While there is a lot of fear surrounding cybersecurity, you don’t need to panic. There are measures you can put in place to better protect your business.

One of our best recommendations is to make data backups a component of your cybersecurity plan. Companies that don’t regularly back up valuable data leave themselves vulnerable to evolving cyber threats.

 Data loss can occur due to multiple reasons that range from hard drive failures and ransomware attacks to natural disasters and human error. Whatever the reason may be, data backup can provide the relief you need by helping restore data on your devices should an incident occur.

When you decide to embark on your data backup journey to protect your organization and create business continuity, there are several myths you’ll come across. Here are four of the most common data backup myths:

Backup Myths Debunked

Myth #1: Data Backup Is Too Expensive

Data loss can have a cascading effect, resulting in downtime, productivity loss, revenue disruptions, regulatory fines and reputational damage. The total cost of these setbacks is typically higher than the cost of a backup solution.

Myth #2: Having One Copy of Your Data Backed Up Is All You Need

The 3-2-1 strategy is a data backup best practice that involves having at least three copies of your data, two on-site but on different mediums/devices, and one off-site.

• Three copies of data: Having at least two additional copies of your data, in addition to your original data, is ideal.
• Two different mediums: Keep two copies of your data on different types of storage medium such as internal hard drives and removable storage like an external hard drive or a USB drive.
• One off-site copy: Keep one copy of your data off-site. This helps safeguard against worst-case scenarios.

Myth #3: Multiple Copies Guarantee Successful Backups

Having additional copies of your data by following the 3-2-1 strategy is a smart practice, but this doesn’t guarantee backups will operate as expected.

Organizations following the 3-2-1 strategy generally keep the original data and one of its copies on-site while another copy is transmitted to a safe, off-site destination, typically the cloud.

Beyond creating additional backup copies, regularly check to verify whether your backups are working properly since they may still be vulnerable to user error or data corruption. Routinely test backups or outsource the task to a managed service provider (MSP).

Myth #4: Data Backup and Disaster Recovery Are the Same

This misunderstanding stems from the fact that many people do not understand the difference between data backup and disaster recovery. Even though they are both vital components of business continuity, they are not the same.

While data backup is the act of backing up critical data, disaster recovery is the act of recovering those backups.

Another distinction is that while data backup is defined by the recovery point objective (RPO), which is the amount of data that must be restored to keep operations running, disaster recovery is defined by the recovery time objective (RTO), which considers the time it takes to recover.

We can make it easier for you to implement a long-term security and data backup strategy that also meets IT and endpoint device security and data protection requirements – especially considering new, growing cyberthreats that target vulnerabilities you may have overlooked.

The standard is being developed by the FIDO Alliance, together with the World Wide Web Consortium (W3C), which basically defines how the modern internet looks and works. This is quite a serious attempt to abandon passwords in favor of smartphone-based authentication.

It’s worth keeping in mind, however, that the “death of passwords” has been mooted for around a decade. And previous attempts to do away with this hopelessly unreliable method of user authentication have effectively led nowhere — passwords are still with us. This article from Kaspersky discusses the advantages of the new FIDO/W3C standard. But let’s start by restating the obvious: what’s wrong with passwords?

The trouble with passwords

The number one disadvantage of passwords is that they are fairly easy to steal. In the early days of the internet, when almost all communications between computers were unencrypted, passwords were transmitted in plain text. With the mushrooming of public network access points — in cafes, libraries, and on transportation — this became a real problem: an attacker could intercept an unencrypted password without being noticed.

But the issue of stolen passwords exploded in the early to mid-2010s after a spate of high-profile hacks on large internet services, with the wholesale theft of e-mail addresses and user passwords. It’s safe to say that all your passwords from ten years ago are floating around somewhere in the public domain.

These days, of course, leaks are less likely to contain clear-text passwords: many internet services have long realized that storing sensitive user information unencrypted is a recipe for disaster. So it’s becoming the norm for passwords to be hashed — that is, stored in encrypted form.

The problem here is that if the password is simple, it can still be extracted from an encrypted database by brute-forcing all possible combinations, or by a dictionary attack. Decrypting a hashed password if the original was something like “secret” or “123123” is child’s play. This is the second problem with passwords: to aid memorizing, many people use very weak passwords that are easy to extract from a leaked database — even if encrypted.

And the desire for simplicity and convenience leads directly to the third problem with passwords: using the same password for different accounts and services. Thus, a data leak from some ancient online forum, which you don’t even remember registering on, can result in the loss of your main e-mail account because you used the same password.

Password plus a bit extra

The problem, of course, is far from new, so most services no longer rely on just a single password, but use some kind of multi-factor authentication. When signing in to internet services, social networks, bank accounts, etc., you’re usually prompted for a one-time code after entering your credentials. This code is sent in a text message or delivered to the banking app on your phone or a special app for multi-factor user authentication, such as Google Authenticator.

