
Employees Are Letting Hackers Into Your Network …So What Can You Do To Stop It?

Cyberthreats are everywhere these days. Hackers, scammers and cybercriminals are working overtime to break into your network – and the network of just about every business out there. They have a huge arsenal of tools at their disposal, from automated bots to malicious advertising networks, to make it possible.

But there is one “tool” that you may be putting directly into their hands: your employees. Specifically, your employees’ lack of IT security training.

While most of us expect hackers to attack from the outside using malware or brute-force attacks (hacking, in a more traditional sense), the truth is that most hackers love it when they can get others to do their work for them.

In other words, if they can fool your employees into clicking on a link in an e-mail or downloading unapproved software onto a company device, all the hackers have to do is sit back while your employees wreak havoc. The worst part is that your employees may not even realize that their actions are compromising your network. And that’s a problem.

Even if you have other forms of network security in place – malware protection, firewalls, secure cloud backup, etc. – it won’t be enough if your employees lack good IT security training. In fact, a lack of training is the single biggest threat to your network!

It’s time to do something about it. Comprehensive network security training accomplishes several things, including:

1. Identifying Phishing E-Mails

Phishing e-mails are constantly evolving. It used to be that the average phishing e-mail included a message littered with bad grammar and misspelled words. Plus, it was generally from someone you’d never heard of.

These days, phishing e-mails are a lot more clever. Hackers can spoof legitimate e-mail addresses and websites and make their e-mails look like they’re coming from a sender you actually know. They can disguise these e-mails as messages from your bank or other employees within your business.

You can still identify these fake e-mails by paying attention to little details that give them away, such as inconsistencies in URLs in the body of the e-mail. Inconsistencies can include odd strings of numbers in the web address or links to YourBank.net instead of YourBank.com. Good training can help your employees recognize these types of red flags.
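The red flags described above (a brand name on the wrong top-level domain, long strings of digits in the web address, a link whose visible text does not match where it really points) can be checked mechanically as well as by eye. The following is an added example, not code from the original post: it scans a constructed HTML e-mail body against a constructed allowlist of the domains a business legitimately links to (`KNOWN_DOMAINS` is an assumption), and reports which links trip which red flag. It generalises slightly beyond the text by also flagging bare IP addresses and URLs that hide the real host behind an `@`.

```python
"""Flag suspicious links in an e-mail body (added example, not from the original post)."""
import re
from urllib.parse import urlparse

# Constructed allowlist: the domains this organisation legitimately links to.
KNOWN_DOMAINS = {"yourbank.com"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
# Anchor tags in an HTML e-mail: capture the real target and the visible text.
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def registrable_domain(host):
    """Last two labels of a hostname (adequate for .com/.net style names)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def url_red_flags(url, known=KNOWN_DOMAINS):
    """Return the list of red flags for one URL; an empty list means it looks fine."""
    flags = []
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if not host:
        return ["no hostname"]
    # "https://yourbank.com@evil.example/" really goes to evil.example.
    if parsed.username is not None:
        flags.append("credentials before @ hide the real host")
    if IPV4_RE.fullmatch(host):
        flags.append("IP address instead of a domain name")
        return flags
    if re.search(r"\d{4,}", host):
        flags.append("long string of digits in hostname")
    dom = registrable_domain(host)
    if dom not in known:
        brand = dom.split(".")[0]
        # Same brand name, different TLD: YourBank.net instead of YourBank.com.
        twins = sorted(k for k in known if k.split(".")[0] == brand)
        if twins:
            flags.append(f"{dom} looks like {twins[0]} but has a different TLD")
        else:
            # Brand name buried as a subdomain of an unrelated domain.
            embedded = sorted(k for k in known if k.split(".")[0] in host)
            if embedded:
                flags.append(f"brand '{embedded[0].split('.')[0]}' used inside unrelated domain {dom}")
            else:
                flags.append(f"{dom} is not a known domain")
    return flags


def scan_email(body, known=KNOWN_DOMAINS):
    """Map each suspicious URL in the e-mail body to its red flags."""
    findings = {}
    # Visible link text that shows one domain while the href points elsewhere.
    for href, text in ANCHOR_RE.findall(body):
        shown = URL_RE.search(text)
        if shown:
            shown_dom = registrable_domain(urlparse(shown.group(0)).hostname or "")
            href_dom = registrable_domain(urlparse(href).hostname or "")
            if shown_dom != href_dom:
                findings.setdefault(href, []).append(
                    f"link text shows {shown_dom} but points to {href_dom}")
    for url in URL_RE.findall(body):
        flags = url_red_flags(url, known)
        if flags:
            findings.setdefault(url, []).extend(flags)
    return findings


# Constructed sample e-mail: one legitimate link and three that should be flagged.
SAMPLE_EMAIL = """<html><body>
<p>Your statement is ready: <a href="https://yourbank.com/statements">https://yourbank.com/statements</a></p>
<p>Verify your account: <a href="https://yourbank.net/verify">https://yourbank.com/verify</a></p>
<p>Update now: <a href="http://yourbank.com.account-update-88214573.example/login">Update</a></p>
<p>Support line: http://203.0.113.5/help</p>
</body></html>"""

if __name__ == "__main__":
    for url, flags in scan_email(SAMPLE_EMAIL).items():
        print(url)
        for flag in flags:
            print("   -", flag)
```

The allowlist approach is deliberate: rather than trying to enumerate every trick, the checker asks whether each link resolves to a domain the business actually uses, and explains why not when it does not. The same logic is what a mail gateway's link-rewriting or a training exercise can show employees, so the red flags they learn to spot by eye line up with what the tooling reports.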

2. Avoiding Malware Or Ransomware Attacks

One reason malware attacks work is that an employee clicks a link or downloads a program they shouldn’t. They might think they’re about to download a useful new program to their company computer, but the reality is very different.

Malware comes from many different sources. It can come from phishing e-mails, but it also comes from malicious ads on the Internet or by connecting an infected device to your network. For example, an employee might be using their USB thumb drive from home to transfer files (don’t let this happen!), and that thumb drive happens to be carrying a virus. The next thing you know, it’s on your network and spreading.

This is why endpoint protection across the board is so important. Every device on your network should be firewalled and have updated malware and ransomware protection in place. If you have remote employees, they should only use verified and protected devices to connect to your network. (They should also be using a VPN, or virtual private network, for even more security.) But more importantly, your employees should be trained on this security. They should understand why it’s in place and why they should only connect to your network using secured devices.

3. Updating Poor Or Outdated Passwords

If you want to make a hacker’s job easier than ever, all you have to do is never change your password. Or use a weak password, like “QWERTY” or “PASSWORD.” Even in enterprise, people still use bad passwords that never get changed. Don’t let this be you!

A good IT security training program stresses the importance of updating passwords regularly. Even better, it shows employees the best practices in updating the passwords and in choosing secure passwords that will offer an extra layer of protection between your business and the outside world.

If you or your employees haven’t updated their passwords recently, a good rule of thumb is to consider all current passwords compromised. When hackers attack your network, two of the big things they look for are usernames and passwords. It doesn’t matter what they’re for – hackers just want this information. Why? Because most people do not change their passwords regularly, and because many people are in the habit of reusing passwords for multiple applications, hackers will try to use these passwords in other places, including bank accounts.

Don’t let your employees become your biggest liability. These are just a few examples of how comprehensive IT and network security training can give your employees the knowledge and resources they need to help protect themselves and your business. Just remember, you do not have to do this by yourself! Good IT training programs are hard to find, and we are here to help.

New Updates For Office 365 Will Include Phishing Protection

Are you an Office 365 user? If so, be aware that Microsoft is adding some powerful new protections to the software suite, designed to make you safer.

Hackers commonly target Office 365 users with a type of attack known as “Consent Phishing.” That basically means that the hacker in question will use a variety of social engineering techniques to try to trick a target victim into giving up his or her Office 365 access, usually by way of an app that asks for permissions. If the user grants those permissions, the app can install all manner of malware on the target’s device.

The new security upgrades that Microsoft is rolling out make users safer in three different ways:

  • First, by a general tightening of app consent policies
  • Second, by placing a greater level of scrutiny on publishers of OAuth apps during the verification process
  • Third, by changing the rules surrounding user consent when consent is asked for by an unverified publisher

These changes are already in place, and since their initial rollout, Microsoft has verified more than 700 different app publishers and more than 1300 individual apps. Verified apps can be recognized by the small blue badge with a white check mark at its center. Those apps you can install with confidence.

As a Microsoft representative explained:

“To reduce the risk of malicious applications attempting to trick users into granting them access to your organization’s data, we recommend that you allow user consent only for applications that have been published by a verified publisher.”

It’s good advice, and these are excellent (even if they’re somewhat overdue) changes to the company’s policies. Kudos to Microsoft for rolling out the upgrades to their processes, and to the legitimate publishers who are already moving to embrace the recent changes. This will help keep users safe, and that’s a very good thing.

Related Posts

5 Ways to protect against VoIP threats

Few companies today would survive without effective, cost-efficient collaboration tools like Voice over Internet Protocol (VoIP) solutions. But like any piece of technology, VoIP systems are fast becoming an easy target for attackers. Here’s how to protect your company’s internet-based communication devices from numerous threats.

What many companies don’t realize is that valuable information moves across VoIP networks just like sensitive data is shared via email. In some cases, internet-based calls are more vulnerable to fraud, identity theft, eavesdropping, intentional disruption of service, and even financial loss. With numerous VoIP-based attacks, it’s crucial to implement these security measures now.

24/7 monitoring

VoIP security breaches usually take place outside operating hours. Attackers make phone calls using private accounts or access call records with confidential information on the sly. Contract outsourced IT vendors to monitor network traffic for any abnormalities to avoid these security breaches.

Virtual private networks

Virtual private networks (VPNs) create a secure connection between two points, as if they belong in the same closed network. It’s like building a safe secret tunnel between you and the person you’re calling. Using a VPN can also help overcome complications involving Session Initiation Protocol trunking, a recommended VoIP feature.

VoIP firewalls

Firewalls specifically designed for IP-based telephony curb the types of traffic that are allowed into your network. They ensure that every connection is properly terminated at the end of a session and identify suspicious calling patterns. Virtually every VoIP vendor provides these protocols, but you should always consult with your IT services provider as to how these protocols will be managed within your organization.

Encryption tools

Due to lack of encryption, VoIP systems can be easily broken into by even inexperienced hackers who can download and deploy tools to eavesdrop or intercept your calls. Some services claim to have built-in encryption, but companies still need to be vigilant and investigate how effective these are.

Using encryption ensures that even if hackers successfully download audio or video, they still can’t decode the file unless they have the decryption key.

Password protection

Using passwords to authenticate your access to private information is not as secure as it once was. Hackers can easily guess a password and use it for cyberattacks. This is why protecting the passwords themselves adds a great layer of protection against threats.

Employees should never divulge any compromising information during a VoIP call, as eavesdropping is one of the easiest and most common cyberattacks against VoIP networks.

VoIP is as important as any of your other network security considerations. It requires a unique combination of protection measures, and we’d love to give you advice on these. Give us a call today to get started.

It’s Time to Rethink your Password Strategy

In 2003, the National Institute of Standards and Technology (NIST) stated that strong passwords should consist of upper- and lowercase letters, numbers, and symbols. Recently, however, the institute reversed its stance. Find out why and learn what their new recommendations are for creating strong passwords.

The problem

The issue isn’t that the NIST advised people to create easy-to-crack passwords, but that its previous advice inadvertently made people create weak passwords using predictable capitalization, special characters, and numbers, like “P@ssW0rd1.”

Such a password may seem secure, but the strings of characters and numbers could easily be compromised by hackers using common algorithms.

What’s more, the NIST also recommended that people change their passwords regularly, but did not specify how and when to change them. Since many people thought their passwords were already secure because they had included special characters in them, most only added or changed one character.

The NIST essentially forced everyone to use passwords that are hard for humans to remember but easy for a hacker’s algorithm to crack.

Eventually, the institution admitted that this can cause more problems than it solves. It has reversed its stance on organizational password management requirements, and is now recommending banishing forced periodic password changes and getting rid of complexity requirements.

The solution

Security consultant Frank Abagnale and Chief Hacking Officer for KnowBe4 Kevin Mitnick both see a future without passwords. Both security experts advise enterprises to implement multifactor authentication in login policies.

This requires a user to present two valid credentials aside from a password to gain access to an account. This could be a code sent to the account owner’s smartphone, a login prompt on a mobile device, or a facial or a fingerprint scan. This way, hackers’ login efforts are futile unless they also satisfy the additional security requirements.

Moreover, Mitnick recommended implementing long passphrases of 25 characters or more, such as “recedemarmaladecrockplacate” or “cavalryfigurineunderdoneexalted.” These are much more difficult to guess and less prone to hacking. As for the frequency of changing passphrases, it will depend on a company’s risk tolerance.

Simply put, passwords should be longer and include nonsensical phrases and English words that make it almost impossible for an automated system to crack.
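Why “P@ssW0rd1” fails and a long passphrase does not is easiest to see in code. The following is an added example, not code from the original post: it implements the checks the revised NIST guidance (SP 800-63B) favours, namely a minimum length and a comparison against a list of known-bad passwords after undoing the predictable case and character substitutions, rather than composition rules. It then contrasts the search space a composition-rule checker assumes with the much smaller one an attacker who models “dictionary word plus mangling” actually has to cover, and with the space of a multi-word passphrase like the ones quoted above. `COMMON_WORDS` is a constructed stand-in for a real breached-password list, and the dictionary, variant and wordlist sizes are labelled assumptions.

```python
"""Password checks in the spirit of the revised NIST guidance (added example, not from the original post)."""
import math

# Predictable substitutions that a mangling rule undoes in one step.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s",
                      "5": "s", "!": "i", "4": "a", "7": "t"})
# Constructed stand-in for a breached/common-password list.
COMMON_WORDS = {"password", "qwerty", "welcome", "letmein", "admin"}


def normalize(pw):
    """Undo the predictable tricks: case, trailing digits/symbols, leet substitutions."""
    base = pw.lower().rstrip("0123456789!?.#*$")
    return base.translate(LEET)


def check_password(pw, common=COMMON_WORDS, min_len=8):
    """Return the list of problems; empty means the password passes these checks."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    base = normalize(pw)
    if base in common:
        problems.append(f"'{pw}' is just '{base}' with predictable substitutions")
    return problems


def naive_entropy_bits(pw):
    """What a composition-rule checker assumes: each character chosen independently
    from every class that appears in the password (95 printable ASCII at most)."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33
    return len(pw) * math.log2(size)


def mangled_word_entropy_bits(dictionary_size=100_000, variants=1_000):
    """Search space if the password is one dictionary word plus a mangling rule.
    Assumed sizes: a 100k-word dictionary and ~1000 common case/leet/suffix variants."""
    return math.log2(dictionary_size * variants)


def passphrase_entropy_bits(words, wordlist_size=7776):
    """Search space for `words` words drawn at random from a wordlist of the
    assumed size (7776 is the size of a standard diceware list)."""
    return words * math.log2(wordlist_size)


if __name__ == "__main__":
    for pw in ("P@ssW0rd1", "recedemarmaladecrockplacate"):
        print(pw, "->", check_password(pw) or "ok")
        print(f"  assumed by composition rules: {naive_entropy_bits(pw):.1f} bits")
    print(f"dictionary word + mangling:     {mangled_word_entropy_bits():.1f} bits")
    print(f"four random passphrase words:   {passphrase_entropy_bits(4):.1f} bits")
```

The point the numbers make: “P@ssW0rd1” scores about 59 bits if you count character classes, but it sits inside a search space of roughly 27 bits once the attacker guesses words and applies substitutions, and `normalize` reduces it to “password” immediately. A four-word passphrase with no substitutions at all is around 52 bits even when the attacker knows exactly which wordlist was used, which is why length and unpredictability beat forced symbols and digits.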

You should also enforce the following security solutions within your company:

  • Single sign-on – allows users to securely access multiple accounts with one set of credentials
  • Account monitoring tools – recognize suspicious activity and lock out hackers

When it comes to security, ignorance is your business’s kryptonite. If you’d like to learn about what else you can do to remain secure, just give Net Activity a call.
