Do you need a VPN? Do you know what a VPN is?

There’s increasing talk in the media, and in advertising, of VPNs as an apparent cure to all your security woes and as a potential money saver. But what is a VPN and do you actually need one?

What is a VPN and how does it Work?

The acronym VPN stands for Virtual Private Network. Virtual in that it’s not, in the strictest sense, real: your VPN only exists for the duration of your use. Private because your connection is encrypted, which prevents bad actors from listening in. And Network because your VPN builds a private network between your device and an endpoint. It’s often likened to building your own tunnel from you to the endpoint, with your data staying secure as it travels through that tunnel.

Do you remember in some old films when the detectives would say “we can’t track this person, they’ve bounced their call, internet connection etc, off at least 9 different servers across the world”? Well, they could have been using a VPN.

Back in the days when I was employed as a consultant, my employer used a VPN so that we could securely connect to the office network when working remotely. And that’s what a VPN does, it allows a more secure connection across the internet.

Your VPN provider has a number of endpoints around the world. When you connect to one, your data is encrypted before it leaves your device and pops out on to the internet at one of these points-of-presence, with everything in between making its way through your own encrypted, secure tunnel.

Imagine you pop in to your local coffee shop and hop on their free wi-fi to check your emails, perhaps do a little shopping and check your bank account. All your data flows through the coffee shop’s wi-fi router (Local Network in the graphic above) and out on to the internet (Public Network). However, it’s very easy for someone with malicious intent to set up their own connection to the cafe’s WiFi and pretend to be the free WiFi service. If you connect to this, all your data goes through their system (and it could just be their laptop), which allows them to pick up your connection, analyse your traffic and steal your data. This is called a man-in-the-middle attack and is pretty common and very easy to pull off.

If you use a VPN, the man-in-the-middle doesn’t matter because your data zips right past them, secure in its own encrypted tunnel, on the way to the endpoint – which is where it gets decrypted and sent on its way to your chosen website.

Why Should I use a VPN?

There are a number of reasons why you might choose to use a VPN.

The first is SECURITY

As noted just now, it’s not overly difficult to intercept web traffic, some of which will contain personal data and security-related info – user names, passwords, banking data etc. A VPN can overcome most of the risks associated with the interception of privacy-related data, keeping you safe from identity fraud and theft.

The second is SAVING MONEY

Your VPN provider will have endpoints in a number of different countries and if you select one of those countries then the internet will think that’s where you are – because that’s where your internet connection and data look as though it’s originating.

This means that you might find subscriptions (Netflix, YouTube, Spotify etc) are less expensive in other countries, that flights and holidays may cost less if booked from somewhere other than the UK and so on.

It’ll take a little bit of research, but here are a couple of examples.

  • Spotify Premium costs just $1.58/month in India (the cheapest) but $18.39/month in Denmark (the most expensive).
  • YouTube Premium is similarly priced, costing just $1.56/month in India but $15.95 in Switzerland.

Not all VPNs provide access to the least expensive countries but there are many good deals to be had, although you do need a VPN that is able to bypass Geo-Blocks, the technology that subscription providers use to catch VPN users and stop them getting the best deals.

The third is HIDING YOUR LOCATION

When conducting an SEO review I have to appear as a random, anonymous, user when researching client sites. Unfortunately, due to the way that Google works, if I just use my regular browser, Google knows it’s me – even if I choose “Incognito” mode. This means that Google presents search results based on known likes, browser and search history and a wide range of other metrics – which is pretty useless.

So, I use a Browser that rejects cookies, stores no history and has a built-in VPN. This ensures that I see results that are unfiltered, for the most accurate results. The Browser that I use for this is the Epic Privacy Browser and it’s free to download and use.

I also have international clients and conducting a web search in the UK will show me results biased towards the UK. Again, by setting my VPN endpoint in the country I want to research it looks as though I am connected to that country and so I get to see search results from that country.

Some UK services, BBC iPlayer for example, block you from accessing shows and films when you are outside of the UK because they don’t have the necessary Copyright licenses to broadcast shows to the rest of the world. When on holiday abroad this could limit your access to entertainment. Using a VPN will help bypass this restriction.

Privacy

Many service providers on the internet use details from your internet connection to tailor services to you and target ads at you. A VPN will prevent them from attributing your browsing history to your PC/Phone although if you are logged in to Google, Facebook etc this becomes null and void.

A good VPN will also scan files as you download them, provide Ad Free results and ensure that there’s no data tracking or storing when you are searching.

So which VPN should I choose

As with all things technology related, the real answer is “it depends”. If you just want to anonymise your web browsing then browsers such as Brave (no VPN but blocks trackers and a lot of Ads) or Epic (the one with the inbuilt VPN – although it only has EndPoints in 8 countries) will be sufficient for your needs.

Probably the most well known VPN is provided by Nord and they regularly run a range of special offers. Their normal price is £94.35PA for a 2 year contract, although this does enable you to use their VPN on up to 6 different devices. However, at the time of writing this is reduced to £33.65PA or just £2.49/month and you get an additional 3 months free (prices are exc. VAT).


Another leading VPN is SurfShark. Their “Unlimited VPN” package is currently just £1.74/month for the first 26 months and can be used on an unlimited number of devices.


My current VPN of choice is TunnelBear, but for no other reason than when I signed up I got a lot of bandwidth for very little money. It has some limitations but none that I have found impact on my use.


If you have a 2TB (or greater) storage plan with Google then you can use their free “1” VPN on phones (Android and iOS). However, it does mean that you are trusting Google not to look at your data as it passes through their servers. You also can’t control your EndPoint, so it’s no good if you want to browse from different countries.

VPN Drawbacks

  • Beware of “Free” VPNs because nothing’s ever free. A free VPN may come with ads and it might also sell your data on to unidentified third parties.
  • Free VPNs also may limit the Bandwidth they provide which will limit the downloads and streaming you can do.
  • Free VPNs may also limit your Speed which also makes them useless for streaming and downloads will take quite a while longer than you are probably used to.

And finally, if you have any VPN related questions then I probably know enough to be able to answer your question or point you in the direction of someone who can.

If you need assistance with your SEO, Email Marketing, Social media or any other type of online marketing activities then I can definitely help you, so you really should get in touch – even if it’s just for a free consult. You can call me on 01793 238020 or 07966 547146, email andy@enterprise-oms.co.uk or book a slot using my calendar and we’ll take it from there.

Make your business Cyber Secure

In my previous post I wrote about the key Cyber Security threats that individuals and businesses of all sizes face. If you’ve not read it you can catch up here.

This time around I am going to review some of the key protective measures that you can take. Measures that will make your business harder to defraud, harder to hack and less likely to fall victim to Cyber Crime.

Let’s start with your website. Hackers around the world are queuing up to take over your website, or simply to bring it to its knees so it stops working and they can demand money to restore it to good working order. This latter approach is a Distributed Denial of Service attack – aka DDoS. (My previous blog describes a DDoS so I won’t replicate the description here, for brevity.)

How do you stop a DDoS attack from bringing your website down?

DDoS attacks are happening all around the world, right now, as you can see from this Cyber Attack screenshot.

Chart of global DDoS attacks
From https://www.digitalattackmap.com

There are two approaches. You can choose a web host that has the connectivity and technology in place to make sure that DDoS attacks can’t prevent their web servers from running. They will use a variety of technology, including sophisticated firewalls, traffic filtering and DDoS defence systems. Not all web hosts offer such a high security level, so you’ll have to shop around.

A better option, in my opinion, is to use a Content Delivery Network (CDN). A CDN uses many servers located around the globe. This means that if a single server location is targeted, regular visitors are simply directed to the next nearest server, totally mitigating the threat. Another big benefit of CDNs is that if your website targets different countries then visitors from those countries will connect to the server that is closest to them – which ensures that your website is always delivered at the fastest possible speed. That benefits both the visitor and your SEO, because no-one, not least Google, likes a slow website. Top CDNs are Cloudflare, Amazon Cloudfront and Microsoft Azure.

Passwords

I know, I know, I am always banging on about Passwords but passwords are gateways in to PCs, Phones, Networks, your web host and so much more.

So, your gateway passwords need to be really secure if you want to keep the hackers out – and you really do want to keep them out. You might think that there’d be no interest in your website, but hackers are targeting every single website they can find. The UK’s National Cyber Security Centre recommends using a password comprising 3 random words and a unique password for every site you access. I recently made a short video about this very topic.

Firewalls


A Firewall provides an impenetrable, unhackable barrier (provided it’s properly configured) between the internet and your computer or computer network.

Yes, Windows has a Firewall and it’s certainly better than having no firewall at all but, in reality, it’s about as much use as a chocolate fireguard. It’s just too easy to misconfigure, especially if you have a small network and have fiddled with the settings as you try to share files and folders from one PC to another. It might deter the casual hacker but won’t stop a determined one.

There are software firewalls that are provided by the same companies that sell anti-virus software. These are better than the Windows firewall but similar issues remain. Each device on your network has to have one installed and kept up to date.

A far better solution is to use a firewall appliance: a little box that sits between you, your internet router and the internet.

And talking about your router, the device that was supplied to you by your broadband provider: the router does include a Firewall, but it’s a tad rudimentary at best, and if you haven’t set a secure password it will still be using the user name and password that it shipped with. This could be as daft as having “admin” as both the user name and password, which makes it as easy to access from the internet as it is from inside your home, home office or office.

And all somebody has to do is Google the make of router that’s used by broadband company X and the default user names and passwords are readily available. Targeted at those who might have lost their user manual but available to all.

These types of firewall are about as much use as a wall made of paper if you are running a business. It’s much better to invest in a dedicated firewall appliance.

The most popular are provided by Watchguard, SonicWall and Cisco, and these protect computers and networks from a wide range of Cyber attacks.

My set up looks like this. My office provider uses a Watchguard firewall in their comms room. I have a D-Link firewall in my office AND use the Windows firewall on my computers.

VPN


Imagine the scenario. You are in your favourite coffee shop and need to jump on their free Wi-Fi. You spot the password on a tent card on your table and fire up your laptop/Chromebook/tablet/phone and search for the Wi-Fi. There it is, right at the top “FreeCoffeeShopWiFi”. You click, you enter the password and you’re away.

You log in to your office email account, then your private email. Then a quick check of your bank account confirms that you have enough to buy that latest thing you’ve been after.

Later that day you check your emails. There’s an unexpected one from your favourite shopping site confirming a change of password – not something you remember doing – so you check your bank account. It’s empty, drained of everything while you were finishing your coffee.

What’s happened? When you logged in to the coffee shop WIFI you weren’t logging in to the legitimate account. Somebody had set up a clone inside the coffee shop, which you found and logged in to. The person behind the clone was “sniffing” all of the traffic going through their portable WiFi hotspot that they’d set up and were merrily pulling off websites, user names and passwords and happily started to spend other people’s money, including yours. This is known as a man-in-the-middle attack.

Could you have prevented it? EASILY.


Just get yourself a VPN, they’re inexpensive but provide a very secure way to access the internet. Simply put, a VPN creates a secure, encrypted, private tunnel between your device (phone/tablet/laptop etc) and the destination website, (bank, email account, online shopping site etc). It doesn’t matter whether you are on a genuine account or a cloned account, your tunnel can’t be broken in to, your data is secure.

Another use of VPNs is when you work remotely and need to access office files. A VPN will secure the data that moves between your office and your device and keep everything safe.

You might also use your VPN at home, just in case your neighbour is on your WiFi and “sniffing” your data.

And, finally, if you want to appear to be in a different country – let’s say you are on holiday abroad and want to watch BBC iPlayer content that is only available in the UK – you can use a VPN to give you a “point of presence” in the UK. Your VPN makes it look as though you are in the UK when in reality, it’s just the end of your VPN connection.

If you subscribe to a Google business service then you have free access to a Google VPN on your phones and tablets. If you don’t want to use that then some of the best are provided by ExpressVPN, TunnelBear and StrongVPN.

I use TunnelBear but am not an affiliate, so if you sign up there’s no benefit to me, just added security for you.

Not clicking

Phishing, SMishing and SpearPhishing emails are mainly designed to make you click on a link to visit a genuine-looking but fake website where your log-in information can be harvested.

I’m going to be blunt – DON’T CLICK. If you think the email may be genuine, contact the sender (by phone or with a fresh email – not a “reply”) and ask them for clarification. If it’s a link to a website, enter the domain name yourself in your web browser; don’t click on the link in your email and don’t “copy” the link, but DO hover over it in your email program. The link will have been designed to look legitimate, but hovering your cursor over it will show you where the click will actually go. It might look similar to the pukka site but won’t be. If the proper URL is company.com, the fake address could look like company.com.fakesite.eu or company123987.com, for example.

Even if you believe the link to be valid, don’t click on it; either enter a URL you KNOW in your browser or search for the company. 99% of the time you’ll see that your email is a fake, an attempt to extort you.
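The “hover and compare” check above can be written down as a small script. This is an added example, not code from the original post: it pulls the real host out of a link target and compares its owner-level (registrable) domain with the site you expect, using the post’s own illustrations (company.com, company.com.fakesite.eu, company123987.com). The helper names and the short suffix list are my assumptions.

```python
"""
Added example: classify the destination that hovering over a link reveals,
relative to the domain you expect to be visiting.
"""
from urllib.parse import urlsplit

# Tiny subset of multi-label public suffixes so that "example.co.uk" counts as
# one registrable domain. A real deployment would use the full Public Suffix
# List; this subset is an assumption for the example only.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the owner-level domain of a host name.

    'company.com.fakesite.eu' -> 'fakesite.eu'  (the real owner is fakesite.eu)
    'www.example.co.uk'       -> 'example.co.uk'
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def link_verdict(href: str, expected_domain: str) -> str:
    """Compare where a link really goes with the domain the user expects.

    Returns a string starting with 'ok', 'lookalike', 'mismatch' or
    'suspicious' so the caller can decide what to do with the link.
    """
    # Bare host names (no scheme) are treated as http so urlsplit parses them.
    parts = urlsplit(href if "://" in href else "http://" + href)
    # urlsplit().hostname drops any "user@" prefix, so a link such as
    # https://company.com@fakesite.eu/ correctly reports fakesite.eu.
    host = parts.hostname or ""
    if not host:
        return "suspicious: no host name in link"
    if parts.scheme not in ("http", "https"):
        return f"suspicious: unexpected scheme {parts.scheme}"

    actual = registrable_domain(host)
    expected = registrable_domain(expected_domain)
    if actual == expected:
        return "ok: same registrable domain"
    if expected in host:
        # The expected name is present, but only as a subdomain label of
        # somebody else's domain (the post's company.com.fakesite.eu case).
        return f"lookalike: '{expected}' used as a subdomain of {actual}"
    return f"mismatch: link goes to {actual}, not {expected}"


if __name__ == "__main__":
    # Constructed sample links, modelled on the examples in the post.
    for link in ("https://www.company.com/login",
                 "https://company.com.fakesite.eu/login",
                 "https://company123987.com/login",
                 "https://company.com@fakesite.eu/"):
        print(f"{link:45} {link_verdict(link, 'company.com')}")
```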

Fake News and Fake Reviews

Although you can’t prevent third parties from posting Fake News and Fake Reviews about your company, you can be on the lookout for the posts so you can take remedial action. Use tools such as Google Alerts and Drumup.io, which can conduct keyword searches for your brand and alert you by email when something turns up that uses your brand or company name. Then you can see where the article has been posted and review it. If it’s obviously fake news you should post a reply AND contact the host of the review platform and advise them of this.

Hacking

What can you do to prevent your devices and networks from being hacked?


You can use a Firewall to provide a secure “wall” between your network and the outside world. You can make sure that you have changed the default user name and password and use a hard-to-crack password – something like the three random words recommended by the National Cyber Security Centre.

You should use biometric access controls, fingerprint or facial recognition on your phones, tablets and computing devices. You should be wary of emails and their attachments.

Ensure that your anti-virus programs are up to date and that Windows is allowed to keep itself up to date too.

You should consider encrypting your data, so if it is stolen then it won’t be of any value, or use, to anyone and you also need to be regularly backing up your computers and servers. AND don’t forget to regularly check that you can restore your backed up data. There’s nothing like finding out that your backups are corrupt, or discovering that you’ve not been backing up what you thought was being backed up, when you lose data. It’s too late then.

And finally, train your staff and keep their training up to date so they know how to identify potential threats and with whom they should share their concerns.

Insider Threats

Office staff having a meeting

Insider threats are the most insidious. By definition, it’s people who you trust. So what can you do?

You should control what they have access to. Nobody outside the Accounts department (with the exception of some board members) needs to have access to financial systems, and files. Nobody outside of Sales needs to have access to details of ALL clients at all stages of the sales process. Give a lot of thought to who can see, and access, what.

Work hard to know your staff. Talk to them. Understand what makes them tick, their personal situation, without being creepily intrusive. Join conversations “around the water cooler”. Have an “open door” policy so that your people know they can bring their concerns to you.

You should also have a very clear policy on BYOD (Bring Your Own Device) where people are permitted to use their personal phones, tablets and laptops and can connect them to the company networks and Wi-Fi. Yes, it’s a great way to save money by allowing people to use their own equipment but it opens up a whole host of risks.

  • What are they taking home with them to “work” on?
  • What websites do they visit during work time whilst connected to the company network?
  • What security protection are they using on their private devices?
  • What Social Media platforms are they on whilst in company time and on the company network?
  • What policies are in place to manage their use of external memory devices (such as USB sticks and external hard drives)?
  • What files and folders can they access?

Ultimately, you might decide that the risk is not worth the saving and simply provide all the equipment and tools that your people need to be able to do their job.

USB Memory


As discussed in my previous Post, “Top Cyber Security Threats to YOUR Business”, USB storage devices can be an absolute nightmare. You must have a policy in place that covers how they are used: how (and whether) your employees can use their own, what the policy is in relation to found devices, how you will manage lost devices that might have company information on them, and an overall policy with regards to USB ports.

I know of many companies that have simply banned the use of unauthorised USB connections (remember, connecting a phone or tablet to charge it means that device can also be used as USB storage to remove data or introduce a virus).

I even know of one business owner who used superglue to ensure that absolutely nothing could be plugged in to the majority of computers and servers in his business. Even I agree that that was an extreme solution but I get his point.

Ransomware

Ransomware normally arrives either as an attachment on an email or via a link contained in an email, so good email security and data hygiene will minimise the risk from this threat.

Viruses, Trojans and other Malware


Again, most viruses and trojans infiltrate a business via attachments on Emails and links in emails. The attachments might look like PDFs, Word or Excel documents or pictures but they won’t be. They will either have embedded macros (Word, Excel etc) or mask their true type. Something that looks like picture.jpg might actually be picture.jpg.exe – a file that will be run when clicked rather than a nice picture that will open when clicked.
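To make the picture.jpg.exe trick concrete, here is an added example (mine, not from the original post) that screens attachment names for a decoy extension hiding an executable one and for macro-enabled Office types. It also shows what Windows would display for the same name when “hide extensions for known file types” is on, which is the assumption behind the `displayed_name` helper; the extension lists are my own starting point, not a complete catalogue.

```python
"""
Added example: flag attachment names that mask their true type, as described in
the post (picture.jpg.exe looking like a picture, documents carrying macros).
"""
import os

# Extensions Windows will execute when double-clicked (assumed subset).
EXECUTABLE_EXTS = {".exe", ".scr", ".bat", ".cmd", ".com", ".js", ".vbs",
                   ".ps1", ".msi", ".pif"}
# Office formats that can carry embedded macros (assumed subset).
MACRO_EXTS = {".docm", ".xlsm", ".pptm", ".dotm", ".xlam"}
# Harmless-looking types used as the decoy in a double extension.
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx",
              ".xls", ".xlsx", ".txt"}


def extensions(filename: str) -> list[str]:
    """Return every extension in order, e.g. 'picture.jpg.exe' -> ['.jpg', '.exe']."""
    name = os.path.basename(filename.strip()).lower()
    parts = name.split(".")
    return ["." + p for p in parts[1:] if p]


def attachment_verdict(filename: str) -> str:
    """Return 'block: ...', 'review: ...' or 'allow' for an attachment name."""
    exts = extensions(filename)
    if not exts:
        return "review: no extension"
    last = exts[-1]
    if last in EXECUTABLE_EXTS:
        if len(exts) > 1 and exts[-2] in DECOY_EXTS:
            # The post's picture.jpg.exe case: a picture-like name, an executable file.
            return f"block: {exts[-2]} decoy hiding {last}"
        return f"block: executable {last}"
    if last in MACRO_EXTS:
        return f"review: macro-enabled document {last}"
    return "allow"


def displayed_name(filename: str) -> str:
    """What Explorer shows with known extensions hidden: the final extension is
    dropped, so 'picture.jpg.exe' is displayed as 'picture.jpg' (assumed model
    of the Windows default, which is why the trick works)."""
    name = os.path.basename(filename.strip())
    known = EXECUTABLE_EXTS | MACRO_EXTS | DECOY_EXTS
    stem, ext = os.path.splitext(name)
    return stem if ext.lower() in known else name


if __name__ == "__main__":
    # Constructed sample attachment names, not real files.
    for name in ("picture.jpg.exe", "invoice.docm", "report.pdf", "setup.exe"):
        print(f"{name:18} shown as {displayed_name(name):14} -> {attachment_verdict(name)}")
```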

And rogue USB devices remain an ever present threat.

Avoiding a lot of these threats comes down to good email security and data hygiene although this will be reliant on good training, regular updates and reminders.

You might have a decent anti-virus application running on all devices (including phones and tablets) but it’s a constant war. The cyber criminals are always on the lookout for ways to circumvent security software so you still need to be alert to the threats.

And Ditch Microsoft Windows

Yes, I know. It sounds almost like heresy, but Microsoft does have a bit of a reputation for insecurity. Yes, it’s better than it was but, as the most popular operating system, it’s also the most popular target for hackers. It even has its own day of the week – Patch Tuesday, when all manner of updates are released, including security fixes. Apple Macs are better. However, as sales increase so does the hackers’ interest, and it’s not as secure as some would like you to think.

So is there a solution?


Yes, it’s called Linux. It’s been around more than 30 years, is properly free and very secure.

But don’t you have to be a bit of a geek to install, and use a Linux machine?

Nope, not these days. For most, it’s as easy as installing Windows AND it even looks, and works, a lot like Windows because that’s what we’re all used to. I run a Linux machine in the office and it uses Linux Mint – which is probably one of the easiest to come to terms with. And you can learn more about Mint, download it and learn how to install it here. Another popular Linux distribution is from Ubuntu and you can run Ubuntu from a USB stick if you want to give it a try without installing – oh, and you can also create dual-boot scenarios where you keep Windows, install Linux and simply choose which one you want to run when you boot your PC.

I am not a cyber security expert although I’ve done my fair bit, especially when working in IT support, and I do my best to stay up to date so feel free to send any questions you might have to andy@andypoulton.com or give me a call on 01793 238020 or 07966 547146, Tweet me @AndyPoulton or contact me on LinkedIn and if I can’t help, I know some real cyber security experts that I can put you in touch with.

Thanks for reading and if you need help with your #SEO or any other element of your digital marketing, please don’t hesitate to get in touch.

Andy Poulton
Chief SEO Officer
Enterprise Online Marketing Solutions

Top Cybersecurity Threats to YOUR Business


We are living through troubled times. Covid seemed to be under control, we were learning to live with it and we were starting to look forward to a quieter 2022.

And then Putin invaded Ukraine!


As a result of sanctions imposed on Russia by the West I have no doubt that the professional Russian Cyber Criminals have ramped up their activities. Not only to attack Ukraine but to attack western institutions for having the temerity to support Ukraine and actively punish Russia via sanctions.

I thought that my next two posts should focus on the possible cyber security threats that this will pose. Why two posts? Simple – the length and volume of information make it easier to take in if it’s split in two.

The first post, this one, will look at the threats we face as individuals and businesses when we use our computers and the internet. The second will look at ways that we can protect ourselves, and our businesses.

Although 100% security may be prohibitively expensive for SMEs most of us can do more to secure our data and reduce the risk from infiltration, theft, misuse and other malfeasances.

So, without further ado, let’s take a look at the top Cyber Threats that can be used against us, right now.

Distributed Denial of Service – DDoS

A DDoS attack is designed to bring a website, or internet connected system, to a standstill. Simply put, the Cyber Criminals will have gained access to a Botnet (a network of internet connected devices that they control without the owners’ knowledge). They then issue commands to the Botnet to visit a given web address. When thousands of computers try to access a website at once, the website grinds to a halt.

It’s analogous to closing a busy motorway and diverting all of the traffic on to a single-lane country road. Very soon the road will be so full of traffic that everything grinds to a halt.

When the target website, or service, comes to a stop the hackers approach the website owners and demand a ransom payment, threatening to continue making the website unreachable until the ransom is paid. The busier the site the more it costs for it to be unavailable and the faster the owners are likely to pay.

As an example of this, in the last couple of years a major, online, bookies website was targeted. It was brought to a grinding halt for about 10 minutes. The criminals then contacted the company and identified themselves as the cause of the website failure. They demanded a ransom and threatened to bring the website to a halt over a significant betting weekend (Cheltenham Gold Cup weekend to be precise). For obvious reasons, it’s unknown whether the betting website paid up, or not.

Fake News

Fake news is insidious. Whenever something controversial happens there will always be people posting fake news, and reporting fake news, with the aim of either reducing the apparent severity of reported activity or distracting the news consumer, encouraging them to take their eye off the real story and try to get them to look elsewhere.

Fake news is difficult to ignore, by intentional design, and creeps in to every area of the media.

At a business level, it could be a competitor who posts positive fake news about themselves, to make them appear better than they are, or someone posting negative stories about your business hoping that they can reap the rewards.

Fake Reviews

Like Fake News, Fake reviews go two ways. Competitors, or people with a grudge, publish negative reviews on places like TrustPilot and Google reviews. Not only does this impact the public’s perception of your business but it can have a negative effect on your SEO, especially when it comes to Google Local, where part of Google’s decision making process is the quality of your reviews in comparison to your competitors.

The other way is for your competition to post fake, high quality reviews of their business to boost their business at the detriment of yours.

Hacking

Frequently imagined to be conducted by aggrieved teenagers hacking/cracking websites from the depths of their bedrooms, hacking has evolved in to a massive industry. It’s escalated in to an activity that’s carried out at all levels, all the way up to state sponsored hacking where individuals & organisations are paid by, sponsored by, or simply work for, a country or an organisation.

At the state level they look to attack the infrastructure of a foreign country using the internet as their weapon, the goal being to take services offline, for example. Imagine an attack on a country’s power supply network that could just switch the electricity off.

At the business level, hackers look to break into individual computers, servers or networks. This would provide access to confidential information and intellectual property.

Imagine that you invented something that stood to give you an incredible competitive advantage and make your company a lot of money. Hackers could break in, steal the data and sell it on. It’s believed, for example, that the Chinese government had access to the secrets of US military giants for years. This enabled them to modernise the Chinese military far faster than if they had to do all their own research and development.

Hacking could also be used to plant false information on servers. Imagine a knock on your door, by the police, with a warrant for pirated material (or worse). They take control of your network – banning your people from it and bringing work to a halt – whilst they conduct their examinations to find said material. Whether they find anything, or not, you’ll be prevented from working for days, weeks, months, possibly years while they conduct their examinations. And if there’s a whisper of wrongdoing to the media, whether ultimately proven or not, justified or not, your reputation could take a massive hit from which it might prove impossible to recover.

Insider threats

Insider threats are probably the most insidious because they are carried out by people you trust, your employees or partners. As well as stealing from you, someone inside your organisation could also conduct a cybercrime against you. It might be as simple as deliberately installing a virus from a USB stick (for accidental virus installation see “USB Sticks and other forms of removable/portable storage“) or opening up your firewall to external intrusion (see Hacking).

Without proper tools and tracking in place you’ll probably never find out where the problem came from, which could lead to repetition once you’ve fixed the problem the first time.

Malware

Malware is a generic “cover all” term for malicious software. It has been reported that Malware affects 32% of global computer systems. The goal of malware is to infect your computer system with malicious software with the aim of slowing down, or stopping, your computers and network.

As with a lot of other attacks, businesses that are affected by malware are likely to be approached by the perpetrators who will demand payment to stop the attack.

Phishing

Phishing is an attempt by an unknown third party to persuade you to voluntarily hand over essential log-in credentials for critical web sites (think of your banking info as a single example).

It starts, typically, with a genuine looking email that lands in your inbox, purporting to come from a trusted source. The email will contain a scary message encouraging you to log into your bank account, for example, because failure to do so would see you being “locked out of your account due to a security risk”.

To make it easier, the email also includes a “Click here” link. You click, you arrive at a page that looks like your bank, enter your user ID and password but you can’t log in.

And you can’t log in because it’s not your bank. If smart, the Phishing site (because that’s where you are) will automatically forward you to your actual bank page where you’ll try to log-in again, convinced you made a typo first time around, and this time, you get in to your account.

In the meantime you will have confirmed to the Phishers that you have an account with the bank they targeted AND gifted them your user ID and password. Even though most banks now require an additional form of authentication, getting the first two parts of the authentication chain is a great place to start.

Ransomware

Ransomware is the generic term that covers a wide range of attacks on computer systems with the aim of preventing their effective and proper use. The expected resolution is the payment of a ransom to make the attack stop. The only problem with this is that the criminals are passing on the details of companies (and individuals) who paid up on the premise that they paid once, so will probably pay again.

SMishing (SMS Phishing)

An SMishing attack is an attack that starts on a mobile phone. The cyber criminals send you an SMS message that will encourage you to click on a link in the message. The link will take you to a website that has been set up to collect critical ID information. This might be bank account details in “payment” to “release” a parcel that’s been held up at the couriers, for example.

Spear Phishing

A Spear Phishing attack is like a Phishing attack but more focused. The criminals won’t be targeting random individuals but will have done their research and will target named individuals within an organisation.

The targeted person (let’s say they are a manager in accounts) will be sent an email, purporting to come from an internal department, asking for an expedited payment to XYZ company for ABD services/supplies/components etc. The payment is made – only it’s not for any services; it simply goes straight into a bank account operated by criminals.

Trojans

A Trojan attack, named after the Trojan Horse of Greek mythology, is where a criminal distributes a piece of software that looks legitimate but harbours a nasty surprise. You’ll typically find Trojan Horse software on the internet, hiding behind hacked websites. You might search for something specific, picture editing software, for example, and come across a website giving away something that seems to do everything you need – for nothing.

You click. After all, it doesn’t cost anything, there’s no demand for bank or credit-card details, so where’s the risk?

You download the software, navigate to your downloads folder and click to install. Your screen might go blank for a very short time but soon comes back. There’s no evidence of anything being installed, or anything else happening, so you assume the download is broken. Do you download it again or try something else? Most people will look for something else but the damage has already been done.

In the background, unbeknownst to you, the malicious software has installed itself, and hidden itself so there’s no record of its installation. If clever, it might even have disabled your antivirus protection too.

Your computer might now be added to a Botnet to be used in DDoS attacks, or might be capturing every keystroke you make – including credit card and banking details – and surreptitiously sending them back to the criminal who distributed the software.

USB Memory Sticks and other forms of removable/portable storage

Occasionally, when out and about, perhaps enjoying a coffee in your favourite coffee shop, you might come across a USB memory stick or memory card that someone has “forgotten”. You might ask at the counter whether they know who left it behind but they probably won’t have a clue so you take it back to the office, or your home.

Gleefully, you insert this new trophy into your computer, perhaps to see how large it is, perhaps to see whether you can determine the identity of the owner in the hope that you can return it to them. Or you might simply want to be nosey and see what’s on there.

Whatever your reason, it’s too late. The software that was set to autorun when inserted into a computer has installed itself on your PC and is now running maliciously in the background, either letting an unknown third party take control of your computers and network or sending all your keystrokes back to some criminal.

Virus

Computer viruses are the most common form of cyber security threat out there. They land on your computer as an email attachment that you have been encouraged to click on (perhaps an innocent looking document, for example) or are pushed down on to your computer when you visit an infected website. As with other threats, you won’t necessarily know you have been infected until they do their dastardly deed. The smarter viruses can circumvent some of the best anti-virus systems and can remain hidden whilst they conduct their criminal actions: stealing data, monitoring keystrokes and feeding them back to a cyber criminal, for example.

What should you do

Part two of this email will go into preventative and detective measures in more detail. However, for now, the guidance is simple. Trust no one. Any email that arrives with a hyperlink or an attachment, no matter who it comes from, should be considered suspect. Don’t click the link or the attachment unless you trust the source, were expecting it or have validated it in a different way.

Don’t plug in “found” USB drives and memory cards, don’t visit websites on a whim and make sure you keep your anti-virus software up to date, allow Windows (if you are a Windows user) to install Windows updates and please, please, please make sure your firewall is up and running.

And finally, the pitch.

If you need help with your Cyber Security I can help and can even point you in the direction of a really excellent Cyber Security company if you need more in-depth help and support.

Get in touch – even if it’s just for a free consult. You can call me on 01793 238020 or 07966 547146, email andy@enterprise-oms.co.uk or book a slot using my calendar and we’ll take it from there.

National Cyber Security Month

October is National Cyber Security Month.

What is National Cyber Security Month?

Threats of Cyber Crime from Cyber Criminals continue to increase and we all need to be increasingly alert and focussed on the threats, the impact they could have on our lives AND the things we can do to minimise the risk to ourselves and our businesses.

National Cyber Security Month 2021 has the overarching theme “Do your part. #BeCyberSmart” and looks to empower individuals and businesses to own their role in protecting their part of cyberspace.

If we all do our part then we will all benefit from a safer place to live and be in a safer place to do business. Not only that but we’ll also be denying the cybercriminals the space they need to extort, employ fraud and generate the money they lust after.


How can we contribute?

We can all look to implement stronger, better security practices such as not clicking links in emails, not opening emails from people we don’t know, or even emails we weren’t expecting. We can install security software on our phones, our tablets and our computers. We can use stronger passwords, and make sure we use unique passwords for EVERY application.

Each week, National Cyber Security Month will have a different focus, starting with Week 1 – Be Cyber Smart.

Week 1, Starting October 4 – Be Cyber Smart


Our lives are increasingly intertwined with the internet and the World Wide Web. Pretty much all personal and business information is stored on internet connected platforms, from banking to social media, from email to SMS, from phone and video calling to watching TV and listening to music and beyond. The internet simplifies some areas of our lives and makes it more complex in others but the one, overarching common factor, is the need for a strong level of security to keep our data safe.

That’s why Week 1 of National Cyber Security Month focuses on the best security practices and “cyber hygiene” to keep our data safe, owning our role in Cyber Security and starting with the basics. That includes using unique, strong passwords and making sure that we use multi-factor authentication (2FA) where it’s available, preferably avoiding SMS (text message) authentication where possible.

Week 2, Starting October 11 – Fight the Phish – Trust No One

Phishing attacks, where emails and text messages are sent containing web links encouraging you to click the link, visit a website set up by cyber criminals and enter your user names and passwords, are still on the increase. Why are they on the increase? Because they work. People see an email that purports to come from their bank, HMRC, DVLA, Post Office, BT etc. and are given a warning claiming that the recipient needs to do something NOW or they will be locked out of their account, will be arrested, won’t have an order delivered… or one of many other ruses. You click the link and either have malicious software sent to your computer without your knowledge and approval or give away user names and passwords to cyber criminals, enabling them to access your personal accounts and to steal from you.

The X-Files mantra of “Trust No one” applies here. Any email that contains a request for such information should always be approached with caution and, if you have even a small inkling of concern, then simply open your web browser and visit the website of the sender to check out the veracity of the email.

Week 3, Starting October 18 – Explore, Experience, Share

Week three focuses on the National Initiative for Cyber Security Education (NICE), inspiring and promoting the exploration of careers in the cybersecurity sector. Whether you are a student, a veteran or seeking a career change, this week is all about the exciting, ever changing field of cyber security, a rapidly growing business sector with something for everyone.

Week 4, Starting October 25 – Cybersecurity First

The last week of National Cybersecurity Month looks at making security a priority. Actually taking a Cyber Security First approach to designing and building new products, developing new software, creating new Apps.

Make Cyber Security Training a key part of onboarding when taking on new employees (and, at the other end, making sure that technology rights are revoked when people leave organisations).

Ensure that your employees are equipped with the cyber secure tools that they need for their jobs. If you practice a BYOD (Bring Your Own Device) policy, allowing employees to use their own phones, tablets and computers then you need to ensure that the cyber security deployed is as strong as that on equipment that you provide.

Before buying new kit, or signing up to a new service, do your research and check the security. Is it secure enough? Can it be made more secure? Can it be remotely wiped? Who has control? All of these questions, properly answered, will ramp up your cyber security defences and help keep the cyber crims at bay.

When you set up new equipment, that new phone, tablet or laptop, I know it’s exciting but please put Cyber Security first, don’t leave it until last – it might be too late. Make sure default passwords are replaced with something secure and lock down those privacy settings.

Cyber Security MUST NOT be an afterthought. If it is, you could find yourself paying the price.

And if you need some help, you can always ask me. I might not know the answer but I know people in the Cyber Security industry that I can put you in touch with. Email andy@enterprise-oms.co.uk, phone/message me 07966 547146, call 01793 238020 or message me on Social Media and we’ll get it sorted.

New Password Guidance from the National Cyber Security Centre

15 years ago Bill Gates, yes that Bill Gates, predicted the death of the password, presuming that a much more secure alternative method of securing data would be adopted. But it hasn’t, and passwords are still the default method of securing access to data and systems.

And, with the rapid rise of Cloud Services, smartphones, tablets and much greater use of the world wide web, passwords are seen as an easily implemented, low-cost security method that users have become familiar and comfortable with.


However, the sound advice to use a different password for every site and service has led to “password overload”, more so when the instruction is to make them increasingly complex to reduce the chance of password theft or accounts being hacked. This has led to a small range of strategies for remembering passwords: writing them down in a “little black book”, saving them in a spreadsheet or using a password manager [with over 300 passwords, the latter is my choice].

However, a lot of people develop a strategy that is simply based on incrementation. HardPassword1, HardPassword2 etc. The danger being that in a data breach, once your strategy is uncovered it’s just a matter of time before hackers gain access to a range of your accounts.

Recent advice from the UK’s National Cyber Security Centre (NCSC, based in London and part of the UK’s Cyber Security HQ at GCHQ) has suggested making passwords up simply from three random words. Their advice is to be creative and use words that are memorable to you – but not words that can be easily associated with you, such as

  • Your children’s names
  • Favourite Sports team
  • Current partners’ name
  • Names of other family members
  • Pet’s name
  • Place of Birth
  • Favourite Holiday
  • Etc

So, that makes it harder to think of 3 random words, but I’ve got an idea. And it’s based on geography. Before you run away thinking I’m going to suggest capital cities, rivers or mountain ranges, stay with me. I suggest using some places that are close to your heart, but randomised by using the navigation app/website What Three Words.

What Three Words is able to define a precise location, down to a 3 metre square. Simply visit the What Three Words website, or install their free app on your phone, and navigate to your favourite place. Here’s one of mine (not used for any of my passwords so I’m giving nothing away).

St Catherine’s By The Sea in Map View and Google Earth View

Whether you use the Map View or Google Earth type view, you’ll see the map is overlaid by little squares.

Now, just click on a square and it will be identified by three unique words, so you could click on the entrance to the church, for example, or even a grave stone in the grave yard and What Three Words will give you a code that is unique to that square.

I’ve clicked on the church door and the unique code is remarking however stubble. You could make it harder by adding hyphens, or a different symbol and perhaps capitalising Remarking-However&Stubble for example.

Now all you have to do is either remember your password or use a decent Password Manager, and there are many to choose from; I’ve written about them in the past.

And PLEASE, if this applies to you – STOP USING PASSWORD or 12345678 and use one of the above instead.

If you need any help, please, just ask. You can reach me by phone – 01793 238020 – email – andy@enterprise-oms.co.uk or just hunt me down on Social Media.

How much did your last cup of coffee cost?

Cybercrime is everywhere these days. In 2020 cybercrime cost UK businesses an estimated £21Bn* with an estimated 40% of UK businesses being subjected to some kind of cybercrime in the previous 12 months. So, how can you minimise the risk to YOUR business?

There’s lots of advice on passwords, I regularly write about them, and other security measures that you can take, but did you know that even a trip to your favourite coffee shop could end up being far more expensive than the price you pay for your Triple Grande Decaf Soy Latte Macchiato and blueberry muffin?

Imagine the scene, you’re between meetings and decide to drop into your favourite coffee shop for a cup of coffee, a cake and to tap into their Wi-Fi to read your emails, refresh your knowledge in time for your next meeting or simply to surf the web.

Spoof Wi-Fi Hotspot

When you sit down and try to log on to the Wi-Fi there’s frequently a selection of hot-spots to choose from. How do you know which is the free service provided by the venue and which is a spoof?

It’s very easy to set up a Wi-Fi hot-spot using a mobile phone, Mi-Fi type of device or laptop and allow other users to connect through this free connection.

This means that all of the traffic can then be intercepted by the person providing the spoof hotspot. What sort of important information is passed from your laptop through this connection? It could be your details to access your online banking, the log-in to your company network or the necessary information required to access your corporate email account.

Time for a comfort break


Then the urge hits, you look around and see that everybody seems respectable enough so you head off to the toilet thinking that your laptop is safe on the table. After all, nobody would nick it in sight of all those customers, staff and CCTV cameras, would they?

You’d be wrong. Laptop tracking service provider, Prey, found that areas offering free Wi-Fi were the second most common target for opportunistic laptop thefts, the only riskier place being left in a visible place in your car.

If stolen, it’s not only the inconvenience of replacing the laptop, reinstalling your applications and copying back your data [you do back-up your data don’t you?] it’s the additional costs that aren’t covered by your insurance.

The Ponemon Institute, a US cyber crime consultancy, put the real cost of the loss of a laptop and its data at nearly £31,000. This was broken down into £4,000 for the loss of Intellectual Property, forensics and legal bills adding around £1,500, with a staggering £24,500 attributable to the loss of income, customers and competitive advantage associated with a data breach.

So, the next time you stop off for a cup of coffee and decide to log-on using their free Wi-Fi, just make sure you know which network that you’re connecting to and that you don’t leave your laptop unattended.

*Detica in partnership with the Office of Cyber Security and Information Security in the Cabinet Office Report, 2020

There’s Google and then there’s the others

A lot of the work that I do for my clients is Search Engine Optimisation (SEO). This involves working on websites to move them higher in the Search Engine Results Pages (SERPs). Most of the time, when talking about SEO, I talk about Google because Google is, by far and away, the most used search engine on the internet. Notice I say “used” rather than “loved” simply because a lot of people use it because it’s Number 1 but they don’t trust Google due to the amount of data it grabs and the huge power it wields.

But enough of the pre-amble, I want to tell you that there are other search engines available and there may be excellent reasons for using them. If you regularly check Google Analytics, or other web analytics applications, you may already be wondering about the traffic sources that appear.

And if you are not regularly checking a web analytics program to understand how your website is performing, then see me after class.

From my perspective, the work that I do on SEO actually works for ALL of the search engines out there so, without further ado, and in strict alphabetical order, here are the world’s top search engines.

Ask.com – Founded 1996

Ask.com started out as Ask Jeeves, a butler-style service to help you find the answers to your important questions. Ask Jeeves has quite some history. It was founded in 1996 but in 2006 dropped “Jeeves”. Ask uses a unique algorithm to help you find the answers that you are looking for. It is designed to answer questions (hence the name) and favours expertise on a topic – instead of popularity.

Baidu – Founded 2000

Baidu was founded in 2000 and is the dominant search engine in its country of origin, China. They have a market share of 75% in China whilst Google comes in with 3.76% – which is surprisingly high seeing as Google is banned in China. As with most Chinese entities, they are heavily policed, which means certain images are censored and pro-democracy websites are blocked. Even so, if you are looking to break into the Asian market, Baidu is where you have to be.

Like Google, they are investing heavily in Artificial Intelligence and self-driving cars. Sound familiar?

Bing – Launched 2009

Bing is Microsoft’s search engine, it was launched in 2009, which was when it replaced MSN Search. Later that year they also started providing search results to Yahoo, added AOL and Ecosia to the list of sites they support and Bing accounts for around 10% of US searches.

They are competitive in the Ads market too, although their total share of the market is small compared to Google, so the impact is a lot less.

DuckDuckGo – Founded 2008

DuckDuckGo is the search engine that looks after your privacy, touting itself as “the search engine that doesn’t track you”. DuckDuckGo doesn’t track you, and it doesn’t collect or store any information about you either. You’ll still see Ads (powered by Microsoft) but they won’t be personalised based on your browsing history.

Ecosia – Founded 2009

Ecosia was launched in 2009 and it’s the first environmentally friendly search engine, and is actually CO2 negative. To achieve this Ecosia donates 80% of profits to tree-planting projects which means that for around every 50 searches carried out on Ecosia, a tree is planted.

Ecosia have also built a solar power generation facility so that it can run its servers on clean, eco-friendly, energy.

Ecosia buys search results in from Bing and tweaks them with their own, unique, algorithms.

Google – Founded 1996

Founded in 1996, Google is the search engine of choice for millions around the world and has over 86% of the search engine market globally. As well as powering Google itself, the company also provides search results to a range of smaller search engines, such as ASK.

Google has tremendous computing power but it comes at a cost to the environment.

Huge data centres dotted around the world use huge amounts of electricity and although Google is working hard to mitigate their environmental impact a lot of CO2 is generated by every single search.

Search-Wise – First Seen 2005


If you watch a lot of TV, particularly Dr Who and EastEnders, when actors are using a search engine they’ll use Search-Wise to carry out their internet searches.

Search-Wise is actually non-existent. It has a “home” page that has been mocked up and that’s all you ever see – there’s no technology behind it. Search-Wise is a digital prop, that’s all.

Start Page – Founded 1998

StartPage may just be the perfect search engine. It was launched in 1998 and is based in the Netherlands.

What makes it the almost perfect search engine is that, like others in this list, it buys in its results from elsewhere. StartPage actually buy their results from Google but StartPage’s USP is that it doesn’t track you, doesn’t pass your IP address to Google and doesn’t use trackers to gather data about you.

This means that you get the benefits of access to all of Google’s search nous but none of the privacy threatening downsides. See what I mean when I said that StartPage might just be the perfect search engine?

Yahoo – Founded 1994

Older than Google, once upon a time, Yahoo was the Number One search engine and was a mighty company. How things change. Yahoo now buys results from Bing and has about 3% of the global search market. Although a small percentage, that 3% translates in to 1 billion users, 600m of whom use Yahoo on their phones and tablets.

In a cross-business deal, Microsoft makes use of Yahoo’s Ad engine.

Yandex – Founded 1997

Yandex is a Russian search engine, Yandex standing for Yet Another iNDEXer and the domain Yandex.ru was launched in 1997. Yandex is where you need to be if you are targeting Russia for business.

Yandex is also popular in Ukraine, Kazakhstan, Turkey and Belarus. It’s available in both English and Cyrillic.

In 2011 Yandex went public on the New York Stock Exchange and the search engine currently powers 42.35% of Russian searches.

What can you learn from this

The reality is that no single search engine covers 100% of the World Wide Web although Google probably has the most comprehensive index. However, it’s a trade off between depth of coverage and the value you place on your privacy.

What I can say, though, is that if you are looking at targeting China or Russia you really need to focus your efforts on the search engines that cover these territories, Baidu and Yandex respectively, for maximum visibility.

Pie Chart of Search Engine Market Share, Globally and UK

If you need help with making your website more visible in the search results, increase visits to your website AND increase your profits then all you have to do is get in touch.

Call me on 01793 238020 or email andy@enterprise-oms.co.uk. We can even schedule an introductory, FREE, 40 min call over Zoom, or Teams or any other platform.

Safer Internet Day 2020


1,2,3,4 is the start of The Beatles “I saw her standing there”, it’s the way you “declare a thumb war” and it’s also the first 4 characters of the worst password of 2019 – which is 123456.

11th February 2020 is the 17th “Safer Internet Day” and I’d like to make it a day where people change their simple passwords for something much more secure.

Why is internet security important?


Every day millions of websites come under attack, ranging from simple personal sites to complex e-commerce sites and online email service providers.

Just think about your information that’s out there, and what could happen if your business or personal security was breached.

What’s in your Gmail, Hotmail, Outlook.com mailbox, how valuable would that be to a cyber-criminal? What if they hacked your email account and sent emails to your contacts and connections, as you, then tried to use your email address for more nefarious purposes?

How about if, after hacking your email account, they used your credentials to try to

  • break into your bank account
  • hack in to your building society account
  • access your credit card account
  • use the info to set up fake accounts that they can then use to steal your identity, borrow money in your name and have it sent to their bank accounts
  • buy products online that are delivered to them and billed to your address – the list goes on and becomes even worse if it’s business data that has been stolen.

Business bank accounts typically have more money in them with longer lines of credit, your servers may contain enough information for the cyber criminals to target your customers, there may even be ideas, designs and other pieces of Intellectual Property that could be sold or misused in a variety of other ways, all to your disadvantage.

You know it makes sense to have stronger passwords but a lot of people, as evidenced by this list, obviously can’t be bothered – maybe they deserve what comes their way?

Well I don’t think they do, which is why I’ve published this blog post as part of “Safer Internet Day” and I’d ask you to review your password policy, both internally and personally and follow these simple tips and guidelines to minimise your risk.


What should you do?

Don’t use the same password on every site you log in to; ideally, each site that you have an account with should have its own, unique password. I know that sounds hard but it’s remarkably easy if you use one of the many secure password creation and storage sites. There are loads to choose from, some are subscription based whilst others are free. You can read a review of the top ones here.

Personally, I use LastPass, I started using it a number of years ago and find it invaluable in matters of internet security. Your password manager will automatically create strong and unique passwords and save them in your databank and automatically fill in the boxes whenever you are on one of your sites that require secure access.

Many also come as Apps for installation on your phones and tablets so that you can always access the sites you need to, whenever and wherever you are.


They run in your browser so that you can access your passwords and other log-in data from any internet connected computer, at home or abroad, on holiday or business trip – just make sure you remember to logout if you’re using a public computer.

If you don’t want to use an App then make sure your passwords are at least 8 characters long and are comprised of a mix of UppEr cAse and loweR case, 1nclud3 a numb3r or 2 and m@ke use of spec!al character$ wherever possible. You can check the strength of your password at HowSecureIsMyPassword.

If you are concerned about any of the security aspects for your business, then send me an email, andy@enterprise-oms.co.uk or give me a call on 01793 238020 for a hack free, zero obligation chat and I’ll be delighted to see whether I can help secure your business from cyber criminals and make sure that you don’t become a victim, like Capital One did in 2019 where a hacker stole 100 million records that included names, addresses, post codes, email addresses, phone numbers, dates of birth, bank details and social security numbers.

Yes, it’s “Password Madness” time


Government Communications Headquarters (GCHQ), where the UK spooks provide signals intelligence to the UK’s government, military and Military Intelligence, and the Department for Digital, Media and Sport (DCMS) carried out their first UK Cyber Survey and the results didn’t make for great reading.

Apparently

  • 42% of us Brits expect to lose money to on-line fraud
  • 23.2 million worldwide victims of cyber breaches used 123456 as their password
  • 15% say they know how to properly protect themselves from harmful on-line activity
  • 33% rely on friends and family for help with their cyber security
  • Young people are the most likely to be cyber aware, privacy conscious and careful of the details they share on-line
  • 61% of internet users check Social Media daily, 21% say they never look at it
  • More than 50% use the same password for their email that they use elsewhere

Dr Ian Levy, NCSC Technical Director, said “Using hard-to-guess passwords is a strong first step and we recommend combining three random but memorable words. Be creative and use words memorable to you, so people can’t guess your password.” whilst Margot James, DCMS Minister, said “We shouldn’t make their (cyber criminals) lives easy so choosing a strong and separate password for your email account is a great practical step.”

Most Regularly Used Passwords

Rank  Password    Times used    Password   Times used
1.    123456      23.2m         ashley     432,276
2.    123456789   7.7m          michael    425,291
3.    qwerty      3.8m          daniel     368,227
4.    password    3.6m          jessica    324,125
5.    1111111     3.1m          charlie    308,939

It’s a shame that the top password list hasn’t really changed for at least 10 years – it shows how complacent a lot of us are with our on-line security.

I used to have 3 passwords, a simple one that I used really casually for newspaper sign-ups etc – name123 (not my real passwords, merely examples) a medium security one that I used on shopping sites, n@m3123 and a more secure one, used for banking etc – c3ler0n! (and all of the ones that I used feature on the Have I Been Pwned list).

About 5 or more years ago I switched to a Password Manager. I have 801 log-ins and 801 different passwords. All of them are at least 16 random characters long and comprise upper & lower case letters, numbers and symbols (where permitted).


My Password database is stored securely in the cloud and is replicated on my PC, Phone and Tablet and accessible from my Chromebook too. I use LastPass but others exist and here’s a review of some of the top ones.

As you can see, I do my best to stay on top of my security but if you feel adrift, or need some help, just give me a call on 01793 238020 or email andy@enterprise-oms.co.uk for a free chat.

What the FA is 2FA and do you need it?

Let’s answer the easy question first: “do you need 2FA?” The simple answer is “yes”, you do need Two Factor Authentication (2FA). Now read on to learn more about what it is, how it works and how it can secure your data and online activity.

I’ve written in previous posts about passwords, hacking, identity theft and the threat to our privacy, data and businesses from cyber criminals. As you might imagine, the number of attacks is increasing, as is the sophistication.

Why are Cyber Attacks increasing?

Simple! The number of websites that we log-in to continues to increase and many people use one password across many websites. As you can see from the list on the right a lot of people use passwords that are less than ideal. The cyber criminals know this which makes it a gift for them.

Some people think they are safe because they have 3 passwords: a simple one for common sites where they don’t see a threat (posting comments to newspaper websites for example), a medium one that they use for on-line shopping and Cloud storage sites (DropBox for example) and a really complicated one for their “secure” sites, such as bank access etc.

After all, just trying to remember pWa#eeAS7uNggK49 is hard enough, but having to remember a different one for every single website is a real challenge. You might jot them down in a notebook or diary, but what happens if you lose your book, or just leave it on a train? Not only have you been frozen out of your accounts (until you work your way through all those “forgotten password” routines) but your security has been seriously compromised.

Some people, like me for example, use a password manager. These apps create a secure password for every site that you log in to, make it available across desk-tops, lap-tops, phones and tablets and don’t cost very much at all. But even if you use one, how secure are you, actually?


If a site that you use your super strong password on is penetrated and data stolen, your strong password is about as much use (from a security perspective) as the infamous chocolate teapot.

And if you have used this super-strong password on more than one site you are at an even greater risk of becoming a victim of data theft. With more than 6,474m email addresses in the wild for cyber criminals to use and 551m passwords stolen in security hacks, the criminals’ job gets ever easier.

Use the Have I been Pwned website to see whether your passwords have been stolen by cyber criminals or nabbed in a data breach and read more about the risk, and how the criminals use this stolen data in a previous post.
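The Pwned Passwords check that Have I Been Pwned offers never receives your password: only the first five hex characters of its SHA-1 hash are sent, the service returns every hash suffix it knows with that prefix, and the match is made on your own machine. The example below is added here and is not code from the post or from Have I Been Pwned; it runs that flow offline against a constructed sample response (the endpoint URL in the comment is the real one, the sample lines and counts are made up).

```python
import hashlib
from typing import Callable, Tuple

# Constructed sample of a Pwned Passwords "range" response for hash prefix 5BAA6.
# A real response lists every known suffix for that prefix as "<35 hex chars>:<count>";
# these three lines and their counts are made up for this example.
SAMPLE_RANGE_RESPONSE = (
    "00D4F6BAF0E7FF4D5C8A6B3E2F1A0B9C8D7:2\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "FFA1B2C3D4E5F60718293A4B5C6D7E8F901:15\r\n"
)


def split_hash(password: str) -> Tuple[str, str]:
    """SHA-1 the password and split the upper-case hex digest into the 5-character
    prefix that is sent to the service and the 35-character suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, response_text: str) -> int:
    """Look for our suffix in the returned range; 0 means it is not in the breach corpus."""
    for line in response_text.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def offline_fetch_range(prefix: str) -> str:
    """Stand-in for the HTTP call (GET https://api.pwnedpasswords.com/range/<prefix>).
    Only the prefix the constructed sample was built for returns any data."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def breach_count(password: str,
                 fetch_range: Callable[[str], str] = offline_fetch_range) -> int:
    """How many times the password has been seen in breaches (0 = not found)."""
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, fetch_range(prefix))


if __name__ == "__main__":
    # "password" hashes to 5BAA61E4C9B9..., so its suffix is in the constructed sample
    print(breach_count("password"))
```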

What’s the Solution?

It’s actually fairly simple. It’s called two factor authentication [2FA] or multi-factor authentication. This is where another layer of authentication is required, beyond your user name and password.

In the early days of 2FA sites would send you a text with an access code so you could only log-in if you had your phone with you [and had a mobile signal]. This extra layer of security hit the cyber-criminals hard, until they realised that intercepting text messages was not particularly difficult if you were tech-savvy so something else was required.


The banks solved this problem by providing you with a device like the one to the right; this one’s from HSBC. At the website you enter your user-name and pass-code as normal, enter a PIN in the device and then enter the number the device displays in to your bank’s website. It may feel like a pain but it really does have a positive effect on the security of your on-line banking. A criminal needs your user name/password, access to the device and your device PIN.

Microsoft Authenticator

Having a device for every website is pretty clunky so Microsoft and Google released authentication apps for Android and iPhones. The way they work is they generate a six digit code, as can be seen in the image on the right, and the website that you are looking to access requests this code after you have entered your user-name and password – as demonstrated in this screen-shot of my LastPass password manager.


All I have to do is launch my Authenticator App and enter the six digit code. For additional security, the code changes every 30 seconds or so.

Hardware Security


The final security solution is the physical “Key” such as this one from YubiKey. This is a USB device that simply plugs in to a USB port on your computer and allows you access to secured sites, or even your computer itself.

If you are worried by your security, or need any help with your internet activity, from a new website through social media and on to other online marketing opportunities, then just send me an email at andy@enterprise-oms.co.uk or give me a call on 01793 238020.