In some cases, you do not require a password at all.

In most cases, however, passwords are still there as a backup form of authentication. But relying solely on text-based passcodes (by far the most common and user-comprehensible form of 2FA) is also not a great idea for a number of reasons. In short, it has long been understood the future does not belong to passwords. Now, at long last, it seems as if that future is around the corner.

Passwordless authentication as conceived by FIDO/W3C

To strip it down to the bare bones, the new passwordless authentication standard makes the password a purely technical element that the user no longer sees. This allows the use of strong, unique keys and powerful cryptography. This, in turn, makes life harder for cyber thieves and ensures that if one account is hacked, no more will be lost, and makes it impossible to spill the “secret” to phishers.

For the users, it’ll look like they’re confirming a login to a social network, e-mail account, or online banking service from their smartphone. It’ll be like making a smartphone payment today: you unlock the device via the PIN or face/fingerprint authentication, and confirm the “transaction” — only, instead of paying, you’re signing in to your account. In doing so, a successful unlock verifies that you are you. Sounds good!

What’s more, the standard being developed by FIDO has an additional feature in the form of Bluetooth authentication on multiple devices. For example, account login on a laptop is faster if the device “sees” a trusted smartphone nearby. This exciting authentication system will work for the vast majority of users, except perhaps those who continue to use a push-button phone out of principle. With the support of three internet giants, this feature is bound to become universal in the near term. So will it be good for security? Let’s look at the pros and cons of the new technology.

Pros of passwordless authentication

Support from Google, Apple, and Microsoft gives reason to believe that both major services (Gmail, YouTube, iCloud, Xbox) and all iOS, Android, and Windows devices will soon start moving to passwordless authentication. Since the standard is unified and open, authentication should work identically on any device. Plus the option to switch from one device to another is promised. Swapped your iPhone for a Samsung Galaxy? Not a problem: you can designate the new smartphone as your login verification device.

The main benefit of the new method is that it seriously complicates phishing. Traditional password theft works by creating a fake banking or other website and luring the victim onto it. There, the user enters their login credentials (sometimes even 2FA is accounted for), and that’s it — the attacker has access to the bank account. Besides authenticating the user, the new standard checks the authenticity of the service itself. Simply sending a request for authentication on someone else’s web resource won’t work. Neither will password leaks pose a threat to users.

Lastly, the new system promises to be simple and intuitive. If properly implemented, the replacement of passwords even for existing accounts should be very straightforward, and the promised OS-level support in smartphones will not even require any app to be installed. Simply go to the site you want, enter your identifier and confirm the request on your smartphone. All done!

Problems that going passwordless won’t solve

Strictly speaking, this should not be considered a problem, but many people are sure to ask the question: what if someone gets their hands on my “trusted” smartphone and approves login to all my accounts? The answer is very simple: in a realistic security model, there are no unbreakable solutions. Anything can be hacked — the only question is what resources the intruder is willing to spend on it. After all, even if you store your 128-character true-random passwords exclusively in your head, there are proven ways to extract them from you.

There are bound to be attempts to hack individual smartphones to gain access to accounts. But such hacks will be individual, aimed at high-profile targets, sort of boutique-attacks. When it comes to mass market — that is, real-life everyday threats — password theft is several orders of magnitude more widespread than stealing smartphones and making use of their digital content. And the new technology is aimed at solving this precise problem.

Recall that similar doubts were voiced about the mass introduction of biometrics. Back then, many folks were similarly worried that someone would steal their fingerprint (in the most hardcore version, by cutting off their finger) and unlock their smartphone. Troy Hunt, creator of the above-mentioned HaveIBeenPwned, wrote an entire article last year on a related topic: in a realistic security model, biometrics are stronger than passwords.

But the real issue that passwordless access will not address is smartphone loss. Sure, the new standard makes it possible to transfer the authentication system from one device to another. The easiest way to do this is when you have two devices — for example, an old and a new phone. If the old phone is lost, no doubt you’ll have to use some kind of backup method to prove that you are you. But what kind of backup method this may be is not yet clear; most likely it will depend on the settings of the service in question.

In conclusion, it’s worth asking the question: won’t the new system make users more dependent on the functionality of their accounts they have with that selfsame Google or Apple? Will the blocking of a Google account lead to loss of access to all online resources in general? Even if we assume the standard is open, the smartphone operating systems, not to mention infrastructure, are less so.

Are you for or against the passwordless world?

Source : Kaspersky 

Obviously, there’s no guarantee that your files will be unlocked even after you make the payment. In most cases, it’s a slippery slope, with ransomware gangs preying on the less tech-savvy and demanding increasing sums of money. All it takes is a single malicious file download to spread the infection throughout your hard drive.

