With many businesses’ increased reliance on their information systems and other IT, they need to do everything they can to keep those systems up and running and secure. This not only includes rolling out security systems that support that goal, it also demands they take the action necessary to keep these systems secure. Let’s look at four things you need to do to keep your business’ IT as secure as possible.
Promote Strong Password Practices
Many users are just not as savvy as most organizations need them to be about their passwords. In fact, many of the most popular passwords used today are still “password” and “123456”. Even if your people are more deliberate about their password practices, many of them choose passwords that could be easily guessed if someone had knowledge about that person’s personal life. This can be a major detriment to any organization’s attempts to keep their IT secure. Here are some tips that you can use to create strong and reliable passwords:
Longer passwords are harder to guess than shorter ones: every extra character multiplies the number of guesses an attacker has to make. Passwords of at least 12 characters hold up far better against offline cracking than the eight-character passwords many systems still accept. The drawback is that long random strings are easily forgotten, and forgotten passwords mean lockouts, help-desk tickets and downtime. A good compromise is a passphrase built from several unrelated words, such as “elephantredfootball”. Resist the temptation to “strengthen” it with look-alike substitutions like “3l3ph@ntr3df00tb@ll”: password-cracking tools apply exactly those substitution rules automatically, so the variant is barely harder to guess than the original while being much harder to type and remember. Adding one more random word to the phrase buys far more than swapping letters for symbols.
Lots of people use the same password for every account. This couldn’t be more dangerous. If one site you use is breached and your password is cracked or leaked, attackers will automatically try that same username and password against every other popular service (so-called credential stuffing), and every account where you reused it is now compromised.
Use Software Tools
There are plenty of tools designed to help people keep their accounts safe. Password managers are the practical way to use long, unique, randomly generated passwords: they keep credentials in an encrypted vault unlocked by one strong master password, fill them in for you, and cut down on the forgotten-password problems that cause downtime and unwanted IT support costs. Another tool that helps organizations keep their accounts secure is multi-factor authentication. Most platforms offer an additional layer of security in the form of a one-time code generated by an authenticator app, or sent by email or text message. Codes delivered by text or email are weaker than app-generated codes or hardware security keys, because they can be intercepted or phished along with the password, but any second factor is a large improvement over a password alone. Requiring that second factor does far more to ensure that the people who access your organization’s network-attached files and cloud services are actually authorized to do so.
Train Your Staff
One of the biggest issues for organizational IT security is threats coming in from outside your organization, and these typically arrive as phishing attacks. A phishing attack can come in on any platform, including phone, email, text message, or even social media. By common estimates more than three billion phishing emails are sent every day, and that doesn’t take into account the other channels. These messages are written to get an unwitting or distracted employee to engage with them, and once that happens, nothing good comes of it. Scammers use this social engineering technique to harvest credentials for protected accounts, deploy malware of all types, and disrupt an organization’s workflow. This is why it is imperative to train your staff on how to identify phishing attempts and what to do when they inevitably encounter one.
A phishing message will typically look like it comes from a person or organization with some semblance of authority. Scammers like to impersonate financial institutions, insurance companies, even executives and managers inside the company. Many will ask recipients to click on a hyperlink or open an attachment, and either action could be dire for an organization’s technology. Let’s look at some characteristics of phishing messages that every organization needs to train its employees to spot:
Demand Immediate Action
Most phishing attacks are structured to create fear and anxiety in the recipient, which gets people to make impulsive decisions. The best response is to stop and verify any unexpected or urgent request through a separate channel you already trust (a phone number you already have on file, or walking over to the colleague who supposedly sent it) before interacting with the message at all.
Include Unprofessional Spelling Errors and Grammatical Faux Pas
Many phishing messages are written by people whose first language isn’t the recipient’s, or are generated in bulk, and contain generic greetings (“Dear customer”), odd demands, spelling errors, and grammatical errors that no professional correspondence would include. Treat these as a warning sign, but not as an all-clear when they are absent: well-crafted, targeted phishing messages often read perfectly.
Come From Unrecognizable Accounts
Many phishing messages initially look legitimate if you only glance at the sender. The more legitimate a message seems, the more effective it is. Look past the display name to the actual email address or account it comes from, and check the domain for look-alikes (an extra word, a swapped letter, a different top-level domain). Hover over any link to see where it really points before clicking, and don’t download anything from a message you haven’t verified.
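The three warning signs above can also be checked mechanically before a message reaches an inbox. The following is an added example written for this page, not code from the original article or from any mail-security product. It parses a constructed sample email (all domain names in it are hypothetical), flags urgency wording and sloppy phrasing, compares the sender’s display name with the address actually used, and catches links whose visible text names one domain while the href points at another.

```python
"""Heuristic phishing triage for a raw e-mail message (added example).

Flags the three warning signs discussed in the text: urgency language,
sloppy/generic wording, and a sender or link that is not what it appears
to be. The message below is constructed for the demo; every domain in it
is hypothetical.
"""
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY = ("immediately", "within 24 hours", "account will be suspended",
           "urgent", "verify now", "final notice")
# Illustrative phrases common in bulk phishing kits.
SLOPPY = ("kindly revert", "recieve", "adress", "informations", "dear customer")

# Constructed sample: the display name claims "IT Helpdesk", the address does not,
# and the link text shows the real portal while the href goes elsewhere.
SAMPLE_EML = b"""From: "Acme IT Helpdesk" <helpdesk@acme-support-login.example>
To: employee@acme.example
Subject: Final notice: your password expires in 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear customer, your mailbox will be suspended. Kindly revert immediately.</p>
<p><a href="http://acme-login.evil.example/reset">https://portal.acme.example/reset</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); fine for the demo, not for production."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage(raw: bytes, trusted_domains: set[str]) -> list[str]:
    """Return a list of human-readable findings; empty means nothing suspicious."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    text = (msg["Subject"] or "") + " " + re.sub(r"<[^>]+>", " ", body)
    low = text.lower()
    if any(k in low for k in URGENCY):
        findings.append("urgency: message pressures the reader to act immediately")
    if any(k in low for k in SLOPPY):
        findings.append("sloppy: generic greeting or wording a real vendor would not use")
    # Sender: the display name claims an identity; the address domain is what counts.
    for addr in (msg["From"].addresses if msg["From"] else ()):
        if registered_domain(addr.domain) not in trusted_domains:
            findings.append(f"sender: '{addr.display_name}' actually writes from {addr.domain}")
    # Links: visible text that looks like a URL but resolves somewhere else.
    collector = _LinkCollector()
    collector.feed(body)
    for href, shown in collector.links:
        real_host = urlparse(href).hostname or ""
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname
        if shown_host and registered_domain(shown_host) != registered_domain(real_host):
            findings.append(f"link: text shows {shown_host} but goes to {real_host}")
        elif registered_domain(real_host) not in trusted_domains:
            findings.append(f"link: points to untrusted domain {real_host}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EML, {"acme.example"}):
        print("-", finding)
```

Run against the constructed sample with `acme.example` as the only trusted domain, the function reports all four problems (urgency, sloppy wording, a sender outside the trusted domain, and a link whose text and target disagree). The domain comparison is deliberately simple; a production filter would use a public-suffix list and reputation data.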
Keep Your Software Updated
Phishing may get most of the attention, but one of the most common ways attackers get into networks is through vulnerabilities in software that has not been updated. Vendors continuously release patches for security flaws found in their products, and attackers study those patches and the public advisories that accompany them. If an organization doesn’t have a patch management program that keeps applications, operating systems, and network devices current, an attacker can use any known, unpatched vulnerability to gain unauthorized access and wreak havoc on the network.
If your organization uses a lot of applications, keeping everything patched can seem like a full-time job. That’s why automating the deployment of new patches is important. You will also want to test patches before a broad rollout to ensure that your software still functions as designed, and to prioritize security fixes for systems exposed to the internet. This includes keeping antivirus tools, firewalls, and spam filters updated as well.
There are plenty of solutions and strategies that you can use to keep your business’ network and data secure. If you would like to have a conversation about cybersecurity and how to deploy some tools and strategies that can work to that end, give Point North Networks, Inc., a call today at 651-234-0895.
Two-factor authentication is commonplace in the office environment, but it’s not commonplace enough, if you ask us. Too many organizations pass on it, placing their security at risk for no good reason. While the methods might vary, the benefits of two-factor authentication are too good to ignore. We’ll walk you through how to set up two-factor authentication for three of the most common accounts in the business environment: Microsoft, Google, and Apple.
But first, let’s discuss what two-factor authentication is and why it’s so beneficial to utilize.
What is Two-Factor Authentication?
It used to be the case that users would only use passwords to secure their accounts. However, a password on its own is a single secret that can be guessed, phished, or leaked in a breach. Two-factor authentication requires at least two of the three kinds of factors below rather than the password alone, making it much more difficult for an attacker to access an account. Basically, unless two of the three are presented, the account is not accessible. Here they are:
- Something you know (a password)
- Something you have (a secondary device you own)
- Something you are (biometrics, facial recognition, fingerprinting, etc)
Why Is It Important?
Imagine that your online accounts are a house with two doors: one for the mudroom and one for the house proper. If both doors use the same key, a thief only needs to steal one key to gain access to both the mudroom and the house. Now imagine that the mudroom and the house have two different keys. That essentially doubles the effort needed to break into the home.
Simply put, in the same way as the above scenario, it’s much harder for a hacker to access an account that is protected by multiple measures. For example, even if a hacker has your password, if the account also requires a code from your smartphone or a biometric check, they still won’t get in. Unless the attacker goes through the trouble of stealing the secondary device or defeating the biometric sensor (remarkably difficult compared to phishing or guessing a password), the account remains secure. One caveat: a one-time code sent by text message can be phished just like a password, or intercepted if a criminal takes over your phone number, so where an account offers an authenticator app or a hardware security key, prefer it over SMS.
Setting Up Two-Factor Authentication
Right, let’s get to the bread and butter of this article: how to set up two-factor authentication for the big three accounts: Microsoft, Google, and Apple.
Microsoft recommends that you have a backup email address, a phone number, or the Microsoft Authenticator application installed on a mobile device before you get started with two-step verification for this account. To get started, sign in to your Microsoft account and open its security settings. Next, select More security options. Under the option for Two-step verification, select Set up two-step verification. After that, it’s just a matter of following the on-screen instructions.
The first step here is to sign in to your Google account. Next, in the navigation panel, select Security. Under Signing in to Google, select 2-Step Verification. Finally, click on Get started. You’ll see the directions for the next steps appear on the screen. You can set up your verification step in a variety of ways, including Google Prompts, security keys, Google Authenticator, verification codes via text or call, or backup codes. Security keys and the authenticator app are the strongest of these; codes sent by text can be phished or intercepted. You can also skip the second step on trusted devices, but that means anyone who gets hold of such a device gets in with the password alone, so use the option sparingly.
To set up two-factor authentication for your Apple ID, sign in to your Apple ID account page. Sign in, answer your security questions, then click Continue. If you see a prompt to upgrade your account security, tap Continue. Click on Upgrade Account Security. You can then add a phone number at which you will receive verification codes via text message or phone call. Click on Continue, enter the verification code, and turn on two-factor authentication.
Want to get started with two-factor authentication for your business? The three accounts outlined above are just the tip of the iceberg. Point North Networks, Inc., can help you implement a multi-factor authentication system that secures your data and network. To learn more, reach out to us at 651-234-0895.
Passwords are probably the most important part of keeping accounts secure. That’s why it is so important to follow industry best practices when creating them. Today, we’ll take a look at the standards outlined by the National Institute of Standards and Technology (NIST) in creating the best and most secure passwords.
What Is NIST?
For years, NIST has been the predominant organization in the establishment of password standards; its current guidance is found in Special Publication 800-63B, Digital Identity Guidelines. NIST revises its advised practices to match current cybersecurity realities. It recently updated its guidelines, so we thought we would go over the strategies it suggests to give you an idea of what makes a secure password.
Many corporations are currently using the NIST guidelines and all Federal agencies are expected to utilize them. Let’s go through their newest password guidelines step by step.
#1 – Longer Passwords are Better than More Complicated Ones
For years, it was preached that the more complicated the password, the more secure the account. Today’s guidelines refute that notion. NIST’s position is that length, not complexity, is what makes a password hard to guess or crack. What’s more, NIST advises against requiring new passwords to meet composition rules (mixtures of letters, symbols, and changes of case), because such rules tend to make passwords less secure in practice. In their place NIST recommends checking each new password against a blocklist of commonly used, expected, or compromised passwords and rejecting any match.
The reasoning behind this is two-fold. First, most users, in an attempt to satisfy complexity rules, will either make passwords so complicated that they forget them or take the cursory step of adding a 1 or an exclamation point to the end of a familiar word. Cracking tools try exactly those mutations, so the password is barely harder to guess. Secondly, the more hoops a user has to jump through to set a password, the more apt they are to reuse it across multiple accounts, which of course is not a great idea.
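What replaces complexity rules, then, is screening. The following is an added example written for this page, not code from the article or from NIST, that applies the NIST SP 800-63B checks to a candidate password: a minimum length, a comparison against a blocklist standing in for a breach corpus, rejection of context-specific words such as the username or service name, and rejection of repeated or sequential characters. It also undoes the common letter-for-symbol substitutions before the blocklist lookup, which is why the “3l3ph@ntr3df00tb@ll” trick from the password-practices section above adds so little: it normalizes straight back to the plain phrase. The blocklist is a tiny constructed stand-in; the username and service name are hypothetical.

```python
"""Screening a new password the way NIST SP 800-63B describes, instead of
enforcing composition rules.

Added example; this is not code from the page, from NIST, or from any vendor.
A candidate password is checked for minimum length, compared (raw and
de-leeted) against a blocklist standing in for a breach corpus, checked for
context-specific words such as the username or service name, and checked for
repeated or sequential characters. BLOCKLIST is a tiny constructed stand-in;
a real deployment uses a corpus of millions of entries.
"""
import re

# Constructed stand-in for a breached-password corpus.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou"}

# Undo the substitutions cracking rulesets apply automatically, so that
# "P@ssw0rd" is recognised as "password".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "0": "o",
                      "$": "s", "5": "s", "7": "t"})


def normalize(pw: str) -> str:
    """Lower-case, drop the trailing digits/punctuation people tack on, un-leet."""
    stripped = re.sub(r"[\W\d_]+$", "", pw.lower())
    return stripped.translate(LEET)


def is_sequential(s: str, run: int = 4) -> bool:
    """True if `run` consecutive characters step by exactly +1 or -1 (abcd, 4321)."""
    for i in range(len(s) - run + 1):
        diffs = {ord(s[j + 1]) - ord(s[j]) for j in range(i, i + run - 1)}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(pw: str, username: str = "", service: str = "",
                   min_len: int = 8) -> list[str]:
    """Return the reasons to reject `pw`; an empty list means it is acceptable.

    No composition rules are applied: length plus the blocklist does the work.
    """
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    norm = normalize(pw)
    if pw.lower() in BLOCKLIST or norm in BLOCKLIST:
        reasons.append("appears in the breached/common password list")
    for ctx in (username, service):
        if ctx and ctx.lower() in norm:
            reasons.append(f"contains context word '{ctx}'")
    if len(pw) > 1 and len(set(pw)) == 1:
        reasons.append("single repeated character")
    if is_sequential(pw.lower()) or is_sequential(norm):
        reasons.append("contains a sequential run")
    return reasons


if __name__ == "__main__":
    # Hypothetical username and service name for the context-word check.
    for candidate in ("P@ssw0rd1!", "123456", "jsmithACME2024",
                      "3l3ph@ntr3df00tb@ll", "elephantredfootball"):
        print(f"{candidate!r}: {check_password(candidate, 'jsmith', 'acme') or 'OK'}")
```

Note what the check does not do: it never demands an uppercase letter or a symbol. “P@ssw0rd1!” satisfies every classic complexity rule and is still rejected, while the plain 19-character passphrase passes. The leet-speak variant passes too, but only because the plain phrase is not in the blocklist; if it ever appeared in a breach, both would be caught together.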
#2 – Get Rid of the Resets
Many organizations like to have their staff reset their passwords every month or every few months. The thinking is that if a password were compromised, the forced replacement would lock the intruder out after a defined period of time. NIST’s guidance is that arbitrary periodic resets actually work against your authentication security. Passwords should be changed when there is evidence they have been compromised, not on a calendar.
The reason is that if people have to set a new password every few weeks or months, they take less time and care in choosing one that will keep unwanted people out of the business’s network. Moreover, when people do change their password, they typically keep a pattern to help them remember it (Spring2023! becomes Summer2023!). If a previous password has been compromised, there is a good chance the next one is similar, giving the attacker a solid chance of guessing it quickly.
#3 – Don’t Hurt Security by Eliminating Ease of Use
One fallacy many network administrators hold is that removing ease-of-use options, such as showing the password while the user types it or allowing paste into the password field, makes a compromise less likely. In fact, the opposite is true. Blocking paste defeats password managers and pushes users toward short, memorable, reused passwords; hiding the typed text causes typos, lockouts, and frustration. Giving people options that make it easier to authenticate correctly works to keep unauthorized users out of an account.
#4 – Stop Using Password Hints
One popular way systems were set up was to let users answer personal questions (mother’s maiden name, first pet, high school) to get into an account or reset a password, and to store a hint alongside the password. This very mechanism is a reason many organizations have been infiltrated. People share more today than ever before, and if all an attacker needs is a little personal information about a person, they can find it on social media or in public records, often for free. NIST’s guidance is that hints must not be accessible to someone who has not yet authenticated, and that such knowledge-based questions should not be used as an authentication factor.
#5 – Limit Password Attempts
Throttling or temporarily locking an account after a number of failed login attempts does you a service. Most of the time legitimate users remember their password, or have it stored in a password manager, so they are rarely affected. A short lockout, or delays that grow with each failure, is an effective deterrent against attackers who use automated tools to try thousands of guesses, or one common password against every account. NIST recommends capping consecutive failed attempts on an account (no more than 100) rather than locking it permanently, since a permanent lockout gives an attacker an easy way to lock legitimate users out on purpose.
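The throttling described above is simple to implement on the server side. The following is an added example written for this page, not code from the article or from NIST: a per-account counter that allows a few free attempts, then imposes an escalating temporary lockout, and refuses further attempts once the NIST cap of 100 consecutive failures is reached until the account is reset out of band. The credential store is a constructed stand-in (a real verifier stores salted hashes, never plaintext), and the clock is injectable so the lockout timing can be exercised without waiting.

```python
"""Throttling failed logins per account with escalating, temporary lockouts.

Added example, not from the page or from NIST. NIST SP 800-63B asks verifiers
to limit consecutive failed attempts on an account (no more than 100) and
suggests escalating delays rather than a permanent lockout, which an attacker
could otherwise abuse to lock legitimate users out. The clock is injectable
so the behaviour can be tested without real waiting.
"""
import hmac
import time
from dataclasses import dataclass, field
from typing import Callable

# Constructed credential store: username -> password. Demo only; a real
# verifier stores salted hashes and compares against those.
USERS = {"jsmith": "elephantredfootball"}


@dataclass
class AccountState:
    failures: int = 0           # consecutive failures since the last success
    locked_until: float = 0.0   # Unix time until which attempts are refused


@dataclass
class Throttle:
    free_attempts: int = 5      # failures allowed before any delay kicks in
    base_delay: float = 30.0    # first lockout length, in seconds
    max_delay: float = 3600.0   # cap on the escalating delay
    hard_cap: int = 100         # NIST: no more than 100 consecutive failures
    clock: Callable[[], float] = time.time
    state: dict = field(default_factory=dict)

    def _lock_for(self, failures: int) -> float:
        # After the free attempts: 30s, 60s, 120s, ... capped at max_delay.
        over = failures - self.free_attempts
        return min(self.base_delay * (2 ** (over - 1)), self.max_delay)

    def attempt(self, username: str, password: str) -> str:
        """Returns 'ok', 'bad_password', 'locked' or 'capped'."""
        st = self.state.setdefault(username, AccountState())
        now = self.clock()
        if st.failures >= self.hard_cap:
            return "capped"           # requires an out-of-band reset by support
        if now < st.locked_until:
            return "locked"           # do not even evaluate the password
        expected = USERS.get(username, "")
        # Constant-time compare; unknown users fall through to a failure too.
        if expected and hmac.compare_digest(expected.encode(), password.encode()):
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures > self.free_attempts:
            st.locked_until = now + self._lock_for(st.failures)
        return "bad_password"


if __name__ == "__main__":
    th = Throttle()
    for pw in ["wrong"] * 6 + ["elephantredfootball"]:
        print(th.attempt("jsmith", pw))   # sixth failure starts a 30-second lock
```

Throttling per account stops a brute-force run against one user; it does not stop password spraying, where an attacker tries one common password against every account while staying under each account’s limit. That is what the blocklist screening in #1 is for, and why both belong together.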
#6 – Use Multi-factor Authentication
At Point North Networks, Inc., we urge our clients to use multi-factor or two-factor authentication on every account that allows it. NIST’s guidance is that users should demonstrate at least two of three kinds of authentication factors before a successful login. They are:
- “Something you know” (like a password)
- “Something you have” (like a mobile device)
- “Something you are” (like a face or a fingerprint)
It stands to reason that if you can provide two of those three, you very likely belong in the system or data that is being protected.
Security has to be a priority for your business, and password creation has to be right up there with the skills everyone should have. If you would like to talk to one of our IT experts about password management and how we can help your business improve its authentication security, give us a call today at 651-234-0895.