you need to make sure you understand the pros and the cons.
Make sure you do your research when deciding on using a password manager. Some highly recommended password managers are KeePass, 1Password, and Dashlane.
When it comes to security, you should not just be relying on a password manager to keep your accounts safe. It’s still important to use multi-factor authentication and a blend of threat defence techniques (such as email and firewall security solutions) to protect against malware.
2018 was a big year in security. New privacy laws were implemented (GDPR in Europe and PIPEDA in Canada) and 2018 had the second greatest number of reported data breaches in a year since 2005. Some of the major data breaches that happened this year include those that affected airline Cathay Pacific, Marriott hotels and Facebook.
With 2019 coming up, many organizations will be looking to see how they can take their security to the next level. To help your organization get cyber ready for the new year, here are 7 security resolutions for 2019.
7 Security New Year’s Resolutions
1. Manage local admin passwords: Local administrative accounts are privileged accounts that allow access across your network. These accounts often have easy-to-guess, default passwords that are the same across all the machines in your network. This means that if a hacker is able to get hold of your local admin account, they can move freely across your network. In order to protect yourself, you need to either disable these accounts or make each local admin password unique. If you haven’t already done this, now’s a good time to start.
2. Adjust your social media privacy settings: Social media has become an integral tool for businesses to market themselves and reach out to their customers. However, social media can also create significant security risks. It’s important for businesses to adjust the security settings on their social media accounts. Limit access to your accounts and disable automatic location tracking. You should be in control of your social media accounts, not the other way around.
3. Secure remote devices: Working remotely helps business productivity but it is also a security risk. Research has found that a third of cyber attacks are a result of insecure remote working. Businesses need to ensure that employees are taking the proper precautions when they are working remotely. All remote devices should include endpoint security with anti-virus and firewalls. The new year might be a good time to re-evaluate your BYOD and remote working policies.
4. Implement a Zero Trust security model: “Never trust; always verify” is the motto of a Zero Trust model. This means that nothing in your network (including users, devices, servers, etc.) should be trusted until you can verify its identity. Implementing Zero Trust requires a shift in how your organization thinks about security. Start by assessing your devices and data and adjust your security controls appropriately.
5. Limit privileged access: According to Forrester, 80% of security breaches involve privileged credentials. Limiting your local admin privileges is important, and one way to do this is to use least privilege access. Least privilege is the practice of restricting access rights for users and accounts. Make sure that you are limiting access to only those who need it.
6. Use a comprehensive prevention system: Hackers will be looking for any weak spots to exploit. It’s important to be one step ahead by protecting every layer of your organization. This includes using advanced security technology, like a SIEM system, to monitor your environment for threats.
7. Boost your security culture: 95% of organizations say their current cybersecurity environments are far from the ones that they would like to have. The new year is often a time for fresh starts, so why not improve your cybersecurity culture? Start the new year by educating your employees with cyber awareness training or with a cybersecurity assessment from our Consult IT team. It’s never too late to start protecting your organization.
According to a new report, nearly one in four employees are unaware of common cyber threats like ransomware and phishing. This is alarming, as these types of cyber threats affect businesses of all sizes every day.
Take the recent BEC scam that hit American non-profit Save the Children as an example. A hacker managed to compromise an employee account and use it to send fake invoices that scammed the charity of almost $1 million.
Stories like this highlight the importance of cyber awareness training. If employees are not equipped with the knowledge to operate safely online, how can your business stay protected? Technology alone cannot prevent your employees from falling for social engineering tactics. Your employees need to fill the security gaps within your organization and act as a human firewall.
Avoid These 5 Security Awareness Mistakes
Cyber awareness training is important for your organization and can help protect you in the long run. But if training is not implemented properly, your organization won’t see any change. When considering cyber awareness training, consider the following pitfalls.
1. Training is only a one-time event: So, you’ve already implemented cybersecurity awareness training. But just because you did it once doesn’t mean that you automatically have cyber aware staff. Employees can forget what they’ve learned, or new threats can emerge that they have not yet been told about. You should consider training your employees at least once every quarter. It’s important to keep the information fresh in their minds so that they can apply it to their everyday work.
2. Failing to include security training during onboarding: Onboarding a new employee often focuses on acquainting your new hire with their role and with the company. While all of this is important, so is educating them about security. Include a review of your company’s security and BYOD policy when you train your new employees. This will show new hires that security is important to your organization and get them to think mindfully about security from the start.
3. Training doesn’t align with your objectives/goals: It’s hard to encourage your employees to get behind awareness training if there is no clear objective. Think about why you are implementing this training. What are the weak points within your organization? How will training address these issues for your employees? Security awareness training should complement your IT/security goals. Be upfront with your employees about the training and explain what you expect from them.
4. Employees are not tested: You can’t measure the impact of your training if you are not testing your employees. You should test your employees before and after training to see if there are any improvements. The objective of training your employees is to change their behaviour towards security and your tests should reflect that. Having your employees apply what they’ve learned by using a phishing test will give you a better idea of their improvement than simply testing their knowledge.
5. Failing to remind employees of their learning: Security awareness should be a continuous learning process. This change cannot happen overnight. In order for your employees to retain what they’ve learned, they need to be refreshed with the content. Send out weekly newsletters on the latest threats to keep your employees informed of the threat landscape. Remind them of your security policies and best practices.
At Jolera, we offer a comprehensive cyber awareness training course for employees. We cover a wide variety of topics related to the threat landscape and provide posters and a training portal for your organization to access. Contact us today to learn more about Secure IT – Training.
This holiday season, many Canadians will be traveling to spend time with their families or to escape the cold weather. While many will be taking some time to wind down for the holidays, hackers will not. Those traveling with corporate devices need to be wary of potential cyber attacks that could put data at risk. The holidays can be hectic, and it can be easy to forget about security. Dealing with a cyber attack is not ideal but encountering one in another country or while you should be relaxing can be frustrating. Here are 5 things you should be aware of before you leave.
5 Ways to Protect Your Data While Traveling This Holiday Season
1. Charge with your own cables: You’re out enjoying your vacation when you realize that your phone battery is low. Ahead you see a public charging station. Should you use it? Maybe not. While plugging in your USB cable to a wall outlet is safe, using a cable that doesn’t belong to you can be dangerous. Hackers can rig the cables in a charging station to spy on your device while it’s connected to the charging station. If you need to use a public charging station, turn off your phone or simply do not use your phone while it’s connected. The best way to always be safe is to use your own cables and bring a battery pack with you.
2. Avoid ATMs: If you’re strapped for cash and thinking of using an ATM, be wary of credit card skimming. Credit card skimming is when hackers use small devices to steal credit card information or clone cards. These devices can be hard to spot, and hackers can install these skimmers very quickly. In fact, most ATMs can be hacked in under 20 minutes. Inspect ATMs before you use them. If you see loose parts or if one part of the ATM looks suspicious, don’t use it. If you need an ATM, consider using one located inside a building as opposed to one out in public.
3. Be wary of your surroundings: It’s easy to be distracted while you’re in the midst of a crowded airport or train station but this is when hackers will target you. Shoulder surfing is when people try to obtain sensitive information by looking over a person’s shoulder. This can be an effective way for bad actors to get access to your information especially when you’re in a crowd. To prevent shoulder surfing, avoid opening your personal accounts in public. Find a spot near a wall or use a screen filter to block prying eyes.
4. Recognize vishing attacks: Vishing is a form of social engineering that takes place over the phone. Hackers will call potential victims and try to convince them to give up personal and financial details. They often disguise their voice and phone numbers to hide their identity. With many people gearing up to go abroad, be aware of vishing scams posing as airlines or giving away vacation deals. Do not share your financial information over the phone unless you are speaking to a legitimate authority.
5. Turn off your network connections: Disable the automatic connection of your devices to public WiFi networks and turn off your Bluetooth. Public WiFi networks are insecure and those around popular tourist spots are more likely to be targeted by hackers. Hackers can also access your information through your Bluetooth connection. Be wary of using public WiFi to do online transactions or logging into personal accounts. Make sure your devices are protected with Next Generation Firewalls or a VPN. Try to use wired headphones instead of Bluetooth ones, and avoid turning your Bluetooth on in large crowds.
As shoppers scramble to get their last-minute gifts and make donations online, hackers will be ramping up to use the holiday season to their advantage. Online shopping fraud is expected to reach 14% this holiday season, which means consumers can expect to be targeted with fake websites out to steal their information. However, not many people are concerned about cybersecurity, with 31% admitting to clicking on suspicious links in emails to get a good deal. It’s easy to get wrapped up in this busy season, but everyone must navigate their e-commerce spending safely in order to protect themselves from hackers.
How am I at Risk?
An influx of people looking for good deals can be easily fooled by phishing emails sent by hackers. Additionally, fake targeted ads could pop up on your browser displaying what seems to be a really good deal. When you click on the ad, it could lead you to a fake website or send malware to your computer.
With people in the giving mood this season, hackers will be looking to solicit fake donations. Back in the summer, the Harry and Jeanette Weinberg Foundation was the victim of a phishing scheme. Hackers posed as the charity and sent emails asking people to help support a medical treatment for a young boy. Be aware of people setting up fake charities or posing as legitimate ones. Do your research to make sure that the charity you want to support is registered. If you receive a suspicious looking email from a charity you often support, contact them directly to verify if it’s real.
Users can often mistype website URLs when they are in a rush to purchase gifts. Misspelling a website doesn’t seem like a big deal but it can lead users to a malicious website. Hackers will often use misspelled domain names to fool people into thinking they are shopping on the correct page. These websites will often look exactly like the retailer web page hackers are trying to imitate. Unsuspecting users who think they are using a legitimate website can end up revealing personal information to hackers.
Mobile app stores are full of millions of apps but not all are legitimate. Last year, Google took down 700,000 apps that violated their policy and continues to remove malicious apps today.
Repackaged apps look identical to the official ones – they have the same interface, icons and labels. However, these apps contain malicious code that could be stealing personal information. Since they look and act the same as legitimate apps, it can be hard to realize they’re fake. Several popular retailers, such as Starbucks and Nordstrom, have been victims of repackaged apps in the past.
How to Protect Yourself
Pay Attention to URLs: The URL of a website is an important indicator of whether or not a website is fake. Simply looking at what the web page looks like, or checking for the green padlock next to the URL, is not good enough. The content of a fake website will often look legitimate because hackers can convincingly imitate a website’s layout, images and font. As for the green padlock, research shows that almost of all fraudulent pages have a padlock too. The padlock only indicates a website is encrypted, not that a website is authentic.
Look at the App Developers: When considering which apps to download, take a look at the developer of the app instead of reading reviews and ratings. Ratings and reviews can often be faked, or mean that many other people also fell victim to downloading a malicious app. Retailers or their parent companies will often be listed as the developer for their own apps.
Use a Secure Network: Using public WiFi to shop is not safe because the networks are not secure. Furthermore, hackers will often create fake hotspots to lure unsuspecting users and spy on their data. If you are shopping online, use a network that is secured with a password or other technologies like next generation firewalls. If you are in a public area, use your data to make your online purchases instead of the public WiFi offered by malls or coffee shops.
Monitor your statements: If you think you used a malicious website by accident, monitor your credit card statements for any unauthorized transactions. Report any suspicious activity to your credit reporting company and if necessary, ask for a security freeze or fraud alert on your credit report. Your credit card provider will usually alert you if they detect suspicious transactions but it’s better to consistently monitor your accounts for your own safety.
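The misspelled-domain trick described under "How am I at Risk?" and the "Pay Attention to URLs" advice above can be turned into a concrete check. This is an added example, not the page's or Jolera's code: it classifies a URL against a constructed allowlist of domains the user actually shops with, flags near-misses and brand names buried in someone else's domain, and deliberately ignores whether the page uses https, because the padlock only proves encryption. The allowlist, sample URLs and the two-label domain rule are assumptions for the demo.

```python
"""Lookalike-domain check for shopping URLs.  Added illustration, not the
page's own code.  KNOWN_DOMAINS and all sample URLs are constructed."""
from urllib.parse import urlsplit

# Constructed allowlist: the retailers and charities this user actually uses.
KNOWN_DOMAINS = {"retailer.example", "charity.example", "bigstore.example"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host.  Simplification (assumption): production
    code should consult the Public Suffix List so 'shop.co.uk' is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str, known: frozenset = frozenset(KNOWN_DOMAINS),
                 max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a URL.

    'lookalike' means the registrable domain is within max_distance edits of
    a known one (a misspelling such as retai1er.example), or a known brand name
    appears inside a label of some other registrable domain (such as
    retailer.example.evil.test).  The scheme is ignored on purpose: an https
    padlock only proves encryption, not that the site is the real retailer.
    """
    parts = urlsplit(url if "//" in url else "//" + url)
    host = (parts.hostname or "").lower()
    if not host:
        return "unknown"
    domain = registrable_domain(host)
    if domain in known:
        return "trusted"
    labels = host.split(".")
    for good in known:
        if 0 < levenshtein(domain, good) <= max_distance:
            return "lookalike"
        brand = good.split(".")[0]
        if any(brand in label for label in labels):
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for sample in ("https://www.retailer.example/checkout",
                   "https://retai1er.example/login",
                   "https://retailer.example.evil.test/",
                   "https://unrelated.test/"):
        print(f"{sample:45} -> {classify_url(sample)}")
```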
Keeping data safe is critical for businesses but organizations are struggling, with 83% saying they need improvements in data security. Data security can be an overwhelming task; there’s a lot companies need to think about such as compliance requirements, data breaches, access management, etc. Although it may seem difficult, there are many ways organizations can be cyber smart about securing their data. Here are 4 tips your organization can use to start securing your data.
How You Can Protect Your Data
1. Use multi-factor authentication (MFA): Having a strong password is essential but it’s not enough. Many people either reuse passwords or use simple ones that are easy to guess. This leads to a variety of password attacks that can give hackers access to your accounts. One way to combat this is to use multi-factor authentication. MFA typically involves an additional code sent to your mobile that a user enters in addition to their password. Other types of MFA include using hardware or mobile tokens. The point of this additional step is to verify your identity. That way, even if a hacker has your password, they would not be able to enter your account without the additional authentication code.
2. Back up and encrypt your data: Losing your data to threats like ransomware, natural disasters or accidental deletion can cause a wide variety of problems (e.g. downtime, compliance reporting, loss of customer satisfaction/trust, etc.) for your company. This is why it’s important to back up your data, whether you use a hybrid or cloud solution. Backing up your data regularly will help you restore access in the event of a problem. Additionally, encrypting your data will make your data harder to access in case it gets into the wrong hands. You should encrypt data while in transit when backing up and at rest where it’s stored. We offer cloud and hybrid backups that use military-grade 256-bit AES encryption with our Store IT platform.
3. Protect your Network: Securing your network is important because if people can access it, they can get into your files. To strengthen your network, you should consider using the following: a firewall, anti-virus and WiFi protection. Firewalls act as a filter between your organization and the internet, which can prevent corporate data from leaving the network and block certain websites. Antivirus scans your network for malicious threats, which can help detect viruses before they spread. Lastly, using secure WiFi access points will help prevent hackers from hacking your routers and getting into your network. Our Secure IT platform has a variety of security products that will protect your network, including the installation of next generation firewalls and access points.
4. Develop a culture of cybersecurity awareness: Organizations cannot rely on technology alone to protect their data. They need to have a culture of cybersecurity embedded into the fabric of their organization. This can be done through official policies and cyber awareness training. Enforcing a security policy, such as requiring password changes every 90 days, keeps security at the forefront. Additionally, educating your employees will give them knowledge of the threat landscape and help them avoid potential cyber threats like phishing and social engineering. Use our Secure IT – Training course to start educating your employees today.