This is a serious problem for companies, especially if an unsuspecting employee downloads ransomware on to their computer. There’s a risk of the entire network being held hostage, which could effectively grind business to a halt. But obviously that’s also a problem for individuals—no one is safe from ransomware.

Therein comes the phrase “ZERO TRUST” which has been a buzzword for some time. According to Crowdstrike, Zero Trust is a security framework requiring all users, whether in or outside the organization’s network, to be authenticated, authorized, and continuously validated before being granted or keeping access to applications and data.

The principle of zero trust and expenditures toward getting organizational policies, procedures, and infrastructure closer to delivering it, is gaining acceptance as constituting a fundamental component of information security programs.

Chief Information Security Officer (CISOs) and others responsible for security have clearly shifted from a “defend the fort” approach to one in which they recognize that despite their valiant efforts to protect information and information systems, they must assume that their respective organizations have suffered cyber-breaches about which they are unaware.

As a result, cybersecurity programs must be crafted and implemented not only to defend against lateral movement through data systems by so called “authorized users” but also to treat users on internal networks as if they were no more trustworthy than users accessing via Internet-based connections emanating from halfway around the work.

Today, cybersecurity professionals must deem all traffic – including traffic for communications occurring solely on internal networks under their purview – as potentially dangerous.

What’s worse is many site owners have no idea that malware or spam was added to their site. Having a compromised website impacts your users, your business, and your marketing efforts. For business owners, big or small, having your website hacked can pose huge issues. 

For e-commerce sites, not having the right security can compromise your customers’ precious personal data – credit cards, pins, and passwords. For other sites, malware can be added that will place hidden links on your site or even cause redirects of your domain to “less than desirable” places. If you are investing in marketing your business online, making sure your site is protected is essential to getting the best results.

How Can You Protect Yourself

There are a number of things every website owner should do in order to protect their site from exposure. Many business owners know they need to beef up security but just can’t find the time. This is why we add maintenance and security to every site we work on.

Here are 6 things you must do to keep your site protected:

1. Regular Software Updates

Keeping your website’s software, including Content Management Systems (CMS), plugins, and themes, up to date is critical for security. Updates often include patches for known vulnerabilities that cybercriminals can exploit. Failing to update can leave your site exposed to attacks. Implementing automatic updates, if available, and regularly checking for updates manually ensures that your site benefits from the latest security enhancements.

2. Implement Strong Password Policies

Weak passwords are a common vulnerability that hackers exploit. Enforce strong password policies that require complex, unique passwords for all user accounts, particularly those with administrative privileges. Implement multi-factor authentication (MFA) to add an extra layer of security, making it significantly harder for unauthorized users to gain access to your site.

3. Use Secure Connections (SSL/TLS)

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) certificates encrypt data transmitted between your website and its visitors. This encryption helps protect sensitive information such as login credentials and payment details from interception by cybercriminals. Ensure that your website uses HTTPS rather than HTTP to provide a secure connection and to gain user trust.

4. Perform Regular Backups

Regular backups are essential for disaster recovery. In the event of a cyber attack or data loss, having recent backups allows you to restore your website to its previous state. Implement automated backup solutions that store backups in secure, offsite locations. Regularly test your backup process to ensure that you can quickly and effectively recover your site if needed.

5. Monitor and Scan for Vulnerabilities

Continuous monitoring and scanning for vulnerabilities help identify potential security threats before they can be exploited. Utilize security plugins or services that provide real-time monitoring, malware scanning, and vulnerability assessments. Regularly review security logs and reports to detect any suspicious activity or potential breaches early.

6. Educate and Train Your Team

Human error is a significant factor in website security breaches. Educate and train your team on best practices for website security, including recognizing phishing attempts, avoiding unsafe plugins, and maintaining secure coding practices. Regular training sessions and awareness programs can significantly reduce the risk of security breaches caused by user mistakes.

By implementing these practices, you can significantly enhance your website’s security and protect your business from potential threats.

So, what can you do to safeguard your business against data breaches? The first step is being aware of the threats that exist. Second, you must take precautions to protect your data. Third, you need to know what to do if your data is compromised.

In this blog post, we’ll discuss a few of the threats you need to look out for to safeguard your business.

Don’t let these threats get to your business

Here are some lesser-known threats that you need to be aware of:

Juice jacking

Juice jacking is a cyberattack where a malicious actor secretly installs malware on a public charging station. This malware can then infect the devices of anyone who plugs into the charging station. Once infected, the attacker can access the victim’s data. Crazy, right?

An attack of this nature needs to be proactively tackled because more people are using public charging stations to charge their devices. Remember, it’s not just phones that are at risk — any device connected to the infected public charging station is susceptible to juice jacking, including laptops and tablets.

If you must use a public charging station, take a few precautions. To start, only use trustworthy stations. Second, to keep your device from becoming infected, use a USB data blocker. Finally, ensure that your device is in “charging” mode rather than “data transfer” mode.

Malware-laden apps

The number of smartphone users has grown and along with it the number of mobile apps. While there are many legitimate and safe apps available in app stores, there are also many malicious apps cybercriminals release despite valiant efforts to keep app stores safe.

One of the biggest dangers of downloading bad apps is that they can infect your device with malware. This malicious software can wreak havoc on your device, including stealing your personal data, vandalizing your files, and causing your device to crash. In some cases, malware even equips hackers to take control of your device remotely.

So, how can you protect yourself from downloading malware-laden apps? The best defense is to be vigilant and research before downloading any app, even if it’s from an official store like the App Store or Google Play Store. Check reviews and ratings, and only download apps from developers that you trust.

Malicious QR codes

It’s no secret that QR codes are becoming increasingly popular. Unfortunately, while they offer a convenient way to share information, they also present a potential security risk. That’s because scanning a malicious QR code can give attackers access to your device and data.

The best way to protect yourself against this type of attack is to be aware of the dangers and to take precautions when scanning QR codes. For example, you can use a reputable QR code scanner that checks malicious content before opening it. You can also avoid scanning QR codes that you don’t trust.

Using public Wi-Fi without a VPN (Virtual Private Network)

Public Wi-Fi is everywhere, and it’s often very convenient to use when you’re out and about. However, what many people don’t realize is that using public Wi-Fi without a VPN can be a security disaster.

When you connect to a public Wi-Fi network, you unwittingly invite potential hackers and cybercriminals to access your data. Without a VPN, anyone on the same network as you can easily see what you’re doing online. They can intercept your data and even steal sensitive information.

That’s why we recommend using a VPN. A VPN encrypts your data and provides a secure connection, even on public Wi-Fi.

In today’s digital world, safeguarding your organization’s online assets is critical. Unfortunately, poor password hygiene practices by some employees cause problems for many businesses, leaving them vulnerable to hackers and cyberattacks such as the ones explained in our previous article 4 Cyberthreats Small Businesses Need to Know.    In this article, we will look into password best practices to safeguard your business.

Cybercriminals are constantly trying to find new ways to break into business systems. Sadly, too often, they succeed thanks to weak passwords. In fact, nearly 50% of cyberattacks last year involved weak or stolen passwords.  This calls for businesses like yours to step up and take password security seriously and implement strong password policies.

Fortunately, there are a few best practices that you can follow to protect your business. Before we get into those, here are the top 10 most common passwords available on the dark web that you should avoid at all costs:

1. 123456                                               2. 123456789                                                   3. Qwerty
4. Password                                         5. 12345                                                             6. 12345678
7. 111111                                                 8. 1234567                                                       9. 123123
10. Qwerty123

Password best practices

When your team is aware of password best practices, they can significantly ramp up your cybersecurity.

Use a password manager

One of the most important things to keep your passwords safe is to use a password manager. A password manager helps you create and store strong passwords for all your online accounts. Password managers can also help you keep track of your passwords and ensure they are unique for each account.

Implement single sign-on (SSO)

Single sign-on is a popular password solution that allows users to access multiple applications with one set of credentials. This means that you only need to remember one password to access all your online accounts.

While SSO is a convenient solution, remember that all your accounts are only as secure as your SSO password. So, if you’re using SSO, make a strong, unique password that you don’t use for anything else.

Avoid reusing passwords on multiple accounts

If a hacker gains access to one of your accounts, they will try to use that same password to access your other accounts. By having different passwords for different accounts, you can limit the damage that a hacker can cause.

However, avoid jotting down your passwords on a piece of paper and instead depend on a safe solution like using a reliable password manager.

Make use of two-factor authentication (2FA)

One of the best ways to protect your online accounts is to use two-factor authentication (2FA). In addition to your password, 2FA requires you to enter a code from your phone or another device. Even if someone knows your password, this method makes it much more difficult for them to hack into your account.

While 2FA is not perfect, it is a robust security measure that can assist in the protection of your online accounts. We recommend that you begin using 2FA if you haven’t already. If you use 2FA, make sure each account has a strong and unique code.

Don’t use the information available on your social media

Many people use social media to connect with friends and family, stay up to date on current events, or share their thoughts and experiences with others. However, social media can also be a source of valuable personal information for criminals.

When creating passwords, you must avoid using information easily obtainable on your social media accounts. This includes your name, birth date and other details that could be used to guess your password. By taking this precaution, you can help keep your accounts safe and secure.